Server app managed custom resumption tickets/Client app managed resumption tickets over SChannel #5371
Conversation
…SChannel - Code to push/retrieve client resumption ticket over SChannel - Few corresponding test changes
…g explicit ticket management for SChannel - Refactored tls_schannel code to rx/tx resumption tickets/ session state only when the credential flag is enabled - If the app receiving ticket indicates error, it is logged but the TLS connection will proceed - Added further checks and fixed up code in tls_schannel to ensure all TLS tests pass - Refactored tls unit tests to include the new credential flag and enabled all unit tests for SChannel - Other minor refactoring
- Added comments - Fixed TLS resumption unit tests (ignored scnearios/bugs) - Added many unit tests to cover the various resumption scenarios - Minor refactoring
- Minor refactoring
- Fix up comments/documentation
- Update some traces and CLOG sidecar
…propriate init path - Clear buffers/buffer length at initialization - Clear buffer length after a ticket/app state is delivered - Add new series of e2e tests for non-zero length app resumption states for the new Schannel scenarios
…o missing library support - Unit tests that rely on empty tickets being indicated are moved back into OpenSSL-only category
|
This draft PR was used to develop this change: #5311 |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #5371 +/- ##
==========================================
- Coverage 86.71% 85.59% -1.12%
==========================================
Files 59 59
Lines 18328 18328
==========================================
- Hits 15893 15688 -205
- Misses 2435 2640 +205 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
|
|
||
| if (TLSExtensionAllocated && AppSessionStateAllocated && SessionTicketAllocated) { | ||
| break; | ||
| } |
There was a problem hiding this comment.
Is this check still needed when you have the check below
if (!(Result & CXPLAT_TLS_RESULT_ERROR) &&
(TLSExtensionAllocated || AppSessionStateAllocated || SessionTicketAllocated)) {
break;
}
| // Inline 1-RTT app state validation is not supported on Windows | ||
| // | ||
| return FALSE; | ||
| } |
There was a problem hiding this comment.
What does "Inline 1-RTT app state validation" mean?
|
|
||
| extern "C" | ||
| BOOLEAN | ||
| CxPlatSupportsTicketManagement(); |
There was a problem hiding this comment.
Test should not use internal functions.
To skip tests, please use the pattern used below (QUIC_DISABLE_0RTT_TESTS) so it is controled as a test configuration.
| } | ||
| else { |
There was a problem hiding this comment.
| } | |
| else { | |
| } else { |
| _In_ MsQuicConfiguration& ClientConfiguration, | ||
| _Out_ QUIC_BUFFER** ResumptionTicket | ||
| _Out_ QUIC_BUFFER** ResumptionTicket, | ||
| _In_ bool TrueResume |
There was a problem hiding this comment.
I think a better name is needed. TrueResume is very vague. I think it means "send a non-empty resume ticket"? A name capturing this would be better.
| // | ||
| // Received application session state on the server, typically notified to the server app. | ||
| // | ||
| PSEC_APP_SESSION_STATE RxAppSessionState; |
There was a problem hiding this comment.
Can we have "client" and "server" in the name for these variables? It's a little difficult to follow when looking at how they are used.
Maybe we can match the bit flags defined above?
|
|
||
| #ifdef QUIC_API_ENABLE_PREVIEW_FEATURES | ||
|
|
||
| QUIC_CREDENTIAL_FLAG_DISABLE_RESUMPTION = 0x00400000, // TODO: Combine this with CXPLAT_TLS_CREDENTIAL_FLAG_DISABLE_RESUMPTION |
There was a problem hiding this comment.
TODO to be solved before merging.
| memcpy(&ServerSelfSignedCredConfigSChannelResumption, SelfSignedCertParams, sizeof(QUIC_CREDENTIAL_CONFIG)); | ||
| memcpy(&ServerSelfSignedCredConfigClientAuth, SelfSignedCertParams, sizeof(QUIC_CREDENTIAL_CONFIG)); | ||
|
|
||
| #ifdef QUIC_API_ENABLE_PREVIEW_FEATURES |
There was a problem hiding this comment.
