aboutsummaryrefslogtreecommitdiffstats
path: root/src/tls
diff options
context:
space:
mode:
authorlloyd <[email protected]>2012-03-22 15:59:24 +0000
committerlloyd <[email protected]>2012-03-22 15:59:24 +0000
commit544171d3e20d65f17a1d3955388a8db4f04cfe44 (patch)
tree18cffe0f9fae50ed2ba935d4bb1c882a05200f17 /src/tls
parentcc9e16e623466d3d7a71b69736a816e665302bd4 (diff)
Working client-side session tickets. Tested against gmail.com and
OpenSSL 1.0.1-beta2 running on localhost.
Diffstat (limited to 'src/tls')
-rw-r--r--src/tls/c_hello.cpp7
-rw-r--r--src/tls/session_ticket.cpp2
-rw-r--r--src/tls/sessions_sqlite/tls_sqlite_sess_mgr.cpp3
-rw-r--r--src/tls/tls_client.cpp32
-rw-r--r--src/tls/tls_handshake_state.cpp8
-rw-r--r--src/tls/tls_handshake_state.h2
6 files changed, 37 insertions, 17 deletions
diff --git a/src/tls/c_hello.cpp b/src/tls/c_hello.cpp
index df76c748f..0798bfaf3 100644
--- a/src/tls/c_hello.cpp
+++ b/src/tls/c_hello.cpp
@@ -102,7 +102,8 @@ Client_Hello::Client_Hello(Record_Writer& writer,
m_next_protocol(next_protocol),
m_fragment_size(session.fragment_size()),
m_secure_renegotiation(session.secure_renegotiation()),
- m_supports_session_ticket(true)
+ m_supports_session_ticket(true),
+ m_session_ticket(session.session_ticket())
{
m_suites.push_back(session.ciphersuite_code());
m_comp_methods.push_back(session.compression_method());
@@ -159,18 +160,20 @@ MemoryVector<byte> Client_Hello::serialize() const
extensions.add(new Server_Name_Indicator(m_hostname));
extensions.add(new SRP_Identifier(m_srp_identifier));
extensions.add(new Supported_Elliptic_Curves(m_supported_curves));
- extensions.add(new Session_Ticket());
if(m_version >= Protocol_Version::TLS_V12)
extensions.add(new Signature_Algorithms(m_supported_algos));
if(m_next_protocol)
extensions.add(new Next_Protocol_Notification());
+
+ extensions.add(new Session_Ticket(m_session_ticket));
}
else
{
// renegotiation
extensions.add(new Renegotation_Extension(m_renegotiation_info));
+ extensions.add(new Session_Ticket(m_session_ticket));
}
buf += extensions.serialize();
diff --git a/src/tls/session_ticket.cpp b/src/tls/session_ticket.cpp
index 6aa05c577..d209d3dca 100644
--- a/src/tls/session_ticket.cpp
+++ b/src/tls/session_ticket.cpp
@@ -18,7 +18,7 @@ namespace TLS {
New_Session_Ticket::New_Session_Ticket(const MemoryRegion<byte>& buf) :
m_ticket_lifetime_hint(0)
{
- if(buf.size() >= 4)
+ if(buf.size() >= 6)
{
TLS_Data_Reader reader(buf);
diff --git a/src/tls/sessions_sqlite/tls_sqlite_sess_mgr.cpp b/src/tls/sessions_sqlite/tls_sqlite_sess_mgr.cpp
index 7605313ff..61e68a7b4 100644
--- a/src/tls/sessions_sqlite/tls_sqlite_sess_mgr.cpp
+++ b/src/tls/sessions_sqlite/tls_sqlite_sess_mgr.cpp
@@ -191,7 +191,8 @@ void Session_Manager_SQLite::remove_entry(const MemoryRegion<byte>& session_id)
void Session_Manager_SQLite::save(const Session& session)
{
- sqlite3_statement stmt(m_db, "insert into " + m_table_name + " values(?1, ?2, ?3, ?4, ?5)");
+ sqlite3_statement stmt(m_db, "insert or replace into " + m_table_name +
+ " values(?1, ?2, ?3, ?4, ?5)");
stmt.bind(1, hex_encode(session.session_id()));
stmt.bind(2, session.start_time());
diff --git a/src/tls/tls_client.cpp b/src/tls/tls_client.cpp
index f6e016725..06a58385c 100644
--- a/src/tls/tls_client.cpp
+++ b/src/tls/tls_client.cpp
@@ -11,9 +11,6 @@
#include <botan/internal/stl_util.h>
#include <memory>
-#include <stdio.h>
-#include <botan/hex.h>
-
namespace Botan {
namespace TLS {
@@ -115,7 +112,7 @@ void Client::alert_notify(const Alert& alert)
