tris: add SessionTicketSealer

13.go

@@ -191,7 +191,7 @@ func (hs *serverHandshakeState) readClientFinished13() error {
 	// happens, even if the Read call might do more work.
 	c.confirmMutex.Unlock()
 
-	return hs.sendSessionTicket13()
+	return hs.sendSessionTicket13() // TODO: do in a goroutine
 }
 
 func (hs *serverHandshakeState) sendCertificate13() error {
@@ -460,12 +460,20 @@ func (hs *serverHandshakeState) checkPSK() (earlySecret []byte, alert alert) {
 	hashSize := hash.Size()
 	for i := range hs.clientHello.psks {
 		sessionTicket := append([]uint8{}, hs.clientHello.psks[i].identity...)
-		serializedTicket, _ := hs.c.decryptTicket(sessionTicket)
-		if serializedTicket == nil {
-			continue
+		if hs.c.config.SessionTicketSealer != nil {
+			var ok bool
+			sessionTicket, ok = hs.c.config.SessionTicketSealer.Unseal(hs.clientHelloInfo(), sessionTicket)
+			if !ok {
+				continue
+			}
+		} else {
+			sessionTicket, _ = hs.c.decryptTicket(sessionTicket)
+			if sessionTicket == nil {
+				continue
+			}
 		}
 		s := &sessionState13{}
-		if s.unmarshal(serializedTicket) != alertSuccess {
+		if s.unmarshal(sessionTicket) != alertSuccess {
 			continue
 		}
 		if s.vers != hs.c.vers {
@@ -565,11 +573,21 @@ func (hs *serverHandshakeState) sendSessionTicket13() error {
 	}
 
 	for i := 0; i < numSessionTickets; i++ {
-		ticket, err := c.encryptTicket(sessionState.marshal())
+		ticket := sessionState.marshal()
+		var err error
+		if c.config.SessionTicketSealer != nil {
+			cs := c.ConnectionState()
+			ticket, err = c.config.SessionTicketSealer.Seal(&cs, ticket)
+		} else {
+			ticket, err = c.encryptTicket(ticket)
+		}
 		if err != nil {
 			c.sendAlert(alertInternalError)
 			return err
 		}
+		if ticket == nil {
+			continue
+		}
 		ticketMsg := &newSessionTicketMsg13{
 			lifetime:           24 * 3600, // TODO(filippo)
 			maxEarlyDataLength: c.config.Max0RTTDataSize,

common.go

@@ -592,6 +592,10 @@ type Config struct {
 	// See https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-2.3.
 	Accept0RTTData bool
 
+	// SessionTicketSealer, if not nil, is used to wrap and unwrap
+	// session tickets, instead of SessionTicketKey.
+	SessionTicketSealer SessionTicketSealer
+
 	serverInitOnce sync.Once // guards calling (*Config).serverInit
 
 	// mutex protects sessionTicketKeys.
@@ -668,6 +672,7 @@ func (c *Config) Clone() *Config {
 		KeyLogWriter:                c.KeyLogWriter,
 		Accept0RTTData:              c.Accept0RTTData,
 		Max0RTTDataSize:             c.Max0RTTDataSize,
+		SessionTicketSealer:         c.SessionTicketSealer,
 		sessionTicketKeys:           sessionTicketKeys,
 	}
 }
@@ -676,7 +681,7 @@ func (c *Config) Clone() *Config {
 // returned by a GetConfigForClient callback then the argument should be the
 // Config that was passed to Server, otherwise it should be nil.
 func (c *Config) serverInit(originalConfig *Config) {
-	if c.SessionTicketsDisabled || len(c.ticketKeys()) != 0 {
+	if c.SessionTicketsDisabled || len(c.ticketKeys()) != 0 || c.SessionTicketSealer != nil {
 		return
 	}
 

ticket.go

@@ -15,6 +15,23 @@ import (
 	"io"
 )
 
+// A SessionTicketSealer provides a way to securely encapsulate
+// session state for storage on the client. All methods are safe for
+// concurrent use.
+type SessionTicketSealer interface {
+	// Seal returns a session ticket value that can be later passed to Unseal
+	// to recover the content, usually by encrypting it. The ticket will be sent
+	// to the client to be stored, and will be sent back in plaintext, so it can
+	// be read and modified by an attacker.
+	Seal(cs *ConnectionState, content []byte) (ticket []byte, err error)
+
+	// Unseal returns a session ticket contents. The ticket can't be safely
+	// assumed to have been generated by Seal.
+	// If unable to unseal the ticket, the connection will proceed with a
+	// complete handshake.
+	Unseal(chi *ClientHelloInfo, ticket []byte) (content []byte, success bool)
+}
+
 // sessionState contains the information that is serialized into a session
 // ticket in order to later resume a connection.
 type sessionState struct {

tls_test.go

@@ -656,6 +656,8 @@ func TestCloneNonFuncFields(t *testing.T) {
 			f.Set(reflect.ValueOf(RenegotiateOnceAsClient))
 		case "Max0RTTDataSize":
 			f.Set(reflect.ValueOf(uint32(0)))
+		case "SessionTicketSealer":
+			// TODO
 		default:
 			t.Errorf("all fields must be accounted for, but saw unknown field %q", fn)
 		}