ag/cpython-source-deps
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Imported OpenSSL 1.1.1c

Browse Source
This commit is contained in:
Steve Dower
2019-06-17 08:35:38 -07:00
parent cf34d7b72e
commit ea3c37b9ec
196 changed files with 38947 additions and 2649 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
ssl/statem/extensions.c
View File

@@ -989,7 +989,6 @@ static int final_server_name(SSL *s, unsigned int context, int sent)
ss->ext.ticklen = 0;
ss->ext.tick_lifetime_hint = 0;
ss->ext.tick_age_add = 0;
ss->ext.tick_identity = 0;
if (!ssl_generate_session_id(s, ss)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
ERR_R_INTERNAL_ERROR);
@@ -1646,7 +1645,6 @@ static int final_early_data(SSL *s, unsigned int context, int sent)
if (s->max_early_data == 0
|| !s->hit
|| s->session->ext.tick_identity != 0
|| s->early_data_state != SSL_EARLY_DATA_ACCEPTING
|| !s->ext.early_data_ok
|| s->hello_retry_request != SSL_HRR_NONE

38
ssl/statem/extensions_clnt.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -993,7 +993,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL;
int dores = 0;
s->session->ext.tick_identity = TLSEXT_PSK_BAD_IDENTITY;
s->ext.tick_identity = 0;
/*
* Note: At this stage of the code we only support adding a single
@@ -1083,6 +1083,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
agems += s->session->ext.tick_age_add;
reshashsize = EVP_MD_size(mdres);
s->ext.tick_identity++;
dores = 1;
}
@@ -1142,6 +1143,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL;
}
s->ext.tick_identity++;
}
if (!WPACKET_close(pkt)
@@ -1180,11 +1182,6 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
return EXT_RETURN_FAIL;
}
if (dores)
s->session->ext.tick_identity = 0;
if (s->psksession != NULL)
s->psksession->ext.tick_identity = (dores ? 1 : 0);
return EXT_RETURN_SENT;
#else
return EXT_RETURN_NOT_SENT;
@@ -1927,8 +1924,7 @@ int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,
}
if (!s->ext.early_data_ok
|| !s->hit
|| s->session->ext.tick_identity != 0) {
|| !s->hit) {
/*
* If we get here then we didn't send early data, or we didn't resume
* using the first identity, or the SNI/ALPN is not consistent so the
@@ -1956,17 +1952,28 @@ int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
return 0;
}
if (s->session->ext.tick_identity == (int)identity) {
if (identity >= (unsigned int)s->ext.tick_identity) {
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK,
SSL_R_BAD_PSK_IDENTITY);
return 0;
}
/*
* Session resumption tickets are always sent before PSK tickets. If the
* ticket index is 0 then it must be for a session resumption ticket if we
* sent two tickets, or if we didn't send a PSK ticket.
*/
if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) {
s->hit = 1;
SSL_SESSION_free(s->psksession);
s->psksession = NULL;
return 1;
}
if (s->psksession == NULL
|| s->psksession->ext.tick_identity != (int)identity) {
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK,
SSL_R_BAD_PSK_IDENTITY);
if (s->psksession == NULL) {
/* Should never happen */
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_PSK,
ERR_R_INTERNAL_ERROR);
return 0;
}
@@ -1985,6 +1992,9 @@ int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
s->session = s->psksession;
s->psksession = NULL;
s->hit = 1;
/* Early data is only allowed if we used the first ticket */
if (identity != 0)
s->ext.early_data_ok = 0;
#endif
return 1;

6
ssl/statem/extensions_srvr.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -1274,7 +1274,7 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
goto err;
}
sess->ext.tick_identity = id;
s->ext.tick_identity = id;
SSL_SESSION_free(s->session);
s->session = sess;
@@ -1948,7 +1948,7 @@ EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
|| !WPACKET_start_sub_packet_u16(pkt)
|| !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
|| !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
|| !WPACKET_close(pkt)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);

5
ssl/statem/statem_clnt.c
View File

@@ -1613,10 +1613,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
* so the PAC-based session secret is always preserved. It'll be
* overwritten if the server refuses resumption.
*/
if (s->session->session_id_length > 0
|| (SSL_IS_TLS13(s)
&& s->session->ext.tick_identity
!= TLSEXT_PSK_BAD_IDENTITY)) {
if (s->session->session_id_length > 0) {
tsan_counter(&s->session_ctx->stats.sess_miss);
if (!ssl_get_new_session(s, 0)) {
/* SSLfatal() already called */