Commit 9bdedec0 authored by Emilia Kasper

Tighten session ticket handling



Tighten client-side session ticket handling during renegotiation:
ensure that the client only accepts a session ticket if the server sends
the extension anew in the ServerHello. Previously, a TLS client would
reuse the old extension state and thus accept a session ticket if one was
announced in the initial ServerHello.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit d663df23)

Conflicts:
	CHANGES
parent f63fa8b1
+6 −1
@@ -4,7 +4,12 @@

 Changes between 1.0.1j and 1.0.1k [xx XXX xxxx]

  *)
  *) Tighten client-side session ticket handling during renegotiation:
     ensure that the client only accepts a session ticket if the server sends
     the extension anew in the ServerHello. Previously, a TLS client would
     reuse the old extension state and thus accept a session ticket if one was
     announced in the initial ServerHello.
     [Emilia Käsper]

 Changes between 1.0.1i and 1.0.1j [15 Oct 2014]

+9 −1
@@ -225,6 +225,14 @@ int ssl3_connect(SSL *s)
			s->renegotiate=1;
			s->state=SSL_ST_CONNECT;
			s->ctx->stats.sess_connect_renegotiate++;
#ifndef OPENSSL_NO_TLSEXT
			/*
			 * If renegotiating, the server may choose to not issue
			 * a new ticket, so reset the flag. It will be set to
			 * the right value when parsing ServerHello extensions.
			 */
			s->tlsext_ticket_expected = 0;
#endif
			/* break */
		case SSL_ST_BEFORE:
		case SSL_ST_CONNECT:
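Review bot: the reset of s->tlsext_ticket_expected sits only in the SSL_ST_RENEGOTIATE case of ssl3_connect, and the new comment relies on the ServerHello extension parser to set it "to the right value"; nothing in this hunk makes the parser clear the flag when the server omits the extension. Consider clearing the flag at the start of ServerHello extension parsing instead (or as well), so that any other client handshake path that starts a renegotiation gets the same guarantee without repeating this block.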
@@ -2223,7 +2231,7 @@ int ssl3_get_new_session_ticket(SSL *s)
		}
	memcpy(s->session->tlsext_tick, p, ticklen);
	s->session->tlsext_ticklen = ticklen;
	/* There are two ways to detect a resumed ticket sesion.
	/* There are two ways to detect a resumed ticket session.
	 * One is to set an appropriate session ID and then the server
	 * must return a match in ServerHello. This allows the normal
	 * client session ID matching to work and we know much 
+15 −1
@@ -335,7 +335,21 @@ int ssl_get_new_session(SSL *s, int session)
			return(0);
			}
#ifndef OPENSSL_NO_TLSEXT
		/* If RFC4507 ticket use empty session ID */
		/*
		 * If RFC5077 ticket, use empty session ID (as server).
		 * Note that:
		 * (a) ssl_get_prev_session() does lookahead into the
		 *     ClientHello extensions to find the session ticket.
		 *     When ssl_get_prev_session() fails, s3_srvr.c calls
		 *     ssl_get_new_session() in ssl3_get_client_hello().
		 *     At that point, it has not yet parsed the extensions,
		 *     however, because of the lookahead, it already knows
		 *     whether a ticket is expected or not.
		 *
		 * (b) s3_clnt.c calls ssl_get_new_session() before parsing
		 *     ServerHello extensions, and before recording the session
		 *     ID received from the server, so this block is a noop.
		 */
		if (s->tlsext_ticket_expected)
			{
			ss->session_id_length = 0;
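Review bot: note (b) documents the "if (s->tlsext_ticket_expected)" block as a no-op on the client, but that holds only because of call ordering and because the flag is zero when s3_clnt.c calls ssl_get_new_session(); the condition itself does not encode it. Since the comment already says "(as server)", consider making the test explicit, for example "if (s->server && s->tlsext_ticket_expected)", so a later reordering on the client side cannot silently zero the session ID length.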