summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl_sess.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Prepare to provide SSL_SESSION_{set,get}_max_early_data()tb2020-09-191-1/+13
| | | | | | | Since we do not support 0-RTT, these are noops. Some software expects this API to be available if TLS1_3_VERSION is defined. ok beck jsing
* Simplify SSL method lookups.jsing2020-09-171-4/+2
| | | | | | | | | There are three places where we call tls1_get_{client,server}_method() and if that returns NULL, call dtls1_get_{client,server}_method(). Simplify this by combining the lookup into a single function. While here also use uint16_t for version types. ok inoguchi@ millert@
* Cleanup and simplify SSL_set_session().jsing2020-09-141-36/+22
| | | | | | | | | | SSL_set_ssl_method() checks to see if the method is already the same, so we do not need to do this check in three different places. Switch to dtls1_get_client_method()/tls1_get_client_method() to find the method - this is a slight change in behaviour, however there is not much point trying to resume a session on something other than a client. ok beck@
* KNF and comment tweakstb2020-09-021-8/+10
|
* Zero out data to avoid leaving stack garbage in the tail oftb2020-09-011-1/+3
| | | | | | | the session id in case the copied session id is shorter than SSL_MAX_SESSION_ID_LENGTH. long standing bug pointed out by jsing
* The bumping of sess_cb_hit stats can wait until handling oftb2020-09-011-4/+3
| | | | get_session_cb is completed.
* In the explanatory comment of ssl_get_prev_session fix the spelling oftb2020-09-011-5/+6
| | | | the function name, document alert and make it fit into 80 columns.
* Split session retrieval out of ssl_get_prev_session()tb2020-09-011-78/+92
| | | | | | | | | | | | | | | | In case the session ticket was empty or missing, an attempt is made to retrieve the session from the internal cache or via a callback. This code can easily be flattened a bit and factored into two functions. I decided to wrap those into a third function to make the call from the switch easier on the eye. I could have kept the try_session_cache flag, but it now seems rather pointless and awkwardly named anyway, so I took its negation and named it ticket_decrypted. To top things off, a little bit of polish in the exit path. ok beck inoguchi jsing (with the usual healthy dose of nits)
* copy session id directly in ssl_get_prev_sessiontb2020-09-011-3/+16
| | | | | | | | | | | | ssl_get_prev_session() hands the session id down to tls_decrypt_ticket() which then copies it into the session pointer that it is about to return. It's a lot simpler to retrieve the session pointer and copy the session id inside ssl_get_prev_session(). Also, 'goto err' directly in TLS1_TICKET_NOT_DECRYPTED instead of skipping a couple of long if clauses before doing so. ok inoguchi jsing
* indent the only other label in this filetb2020-09-011-2/+2
|
* Indent label and remove dangling elsetb2020-09-011-4/+4
|
* Zap NULL check before SSL_SESSION_free()tb2020-09-011-3/+2
|
* Rename the session pointer ret to sesstb2020-09-011-25/+25
| | | | | | ret is a confusing name for a pointer in a function that returns int. ret is only returned in the sense that it ultimately replaces the current s->session on success.
* Return code tweaks for session ticket handlerstb2020-08-311-9/+7
| | | | | | | | In tls1_process_ticket() and tls_decrypt_ticket() use #defines with descriptive names instead of hardcoding -1 1 2 3 4 and occasionally explaining the magic numbers with comments. ok beck inoguchi
* Send alert on ssl_get_prev_session failuretb2020-08-311-6/+7
| | | | | | | | | | | | ssl_get_prev_session() can fail for various reasons some of which may be internal_error others decode_error alerts. Propagate the appropriate alert up to the caller so we can abort the handshake by sending a fatal alert instead of rudely closing the pipe. Currently only 28 of 292 test cases of tlsfuzzer's test-extension.py pass. With this diff, 272 pass. The rest will require fixes elsewhere. ok beck inoguchi jsing
* Pass the session ID down to the session/ticket handling code as a CBS.jsing2019-04-221-9/+10
| | | | | | | | | Convert ssl_get_prev_session(), tls1_process_ticket() and tls1_decrypt_ticket() to handle the session ID from the client hello as a CBS. While here also swap the order of arguments for tls1_decrypt_ticket() so that it is consistent with the other functions. ok tb@
* This case also needs to be fatal.jsing2019-04-041-1/+2
|
* mark ERR_R_INTERNAL_ERROR instead of assert or _exit, sighderaadt2019-04-011-3/+3
|
* do not call assert(), which has a tendency to leave traces of stuff inderaadt2019-03-241-2/+3
| | | | | | corefiles. Instead call OPENSSL_assert(), which has recently been trained to do this in a safer (if more awkward to debug) way. discussed with jsing and beck a while back
* Simplify session ticket parsing/handling.jsing2018-08-241-11/+11
