Use a separate timeout scheme for TLS 1.3.
In TLS 1.2, resumption's benefits are more-or-less subsumed by False
Start. TLS 1.2 resumption lifetime is bounded by how much traffic we are
willing to encrypt without fresh key material, so the lifetime is short.
Renewal uses the same key, so we do not allow it to increase lifetimes.
In TLS 1.3, resumption unlocks 0-RTT. We do not implement psk_ke, so
resumption incorporates fresh key material into both encrypted traffic
(except for early data) and renewed tickets. Thus we are both more
willing to and more interested in longer lifetimes for tickets. Renewal
is also not useless. Thus in TLS 1.3, lifetime is bound separately by
the lifetime of a given secret as a psk_dhe_ke authenticator and the
lifetime of the online signature which authenticated the initial
handshake.
This change maintains two lifetimes on an SSL_SESSION: timeout which is
the renewable lifetime of this ticket, and auth_timeout which is the
non-renewable cliff. It also separates the TLS 1.2 and TLS 1.3 timeouts.
The old session timeout defaults and configuration apply to TLS 1.3, and
we define new ones for TLS 1.3.
Finally, this makes us honor the NewSessionTicket timeout in TLS 1.3.
It's no longer a "hint" in 1.3 and there's probably value in avoiding
known-useless 0-RTT offers.
BUG=120
Change-Id: Iac46d56e5a6a377d8b88b8fa31f492d534cb1b85
Reviewed-on: https://boringssl-review.googlesource.com/13503
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/tls13_client.c b/ssl/tls13_client.c
index 08e4edd..74d3646 100644
--- a/ssl/tls13_client.c
+++ b/ssl/tls13_client.c
@@ -15,6 +15,7 @@
#include <openssl/ssl.h>
#include <assert.h>
+#include <limits.h>
#include <string.h>
#include <openssl/bytestring.h>
@@ -257,6 +258,10 @@
return ssl_hs_error;
}
ssl_set_session(ssl, NULL);
+
+ /* Resumption incorporates fresh key material, so refresh the timeout. */
+ ssl_session_renew_timeout(ssl, ssl->s3->new_session,
+ ssl->session_psk_dhe_timeout);
} else if (!ssl_get_new_session(hs, 0)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
@@ -618,11 +623,12 @@
return 0;
}
- ssl_session_refresh_time(ssl, session);
+ ssl_session_rebase_time(ssl, session);
+ uint32_t server_timeout;
CBS cbs, ticket, extensions;
CBS_init(&cbs, ssl->init_msg, ssl->init_num);
- if (!CBS_get_u32(&cbs, &session->tlsext_tick_lifetime_hint) ||
+ if (!CBS_get_u32(&cbs, &server_timeout) ||
!CBS_get_u32(&cbs, &session->ticket_age_add) ||
!CBS_get_u16_length_prefixed(&cbs, &ticket) ||
!CBS_stow(&ticket, &session->tlsext_tick, &session->tlsext_ticklen) ||
@@ -633,6 +639,21 @@
goto err;
}
+ /* Cap the renewable lifetime by the server advertised value. This avoids
+ * wasting bandwidth on 0-RTT when we know the server will reject it.
+ *
+ * TODO(davidben): This dance where we're not sure if long or uint32_t is
+ * bigger is silly. session->timeout should not be a long to begin with.
+ * https://crbug.com/boringssl/155. */
+#if LONG_MAX < 0xffffffff
+ if (server_timeout > LONG_MAX) {
+ server_timeout = LONG_MAX;
+ }
+#endif
+ if (session->timeout > (long)server_timeout) {
+ session->timeout = (long)server_timeout;
+ }
+
/* Parse out the extensions. */
int have_early_data_info = 0;
CBS early_data_info;
