commit | 713634d75fd49cc0fff6e121c6050d6864dbbfe8 | |
---|---|---|
author | Devon H. O'Dell <dhobsd@google.com> | Mon Feb 01 16:41:15 2021 -0800 |
committer | Devon H. O'Dell <dhobsd@google.com> | Tue Feb 02 15:00:39 2021 +0000 |
tree | a2358627214d436bb0011ad320b50452c79b97ba | |
parent | 332acf3ea568380111612855a451368e4ef5ab0d | |
[rustls] Fix race around HRR and properly implement D.4

A ClientHello that results in a HelloRetryRequest may race against new session negotiation that updates the session cache. This may result in changes to the ticket used in the session negotiation, which is prohibited per RFC8446 section 4.1.2.

Additionally, section D.4 requires the client to provide "a non-empty session ID in the ClientHello" both for establishing a new session and for resuming a session. TLS 1.3 session resumptions previously used an empty session ID as that's what's stored in the `ClientSessionValue` and thus what's resolved when looking up a new session. This behavior is additionally problematic for a `StoresClientSessions` implementation that implements RFC8446 appendix C.4, as subsequent cache lookups are guaranteed to return different tickets and session IDs.

This change solves all three issues by only looking up session resumption when not servicing a HelloRetryRequest (which prevents the race condition and enables the use of a C.4-compliant session cache), by only using tickets and session IDs generated from the initial ClientHello, and by always generating a session ID for TLS 1.3 connections over TCP.

Bug: 68871
Test: Ran bogo tests in upstream; this is a backport.
Change-Id: I3c538123a577471e3bb2a2ebe12ae72e7db56690
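The pattern the commit message describes, as an added sketch that is not code from this commit or from rustls: the cache is consulted once, when the initial ClientHello is built, and the retry reuses that ticket and session ID even if the cache has changed in between. The names `SingleUseCache`, `Handshake` and `ClientHello` are hypothetical, and the session ID bytes are assumed to be CSPRNG output supplied by the caller.

```rust
use std::collections::HashMap;

// Hypothetical, simplified types for illustration; not the rustls API.
/// Cache with RFC 8446 appendix C.4 behaviour: each ticket is handed out once.
#[derive(Default)]
pub struct SingleUseCache { tickets: HashMap<String, Vec<Vec<u8>>> }

impl SingleUseCache {
    pub fn put(&mut self, server: &str, ticket: Vec<u8>) {
        self.tickets.entry(server.to_string()).or_default().push(ticket);
    }
    /// Removes and returns the newest ticket, so two lookups never agree.
    pub fn take(&mut self, server: &str) -> Option<Vec<u8>> {
        self.tickets.get_mut(server)?.pop()
    }
}

#[derive(Clone, Debug, PartialEq)]
pub struct ClientHello { pub session_id: [u8; 32], pub ticket: Option<Vec<u8>> }

/// Per-handshake state, fixed when the initial ClientHello is built.
pub struct Handshake { hello: ClientHello }

impl Handshake {
    /// The only cache lookup. `fresh_id` is assumed to come from a CSPRNG
    /// and is sent whether or not a ticket was found (section D.4).
    pub fn start(cache: &mut SingleUseCache, server: &str, fresh_id: [u8; 32]) -> Self {
        Handshake { hello: ClientHello { session_id: fresh_id, ticket: cache.take(server) } }
    }
    pub fn initial_hello(&self) -> ClientHello { self.hello.clone() }
    /// After a HelloRetryRequest: no cache access, same session ID and ticket.
    /// (A real retry also updates key_share, cookie and PSK binders; omitted.)
    pub fn retry_hello(&self) -> ClientHello { self.hello.clone() }
}

fn main() {
    let mut cache = SingleUseCache::default();
    cache.put("example.test", b"ticket-A".to_vec()); // constructed sample ticket
    let hs = Handshake::start(&mut cache, "example.test", [0x5a; 32]); // constructed ID
    // Another connection finishes and stores a new ticket before the HRR arrives.
    cache.put("example.test", b"ticket-B".to_vec());
    assert_eq!(hs.initial_hello(), hs.retry_hello());
    println!("retry reuses ticket {:?}", hs.retry_hello().ticket);
}
```
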
Pink + Purple == Fuchsia (a new operating system)
Fuchsia is a modular, capability-based operating system. Fuchsia runs on modern 64-bit Intel and ARM processors.
Fuchsia is an open source project with a code of conduct that we expect everyone who interacts with the project to respect.