aboutsummaryrefslogtreecommitdiffstats
path: root/src/tls
diff options
context:
space:
mode:
authorlloyd <[email protected]>2012-03-23 13:37:34 +0000
committerlloyd <[email protected]>2012-03-23 13:37:34 +0000
commitbd92af1b7fff3943703f2422836db84ba71f4e44 (patch)
tree2f3c7116e66e6dc2b7e486e2a571f872c6922366 /src/tls
parentafcd29c599e1e27b674df4f630a665c095b0ff44 (diff)
Add a special hook in credentials manager for the session ticket key,
with a default implementation that creates a new random key on the first call.
Diffstat (limited to 'src/tls')
-rw-r--r--src/tls/tls_server.cpp50
1 files changed, 33 insertions, 17 deletions
diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp
index 6ec139710..e4c7ea339 100644
--- a/src/tls/tls_server.cpp
+++ b/src/tls/tls_server.cpp
@@ -40,9 +40,13 @@ bool check_for_resume(Session& session_info,
// If a session ticket was sent, ignore client session ID
try
{
- session_info = Session::decrypt(
- session_ticket,
- credentials.psk("tls-server", "session-ticket", ""));
+ const SymmetricKey& session_ticket_key = credentials.session_ticket_key();
+
+ if(session_ticket_key.length() == 0)
+ return false;
+
+ session_info = Session::decrypt(session_ticket,
+ session_ticket_key);
}
catch(...)
{
@@ -217,12 +221,7 @@ void Server::process_handshake_msg(Handshake_Type type,
creds,
state->client_hello);
- SymmetricKey session_ticket_key;
- try
- {
- session_ticket_key = creds.psk("tls-server", "session-ticket", "");
- }
- catch(...) {}
+ const SymmetricKey& session_ticket_key = creds.session_ticket_key();
if(resuming)
{
@@ -423,9 +422,10 @@ void Server::process_handshake_msg(Handshake_Type type,
state->hash.update(type, contents);
/*
- * Using DECRYPT_ERROR looks weird here, but per RFC 4346 is for
- * "A handshake cryptographic operation failed, including being
- * unable to correctly verify a signature, ..."
+ * Using DECRYPT_ERROR looks weird here, but per RFC 4346 this
+ * error is for indicating that "A handshake cryptographic
+ * operation failed, including being unable to correctly verify a
+ * signature, ..."
*/
if(!sig_valid)
throw TLS_Exception(Alert::DECRYPT_ERROR, "Client cert verify failed");
@@ -496,9 +496,17 @@ void Server::process_handshake_msg(Handshake_Type type,
{
try
{
- SymmetricKey key = creds.psk("tls-server", "session-ticket", "");
- state->new_session_ticket =
- new New_Session_Ticket(writer, state->hash, session_info.encrypt(key, rng));
+ const SymmetricKey& session_ticket_key =
+ creds.session_ticket_key();
+
+ if(session_ticket_key.length() > 0)
+ {
+ state->new_session_ticket =
+ new New_Session_Ticket(
+ writer,
+ state->hash,
+ session_info.encrypt(session_ticket_key, rng));
+ }
}
catch(...) {}
}
@@ -506,8 +514,16 @@ void Server::process_handshake_msg(Handshake_Type type,
session_manager.save(session_info);
}
- if(state->server_hello->supports_session_ticket() && !state->new_session_ticket)
- state->new_session_ticket = new New_Session_Ticket(writer, state->hash);
+ /*
+ If we sent the extension we have to send something;
+ an empty ticket is allowed
+ */
+ if(!state->new_session_ticket &&
+ state->server_hello->supports_session_ticket())
+ {
+ state->new_session_ticket =
+ new New_Session_Ticket(writer, state->hash);
+ }
writer.send(CHANGE_CIPHER_SPEC, 1);