Port ssl3_get_new_session_ticket to CBS.
Change-Id: Iabca923c9be48d001abd3b12b8c6898e604aa85a
Reviewed-on: https://boringssl-review.googlesource.com/1165
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 7f23cc7..01afe68 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -491,9 +491,9 @@
unsigned char *tlsext_ellipticcurvelist; /* peer's list */
#endif /* OPENSSL_NO_EC */
/* RFC4507 info */
- unsigned char *tlsext_tick; /* Session ticket */
+ uint8_t *tlsext_tick; /* Session ticket */
size_t tlsext_ticklen; /* Session ticket length */
- long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
+ uint32_t tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
char peer_sha256_valid; /* Non-zero if peer_sha256 is valid */
unsigned char peer_sha256[SHA256_DIGEST_LENGTH]; /* SHA256 of peer certificate */
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 3165805..e3e58e8 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1905,10 +1905,9 @@
int ssl3_get_new_session_ticket(SSL *s)
{
- int ok,al,ret=0, ticklen;
+ int ok,al,ret=0;
long n;
- const unsigned char *p;
- unsigned char *d;
+ CBS new_session_ticket, ticket;
n=s->method->ssl_get_message(s,
SSL3_ST_CR_SESSION_TICKET_A,
@@ -1931,37 +1930,24 @@
OPENSSL_PUT_ERROR(SSL, ssl3_get_new_session_ticket, SSL_R_BAD_MESSAGE_TYPE);
goto f_err;
}
- if (n < 6)
+
+ CBS_init(&new_session_ticket, s->init_msg, n);
+
+ if (!CBS_get_u32(&new_session_ticket, &s->session->tlsext_tick_lifetime_hint) ||
+ !CBS_get_u16_length_prefixed(&new_session_ticket, &ticket) ||
+ CBS_len(&new_session_ticket) != 0)
{
- /* need at least ticket_lifetime_hint + ticket length */
al = SSL_AD_DECODE_ERROR;
- OPENSSL_PUT_ERROR(SSL, ssl3_get_new_session_ticket, SSL_R_LENGTH_MISMATCH);
+ OPENSSL_PUT_ERROR(SSL, ssl3_get_new_session_ticket, SSL_R_DECODE_ERROR);
goto f_err;
}
- p = d = s->init_msg;
- n2l(p, s->session->tlsext_tick_lifetime_hint);
- n2s(p, ticklen);
- /* ticket_lifetime_hint + ticket_length + ticket */
- if (ticklen + 6 != n)
- {
- al = SSL_AD_DECODE_ERROR;
- OPENSSL_PUT_ERROR(SSL, ssl3_get_new_session_ticket, SSL_R_LENGTH_MISMATCH);
- goto f_err;
- }
- if (s->session->tlsext_tick)
- {
- OPENSSL_free(s->session->tlsext_tick);
- s->session->tlsext_ticklen = 0;
- }
- s->session->tlsext_tick = OPENSSL_malloc(ticklen);
- if (!s->session->tlsext_tick)
+ if (!CBS_stow(&ticket, &s->session->tlsext_tick, &s->session->tlsext_ticklen))
{
OPENSSL_PUT_ERROR(SSL, ssl3_get_new_session_ticket, ERR_R_MALLOC_FAILURE);
goto err;
}
- memcpy(s->session->tlsext_tick, p, ticklen);
- s->session->tlsext_ticklen = ticklen;
+
/* There are two ways to detect a resumed ticket sesion.
* One is to set an appropriate session ID and then the server
* must return a match in ServerHello. This allows the normal
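Review bot: A NewSessionTicket whose ticket is zero-length passes the new parse, because `CBS_get_u16_length_prefixed` accepts an empty body and nothing after the `CBS_stow` call distinguishes that case. The session then holds no ticket, yet the `EVP_Digest` call further down in this function still overwrites `session_id` with a digest over zero bytes, which is the same value for every such message. I would handle it explicitly right after the decode check, with `if (CBS_len(&ticket) == 0)` treating the message as carrying no ticket and skipping the session-ID rewrite; the function's tail is outside this hunk, so the exact exit path needs checking there. Separately, `CBS_get_u32` writes `tlsext_tick_lifetime_hint` straight into the session before the rest of the message is validated; parsing into a local `uint32_t` and assigning it after the length checks would keep a rejected message from altering session state.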
@@ -1977,7 +1963,7 @@
* to the SHA256 (or SHA1 is SHA256 is disabled) hash of the
* ticket.
*/
- EVP_Digest(p, ticklen,
+ EVP_Digest(CBS_data(&ticket), CBS_len(&ticket),
s->session->session_id, &s->session->session_id_length,
#ifndef OPENSSL_NO_SHA256
EVP_sha256(), NULL);
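Review bot: The return value of `EVP_Digest` is still discarded on the rewritten call, so a digest failure would leave `session_id` and `session_id_length` in whatever state they had while the function carries on as if the ticket-derived ID were set. Wrapping the call as `if (!EVP_Digest(...)) goto err;` would route that case to the error label the function already uses for the `CBS_stow` failure. The remainder of the call, presumably an `#else` variant for builds without SHA-256, lies outside this hunk, so the check has to cover both variants.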
diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c
index 4ea3eb5..96a0d78 100644
--- a/ssl/ssl_txt.c
+++ b/ssl/ssl_txt.c
@@ -80,6 +80,7 @@
* OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
* OTHERWISE. */
+#include <inttypes.h>
#include <stdio.h>
#include <openssl/buf.h>
@@ -176,7 +177,7 @@
if (x->tlsext_tick_lifetime_hint)
{
if (BIO_printf(bp,
- "\n TLS session ticket lifetime hint: %ld (seconds)",
+ "\n TLS session ticket lifetime hint: %" PRIu32 " (seconds)",
x->tlsext_tick_lifetime_hint) <=0)
goto err;
}