Don't store the ticket nonce in the session (6cf2dbd9) · Commits · CYBER - Cyber Security / TS 103 523 MSP / ETS / ETS OpenSSL

ssl/ssl_asn1.c

+2 −20

Original line number	Diff line number	Diff line
		@@ -41,7 +41,6 @@ typedef struct {
		uint64_t flags;
		uint32_t max_early_data;
		ASN1_OCTET_STRING *alpn_selected;
		ASN1_OCTET_STRING *tick_nonce;
		uint32_t tlsext_max_fragment_len_mode;
		ASN1_OCTET_STRING *ticket_appdata;
		} SSL_SESSION_ASN1;
		@@ -73,9 +72,8 @@ ASN1_SEQUENCE(SSL_SESSION_ASN1) = {
		ASN1_EXP_OPT_EMBED(SSL_SESSION_ASN1, tlsext_tick_age_add, ZUINT32, 14),
		ASN1_EXP_OPT_EMBED(SSL_SESSION_ASN1, max_early_data, ZUINT32, 15),
		ASN1_EXP_OPT(SSL_SESSION_ASN1, alpn_selected, ASN1_OCTET_STRING, 16),
		ASN1_EXP_OPT(SSL_SESSION_ASN1, tick_nonce, ASN1_OCTET_STRING, 17),
		ASN1_EXP_OPT_EMBED(SSL_SESSION_ASN1, tlsext_max_fragment_len_mode, ZUINT32, 18),
		ASN1_EXP_OPT(SSL_SESSION_ASN1, ticket_appdata, ASN1_OCTET_STRING, 19)
		ASN1_EXP_OPT_EMBED(SSL_SESSION_ASN1, tlsext_max_fragment_len_mode, ZUINT32, 17),
		ASN1_EXP_OPT(SSL_SESSION_ASN1, ticket_appdata, ASN1_OCTET_STRING, 18)
		} static_ASN1_SEQUENCE_END(SSL_SESSION_ASN1)

		IMPLEMENT_STATIC_ASN1_ENCODE_FUNCTIONS(SSL_SESSION_ASN1)
		@@ -124,7 +122,6 @@ int i2d_SSL_SESSION(SSL_SESSION in, unsigned char *pp)
		ASN1_OCTET_STRING psk_identity, psk_identity_hint;
		#endif
		ASN1_OCTET_STRING alpn_selected;
		ASN1_OCTET_STRING tick_nonce;
		ASN1_OCTET_STRING ticket_appdata;

		long l;
		@@ -195,12 +192,6 @@ int i2d_SSL_SESSION(SSL_SESSION in, unsigned char *pp)
		ssl_session_oinit(&as.alpn_selected, &alpn_selected,
		in->ext.alpn_selected, in->ext.alpn_selected_len);

		if (in->ext.tick_nonce == NULL)
		as.tick_nonce = NULL;
		else
		ssl_session_oinit(&as.tick_nonce, &tick_nonce,
		in->ext.tick_nonce, in->ext.tick_nonce_len);

		as.tlsext_max_fragment_len_mode = in->ext.max_fragment_len_mode;

		if (in->ticket_appdata == NULL)
		@@ -374,15 +365,6 @@ SSL_SESSION d2i_SSL_SESSION(SSL_SESSION a, const unsigned char *pp,
		ret->ext.alpn_selected_len = 0;
		}

		if (as->tick_nonce != NULL) {
		ret->ext.tick_nonce = as->tick_nonce->data;
		ret->ext.tick_nonce_len = as->tick_nonce->length;
		as->tick_nonce->data = NULL;
		} else {
		ret->ext.tick_nonce = NULL;
		ret->ext.tick_nonce_len = 0;
		}

		ret->ext.max_fragment_len_mode = as->tlsext_max_fragment_len_mode;

		if (as->ticket_appdata != NULL) {

ssl/ssl_locl.h

+0 −2

Original line number	Diff line number	Diff line
		@@ -569,8 +569,6 @@ struct ssl_session_st {
		/* Session lifetime hint in seconds */
		unsigned long tick_lifetime_hint;
		uint32_t tick_age_add;
		unsigned char *tick_nonce;
		size_t tick_nonce_len;
		int tick_identity;
		/* Max number of bytes that can be sent as early data */
		uint32_t max_early_data;

ssl/ssl_sess.c

+0 −9

Original line number	Diff line number	Diff line
		@@ -133,7 +133,6 @@ SSL_SESSION ssl_session_dup(SSL_SESSION src, int ticket)
		#endif
		dest->peer_chain = NULL;
		dest->peer = NULL;
		dest->ext.tick_nonce = NULL;
		dest->ticket_appdata = NULL;
		memset(&dest->ex_data, 0, sizeof(dest->ex_data));

		@@ -230,13 +229,6 @@ SSL_SESSION ssl_session_dup(SSL_SESSION src, int ticket)
		}
		}

		if (src->ext.tick_nonce != NULL) {
		dest->ext.tick_nonce = OPENSSL_memdup(src->ext.tick_nonce,
		src->ext.tick_nonce_len);
		if (dest->ext.tick_nonce == NULL)
		goto err;
		}

