session tickets: check timestamp for validitytmp-session-ticket-key-rotation-ajuaristi

We were previously only relying on the client's view of the ticket lifetime for TLS1.3 tickets. This makes sure that we only resume tickets that the server considers valid and consolidates the expiration time checks to _gnutls_check_resumed_params(). Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
author: Nikos Mavrogiannopoulos <nmav@redhat.com> 2018-09-19 14:15:20 +0200
committer: Nikos Mavrogiannopoulos <nmav@redhat.com> 2018-09-20 13:40:32 +0200
commit: 088baae15da080dcbccf7df5c08bbc0ca3ad3237 (patch)
tree: 6ca3afa87b6f128c2a0f87d77071549c4d53b71f /lib/tls13
parent: fe6c0ff7b911ff077d7dcf3434e8c4700f6794a4 (diff)
download: gnutls-088baae15da080dcbccf7df5c08bbc0ca3ad3237.tar.gz
1 files changed, 6 insertions, 2 deletions
diff --git a/lib/tls13/session_ticket.c b/lib/tls13/session_ticket.c
index 8087ba7a8b..36d5dc5260 100644
--- a/lib/tls13/session_ticket.c
+++ b/lib/tls13/session_ticket.c
@@ -31,6 +31,7 @@
 #include "auth/cert.h"
 #include "tls13/session_ticket.h"
 #include "session_pack.h"
+#include "db.h"
 
 static int
 pack_ticket(gnutls_session_t session, tls13_ticket_t *ticket, gnutls_datum_t *packed)
@@ -422,9 +423,12 @@ int _gnutls13_unpack_session_ticket(gnutls_session_t session,
 	/* Return ticket parameters */
 	ret = unpack_ticket(session, &decrypted, ticket_data);
 	_gnutls_free_datum(&decrypted);
-	if (ret < 0) {
+	if (ret < 0)
 		return ret;
-	}
+
+	ret = _gnutls_check_resumed_params(session);
+	if (ret < 0)
+		return gnutls_assert_val(ret);
 
 	return 0;
 }
author	Nikos Mavrogiannopoulos <nmav@redhat.com>	2018-09-19 14:15:20 +0200
committer	Nikos Mavrogiannopoulos <nmav@redhat.com>	2018-09-20 13:40:32 +0200
commit	088baae15da080dcbccf7df5c08bbc0ca3ad3237 (patch)
tree	6ca3afa87b6f128c2a0f87d77071549c4d53b71f /lib/tls13
parent	fe6c0ff7b911ff077d7dcf3434e8c4700f6794a4 (diff)
download	gnutls-088baae15da080dcbccf7df5c08bbc0ca3ad3237.tar.gz