crypto/tls: add support for session ticket key rotation

This change adds a new method to tls.Config, SetSessionTicketKeys, that changes the key used to encrypt session tickets while the server is running. Additional keys may be provided that will be used to maintain continuity while rotating keys. If a ticket encrypted with an old key is provided by the client, the server will resume the session and provide the client with a ticket encrypted using the new key. Fixes #9994 Change-Id: Idbc16b10ff39616109a51ed39a6fa208faad5b4e Reviewed-on: https://go-review.googlesource.com/9072 Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com> Reviewed-by: Adam Langley <agl@golang.org>
2025-04-04 12:37:35 +03:00 · 2015-04-17 21:32:11 -04:00 · 2015-04-17 21:32:11 -04:00 · 7576470d56
commit 7576470d56
parent cf04082452
10 changed files with 367 additions and 242 deletions
--- a/testdata/Server-TLSv12-IssueTicket
+++ b/testdata/Server-TLSv12-IssueTicket
@ -1,11 +1,11 @@
 >>> Flow 1 (client to server)
-00000000  16 03 01 00 60 01 00 00  5c 03 03 52 cc 57 59 7e  |....`...\..R.WY~|
-00000010  43 5c 3b fd 50 ab 61 3f  64 a4 f9 bd ba 8c 28 e1  |C\;.P.a?d.....(.|
-00000020  f9 a1 45 7e 48 9e 62 af  25 de 0e 00 00 04 00 05  |..E~H.b.%.......|
-00000030  00 ff 01 00 00 2f 00 23  00 00 00 0d 00 22 00 20  |...../.#.....". |
-00000040  06 01 06 02 06 03 05 01  05 02 05 03 04 01 04 02  |................|
-00000050  04 03 03 01 03 02 03 03  02 01 02 02 02 03 01 01  |................|
-00000060  00 0f 00 01 01                                    |.....|
+00000000  16 03 01 00 5f 01 00 00  5b 03 03 01 02 22 4f 51  |...._...[...."OQ|
+00000010  53 d9 c0 f2 4b 61 53 2d  04 cd ab 95 ed 6a 74 8c  |S...KaS-.....jt.|
+00000020  96 00 70 e3 bf d0 5a 03  7a 1e 75 00 00 04 00 05  |..p...Z.z.u.....|
+00000030  00 ff 02 01 00 00 2d 00  23 00 00 00 0d 00 20 00  |......-.#..... .|
+00000040  1e 06 01 06 02 06 03 05  01 05 02 05 03 04 01 04  |................|
+00000050  02 04 03 03 01 03 02 03  03 02 01 02 02 02 03 00  |................|
+00000060  0f 00 01 01                                       |....|
 >>> Flow 2 (server to client)
 00000000  16 03 03 00 35 02 00 00  31 03 03 00 00 00 00 00  |....5...1.......|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
@ -57,31 +57,32 @@
 000002f0  71 99 9b 26 6e 38 50 29  6c 90 a7 bd d9 16 03 03  |q..&n8P)l.......|
 00000300  00 04 0e 00 00 00                                 |......|
 >>> Flow 3 (client to server)
-00000000  16 03 03 00 86 10 00 00  82 00 80 6e 2e 79 82 3a  |...........n.y.:|
-00000010  c4 68 72 f5 a2 42 3d 71  f9 ec 22 8c 0b fa f0 82  |.hr..B=q..".....|
-00000020  82 c0 cb fc 52 0a 51 03  04 8c eb 4a 4e 4f b6 49  |....R.Q....JNO.I|
-00000030  ef 94 65 21 3c f7 9d 46  85 6e 35 d5 17 6b ff a3  |..e!<..F.n5..k..|
-00000040  5e 4d c1 36 1a 2f 68 f5  06 d4 2d 73 4f 1c 3b 7b  |^M.6./h...-sO.;{|
-00000050  c1 fa 4e 7e 7c f9 6c 13  a6 f4 3a 43 e9 aa be 22  |..N~|.l...:C..."|
-00000060  85 6f 2f 7c 5b b0 08 e2  86 b2 ae cb a9 12 d8 32  |.o/|[..........2|
-00000070  80 1d e4 2e 5d c3 66 d1  19 e5 89 33 2a 88 24 40  |....].f....3*.$@|
-00000080  2a 6d 6b b5 f1 92 4b 66  06 b8 49 14 03 03 00 01  |*mk...Kf..I.....|
-00000090  01 16 03 03 00 24 16 49  e2 a0 67 31 cf 0d 72 cb  |.....$.I..g1..r.|
-000000a0  ac 16 2c 80 37 71 69 f7  5f c4 d3 00 19 b7 4b fb  |..,.7qi._.....K.|
-000000b0  e5 e9 74 8e 30 b3 1c c5  ae e6                    |..t.0.....|
