Google Git
Sign in
boringssl/boringssl.git/9b16066654f768d22ee2cd5a2576fcc4cab9590b^!/.
commit
9b16066654f768d22ee2cd5a2576fcc4cab9590b
[log]
author
David Benjamin <davidben@google.com>
Wed Jan 25 19:53:43 2017 -0500
committer
CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Thu Jan 26 21:29:32 2017 +0000
tree
5092c24e5d68d7513f0a1746d05b5b39000a173e
parent
258508fce1fb83be41d73370298b98b3eeb64b91 [diff]
Ignore 0-RTT-capable tickets unless enabled.

Until we've gotten it fully working, we should not mint any of these
SSL_SESSIONs, to avoid constraining future versions of our client code.

Notably, if any of our TLS 1.3 clients today serialized sessions, we
would need to rev the serialization format. Without opting into 0-RTT, a
TLS 1.3 client will create SSL_SESSIONs tagged as 0-RTT-capable but
missing important fields (ALPN, etc.). When that serialized session
makes its way to a future version of our client code, it would disagree
with the server about the ALPN value stored in the ticket and cause
interop failures.

I believe the only client code enabling TLS 1.3 right now is Chrome, and
the window is small, so it should be fine. But fix this now before it
becomes a problem.

Change-Id: Ie2b109f8d158017a6f3b4cb6169050d38a66b31c
Reviewed-on: https://boringssl-review.googlesource.com/13342
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>

diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 54bfca5..7aa3c84 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go

@@ -8443,10 +8443,23 @@
 			},
 		},
 		flags: []string{
+			"-enable-early-data",
 			"-expect-early-data-info",
 		},
 	})
 
+	// Test that 0-RTT tickets are ignored in clients unless opted in.
+	testCases = append(testCases, testCase{
+		testType: clientTest,
+		name:     "TLS13-SendTicketEarlyDataInfo-Disabled",
+		config: Config{
+			MaxVersion: VersionTLS13,
+			Bugs: ProtocolBugs{
+				SendTicketEarlyDataInfo: 16384,
+			},
+		},
+	})
+
 	testCases = append(testCases, testCase{
 		testType: clientTest,
 		name:     "TLS13-DuplicateTicketEarlyDataInfo",

diff --git a/ssl/tls13_client.c b/ssl/tls13_client.c
index 774b806..ad279f5 100644
--- a/ssl/tls13_client.c
+++ b/ssl/tls13_client.c

@@ -651,7 +651,7 @@
     goto err;
   }
 
-  if (have_early_data_info) {
+  if (have_early_data_info && ssl->ctx->enable_early_data) {
     if (!CBS_get_u32(&early_data_info, &session->ticket_max_early_data) ||
         CBS_len(&early_data_info) != 0) {
       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);