int _gnutls_check_resumed_params(gnutls_session_t session)
{
- if (session->internals.resumed_security_parameters.ext_master_secret !=
- session->security_parameters.ext_master_secret)
- return gnutls_assert_val(GNUTLS_E_INVALID_SESSION);
-
- if (!_gnutls_server_name_matches_resumed(session))
- return gnutls_assert_val(GNUTLS_E_INVALID_SESSION);
+ time_t timestamp = gnutls_time(0);
+ const version_entry_st *vers;
+
+ /* check whether the session is expired */
+ if (timestamp -
+ session->internals.resumed_security_parameters.timestamp >
+ session->internals.expire_time
+ || session->internals.resumed_security_parameters.timestamp >
+ timestamp)
+ return gnutls_assert_val(GNUTLS_E_EXPIRED);
+
+ /* check various parameters applicable to resumption in TLS1.2 or earlier
+ */
+ vers = get_version(session);
+ if (!vers || !vers->tls13_sem) {
+ if (session->internals.resumed_security_parameters.ext_master_secret !=
+ session->security_parameters.ext_master_secret)
+ return gnutls_assert_val(GNUTLS_E_INVALID_SESSION);
+
+ if (!_gnutls_server_name_matches_resumed(session))
+ return gnutls_assert_val(GNUTLS_E_INVALID_SESSION);
+ }
return 0;
}
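Review bot: The expiry test at the top of `_gnutls_check_resumed_params` subtracts the stored timestamp from the current time before checking that the stored value is not in the future, so the first operand can go negative or wrap depending on the types of `time_t` and `expire_time`, which are declared outside this diff. The result is still `GNUTLS_E_EXPIRED` because of the second operand, but testing the future-dated case first makes that independent of integer conversion rules: `if (resumed_ts > timestamp || timestamp - resumed_ts > session->internals.expire_time)`, with `resumed_ts` a local copy of `session->internals.resumed_security_parameters.timestamp`. This function is now the expiry gate for all three call sites in this change, so it also deserves a header comment. That comment should say it returns `GNUTLS_E_EXPIRED` for stale or future-dated sessions, and applies the extended-master-secret and server-name checks only when the version is unknown or lacks `tls13_sem`.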
return GNUTLS_E_INVALID_SESSION;
}
- /* expiration check is performed inside */
ret = gnutls_session_set_data(session, data.data, data.size);
gnutls_free(data.data);
return ret;
}
+ /* expiration check is performed inside */
ret = _gnutls_check_resumed_params(session);
if (ret < 0)
return gnutls_assert_val(ret);
unpack_session(gnutls_session_t session, const gnutls_datum_t *state)
{
int ret;
- time_t timestamp = gnutls_time(0);
if (unlikely(!state))
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
if (ret < 0)
return gnutls_assert_val(ret);
- if (timestamp -
- session->internals.resumed_security_parameters.timestamp >
- session->internals.expire_time
- || session->internals.resumed_security_parameters.timestamp >
- timestamp)
- return gnutls_assert_val(GNUTLS_E_EXPIRED);
-
ret = _gnutls_check_resumed_params(session);
if (ret < 0)
return gnutls_assert_val(ret);
session->internals.resumed_security_parameters.timestamp =
timestamp;
- timestamp = gnutls_time(0);
-
BUFFER_POP_NUM(ps,
session->internals.resumed_security_parameters.
entity);
}
}
- if (timestamp -
- session->internals.resumed_security_parameters.timestamp >
- session->internals.expire_time
- || session->internals.resumed_security_parameters.timestamp >
- timestamp) {
- gnutls_assert();
- return GNUTLS_E_EXPIRED;
- }
-
ret = 0;
error:
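Review bot: With this block removed, the unpacking code no longer rejects an expired or future-dated session on its own, so any caller that unpacks session data without then calling `_gnutls_check_resumed_params` stops getting `GNUTLS_E_EXPIRED`. The three call sites touched by this change do call it. However, the comment removed above `gnutls_session_set_data` indicates that function used to perform the expiry check, so its other callers, which are not visible here, should be checked. A comment at the removal point would record the new contract, e.g. `/* expiry is not checked here; callers must call _gnutls_check_resumed_params() */`. The enclosing function starts and ends outside the hunk.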
#include "auth/cert.h"
#include "tls13/session_ticket.h"
#include "session_pack.h"
+#include "db.h"
static int
pack_ticket(gnutls_session_t session, tls13_ticket_t *ticket, gnutls_datum_t *packed)
/* Return ticket parameters */
ret = unpack_ticket(session, &decrypted, ticket_data);
_gnutls_free_datum(&decrypted);
- if (ret < 0) {
+ if (ret < 0)
return ret;
- }
+
+ ret = _gnutls_check_resumed_params(session);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
return 0;
}
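Review bot: When the added `_gnutls_check_resumed_params` call fails, nothing on this path clears the state that `unpack_ticket` has already filled in. That state is `ticket_data` and, judging by what the check reads, `session->internals.resumed_security_parameters`. Whether the caller discards it on a negative return is not visible in this hunk, so it is worth confirming that an expired ticket cannot leave usable resumption parameters behind. At minimum a comment on the new branch would document the expectation, e.g. `/* on failure the caller must discard ticket_data and must not treat the session as resumed */`. The enclosing function starts outside the hunk.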