refactor: add key as a parameter for s2n_resume_encrypt_session_ticket #5014
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Release Summary:
Resolved issues:
Partial for issue #4583 and #2756.
Description of changes:
This PR is to address a comment in PR#5001. Currently
s2n_resume_encrypt_session_ticket()
picks a session ticket key inside the function:s2n-tls/tls/s2n_resume.c
Lines 818 to 825 in edf68e0
The
s2n_get_ticket_encrypt_decrypt_key()
function is non-deterministic, so we might end up with different session ticket keys if we call them multiple times. We need to specify the session ticket key outside of the function, so that when we are calculating the session ticket lifetime, S2N will use the same session ticket key for both lifetime calculation and session ticket encryption.Hence, this PR adds
struct s2n_ticket_key *key
as an additional parameter ins2n_resume_encrypt_session_ticket()
, and chooses the key before callings2n_resume_encrypt_session_ticket()
every where in the codebase.Call-outs:
s2n_get_ticket_encrypt_decrypt_key()
function available ins2n_resume.h
, because this function needs to be called ins2n_server_nst_send()
ands2n_tls13_server_nst_write()
functions.Testing:
This PR is tested locally and by the CI.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.