diff options
author | Sam Roberts <vieuxtech@gmail.com> | 2019-06-12 13:43:44 -0700 |
---|---|---|
committer | Ruben Bridgewater <ruben@bridgewater.de> | 2019-06-17 11:55:44 +0200 |
commit | 4c8fe4a96fddc66a18a33e7d8ae22ea10436ecb8 (patch) | |
tree | 165630be149e639f99070b5e4a5b3ec4fab21920 /deps/openssl/openssl/ssl/statem/extensions_clnt.c | |
parent | 5990c4d453b8fc8453a26566bb7ac680a76bd83f (diff) | |
download | android-node-v8-4c8fe4a96fddc66a18a33e7d8ae22ea10436ecb8.tar.gz android-node-v8-4c8fe4a96fddc66a18a33e7d8ae22ea10436ecb8.tar.bz2 android-node-v8-4c8fe4a96fddc66a18a33e7d8ae22ea10436ecb8.zip |
deps: upgrade openssl sources to 1.1.1c
This updates all sources in deps/openssl/openssl by:
$ cd deps/openssl/
$ rm -rf openssl
$ tar zxf ~/tmp/openssl-1.1.1c.tar.gz
$ mv openssl-1.1.1c openssl
$ git add --all openssl
$ git commit openssl
PR-URL: https://github.com/nodejs/node/pull/28211
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Diffstat (limited to 'deps/openssl/openssl/ssl/statem/extensions_clnt.c')
-rw-r--r-- | deps/openssl/openssl/ssl/statem/extensions_clnt.c | 38 |
1 files changed, 24 insertions, 14 deletions
diff --git a/deps/openssl/openssl/ssl/statem/extensions_clnt.c b/deps/openssl/openssl/ssl/statem/extensions_clnt.c index ab4dbf6713..3c7d84427f 100644 --- a/deps/openssl/openssl/ssl/statem/extensions_clnt.c +++ b/deps/openssl/openssl/ssl/statem/extensions_clnt.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -993,7 +993,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL; int dores = 0; - s->session->ext.tick_identity = TLSEXT_PSK_BAD_IDENTITY; + s->ext.tick_identity = 0; /* * Note: At this stage of the code we only support adding a single @@ -1083,6 +1083,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, agems += s->session->ext.tick_age_add; reshashsize = EVP_MD_size(mdres); + s->ext.tick_identity++; dores = 1; } @@ -1142,6 +1143,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, ERR_R_INTERNAL_ERROR); return EXT_RETURN_FAIL; } + s->ext.tick_identity++; } if (!WPACKET_close(pkt) @@ -1180,11 +1182,6 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, return EXT_RETURN_FAIL; } - if (dores) - s->session->ext.tick_identity = 0; - if (s->psksession != NULL) - s->psksession->ext.tick_identity = (dores ? 1 : 0); - return EXT_RETURN_SENT; #else return EXT_RETURN_NOT_SENT; @@ -1927,8 +1924,7 @@ int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context, } if (!s->ext.early_data_ok - || !s->hit - || s->session->ext.tick_identity != 0) { + || !s->hit) { /* * If we get here then we didn't send early data, or we didn't resume * using the first identity, or the SNI/ALPN is not consistent so the @@ -1956,17 +1952,28 @@ int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, return 0; } - if (s->session->ext.tick_identity == (int)identity) { + if (identity >= (unsigned int)s->ext.tick_identity) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK, + SSL_R_BAD_PSK_IDENTITY); + return 0; + } + + /* + * Session resumption tickets are always sent before PSK tickets. If the + * ticket index is 0 then it must be for a session resumption ticket if we + * sent two tickets, or if we didn't send a PSK ticket. + */ + if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) { s->hit = 1; SSL_SESSION_free(s->psksession); s->psksession = NULL; return 1; } - if (s->psksession == NULL - || s->psksession->ext.tick_identity != (int)identity) { - SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK, - SSL_R_BAD_PSK_IDENTITY); + if (s->psksession == NULL) { + /* Should never happen */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_PSK, + ERR_R_INTERNAL_ERROR); return 0; } @@ -1985,6 +1992,9 @@ int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, s->session = s->psksession; s->psksession = NULL; s->hit = 1; + /* Early data is only allowed if we used the first ticket */ + if (identity != 0) + s->ext.early_data_ok = 0; #endif return 1; |