enum ssl_session_result_t ssl_get_prev_session( SSL *ssl, SSL_SESSION **out_session, int *out_tickets_supported, int *out_renew_ticket, const SSL_CLIENT_HELLO *client_hello) { /* This is used only by servers. */ assert(ssl->server); SSL_SESSION *session = NULL; int renew_ticket = 0; /* If tickets are disabled, always behave as if no tickets are present. */ const uint8_t *ticket = NULL; size_t ticket_len = 0; const int tickets_supported = !(SSL_get_options(ssl) & SSL_OP_NO_TICKET) && ssl->version > SSL3_VERSION && SSL_early_callback_ctx_extension_get( client_hello, TLSEXT_TYPE_session_ticket, &ticket, &ticket_len); if (tickets_supported && ticket_len > 0) { switch (ssl_process_ticket(ssl, &session, &renew_ticket, ticket, ticket_len, client_hello->session_id, client_hello->session_id_len)) { case ssl_ticket_aead_success: break; case ssl_ticket_aead_ignore_ticket: assert(session == NULL); break; case ssl_ticket_aead_error: return ssl_session_error; case ssl_ticket_aead_retry: return ssl_session_ticket_retry; } } else { /* The client didn't send a ticket, so the session ID is a real ID. */ enum ssl_session_result_t lookup_ret = ssl_lookup_session( ssl, &session, client_hello->session_id, client_hello->session_id_len); if (lookup_ret != ssl_session_success) { return lookup_ret; } } *out_session = session; *out_tickets_supported = tickets_supported; *out_renew_ticket = renew_ticket; return ssl_session_success; }
static enum ssl_ticket_aead_result_t select_session( SSL_HANDSHAKE *hs, uint8_t *out_alert, SSL_SESSION **out_session, int32_t *out_ticket_age_skew, const SSL_CLIENT_HELLO *client_hello) { SSL *const ssl = hs->ssl; *out_session = NULL; /* Decode the ticket if we agreed on a PSK key exchange mode. */ CBS pre_shared_key; if (!hs->accept_psk_mode || !ssl_client_hello_get_extension(client_hello, &pre_shared_key, TLSEXT_TYPE_pre_shared_key)) { return ssl_ticket_aead_ignore_ticket; } /* Verify that the pre_shared_key extension is the last extension in * ClientHello. */ if (CBS_data(&pre_shared_key) + CBS_len(&pre_shared_key) != client_hello->extensions + client_hello->extensions_len) { OPENSSL_PUT_ERROR(SSL, SSL_R_PRE_SHARED_KEY_MUST_BE_LAST); *out_alert = SSL_AD_ILLEGAL_PARAMETER; return ssl_ticket_aead_error; } CBS ticket, binders; uint32_t client_ticket_age; if (!ssl_ext_pre_shared_key_parse_clienthello(hs, &ticket, &binders, &client_ticket_age, out_alert, &pre_shared_key)) { return ssl_ticket_aead_error; } /* TLS 1.3 session tickets are renewed separately as part of the * NewSessionTicket. */ int unused_renew; SSL_SESSION *session = NULL; enum ssl_ticket_aead_result_t ret = ssl_process_ticket(ssl, &session, &unused_renew, CBS_data(&ticket), CBS_len(&ticket), NULL, 0); switch (ret) { case ssl_ticket_aead_success: break; case ssl_ticket_aead_error: *out_alert = SSL_AD_INTERNAL_ERROR; return ret; default: return ret; } if (!ssl_session_is_resumable(hs, session) || /* Historically, some TLS 1.3 tickets were missing ticket_age_add. */ !session->ticket_age_add_valid) { SSL_SESSION_free(session); return ssl_ticket_aead_ignore_ticket; } /* Recover the client ticket age and convert to seconds. */ client_ticket_age -= session->ticket_age_add; client_ticket_age /= 1000; struct OPENSSL_timeval now; ssl_get_current_time(ssl, &now); /* Compute the server ticket age in seconds. */ assert(now.tv_sec >= session->time); uint64_t server_ticket_age = now.tv_sec - session->time; /* To avoid overflowing |hs->ticket_age_skew|, we will not resume * 68-year-old sessions. */ if (server_ticket_age > INT32_MAX) { SSL_SESSION_free(session); return ssl_ticket_aead_ignore_ticket; } /* TODO(davidben,svaldez): Measure this value to decide on tolerance. For * now, accept all values. https://crbug.com/boringssl/113. */ *out_ticket_age_skew = (int32_t)client_ticket_age - (int32_t)server_ticket_age; /* Check the PSK binder. */ if (!tls13_verify_psk_binder(hs, session, &binders)) { SSL_SESSION_free(session); *out_alert = SSL_AD_DECRYPT_ERROR; return ssl_ticket_aead_error; } *out_session = session; return ssl_ticket_aead_success; }