From a16ca4e8aeef1178ce013569058afcec1f6ac77c Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Mon, 22 Jun 2015 14:03:08 +0100 Subject: [PATCH] Fix PSK client handling. The PSK identity hint should be stored in the SSL_SESSION structure and not in the parent context (which will overwrite values used by other SSL structures with the same SSL_CTX). Reviewed-by: Matt Caswell --- ssl/s3_clnt.c | 30 +++++------------------------- 1 file changed, 5 insertions(+), 25 deletions(-) diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index a911bb154a..f912f2cf0d 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -1431,17 +1431,7 @@ int ssl3_get_key_exchange(SSL *s) al = SSL_AD_UNEXPECTED_MESSAGE; goto f_err; } -#ifndef OPENSSL_NO_PSK - /* - * In plain PSK ciphersuite, ServerKeyExchange can be omitted if no - * identity hint is sent. Set session->sess_cert anyway to avoid - * problems later. - */ - if (alg_k & SSL_kPSK) { - OPENSSL_free(s->ctx->psk_identity_hint); - s->ctx->psk_identity_hint = NULL; - } -#endif + s->s3->tmp.reuse_message = 1; return (1); } @@ -1504,9 +1494,9 @@ int ssl3_get_key_exchange(SSL *s) */ memcpy(tmp_id_hint, p, i); memset(tmp_id_hint + i, 0, PSK_MAX_IDENTITY_LEN + 1 - i); - OPENSSL_free(s->ctx->psk_identity_hint); - s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint); - if (s->ctx->psk_identity_hint == NULL) { + OPENSSL_free(s->session->psk_identity_hint); + s->session->psk_identity_hint = BUF_strdup(tmp_id_hint); + if (s->session->psk_identity_hint == NULL) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); goto f_err; @@ -2830,7 +2820,7 @@ int ssl3_send_client_key_exchange(SSL *s) if (!pms) goto memerr; - psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint, + psk_len = s->psk_client_callback(s, s->session->psk_identity_hint, identity, sizeof(identity) - 1, pms, pmslen); if (psk_len > PSK_MAX_PSK_LEN) { @@ -2859,16 +2849,6 @@ int ssl3_send_client_key_exchange(SSL *s) t += psk_len; s2n(psk_len, t); - OPENSSL_free(s->session->psk_identity_hint); - s->session->psk_identity_hint = - BUF_strdup(s->ctx->psk_identity_hint); - if (s->ctx->psk_identity_hint != NULL - && s->session->psk_identity_hint == NULL) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); - goto psk_err; - } - OPENSSL_free(s->session->psk_identity); s->session->psk_identity = BUF_strdup(identity); if (s->session->psk_identity == NULL) { -- 2.40.0