| | | | | | | | | | | | The original implementation is rather crazy and means that we effectively have two lots of code that parse a ClientHello and two lots of code that parse TLS extensions. Partially simplify this by passing a CBS containing the extension block through to the session handling functions, removing the need to reimplement the ClientHello parsing. While here standarise on naming for session_id and session_id_len. ok inoguchi@ tb@
* OpenSSL started adding const to functions all over the place. Make alltb2018-04-251-4/+4
| | | | | | | | our libssl functions match theirs wrt const, except for BIO_f_ssl(3) which will be fixed in a later step. this went through a i386 bulk by sthen ok jsing
* Provide SSL_SESSION_set1_id()tb2018-03-201-1/+14
| | | | ok jsing
* Bring in compatibility for OpenSSL 1.1 style init functions.beck2018-03-171-1/+6
| | | | | | | | | This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well thread safety modifications for the existing LibreSSL init functions. The initialization routines are called automatically by the normal entry points into the library, as in newer OpenSSL ok jsing@, nits by tb@ and deraadt@
* Provide SSL_SESSION_get_ticket_lifetime_hint() andtb2018-03-171-1/+13
| | | | | | SSL_SESSION_has_ticket() ok jsing
* SSL_SESSION_get_protocol_version() takes a const SSL_SESSION *.tb2018-03-171-2/+2
| | | | | | Noted by schwarze@ ok jsing@
* Provide SSL_SESSION_get0_id_context().jsing2018-03-171-6/+14
|
* Provide SSL_SESSION_up_ref().jsing2018-02-221-1/+8
|
* Provide SSL_SESSION_get_protocol_version()tb2018-02-201-1/+7
| | | | ok jsing
* Provide SSL_SESSION_get_master_key()jsing2018-02-171-1/+18
|
* Use freezero() for the internal opaque structures, instead of the currentjsing2017-04-101-6/+3
| | | | explicit_bzero()/free(). Less code and potentially less overhead.
* Change SSLerror() back to taking two args, with the first one being an SSL *.beck2017-02-071-15/+15
| | | | | | | | | Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened. (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL * ok jsing@ after us both being prodded by bluhm@ to make it not terrible
* Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the uglybeck2017-01-261-23/+12
| | | | line wraps that resulted
* Send the error function codes to rot in the depths of hell where they belongbeck2017-01-261-15/+15
| | | | | | | We leave a single funciton code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
* Add support for setting the supported EC curves viajsing2017-01-241-4/+4
| | | | | | | | | | | | | SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous SSL{_CTX}_set1_curves{_list} names. This also changes the default list of EC curves to be X25519, P-256 and P-384. If you want others (such a brainpool) you need to configure this yourself. Inspired by parts of BoringSSL and OpenSSL. ok beck@
* sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same fromjsing2017-01-241-3/+2
| | | | the callers.
* ssl_sess_cert_free() checks for NULL, so do not bother doing it at thejsing2017-01-241-3/+6
| | | | call sites.
* There is no point in zeroing fields that exist within a struct that isjsing2017-01-241-3/+1
| | | | about to be explicit_bzero'd and freed.
* Split most of SSL_METHOD out into an internal variant, which is opaque.jsing2017-01-231-4/+3
| | | | Discussed with beck@
* Move a large part of ssl_st into internal, so we can see what squeals.beck2017-01-231-15/+15
| | | | ok jsing@
* Move ex_data, next and prev from SSL_SESSION to internal.jsing2017-01-231-24/+24
| | | | ok beck@
* Move most of the fields in SSL_CTX to internal - the ones that remain arejsing2017-01-231-28/+28
| | | | | | known to be in use. ok beck@
* move the callbacks from ssl_st to internalbeck2017-01-231-7/+7
| | | | ok jsing@
* Move callback function pointers and argument pointers from SSL_CTX tojsing2017-01-231-22/+22
| | | | | | internal. ok beck@
* Move not_resumable and sess_cert from SSL_SESSION to internal.jsing2017-01-231-5/+5
| | | | ok beck@
* Move the stats struct from SSL_CTX to internal.jsing2017-01-231-6/+6
| | | | ok beck@
* Move internal parts of ssl_session_st to internalbeck2017-01-221-9/+9
| | | | ok jsing@
* Convert publically visible structs to translucent structs.jsing2017-01-221-4/+12
| | | | | | | | | | | | | This change adds an internal opaque struct for each of the significant publically visible structs. The opaque struct is then allocated and attached to the publically visible struct when the appropriate *_new() function is called, then cleared and freed as necessary. This will allow for changes to be made to the internals of libssl, without requiring a major bump each time the publically visible structs are modified. ok beck@
* Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FNjsing2016-11-021-5/+11
| | | | macros. Only change in generated assembly is due to line numbering.
* Wrap some >80 char lines.jsing2016-11-021-9/+9
|
* Sort and group functions.jsing2016-09-041-12/+11
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-22 04:46:00 +0000