Diffstat (limited to 'src/tls')
-rw-r--r--src/tls/s_hello.cpp4
-rw-r--r--src/tls/tls_messages.h1
-rw-r--r--src/tls/tls_server.cpp67
3 files changed, 33 insertions, 39 deletions
diff --git a/src/tls/s_hello.cpp b/src/tls/s_hello.cpp
index 4cbc69f30..7da9fdc57 100644
--- a/src/tls/s_hello.cpp
+++ b/src/tls/s_hello.cpp
@@ -25,6 +25,7 @@ Server_Hello::Server_Hello(Record_Writer& writer,
const Client_Hello& c_hello,
const std::vector<std::string>& available_cert_types,
const Policy& policy,
+ bool have_session_ticket_key,
bool client_has_secure_renegotiation,
const MemoryRegion<byte>& reneg_info,
bool client_has_npn,
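Review bot: `have_session_ticket_key` is inserted directly before `client_has_secure_renegotiation`, so the constructor now takes several positional `bool` parameters that a caller can transpose without any compiler complaint. Since these flags decide which extensions the server advertises, a doc comment on the declaration in tls_messages.h would help, for example `* @param have_session_ticket_key true if a ticket key is configured; the session ticket extension is only offered when set`. The constructor's parameter list starts and ends outside this hunk.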
@@ -38,7 +39,8 @@ Server_Hello::Server_Hello(Record_Writer& writer,
m_renegotiation_info(reneg_info),
m_next_protocol(client_has_npn),
m_next_protocols(next_protocols),
- m_supports_session_ticket(c_hello.supports_session_ticket())
+ m_supports_session_ticket(have_session_ticket_key &&
+ c_hello.supports_session_ticket())
{
suite = policy.choose_suite(
c_hello.ciphersuites(),
diff --git a/src/tls/tls_messages.h b/src/tls/tls_messages.h
index 7312d8bb1..2f8af5fd2 100644
--- a/src/tls/tls_messages.h
+++ b/src/tls/tls_messages.h
@@ -197,6 +197,7 @@ class Server_Hello : public Handshake_Message
const Client_Hello& other,
const std::vector<std::string>& available_cert_types,
const Policy& policies,
+ bool have_session_ticket_key,
bool client_has_secure_renegotiation,
const MemoryRegion<byte>& reneg_info,
bool client_has_npn,
diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp
index e4c7ea339..1f69d153e 100644
--- a/src/tls/tls_server.cpp
+++ b/src/tls/tls_server.cpp
@@ -40,13 +40,9 @@ bool check_for_resume(Session& session_info,
// If a session ticket was sent, ignore client session ID
try
{
- const SymmetricKey& session_ticket_key = credentials.session_ticket_key();
-
- if(session_ticket_key.length() == 0)
- return false;
-
- session_info = Session::decrypt(session_ticket,
- session_ticket_key);
+ session_info = Session::decrypt(
+ session_ticket,
+ credentials.psk("tls-server", "session-ticket", ""));
}
catch(...)
{
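Review bot: The zero-length check that used to precede `Session::decrypt` is gone, so if `credentials.psk("tls-server", "session-ticket", "")` returns an empty key instead of throwing, the ticket is decrypted with that empty key. The same commit tests `.length() > 0` on this lookup in process_handshake_msg, which suggests an empty return is possible. Unless Session::decrypt is known to reject empty keys (not visible here), keep the guard: `const SymmetricKey key = credentials.psk("tls-server", "session-ticket", ""); if(key.length() == 0) return false;`. The `session_info.encrypt(ticket_key, rng)` calls in the hunks at -265 and -496 lost the equivalent check and would issue tickets under an empty key in the same situation. check_for_resume continues outside this hunk.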
@@ -221,7 +217,14 @@ void Server::process_handshake_msg(Handshake_Type type,
creds,
state->client_hello);
- const SymmetricKey& session_ticket_key = creds.session_ticket_key();
+ bool have_session_ticket_key = false;
+
+ try
+ {
+ have_session_ticket_key =
+ creds.psk("tls-server", "session-ticket", "").length() > 0;
+ }
+ catch(...) {}
if(resuming)
{
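Review bot: The bare `catch(...) {}` around the key lookup turns every failure, including allocation errors or a fault in the credentials backend, into "no ticket key" with no trace, so session tickets can end up silently disabled. Catching only the exception psk() is documented to throw for a missing key, or at least adding a comment such as `// no ticket key configured: session tickets stay disabled`, would make the intent explicit. The literal triple `"tls-server", "session-ticket", ""` is also repeated at four call sites in this file; a file-local helper that returns the key, called once per handshake, would keep them from drifting apart and stop this flag from disagreeing with the later lookups. process_handshake_msg continues outside this hunk.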
@@ -237,7 +240,7 @@ void Server::process_handshake_msg(Handshake_Type type,
session_info.fragment_size(),
secure_renegotiation.supported(),
secure_renegotiation.for_server_hello(),
- state->client_hello->supports_session_ticket() && session_ticket_key.length() > 0,
+ state->client_hello->supports_session_ticket() && have_session_ticket_key,
state->client_hello->next_protocol_notification(),
m_possible_protocols,
rng);
@@ -265,14 +268,16 @@ void Server::process_handshake_msg(Handshake_Type type,
{
try
{
+ const SymmetricKey ticket_key = creds.psk("tls-server", "session-ticket", "");
+
state->new_session_ticket =
new New_Session_Ticket(writer, state->hash,
- session_info.encrypt(session_ticket_key, rng));
+ session_info.encrypt(ticket_key, rng));
}
- catch(...)
- {
+ catch(...) {}
+
+ if(!state->new_session_ticket)
state->new_session_ticket = new New_Session_Ticket(writer, state->hash);
- }
}
writer.send(CHANGE_CIPHER_SPEC, 1);
@@ -312,6 +317,7 @@ void Server::process_handshake_msg(Handshake_Type type,
*(state->client_hello),
available_cert_types,
policy,
+ have_session_ticket_key,
secure_renegotiation.supported(),
secure_renegotiation.for_server_hello(),
state->client_hello->next_protocol_notification(),
@@ -422,10 +428,9 @@ void Server::process_handshake_msg(Handshake_Type type,
state->hash.update(type, contents);
/*
- * Using DECRYPT_ERROR looks weird here, but per RFC 4346 this
- * error is for indicating that "A handshake cryptographic
- * operation failed, including being unable to correctly verify a
- * signature, ..."
+ * Using DECRYPT_ERROR looks weird here, but per RFC 4346 is for
+ * "A handshake cryptographic operation failed, including being
+ * unable to correctly verify a signature, ..."
*/
if(!sig_valid)
throw TLS_Exception(Alert::DECRYPT_ERROR, "Client cert verify failed");
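Review bot: The reworded comment lost its subject: "per RFC 4346 is for" no longer says what is for. Suggest `* Using DECRYPT_ERROR looks weird here, but per RFC 4346 this alert is for` as the first line, leaving the quotation that follows unchanged.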
@@ -496,17 +501,11 @@ void Server::process_handshake_msg(Handshake_Type type,
{
try
{
- const SymmetricKey& session_ticket_key =
- creds.session_ticket_key();
-
- if(session_ticket_key.length() > 0)
- {
- state->new_session_ticket =
- new New_Session_Ticket(
- writer,
- state->hash,
- session_info.encrypt(session_ticket_key, rng));
- }
+ const SymmetricKey ticket_key = creds.psk("tls-server", "session-ticket", "");
+
+ state->new_session_ticket =
+ new New_Session_Ticket(writer, state->hash,
+ session_info.encrypt(ticket_key, rng));
}
catch(...) {}
}
@@ -514,16 +513,8 @@ void Server::process_handshake_msg(Handshake_Type type,
session_manager.save(session_info);
}
- /*
- If we sent the extension we have to send something;
- an empty ticket is allowed
- */
- if(!state->new_session_ticket &&
- state->server_hello->supports_session_ticket())
- {
- state->new_session_ticket =
- new New_Session_Ticket(writer, state->hash);
- }
+ if(state->server_hello->supports_session_ticket() && !state->new_session_ticket)
+ state->new_session_ticket = new New_Session_Ticket(writer, state->hash);
writer.send(CHANGE_CIPHER_SPEC, 1);
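Review bot: The removed comment explained why an empty New_Session_Ticket is sent, and the condensed `if` no longer carries that reason. A later reader could take the fallback for dead code and remove it, which would leave a server that advertised the extension sending no ticket message. Suggest keeping one line above the check, `// If we sent the extension we must send a ticket message; an empty ticket is allowed`; the same fallback at `if(!state->new_session_ticket)` in the hunk at -265 would benefit from it too.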