session tickets: Use sizeof() for the various fields

author TJ Saunders <tj@castaglia.org>

Sat, 27 Feb 2016 18:36:00 +0000 (19:36 +0100)

committer Kurt Roeckx <kurt@roeckx.be>

Mon, 16 May 2016 18:42:21 +0000 (20:42 +0200)
author TJ Saunders <tj@castaglia.org>
Sat, 27 Feb 2016 18:36:00 +0000 (19:36 +0100)
committer Kurt Roeckx <kurt@roeckx.be>
Mon, 16 May 2016 18:42:21 +0000 (20:42 +0200)
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c

index eaf6ee23e9ac82141f8291850c799e49004cea42..6f9b23b1eafa07c7836ade7f2a10505d7066f55e 100644 (file)
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3395,20 +3395,32 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
      case SSL_CTRL_GET_TLSEXT_TICKET_KEYS:
          {
              unsigned char *keys = parg;
+            long tlsext_tick_keylen = (sizeof(ctx->tlsext_tick_key_name) +
+                sizeof(ctx->tlsext_tick_hmac_key) + (ctx->tlsext_tick_aes_key));
              if (!keys)
-                return 48;
-            if (larg != 48) {
+                return tlsext_tick_keylen;
+            if (larg != tlsext_tick_keylen) {
                  SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_INVALID_TICKET_KEYS_LENGTH);
                  return 0;
              }
              if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS) {
-                memcpy(ctx->tlsext_tick_key_name, keys, 16);
-                memcpy(ctx->tlsext_tick_hmac_key, keys + 16, 16);
-                memcpy(ctx->tlsext_tick_aes_key, keys + 32, 16);
+                memcpy(ctx->tlsext_tick_key_name, keys,
+                       sizeof(ctx->tlsext_tick_key_name));
+                memcpy(ctx->tlsext_tick_hmac_key,
+                       keys + sizeof(ctx->tlsext_tick_key_name),
+                       sizeof(ctx->tlsext_tick_hmac_key));
+                memcpy(ctx->tlsext_tick_aes_key,
+                       keys + sizeof(ctx->tlsext_tick_key_name) + sizeof(ctx->tlsext_tick_hmac_key),
+                       sizeof(ctx->tlsext_tick_aes_key));
              } else {
-                memcpy(keys, ctx->tlsext_tick_key_name, 16);
-                memcpy(keys + 16, ctx->tlsext_tick_hmac_key, 16);
-                memcpy(keys + 32, ctx->tlsext_tick_aes_key, 16);
+                memcpy(keys, ctx->tlsext_tick_key_name,
+                       sizeof(ctx->tlsext_tick_key_name));
+                memcpy(keys + sizeof(ctx->tlsext_tick_key_name),
+                       ctx->tlsext_tick_hmac_key,
+                       sizeof(ctx->tlsext_tick_hmac_key));
+                memcpy(keys + sizeof(ctx->tlsext_tick_key_name) + sizeof(ctx->tlsext_tick_hmac_key),
+                       ctx->tlsext_tick_aes_key,
+                       sizeof(ctx->tlsext_tick_aes_key));
              }
              return 1;
          }
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c

index 471779b03a17d7433a9e596334cfb82db96a577a..2c5548d29cf77443a1830d6c9cab6e9284f095e5 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2461,10 +2461,10 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
      ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
      ret->split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
  
-    /* Setup RFC4507 ticket keys */
-    if ((RAND_bytes(ret->tlsext_tick_key_name, 16) <= 0)
-        || (RAND_bytes(ret->tlsext_tick_hmac_key, 16) <= 0)
-        || (RAND_bytes(ret->tlsext_tick_aes_key, 16) <= 0))
+    /* Setup RFC5077 ticket keys */
+    if ((RAND_bytes(ret->tlsext_tick_key_name, sizeof(ret->tlsext_tick_key_name)) <= 0)
+        || (RAND_bytes(ret->tlsext_tick_hmac_key, sizeof(ret->tlsext_tick_hmac_key)) <= 0)
+        || (RAND_bytes(ret->tlsext_tick_aes_key, sizeof(ret->tlsext_tick_aes_key)) <= 0))
          ret->options |= SSL_OP_NO_TICKET;
  
  #ifndef OPENSSL_NO_SRP
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c

index 90b9d2dfac5f91d3de2af6ba83809249e65db346..c8c68dc07847f18b49505eca8ea893fb0ffedcd7 100644 (file)
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3051,10 +3051,12 @@ int tls_construct_new_session_ticket(SSL *s)
          if (!EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL,
                                  tctx->tlsext_tick_aes_key, iv))
              goto err;
-        if (!HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, 16,
+        if (!HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key,
+                          sizeof(tctx->tlsext_tick_hmac_key),
                            EVP_sha256(), NULL))
              goto err;
-        memcpy(key_name, tctx->tlsext_tick_key_name, 16);
+        memcpy(key_name, tctx->tlsext_tick_key_name,
+               sizeof(tctx->tlsext_tick_key_name));
      }
  
      /*
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c

index 3082a59810525b1272265eb50e74e7d44d432152..996a1320779e04f3b7a993a5aff2c67773d8976e 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -3129,15 +3129,17 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
              renew_ticket = 1;
      } else {
          /* Check key name matches */
-        if (memcmp(etick, tctx->tlsext_tick_key_name, 16)) {
+        if (memcmp(etick, tctx->tlsext_tick_key_name,
+                   sizeof(tctx->tlsext_tick_key_name)) != 0) {
              ret = 2;
              goto err;
          }
-        if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, 16,
+        if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key,
+                         sizeof(tctx->tlsext_tick_hmac_key),
                           EVP_sha256(), NULL) <= 0
                  || EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL,
                                        tctx->tlsext_tick_aes_key,
-                                      etick + 16) <= 0) {
+                                      etick + sizeof(tctx->tlsext_tick_key_name)) <= 0) {
              goto err;
         }
      }
author	TJ Saunders <tj@castaglia.org>
	Sat, 27 Feb 2016 18:36:00 +0000 (19:36 +0100)
committer	Kurt Roeckx <kurt@roeckx.be>
	Mon, 16 May 2016 18:42:21 +0000 (20:42 +0200)
ssl/s3_lib.c		patch \| blob \| history
ssl/ssl_lib.c		patch \| blob \| history
ssl/statem/statem_srvr.c		patch \| blob \| history
ssl/t1_lib.c		patch \| blob \| history