From 9b16066654f768d22ee2cd5a2576fcc4cab9590b Mon Sep 17 00:00:00 2001
From: David Benjamin
Date: Wed, 25 Jan 2017 19:53:43 -0500
Subject: [PATCH] Ignore 0-RTT-capable tickets unless enabled.

Until we've gotten it fully working, we should not mint any of these SSL_SESSIONs, to avoid constraining future versions of our client code. Notably, if any of our TLS 1.3 clients today serialized sessions, we would need to rev the serialization format. Without opting into 0-RTT, a TLS 1.3 client will create SSL_SESSIONs tagged as 0-RTT-capable but missing important fields (ALPN, etc.). When that serialized session makes its way to a future version of our client code, it would disagree with the server about the ALPN value stored in the ticket and cause interop failures. I believe the only client code enabling TLS 1.3 right now is Chrome, and the window is small, so it should be fine. But fix this now before it becomes a problem.

Change-Id: Ie2b109f8d158017a6f3b4cb6169050d38a66b31c
Reviewed-on: https://boringssl-review.googlesource.com/13342
CQ-Verified: CQ bot account: commit-bot@chromium.org
Reviewed-by: Steven Valdez
Reviewed-by: David Benjamin
Commit-Queue: David Benjamin
---
 ssl/test/runner/runner.go | 13 +++++++++++++
 ssl/tls13_client.c | 2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 54bfca58..7aa3c840 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -8443,10 +8443,23 @@ func addSessionTicketTests() {
 },
 },
 flags: []string{
+ "-enable-early-data",
 "-expect-early-data-info",
 },
 })
 
+ // Test that 0-RTT tickets are ignored in clients unless opted in.
+ testCases = append(testCases, testCase{
+ testType: clientTest,
+ name: "TLS13-SendTicketEarlyDataInfo-Disabled",
+ config: Config{
+ MaxVersion: VersionTLS13,
+ Bugs: ProtocolBugs{
+ SendTicketEarlyDataInfo: 16384,
+ },
+ },
+ })
+
 testCases = append(testCases, testCase{
 testType: clientTest,
 name: "TLS13-DuplicateTicketEarlyDataInfo",
diff --git a/ssl/tls13_client.c b/ssl/tls13_client.c
index 774b8066..ad279f58 100644
--- a/ssl/tls13_client.c
+++ b/ssl/tls13_client.c
@@ -651,7 +651,7 @@ int tls13_process_new_session_ticket(SSL *ssl) {
 goto err;
 }
 
- if (have_early_data_info) {
+ if (have_early_data_info && ssl->ctx->enable_early_data) {
 if (!CBS_get_u32(&early_data_info, &session->ticket_max_early_data) ||
 CBS_len(&early_data_info) != 0) {
 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
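Review bot: The new `TLS13-SendTicketEarlyDataInfo-Disabled` case passes no `flags`, so nothing visible in this hunk asserts that the client actually dropped the ticket's early data info. The test only has teeth if the shim fails by default when a new session unexpectedly carries that info, and that default is not shown here. If it exists, state it in the comment, for example `// Without -expect-early-data-info the shim requires the new session to carry no early data info.`; if it does not, the case passes whether or not the ticket is honoured. The first change in this hunk (adding `-enable-early-data`) sits in a test case that starts above the hunk.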
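Review bot: With the new condition, a NewSessionTicket whose early data info extension is malformed (short body or trailing bytes) is accepted silently whenever `ssl->ctx->enable_early_data` is off, because the `CBS_get_u32`/`CBS_len` check that sends `SSL_AD_DECODE_ERROR` is skipped together with the store. If skipping validation is not intended, keep `if (have_early_data_info) {`, parse into a local with `CBS_get_u32(&early_data_info, &max_early_data)`, and store only under the opt-in: `if (ssl->ctx->enable_early_data) session->ticket_max_early_data = max_early_data;`. A short comment on the condition saying why the field stays unset (sessions must not be tagged 0-RTT-capable until the client opts in) would also help the next reader. The body of `tls13_process_new_session_ticket` starts and continues outside the hunk.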