Add maximum ticket lifetime check

Also add comments for age cast Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-11-10 13:58:16 +08:00 · 2023-11-10 13:58:16 +08:00 · 8e0174ac05
commit 8e0174ac05
parent 472a69260b
3 changed files with 7 additions and 4 deletions
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@ -2766,6 +2766,8 @@ int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session,

 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)

+#define MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME (604800)
+
 static inline unsigned int mbedtls_ssl_session_get_ticket_flags(
    mbedtls_ssl_session *session, unsigned int flags)
 {
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@ -2748,7 +2748,8 @@ static int ssl_tls13_parse_new_session_ticket(mbedtls_ssl_context *ssl,
    MBEDTLS_SSL_DEBUG_MSG(3,
                          ("ticket_lifetime: %u",
                           (unsigned int) session->ticket_lifetime));
-    if (session->ticket_lifetime > 604800) {
+    if (session->ticket_lifetime >
+        MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME) {
        MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_lifetime exceeds 7 days."));
        return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
    }
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@ -213,7 +213,7 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket(
     * the "ticket_lifetime" value which was provided with the ticket.
     *
     */
-    if (server_age > 604800 * 1000) {
+    if (server_age > MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME * 1000) {
        MBEDTLS_SSL_DEBUG_MSG(
            3, ("Ticket age exceeds limitation ticket_age=%" MBEDTLS_PRINTF_MS_TIME,
                server_age));
@ -3025,8 +3025,8 @@ static int ssl_tls13_write_new_session_ticket_body(mbedtls_ssl_context *ssl,
     *      MAY treat a ticket as valid for a shorter period of time than what
     *      is stated in the ticket_lifetime.
     */
-    if (ticket_lifetime > 604800) {
-        ticket_lifetime = 604800;
+    if (ticket_lifetime > MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME) {
+        ticket_lifetime = MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME;
    }
    MBEDTLS_PUT_UINT32_BE(ticket_lifetime, p, 0);
    MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_lifetime: %u",