LCOV - code coverage report
Current view: top level - tls - s2n_server_new_session_ticket.c (source / functions) Hit Total Coverage
Test: unit_test_coverage.info Lines: 217 217 100.0 %
Date: 2026-07-04 07:27:58 Functions: 10 10 100.0 %
Branches: 152 294 51.7 %

           Branch data     Line data    Source code
       1                 :            : /*
       2                 :            :  * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
       3                 :            :  *
       4                 :            :  * Licensed under the Apache License, Version 2.0 (the "License").
       5                 :            :  * You may not use this file except in compliance with the License.
       6                 :            :  * A copy of the License is located at
       7                 :            :  *
       8                 :            :  *  http://aws.amazon.com/apache2.0
       9                 :            :  *
      10                 :            :  * or in the "license" file accompanying this file. This file is distributed
      11                 :            :  * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
      12                 :            :  * express or implied. See the License for the specific language governing
      13                 :            :  * permissions and limitations under the License.
      14                 :            :  */
      15                 :            : 
      16                 :            : #include <time.h>
      17                 :            : 
      18                 :            : #include "api/s2n.h"
      19                 :            : #include "error/s2n_errno.h"
      20                 :            : #include "stuffer/s2n_stuffer.h"
      21                 :            : #include "tls/s2n_alerts.h"
      22                 :            : #include "tls/s2n_connection.h"
      23                 :            : #include "tls/s2n_record.h"
      24                 :            : #include "tls/s2n_resume.h"
      25                 :            : #include "tls/s2n_tls.h"
      26                 :            : #include "tls/s2n_tls13_handshake.h"
      27                 :            : #include "utils/s2n_random.h"
      28                 :            : #include "utils/s2n_safety.h"
      29                 :            : 
      30                 :            : /*
      31                 :            :  * The maximum size of the NewSessionTicket message, not taking into account the
      32                 :            :  * ticket itself.
      33                 :            :  *
      34                 :            :  * To get the actual maximum size required for the NewSessionTicket message, we'll need
      35                 :            :  * to add the size of the ticket, which is much less predictable.
      36                 :            :  *
      37                 :            :  * This constant is enforced via unit tests.
      38                 :            :  */
      39                 :        297 : #define S2N_TLS13_MAX_FIXED_NEW_SESSION_TICKET_SIZE 112
      40                 :            : 
      41                 :            : int s2n_server_nst_recv(struct s2n_connection *conn)
      42                 :         18 : {
      43         [ -  + ]:         18 :     POSIX_GUARD(s2n_stuffer_read_uint32(&conn->handshake.io, &conn->ticket_lifetime_hint));
      44                 :            : 
      45                 :         18 :     uint16_t session_ticket_len = 0;
      46         [ -  + ]:         18 :     POSIX_GUARD(s2n_stuffer_read_uint16(&conn->handshake.io, &session_ticket_len));
      47                 :            : 
      48         [ +  + ]:         18 :     if (session_ticket_len > 0) {
      49         [ -  + ]:         17 :         POSIX_GUARD(s2n_realloc(&conn->client_ticket, session_ticket_len));
      50                 :            : 
      51         [ -  + ]:         17 :         POSIX_GUARD(s2n_stuffer_read(&conn->handshake.io, &conn->client_ticket));
      52                 :            : 
      53         [ +  + ]:         17 :         if (conn->config->session_ticket_cb != NULL) {
      54                 :          7 :             size_t session_len = s2n_connection_get_session_length(conn);
      55                 :            : 
      56                 :            :             /* Alloc some memory for the serialized session ticket */
      57                 :          7 :             DEFER_CLEANUP(struct s2n_blob mem = { 0 }, s2n_free);
      58         [ -  + ]:          7 :             POSIX_GUARD(s2n_alloc(&mem,
