author | 2015-01-16 14:34:51 +0000 | |
---|---|---|
committer | 2015-01-16 14:34:51 +0000 | |
commit | 31413d7e14c4bb6e451ce431ebff2b807d8f72f8 (patch) | |
tree | 8312b1551f84838b8b3a3075afc5522b4e2372d3 /lib | |
parent | Tweak previous: Do not put punctuation on its own line, put it at the end (diff) | |
The SSL/TLS session ID context is limited to 32 bytes. Instead of
using the name of the relayd relay or smtpd pki, use a 32-byte arc4random
buffer that should be unique for the context. This fixes an issue in
OpenSMTPD where a long pki name could break the configuration.
OK gilles@ benno@
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libtls/tls_server.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/lib/libtls/tls_server.c b/lib/libtls/tls_server.c
index 001f19ded4d..514148bd936 100644
--- a/lib/libtls/tls_server.c
+++ b/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.1 2014/10/31 13:46:17 jsing Exp $ */
+/* $OpenBSD: tls_server.c,v 1.2 2015/01/16 14:34:51 reyk Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -51,6 +51,7 @@ int
 tls_configure_server(struct tls *ctx)
 {
 EC_KEY *ecdh_key;
+ unsigned char sid[SSL_MAX_SSL_SESSION_ID_LENGTH];
 if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) {
 tls_set_error(ctx, "ssl context failure");
@@ -75,6 +76,17 @@ tls_configure_server(struct tls *ctx)
 EC_KEY_free(ecdh_key);
 }
+ /*
+ * Set session ID context to a random value. We don't support
+ * persistent caching of sessions so it is OK to set a temporary
+ * session ID context that is valid during run time.
+ */
+ arc4random_buf(sid, sizeof(sid));
+ if (!SSL_CTX_set_session_id_context(ctx->ssl_ctx, sid, sizeof(sid))) {
+ tls_set_error(ctx, "failed to set session id context");
+ goto err;
+ }
+
 return (0);
 err: |
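Review bot: The comment above `arc4random_buf(sid, sizeof(sid))` could state the consequence of a random context more precisely: the value is regenerated on every call to tls_configure_server, so a session cached under one configured SSL_CTX is not resumable under another (a restart, a re-configure, or a sibling process that configures its own context), and the value is an identity tag rather than a secret, with arc4random used only to make it unique. Appending `* Regenerated per SSL_CTX, so sessions resume only within this process lifetime; the value is not secret, only unique.` to the block comment would make that explicit for callers of libtls. `sid` is sized by SSL_MAX_SSL_SESSION_ID_LENGTH, presumably the 32-byte limit the description refers to, so `sizeof(sid)` cannot exceed what SSL_CTX_set_session_id_context accepts. The `err:` cleanup reached by `goto err` lies outside the hunk, so whether it releases the SSL_CTX created earlier in tls_configure_server cannot be confirmed here.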