generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Tighten session ticket handling

Browse Source 
Tighten client-side session ticket handling during renegotiation:
ensure that the client only accepts a session ticket if the server sends
the extension anew in the ServerHello. Previously, a TLS client would
reuse the old extension state and thus accept a session ticket if one was
announced in the initial ServerHello.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit d663df2399d1d9d6015bcfd2ec87b925ea3558a2)

Conflicts:
	CHANGES
This commit is contained in:
Emilia Kasper 2014-10-28 17:35:59 +01:00
parent f63fa8b10a
commit 9bdedec0cf
3 changed files with 30 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
CHANGES
View File

@ -4,7 +4,12 @@
Changes between 1.0.1j and 1.0.1k [xx XXX xxxx] Changes between 1.0.1j and 1.0.1k [xx XXX xxxx]
*) *) Tighten client-side session ticket handling during renegotiation:
ensure that the client only accepts a session ticket if the server sends
the extension anew in the ServerHello. Previously, a TLS client would
reuse the old extension state and thus accept a session ticket if one was
announced in the initial ServerHello.
[Emilia Käsper]
Changes between 1.0.1i and 1.0.1j [15 Oct 2014] Changes between 1.0.1i and 1.0.1j [15 Oct 2014]

10
ssl/s3_clnt.c
View File

@ -225,6 +225,14 @@ int ssl3_connect(SSL *s)
s->renegotiate=1; s->renegotiate=1;
s->state=SSL_ST_CONNECT; s->state=SSL_ST_CONNECT;
s->ctx->stats.sess_connect_renegotiate++; s->ctx->stats.sess_connect_renegotiate++;
#ifndef OPENSSL_NO_TLSEXT
/*
* If renegotiating, the server may choose to not issue
* a new ticket, so reset the flag. It will be set to
* the right value when parsing ServerHello extensions.
*/
s->tlsext_ticket_expected = 0;
#endif
/* break */ /* break */
case SSL_ST_BEFORE: case SSL_ST_BEFORE:
case SSL_ST_CONNECT: case SSL_ST_CONNECT:
@ -2223,7 +2231,7 @@ int ssl3_get_new_session_ticket(SSL *s)
} }
memcpy(s->session->tlsext_tick, p, ticklen); memcpy(s->session->tlsext_tick, p, ticklen);
s->session->tlsext_ticklen = ticklen; s->session->tlsext_ticklen = ticklen;
/* There are two ways to detect a resumed ticket sesion. /* There are two ways to detect a resumed ticket session.
* One is to set an appropriate session ID and then the server * One is to set an appropriate session ID and then the server
* must return a match in ServerHello. This allows the normal * must return a match in ServerHello. This allows the normal
* client session ID matching to work and we know much * client session ID matching to work and we know much

16
ssl/ssl_sess.c
View File

@ -335,7 +335,21 @@ int ssl_get_new_session(SSL *s, int session)
return(0); return(0);
} }
#ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_TLSEXT
/* If RFC4507 ticket use empty session ID */ /*
* If RFC5077 ticket, use empty session ID (as server).
* Note that:
* (a) ssl_get_prev_session() does lookahead into the
* ClientHello extensions to find the session ticket.
* When ssl_get_prev_session() fails, s3_srvr.c calls
* ssl_get_new_session() in ssl3_get_client_hello().
* At that point, it has not yet parsed the extensions,
* however, because of the lookahead, it already knows
* whether a ticket is expected or not.
*
* (b) s3_clnt.c calls ssl_get_new_session() before parsing
* ServerHello extensions, and before recording the session
* ID received from the server, so this block is a noop.
*/
if (s->tlsext_ticket_expected) if (s->tlsext_ticket_expected)
{ {
ss->session_id_length = 0; ss->session_id_length = 0;