authorAnder Juaristi <a@juaristi.eus>2018-04-16 17:13:47 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2018-05-26 04:12:04 +0000
commit4b5678716f506d46da8dabdd343b268a5b9dd9b4 (patch)
treef7fcb5c04a3848437254676aeda456d23f79ad87 /lib/gnutls_int.h
parentaed3ac3a2dd976bbdef4705d7caa3db2b9239c79 (diff)
TLS 1.3: Introduced TLS 1.3 session resumption
This introduces session resumption under TLS 1.3. For that, it enables the psk_ke_modes extension when we enable session tickets. It enables sending session tickets in addition to PSK usernames. The detection of resumption vs pure PSK is done by comparing the indexes sent with the index received by the server. TLS 1.3 session tickets are always sent to the peer unless GNUTLS_NO_TICKETS is specified.

Resolves #290

Signed-off-by: Ander Juaristi <a@juaristi.eus>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Diffstat (limited to 'lib/gnutls_int.h')
-rw-r--r--lib/gnutls_int.h63
1 files changed, 49 insertions, 14 deletions
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 29e766185d..cc2003ae5f 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -160,7 +160,7 @@ typedef struct {
#define _GNUTLS_EXT_TLS_POST_CS 177
/* expire time for resuming sessions */
-#define DEFAULT_EXPIRE_TIME 3600
+#define DEFAULT_EXPIRE_TIME 21600
#define DEFAULT_HANDSHAKE_TIMEOUT_MS 40*1000
/* The EC group to be used when the extension
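Review bot: The new `DEFAULT_EXPIRE_TIME 21600` has no unit or rationale next to it, although it is a six-fold increase of the window in which a stored session or ticket stays resumable. The unit is presumably seconds, and the macro name suggests it is not specific to TLS 1.3, so the longer lifetime would also extend how long a compromised ticket key or cache entry remains useful for earlier protocol versions; that cannot be confirmed from this header alone. I would record the intent in the comment, for example `/* default lifetime, in seconds, of resumable sessions and tickets (6 hours) */`.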
@@ -269,7 +269,7 @@ typedef enum handshake_state_t { STATE0 = 0, STATE1, STATE2,
STATE90=90, STATE91, STATE92, STATE93, STATE99=99,
STATE100=100, STATE101, STATE102, STATE103, STATE104,
STATE105, STATE106, STATE107, STATE108, STATE109, STATE110,
- STATE111,
+ STATE111, STATE112,
STATE150 /* key update */
} handshake_state_t;
@@ -469,6 +469,17 @@ typedef struct auth_cred_st {
#define TICKET_CIPHER_KEY_SIZE 32
#define TICKET_MAC_SECRET_SIZE 16
+struct binder_data_st {
+ const struct mac_entry_st *prf; /* non-null if this struct is set */
+ gnutls_datum_t psk;
+
+ /* 0-based index of the selected PSK.
+ * This only applies if the HSK_PSK_SELECTED flag is set in internals.hsk_flags,
+ * which signals a PSK has indeed been selected. */
+ uint8_t idx;
+ uint8_t resumption; /* whether it is a resumption binder */
+};
+
struct gnutls_key_st {
struct { /* These are kept outside the TLS1.3 union as they are
* negotiated via extension, even before protocol is negotiated */
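Review bot: `uint8_t idx` in `binder_data_st` narrows the selected-PSK index from the `unsigned psk_index` that this commit removes from `gnutls_key_st`, while the `selected_identity` field of the TLS 1.3 pre_shared_key extension is 16 bits wide. If the code that stores or compares the index (outside this file) assigns the wire value directly, anything above 255 would be truncated and could compare equal to the wrong binder. Either keep the width with `uint16_t idx;`, or state in the comment that the index is bounded and validated before assignment. `resumption` is used as a flag, so `bool resumption;` would match `bool resumable` elsewhere in this header.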
@@ -484,14 +495,6 @@ struct gnutls_key_st {
*/
union {
struct {
- /*
- * 0-based index of the selected PSK.
- * This only applies if the HSK_PSK_SELECTED flag is set in internals.hsk_flags,
- * which signals a PSK has indeed been selected.
- */
- unsigned psk_index;
- const struct mac_entry_st *binder_prf;
-
/* the current (depending on state) secret, can be
* early_secret, client_early_traffic_secret, ... */
uint8_t temp_secret[MAX_HASH_SIZE];
@@ -499,6 +502,7 @@ struct gnutls_key_st {
uint8_t hs_ckey[MAX_HASH_SIZE]; /* client_handshake_traffic_secret */
uint8_t hs_skey[MAX_HASH_SIZE]; /* server_handshake_traffic_secret */
uint8_t ap_expkey[MAX_HASH_SIZE]; /* exporter_master_secret */
+ uint8_t ap_rms[MAX_HASH_SIZE]; /* resumption_master_secret */
} tls13; /* tls1.3 */
/* Folow the SSL3.0 and TLS1.2 key exchanges */
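Review bot: `ap_rms` adds a long-lived secret to `proto.tls13`, and the same resumption_master_secret is stored again in `tls13_ticket_t.resumption_master_secret` in a later hunk; neither field says when it is wiped. Unlike the handshake traffic secrets, this value stays useful to an attacker for the whole ticket lifetime, so both copies should be cleared explicitly when the key state and the ticket are released. The cleanup code is not part of this view and may already do that. Once confirmed, a comment such as `/* resumption_master_secret; wiped on key deinit */` would record the expectation. The enclosing union starts and ends outside this hunk.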
@@ -533,9 +537,14 @@ struct gnutls_key_st {
} tls12; /* from ssl3.0 to tls12 */
} proto;
- /* Pre-shared key in use (if any); temporary storage */
- gnutls_datum_t psk;
- unsigned psk_needs_free;
+ /* binders / pre-shared keys in use; temporary storage.
+ * On client side it will hold data for the resumption and external
+ * PSKs After server hello is received the selected binder is set on 0 position
+ * and HSK_PSK_SELECTED is set.
+ *
+ * On server side the first value is populated with
+ * the selected PSK data if HSK_PSK_SELECTED flag is set. */
+ struct binder_data_st binders[2];
/* TLS pre-master key; applies to 1.2 and 1.3 */
gnutls_datum_t key;
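Review bot: With `psk_needs_free` removed, nothing on `binders[2]` says who owns `binders[i].psk.data`, so a reader cannot tell whether the cleanup path must free it or must leave a caller-supplied key alone. Getting that wrong leads to either a leak of key material or a free of memory the library does not own; which case applies depends on code outside this header. I would add one sentence to the comment stating the ownership rule and that library-owned copies are wiped before being freed. The comment also lacks a full stop between "PSKs" and "After", and the literal `2` would read better as a named constant. `struct gnutls_key_st` continues outside the hunk.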
@@ -749,6 +758,9 @@ typedef struct {
/* encrypt-then-mac -> rfc7366 */
uint8_t etm;
+ uint8_t client_auth_type; /* gnutls_credentials_type_t */
+ uint8_t server_auth_type;
+
/* Note: if you add anything in Security_Parameters struct, then
* also modify CPY_COMMON in constate.c, and session_pack.c,
* in order to save it in the session storage.
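Review bot: `client_auth_type` and `server_auth_type` are added directly above the reminder that new `security_parameters` fields must also be handled in `CPY_COMMON` in constate.c and in session_pack.c, and this view is limited to gnutls_int.h, so whether that was done is not visible. If the fields are not packed, a resumed session would restore them unset and any later decision keyed on the authentication type would see a different value than the original handshake. Only the first field names its type; I would write `uint8_t server_auth_type; /* gnutls_credentials_type_t */` as well and note why a `uint8_t` is sufficient for the enum.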
@@ -938,6 +950,19 @@ typedef struct gnutls_dh_params_int {
*/
} dh_params_st;
+/* TLS 1.3 session ticket
+ */
+typedef struct tls13_ticket {
+ time_t timestamp;
+ uint32_t lifetime;
+ uint32_t age_add;
+ uint8_t nonce[255];
+ size_t nonce_size;
+ const mac_entry_st *prf;
+ uint8_t resumption_master_secret[MAX_HASH_SIZE];
+ gnutls_datum_t ticket;
+} tls13_ticket_t;
+
/* DTLS session state
*/
typedef struct {
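Review bot: `nonce_size` is a `size_t` next to a fixed `uint8_t nonce[255]`, and nothing in `tls13_ticket_t` states that it must never exceed the array. The ticket_nonce field is at most 255 bytes on the wire, so the array is large enough, but the invariant should be written down for every place that copies into or out of `nonce`; the parsing code is outside this file. I would add `/* nonce_size <= sizeof(nonce) */` and replace the literal 255 with a named constant. The remaining fields would also benefit from units: `lifetime` is presumably seconds, and `timestamp` as `time_t` has one-second granularity, which is coarser than the millisecond ticket age used by TLS 1.3.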
@@ -997,7 +1022,7 @@ typedef struct {
gnutls_buffer_st handshake_hash_buffer; /* used to keep the last received handshake
* message */
bool resumable; /* TRUE or FALSE - if we can resume that session */
- bool ticket_sent; /* whether a session ticket was sent */
+
bye_state_t bye_state; /* used by gnutls_bye() */
reauth_state_t reauth_state; /* used by gnutls_reauth() */
@@ -1240,6 +1265,13 @@ typedef struct {
#define HSK_PSK_SELECTED (1<<15)
#define HSK_KEY_SHARE_SENT (1<<16) /* server: key share was sent to client */
#define HSK_KEY_SHARE_RECEIVED (1<<17) /* client: key share was received */
+#define HSK_TLS13_TICKET_SENT (1<<18) /* client: sent a ticket under TLS1.3;
+ * server: a ticket was sent to client.
+ */
+#define HSK_TLS12_TICKET_SENT (1<<19) /* client: sent a ticket under TLS1.2;
+ * server: a ticket was sent to client.
+ */
+#define HSK_TICKET_RECEIVED (1<<20) /* client: a session ticket was received */
/* The hsk_flags are for use within the ongoing handshake;
* they are reset to zero prior to handshake start by gnutls_handshake. */
@@ -1335,8 +1367,11 @@ typedef struct {
/* the ciphersuite received in HRR */
uint8_t hrr_cs[2];
+ /* this is only used under TLS1.2 or earlier */
int session_ticket_renew;
+ tls13_ticket_t tls13_ticket;
+
/* If you add anything here, check _gnutls_handshake_internal_state_clear().
*/
} internals_st;
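Review bot: `tls13_ticket` is embedded in `internals_st` without a comment, directly above the reminder to check `_gnutls_handshake_internal_state_clear()`. The struct carries a heap-backed `gnutls_datum_t ticket`, so it matters whether that function releases it at each handshake or whether the ticket is meant to outlive the handshake and be released only when the session is freed; neither is visible in this header. I would document the intended lifetime on the field, for example `/* TLS1.3 ticket state; ticket.data is heap-allocated and released on session deinit */` if that is the intent. `internals_st` begins outside this hunk.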