* Process a handshake message
*/
void Client::process_handshake_msg(Handshake_Type type,
- const MemoryRegion<byte>& contents)
+ const MemoryRegion<byte>& contents)
{
if(state == 0)
throw Unexpected_Message("Unexpected handshake message from server");
@@ -138,12 +135,12 @@ void Client::process_handshake_msg(Handshake_Type type,
return;
}
- state->set_expected_next(SERVER_HELLO);
state->client_hello = new Client_Hello(writer, state->hash, policy, rng,
secure_renegotiation.for_client_hello());
-
secure_renegotiation.update(state->client_hello);
+ state->set_expected_next(SERVER_HELLO);
+
return;
}
@@ -192,8 +189,11 @@ void Client::process_handshake_msg(Handshake_Type type,
state->suite = Ciphersuite::by_id(state->server_hello->ciphersuite());
- if(!state->server_hello->session_id().empty() &&
- (state->server_hello->session_id() == state->client_hello->session_id()))
+ const bool server_returned_same_session_id =
+ !state->server_hello->session_id().empty() &&
+ (state->server_hello->session_id() == state->client_hello->session_id());
+
+ if(server_returned_same_session_id)
{
// successful resumption
@@ -416,8 +416,17 @@ void Client::process_handshake_msg(Handshake_Type type,
state->client_finished = new Finished(writer, state, CLIENT);
}
+ secure_renegotiation.update(state->client_finished, state->server_finished);
+
+ MemoryVector<byte> session_id = state->server_hello->session_id();
+
+ const MemoryRegion<byte>& session_ticket = state->session_ticket();
+
+ if(session_id.empty() && !session_ticket.empty())
+ session_id = make_hello_random(rng);
+
Session session_info(
- state->server_hello->session_id(),
+ session_id,
state->keys.master_secret(),
state->server_hello->version(),
state->server_hello->ciphersuite(),
@@ -426,8 +435,7 @@ void Client::process_handshake_msg(Handshake_Type type,
secure_renegotiation.supported(),
state->server_hello->fragment_size(),
peer_certs,
- state->new_session_ticket ? state->new_session_ticket->ticket() :
- MemoryVector<byte>(),
+ session_ticket,
state->client_hello->sni_hostname(),
""
);
@@ -437,8 +445,6 @@ void Client::process_handshake_msg(Handshake_Type type,
else
session_manager.remove_entry(session_info.session_id());
- secure_renegotiation.update(state->client_finished, state->server_finished);
-
delete state;
state = 0;
handshake_completed = true;
diff --git a/src/tls/tls_handshake_state.cpp b/src/tls/tls_handshake_state.cpp
index 4a82a1641..6ddd8d346 100644
--- a/src/tls/tls_handshake_state.cpp
+++ b/src/tls/tls_handshake_state.cpp
@@ -143,6 +143,14 @@ bool Handshake_State::received_handshake_msg(Handshake_Type handshake_msg) const
return (hand_received_mask & mask);
}
+const MemoryRegion<byte>& Handshake_State::session_ticket() const
+ {
+ if(new_session_ticket && !new_session_ticket->ticket().empty())
+ return new_session_ticket->ticket();
+
+ return client_hello->session_ticket();
+ }
+
KDF* Handshake_State::protocol_specific_prf()
{
if(version() == Protocol_Version::SSL_V3)
diff --git a/src/tls/tls_handshake_state.h b/src/tls/tls_handshake_state.h
index 52bfd24b2..2a78d1d1e 100644
--- a/src/tls/tls_handshake_state.h
+++ b/src/tls/tls_handshake_state.h
@@ -50,6 +50,8 @@ class Handshake_State
void confirm_transition_to(Handshake_Type handshake_msg);
void set_expected_next(Handshake_Type handshake_msg);
+ const MemoryRegion<byte>& session_ticket() const;
+
std::pair<std::string, Signature_Format>
understand_sig_format(const Public_Key* key,
std::string hash_algo,