From: Matt Caswell
Date: Fri, 13 Mar 2020 23:54:07 +0000 (+0000)
Subject: Use a fetched version of SHA256 in tls_process_new_session_ticket()
X-Git-Tag: openssl-3.0.0-alpha1~222
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=abd86cecce06a2f56f2d0ccc4743273e5981d547;p=oweals%2Fopenssl.git

Use a fetched version of SHA256 in tls_process_new_session_ticket()

We use the SHA256 digest of the ticket as a "fake" session id. We should ensure that the SHA256 implementation is fetched from the appropriate provider.

Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/11356)
---
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 2f4ffc8bad..090d0f39a5 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -3089,6 +3089,7 @@ SSL_R_EXTENSION_NOT_RECEIVED:279:extension not received
 SSL_R_EXTRA_DATA_IN_MESSAGE:153:extra data in message
 SSL_R_EXT_LENGTH_MISMATCH:163:ext length mismatch
 SSL_R_FAILED_TO_INIT_ASYNC:405:failed to init async
+SSL_R_ALGORITHM_FETCH_FAILED:295:algorithm fetch failed
 SSL_R_FRAGMENTED_CLIENT_HELLO:401:fragmented client hello
 SSL_R_GOT_A_FIN_BEFORE_A_CCS:154:got a fin before a ccs
 SSL_R_HTTPS_PROXY_REQUEST:155:https proxy request
diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
index 8ccdf3dc6b..e1617aae45 100644
--- a/include/openssl/sslerr.h
+++ b/include/openssl/sslerr.h
@@ -561,6 +561,7 @@ int ERR_load_SSL_strings(void);
 # define SSL_R_EXTRA_DATA_IN_MESSAGE 153
 # define SSL_R_EXT_LENGTH_MISMATCH 163
 # define SSL_R_FAILED_TO_INIT_ASYNC 405
+# define SSL_R_ALGORITHM_FETCH_FAILED 295
 # define SSL_R_FRAGMENTED_CLIENT_HELLO 401
 # define SSL_R_GOT_A_FIN_BEFORE_A_CCS 154
 # define SSL_R_HTTPS_PROXY_REQUEST 155
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 517e90c141..85d9dd8448 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
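Review bot: SSL_R_ALGORITHM_FETCH_FAILED is inserted between SSL_R_FAILED_TO_INIT_ASYNC and SSL_R_FRAGMENTED_CLIENT_HELLO, which breaks the alphabetical order the surrounding reason lines visibly follow; the same placement appears in the include/openssl/sslerr.h hunk and in the ssl/ssl_err.c hunk. If these files are regenerated by the project's error-string tooling, the next regeneration will move the line and produce unrelated-looking churn, so placing it among the SSL_R_A… entries now avoids that. Keeping the three files in the same order as each other also makes a later audit of reason codes (here `295`) easier to do by eye.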
@@ -171,6 +171,8 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
 "ext length mismatch"},
 {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_FAILED_TO_INIT_ASYNC),
 "failed to init async"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ALGORITHM_FETCH_FAILED),
+ "algorithm fetch failed"},
 {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_FRAGMENTED_CLIENT_HELLO),
 "fragmented client hello"},
 {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_GOT_A_FIN_BEFORE_A_CCS),
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index dfc6f5a721..534902f9b9 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -2560,6 +2560,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
 unsigned int sess_len;
 RAW_EXTENSION *exts = NULL;
 PACKET nonce;
+ EVP_MD *sha256 = NULL;
 PACKET_null_init(&nonce);
@@ -2675,20 +2676,28 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
 * other way is to set zero length session ID when the ticket is
 * presented and rely on the handshake to determine session resumption.
 * We choose the former approach because this fits in with assumptions
- * elsewhere in OpenSSL. The session ID is set to the SHA256 (or SHA1 is
- * SHA256 is disabled) hash of the ticket.
+ * elsewhere in OpenSSL. The session ID is set to the SHA256 hash of the
+ * ticket.
 */
+ sha256 = EVP_MD_fetch(s->ctx->libctx, "SHA2-256", s->ctx->propq);
+ if (sha256 == NULL) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET,
+ SSL_R_ALGORITHM_FETCH_FAILED);
+ goto err;
+ }
 /*
 * TODO(size_t): we use sess_len here because EVP_Digest expects an int
 * but s->session->session_id_length is a size_t
 */
 if (!EVP_Digest(s->session->ext.tick, ticklen, s->session->session_id, &sess_len,
- EVP_sha256(), NULL)) {
+ sha256, NULL)) {
 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, ERR_R_EVP_LIB);
 goto err;
 }
+ EVP_MD_free(sha256);
+ sha256 = NULL;
 s->session->session_id_length = sess_len;
 s->session->not_resumable = 0;
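Review bot: The digest output length is now provider-controlled, but the EVP_Digest call in the @@ -2675 hunk still writes into the fixed-size s->session->session_id buffer with no length check, whereas the compiled-in EVP_sha256() it replaces had a fixed 32-byte output. A one-line guard after the successful fetch keeps a mismatched or misbehaving provider implementation from overrunning the session id, e.g. `if (EVP_MD_size(sha256) > (int)sizeof(s->session->session_id)) goto err;` raised through the same SSLfatal as the fetch-failure branch. The algorithm name `"SHA2-256"` is a bare string literal; if the project already has a shared name constant for this digest, using it here avoids drift between fetch sites. SSLfatal with SSL_R_ALGORITHM_FETCH_FAILED is pushed on top of whatever EVP_MD_fetch already recorded, which is acceptable but deserves a short comment such as `/* EVP_MD_fetch has already recorded the underlying reason */`. tls_process_new_session_ticket starts and ends outside this hunk; the matching `sha256` declaration and the err-path EVP_MD_free live in the neighbouring hunks.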
@@ -2727,6 +2736,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
 return MSG_PROCESS_CONTINUE_READING;
 err:
+ EVP_MD_free(sha256);
 OPENSSL_free(exts);
 return MSG_PROCESS_ERROR;
 }