|
|
5c1a6c |
diff -up openssl-1.0.1e/ssl/ssl_err.c.ticket-race openssl-1.0.1e/ssl/ssl_err.c
|
|
|
5c1a6c |
--- openssl-1.0.1e/ssl/ssl_err.c.ticket-race 2015-06-09 15:40:41.000000000 +0200
|
|
|
5c1a6c |
+++ openssl-1.0.1e/ssl/ssl_err.c 2015-06-09 15:45:06.879198463 +0200
|
|
|
5c1a6c |
@@ -245,6 +245,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
|
|
|
5c1a6c |
{ERR_FUNC(SSL_F_SSL_READ), "SSL_read"},
|
|
|
5c1a6c |
{ERR_FUNC(SSL_F_SSL_RSA_PRIVATE_DECRYPT), "SSL_RSA_PRIVATE_DECRYPT"},
|
|
|
5c1a6c |
{ERR_FUNC(SSL_F_SSL_RSA_PUBLIC_ENCRYPT), "SSL_RSA_PUBLIC_ENCRYPT"},
|
|
|
5c1a6c |
+{ERR_FUNC(SSL_F_SSL_SESSION_DUP), "ssl_session_dup"},
|
|
|
5c1a6c |
{ERR_FUNC(SSL_F_SSL_SESSION_NEW), "SSL_SESSION_new"},
|
|
|
5c1a6c |
{ERR_FUNC(SSL_F_SSL_SESSION_PRINT_FP), "SSL_SESSION_print_fp"},
|
|
|
5c1a6c |
{ERR_FUNC(SSL_F_SSL_SESSION_SET1_ID_CONTEXT), "SSL_SESSION_set1_id_context"},
|
|
|
5c1a6c |
diff -up openssl-1.0.1e/ssl/ssl.h.ticket-race openssl-1.0.1e/ssl/ssl.h
|
|
|
5c1a6c |
--- openssl-1.0.1e/ssl/ssl.h.ticket-race 2015-06-09 15:40:41.000000000 +0200
|
|
|
5c1a6c |
+++ openssl-1.0.1e/ssl/ssl.h 2015-06-09 15:44:22.696191291 +0200
|
|
|
5c1a6c |
@@ -2176,6 +2176,7 @@ void ERR_load_SSL_strings(void);
|
|
|
5c1a6c |
#define SSL_F_SSL_READ 223
|
|
|
5c1a6c |
#define SSL_F_SSL_RSA_PRIVATE_DECRYPT 187
|
|
|
5c1a6c |
#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 188
|
|
|
5c1a6c |
+#define SSL_F_SSL_SESSION_DUP 348
|
|
|
5c1a6c |
#define SSL_F_SSL_SESSION_NEW 189
|
|
|
5c1a6c |
#define SSL_F_SSL_SESSION_PRINT_FP 190
|
|
|
5c1a6c |
#define SSL_F_SSL_SESSION_SET1_ID_CONTEXT 312
|
|
|
5c1a6c |
diff -up openssl-1.0.1e/ssl/ssl_locl.h.ticket-race openssl-1.0.1e/ssl/ssl_locl.h
|
|
|
5c1a6c |
--- openssl-1.0.1e/ssl/ssl_locl.h.ticket-race 2015-06-09 15:40:41.000000000 +0200
|
|
|
5c1a6c |
+++ openssl-1.0.1e/ssl/ssl_locl.h 2015-06-09 16:02:41.105243796 +0200
|
|
|
5c1a6c |
@@ -822,6 +822,7 @@ void ssl_sess_cert_free(SESS_CERT *sc);
|
|
|
5c1a6c |
int ssl_set_peer_cert_type(SESS_CERT *c, int type);
|
|
|
5c1a6c |
int ssl_get_new_session(SSL *s, int session);
|
|
|
5c1a6c |
int ssl_get_prev_session(SSL *s, unsigned char *session,int len, const unsigned char *limit);
|
|
|
5c1a6c |
+SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket);
|
|
|
5c1a6c |
int ssl_cipher_id_cmp(const SSL_CIPHER *a,const SSL_CIPHER *b);
|
|
|
5c1a6c |
DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER,
|
|
|
5c1a6c |
ssl_cipher_id);
|
|
|
5c1a6c |
diff -up openssl-1.0.1e/ssl/ssl_sess.c.ticket-race openssl-1.0.1e/ssl/ssl_sess.c
|
|
|
5c1a6c |
--- openssl-1.0.1e/ssl/ssl_sess.c.ticket-race 2013-02-11 16:26:04.000000000 +0100
|
|
|
5c1a6c |
+++ openssl-1.0.1e/ssl/ssl_sess.c 2015-06-11 13:48:26.724348868 +0200
|
|
|
5c1a6c |
@@ -224,6 +224,146 @@ SSL_SESSION *SSL_SESSION_new(void)
|
|
|
5c1a6c |
return(ss);
|
|
|
5c1a6c |
}
|
|
|
5c1a6c |
|
|
|
5c1a6c |
+/*
|
|
|
5c1a6c |
+ * Create a new SSL_SESSION and duplicate the contents of |src| into it. If
|
|
|
5c1a6c |
+ * ticket == 0 then no ticket information is duplicated, otherwise it is.
