From a503a63b8578fd2b8fec1809a0e11088edc04027 Mon Sep 17 00:00:00 2001 From: Paul Bakker Date: Wed, 14 Aug 2013 13:48:06 +0200 Subject: [PATCH] Made session tickets support configurable from config.h --- include/polarssl/config.h | 12 ++++++++++++ include/polarssl/ssl.h | 12 ++++++++++++ library/ssl_cli.c | 14 ++++++++++++++ library/ssl_srv.c | 23 ++++++++++++++++++++++- library/ssl_tls.c | 10 ++++++++++ programs/ssl/ssl_client2.c | 11 ++++++++++- programs/ssl/ssl_server2.c | 11 ++++++++++- 7 files changed, 90 insertions(+), 3 deletions(-) diff --git a/include/polarssl/config.h b/include/polarssl/config.h index 6cabebb2f..6fa95c433 100644 --- a/include/polarssl/config.h +++ b/include/polarssl/config.h @@ -528,6 +528,18 @@ */ #define POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO +/** + * \def POLARSSL_SSL_SESSION_TICKETS + * + * Enable support for RFC 5077 session tickets in SSL + * + * Requires: POLARSSL_AES_C + * POLARSSL_SHA256_C + * + * Comment this macro to disable support for SSL session tickets + */ +#define POLARSSL_SSL_SESSION_TICKETS + /** * \def POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION * diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index 6570081fe..f45d00e55 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h @@ -329,7 +329,9 @@ typedef struct _ssl_session ssl_session; typedef struct _ssl_context ssl_context; typedef struct _ssl_transform ssl_transform; typedef struct _ssl_handshake_params ssl_handshake_params; +#if defined(POLARSSL_SSL_SESSION_TICKETS) typedef struct _ssl_ticket_keys ssl_ticket_keys; +#endif /* * This structure is used for storing current session data. @@ -349,9 +351,11 @@ struct _ssl_session x509_cert *peer_cert; /*!< peer X.509 cert chain */ #endif /* POLARSSL_X509_PARSE_C */ +#if defined(POLARSSL_SSL_SESSION_TICKETS) unsigned char *ticket; /*!< RFC 5077 session ticket */ size_t ticket_len; /*!< session ticket length */ uint32_t ticket_lifetime; /*!< ticket lifetime hint */ +#endif /* POLARSSL_SSL_SESSION_TICKETS */ unsigned char mfl_code; /*!< MaxFragmentLength negotiated by peer */ int trunc_hmac; /*!< flag for truncated hmac activation */ @@ -444,9 +448,12 @@ struct _ssl_handshake_params int max_major_ver; /*!< max. major version client*/ int max_minor_ver; /*!< max. minor version client*/ +#if defined(POLARSSL_SSL_SESSION_TICKETS) int new_session_ticket; /*!< use NewSessionTicket? */ +#endif /* POLARSSL_SSL_SESSION_TICKETS */ }; +#if defined(POLARSSL_SSL_SESSION_TICKETS) /* * Parameters needed to secure session tickets */ @@ -457,6 +464,7 @@ struct _ssl_ticket_keys aes_context dec; /*!< decryption context */ unsigned char mac_key[16]; /*!< authentication key */ }; +#endif /* POLARSSL_SSL_SESSION_TICKETS */ struct _ssl_context { @@ -566,10 +574,12 @@ struct _ssl_context const char *peer_cn; /*!< expected peer CN */ #endif /* POLARSSL_X509_PARSE_C */ +#if defined(POLARSSL_SSL_SESSION_TICKETS) /* * Support for generating and checking session tickets */ ssl_ticket_keys *ticket_keys; /*!< keys for ticket encryption */ +#endif /* POLARSSL_SSL_SESSION_TICKETS */ /* * User settings @@ -1037,6 +1047,7 @@ int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code ); */ int ssl_set_truncated_hmac( ssl_context *ssl, int truncate ); +#if defined(POLARSSL_SSL_SESSION_TICKETS) /** * \brief Enable / Disable session tickets * (Default: SSL_SESSION_TICKETS_ENABLED on client, @@ -1054,6 +1065,7 @@ int ssl_set_truncated_hmac( ssl_context *ssl, int truncate ); * or a specific error code (server only). */ int ssl_set_session_tickets( ssl_context *ssl, int use_tickets ); +#endif /* POLARSSL_SSL_SESSION_TICKETS */ /** * \brief Enable / Disable renegotiation