Add SSL_SESSION_is_single_use.

Querying versions is a bit of a mess between DTLS and TLS and variants
and friends. Add SSL_SESSION_is_single_use which informs the caller
whether the session should be single-use.

Bug: chromium:631988
Change-Id: I745d8a5dd5dc52008fe99930d81fed7651b92e4e
Reviewed-on: https://boringssl-review.googlesource.com/20844
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 008a90f..b0e706d 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1709,6 +1709,15 @@
const uint8_t *sid_ctx,
size_t sid_ctx_len);
+// SSL_SESSION_should_be_single_use returns one if |session| should be
+// single-use (TLS 1.3 and later) and zero otherwise.
+//
+// If this function returns one, clients retain multiple sessions and use each
+// only once. This prevents passive observers from correlating connections with
+// tickets. See draft-ietf-tls-tls13-18, appendix B.5. If it returns zero,
+// |session| cannot be used without leaking a correlator.
+OPENSSL_EXPORT int SSL_SESSION_should_be_single_use(const SSL_SESSION *session);
+
// Session caching.
//
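Review bot: The doc comment on SSL_SESSION_should_be_single_use states the caller's obligation as a description ("clients retain multiple sessions and use each only once") and never says what a caller should do on a zero return beyond "cannot be used without leaking a correlator". This is the contract external session caches will implement, so word it as an instruction, for example "callers should retain multiple sessions and offer each at most once", and state whether reuse is acceptable when it returns zero. The exported name also differs from the SSL_SESSION_is_single_use used in the commit subject and body; one of the two should be updated so the function can be found from the log.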
@@ -1745,6 +1754,12 @@
// e.g., different cipher suite settings or client certificates should also use
// separate session caches between those contexts. Servers should also partition
// session caches between SNI hosts with |SSL_CTX_set_session_id_context|.
+//
+// Note also, in TLS 1.2 and earlier, offering sessions allows passive observers
+// to correlate different client connections. TLS 1.3 and later fix this,
+// provided clients use sessions at most once. Session caches are managed by the
+// caller in BoringSSL, so this must be implemented externally. See
+// |SSL_SESSION_should_be_single_use| for details.
// SSL_SESS_CACHE_OFF disables all session caching.
#define SSL_SESS_CACHE_OFF 0x0000
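Review bot: The added paragraph in the session caching comment says single-use "must be implemented externally" but does not say what an external cache has to do, which leaves the privacy property dependent on each caller guessing correctly. Add one sentence naming the action, for example that the cache should drop a session once it has been offered on a connection whenever SSL_SESSION_should_be_single_use returns one. It would also help to state that the correlation risk applies to the client side, since the surrounding text addresses both clients and servers.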
diff --git a/ssl/ssl_session.cc b/ssl/ssl_session.cc
index 4c6d93f..5da24c4 100644
--- a/ssl/ssl_session.cc
+++ b/ssl/ssl_session.cc
@@ -960,6 +960,10 @@
return 1;
}
+int SSL_SESSION_should_be_single_use(const SSL_SESSION *session) {
+ return SSL_SESSION_protocol_version(session) >= TLS1_3_VERSION;
+}
+
SSL_SESSION *SSL_magic_pending_session_ptr(void) {
return (SSL_SESSION *)&g_pending_session_magic;
}
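Review bot: The comparison "SSL_SESSION_protocol_version(session) >= TLS1_3_VERSION" in SSL_SESSION_should_be_single_use is only correct if SSL_SESSION_protocol_version returns a normalized protocol version rather than the wire value. DTLS wire versions (0xfeff, 0xfefd) compare numerically greater than 0x0304, so a raw value would mark every DTLS session as single-use, which is the DTLS/TLS mess the commit message mentions. A short comment stating that the helper normalizes DTLS versions would make this safe to read in isolation. No test is visible in this change; a unit test covering a TLS 1.2, a TLS 1.3 and a DTLS session would pin the behavior.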