From 56dc9e8bba509816ba80e347ed381c3ea71621b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Sat, 3 Aug 2013 17:16:31 +0200
Subject: [PATCH] Authenticate session tickets.
---
 include/polarssl/ssl.h | 1 +
 library/ssl_srv.c | 16 ++++++++++++----
 library/ssl_tls.c | 5 ++++-
 3 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 6b5124db4..6570081fe 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -455,6 +455,7 @@ struct _ssl_ticket_keys
 unsigned char key_name[16]; /*!< name to quickly discard bad tickets */
 aes_context enc; /*!< encryption context */
 aes_context dec; /*!< decryption context */
+ unsigned char mac_key[16]; /*!< authentication key */
 };
 struct _ssl_context
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index cbec7952b..f94fda50a 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -204,8 +204,8 @@ static int ssl_write_ticket( ssl_context *ssl, size_t *tlen )
 *p++ = (unsigned char)( ( enc_len ) & 0xFF );
 p = state + enc_len;
- /* Compute and write MAC */
- memset( p, 0, 32 );
+ /* Compute and write MAC( key_name + iv + enc_state_len + enc_state ) */
+ sha256_hmac( ssl->ticket_keys->mac_key, 16, start, p - start, p, 0 );
 p += 32;
 *tlen = p - start;
@@ -229,6 +229,7 @@ static int ssl_parse_ticket( ssl_context *ssl,
 unsigned char *enc_len_p = iv + 16;
 unsigned char *ticket = enc_len_p + 2;
 unsigned char *mac;
+ unsigned char computed_mac[16];
 size_t enc_len, clear_len, i;
 unsigned char pad_len;
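Review bot: The Doxygen comment on the new `mac_key` field says only "authentication key", while the call sites in ssl_srv.c use it as an HMAC-SHA256 key over key_name, iv, enc_len and the encrypted state, and a reader of the header cannot see that. Suggest `unsigned char mac_key[16]; /*!< HMAC-SHA256 key authenticating the whole ticket */`. The 16-byte length is also repeated as a bare literal at every sha256_hmac and f_rng call in ssl_srv.c and ssl_tls.c; a named constant next to this field would tie those call sites to the declaration. The struct definition starts outside this hunk.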
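Review bot: `computed_mac` is declared as 16 bytes on the added line of this hunk, but the `sha256_hmac( ..., computed_mac, 0 )` call and the 32-iteration compare loop in the following hunk (@@ -247,8 +248,15 @@) treat it as a 32-byte SHA-256 tag, so every ticket parse writes 16 bytes past the end of a stack buffer. The declaration should be `unsigned char computed_mac[32];`. A named constant for the tag length, shared with the `p += 32` in ssl_write_ticket, would keep the two sides from drifting apart again. ssl_parse_ticket's body continues outside this hunk.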
@@ -247,8 +248,15 @@ static int ssl_parse_ticket( ssl_context *ssl,
 if( memcmp( key_name, ssl->ticket_keys->key_name, 16 ) != 0 )
 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
- // TODO: check hmac
- (void) mac;
+ /* Check mac */
+ sha256_hmac( ssl->ticket_keys->mac_key, 16, buf, len - 32,
+ computed_mac, 0 );
+ ret = 0;
+ for( i = 0; i < 32; i++ )
+ if( mac[i] != computed_mac[i] )
+ ret = POLARSSL_ERR_SSL_INVALID_MAC;
+ if( ret != 0 )
+ return( ret );
 /* Decrypt */
 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->dec, AES_DECRYPT,
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index fb01c6c5a..a0bf9ce1d 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2979,7 +2979,7 @@ static int ssl_ticket_keys_init( ssl_context *ssl )
 {
 int ret;
 ssl_ticket_keys *tkeys;
- unsigned char buf[32];
+ unsigned char buf[16];
 if( ssl->ticket_keys != NULL )
 return( 0 );
@@ -2997,6 +2997,9 @@ static int ssl_ticket_keys_init( ssl_context *ssl )
 return( ret );
 }
+ if( ( ret = ssl->f_rng( ssl->p_rng, tkeys->mac_key, 16 ) ) != 0 )
+ return( ret );
+
 ssl->ticket_keys = tkeys;
 return( 0 );
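Review bot: The MAC check in this hunk compares the received and computed tags with a loop that avoids an early exit, but it still branches on secret-dependent data (`if( mac[i] != computed_mac[i] ) ret = ...`), which a compiler is free to turn back into a data-dependent jump; the usual form accumulates the XOR of the bytes and tests the accumulator once. It also relies on `len - 32` not underflowing, which depends on a length check earlier in ssl_parse_ticket that is outside this hunk, so it is worth confirming that check requires at least 32 bytes. The rewrite below needs an `unsigned char diff;` declared alongside `computed_mac` in the declarations hunk. ssl_parse_ticket's body starts and ends outside this hunk.
```c
    /* Check mac: compare every byte, no secret-dependent branch */
    sha256_hmac( ssl->ticket_keys->mac_key, 16, buf, len - 32,
                 computed_mac, 0 );
    diff = 0;
    for( i = 0; i < 32; i++ )
        diff |= mac[i] ^ computed_mac[i];
    if( diff != 0 )
        return( POLARSSL_ERR_SSL_INVALID_MAC );
    /* … unchanged: decrypt with aes_crypt_cbc … */
```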
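Review bot: The new early return on f_rng failure leaves `tkeys` allocated but unreferenced, since `ssl->ticket_keys = tkeys;` only runs after it; the allocation itself is above this hunk, so this is inferred from that assignment, and the pre-existing `return( ret );` at the top of the hunk appears to have the same leak. Releasing tkeys on both failure paths before returning would close it, and the same cleanup is the natural place to wipe the AES key material left in `buf`. ssl_ticket_keys_init's body starts outside this hunk.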