Provide ssl_session_dup()

SSL_SESSION_dup() is a currently essentially unused public OpenSSL 1.1.1 API. Add a version that does not duplicate the secrets for internal use. If the public API should be needed, we can easily make it a wrapper. ok jsing
author: tb <> 2022-10-20 15:22:51 +0000
committer: tb <> 2022-10-20 15:22:51 +0000
commit: 2eb5ecc0e85a8e912093ea091e01062b9f248743 (patch)
tree: 4d9d553629fe11145cfba0462caaeaad44995a65 /src
parent: 47209472cf3275a516b2c41cd92de3e922851222 (diff)
download: openbsd-2eb5ecc0e85a8e912093ea091e01062b9f248743.tar.gz
openbsd-2eb5ecc0e85a8e912093ea091e01062b9f248743.tar.bz2
openbsd-2eb5ecc0e85a8e912093ea091e01062b9f248743.zip
2 files changed, 108 insertions, 2 deletions
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 1ddc5e0d5c..42ae429074 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.428 2022/10/20 15:20:27 tb Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.429 2022/10/20 15:22:51 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1313,6 +1313,7 @@ int ssl_security_cert_chain(const SSL *ssl, STACK_OF(X509) *sk,
 int ssl_security_shared_group(const SSL *ssl, uint16_t group_id);
 int ssl_security_supported_group(const SSL *ssl, uint16_t group_id);
+SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int include_ticket);
 int ssl_get_new_session(SSL *s, int session);
 int ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block,
    int *alert);
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index 39e8b3353a..dcf9b103da 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.119 2022/10/20 15:21:22 tb Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.120 2022/10/20 15:22:51 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -242,6 +242,111 @@ SSL_SESSION_new(void)
        return (ss);
 }
+SSL_SESSION *
+ssl_session_dup(SSL_SESSION *sess, int include_ticket)
+{
+        SSL_SESSION *copy;
+        CBS cbs;
+        if ((copy = calloc(1, sizeof(*copy))) == NULL) {
+                SSLerrorx(ERR_R_MALLOC_FAILURE);
+                goto err;
+        }
+        copy->ssl_version = sess->ssl_version;
+        CBS_init(&cbs, sess->master_key, sess->master_key_length);
+        if (!CBS_write_bytes(&cbs, copy->master_key, sizeof(copy->master_key),
+            &copy->master_key_length))
+                goto err;
+        CBS_init(&cbs, sess->session_id, sess->session_id_length);
+        if (!CBS_write_bytes(&cbs, copy->session_id, sizeof(copy->session_id),
+            &copy->session_id_length))
+                goto err;
+        CBS_init(&cbs, sess->sid_ctx, sess->sid_ctx_length);
+        if (!CBS_write_bytes(&cbs, copy->sid_ctx, sizeof(copy->sid_ctx),
+            &copy->sid_ctx_length))
+                goto err;
+        if (sess->peer_cert != NULL) {
+                if (!X509_up_ref(sess->peer_cert))
+                        goto err;
+                copy->peer_cert = sess->peer_cert;
+        }
+        copy->peer_cert_type = sess->peer_cert_type;
+        copy->verify_result = sess->verify_result;
+        copy->timeout = sess->timeout;
+        copy->time = sess->time;
+        copy->references = 1;
+        copy->cipher = sess->cipher;
+        copy->cipher_id = sess->cipher_id;
+        if (sess->ciphers != NULL) {
+                if ((copy->ciphers = sk_SSL_CIPHER_dup(sess->ciphers)) == NULL)
+                        goto err;
+        }
+        if (sess->tlsext_hostname != NULL) {
+                copy->tlsext_hostname = strdup(sess->tlsext_hostname);
+                if (copy->tlsext_hostname == NULL)
+                        goto err;
+        }
+        if (include_ticket) {
+                CBS_init(&cbs, sess->tlsext_tick, sess->tlsext_ticklen);
+                if (!CBS_stow(&cbs, &copy->tlsext_tick, &copy->tlsext_ticklen))
+                        goto err;
+                copy->tlsext_tick_lifetime_hint =
+                    sess->tlsext_tick_lifetime_hint;
+                /*
+                 * XXX - copy sess->resumption_master_secret and all other
+                 * TLSv1.3 info here.
