[openssl] OpenSSL_1_1_1-stable update
Matt Caswell
matt at openssl.org
Mon Jul 12 09:09:47 UTC 2021
The branch OpenSSL_1_1_1-stable has been updated
via 5b71c677781ca260c8d9968c103d92c44d644007 (commit)
from ea26844c4f624ef515d9228d3b623761a369b049 (commit)
- Log -----------------------------------------------------------------
commit 5b71c677781ca260c8d9968c103d92c44d644007
Author: Matt Caswell <matt at openssl.org>
Date: Wed Jun 23 08:54:12 2021 +0100
Avoid "excessive message size" for session tickets
We received a report of an "excessive message size" for a received
session ticket. Our maximum size was significantly less than the theoretical
maximum. The server may put any data it likes in the session ticket
including (for example) the full certificate chain so we should be able to
handle longer tickets. Update the value to the maximum allowed by the spec.
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15877)
(cherry picked from commit e54f0c9b2fe3dd2dcb5e8100e2c69e5b2f6eb681)
-----------------------------------------------------------------------
Summary of changes:
ssl/statem/statem_clnt.c | 3 ++-
ssl/statem/statem_local.h | 2 ++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 5543e08c59..d1a3969812 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1001,7 +1001,8 @@ size_t ossl_statem_client_max_message_size(SSL *s)
return CCS_MAX_LENGTH;
case TLS_ST_CR_SESSION_TICKET:
- return SSL3_RT_MAX_PLAIN_LENGTH;
+ return (SSL_IS_TLS13(s)) ? SESSION_TICKET_MAX_LENGTH_TLS13
+ : SESSION_TICKET_MAX_LENGTH_TLS12;
case TLS_ST_CR_FINISHED:
return FINISHED_MAX_LENGTH;
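Review bot: The new return in the TLS_ST_CR_SESSION_TICKET case raises the size the client will accept for both protocol versions, but the change summary lists only statem_clnt.c and statem_local.h, so nothing in this commit exercises a ticket larger than the old SSL3_RT_MAX_PLAIN_LENGTH limit. A regression test that feeds the client a ticket above the old limit, on both the TLS 1.3 and the earlier-version path, would pin the behaviour the commit message describes and catch a swapped constant in the ternary. Minor style point: the parentheses around SSL_IS_TLS13(s) are redundant.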
diff --git a/ssl/statem/statem_local.h b/ssl/statem/statem_local.h
index e27c0c13a2..3efa1c5a1c 100644
--- a/ssl/statem/statem_local.h
+++ b/ssl/statem/statem_local.h
@@ -22,6 +22,8 @@
#define SERVER_HELLO_MAX_LENGTH 20000
#define HELLO_RETRY_REQUEST_MAX_LENGTH 20000
#define ENCRYPTED_EXTENSIONS_MAX_LENGTH 20000
+#define SESSION_TICKET_MAX_LENGTH_TLS13 131338
+#define SESSION_TICKET_MAX_LENGTH_TLS12 65541
#define SERVER_KEY_EXCH_MAX_LENGTH 102400
#define SERVER_HELLO_DONE_MAX_LENGTH 0
#define KEY_UPDATE_MAX_LENGTH 1
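Review bot: SESSION_TICKET_MAX_LENGTH_TLS13 and SESSION_TICKET_MAX_LENGTH_TLS12 are added as bare literals (131338 and 65541) with no comment saying how they were derived. The commit message says they are the maximum allowed by the spec; a short comment above the two defines that sums the session ticket message's field sizes for each protocol version would let a reader check the numbers without redoing the arithmetic, and would distinguish these exact limits from the round ones around them (20000, 102400).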