diff options
-rw-r--r-- | lib/libssl/ssl_locl.h | 9 | ||||
-rw-r--r-- | lib/libssl/ssl_sess.c | 16 | ||||
-rw-r--r-- | lib/libssl/t1_lib.c | 73 |
3 files changed, 51 insertions, 47 deletions
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h index 036c1dacb28..18ff5b0c30d 100644 --- a/lib/libssl/ssl_locl.h +++ b/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.285 2020/08/31 14:04:51 tb Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.286 2020/08/31 14:34:01 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1397,6 +1397,13 @@ int ssl_check_clienthello_tlsext_early(SSL *s); int ssl_check_clienthello_tlsext_late(SSL *s); int ssl_check_serverhello_tlsext(SSL *s); +#define TLS1_TICKET_FATAL_ERROR -1 +#define TLS1_TICKET_NONE 0 +#define TLS1_TICKET_EMPTY 1 +#define TLS1_TICKET_NOT_DECRYPTED 2 +#define TLS1_TICKET_DECRYPTED 3 +#define TLS1_TICKET_DECRYPTED_RENEW 4 + int tls1_process_ticket(SSL *s, CBS *session_id, CBS *ext_block, int *alert, SSL_SESSION **ret); diff --git a/lib/libssl/ssl_sess.c b/lib/libssl/ssl_sess.c index 827360176b0..9e8edd93e89 100644 --- a/lib/libssl/ssl_sess.c +++ b/lib/libssl/ssl_sess.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sess.c,v 1.86 2020/08/31 14:04:51 tb Exp $ */ +/* $OpenBSD: ssl_sess.c,v 1.87 2020/08/31 14:34:01 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -440,7 +440,6 @@ ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block, int *alert) SSL_SESSION *ret = NULL; int alert_desc = SSL_AD_INTERNAL_ERROR, fatal = 0; int try_session_cache = 1; - int r; /* This is used only by servers. */ @@ -451,16 +450,15 @@ ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block, int *alert) try_session_cache = 0; /* Sets s->internal->tlsext_ticket_expected. */ - r = tls1_process_ticket(s, session_id, ext_block, &alert_desc, &ret); - switch (r) { - case -1: /* Error during processing */ + switch (tls1_process_ticket(s, session_id, ext_block, &alert_desc, &ret)) { + case TLS1_TICKET_FATAL_ERROR: fatal = 1; goto err; - case 0: /* No ticket found */ - case 1: /* Zero length ticket found */ + case TLS1_TICKET_NONE: + case TLS1_TICKET_EMPTY: break; /* Ok to carry on processing session id. */ - case 2: /* Ticket found but not decrypted. */ - case 3: /* Ticket decrypted, *ret has been set. */ + case TLS1_TICKET_NOT_DECRYPTED: + case TLS1_TICKET_DECRYPTED: try_session_cache = 0; break; default: diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c index 59146eb767a..b0fc630236b 100644 --- a/lib/libssl/t1_lib.c +++ b/lib/libssl/t1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_lib.c,v 1.170 2020/08/31 14:04:51 tb Exp $ */ +/* $OpenBSD: t1_lib.c,v 1.171 2020/08/31 14:34:01 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -765,13 +765,14 @@ ssl_check_serverhello_tlsext(SSL *s) * never be decrypted, nor will s->internal->tlsext_ticket_expected be set to 1. * * Returns: - * -1: fatal error, either from parsing or decrypting the ticket. - * 0: no ticket was found (or was ignored, based on settings). - * 1: a zero length extension was found, indicating that the client supports - * session tickets but doesn't currently have one to offer. - * 2: either s->internal->tls_session_secret_cb was set, or a ticket was offered but - * couldn't be decrypted because of a non-fatal error. - * 3: a ticket was successfully decrypted and *ret was set. + * TLS1_TICKET_FATAL_ERROR: error from parsing or decrypting the ticket. + * TLS1_TICKET_NONE: no ticket was found (or was ignored, based on settings). + * TLS1_TICKET_EMPTY: a zero length extension was found, indicating that the + * client supports session tickets but doesn't currently have one to offer. + * TLS1_TICKET_NOT_DECRYPTED: either s->internal->tls_session_secret_cb was + * set, or a ticket was offered but couldn't be decrypted because of a + * non-fatal error. + * TLS1_TICKET_DECRYPTED: a ticket was successfully decrypted and *ret was set. * * Side effects: * Sets s->internal->tlsext_ticket_expected to 1 if the server will have to