diff options
| author | doug <> | 2017-08-12 21:17:03 +0000 |
|---|---|---|
| committer | doug <> | 2017-08-12 21:17:03 +0000 |
| commit | 57d8377dfdb1def39bfaf39a76b799989c4b8b15 (patch) | |
| tree | a6945bbfcf083598e38feabf2ece8ed3cbfaed2b /src/lib/libssl/t1_lib.c | |
| parent | aa07f6851bbcb6c8ad4d78c02d2b5814864eaac1 (diff) | |
| download | openbsd-57d8377dfdb1def39bfaf39a76b799989c4b8b15.tar.gz openbsd-57d8377dfdb1def39bfaf39a76b799989c4b8b15.tar.bz2 openbsd-57d8377dfdb1def39bfaf39a76b799989c4b8b15.zip | |
Rewrite session ticket TLS extension handling using CBB/CBS and the new
extension framework.
ok jsing@ beck@
Diffstat (limited to 'src/lib/libssl/t1_lib.c')
| -rw-r--r-- | src/lib/libssl/t1_lib.c | 66 |
1 files changed, 3 insertions, 63 deletions
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index 911e8d3f4e..63d401c337 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: t1_lib.c,v 1.128 2017/08/12 21:03:08 jsing Exp $ */ | 1 | /* $OpenBSD: t1_lib.c,v 1.129 2017/08/12 21:17:03 doug Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -690,39 +690,6 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) | |||
| 690 | return NULL; | 690 | return NULL; |
| 691 | ret += len; | 691 | ret += len; |
| 692 | 692 | ||
| 693 | if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) { | ||
| 694 | int ticklen; | ||
| 695 | if (!s->internal->new_session && s->session && s->session->tlsext_tick) | ||
| 696 | ticklen = s->session->tlsext_ticklen; | ||
| 697 | else if (s->session && s->internal->tlsext_session_ticket && | ||
| 698 | s->internal->tlsext_session_ticket->data) { | ||
| 699 | ticklen = s->internal->tlsext_session_ticket->length; | ||
| 700 | s->session->tlsext_tick = malloc(ticklen); | ||
| 701 | if (!s->session->tlsext_tick) | ||
| 702 | return NULL; | ||
| 703 | memcpy(s->session->tlsext_tick, | ||
| 704 | s->internal->tlsext_session_ticket->data, ticklen); | ||
| 705 | s->session->tlsext_ticklen = ticklen; | ||
| 706 | } else | ||
| 707 | ticklen = 0; | ||
| 708 | if (ticklen == 0 && s->internal->tlsext_session_ticket && | ||
| 709 | s->internal->tlsext_session_ticket->data == NULL) | ||
| 710 | goto skip_ext; | ||
| 711 | /* Check for enough room 2 for extension type, 2 for len | ||
| 712 | * rest for ticket | ||
| 713 | */ | ||
| 714 | if ((size_t)(limit - ret) < 4 + ticklen) | ||
| 715 | return NULL; | ||
| 716 | s2n(TLSEXT_TYPE_session_ticket, ret); | ||
| 717 | |||
| 718 | s2n(ticklen, ret); | ||
| 719 | if (ticklen) { | ||
| 720 | memcpy(ret, s->session->tlsext_tick, ticklen); | ||
| 721 | ret += ticklen; | ||
| 722 | } | ||
| 723 | } | ||
| 724 | skip_ext: | ||
| 725 | |||
| 726 | if (TLS1_get_client_version(s) >= TLS1_2_VERSION) { | 693 | if (TLS1_get_client_version(s) >= TLS1_2_VERSION) { |
| 727 | if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6) | 694 | if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6) |
| 728 | return NULL; | 695 | return NULL; |
| @@ -884,15 +851,6 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) | |||
| 884 | * extension. | 851 | * extension. |
| 885 | */ | 852 | */ |
| 886 | 853 | ||
| 887 | if (s->internal->tlsext_ticket_expected && | ||
| 888 | !(SSL_get_options(s) & SSL_OP_NO_TICKET)) { | ||
| 889 | if ((size_t)(limit - ret) < 4) | ||
| 890 | return NULL; | ||
| 891 | |||
| 892 | s2n(TLSEXT_TYPE_session_ticket, ret); | ||
| 893 | s2n(0, ret); | ||
| 894 | } | ||
| 895 | |||
| 896 | if (s->internal->tlsext_status_expected) { | 854 | if (s->internal->tlsext_status_expected) { |
| 897 | if ((size_t)(limit - ret) < 4) | 855 | if ((size_t)(limit - ret) < 4) |
| 898 | return NULL; | 856 | return NULL; |
| @@ -1068,13 +1026,7 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, | |||
| 1068 | if (!tlsext_clienthello_parse_one(s, &cbs, type, al)) | 1026 | if (!tlsext_clienthello_parse_one(s, &cbs, type, al)) |
| 1069 | return 0; | 1027 | return 0; |
| 1070 | 1028 | ||
| 1071 | if (type == TLSEXT_TYPE_session_ticket) { | 1029 | if (type == TLSEXT_TYPE_signature_algorithms) { |
| 1072 | if (s->internal->tls_session_ticket_ext_cb && | ||
| 1073 | !s->internal->tls_session_ticket_ext_cb(s, data, size, s->internal->tls_session_ticket_ext_cb_arg)) { | ||
| 1074 | *al = TLS1_AD_INTERNAL_ERROR; | ||
| 1075 | return 0; | ||
| 1076 | } | ||
| 1077 | } else if (type == TLSEXT_TYPE_signature_algorithms) { | ||
| 1078 | int dsize; | 1030 | int dsize; |
| 1079 | if (sigalg_seen || size < 2) { | 1031 | if (sigalg_seen || size < 2) { |
| 1080 | *al = SSL_AD_DECODE_ERROR; | 1032 | *al = SSL_AD_DECODE_ERROR; |
| @@ -1277,19 +1229,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al) | |||
| 1277 | if (!tlsext_serverhello_parse_one(s, &cbs, type, al)) | 1229 | if (!tlsext_serverhello_parse_one(s, &cbs, type, al)) |
| 1278 | return 0; | 1230 | return 0; |
| 1279 | 1231 | ||
| 1280 | if (type == TLSEXT_TYPE_session_ticket) { | 1232 | if (type == TLSEXT_TYPE_status_request && |
| 1281 | if (s->internal->tls_session_ticket_ext_cb && | ||
| 1282 | !s->internal->tls_session_ticket_ext_cb(s, data, size, s->internal->tls_session_ticket_ext_cb_arg)) { | ||
| 1283 | *al = TLS1_AD_INTERNAL_ERROR; | ||
| 1284 | return 0; | ||
| 1285 | } | ||
| 1286 | if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || (size > 0)) { | ||
| 1287 | *al = TLS1_AD_UNSUPPORTED_EXTENSION; | ||
| 1288 | return 0; | ||
| 1289 | } | ||
| 1290 | s->internal->tlsext_ticket_expected = 1; | ||
| 1291 | } | ||
| 1292 | else if (type == TLSEXT_TYPE_status_request && | ||
| 1293 | s->version != DTLS1_VERSION) { | 1233 | s->version != DTLS1_VERSION) { |
| 1294 | /* MUST be empty and only sent if we've requested | 1234 | /* MUST be empty and only sent if we've requested |
| 1295 | * a status request message. | 1235 | * a status request message. |