[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Tue Feb 10 22:56:41 UTC 2015 

The branch master has been updated
       via  b7c9187b32a14b5b4a850161aed5c044d2130d5a (commit)
       via  ea6bd2645431a064394c746fba7013950ea04f78 (commit)
       via  f2baac27d5f95326fa441e1cb08925b46f88b21c (commit)
       via  75ea3632bd4d647dae8191da4b228f491bec975d (commit)
      from  5afc296aa69d5c8d6aed9078c0ab4cc532cf2457 (commit)


- Log -----------------------------------------------------------------
commit b7c9187b32a14b5b4a850161aed5c044d2130d5a
Author: Matt Caswell <matt at openssl.org>
Date:   Sun Feb 8 23:37:54 2015 +0000

    Add SSL_SESSION_get0_ticket API function.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

commit ea6bd2645431a064394c746fba7013950ea04f78
Author: Matt Caswell <matt at openssl.org>
Date:   Sun Feb 8 22:41:10 2015 +0000

    Correct reading back of tlsext_tick_lifetime_hint from ASN1.
    
    When writing out the hint, if the hint > 0, then we write it out otherwise
    we skip it.
    
    Previously when reading the hint back in, if were expecting to see one
    (because the ticket length > 0), but it wasn't present then we set the hint
    to -1, otherwise we set it to 0. This fails to set the hint to the same as
    when it was written out.
    
    The hint should never be negative because the RFC states the hint is
    unsigned. It is valid for a server to set the hint to 0 (this means the
    lifetime is unspecified according to the RFC). If the server set it to 0, it
    should still be 0 when we read it back in.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

commit f2baac27d5f95326fa441e1cb08925b46f88b21c
Author: Matt Caswell <matt at openssl.org>
Date:   Sun Feb 8 15:43:16 2015 +0000

    Provide the API functions SSL_SESSION_has_ticket and
    SSL_SESSION_get_ticket_lifetime_hint. The latter has been reported as
    required to fix Qt for OpenSSL 1.1.0. I have also added the former in order
    to determine whether a ticket is present or not - otherwise it is difficult
    to know whether a zero lifetime hint is because the server set it to 0, or
    because there is no ticket.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

commit 75ea3632bd4d647dae8191da4b228f491bec975d
Author: Matt Caswell <matt at openssl.org>
Date:   Sun Feb 8 15:42:46 2015 +0000

    Make tlsext_tick_lifetime_hint an unsigned long (from signed long).
    
    From RFC4507:
    "The ticket_lifetime_hint field contains a hint from the server about how
    long the ticket should be stored.  The value indicates the lifetime in
    seconds as a 32-bit unsigned integer in network byte order."
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 doc/ssl/SSL_SESSION_has_ticket.pod |   42 ++++++++++++++++++++++++++++++++++++
 ssl/ssl.h                          |    4 ++++
 ssl/ssl_asn1.c                     |    4 +---
 ssl/ssl_locl.h                     |    2 +-
 ssl/ssl_sess.c                     |   18 ++++++++++++++++
 5 files changed, 66 insertions(+), 4 deletions(-)
 create mode 100644 doc/ssl/SSL_SESSION_has_ticket.pod

diff --git a/doc/ssl/SSL_SESSION_has_ticket.pod b/doc/ssl/SSL_SESSION_has_ticket.pod
new file mode 100644
index 0000000..d9b2a06
--- /dev/null
+++ b/doc/ssl/SSL_SESSION_has_ticket.pod
@@ -0,0 +1,42 @@
+=pod
+
+=head1 NAME
+
+SSL_SESSION_has_ticket, SSL_SESSION_get_ticket_lifetime_hint, SSL_SESSION_get_ticket - get details about the ticket associated with a session
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_SESSION_has_ticket(const SSL_SESSION *s);
+ unsigned long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s);
+ void SSL_SESSION_get0_ticket(const SSL_SESSION *s, unsigned char **tick,
+                            size_t *len);
+
+=head1 DESCRIPTION
+
+SSL_SESSION_has_ticket() returns 1 if there is a Session Ticket associated with
+this session, and 0 otherwise.
+
+SSL_SESSION_get_ticket_lifetime_hint returns the lifetime hint in seconds
+associated with the session ticket.
+
+SSL_SESSION_get0_ticket obtains a pointer to the ticket associated with a
+session. The length of the ticket is written to B<*len>. If B<tick> is non
+NULL then a pointer to the ticket is written to B<*tick>. The pointer is only
+valid while the connection is in use. The session (and hence the ticket pointer)
+may also become invalid as a result of a call to SSL_CTX_flush_sessions().
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<d2i_SSL_SESSION(3)|d2i_SSL_SESSION(3)>,
+L<SSL_SESSION_get_time(3)|SSL_SESSION_get_time(3)>,
+L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>
+
+=head1 HISTORY
+
+SSL_SESSION_has_ticket, SSL_SESSION_get_ticket_lifetime_hint and
+SSL_SESSION_get0_ticket were added in OpenSSL 1.1.0.
+
+=cut
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 564b75e..13fb053 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1460,6 +1460,10 @@ long SSL_SESSION_get_time(const SSL_SESSION *s);
 long SSL_SESSION_set_time(SSL_SESSION *s, long t);
 long SSL_SESSION_get_timeout(const SSL_SESSION *s);
 long SSL_SESSION_set_timeout(SSL_SESSION *s, long t);
+int SSL_SESSION_has_ticket(const SSL_SESSION *s);
+unsigned long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s);
+void SSL_SESSION_get0_ticket(const SSL_SESSION *s, unsigned char **tick,
+                            size_t *len);
 void SSL_copy_session_id(SSL *to, const SSL *from);
 X509 *SSL_SESSION_get0_peer(SSL_SESSION *s);
 int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx,
diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c
index b27e058..63fe17f 100644
--- a/ssl/ssl_asn1.c
+++ b/ssl/ssl_asn1.c
@@ -569,9 +569,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
         OPENSSL_free(ai.data);
         ai.data = NULL;
         ai.length = 0;
-    } else if (ret->tlsext_ticklen && ret->session_id_length)
-        ret->tlsext_tick_lifetime_hint = -1;
-    else
+    } else
         ret->tlsext_tick_lifetime_hint = 0;
     os.length = 0;
     os.data = NULL;
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 49425d8..7a8a303 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -670,7 +670,7 @@ struct ssl_session_st {
     /* RFC4507 info */
     unsigned char *tlsext_tick; /* Session ticket */
     size_t tlsext_ticklen;      /* Session ticket length */
-    long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
+    unsigned long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
 # endif
 # ifndef OPENSSL_NO_SRP
     char *srp_username;
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 0eda59e..cf019c8 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -848,6 +848,24 @@ long SSL_SESSION_set_time(SSL_SESSION *s, long t)
     return (t);
 }
 
+int SSL_SESSION_has_ticket(const SSL_SESSION *s)
+{
+    return (s->tlsext_ticklen > 0) ? 1 : 0;
+}
+
+unsigned long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s)
+{
+    return s->tlsext_tick_lifetime_hint;
+}
+
+void SSL_SESSION_get0_ticket(const SSL_SESSION *s, unsigned char **tick,
+                            size_t *len)
+{
+    *len = s->tlsext_ticklen;
+    if(tick != NULL)
+        *tick = s->tlsext_tick;
+}
+
 X509 *SSL_SESSION_get0_peer(SSL_SESSION *s)
 {
     return s->peer;

More information about the openssl-commits mailing list