summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl_asn1.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/ssl_asn1.c167
1 files changed, 130 insertions, 37 deletions
diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c
index 0f9a3489dd..28709978b5 100644
--- a/src/lib/libssl/ssl_asn1.c
+++ b/src/lib/libssl/ssl_asn1.c
@@ -55,6 +55,32 @@
55 * copied and put under another distribution licence 55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.] 56 * [including the GNU Public Licence.]
57 */ 57 */
58/* ====================================================================
59 * Copyright 2005 Nokia. All rights reserved.
60 *
61 * The portions of the attached software ("Contribution") is developed by
62 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
63 * license.
64 *
65 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
66 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
67 * support (see RFC 4279) to OpenSSL.
68 *
69 * No patent licenses or other rights except those expressly stated in
70 * the OpenSSL open source license shall be deemed granted or received
71 * expressly, by implication, estoppel, or otherwise.
72 *
73 * No assurances are provided by Nokia that the Contribution does not
74 * infringe the patent or other intellectual property rights of any third
75 * party or that the license provides you with all the necessary rights
76 * to make use of the Contribution.
77 *
78 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
79 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
80 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
81 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
82 * OTHERWISE.
83 */
58 84
59#include <stdio.h> 85#include <stdio.h>
60#include <stdlib.h> 86#include <stdlib.h>
@@ -68,6 +94,7 @@ typedef struct ssl_session_asn1_st
68 ASN1_INTEGER version; 94 ASN1_INTEGER version;
69 ASN1_INTEGER ssl_version; 95 ASN1_INTEGER ssl_version;
70 ASN1_OCTET_STRING cipher; 96 ASN1_OCTET_STRING cipher;
97 ASN1_OCTET_STRING comp_id;
71 ASN1_OCTET_STRING master_key; 98 ASN1_OCTET_STRING master_key;
72 ASN1_OCTET_STRING session_id; 99 ASN1_OCTET_STRING session_id;
73 ASN1_OCTET_STRING session_id_context; 100 ASN1_OCTET_STRING session_id_context;
@@ -83,18 +110,26 @@ typedef struct ssl_session_asn1_st
83 ASN1_INTEGER tlsext_tick_lifetime; 110 ASN1_INTEGER tlsext_tick_lifetime;
84 ASN1_OCTET_STRING tlsext_tick; 111 ASN1_OCTET_STRING tlsext_tick;
85#endif /* OPENSSL_NO_TLSEXT */ 112#endif /* OPENSSL_NO_TLSEXT */
113#ifndef OPENSSL_NO_PSK
114 ASN1_OCTET_STRING psk_identity_hint;
115 ASN1_OCTET_STRING psk_identity;
116#endif /* OPENSSL_NO_PSK */
86 } SSL_SESSION_ASN1; 117 } SSL_SESSION_ASN1;
87 118
88int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) 119int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
89 { 120 {
90#define LSIZE2 (sizeof(long)*2) 121#define LSIZE2 (sizeof(long)*2)
91 int v1=0,v2=0,v3=0,v4=0,v5=0; 122 int v1=0,v2=0,v3=0,v4=0,v5=0,v7=0,v8=0;
92 unsigned char buf[4],ibuf1[LSIZE2],ibuf2[LSIZE2]; 123 unsigned char buf[4],ibuf1[LSIZE2],ibuf2[LSIZE2];
93 unsigned char ibuf3[LSIZE2],ibuf4[LSIZE2],ibuf5[LSIZE2]; 124 unsigned char ibuf3[LSIZE2],ibuf4[LSIZE2],ibuf5[LSIZE2];
94#ifndef OPENSSL_NO_TLSEXT 125#ifndef OPENSSL_NO_TLSEXT
95 int v6=0,v9=0,v10=0; 126 int v6=0,v9=0,v10=0;
96 unsigned char ibuf6[LSIZE2]; 127 unsigned char ibuf6[LSIZE2];
