tls13: support ticketNonce with size bigger than MAX_TICKET_NONCE_SZ
Description
Support for arbitrary-sized ticket nonces.
Ticket nonces are sent together with session tickets in TLSv1.3, and they are used to compute the PSK associated with the ticket.
WolfSSL used static buffers to store ticket nonces and failed if a client received a ticket nonce that didn't fit into them.
This PR allows:
a) to customize the size of the static buffer, using the TLS13_TICKET_NONCE_MAX_STATIC_SZ compile-time define
b) to dynamically allocate a heap-based buffer if the ticket nonce doesn't fit in the static buffer. This feature is enabled with WOLFSSL_TICKET_NONCE_MALLOC or with the --enable-nonce-malloc option
Option a) has the drawback that all connections will use the memory of the buffer regardless of the real size of the ticket nonce used, but if you know in advance how big the ticket nonces will be, it may save some allocations.
Fixes zd#14780
Testing
./configure --enable-session-ticket --enable-opensslextra && make check
./configure --enable-session-ticket --enable-opensslextra --enable-ticket-nonce-malloc && make check
./configure --enable-session-ticket --enable-opensslextra CFLAGS="-DTLS13_TICKET_NONCE_MAX_STATIC_SZ=32" && make check
I tried against rustls, which uses a 32-byte ticket, and against a modified version that uses a 255-byte ticket.
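The static-buffer-with-heap-fallback storage described above, as an added example that is not code from this PR or from wolfSSL. All names (`ticket_nonce`, `nonce_set`, `NONCE_STATIC_SZ`, the `allow_heap` switch) and the 8-byte static size are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names; not wolfSSL's structures or API. */
#ifndef NONCE_STATIC_SZ
#define NONCE_STATIC_SZ 8    /* constructed value; role of TLS13_TICKET_NONCE_MAX_STATIC_SZ */
#endif
#define NONCE_WIRE_MAX 255   /* RFC 8446: opaque ticket_nonce<0..255> */

typedef struct {
    uint8_t  fixed[NONCE_STATIC_SZ]; /* cost paid by every session */
    uint8_t *heap;                   /* NULL while the nonce fits in fixed */
    size_t   len;
} ticket_nonce;

void nonce_init(ticket_nonce *n) { n->heap = NULL; n->len = 0; }
void nonce_free(ticket_nonce *n) { free(n->heap); nonce_init(n); }

const uint8_t *nonce_bytes(const ticket_nonce *n) { return n->heap ? n->heap : n->fixed; }

/* Store a received nonce. Returns 0, or -1 leaving the old nonce intact.
 * allow_heap == 0 models a build without the heap fallback. */
int nonce_set(ticket_nonce *n, const uint8_t *src, size_t len, int allow_heap)
{
    uint8_t *blk = NULL;
    if (len > NONCE_WIRE_MAX || (len > 0 && src == NULL))
        return -1;                   /* length field is one byte on the wire */
    if (len > NONCE_STATIC_SZ) {
        if (!allow_heap || (blk = malloc(len)) == NULL)
            return -1;               /* static-only build, or out of memory */
    }
    if (len > 0)
        memmove(blk != NULL ? blk : n->fixed, src, len);
    free(n->heap);                   /* release any previous heap block */
    n->heap = blk;
    n->len = len;
    return 0;
}

int main(void)
{
    uint8_t wire[32] = {0};          /* constructed 32-byte nonce */
    ticket_nonce n = { {0}, NULL, 0 };
    int rc = nonce_set(&n, wire, sizeof wire, 1);
    nonce_free(&n);
    return rc;
}
```

Anything that copies such a structure must duplicate the heap block rather than the pointer, otherwise two sessions free the same allocation.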
Thanks for the feedback
Concerned about code size growth here. Could we wrap this new logic in a new build option like NO_SESSION_TICKET_MALLOC to disable for customers who don't need it?
Sure
Session tickets are supported with TLS v1.2 also, but it seems this new logic is wrapped with TLS v1.2? Is there a reason TLS v1.2 doesn't have this issue?
While session tickets are used both for TLSv1.2 and TLSv1.3, ticket nonces are TLSv1.3 specific.
Please put this on hold; I would like to add some specific edge case tests.
Added tests. It's ok for me
Added heap hint.
I guarded out the new features from the current FIPS version.