Merge pull request #3384 from SparkiDev/tls13_sess_tick_compat

TLS session tickets: cannot share between TLS 1.3 and TLS 1.2
2020-10-20 15:56:03 -07:00
parent 7aae784a53 07e69829d7
commit e4eda3e125
3 changed files with 22 additions and 3 deletions
--- a/src/internal.c
+++ b/src/internal.c
@@ -28539,6 +28539,13 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                return VERSION_ERROR;
            }
            else if (ssl->version.minor > it.pv.minor) {
+                if (IsAtLeastTLSv1_3(it.pv) != IsAtLeastTLSv1_3(ssl->version)) {
+                    ForceZero(&it, sizeof(it));
+                    WOLFSSL_MSG("Tickets cannot be shared between "
+                                               "TLS 1.3 and TLS 1.2 and lower");
+                    return VERSION_ERROR;
+                }
+
                if (!ssl->options.downgrade) {
                    ForceZero(&it, sizeof(it));
                    WOLFSSL_MSG("Ticket has lesser version");
--- a/src/tls.c
+++ b/src/tls.c
@@ -5030,12 +5030,19 @@ static int TLSX_SessionTicket_Parse(WOLFSSL* ssl, byte* input, word16 length,
            return 0;
        }

-        if (length == 0) {
+        if (length > SESSION_TICKET_LEN) {
+            ret = BAD_TICKET_MSG_SZ;
+        } else if (IsAtLeastTLSv1_3(ssl->version)) {
+            WOLFSSL_MSG("Process client ticket rejected, TLS 1.3 no support");
+            ssl->options.rejectTicket = 1;
+            ret = 0;  /* not fatal */
+        } else if (length == 0) {
            /* blank ticket */
            ret = TLSX_UseSessionTicket(&ssl->extensions, NULL, ssl->heap);
            if (ret == WOLFSSL_SUCCESS) {
                ret = 0;
-                TLSX_SetResponse(ssl, TLSX_SESSION_TICKET);  /* send blank ticket */
+                /* send blank ticket */
+                TLSX_SetResponse(ssl, TLSX_SESSION_TICKET);
                ssl->options.createTicket = 1;  /* will send ticket msg */
                ssl->options.useTicket    = 1;
                ssl->options.resuming     = 0;  /* no standard resumption */
@@ -5063,6 +5070,10 @@ static int TLSX_SessionTicket_Parse(WOLFSSL* ssl, byte* input, word16 length,
                WOLFSSL_MSG("Process client ticket rejected, not using");
                ssl->options.rejectTicket = 1;
                ret = 0;  /* not fatal */
+            } else if (ret == VERSION_ERROR) {
+                WOLFSSL_MSG("Process client ticket rejected, bad TLS version");
+                ssl->options.rejectTicket = 1;
+                ret = 0;  /* not fatal */
            } else if (ret == WOLFSSL_TICKET_RET_FATAL || ret < 0) {
                WOLFSSL_MSG("Process client ticket fatal error, not using");
            }
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -3369,7 +3369,8 @@ static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 helloSz,
                                     diff - MAX_TICKET_AGE_SECS * 1000 > 1000) {
                /* Invalid difference, fallback to full handshake. */
                ssl->options.resuming = 0;
-                break;
+                /* Hash the rest of the ClientHello. */
+                return HashRaw(ssl, input + helloSz - bindersLen, bindersLen);
            }

            /* Check whether resumption is possible based on suites in SSL and