      59                 :          7 :                     S2N_STATE_FORMAT_LEN + S2N_SESSION_TICKET_SIZE_LEN + conn->client_ticket.size + S2N_TLS12_STATE_SIZE_IN_BYTES));
      60                 :            : 
      61         [ -  + ]:          7 :             POSIX_GUARD(s2n_connection_get_session(conn, mem.data, session_len));
      62                 :          7 :             uint32_t session_lifetime = s2n_connection_get_session_ticket_lifetime_hint(conn);
      63                 :            : 
      64                 :          7 :             struct s2n_session_ticket ticket = { .ticket_data = mem, .session_lifetime = session_lifetime };
      65                 :            : 
      66 [ -  + ][ #  # ]:          7 :             POSIX_ENSURE(conn->config->session_ticket_cb(conn, conn->config->session_ticket_ctx, &ticket) >= S2N_SUCCESS,
      67                 :          7 :                     S2N_ERR_CANCELLED);
      68                 :          7 :         }
      69                 :         17 :     }
      70                 :            : 
      71                 :         18 :     return S2N_SUCCESS;
      72                 :         18 : }
      73                 :            : 
      74                 :            : static S2N_RESULT s2n_generate_ticket_lifetime(struct s2n_connection *conn, uint64_t key_intro_time,
      75                 :            :         uint32_t *ticket_lifetime)
      76                 :        402 : {
      77 [ #  # ][ -  + ]:        402 :     RESULT_ENSURE_REF(conn);
      78 [ -  + ][ #  # ]:        402 :     RESULT_ENSURE_REF(conn->config);
      79 [ -  + ][ #  # ]:        402 :     RESULT_ENSURE_MUT(ticket_lifetime);
      80                 :            : 
      81                 :        402 :     uint64_t now = 0;
      82         [ -  + ]:        402 :     RESULT_GUARD(s2n_config_wall_clock(conn->config, &now));
      83                 :            : 
      84                 :            :     /* Calculate ticket key age */
      85 [ #  # ][ -  + ]:        402 :     RESULT_ENSURE_GTE(now, key_intro_time);
      86                 :        402 :     uint64_t ticket_key_age_in_nanos = now - key_intro_time;
      87                 :            : 
      88                 :            :     /* Calculate remaining key lifetime */
      89                 :        402 :     uint64_t key_lifetime_in_nanos = conn->config->encrypt_decrypt_key_lifetime_in_nanos + conn->config->decrypt_key_lifetime_in_nanos;
      90 [ -  + ][ #  # ]:        402 :     RESULT_ENSURE_GTE(key_lifetime_in_nanos, ticket_key_age_in_nanos);
      91                 :        402 :     uint32_t remaining_key_lifetime = (key_lifetime_in_nanos - ticket_key_age_in_nanos) / ONE_SEC_IN_NANOS;
      92                 :            : 
      93                 :        402 :     uint32_t session_lifetime = conn->config->session_state_lifetime_in_nanos / ONE_SEC_IN_NANOS;
      94                 :            : 
      95                 :            :     /* Min of remaining key lifetime and session */
      96         [ +  + ]:        402 :     uint32_t min_lifetime = S2N_MIN(remaining_key_lifetime, session_lifetime);
      97                 :            : 
      98                 :            :     /* In TLS1.3 we take into account keying material lifetime */
      99         [ +  + ]:        402 :     if (conn->actual_protocol_version == S2N_TLS13) {
     100                 :        385 :         uint32_t key_material_lifetime = conn->server_keying_material_lifetime;
     101                 :        385 :         struct s2n_psk *chosen_psk = conn->psk_params.chosen_psk;
     102         [ +  + ]:        385 :         if (chosen_psk) {
     103 [ #  # ][ -  + ]:        186 :             RESULT_ENSURE_GTE(chosen_psk->keying_material_expiration, now);
     104                 :        186 :             uint32_t psk_key_material_lifetime = (chosen_psk->keying_material_expiration - now) / ONE_SEC_IN_NANOS;
     105         [ -  + ]:        186 :             key_material_lifetime = S2N_MIN(key_material_lifetime, psk_key_material_lifetime);
     106                 :        186 :         }
     107         [ +  - ]:        385 :         min_lifetime = S2N_MIN(min_lifetime, key_material_lifetime);
     108                 :        385 :     }
     109                 :            : 
     110                 :            :     /**
     111                 :            :      *= https://www.rfc-editor.org/rfc/rfc8446#section-4.6.1
     112                 :            :      *# Servers MUST NOT use any value greater than
     113                 :            :      *# 604800 seconds (7 days).
