Fix and align ticket age check in ssl_ticket.c for TLS 1.2 and TLS 1.3 #8574
Conversation
ronald-cron-arm
added
enhancement
component-tls
needs-ci
ronald-cron-arm
force-pushed
the
ssl-tickets
branch
from
9c4ca84 to
dba6fbd
Compare
include/mbedtls/ssl.h
Outdated
| * session, the ticket creation time may need to be saved for the ticket | ||
| * module to be able to check the ticket age when the ticket is used. | ||
| * That's the purpose of this field. | ||
| * Before to create a new ticket, an Mbed TLS server set this field with |
There was a problem hiding this comment.
Minor: before creating a new ticket
Disable ticket module if either the TLS server or the support for session tickets is not enabled at build time as in that case the ticket module is not used by the TLS library. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
ssl_ticket.c is a server module. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
The ticket module is removed from the build if the TLS server is not in the build now thus no need for the guard. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
When calculating the ticket age, remove the check that the endpoint is a server. The module is supposed to be used only server side. Furthermore, if such check was necessary, it should be at the beginning of all ssl_ticket.c APIs. As there is no such protection in any API, just remove the check. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Take into account that the lifetime of tickets can be changed through the mbedtls_ssl_ticket_rotate() API. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
The endpoint field is needed to serialize/deserialize a session in TLS 1.2 the same way it is needed in the TLS 1.3 case: client specific fields that should not be in the serialized version on server side if both TLS client and server are enabled in the TLS library. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
The purpose of this change is to eventually base the calculation in ssl_ticket.c of the ticket age when parsing a ticket on the ticket creation time both in TLS 1.2 and TLS 1.3 case. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Move the save/load of session endpoint and
ciphersuite that are common to TLS 1.2 and
TLS 1.3 serialized data from the
specialized ssl_{tls12,tls13}_session_{save,load}
functions to ssl__session_{save,load}.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
ronald-cron-arm
force-pushed
the
ssl-tickets
branch
from
dba6fbd to
40a4ab0
Compare
|
I've rebased and addressed the comments. |
ronald-cron-arm
added
needs-review
gilles-peskine-arm
removed
the
needs-reviewer
| * Before creating a new ticket, an Mbed TLS server set this field with | ||
| * its current time in milliseconds. This time may then be saved in the | ||
| * session ticket data by the session ticket writing function and | ||
| * recovered by the ticket parsing function later when the ticket is used. |
There was a problem hiding this comment.
Info: why do it this way, rather than letting the ticket writing function query the current time if it wants? That would seem more natural to me.
If this was a session creation time used for multiple purposes, this approach would be necessary, since there would have to be a single point where the official session creation time is decided. But for the ticket creation time, the (single) ticket writing function is the natural place.
(I realize that this is not new from this pull request: it's from #6788, which isn't released yet, and which AFAICT wasn't part of the public API until this PR which exposes it via mbedtls_ssl_session_get_ticket_creation_time.)
There was a problem hiding this comment.
First, thanks for the review.
Info: why do it this way, rather than letting the ticket writing function query the current time if it wants?
One important point is that when using the ticket the TLS 1.3 server needs the ticket_creation_time, it cannot be only a ticket module data. Thus it means that the ticket_creation_time needs to be in the ticket data.
In our implementation of mbedtls_ssl_ticket_write_t (and it is expected to be so in third party ones) the creation of the ticket data is based on mbedtls_ssl_session_save() thus when mbedtls_ssl_session_save() is called the
ticket_creation_time of the mbedtls_ssl_session structure must be set.
We could do it in mbedtls_ssl_ticket_write() but it is not straightforward as the session input parameter is a const: const mbedtls_ssl_session *session (we would need to copy the session ...). And if we do it that way with another implementation of mbedtls_ssl_ticket_write_t based on mbedtls_ssl_session_save() we would not add the ticket_creation_time in the ticket data.
gilles-peskine-arm
added
needs-work
and removed
needs-review
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
ronald-cron-arm
added
needs-ci
|
@gilles-peskine-arm the CI is green (but ABI-API check as expected) and I believe I have addressed your comment now, please have another look, thanks. |
tom-cosgrove-arm
added
needs-reviewer
|
@mpg doing second review on this |
mpg
removed
the
needs-review
mpg
added
the
approved
0ecb5fd
Since the merge of Mbed-TLS#8574 it is not the case anymore that the lifetime of keys is twice the lifetime of tickets. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Description
Fix and align ticket age check in ssl_ticket.c for TLS 1.2 and TLS 1.3
Follow-up of #6788, partially supersede #8525
Fixes #7795
PR checklist
Please tick as appropriate and edit the reasons (e.g.: "backport: not needed because this is a new feature")