-rw-r--r--lib/db.c30
-rw-r--r--lib/ext/session_ticket.c8
-rw-r--r--lib/session_pack.c11
-rw-r--r--lib/tls13/session_ticket.c8
4 files changed, 29 insertions, 28 deletions
diff --git a/lib/db.c b/lib/db.c
index 38225d31f5..a029f351cd 100644
--- a/lib/db.c
+++ b/lib/db.c
@@ -260,12 +260,28 @@ int _gnutls_server_register_current_session(gnutls_session_t session)
int _gnutls_check_resumed_params(gnutls_session_t session)
{
- if (session->internals.resumed_security_parameters.ext_master_secret !=
- session->security_parameters.ext_master_secret)
- return gnutls_assert_val(GNUTLS_E_INVALID_SESSION);
-
- if (!_gnutls_server_name_matches_resumed(session))
- return gnutls_assert_val(GNUTLS_E_INVALID_SESSION);
+ time_t timestamp = gnutls_time(0);
+ const version_entry_st *vers;
+
+ /* check whether the session is expired */
+ if (timestamp -
+ session->internals.resumed_security_parameters.timestamp >
+ session->internals.expire_time
+ || session->internals.resumed_security_parameters.timestamp >
+ timestamp)
+ return gnutls_assert_val(GNUTLS_E_EXPIRED);
+
+ /* check various parameters applicable to resumption in TLS1.2 or earlier
+ */
+ vers = get_version(session);
+ if (!vers || !vers->tls13_sem) {
+ if (session->internals.resumed_security_parameters.ext_master_secret !=
+ session->security_parameters.ext_master_secret)
+ return gnutls_assert_val(GNUTLS_E_INVALID_SESSION);
+
+ if (!_gnutls_server_name_matches_resumed(session))
+ return gnutls_assert_val(GNUTLS_E_INVALID_SESSION);
+ }
return 0;
}
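Review bot: Session expiry is now enforced only in `_gnutls_check_resumed_params`, because this commit removes the equivalent checks from `unpack_security_parameters` and `unpack_session`; any path that unpacks session data without calling this function would accept an expired session. The hunks here show it called from `_gnutls_server_restore_session`, `unpack_session` and `_gnutls13_unpack_session_ticket`; other users of `gnutls_session_set_data` are not visible and are worth confirming. A header comment such as `/* Sole expiry and parameter check for resumed sessions; must be called after every unpack of session data. Returns GNUTLS_E_EXPIRED or GNUTLS_E_INVALID_SESSION. */` would make that contract explicit. Testing `resumed_security_parameters.timestamp > timestamp` before the subtraction would also keep the age comparison from depending on how a negative `time_t` difference converts against `expire_time`, whose type is not shown here.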
@@ -311,7 +327,6 @@ _gnutls_server_restore_session(gnutls_session_t session,
return GNUTLS_E_INVALID_SESSION;
}
- /* expiration check is performed inside */
ret = gnutls_session_set_data(session, data.data, data.size);
gnutls_free(data.data);
@@ -320,6 +335,7 @@ _gnutls_server_restore_session(gnutls_session_t session,
return ret;
}
+ /* expiration check is performed inside */
ret = _gnutls_check_resumed_params(session);
if (ret < 0)
return gnutls_assert_val(ret);
diff --git a/lib/ext/session_ticket.c b/lib/ext/session_ticket.c
index 177135e642..3eb63818b9 100644
--- a/lib/ext/session_ticket.c
+++ b/lib/ext/session_ticket.c
@@ -349,7 +349,6 @@ static int
unpack_session(gnutls_session_t session, const gnutls_datum_t *state)
{
int ret;
- time_t timestamp = gnutls_time(0);
if (unlikely(!state))
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
@@ -358,13 +357,6 @@ unpack_session(gnutls_session_t session, const gnutls_datum_t *state)
if (ret < 0)
return gnutls_assert_val(ret);
- if (timestamp -
- session->internals.resumed_security_parameters.timestamp >
- session->internals.expire_time
- || session->internals.resumed_security_parameters.timestamp >
- timestamp)
- return gnutls_assert_val(GNUTLS_E_EXPIRED);
-
ret = _gnutls_check_resumed_params(session);
if (ret < 0)
return gnutls_assert_val(ret);
diff --git a/lib/session_pack.c b/lib/session_pack.c
index f8b1830568..c5801fb32e 100644
--- a/lib/session_pack.c
+++ b/lib/session_pack.c
@@ -960,8 +960,6 @@ unpack_security_parameters(gnutls_session_t session, gnutls_buffer_st * ps)
session->internals.resumed_security_parameters.timestamp =
timestamp;
- timestamp = gnutls_time(0);
-
BUFFER_POP_NUM(ps,
session->internals.resumed_security_parameters.
entity);
@@ -1071,15 +1069,6 @@ unpack_security_parameters(gnutls_session_t session, gnutls_buffer_st * ps)
}
}
- if (timestamp -
- session->internals.resumed_security_parameters.timestamp >
- session->internals.expire_time
- || session->internals.resumed_security_parameters.timestamp >
- timestamp) {
- gnutls_assert();
- return GNUTLS_E_EXPIRED;
- }
-
ret = 0;
error:
diff --git a/lib/tls13/session_ticket.c b/lib/tls13/session_ticket.c
index 8087ba7a8b..36d5dc5260 100644
--- a/lib/tls13/session_ticket.c
+++ b/lib/tls13/session_ticket.c
@@ -31,6 +31,7 @@
#include "auth/cert.h"
#include "tls13/session_ticket.h"
#include "session_pack.h"
+#include "db.h"
static int
pack_ticket(gnutls_session_t session, tls13_ticket_t *ticket, gnutls_datum_t *packed)
@@ -422,9 +423,12 @@ int _gnutls13_unpack_session_ticket(gnutls_session_t session,
/* Return ticket parameters */
ret = unpack_ticket(session, &decrypted, ticket_data);
_gnutls_free_datum(&decrypted);
- if (ret < 0) {
+ if (ret < 0)
return ret;
- }
+
+ ret = _gnutls_check_resumed_params(session);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
return 0;
}
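Review bot: `_gnutls_check_resumed_params` runs only after `unpack_ticket` has already filled `ticket_data`, so on `GNUTLS_E_EXPIRED` or `GNUTLS_E_INVALID_SESSION` the caller receives an error together with a populated ticket structure. If `ticket_data` carries resumption secrets, which the hunk does not show, the caller must not use it after a negative return; a comment such as `/* on error the contents of ticket_data are undefined and must not be used */` would state that. The first error return could also become `return gnutls_assert_val(ret);` to match the new one below it. The function body begins outside the hunk.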