     114                 :            :      **/
     115         [ +  - ]:        402 :     *ticket_lifetime = S2N_MIN(min_lifetime, ONE_WEEK_IN_SEC);
     116                 :            : 
     117                 :        402 :     return S2N_RESULT_OK;
     118                 :        402 : }
     119                 :            : 
     120                 :            : int s2n_server_nst_send(struct s2n_connection *conn)
     121                 :         21 : {
     122 [ #  # ][ -  + ]:         21 :     POSIX_ENSURE_REF(conn);
     123                 :            : 
     124                 :         21 :     uint8_t data[S2N_TLS12_TICKET_SIZE_IN_BYTES] = { 0 };
     125                 :         21 :     struct s2n_blob session_ticket = { 0 };
     126         [ -  + ]:         21 :     POSIX_GUARD(s2n_blob_init(&session_ticket, data, sizeof(data)));
     127                 :            : 
     128                 :         21 :     uint32_t lifetime_hint_in_secs = 0;
     129                 :            : 
     130                 :            :     /* Send a zero-length ticket in the NewSessionTicket message if the server changes 
     131                 :            :      * its mind mid-handshake or if there are no valid encrypt keys currently available. 
     132                 :            :      *
     133                 :            :      *= https://www.rfc-editor.org/rfc/rfc5077#section-3.3
     134                 :            :      *# If the server determines that it does not want to include a
     135                 :            :      *# ticket after it has included the SessionTicket extension in the
     136                 :            :      *# ServerHello, then it sends a zero-length ticket in the
     137                 :            :      *# NewSessionTicket handshake message.
     138                 :            :      **/
     139         [ +  + ]:         21 :     if (s2n_result_is_error(s2n_server_nst_write(conn, &lifetime_hint_in_secs, &session_ticket))) {
     140         [ -  + ]:          3 :         POSIX_GUARD(s2n_stuffer_write_uint32(&conn->handshake.io, 0));
     141         [ -  + ]:          3 :         POSIX_GUARD(s2n_stuffer_write_uint16(&conn->handshake.io, 0));
     142                 :          3 :         return S2N_SUCCESS;
     143                 :          3 :     }
     144                 :            : 
     145         [ -  + ]:         18 :     POSIX_GUARD(s2n_stuffer_write_uint32(&conn->handshake.io, lifetime_hint_in_secs));
     146         [ -  + ]:         18 :     POSIX_GUARD(s2n_stuffer_write_uint16(&conn->handshake.io, session_ticket.size));
     147         [ -  + ]:         18 :     POSIX_GUARD(s2n_stuffer_write(&conn->handshake.io, &session_ticket));
     148                 :            : 
     149                 :            :     /* For parity with TLS1.3, track the single ticket sent.
     150                 :            :      * This simplifies s2n_connection_get_tickets_sent.
     151                 :            :      */
     152                 :         18 :     conn->tickets_sent++;
     153                 :         18 :     return S2N_SUCCESS;
     154                 :         18 : }
     155                 :            : 
     156                 :            : S2N_RESULT s2n_server_nst_write(struct s2n_connection *conn, uint32_t *lifetime_hint_in_secs,
     157                 :            :         struct s2n_blob *session_ticket)
     158                 :         21 : {
     159 [ #  # ][ -  + ]:         21 :     RESULT_ENSURE_REF(conn);
     160 [ +  - ][ +  + ]:         21 :     RESULT_ENSURE(s2n_server_sending_nst(conn), S2N_ERR_SENDING_NST);
                 [ +  - ]
     161                 :            : 
     162                 :         19 :     struct s2n_stuffer output = { 0 };
     163         [ -  + ]:         19 :     RESULT_GUARD_POSIX(s2n_stuffer_init(&output, session_ticket));
     164                 :            : 
     165                 :         19 :     struct s2n_ticket_key *key = s2n_get_ticket_encrypt_decrypt_key(conn->config);
     166 [ +  - ][ +  + ]:         19 :     RESULT_ENSURE(key != NULL, S2N_ERR_NO_TICKET_ENCRYPT_DECRYPT_KEY);
     167                 :            : 
     168         [ -  + ]:         18 :     RESULT_GUARD(s2n_generate_ticket_lifetime(conn, key->intro_timestamp, lifetime_hint_in_secs));
     169         [ -  + ]:         18 :     RESULT_GUARD(s2n_resume_encrypt_session_ticket(conn, key, &output));
     170                 :            : 
     171                 :         18 :     return S2N_RESULT_OK;
     172                 :         18 : }
     173                 :            : 
     174                 :            : S2N_RESULT s2n_tls13_server_nst_send(struct s2n_connection *conn, s2n_blocked_status *blocked)
     175                 :      50566 : {
     176 [ -  + ][ #  # ]:      50566 :     RESULT_ENSURE_REF(conn);
     177 [ +  - ][ +  + ]:      50566 :     RESULT_ENSURE_GTE(conn->actual_protocol_version, S2N_TLS13);
     178                 :            : 
     179                 :            :     /* Usually tickets are sent immediately after the handshake.
