feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #4633 from SparkiDev/tls13_expired

Browse Source 
TLS13: Skip if expired rather than turning off resuming
This commit is contained in:
David Garske
2021-12-09 14:10:42 -08:00
committed by GitHub
parent dd0e3d6ebf 32014c69fd
commit b921161309
2 changed files with 23 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
src/tls13.c
View File

@@ -3987,24 +3987,30 @@ static int DoPreSharedKeys(WOLFSSL* ssl, byte* suite, int* usingPSK, int* first)
/* Decode the identity. */ /* Decode the identity. */
if (DoClientTicket(ssl, current->identity, current->identityLen) if (DoClientTicket(ssl, current->identity, current->identityLen)
== WOLFSSL_TICKET_RET_OK) { == WOLFSSL_TICKET_RET_OK) {
word32 now; word32 now;
int diff; sword64 diff;
now = TimeNowInMilliseconds(); now = TimeNowInMilliseconds();
if (now == (word32)GETTIME_ERROR) if (now == (word32)GETTIME_ERROR)
return now; return now;
if (now < ssl->session.ticketSeen) /* Difference between now and time ticket constructed
diff = (0xFFFFFFFFU - ssl->session.ticketSeen) + 1 + now; * (from decrypted ticket). */
else diff = now;
diff = now - ssl->session.ticketSeen; diff -= ssl->session.ticketSeen;
diff -= current->ticketAge - ssl->session.ticketAdd; if (diff > (sword64)ssl->timeout * 1000 ||
diff > (sword64)TLS13_MAX_TICKET_AGE * 1000) {
current = current->next;
continue;
}
/* Subtract client's ticket age and unobfuscate. */
diff -= current->ticketAge;
diff += ssl->session.ticketAdd;
/* Check session and ticket age timeout. /* Check session and ticket age timeout.
* Allow +/- 1000 milliseconds on ticket age. * Allow +/- 1000 milliseconds on ticket age.
*/ */
if (diff > (int)ssl->timeout * 1000 || diff < -1000 || if (diff < -1000 || diff - MAX_TICKET_AGE_DIFF * 1000 > 1000) {
diff - MAX_TICKET_AGE_SECS * 1000 > 1000) { current = current->next;
/* Invalid difference, fallback to full handshake. */ continue;
ssl->options.resuming = 0;
} }
#ifndef WOLFSSL_PSK_ONE_ID #ifndef WOLFSSL_PSK_ONE_ID

11
wolfssl/internal.h
View File

@@ -1490,11 +1490,12 @@ enum Misc {
DTLS_TIMEOUT_MAX = 64, /* default max timeout for DTLS receive */ DTLS_TIMEOUT_MAX = 64, /* default max timeout for DTLS receive */
DTLS_TIMEOUT_MULTIPLIER = 2, /* default timeout multiplier for DTLS recv */ DTLS_TIMEOUT_MULTIPLIER = 2, /* default timeout multiplier for DTLS recv */
NULL_TERM_LEN = 1, /* length of null '\0' termination character */ NULL_TERM_LEN = 1, /* length of null '\0' termination character */
MAX_PSK_KEY_LEN = 64, /* max psk key supported */ MAX_PSK_KEY_LEN = 64, /* max psk key supported */
MIN_PSK_ID_LEN = 6, /* min length of identities */ MIN_PSK_ID_LEN = 6, /* min length of identities */
MIN_PSK_BINDERS_LEN= 33, /* min length of binders */ MIN_PSK_BINDERS_LEN = 33, /* min length of binders */
MAX_TICKET_AGE_SECS= 10, /* maximum ticket age in seconds */ MAX_TICKET_AGE_DIFF = 10, /* maximum ticket age difference in seconds */
TLS13_MAX_TICKET_AGE = 7*24*60*60, /* max ticket age in seconds, 7 days */
#ifndef MAX_WOLFSSL_FILE_SIZE #ifndef MAX_WOLFSSL_FILE_SIZE
MAX_WOLFSSL_FILE_SIZE = 1024ul * 1024ul * 4, /* 4 mb file size alloc limit */ MAX_WOLFSSL_FILE_SIZE = 1024ul * 1024ul * 4, /* 4 mb file size alloc limit */