97#endif 128#endif
129#ifndef OPENSSL_NO_COMP
130 unsigned char cbuf;
131 int v11=0;
132#endif
98 long l; 133 long l;
99 SSL_SESSION_ASN1 a; 134 SSL_SESSION_ASN1 a;
100 M_ASN1_I2D_vars(in); 135 M_ASN1_I2D_vars(in);
@@ -138,6 +173,16 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
138 buf[1]=((unsigned char)(l ))&0xff; 173 buf[1]=((unsigned char)(l ))&0xff;
139 } 174 }
140 175
176#ifndef OPENSSL_NO_COMP
177 if (in->compress_meth)
178 {
179 cbuf = (unsigned char)in->compress_meth;
180 a.comp_id.length = 1;
181 a.comp_id.type = V_ASN1_OCTET_STRING;
182 a.comp_id.data = &cbuf;
183 }
184#endif
185
141 a.master_key.length=in->master_key_length; 186 a.master_key.length=in->master_key_length;
142 a.master_key.type=V_ASN1_OCTET_STRING; 187 a.master_key.type=V_ASN1_OCTET_STRING;
143 a.master_key.data=in->master_key; 188 a.master_key.data=in->master_key;
@@ -162,7 +207,7 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
162 a.krb5_princ.data=in->krb5_client_princ; 207 a.krb5_princ.data=in->krb5_client_princ;
163 } 208 }
164#endif /* OPENSSL_NO_KRB5 */ 209#endif /* OPENSSL_NO_KRB5 */
165 210
166 if (in->time != 0L) 211 if (in->time != 0L)
167 { 212 {
168 a.time.length=LSIZE2; 213 a.time.length=LSIZE2;
@@ -199,12 +244,6 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
199 a.tlsext_tick.length= in->tlsext_ticklen; 244 a.tlsext_tick.length= in->tlsext_ticklen;
200 a.tlsext_tick.type=V_ASN1_OCTET_STRING; 245 a.tlsext_tick.type=V_ASN1_OCTET_STRING;
201 a.tlsext_tick.data=(unsigned char *)in->tlsext_tick; 246 a.tlsext_tick.data=(unsigned char *)in->tlsext_tick;
202 /* If we have a ticket set session ID to empty because
203 * it will be bogus. If liftime hint is -1 treat as a special
204 * case because the session is being used as a container
205 */
206 if (in->tlsext_ticklen && (in->tlsext_tick_lifetime_hint != -1))
207 a.session_id.length=0;
208 } 247 }
209 if (in->tlsext_tick_lifetime_hint > 0) 248 if (in->tlsext_tick_lifetime_hint > 0)
210 { 249 {
@@ -214,6 +253,21 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
214 ASN1_INTEGER_set(&a.tlsext_tick_lifetime,in->tlsext_tick_lifetime_hint); 253 ASN1_INTEGER_set(&a.tlsext_tick_lifetime,in->tlsext_tick_lifetime_hint);
215 } 254 }
216#endif /* OPENSSL_NO_TLSEXT */ 255#endif /* OPENSSL_NO_TLSEXT */
256#ifndef OPENSSL_NO_PSK
257 if (in->psk_identity_hint)
258 {
259 a.psk_identity_hint.length=strlen(in->psk_identity_hint);
260 a.psk_identity_hint.type=V_ASN1_OCTET_STRING;
261 a.psk_identity_hint.data=(unsigned char *)(in->psk_identity_hint);
262 }
263 if (in->psk_identity)
264 {
265 a.psk_identity.length=strlen(in->psk_identity);
266 a.psk_identity.type=V_ASN1_OCTET_STRING;
267 a.psk_identity.data=(unsigned char *)(in->psk_identity);
268 }
269#endif /* OPENSSL_NO_PSK */
270
217 M_ASN1_I2D_len(&(a.version), i2d_ASN1_INTEGER); 271 M_ASN1_I2D_len(&(a.version), i2d_ASN1_INTEGER);
218 M_ASN1_I2D_len(&(a.ssl_version), i2d_ASN1_INTEGER); 272 M_ASN1_I2D_len(&(a.ssl_version), i2d_ASN1_INTEGER);
219 M_ASN1_I2D_len(&(a.cipher), i2d_ASN1_OCTET_STRING); 273 M_ASN1_I2D_len(&(a.cipher), i2d_ASN1_OCTET_STRING);
@@ -242,7 +296,18 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
242 M_ASN1_I2D_len_EXP_opt(&(a.tlsext_tick), i2d_ASN1_OCTET_STRING,10,v10); 296 M_ASN1_I2D_len_EXP_opt(&(a.tlsext_tick), i2d_ASN1_OCTET_STRING,10,v10);
243 if (in->tlsext_hostname) 297 if (in->tlsext_hostname)
