diff options
| author |   tb <tb@openbsd.org> | 2020-09-01 12:40:53 +0000 |
|---|---|---|
| committer | tb <tb@openbsd.org> | 2020-09-01 12:40:53 +0000 |
| commit | a4c79661a3826ee6a0afe7906e2001ec3c25318e (patch) | |
| tree | 9c018ab34e0dd6f6d313d1fdd8256b9e624e6448 /lib/libssl/ssl_sess.c | |
| parent | Fix build with -fno-common (default in clang 11) (diff) | |
| download | wireguard-openbsd-a4c79661a3826ee6a0afe7906e2001ec3c25318e.tar.xz wireguard-openbsd-a4c79661a3826ee6a0afe7906e2001ec3c25318e.zip | |
copy session id directly in ssl_get_prev_session
ssl_get_prev_session() hands the session id down to tls_decrypt_ticket()
which then copies it into the session pointer that it is about to return.
It's a lot simpler to retrieve the session pointer and copy the session id
inside ssl_get_prev_session().
Also, 'goto err' directly in TLS1_TICKET_NOT_DECRYPTED instead of skipping
a couple of long if clauses before doing so.
ok inoguchi jsing
Diffstat (limited to 'lib/libssl/ssl_sess.c')
| -rw-r--r-- | lib/libssl/ssl_sess.c | 19 |
1 files changed, 16 insertions, 3 deletions
diff --git a/lib/libssl/ssl_sess.c b/lib/libssl/ssl_sess.c index b953580d652..460c5d85f1f 100644 --- a/lib/libssl/ssl_sess.c +++ b/lib/libssl/ssl_sess.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sess.c,v 1.91 2020/09/01 06:05:09 tb Exp $ */ +/* $OpenBSD: ssl_sess.c,v 1.92 2020/09/01 12:40:53 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -420,7 +420,6 @@ ssl_get_new_session(SSL *s, int session) * session_id: points at the session ID in the ClientHello. This code will * read past the end of this in order to parse out the session ticket * extension, if any. - * session_id_len: the length of the session ID. * ext_block: a CBS for the ClientHello extensions block. * * Returns: @@ -438,6 +437,7 @@ int ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block, int *alert) { SSL_SESSION *sess = NULL; + size_t session_id_len; int alert_desc = SSL_AD_INTERNAL_ERROR, fatal = 0; int try_session_cache = 1; @@ -450,7 +450,7 @@ ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block, int *alert) try_session_cache = 0; /* Sets s->internal->tlsext_ticket_expected. */ - switch (tls1_process_ticket(s, session_id, ext_block, &alert_desc, &sess)) { + switch (tls1_process_ticket(s, ext_block, &alert_desc, &sess)) { case TLS1_TICKET_FATAL_ERROR: fatal = 1; goto err; @@ -458,8 +458,21 @@ ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block, int *alert) case TLS1_TICKET_EMPTY: break; /* Ok to carry on processing session id. */ case TLS1_TICKET_NOT_DECRYPTED: + try_session_cache = 0; + goto err; case TLS1_TICKET_DECRYPTED: try_session_cache = 0; + + /* + * The session ID is used by some clients to detect that the + * ticket has been accepted so we copy it into sess. + */ + if (!CBS_write_bytes(session_id, sess->session_id, + sizeof(sess->session_id), &session_id_len)) { + fatal = 1; + goto err; + } + sess->session_id_length = (unsigned int)session_id_len; break; default: SSLerror(s, ERR_R_INTERNAL_ERROR); |