author | Matt Caswell <matt@openssl.org> | 2017-06-20 14:25:38 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2017-06-21 14:45:36 +0100 |
commit | 011d768aba675ed3efa4b8484eb6a14d78c27f12 (patch) | |
tree | d25b07efeedc4bc2ae2d616a22989379d5b60b72 | |
parent | 725b0f1e133495acc35378bd6304ec1d401a761c (diff) |
Fix some bugs in the TLSv1.3 PSK code
Found while developing the PSK tests
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3670)
-rw-r--r-- | ssl/statem/extensions_clnt.c | 5 | ||||
-rw-r--r-- | ssl/statem/extensions_srvr.c | 11 |
2 files changed, 13 insertions, 3 deletions
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 5733a114ff..d4af0329f3 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -898,7 +898,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
 goto err;
 }
- if (s->hello_retry_request && mdres != handmd) {
+ if (s->hello_retry_request && mdpsk != handmd) {
 /*
 * Selected ciphersuite hash does not match the hash for the PSK
 * session. This is an application bug.
@@ -971,12 +971,15 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
 if (dores)
 s->session->ext.tick_identity = 0;
+ SSL_SESSION_free(s->psksession);
 s->psksession = psksess;
 if (psksess != NULL)
 s->psksession->ext.tick_identity = (dores ? 1 : 0);
+ psksess = NULL;
 ret = EXT_RETURN_SENT;
 err:
+ SSL_SESSION_free(psksess);
 return ret;
 #else
 return 1;
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 4e65320df2..3da9f556e9 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -713,8 +713,15 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
 }
 if (s->psk_find_session_cb != NULL
- && s->psk_find_session_cb(s, PACKET_data(&identity),
- PACKET_remaining(&identity), &sess)) {
+ && !s->psk_find_session_cb(s, PACKET_data(&identity),
+ PACKET_remaining(&identity),
+ &sess)) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ return 0;
+ }
+
+ if (sess != NULL) {
+ /* We found a PSK */
 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
 if (sesstmp == NULL) { |
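Review bot: The `SSL_SESSION_free(psksess)` added at `err:` assumes psksess is a reference this function owns at every `goto err` above it, including the hash-mismatch path earlier in tls_construct_ctos_psk whose body starts outside this hunk; if the use-session callback that produced psksess hands back a borrowed pointer rather than one it up-ref'd, this free drops a reference the application still holds. The same assumption underlies `SSL_SESSION_free(s->psksession)` just before the assignment: on a second ClientHello after HelloRetryRequest psksess may alias the session already stored in s->psksession, which is only safe if psksess carries its own reference. I would record the contract at the point where ownership changes hands, e.g. `/* psksess is our own reference (callback must up_ref); it now belongs to s->psksession, so clear it or err: would double free */` above `psksess = NULL;`. Both points are inferred from the visible lines only — confirm them against the callback's documented ownership rules.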
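Review bot: The new `if (sess != NULL)` test reads sess on paths that never wrote it — when psk_find_session_cb is NULL the whole first condition short-circuits — so the hunk now depends on sess being initialised to NULL at its declaration, which lies above the hunk (tls_parse_ctos_psk starts outside it); that should be verified rather than assumed, since an uninitialised read here would feed a garbage pointer into ssl_session_dup. The rewritten condition also makes the callback's return value load-bearing: 0 is now a fatal SSL_AD_INTERNAL_ERROR, so an application must report an unrecognised identity as `1` with `*sess == NULL` to let the handshake continue without the PSK; a comment at the call site would keep the two from being conflated, e.g. `/* 0 from the callback means internal failure (fatal); an unknown identity is success with sess == NULL */`. If a failing callback could have stored a session before returning 0, that reference is leaked on the new `return 0` path — either the callback contract forbids it, or `SSL_SESSION_free(sess)` belongs before the return.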