244 M_ASN1_I2D_len_EXP_opt(&(a.tlsext_hostname), i2d_ASN1_OCTET_STRING,6,v6); 298 M_ASN1_I2D_len_EXP_opt(&(a.tlsext_hostname), i2d_ASN1_OCTET_STRING,6,v6);
299#ifndef OPENSSL_NO_COMP
300 if (in->compress_meth)
301 M_ASN1_I2D_len_EXP_opt(&(a.comp_id), i2d_ASN1_OCTET_STRING,11,v11);
302#endif
245#endif /* OPENSSL_NO_TLSEXT */ 303#endif /* OPENSSL_NO_TLSEXT */
304#ifndef OPENSSL_NO_PSK
305 if (in->psk_identity_hint)
306 M_ASN1_I2D_len_EXP_opt(&(a.psk_identity_hint), i2d_ASN1_OCTET_STRING,7,v7);
307 if (in->psk_identity)
308 M_ASN1_I2D_len_EXP_opt(&(a.psk_identity), i2d_ASN1_OCTET_STRING,8,v8);
309#endif /* OPENSSL_NO_PSK */
310
246 M_ASN1_I2D_seq_total(); 311 M_ASN1_I2D_seq_total();
247 312
248 M_ASN1_I2D_put(&(a.version), i2d_ASN1_INTEGER); 313 M_ASN1_I2D_put(&(a.version), i2d_ASN1_INTEGER);
@@ -269,16 +334,28 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
269#ifndef OPENSSL_NO_TLSEXT 334#ifndef OPENSSL_NO_TLSEXT
270 if (in->tlsext_hostname) 335 if (in->tlsext_hostname)
271 M_ASN1_I2D_put_EXP_opt(&(a.tlsext_hostname), i2d_ASN1_OCTET_STRING,6,v6); 336 M_ASN1_I2D_put_EXP_opt(&(a.tlsext_hostname), i2d_ASN1_OCTET_STRING,6,v6);
337#endif /* OPENSSL_NO_TLSEXT */
338#ifndef OPENSSL_NO_PSK
339 if (in->psk_identity_hint)
340 M_ASN1_I2D_put_EXP_opt(&(a.psk_identity_hint), i2d_ASN1_OCTET_STRING,7,v7);
341 if (in->psk_identity)
342 M_ASN1_I2D_put_EXP_opt(&(a.psk_identity), i2d_ASN1_OCTET_STRING,8,v8);
343#endif /* OPENSSL_NO_PSK */
344#ifndef OPENSSL_NO_TLSEXT
272 if (in->tlsext_tick_lifetime_hint > 0) 345 if (in->tlsext_tick_lifetime_hint > 0)
273 M_ASN1_I2D_put_EXP_opt(&a.tlsext_tick_lifetime, i2d_ASN1_INTEGER,9,v9); 346 M_ASN1_I2D_put_EXP_opt(&a.tlsext_tick_lifetime, i2d_ASN1_INTEGER,9,v9);
274 if (in->tlsext_tick) 347 if (in->tlsext_tick)
275 M_ASN1_I2D_put_EXP_opt(&(a.tlsext_tick), i2d_ASN1_OCTET_STRING,10,v10); 348 M_ASN1_I2D_put_EXP_opt(&(a.tlsext_tick), i2d_ASN1_OCTET_STRING,10,v10);
276#endif /* OPENSSL_NO_TLSEXT */ 349#endif /* OPENSSL_NO_TLSEXT */
350#ifndef OPENSSL_NO_COMP
351 if (in->compress_meth)
352 M_ASN1_I2D_put_EXP_opt(&(a.comp_id), i2d_ASN1_OCTET_STRING,11,v11);
353#endif
277 M_ASN1_I2D_finish(); 354 M_ASN1_I2D_finish();
278 } 355 }
279 356
280SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, 357SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
281 long length) 358 long length)
282 { 359 {
283 int version,ssl_version=0,i; 360 int version,ssl_version=0,i;
284 long id; 361 long id;
@@ -317,7 +394,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
317 ((unsigned long)os.data[1]<< 8L)| 394 ((unsigned long)os.data[1]<< 8L)|
318 (unsigned long)os.data[2]; 395 (unsigned long)os.data[2];
319 } 396 }
320 else if ((ssl_version>>8) == SSL3_VERSION_MAJOR) 397 else if ((ssl_version>>8) >= SSL3_VERSION_MAJOR)
321 { 398 {
322 if (os.length != 2) 399 if (os.length != 2)
323 { 400 {
@@ -330,15 +407,15 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
330 } 407 }
331 else 408 else
332 { 409 {
333 SSLerr(SSL_F_D2I_SSL_SESSION,SSL_R_UNKNOWN_SSL_VERSION); 410 c.error=SSL_R_UNKNOWN_SSL_VERSION;
334 return(NULL); 411 goto err;
335 } 412 }
336 413
337 ret->cipher=NULL; 414 ret->cipher=NULL;
338 ret->cipher_id=id; 415 ret->cipher_id=id;
339 416
340 M_ASN1_D2I_get_x(ASN1_OCTET_STRING,osp,d2i_ASN1_OCTET_STRING); 417 M_ASN1_D2I_get_x(ASN1_OCTET_STRING,osp,d2i_ASN1_OCTET_STRING);
