author | Peter Dettman <peter.dettman@bouncycastle.org> | 2021-10-04 18:18:43 +0700 |
---|---|---|
committer | Peter Dettman <peter.dettman@bouncycastle.org> | 2021-10-04 18:18:43 +0700 |
commit | 2d280660f30fe7653ebdc5d1e3d991e20c8bc92f (patch) | |
tree | f5e24398c52a45304e2d9d0ef7ceab492ab1d471 | |
parent | Fix test namespaces (diff) | |
Fixes for new_session_ticket
- see https://github.com/bcgit/bc-csharp/issues/317
-rw-r--r-- | crypto/src/tls/DtlsClientProtocol.cs | 13 | ||||
-rw-r--r-- | crypto/src/tls/DtlsReliableHandshake.cs | 3 | ||||
-rw-r--r-- | crypto/src/tls/DtlsServerProtocol.cs | 5 | ||||
-rw-r--r-- | crypto/src/tls/TlsClientProtocol.cs | 14 | ||||
-rw-r--r-- | crypto/src/tls/TlsProtocol.cs | 28 | ||||
-rw-r--r-- | crypto/src/tls/TlsServerProtocol.cs | 6 |
6 files changed, 53 insertions, 16 deletions
diff --git a/crypto/src/tls/DtlsClientProtocol.cs b/crypto/src/tls/DtlsClientProtocol.cs index a4810b983..44f574e3a 100644 --- a/crypto/src/tls/DtlsClientProtocol.cs +++ b/crypto/src/tls/DtlsClientProtocol.cs @@ -177,10 +177,7 @@ namespace Org.BouncyCastle.Tls } InvalidateSession(state); - state.tlsSession = TlsUtilities.ImportSession(securityParameters.SessionID, null); - state.sessionParameters = null; - state.sessionMasterSecret = null; serverMessage = handshake.ReceiveMessage(); @@ -343,6 +340,14 @@ namespace Org.BouncyCastle.Tls serverMessage = handshake.ReceiveMessage(); if (serverMessage.Type == HandshakeType.new_session_ticket) { + /* + * RFC 5077 3.4. If the client receives a session ticket from the server, then it + * discards any Session ID that was sent in the ServerHello. + */ + securityParameters.m_sessionID = TlsUtilities.EmptyBytes; + InvalidateSession(state); + state.tlsSession = TlsUtilities.ImportSession(securityParameters.SessionID, null); + ProcessNewSessionTicket(state, serverMessage.Body); } else @@ -373,7 +378,7 @@ namespace Org.BouncyCastle.Tls .SetServerExtensions(state.serverExtensions) .Build(); - state.tlsSession = TlsUtilities.ImportSession(state.tlsSession.SessionID, state.sessionParameters); + state.tlsSession = TlsUtilities.ImportSession(securityParameters.SessionID, state.sessionParameters); securityParameters.m_tlsUnique = securityParameters.LocalVerifyData; diff --git a/crypto/src/tls/DtlsReliableHandshake.cs b/crypto/src/tls/DtlsReliableHandshake.cs index b2f8f130a..e27d72762 100644 --- a/crypto/src/tls/DtlsReliableHandshake.cs +++ b/crypto/src/tls/DtlsReliableHandshake.cs @@ -408,9 +408,10 @@ namespace Org.BouncyCastle.Tls case HandshakeType.hello_request: case HandshakeType.hello_verify_request: case HandshakeType.key_update: - case HandshakeType.new_session_ticket: break; + // TODO[dtls13] Not included in the transcript for (D)TLS 1.3+ + case HandshakeType.new_session_ticket: default: { byte[] body = message.Body; 
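Review bot: In the `@@ -343` hunk of DtlsClientProtocol.cs the RFC 5077 comment explains why the session ID is cleared, but not why a session is imported with `null` parameters straight after `InvalidateSession(state)`. Going by the `@@ -373` hunk, that object looks like a placeholder which is replaced once `state.sessionParameters` has been built. A line above the `ImportSession` call would say so, for example `// Placeholder session without parameters; replaced once sessionParameters are built.` The same applies to the matching lines in the TlsClientProtocol.cs hunk at `@@ -708`. The enclosing method starts and ends outside the hunk.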
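Review bot: At the `ImportSession` call in the `@@ -373` hunk of DtlsClientProtocol.cs, `securityParameters.SessionID` can now be empty, because the `@@ -343` hunk sets `m_sessionID` (presumably the field behind `SessionID`) to `TlsUtilities.EmptyBytes` when a new_session_ticket arrives. The session is then stored with the real `state.sessionParameters` under an empty ID. Whether that session counts as resumable is decided inside `TlsUtilities.ImportSession`, which is not visible here. The call deserves a comment such as `// SessionID is empty here when a session ticket was received (RFC 5077 3.4).` and a test that pins the expected resumability. The same applies to the TlsProtocol.cs hunk at `@@ -450`.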
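Review bot: In DtlsReliableHandshake.cs, `case HandshakeType.new_session_ticket:` now falls through to `default:` unconditionally, while the two matching switches in TlsProtocol.cs (`@@ -590` and `@@ -956`) update the transcript only when `!TlsUtilities.IsTlsV13(negotiatedVersion)`. The TODO records the gap, but nothing visible in this hunk would stop the message being hashed if DTLS 1.3 were enabled later without revisiting it. I would state the requirement outright: `// TODO[dtls13] Must be excluded from the transcript for DTLS 1.3+; gate on the negotiated version as TlsProtocol does.` The switch starts outside the hunk.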
diff --git a/crypto/src/tls/DtlsServerProtocol.cs b/crypto/src/tls/DtlsServerProtocol.cs index 5637d4106..99c47ba1b 100644 --- a/crypto/src/tls/DtlsServerProtocol.cs +++ b/crypto/src/tls/DtlsServerProtocol.cs @@ -313,6 +313,11 @@ namespace Org.BouncyCastle.Tls if (state.expectSessionTicket) { + /* + * TODO[new_session_ticket] Check the server-side rules regarding the session ID, since the client + * is going to ignore any session ID it received once it sees the new_session_ticket message. + */ + NewSessionTicket newSessionTicket = state.server.GetNewSessionTicket(); byte[] newSessionTicketBody = GenerateNewSessionTicket(state, newSessionTicket); handshake.SendMessage(HandshakeType.new_session_ticket, newSessionTicketBody); diff --git a/crypto/src/tls/TlsClientProtocol.cs b/crypto/src/tls/TlsClientProtocol.cs index 4616580f0..c132b257b 100644 --- a/crypto/src/tls/TlsClientProtocol.cs +++ b/crypto/src/tls/TlsClientProtocol.cs @@ -708,7 +708,9 @@ namespace Org.BouncyCastle.Tls * RFC 5077 3.4. If the client receives a session ticket from the server, then it * discards any Session ID that was sent in the ServerHello. */ + securityParameters.m_sessionID = TlsUtilities.EmptyBytes; InvalidateSession(); + this.m_tlsSession = TlsUtilities.ImportSession(securityParameters.SessionID, null); ReceiveNewSessionTicket(buf); break; @@ -1001,13 +1003,8 @@ namespace Org.BouncyCastle.Tls TlsUtilities.Establish13PhaseSecrets(m_tlsClientContext, pskEarlySecret, sharedSecret); - { - InvalidateSession(); - - this.m_tlsSession = TlsUtilities.ImportSession(securityParameters.SessionID, null); - this.m_sessionParameters = null; - this.m_sessionMasterSecret = null; - } + InvalidateSession(); + this.m_tlsSession = TlsUtilities.ImportSession(securityParameters.SessionID, null); } /// <exception cref="IOException"/> 
@@ -1325,10 +1322,7 @@ namespace Org.BouncyCastle.Tls else { InvalidateSession(); - this.m_tlsSession = TlsUtilities.ImportSession(securityParameters.SessionID, null); - this.m_sessionParameters = null; - this.m_sessionMasterSecret = null; } } diff --git a/crypto/src/tls/TlsProtocol.cs b/crypto/src/tls/TlsProtocol.cs index 8d0e3fc0d..8fe6dc225 100644 --- a/crypto/src/tls/TlsProtocol.cs +++ b/crypto/src/tls/TlsProtocol.cs @@ -450,7 +450,7 @@ namespace Org.BouncyCastle.Tls .SetServerExtensions(m_serverExtensions) .Build(); - this.m_tlsSession = TlsUtilities.ImportSession(m_tlsSession.SessionID, m_sessionParameters); + this.m_tlsSession = TlsUtilities.ImportSession(securityParameters.SessionID, m_sessionParameters); } else { @@ -590,8 +590,21 @@ namespace Org.BouncyCastle.Tls */ case HandshakeType.hello_request: case HandshakeType.key_update: + break; + + /* + * Not included in the transcript for (D)TLS 1.3+ + */ case HandshakeType.new_session_ticket: + { + ProtocolVersion negotiatedVersion = Context.ServerVersion; + if (null != negotiatedVersion && !TlsUtilities.IsTlsV13(negotiatedVersion)) + { + buf.UpdateHash(m_handshakeHash); + } + break; + } /* * These message types are deferred to the handler to explicitly update the transcript. @@ -956,8 +969,21 @@ namespace Org.BouncyCastle.Tls */ case HandshakeType.hello_request: case HandshakeType.key_update: + break; + + /* + * Not included in the transcript for (D)TLS 1.3+ + */ case HandshakeType.new_session_ticket: + { + ProtocolVersion negotiatedVersion = Context.ServerVersion; + if (null != negotiatedVersion && !TlsUtilities.IsTlsV13(negotiatedVersion)) + { + m_handshakeHash.Update(buf, off, len); + } + break; + } /* * These message types are deferred to the writer to explicitly update the transcript. diff --git a/crypto/src/tls/TlsServerProtocol.cs b/crypto/src/tls/TlsServerProtocol.cs index 1320cf5fa..e14fb7d70 100644 --- a/crypto/src/tls/TlsServerProtocol.cs +++ b/crypto/src/tls/TlsServerProtocol.cs 
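Review bot: When `Context.ServerVersion` is null, the `new_session_ticket` case in the TlsProtocol.cs hunk at `@@ -590` silently leaves the message out of the transcript, the same path taken for (D)TLS 1.3. A ticket seen before a version has been negotiated is out of sequence and is presumably rejected by the message handler, which is outside the hunk. A comment on the null check would make that dependency explicit, for example `// No negotiated version yet: out-of-sequence message, left to the handler to reject.` The `@@ -956` hunk has the same branch and differs only in the hash call (`m_handshakeHash.Update(buf, off, len)`), so a small private predicate shared by both would keep the read and write sides in step.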
@@ -1148,6 +1148,12 @@ namespace Org.BouncyCastle.Tls if (m_expectSessionTicket) { + /* + * TODO[new_session_ticket] Check the server-side rules regarding the session ID, since + * the client is going to ignore any session ID it received once it sees the + * new_session_ticket message. + */ + SendNewSessionTicketMessage(m_tlsServer.GetNewSessionTicket()); this.m_connectionState = CS_SERVER_SESSION_TICKET; } |