diff options
| author |   jsing <jsing@openbsd.org> | 2018-08-27 16:42:48 +0000 |
|---|---|---|
| committer | jsing <jsing@openbsd.org> | 2018-08-27 16:42:48 +0000 |
| commit | 12fe7be032d9773f215e29e6d37815f9da949ef4 (patch) | |
| tree | 33fcf1260ddbe801064b1a3132062a275bf19662 /lib/libssl/ssl_asn1.c | |
| parent | Rename struct kd -> kcov_dev. The terse name was initially fine since it wasn't (diff) | |
| download | wireguard-openbsd-12fe7be032d9773f215e29e6d37815f9da949ef4.tar.xz wireguard-openbsd-12fe7be032d9773f215e29e6d37815f9da949ef4.zip | |
Simplify new session ticket encoding/generation.
The original code did a crazy encode/malloc/encode/decode/modify/encode
dance, in order to encode a session in the form needed to encrypt then add
to a session ticket. By modifying the encoding functions slightly, we can
do this entire dance as a single encode.
Inspired by similar changes in BoringSSL.
ok inoguchi@ tb@
Diffstat (limited to 'lib/libssl/ssl_asn1.c')
| -rw-r--r-- | lib/libssl/ssl_asn1.c | 69 |
1 files changed, 49 insertions, 20 deletions
diff --git a/lib/libssl/ssl_asn1.c b/lib/libssl/ssl_asn1.c index 0ca442faa0c..94fc8685fc9 100644 --- a/lib/libssl/ssl_asn1.c +++ b/lib/libssl/ssl_asn1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_asn1.c,v 1.56 2018/03/20 16:10:57 jsing Exp $ */ +/* $OpenBSD: ssl_asn1.c,v 1.57 2018/08/27 16:42:48 jsing Exp $ */ /* * Copyright (c) 2016 Joel Sing <jsing@openbsd.org> * @@ -44,23 +44,16 @@ time_max(void) return 0; } -int -i2d_SSL_SESSION(SSL_SESSION *s, unsigned char **pp) +static int +SSL_SESSION_encode(SSL_SESSION *s, unsigned char **out, size_t *out_len, + int ticket_encoding) { CBB cbb, session, cipher_suite, session_id, master_key, time, timeout; - CBB peer_cert, sidctx, verify_result, hostname, lifetime, ticket; - CBB value; - unsigned char *data = NULL, *peer_cert_bytes = NULL; - size_t data_len = 0; - int len, rv = -1; + CBB peer_cert, sidctx, verify_result, hostname, lifetime, ticket, value; + unsigned char *peer_cert_bytes = NULL; + int len, rv = 0; uint16_t cid; - if (s == NULL) - return (0); - - if (s->cipher == NULL && s->cipher_id == 0) - return (0); - if (!CBB_init(&cbb, 0)) goto err; @@ -87,10 +80,11 @@ i2d_SSL_SESSION(SSL_SESSION *s, unsigned char **pp) if (!CBB_add_u16(&cipher_suite, cid)) goto err; - /* Session ID. */ + /* Session ID - zero length for a ticket. */ if (!CBB_add_asn1(&session, &session_id, CBS_ASN1_OCTETSTRING)) goto err; - if (!CBB_add_bytes(&session_id, s->session_id, s->session_id_length)) + if (!CBB_add_bytes(&session_id, s->session_id, + ticket_encoding ? 0 : s->session_id_length)) goto err; /* Master key. */ @@ -173,7 +167,7 @@ i2d_SSL_SESSION(SSL_SESSION *s, unsigned char **pp) } /* Ticket [10]. */ - if (s->tlsext_tick) { + if (s->tlsext_tick != NULL) { if (!CBB_add_asn1(&session, &ticket, SSLASN1_TICKET_TAG)) goto err; if (!CBB_add_asn1(&ticket, &value, CBS_ASN1_OCTETSTRING)) @@ -185,7 +179,44 @@ i2d_SSL_SESSION(SSL_SESSION *s, unsigned char **pp) /* Compression method [11]. */ /* SRP username [12]. */ - if (!CBB_finish(&cbb, &data, &data_len)) + if (!CBB_finish(&cbb, out, out_len)) + goto err; + + rv = 1; + + err: + CBB_cleanup(&cbb); + free(peer_cert_bytes); + + return rv; +} + +int +SSL_SESSION_ticket(SSL_SESSION *ss, unsigned char **out, size_t *out_len) +{ + if (ss == NULL) + return 0; + + if (ss->cipher == NULL && ss->cipher_id == 0) + return 0; + + return SSL_SESSION_encode(ss, out, out_len, 1); +} + +int +i2d_SSL_SESSION(SSL_SESSION *ss, unsigned char **pp) +{ + unsigned char *data = NULL; + size_t data_len = 0; + int rv = -1; + + if (ss == NULL) + return 0; + + if (ss->cipher == NULL && ss->cipher_id == 0) + return 0; + + if (!SSL_SESSION_encode(ss, &data, &data_len, 0)) goto err; if (data_len > INT_MAX) @@ -204,9 +235,7 @@ i2d_SSL_SESSION(SSL_SESSION *s, unsigned char **pp) rv = (int)data_len; err: - CBB_cleanup(&cbb); freezero(data, data_len); - free(peer_cert_bytes); return rv; } |