authorEmilia Kasper <emilia@openssl.org>2015-09-30 15:33:12 +0200
committerEmilia Kasper <emilia@openssl.org>2015-10-05 19:03:52 +0200
commitb3e2272c59a5720467045e2ae62940fdb708ce76 (patch)
tree9d61dfbedf4c9b1f7cf0e52fde863c07f8d9963c /ssl/ssl_sess.c
parent2ff00bdbc4aad268e07df82541ff4a16b1f91fe8 (diff)
ssl3_get_client_hello: rearrange logic
Move all packet parsing to the beginning of the method. This limits the SSLv2 compatibility soup to the parsing, and makes the rest of the processing uniform. This is also needed for simpler EMS support: EMS servers need to do an early scan for EMS to make resumption decisions. This'll be easier when the entire ClientHello is parsed in the beginning. As a side effect, 1) PACKETize ssl_get_prev_session and tls1_process_ticket; and 2) Delete dead code for SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG. Reviewed-by: Matt Caswell <matt@openssl.org>
Diffstat (limited to 'ssl/ssl_sess.c')
-rw-r--r--ssl/ssl_sess.c24
1 files changed, 13 insertions, 11 deletions
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 3774db4154..83171f1f9f 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -513,11 +513,8 @@ int ssl_get_new_session(SSL *s, int session)
* ssl_get_prev attempts to find an SSL_SESSION to be used to resume this
* connection. It is only called by servers.
*
- * session_id: points at the session ID in the ClientHello. This code will
- * read past the end of this in order to parse out the session ticket
- * extension, if any.
- * len: the length of the session ID.
- * limit: a pointer to the first byte after the ClientHello.
+ * ext: ClientHello extensions (including length prefix)
+ * session_id: ClientHello session ID.
*
* Returns:
* -1: error
@@ -529,8 +526,7 @@ int ssl_get_new_session(SSL *s, int session)
* - Both for new and resumed sessions, s->tlsext_ticket_expected is set to 1
* if the server should issue a new session ticket (to 0 otherwise).
*/
-int ssl_get_prev_session(SSL *s, PACKET *pkt, unsigned char *session_id,
- int len)
+int ssl_get_prev_session(SSL *s, const PACKET *ext, const PACKET *session_id)
{
/* This is used only by servers. */
@@ -538,15 +534,16 @@ int ssl_get_prev_session(SSL *s, PACKET *pkt, unsigned char *session_id,
int fatal = 0;
int try_session_cache = 1;
int r;
+ size_t len = PACKET_remaining(session_id);
- if (len < 0 || len > SSL_MAX_SSL_SESSION_ID_LENGTH)
+ if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
goto err;
if (len == 0)
try_session_cache = 0;
/* sets s->tlsext_ticket_expected */
- r = tls1_process_ticket(s, pkt, session_id, len, &ret);
+ r = tls1_process_ticket(s, ext, session_id, &ret);
switch (r) {
case -1: /* Error during processing */
fatal = 1;
@@ -571,7 +568,7 @@ int ssl_get_prev_session(SSL *s, PACKET *pkt, unsigned char *session_id,
data.session_id_length = len;
if (len == 0)
return 0;
- memcpy(data.session_id, session_id, len);
+ memcpy(data.session_id, PACKET_data(session_id), len);
CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
ret = lh_SSL_SESSION_retrieve(s->session_ctx->sessions, &data);
if (ret != NULL) {
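Review bot: The `memcpy` into `data.session_id` is safe only because of the `len > SSL_MAX_SSL_SESSION_ID_LENGTH` check earlier in the function (in the previous hunk), and nothing at the copy site records that dependency. Now that `len` comes from `PACKET_remaining(session_id)` rather than a caller-supplied argument, a short comment here would keep the bound visible to anyone who later moves or relaxes that check: `/* len <= SSL_MAX_SSL_SESSION_ID_LENGTH (checked above), so this fits data.session_id */`. The declaration of `data` lies outside the hunk, so the buffer size is assumed to be SSL_MAX_SSL_SESSION_ID_LENGTH and should be confirmed.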
@@ -587,7 +584,12 @@ int ssl_get_prev_session(SSL *s, PACKET *pkt, unsigned char *session_id,
ret == NULL && s->session_ctx->get_session_cb != NULL) {
int copy = 1;
- if ((ret = s->session_ctx->get_session_cb(s, session_id, len, &copy))) {
+ /*
+ * TODO(openssl-team): grab a copy of the data in |session_id|
+ * so that the PACKET data can be made const.
+ */
+ if ((ret = s->session_ctx->get_session_cb(s, PACKET_data(session_id),
+ len, &copy))) {
s->session_ctx->stats.sess_cb_hit++;
/*
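Review bot: The `get_session_cb` call passes the application callback `PACKET_data(session_id)`, a pointer into the received ClientHello, even though `session_id` is declared `const PACKET *`; the TODO acknowledges this but leaves it open. Until that is resolved, a callback that writes through its data argument would alter handshake bytes the rest of the function treats as read-only (assuming the callback prototype takes a non-const pointer, as the TODO implies). Copying first would close the gap: `unsigned char id[SSL_MAX_SSL_SESSION_ID_LENGTH];`, `memcpy(id, PACKET_data(session_id), len);`, then pass `id, (int)len` to the callback, which also makes the size_t-to-int narrowing explicit. The enclosing `if` block starts and ends outside the hunk.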