diff options
| -rw-r--r-- | doc/examples/credentials.h | 16 | ||||
| -rw-r--r-- | src/tls/tls_server.cpp | 35 |
2 files changed, 37 insertions, 14 deletions
diff --git a/doc/examples/credentials.h b/doc/examples/credentials.h index 82a72406d..0999b251d 100644 --- a/doc/examples/credentials.h +++ b/doc/examples/credentials.h @@ -25,8 +25,8 @@ class Credentials_Manager_Simple : public Botan::Credentials_Manager public: Credentials_Manager_Simple(Botan::RandomNumberGenerator& rng) : rng(rng) {} - std::string psk_identity_hint(const std::string& type, - const std::string& context) + std::string psk_identity_hint(const std::string&, + const std::string&) { return ""; } @@ -37,11 +37,19 @@ class Credentials_Manager_Simple : public Botan::Credentials_Manager return "Client_identity"; } - Botan::SymmetricKey psk(const std::string&, const std::string&, + Botan::SymmetricKey psk(const std::string& type, const std::string& context, const std::string& identity) { + if(type == "tls-server" && context == "session-ticket") + { + if(session_ticket_key.length() == 0) + session_ticket_key = Botan::SymmetricKey(rng, 32); + return session_ticket_key; + } + if(identity == "Client_identity") return Botan::SymmetricKey("b5a72e1387552e6dc10766dc0eda12961f5b21e17f98ef4c41e6572e53bd7527"); + throw Botan::Internal_Error("No PSK set for " + identity); } @@ -162,6 +170,8 @@ class Credentials_Manager_Simple : public Botan::Credentials_Manager private: Botan::RandomNumberGenerator& rng; + + Botan::SymmetricKey session_ticket_key; std::map<Botan::X509_Certificate, Botan::Private_Key*> certs_and_keys; }; diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp index 7632dfcdd..a0920fc28 100644 --- a/src/tls/tls_server.cpp +++ b/src/tls/tls_server.cpp @@ -20,6 +20,7 @@ namespace { bool check_for_resume(Session& session_info, Session_Manager& session_manager, + Credentials_Manager& credentials, Client_Hello* client_hello) { const MemoryVector<byte>& client_session_id = client_hello->session_id(); @@ -39,10 +40,11 @@ bool check_for_resume(Session& session_info, // If a session ticket was sent, ignore client session ID try { -#warning fixed key - session_info = Session::decrypt(session_ticket, SymmetricKey("ABCDEF")); + session_info = Session::decrypt( + session_ticket, + credentials.psk("tls-server", "session-ticket", "")); } - catch(std::exception& e) + catch(...) { return false; } @@ -212,6 +214,7 @@ void Server::process_handshake_msg(Handshake_Type type, Session session_info; const bool resuming = check_for_resume(session_info, session_manager, + creds, state->client_hello); if(resuming) @@ -251,12 +254,19 @@ void Server::process_handshake_msg(Handshake_Type type, session_manager.remove_entry(session_info.session_id()); } - // Should only send a new ticket if we need too (eg old session) + // FIXME: should only send a new ticket if we need too (eg old session) if(state->server_hello->supports_session_ticket() && !state->new_session_ticket) { - state->new_session_ticket = - new New_Session_Ticket(writer, state->hash, - session_info.encrypt(SymmetricKey("ABCDEF"), rng)); + try + { + SymmetricKey key = creds.psk("tls-server", "session-ticket", ""); + state->new_session_ticket = + new New_Session_Ticket(writer, state->hash, session_info.encrypt(key, rng)); + } + catch(...) + { + state->new_session_ticket = new New_Session_Ticket(writer, state->hash); + } } writer.send(CHANGE_CIPHER_SPEC, 1); @@ -266,7 +276,6 @@ void Server::process_handshake_msg(Handshake_Type type, state->server_finished = new Finished(writer, state, SERVER); - state->set_expected_next(HANDSHAKE_CCS); } else // new session @@ -478,9 +487,13 @@ void Server::process_handshake_msg(Handshake_Type type, { if(state->server_hello->supports_session_ticket()) { - state->new_session_ticket = - new New_Session_Ticket(writer, state->hash, - session_info.encrypt(SymmetricKey("ABCDEF"), rng)); + try + { + SymmetricKey key = creds.psk("tls-server", "session-ticket", ""); + state->new_session_ticket = + new New_Session_Ticket(writer, state->hash, session_info.encrypt(key, rng)); + } + catch(...) {} } else session_manager.save(session_info); |