yuzu-emu/mbedtls
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

disable session resumption when ticket expired

Browse source 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
This commit is contained in:
Jerry Yu 2022-10-10 22:10:08 +08:00
parent 03aa174d7c
commit 4f77ecf409
2 changed files with 26 additions and 28 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

51
library/ssl_client.c
View file

@ -720,6 +720,30 @@ static int ssl_prepare_client_hello( mbedtls_ssl_context *ssl )
int ret; int ret;
size_t session_id_len; size_t session_id_len;
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
defined(MBEDTLS_SSL_SESSION_TICKETS) && \
defined(MBEDTLS_HAVE_TIME)
/* Check if a tls13 ticket has been configured. */
if( ssl->session_negotiate->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
ssl->handshake->resume != 0 &&
ssl->session_negotiate != NULL &&
ssl->session_negotiate->ticket != NULL )
{
mbedtls_time_t now = mbedtls_time( NULL );
if( ssl->session_negotiate->ticket_received > now ||
(uint64_t)( now - ssl->session_negotiate->ticket_received )
> ssl->session_negotiate->ticket_lifetime )
{
/* Without valid ticket, disable session resumption.*/
MBEDTLS_SSL_DEBUG_MSG(
3, ( "Ticket expired, disable session resumption" ) );
ssl->handshake->resume = 0;
}
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
MBEDTLS_SSL_SESSION_TICKETS &&
MBEDTLS_HAVE_TIME */
if( ssl->conf->f_rng == NULL ) if( ssl->conf->f_rng == NULL )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided" ) );
@ -843,33 +867,6 @@ static int ssl_prepare_client_hello( mbedtls_ssl_context *ssl )
} }
} }
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
defined(MBEDTLS_SSL_SESSION_TICKETS) && \
defined(MBEDTLS_HAVE_TIME)
/* Check if a tls13 ticket has been configured. */
if( ssl->session_negotiate->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
ssl->handshake->resume != 0 &&
ssl->session_negotiate != NULL &&
ssl->session_negotiate->ticket != NULL )
{
mbedtls_time_t now = mbedtls_time( NULL );
if( ssl->session_negotiate->ticket_received > now ||
(uint64_t)( now - ssl->session_negotiate->ticket_received )
> ssl->session_negotiate->ticket_lifetime )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket expired" ) );
mbedtls_platform_zeroize( ssl->session_negotiate->ticket,
ssl->session_negotiate->ticket_len );
mbedtls_free( ssl->session_negotiate->ticket );
ssl->session_negotiate->ticket = NULL;
ssl->session_negotiate->ticket_len = 0;
}
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
MBEDTLS_SSL_SESSION_TICKETS &&
MBEDTLS_HAVE_TIME */
return( 0 ); return( 0 );
} }

3
library/ssl_tls13_client.c
View file

@ -681,7 +681,8 @@ static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg( int ciphersuite )
static int ssl_tls13_has_configured_ticket( mbedtls_ssl_context *ssl ) static int ssl_tls13_has_configured_ticket( mbedtls_ssl_context *ssl )
{ {
mbedtls_ssl_session *session = ssl->session_negotiate; mbedtls_ssl_session *session = ssl->session_negotiate;
return( session != NULL && session->ticket != NULL ); return( ssl->handshake->resume &&
session != NULL && session->ticket != NULL );
} }
MBEDTLS_CHECK_RETURN_CRITICAL MBEDTLS_CHECK_RETURN_CRITICAL