Start adding ticket keys (only key_name for now)
This commit is contained in:
parent
aa0d4d1aff
commit
779e42982c
3 changed files with 52 additions and 5 deletions
|
@ -328,6 +328,7 @@ typedef struct _ssl_session ssl_session;
|
||||||
typedef struct _ssl_context ssl_context;
|
typedef struct _ssl_context ssl_context;
|
||||||
typedef struct _ssl_transform ssl_transform;
|
typedef struct _ssl_transform ssl_transform;
|
||||||
typedef struct _ssl_handshake_params ssl_handshake_params;
|
typedef struct _ssl_handshake_params ssl_handshake_params;
|
||||||
|
typedef struct _ssl_ticket_keys ssl_ticket_keys;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* This structure is used for storing current session data.
|
* This structure is used for storing current session data.
|
||||||
|
@ -445,6 +446,14 @@ struct _ssl_handshake_params
|
||||||
int new_session_ticket; /*!< use NewSessionTicket? */
|
int new_session_ticket; /*!< use NewSessionTicket? */
|
||||||
};
|
};
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Parameters needed to secure session tickets
|
||||||
|
*/
|
||||||
|
struct _ssl_ticket_keys
|
||||||
|
{
|
||||||
|
unsigned char key_name[16]; /*!< name to quickly discard bad tickets */
|
||||||
|
};
|
||||||
|
|
||||||
struct _ssl_context
|
struct _ssl_context
|
||||||
{
|
{
|
||||||
/*
|
/*
|
||||||
|
@ -553,6 +562,11 @@ struct _ssl_context
|
||||||
const char *peer_cn; /*!< expected peer CN */
|
const char *peer_cn; /*!< expected peer CN */
|
||||||
#endif /* POLARSSL_X509_PARSE_C */
|
#endif /* POLARSSL_X509_PARSE_C */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Support for generating and checking session tickets
|
||||||
|
*/
|
||||||
|
ssl_ticket_keys *ticket_keys; /*!< keys for ticket encryption */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* User settings
|
* User settings
|
||||||
*/
|
*/
|
||||||
|
|
|
@ -165,7 +165,10 @@ static int ssl_write_ticket( ssl_context *ssl, size_t *tlen )
|
||||||
unsigned char *p = start;
|
unsigned char *p = start;
|
||||||
size_t clear_len, enc_len;
|
size_t clear_len, enc_len;
|
||||||
|
|
||||||
memset( p, 0, 16 ); // TODO: key_name
|
if( ssl->ticket_keys == NULL )
|
||||||
|
return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
memcpy( p, ssl->ticket_keys->key_name, 16 );
|
||||||
p += 16;
|
p += 16;
|
||||||
|
|
||||||
memset( p, 0, 16 ); // TODO: iv
|
memset( p, 0, 16 ); // TODO: iv
|
||||||
|
@ -208,7 +211,7 @@ static int ssl_parse_ticket( ssl_context *ssl,
|
||||||
const unsigned char *mac;
|
const unsigned char *mac;
|
||||||
size_t enc_len, clear_len;
|
size_t enc_len, clear_len;
|
||||||
|
|
||||||
if( len < 34 )
|
if( len < 34 || ssl->ticket_keys == NULL )
|
||||||
return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
|
return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
|
||||||
|
|
||||||
enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
|
enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
|
||||||
|
@ -217,8 +220,8 @@ static int ssl_parse_ticket( ssl_context *ssl,
|
||||||
if( len != enc_len + 66 )
|
if( len != enc_len + 66 )
|
||||||
return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
|
return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
|
||||||
|
|
||||||
// TODO: check key_name
|
if( memcmp( key_name, ssl->ticket_keys->key_name, 16 ) != 0 )
|
||||||
(void) key_name;
|
return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
|
||||||
|
|
||||||
// TODO: check hmac
|
// TODO: check hmac
|
||||||
(void) mac;
|
(void) mac;
|
||||||
|
|
|
@ -2972,6 +2972,28 @@ int ssl_session_reset( ssl_context *ssl )
|
||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Allocate and initialize ticket keys
|
||||||
|
*/
|
||||||
|
static int ssl_ticket_keys_init( ssl_context *ssl )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
ssl_ticket_keys *tkeys;
|
||||||
|
|
||||||
|
if( ssl->ticket_keys != NULL )
|
||||||
|
return( 0 );
|
||||||
|
|
||||||
|
if( ( tkeys = polarssl_malloc( sizeof( ssl_ticket_keys ) ) ) == NULL )
|
||||||
|
return( POLARSSL_ERR_SSL_MALLOC_FAILED );
|
||||||
|
|
||||||
|
if( ( ret = ssl->f_rng( ssl->p_rng, tkeys->key_name, 16 ) ) != 0 )
|
||||||
|
return( ret );
|
||||||
|
|
||||||
|
ssl->ticket_keys = tkeys;
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* SSL set accessors
|
* SSL set accessors
|
||||||
*/
|
*/
|
||||||
|
@ -3232,7 +3254,13 @@ int ssl_set_session_tickets( ssl_context *ssl, int use_tickets )
|
||||||
{
|
{
|
||||||
ssl->session_tickets = use_tickets;
|
ssl->session_tickets = use_tickets;
|
||||||
|
|
||||||
return( 0 );
|
if( ssl->endpoint == SSL_IS_CLIENT )
|
||||||
|
return( 0 );
|
||||||
|
|
||||||
|
if( ssl->f_rng == NULL )
|
||||||
|
return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
return( ssl_ticket_keys_init( ssl ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -3671,6 +3699,8 @@ void ssl_free( ssl_context *ssl )
|
||||||
polarssl_free( ssl->session );
|
polarssl_free( ssl->session );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
polarssl_free( ssl->ticket_keys );
|
||||||
|
|
||||||
if ( ssl->hostname != NULL)
|
if ( ssl->hostname != NULL)
|
||||||
{
|
{
|
||||||
memset( ssl->hostname, 0, ssl->hostname_len );
|
memset( ssl->hostname, 0, ssl->hostname_len );
|
||||||
|
|
Loading…
Reference in a new issue