From: Matt Caswell <matt@openssl.org>
Date: Thu, 21 Jun 2018 15:54:55 +0000 (+0100)
Subject: Use stateful tickets if we are doing anti-replay
X-Git-Tag: OpenSSL_1_1_1-pre9~225
X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=e880d4e58d1afe4d6e2d76646a8fbbe95fe05d40;hp=6cc0b3c2171e26379e898574cb6d42b8d8dcc113

Use stateful tickets if we are doing anti-replay

During anti-replay we cache the ticket anyway, so there is no point in
using a full stateless ticket.

Fixes #6391

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6563)
---

diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 48be0444af..f58ed0b582 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -1159,7 +1159,13 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
             uint32_t ticket_age = 0, now, agesec, agems;
             int ret;
 
-            if ((s->options & SSL_OP_NO_TICKET) != 0)
+            /*
+             * If we are using anti-replay protection then we behave as if
+             * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
+             * is no point in using full stateless tickets.
+             */
+            if ((s->options & SSL_OP_NO_TICKET) != 0
+                    || s->max_early_data > 0)
                 ret = tls_get_stateful_ticket(s, &identity, &sess);
             else
                 ret = tls_decrypt_ticket(s, PACKET_data(&identity),
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index ab16e632fd..9c44be0301 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -4082,7 +4082,13 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
         tctx->generate_ticket_cb(s, tctx->ticket_cb_data) == 0)
         goto err;
 
-    if ((s->options & SSL_OP_NO_TICKET) != 0 && SSL_IS_TLS13(s)) {
+    /*
+     * If we are using anti-replay protection then we behave as if
+     * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
+     * is no point in using full stateless tickets.
+     */
+    if (((s->options & SSL_OP_NO_TICKET) != 0 || s->max_early_data > 0)
+            && SSL_IS_TLS13(s)) {
         if (!construct_stateful_ticket(s, pkt, age_add_u.age_add, tick_nonce)) {
             /* SSLfatal() already called */
             goto err;