From: TJ Saunders Date: Sat, 27 Feb 2016 18:36:00 +0000 (+0100) Subject: session tickets: Use sizeof() for the various fields X-Git-Tag: OpenSSL_1_1_0-pre6~822 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=4e2e1ec9d53696abeb6873f700ec1da141cdd9a9;p=oweals%2Fopenssl.git session tickets: Use sizeof() for the various fields Signed-off-by: Kurt Roeckx Reviewed-by: Matt Caswell GH: #515, MR: #2153 --- diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index eaf6ee23e9..6f9b23b1ea 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3395,20 +3395,32 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_GET_TLSEXT_TICKET_KEYS: { unsigned char *keys = parg; + long tlsext_tick_keylen = (sizeof(ctx->tlsext_tick_key_name) + + sizeof(ctx->tlsext_tick_hmac_key) + (ctx->tlsext_tick_aes_key)); if (!keys) - return 48; - if (larg != 48) { + return tlsext_tick_keylen; + if (larg != tlsext_tick_keylen) { SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_INVALID_TICKET_KEYS_LENGTH); return 0; } if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS) { - memcpy(ctx->tlsext_tick_key_name, keys, 16); - memcpy(ctx->tlsext_tick_hmac_key, keys + 16, 16); - memcpy(ctx->tlsext_tick_aes_key, keys + 32, 16); + memcpy(ctx->tlsext_tick_key_name, keys, + sizeof(ctx->tlsext_tick_key_name)); + memcpy(ctx->tlsext_tick_hmac_key, + keys + sizeof(ctx->tlsext_tick_key_name), + sizeof(ctx->tlsext_tick_hmac_key)); + memcpy(ctx->tlsext_tick_aes_key, + keys + sizeof(ctx->tlsext_tick_key_name) + sizeof(ctx->tlsext_tick_hmac_key), + sizeof(ctx->tlsext_tick_aes_key)); } else { - memcpy(keys, ctx->tlsext_tick_key_name, 16); - memcpy(keys + 16, ctx->tlsext_tick_hmac_key, 16); - memcpy(keys + 32, ctx->tlsext_tick_aes_key, 16); + memcpy(keys, ctx->tlsext_tick_key_name, + sizeof(ctx->tlsext_tick_key_name)); + memcpy(keys + sizeof(ctx->tlsext_tick_key_name), + ctx->tlsext_tick_hmac_key, + sizeof(ctx->tlsext_tick_hmac_key)); + memcpy(keys + sizeof(ctx->tlsext_tick_key_name) + sizeof(ctx->tlsext_tick_hmac_key), + ctx->tlsext_tick_aes_key, + sizeof(ctx->tlsext_tick_aes_key)); } return 1; } diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 471779b03a..2c5548d29c 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2461,10 +2461,10 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; ret->split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; - /* Setup RFC4507 ticket keys */ - if ((RAND_bytes(ret->tlsext_tick_key_name, 16) <= 0) - || (RAND_bytes(ret->tlsext_tick_hmac_key, 16) <= 0) - || (RAND_bytes(ret->tlsext_tick_aes_key, 16) <= 0)) + /* Setup RFC5077 ticket keys */ + if ((RAND_bytes(ret->tlsext_tick_key_name, sizeof(ret->tlsext_tick_key_name)) <= 0) + || (RAND_bytes(ret->tlsext_tick_hmac_key, sizeof(ret->tlsext_tick_hmac_key)) <= 0) + || (RAND_bytes(ret->tlsext_tick_aes_key, sizeof(ret->tlsext_tick_aes_key)) <= 0)) ret->options |= SSL_OP_NO_TICKET; #ifndef OPENSSL_NO_SRP diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 90b9d2dfac..c8c68dc078 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -3051,10 +3051,12 @@ int tls_construct_new_session_ticket(SSL *s) if (!EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, tctx->tlsext_tick_aes_key, iv)) goto err; - if (!HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, 16, + if (!HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, + sizeof(tctx->tlsext_tick_hmac_key), EVP_sha256(), NULL)) goto err; - memcpy(key_name, tctx->tlsext_tick_key_name, 16); + memcpy(key_name, tctx->tlsext_tick_key_name, + sizeof(tctx->tlsext_tick_key_name)); } /* diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 3082a59810..996a132077 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -3129,15 +3129,17 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, renew_ticket = 1; } else { /* Check key name matches */ - if (memcmp(etick, tctx->tlsext_tick_key_name, 16)) { + if (memcmp(etick, tctx->tlsext_tick_key_name, + sizeof(tctx->tlsext_tick_key_name)) != 0) { ret = 2; goto err; } - if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, 16, + if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, + sizeof(tctx->tlsext_tick_hmac_key), EVP_sha256(), NULL) <= 0 || EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, tctx->tlsext_tick_aes_key, - etick + 16) <= 0) { + etick + sizeof(tctx->tlsext_tick_key_name)) <= 0) { goto err; } }