Added helper function

aws · Jul 23, 2024 · 6d9330b · 6d9330b
1 parent ef35d72
commit 6d9330b
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 4 deletions.
diff --git a/tls/s2n_resume.c b/tls/s2n_resume.c
@@ -462,7 +462,7 @@ int s2n_resume_from_cache(struct s2n_connection *conn)
     struct s2n_stuffer from = { 0 };
     POSIX_GUARD(s2n_stuffer_init(&from, &entry));
     POSIX_GUARD(s2n_stuffer_write(&from, &entry));
-    POSIX_GUARD_RESULT(s2n_resume_decrypt_session_ticket(conn, &from));
+    POSIX_GUARD_RESULT(s2n_resume_decrypt_session_cache(conn, &from));
 
     return 0;
 }
@@ -827,7 +827,8 @@ S2N_RESULT s2n_resume_encrypt_session_ticket(struct s2n_connection *conn, struct
     return S2N_RESULT_OK;
 }
 
-S2N_RESULT s2n_resume_decrypt_session_ticket(struct s2n_connection *conn, struct s2n_stuffer *from)
+S2N_RESULT s2n_resume_decrypt_session_impl(struct s2n_connection *conn, struct s2n_stuffer *from,
+        uint64_t *key_intro_time)
 {
     RESULT_ENSURE_REF(conn);
     RESULT_ENSURE_REF(from);
@@ -882,14 +883,28 @@ S2N_RESULT s2n_resume_decrypt_session_ticket(struct s2n_connection *conn, struct
     RESULT_GUARD_POSIX(s2n_stuffer_skip_write(&state_stuffer, state_blob_size));
     RESULT_GUARD(s2n_deserialize_resumption_state(conn, &from->blob, &state_stuffer));
 
-    if (s2n_connection_get_protocol_version(conn) >= S2N_TLS13 || conn->config->use_session_cache) {
+    /* Store this key timestamp for session ticket logic */
+    *key_intro_time = key->intro_timestamp;
+
+    return S2N_RESULT_OK;
+}
+
+S2N_RESULT s2n_resume_decrypt_session_ticket(struct s2n_connection *conn, struct s2n_stuffer *from)
+{
+    RESULT_ENSURE_REF(conn);
+    RESULT_ENSURE_REF(conn->config);
+
+    uint64_t key_intro_time = 0;
+    RESULT_GUARD(s2n_resume_decrypt_session_impl(conn, from, &key_intro_time));
+
+    if (s2n_connection_get_protocol_version(conn) >= S2N_TLS13) {
         return S2N_RESULT_OK;
     }
 
     /* A new key is assigned for the ticket if the key used to encrypt current ticket is expired */
     uint64_t now = 0;
     RESULT_GUARD(s2n_config_wall_clock(conn->config, &now));
-    if (now >= key->intro_timestamp + conn->config->encrypt_decrypt_key_lifetime_in_nanos) {
+    if (now >= key_intro_time + conn->config->encrypt_decrypt_key_lifetime_in_nanos) {
         if (s2n_result_is_ok(s2n_config_is_encrypt_key_available(conn->config))) {
             conn->session_ticket_status = S2N_NEW_TICKET;
             RESULT_GUARD(s2n_handshake_type_set_tls12_flag(conn, WITH_SESSION_TICKET));
@@ -898,6 +913,13 @@ S2N_RESULT s2n_resume_decrypt_session_ticket(struct s2n_connection *conn, struct
     return S2N_RESULT_OK;
 }
 
+S2N_RESULT s2n_resume_decrypt_session_cache(struct s2n_connection *conn, struct s2n_stuffer *from)
+{
+    uint64_t key_intro_time = 0;
+    RESULT_GUARD(s2n_resume_decrypt_session_impl(conn, from, &key_intro_time));
+    return S2N_RESULT_OK;
+}
+
 /* This function is used to remove all or just one expired key from server config */
 int s2n_config_wipe_expired_ticket_crypto_keys(struct s2n_config *config, int8_t expired_key_index)
 {

diff --git a/tls/s2n_resume.h b/tls/s2n_resume.h
@@ -73,6 +73,7 @@ struct s2n_session_ticket {
 struct s2n_ticket_key *s2n_find_ticket_key(struct s2n_config *config, const uint8_t name[S2N_TICKET_KEY_NAME_LEN]);
 S2N_RESULT s2n_resume_encrypt_session_ticket(struct s2n_connection *conn, struct s2n_stuffer *to);
 S2N_RESULT s2n_resume_decrypt_session_ticket(struct s2n_connection *conn, struct s2n_stuffer *from);
+S2N_RESULT s2n_resume_decrypt_session_cache(struct s2n_connection *conn, struct s2n_stuffer *from);
 S2N_RESULT s2n_config_is_encrypt_key_available(struct s2n_config *config);
 int s2n_verify_unique_ticket_key(struct s2n_config *config, uint8_t *hash, uint16_t *insert_index);
 int s2n_config_wipe_expired_ticket_crypto_keys(struct s2n_config *config, int8_t expired_key_index);