
Add maximum ticket lifetime check

Also add comments for age cast

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
This commit is contained in:
Jerry Yu 2023-11-10 13:58:16 +08:00
parent 472a69260b
commit 8e0174ac05
3 changed files with 7 additions and 4 deletions


@ -2766,6 +2766,8 @@ int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session,
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
#define MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME (604800)
static inline unsigned int mbedtls_ssl_session_get_ticket_flags( static inline unsigned int mbedtls_ssl_session_get_ticket_flags(
mbedtls_ssl_session *session, unsigned int flags) mbedtls_ssl_session *session, unsigned int flags)
{ {
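Review bot: The new `MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME` definition in the public header has no comment saying where 604800 comes from or what unit it is in, which matters because the server hunk later multiplies it by 1000 and the client hunk compares it directly against a raw wire value. I would precede the `#define` with `/* Upper bound on the TLS 1.3 NewSessionTicket ticket_lifetime field, in seconds: RFC 8446 section 4.6.1 says servers MUST NOT use a value greater than 604800 (7 days) and clients MUST NOT cache tickets longer than that. */`. Naming the unit in the comment also makes the `* 1000` in the server-side age check self-explanatory. The enclosing `#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)` block opens on the first hunk line and closes outside the hunk, so any other user of this constant has to sit under the same guard.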


@ -2748,7 +2748,8 @@ static int ssl_tls13_parse_new_session_ticket(mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG(3, MBEDTLS_SSL_DEBUG_MSG(3,
("ticket_lifetime: %u", ("ticket_lifetime: %u",
(unsigned int) session->ticket_lifetime)); (unsigned int) session->ticket_lifetime));
if (session->ticket_lifetime > 604800) { if (session->ticket_lifetime >
MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME) {
MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_lifetime exceeds 7 days.")); MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_lifetime exceeds 7 days."));
return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
} }
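Review bot: The rejection of an over-long ticket_lifetime returns `MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER` without a comment explaining that this is the client enforcing the RFC 8446 section 4.6.1 bound (servers MUST NOT send more than 604800 seconds), so a reader cannot tell whether this is a protocol violation or a local policy choice. I would put `/* RFC 8446 4.6.1: a ticket_lifetime above 604800 seconds (7 days) is a protocol violation by the server, so treat it as an illegal parameter rather than clamping it. */` above the `if`. The debug text "exceeds 7 days." hard-codes the value the macro now carries; that is fine today but will drift if the constant ever changes, so the comment should state that the two are meant to agree. If this parser pairs fatal rejections with a pending alert elsewhere (I cannot see that from this hunk), the same convention would presumably apply here; worth confirming. `ssl_tls13_parse_new_session_ticket` starts before and continues after this hunk.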


@ -213,7 +213,7 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket(
* the "ticket_lifetime" value which was provided with the ticket. * the "ticket_lifetime" value which was provided with the ticket.
* *
*/ */
if (server_age > 604800 * 1000) { if (server_age > MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME * 1000) {
MBEDTLS_SSL_DEBUG_MSG( MBEDTLS_SSL_DEBUG_MSG(
3, ("Ticket age exceeds limitation ticket_age=%" MBEDTLS_PRINTF_MS_TIME, 3, ("Ticket age exceeds limitation ticket_age=%" MBEDTLS_PRINTF_MS_TIME,
server_age)); server_age));
@ -3025,8 +3025,8 @@ static int ssl_tls13_write_new_session_ticket_body(mbedtls_ssl_context *ssl,
* MAY treat a ticket as valid for a shorter period of time than what * MAY treat a ticket as valid for a shorter period of time than what
* is stated in the ticket_lifetime. * is stated in the ticket_lifetime.
*/ */
if (ticket_lifetime > 604800) { if (ticket_lifetime > MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME) {
ticket_lifetime = 604800; ticket_lifetime = MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME;
} }
MBEDTLS_PUT_UINT32_BE(ticket_lifetime, p, 0); MBEDTLS_PUT_UINT32_BE(ticket_lifetime, p, 0);
MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_lifetime: %u", MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_lifetime: %u",
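Review bot: In the first hunk, `MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME * 1000` is evaluated as a plain `int` product before being compared with `server_age`; with the current value that is 604,800,000 and fits in a 32-bit `int`, but the macro now lives in a public header where the product is no longer obviously bounded, and `server_age` is printed with `MBEDTLS_PRINTF_MS_TIME`, which suggests a wider millisecond type. Widening before the multiply keeps the comparison safe against any future change of the constant: `if (server_age > (mbedtls_ms_time_t) MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME * 1000) {` (I am assuming `mbedtls_ms_time_t` is the type behind `MBEDTLS_PRINTF_MS_TIME`; confirm against the declaration of `server_age`). The second hunk's clamp on the write side is consistent with the RFC's "MAY treat a ticket as valid for a shorter period" wording and needs no change. Both `ssl_tls13_offered_psks_check_identity_match_ticket` and `ssl_tls13_write_new_session_ticket_body` start before and continue after their hunks.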