author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-09-19 14:15:20 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-09-20 13:40:32 +0200 |
commit | 088baae15da080dcbccf7df5c08bbc0ca3ad3237 (patch) | |
tree | 6ca3afa87b6f128c2a0f87d77071549c4d53b71f /lib/tls13 | |
parent | fe6c0ff7b911ff077d7dcf3434e8c4700f6794a4 (diff) | |
session tickets: check timestamp for validitytmp-session-ticket-key-rotation-ajuaristi
We were previously only relying on the client's view of the
ticket lifetime for TLS1.3 tickets. This makes sure that we
only resume tickets that the server considers valid and consolidates
the expiration time checks to _gnutls_check_resumed_params().
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib/tls13')
-rw-r--r-- | lib/tls13/session_ticket.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/lib/tls13/session_ticket.c b/lib/tls13/session_ticket.c
index 8087ba7a8b..36d5dc5260 100644
--- a/lib/tls13/session_ticket.c
+++ b/lib/tls13/session_ticket.c
@@ -31,6 +31,7 @@
 #include "auth/cert.h"
 #include "tls13/session_ticket.h"
 #include "session_pack.h"
+#include "db.h"
 
 static int
 pack_ticket(gnutls_session_t session, tls13_ticket_t *ticket, gnutls_datum_t *packed)
@@ -422,9 +423,12 @@ int _gnutls13_unpack_session_ticket(gnutls_session_t session,
 /* Return ticket parameters */
 ret = unpack_ticket(session, &decrypted, ticket_data);
 _gnutls_free_datum(&decrypted);
- if (ret < 0) {
+ if (ret < 0)
 return ret;
- }
+
+ ret = _gnutls_check_resumed_params(session);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
 
 return 0;
 }
|
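Review bot: When `_gnutls_check_resumed_params(session)` rejects the ticket in the second hunk, the function returns with `ticket_data` already filled in by `unpack_ticket()`, so the output struct still carries the contents of an expired ticket on the error path. Nothing in the hunk tells callers that `ticket_data` must be ignored on a negative return; I would add a comment above the new check such as `/* server-side lifetime check; ticket_data must not be used unless 0 is returned */`, or clear the struct before `return gnutls_assert_val(ret);` if it holds nothing that needs freeing (its definition is outside this hunk). The check also reads the session rather than `ticket_data`, so it presumably relies on `unpack_ticket()` having stored the ticket's timestamp in the session's resumed parameters; that dependency is worth stating in the same comment. The start of `_gnutls13_unpack_session_ticket` is outside the hunk.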