Use a separate timeout scheme for TLS 1.3.
In TLS 1.2, resumption's benefits are more-or-less subsumed by False
Start. TLS 1.2 resumption lifetime is bounded by how much traffic we are
willing to encrypt without fresh key material, so the lifetime is short.
Renewal uses the same key, so we do not allow it to increase lifetimes.
In TLS 1.3, resumption unlocks 0-RTT. We do not implement psk_ke, so
resumption incorporates fresh key material into both encrypted traffic
(except for early data) and renewed tickets. Thus we are both more
willing to and more interested in longer lifetimes for tickets. Renewal
is also not useless. Thus in TLS 1.3, lifetime is bound separately by
the lifetime of a given secret as a psk_dhe_ke authenticator and the
lifetime of the online signature which authenticated the initial
handshake.
This change maintains two lifetimes on an SSL_SESSION: timeout which is
the renewable lifetime of this ticket, and auth_timeout which is the
non-renewable cliff. It also separates the TLS 1.2 and TLS 1.3 timeouts.
The old session timeout defaults and configuration apply to TLS 1.3, and
we define new ones for TLS 1.3.
Finally, this makes us honor the NewSessionTicket timeout in TLS 1.3.
It's no longer a "hint" in 1.3 and there's probably value in avoiding
known-useless 0-RTT offers.
BUG=120
Change-Id: Iac46d56e5a6a377d8b88b8fa31f492d534cb1b85
Reviewed-on: https://boringssl-review.googlesource.com/13503
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 01433d5..326a82b 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1726,19 +1726,36 @@
OPENSSL_EXPORT SSL_SESSION *SSL_get1_session(SSL *ssl);
/* SSL_DEFAULT_SESSION_TIMEOUT is the default lifetime, in seconds, of a
- * session. */
+ * session in TLS 1.2 or earlier. This is how long we are willing to use the
+ * secret to encrypt traffic without fresh key material. */
#define SSL_DEFAULT_SESSION_TIMEOUT (2 * 60 * 60)
-/* SSL_CTX_set_timeout sets the lifetime, in seconds, of sessions created in
- * |ctx| to |timeout|. */
+/* SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT is the default lifetime, in seconds, of a
+ * session for TLS 1.3 psk_dhe_ke. This is how long we are willing to use the
+ * secret as an authenticator. */
+#define SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT (2 * 24 * 60 * 60)
+
+/* SSL_DEFAULT_SESSION_AUTH_TIMEOUT is the default non-renewable lifetime, in
+ * seconds, of a TLS 1.3 session. This is how long we are willing to trust the
+ * signature in the initial handshake. */
+#define SSL_DEFAULT_SESSION_AUTH_TIMEOUT (7 * 24 * 60 * 60)
+
+/* SSL_CTX_set_timeout sets the lifetime, in seconds, of TLS 1.2 (or earlier)
+ * sessions created in |ctx| to |timeout|. */
OPENSSL_EXPORT long SSL_CTX_set_timeout(SSL_CTX *ctx, long timeout);
-/* SSL_CTX_get_timeout returns the lifetime, in seconds, of sessions created in
- * |ctx|. */
+/* SSL_CTX_set_session_psk_dhe_timeout sets the lifetime, in seconds, of TLS 1.3
+ * sessions created in |ctx| to |timeout|. */
+OPENSSL_EXPORT void SSL_CTX_set_session_psk_dhe_timeout(SSL_CTX *ctx,
+ long timeout);
+
+/* SSL_CTX_get_timeout returns the lifetime, in seconds, of TLS 1.2 (or earlier)
+ * sessions created in |ctx|. */
OPENSSL_EXPORT long SSL_CTX_get_timeout(const SSL_CTX *ctx);
-/* SSL_set_session_timeout sets the default lifetime, in seconds, of the
- * session created in |ssl| to |timeout|, and returns the old value.
+/* SSL_set_session_timeout sets the default lifetime, in seconds, of a TLS 1.2
+ * (or earlier) session created in |ssl| to |timeout|, and returns the old
+ * value.
*
* By default the value |SSL_DEFAULT_SESSION_TIMEOUT| is used, which can be
* overridden at the context level by calling |SSL_CTX_set_timeout|.
@@ -1746,6 +1763,10 @@
* If |timeout| is zero the newly created session will not be resumable. */
OPENSSL_EXPORT long SSL_set_session_timeout(SSL *ssl, long timeout);
+/* SSL_set_session_psk_dhe_timeout sets the lifetime, in seconds, of TLS 1.3
+ * sessions created in |ssl| to |timeout|. */
+OPENSSL_EXPORT void SSL_set_session_psk_dhe_timeout(SSL *ssl, long timeout);
+
/* SSL_CTX_set_session_id_context sets |ctx|'s session ID context to |sid_ctx|.
* It returns one on success and zero on error. The session ID context is an
* application-defined opaque byte string. A session will not be used in a
@@ -3736,9 +3757,14 @@
* non-fatal certificate errors. */
long verify_result;
- /* timeout is the lifetime of the session in seconds, measured from |time|. */
+ /* timeout is the lifetime of the session in seconds, measured from |time|.
+ * This is renewable up to |auth_timeout|. */
long timeout;
+ /* auth_timeout is the non-renewable lifetime of the session in seconds,
+ * measured from |time|. */
+ long auth_timeout;
+
/* time is the time the session was issued, measured in seconds from the UNIX
* epoch. */
long time;
@@ -3872,9 +3898,14 @@
* SSL_accept which cache SSL_SESSIONS. */
int session_cache_mode;
- /* session_timeout is the default lifetime for new sessions, in seconds. */
+ /* session_timeout is the default lifetime for new sessions in TLS 1.2 and
+ * earlier, in seconds. */
long session_timeout;
+ /* session_psk_dhe_timeout is the default lifetime for new sessions in TLS
+ * 1.3, in seconds. */
+ long session_psk_dhe_timeout;
+
/* If this callback is not null, it will be called each time a session id is
* added to the cache. If this function returns 1, it means that the
* callback will do a SSL_SESSION_free() when it has finished using it.
@@ -4237,9 +4268,13 @@
unsigned retain_only_sha256_of_client_certs:1;
/* session_timeout is the default lifetime in seconds of the session
- * created in this connection. */
+ * created in this connection at TLS 1.2 and earlier. */
long session_timeout;
+ /* session_psk_dhe_timeout is the default lifetime in seconds of sessions
+ * created in this connection at TLS 1.3. */
+ long session_psk_dhe_timeout;
+
/* OCSP response to be sent to the client, if requested. */
CRYPTO_BUFFER *ocsp_response;
};
