From 15d717f574b2aad393f1f039ca0fbcd1a0886439 Mon Sep 17 00:00:00 2001 From: Emilia Kasper Date: Wed, 19 Nov 2014 16:40:27 +0100 Subject: [PATCH] Always require an advertised NewSessionTicket message. The server must send a NewSessionTicket message if it advertised one in the ServerHello, so make a missing ticket message an alert in the client. An equivalent change was independently made in BoringSSL, see commit 6444287806d801b9a45baf1f6f02a0e3a16e144c. Reviewed-by: Matt Caswell (cherry picked from commit de2c7504ebd4ec15334ae151a31917753468f86f) Conflicts: CHANGES --- CHANGES | 16 ++++++++++------ ssl/s3_clnt.c | 13 +------------ 2 files changed, 11 insertions(+), 18 deletions(-) diff --git a/CHANGES b/CHANGES index de1f0c9fb..38c4e5f1d 100644 --- a/CHANGES +++ b/CHANGES @@ -4,12 +4,16 @@ Changes between 1.0.1j and 1.0.1k [xx XXX xxxx] - *) Tighten client-side session ticket handling during renegotiation: - ensure that the client only accepts a session ticket if the server sends - the extension anew in the ServerHello. Previously, a TLS client would - reuse the old extension state and thus accept a session ticket if one was - announced in the initial ServerHello. - [Emilia Käsper] + *) Tighten client-side session ticket handling during renegotiation: + ensure that the client only accepts a session ticket if the server sends + the extension anew in the ServerHello. Previously, a TLS client would + reuse the old extension state and thus accept a session ticket if one was + announced in the initial ServerHello. + + Similarly, ensure that the client requires a session ticket if one + was advertised in the ServerHello. Previously, a TLS client would + ignore a missing NewSessionTicket message. + [Emilia Käsper] Changes between 1.0.1i and 1.0.1j [15 Oct 2014] diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index e3c9533ee..6bbcf391c 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c 
@@ -2160,24 +2160,13 @@ int ssl3_get_new_session_ticket(SSL *s) n=s->method->ssl_get_message(s, SSL3_ST_CR_SESSION_TICKET_A, SSL3_ST_CR_SESSION_TICKET_B, - -1, + SSL3_MT_NEWSESSION_TICKET, 16384, &ok); if (!ok) return((int)n); - if (s->s3->tmp.message_type == SSL3_MT_FINISHED) - { - s->s3->tmp.reuse_message=1; - return(1); - } - if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) - { - al=SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_BAD_MESSAGE_TYPE); - goto f_err; - } if (n < 6) { /* need at least ticket_lifetime_hint + ticket length */
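Review bot: In the CHANGES hunk, the added paragraph says the client now "requires a session ticket" but does not say what happens when the NewSessionTicket message is missing. The commit message states that this becomes an alert in the client, so the entry should say so explicitly, because clients talking to a server that advertises the ticket in the ServerHello and then omits the message will see a failure where the message was previously ignored. Separately, the five removed and five re-added lines of the first paragraph carry identical text, so that part is a whitespace-only re-indent mixed into a content change; consider splitting it out or leaving the existing indentation alone to keep the cherry-pick conflict surface small.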
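Review bot: In the ssl/s3_clnt.c hunk, replacing -1 with SSL3_MT_NEWSESSION_TICKET in the ssl_get_message() call moves the message-type check out of ssl3_get_new_session_ticket(), and the removed branch was the only place in this hunk that named the alert and error (SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_MESSAGE_TYPE). Please confirm that the mismatch path inside ssl_get_message() raises an equivalent fatal alert, and add a short comment above the call saying that a Finished message arriving here is now rejected because the ticket was advertised in the ServerHello; without it the removal of the SSL3_MT_FINISHED / reuse_message branch reads like an accidental deletion. The diffstat shows only CHANGES and ssl/s3_clnt.c, so a regression test for a server that advertises a ticket and proceeds straight to Finished would be worth adding with this change.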