Add a |SSL_process_tls13_new_session_ticket|.
This API processes a given NewSessionTicket message and returns a resumable
|SSL_SESSION| object that contains the ticket.
(Change by Cesar Ghali.)
Change-Id: I7426933b043865ca54d3cf597f7ecd54d493bf35
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/41464
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 5a5cbdc..8e11ef2 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -2197,6 +2197,20 @@
OPENSSL_EXPORT void SSL_CTX_set_ticket_aead_method(
SSL_CTX *ctx, const SSL_TICKET_AEAD_METHOD *aead_method);
+// SSL_process_tls13_new_session_ticket processes an unencrypted TLS 1.3
+// NewSessionTicket message from |buf| and returns a resumable |SSL_SESSION|,
+// or NULL on error. The caller takes ownership of the returned session and
+// must call |SSL_SESSION_free| to free it.
+//
+// |buf| contains |buf_len| bytes that represents a complete NewSessionTicket
+// message including its header, i.e., one byte for the type (0x04) and three
+// bytes for the length. |buf| must contain only one such message.
+//
+// This function may be used to process NewSessionTicket messages in TLS 1.3
+// clients that are handling the record layer externally.
+OPENSSL_EXPORT SSL_SESSION *SSL_process_tls13_new_session_ticket(
+ SSL *ssl, const uint8_t *buf, size_t buf_len);
+
// Elliptic curve Diffie-Hellman.
//
diff --git a/ssl/internal.h b/ssl/internal.h
index b1c8bd1..182b02f 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -1863,6 +1863,8 @@
bool tls13_add_finished(SSL_HANDSHAKE *hs);
bool tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg);
+bssl::UniquePtr<SSL_SESSION> tls13_create_session_with_ticket(SSL *ssl,
+ CBS *body);
bool ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE *hs,
Array<uint8_t> *out_secret,
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
index 625f733..90c265e 100644
--- a/ssl/ssl_lib.cc
+++ b/ssl/ssl_lib.cc
@@ -2968,6 +2968,34 @@
ctx->ticket_aead_method = aead_method;
}
+SSL_SESSION *SSL_process_tls13_new_session_ticket(SSL *ssl, const uint8_t *buf,
+ size_t buf_len) {
+ if (SSL_in_init(ssl) ||
+ ssl_protocol_version(ssl) != TLS1_3_VERSION ||
+ ssl->server) {
+ // Only TLS 1.3 clients are supported.
+ OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return nullptr;
+ }
+
+ CBS cbs, body;
+ CBS_init(&cbs, buf, buf_len);
+ uint8_t type;
+ if (!CBS_get_u8(&cbs, &type) ||
+ !CBS_get_u24_length_prefixed(&cbs, &body) ||
+ CBS_len(&cbs) != 0) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
+ return nullptr;
+ }
+
+ UniquePtr<SSL_SESSION> session = tls13_create_session_with_ticket(ssl, &body);
+ if (!session) {
+ // |tls13_create_session_with_ticket| puts the correct error.
+ return nullptr;
+ }
+ return session.release();
+}
+
int SSL_set_tlsext_status_type(SSL *ssl, int type) {
if (!ssl->config) {
return 0;
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index 73f0b9d..4f4a80f 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -6303,5 +6303,70 @@
EXPECT_EQ(session2.get(), session3.get());
}
+TEST(SSLTest, ProcessTLS13NewSessionTicket) {
+ // Configure client and server to negotiate TLS 1.3 only.
+ bssl::UniquePtr<X509> cert = GetTestCertificate();
+ bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
+ bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method()));
+ bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_method()));
+ ASSERT_TRUE(client_ctx);
+ ASSERT_TRUE(server_ctx);
+ ASSERT_TRUE(SSL_CTX_set_min_proto_version(client_ctx.get(), TLS1_3_VERSION));
+ ASSERT_TRUE(SSL_CTX_set_min_proto_version(server_ctx.get(), TLS1_3_VERSION));
+ ASSERT_TRUE(SSL_CTX_set_max_proto_version(client_ctx.get(), TLS1_3_VERSION));
+ ASSERT_TRUE(SSL_CTX_set_max_proto_version(server_ctx.get(), TLS1_3_VERSION));
+ ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx.get(), cert.get()));
+ ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()));
+
+ bssl::UniquePtr<SSL> client, server;
+ ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
+ server_ctx.get()));
+ EXPECT_EQ(TLS1_3_VERSION, SSL_version(client.get()));
+
+ // Process a TLS 1.3 NewSessionTicket.
