Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
OpenHarmony
Third Party Openssl
提交
661dc143
T
Third Party Openssl
项目概览
OpenHarmony
/
Third Party Openssl
大约 1 年 前同步成功
通知
9
Star
18
Fork
1
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
T
Third Party Openssl
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
体验新版 GitCode,发现更多精彩内容 >>
提交
661dc143
编写于
10月 30, 2009
作者:
D
Dr. Stephen Henson
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Fix statless session resumption so it can coexist with SNI
上级
213f08a6
变更
4
隐藏空白更改
内联
并排
Showing
4 changed file
with
34 addition
and
16 deletion
+34
-16
CHANGES
CHANGES
+9
-0
ssl/s3_srvr.c
ssl/s3_srvr.c
+6
-5
ssl/ssl_asn1.c
ssl/ssl_asn1.c
+13
-6
ssl/t1_lib.c
ssl/t1_lib.c
+6
-5
未找到文件。
CHANGES
浏览文件 @
661dc143
...
...
@@ -4,6 +4,15 @@
Changes between 0.9.8k and 1.0 [xx XXX xxxx]
*) Fixes to stateless session resumption handling. Use initial_ctx when
issuing and attempting to decrypt tickets in case it has changed during
servername handling. Use a non-zero length session ID when attempting
stateless session resumption: this makes it possible to determine if
a resumption has occurred immediately after receiving server hello
(several places in OpenSSL subtly assume this) instead of later in
the handshake.
[Steve Henson]
*) Update OCSP request code to permit adding custom headers to the request:
some responders need this.
[Steve Henson]
...
...
ssl/s3_srvr.c
浏览文件 @
661dc143
...
...
@@ -2973,6 +2973,7 @@ int ssl3_send_newsession_ticket(SSL *s)
unsigned
int
hlen
;
EVP_CIPHER_CTX
ctx
;
HMAC_CTX
hctx
;
SSL_CTX
*
tctx
=
s
->
initial_ctx
;
unsigned
char
iv
[
EVP_MAX_IV_LENGTH
];
unsigned
char
key_name
[
16
];
...
...
@@ -3011,9 +3012,9 @@ int ssl3_send_newsession_ticket(SSL *s)
* it does all the work otherwise use generated values
* from parent ctx.
*/
if
(
s
->
ctx
->
tlsext_ticket_key_cb
)
if
(
t
ctx
->
tlsext_ticket_key_cb
)
{
if
(
s
->
ctx
->
tlsext_ticket_key_cb
(
s
,
key_name
,
iv
,
&
ctx
,
if
(
t
ctx
->
tlsext_ticket_key_cb
(
s
,
key_name
,
iv
,
&
ctx
,
&
hctx
,
1
)
<
0
)
{
OPENSSL_free
(
senc
);
...
...
@@ -3024,10 +3025,10 @@ int ssl3_send_newsession_ticket(SSL *s)
{
RAND_pseudo_bytes
(
iv
,
16
);
EVP_EncryptInit_ex
(
&
ctx
,
EVP_aes_128_cbc
(),
NULL
,
s
->
ctx
->
tlsext_tick_aes_key
,
iv
);
HMAC_Init_ex
(
&
hctx
,
s
->
ctx
->
tlsext_tick_hmac_key
,
16
,
t
ctx
->
tlsext_tick_aes_key
,
iv
);
HMAC_Init_ex
(
&
hctx
,
t
ctx
->
tlsext_tick_hmac_key
,
16
,
tlsext_tick_md
(),
NULL
);
memcpy
(
key_name
,
s
->
ctx
->
tlsext_tick_key_name
,
16
);
memcpy
(
key_name
,
t
ctx
->
tlsext_tick_key_name
,
16
);
}
l2n
(
s
->
session
->
tlsext_tick_lifetime_hint
,
p
);
/* Skip ticket length for now */
...
...
ssl/ssl_asn1.c
浏览文件 @
661dc143
...
...
@@ -579,19 +579,26 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
ret
->
tlsext_ticklen
=
os
.
length
;
os
.
data
=
NULL
;
os
.
length
=
0
;
#if 0
/* There are two ways to detect a resumed ticket sesion.
* One is to set a random session ID and then the server
* must return a match in ServerHello. This allows the normal
* client session ID matching to work.
* client session ID matching to work and we know much
* earlier that the ticket has been accepted.
*
* The other way is to set zero length session ID when the
* ticket is presented and rely on the handshake to determine
* session resumption.
*/
if
(
ret
->
session_id_length
==
0
)
{
ret->session_id_length=SSL3_MAX_SSL_SESSION_ID_LENGTH;
RAND_pseudo_bytes(ret->session_id,
ret->session_id_length);
}
EVP_Digest
(
ret
->
tlsext_tick
,
ret
->
tlsext_ticklen
,
ret
->
session_id
,
&
ret
->
session_id_length
,
#ifndef OPENSSL_NO_SHA256
EVP_sha256
(),
NULL
);
#else
EVP_sha1
(),
NULL
);
#endif
}
}
else
ret
->
tlsext_tick
=
NULL
;
...
...
ssl/t1_lib.c
浏览文件 @
661dc143
...
...
@@ -1516,16 +1516,17 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
unsigned
char
tick_hmac
[
EVP_MAX_MD_SIZE
];
HMAC_CTX
hctx
;
EVP_CIPHER_CTX
ctx
;
SSL_CTX
*
tctx
=
s
->
initial_ctx
;
/* Need at least keyname + iv + some encrypted data */
if
(
eticklen
<
48
)
goto
tickerr
;
/* Initialize session ticket encryption and HMAC contexts */
HMAC_CTX_init
(
&
hctx
);
EVP_CIPHER_CTX_init
(
&
ctx
);
if
(
s
->
ctx
->
tlsext_ticket_key_cb
)
if
(
t
ctx
->
tlsext_ticket_key_cb
)
{
unsigned
char
*
nctick
=
(
unsigned
char
*
)
etick
;
int
rv
=
s
->
ctx
->
tlsext_ticket_key_cb
(
s
,
nctick
,
nctick
+
16
,
int
rv
=
t
ctx
->
tlsext_ticket_key_cb
(
s
,
nctick
,
nctick
+
16
,
&
ctx
,
&
hctx
,
0
);
if
(
rv
<
0
)
return
-
1
;
...
...
@@ -1537,12 +1538,12 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
else
{
/* Check key name matches */
if
(
memcmp
(
etick
,
s
->
ctx
->
tlsext_tick_key_name
,
16
))
if
(
memcmp
(
etick
,
t
ctx
->
tlsext_tick_key_name
,
16
))
goto
tickerr
;
HMAC_Init_ex
(
&
hctx
,
s
->
ctx
->
tlsext_tick_hmac_key
,
16
,
HMAC_Init_ex
(
&
hctx
,
t
ctx
->
tlsext_tick_hmac_key
,
16
,
tlsext_tick_md
(),
NULL
);
EVP_DecryptInit_ex
(
&
ctx
,
EVP_aes_128_cbc
(),
NULL
,
s
->
ctx
->
tlsext_tick_aes_key
,
etick
+
16
);
t
ctx
->
tlsext_tick_aes_key
,
etick
+
16
);
}
/* Attempt to process session ticket, first conduct sanity and
* integrity checks on ticket.
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录