crypto/tls: rotate session keys in older TLS versions

Also encode the certificates in a way that's more consistent with TLS 1.3 (with a 24 byte length prefix). Note that this will have an additional performance cost requiring clients to do a full handshake every 7 days where previously they were able to use the same ticket indefinitely. Updates #25256 Change-Id: Ic4d1ba0d92773c490b33b5f6c1320d557cc7347d Reviewed-on: https://go-review.googlesource.com/c/go/+/231317 Run-TryBot: Katie Hockman <katie@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org>
2025-04-03 20:17:36 +03:00 · 2020-04-30 20:11:55 -04:00 · 2020-04-30 20:11:55 -04:00 · 451074ba19
commit 451074ba19
parent 5c59a6c577
11 changed files with 408 additions and 393 deletions
--- a/ticket.go
+++ b/ticket.go
@ -22,9 +22,10 @@ import (
 type sessionState struct {
 	vers         uint16
 	cipherSuite  uint16
+	createdAt    uint64
 	masterSecret []byte // opaque master_secret<1..2^16-1>;
-	// uint16 num_certificates;
-	certificates [][]byte // opaque certificate<1..2^32-1>;
+	// struct { opaque certificate<1..2^24-1> } Certificate;
+	certificates [][]byte // Certificate certificate_list<0..2^24-1>;

 	// usedOldKey is true if the ticket from which this session came from
 	// was encrypted with an older key and thus should be refreshed.
@ -35,36 +36,38 @@ func (m *sessionState) marshal() []byte {
 	var b cryptobyte.Builder
 	b.AddUint16(m.vers)
 	b.AddUint16(m.cipherSuite)
+	addUint64(&b, m.createdAt)
 	b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
 		b.AddBytes(m.masterSecret)
 	})
-	b.AddUint16(uint16(len(m.certificates)))
-	for _, cert := range m.certificates {
-		b.AddUint32LengthPrefixed(func(b *cryptobyte.Builder) {
-			b.AddBytes(cert)
-		})
-	}
+	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
+		for _, cert := range m.certificates {
+			b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
+				b.AddBytes(cert)
+			})
+		}
+	})
 	return b.BytesOrPanic()
 }

 func (m *sessionState) unmarshal(data []byte) bool {
 	*m = sessionState{usedOldKey: m.usedOldKey}
 	s := cryptobyte.String(data)
-	var numCerts uint16
 	if ok := s.ReadUint16(&m.vers) &&
 		m.vers != VersionTLS13 &&
 		s.ReadUint16(&m.cipherSuite) &&
+		readUint64(&s, &m.createdAt) &&
 		readUint16LengthPrefixed(&s, &m.masterSecret) &&
-		len(m.masterSecret) != 0 &&
-		s.ReadUint16(&numCerts); !ok {
+		len(m.masterSecret) != 0; !ok {
 		return false
 	}
-
-	for i := 0; i < int(numCerts); i++ {
-		var certLen uint32
-		s.ReadUint32(&certLen)
+	var certList cryptobyte.String
+	if !s.ReadUint24LengthPrefixed(&certList) {
+		return false
+	}
+	for !certList.Empty() {
 		var cert []byte
-		if certLen == 0 || !s.ReadBytes(&cert, int(certLen)) {
+		if !readUint24LengthPrefixed(&certList, &cert) {
 			return false
 		}
 		m.certificates = append(m.certificates, cert)