     180                 :            :      * If possible, reuse the handshake IO stuffer before it's wiped.
     181                 :            :      *
     182                 :            :      * Note: handshake.io isn't explicitly dedicated to only reading or only writing,
     183                 :            :      * so we have to be careful using it outside of s2n_negotiate.
     184                 :            :      * If we use it for writing here, we CAN'T use it for reading any post-handshake messages.
     185                 :            :      */
     186                 :      50565 :     struct s2n_stuffer *nst_stuffer = &conn->handshake.io;
     187                 :            : 
     188 [ +  + ][ +  + ]:      50565 :     if (conn->mode != S2N_SERVER || !conn->config->use_tickets) {
     189                 :      50105 :         return S2N_RESULT_OK;
     190                 :      50105 :     }
     191                 :            : 
     192                 :            :     /* Legacy behavior is that the s2n server sends a NST even if the client did not indicate support
     193                 :            :      * for resumption or does not support the psk_dhe_ke mode. This is potentially wasteful so we 
     194                 :            :      * choose to not extend this behavior to QUIC.
     195                 :            :      */
     196 [ +  + ][ +  + ]:        460 :     if (conn->quic_enabled && conn->psk_params.psk_ke_mode != S2N_PSK_DHE_KE) {
     197                 :          3 :         return S2N_RESULT_OK;
     198                 :          3 :     }
     199                 :            : 
     200                 :            :     /* No-op if all tickets already sent.
     201                 :            :      * Clean up the stuffer used for the ticket to conserve memory. */
     202         [ +  + ]:        457 :     if (conn->tickets_to_send == conn->tickets_sent) {
     203         [ -  + ]:        159 :         RESULT_GUARD_POSIX(s2n_stuffer_resize(nst_stuffer, 0));
     204                 :        159 :         return S2N_RESULT_OK;
     205                 :        159 :     }
     206                 :            : 
     207                 :            :     /**
     208                 :            :      *= https://www.rfc-editor.org/rfc/rfc8446#section-4.6.1
     209                 :            :      *# Note that in principle it is possible to continue issuing new tickets
     210                 :            :      *# which indefinitely extend the lifetime of the keying material
     211                 :            :      *# originally derived from an initial non-PSK handshake (which was most
     212                 :            :      *# likely tied to the peer's certificate). It is RECOMMENDED that
     213                 :            :      *# implementations place limits on the total lifetime of such keying
     214                 :            :      *# material; these limits should take into account the lifetime of the
     215                 :            :      *# peer's certificate, the likelihood of intervening revocation, and the
     216                 :            :      *# time since the peer's online CertificateVerify signature.
