Google Git
Sign in
boringssl/boringssl.git/123db570097d6373ed501cf693452dc33fc532cb^!/./ssl/ssl_test.cc
commit
123db570097d6373ed501cf693452dc33fc532cb
[log]
author
David Benjamin <davidben@google.com>
Thu Nov 03 16:59:25 2016 -0400
committer
CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Tue Nov 08 23:51:10 2016 +0000
tree
9264269086f9b1fb21a42228eed4f2ee27ffdb78
parent
e75cc2766ca8e6d8a9378171f56d2d71882d7da9 [diff] [blame]
Measure session->timeout from ticket issuance.

The distinction for full handshakes is not meaningful (the timestamp is
currently the start of the handshake), but for renewed sessions, we
currently retain the timestamp of the original issuance.

Instead, when minting or receiving tickets, adjust session->time and
session->timeout so that session->time is the ticket issuance time.

This is still not our final TLS 1.3 behavior (which will need a both
renewable and non-renewable times to honor the server ticket lifetime),
but it gets us closer and unblocks handling ticket_age_add from TLS 1.3
draft 18 and sends the correct NewSessionTicket lifetime.

This fixes the ticket lifetime hint which we emit on the server to
mirror the true ticket lifetime. It also fixes the TLS 1.3 server code
to not set the ticket lifetime hint. There is no need to waste ticket
size with it, it is no longer a "hint" in TLS 1.3, and even in the TLS
1.3 code we didn't fill it in on the server.

Change-Id: I140541f1005a24e53e1b1eaa90996d6dada1c3a1
Reviewed-on: https://boringssl-review.googlesource.com/12105
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index 9198a28..5eede01 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc

@@ -2097,6 +2097,38 @@
   return encrypt ? 1 : 2;
 }
 
+static bool GetServerTicketTime(long *out, const SSL_SESSION *session) {
+  static const uint8_t kZeros[16] = {0};
+
+  if (session->tlsext_ticklen < 16 + 16 + SHA256_DIGEST_LENGTH) {
+    return false;
+  }
+
+  const uint8_t *iv = session->tlsext_tick + 16;
+  const uint8_t *ciphertext = session->tlsext_tick + 16 + 16;
+  size_t len = session->tlsext_ticklen - 16 - 16 - SHA256_DIGEST_LENGTH;
+  std::unique_ptr<uint8_t[]> plaintext(new uint8_t[len]);
+
+  bssl::ScopedEVP_CIPHER_CTX ctx;
+  int len1, len2;
+  if (!EVP_DecryptInit_ex(ctx.get(), EVP_aes_128_cbc(), nullptr, kZeros, iv) ||
+      !EVP_DecryptUpdate(ctx.get(), plaintext.get(), &len1, ciphertext, len) ||
+      !EVP_DecryptFinal_ex(ctx.get(), plaintext.get() + len1, &len2)) {
+    return false;
+  }
+
+  len = static_cast<size_t>(len1 + len2);
+
+  bssl::UniquePtr<SSL_SESSION> server_session(
+      SSL_SESSION_from_bytes(plaintext.get(), len));
+  if (!server_session) {
+    return false;
+  }
+
+  *out = server_session->time;
+  return true;
+}
+
 static bool TestSessionTimeout() {
   bssl::UniquePtr<X509> cert = GetTestCertificate();
   bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
@@ -2192,6 +2224,25 @@
         return false;
       }
 
+      // Check the sessions have timestamps measured from issuance.
+      long session_time = 0;
+      if (server_test) {
+        if (!GetServerTicketTime(&session_time, new_session.get())) {
+          fprintf(stderr, "Failed to decode session ticket (version = %04x).\n",
+                  version);
+          return false;
+        }
+      } else {
+        session_time = new_session->time;
+      }
+
+      if (session_time != g_current_time.tv_sec) {
+        fprintf(stderr,
+                "New session is not measured from issuance (version = %04x).\n",
+                version);
+        return false;
+      }
+
       // The new session is usable just before the old expiration.
       g_current_time.tv_sec = kStartTime + SSL_DEFAULT_SESSION_TIMEOUT - 1;
       if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),