diff options
author | lloyd <[email protected]> | 2012-03-22 15:59:24 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2012-03-22 15:59:24 +0000 |
commit | 544171d3e20d65f17a1d3955388a8db4f04cfe44 (patch) | |
tree | 18cffe0f9fae50ed2ba935d4bb1c882a05200f17 /src | |
parent | cc9e16e623466d3d7a71b69736a816e665302bd4 (diff) |
Working client-side session tickets. Tested against gmail.com and
OpenSSL 1.0.1-beta2 running on localhost.
Diffstat (limited to 'src')
-rw-r--r-- | src/tls/c_hello.cpp | 7 | ||||
-rw-r--r-- | src/tls/session_ticket.cpp | 2 | ||||
-rw-r--r-- | src/tls/sessions_sqlite/tls_sqlite_sess_mgr.cpp | 3 | ||||
-rw-r--r-- | src/tls/tls_client.cpp | 32 | ||||
-rw-r--r-- | src/tls/tls_handshake_state.cpp | 8 | ||||
-rw-r--r-- | src/tls/tls_handshake_state.h | 2 |
6 files changed, 37 insertions, 17 deletions
diff --git a/src/tls/c_hello.cpp b/src/tls/c_hello.cpp index df76c748f..0798bfaf3 100644 --- a/src/tls/c_hello.cpp +++ b/src/tls/c_hello.cpp @@ -102,7 +102,8 @@ Client_Hello::Client_Hello(Record_Writer& writer, m_next_protocol(next_protocol), m_fragment_size(session.fragment_size()), m_secure_renegotiation(session.secure_renegotiation()), - m_supports_session_ticket(true) + m_supports_session_ticket(true), + m_session_ticket(session.session_ticket()) { m_suites.push_back(session.ciphersuite_code()); m_comp_methods.push_back(session.compression_method()); @@ -159,18 +160,20 @@ MemoryVector<byte> Client_Hello::serialize() const extensions.add(new Server_Name_Indicator(m_hostname)); extensions.add(new SRP_Identifier(m_srp_identifier)); extensions.add(new Supported_Elliptic_Curves(m_supported_curves)); - extensions.add(new Session_Ticket()); if(m_version >= Protocol_Version::TLS_V12) extensions.add(new Signature_Algorithms(m_supported_algos)); if(m_next_protocol) extensions.add(new Next_Protocol_Notification()); + + extensions.add(new Session_Ticket(m_session_ticket)); } else { // renegotiation extensions.add(new Renegotation_Extension(m_renegotiation_info)); + extensions.add(new Session_Ticket(m_session_ticket)); } buf += extensions.serialize(); diff --git a/src/tls/session_ticket.cpp b/src/tls/session_ticket.cpp index 6aa05c577..d209d3dca 100644 --- a/src/tls/session_ticket.cpp +++ b/src/tls/session_ticket.cpp @@ -18,7 +18,7 @@ namespace TLS { New_Session_Ticket::New_Session_Ticket(const MemoryRegion<byte>& buf) : m_ticket_lifetime_hint(0) { - if(buf.size() >= 4) + if(buf.size() >= 6) { TLS_Data_Reader reader(buf); diff --git a/src/tls/sessions_sqlite/tls_sqlite_sess_mgr.cpp b/src/tls/sessions_sqlite/tls_sqlite_sess_mgr.cpp index 7605313ff..61e68a7b4 100644 --- a/src/tls/sessions_sqlite/tls_sqlite_sess_mgr.cpp +++ b/src/tls/sessions_sqlite/tls_sqlite_sess_mgr.cpp @@ -191,7 +191,8 @@ void Session_Manager_SQLite::remove_entry(const MemoryRegion<byte>& session_id) void Session_Manager_SQLite::save(const Session& session) { - sqlite3_statement stmt(m_db, "insert into " + m_table_name + " values(?1, ?2, ?3, ?4, ?5)"); + sqlite3_statement stmt(m_db, "insert or replace into " + m_table_name + + " values(?1, ?2, ?3, ?4, ?5)"); stmt.bind(1, hex_encode(session.session_id())); stmt.bind(2, session.start_time()); diff --git a/src/tls/tls_client.cpp b/src/tls/tls_client.cpp index f6e016725..06a58385c 100644 --- a/src/tls/tls_client.cpp +++ b/src/tls/tls_client.cpp @@ -11,9 +11,6 @@ #include <botan/internal/stl_util.h> #include <memory> -#include <stdio.h> -#include <botan/hex.h> - namespace Botan { namespace TLS { @@ -115,7 +112,7 @@ void