summaryrefslogtreecommitdiff
path: root/src/ssl/ssl_lib.cc
diff options
context:
space:
mode:
Diffstat (limited to 'src/ssl/ssl_lib.cc')
-rw-r--r--src/ssl/ssl_lib.cc74
1 files changed, 48 insertions, 26 deletions
diff --git a/src/ssl/ssl_lib.cc b/src/ssl/ssl_lib.cc
index 10128d82..9ecd7df6 100644
--- a/src/ssl/ssl_lib.cc
+++ b/src/ssl/ssl_lib.cc
@@ -218,6 +218,7 @@ void ssl_update_cache(SSL_HANDSHAKE *hs, int mode) {
SSL_CTX *ctx = ssl->session_ctx;
/* Never cache sessions with empty session IDs. */
if (ssl->s3->established_session->session_id_length == 0 ||
+ ssl->s3->established_session->not_resumable ||
(ctx->session_cache_mode & mode) != mode) {
return;
}
@@ -357,11 +358,18 @@ void ssl_do_msg_callback(SSL *ssl, int is_write, int content_type,
}
void ssl_get_current_time(const SSL *ssl, struct OPENSSL_timeval *out_clock) {
- if (ssl->ctx->current_time_cb != NULL) {
+ /* TODO(martinkr): Change callers to |ssl_ctx_get_current_time| and drop the
+ * |ssl| arg from |current_time_cb| if possible. */
+ ssl_ctx_get_current_time(ssl->ctx, out_clock);
+}
+
+void ssl_ctx_get_current_time(const SSL_CTX *ctx,
+ struct OPENSSL_timeval *out_clock) {
+ if (ctx->current_time_cb != NULL) {
/* TODO(davidben): Update current_time_cb to use OPENSSL_timeval. See
* https://crbug.com/boringssl/155. */
struct timeval clock;
- ssl->ctx->current_time_cb(ssl, &clock);
+ ctx->current_time_cb(nullptr /* ssl */, &clock);
if (clock.tv_sec < 0) {
assert(0);
out_clock->tv_sec = 0;
@@ -503,13 +511,6 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *method) {
ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
- /* Setup RFC4507 ticket keys */
- if (!RAND_bytes(ret->tlsext_tick_key_name, 16) ||
- !RAND_bytes(ret->tlsext_tick_hmac_key, 16) ||
- !RAND_bytes(ret->tlsext_tick_aes_key, 16)) {
- ret->options |= SSL_OP_NO_TICKET;
- }
-
/* Disable the auto-chaining feature by default. Once this has stuck without
* problems, the feature will be removed entirely. */
ret->mode = SSL_MODE_NO_AUTO_CHAIN;
@@ -571,6 +572,8 @@ void SSL_CTX_free(SSL_CTX *ctx) {
OPENSSL_free(ctx->alpn_client_proto_list);
EVP_PKEY_free(ctx->tlsext_channel_id_private);
OPENSSL_free(ctx->verify_sigalgs);
+ OPENSSL_free(ctx->tlsext_ticket_key_current);
+ OPENSSL_free(ctx->tlsext_ticket_key_prev);
OPENSSL_free(ctx);
}
@@ -1587,10 +1590,18 @@ int SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, void *out, size_t len) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_TICKET_KEYS_LENGTH);
return 0;
}
+
+ /* The default ticket keys are initialized lazily. Trigger a key
+ * rotation to initialize them. */
+ if (!ssl_ctx_rotate_ticket_encryption_key(ctx)) {
+ return 0;
+ }
+
uint8_t *out_bytes = reinterpret_cast<uint8_t *>(out);
- OPENSSL_memcpy(out_bytes, ctx->tlsext_tick_key_name, 16);
- OPENSSL_memcpy(out_bytes + 16, ctx->tlsext_tick_hmac_key, 16);
- OPENSSL_memcpy(out_bytes + 32, ctx->tlsext_tick_aes_key, 16);
+ MutexReadLock lock(&ctx->lock);
+ OPENSSL_memcpy(out_bytes, ctx->tlsext_ticket_key_current->name, 16);
+ OPENSSL_memcpy(out_bytes + 16, ctx->tlsext_ticket_key_current->hmac_key, 16);
+ OPENSSL_memcpy(out_bytes + 32, ctx->tlsext_ticket_key_current->aes_key, 16);
return 1;
}
@@ -1602,10 +1613,22 @@ int SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, const void *in, size_t len) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_TICKET_KEYS_LENGTH);
return 0;
}
+ if (!ctx->tlsext_ticket_key_current) {
+ ctx->tlsext_ticket_key_current =
+ (tlsext_ticket_key *)OPENSSL_malloc(sizeof(tlsext_ticket_key));
+ if (!ctx->tlsext_ticket_key_current) {
+ return 0;
+ }
+ }
+ OPENSSL_memset(ctx->tlsext_ticket_key_current, 0, sizeof(tlsext_ticket_key));
const uint8_t *in_bytes = reinterpret_cast<const uint8_t *>(in);
- OPENSSL_memcpy(ctx->tlsext_tick_key_name, in_bytes, 16);
- OPENSSL_memcpy(ctx->tlsext_tick_hmac_key, in_bytes + 16, 16);
- OPENSSL_memcpy(ctx->tlsext_tick_aes_key, in_bytes + 32, 16);
+ OPENSSL_memcpy(ctx->tlsext_ticket_key_current->name, in_bytes, 16);
+ OPENSSL_memcpy(ctx->tlsext_ticket_key_current->hmac_key, in_bytes + 16, 16);
+ OPENSSL_memcpy(ctx->tlsext_ticket_key_current->aes_key, in_bytes + 32, 16);
+ OPENSSL_free(ctx->tlsext_ticket_key_prev);
+ ctx->tlsext_ticket_key_prev = nullptr;
+ /* Disable automatic key rotation. */
+ ctx->tlsext_ticket_key_current->next_rotation_tv_sec = 0;
return 1;
}
@@ -1789,28 +1812,27 @@ void SSL_enable_ocsp_stapling(SSL *ssl) {
void SSL_get0_signed_cert_timestamp_list(const SSL *ssl, const uint8_t **out,
size_t *out_len) {
SSL_SESSION *session = SSL_get_session(ssl);
-
- *out_len = 0;
- *out = NULL;
- if (ssl->server || !session || !session->tlsext_signed_cert_timestamp_list) {
+ if (ssl->server || !session || !session->signed_cert_timestamp_list) {
+ *out_len = 0;
+ *out = NULL;
return;
}
- *out = session->tlsext_signed_cert_timestamp_list;
- *out_len = session->tlsext_signed_cert_timestamp_list_length;
+ *out = CRYPTO_BUFFER_data(session->signed_cert_timestamp_list);
+ *out_len = CRYPTO_BUFFER_len(session->signed_cert_timestamp_list);
}
void SSL_get0_ocsp_response(const SSL *ssl, const uint8_t **out,
size_t *out_len) {
SSL_SESSION *session = SSL_get_session(ssl);
-
- *out_len = 0;
- *out = NULL;
if (ssl->server || !session || !session->ocsp_response) {
+ *out_len = 0;
+ *out = NULL;
return;
}
- *out = session->ocsp_response;
- *out_len = session->ocsp_response_length;
+
+ *out = CRYPTO_BUFFER_data(session->ocsp_response);
+ *out_len = CRYPTO_BUFFER_len(session->ocsp_response);
}
int SSL_set_tlsext_host_name(SSL *ssl, const char *name) {
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-25 06:16:21 +0000