support for connection when diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 402c85a47..ac728324f 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -322,6 +322,7 @@ static void ssl_write_truncated_hmac_ext( ssl_context *ssl, *olen = 4; } +#if defined(POLARSSL_SSL_SESSION_TICKETS) static void ssl_write_session_ticket_ext( ssl_context *ssl, unsigned char *buf, size_t *olen ) { @@ -356,6 +357,7 @@ static void ssl_write_session_ticket_ext( ssl_context *ssl, *olen += tlen; } +#endif /* POLARSSL_SSL_SESSION_TICKETS */ static int ssl_write_client_hello( ssl_context *ssl ) { @@ -441,6 +443,7 @@ static int ssl_write_client_hello( ssl_context *ssl ) n = 0; } +#if defined(POLARSSL_SSL_SESSION_TICKETS) /* * RFC 5077 section 3.4: "When presenting a ticket, the client MAY * generate and include a Session ID in the TLS ClientHello." @@ -456,6 +459,7 @@ static int ssl_write_client_hello( ssl_context *ssl ) ssl->session_negotiate->length = n = 32; } +#endif /* POLARSSL_SSL_SESSION_TICKETS */ *p++ = (unsigned char) n; @@ -548,8 +552,10 @@ static int ssl_write_client_hello( ssl_context *ssl ) ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen ); ext_len += olen; +#if defined(POLARSSL_SSL_SESSION_TICKETS) ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen ); ext_len += olen; +#endif SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d", ext_len ) ); @@ -650,6 +656,7 @@ static int ssl_parse_truncated_hmac_ext( ssl_context *ssl, return( 0 ); } +#if defined(POLARSSL_SSL_SESSION_TICKETS) static int ssl_parse_session_ticket_ext( ssl_context *ssl, const unsigned char *buf, size_t len ) @@ -666,6 +673,7 @@ static int ssl_parse_session_ticket_ext( ssl_context *ssl, return( 0 ); } +#endif /* POLARSSL_SSL_SESSION_TICKETS */ static int ssl_parse_server_hello( ssl_context *ssl ) { @@ -905,6 +913,7 @@ static int ssl_parse_server_hello( ssl_context *ssl ) break; +#if defined(POLARSSL_SSL_SESSION_TICKETS) case TLS_EXT_SESSION_TICKET: SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) ); @@ -915,6 +924,7 @@ static int ssl_parse_server_hello( ssl_context *ssl ) } break; +#endif /* POLARSSL_SSL_SESSION_TICKETS */ default: SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", @@ -1925,6 +1935,7 @@ static int ssl_write_certificate_verify( ssl_context *ssl ) !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED && !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */ +#if defined(POLARSSL_SSL_SESSION_TICKETS) static int ssl_parse_new_session_ticket( ssl_context *ssl ) { int ret; @@ -2016,6 +2027,7 @@ static int ssl_parse_new_session_ticket( ssl_context *ssl ) return( 0 ); } +#endif /* POLARSSL_SSL_SESSION_TICKETS */ /* * SSL handshake -- client side -- single step @@ -2105,9 +2117,11 @@ int ssl_handshake_client_step( ssl_context *ssl ) * Finished */ case SSL_SERVER_CHANGE_CIPHER_SPEC: +#if defined(POLARSSL_SSL_SESSION_TICKETS) if( ssl->handshake->new_session_ticket != 0 ) ret = ssl_parse_new_session_ticket( ssl ); else +#endif ret = ssl_parse_change_cipher_spec( ssl ); break; diff --git a/library/ssl_srv.c b/library/ssl_srv.c index f94fda50a..0dbcdb5ed 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -47,6 +47,7 @@ #include #endif +#if defined(POLARSSL_SSL_SESSION_TICKETS) /* * Serialize a session in the following format: * 0 . n-1 session structure, n = sizeof(ssl_session) @@ -300,6 +301,7 @@ static int ssl_parse_ticket( ssl_context *ssl, return( 0 ); } +#endif /* POLARSSL_SSL_SESSION_TICKETS */ static int ssl_parse_servername_ext( ssl_context *ssl, const unsigned char *buf, @@ -584,6 +586,7 @@ static int ssl_parse_truncated_hmac_ext( ssl_context *ssl, return( 0 ); } +#if defined(POLARSSL_SSL_SESSION_TICKETS) static