diff options
| author | David Benjamin <davidben@google.com> | 2016-09-17 02:34:02 +0300 |
|---|---|---|
| committer | Adam Langley <agl@google.com> | 2016-09-21 01:37:24 +0300 |
| commit | bac75b80cc4e4bad0a7fdfe651d32324ea8c185d (patch) | |
| tree | 126165153a8e15d29aad05bf9018ac82266449e0 | |
| parent | 1ccfb4e32d9dbc46eb7e0e27608c7f62fc280c3f (diff) | |
Move peer_psk_identity_hint to SSL_HANDSHAKE.
One less field to reset on renego and save a pointer of post-handshake
memory.
Change-Id: Ifc0c3c73072af244ee3848d9a798988d2c8a7c38
Reviewed-on: https://boringssl-review.googlesource.com/11086
Reviewed-by: Adam Langley <agl@google.com>
| -rw-r--r-- | include/openssl/ssl.h | 4 | ||||
| -rw-r--r-- | ssl/handshake_client.c | 13 | ||||
| -rw-r--r-- | ssl/internal.h | 4 | ||||
| -rw-r--r-- | ssl/s3_both.c | 1 | ||||
| -rw-r--r-- | ssl/s3_lib.c | 1 |
5 files changed, 8 insertions, 15 deletions
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 8602ec6c..ac1a63b4 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -4398,10 +4398,6 @@ typedef struct ssl3_state_st { * didn't use it to create the master secret initially. */ char extended_master_secret; - /* Client-only: peer_psk_identity_hint is the psk_identity_hint sent by the - * server when using a PSK key exchange. */ - char *peer_psk_identity_hint; - /* new_mac_secret_size is unused and exists only until wpa_supplicant can * be updated. It is only needed for EAP-FAST, which we don't support. */ uint8_t new_mac_secret_size; diff --git a/ssl/handshake_client.c b/ssl/handshake_client.c index d48b000f..b8153f5a 100644 --- a/ssl/handshake_client.c +++ b/ssl/handshake_client.c @@ -1116,20 +1116,13 @@ static int ssl3_get_server_key_exchange(SSL *ssl) { } if (ssl->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { + /* Some ciphers (pure PSK) have an optional ServerKeyExchange message. */ if (ssl_cipher_requires_server_key_exchange(ssl->s3->tmp.new_cipher)) { OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); return -1; } - /* In plain PSK ciphersuite, ServerKeyExchange may be omitted to send no - * identity hint. */ - if (ssl->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK) { - /* TODO(davidben): This should be reset in one place with the rest of the - * handshake state. */ - OPENSSL_free(ssl->s3->tmp.peer_psk_identity_hint); - ssl->s3->tmp.peer_psk_identity_hint = NULL; - } ssl->s3->tmp.reuse_message = 1; return 1; } @@ -1168,7 +1161,7 @@ static int ssl3_get_server_key_exchange(SSL *ssl) { } /* Save the identity hint as a C string. */ - if (!CBS_strdup(&psk_identity_hint, &ssl->s3->tmp.peer_psk_identity_hint)) { + if (!CBS_strdup(&psk_identity_hint, &ssl->s3->hs->peer_psk_identity_hint)) { al = SSL_AD_INTERNAL_ERROR; OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto f_err; @@ -1542,7 +1535,7 @@ static int ssl3_send_client_key_exchange(SSL *ssl) { char identity[PSK_MAX_IDENTITY_LEN + 1]; memset(identity, 0, sizeof(identity)); psk_len = ssl->psk_client_callback( - ssl, ssl->s3->tmp.peer_psk_identity_hint, identity, sizeof(identity), + ssl, ssl->s3->hs->peer_psk_identity_hint, identity, sizeof(identity), psk, sizeof(psk)); if (psk_len == 0) { OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND); diff --git a/ssl/internal.h b/ssl/internal.h index 13dec3ac..c090094a 100644 --- a/ssl/internal.h +++ b/ssl/internal.h @@ -922,6 +922,10 @@ struct ssl_handshake_st { size_t num_peer_sigalgs; uint8_t session_tickets_sent; + + /* peer_psk_identity_hint, on the client, is the psk_identity_hint sent by the + * server when using a TLS 1.2 PSK key exchange. */ + char *peer_psk_identity_hint; } /* SSL_HANDSHAKE */; SSL_HANDSHAKE *ssl_handshake_new(enum ssl_hs_wait_t (*do_handshake)(SSL *ssl)); diff --git a/ssl/s3_both.c b/ssl/s3_both.c index 4baa839f..23cda928 100644 --- a/ssl/s3_both.c +++ b/ssl/s3_both.c @@ -166,6 +166,7 @@ void ssl_handshake_free(SSL_HANDSHAKE *hs) { OPENSSL_free(hs->key_share_bytes); OPENSSL_free(hs->public_key); OPENSSL_free(hs->peer_sigalgs); + OPENSSL_free(hs->peer_psk_identity_hint); OPENSSL_free(hs); } diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 3378526e..2a7bbae7 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -210,7 +210,6 @@ void ssl3_free(SSL *ssl) { sk_X509_NAME_pop_free(ssl->s3->tmp.ca_names, X509_NAME_free); OPENSSL_free(ssl->s3->tmp.certificate_types); OPENSSL_free(ssl->s3->tmp.peer_supported_group_list); - OPENSSL_free(ssl->s3->tmp.peer_psk_identity_hint); SSL_SESSION_free(ssl->s3->new_session); SSL_SESSION_free(ssl->s3->established_session); ssl3_free_handshake_buffer(ssl); |