     217                 :            :      */
     218         [ +  + ]:        298 :     if (s2n_result_is_error(s2n_psk_validate_keying_material(conn))) {
     219                 :          1 :         conn->tickets_to_send = conn->tickets_sent;
     220                 :          1 :         return S2N_RESULT_OK;
     221                 :          1 :     }
     222                 :            : 
     223 [ -  + ][ #  # ]:        297 :     RESULT_ENSURE(conn->tickets_sent <= conn->tickets_to_send, S2N_ERR_INTEGER_OVERFLOW);
     224                 :            : 
     225                 :        297 :     size_t session_state_size = 0;
     226         [ -  + ]:        297 :     RESULT_GUARD(s2n_connection_get_session_state_size(conn, &session_state_size));
     227                 :        297 :     const size_t maximum_nst_size = session_state_size + S2N_TLS13_MAX_FIXED_NEW_SESSION_TICKET_SIZE;
     228         [ +  + ]:        297 :     if (s2n_stuffer_space_remaining(nst_stuffer) < maximum_nst_size) {
     229         [ -  + ]:        128 :         RESULT_GUARD_POSIX(s2n_stuffer_resize(nst_stuffer, maximum_nst_size));
     230                 :        128 :     }
     231                 :            : 
     232         [ +  + ]:        593 :     while (conn->tickets_to_send - conn->tickets_sent > 0) {
     233         [ +  + ]:        322 :         if (s2n_result_is_error(s2n_tls13_server_nst_write(conn, nst_stuffer))) {
     234                 :          5 :             return S2N_RESULT_OK;
     235                 :          5 :         }
     236                 :            : 
     237         [ +  + ]:        317 :         RESULT_GUARD(s2n_post_handshake_write_records(conn, blocked));
     238                 :        317 :     }
     239                 :            : 
     240                 :        271 :     return S2N_RESULT_OK;
     241                 :        297 : }
     242                 :            : 
     243                 :            : /** 
     244                 :            :  *= https://www.rfc-editor.org/rfc/rfc8446#section-4.6.1
     245                 :            :  *# A per-ticket value that is unique across all tickets
     246                 :            :  *# issued on this connection.
     247                 :            :  **/
     248                 :            : static S2N_RESULT s2n_generate_ticket_nonce(uint16_t value, struct s2n_blob *output)
     249                 :        384 : {
     250 [ -  + ][ #  # ]:        384 :     RESULT_ENSURE_MUT(output);
     251                 :            : 
     252                 :        384 :     struct s2n_stuffer stuffer = { 0 };
     253         [ -  + ]:        384 :     RESULT_GUARD_POSIX(s2n_stuffer_init(&stuffer, output));
     254         [ -  + ]:        384 :     RESULT_GUARD_POSIX(s2n_stuffer_write_uint16(&stuffer, value));
     255                 :            : 
     256                 :        384 :     return S2N_RESULT_OK;
     257                 :        384 : }
     258                 :            : 
     259                 :            : /** 
     260                 :            :  *= https://www.rfc-editor.org/rfc/rfc8446#section-4.6.1
     261                 :            :  *# A securely generated, random 32-bit value that is
     262                 :            :  *# used to obscure the age of the ticket that the client includes in
     263                 :            :  *# the "pre_shared_key" extension.
     264                 :            :  **/
     265                 :            : static S2N_RESULT s2n_generate_ticket_age_add(struct s2n_blob *random_data, uint32_t *ticket_age_add)
     266                 :        384 : {
     267 [ #  # ][ -  + ]:        384 :     RESULT_ENSURE_REF(random_data);
     268 [ #  # ][ -  + ]:        384 :     RESULT_ENSURE_REF(ticket_age_add);
     269                 :            : 
     270                 :        384 :     struct s2n_stuffer stuffer = { 0 };
     271         [ -  + ]:        384 :     RESULT_GUARD_POSIX(s2n_stuffer_init(&stuffer, random_data));
     272         [ -  + ]:        384 :     RESULT_GUARD_POSIX(s2n_stuffer_skip_write(&stuffer, random_data->size));
     273         [ -  + ]:        384 :     RESULT_GUARD_POSIX(s2n_stuffer_read_uint32(&stuffer, ticket_age_add));
     274                 :            : 
