summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/lib/libssl/ssl_locl.h9
-rw-r--r--src/lib/libssl/ssl_sess.c19
-rw-r--r--src/lib/libssl/ssl_srvr.c5
-rw-r--r--src/lib/libssl/t1_lib.c38
4 files changed, 36 insertions, 35 deletions
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index b895de1fd3..c3c762a5fa 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.246 2019/04/22 14:49:42 jsing Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.247 2019/04/22 15:12:20 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1096,8 +1096,7 @@ int ssl_cert_add1_chain_cert(CERT *c, X509 *cert);
1096SESS_CERT *ssl_sess_cert_new(void); 1096SESS_CERT *ssl_sess_cert_new(void);
1097void ssl_sess_cert_free(SESS_CERT *sc); 1097void ssl_sess_cert_free(SESS_CERT *sc);
1098int ssl_get_new_session(SSL *s, int session); 1098int ssl_get_new_session(SSL *s, int session);
1099int ssl_get_prev_session(SSL *s, const unsigned char *session_id, 1099int ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block);
1100 int session_id_len, CBS *ext_block);
1101int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b); 1100int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b);
1102SSL_CIPHER *OBJ_bsearch_ssl_cipher_id(SSL_CIPHER *key, SSL_CIPHER const *base, 1101SSL_CIPHER *OBJ_bsearch_ssl_cipher_id(SSL_CIPHER *key, SSL_CIPHER const *base,
1103 int num); 1102 int num);
@@ -1327,8 +1326,8 @@ int ssl_check_clienthello_tlsext_early(SSL *s);
1327int ssl_check_clienthello_tlsext_late(SSL *s); 1326int ssl_check_clienthello_tlsext_late(SSL *s);
1328int ssl_check_serverhello_tlsext(SSL *s); 1327int ssl_check_serverhello_tlsext(SSL *s);
1329 1328
1330int tls1_process_ticket(SSL *s, const unsigned char *session_id, 1329int tls1_process_ticket(SSL *s, CBS *session_id, CBS *ext_block,
1331 int session_id_len, CBS *ext_block, SSL_SESSION **ret); 1330 SSL_SESSION **ret);
1332 1331
1333long ssl_get_algorithm2(SSL *s); 1332long ssl_get_algorithm2(SSL *s);
1334 1333
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index 7e8a1bc670..16b4b75bc4 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_sess.c,v 1.84 2019/04/04 14:32:49 jsing Exp $ */ 1/* $OpenBSD: ssl_sess.c,v 1.85 2019/04/22 15:12:20 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -435,8 +435,7 @@ sess_id_done:
435 * to 1 if the server should issue a new session ticket (to 0 otherwise). 435 * to 1 if the server should issue a new session ticket (to 0 otherwise).
436 */ 436 */
437int 437int
438ssl_get_prev_session(SSL *s, const unsigned char *session_id, 438ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block)
439 int session_id_len, CBS *ext_block)
440{ 439{
441 SSL_SESSION *ret = NULL; 440 SSL_SESSION *ret = NULL;
442 int fatal = 0; 441 int fatal = 0;
@@ -445,14 +444,14 @@ ssl_get_prev_session(SSL *s, const unsigned char *session_id,
445 444
446 /* This is used only by servers. */ 445 /* This is used only by servers. */
447 446
448 if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) 447 if (CBS_len(session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH)
449 goto err; 448 goto err;
450 449
451 if (session_id_len == 0) 450 if (CBS_len(session_id) == 0)
452 try_session_cache = 0; 451 try_session_cache = 0;
453 452
454 /* Sets s->internal->tlsext_ticket_expected. */ 453 /* Sets s->internal->tlsext_ticket_expected. */
455 r = tls1_process_ticket(s, session_id, session_id_len, ext_block, &ret); 454 r = tls1_process_ticket(s, session_id, ext_block, &ret);
456 switch (r) { 455 switch (r) {
457 case -1: /* Error during processing */ 456 case -1: /* Error during processing */
458 fatal = 1; 457 fatal = 1;
@@ -474,9 +473,11 @@ ssl_get_prev_session(SSL *s, const unsigned char *session_id,
474 !(s->session_ctx->internal->session_cache_mode & 473 !(s->session_ctx->internal->session_cache_mode &
