Skip to content

Reject NewSessionTicket messages with empty tickets in TLS 1.3 #2367

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 8, 2025
Merged

Reject NewSessionTicket messages with empty tickets in TLS 1.3 #2367

merged 1 commit into from
May 8, 2025

Conversation

justsmth
Copy link
Contributor

In TLS 1.2, the ticket field could be empty to indicate the server changed its mind on sending a ticket, having previously committed to sending a NewSessionTicket message a round-trip ago.

In TLS 1.3, the server does not commit to sending NewSessionTicket. It can always just not send it. So the ticket field is required to be non-empty.

It's important we enforce this on the client because otherwise we produce a mixed up SSL_SESSION object that looks like an ID session (thanks to the placeholder ID field that was added for a still unfixed Envoy bug, see b/200292207). That, in turn, confuses some code in assembling the next ClientHello.

The subsequent CL will tighten that up.

Update-Note: BoringSSL TLS 1.3 clients will now correctly reject zero-length tickets, rather than letting servers get us into a slightly funny state.

Change-Id: I1651e7887f9611ebc44ac54af89c85bf86a9feff
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/73007
Commit-Queue: David Benjamin [email protected]
Auto-Submit: David Benjamin [email protected]
Reviewed-by: Adam Langley [email protected]

Issues:

Resolves #ISSUE-NUMBER1
Addresses #ISSUE-NUMBER2

Description of changes:

Describe AWS-LC’s current behavior and how your code changes that behavior. If there are no issues this pr is resolving, explain why this change is necessary.

Call-outs:

Point out areas that need special attention or support during the review process. Discuss architecture or design changes.

Testing:

How is this change tested (unit tests, fuzz tests, etc.)? Are there any testing steps to be verified by the reviewer?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@davidben @justsmth
Reject NewSessionTicket messages with empty tickets in TLS 1.3
17a0e2d 
In TLS 1.2, the ticket field could be empty to indicate the server
changed its mind on sending a ticket, having previously committed to
sending a NewSessionTicket message a round-trip ago.

In TLS 1.3, the server does not commit to sending NewSessionTicket. It
can always just not send it. So the ticket field is required to be
non-empty.

It's important we enforce this on the client because otherwise we
produce a mixed up SSL_SESSION object that looks like an ID session
(thanks to the placeholder ID field that was added for a still unfixed
Envoy bug, see b/200292207). That, in turn, confuses some code in
assembling the next ClientHello.

The subsequent CL will tighten that up.

Update-Note: BoringSSL TLS 1.3 clients will now correctly reject
zero-length tickets, rather than letting servers get us into a slightly
funny state.

Change-Id: I1651e7887f9611ebc44ac54af89c85bf86a9feff
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/73007
Commit-Queue: David Benjamin <[email protected]>
Auto-Submit: David Benjamin <[email protected]>
Reviewed-by: Adam Langley <[email protected]>
@codecov-commenter
Copy link

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 78.77%. Comparing base (e6afed9) to head (17a0e2d).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2367      +/-   ##
==========================================
- Coverage   78.77%   78.77%   -0.01%     
==========================================
  Files         620      620              
  Lines      107958   107959       +1     
  Branches    15329    15329              
==========================================
- Hits        85045    85042       -3     
- Misses      22257    22260       +3     
- Partials      656      657       +1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@justsmth justsmth changed the title [DRAFT] Reject NewSessionTicket messages with empty tickets in TLS 1.3 Reject NewSessionTicket messages with empty tickets in TLS 1.3 Apr 28, 2025
@justsmth justsmth marked this pull request as ready for review April 28, 2025 17:20
@justsmth justsmth requested a review from a team as a code owner April 28, 2025 17:20
@justsmth justsmth merged commit e97d873 into aws:main May 8, 2025
111 of 114 checks passed
@justsmth justsmth deleted the Reject-empty-NewSessionTicket branch May 8, 2025 20:23
@skmcgrail skmcgrail mentioned this pull request May 22, 2025
Merged
skmcgrail added a commit that referenced this pull request May 23, 2025
@skmcgrail
Prepare v1.52.0 release (#2434)
40ac425 
## What's Changed
* Fix prefix build when path has spaces by @justsmth in
#2400
* Prepare v1.51.2 by @justsmth in
#2401
* Set OPENSSL_NO_EXTERNAL_PSK_TLS13 to indicate lack of TLS 1.3 PSK by
@WillChilds-Klein in #2399
* BIO datagram functions by @justsmth in
#2321
* Reject NewSessionTicket messages with empty tickets in TLS 1.3 by
@justsmth in #2367
* Ensure that AVX512 is not used on macOS by @justsmth in
#2363
* Fix socket test issues by @torben-hansen in
#2404
* Remove python CI patch for main by @WillChilds-Klein in
#2407
* Remove xmlsec patch by @smittals2 in
#2405
* Fix clang tidy ci by @justsmth in
#2375
* Mark fallible container operations as `nodiscard` by @justsmth in
#2366
* Remove extra va_end in err_add_error_vdata by @justsmth in
#2364
* Check for QUIC in SSL_process_quic_post_handshake by @justsmth in
#2365
* Add missing symbols for Unbound by @nhatnghiho in
#2352
* Update mlkem-native by @hanno-becker in
#2406
* CI for iOS by @justsmth in #2389
* Squelch clang-tidy by @justsmth in
#2414
* Clang-tidy is still noisy by @justsmth in
#2417
* Add back two rules for clang-tidy by @smittals2 in
#2418
* Implement BIO_dump by @kingstjo in
#2331
* Make ASN1_get_object a direct call by @samuel40791765 in
#2332
* Add Python 3.9 CI patch by @WillChilds-Klein in
#2415
* Rework memory BIOs and implement BIO_seek by @nhatnghiho in
#2380
* ML-DSA: ASN.1 Module - add parsing of BOTH private key format by
@jakemas in #2416
* Detection of unused results by @justsmth in
#2411
* Fix gtest_util.sh failure detection by @justsmth in
#2423
* Remove unused docs/configs by @torben-hansen in
#2427
* ML-DSA: Add ML-DSA keyGen to break-kat.go by @jakemas in
#2422
* Fix CI for mingw by @justsmth in
#2428
* Bump AWSLC_API_VERSION for X509_STORE_CTX_set_verify_crit_oids by
@samuel40791765 in #2426
* Revert "Rework memory BIOs and implement BIO_seek (#2380)" by
@samuel40791765 in #2432
* Resolve SSL_PRIVATE_METHOD and certificate slots functionality by
@skmcgrail in #2429

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@skmcgrail skmcgrail skmcgrail approved these changes

@samuel40791765 samuel40791765 samuel40791765 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@justsmth @codecov-commenter @skmcgrail @samuel40791765 @davidben