     275                 :        384 :     return S2N_RESULT_OK;
     276                 :        384 : }
     277                 :            : 
     278                 :            : /**
     279                 :            :  *= https://www.rfc-editor.org/rfc/rfc8446#section-4.6.1
     280                 :            :  *# The PSK associated with the ticket is computed as:
     281                 :            :  *#
     282                 :            :  *#    HKDF-Expand-Label(resumption_master_secret,
     283                 :            :  *#                     "resumption", ticket_nonce, Hash.length)
     284                 :            :  **/
     285                 :            : static int s2n_generate_session_secret(struct s2n_connection *conn, struct s2n_blob *nonce, struct s2n_blob *output)
     286                 :        849 : {
     287 [ #  # ][ -  + ]:        849 :     POSIX_ENSURE_REF(conn);
     288 [ -  + ][ #  # ]:        849 :     POSIX_ENSURE_REF(nonce);
     289 [ -  + ][ #  # ]:        849 :     POSIX_ENSURE_REF(output);
     290                 :            : 
     291         [ -  + ]:        849 :     s2n_tls13_connection_keys(secrets, conn);
     292                 :        849 :     struct s2n_blob master_secret = { 0 };
     293         [ -  + ]:        849 :     POSIX_GUARD(s2n_blob_init(&master_secret, conn->secrets.version.tls13.resumption_master_secret, secrets.size));
     294         [ -  + ]:        849 :     POSIX_GUARD(s2n_realloc(output, secrets.size));
     295         [ -  + ]:        849 :     POSIX_GUARD_RESULT(s2n_tls13_derive_session_ticket_secret(&secrets, &master_secret, nonce, output));
     296                 :            : 
     297                 :        849 :     return S2N_SUCCESS;
     298                 :        849 : }
     299                 :            : 
     300                 :            : S2N_RESULT s2n_tls13_server_nst_write(struct s2n_connection *conn, struct s2n_stuffer *output)
     301                 :        426 : {
     302 [ -  + ][ #  # ]:        426 :     RESULT_ENSURE_REF(conn);
     303 [ -  + ][ #  # ]:        426 :     RESULT_ENSURE_REF(output);
     304                 :            : 
     305                 :        426 :     struct s2n_ticket_key *key = s2n_get_ticket_encrypt_decrypt_key(conn->config);
     306 [ +  + ][ +  - ]:        426 :     RESULT_ENSURE(key != NULL, S2N_ERR_NO_TICKET_ENCRYPT_DECRYPT_KEY);
     307                 :            : 
     308                 :        421 :     struct s2n_ticket_fields *ticket_fields = &conn->tls13_ticket_fields;
     309                 :            : 
     310                 :            :     /* Write message type because session resumption in TLS13 is a post-handshake message */
     311         [ -  + ]:        421 :     RESULT_GUARD_POSIX(s2n_stuffer_write_uint8(output, TLS_SERVER_NEW_SESSION_TICKET));
     312                 :            : 
     313                 :        421 :     struct s2n_stuffer_reservation message_size = { 0 };
     314         [ -  + ]:        421 :     RESULT_GUARD_POSIX(s2n_stuffer_reserve_uint24(output, &message_size));
     315                 :            : 
     316                 :        421 :     uint32_t ticket_lifetime_in_secs = 0;
     317         [ -  + ]:        421 :     RESULT_GUARD(s2n_generate_ticket_lifetime(conn, key->intro_timestamp, &ticket_lifetime_in_secs));
     318                 :            : 
     319 [ +  + ][ +  - ]:        421 :     RESULT_ENSURE(ticket_lifetime_in_secs > 0, S2N_ERR_ZERO_LIFETIME_TICKET);
     320         [ -  + ]:        419 :     RESULT_GUARD_POSIX(s2n_stuffer_write_uint32(output, ticket_lifetime_in_secs));
     321                 :            : 
     322                 :            :     /* Get random data to use as ticket_age_add value */
     323                 :        419 :     uint8_t data[sizeof(uint32_t)] = { 0 };
     324                 :        419 :     struct s2n_blob random_data = { 0 };
     325         [ -  + ]:        419 :     RESULT_GUARD_POSIX(s2n_blob_init(&random_data, data, sizeof(data)));
     326                 :            :     /** 
     327                 :            :      *= https://www.rfc-editor.org/rfc/rfc8446#section-4.6.1
     328                 :            :      *#  The server MUST generate a fresh value
     329                 :            :      *#  for each ticket it sends.
