From: Matt Caswell Date: Thu, 19 Jan 2017 15:01:55 +0000 (+0000) Subject: Always ensure that session->cipher is set X-Git-Tag: OpenSSL_1_1_1-pre1~2561 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=534a43ffeaec03e50768ccf84d431f96f11256e3;p=oweals%2Fopenssl.git Always ensure that session->cipher is set If we have deserialized the SSL_SESSION then in some circumstances the session->cipher value is NULL. We were patching up in some places but not in others. We should just do it as part of loading the SSL_SESSION. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/2259) --- diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c index ced6a51f4b..568f41ff5b 100644 --- a/ssl/ssl_asn1.c +++ b/ssl/ssl_asn1.c @@ -284,8 +284,10 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, p = as->cipher->data; id = 0x03000000L | ((unsigned long)p[0] << 8L) | (unsigned long)p[1]; - ret->cipher = NULL; ret->cipher_id = id; + ret->cipher = ssl3_get_cipher_by_id(id); + if (ret->cipher == NULL) + goto err; if (!ssl_session_memcpy(ret->session_id, &ret->session_id_length, as->session_id, SSL3_MAX_SSL_SESSION_ID_LENGTH)) diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index d4145ba5da..88b99cca14 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -2018,14 +2018,3 @@ int ssl_cipher_get_overhead(const SSL_CIPHER *c, size_t *mac_overhead, return 1; } - -const EVP_MD *ssl_cipher_get_handshake_md(int cipher_id) -{ - const SSL_CIPHER *cipher = ssl3_get_cipher_by_id(cipher_id); - if (cipher == NULL) { - /* Don't recognise this cipher */ - return NULL; - } - - return ssl_md(cipher->algorithm2); -} diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 64019fe0aa..a59683bdff 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -1956,7 +1956,6 @@ __owur int ssl_cipher_get_overhead(const SSL_CIPHER *c, size_t *mac_overhead, __owur int ssl_cipher_get_cert_index(const SSL_CIPHER *c); __owur const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl, const unsigned char *ptr); -__owur const EVP_MD *ssl_cipher_get_handshake_md(int cipher_id); __owur int ssl_cert_set0_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain); __owur int ssl_cert_set1_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain); __owur int ssl_cert_add0_chain_cert(SSL *s, SSL_CTX *ctx, X509 *x); diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index c28a5e1b3f..77c917f38a 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -91,6 +91,9 @@ SSL_SESSION *SSL_SESSION_new(void) { SSL_SESSION *ss; + if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL)) + return NULL; + ss = OPENSSL_zalloc(sizeof(*ss)); if (ss == NULL) { SSLerr(SSL_F_SSL_SESSION_NEW, ERR_R_MALLOC_FAILURE); @@ -586,21 +589,6 @@ int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello) goto err; } - if (ret->cipher == NULL) { - unsigned char buf[5], *p; - unsigned long l; - - p = buf; - l = ret->cipher_id; - l2n(l, p); - if ((ret->ssl_version >> 8) >= SSL3_VERSION_MAJOR) - ret->cipher = ssl_get_cipher_by_char(s, &(buf[2])); - else - ret->cipher = ssl_get_cipher_by_char(s, &(buf[1])); - if (ret->cipher == NULL) - goto err; - } - if (ret->timeout < (long)(time(NULL) - ret->time)) { /* timeout */ s->session_ctx->stats.sess_timeout++; if (try_session_cache) { diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index c17901a954..368f1968d8 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -717,7 +717,11 @@ int tls_construct_ctos_psk(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx, */ agems += s->session->ext.tick_age_add; - md = ssl_cipher_get_handshake_md(s->session->cipher_id); + if (s->session->cipher == NULL) { + SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, ERR_R_INTERNAL_ERROR); + goto err; + } + md = ssl_md(s->session->cipher->algorithm2); if (md == NULL) { /* Don't recognise this cipher so we can't use the session. Ignore it */ return 1; diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 5a5d846e04..088dcbc3b6 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -712,7 +712,7 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al) if (ret == TICKET_NO_DECRYPT) continue; - md = ssl_cipher_get_handshake_md(sess->cipher_id); + md = ssl_md(sess->cipher->algorithm2); if (md == NULL) { /* * Don't recognise this cipher so we can't use the session.