Version
5.9.1, HEAD
Description
Summary
When a WOLFSSL_CTX is reused across successive DTLS 1.3 handshakes, and wolfSSL_CTX_set_TicketHint() (or wolfSSL_CTX_set_timeout(), which forwards its argument directly as the hint) is called with a value greater than WOLFSSL_TICKET_KEY_LIFETIME / 2, DefTicketEncCb permanently fails on every handshake after the first.
TicketEncCbCtx_ChooseKey() returns BAD_STATE_E when both keys are simultaneously alive but neither covers the hint window. The invariant ticketHint < WOLFSSL_TICKET_KEY_LIFETIME / 2 is enforced at compile time for SESSION_TICKET_HINT_DEFAULT but not for runtime wolfSSL_CTX_set_TicketHint() or wolfSSL_CTX_set_timeout() calls.
Tests added
test_dtls13_server_ctx_reuse_ticket — repro, fails on unpatched wolfSSL
One server WOLFSSL_CTX reused across two DTLS 1.3 handshakes using a hybrid PQ X25519MLKEM768 key share (fragmented ClientHello). Hint set to WOLFSSL_TICKET_KEY_LIFETIME + 1 to arm the trigger. The second wolfSSL_accept() must succeed — it fails with BAD_STATE_E on current HEAD.
test_dtls13_server_ctx_reuse_no_ticket_ok — control, passes on all versions
Identical setup but with wolfSSL_CTX_no_ticket_TLSv13() suppressing server-issued tickets. Both handshakes succeed, isolating the fault to NewSessionTicket issuance with an oversized hint rather than CTX reuse generally.
Suggested fix
Either cap ctx->ticketHint at WOLFSSL_TICKET_KEY_LIFETIME / 2 inside wolfSSL_CTX_set_TicketHint() and wolfSSL_CTX_set_timeout(), or extend TicketEncCbCtx_ChooseKey() to generate a new key unconditionally when neither key covers the hint window and neither has expired. This PR adds only the regression tests.
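To make the failure mode in the Summary and the first suggested fix concrete, here is a small standalone model of a two-slot ticket-key rotation with a simulated clock. It is an added example, not wolfSSL's code: the names (TicketKeyCtx, choose_key, first_failure), the assumed KEY_LIFETIME, and the assumption that the primary key is generated at context setup are all made up for this example; only the selection rule it models ("use a key whose expiry still covers now + hint, otherwise regenerate an expired slot, otherwise fail") follows the description above.

```c
/* Simplified model of two-slot session-ticket key rotation, written to
 * illustrate the oversized-hint failure. NOT wolfSSL's code: names, the
 * lifetime value and the setup behaviour are assumptions for this example. */
#include <stdio.h>
#include <stdint.h>

#define KEY_LIFETIME 3600u   /* assumed key lifetime in seconds */
#define BAD_STATE    (-1)    /* model of BAD_STATE_E */

typedef struct {
    uint32_t expiry[2];      /* absolute expiry per slot; 0 = never generated */
    uint32_t hint;           /* ticket lifetime hint advertised to clients */
} TicketKeyCtx;

/* A freshly generated key is valid for KEY_LIFETIME seconds from now. */
static void gen_key(TicketKeyCtx *c, int idx, uint32_t now)
{
    c->expiry[idx] = now + KEY_LIFETIME;
}

/* Context setup: primary key generated up front (modelling assumption). */
static void ctx_init(TicketKeyCtx *c, uint32_t now)
{
    c->expiry[0] = 0;
    c->expiry[1] = 0;
    c->hint = KEY_LIFETIME / 2 - 1;   /* analogue of the checked default */
    gen_key(c, 0, now);
}

/* Model of the first suggested fix: clamp the runtime hint to LIFETIME/2. */
static uint32_t capped_hint(uint32_t hint)
{
    return hint > KEY_LIFETIME / 2 ? KEY_LIFETIME / 2 : hint;
}

static void set_hint(TicketKeyCtx *c, uint32_t hint, int capped)
{
    c->hint = capped ? capped_hint(hint) : hint;   /* uncapped = today's behaviour */
}

/* Pick the slot used to encrypt a ticket issued at 'now'. A key may encrypt
 * only if it is still valid when the ticket's hint window ends; otherwise an
 * expired slot is regenerated; if both slots are alive, there is no key. */
static int choose_key(TicketKeyCtx *c, uint32_t now)
{
    int idx;
    for (idx = 0; idx < 2; idx++)
        if (c->expiry[idx] >= now + c->hint)
            return idx;
    for (idx = 0; idx < 2; idx++)
        if (c->expiry[idx] < now) {
            gen_key(c, idx, now);
            return idx;
        }
    return BAD_STATE;   /* both keys alive, neither covers the hint window */
}

/* Run n handshakes spaced 'interval' seconds apart on one reused context.
 * Returns the 1-based index of the first handshake whose ticket encryption
 * fails, or 0 if all succeed. */
static int first_failure(uint32_t hint, int n, uint32_t interval, int capped)
{
    TicketKeyCtx c;
    uint32_t now = 1000;   /* arbitrary simulated start time */
    int i;
    ctx_init(&c, now);
    set_hint(&c, hint, capped);
    for (i = 1; i <= n; i++, now += interval)
        if (choose_key(&c, now) == BAD_STATE)
            return i;
    return 0;
}

int main(void)
{
    /* Hint above the lifetime: the second handshake on the reused ctx fails. */
    printf("hint=LIFETIME+1, uncapped: first failure at handshake %d\n",
           first_failure(KEY_LIFETIME + 1, 3, 1, 0));
    /* Same hint with the cap applied: no failure. */
    printf("hint=LIFETIME+1, capped:   first failure at handshake %d\n",
           first_failure(KEY_LIFETIME + 1, 3, 1, 1));
    /* Hint at 0.6*LIFETIME: works at first, then fails once both slots are
     * alive and neither reaches far enough ahead. */
    printf("hint=0.6*LIFETIME, 60s apart: first failure at handshake %d\n",
           first_failure(KEY_LIFETIME * 6 / 10, 100, 60, 0));
    /* Hint below LIFETIME/2: rotation stays healthy indefinitely. */
    printf("hint<LIFETIME/2, 60s apart:   first failure at handshake %d\n",
           first_failure(KEY_LIFETIME / 2 - 1, 200, 60, 0));
    return 0;
}
```

The third run shows why the bound is LIFETIME/2 and not simply LIFETIME: a key stops being usable for encryption hint seconds before it expires, so the second slot is generated at t0 + LIFETIME - hint and itself stops covering at t0 + 2*LIFETIME - 2*hint; the first slot must have expired by then (t0 + LIFETIME), which holds only when hint <= LIFETIME/2. Any larger runtime hint eventually leaves both slots alive and unusable, exactly the BAD_STATE_E state reported above.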
Reproduction steps
See PR #10797.
./configure \
--prefix=/usr --libdir=/usr/lib64 --enable-shared --disable-static \
--enable-dtls --enable-dtls13 --enable-tls13 --enable-ecc --enable-psk \
--enable-session-ticket --enable-aesgcm --enable-aesccm --enable-chacha \
--enable-poly1305 --enable-hkdf --enable-supportedcurves --enable-curve25519 \
--enable-dtlscid --enable-rpk --enable-secure-renegotiation --enable-opensslextra \
--enable-mlkem --enable-mldsa --enable-dual-alg-certs --enable-experimental \
--enable-debug
make -j$(nproc) tests/unit.test
./tests/unit.test -1502 -1503