Bug 1385746 - API for sending a NewSessionTicket, r=ekr
--HG--
branch : NSS_TLS13_DRAFT19_BRANCH
martinthomson committed Jul 31, 2017
1 parent cb58afa commit 4050b48
Showing 5 changed files with 67 additions and 8 deletions.
2 changes: 0 additions & 2 deletions lib/ssl/ssl3con.c
Expand Up @@ -11617,7 +11617,6 @@ ssl_HashHandshakeMessage(sslSocket *ss, SSLHandshakeType type,
return SECSuccess;
}


/* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3
* handshake message.
* Caller must hold Handshake and RecvBuf locks.
Expand All @@ -11635,7 +11634,6 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, PRUint8 *b, PRUint32 length,
SSL_TRC(30, ("%d: SSL3[%d]: handle handshake message: %s", SSL_GETPID(),
ss->fd, ssl3_DecodeHandshakeType(ss->ssl3.hs.msg_type)));


/* Start new handshake hashes when we start a new handshake. Unless this is
* TLS 1.3 and we sent a HelloRetryRequest. */
if (ss->ssl3.hs.msg_type == ssl_hs_client_hello && !ss->ssl3.hs.helloRetry) {
20 changes: 20 additions & 0 deletions lib/ssl/sslexp.h
Expand Up @@ -222,6 +222,26 @@ typedef SECStatus(PR_CALLBACK *SSLExtensionHandler)(
(PRTime _window, unsigned int _k, unsigned int _bits), \
(window, k, bits))

/*
* This function allows a server application to generate a session ticket that
* will embed the provided token.
*
* This function will cause a NewSessionTicket message to be sent by a server.
* This happens even if SSL_ENABLE_SESSION_TICKETS is disabled. This allows a
* server to suppress the usually automatic generation of a session ticket at
* the completion of the handshake - which do not include any token - and to
* control when session tickets are transmitted.
*
* This function will fail unless the socket has an active TLS 1.3 session.
* Earlier versions of TLS do not support the spontaneous sending of the
* NewSessionTicket message.
*/
#define SSL_SendSessionTicket(fd, token, tokenLen) \
SSL_EXPERIMENTAL_API("SSL_SendSessionTicket", \
(PRFiledesc * _fd, const PRUint8 *_token, \
unsigned int _tokenLen), \
(fd, token, tokenLen))

SEC_END_PROTOS

#endif /* __sslexp_h_ */
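Review bot: `PRFiledesc * _fd` in the SSL_SendSessionTicket macro looks like a misspelling of `PRFileDesc`, the type that the SSLExp_SendSessionTicket prototype in sslimpl.h uses. The definition of SSL_EXPERIMENTAL_API is outside this hunk, but if it uses this parameter list to build a function-pointer type, every caller of the macro would fail to compile. The line should read `(PRFileDesc * _fd, const PRUint8 *_token, \`. The comment would also help callers if it said which error is set on failure, whether the token is copied before the call returns, and what bound applies to `tokenLen`.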
3 changes: 3 additions & 0 deletions lib/ssl/sslimpl.h
Expand Up @@ -866,6 +866,7 @@ typedef struct SSL3HandshakeStateStr {
ssl3KEADef kea_def_mutable; /* Used to hold the writable kea_def
* we use for TLS 1.3 */
PRTime serverHelloTime; /* Time the ServerHello flight was sent. */
PRUint16 ticketNonce; /* A counter we use for tickets. */
} SSL3HandshakeState;

/*
Expand Down Expand Up @@ -1698,6 +1699,8 @@ extern void ssl3_SetSIDSessionTicket(sslSessionID *sid,
SECStatus ssl3_EncodeSessionTicket(sslSocket *ss,
const NewSessionTicket *ticket,
SECItem *ticket_data, PK11SymKey *secret);
SECStatus SSLExp_SendSessionTicket(PRFileDesc *fd, const PRUint8 *token,
unsigned int tokenLen);

SECStatus ssl_MaybeSetSelfEncryptKeyPair(const sslKeyPair *keyPair);
SECStatus ssl_GetSelfEncryptKeys(sslSocket *ss, unsigned char *keyName,
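Review bot: The `ticketNonce` field added to SSL3HandshakeState is a 16-bit counter, and the tls13con.c change in this commit advances it with `++ss->ssl3.hs.ticketNonce` and no wrap check. After 65536 tickets on one connection the nonce would repeat, and the same PSK would be derived from `resumptionMasterSecret` for two tickets. With SSL_SendSessionTicket the application now decides how many tickets are sent, so the limit is reachable in principle. Consider failing in tls13_SendNewSessionTicket once the counter reaches `PR_UINT16_MAX`, and tightening the field comment to state the invariant, e.g. `/* Per-connection ticket_nonce counter; each value derives one ticket's PSK and must never repeat. */`. The struct definition starts outside this hunk, and where the counter is initialised is not visible here.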
1 change: 1 addition & 0 deletions lib/ssl/sslsock.c
Expand Up @@ -3904,6 +3904,7 @@ struct {
#ifndef SSL_DISABLE_EXPERIMENTAL_API
EXP(GetExtensionSupport),
EXP(InstallExtensionHooks),
EXP(SendSessionTicket),
EXP(SetupAntiReplay),
#endif
{ "", NULL }
49 changes: 43 additions & 6 deletions lib/ssl/tls13con.c
Expand Up @@ -69,7 +69,7 @@ static SECStatus tls13_HandleCertificateRequest(sslSocket *ss, PRUint8 *b,
static SECStatus
tls13_SendCertificateVerify(sslSocket *ss, SECKEYPrivateKey *privKey);
static SECStatus tls13_HandleCertificateVerify(
sslSocket *ss, PRUint8 *b, PRUint32 length);
sslSocket *ss, PRUint8 *b, PRUint32 length);
static SECStatus tls13_RecoverWrappedSharedSecret(sslSocket *ss,
sslSessionID *sid);
static SECStatus
Expand Down Expand Up @@ -1808,7 +1808,7 @@ tls13_HandleHelloRetryRequest(sslSocket *ss, PRUint8 *b, PRUint32 length)
}

rv = ssl_HashHandshakeMessage(ss, ssl_hs_hello_retry_request,
savedMsg, savedLength);
savedMsg, savedLength);
if (rv != SECSuccess) {
return rv;
}
Expand Down Expand Up @@ -3939,6 +3939,10 @@ tls13_SendNewSessionTicket(sslSocket *ss)
SECStatus rv;
NewSessionTicket ticket = { 0 };
PRUint32 max_early_data_size_len = 0;
PRUint8 ticketNonce[sizeof(ss->ssl3.hs.ticketNonce)];

SSL_TRC(3, ("%d: TLS13[%d]: send new session ticket message %d",
SSL_GETPID(), ss->fd, ss->ssl3.hs.ticketNonce));

ticket.flags = 0;
if (ss->opt.enable0RttData) {
Expand All @@ -3953,9 +3957,12 @@ tls13_SendNewSessionTicket(sslSocket *ss)
if (rv != SECSuccess)
goto loser;

(void)ssl_EncodeUintX(ss->ssl3.hs.ticketNonce, sizeof(ticketNonce),
ticketNonce);
++ss->ssl3.hs.ticketNonce;
rv = tls13_HkdfExpandLabel(ss->ssl3.hs.resumptionMasterSecret,
tls13_GetHash(ss),
NULL, 0,
ticketNonce, sizeof(ticketNonce),
kHkdfLabelResumption,
strlen(kHkdfLabelResumption),
tls13_GetHkdfMechanism(ss),
Expand All @@ -3972,7 +3979,7 @@ tls13_SendNewSessionTicket(sslSocket *ss)
message_length =
4 + /* lifetime */
4 + /* ticket_age_add */
1 + /* ticket_nonce length */
1 + sizeof(ticketNonce) + /* ticket_nonce */
2 + max_early_data_size_len + /* max_early_data_size_len */
2 + /* ticket length */
ticket_data.len;
Expand All @@ -3991,8 +3998,8 @@ tls13_SendNewSessionTicket(sslSocket *ss)
if (rv != SECSuccess)
goto loser;

/* An empty nonce. */
rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
/* The ticket nonce. */
rv = ssl3_AppendHandshakeVariable(ss, ticketNonce, sizeof(ticketNonce), 1);
if (rv != SECSuccess)
goto loser;

Expand Down Expand Up @@ -4033,6 +4040,36 @@ tls13_SendNewSessionTicket(sslSocket *ss)
return SECFailure;
}

SECStatus
SSLExp_SendSessionTicket(PRFileDesc *fd, const PRUint8 *token,
unsigned int tokenLen)
{
sslSocket *ss;
SECStatus rv;

ss = ssl_FindSocket(fd);
if (!ss) {
return SECFailure;
}

if (!ss->sec.isServer || !ss->firstHsDone ||
ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}

ssl_GetSSL3HandshakeLock(ss);
ssl_GetXmitBufLock(ss);
rv = tls13_SendNewSessionTicket(ss);
if (rv == SECSuccess) {
rv = ssl3_FlushHandshake(ss, 0);
}
ssl_ReleaseXmitBufLock(ss);
ssl_ReleaseSSL3HandshakeLock(ss);

return rv;
}

static SECStatus
tls13_HandleNewSessionTicket(sslSocket *ss, PRUint8 *b, PRUint32 length)
{
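Review bot: `token` and `tokenLen` are accepted by the new SSLExp_SendSessionTicket but never read: the body calls `tls13_SendNewSessionTicket(ss)`, which takes only the socket, so the ticket that goes out does not embed the application token that the sslexp.h comment promises. A server that relies on the token (for example to carry application state into a resumed session) gets a ticket without it and no error. If the plumbing is planned for a follow-up, reject a non-empty token until then, `if (tokenLen != 0) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; }`, placed next to the existing argument checks. Once the token is passed through, check for `token == NULL` with a non-zero `tokenLen` and apply an upper bound on `tokenLen` before it reaches ticket encoding. Separately, `isServer`, `firstHsDone` and `version` are read before the handshake lock is taken; whether that is safe depends on locking rules not visible in this section.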