475 SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) { 474 SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) {
476 SSL_SESSION data; 475 SSL_SESSION data;
476
477 data.ssl_version = s->version; 477 data.ssl_version = s->version;
478 data.session_id_length = session_id_len; 478 data.session_id_length = CBS_len(session_id);
479 memcpy(data.session_id, session_id, session_id_len); 479 memcpy(data.session_id, CBS_data(session_id),
480 CBS_len(session_id));
480 481
481 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); 482 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
482 ret = lh_SSL_SESSION_retrieve(s->session_ctx->internal->sessions, &data); 483 ret = lh_SSL_SESSION_retrieve(s->session_ctx->internal->sessions, &data);
@@ -496,7 +497,7 @@ ssl_get_prev_session(SSL *s, const unsigned char *session_id,
496 int copy = 1; 497 int copy = 1;
497 498
498 if ((ret = s->session_ctx->internal->get_session_cb(s, 499 if ((ret = s->session_ctx->internal->get_session_cb(s,
499 session_id, session_id_len, &copy))) { 500 CBS_data(session_id), CBS_len(session_id), &copy))) {
500 s->session_ctx->internal->stats.sess_cb_hit++; 501 s->session_ctx->internal->stats.sess_cb_hit++;
501 502
502 /* 503 /*
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 0a53343058..809f589653 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_srvr.c,v 1.67 2019/04/22 14:49:42 jsing Exp $ */ 1/* $OpenBSD: ssl_srvr.c,v 1.68 2019/04/22 15:12:20 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -913,8 +913,7 @@ ssl3_get_client_hello(SSL *s)
913 913
914 CBS_dup(&cbs, &ext_block); 914 CBS_dup(&cbs, &ext_block);
915 915
916 i = ssl_get_prev_session(s, CBS_data(&session_id), 916 i = ssl_get_prev_session(s, &session_id, &ext_block);
917 CBS_len(&session_id), &ext_block);
918 if (i == 1) { /* previous session */ 917 if (i == 1) { /* previous session */
919 s->internal->hit = 1; 918 s->internal->hit = 1;
920 } else if (i == -1) 919 } else if (i == -1)
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index b8aa989413..6af6d77edd 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_lib.c,v 1.158 2019/04/22 14:49:42 jsing Exp $ */ 1/* $OpenBSD: t1_lib.c,v 1.159 2019/04/22 15:12:20 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -122,9 +122,8 @@
122#include "ssl_sigalgs.h" 122#include "ssl_sigalgs.h"
123#include "ssl_tlsext.h" 123#include "ssl_tlsext.h"
124 124
125static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 125static int tls_decrypt_ticket(SSL *s, CBS *session_id,
126 const unsigned char *sess_id, int sesslen, 126 const unsigned char *tick, int ticklen, SSL_SESSION **psess);
127 SSL_SESSION **psess);
128 127
129SSL3_ENC_METHOD TLSv1_enc_data = { 128SSL3_ENC_METHOD TLSv1_enc_data = {
130 .enc = tls1_enc, 129 .enc = tls1_enc,
@@ -759,8 +758,7 @@ ssl_check_serverhello_tlsext(SSL *s)
759 * ClientHello, and other operations depend on the result, we need to handle 758 * ClientHello, and other operations depend on the result, we need to handle
760 * any TLS session ticket extension at the same time. 759 * any TLS session ticket extension at the same time.
761 * 760 *
762 * session_id: points at the session ID in the ClientHello. 761 * session_id: a CBS containing the session ID.
763 * session_id_len: the length of the session ID.
764 * ext_block: a CBS for the ClientHello extensions block. 762 * ext_block: a CBS for the ClientHello extensions block.
765 * ret: (output) on return, if a ticket was decrypted, then this is set to 763 * ret: (output) on return, if a ticket was decrypted, then this is set to
766 * point to the resulting session. 764 * point to the resulting session.
@@ -787,8 +785,7 @@ ssl_check_serverhello_tlsext(SSL *s)
787 * Otherwise, s->internal->tlsext_ticket_expected is set to 0. 785 * Otherwise, s->internal->tlsext_ticket_expected is set to 0.
