authorlloyd <[email protected]>2012-03-23 00:00:16 +0000
committerlloyd <[email protected]>2012-03-23 00:00:16 +0000
commit508060bd6c1a26cffd94d43eefcd83adab1cc895 (patch)
tree60b4214cb3b4a85bbd72a8e27907adf47f90b52d
parent0a07acbfc915971a3da7e8f7e27819be8cbff923 (diff)
Only claim we support session tickets if we actually have a key of
some kind. Fix New_Session_Ticket decoding. Apparently when the RFC says that a server that does not want to send a ticket sends "an empty ticket" that means a lifetime value plus an empty ticket, not an actually empty extension.
-rw-r--r--src/tls/session_ticket.cpp12
-rw-r--r--src/tls/tls_server.cpp13
2 files changed, 16 insertions, 9 deletions
diff --git a/src/tls/session_ticket.cpp b/src/tls/session_ticket.cpp
index 47a8a5c32..273996a16 100644
--- a/src/tls/session_ticket.cpp
+++ b/src/tls/session_ticket.cpp
@@ -35,13 +35,13 @@ New_Session_Ticket::New_Session_Ticket(Record_Writer& writer,
New_Session_Ticket::New_Session_Ticket(const MemoryRegion<byte>& buf) :
m_ticket_lifetime_hint(0)
{
- if(buf.size() >= 6)
- {
- TLS_Data_Reader reader(buf);
+ if(buf.size() < 6)
+ throw Decoding_Error("Session ticket message too short to be valid");
- m_ticket_lifetime_hint = reader.get_u32bit();
- m_ticket = reader.get_range<byte>(2, 0, 65535);
- }
+ TLS_Data_Reader reader(buf);
+
+ m_ticket_lifetime_hint = reader.get_u32bit();
+ m_ticket = reader.get_range<byte>(2, 0, 65535);
}
MemoryVector<byte> New_Session_Ticket::serialize() const
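Review bot: After the lifetime hint and ticket are read, nothing in the new constructor rejects bytes left over in `buf`, so a New_Session_Ticket message with trailing data after the ticket is still accepted. Since the decoder is now strict about the minimum length, it would be consistent to be strict about the end too, e.g. `if(reader.has_remaining()) throw Decoding_Error("Session ticket message has trailing data");` after the `get_range` call (assuming the reader's has_remaining() query is available in this tree). A short comment on the constant, such as `// 4-byte lifetime hint + 2-byte ticket length`, would explain why 6 is the minimum.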
diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp
index a0920fc28..6ec139710 100644
--- a/src/tls/tls_server.cpp
+++ b/src/tls/tls_server.cpp
@@ -217,6 +217,13 @@ void Server::process_handshake_msg(Handshake_Type type,
creds,
state->client_hello);
+ SymmetricKey session_ticket_key;
+ try
+ {
+ session_ticket_key = creds.psk("tls-server", "session-ticket", "");
+ }
+ catch(...) {}
+
if(resuming)
{
// resume session
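Review bot: The empty `catch(...) {}` around `creds.psk(...)` treats every failure as "no ticket key configured", so an unexpected error from the credentials manager silently disables session tickets and leaves no trace for an operator. If the exception type thrown for a missing key is known, catch only that one; otherwise at least state the intent, e.g. `catch(...) {} // no ticket key available: tickets will not be offered`. The lookup also runs before the `if(resuming)` split, so it happens even when the client did not send the extension; guarding it with `state->client_hello->supports_session_ticket()` would avoid fetching key material that is not needed. process_handshake_msg starts and ends outside this hunk.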
@@ -231,7 +238,7 @@ void Server::process_handshake_msg(Handshake_Type type,
session_info.fragment_size(),
secure_renegotiation.supported(),
secure_renegotiation.for_server_hello(),
- state->client_hello->supports_session_ticket(),
+ state->client_hello->supports_session_ticket() && session_ticket_key.length() > 0,
state->client_hello->next_protocol_notification(),
m_possible_protocols,
rng);
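Review bot: The key check is added only to this Server_Hello call, which appears to be the resumption path, judging by the `// resume session` comment just above. The full-handshake Server_Hello is not part of the diff, so it should be confirmed that it does not still advertise ticket support when no key exists. Naming the condition once, e.g. `const bool offer_ticket = state->client_hello->supports_session_ticket() && session_ticket_key.length() > 0;`, would keep the two paths consistent and shorten this argument line. The call itself begins outside the hunk.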
@@ -259,9 +266,9 @@ void Server::process_handshake_msg(Handshake_Type type,
{
try
{
- SymmetricKey key = creds.psk("tls-server", "session-ticket", "");
state->new_session_ticket =
- new New_Session_Ticket(writer, state->hash, session_info.encrypt(key, rng));
+ new New_Session_Ticket(writer, state->hash,
+ session_info.encrypt(session_ticket_key, rng));
}
catch(...)
{
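Review bot: `session_info.encrypt(session_ticket_key, rng)` can now be handed a default-constructed, zero-length key when the earlier `creds.psk` lookup failed, whereas previously the lookup itself threw inside this `try`. Whether that is safe depends on the enclosing condition and on `encrypt` rejecting an empty key, and neither is visible in the hunk. Checking `session_ticket_key.length() > 0` before the `encrypt` call would make the "no key, no encrypted ticket" rule explicit at the point where the key is used. The `catch(...)` body continues outside the hunk.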