Commit e880d4e5 authored by Matt Caswell's avatar Matt Caswell

Use stateful tickets if we are doing anti-replay



During anti-replay we cache the ticket anyway, so there is no point in
using a full stateless ticket.

Fixes #6391

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
Reviewed-by: default avatarViktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6563)
parent 6cc0b3c2
+7 −1
@@ -1159,7 +1159,13 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
            uint32_t ticket_age = 0, now, agesec, agems;
            int ret;

            if ((s->options & SSL_OP_NO_TICKET) != 0)
            /*
             * If we are using anti-replay protection then we behave as if
             * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
             * is no point in using full stateless tickets.
             */
            if ((s->options & SSL_OP_NO_TICKET) != 0
                    || s->max_early_data > 0)
                ret = tls_get_stateful_ticket(s, &identity, &sess);
            else
                ret = tls_decrypt_ticket(s, PACKET_data(&identity),
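Review bot: The new `(s->options & SSL_OP_NO_TICKET) != 0 || s->max_early_data > 0` test now decides the ticket format in two places, here when the PSK identity is looked up and again in tls_construct_new_session_ticket when the ticket is issued, and the two must stay identical: if they ever diverge, a client presenting a stateless ticket is searched for in the session cache (or the reverse) and resumption silently fails, which would also quietly defeat the early-data anti-replay the change relies on. A single shared helper, e.g. `static int tls_use_stateful_ticket(const SSL *s) { return (s->options & SSL_OP_NO_TICKET) != 0 || s->max_early_data > 0; }` called from both sites, removes that risk. The comment could also name the actual condition being tested rather than the concept, e.g. `/* max_early_data > 0 implies anti-replay, which already caches tickets server-side */`. The issuing site additionally checks SSL_IS_TLS13(s) while this one does not, which appears fine because the PSK extension is TLS 1.3-only, but stating that in the comment would spare the next reader the question. tls_parse_ctos_psk continues outside the hunk.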
+7 −1
@@ -4082,7 +4082,13 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
        tctx->generate_ticket_cb(s, tctx->ticket_cb_data) == 0)
        goto err;

    if ((s->options & SSL_OP_NO_TICKET) != 0 && SSL_IS_TLS13(s)) {
    /*
     * If we are using anti-replay protection then we behave as if
     * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
     * is no point in using full stateless tickets.
     */
    if (((s->options & SSL_OP_NO_TICKET) != 0 || s->max_early_data > 0)
            && SSL_IS_TLS13(s)) {
        if (!construct_stateful_ticket(s, pkt, age_add_u.age_add, tick_nonce)) {
            /* SSLfatal() already called */
            goto err;