-rw-r--r-- | doc/examples/tls_client.cpp | 3 | ||||
-rw-r--r-- | doc/examples/tls_server.cpp | 3 | ||||
-rw-r--r-- | src/tls/info.txt | 10 | ||||
-rw-r--r-- | src/tls/tls_channel.cpp | 4 | ||||
-rw-r--r-- | src/tls/tls_channel.h | 6 | ||||
-rw-r--r-- | src/tls/tls_client.cpp | 4 | ||||
-rw-r--r-- | src/tls/tls_client.h | 4 | ||||
-rw-r--r-- | src/tls/tls_handshake_state.cpp (renamed from src/tls/tls_state.cpp) | 2 | ||||
-rw-r--r-- | src/tls/tls_handshake_state.h (renamed from src/tls/tls_state.h) | 2 | ||||
-rw-r--r-- | src/tls/tls_server.cpp | 10 | ||||
-rw-r--r-- | src/tls/tls_server.h | 4 | ||||
-rw-r--r-- | src/tls/tls_session.cpp (renamed from src/tls/tls_session_state.cpp) | 76 | ||||
-rw-r--r-- | src/tls/tls_session.h (renamed from src/tls/tls_session_state.h) | 88 | ||||
-rw-r--r-- | src/tls/tls_session_manager.cpp | 66 | ||||
-rw-r--r-- | src/tls/tls_session_manager.h | 103 |
15 files changed, 219 insertions, 166 deletions
diff --git a/doc/examples/tls_client.cpp b/doc/examples/tls_client.cpp index be72a65e7..275d4b309 100644 --- a/doc/examples/tls_client.cpp +++ b/doc/examples/tls_client.cpp @@ -1,5 +1,6 @@ #include <botan/botan.h> #include <botan/tls_client.h> +#include <botan/hex.h> #include <stdio.h> #include <string> #include <iostream> @@ -66,7 +67,7 @@ int connect_to_host(const std::string& host, u16bit port) return fd; } -void handshake_complete(const TLS_Session_Params& session) +void handshake_complete(const TLS_Session& session) { printf("Handshake complete, protocol=%04X ciphersuite=%04X compression=%d\n", session.version(), session.ciphersuite(), diff --git a/doc/examples/tls_server.cpp b/doc/examples/tls_server.cpp index 0710c35f9..d9334c47e 100644 --- a/doc/examples/tls_server.cpp +++ b/doc/examples/tls_server.cpp @@ -1,5 +1,6 @@ #include <botan/botan.h> #include <botan/tls_server.h> +#include <botan/hex.h> #include <botan/rsa.h> #include <botan/dsa.h> @@ -15,7 +16,7 @@ using namespace Botan; #include <iostream> #include <memory> -void handshake_complete(const TLS_Session_Params& session) +void handshake_complete(const TLS_Session& session) { printf("Handshake complete, protocol=%04X ciphersuite=%04X compression=%d\n", session.version(), session.ciphersuite(), diff --git a/src/tls/info.txt b/src/tls/info.txt index 857a5bc2a..b8bc12d4d 100644 --- a/src/tls/info.txt +++ b/src/tls/info.txt @@ -15,7 +15,8 @@ tls_magic.h tls_policy.h tls_record.h tls_server.h -tls_session_state.h +tls_session.h +tls_session_manager.h tls_suites.h </header:public> @@ -26,7 +27,7 @@ tls_extensions.h tls_messages.h tls_reader.h tls_session_key.h -tls_state.h +tls_handshake_state.h </header:internal> <source> @@ -45,8 +46,9 @@ tls_client.cpp tls_policy.cpp tls_server.cpp tls_session_key.cpp -tls_session_state.cpp -tls_state.cpp +tls_session.cpp +tls_session_manager.cpp +tls_handshake_state.cpp tls_suites.cpp </source> 
diff --git a/src/tls/tls_channel.cpp b/src/tls/tls_channel.cpp index 0e119c2a3..1836c1a77 100644 --- a/src/tls/tls_channel.cpp +++ b/src/tls/tls_channel.cpp @@ -7,14 +7,14 @@ #include <botan/tls_channel.h> #include <botan/internal/tls_alerts.h> -#include <botan/internal/tls_state.h> +#include <botan/internal/tls_handshake_state.h> #include <botan/loadstor.h> namespace Botan { TLS_Channel::TLS_Channel(std::tr1::function<void (const byte[], size_t)> socket_output_fn, std::tr1::function<void (const byte[], size_t, u16bit)> proc_fn, - std::tr1::function<void (const TLS_Session_Params&)> handshake_complete) : + std::tr1::function<void (const TLS_Session&)> handshake_complete) : proc_fn(proc_fn), handshake_fn(handshake_complete), writer(socket_output_fn), diff --git a/src/tls/tls_channel.h b/src/tls/tls_channel.h index 4b5a91a65..8eca71305 100644 --- a/src/tls/tls_channel.h +++ b/src/tls/tls_channel.h @@ -10,7 +10,7 @@ #include <botan/tls_policy.h> #include <botan/tls_record.h> -#include <botan/tls_session_state.h> +#include <botan/tls_session.h> #include <botan/x509cert.h> #include <vector> @@ -73,7 +73,7 @@ class BOTAN_DLL TLS_Channel TLS_Channel(std::tr1::function<void (const byte[], size_t)> socket_output_fn, std::tr1::function<void (const byte[], size_t, u16bit)> proc_fn, - std::tr1::function<void (const TLS_Session_Params&)> handshake_complete); + std::tr1::function<void (const TLS_Session&)> handshake_complete); virtual ~TLS_Channel(); protected: @@ -84,7 +84,7 @@ class BOTAN_DLL TLS_Channel const MemoryRegion<byte>& contents) = 0; std::tr1::function<void (const byte[], size_t, u16bit)> proc_fn; - std::tr1::function<void (const TLS_Session_Params&)> handshake_fn; + std::tr1::function<void (const TLS_Session&)> handshake_fn; Record_Writer writer; Record_Reader reader; diff --git a/src/tls/tls_client.cpp b/src/tls/tls_client.cpp index 5dbf9dc9c..1790151f9 100644 --- a/src/tls/tls_client.cpp +++ b/src/tls/tls_client.cpp 
@@ -7,7 +7,7 @@ #include <botan/tls_client.h> #include <botan/internal/tls_session_key.h> -#include <botan/internal/tls_state.h> +#include <botan/internal/tls_handshake_state.h> #include <botan/rsa.h> #include <botan/dsa.h> #include <botan/dh.h> @@ -19,7 +19,7 @@ namespace Botan { */ TLS_Client::TLS_Client(std::tr1::function<void (const byte[], size_t)> output_fn, std::tr1::function<void (const byte[], size_t, u16bit)> proc_fn, - std::tr1::function<void (const TLS_Session_Params&)> handshake_fn, + std::tr1::function<void (const TLS_Session&)> handshake_fn, TLS_Session_Manager& session_manager, const TLS_Policy& policy, RandomNumberGenerator& rng, diff --git a/src/tls/tls_client.h b/src/tls/tls_client.h index e2623015a..75a85f74d 100644 --- a/src/tls/tls_client.h +++ b/src/tls/tls_client.h @@ -9,7 +9,7 @@ #define BOTAN_TLS_CLIENT_H__ #include <botan/tls_channel.h> -#include <botan/tls_session_state.h> +#include <botan/tls_session_manager.h> #include <vector> namespace Botan { @@ -33,7 +33,7 @@ class BOTAN_DLL TLS_Client : public TLS_Channel */ TLS_Client(std::tr1::function<void (const byte[], size_t)> socket_output_fn, std::tr1::function<void (const byte[], size_t, u16bit)> proc_fn, - std::tr1::function<void (const TLS_Session_Params&)> handshake_complete, + std::tr1::function<void (const TLS_Session&)> handshake_complete, TLS_Session_Manager& session_manager, const TLS_Policy& policy, RandomNumberGenerator& rng, diff --git a/src/tls/tls_state.cpp b/src/tls/tls_handshake_state.cpp index 227a3e237..39292fc1b 100644 --- a/src/tls/tls_state.cpp +++ b/src/tls/tls_handshake_state.cpp @@ -5,7 +5,7 @@ * Released under the terms of the Botan license */ -#include <botan/internal/tls_state.h> +#include <botan/internal/tls_handshake_state.h> namespace Botan { diff --git a/src/tls/tls_state.h b/src/tls/tls_handshake_state.h index 4d1ae9d6d..1602ca17c 100644 --- a/src/tls/tls_state.h +++ b/src/tls/tls_handshake_state.h 
@@ -44,7 +44,7 @@ class Handshake_State Public_Key* kex_pub; Private_Key* kex_priv; - CipherSuite suite; + TLS_Cipher_Suite suite; SessionKeys keys; TLS_Handshake_Hash hash; diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp index f5efa10e4..1d96f5631 100644 --- a/src/tls/tls_server.cpp +++ b/src/tls/tls_server.cpp @@ -7,7 +7,7 @@ #include <botan/tls_server.h> #include <botan/internal/tls_session_key.h> -#include <botan/internal/tls_state.h> +#include <botan/internal/tls_handshake_state.h> #include <botan/internal/stl_util.h> #include <botan/rsa.h> #include <botan/dh.h> @@ -30,7 +30,7 @@ Version_Code choose_version(Version_Code client, Version_Code minimum) return TLS_V11; } -bool check_for_resume(TLS_Session_Params& session_info, +bool check_for_resume(TLS_Session& session_info, TLS_Session_Manager& session_manager, Client_Hello* client_hello) { @@ -81,7 +81,7 @@ bool check_for_resume(TLS_Session_Params& session_info, */ TLS_Server::TLS_Server(std::tr1::function<void (const byte[], size_t)> output_fn, std::tr1::function<void (const byte[], size_t, u16bit)> proc_fn, - std::tr1::function<void (const TLS_Session_Params&)> handshake_fn, + std::tr1::function<void (const TLS_Session&)> handshake_fn, TLS_Session_Manager& session_manager, const TLS_Policy& policy, RandomNumberGenerator& rng, @@ -172,7 +172,7 @@ void TLS_Server::process_handshake_msg(Handshake_Type type, writer.set_version(state->version); reader.set_version(state->version); - TLS_Session_Params session_info; + TLS_Session session_info; const bool resuming = check_for_resume(session_info, session_manager, state->client_hello); @@ -378,7 +378,7 @@ void TLS_Server::process_handshake_msg(Handshake_Type type, if(state->client_certs && state->client_verify) peer_certs = state->client_certs->cert_chain(); - TLS_Session_Params session_info( + TLS_Session session_info( state->server_hello->session_id(), state->keys.master_secret(), state->server_hello->version(), 
diff --git a/src/tls/tls_server.h b/src/tls/tls_server.h index 16c6f8e3e..d684a4a11 100644 --- a/src/tls/tls_server.h +++ b/src/tls/tls_server.h @@ -9,7 +9,7 @@ #define BOTAN_TLS_SERVER_H__ #include <botan/tls_channel.h> -#include <botan/tls_session_state.h> +#include <botan/tls_session_manager.h> #include <vector> namespace Botan { @@ -29,7 +29,7 @@ class BOTAN_DLL TLS_Server : public TLS_Channel */ TLS_Server(std::tr1::function<void (const byte[], size_t)> socket_output_fn, std::tr1::function<void (const byte[], size_t, u16bit)> proc_fn, - std::tr1::function<void (const TLS_Session_Params&)> handshake_complete, + std::tr1::function<void (const TLS_Session&)> handshake_complete, TLS_Session_Manager& session_manager, const TLS_Policy& policy, RandomNumberGenerator& rng, diff --git a/src/tls/tls_session_state.cpp b/src/tls/tls_session.cpp index bac24a5eb..deaddb227 100644 --- a/src/tls/tls_session_state.cpp +++ b/src/tls/tls_session.cpp @@ -1,11 +1,11 @@ /* -* TLS Session Management +* TLS Session State * (C) 2011 Jack Lloyd * * Released under the terms of the Botan license */ -#include <botan/tls_session_state.h> +#include <botan/tls_session.h> #include <botan/der_enc.h> #include <botan/ber_dec.h> #include <botan/asn1_str.h> 
@@ -13,17 +13,17 @@ namespace Botan { -TLS_Session_Params::TLS_Session_Params(const MemoryRegion<byte>& session_identifier, - const MemoryRegion<byte>& master_secret, - Version_Code version, - u16bit ciphersuite, - byte compression_method, - Connection_Side side, - bool secure_renegotiation_supported, - size_t fragment_size, - const std::vector<X509_Certificate>& certs, - const std::string& sni_hostname, - const std::string& srp_identifier) : +TLS_Session::TLS_Session(const MemoryRegion<byte>& session_identifier, + const MemoryRegion<byte>& master_secret, + Version_Code version, + u16bit ciphersuite, + byte compression_method, + Connection_Side side, + bool secure_renegotiation_supported, + size_t fragment_size, + const std::vector<X509_Certificate>& certs, + const std::string& sni_hostname, + const std::string& srp_identifier) : m_start_time(system_time()), m_identifier(session_identifier), m_master_secret(master_secret), @@ -41,7 +41,7 @@ TLS_Session_Params::TLS_Session_Params(const MemoryRegion<byte>& session_identif m_peer_certificate = certs[0].BER_encode(); } -TLS_Session_Params::TLS_Session_Params(const byte ber[], size_t ber_len) +TLS_Session::TLS_Session(const byte ber[], size_t ber_len) { BER_Decoder decoder(ber, ber_len); @@ -70,7 +70,7 @@ TLS_Session_Params::TLS_Session_Params(const byte ber[], size_t ber_len) m_connection_side = static_cast<Connection_Side>(side_code); } -SecureVector<byte> TLS_Session_Params::BER_encode() const +SecureVector<byte> TLS_Session::BER_encode() const { return DER_Encoder() .start_cons(SEQUENCE) 
@@ -91,50 +91,4 @@ SecureVector<byte> TLS_Session_Params::BER_encode() const .get_contents(); } -bool TLS_Session_Manager_In_Memory::find(const MemoryVector<byte>& session_id, - TLS_Session_Params& params) - { - std::map<std::string, TLS_Session_Params>::iterator i = - sessions.find(hex_encode(session_id)); - - if(i == sessions.end()) - return false; - - // session has expired, remove it - const u64bit now = system_time(); - if(i->second.start_time() + session_lifetime >= now) - { - sessions.erase(i); - return false; - } - - params = i->second; - return true; - } - -void TLS_Session_Manager_In_Memory::prohibit_resumption( - const MemoryVector<byte>& session_id) - { - std::map<std::string, TLS_Session_Params>::iterator i = - sessions.find(hex_encode(session_id)); - - if(i != sessions.end()) - sessions.erase(i); - } - -void TLS_Session_Manager_In_Memory::save(const TLS_Session_Params& session_data) - { - if(max_sessions != 0) - { - /* - This removes randomly based on ordering of session ids. - Instead, remove oldest first? - */ - while(sessions.size() >= max_sessions) - sessions.erase(sessions.begin()); - } - - sessions[hex_encode(session_data.session_id())] = session_data; - } - } diff --git a/src/tls/tls_session_state.h b/src/tls/tls_session.h index eefdc4b67..c713efc87 100644 --- a/src/tls/tls_session_state.h +++ b/src/tls/tls_session.h 
@@ -1,33 +1,30 @@ /* -* TLS Session Management +* TLS Session * (C) 2011 Jack Lloyd * * Released under the terms of the Botan license */ -#ifndef TLS_SESSION_STATE_H_ -#define TLS_SESSION_STATE_H_ +#ifndef TLS_SESSION_STATE_H__ +#define TLS_SESSION_STATE_H__ #include <botan/x509cert.h> #include <botan/tls_magic.h> #include <botan/secmem.h> -#include <botan/hex.h> -#include <map> -#include <ctime> namespace Botan { /** * Class representing a TLS session state */ -class BOTAN_DLL TLS_Session_Params +class BOTAN_DLL TLS_Session { public: /** * Uninitialized session */ - TLS_Session_Params() : + TLS_Session() : m_start_time(0), m_version(0), m_ciphersuite(0), @@ -40,7 +37,7 @@ class BOTAN_DLL TLS_Session_Params /** * New session (sets session start time) */ - TLS_Session_Params(const MemoryRegion<byte>& session_id, + TLS_Session(const MemoryRegion<byte>& session_id, const MemoryRegion<byte>& master_secret, Version_Code version, u16bit ciphersuite, @@ -55,7 +52,7 @@ class BOTAN_DLL TLS_Session_Params /** * Load a session from BER (created by BER_encode) */ - TLS_Session_Params(const byte ber[], size_t ber_len); + TLS_Session(const byte ber[], size_t ber_len); /** * Encode this session data for storage 
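Review bot: The include guard in the renamed tls_session.h still spells the old filename, `TLS_SESSION_STATE_H__`, and lacks the `BOTAN_` prefix used by the sibling headers in this same commit (`BOTAN_TLS_CLIENT_H__`, `BOTAN_TLS_SERVER_H__`). Since the hunk already rewrites the guard lines, `#ifndef BOTAN_TLS_SESSION_H__` / `#define BOTAN_TLS_SESSION_H__` would finish the rename and rule out a collision with any header that keeps the old name. The matching `#endif` sits in a later hunk of this file.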
@@ -145,77 +142,6 @@ class BOTAN_DLL TLS_Session_Params std::string m_srp_identifier; // optional }; -/** -* TLS_Session_Manager is an interface to systems which can save -* session parameters for support session resumption. -* -* Implementations should strive to be thread safe -*/ -class BOTAN_DLL TLS_Session_Manager - { - public: - /** - * Try to load a saved session - * @param session_id the session identifier we are trying to resume - * @param params will be set to the saved session data (if found), - or not modified if not found - * @return true if params was modified - */ - virtual bool find(const MemoryVector<byte>& session_id, - TLS_Session_Params& params) = 0; - - /** - * Prohibit resumption of this session. Effectively an erase. - */ - virtual void prohibit_resumption(const MemoryVector<byte>& session_id) = 0; - - /** - * Save a session on a best effort basis; the manager may not in - * fact be able to save the session for whatever reason, this is - * not an error. Caller cannot assume that calling save followed - * immediately by find will result in a successful lookup. - * - * @param session_id the session identifier - * @param params to save - */ - virtual void save(const TLS_Session_Params& params) = 0; - - virtual ~TLS_Session_Manager() {} - }; - -/** -* A simple implementation of TLS_Session_Manager that just saves -* values in memory, with no persistance abilities -* -* @todo add locking -*/ -class BOTAN_DLL TLS_Session_Manager_In_Memory : public TLS_Session_Manager - { - public: - /** - * @param max_sessions a hint on the maximum number of sessions - * to save at any one time. (If zero, don't cap at all) - * @param session_lifetime sesions are expired after this many - * seconds have elapsed. 
- */ - TLS_Session_Manager_In_Memory(size_t max_sessions = 1000, - size_t session_lifetime = 300) : - max_sessions(max_sessions), - session_lifetime(session_lifetime) - {} - - bool find(const MemoryVector<byte>& session_id, - TLS_Session_Params& params); - - void prohibit_resumption(const MemoryVector<byte>& session_id); - - void save(const TLS_Session_Params& session_data); - - private: - size_t max_sessions, session_lifetime; - std::map<std::string, TLS_Session_Params> sessions; - }; - } #endif diff --git a/src/tls/tls_session_manager.cpp b/src/tls/tls_session_manager.cpp new file mode 100644 index 000000000..05a092426 --- /dev/null +++ b/src/tls/tls_session_manager.cpp 
@@ -0,0 +1,66 @@
+/*
+* TLS Session Management
+* (C) 2011 Jack Lloyd
+*
+* Released under the terms of the Botan license
+*/
+
+#include <botan/tls_session_manager.h>
+#include <botan/hex.h>
+#include <botan/time.h>
+
+namespace Botan {
+
+bool TLS_Session_Manager_In_Memory::find(const MemoryVector<byte>& session_id,
+ TLS_Session& params)
+ {
+ std::map<std::string, TLS_Session>::iterator i =
+ sessions.find(hex_encode(session_id));
+
+ if(i == sessions.end())
+ return false;
+
+ // session has expired, remove it
+ const u64bit now = system_time();
+ if(i->second.start_time() + session_lifetime >= now)
+ {
+ sessions.erase(i);
+ return false;
+ }
+
+ params = i->second;
+ return true;
+ }
+
+bool TLS_Session_Manager_In_Memory::find(const std::string& hostname, u16bit port,
+ TLS_Session& params)
+ {
+ return false;
+ }
+
+void TLS_Session_Manager_In_Memory::prohibit_resumption(
+ const MemoryVector<byte>& session_id)
+ {
+ std::map<std::string, TLS_Session>::iterator i =
+ sessions.find(hex_encode(session_id));
+
+ if(i != sessions.end())
+ sessions.erase(i);
+ }
+
+void TLS_Session_Manager_In_Memory::save(const TLS_Session& session_data)
+ {
+ if(max_sessions != 0)
+ {
+ /*
+ This removes randomly based on ordering of session ids.
+ Instead, remove oldest first?
+ */
+ while(sessions.size() >= max_sessions)
+ sessions.erase(sessions.begin());
+ }
+
+ sessions[hex_encode(session_data.session_id())] = session_data;
+ }
+
+}
diff --git a/src/tls/tls_session_manager.h b/src/tls/tls_session_manager.h
new file mode 100644
index 000000000..e2b66afb5
--- /dev/null
+++ b/src/tls/tls_session_manager.h
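Review bot: The expiry test in TLS_Session_Manager_In_Memory::find is inverted: `start_time() + session_lifetime >= now` holds for a session that is still inside its lifetime, so every fresh session is erased and resumption is refused, while a session whose lifetime has already elapsed passes the check and its master secret is handed back for resumption. The line should read `if(i->second.start_time() + session_lifetime < now)` (the comment above it, "session has expired, remove it", already describes the intended branch). The defect is moved verbatim from tls_session_state.cpp rather than introduced here, but with the default lifetime raised to 7200 seconds in the new header the window in which a stale master secret stays resumable grows accordingly. Separately, the client-side find(hostname, port) overload is a stub that never matches; a comment such as `// TODO: client-side lookup by host/port not implemented, always misses` would make that visible to callers.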
@@ -0,0 +1,103 @@
+/*
+* TLS Session Manager
+* (C) 2011 Jack Lloyd
+*
+* Released under the terms of the Botan license
+*/
+
+#ifndef TLS_SESSION_MANAGER_H__
+#define TLS_SESSION_MANAGER_H__
+
+#include <botan/tls_session.h>
+#include <map>
+
+namespace Botan {
+
+/**
+* TLS_Session_Manager is an interface to systems which can save
+* session parameters for supporting session resumption.
+*
+* Implementations should strive to be thread safe
+*/
+class BOTAN_DLL TLS_Session_Manager
+ {
+ public:
+ /**
+ * Try to load a saved session (server side)
+ * @param session_id the session identifier we are trying to resume
+ * @param params will be set to the saved session data (if found),
+ or not modified if not found
+ * @return true if params was modified
+ */
+ virtual bool find(const MemoryVector<byte>& session_id,
+ TLS_Session& params) = 0;
+
+ /**
+ * Try to load a saved session (client side)
+ * @param hostname of the host we are connecting to
+ * @param port the port number if we know it, or 0 if unknown
+ * @param params will be set to the saved session data (if found),
+ or not modified if not found
+ * @return true if params was modified
+ */
+ virtual bool find(const std::string& hostname, u16bit port,
+ TLS_Session& params) = 0;
+
+ /**
+ * Prohibit resumption of this session. Effectively an erase.
+ */
+ virtual void prohibit_resumption(const MemoryVector<byte>& session_id) = 0;
+
+ /**
+ * Save a session on a best effort basis; the manager may not in
+ * fact be able to save the session for whatever reason, this is
+ * not an error. Caller cannot assume that calling save followed
+ * immediately by find will result in a successful lookup.
+ *
+ * @param session_id the session identifier
+ * @param params to save
+ */
+ virtual void save(const TLS_Session& params) = 0;
+
+ virtual ~TLS_Session_Manager() {}
+ };
+
+/**
+* A simple implementation of TLS_Session_Manager that just saves
+* values in memory, with no persistance abilities
+*
+* @todo add locking
+*/
+class BOTAN_DLL TLS_Session_Manager_In_Memory : public TLS_Session_Manager
+ {
+ public:
+ /**
+ * @param max_sessions a hint on the maximum number of sessions
+ * to keep in memory at any one time. (If zero, don't cap)
+ * @param session_lifetime sessions are expired after this many
+ * seconds have elapsed from initial handshake.
+ */
+ TLS_Session_Manager_In_Memory(size_t max_sessions = 1000,
+ size_t session_lifetime = 7200) :
+ max_sessions(max_sessions),
+ session_lifetime(session_lifetime)
+ {}
+
+ bool find(const MemoryVector<byte>& session_id,
+ TLS_Session& params);
+
+ bool find(const std::string& hostname, u16bit port,
+ TLS_Session& params);
+
+ void prohibit_resumption(const MemoryVector<byte>& session_id);
+
+ void save(const TLS_Session& session_data);
+
+ private:
+ size_t max_sessions, session_lifetime;
+ std::map<std::string, TLS_Session> sessions;
+ };
+
+}
+
+#endif |
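Review bot: The Doxygen block for TLS_Session_Manager::save documents `@param session_id the session identifier`, but the method takes only `const TLS_Session& params`, so that tag is stale and `@param params` should say what the argument is: `* @param params the session to store, keyed by its session_id()`. The interface comment asks implementations to "strive to be thread safe", yet TLS_Session_Manager_In_Memory wraps a bare std::map with only a `@todo add locking`; because the manager is passed by reference into TLS_Server and TLS_Client and can therefore be shared by several connections, the class comment should state outright that concurrent find/save/prohibit_resumption calls on this implementation are not safe. The default session_lifetime also moves from 300 to 7200 seconds in this hunk with no rationale in the diff; presumably intentional, but since it extends how long a master secret is retained in memory it deserves a sentence in the parameter doc.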