authorEmilia Kasper <emilia@openssl.org>2014-10-28 17:35:59 +0100
committerEmilia Kasper <emilia@openssl.org>2014-10-28 17:35:59 +0100
commitd663df2399d1d9d6015bcfd2ec87b925ea3558a2 (patch)
tree088b028800ef69149db550d83e26180df5548168 /ssl
parent49b0dfc5026338f1227fdb0f9b3c18485dc459e9 (diff)
Tighten session ticket handling
Tighten client-side session ticket handling during renegotiation: ensure that the client only accepts a session ticket if the server sends the extension anew in the ServerHello. Previously, a TLS client would reuse the old extension state and thus accept a session ticket if one was announced in the initial ServerHello. Reviewed-by: Bodo Moeller <bodo@openssl.org>
Diffstat (limited to 'ssl')
-rw-r--r--ssl/s3_clnt.c10
-rw-r--r--ssl/ssl_sess.c16
2 files changed, 24 insertions, 2 deletions
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index d3836bfd77..68c00c52c7 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -225,6 +225,14 @@ int ssl3_connect(SSL *s)
s->renegotiate=1;
s->state=SSL_ST_CONNECT;
s->ctx->stats.sess_connect_renegotiate++;
+#ifndef OPENSSL_NO_TLSEXT
+ /*
+ * If renegotiating, the server may choose to not issue
+ * a new ticket, so reset the flag. It will be set to
+ * the right value when parsing ServerHello extensions.
+ */
+ s->tlsext_ticket_expected = 0;
+#endif
/* break */
case SSL_ST_BEFORE:
case SSL_ST_CONNECT:
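Review bot: The reset of `s->tlsext_ticket_expected` is tied to the `SSL_ST_RENEGOTIATE` case only, so the property this commit is after (a ticket is accepted only when the current ServerHello carries the extension) is enforced just for handshakes that enter through this state. The flag is set by the ServerHello extension parser, which is outside this hunk; also clearing it at the start of that parser with `s->tlsext_ticket_expected = 0;` would keep the invariant next to the code that depends on it and cover any other path that begins a new handshake on the same SSL object. The added comment could also state the consequence of a stale flag, e.g. `Otherwise the client would accept a NewSessionTicket that the server did not announce in this handshake.` The body of ssl3_connect() starts and ends outside the hunk.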
@@ -2351,7 +2359,7 @@ int ssl3_get_new_session_ticket(SSL *s)
}
memcpy(s->session->tlsext_tick, p, ticklen);
s->session->tlsext_ticklen = ticklen;
- /* There are two ways to detect a resumed ticket sesion.
+ /* There are two ways to detect a resumed ticket session.
* One is to set an appropriate session ID and then the server
* must return a match in ServerHello. This allows the normal
* client session ID matching to work and we know much
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 73d87fd6c1..3f9bad10a4 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -340,7 +340,21 @@ int ssl_get_new_session(SSL *s, int session)
return(0);
}
#ifndef OPENSSL_NO_TLSEXT
- /* If RFC4507 ticket use empty session ID */
+ /*
+ * If RFC5077 ticket, use empty session ID (as server).
+ * Note that:
+ * (a) ssl_get_prev_session() does lookahead into the
+ * ClientHello extensions to find the session ticket.
+ * When ssl_get_prev_session() fails, s3_srvr.c calls
+ * ssl_get_new_session() in ssl3_get_client_hello().
+ * At that point, it has not yet parsed the extensions,
+ * however, because of the lookahead, it already knows
+ * whether a ticket is expected or not.
+ *
+ * (b) s3_clnt.c calls ssl_get_new_session() before parsing
+ * ServerHello extensions, and before recording the session
+ * ID received from the server, so this block is a noop.
+ */
if (s->tlsext_ticket_expected)
{
ss->session_id_length = 0;
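Review bot: Point (b) of the new comment says this block is a no-op on the client, but during renegotiation that appears to hold only because `s->tlsext_ticket_expected` is now cleared in the `SSL_ST_RENEGOTIATE` case of ssl3_connect(). The comment should name that dependency, for example `(the flag is reset in ssl3_connect() when renegotiating)`. Without the cross-reference, a later change to the client state machine could let the block run with a stale flag and nobody reading this file would notice. If the block is meant for the server role only, expressing that in the condition would be more robust than relying on call order, though whether that is safe depends on code outside this hunk. The `if` body and the rest of ssl_get_new_session() continue past the last line shown.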