int ssl_parse_session_ticket_ext( ssl_context *ssl, unsigned char *buf, size_t len ) @@ -625,6 +628,7 @@ static int ssl_parse_session_ticket_ext( ssl_context *ssl, return( 0 ); } +#endif /* POLARSSL_SSL_SESSION_TICKETS */ #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) static int ssl_parse_client_hello_v2( ssl_context *ssl ) @@ -1176,6 +1180,7 @@ static int ssl_parse_client_hello( ssl_context *ssl ) return( ret ); break; +#if defined(POLARSSL_SSL_SESSION_TICKETS) case TLS_EXT_SESSION_TICKET: SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) ); @@ -1183,6 +1188,7 @@ static int ssl_parse_client_hello( ssl_context *ssl ) if( ret != 0 ) return( ret ); break; +#endif /* POLARSSL_SSL_SESSION_TICKETS */ default: SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", @@ -1316,6 +1322,7 @@ static void ssl_write_truncated_hmac_ext( ssl_context *ssl, *olen = 4; } +#if defined(POLARSSL_SSL_SESSION_TICKETS) static void ssl_write_session_ticket_ext( ssl_context *ssl, unsigned char *buf, size_t *olen ) @@ -1338,6 +1345,7 @@ static void ssl_write_session_ticket_ext( ssl_context *ssl, *olen = 4; } +#endif /* POLARSSL_SSL_SESSION_TICKETS */ static void ssl_write_renegotiation_ext( ssl_context *ssl, unsigned char *buf, @@ -1466,11 +1474,12 @@ static int ssl_write_server_hello( ssl_context *ssl ) */ ssl->state++; +#if defined(POLARSSL_SSL_SESSION_TICKETS) if( ssl->handshake->new_session_ticket == 0 ) { ssl->session_negotiate->length = n = 32; if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, - n ) ) != 0 ) + n ) ) != 0 ) return( ret ); } else @@ -1478,6 +1487,12 @@ static int ssl_write_server_hello( ssl_context *ssl ) ssl->session_negotiate->length = 0; memset( ssl->session_negotiate->id, 0, 32 ); } +#else + ssl->session_negotiate->length = n = 32; + if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, + n ) ) != 0 ) + return( ret ); +#endif /* POLARSSL_SSL_SESSION_TICKETS */ } else { @@ -1531,8 +1546,10 @@ static int ssl_write_server_hello( ssl_context *ssl ) ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen ); ext_len += olen; +#if defined(POLARSSL_SSL_SESSION_TICKETS) ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen ); ext_len += olen; +#endif SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) ); @@ -2469,6 +2486,7 @@ static int ssl_parse_certificate_verify( ssl_context *ssl ) !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED && !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */ +#if defined(POLARSSL_SSL_SESSION_TICKETS) static int ssl_write_new_session_ticket( ssl_context *ssl ) { int ret; @@ -2518,6 +2536,7 @@ static int ssl_write_new_session_ticket( ssl_context *ssl ) return( 0 ); } +#endif /* POLARSSL_SSL_SESSION_TICKETS */ /* * SSL handshake -- server side -- single step @@ -2607,9 +2626,11 @@ int ssl_handshake_server_step( ssl_context *ssl ) * Finished */ case SSL_SERVER_CHANGE_CIPHER_SPEC: +#if defined(POLARSSL_SSL_SESSION_TICKETS) if( ssl->handshake->new_session_ticket != 0 ) ret = ssl_write_new_session_ticket( ssl ); else +#endif ret = ssl_write_change_cipher_spec( ssl ); break; diff --git a/library/ssl_tls.c b/library/ssl_tls.c index a0bf9ce1d..2585d6e23 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -101,6 +101,7 @@ static int ssl_session_copy( ssl_session *dst, const ssl_session *src ) } #endif /* POLARSSL_X509_PARSE_C */ +#if defined(POLARSSL_SSL_SESSION_TICKETS) if( src->ticket != NULL ) { if( ( dst->ticket = polarssl_malloc( src->ticket_len ) ) == NULL ) @@ -108,6 +109,7 @@ static int ssl_session_copy( ssl_session *dst, const ssl_session *src ) memcpy( dst->ticket, src->ticket, src->ticket_len ); } +#endif /* POLARSSL_SSL_SESSION_TICKETS */ return( 0 ); } @@ -2972,6 +2974,7 @@ int ssl_session_reset( ssl_context *ssl ) return( 0 ); } +#if defined(POLARSSL_SSL_SESSION_TICKETS) /* * Allocate and initialize ticket keys */ @@ -3004,6 +3007,7 @@ static int ssl_ticket_keys_init( ssl_context *ssl ) return( 0 ); } +#endif /* POLARSSL_SSL_SESSION_TICKETS */ /* * SSL set accessors @@ -3261,6 +3265,7 @@ void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy ) ssl->allow_legacy_renegotiation = allow_legacy; } +#if defined(POLARSSL_SSL_SESSION_TICKETS) int ssl_set_session_tickets( ssl_context *ssl, int use_tickets ) { ssl->session_tickets = use_tickets; @@ -3273,6 +3278,7 @@ int ssl_set_session_tickets( ssl_context *ssl, int use_tickets ) return( ssl_ticket_keys_init( ssl ) ); } +#endif /* POLARSSL_SSL_SESSION_TICKETS */ /* * SSL get accessors @@ -3658,7 +3664,9 @@ void ssl_session_free( ssl_session *session ) } #endif +#if defined(POLARSSL_SSL_SESSION_TICKETS) polarssl_free( session->ticket ); +#endif memset( session, 0, sizeof( ssl_session ) ); } @@ -3710,7 +3718,9 @@ void ssl_free( ssl_context *ssl ) polarssl_free( ssl->session ); } +#if defined(POLARSSL_SSL_SESSION_TICKETS) polarssl_free( ssl->ticket_keys ); +#endif if ( ssl->hostname != NULL) { diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 4b92c19f4..291795f0d 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -178,6 +178,13 @@ static int my_verify( void *data, x509_cert *crt, int depth, int *flags ) #define USAGE_PSK "" #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */ +#if defined(POLARSSL_SSL_SESSION_TICKETS) +#define USAGE_TICKETS \ + " tickets=%%d default: 1 (enabled)\n" +#else +#define USAGE_TICKETS "" +#endif /* POLARSSL_SSL_SESSION_TICKETS */ + #define USAGE \ "\n usage: ssl_client2 param=<>...\n" \ "\n acceptable parameters:\n" \ @@ -189,7 +196,7 @@ static int my_verify( void *data, x509_cert *crt, int depth, int *flags ) " renegotiation=%%d default: 1 (enabled)\n" \ " allow_legacy=%%d default: 0 (disabled)\n" \ " reconnect=%%d default: 0 (disabled)\n" \ - " tickets=%%d default: 1 (enabled)\n" \ + USAGE_TICKETS \ "\n" \ " min_version=%%s default: \"\" (ssl3)\n" \ " max_version=%%s default: \"\" (tls1_2)\n" \ @@ -674,7 +681,9 @@ int main( int argc, char *argv[] ) ssl_set_bio( &ssl, net_recv, &server_fd, net_send, &server_fd ); +#if defined(POLARSSL_SSL_SESSION_TICKETS) ssl_set_session_tickets( &ssl, opt.tickets ); +#endif if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) ssl_set_ciphersuites( &ssl, opt.force_ciphersuite ); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 2ed74e404..aca0db526 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -146,6 +146,13 @@ static void my_debug( void *ctx, int level, const char *str ) #define USAGE_PSK "" #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */ +#if defined(POLARSSL_SSL_SESSION_TICKETS) +#define USAGE_TICKETS \ + " tickets=%%d default: 1 (enabled)\n" +#else +#define USAGE_TICKETS "" +#endif /* POLARSSL_SSL_SESSION_TICKETS */ + #define USAGE \ "\n usage: ssl_server2 param=<>...\n" \ "\n acceptable parameters:\n" \ @@ -154,7 +161,7 @@ static void my_debug( void *ctx, int level, const char *str ) USAGE_IO \ " request_page=%%s default: \".\"\n" \ " renegotiation=%%d default: 1 (enabled)\n" \ - " tickets=%%d default: 1 (enabled)\n" \ + USAGE_TICKETS \ " allow_legacy=%%d default: 0 (disabled)\n" \ " min_version=%%s default: \"ssl3\"\n" \ " max_version=%%s default: \"tls1_2\"\n" \ @@ -621,7 +628,9 @@ int main( int argc, char *argv[] ) ssl_cache_set, &cache ); #endif +#if defined(POLARSSL_SSL_SESSION_TICKETS) ssl_set_session_tickets( &ssl, opt.tickets ); +#endif if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );