mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-02-21 15:41:00 +00:00
Session ticket expiration checked on server
parent
f0e39acb58
commit
606b4ba20f
@ -1332,6 +1332,7 @@
|
|||||||
// SSL options
|
// SSL options
|
||||||
//
|
//
|
||||||
#define SSL_MAX_CONTENT_LEN 16384 /**< Size of the input / output buffer */
|
#define SSL_MAX_CONTENT_LEN 16384 /**< Size of the input / output buffer */
|
||||||
|
#define SSL_DEFAULT_TICKET_LIFETIME 86400 /**< Lifetime of session tickets (if enabled) */
|
||||||
|
|
||||||
#endif /* POLARSSL_CONFIG_OPTIONS */
|
#endif /* POLARSSL_CONFIG_OPTIONS */
|
||||||
|
|
||||||
|
@ -84,7 +84,7 @@
|
|||||||
* ECP 4 4 (Started from top)
|
* ECP 4 4 (Started from top)
|
||||||
* MD 5 4
|
* MD 5 4
|
||||||
* CIPHER 6 5
|
* CIPHER 6 5
|
||||||
* SSL 6 4 (Started from top)
|
* SSL 6 5 (Started from top)
|
||||||
* SSL 7 31
|
* SSL 7 31
|
||||||
*
|
*
|
||||||
* Module dependent error code (5 bits 0x.08.-0x.F8.)
|
* Module dependent error code (5 bits 0x.08.-0x.F8.)
|
||||||
|
@ -109,6 +109,7 @@
|
|||||||
#define POLARSSL_ERR_SSL_COMPRESSION_FAILED -0x6F00 /**< Processing of the compression / decompression failed */
|
#define POLARSSL_ERR_SSL_COMPRESSION_FAILED -0x6F00 /**< Processing of the compression / decompression failed */
|
||||||
#define POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION -0x6E80 /**< Handshake protocol not within min/max boundaries */
|
#define POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION -0x6E80 /**< Handshake protocol not within min/max boundaries */
|
||||||
#define POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET -0x6E00 /**< Processing of the NewSessionTicket handshake message failed. */
|
#define POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET -0x6E00 /**< Processing of the NewSessionTicket handshake message failed. */
|
||||||
|
#define POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED -0x6D80 /**< Session ticket has expired. */
|
||||||
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -158,6 +159,10 @@
|
|||||||
#define SSL_SESSION_TICKETS_DISABLED 0
|
#define SSL_SESSION_TICKETS_DISABLED 0
|
||||||
#define SSL_SESSION_TICKETS_ENABLED 1
|
#define SSL_SESSION_TICKETS_ENABLED 1
|
||||||
|
|
||||||
|
#if !defined(POLARSSL_CONFIG_OPTIONS)
|
||||||
|
#define SSL_DEFAULT_TICKET_LIFETIME 86400 /**< Lifetime of session tickets (if enabled) */
|
||||||
|
#endif /* !POLARSSL_CONFIG_OPTIONS */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Size of the input / output buffer.
|
* Size of the input / output buffer.
|
||||||
* Note: the RFC defines the default size of SSL / TLS messages. If you
|
* Note: the RFC defines the default size of SSL / TLS messages. If you
|
||||||
@ -592,7 +597,10 @@ struct _ssl_context
|
|||||||
int allow_legacy_renegotiation; /*!< allow legacy renegotiation */
|
int allow_legacy_renegotiation; /*!< allow legacy renegotiation */
|
||||||
const int *ciphersuite_list[4]; /*!< allowed ciphersuites / version */
|
const int *ciphersuite_list[4]; /*!< allowed ciphersuites / version */
|
||||||
int trunc_hmac; /*!< negotiate truncated hmac? */
|
int trunc_hmac; /*!< negotiate truncated hmac? */
|
||||||
|
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
||||||
int session_tickets; /*!< use session tickets? */
|
int session_tickets; /*!< use session tickets? */
|
||||||
|
int ticket_lifetime; /*!< session ticket lifetime */
|
||||||
|
#endif
|
||||||
|
|
||||||
#if defined(POLARSSL_DHM_C)
|
#if defined(POLARSSL_DHM_C)
|
||||||
mpi dhm_P; /*!< prime modulus for DHM */
|
mpi dhm_P; /*!< prime modulus for DHM */
|
||||||
@ -1065,6 +1073,15 @@ int ssl_set_truncated_hmac( ssl_context *ssl, int truncate );
|
|||||||
* or a specific error code (server only).
|
* or a specific error code (server only).
|
||||||
*/
|
*/
|
||||||
int ssl_set_session_tickets( ssl_context *ssl, int use_tickets );
|
int ssl_set_session_tickets( ssl_context *ssl, int use_tickets );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Set session ticket lifetime (server only)
|
||||||
|
* (Default: SSL_DEFAULT_TICKET_LIFETIME (86400 secs / 1 day))
|
||||||
|
*
|
||||||
|
* \param ssl SSL context
|
||||||
|
* \param lifetime session ticket lifetime
|
||||||
|
*/
|
||||||
|
void ssl_set_session_ticket_lifetime( ssl_context *ssl, int lifetime );
|
||||||
#endif /* POLARSSL_SSL_SESSION_TICKETS */
|
#endif /* POLARSSL_SSL_SESSION_TICKETS */
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
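Review bot: The new doc comment for `ssl_set_session_ticket_lifetime` gives `\param lifetime` no unit; seconds are only implied by the default line above it. I would write `\param lifetime   session ticket lifetime, in seconds` and add a `\note` that the server only enforces the limit when POLARSSL_HAVE_TIME is defined, since the expiry check elsewhere in this commit is compiled out without it. Without that note an integrator on a platform with no clock may assume tickets expire when they do not.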
@ -371,6 +371,8 @@ void polarssl_strerror( int ret, char *buf, size_t buflen )
|
|||||||
snprintf( buf, buflen, "SSL - Handshake protocol not within min/max boundaries" );
|
snprintf( buf, buflen, "SSL - Handshake protocol not within min/max boundaries" );
|
||||||
if( use_ret == -(POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET) )
|
if( use_ret == -(POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET) )
|
||||||
snprintf( buf, buflen, "SSL - Processing of the NewSessionTicket handshake message failed" );
|
snprintf( buf, buflen, "SSL - Processing of the NewSessionTicket handshake message failed" );
|
||||||
|
if( use_ret == -(POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED) )
|
||||||
|
snprintf( buf, buflen, "SSL - Session ticket has expired" );
|
||||||
#endif /* POLARSSL_SSL_TLS_C */
|
#endif /* POLARSSL_SSL_TLS_C */
|
||||||
|
|
||||||
#if defined(POLARSSL_X509_PARSE_C)
|
#if defined(POLARSSL_X509_PARSE_C)
|
||||||
|
@ -288,6 +288,16 @@ static int ssl_parse_ticket( ssl_context *ssl,
|
|||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if defined(POLARSSL_HAVE_TIME)
|
||||||
|
/* Check if still valid */
|
||||||
|
if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime )
|
||||||
|
{
|
||||||
|
SSL_DEBUG_MSG( 1, ( "session ticket expired" ) );
|
||||||
|
memset( &session, 0, sizeof( ssl_session ) );
|
||||||
|
return( POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED );
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Keep the session ID sent by the client, since we MUST send it back to
|
* Keep the session ID sent by the client, since we MUST send it back to
|
||||||
* inform him we're accepting the ticket (RFC 5077 section 3.4)
|
* inform him we're accepting the ticket (RFC 5077 section 3.4)
|
||||||
|
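Review bot: The expiry test in the added `#if defined(POLARSSL_HAVE_TIME)` block only rejects tickets that are too old: if `session.start` is later than `time( NULL )` (clock stepped back, or another server with a faster clock issued the ticket) the difference is negative and the ticket is accepted, and the `(int)` cast can change the value where `time_t` is wider than `int`. I would compare in `time_t` and reject both directions, e.g. `time_t now = time( NULL ); if( now < session.start || now - session.start > (time_t) ssl->ticket_lifetime )`. The `memset( &session, 0, sizeof( ssl_session ) )` just before `return` clears a local that is never read again, so an optimizing compiler may drop it and leave the resumed session's secrets on the stack; a wipe through a volatile pointer avoids that, and if the deserialized session owns heap data (not visible in this hunk) it needs freeing rather than zeroing. Builds without POLARSSL_HAVE_TIME skip the check and accept tickets indefinitely, which deserves a comment at this spot. ssl_parse_ticket starts and ends outside the hunk.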
@ -2898,6 +2898,10 @@ int ssl_init( ssl_context *ssl )
|
|||||||
ssl->hostname = NULL;
|
ssl->hostname = NULL;
|
||||||
ssl->hostname_len = 0;
|
ssl->hostname_len = 0;
|
||||||
|
|
||||||
|
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
||||||
|
ssl->ticket_lifetime = SSL_DEFAULT_TICKET_LIFETIME;
|
||||||
|
#endif
|
||||||
|
|
||||||
if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
|
if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
|
||||||
return( ret );
|
return( ret );
|
||||||
|
|
||||||
@ -3016,8 +3020,10 @@ void ssl_set_endpoint( ssl_context *ssl, int endpoint )
|
|||||||
{
|
{
|
||||||
ssl->endpoint = endpoint;
|
ssl->endpoint = endpoint;
|
||||||
|
|
||||||
|
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
||||||
if( endpoint == SSL_IS_CLIENT )
|
if( endpoint == SSL_IS_CLIENT )
|
||||||
ssl->session_tickets = SSL_SESSION_TICKETS_ENABLED;
|
ssl->session_tickets = SSL_SESSION_TICKETS_ENABLED;
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
void ssl_set_authmode( ssl_context *ssl, int authmode )
|
void ssl_set_authmode( ssl_context *ssl, int authmode )
|
||||||
@ -3278,6 +3284,11 @@ int ssl_set_session_tickets( ssl_context *ssl, int use_tickets )
|
|||||||
|
|
||||||
return( ssl_ticket_keys_init( ssl ) );
|
return( ssl_ticket_keys_init( ssl ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void ssl_set_session_ticket_lifetime( ssl_context *ssl, int lifetime )
|
||||||
|
{
|
||||||
|
ssl->ticket_lifetime = lifetime;
|
||||||
|
}
|
||||||
#endif /* POLARSSL_SSL_SESSION_TICKETS */
|
#endif /* POLARSSL_SSL_SESSION_TICKETS */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
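Review bot: `ssl_set_session_ticket_lifetime` stores `lifetime` unchecked, and because it returns `void` a caller gets no signal for a nonsensical value. With the server-side test `> ssl->ticket_lifetime`, a negative lifetime would presumably reject every ticket, while a very large one effectively turns expiry off. I would at least state this on the setter with a comment such as `/* lifetime is in seconds; values <= 0 cause all tickets to be treated as expired */`, or have the setter ignore non-positive values so a misconfiguration does not silently change resumption behaviour.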