|
|
|
5c1a6c |
+ */
|
|
|
5c1a6c |
+SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
|
|
|
5c1a6c |
+{
|
|
|
5c1a6c |
+ SSL_SESSION *dest;
|
|
|
5c1a6c |
+
|
|
|
5c1a6c |
+ dest = OPENSSL_malloc(sizeof(*src));
|
|
|
5c1a6c |
+ if (dest == NULL)
|
|
|
5c1a6c |
+ {
|
|
|
5c1a6c |
+ goto err;
|
|
|
5c1a6c |
+ }
|
|
|
5c1a6c |
+ memcpy(dest, src, sizeof(*dest));
|
|
|
5c1a6c |
+
|
|
|
5c1a6c |
+ /*
|
|
|
5c1a6c |
+ * Set the various pointers to NULL so that we can call SSL_SESSION_free in
|
|
|
5c1a6c |
+ * the case of an error whilst halfway through constructing dest
|
|
|
5c1a6c |
+ */
|
|
|
5c1a6c |
+#ifndef OPENSSL_NO_PSK
|
|
|
5c1a6c |
+ dest->psk_identity_hint = NULL;
|
|
|
5c1a6c |
+ dest->psk_identity = NULL;
|
|
|
5c1a6c |
+#endif
|
|
|
5c1a6c |
+ dest->ciphers = NULL;
|
|
|
5c1a6c |
+#ifndef OPENSSL_NO_TLSEXT
|
|
|
5c1a6c |
+ dest->tlsext_hostname = NULL;
|
|
|
5c1a6c |
+# ifndef OPENSSL_NO_EC
|
|
|
5c1a6c |
+ dest->tlsext_ecpointformatlist = NULL;
|
|
|
5c1a6c |
+ dest->tlsext_ellipticcurvelist = NULL;
|
|
|
5c1a6c |
+# endif
|
|
|
5c1a6c |
+#endif
|
|
|
5c1a6c |
+ dest->tlsext_tick = NULL;
|
|
|
5c1a6c |
+#ifndef OPENSSL_NO_SRP
|
|
|
5c1a6c |
+ dest->srp_username = NULL;
|
|
|
5c1a6c |
+#endif
|
|
|
5c1a6c |
+ memset(&dest->ex_data, 0, sizeof(dest->ex_data));
|
|
|
5c1a6c |
+
|
|
|
5c1a6c |
+ /* We deliberately don't copy the prev and next pointers */
|
|
|
5c1a6c |
+ dest->prev = NULL;
|
|
|
5c1a6c |
+ dest->next = NULL;
|
|
|
5c1a6c |
+
|
|
|
5c1a6c |
+ dest->references = 1;
|
|
|
5c1a6c |
+
|
|
|
5c1a6c |
+ if (src->sess_cert != NULL)
|
|
|
5c1a6c |
+ CRYPTO_add(&src->sess_cert->references, 1, CRYPTO_LOCK_SSL_SESS_CERT);
|
|
|
5c1a6c |
+
|
|
|
5c1a6c |
+ if (src->peer != NULL)
|
|
|
5c1a6c |
+ CRYPTO_add(&src->peer->references, 1, CRYPTO_LOCK_X509);
|
|
|
5c1a6c |
+
|
|
|
5c1a6c |
+#ifndef OPENSSL_NO_PSK
|
|
|
5c1a6c |
+ if (src->psk_identity_hint)
|
|
|
5c1a6c |
+ {
|
|
|
5c1a6c |
+ dest->psk_identity_hint = BUF_strdup(src->psk_identity_hint);
|
|
|
5c1a6c |
+ if (dest->psk_identity_hint == NULL)
|
|
|
5c1a6c |
+ {
|
|
|
5c1a6c |
+ goto err;
|
|
|
5c1a6c |
+ }
|
|
|
5c1a6c |
+ }
|
|
|
5c1a6c |
+ if (src->psk_identity)
|
|
|
5c1a6c |
+ {
|
|
|
5c1a6c |
+ dest->psk_identity = BUF_strdup(src->psk_identity);
|
|
|
5c1a6c |
+ if (dest->psk_identity == NULL)
|
|
|
5c1a6c |
+ {
|
|
|
5c1a6c |
