Tighten session ticket handling

Tighten client-side session ticket handling during renegotiation: ensure that the client only accepts a session ticket if the server sends the extension anew in the ServerHello. Previously, a TLS client would reuse the old extension state and thus accept a session ticket if one was announced in the initial ServerHello. Reviewed-by: Bodo Moeller <bodo@openssl.org>
2024-11-21 01:15:20 +08:00 · 2014-10-28 17:35:59 +01:00 · 2014-10-28 17:35:59 +01:00 · d663df2399
commit d663df2399
parent 49b0dfc502
3 changed files with 40 additions and 2 deletions
--- a/16
+++ b/16
@ -305,6 +305,13 @@

 Changes between 1.0.1j and 1.0.2 [xx XXX xxxx]

+   *) Tighten client-side session ticket handling during renegotiation:
+      ensure that the client only accepts a session ticket if the server sends
+      the extension anew in the ServerHello. Previously, a TLS client would
+      reuse the old extension state and thus accept a session ticket if one was
+      announced in the initial ServerHello.
+      [Emilia Käsper]
+
  *) Accelerated NIST P-256 elliptic curve implementation for x86_64
     (other platforms pending).
     [Shay Gueron & Vlad Krasnov (Intel Corp), Andy Polyakov]
@ -625,6 +632,15 @@
     X509_CINF_set_modified, X509_CINF_get_issuer, X509_CINF_get_extensions and
     X509_CINF_get_signature were reverted post internal team review.

+ Changes between 1.0.1j and 1.0.1k [xx XXX xxxx]
+
+   *) Tighten client-side session ticket handling during renegotiation:
+      ensure that the client only accepts a session ticket if the server sends
+      the extension anew in the ServerHello. Previously, a TLS client would
+      reuse the old extension state and thus accept a session ticket if one was
+      announced in the initial ServerHello.
+      [Emilia Käsper]
+
 Changes between 1.0.1i and 1.0.1j [15 Oct 2014]

  *) SRTP Memory Leak.
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@ -225,6 +225,14 @@ int ssl3_connect(SSL *s)
 			s->renegotiate=1;
 			s->state=SSL_ST_CONNECT;
 			s->ctx->stats.sess_connect_renegotiate++;
+#ifndef OPENSSL_NO_TLSEXT
+			/*
+			 * If renegotiating, the server may choose to not issue
+			 * a new ticket, so reset the flag. It will be set to
+			 * the right value when parsing ServerHello extensions.
+			 */
+			s->tlsext_ticket_expected = 0;
+#endif
 			/* break */
 		case SSL_ST_BEFORE:
 		case SSL_ST_CONNECT:
@ -2351,7 +2359,7 @@ int ssl3_get_new_session_ticket(SSL *s)
 		}
 	memcpy(s->session->tlsext_tick, p, ticklen);
 	s->session->tlsext_ticklen = ticklen;
-	/* There are two ways to detect a resumed ticket sesion.
+	/* There are two ways to detect a resumed ticket session.
 	 * One is to set an appropriate session ID and then the server
 	 * must return a match in ServerHello. This allows the normal
 	 * client session ID matching to work and we know much 
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@ -340,7 +340,21 @@ int ssl_get_new_session(SSL *s, int session)
 			return(0);
 			}
 #ifndef OPENSSL_NO_TLSEXT
-		/* If RFC4507 ticket use empty session ID */
+		/*
+		 * If RFC5077 ticket, use empty session ID (as server).
+		 * Note that:
+		 * (a) ssl_get_prev_session() does lookahead into the
+		 *     ClientHello extensions to find the session ticket.
+		 *     When ssl_get_prev_session() fails, s3_srvr.c calls
+		 *     ssl_get_new_session() in ssl3_get_client_hello().
+		 *     At that point, it has not yet parsed the extensions,
+		 *     however, because of the lookahead, it already knows
+		 *     whether a ticket is expected or not.
+		 *
+		 * (b) s3_clnt.c calls ssl_get_new_session() before parsing
+		 *     ServerHello extensions, and before recording the session
+		 *     ID received from the server, so this block is a noop.
+		 */
 		if (s->tlsext_ticket_expected)
 			{
 			ss->session_id_length = 0;