summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/lib/libssl/t1_lib.c82
1 files changed, 43 insertions, 39 deletions
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 2421227c8a..75c936abc7 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_lib.c,v 1.156 2019/04/21 14:38:32 jsing Exp $ */ 1/* $OpenBSD: t1_lib.c,v 1.157 2019/04/21 14:41:30 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -790,7 +790,9 @@ int
790tls1_process_ticket(SSL *s, const unsigned char *session_id, int session_id_len, 790tls1_process_ticket(SSL *s, const unsigned char *session_id, int session_id_len,
791 CBS *ext_block, SSL_SESSION **ret) 791 CBS *ext_block, SSL_SESSION **ret)
792{ 792{
793 CBS extensions; 793 CBS extensions, ext_data;
794 uint16_t ext_type = 0;
795 int r;
794 796
795 s->internal->tlsext_ticket_expected = 0; 797 s->internal->tlsext_ticket_expected = 0;
796 *ret = NULL; 798 *ret = NULL;
@@ -813,48 +815,50 @@ tls1_process_ticket(SSL *s, const unsigned char *session_id, int session_id_len,
813 return -1; 815 return -1;
814 816
815 while (CBS_len(&extensions) > 0) { 817 while (CBS_len(&extensions) > 0) {
816 uint16_t ext_type;
817 CBS ext_data;
818
819 if (!CBS_get_u16(&extensions, &ext_type) || 818 if (!CBS_get_u16(&extensions, &ext_type) ||
820 !CBS_get_u16_length_prefixed(&extensions, &ext_data)) 819 !CBS_get_u16_length_prefixed(&extensions, &ext_data))
821 return -1; 820 return -1;
822 821
823 if (ext_type == TLSEXT_TYPE_session_ticket) { 822 if (ext_type == TLSEXT_TYPE_session_ticket)
824 int r; 823 break;
825 if (CBS_len(&ext_data) == 0) { 824 }
826 /* The client will accept a ticket but doesn't 825
827 * currently have one. */ 826 if (ext_type != TLSEXT_TYPE_session_ticket)
828 s->internal->tlsext_ticket_expected = 1; 827 return 0;
829 return 1; 828
830 } 829 if (CBS_len(&ext_data) == 0) {
831 if (s->internal->tls_session_secret_cb != NULL) { 830 /*
832 /* Indicate that the ticket couldn't be 831 * The client will accept a ticket but does not currently
833 * decrypted rather than generating the session 832 * have one.
834 * from ticket now, trigger abbreviated 833 */
835 * handshake based on external mechanism to 834 s->internal->tlsext_ticket_expected = 1;
836 * calculate the master secret later. */ 835 return 1;
837 return 2; 836 }
838 } 837
839 838 if (s->internal->tls_session_secret_cb != NULL) {
840 r = tls_decrypt_ticket(s, CBS_data(&ext_data), 839 /*
841 CBS_len(&ext_data), session_id, session_id_len, ret); 840 * Indicate that the ticket could not be decrypted rather than
842 841 * generating the session from ticket now, trigger abbreviated
843 switch (r) { 842 * handshake based on external mechanism to calculate the master
844 case 2: /* ticket couldn't be decrypted */ 843 * secret later.
845 s->internal->tlsext_ticket_expected = 1; 844 */
846 return 2; 845 return 2;
847 case 3: /* ticket was decrypted */ 846 }
848 return r; 847
849 case 4: /* ticket decrypted but need to renew */ 848 r = tls_decrypt_ticket(s, CBS_data(&ext_data), CBS_len(&ext_data),
850 s->internal->tlsext_ticket_expected = 1; 849 session_id, session_id_len, ret);
851 return 3; 850 switch (r) {
852 default: /* fatal error */ 851 case 2: /* ticket couldn't be decrypted */
853 return -1; 852 s->internal->tlsext_ticket_expected = 1;
854 } 853 return 2;
855 } 854 case 3: /* ticket was decrypted */
855 return r;
856 case 4: /* ticket decrypted but need to renew */
857 s->internal->tlsext_ticket_expected = 1;
858 return 3;
859 default: /* fatal error */
860 return -1;
856 } 861 }
857 return 0;
858} 862}
859 863
860/* tls_decrypt_ticket attempts to decrypt a session ticket. 864/* tls_decrypt_ticket attempts to decrypt a session ticket.
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-21 18:05:07 +0000