+ goto err;
|
|
|
5c1a6c |
+ }
|
|
|
5c1a6c |
+ }
|
|
|
5c1a6c |
+#endif
|
|
|
5c1a6c |
+
|
|
|
5c1a6c |
+ if(src->ciphers != NULL)
|
|
|
5c1a6c |
+ {
|
|
|
5c1a6c |
+ dest->ciphers = sk_SSL_CIPHER_dup(src->ciphers);
|
|
|
5c1a6c |
+ if (dest->ciphers == NULL)
|
|
|
5c1a6c |
+ goto err;
|
|
|
5c1a6c |
+ }
|
|
|
5c1a6c |
+
|
|
|
5c1a6c |
+ if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL_SESSION,
|
|
|
5c1a6c |
+ &dest->ex_data, &src->ex_data))
|
|
|
5c1a6c |
+ {
|
|
|
5c1a6c |
+ goto err;
|
|
|
5c1a6c |
+ }
|
|
|
5c1a6c |
+
|
|
|
5c1a6c |
+#ifndef OPENSSL_NO_TLSEXT
|
|
|
5c1a6c |
+ if (src->tlsext_hostname)
|
|
|
5c1a6c |
+ {
|
|
|
5c1a6c |
+ dest->tlsext_hostname = BUF_strdup(src->tlsext_hostname);
|
|
|
5c1a6c |
+ if (dest->tlsext_hostname == NULL)
|
|
|
5c1a6c |
+ {
|
|
|
5c1a6c |
+ goto err;
|
|
|
5c1a6c |
+ }
|
|
|
5c1a6c |
+ }
|
|
|
5c1a6c |
+# ifndef OPENSSL_NO_EC
|
|
|
5c1a6c |
+ if (src->tlsext_ecpointformatlist)
|
|
|
5c1a6c |
+ {
|
|
|
5c1a6c |
+ dest->tlsext_ecpointformatlist =
|
|
|
5c1a6c |
+ BUF_memdup(src->tlsext_ecpointformatlist,
|
|
|
5c1a6c |
+ src->tlsext_ecpointformatlist_length);
|
|
|
5c1a6c |
+ if (dest->tlsext_ecpointformatlist == NULL)
|
|
|
5c1a6c |
+ goto err;
|
|
|
5c1a6c |
+ }
|
|
|
5c1a6c |
+ if (src->tlsext_ellipticcurvelist)
|
|
|
5c1a6c |
+ {
|
|
|
5c1a6c |
+ dest->tlsext_ellipticcurvelist =
|
|
|
5c1a6c |
+ BUF_memdup(src->tlsext_ellipticcurvelist,
|
|
|
5c1a6c |
+ src->tlsext_ellipticcurvelist_length);
|
|
|
5c1a6c |
+ if (dest->tlsext_ellipticcurvelist == NULL)
|
|
|
5c1a6c |
+ goto err;
|
|
|
5c1a6c |
+ }
|
|
|
5c1a6c |
+# endif
|
|
|
5c1a6c |
+#endif
|
|
|
5c1a6c |
+
|
|
|
5c1a6c |
+ if (ticket != 0)
|
|
|
5c1a6c |
+ {
|
|
|
5c1a6c |
+ dest->tlsext_tick = BUF_memdup(src->tlsext_tick, src->tlsext_ticklen);
|
|
|
5c1a6c |
+ if(dest->tlsext_tick == NULL)
|
|
|
5c1a6c |
+ goto err;
|
|
|
5c1a6c |
+ }
|
|
|
5c1a6c |
+ else
|
|
|
5c1a6c |
+ {
|
|
|
5c1a6c |
+ dest->tlsext_tick_lifetime_hint = 0;
|
|
|
5c1a6c |
+ dest->tlsext_ticklen = 0;
|
|
|
5c1a6c |
+ }
|
|
|
5c1a6c |
+
|
|
|
5c1a6c |
+#ifndef OPENSSL_NO_SRP
|
|
|
5c1a6c |
+ if (src->srp_username)
|
|
|
5c1a6c |
+ {
|
|
|
5c1a6c |
+ dest->srp_username = BUF_strdup(src->srp_username);
|
|
|
5c1a6c |
+ if (dest->srp_username == NULL)
|
|
|
5c1a6c |
+ {
|
|
|
5c1a6c |
+ goto err;
|
|
|
5c1a6c |
+ }
|
|
|
5c1a6c |
+ }
