projects
/
openssl.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
PACKETise NewSessionTicket
[openssl.git]
/
ssl
/
s3_clnt.c
diff --git
a/ssl/s3_clnt.c
b/ssl/s3_clnt.c
index dedbfea6fed2554725c5529cca40f42eb288d93b..13942930b9b0bfcd1bd15e6abbc27299338166f6 100644
(file)
--- a/
ssl/s3_clnt.c
+++ b/
ssl/s3_clnt.c
@@
-2174,10
+2174,10
@@
static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
int ssl3_get_new_session_ticket(SSL *s)
{
int ssl3_get_new_session_ticket(SSL *s)
{
- int ok, al, ret = 0, ticklen;
+ int ok, al, ret = 0;
+ unsigned int ticklen;
long n;
long n;
- const unsigned char *p;
- unsigned char *d;
+ PACKET pkt;
n = s->method->ssl_get_message(s,
SSL3_ST_CR_SESSION_TICKET_A,
n = s->method->ssl_get_message(s,
SSL3_ST_CR_SESSION_TICKET_A,
@@
-2187,15
+2187,12
@@
int ssl3_get_new_session_ticket(SSL *s)
if (!ok)
return ((int)n);
if (!ok)
return ((int)n);
- if (n < 6) {
- /* need at least ticket_lifetime_hint + ticket length */
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
+ if (!PACKET_buf_init(&pkt, s->init_msg, n)) {
+ al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
goto f_err;
}
goto f_err;
}
- p = d = (unsigned char *)s->init_msg;
-
if (s->session->session_id_length > 0) {
int i = s->session_ctx->session_cache_mode;
SSL_SESSION *new_sess;
if (s->session->session_id_length > 0) {
int i = s->session_ctx->session_cache_mode;
SSL_SESSION *new_sess;
@@
-2227,10
+2224,9
@@
int ssl3_get_new_session_ticket(SSL *s)
s->session = new_sess;
}
s->session = new_sess;
}
- n2l(p, s->session->tlsext_tick_lifetime_hint);
- n2s(p, ticklen);
- /* ticket_lifetime_hint + ticket_length + ticket */
- if (ticklen + 6 != n) {
+ if (!PACKET_get_net_4(&pkt, &s->session->tlsext_tick_lifetime_hint)
+ || !PACKET_get_net_2(&pkt, &ticklen)
+ || PACKET_remaining(&pkt) != ticklen) {
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
goto f_err;
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
goto f_err;
@@
-2242,7
+2238,11
@@
int ssl3_get_new_session_ticket(SSL *s)
SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
goto err;
}
SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
goto err;
}
- memcpy(s->session->tlsext_tick, p, ticklen);
+ if (!PACKET_copy_bytes(&pkt, s->session->tlsext_tick, ticklen)) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
+ goto f_err;
+ }
s->session->tlsext_ticklen = ticklen;
/*
* There are two ways to detect a resumed ticket session. One is to set
s->session->tlsext_ticklen = ticklen;
/*
* There are two ways to detect a resumed ticket session. One is to set
@@
-2255,7
+2255,7
@@
int ssl3_get_new_session_ticket(SSL *s)
* elsewhere in OpenSSL. The session ID is set to the SHA256 (or SHA1 is
* SHA256 is disabled) hash of the ticket.
*/
* elsewhere in OpenSSL. The session ID is set to the SHA256 (or SHA1 is
* SHA256 is disabled) hash of the ticket.
*/
- EVP_Digest(
p
, ticklen,
+ EVP_Digest(
s->session->tlsext_tick
, ticklen,
s->session->session_id, &s->session->session_id_length,
EVP_sha256(), NULL);
ret = 1;
s->session->session_id, &s->session->session_id_length,
EVP_sha256(), NULL);
ret = 1;