deps: upgrade openssl sources to 1.1.1c

This updates all sources in deps/openssl/openssl by: $ cd deps/openssl/ $ rm -rf openssl $ tar zxf ~/tmp/openssl-1.1.1c.tar.gz $ mv openssl-1.1.1c openssl $ git add --all openssl $ git commit openssl PR-URL: https://github.com/nodejs/node/pull/28211 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
author: Sam Roberts <vieuxtech@gmail.com> 2019-06-12 13:43:44 -0700
committer: Ruben Bridgewater <ruben@bridgewater.de> 2019-06-17 11:55:44 +0200
commit: 4c8fe4a96fddc66a18a33e7d8ae22ea10436ecb8 (patch)
tree: 165630be149e639f99070b5e4a5b3ec4fab21920 /deps/openssl/openssl/ssl/statem/extensions_clnt.c
parent: 5990c4d453b8fc8453a26566bb7ac680a76bd83f (diff)
download: android-node-v8-4c8fe4a96fddc66a18a33e7d8ae22ea10436ecb8.tar.gz
android-node-v8-4c8fe4a96fddc66a18a33e7d8ae22ea10436ecb8.tar.bz2
android-node-v8-4c8fe4a96fddc66a18a33e7d8ae22ea10436ecb8.zip
1 files changed, 24 insertions, 14 deletions
diff --git a/deps/openssl/openssl/ssl/statem/extensions_clnt.c b/deps/openssl/openssl/ssl/statem/extensions_clnt.c
index ab4dbf6713..3c7d84427f 100644
--- a/deps/openssl/openssl/ssl/statem/extensions_clnt.c
+++ b/deps/openssl/openssl/ssl/statem/extensions_clnt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -993,7 +993,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
     const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL;
     int dores = 0;
 
-    s->session->ext.tick_identity = TLSEXT_PSK_BAD_IDENTITY;
+    s->ext.tick_identity = 0;
 
     /*
      * Note: At this stage of the code we only support adding a single
@@ -1083,6 +1083,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
         agems += s->session->ext.tick_age_add;
 
         reshashsize = EVP_MD_size(mdres);
+        s->ext.tick_identity++;
         dores = 1;
     }
 
@@ -1142,6 +1143,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
                      ERR_R_INTERNAL_ERROR);
             return EXT_RETURN_FAIL;
         }
+        s->ext.tick_identity++;
     }
 
     if (!WPACKET_close(pkt)
@@ -1180,11 +1182,6 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
         return EXT_RETURN_FAIL;
     }
 
-    if (dores)
-        s->session->ext.tick_identity = 0;
-    if (s->psksession != NULL)
-        s->psksession->ext.tick_identity = (dores ? 1 : 0);
-
     return EXT_RETURN_SENT;
 #else
     return EXT_RETURN_NOT_SENT;
@@ -1927,8 +1924,7 @@ int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,
     }
 
     if (!s->ext.early_data_ok
-            || !s->hit
-            || s->session->ext.tick_identity != 0) {
+            || !s->hit) {
         /*
          * If we get here then we didn't send early data, or we didn't resume
          * using the first identity, or the SNI/ALPN is not consistent so the
@@ -1956,17 +1952,28 @@ int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
         return 0;
     }
 
-    if (s->session->ext.tick_identity == (int)identity) {
+    if (identity >= (unsigned int)s->ext.tick_identity) {
+        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK,
+                 SSL_R_BAD_PSK_IDENTITY);
+        return 0;
+    }
+
+    /*
+     * Session resumption tickets are always sent before PSK tickets. If the
+     * ticket index is 0 then it must be for a session resumption ticket if we
+     * sent two tickets, or if we didn't send a PSK ticket.
+     */
+    if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) {
         s->hit = 1;
         SSL_SESSION_free(s->psksession);
         s->psksession = NULL;
         return 1;
     }
 
-    if (s->psksession == NULL
-            || s->psksession->ext.tick_identity != (int)identity) {
-        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK,
-                 SSL_R_BAD_PSK_IDENTITY);
+    if (s->psksession == NULL) {
+        /* Should never happen */
+        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_PSK,
+                 ERR_R_INTERNAL_ERROR);
         return 0;
     }
 
@@ -1985,6 +1992,9 @@ int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
     s->session = s->psksession;
     s->psksession = NULL;
     s->hit = 1;
+    /* Early data is only allowed if we used the first ticket */
+    if (identity != 0)
+        s->ext.early_data_ok = 0;
 #endif
 
     return 1;
author	Sam Roberts <vieuxtech@gmail.com>	2019-06-12 13:43:44 -0700
committer	Ruben Bridgewater <ruben@bridgewater.de>	2019-06-17 11:55:44 +0200
commit	4c8fe4a96fddc66a18a33e7d8ae22ea10436ecb8 (patch)
tree	165630be149e639f99070b5e4a5b3ec4fab21920 /deps/openssl/openssl/ssl/statem/extensions_clnt.c
parent	5990c4d453b8fc8453a26566bb7ac680a76bd83f (diff)
download	android-node-v8-4c8fe4a96fddc66a18a33e7d8ae22ea10436ecb8.tar.gz android-node-v8-4c8fe4a96fddc66a18a33e7d8ae22ea10436ecb8.tar.bz2 android-node-v8-4c8fe4a96fddc66a18a33e7d8ae22ea10436ecb8.zip