diff options
Diffstat (limited to 'tls_server.c')
| -rw-r--r-- | tls_server.c | 36 |
1 files changed, 25 insertions, 11 deletions
diff --git a/tls_server.c b/tls_server.c index 98a8389..11303ca 100644 --- a/tls_server.c +++ b/tls_server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_server.c,v 1.45 2019/05/13 22:36:01 bcook Exp $ */ +/* $OpenBSD: tls_server.c,v 1.49 2023/05/14 07:26:25 op Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -20,6 +20,8 @@ #include <arpa/inet.h> +#include <string.h> + #include <openssl/ec.h> #include <openssl/err.h> #include <openssl/ssl.h> @@ -110,7 +112,7 @@ tls_servername_cb(SSL *ssl, int *al, void *arg) inet_pton(AF_INET6, name, &addrbuf) == 1) return (SSL_TLSEXT_ERR_NOACK); - free((char *)conn_ctx->servername); + free(conn_ctx->servername); if ((conn_ctx->servername = strdup(name)) == NULL) goto err; @@ -134,7 +136,7 @@ tls_servername_cb(SSL *ssl, int *al, void *arg) * There is no way to tell libssl that an internal failure occurred. * The only option we have is to return a fatal alert. */ - *al = TLS1_AD_INTERNAL_ERROR; + *al = SSL_AD_INTERNAL_ERROR; return (SSL_TLSEXT_ERR_ALERT_FATAL); } @@ -186,10 +188,16 @@ tls_server_ticket_cb(SSL *ssl, unsigned char *keyname, unsigned char *iv, memcpy(keyname, key->key_name, sizeof(key->key_name)); arc4random_buf(iv, EVP_MAX_IV_LENGTH); - EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, - key->aes_key, iv); - HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key), - EVP_sha256(), NULL); + if (!EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, + key->aes_key, iv)) { + tls_set_errorx(tls_ctx, "failed to init encrypt"); + return (-1); + } + if (!HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key), + EVP_sha256(), NULL)) { + tls_set_errorx(tls_ctx, "failed to init hmac"); + return (-1); + } return (0); } else { /* get key by name */ @@ -197,10 +205,16 @@ tls_server_ticket_cb(SSL *ssl, unsigned char *keyname, unsigned char *iv, if (key == NULL) return (0); - EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, - key->aes_key, iv); - HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key), - EVP_sha256(), NULL); + if (!EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, + key->aes_key, iv)) { + tls_set_errorx(tls_ctx, "failed to init decrypt"); + return (-1); + } + if (!HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key), + EVP_sha256(), NULL)) { + tls_set_errorx(tls_ctx, "failed to init hmac"); + return (-1); + } /* time to renew the ticket? is it the primary key? */ if (key != &tls_ctx->config->ticket_keys[0]) |