diff options
author | Matt Caswell <matt@openssl.org> | 2017-02-24 12:45:37 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2017-03-02 17:44:15 +0000 |
commit | f637004037a11bc04682f54571e3ff11d48d8e36 (patch) | |
tree | 8a8e9d34511fd8800c054e9ee24ff7e4d45813be /ssl/ssl_asn1.c | |
parent | a832b5ef7a6080a6a66d1135c80c9aaf5570fc02 (diff) |
Only accept early_data if the negotiated ALPN is the same
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
Diffstat (limited to 'ssl/ssl_asn1.c')
-rw-r--r-- | ssl/ssl_asn1.c | 24 |
1 files changed, 20 insertions, 4 deletions
diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c index 705db16470..856db205ef 100644 --- a/ssl/ssl_asn1.c +++ b/ssl/ssl_asn1.c @@ -66,6 +66,7 @@ typedef struct { #endif long flags; uint32_t max_early_data; + ASN1_OCTET_STRING *alpn_selected; } SSL_SESSION_ASN1; ASN1_SEQUENCE(SSL_SESSION_ASN1) = { @@ -93,7 +94,8 @@ ASN1_SEQUENCE(SSL_SESSION_ASN1) = { #endif ASN1_EXP_OPT(SSL_SESSION_ASN1, flags, ZLONG, 13), ASN1_EXP_OPT(SSL_SESSION_ASN1, tlsext_tick_age_add, ZLONG, 14), - ASN1_EXP_OPT(SSL_SESSION_ASN1, max_early_data, ZLONG, 15) + ASN1_EXP_OPT(SSL_SESSION_ASN1, max_early_data, ZLONG, 15), + ASN1_EXP_OPT(SSL_SESSION_ASN1, alpn_selected, ASN1_OCTET_STRING, 16) } static_ASN1_SEQUENCE_END(SSL_SESSION_ASN1) IMPLEMENT_STATIC_ASN1_ENCODE_FUNCTIONS(SSL_SESSION_ASN1) @@ -134,16 +136,14 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) ASN1_OCTET_STRING comp_id; unsigned char comp_id_data; #endif - ASN1_OCTET_STRING tlsext_hostname, tlsext_tick; - #ifndef OPENSSL_NO_SRP ASN1_OCTET_STRING srp_username; #endif - #ifndef OPENSSL_NO_PSK ASN1_OCTET_STRING psk_identity, psk_identity_hint; #endif + ASN1_OCTET_STRING alpn_selected; long l; @@ -207,6 +207,12 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) as.flags = in->flags; as.max_early_data = in->ext.max_early_data; + if (in->ext.alpn_selected == NULL) + as.alpn_selected = NULL; + else + ssl_session_oinit(&as.alpn_selected, &alpn_selected, + in->ext.alpn_selected, in->ext.alpn_selected_len); + return i2d_SSL_SESSION_ASN1(&as, pp); } @@ -362,6 +368,16 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, ret->flags = as->flags; ret->ext.max_early_data = as->max_early_data; + if (as->alpn_selected != NULL) { + if (!ssl_session_strndup((char **)&ret->ext.alpn_selected, + as->alpn_selected)) + goto err; + ret->ext.alpn_selected_len = as->alpn_selected->length; + } else { + ret->ext.alpn_selected = NULL; + ret->ext.alpn_selected_len = 0; + } + M_ASN1_free_of(as, SSL_SESSION_ASN1); if ((a != NULL) && (*a == NULL)) |