Tolerate a zero length ticket nonce
author Matt Caswell <matt@openssl.org>
Tue, 18 Jul 2017 15:11:20 +0000 (16:11 +0100)
committer Matt Caswell <matt@openssl.org>
Tue, 18 Jul 2017 15:59:37 +0000 (16:59 +0100)
TLSv1.3 draft-21 requires the ticket nonce to be at least 1 byte in length.
However NSS sends a zero length nonce. This is actually ok because the next
draft will allow zero length nonces anyway, so we should tolerate this.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3957)

ssl/statem/extensions.c
ssl/statem/statem_clnt.c

index 9e25a3ed648877f04e73dad74e9ddb863d23666e..ab9f0d3616ecfb88683575ba48a6e3a765fb3253 100644 (file)
@@ -1259,10 +1259,6 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
     if (external) {
         psk = sess->master_key;
     } else {
-        if (sess->ext.tick_nonce == NULL) {
-            SSLerr(SSL_F_TLS_PSK_DO_BINDER, SSL_R_BAD_PSK);
-            goto err;
-        }
         psk = tmppsk;
         if (!tls13_hkdf_expand(s, md, sess->master_key,
                                (const unsigned char *)nonce_label,
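Review bot: In the non-external branch, with the sess->ext.tick_nonce == NULL check gone, a missing nonce and a zero length nonce are no longer told apart before tls13_hkdf_expand is called, and nothing here says that is intentional. Please add a short comment above psk = tmppsk stating that a NULL tick_nonce is now a valid state meaning zero length, and confirm that tick_nonce_len is always 0 whenever tick_nonce is NULL, so the expand call never pairs a NULL pointer with a nonzero length. If that invariant is not guaranteed everywhere the session is populated, keep a narrower check of the form tick_nonce == NULL && tick_nonce_len != 0 and fail with SSL_R_BAD_PSK.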
index ed9bd5c209161dbf65c9ca4d19a3b24eebdefa7f..cef0df8591216adc9d2fe7f1fc841d427248a240 100644 (file)
@@ -2429,7 +2429,6 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
         || (SSL_IS_TLS13(s)
             && (!PACKET_get_net_4(pkt, &age_add)
                 || !PACKET_get_length_prefixed_1(pkt, &nonce)
-                || PACKET_remaining(&nonce) == 0
                 || !PACKET_memdup(&nonce, &s->session->ext.tick_nonce,
                                   &s->session->ext.tick_nonce_len)))
         || !PACKET_get_net_2(pkt, &ticklen)
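Review bot: Dropping the PACKET_remaining(&nonce) == 0 condition in the SSL_IS_TLS13(s) branch makes the client accept something the commit message says draft-21 forbids, and the code carries no comment saying so. A one-line comment next to PACKET_get_length_prefixed_1(pkt, &nonce) noting that zero length nonces are tolerated on purpose would keep a later reader from restoring the check. The patch also touches no test file; a case that feeds a NewSessionTicket with an empty nonce and then resumes would cover both this path and the binder path, and would pin down what PACKET_memdup leaves in tick_nonce and tick_nonce_len for empty input.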