+                 */
+        }
+        if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, copy,
+            &copy->ex_data))
+                goto err;
+        if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, &copy->ex_data,
+            &sess->ex_data))
+                goto err;
+        /* Omit prev/next: the new session gets its own slot in the cache. */
+        copy->not_resumable = sess->not_resumable;
+        CBS_init(&cbs, sess->tlsext_ecpointformatlist,
+            sess->tlsext_ecpointformatlist_length);
+        if (!CBS_stow(&cbs, &copy->tlsext_ecpointformatlist,
+            &copy->tlsext_ecpointformatlist_length))
+                goto err;
+        if (sess->tlsext_supportedgroups != NULL) {
+                if ((copy->tlsext_supportedgroups = calloc(sizeof(uint16_t),
+                    sess->tlsext_supportedgroups_length)) == NULL)
+                        goto err;
+                memcpy(copy->tlsext_supportedgroups,
+                    sess->tlsext_supportedgroups,
+                    sizeof(uint16_t) * sess->tlsext_supportedgroups_length);
+                copy->tlsext_supportedgroups_length =
+                    sess->tlsext_supportedgroups_length;
+        }
+        return copy;
+ err:
+        SSL_SESSION_free(copy);
+        return NULL;
+}
 const unsigned char *
 SSL_SESSION_get_id(const SSL_SESSION *ss, unsigned int *len)
 {
author	tb <>	2022-10-20 15:22:51 +0000
committer	tb <>	2022-10-20 15:22:51 +0000
commit	2eb5ecc0e85a8e912093ea091e01062b9f248743 (patch)
tree	4d9d553629fe11145cfba0462caaeaad44995a65 /src
parent	47209472cf3275a516b2c41cd92de3e922851222 (diff)
download	openbsd-2eb5ecc0e85a8e912093ea091e01062b9f248743.tar.gz openbsd-2eb5ecc0e85a8e912093ea091e01062b9f248743.tar.bz2 openbsd-2eb5ecc0e85a8e912093ea091e01062b9f248743.zip

diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 1ddc5e0d5c..42ae429074 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_locl.h,v 1.428 2022/10/20 15:20:27 tb Exp $ */	1	/* $OpenBSD: ssl_locl.h,v 1.429 2022/10/20 15:22:51 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1313,6 +1313,7 @@ int ssl_security_cert_chain(const SSL ssl, STACK_OF(X509) sk,
1313	int ssl_security_shared_group(const SSL *ssl, uint16_t group_id);	1313	int ssl_security_shared_group(const SSL *ssl, uint16_t group_id);
1314	int ssl_security_supported_group(const SSL *ssl, uint16_t group_id);	1314	int ssl_security_supported_group(const SSL *ssl, uint16_t group_id);
1315		1315
		1316	SSL_SESSION ssl_session_dup(SSL_SESSION src, int include_ticket);
1316	int ssl_get_new_session(SSL *s, int session);	1317	int ssl_get_new_session(SSL *s, int session);
1317	int ssl_get_prev_session(SSL s, CBS session_id, CBS *ext_block,	1318	int ssl_get_prev_session(SSL s, CBS session_id, CBS *ext_block,
1318	int *alert);	1319	int *alert);


diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c index 39e8b3353a..dcf9b103da 100644 --- a/src/lib/libssl/ssl_sess.c +++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_sess.c,v 1.119 2022/10/20 15:21:22 tb Exp $ */	1	/* $OpenBSD: ssl_sess.c,v 1.120 2022/10/20 15:22:51 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -242,6 +242,111 @@ SSL_SESSION_new(void)
242	return (ss);	242	return (ss);
243	}	243	}
244		244
		245	SSL_SESSION *