788 */ 786 */
789int 787int
790tls1_process_ticket(SSL *s, const unsigned char *session_id, int session_id_len, 788tls1_process_ticket(SSL *s, CBS *session_id, CBS *ext_block, SSL_SESSION **ret)
791 CBS *ext_block, SSL_SESSION **ret)
792{ 789{
793 CBS extensions, ext_data; 790 CBS extensions, ext_data;
794 uint16_t ext_type = 0; 791 uint16_t ext_type = 0;
@@ -845,8 +842,8 @@ tls1_process_ticket(SSL *s, const unsigned char *session_id, int session_id_len,
845 return 2; 842 return 2;
846 } 843 }
847 844
848 r = tls_decrypt_ticket(s, CBS_data(&ext_data), CBS_len(&ext_data), 845 r = tls_decrypt_ticket(s, session_id, CBS_data(&ext_data),
849 session_id, session_id_len, ret); 846 CBS_len(&ext_data), ret);
850 switch (r) { 847 switch (r) {
851 case 2: /* ticket couldn't be decrypted */ 848 case 2: /* ticket couldn't be decrypted */
852 s->internal->tlsext_ticket_expected = 1; 849 s->internal->tlsext_ticket_expected = 1;
@@ -863,10 +860,9 @@ tls1_process_ticket(SSL *s, const unsigned char *session_id, int session_id_len,
863 860
864/* tls_decrypt_ticket attempts to decrypt a session ticket. 861/* tls_decrypt_ticket attempts to decrypt a session ticket.
865 * 862 *
863 * session_id: a CBS containing the session ID.
866 * etick: points to the body of the session ticket extension. 864 * etick: points to the body of the session ticket extension.
867 * eticklen: the length of the session tickets extenion. 865 * eticklen: the length of the session tickets extenion.
868 * sess_id: points at the session ID.
869 * sesslen: the length of the session ID.
870 * psess: (output) on return, if a ticket was decrypted, then this is set to 866 * psess: (output) on return, if a ticket was decrypted, then this is set to
871 * point to the resulting session. 867 * point to the resulting session.
872 * 868 *
@@ -877,10 +873,11 @@ tls1_process_ticket(SSL *s, const unsigned char *session_id, int session_id_len,
877 * 4: same as 3, but the ticket needs to be renewed. 873 * 4: same as 3, but the ticket needs to be renewed.
878 */ 874 */
879static int 875static int
880tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, 876tls_decrypt_ticket(SSL *s, CBS *session_id, const unsigned char *etick,
881 const unsigned char *sess_id, int sesslen, SSL_SESSION **psess) 877 int eticklen, SSL_SESSION **psess)
882{ 878{
883 SSL_SESSION *sess; 879 SSL_SESSION *sess = NULL;
880 size_t session_id_len = 0;
884 unsigned char *sdec = NULL; 881 unsigned char *sdec = NULL;
885 const unsigned char *p; 882 const unsigned char *p;
886 int slen, mlen, renew_ticket = 0; 883 int slen, mlen, renew_ticket = 0;
@@ -988,10 +985,14 @@ tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
988 * the ticket has been accepted. So we copy it to the session structure. 985 * the ticket has been accepted. So we copy it to the session structure.
989 * If it is empty set length to zero as required by standard. 986 * If it is empty set length to zero as required by standard.
990 */ 987 */
991 if (sesslen) 988 if (!CBS_write_bytes(session_id, sess->session_id,
992 memcpy(sess->session_id, sess_id, sesslen); 989 sizeof(sess->session_id), &session_id_len))
993 sess->session_id_length = sesslen; 990 goto err;
991 sess->session_id_length = (unsigned int)session_id_len;
992
994 *psess = sess; 993 *psess = sess;
994 sess = NULL;
995
995 if (renew_ticket) 996 if (renew_ticket)
996 ret = 4; 997 ret = 4;
997 else 998 else
@@ -1006,6 +1007,7 @@ tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1006 free(sdec); 1007 free(sdec);
1007 HMAC_CTX_cleanup(&hctx); 1008 HMAC_CTX_cleanup(&hctx);
1008 EVP_CIPHER_CTX_cleanup(&ctx); 1009 EVP_CIPHER_CTX_cleanup(&ctx);
1010 SSL_SESSION_free(sess);
1009 1011
1010 if (ret == 2) 1012 if (ret == 2)
1011 ERR_clear_error(); 1013 ERR_clear_error();
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-27 13:03:03 +0000