Client::alert_notify(const Alert& alert) * Process a handshake message */ void Client::process_handshake_msg(Handshake_Type type, - const MemoryRegion<byte>& contents) + const MemoryRegion<byte>& contents) { if(state == 0) throw Unexpected_Message("Unexpected handshake message from server"); @@ -138,12 +135,12 @@ void Client::process_handshake_msg(Handshake_Type type, return; } - state->set_expected_next(SERVER_HELLO); state->client_hello = new Client_Hello(writer, state->hash, policy, rng, secure_renegotiation.for_client_hello()); - secure_renegotiation.update(state->client_hello); + state->set_expected_next(SERVER_HELLO); + return; } @@ -192,8 +189,11 @@ void Client::process_handshake_msg(Handshake_Type type, state->suite = Ciphersuite::by_id(state->server_hello->ciphersuite()); - if(!state->server_hello->session_id().empty() && - (state->server_hello->session_id() == state->client_hello->session_id())) + const bool server_returned_same_session_id = + !state->server_hello->session_id().empty() && + (state->server_hello->session_id() == state->client_hello->session_id()); + + if(server_returned_same_session_id) { // successful resumption @@ -416,8 +416,17 @@ void Client::process_handshake_msg(Handshake_Type type, state->client_finished = new Finished(writer, state, CLIENT); } + secure_renegotiation.update(state->client_finished, state->server_finished); + + MemoryVector<byte> session_id = state->server_hello->session_id(); + + const MemoryRegion<byte>& session_ticket = state->session_ticket(); + + if(session_id.empty() && !session_ticket.empty()) + session_id = make_hello_random(rng); + Session session_info( - state->server_hello->session_id(), + session_id, state->keys.master_secret(), state->server_hello->version(), state->server_hello->ciphersuite(), @@ -426,8 +435,7 @@ void Client::process_handshake_msg(Handshake_Type type, secure_renegotiation.supported(), state->server_hello->fragment_size(), peer_certs, - state->new_session_ticket ? state->new_session_ticket->ticket() : - MemoryVector<byte>(), + session_ticket, state->client_hello->sni_hostname(), "" ); @@ -437,8 +445,6 @@ void Client::process_handshake_msg(Handshake_Type type, else session_manager.remove_entry(session_info.session_id()); - secure_renegotiation.update(state->client_finished, state->server_finished); - delete state; state = 0; handshake_completed = true; diff --git a/src/tls/tls_handshake_state.cpp b/src/tls/tls_handshake_state.cpp index 4a82a1641..6ddd8d346 100644 --- a/src/tls/tls_handshake_state.cpp +++ b/src/tls/tls_handshake_state.cpp @@ -143,6 +143,14 @@ bool Handshake_State::received_handshake_msg(Handshake_Type handshake_msg) const return (hand_received_mask & mask); } +const MemoryRegion<byte>& Handshake_State::session_ticket() const + { + if(new_session_ticket && !new_session_ticket->ticket().empty()) + return new_session_ticket->ticket(); + + return client_hello->session_ticket(); + } + KDF* Handshake_State::protocol_specific_prf() { if(version() == Protocol_Version::SSL_V3) diff --git a/src/tls/tls_handshake_state.h b/src/tls/tls_handshake_state.h index 52bfd24b2..2a78d1d1e 100644 --- a/src/tls/tls_handshake_state.h +++ b/src/tls/tls_handshake_state.h @@ -50,6 +50,8 @@ class Handshake_State void confirm_transition_to(Handshake_Type handshake_msg); void set_expected_next(Handshake_Type handshake_msg); + const MemoryRegion<byte>& session_ticket() const; + std::pair<std::string, Signature_Format> understand_sig_format(const Public_Key* key, std::string hash_algo, |