Add ticket creation time to TLS 1.2 session serialization

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Ronald Cron 2023-11-22 09:50:01 +01:00
parent d1c106c787
commit c57f86e132
3 changed files with 44 additions and 30 deletions


@ -8951,6 +8951,7 @@ unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
* opaque peer_cert<0..2^24-1>; // length 0 means no peer cert
* opaque ticket<0..2^24-1>; // length 0 means no ticket
* uint32 ticket_lifetime;
* uint64 ticket_creation_time;
* uint8 mfl_code; // up to 255 according to standard
* uint8 encrypt_then_mac; // 0 or 1
* } serialized_session_tls12;
@ -9058,7 +9059,8 @@ static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session,
/*
* Session ticket if any, plus associated data
*/
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
#if defined(MBEDTLS_SSL_CLI_C)
if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */
@ -9076,7 +9078,18 @@ static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session,
p += 4;
}
}
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
#endif /* MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
used += 8;
if (used <= buf_len) {
MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0);
p += 8;
}
}
#endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
/*
* Misc extension-related info
@ -9242,7 +9255,8 @@ static int ssl_tls12_session_load(mbedtls_ssl_session *session,
/*
* Session ticket and associated data
*/
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
#if defined(MBEDTLS_SSL_CLI_C)
if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
if (3 > (size_t) (end - p)) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
@ -9272,7 +9286,17 @@ static int ssl_tls12_session_load(mbedtls_ssl_session *session,
session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
p += 4;
}
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
#endif /* MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
if (8 > (size_t) (end - p)) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0);
p += 8;
}
#endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
/*
* Misc extension-related info
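Review bot: The format comment near the top of this section lists `uint64 ticket_creation_time` as a fixed field, but the save and load code only emit and consume it when `session->endpoint == MBEDTLS_SSL_IS_SERVER` under `MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C`, while the ticket and lifetime fields right before it are written only for client endpoints; a reader reconstructing the layout from the comment alone would mis-parse a blob. Suggest annotating the new line as `* uint64 ticket_creation_time; // server endpoint only, and only with MBEDTLS_HAVE_TIME` and marking the ticket/lifetime lines as client-only in the same style. Separately, the load side stores the `MBEDTLS_GET_UINT64_BE` result straight into `ticket_creation_time` without a mirror of the `(uint64_t)` cast used on save; if that field is a signed millisecond type, writing `session->ticket_creation_time = (mbedtls_ms_time_t) MBEDTLS_GET_UINT64_BE(p, 0);` keeps the round trip symmetric and avoids a sign-conversion warning in strict builds. Both `ssl_tls12_session_save` and `ssl_tls12_session_load` begin and end outside these hunks.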


@ -1639,6 +1639,8 @@ int mbedtls_test_ssl_tls12_populate_session(mbedtls_ssl_session *session,
int endpoint_type,
const char *crt_file)
{
(void) ticket_len;
#if defined(MBEDTLS_HAVE_TIME)
session->start = mbedtls_time(NULL) - 42;
#endif
@ -1710,7 +1712,8 @@ int mbedtls_test_ssl_tls12_populate_session(mbedtls_ssl_session *session,
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED && MBEDTLS_FS_IO */
session->verify_result = 0xdeadbeef;
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
#if defined(MBEDTLS_SSL_CLI_C)
if (ticket_len != 0) {
session->ticket = mbedtls_calloc(1, ticket_len);
if (session->ticket == NULL) {
@ -1720,9 +1723,14 @@ int mbedtls_test_ssl_tls12_populate_session(mbedtls_ssl_session *session,
}
session->ticket_len = ticket_len;
session->ticket_lifetime = 86401;
#else
(void) ticket_len;
#endif /* MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_HAVE_TIME)
if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
session->ticket_creation_time = mbedtls_ms_time() - 42;
}
#endif
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
session->mfl_code = 1;
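Review bot: Moving `(void) ticket_len;` from the top of the function into the `#else` of the `MBEDTLS_SSL_CLI_C` test leaves `ticket_len` unreferenced in any build without `MBEDTLS_SSL_SESSION_TICKETS`, because the whole nested block is then compiled out and the old unconditional suppression is gone, so `-Wunused-parameter` will fire where it did not before. The simplest fix is to keep the unconditional `(void) ticket_len;` at the top of the function as it was and drop the new `#else` branch, which then becomes redundant. `mbedtls_test_ssl_tls12_populate_session` starts before the first hunk and ends after the last one.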


@ -1972,26 +1972,13 @@ void ssl_serialize_session_save_load(int ticket_len, char *crt_file,
* Make sure both session structures are identical
*/
#if defined(MBEDTLS_HAVE_TIME)
switch (tls_version) {
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SRV_C)
case MBEDTLS_SSL_VERSION_TLS1_3:
TEST_ASSERT(original.ticket_creation_time == restored.ticket_creation_time);
break;
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
case MBEDTLS_SSL_VERSION_TLS1_2:
TEST_ASSERT(original.start == restored.start);
break;
#endif
default:
/* should never happen */
TEST_ASSERT(0);
break;
if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
TEST_ASSERT(original.start == restored.start);
}
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_SRV_C)
TEST_ASSERT(original.ticket_creation_time == restored.ticket_creation_time);
#endif
#endif /* MBEDTLS_HAVE_TIME */
TEST_ASSERT(original.tls_version == restored.tls_version);
TEST_ASSERT(original.endpoint == restored.endpoint);
@ -2070,11 +2057,6 @@ void ssl_serialize_session_save_load(int ticket_len, char *crt_file,
original.max_early_data_size == restored.max_early_data_size);
#endif
#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
if (endpoint_type == MBEDTLS_SSL_IS_SERVER) {
TEST_ASSERT(original.ticket_creation_time == restored.ticket_creation_time);
}
#endif
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
if (endpoint_type == MBEDTLS_SSL_IS_CLIENT) {
#if defined(MBEDTLS_HAVE_TIME)
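Review bot: Replacing the `switch` with a bare `if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2)` drops the `default: TEST_ASSERT(0)` arm, so a test case invoked with an unexpected `tls_version` now passes silently instead of failing. Keeping that guard is one line placed ahead of the `if`, e.g. `TEST_ASSERT(tls_version == MBEDTLS_SSL_VERSION_TLS1_2 || tls_version == MBEDTLS_SSL_VERSION_TLS1_3);`, assuming `MBEDTLS_SSL_VERSION_TLS1_3` is visible in this unit (the removed arm already used it). The new `ticket_creation_time` assertion also runs for client endpoints, where the save path never serializes the field, so it only holds because both structs presumably start zeroed; a short comment such as `/* client sessions never carry a creation time, so both sides stay 0 */` would make that intent explicit. `ssl_serialize_session_save_load` begins before the first hunk and continues past the second.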