Question: Do we actually need this ifdef?
As far as I know:
- test code is always compiled with
QUIC_API_ENABLE_PREVIEW_FEATURES - preview features implementation is always compiled in MsQuic,
QUIC_API_ENABLE_PREVIEW_FEATURESonly control the visibility of definitions in the header
These uses of QUIC_API_ENABLE_PREVIEW_FEATURES in test code might be a remain from the past and not have any effect.
| } | ||
|
|
||
| #ifndef QUIC_API_ENABLE_PREVIEW_FEATURES | ||
| GTEST_SKIP_("Resumption ticket management is not supported in this build."); |
There was a problem hiding this comment.
That skip reason is misleading, the build always support preview features.
| return CxPlatSupportsTicketManagement(); | ||
| } | ||
|
|
||
| TEST_P(WithHandshakeArgs1, TrueResume) { |
There was a problem hiding this comment.
Please adapt the test name to describe what is tested here. If needed, feel free to change the Resume test name above to make it clear what the difference is.
| struct PrimeResumption { | ||
| CxPlatEvent ShutdownEvent; | ||
| MsQuicConnection* Connection {nullptr}; | ||
| bool TrueResume; |
There was a problem hiding this comment.
This is a C++ struct, please intialize this
| // | ||
| // If the input length is zero, then we are initializing the client | ||
| // side, and have a few special differences in this code path. | ||
| // Call to encode ticket data has different ordering of inputs and different inputs as well. |
There was a problem hiding this comment.
I don't understand this comment. Different from what? It would be more helpfult to explain the ordering needs in for the different scenarios
|
|
||
| if (ManagedResumptionTickets) { | ||
| // | ||
| // Explicit session management is in force for this context. |
There was a problem hiding this comment.
"in force": is this a typo? Did you mean "enforced"?
| } | ||
| #endif | ||
|
|
||
| if (AppSessionState != NULL) { |
There was a problem hiding this comment.
:O that function is so long, I had to scroll forever to find this cleanup.
We should break it down somehow (not for this PR)
| !AreResumptionTicketsManaged(TlsContext->SecConfig->Flags)){ | ||
| // | ||
| // Schannel currently sends the NST after receiving client finished. | ||
| // Older client behavior: Schannel sends the NST after receiving client finished. |
There was a problem hiding this comment.
What is "older" in this context?
There was a problem hiding this comment.
This isn't client behavior. Sending NST after receiving client finished is a server behavior. Its still the case, I believe, because NSTs can only be sent from the server after handshake but now the server with active management can defer sending the ticket. This piece of code fakes a ticket received event for schannel.
| // | ||
| // Client session state ticket is delivered only once. | ||
| // | ||
| TlsContext->RxSessionTicket->SessionTicketSize = 0; |
There was a problem hiding this comment.
Shouldn't we free the memory too in this case?
Description
SChannel in Windows 2025 and newer releases allows
These features help implement custom 1-RTT resumption tickets on SChannel server applications and custom resumption ticket handling on SChannel clients.
This PR adds support for these features and integrates it into existing MsQuic code that utilizes similar features supported in OpenSSL and quictls libraries. Bulk of these changes are in tls_schannel.c wrapper.
Where available (and when not explicitly disabled), MsQuic has been using the automatic SChannel 1-RTT resumption handling thus far and it would remain the default mechanism in the library.
This change introduces a new QUIC_CREDENTIAL_FLAG for SChannel use
An additional QUIC_CREDENTIAL_FLAG allows an app to turn disable the use of 1-RTT/resumption in SChannel.
These flags are available only under the preview features macro.
Methods added to tls_schannel.c and other wrappers help enable the new functionality on Server2025 and newer releases and also to target 1-RTT tests on the appropriate platforms.
This change is linked to these issues: #5307 and #5162
Testing
Existing 1-RTT unit tests, BVTs have been enabled for SChannel on Server2025+ and new unit tests are added for additional coverage in SChannel/OpenSSL/quictls.
Existing automatic resumption tests cover the default scenario and older Windows OS scenarios.
Documentation
Documentation has been added to the newly introduced credential flags.