lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-29 11:41:15 +03:00
Code Activity

ssl_ticket.c: Fix ticket lifetime enforcement

Browse Source 
Take into account that the lifetime of
tickets can be changed through the
mbedtls_ssl_ticket_rotate() API.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit is contained in:
Ronald Cron
2023-11-21 13:53:18 +01:00
parent e34f124ff1
commit ba5165e09a
2 changed files with 16 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
library/ssl_ticket.c
View File

@ -75,6 +75,10 @@ static int ssl_ticket_gen_key(mbedtls_ssl_ticket_context *ctx,
#if defined(MBEDTLS_HAVE_TIME)
key->generation_time = mbedtls_time(NULL);
#endif
/* The lifetime of a key is the configured lifetime of the tickets when
* the key is created.
*/
key->lifetime = ctx->ticket_lifetime;
if ((ret = ctx->f_rng(ctx->p_rng, key->name, sizeof(key->name))) != 0) {
return ret;
@ -116,16 +120,17 @@ static int ssl_ticket_update_keys(mbedtls_ssl_ticket_context *ctx)
#if !defined(MBEDTLS_HAVE_TIME)
((void) ctx);
#else
if (ctx->ticket_lifetime != 0) {
mbedtls_ssl_ticket_key * const key = ctx->keys + ctx->active;
if (key->lifetime != 0) {
mbedtls_time_t current_time = mbedtls_time(NULL);
mbedtls_time_t key_time = ctx->keys[ctx->active].generation_time;
mbedtls_time_t key_time = key->generation_time;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
#endif
if (current_time >= key_time &&
(uint64_t) (current_time - key_time) < ctx->ticket_lifetime) {
(uint64_t) (current_time - key_time) < key->lifetime) {
return 0;
}
@ -198,6 +203,8 @@ int mbedtls_ssl_ticket_rotate(mbedtls_ssl_ticket_context *ctx,
#if defined(MBEDTLS_HAVE_TIME)
key->generation_time = mbedtls_time(NULL);
#endif
key->lifetime = lifetime;
return 0;
}
@ -331,7 +338,7 @@ int mbedtls_ssl_ticket_write(void *p_ticket,
key = &ctx->keys[ctx->active];
*ticket_lifetime = ctx->ticket_lifetime;
*ticket_lifetime = key->lifetime;
memcpy(key_name, key->name, TICKET_KEY_NAME_BYTES);
@ -515,7 +522,7 @@ int mbedtls_ssl_ticket_parse(void *p_ticket,
mbedtls_time_t current_time = mbedtls_time(NULL);
if (current_time < session->start ||
(uint32_t) (current_time - session->start) > ctx->ticket_lifetime) {
(uint32_t) (current_time - session->start) > key->lifetime) {
ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
goto cleanup;
}