author | Matt Caswell <matt@openssl.org> | 2017-01-17 10:43:37 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2017-01-30 10:18:20 +0000 |
commit | fc24f0bf45085c0f6272af8bb3ff03602face505 (patch) | |
tree | 443d7d382e96dd66fd68217aad07364cd419a724 /ssl/statem | |
parent | ec15acb6bc554b8f87a519c3519f5bf4d367ded9 (diff) |
Add support for the age_add field
Update SSL_SESSION to store the age_add and use it where needed.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
Diffstat (limited to 'ssl/statem')
-rw-r--r-- | ssl/statem/extensions_clnt.c | 11 | ||||
-rw-r--r-- | ssl/statem/statem_clnt.c | 12 | ||||
-rw-r--r-- | ssl/statem/statem_srvr.c | 10 |
3 files changed, 26 insertions, 7 deletions
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index c6a8124c9e..366462ee85 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -694,6 +694,11 @@ int tls_construct_ctos_psk(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
 now = (uint32_t)time(NULL);
 ages = now - (uint32_t)s->session->time;
+ if (s->session->ext.tick_lifetime_hint < ages) {
+ /* Ticket is too old. Ignore it. */
+ return 1;
+ }
+
 /*
 * Calculate age in ms. We're just doing it to nearest second. Should be
 * good enough.
@@ -708,7 +713,11 @@ int tls_construct_ctos_psk(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
 return 1;
 }
- /* TODO(TLS1.3): Obfuscate the age here */
+ /*
+ * Obfuscate the age. Overflow here is fine, this addition is supposed to
+ * be mod 2^32.
+ */
+ agems += s->session->ext.tick_age_add;
 cipher = ssl3_get_cipher_by_id(s->session->cipher_id);
 if (cipher == NULL) {
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index d5d622c1c5..3bcd5902c1 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -48,6 +48,7 @@
 */
 #include <stdio.h>
+#include <time.h>
 #include "../ssl_locl.h"
 #include "statem_locl.h"
 #include <openssl/buffer.h>
@@ -2195,12 +2196,12 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
 {
 int al;
 unsigned int ticklen;
- unsigned long ticket_lifetime_hint, add_age;
+ unsigned long ticket_lifetime_hint, age_add;
 unsigned int sess_len;
 RAW_EXTENSION *exts = NULL;
 if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint)
- || (SSL_IS_TLS13(s) && !PACKET_get_net_4(pkt, &add_age))
+ || (SSL_IS_TLS13(s) && !PACKET_get_net_4(pkt, &age_add))
 || !PACKET_get_net_2(pkt, &ticklen)
 || (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) != ticklen)
 || (SSL_IS_TLS13(s) && (ticklen == 0
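Review bot: In `tls_construct_ctos_psk` (ssl/statem/extensions_clnt.c, first hunk) the new expiry check trusts the server-supplied `tick_lifetime_hint` with no upper bound, so the peer alone decides how long a ticket stays eligible for resumption. TLS 1.3 limits ticket lifetime to 604800 seconds (7 days) and expects clients to stop using older tickets whatever value was advertised; the condition could become `if (s->session->ext.tick_lifetime_hint < ages || ages > 604800) {`. A clock that steps backwards makes `ages` wrap to a large value, which this check rejects, so that case fails closed and a short comment saying so would help. The function body starts and ends outside the hunk.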
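Review bot: The comment above `agems += s->session->ext.tick_age_add;` (second hunk of extensions_clnt.c) promises wrap-around mod 2^32, which holds only if `agems` is an unsigned 32-bit type; its declaration is outside the hunk. If it is wider, the reduction would only happen when the value is later narrowed for the packet, so the comment should name the type it relies on once that is confirmed, along the lines of `agems is a uint32_t, so the sum wraps mod 2^32`.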
@@ -2243,6 +2244,12 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
 s->session = new_sess;
 }
+ /*
+ * Technically the cast to long here is not guaranteed by the C standard -
+ * but we use it elsewhere, so this should be ok.
+ */
+ s->session->time = (long)time(NULL);
+
 OPENSSL_free(s->session->ext.tick);
 s->session->ext.tick = NULL;
 s->session->ext.ticklen = 0;
@@ -2259,6 +2266,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
 }
 s->session->ext.tick_lifetime_hint = ticket_lifetime_hint;
+ s->session->ext.tick_age_add = age_add;
 s->session->ext.ticklen = ticklen;
 if (SSL_IS_TLS13(s)) {
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 20e521a9d6..98171b948c 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3250,6 +3250,12 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
 uint32_t age_add;
 } age_add_u;
+ if (SSL_IS_TLS13(s)) {
+ if (RAND_bytes(age_add_u.age_add_c, sizeof(age_add_u)) <= 0)
+ goto err;
+ s->session->ext.tick_age_add = age_add_u.age_add;
+ }
+
 /* get session encoding length */
 slen_full = i2d_SSL_SESSION(s->session, NULL);
 /*
@@ -3341,10 +3347,6 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
 sizeof(tctx->ext.tick_key_name));
 }
- if (SSL_IS_TLS13(s) && RAND_bytes(age_add_u.age_add_c,
- sizeof(age_add_u)) <= 0)
- goto err;
-
 /*
 * Ticket lifetime hint (advisory only): We leave this unspecified
 * for resumed session (for simplicity), and guess that tickets for |
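Review bot: The reset `s->session->time = (long)time(NULL);` in `tls_process_new_session_ticket` (statem_clnt.c, hunk at -2243) runs for every protocol version, although only the TLS 1.3 ticket-age calculation needs the ticket's receipt time. If session expiry is also measured from `session->time` (not visible in this hunk), each renewed ticket on an older protocol version would restart that clock and let a session outlive its configured timeout; consider guarding the assignment with `if (SSL_IS_TLS13(s))` or confirming that expiry uses a different field. The result of `time()` is also stored without a check for `(time_t)-1`. The function starts and ends outside the hunk.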
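Review bot: `s->session->ext.tick_age_add = age_add;` (statem_clnt.c, hunk at -2259) reads `age_add` on every path, but the earlier hunk in this file declares it without an initializer and fills it through `PACKET_get_net_4(pkt, &age_add)` only when `SSL_IS_TLS13(s)` is true. For TLS 1.2 and below an indeterminate stack value is therefore copied into the session, where it may later be serialised or logged. Initialise it at the declaration, `unsigned long ticket_lifetime_hint, age_add = 0;`, or make the assignment conditional on `SSL_IS_TLS13(s)`. The function starts and ends outside the hunk.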
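Review bot: Moving the `RAND_bytes` call to the top of `tls_construct_new_session_ticket` (statem_srvr.c, hunk at -3250) means `goto err` can now run before the later allocations in this function, so the cleanup at `err` (outside the hunk) has to cope with pointers that were never assigned; confirm they are initialised to NULL where they are declared. The reason for the move is not recorded either: presumably `tick_age_add` must be set before `i2d_SSL_SESSION` so that it ends up in the encoded session, and a comment such as `/* Set age_add before encoding so it is stored in the ticket */` would keep a later refactor from moving it back. The function starts and ends outside the hunk.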