Commit 00848ea8 authored by Matt Caswell's avatar Matt Caswell
Browse files

Tolerate a zero length ticket nonce 



TLSv1.3 draft-21 requires the ticket nonce to be at least 1 byte in length.
However NSS sends a zero length nonce. This is actually ok because the next
draft will allow zero length nonces anyway, so we should tolerate this.

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3957)
parent 6b84e6bf

ssl/statem/extensions.c

+0 −4
Original line number Diff line number Diff line
@@ -1259,10 +1259,6 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, 
    if (external) {

        psk = sess->master_key;

    } else {

        if (sess->ext.tick_nonce == NULL) {

            SSLerr(SSL_F_TLS_PSK_DO_BINDER, SSL_R_BAD_PSK);

            goto err;

        }

        psk = tmppsk;

        if (!tls13_hkdf_expand(s, md, sess->master_key,

                               (const unsigned char *)nonce_label,

ssl/statem/statem_clnt.c

+0 −1
Original line number Diff line number Diff line
@@ -2429,7 +2429,6 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt) 
        || (SSL_IS_TLS13(s)

            && (!PACKET_get_net_4(pkt, &age_add)

                || !PACKET_get_length_prefixed_1(pkt, &nonce)

                || PACKET_remaining(&nonce) == 0

                || !PACKET_memdup(&nonce, &s->session->ext.tick_nonce,

                                  &s->session->ext.tick_nonce_len)))

        || !PACKET_get_net_2(pkt, &ticklen)