Send and receive the ticket_nonce field in a NewSessionTicket

This just adds the processing for sending and receiving the newly added
ticket_nonce field. It doesn't actually use it yet.
Reviewed-by: NBen Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3852)

ssl/ssl_asn1.c

@@ -41,6 +41,7 @@ typedef struct {
     uint64_t flags;
     uint32_t max_early_data;
     ASN1_OCTET_STRING *alpn_selected;
+    ASN1_OCTET_STRING *tick_nonce;
 } SSL_SESSION_ASN1;
 
 ASN1_SEQUENCE(SSL_SESSION_ASN1) = {
@@ -69,7 +70,8 @@ ASN1_SEQUENCE(SSL_SESSION_ASN1) = {
     ASN1_EXP_OPT_EMBED(SSL_SESSION_ASN1, flags, ZUINT64, 13),
     ASN1_EXP_OPT_EMBED(SSL_SESSION_ASN1, tlsext_tick_age_add, ZUINT32, 14),
     ASN1_EXP_OPT_EMBED(SSL_SESSION_ASN1, max_early_data, ZUINT32, 15),
-    ASN1_EXP_OPT(SSL_SESSION_ASN1, alpn_selected, ASN1_OCTET_STRING, 16)
+    ASN1_EXP_OPT(SSL_SESSION_ASN1, alpn_selected, ASN1_OCTET_STRING, 16),
+    ASN1_EXP_OPT(SSL_SESSION_ASN1, tick_nonce, ASN1_OCTET_STRING, 17)
 } static_ASN1_SEQUENCE_END(SSL_SESSION_ASN1)
 
 IMPLEMENT_STATIC_ASN1_ENCODE_FUNCTIONS(SSL_SESSION_ASN1)
@@ -118,6 +120,7 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
     ASN1_OCTET_STRING psk_identity, psk_identity_hint;
 #endif
     ASN1_OCTET_STRING alpn_selected;
+    ASN1_OCTET_STRING tick_nonce;
 
     long l;
 
@@ -187,6 +190,12 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
         ssl_session_oinit(&as.alpn_selected, &alpn_selected,
                           in->ext.alpn_selected, in->ext.alpn_selected_len);
 
+    if (in->ext.tick_nonce == NULL)
+        as.tick_nonce = NULL;
+    else
+        ssl_session_oinit(&as.tick_nonce, &tick_nonce,
+                          in->ext.tick_nonce, in->ext.tick_nonce_len);
+
     return i2d_SSL_SESSION_ASN1(&as, pp);
 
 }
@@ -352,6 +361,15 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
         ret->ext.alpn_selected_len = 0;
     }
 
+    if (as->tick_nonce != NULL) {
+        ret->ext.tick_nonce = as->tick_nonce->data;
+        ret->ext.tick_nonce_len = as->tick_nonce->length;
+        as->tick_nonce->data = NULL;
+    } else {
+        ret->ext.tick_nonce = NULL;
+        ret->ext.tick_nonce_len = 0;
+    }
+
     M_ASN1_free_of(as, SSL_SESSION_ASN1);
 
     if ((a != NULL) && (*a == NULL))

ssl/ssl_locl.h

@@ -551,6 +551,8 @@ struct ssl_session_st {
         /* Session lifetime hint in seconds */
         unsigned long tick_lifetime_hint;
         uint32_t tick_age_add;
+        unsigned char *tick_nonce;
+        size_t tick_nonce_len;
         int tick_identity;
         /* Max number of bytes that can be sent as early data */
         uint32_t max_early_data;

ssl/ssl_sess.c

@@ -130,6 +130,8 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
     dest->peer = NULL;
     memset(&dest->ex_data, 0, sizeof(dest->ex_data));
 
+    dest->ext.tick_nonce = NULL;
+
     /* We deliberately don't copy the prev and next pointers */
     dest->prev = NULL;
     dest->next = NULL;
@@ -222,6 +224,13 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
         }
     }
 
+    if (src->ext.tick_nonce != NULL) {
+        dest->ext.tick_nonce = OPENSSL_memdup(src->ext.tick_nonce,
+                                              src->ext.tick_nonce_len);
+        if (dest->ext.tick_nonce == NULL)
+            goto err;
+    }
+
 #ifndef OPENSSL_NO_SRP
     if (src->srp_username) {
         dest->srp_username = OPENSSL_strdup(src->srp_username);
@@ -785,6 +794,7 @@ void SSL_SESSION_free(SSL_SESSION *ss)
     OPENSSL_free(ss->srp_username);
 #endif
     OPENSSL_free(ss->ext.alpn_selected);
+    OPENSSL_free(ss->ext.tick_nonce);
     CRYPTO_THREAD_lock_free(ss->lock);
     OPENSSL_clear_free(ss, sizeof(*ss));
 }

ssl/statem/statem_clnt.c

@@ -2421,9 +2421,15 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
     unsigned long ticket_lifetime_hint, age_add = 0;
     unsigned int sess_len;
     RAW_EXTENSION *exts = NULL;
+    PACKET nonce;
 
     if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint)
-        || (SSL_IS_TLS13(s) && !PACKET_get_net_4(pkt, &age_add))
+        || (SSL_IS_TLS13(s)
+            && (!PACKET_get_net_4(pkt, &age_add)
+                || !PACKET_get_length_prefixed_1(pkt, &nonce)
+                || PACKET_remaining(&nonce) == 0
+                || !PACKET_memdup(&nonce, &s->session->ext.tick_nonce,
+                                  &s->session->ext.tick_nonce_len)))
         || !PACKET_get_net_2(pkt, &ticklen)
         || (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) != ticklen)
         || (SSL_IS_TLS13(s)

ssl/statem/statem_srvr.c

@@ -3381,6 +3381,19 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
         if (RAND_bytes(age_add_u.age_add_c, sizeof(age_add_u)) <= 0)
             goto err;
         s->session->ext.tick_age_add = age_add_u.age_add;
+       /*
+        * ticket_nonce is set to a single 0 byte because we only ever send a
+        * single ticket per connection. IMPORTANT: If we ever support multiple
+        * tickets per connection then this will need to be changed.
+        */
+        OPENSSL_free(s->session->ext.tick_nonce);
+        s->session->ext.tick_nonce = OPENSSL_zalloc(sizeof(char));
+        if (s->session->ext.tick_nonce == NULL) {
+            SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
+                   ERR_R_MALLOC_FAILURE);
+            goto err;
+        }
+        s->session->ext.tick_nonce_len = 1;
         s->session->time = (long)time(NULL);
         if (s->s3->alpn_selected != NULL) {
             OPENSSL_free(s->session->ext.alpn_selected);
@@ -3497,7 +3510,11 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
                                (s->hit && !SSL_IS_TLS13(s))
                                ? 0 : s->session->timeout)
             || (SSL_IS_TLS13(s)
-                && !WPACKET_put_bytes_u32(pkt, age_add_u.age_add))
+                && (!WPACKET_put_bytes_u32(pkt, age_add_u.age_add)
+                       /* ticket_nonce */
+                    || !WPACKET_start_sub_packet_u8(pkt)
+                    || !WPACKET_put_bytes_u8(pkt, 0)
+                    || !WPACKET_close(pkt)))
                /* Now the actual ticket data */
             || !WPACKET_start_sub_packet_u16(pkt)
             || !WPACKET_get_total_written(pkt, &macoffset)