Diffstat (limited to '')
-rw-r--r-- | src/lib/libssl/t1_lib.c | 26 |
1 files changed, 5 insertions, 21 deletions
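--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.173 2020/09/01 05:38:48 tb Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.174 2020/09/01 12:40:53 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -122,7 +122,7 @@
 #include "ssl_sigalgs.h"
 #include "ssl_tlsext.h"
 
-static int tls_decrypt_ticket(SSL *s, CBS *session_id, CBS *ticket, int *alert,
+static int tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert,
 SSL_SESSION **psess);
 
 SSL3_ENC_METHOD TLSv1_enc_data = {
@@ -755,7 +755,6 @@ ssl_check_serverhello_tlsext(SSL *s)
 * ClientHello, and other operations depend on the result, we need to handle
 * any TLS session ticket extension at the same time.
 *
-* session_id: a CBS containing the session ID.
 * ext_block: a CBS for the ClientHello extensions block.
 * ret: (output) on return, if a ticket was decrypted, then this is set to
 * point to the resulting session.
@@ -783,8 +782,7 @@ ssl_check_serverhello_tlsext(SSL *s)
 * Otherwise, s->internal->tlsext_ticket_expected is set to 0.
 */
 int
-tls1_process_ticket(SSL *s, CBS *session_id, CBS *ext_block, int *alert,
-SSL_SESSION **ret)
+tls1_process_ticket(SSL *s, CBS *ext_block, int *alert, SSL_SESSION **ret)
 {
 CBS extensions, ext_data;
 uint16_t ext_type = 0;
@@ -844,12 +842,11 @@ tls1_process_ticket(SSL *s, CBS *session_id, CBS *ext_block, int *alert,
 return TLS1_TICKET_NOT_DECRYPTED;
 }
 
-return tls_decrypt_ticket(s, session_id, &ext_data, alert, ret);
+return tls_decrypt_ticket(s, &ext_data, alert, ret);
 }
 
 /* tls_decrypt_ticket attempts to decrypt a session ticket.
 *
-* session_id: a CBS containing the session ID.
 * ticket: a CBS containing the body of the session ticket extension.
 * psess: (output) on return, if a ticket was decrypted, then this is set to
 * point to the resulting session.
@@ -860,14 +857,12 @@ tls1_process_ticket(SSL *s, CBS *session_id, CBS *ext_block, int *alert,
 * TLS1_TICKET_DECRYPTED: a ticket was decrypted and *psess was set.
 */
 static int
-tls_decrypt_ticket(SSL *s, CBS *session_id, CBS *ticket, int *alert,
-SSL_SESSION **psess)
+tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess)
 {
 CBS ticket_name, ticket_iv, ticket_encdata, ticket_hmac;
 SSL_SESSION *sess = NULL;
 unsigned char *sdec = NULL;
 size_t sdec_len = 0;
-size_t session_id_len;
 const unsigned char *p;
 unsigned char hmac[EVP_MAX_MD_SIZE];
 HMAC_CTX *hctx = NULL;
@@ -990,17 +985,6 @@ tls_decrypt_ticket(SSL *s, CBS *session_id, CBS *ticket, int *alert,
 p = sdec;
 if ((sess = d2i_SSL_SESSION(NULL, &p, slen)) == NULL)
 goto derr;
-
-/*
-* The session ID, if non-empty, is used by some clients to detect that
-* the ticket has been accepted. So we copy it to the session structure.
-* If it is empty set length to zero as required by standard.
-*/
-if (!CBS_write_bytes(session_id, sess->session_id,
-sizeof(sess->session_id), &session_id_len))
-goto err;
-sess->session_id_length = (unsigned int)session_id_len;
-
 *psess = sess;
 sess = NULL;
 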
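Review bot: With the copy block at the end of tls_decrypt_ticket removed, the session returned through `*psess` keeps whatever session_id `d2i_SSL_SESSION` decoded from the ticket, and nothing visible in this file replaces it with the ClientHello value any more. The removed `CBS_write_bytes(session_id, sess->session_id, sizeof(sess->session_id), &session_id_len)` call was also the length bound on the client-supplied ID, so whichever caller now performs that step (presumably outside this file, not shown on this page) needs an equivalent size check and failure path. The header comments of both tls1_process_ticket and tls_decrypt_ticket dropped the `session_id` parameter line but do not state the new contract; I would add a line such as ` * The caller is responsible for setting the session ID of the returned session.` to each. The body of tls_decrypt_ticket continues outside the hunks shown.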