diff options
author | lloyd <[email protected]> | 2012-03-23 00:00:16 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2012-03-23 00:00:16 +0000 |
commit | 508060bd6c1a26cffd94d43eefcd83adab1cc895 (patch) | |
tree | 60b4214cb3b4a85bbd72a8e27907adf47f90b52d /src/tls | |
parent | 0a07acbfc915971a3da7e8f7e27819be8cbff923 (diff) |
Only claim we support session tickets if we actually have a key of
some kind.
Fix New_Session_Ticket decoding. Apparently when the RFC says that a
server that does not want to send a ticket sends "an empty ticket"
that means a lifetime value plus an empty ticket, not an actually
empty extension.
Diffstat (limited to 'src/tls')
-rw-r--r-- | src/tls/session_ticket.cpp | 12 | ||||
-rw-r--r-- | src/tls/tls_server.cpp | 13 |
2 files changed, 16 insertions, 9 deletions
diff --git a/src/tls/session_ticket.cpp b/src/tls/session_ticket.cpp index 47a8a5c32..273996a16 100644 --- a/src/tls/session_ticket.cpp +++ b/src/tls/session_ticket.cpp @@ -35,13 +35,13 @@ New_Session_Ticket::New_Session_Ticket(Record_Writer& writer, New_Session_Ticket::New_Session_Ticket(const MemoryRegion<byte>& buf) : m_ticket_lifetime_hint(0) { - if(buf.size() >= 6) - { - TLS_Data_Reader reader(buf); + if(buf.size() < 6) + throw Decoding_Error("Session ticket message too short to be valid"); - m_ticket_lifetime_hint = reader.get_u32bit(); - m_ticket = reader.get_range<byte>(2, 0, 65535); - } + TLS_Data_Reader reader(buf); + + m_ticket_lifetime_hint = reader.get_u32bit(); + m_ticket = reader.get_range<byte>(2, 0, 65535); } MemoryVector<byte> New_Session_Ticket::serialize() const diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp index a0920fc28..6ec139710 100644 --- a/src/tls/tls_server.cpp +++ b/src/tls/tls_server.cpp @@ -217,6 +217,13 @@ void Server::process_handshake_msg(Handshake_Type type, creds, state->client_hello); + SymmetricKey session_ticket_key; + try + { + session_ticket_key = creds.psk("tls-server", "session-ticket", ""); + } + catch(...) {} + if(resuming) { // resume session @@ -231,7 +238,7 @@ void Server::process_handshake_msg(Handshake_Type type, session_info.fragment_size(), secure_renegotiation.supported(), secure_renegotiation.for_server_hello(), - state->client_hello->supports_session_ticket(), + state->client_hello->supports_session_ticket() && session_ticket_key.length() > 0, state->client_hello->next_protocol_notification(), m_possible_protocols, rng); @@ -259,9 +266,9 @@ void Server::process_handshake_msg(Handshake_Type type, { try { - SymmetricKey key = creds.psk("tls-server", "session-ticket", ""); state->new_session_ticket = - new New_Session_Ticket(writer, state->hash, session_info.encrypt(key, rng)); + new New_Session_Ticket(writer, state->hash, + session_info.encrypt(session_ticket_key, rng)); } catch(...) { |