From e9c7b1c8ae85e5625e9d24d9e20ccedeaaeb0d0a Mon Sep 17 00:00:00 2001
From: David Benjamin
Date: Thu, 28 Sep 2017 14:12:52 -0400
Subject: [PATCH] Add SSL_SESSION_is_single_use.

Querying versions is a bit of a mess between DTLS and TLS and variants and friends. Add SSL_SESSION_is_single_use which informs the caller whether the session should be single-use.

Bug: chromium:631988
Change-Id: I745d8a5dd5dc52008fe99930d81fed7651b92e4e
Reviewed-on: https://boringssl-review.googlesource.com/20844
Commit-Queue: David Benjamin
Commit-Queue: Steven Valdez
Reviewed-by: Steven Valdez
CQ-Verified: CQ bot account: commit-bot@chromium.org
---
 include/openssl/ssl.h | 15 +++++++++++++++
 ssl/ssl_session.cc | 4 ++++
 2 files changed, 19 insertions(+)

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 008a90fa..b0e706db 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1709,6 +1709,15 @@ OPENSSL_EXPORT int SSL_SESSION_set1_id_context(SSL_SESSION *session,
 const uint8_t *sid_ctx,
 size_t sid_ctx_len);
+// SSL_SESSION_should_be_single_use returns one if |session| should be
+// single-use (TLS 1.3 and later) and zero otherwise.
+//
+// If this function returns one, clients retain multiple sessions and use each
+// only once. This prevents passive observers from correlating connections with
+// tickets. See draft-ietf-tls-tls13-18, appendix B.5. If it returns zero,
+// |session| cannot be used without leaking a correlator.
+OPENSSL_EXPORT int SSL_SESSION_should_be_single_use(const SSL_SESSION *session);
 // Session caching.
 //
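Review bot: The new comment on `SSL_SESSION_should_be_single_use` describes what clients do ("clients retain multiple sessions and use each only once") rather than what the caller must do, and nothing in this declaration suggests the library enforces it. A ticket is visible to a passive observer as soon as it is offered in a ClientHello, whether or not resumption succeeds, so I would state the obligation directly: `// If this function returns one, callers should retain multiple sessions and remove each from their cache as soon as it is offered.` The reference to appendix B.5 is tied to draft-18; citing the section title as well as the number would survive renumbering in later drafts. The commit subject and description also say `SSL_SESSION_is_single_use` while the declared symbol is `SSL_SESSION_should_be_single_use`, which makes the change harder to find by name.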
@@ -1745,6 +1754,12 @@ OPENSSL_EXPORT int SSL_SESSION_set1_id_context(SSL_SESSION *session,
 // e.g., different cipher suite settings or client certificates should also use
 // separate session caches between those contexts. Servers should also partition
 // session caches between SNI hosts with |SSL_CTX_set_session_id_context|.
+//
+// Note also, in TLS 1.2 and earlier, offering sessions allows passive observers
+// to correlate different client connections. TLS 1.3 and later fix this,
+// provided clients use sessions at most once. Session caches are managed by the
+// caller in BoringSSL, so this must be implemented externally. See
+// |SSL_SESSION_should_be_single_use| for details.
 // SSL_SESS_CACHE_OFF disables all session caching.
 #define SSL_SESS_CACHE_OFF 0x0000
diff --git a/ssl/ssl_session.cc b/ssl/ssl_session.cc
index 4c6d93ff..5da24c43 100644
--- a/ssl/ssl_session.cc
+++ b/ssl/ssl_session.cc
@@ -960,6 +960,10 @@ int SSL_SESSION_set1_id_context(SSL_SESSION *session, const uint8_t *sid_ctx,
 return 1;
 }
+int SSL_SESSION_should_be_single_use(const SSL_SESSION *session) {
+ return SSL_SESSION_protocol_version(session) >= TLS1_3_VERSION;
+}
+
 SSL_SESSION *SSL_magic_pending_session_ptr(void) {
 return (SSL_SESSION *)&g_pending_session_magic;
 }
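Review bot: The `>= TLS1_3_VERSION` comparison in `SSL_SESSION_should_be_single_use` is only correct if `SSL_SESSION_protocol_version` returns a normalized protocol version rather than the wire value; its definition is outside this hunk, so that is worth confirming and stating. DTLS wire versions (0xfeff, 0xfefd) are numerically larger than TLS1_3_VERSION (0x0304), so a wire value here would report DTLS sessions as single-use. Once confirmed, I would add `// SSL_SESSION_protocol_version returns the normalized protocol version, so DTLS sessions compare correctly.` above the return. The diffstat lists only ssl.h and ssl_session.cc, so no test pins the result for TLS 1.2, TLS 1.3 and DTLS sessions; callers rely on this value to decide whether a ticket may be reused, so a small test would be worth adding.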