diff options
author | lloyd <[email protected]> | 2012-03-23 13:37:34 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2012-03-23 13:37:34 +0000 |
commit | bd92af1b7fff3943703f2422836db84ba71f4e44 (patch) | |
tree | 2f3c7116e66e6dc2b7e486e2a571f872c6922366 /src/tls | |
parent | afcd29c599e1e27b674df4f630a665c095b0ff44 (diff) |
Add a special hook in credentials manager for the session ticket key,
with a default implementation that creates a new random key on the
first call.
Diffstat (limited to 'src/tls')
-rw-r--r-- | src/tls/tls_server.cpp | 50 |
1 files changed, 33 insertions, 17 deletions
diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp index 6ec139710..e4c7ea339 100644 --- a/src/tls/tls_server.cpp +++ b/src/tls/tls_server.cpp @@ -40,9 +40,13 @@ bool check_for_resume(Session& session_info, // If a session ticket was sent, ignore client session ID try { - session_info = Session::decrypt( - session_ticket, - credentials.psk("tls-server", "session-ticket", "")); + const SymmetricKey& session_ticket_key = credentials.session_ticket_key(); + + if(session_ticket_key.length() == 0) + return false; + + session_info = Session::decrypt(session_ticket, + session_ticket_key); } catch(...) { @@ -217,12 +221,7 @@ void Server::process_handshake_msg(Handshake_Type type, creds, state->client_hello); - SymmetricKey session_ticket_key; - try - { - session_ticket_key = creds.psk("tls-server", "session-ticket", ""); - } - catch(...) {} + const SymmetricKey& session_ticket_key = creds.session_ticket_key(); if(resuming) { @@ -423,9 +422,10 @@ void Server::process_handshake_msg(Handshake_Type type, state->hash.update(type, contents); /* - * Using DECRYPT_ERROR looks weird here, but per RFC 4346 is for - * "A handshake cryptographic operation failed, including being - * unable to correctly verify a signature, ..." + * Using DECRYPT_ERROR looks weird here, but per RFC 4346 this + * error is for indicating that "A handshake cryptographic + * operation failed, including being unable to correctly verify a + * signature, ..." */ if(!sig_valid) throw TLS_Exception(Alert::DECRYPT_ERROR, "Client cert verify failed"); @@ -496,9 +496,17 @@ void Server::process_handshake_msg(Handshake_Type type, { try { - SymmetricKey key = creds.psk("tls-server", "session-ticket", ""); - state->new_session_ticket = - new New_Session_Ticket(writer, state->hash, session_info.encrypt(key, rng)); + const SymmetricKey& session_ticket_key = + creds.session_ticket_key(); + + if(session_ticket_key.length() > 0) + { + state->new_session_ticket = + new New_Session_Ticket( + writer, + state->hash, + session_info.encrypt(session_ticket_key, rng)); + } } catch(...) {} } @@ -506,8 +514,16 @@ void Server::process_handshake_msg(Handshake_Type type, session_manager.save(session_info); } - if(state->server_hello->supports_session_ticket() && !state->new_session_ticket) - state->new_session_ticket = new New_Session_Ticket(writer, state->hash); + /* + If we sent the extension we have to send something; + an empty ticket is allowed + */ + if(!state->new_session_ticket && + state->server_hello->supports_session_ticket()) + { + state->new_session_ticket = + new New_Session_Ticket(writer, state->hash); + } writer.send(CHANGE_CIPHER_SPEC, 1); |