Add ssl_set_session_tickets()

This commit is contained in:
Manuel Pégourié-Gonnard 2013-08-03 13:02:31 +02:00 committed by Paul Bakker
parent 306827e3bc
commit aa0d4d1aff
6 changed files with 72 additions and 1 deletions

View File

@ -154,6 +154,9 @@
#define SSL_TRUNC_HMAC_ENABLED 1 #define SSL_TRUNC_HMAC_ENABLED 1
#define SSL_TRUNCATED_HMAC_LEN 10 /* 80 bits, rfc 6066 section 7 */ #define SSL_TRUNCATED_HMAC_LEN 10 /* 80 bits, rfc 6066 section 7 */
#define SSL_SESSION_TICKETS_DISABLED 0
#define SSL_SESSION_TICKETS_ENABLED 1
/* /*
* Size of the input / output buffer. * Size of the input / output buffer.
* Note: the RFC defines the default size of SSL / TLS messages. If you * Note: the RFC defines the default size of SSL / TLS messages. If you
@ -561,6 +564,7 @@ struct _ssl_context
int allow_legacy_renegotiation; /*!< allow legacy renegotiation */ int allow_legacy_renegotiation; /*!< allow legacy renegotiation */
const int *ciphersuite_list[4]; /*!< allowed ciphersuites / version */ const int *ciphersuite_list[4]; /*!< allowed ciphersuites / version */
int trunc_hmac; /*!< negotiate truncated hmac? */ int trunc_hmac; /*!< negotiate truncated hmac? */
int session_tickets; /*!< use session tickets? */
#if defined(POLARSSL_DHM_C) #if defined(POLARSSL_DHM_C)
mpi dhm_P; /*!< prime modulus for DHM */ mpi dhm_P; /*!< prime modulus for DHM */
@ -667,6 +671,9 @@ int ssl_session_reset( ssl_context *ssl );
* *
* \param ssl SSL context * \param ssl SSL context
* \param endpoint must be SSL_IS_CLIENT or SSL_IS_SERVER * \param endpoint must be SSL_IS_CLIENT or SSL_IS_SERVER
*
* \note This function should be called right after ssl_init() since
* some other ssl_set_foo() functions depend on it.
*/ */
void ssl_set_endpoint( ssl_context *ssl, int endpoint ); void ssl_set_endpoint( ssl_context *ssl, int endpoint );
@ -1012,6 +1019,24 @@ int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code );
*/ */
int ssl_set_truncated_hmac( ssl_context *ssl, int truncate ); int ssl_set_truncated_hmac( ssl_context *ssl, int truncate );
/**
* \brief Enable / Disable session tickets
* (Default: SSL_SESSION_TICKETS_ENABLED on client,
* SSL_SESSION_TICKETS_DISABLED on server)
*
* \note On server, ssl_set_rng() must be called before this function
* to allow generating the ticket encryption and
* authentication keys.
*
* \param ssl SSL context
* \param use_tickets Enable or disable (SSL_SESSION_TICKETS_ENABLED or
* SSL_SESSION_TICKETS_DISABLED)
*
* \return O if successful,
* or a specific error code (server only).
*/
int ssl_set_session_tickets( ssl_context *ssl, int use_tickets );
/** /**
* \brief Enable / Disable renegotiation support for connection when * \brief Enable / Disable renegotiation support for connection when
* initiated by peer * initiated by peer

View File

@ -328,6 +328,12 @@ static void ssl_write_session_ticket_ext( ssl_context *ssl,
unsigned char *p = buf; unsigned char *p = buf;
size_t tlen = ssl->session_negotiate->ticket_len; size_t tlen = ssl->session_negotiate->ticket_len;
if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED )
{
*olen = 0;
return;
}
SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) ); SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
*p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF ); *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
@ -648,8 +654,11 @@ static int ssl_parse_session_ticket_ext( ssl_context *ssl,
const unsigned char *buf, const unsigned char *buf,
size_t len ) size_t len )
{ {
if( len != 0 ) if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED ||
len != 0 )
{
return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
}
((void) buf); ((void) buf);

View File

@ -534,6 +534,9 @@ static int ssl_parse_session_ticket_ext( ssl_context *ssl,
const unsigned char *buf, const unsigned char *buf,
size_t len ) size_t len )
{ {
if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED )
return( 0 );
/* Remember the client asked us to send a new ticket */ /* Remember the client asked us to send a new ticket */
ssl->handshake->new_session_ticket = 1; ssl->handshake->new_session_ticket = 1;