|
|
|
5c1a6c |
+#endif
|
|
|
5c1a6c |
+
|
|
|
5c1a6c |
+ return dest;
|
|
|
5c1a6c |
+err:
|
|
|
5c1a6c |
+ SSLerr(SSL_F_SSL_SESSION_DUP, ERR_R_MALLOC_FAILURE);
|
|
|
5c1a6c |
+ SSL_SESSION_free(dest);
|
|
|
5c1a6c |
+ return NULL;
|
|
|
5c1a6c |
+}
|
|
|
5c1a6c |
+
|
|
|
5c1a6c |
const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
|
|
|
5c1a6c |
{
|
|
|
5c1a6c |
if(len)
|
|
|
5c1a6c |
diff -up openssl-1.0.1e/ssl/s3_clnt.c.ticket-race openssl-1.0.1e/ssl/s3_clnt.c
|
|
|
5c1a6c |
--- openssl-1.0.1e/ssl/s3_clnt.c.ticket-race 2015-06-09 15:40:41.000000000 +0200
|
|
|
5c1a6c |
+++ openssl-1.0.1e/ssl/s3_clnt.c 2015-06-09 15:39:56.315119013 +0200
|
|
|
a42c31 |
@@ -2092,6 +2092,44 @@ int ssl3_get_new_session_ticket(SSL *s)
|
|
|
5c1a6c |
}
|
|
|
5c1a6c |
|
|
|
5c1a6c |
p=d=(unsigned char *)s->init_msg;
|
|
|
5c1a6c |
+
|
|
|
5c1a6c |
+ if (s->session->session_id_length > 0)
|
|
|
5c1a6c |
+ {
|
|
|
5c1a6c |
+ int i = s->session_ctx->session_cache_mode;
|
|
|
5c1a6c |
+ SSL_SESSION *new_sess;
|
|
|
5c1a6c |
+ /*
|
|
|
5c1a6c |
+ * We reused an existing session, so we need to replace it with a new
|
|
|
5c1a6c |
+ * one
|
|
|
5c1a6c |
+ */
|
|
|
5c1a6c |
+ if (i & SSL_SESS_CACHE_CLIENT)
|
|
|
5c1a6c |
+ {
|
|
|
5c1a6c |
+ /*
|
|
|
5c1a6c |
+ * Remove the old session from the cache
|
|
|
5c1a6c |
+ */
|
|
|
5c1a6c |
+ if (i & SSL_SESS_CACHE_NO_INTERNAL_STORE)
|
|
|
5c1a6c |
+ {
|
|
|
5c1a6c |
+ if (s->session_ctx->remove_session_cb != NULL)
|
|
|
5c1a6c |
+ s->session_ctx->remove_session_cb(s->session_ctx,
|
|
|
5c1a6c |
+ s->session);
|
|
|
5c1a6c |
+ }
|
|
|
5c1a6c |
+ else
|
|
|
5c1a6c |
+ {
|
|
|
5c1a6c |
+ /* We carry on if this fails */
|
|
|
5c1a6c |
+ SSL_CTX_remove_session(s->session_ctx, s->session);
|
|
|
5c1a6c |
+ }
|
|
|
5c1a6c |
+ }
|
|
|
5c1a6c |
+
|
|
|
5c1a6c |
+ if ((new_sess = ssl_session_dup(s->session, 0)) == 0)
|
|
|
5c1a6c |
+ {
|
|
|
5c1a6c |
+ al = SSL_AD_INTERNAL_ERROR;
|
|
|
5c1a6c |
+ SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
|
|
|
5c1a6c |
+ goto f_err;
|
|
|
5c1a6c |
+ }
|
|
|
5c1a6c |
+
|
|
|
5c1a6c |
+ SSL_SESSION_free(s->session);
|
|
|
5c1a6c |
+ s->session = new_sess;
|
|
|
5c1a6c |
+ }
|
|
|
5c1a6c |
+
|
|
|
5c1a6c |
n2l(p, s->session->tlsext_tick_lifetime_hint);
|
|
|
5c1a6c |
n2s(p, ticklen);
|
|
|
5c1a6c |
/* ticket_lifetime_hint + ticket_length + ticket */
|