TLS 13 session ticket timeout: fixup checks

Check difference between now and ticket seen from encrypted ticket against timeout.
2021-12-09 12:43:30 +10:00 · 2021-12-09 12:43:30 +10:00 · 32014c69fd
commit 32014c69fd
parent 85ec6054c6
2 changed files with 21 additions and 14 deletions
--- a/src/tls13.c
+++ b/src/tls13.c
@ -3987,22 +3987,28 @@ static int DoPreSharedKeys(WOLFSSL* ssl, byte* suite, int* usingPSK, int* first)
        /* Decode the identity. */
        if (DoClientTicket(ssl, current->identity, current->identityLen)
                                                     == WOLFSSL_TICKET_RET_OK) {
-            word32 now;
-            int    diff;
+            word32  now;
+            sword64 diff;

            now = TimeNowInMilliseconds();
            if (now == (word32)GETTIME_ERROR)
                return now;
-            if (now < ssl->session.ticketSeen)
-                diff = (0xFFFFFFFFU - ssl->session.ticketSeen) + 1 + now;
-            else
-                diff = now - ssl->session.ticketSeen;
-            diff -= current->ticketAge - ssl->session.ticketAdd;
+            /* Difference between now and time ticket constructed
+             * (from decrypted ticket). */
+            diff = now;
+            diff -= ssl->session.ticketSeen;
+            if (diff > (sword64)ssl->timeout * 1000 ||
+                diff > (sword64)TLS13_MAX_TICKET_AGE * 1000) {
+                current = current->next;
+                continue;
+            }
+            /* Subtract client's ticket age and unobfuscate. */
+            diff -= current->ticketAge;
+            diff += ssl->session.ticketAdd;
            /* Check session and ticket age timeout.
             * Allow +/- 1000 milliseconds on ticket age.
             */
-            if (diff > (int)ssl->timeout * 1000 || diff < -1000 ||
-                                     diff - MAX_TICKET_AGE_SECS * 1000 > 1000) {
+            if (diff < -1000 || diff - MAX_TICKET_AGE_DIFF * 1000 > 1000) {
                current = current->next;
                continue;
            }
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@ -1490,11 +1490,12 @@ enum Misc {
    DTLS_TIMEOUT_MAX        = 64, /* default max timeout for DTLS receive */
    DTLS_TIMEOUT_MULTIPLIER =  2, /* default timeout multiplier for DTLS recv */

-    NULL_TERM_LEN      =   1,  /* length of null '\0' termination character */
-    MAX_PSK_KEY_LEN    =  64,  /* max psk key supported */
-    MIN_PSK_ID_LEN     =   6,  /* min length of identities */
-    MIN_PSK_BINDERS_LEN=  33,  /* min length of binders */
-    MAX_TICKET_AGE_SECS=  10,  /* maximum ticket age in seconds */
+    NULL_TERM_LEN        =   1,  /* length of null '\0' termination character */
+    MAX_PSK_KEY_LEN      =  64,  /* max psk key supported */
+    MIN_PSK_ID_LEN       =   6,  /* min length of identities */
+    MIN_PSK_BINDERS_LEN  =  33,  /* min length of binders */
+    MAX_TICKET_AGE_DIFF  =  10,  /* maximum ticket age difference in seconds */
+    TLS13_MAX_TICKET_AGE =  7*24*60*60,  /* max ticket age in seconds, 7 days */

 #ifndef MAX_WOLFSSL_FILE_SIZE
    MAX_WOLFSSL_FILE_SIZE = 1024ul * 1024ul * 4,  /* 4 mb file size alloc limit */