341 if ((ssl_version>>8) == SSL3_VERSION_MAJOR) 418 if ((ssl_version>>8) >= SSL3_VERSION_MAJOR)
342 i=SSL3_MAX_SSL_SESSION_ID_LENGTH; 419 i=SSL3_MAX_SSL_SESSION_ID_LENGTH;
343 else /* if (ssl_version>>8 == SSL2_VERSION_MAJOR) */ 420 else /* if (ssl_version>>8 == SSL2_VERSION_MAJOR) */
344 i=SSL2_MAX_SSL_SESSION_ID_LENGTH; 421 i=SSL2_MAX_SSL_SESSION_ID_LENGTH;
@@ -422,8 +499,8 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
422 { 499 {
423 if (os.length > SSL_MAX_SID_CTX_LENGTH) 500 if (os.length > SSL_MAX_SID_CTX_LENGTH)
424 { 501 {
425 ret->sid_ctx_length=os.length; 502 c.error=SSL_R_BAD_LENGTH;
426 SSLerr(SSL_F_D2I_SSL_SESSION,SSL_R_BAD_LENGTH); 503 goto err;
427 } 504 }
428 else 505 else
429 { 506 {
@@ -458,6 +535,24 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
458 } 535 }
459 else 536 else
460 ret->tlsext_hostname=NULL; 537 ret->tlsext_hostname=NULL;
538#endif /* OPENSSL_NO_TLSEXT */
539
540#ifndef OPENSSL_NO_PSK
541 os.length=0;
542 os.data=NULL;
543 M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,7);
544 if (os.data)
545 {
546 ret->psk_identity_hint = BUF_strndup((char *)os.data, os.length);
547 OPENSSL_free(os.data);
548 os.data = NULL;
549 os.length = 0;
550 }
551 else
552 ret->psk_identity_hint=NULL;
553#endif /* OPENSSL_NO_PSK */
554
555#ifndef OPENSSL_NO_TLSEXT
461 ai.length=0; 556 ai.length=0;
462 M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,9); 557 M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,9);
463 if (ai.data != NULL) 558 if (ai.data != NULL)
@@ -468,33 +563,31 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
468 else if (ret->tlsext_ticklen && ret->session_id_length) 563 else if (ret->tlsext_ticklen && ret->session_id_length)
469 ret->tlsext_tick_lifetime_hint = -1; 564 ret->tlsext_tick_lifetime_hint = -1;
470 else 565 else
471 ret->tlsext_tick_lifetime_hint = 0; 566 ret->tlsext_tick_lifetime_hint=0;
472 os.length=0; 567 os.length=0;
473 os.data=NULL; 568 os.data=NULL;
474 M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,10); 569 M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,10);
475 if (os.data) 570 if (os.data)
476 { 571 {
477 ret->tlsext_tick = os.data; 572 ret->tlsext_tick = os.data;
478 ret->tlsext_ticklen = os.length; 573 ret->tlsext_ticklen = os.length;
479 os.data = NULL; 574 os.data = NULL;
480 os.length = 0; 575 os.length = 0;
481#if 0 576 }
482 /* There are two ways to detect a resumed ticket sesion.
483 * One is to set a random session ID and then the server
484 * must return a match in ServerHello. This allows the normal
485 * client session ID matching to work.
486 */
487 if (ret->session_id_length == 0)
488 {
489 ret->session_id_length=SSL3_MAX_SSL_SESSION_ID_LENGTH;
490 RAND_pseudo_bytes(ret->session_id,
491 ret->session_id_length);
492 }
493#endif
494 }
495 else 577 else
496 ret->tlsext_tick=NULL; 578 ret->tlsext_tick=NULL;
497#endif /* OPENSSL_NO_TLSEXT */ 579#endif /* OPENSSL_NO_TLSEXT */
580#ifndef OPENSSL_NO_COMP
581 os.length=0;
582 os.data=NULL;
583 M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,11);
584 if (os.data)
585 {
586 ret->compress_meth = os.data[0];
587 OPENSSL_free(os.data);
588 os.data = NULL;
589 }
590#endif
498 591
499 M_ASN1_D2I_Finish(a,SSL_SESSION_free,SSL_F_D2I_SSL_SESSION); 592 M_ASN1_D2I_Finish(a,SSL_SESSION_free,SSL_F_D2I_SSL_SESSION);
500 } 593 }
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-03 21:14:43 +0000