     330                 :            :      **/
     331         [ -  + ]:        419 :     RESULT_GUARD(s2n_get_private_random_data(&random_data));
     332         [ -  + ]:        419 :     RESULT_GUARD(s2n_generate_ticket_age_add(&random_data, &ticket_fields->ticket_age_add));
     333         [ -  + ]:        419 :     RESULT_GUARD_POSIX(s2n_stuffer_write_uint32(output, ticket_fields->ticket_age_add));
     334                 :            : 
     335                 :            :     /* Write ticket nonce */
     336                 :        419 :     uint8_t nonce_data[sizeof(uint16_t)] = { 0 };
     337                 :        419 :     struct s2n_blob nonce = { 0 };
     338         [ -  + ]:        419 :     RESULT_GUARD_POSIX(s2n_blob_init(&nonce, nonce_data, sizeof(nonce_data)));
     339         [ -  + ]:        419 :     RESULT_GUARD(s2n_generate_ticket_nonce(conn->tickets_sent, &nonce));
     340         [ -  + ]:        419 :     RESULT_GUARD_POSIX(s2n_stuffer_write_uint8(output, nonce.size));
     341         [ -  + ]:        419 :     RESULT_GUARD_POSIX(s2n_stuffer_write_bytes(output, nonce.data, nonce.size));
     342                 :            : 
     343                 :            :     /* Derive individual session ticket secret */
     344         [ -  + ]:        419 :     RESULT_GUARD_POSIX(s2n_generate_session_secret(conn, &nonce, &ticket_fields->session_secret));
     345                 :            : 
     346                 :            :     /* Write ticket */
     347                 :        419 :     struct s2n_stuffer_reservation ticket_size = { 0 };
     348         [ -  + ]:        419 :     RESULT_GUARD_POSIX(s2n_stuffer_reserve_uint16(output, &ticket_size));
     349         [ -  + ]:        419 :     RESULT_GUARD(s2n_resume_encrypt_session_ticket(conn, key, output));
     350         [ +  + ]:        419 :     RESULT_GUARD_POSIX(s2n_stuffer_write_vector_size(&ticket_size));
     351                 :            : 
     352         [ -  + ]:        418 :     RESULT_GUARD_POSIX(s2n_extension_list_send(S2N_EXTENSION_LIST_NST, conn, output));
     353                 :            : 
     354         [ -  + ]:        418 :     RESULT_GUARD_POSIX(s2n_stuffer_write_vector_size(&message_size));
     355                 :            : 
     356 [ +  - ][ +  + ]:        418 :     RESULT_ENSURE(conn->tickets_sent < UINT16_MAX, S2N_ERR_INTEGER_OVERFLOW);
     357                 :        417 :     conn->tickets_sent++;
     358                 :            : 
     359                 :        417 :     return S2N_RESULT_OK;
     360                 :        418 : }
     361                 :            : 
     362                 :            : /**
     363                 :            :  *= https://www.rfc-editor.org/rfc/rfc8446#section-4.6.1
     364                 :            :  *#     struct {
     365                 :            :  *#         uint32 ticket_lifetime;
     366                 :            :  *#         uint32 ticket_age_add;
     367                 :            :  *#         opaque ticket_nonce<0..255>;
     368                 :            :  *#         opaque ticket<1..2^16-1>;
     369                 :            :  *#         Extension extensions<0..2^16-2>;
     370                 :            :  *#      } NewSessionTicket;
     371                 :            : **/
     372                 :            : S2N_RESULT s2n_tls13_server_nst_recv(struct s2n_connection *conn, struct s2n_stuffer *input)
     373                 :        484 : {
     374 [ #  # ][ -  + ]:        484 :     RESULT_ENSURE_REF(conn);
     375 [ -  + ][ #  # ]:        484 :     RESULT_ENSURE_REF(input);
     376 [ -  + ][ #  # ]:        484 :     RESULT_ENSURE_REF(conn->config);
     377                 :            : 
     378 [ +  + ][ +  - ]:        484 :     RESULT_ENSURE(conn->actual_protocol_version >= S2N_TLS13, S2N_ERR_BAD_MESSAGE);
     379 [ +  + ][ +  - ]:        483 :     RESULT_ENSURE(conn->mode == S2N_CLIENT, S2N_ERR_BAD_MESSAGE);
     380                 :            : 
     381         [ +  + ]:        480 :     if (!conn->config->use_tickets) {
     382                 :          1 :         return S2N_RESULT_OK;
     383                 :          1 :     }
     384                 :        479 :     struct s2n_ticket_fields *ticket_fields = &conn->tls13_ticket_fields;
     385                 :            : 
     386                 :            :     /* Handle `ticket_lifetime` field */
     387                 :        479 :     uint32_t ticket_lifetime = 0;
     388         [ -  + ]:        479 :     RESULT_GUARD_POSIX(s2n_stuffer_read_uint32(input, &ticket_lifetime));
     389                 :            :     /**
     390                 :            :      *= https://www.rfc-editor.org/rfc/rfc8446#section-4.6.1
     391                 :            :      *# Servers MUST NOT use any value greater than
     392                 :            :      *# 604800 seconds (7 days).
