diff options
| author | Matt Caswell <matt@openssl.org> | 2017-01-19 15:01:55 +0000 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2017-01-30 10:18:22 +0000 |
| commit | 534a43ffeaec03e50768ccf84d431f96f11256e3 (patch) | |
| tree | b13507098f77003ce9bbb64955ec8b0b38918462 | |
| parent | 4086b42b2d58773bee8463f69eee4bf8c299b589 (diff) | |
Always ensure that session->cipher is set
If we have deserialized the SSL_SESSION then in some circumstances the
session->cipher value is NULL. We were patching up in some places but not
in others. We should just do it as part of loading the SSL_SESSION.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
| -rw-r--r-- | ssl/ssl_asn1.c | 4 | ||||
| -rw-r--r-- | ssl/ssl_ciph.c | 11 | ||||
| -rw-r--r-- | ssl/ssl_locl.h | 1 | ||||
| -rw-r--r-- | ssl/ssl_sess.c | 18 | ||||
| -rw-r--r-- | ssl/statem/extensions_clnt.c | 6 | ||||
| -rw-r--r-- | ssl/statem/extensions_srvr.c | 2 |
6 files changed, 12 insertions, 30 deletions
diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c index ced6a51f4b..568f41ff5b 100644 --- a/ssl/ssl_asn1.c +++ b/ssl/ssl_asn1.c @@ -284,8 +284,10 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, p = as->cipher->data; id = 0x03000000L | ((unsigned long)p[0] << 8L) | (unsigned long)p[1]; - ret->cipher = NULL; ret->cipher_id = id; + ret->cipher = ssl3_get_cipher_by_id(id); + if (ret->cipher == NULL) + goto err; if (!ssl_session_memcpy(ret->session_id, &ret->session_id_length, as->session_id, SSL3_MAX_SSL_SESSION_ID_LENGTH)) diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index d4145ba5da..88b99cca14 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -2018,14 +2018,3 @@ int ssl_cipher_get_overhead(const SSL_CIPHER *c, size_t *mac_overhead, return 1; } - -const EVP_MD *ssl_cipher_get_handshake_md(int cipher_id) -{ - const SSL_CIPHER *cipher = ssl3_get_cipher_by_id(cipher_id); - if (cipher == NULL) { - /* Don't recognise this cipher */ - return NULL; - } - - return ssl_md(cipher->algorithm2); -} diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 64019fe0aa..a59683bdff 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -1956,7 +1956,6 @@ __owur int ssl_cipher_get_overhead(const SSL_CIPHER *c, size_t *mac_overhead, __owur int ssl_cipher_get_cert_index(const SSL_CIPHER *c); __owur const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl, const unsigned char *ptr); -__owur const EVP_MD *ssl_cipher_get_handshake_md(int cipher_id); __owur int ssl_cert_set0_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain); __owur int ssl_cert_set1_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain); __owur int ssl_cert_add0_chain_cert(SSL *s, SSL_CTX *ctx, X509 *x); diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index c28a5e1b3f..77c917f38a 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -91,6 +91,9 @@ SSL_SESSION *SSL_SESSION_new(void) { SSL_SESSION *ss; + if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL)) + return NULL; + ss = OPENSSL_zalloc(sizeof(*ss)); if (ss == NULL) { SSLerr(SSL_F_SSL_SESSION_NEW, ERR_R_MALLOC_FAILURE); @@ -586,21 +589,6 @@ int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello) goto err; } - if (ret->cipher == NULL) { - unsigned char buf[5], *p; - unsigned long l; - - p = buf; - l = ret->cipher_id; - l2n(l, p); - if ((ret->ssl_version >> 8) >= SSL3_VERSION_MAJOR) - ret->cipher = ssl_get_cipher_by_char(s, &(buf[2])); - else - ret->cipher = ssl_get_cipher_by_char(s, &(buf[1])); - if (ret->cipher == NULL) - goto err; - } - if (ret->timeout < (long)(time(NULL) - ret->time)) { /* timeout */ s->session_ctx->stats.sess_timeout++; if (try_session_cache) { diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index c17901a954..368f1968d8 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -717,7 +717,11 @@ int tls_construct_ctos_psk(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx, */ agems += s->session->ext.tick_age_add; - md = ssl_cipher_get_handshake_md(s->session->cipher_id); + if (s->session->cipher == NULL) { + SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, ERR_R_INTERNAL_ERROR); + goto err; + } + md = ssl_md(s->session->cipher->algorithm2); if (md == NULL) { /* Don't recognise this cipher so we can't use the session. Ignore it */ return 1; diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 5a5d846e04..088dcbc3b6 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -712,7 +712,7 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al) if (ret == TICKET_NO_DECRYPT) continue; - md = ssl_cipher_get_handshake_md(sess->cipher_id); + md = ssl_md(sess->cipher->algorithm2); if (md == NULL) { /* * Don't recognise this cipher so we can't use the session. |