author | lloyd <[email protected]> | 2012-08-05 20:31:42 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2012-08-05 20:31:42 +0000 |
commit | abede6dce6be19d3e916bff16048096f36bddb03 (patch) | |
tree | a9b336cc8c7eac8176ce4a3db69fa10bad98202c | |
parent | de2d1a699748c4cbd6f8bc8aaa67e02826108125 (diff) |
In the in-memory session manager, choose a random key at startup and
encrypt all of the sessions, decrypting before return. This minimizes
load on the locked memory (48 bytes master secret per session, vs 32
bytes for a single master key). It might also make recovering session
data from memory dumps a little bit harder, though this isn't worth
counting on IMO.
-rw-r--r-- | src/tls/tls_session.h | 2 | ||||
-rw-r--r-- | src/tls/tls_session_manager.cpp | 25 | ||||
-rw-r--r-- | src/tls/tls_session_manager.h | 11 |
3 files changed, 28 insertions, 10 deletions
diff --git a/src/tls/tls_session.h b/src/tls/tls_session.h index 2c474bc6a..ac18ebb48 100644 --- a/src/tls/tls_session.h +++ b/src/tls/tls_session.h @@ -77,7 +77,7 @@ class BOTAN_DLL Session * Encrypt a session (useful for serialization or session tickets) */ std::vector<byte> encrypt(const SymmetricKey& key, - RandomNumberGenerator& rng) const; + RandomNumberGenerator& rng) const; /** diff --git a/src/tls/tls_session_manager.cpp b/src/tls/tls_session_manager.cpp index 823f4c123..673ee90ff 100644 --- a/src/tls/tls_session_manager.cpp +++ b/src/tls/tls_session_manager.cpp @@ -1,11 +1,12 @@ /* * TLS Session Management -* (C) 2011 Jack Lloyd +* (C) 2011,2012 Jack Lloyd * * Released under the terms of the Botan license */ #include <botan/tls_session_manager.h> +#include <botan/libstate.h> #include <botan/hex.h> #include <chrono> @@ -13,6 +14,14 @@ namespace Botan { namespace TLS { +Session_Manager_In_Memory::Session_Manager_In_Memory( + size_t max_sessions, std::chrono::seconds session_lifetime) : + m_max_sessions(max_sessions), + m_session_lifetime(session_lifetime), + m_rng(global_state().global_rng()), + m_session_key(m_rng, 32) + {} + bool Session_Manager_In_Memory::load_from_session_str( const std::string& session_str, Session& session) { @@ -23,16 +32,24 @@ bool Session_Manager_In_Memory::load_from_session_str( if(i == m_sessions.end()) return false; + try + { + session = Session::decrypt(i->second, m_session_key); + } + catch(...) + { + return false; + } + // if session has expired, remove it const auto now = std::chrono::system_clock::now(); - if(i->second.start_time() + session_lifetime() < now) + if(session.start_time() + session_lifetime() < now) { m_sessions.erase(i); return false; } - session = i->second; return true; } 
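Review bot: In the new Session_Manager_In_Memory constructor, `m_rng(global_state().global_rng())` binds the manager to the library's global RNG by reference, so the object presumably needs the global state to exist first and must not outlive it; nothing in the hunk documents that. The next initializer, `m_session_key(m_rng, 32)`, is only correct because m_rng is declared before m_session_key in tls_session_manager.h, and it uses a bare 32 for the key length. I would add comments at the constructor such as `// requires initialized global state; m_rng must stay declared before m_session_key` and `// 32 bytes: random per-manager key generated at startup`.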
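Review bot: In load_from_session_str the caller's `session` is now overwritten by `Session::decrypt` before the expiry check, so a lookup that returns false for an expired entry still leaves the expired session, master secret included, in the out-parameter; the old code assigned only on success. The `catch(...)` path also returns without erasing the entry, and because m_session_key is fixed for the manager's lifetime, an entry that fails to decrypt once will keep failing while it occupies a slot. Decrypting into a local, assigning to `session` only after the expiry check, and erasing on failure addresses both; this assumes Session is copy-constructible, which the existing assignment suggests. The start of the function (the lookup that produces `i`) is outside the hunk.

```cpp
   // … unchanged: lookup of i in m_sessions and the end() check …

   try
      {
      // Decrypt into a temporary so the caller's object is untouched
      // unless the lookup actually succeeds
      Session decrypted = Session::decrypt(i->second, m_session_key);

      // if session has expired, remove it
      const auto now = std::chrono::system_clock::now();

      if(decrypted.start_time() + session_lifetime() < now)
         {
         m_sessions.erase(i);
         return false;
         }

      session = decrypted;
      return true;
      }
   catch(...)
      {
      // The key never changes, so an entry that fails to decrypt
      // will never succeed later; drop it instead of keeping the slot
      m_sessions.erase(i);
      return false;
      }
```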
@@ -96,7 +113,7 @@ void Session_Manager_In_Memory::save(const Session& session, u16bit port) const std::string session_id_str = hex_encode(session.session_id()); - m_sessions[session_id_str] = session; + m_sessions[session_id_str] = session.encrypt(m_session_key, m_rng); const std::string hostname = session.sni_hostname(); diff --git a/src/tls/tls_session_manager.h b/src/tls/tls_session_manager.h index 4c979362f..4efefb6ff 100644 --- a/src/tls/tls_session_manager.h +++ b/src/tls/tls_session_manager.h @@ -110,10 +110,8 @@ class BOTAN_DLL Session_Manager_In_Memory : public Session_Manager * seconds have elapsed from initial handshake. */ Session_Manager_In_Memory(size_t max_sessions = 1000, - std::chrono::seconds session_lifetime = std::chrono::seconds(7200)) : - m_max_sessions(max_sessions), - m_session_lifetime(session_lifetime) - {} + std::chrono::seconds session_lifetime = + std::chrono::seconds(7200)); bool load_from_session_id(const std::vector<byte>& session_id, Session& session) override; @@ -138,7 +136,10 @@ class BOTAN_DLL Session_Manager_In_Memory : public Session_Manager std::chrono::seconds m_session_lifetime; - std::map<std::string, Session> m_sessions; // hex(session_id) -> session + RandomNumberGenerator& m_rng; + SymmetricKey m_session_key; + + std::map<std::string, std::vector<byte>> m_sessions; // hex(session_id) -> session std::map<std::string, std::string> m_host_sessions; }; |
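Review bot: In save(), `m_sessions[session_id_str] = session.encrypt(m_session_key, m_rng);` can leave a default-constructed empty entry in the map if encrypt() throws, because operator[] may insert the key before the right-hand side is evaluated. Such an entry would later be rejected by the decrypt in load_from_session_str, but until then it presumably still counts against m_max_sessions. Encrypting first avoids that: `const std::vector<byte> ct = session.encrypt(m_session_key, m_rng);` followed by `m_sessions[session_id_str] = ct;`. The rest of save() lies outside the hunk, so whether its callers are prepared for it to throw cannot be seen here.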
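Review bot: The comment on m_sessions still reads `// hex(session_id) -> session`, but the mapped value is now the byte vector produced by Session::encrypt, not a Session. I would change it to `// hex(session_id) -> session encrypted under m_session_key`. The new members also deserve a line noting that m_rng must stay declared before m_session_key, since the constructor initializes the key from it. The reference member m_rng additionally removes the implicitly generated copy assignment, which matters only if something relied on assigning managers.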