+00000000  16 03 03 00 86 10 00 00  82 00 80 80 38 a6 b0 01  |............8...|
+00000010  2a 9e cf 11 34 45 e8 6d  f5 1c 44 ef 74 74 61 32  |*...4E.m..D.tta2|
+00000020  71 5f f8 c1 a9 65 2d af  7e 7e 38 84 d3 f2 b9 3d  |q_...e-.~~8....=|
+00000030  76 12 b8 e0 41 7e 25 2a  53 b0 1a c7 8d bd d6 3d  |v...A~%*S......=|
+00000040  a5 8a dd 94 76 80 fc 3e  fd 41 ac 71 c3 ad 0e 1f  |....v..>.A.q....|
+00000050  30 a7 7a 64 e2 f3 f7 c1  1f bc 53 99 35 4e 24 34  |0.zd......S.5N$4|
+00000060  e9 25 20 d0 da 00 30 d4  16 40 5e 78 8e 72 ea 03  |.% ...0..@^x.r..|
+00000070  9e eb ca 89 4e 2f 60 d0  0c 9d 98 44 e0 7c 19 a4  |....N/`....D.|..|
+00000080  ec 0f 6b 67 35 06 08 9c  d9 2d bb 14 03 03 00 01  |..kg5....-......|
+00000090  01 16 03 03 00 24 ca d6  25 be 3b a7 b0 e1 42 3b  |.....$..%.;...B;|
+000000a0  ce ef a5 7e b6 4a d5 74  e1 ca bf 34 6c 67 3b 02  |...~.J.t...4lg;.|
+000000b0  0a f5 e8 e7 d1 a8 a6 2d  cb 02                    |.......-..|
 >>> Flow 4 (server to client)
-00000000  16 03 03 00 72 04 00 00  6e 00 00 00 00 00 68 00  |....r...n.....h.|
-00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 65  |...............e|
-00000020  ea 4b d1 ef ba 06 38 1e  e1 88 82 3a cd 03 ac 3b  |.K....8....:...;|
-00000030  39 0a e0 19 fd af 6c 57  30 df 31 6e f7 92 38 4b  |9.....lW0.1n..8K|
-00000040  5d 77 90 39 ff 32 51 f5  ed 12 d7 b0 7c 4d 6c c5  |]w.9.2Q.....|Ml.|
-00000050  76 e4 72 48 3e 59 23 fe  0d 15 df f4 ba ea b9 67  |v.rH>Y#........g|
-00000060  16 23 8f 7d 15 b6 11 f1  ab d7 d4 cd a3 21 82 92  |.#.}.........!..|
-00000070  2a 12 cf 95 f3 60 b2 14  03 03 00 01 01 16 03 03  |*....`..........|
-00000080  00 24 89 ad 87 04 4f 08  dc 2a 71 37 fb f1 95 d1  |.$....O..*q7....|
-00000090  2e 3c c2 6e 0f 38 5d e4  0e c3 f7 27 d0 46 a3 c1  |.<.n.8]....'.F..|
-000000a0  a8 3b 06 ed 96 ec 17 03  03 00 21 30 d4 9f 0b 49  |.;........!0...I|
-000000b0  9f a2 a8 a1 2c 0a 79 93  56 2d 8a ee 85 ed 62 42  |....,.y.V-....bB|
-000000c0  8c 18 fe 7a 09 3a 24 c4  5e ed 7d 2a 15 03 03 00  |...z.:$.^.}*....|
-000000d0  16 a0 24 0a 8b 90 4c fc  99 ba 67 bb 04 1e 59 69  |..$...L...g...Yi|
-000000e0  c2 98 49 b5 00 0b e0                              |..I....|
+00000000  16 03 03 00 82 04 00 00  7e 00 00 00 00 00 78 50  |........~.....xP|
+00000010  46 ad c1 db a8 38 86 7b  2b bb fd d0 c3 42 3e 00  |F....8.{+....B>.|
+00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 94  |................|
+00000030  6f 2c b5 83 61 e8 c1 5d  af d6 da c9 8f df 1e c4  |o,..a..]........|
+00000040  16 47 a0 dd cf 3c 9d 95  11 fe 01 fb 52 5b d0 aa  |.G...<......R[..|
+00000050  56 fb 04 d5 7f 89 31 7d  75 e3 df f4 28 6a fb 1f  |V.....1}u...(j..|
+00000060  76 ee 77 55 0b 33 94 82  e2 ee 73 2f 7f a7 f6 7c  |v.wU.3....s/...||
+00000070  68 25 eb fd 56 5b 89 29  b4 32 b6 92 57 3f c3 f9  |h%..V[.).2..W?..|
+00000080  01 fb 01 25 7f 0f 10 14  03 03 00 01 01 16 03 03  |...%............|
+00000090  00 24 9a 9b 1b 57 2c 86  71 0c 6d 4f 6c 40 a2 98  |.$...W,.q.mOl@..|
+000000a0  7d e3 f5 75 0e 4a b7 82  1c d8 f7 8c 22 a5 5b 34  |}..u.J......".[4|
+000000b0  19 79 12 e2 a4 e6 17 03  03 00 21 53 7a cc 02 0f  |.y........!Sz...|
+000000c0  6d b5 9d 8c ff 4a 2d 29  31 59 38 96 bb 6b a8 93  |m....J-)1Y8..k..|
+000000d0  09 af 38 c7 4d 6e 31 ef  18 d4 59 35 15 03 03 00  |..8.Mn1...Y5....|
+000000e0  16 1e 04 62 d6 6b 6c fc  0b 70 f8 32 d0 11 59 64  |...b.kl..p.2..Yd|
+000000f0  11 71 b0 ab ac 2d 6d                              |.q...-m|