+ static const uint8_t kTicket[] = {
+ 0x04, 0x00, 0x00, 0xb2, 0x00, 0x02, 0xa3, 0x00, 0x04, 0x03, 0x02, 0x01,
+ 0x01, 0x00, 0x00, 0xa0, 0x01, 0x06, 0x09, 0x11, 0x16, 0x19, 0x21, 0x26,
+ 0x29, 0x31, 0x36, 0x39, 0x41, 0x46, 0x49, 0x51, 0x03, 0x06, 0x09, 0x13,
+ 0x16, 0x19, 0x23, 0x26, 0x29, 0x33, 0x36, 0x39, 0x43, 0x46, 0x49, 0x53,
+ 0xf7, 0x00, 0x29, 0xec, 0xf2, 0xc4, 0xa4, 0x41, 0xfc, 0x30, 0x17, 0x2e,
+ 0x9f, 0x7c, 0xa8, 0xaf, 0x75, 0x70, 0xf0, 0x1f, 0xc7, 0x98, 0xf7, 0xcf,
+ 0x5a, 0x5a, 0x6b, 0x5b, 0xfe, 0xf1, 0xe7, 0x3a, 0xe8, 0xf7, 0x6c, 0xd2,
+ 0xa8, 0xa6, 0x92, 0x5b, 0x96, 0x8d, 0xde, 0xdb, 0xd3, 0x20, 0x6a, 0xcb,
+ 0x69, 0x06, 0xf4, 0x91, 0x85, 0x2e, 0xe6, 0x5e, 0x0c, 0x59, 0xf2, 0x9e,
+ 0x9b, 0x79, 0x91, 0x24, 0x7e, 0x4a, 0x32, 0x3d, 0xbe, 0x4b, 0x80, 0x70,
+ 0xaf, 0xd0, 0x1d, 0xe2, 0xca, 0x05, 0x35, 0x09, 0x09, 0x05, 0x0f, 0xbb,
+ 0xc4, 0xae, 0xd7, 0xc4, 0xed, 0xd7, 0xae, 0x35, 0xc8, 0x73, 0x63, 0x78,
+ 0x64, 0xc9, 0x7a, 0x1f, 0xed, 0x7a, 0x9a, 0x47, 0x44, 0xfd, 0x50, 0xf7,
+ 0xb7, 0xe0, 0x64, 0xa9, 0x02, 0xc1, 0x5c, 0x23, 0x18, 0x3f, 0xc4, 0xcf,
+ 0x72, 0x02, 0x59, 0x2d, 0xe1, 0xaa, 0x61, 0x72, 0x00, 0x04, 0x5a, 0x5a,
+ 0x00, 0x00,
+ };
+ bssl::UniquePtr<SSL_SESSION> session(SSL_process_tls13_new_session_ticket(
+ client.get(), kTicket, sizeof(kTicket)));
+ ASSERT_TRUE(session);
+ ASSERT_TRUE(SSL_SESSION_has_ticket(session.get()));
+
+ uint8_t *session_buf = nullptr;
+ size_t session_length = 0;
+ ASSERT_TRUE(
+ SSL_SESSION_to_bytes(session.get(), &session_buf, &session_length));
+ bssl::UniquePtr<uint8_t> session_buf_free(session_buf);
+ ASSERT_TRUE(session_buf);
+ ASSERT_GT(session_length, 0u);
+
+ // Servers cannot call |SSL_process_tls13_new_session_ticket|.