issue @@ -787,7 +788,6 @@ tls1_process_ticket(SSL *s, CBS *session_id, CBS *ext_block, int *alert, { CBS extensions, ext_data; uint16_t ext_type = 0; - int r; s->internal->tlsext_ticket_expected = 0; *ret = NULL; @@ -797,25 +797,25 @@ tls1_process_ticket(SSL *s, CBS *session_id, CBS *ext_block, int *alert, * resumption. */ if (SSL_get_options(s) & SSL_OP_NO_TICKET) - return 0; + return TLS1_TICKET_NONE; /* * An empty extensions block is valid, but obviously does not contain * a session ticket. */ if (CBS_len(ext_block) == 0) - return 0; + return TLS1_TICKET_NONE; if (!CBS_get_u16_length_prefixed(ext_block, &extensions)) { *alert = SSL_AD_DECODE_ERROR; - return -1; + return TLS1_TICKET_FATAL_ERROR; } while (CBS_len(&extensions) > 0) { if (!CBS_get_u16(&extensions, &ext_type) || !CBS_get_u16_length_prefixed(&extensions, &ext_data)) { *alert = SSL_AD_DECODE_ERROR; - return -1; + return TLS1_TICKET_FATAL_ERROR; } if (ext_type == TLSEXT_TYPE_session_ticket) @@ -823,7 +823,7 @@ tls1_process_ticket(SSL *s, CBS *session_id, CBS *ext_block, int *alert, } if (ext_type != TLSEXT_TYPE_session_ticket) - return 0; + return TLS1_TICKET_NONE; if (CBS_len(&ext_data) == 0) { /* @@ -831,7 +831,7 @@ tls1_process_ticket(SSL *s, CBS *session_id, CBS *ext_block, int *alert, * have one. */ s->internal->tlsext_ticket_expected = 1; - return 1; + return TLS1_TICKET_EMPTY; } if (s->internal->tls_session_secret_cb != NULL) { @@ -841,21 +841,20 @@ tls1_process_ticket(SSL *s, CBS *session_id, CBS *ext_block, int *alert, * handshake based on external mechanism to calculate the master * secret later. */ - return 2; + return TLS1_TICKET_NOT_DECRYPTED; } - r = tls_decrypt_ticket(s, session_id, &ext_data, alert, ret); - switch (r) { - case 2: /* ticket couldn't be decrypted */ + switch (tls_decrypt_ticket(s, session_id, &ext_data, alert, ret)) { + case TLS1_TICKET_NOT_DECRYPTED: s->internal->tlsext_ticket_expected = 1; - return 2; - case 3: /* ticket was decrypted */ - return r; - case 4: /* ticket decrypted but need to renew */ + return TLS1_TICKET_NOT_DECRYPTED; + case TLS1_TICKET_DECRYPTED: + return TLS1_TICKET_DECRYPTED; + case TLS1_TICKET_DECRYPTED_RENEW: s->internal->tlsext_ticket_expected = 1; - return 3; - default: /* fatal error */ - return -1; + return TLS1_TICKET_DECRYPTED; + default: + return TLS1_TICKET_FATAL_ERROR; } } @@ -867,10 +866,10 @@ tls1_process_ticket(SSL *s, CBS *session_id, CBS *ext_block, int *alert, * point to the resulting session. * * Returns: - * -1: fatal error, either from parsing or decrypting the ticket. - * 2: the ticket couldn't be decrypted. - * 3: a ticket was successfully decrypted and *psess was set. - * 4: same as 3, but the ticket needs to be renewed. + * TLS1_TICKET_FATAL_ERROR: error from parsing or decrypting the ticket. + * TLS1_TICKET_NOT_DECRYPTED: the ticket couldn't be decrypted. + * TLS1_TICKET_DECRYPTED: a ticket was decrypted and *psess was set. + * TLS1_TICKET_DECRYPTED_RENEW: same as 3, but the ticket needs to be renewed. */ static int tls_decrypt_ticket(SSL *s, CBS *session_id, CBS *ticket, int *alert, @@ -887,9 +886,9 @@ tls_decrypt_ticket(SSL *s, CBS *session_id, CBS *ticket, int *alert, EVP_CIPHER_CTX *cctx = NULL; SSL_CTX *tctx = s->initial_ctx; int slen, hlen; - int renew_ticket = 0; - int ret = -1; int alert_desc = SSL_AD_INTERNAL_ERROR; + int renew_ticket = 0; + int ret = TLS1_TICKET_FATAL_ERROR; *psess = NULL; @@ -1018,19 +1017,19 @@ tls_decrypt_ticket(SSL *s, CBS *session_id, CBS *ticket, int *alert, sess = NULL; if (renew_ticket) - ret = 4; + ret = TLS1_TICKET_DECRYPTED_RENEW; else - ret = 3; + ret = TLS1_TICKET_DECRYPTED; goto done; derr: - ret = 2; + ret = TLS1_TICKET_NOT_DECRYPTED; goto done; err: *alert = alert_desc; - ret = -1; + ret = TLS1_TICKET_FATAL_ERROR; goto done; done: @@ -1039,7 +1038,7 @@ tls_decrypt_ticket(SSL *s, CBS *session_id, CBS *ticket, int *alert, HMAC_CTX_free(hctx); SSL_SESSION_free(sess); - if (ret == 2) + if (ret == TLS1_TICKET_NOT_DECRYPTED) ERR_clear_error(); return ret; |