authorMatt Caswell <matt@openssl.org>2018-06-01 16:52:34 +0100
committerMatt Caswell <matt@openssl.org>2018-06-07 10:58:35 +0100
commit4ff1a5266685f4a687a9f91b531c2f979b96db22 (patch)
tree43fd2babb3b724e2c1eb4786a66f66ee4757cf88 /ssl/statem/statem_clnt.c
parent309371d6266877a8f04d0aa7b0f6add6d269d962 (diff)
Fix TLSv1.3 ticket nonces
All tickets on a connection need to have a unique nonce. When this was originally implemented we only ever sent one ticket on the connection, so this didn't matter: we were just using the value 0. Now that we can get multiple tickets, we need to start deriving the per-ticket nonce properly. Fixes #6387 Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6415)
Diffstat (limited to 'ssl/statem/statem_clnt.c')
-rw-r--r--ssl/statem/statem_clnt.c27
1 files changed, 27 insertions, 0 deletions
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 6c0f8be564..99445a6564 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -22,6 +22,7 @@
#include <openssl/dh.h>
#include <openssl/bn.h>
#include <openssl/engine.h>
+#include <internal/cryptlib.h>
static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, PACKET *pkt);
static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt);
@@ -2674,6 +2675,32 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
/* This is a standalone message in TLSv1.3, so there is no more to read */
if (SSL_IS_TLS13(s)) {
+ const EVP_MD *md = ssl_handshake_md(s);
+ int hashleni = EVP_MD_size(md);
+ size_t hashlen;
+ static const unsigned char nonce_label[] = "resumption";
+
+ /* Ensure cast to size_t is safe */
+ if (!ossl_assert(hashleni >= 0)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR,
+ SSL_F_TLS_PROCESS_NEW_SESSION_TICKET,
+ ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ hashlen = (size_t)hashleni;
+
+ if (!tls13_hkdf_expand(s, md, s->resumption_master_secret,
+ nonce_label,
+ sizeof(nonce_label) - 1,
+ s->session->ext.tick_nonce,
+ s->session->ext.tick_nonce_len,
+ s->session->master_key,
+ hashlen)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
+ s->session->master_key_length = hashlen;
+
OPENSSL_free(exts);
ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
return MSG_PROCESS_FINISHED_READING;
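Review bot: The `ossl_assert(hashleni >= 0)` guard ahead of the `tls13_hkdf_expand` call bounds the output length only from below, so nothing in the hunk shows that `hashlen` bytes fit in `s->session->master_key`; if that field is a fixed-size array (its declaration is not visible here), the write is safe only because every digest size is at most EVP_MAX_MD_SIZE, which is an implicit dependency worth making explicit as `if (!ossl_assert(hashleni >= 0 && (size_t)hashleni <= sizeof(s->session->master_key))) {`. The derivation itself follows the resumption-PSK formula of RFC 8446 but the block does not say so; I would add `/* Resumption PSK = HKDF-Expand-Label(resumption_master_secret, "resumption", ticket_nonce, Hash.length) (RFC 8446 s.4.6.1) */` above the call, and extend the existing `/* Ensure cast to size_t is safe */` comment to note that a NULL digest from `ssl_handshake_md()` presumably surfaces here as a negative `EVP_MD_size()` result and is rejected by the same check. The body of tls_process_new_session_ticket and the `err` label the two `goto`s target lie outside the hunk.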