Prevent session ticket nonce overflow

Frauschi · Frauschi · commit 1d8864980a3e · 2026-03-06T10:23:08.000+01:00
diff --git a/src/internal.c b/src/internal.c
@@ -27549,6 +27549,9 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
 
     case WOLFSSL_EVP_R_PRIVATE_KEY_DECODE_ERROR:
         return "Private key decode error (EVP)";
+
+    case SESSION_TICKET_NONCE_OVERFLOW:
+        return "Session ticket nonce overflow";
     }
 
     return "unknown error number";
diff --git a/src/tls13.c b/src/tls13.c
@@ -12159,6 +12159,13 @@ static int SendTls13NewSessionTicket(WOLFSSL* ssl)
         if (ssl->error != WC_NO_ERR_TRACE(WC_PENDING_E))
     #endif
     {
+        if (ssl->session->ticketNonce.data[0] == 255) {
+            /* RFC8446 Section 4.6.1: Each ticket must have a unique nonce
+             * value. As the nonce is only a single byte, we have to prevent
+             * the overflow and abort. */
+            return SESSION_TICKET_NONCE_OVERFLOW;
+        }
+        else
             ssl->session->ticketNonce.data[0]++;
     }
 
diff --git a/wolfssl/error-ssl.h b/wolfssl/error-ssl.h
@@ -238,7 +238,9 @@ enum wolfSSL_ErrorCodes {
     CRYPTO_POLICY_FORBIDDEN      = -516,   /* operation forbidden by system
                                             * crypto-policy */
 
-    WOLFSSL_LAST_E               = -516
+    SESSION_TICKET_NONCE_OVERFLOW = -517,  /* Session ticket nonce overflow */
+
+    WOLFSSL_LAST_E               = -517
 
     /* codes -1000 to -1999 are reserved for wolfCrypt. */
 };

Original file line number	Diff line number	Diff line change
`@@ -27549,6 +27549,9 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)`
`27549`	`27549`
`27550`	`27550`	`case WOLFSSL_EVP_R_PRIVATE_KEY_DECODE_ERROR:`
`27551`	`27551`	`return "Private key decode error (EVP)";`
	`27552`	`+`
	`27553`	`+ case SESSION_TICKET_NONCE_OVERFLOW:`
	`27554`	`+ return "Session ticket nonce overflow";`
`27552`	`27555`	`}`
`27553`	`27556`
`27554`	`27557`	`return "unknown error number";`
Original file line number	Diff line number	Diff line change
`@@ -12159,6 +12159,13 @@ static int SendTls13NewSessionTicket(WOLFSSL* ssl)`
`12159`	`12159`	`if (ssl->error != WC_NO_ERR_TRACE(WC_PENDING_E))`
`12160`	`12160`	`#endif`
`12161`	`12161`	`{`
	`12162`	`+ if (ssl->session->ticketNonce.data[0] == 255) {`
	`12163`	`+ /* RFC8446 Section 4.6.1: Each ticket must have a unique nonce`
	`12164`	`+ * value. As the nonce is only a single byte, we have to prevent`
	`12165`	`+ * the overflow and abort. */`
	`12166`	`+ return SESSION_TICKET_NONCE_OVERFLOW;`
	`12167`	`+ }`
	`12168`	`+ else`
`12162`	`12169`	`ssl->session->ticketNonce.data[0]++;`
`12163`	`12170`	`}`
`12164`	`12171`