Merge pull request #9884 from Frauschi/f-204

Prevent session ticket nonce overflow

Author: douzzer

src/internal.c

@@ -27549,6 +27549,9 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
 
     case WOLFSSL_EVP_R_PRIVATE_KEY_DECODE_ERROR:
         return "Private key decode error (EVP)";
+
+    case SESSION_TICKET_NONCE_OVERFLOW:
+        return "Session ticket nonce overflow";
     }
 
     return "unknown error number";

src/tls13.c

@@ -12175,6 +12175,13 @@ static int SendTls13NewSessionTicket(WOLFSSL* ssl)
         if (ssl->error != WC_NO_ERR_TRACE(WC_PENDING_E))
     #endif
     {
+        if (ssl->session->ticketNonce.data[0] == 255) {
+            /* RFC8446 Section 4.6.1: Each ticket must have a unique nonce
+             * value. As the nonce is only a single byte, we have to prevent
+             * the overflow and abort. */
+            return SESSION_TICKET_NONCE_OVERFLOW;
+        }
+        else
             ssl->session->ticketNonce.data[0]++;
     }
 

wolfssl/error-ssl.h

@@ -238,7 +238,9 @@ enum wolfSSL_ErrorCodes {
     CRYPTO_POLICY_FORBIDDEN      = -516,   /* operation forbidden by system
                                             * crypto-policy */
 
-    WOLFSSL_LAST_E               = -516
+    SESSION_TICKET_NONCE_OVERFLOW = -517,  /* Session ticket nonce overflow */
+
+    WOLFSSL_LAST_E               = -517
 
     /* codes -1000 to -1999 are reserved for wolfCrypt. */
 };