aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorlloyd <[email protected]>2012-08-05 20:31:42 +0000
committerlloyd <[email protected]>2012-08-05 20:31:42 +0000
commitabede6dce6be19d3e916bff16048096f36bddb03 (patch)
treea9b336cc8c7eac8176ce4a3db69fa10bad98202c /src
parentde2d1a699748c4cbd6f8bc8aaa67e02826108125 (diff)
In the in-memory session manager, choose a random key at startup and
encrypt all of the sessions, decrypting before return. This minimizes load on the locked memory (48 bytes master secret per session, vs 32 bytes for a single master key). It might also make recovering session data from memory dumps a little bit harder though this isn't worth counting on IMO
Diffstat (limited to 'src')
-rw-r--r--src/tls/tls_session.h2
-rw-r--r--src/tls/tls_session_manager.cpp25
-rw-r--r--src/tls/tls_session_manager.h11
3 files changed, 28 insertions, 10 deletions
diff --git a/src/tls/tls_session.h b/src/tls/tls_session.h
index 2c474bc6a..ac18ebb48 100644
--- a/src/tls/tls_session.h
+++ b/src/tls/tls_session.h
@@ -77,7 +77,7 @@ class BOTAN_DLL Session
* Encrypt a session (useful for serialization or session tickets)
*/
std::vector<byte> encrypt(const SymmetricKey& key,
- RandomNumberGenerator& rng) const;
+ RandomNumberGenerator& rng) const;
/**
diff --git a/src/tls/tls_session_manager.cpp b/src/tls/tls_session_manager.cpp
index 823f4c123..673ee90ff 100644
--- a/src/tls/tls_session_manager.cpp
+++ b/src/tls/tls_session_manager.cpp
@@ -1,11 +1,12 @@
/*
* TLS Session Management
-* (C) 2011 Jack Lloyd
+* (C) 2011,2012 Jack Lloyd
*
* Released under the terms of the Botan license
*/
#include <botan/tls_session_manager.h>
+#include <botan/libstate.h>
#include <botan/hex.h>
#include <chrono>
@@ -13,6 +14,14 @@ namespace Botan {
namespace TLS {
+Session_Manager_In_Memory::Session_Manager_In_Memory(
+ size_t max_sessions, std::chrono::seconds session_lifetime) :
+ m_max_sessions(max_sessions),
+ m_session_lifetime(session_lifetime),
+ m_rng(global_state().global_rng()),
+ m_session_key(m_rng, 32)
+ {}
+
bool Session_Manager_In_Memory::load_from_session_str(
const std::string& session_str, Session& session)
{
@@ -23,16 +32,24 @@ bool Session_Manager_In_Memory::load_from_session_str(
if(i == m_sessions.end())
return false;
+ try
+ {
+ session = Session::decrypt(i->second, m_session_key);
+ }
+ catch(...)
+ {
+ return false;
+ }
+
// if session has expired, remove it
const auto now = std::chrono::system_clock::now();
- if(i->second.start_time() + session_lifetime() < now)
+ if(session.start_time() + session_lifetime() < now)
{
m_sessions.erase(i);
return false;
}
- session = i->second;
return true;
}
@@ -96,7 +113,7 @@ void Session_Manager_In_Memory::save(const Session& session, u16bit port)
const std::string session_id_str = hex_encode(session.session_id());
- m_sessions[session_id_str] = session;
+ m_sessions[session_id_str] = session.encrypt(m_session_key, m_rng);
const std::string hostname = session.sni_hostname();
diff --git a/src/tls/tls_session_manager.h b/src/tls/tls_session_manager.h
index 4c979362f..4efefb6ff 100644
--- a/src/tls/tls_session_manager.h
+++ b/src/tls/tls_session_manager.h
@@ -110,10 +110,8 @@ class BOTAN_DLL Session_Manager_In_Memory : public Session_Manager
* seconds have elapsed from initial handshake.
*/
Session_Manager_In_Memory(size_t max_sessions = 1000,
- std::chrono::seconds session_lifetime = std::chrono::seconds(7200)) :
- m_max_sessions(max_sessions),
- m_session_lifetime(session_lifetime)
- {}
+ std::chrono::seconds session_lifetime =
+ std::chrono::seconds(7200));
bool load_from_session_id(const std::vector<byte>& session_id,
Session& session) override;
@@ -138,7 +136,10 @@ class BOTAN_DLL Session_Manager_In_Memory : public Session_Manager
std::chrono::seconds m_session_lifetime;
- std::map<std::string, Session> m_sessions; // hex(session_id) -> session
+ RandomNumberGenerator& m_rng;
+ SymmetricKey m_session_key;
+
+ std::map<std::string, std::vector<byte>> m_sessions; // hex(session_id) -> session
std::map<std::string, std::string> m_host_sessions;
};