authorNikos Mavrogiannopoulos <nmav@redhat.com>2019-03-01 11:15:47 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2019-03-20 10:52:19 +0100
commitc6754cf52ecfb655f04707cef0d4c2d41e1c9587 (patch)
tree57bf3acab86116da136087c9e936087b5fd5d286
parentf82ffe2b3031072ad1bfdf589e945263a1696e3f (diff)
downloadgnutls-tmp-increase-nr-of-tickets.tar.gz
handshake: increase the default number of tickets we send to 2tmp-increase-nr-of-tickets
This makes it easier for clients which perform multiple connections to the server to use the tickets sent by a default server. That's because 2 tickets allow for 2 new connections (if one is using each ticket once as recommended), which in turn lead to 4 new and so on. Resolves: #596 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--NEWS4
-rw-r--r--doc/cha-gtls-app.texi4
-rw-r--r--lib/Makefile.am10
-rw-r--r--lib/gnutls_int.h7
-rw-r--r--lib/handshake-defs.h49
-rw-r--r--lib/handshake-tls13.c8
-rw-r--r--lib/handshake.h15
-rw-r--r--tests/suite/tls-fuzzer/gnutls-nocert-tls13.json2
-rw-r--r--tests/tls13/post-handshake-with-cert-ticket.c3
9 files changed, 67 insertions, 35 deletions
diff --git a/NEWS b/NEWS
index 5087eb94dd..a2eec5b621 100644
--- a/NEWS
+++ b/NEWS
@@ -29,6 +29,10 @@ See the end for copying conditions.
session, as non-writeable security officer sessions are undefined in PKCS#11
(#721).
+** libgnutls: the default number of tickets sent under TLS 1.3 was increased to
+ two. This makes it easier for clients which perform multiple connections
+ to the server to use the tickets sent by a default server.
+
** libgnutls: no longer send downgrade sentinel in TLS 1.3.
Previously the sentinel value was embedded to early in version
negotiation and was sent even on TLS 1.3. It is now sent only when
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 215f257c8b..6f605dfa1c 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -1918,8 +1918,8 @@ is set using @funcref{gnutls_db_set_cache_expiration}. This function also contro
the ticket key rotation period. Currently, the session key rotation interval is set
to 3 times the expiration time set by this function.
-Under TLS 1.3, the server can send a new session ticket at any time
-using @funcref{gnutls_session_ticket_send}.
+Under TLS 1.3, the server sends by default 2 tickets, and can send
+additional session tickets at any time using @funcref{gnutls_session_ticket_send}.
@showfuncdesc{gnutls_session_ticket_send}
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 955ac683e7..fe9cf63a2f 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -111,11 +111,11 @@ if ENABLE_NETTLE
SUBDIRS += nettle
endif
-HFILES = abstract_int.h debug.h cipher.h \
- buffers.h errors.h gnutls_int.h dtls.h \
- handshake.h num.h algorithms.h \
- dh.h kx.h hash_int.h cipher_int.h \
- db.h auth.h hello_ext.h \
+HFILES = abstract_int.h debug.h cipher.h \
+ buffers.h errors.h gnutls_int.h dtls.h \
+ handshake.h num.h algorithms.h \
+ dh.h kx.h hash_int.h cipher_int.h \
+ db.h auth.h hello_ext.h handshake-defs.h \
x509_b64.h sslv2_compat.h datum.h \
mpi.h pk.h record.h \
constate.h global.h tls-sig.h mem.h \
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index ccbcc5b558..bfca84c96f 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -127,16 +127,9 @@ typedef struct {
#define GNUTLS_MASTER_SIZE 48
#define GNUTLS_RANDOM_SIZE 32
-#define HRR_RANDOM \
- "\xCF\x21\xAD\x74\xE5\x9A\x61\x11\xBE\x1D\x8C\x02\x1E\x65\xB8\x91" \
- "\xC2\xA2\x11\x16\x7A\xBB\x8C\x5E\x07\x9E\x09\xE2\xC8\xA8\x33\x9C"
-
/* Under TLS1.3 a hello retry request is sent as server hello */
#define REAL_HSK_TYPE(t) ((t)==GNUTLS_HANDSHAKE_HELLO_RETRY_REQUEST?GNUTLS_HANDSHAKE_SERVER_HELLO:t)
-/* Enable: Appendix D4. Middlebox Compatibility Mode */
-#define TLS13_APPENDIX_D4 1
-
/* DTLS */
#define DTLS_RETRANS_TIMEOUT 1000
diff --git a/lib/handshake-defs.h b/lib/handshake-defs.h
new file mode 100644
index 0000000000..d322febc90
--- /dev/null
+++ b/lib/handshake-defs.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>
+ *
+ */
+#ifndef HANDSHAKE_DEFS_H
+#define HANDSHAKE_DEFS_H
+
+#define EARLY_TRAFFIC_LABEL "c e traffic"
+#define EXT_BINDER_LABEL "ext binder"
+#define RES_BINDER_LABEL "res binder"
+#define EARLY_EXPORTER_MASTER_LABEL "e exp master"
+#define HANDSHAKE_CLIENT_TRAFFIC_LABEL "c hs traffic"
+#define HANDSHAKE_SERVER_TRAFFIC_LABEL "s hs traffic"
+#define DERIVED_LABEL "derived"
+#define APPLICATION_CLIENT_TRAFFIC_LABEL "c ap traffic"
+#define APPLICATION_SERVER_TRAFFIC_LABEL "s ap traffic"
+#define APPLICATION_TRAFFIC_UPDATE "traffic upd"
+#define EXPORTER_MASTER_LABEL "exp master"
+#define RMS_MASTER_LABEL "res master"
+#define EXPORTER_LABEL "exp master"
+#define RESUMPTION_LABEL "resumption"
+
+#define HRR_RANDOM \
+ "\xCF\x21\xAD\x74\xE5\x9A\x61\x11\xBE\x1D\x8C\x02\x1E\x65\xB8\x91" \
+ "\xC2\xA2\x11\x16\x7A\xBB\x8C\x5E\x07\x9E\x09\xE2\xC8\xA8\x33\x9C"
+
+#define TLS13_TICKETS_TO_SEND 2
+
+/* Enable: Appendix D4. Middlebox Compatibility Mode */
+#define TLS13_APPENDIX_D4 1
+
+#endif /* HANDSHAKE_DEFS_H */
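Review bot: `EXPORTER_LABEL` is defined with the same string as `EXPORTER_MASTER_LABEL` (`"exp master"`), which looks like a copy-paste slip carried over verbatim from handshake.h. RFC 8446 section 7.5 uses the label `"exporter"` for the final HKDF-Expand-Label step of a TLS exporter. Whether anything references `EXPORTER_LABEL` is not visible in this diff, so while the definitions are being moved it is worth either correcting it to `#define EXPORTER_LABEL "exporter"` or dropping it if unused. The new `TLS13_TICKETS_TO_SEND` also deserves a comment, e.g. `/* NewSessionTicket messages sent by default after a TLS 1.3 handshake; more than one lets a client resume several connections without reusing a ticket */`.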
diff --git a/lib/handshake-tls13.c b/lib/handshake-tls13.c
index 30a45986a7..33ed3afa3b 100644
--- a/lib/handshake-tls13.c
+++ b/lib/handshake-tls13.c
@@ -362,8 +362,6 @@ static int generate_hs_traffic_keys(gnutls_session_t session)
return 0;
}
-#define TICKETS_TO_SEND 1
-
/*
* _gnutls13_handshake_server
* This function does the server stuff of the handshake protocol.
@@ -510,7 +508,7 @@ int _gnutls13_handshake_server(gnutls_session_t session)
_gnutls_set_resumed_parameters(session);
if (session->internals.hsk_flags & HSK_EARLY_START_USED) {
- ret = _gnutls13_send_session_ticket(session, TICKETS_TO_SEND,
+ ret = _gnutls13_send_session_ticket(session, TLS13_TICKETS_TO_SEND,
AGAIN(STATE109));
STATE = STATE109;
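Review bot: Sending two tickets from one `_gnutls13_send_session_ticket()` call makes the non-blocking retry path at this call site worth checking. If the first NewSessionTicket is queued and the call then returns `GNUTLS_E_AGAIN`, re-entry with `AGAIN(STATE109)` has to flush what is pending rather than generate and send tickets again. That function's body is not in this diff, so this is a question rather than a confirmed defect; the same applies to the `STATE115` call in the next hunk. A test that forces a short write between the two tickets would pin the behaviour, and a comment at the call such as `/* sends TLS13_TICKETS_TO_SEND tickets; on AGAIN only pending data is flushed */` would record the contract. `_gnutls13_handshake_server` starts and ends outside the hunk.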
@@ -566,7 +564,7 @@ int _gnutls13_handshake_server(gnutls_session_t session)
FALLTHROUGH;
case STATE115:
if (!(session->internals.hsk_flags & (HSK_TLS13_TICKET_SENT|HSK_EARLY_START_USED))) {
- ret = _gnutls13_send_session_ticket(session, TICKETS_TO_SEND,
+ ret = _gnutls13_send_session_ticket(session, TLS13_TICKETS_TO_SEND,
AGAIN(STATE115));
STATE = STATE115;
IMED_RET("send session ticket", ret, 0);
@@ -738,7 +736,7 @@ _gnutls13_recv_async_handshake(gnutls_session_t session)
*
* Sends a fresh session ticket to the peer. This is relevant only
* in server side under TLS1.3. This function may also return %GNUTLS_E_AGAIN
- * or %GNUTLS_E_INTERRUPTED.
+ * or %GNUTLS_E_INTERRUPTED and in that case it must be called again.
*
* Returns: %GNUTLS_E_SUCCESS on success, or a negative error code.
**/
diff --git a/lib/handshake.h b/lib/handshake.h
index 2d56219591..490e836fae 100644
--- a/lib/handshake.h
+++ b/lib/handshake.h
@@ -153,20 +153,7 @@ int _gnutls_handshake_get_session_hash(gnutls_session_t session, gnutls_datum_t
int _gnutls_check_id_for_change(gnutls_session_t session);
int _gnutls_check_if_cert_hash_is_same(gnutls_session_t session, gnutls_certificate_credentials_t cred);
-#define EARLY_TRAFFIC_LABEL "c e traffic"
-#define EXT_BINDER_LABEL "ext binder"
-#define RES_BINDER_LABEL "res binder"
-#define EARLY_EXPORTER_MASTER_LABEL "e exp master"
-#define HANDSHAKE_CLIENT_TRAFFIC_LABEL "c hs traffic"
-#define HANDSHAKE_SERVER_TRAFFIC_LABEL "s hs traffic"
-#define DERIVED_LABEL "derived"
-#define APPLICATION_CLIENT_TRAFFIC_LABEL "c ap traffic"
-#define APPLICATION_SERVER_TRAFFIC_LABEL "s ap traffic"
-#define APPLICATION_TRAFFIC_UPDATE "traffic upd"
-#define EXPORTER_MASTER_LABEL "exp master"
-#define RMS_MASTER_LABEL "res master"
-#define EXPORTER_LABEL "exp master"
-#define RESUMPTION_LABEL "resumption"
+#include "handshake-defs.h"
int _gnutls_call_hook_func(gnutls_session_t session,
gnutls_handshake_description_t type,
diff --git a/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json b/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json
index 47fcf878a4..5a10d615ec 100644
--- a/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json
+++ b/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json
@@ -62,7 +62,7 @@
{"name" : "test-tls13-conversation.py",
"arguments": ["-p", "@PORT@"]},
{"name" : "test-tls13-count-tickets.py",
- "arguments": ["-p", "@PORT@", "-t", "1"]},
+ "arguments": ["-p", "@PORT@", "-t", "2"]},
{"name" : "test-tls13-dhe-shared-secret-padding.py",
"comment": "We do not support x448",
"arguments": ["-p", "@PORT@",
diff --git a/tests/tls13/post-handshake-with-cert-ticket.c b/tests/tls13/post-handshake-with-cert-ticket.c
index 05cb5c88e9..bcf331e0f0 100644
--- a/tests/tls13/post-handshake-with-cert-ticket.c
+++ b/tests/tls13/post-handshake-with-cert-ticket.c
@@ -47,6 +47,7 @@ int main()
#include <signal.h>
#include <assert.h>
+#include "../lib/handshake-defs.h"
#include "cert-common.h"
#include "utils.h"
@@ -75,7 +76,7 @@ static int ticket_callback(gnutls_session_t session, unsigned int htype,
assert(htype == GNUTLS_HANDSHAKE_NEW_SESSION_TICKET);
counter++;
- if (counter == 1) /* ignore the first ticket */
+ if (counter <= TLS13_TICKETS_TO_SEND) /* ignore the default tickets sent */
return 0;
d = gnutls_session_get_ptr(session);
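Review bot: Skipping tickets with `counter <= TLS13_TICKETS_TO_SEND` ties this test to a private library header (`../lib/handshake-defs.h`, added in the include hunk above), so the test follows any change to the default instead of detecting it. If the intent is only to skip the tickets sent at handshake completion, a comment such as `/* the first TLS13_TICKETS_TO_SEND tickets are the handshake defaults; only later tickets are inspected */` would make that explicit. A separate assertion on the total number of callbacks would keep the count itself under test. `ticket_callback` continues outside the hunk, so what is done with the later tickets is not visible here.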