Bug 1471967, skip unrecognized session tickets in TLS 1.3, r=ekr
Summary: In TLS 1.3, upon receiving a malformed ticket, server doesn't immediately abort the connection, but rejects client's resumption attempt.

Reviewers: ekr

Reviewed By: ekr

Subscribers: mt, ekr, kaie, ueno, rrelyea, HubertKario

Tags: #secure-revision, PHID-PROJ-ffhf7tdvqze7zrdn6dh3

Bug #: 1471967

Differential Revision: https://phabricator.services.mozilla.com/D3620

--HG--
extra : rebase_source : 8d81c1c91d58f363f29ef1e5084cfcdf142f3d38
extra : amend_source : 518ae54337eafe0fa5054637cc9b8a2aea5c8282
ueno committed Aug 22, 2018
1 parent 3d3560b commit 0c3fab7
Showing 2 changed files with 14 additions and 8 deletions.
5 changes: 5 additions & 0 deletions gtests/ssl_gtest/ssl_resumption_unittest.cc
Expand Up @@ -276,9 +276,14 @@ TEST_P(TlsConnectGeneric, ConnectResumeCorruptTicket) {
ASSERT_NE(nullptr, hmac_key);
SSLInt_SetSelfEncryptMacKey(hmac_key);
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
ExpectResumption(RESUME_NONE);
Connect();
} else {
ConnectExpectAlert(server_, illegal_parameter);
server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
}
}

// This callback switches out the "server" cert used on the server with
// the "client" certificate, which should be the same type.
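
Review bot: the TLS 1.3 branch of ConnectResumeCorruptTicket (ExpectResumption(RESUME_NONE); Connect();) only checks that the handshake completes without resumption, and nothing in the test says why the behaviour differs by version. A one-line comment above the version_ check stating that a corrupt ticket in TLS 1.3 is expected to fall back to a full handshake would make the intent clear, and a data exchange after Connect() would show that the fallback connection is actually usable. The pre-1.3 branch keeps both the illegal_parameter alert check and the SSL_ERROR_RX_MALFORMED_CLIENT_HELLO check, so the old behaviour stays covered.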
17 changes: 9 additions & 8 deletions lib/ssl/ssl3exthandle.c
Expand Up @@ -1174,17 +1174,18 @@ ssl3_ProcessSessionTicketCommon(sslSocket *ss, const SECItem *ticket,
&decryptedTicket.len,
decryptedTicket.len);
if (rv != SECSuccess) {
/* Ignore decryption failure if we are doing TLS 1.3; that
* means the server rejects the client's resumption
* attempt. In TLS 1.2, however, it's a hard failure, unless
* it's just because we're not the recipient of the ticket. */
if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3 ||
PORT_GetError() == SEC_ERROR_NOT_A_RECIPIENT) {
SECITEM_ZfreeItem(&decryptedTicket, PR_FALSE);

/* Fail with no ticket if we're not a recipient. Otherwise
* it's a hard failure. */
if (PORT_GetError() != SEC_ERROR_NOT_A_RECIPIENT) {
SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
return SECFailure;
return SECSuccess;
}

/* We didn't have the right key, so pretend we don't have a
* ticket. */
SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
goto loser;
}

rv = ssl_ParseSessionTicket(ss, &decryptedTicket, &parsedTicket);
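
Review bot: in the new condition (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3 || PORT_GetError() == SEC_ERROR_NOT_A_RECIPIENT), every TLS 1.3 decryption failure returns SECSuccess silently, so a corrupted ticket becomes indistinguishable from one encrypted under a key this server does not hold. Consider a trace or debug message before return SECSuccess that records the PORT_GetError() value, so rejected tickets stay visible when resumption failures are being diagnosed. Two smaller points: the hard-failure path now ends in goto loser after SSL3_SendAlert, and the loser label is outside this hunk, so please confirm it zero-frees decryptedTicket the way the early-return branch does with SECITEM_ZfreeItem; and the commit summary speaks of malformed tickets while the visible change covers only the decryption step, so it is worth stating whether a failure of the ssl_ParseSessionTicket call that follows is meant to be skipped in TLS 1.3 as well.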