From 4ff1a5266685f4a687a9f91b531c2f979b96db22 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Fri, 1 Jun 2018 16:52:34 +0100
Subject: Fix TLSv1.3 ticket nonces

All tickets on a connection need to have a unique nonce. When this was originally implemented we only ever sent one ticket on the conneciton so this didn't matter. We were just using the value 0. Now we can get multiple tickets to we need to start doing the ticket nonce properly.

Fixes #6387

Reviewed-by: Andy Polyakov
(Merged from https://github.com/openssl/openssl/pull/6415)
---
 ssl/statem/statem_clnt.c | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
(limited to 'ssl/statem/statem_clnt.c')
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 6c0f8be564..99445a6564 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -22,6 +22,7 @@
 #include
 #include
 #include
+#include
 static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, PACKET *pkt);
 static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt);
@@ -2674,6 +2675,32 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
 /* This is a standalone message in TLSv1.3, so there is no more to read */
 if (SSL_IS_TLS13(s)) {
+ const EVP_MD *md = ssl_handshake_md(s);
+ int hashleni = EVP_MD_size(md);
+ size_t hashlen;
+ static const unsigned char nonce_label[] = "resumption";
+
+ /* Ensure cast to size_t is safe */
+ if (!ossl_assert(hashleni >= 0)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR,
+ SSL_F_TLS_PROCESS_NEW_SESSION_TICKET,
+ ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ hashlen = (size_t)hashleni;
+
+ if (!tls13_hkdf_expand(s, md, s->resumption_master_secret,
+ nonce_label,
+ sizeof(nonce_label) - 1,
+ s->session->ext.tick_nonce,
+ s->session->ext.tick_nonce_len,
+ s->session->master_key,
+ hashlen)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
+ s->session->master_key_length = hashlen;
+
 OPENSSL_free(exts);
 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
 return MSG_PROCESS_FINISHED_READING;
-- 
cgit v1.2.3
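Review bot: The derived resumption PSK is written into `s->session->master_key` with length `hashlen`, but the only guard the hunk adds is `hashleni >= 0`; nothing here bounds `hashlen` by the size of that buffer, so a digest wider than the buffer would overflow silently rather than fail cleanly. If master_key is a fixed-size array, as the direct write into it suggests (its declaration is not visible here), widen the assertion to `if (!ossl_assert(hashleni >= 0 && (size_t)hashleni <= sizeof(s->session->master_key))) {` and reword its comment to `/* Ensure the cast to size_t is safe and the derived PSK fits master_key */`. That way an unexpected handshake digest size surfaces as SSL_AD_INTERNAL_ERROR on the existing error path instead of a memory-safety bug. The hunk also relies on `s->session->ext.tick_nonce` and `tick_nonce_len` having been parsed and validated earlier in tls_process_new_session_ticket, which starts and ends outside this hunk, so that earlier parsing is where the nonce length bound should be checked.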