     393                 :            :      */
     394 [ +  + ][ +  - ]:        479 :     RESULT_ENSURE(ticket_lifetime <= ONE_WEEK_IN_SEC, S2N_ERR_BAD_MESSAGE);
     395                 :            :     /**
     396                 :            :      *= https://www.rfc-editor.org/rfc/rfc8446#section-4.6.1
     397                 :            :      *# The value of zero indicates that the
     398                 :            :      *# ticket should be discarded immediately.
     399                 :            :      */
     400         [ +  + ]:        478 :     if (ticket_lifetime == 0) {
     401                 :          1 :         return S2N_RESULT_OK;
     402                 :          1 :     }
     403                 :        477 :     conn->ticket_lifetime_hint = ticket_lifetime;
     404                 :            : 
     405                 :            :     /* Handle `ticket_age_add` field */
     406         [ -  + ]:        477 :     RESULT_GUARD_POSIX(s2n_stuffer_read_uint32(input, &ticket_fields->ticket_age_add));
     407                 :            : 
     408                 :            :     /* Handle `ticket_nonce` field */
     409                 :        477 :     uint8_t ticket_nonce_len = 0;
     410         [ -  + ]:        477 :     RESULT_GUARD_POSIX(s2n_stuffer_read_uint8(input, &ticket_nonce_len));
     411                 :        477 :     uint8_t nonce_data[UINT8_MAX] = { 0 };
     412                 :        477 :     struct s2n_blob nonce = { 0 };
     413         [ -  + ]:        477 :     RESULT_GUARD_POSIX(s2n_blob_init(&nonce, nonce_data, ticket_nonce_len));
     414         [ -  + ]:        477 :     RESULT_GUARD_POSIX(s2n_stuffer_read_bytes(input, nonce.data, ticket_nonce_len));
     415         [ -  + ]:        477 :     RESULT_GUARD_POSIX(s2n_generate_session_secret(conn, &nonce, &ticket_fields->session_secret));
     416                 :            : 
     417                 :            :     /* Handle `ticket` field */
     418                 :        477 :     uint16_t session_ticket_len = 0;
     419         [ -  + ]:        477 :     RESULT_GUARD_POSIX(s2n_stuffer_read_uint16(input, &session_ticket_len));
     420 [ -  + ][ #  # ]:        477 :     RESULT_ENSURE(session_ticket_len > 0, S2N_ERR_SAFETY);
     421         [ -  + ]:        477 :     RESULT_GUARD_POSIX(s2n_realloc(&conn->client_ticket, session_ticket_len));
     422         [ -  + ]:        477 :     RESULT_GUARD_POSIX(s2n_stuffer_read(input, &conn->client_ticket));
     423                 :            : 
     424                 :            :     /* Handle `extensions` field */
     425         [ -  + ]:        477 :     RESULT_GUARD_POSIX(s2n_extension_list_recv(S2N_EXTENSION_LIST_NST, conn, input));
     426                 :            : 
     427         [ +  + ]:        477 :     if (conn->config->session_ticket_cb != NULL) {
     428                 :            :         /* Retrieve serialized session data */
     429                 :        430 :         const uint16_t session_state_size = s2n_connection_get_session_length(conn);
     430                 :        430 :         DEFER_CLEANUP(struct s2n_blob session_state = { 0 }, s2n_free);
     431         [ -  + ]:        430 :         RESULT_GUARD_POSIX(s2n_realloc(&session_state, session_state_size));
     432         [ -  + ]:        430 :         RESULT_GUARD_POSIX(s2n_connection_get_session(conn, session_state.data, session_state.size));
     433                 :            : 
     434                 :        430 :         struct s2n_session_ticket ticket = {
     435                 :        430 :             .ticket_data = session_state,
     436                 :        430 :             .session_lifetime = ticket_lifetime
     437                 :        430 :         };
     438 [ -  + ][ #  # ]:        430 :         RESULT_ENSURE(conn->config->session_ticket_cb(conn, conn->config->session_ticket_ctx, &ticket) >= S2N_SUCCESS,
     439                 :        430 :                 S2N_ERR_CANCELLED);
     440                 :        430 :     }
     441                 :            : 
     442                 :        477 :     return S2N_RESULT_OK;
     443                 :        477 : }

Generated by: LCOV version 1.14