		246	ssl_session_dup(SSL_SESSION *sess, int include_ticket)
		247	{
		248	SSL_SESSION *copy;
		249	CBS cbs;
		250
		251	if ((copy = calloc(1, sizeof(*copy))) == NULL) {
		252	SSLerrorx(ERR_R_MALLOC_FAILURE);
		253	goto err;
		254	}
		255
		256	copy->ssl_version = sess->ssl_version;
		257
		258	CBS_init(&cbs, sess->master_key, sess->master_key_length);
		259	if (!CBS_write_bytes(&cbs, copy->master_key, sizeof(copy->master_key),
		260	&copy->master_key_length))
		261	goto err;
		262
		263	CBS_init(&cbs, sess->session_id, sess->session_id_length);
		264	if (!CBS_write_bytes(&cbs, copy->session_id, sizeof(copy->session_id),
		265	&copy->session_id_length))
		266	goto err;
		267
		268	CBS_init(&cbs, sess->sid_ctx, sess->sid_ctx_length);
		269	if (!CBS_write_bytes(&cbs, copy->sid_ctx, sizeof(copy->sid_ctx),
		270	&copy->sid_ctx_length))
		271	goto err;
		272
		273	if (sess->peer_cert != NULL) {
		274	if (!X509_up_ref(sess->peer_cert))
		275	goto err;
		276	copy->peer_cert = sess->peer_cert;
		277	}
		278	copy->peer_cert_type = sess->peer_cert_type;
		279
		280	copy->verify_result = sess->verify_result;
		281
		282	copy->timeout = sess->timeout;
		283	copy->time = sess->time;
		284	copy->references = 1;
		285
		286	copy->cipher = sess->cipher;
		287	copy->cipher_id = sess->cipher_id;
		288
		289	if (sess->ciphers != NULL) {
		290	if ((copy->ciphers = sk_SSL_CIPHER_dup(sess->ciphers)) == NULL)
		291	goto err;
		292	}
		293
		294	if (sess->tlsext_hostname != NULL) {
		295	copy->tlsext_hostname = strdup(sess->tlsext_hostname);
		296	if (copy->tlsext_hostname == NULL)
		297	goto err;
		298	}
		299
		300	if (include_ticket) {
		301	CBS_init(&cbs, sess->tlsext_tick, sess->tlsext_ticklen);
		302	if (!CBS_stow(&cbs, &copy->tlsext_tick, &copy->tlsext_ticklen))
		303	goto err;
		304	copy->tlsext_tick_lifetime_hint =
		305	sess->tlsext_tick_lifetime_hint;
		306
		307	/*
		308	* XXX - copy sess->resumption_master_secret and all other
		309	* TLSv1.3 info here.
		310	*/
		311	}
		312
		313	if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, copy,
		314	&copy->ex_data))
		315	goto err;
		316
		317	if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, &copy->ex_data,
		318	&sess->ex_data))
		319	goto err;
		320
		321	/* Omit prev/next: the new session gets its own slot in the cache. */
		322
		323	copy->not_resumable = sess->not_resumable;
		324
		325	CBS_init(&cbs, sess->tlsext_ecpointformatlist,
		326	sess->tlsext_ecpointformatlist_length);
		327	if (!CBS_stow(&cbs, &copy->tlsext_ecpointformatlist,
		328	&copy->tlsext_ecpointformatlist_length))
		329	goto err;
		330
		331	if (sess->tlsext_supportedgroups != NULL) {
		332	if ((copy->tlsext_supportedgroups = calloc(sizeof(uint16_t),
		333	sess->tlsext_supportedgroups_length)) == NULL)
		334	goto err;
		335	memcpy(copy->tlsext_supportedgroups,
		336	sess->tlsext_supportedgroups,
		337	sizeof(uint16_t) * sess->tlsext_supportedgroups_length);
		338	copy->tlsext_supportedgroups_length =
		339	sess->tlsext_supportedgroups_length;
		340	}
		341
		342	return copy;
		343
		344	err:
		345	SSL_SESSION_free(copy);
		346
		347	return NULL;
		348	}
		349
245	const unsigned char *	350	const unsigned char *
246	SSL_SESSION_get_id(const SSL_SESSION ss, unsigned int len)	351	SSL_SESSION_get_id(const SSL_SESSION ss, unsigned int len)
247	{	352	{