+ ASSERT_FALSE(SSL_process_tls13_new_session_ticket(server.get(), kTicket,
+ sizeof(kTicket)));
+
+ // Clients cannot call |SSL_process_tls13_new_session_ticket| before the
+ // handshake completes.
+ bssl::UniquePtr<SSL> client2(SSL_new(client_ctx.get()));
+ ASSERT_TRUE(client2);
+ SSL_set_connect_state(client2.get());
+ ASSERT_FALSE(SSL_process_tls13_new_session_ticket(client2.get(), kTicket,
+ sizeof(kTicket)));
+}
+
} // namespace
BSSL_NAMESPACE_END
diff --git a/ssl/tls13_client.cc b/ssl/tls13_client.cc
index b889ac2..cb379b0 100644
--- a/ssl/tls13_client.cc
+++ b/ssl/tls13_client.cc
@@ -931,26 +931,43 @@
return true;
}
+ CBS body = msg.body;
+ UniquePtr<SSL_SESSION> session = tls13_create_session_with_ticket(ssl, &body);
+ if (!session) {
+ return false;
+ }
+
+ if ((ssl->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) &&
+ ssl->session_ctx->new_session_cb != NULL &&
+ ssl->session_ctx->new_session_cb(ssl, session.get())) {
+ // |new_session_cb|'s return value signals that it took ownership.
+ session.release();
+ }
+
+ return true;
+}
+
+UniquePtr<SSL_SESSION> tls13_create_session_with_ticket(SSL *ssl, CBS *body) {
UniquePtr<SSL_SESSION> session = SSL_SESSION_dup(
ssl->s3->established_session.get(), SSL_SESSION_INCLUDE_NONAUTH);
if (!session) {
- return false;
+ return nullptr;
}
ssl_session_rebase_time(ssl, session.get());
uint32_t server_timeout;
- CBS body = msg.body, ticket_nonce, ticket, extensions;
- if (!CBS_get_u32(&body, &server_timeout) ||
- !CBS_get_u32(&body, &session->ticket_age_add) ||
- !CBS_get_u8_length_prefixed(&body, &ticket_nonce) ||
- !CBS_get_u16_length_prefixed(&body, &ticket) ||
+ CBS ticket_nonce, ticket, extensions;
+ if (!CBS_get_u32(body, &server_timeout) ||
+ !CBS_get_u32(body, &session->ticket_age_add) ||
+ !CBS_get_u8_length_prefixed(body, &ticket_nonce) ||
+ !CBS_get_u16_length_prefixed(body, &ticket) ||
!session->ticket.CopyFrom(ticket) ||
- !CBS_get_u16_length_prefixed(&body, &extensions) ||
- CBS_len(&body) != 0) {
+ !CBS_get_u16_length_prefixed(body, &extensions) ||
+ CBS_len(body) != 0) {
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
- return false;
+ return nullptr;
}
// Cap the renewable lifetime by the server advertised value. This avoids
@@ -960,7 +977,7 @@
}
if (!tls13_derive_session_psk(session.get(), ticket_nonce)) {
- return false;
+ return nullptr;
}
// Parse out the extensions.
@@ -975,7 +992,7 @@
OPENSSL_ARRAY_SIZE(ext_types),
1 /* ignore unknown */)) {
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
- return false;
+ return nullptr;
}
if (have_early_data) {
@@ -983,7 +1000,7 @@
CBS_len(&early_data) != 0) {
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
- return false;
+ return nullptr;
}
// QUIC does not use the max_early_data_size parameter and always sets it to
@@ -992,7 +1009,7 @@
session->ticket_max_early_data != 0xffffffff) {
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
- return false;
+ return nullptr;
}
}
@@ -1004,14 +1021,7 @@
session->ticket_age_add_valid = true;
session->not_resumable = false;
- if ((ssl->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) &&
- ssl->session_ctx->new_session_cb != NULL &&
- ssl->session_ctx->new_session_cb(ssl, session.get())) {
- // |new_session_cb|'s return value signals that it took ownership.
- session.release();
- }
-
- return true;
+ return session;
}
BSSL_NAMESPACE_END
