author | Matt Caswell <matt@openssl.org> | 2018-06-05 12:23:28 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2018-06-07 10:58:35 +0100 |
commit | 6cf2dbd9faffbed52a6bede924fe0a93345b8bfa (patch) | |
tree | 81f0b2d8235ed72960672ff1663582c6367e4ff8 /ssl/statem/statem_srvr.c | |
parent | 4ff1a5266685f4a687a9f91b531c2f979b96db22 (diff) |
Don't store the ticket nonce in the session
We generate the secrets based on the nonce immediately so there is no
need to keep the nonce.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6415)
Diffstat (limited to 'ssl/statem/statem_srvr.c')
-rw-r--r-- | ssl/statem/statem_srvr.c | 27 |
1 files changed, 9 insertions, 18 deletions
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index c690cf0191..c2976b7a32 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3753,6 +3753,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
 unsigned char iv[EVP_MAX_IV_LENGTH];
 unsigned char key_name[TLSEXT_KEYNAME_LENGTH];
 int iv_len;
+ unsigned char tick_nonce[TICKET_NONCE_SIZE];
 size_t macoffset, macendoffset;
 union {
 unsigned char age_add_c[sizeof(uint32_t)];
@@ -3762,7 +3763,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
 if (SSL_IS_TLS13(s)) {
 size_t i, hashlen;
 uint64_t nonce;
- const char nonce_label[] = "resumption";
+ static const unsigned char nonce_label[] = "resumption";
 const EVP_MD *md = ssl_handshake_md(s);
 void (*cb) (const SSL *ssl, int type, int val) = NULL;
 int hashleni = EVP_MD_size(md);
@@ -3781,7 +3782,6 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
 else if (s->ctx->info_callback != NULL) cb = s->ctx->info_callback; - if (cb != NULL) { /* * We don't start and stop the handshake in between each ticket when
@@ -3823,26 +3823,17 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
 }
 s->session->ext.tick_age_add = age_add_u.age_add;
- OPENSSL_free(s->session->ext.tick_nonce);
- s->session->ext.tick_nonce = OPENSSL_zalloc(TICKET_NONCE_SIZE);
- if (s->session->ext.tick_nonce == NULL) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR,
- SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
- ERR_R_MALLOC_FAILURE);
- goto err;
- }
 nonce = s->next_ticket_nonce;
- for (i = TICKET_NONCE_SIZE; nonce > 0 && i > 0; i--) {
- s->session->ext.tick_nonce[i - 1] = nonce & 0xff;
+ for (i = TICKET_NONCE_SIZE; i > 0; i--) {
+ tick_nonce[i - 1] = (unsigned char)(nonce & 0xff);
 nonce >>= 8;
 }
- s->session->ext.tick_nonce_len = TICKET_NONCE_SIZE;
 if (!tls13_hkdf_expand(s, md, s->resumption_master_secret,
- (const unsigned char *)nonce_label,
+ nonce_label,
 sizeof(nonce_label) - 1,
- s->session->ext.tick_nonce,
- s->session->ext.tick_nonce_len,
+ tick_nonce,
+ TICKET_NONCE_SIZE,
 s->session->master_key, hashlen)) {
 /* SSLfatal() already called */
@@ -3992,8 +3983,8 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
 ? 0 : s->session->timeout) || (SSL_IS_TLS13(s) && (!WPACKET_put_bytes_u32(pkt, age_add_u.age_add)
- || !WPACKET_sub_memcpy_u8(pkt, s->session->ext.tick_nonce,
- s->session->ext.tick_nonce_len)))
+ || !WPACKET_sub_memcpy_u8(pkt, tick_nonce,
+ TICKET_NONCE_SIZE)))
 /* Now the actual ticket data */ || !WPACKET_start_sub_packet_u16(pkt) || !WPACKET_get_total_written(pkt, &macoffset) |
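Review bot: In the nonce-encoding loop of the `@@ -3823,26 +3823,17 @@` hunk, `tick_nonce` is now an uninitialised stack array (declared in the first hunk) instead of `OPENSSL_zalloc`ed memory, and the last hunk copies it into the ticket message with `WPACKET_sub_memcpy_u8`. The loop writing all `TICKET_NONCE_SIZE` bytes is therefore the only thing keeping stale stack contents out of what is sent to the peer. Dropping `nonce > 0` from the loop condition achieves that, but nothing in the code records why. I would add a comment above the loop such as `/* Fill every byte: tick_nonce is uninitialised stack and is sent to the peer */`, or initialise at the declaration with `unsigned char tick_nonce[TICKET_NONCE_SIZE] = { 0 };`. The buffer is written only inside the `if (SSL_IS_TLS13(s))` block and read only under the later `SSL_IS_TLS13(s) &&` test, so those two guards must stay in step; the function body starts and ends outside these hunks.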