		#ifndef OPENSSL_NO_SRP
		if (src->srp_username) {
		dest->srp_username = OPENSSL_strdup(src->srp_username);
		@@ -824,7 +816,6 @@ void SSL_SESSION_free(SSL_SESSION *ss)
		OPENSSL_free(ss->srp_username);
		#endif
		OPENSSL_free(ss->ext.alpn_selected);
		OPENSSL_free(ss->ext.tick_nonce);
		OPENSSL_free(ss->ticket_appdata);
		CRYPTO_THREAD_lock_free(ss->lock);
		OPENSSL_clear_free(ss, sizeof(*ss));

ssl/statem/statem_clnt.c

+5 −5

Original line number	Diff line number	Diff line
		@@ -2559,12 +2559,12 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL s, PACKET pkt)
		RAW_EXTENSION *exts = NULL;
		PACKET nonce;

		PACKET_null_init(&nonce);

		if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint)
		\|\| (SSL_IS_TLS13(s)
		&& (!PACKET_get_net_4(pkt, &age_add)
		\|\| !PACKET_get_length_prefixed_1(pkt, &nonce)
		\|\| !PACKET_memdup(&nonce, &s->session->ext.tick_nonce,
		&s->session->ext.tick_nonce_len)))
		\|\| !PACKET_get_length_prefixed_1(pkt, &nonce)))
		\|\| !PACKET_get_net_2(pkt, &ticklen)
		\|\| (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) != ticklen)
		\|\| (SSL_IS_TLS13(s)
		@@ -2692,8 +2692,8 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL s, PACKET pkt)
		if (!tls13_hkdf_expand(s, md, s->resumption_master_secret,
		nonce_label,
		sizeof(nonce_label) - 1,
		s->session->ext.tick_nonce,
		s->session->ext.tick_nonce_len,
		PACKET_data(&nonce),
		PACKET_remaining(&nonce),
		s->session->master_key,
		hashlen)) {
		/* SSLfatal() already called */

ssl/statem/statem_srvr.c

+9 −18

Original line number	Diff line number	Diff line
		@@ -3753,6 +3753,7 @@ int tls_construct_new_session_ticket(SSL s, WPACKET pkt)
		unsigned char iv[EVP_MAX_IV_LENGTH];
		unsigned char key_name[TLSEXT_KEYNAME_LENGTH];
		int iv_len;
		unsigned char tick_nonce[TICKET_NONCE_SIZE];
		size_t macoffset, macendoffset;
		union {
		unsigned char age_add_c[sizeof(uint32_t)];
		@@ -3762,7 +3763,7 @@ int tls_construct_new_session_ticket(SSL s, WPACKET pkt)
		if (SSL_IS_TLS13(s)) {
		size_t i, hashlen;
		uint64_t nonce;
		const char nonce_label[] = "resumption";
		static const unsigned char nonce_label[] = "resumption";
		const EVP_MD *md = ssl_handshake_md(s);
		void (cb) (const SSL ssl, int type, int val) = NULL;
		int hashleni = EVP_MD_size(md);
		@@ -3781,7 +3782,6 @@ int tls_construct_new_session_ticket(SSL s, WPACKET pkt)
		else if (s->ctx->info_callback != NULL)
		cb = s->ctx->info_callback;


		if (cb != NULL) {
		/*
		* We don't start and stop the handshake in between each ticket when
		@@ -3823,26 +3823,17 @@ int tls_construct_new_session_ticket(SSL s, WPACKET pkt)
		}
		s->session->ext.tick_age_add = age_add_u.age_add;

		OPENSSL_free(s->session->ext.tick_nonce);
		s->session->ext.tick_nonce = OPENSSL_zalloc(TICKET_NONCE_SIZE);
		if (s->session->ext.tick_nonce == NULL) {
		SSLfatal(s, SSL_AD_INTERNAL_ERROR,
		SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
		ERR_R_MALLOC_FAILURE);
		goto err;
		}
		nonce = s->next_ticket_nonce;
		for (i = TICKET_NONCE_SIZE; nonce > 0 && i > 0; i--) {
		s->session->ext.tick_nonce[i - 1] = nonce & 0xff;
		for (i = TICKET_NONCE_SIZE; i > 0; i--) {
		tick_nonce[i - 1] = (unsigned char)(nonce & 0xff);
		nonce >>= 8;
		}
		s->session->ext.tick_nonce_len = TICKET_NONCE_SIZE;

		if (!tls13_hkdf_expand(s, md, s->resumption_master_secret,
		(const unsigned char *)nonce_label,
		nonce_label,
		sizeof(nonce_label) - 1,
		s->session->ext.tick_nonce,
		s->session->ext.tick_nonce_len,
		tick_nonce,
		TICKET_NONCE_SIZE,
		s->session->master_key,
		hashlen)) {
		/* SSLfatal() already called */
		@@ -3992,8 +3983,8 @@ int tls_construct_new_session_ticket(SSL s, WPACKET pkt)
		? 0 : s->session->timeout)
		\|\| (SSL_IS_TLS13(s)
		&& (!WPACKET_put_bytes_u32(pkt, age_add_u.age_add)
		\|\| !WPACKET_sub_memcpy_u8(pkt, s->session->ext.tick_nonce,
		s->session->ext.tick_nonce_len)))
		\|\| !WPACKET_sub_memcpy_u8(pkt, tick_nonce,
		TICKET_NONCE_SIZE)))
		/* Now the actual ticket data */
		\|\| !WPACKET_start_sub_packet_u16(pkt)
		\|\| !WPACKET_get_total_written(pkt, &macoffset)