View File

@ -2978,6 +2978,9 @@ int ssl_session_reset( ssl_context *ssl )
void ssl_set_endpoint( ssl_context *ssl, int endpoint ) void ssl_set_endpoint( ssl_context *ssl, int endpoint )
{ {
ssl->endpoint = endpoint; ssl->endpoint = endpoint;
if( endpoint == SSL_IS_CLIENT )
ssl->session_tickets = SSL_SESSION_TICKETS_ENABLED;
} }
void ssl_set_authmode( ssl_context *ssl, int authmode ) void ssl_set_authmode( ssl_context *ssl, int authmode )
@ -3225,6 +3228,13 @@ void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy )
ssl->allow_legacy_renegotiation = allow_legacy; ssl->allow_legacy_renegotiation = allow_legacy;
} }
int ssl_set_session_tickets( ssl_context *ssl, int use_tickets )
{
ssl->session_tickets = use_tickets;
return( 0 );
}
/* /*
* SSL get accessors * SSL get accessors
*/ */

View File

@ -60,6 +60,7 @@
#define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE #define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE
#define DFL_TRUNC_HMAC 0 #define DFL_TRUNC_HMAC 0
#define DFL_RECONNECT 0 #define DFL_RECONNECT 0
#define DFL_TICKETS SSL_SESSION_TICKETS_ENABLED
#define LONG_HEADER "User-agent: blah-blah-blah-blah-blah-blah-blah-blah-" \ #define LONG_HEADER "User-agent: blah-blah-blah-blah-blah-blah-blah-blah-" \
"-01--blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-" \ "-01--blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-" \
@ -98,6 +99,7 @@ struct options
unsigned char mfl_code; /* code for maximum fragment length */ unsigned char mfl_code; /* code for maximum fragment length */
int trunc_hmac; /* negotiate truncated hmac or not */ int trunc_hmac; /* negotiate truncated hmac or not */
int reconnect; /* attempt to resume session */ int reconnect; /* attempt to resume session */
int tickets; /* enable / disable session tickets */
} opt; } opt;
static void my_debug( void *ctx, int level, const char *str ) static void my_debug( void *ctx, int level, const char *str )
@ -187,6 +189,7 @@ static int my_verify( void *data, x509_cert *crt, int depth, int *flags )
" renegotiation=%%d default: 1 (enabled)\n" \ " renegotiation=%%d default: 1 (enabled)\n" \
" allow_legacy=%%d default: 0 (disabled)\n" \ " allow_legacy=%%d default: 0 (disabled)\n" \
" reconnect=%%d default: 0 (disabled)\n" \ " reconnect=%%d default: 0 (disabled)\n" \
" tickets=%%d default: 1 (enabled)\n" \
"\n" \ "\n" \
" min_version=%%s default: \"\" (ssl3)\n" \ " min_version=%%s default: \"\" (ssl3)\n" \
" max_version=%%s default: \"\" (tls1_2)\n" \ " max_version=%%s default: \"\" (tls1_2)\n" \
@ -291,6 +294,7 @@ int main( int argc, char *argv[] )
opt.mfl_code = DFL_MFL_CODE; opt.mfl_code = DFL_MFL_CODE;
opt.trunc_hmac = DFL_TRUNC_HMAC; opt.trunc_hmac = DFL_TRUNC_HMAC;
opt.reconnect = DFL_RECONNECT; opt.reconnect = DFL_RECONNECT;
opt.tickets = DFL_TICKETS;
for( i = 1; i < argc; i++ ) for( i = 1; i < argc; i++ )
{ {
@ -357,6 +361,12 @@ int main( int argc, char *argv[] )
if( opt.reconnect < 0 || opt.reconnect > 2 ) if( opt.reconnect < 0 || opt.reconnect > 2 )
goto usage; goto usage;
} }
else if( strcmp( p, "tickets" ) == 0 )
{
opt.tickets = atoi( q );
if( opt.tickets < 0 || opt.tickets > 2 )
goto usage;
}
else if( strcmp( p, "min_version" ) == 0 ) else if( strcmp( p, "min_version" ) == 0 )
{ {
if( strcmp( q, "ssl3" ) == 0 ) if( strcmp( q, "ssl3" ) == 0 )
@ -664,6 +674,8 @@ int main( int argc, char *argv[] )
ssl_set_bio( &ssl, net_recv, &server_fd, ssl_set_bio( &ssl, net_recv, &server_fd,
net_send, &server_fd ); net_send, &server_fd );
ssl_set_session_tickets( &ssl, opt.tickets );
if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
ssl_set_ciphersuites( &ssl, opt.force_ciphersuite ); ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );

View File

@ -69,6 +69,7 @@
#define DFL_MAX_VERSION -1 #define DFL_MAX_VERSION -1
#define DFL_AUTH_MODE SSL_VERIFY_OPTIONAL #define DFL_AUTH_MODE SSL_VERIFY_OPTIONAL
#define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE #define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE
#define DFL_TICKETS SSL_SESSION_TICKETS_ENABLED
#define LONG_RESPONSE "<p>01-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \ #define LONG_RESPONSE "<p>01-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
"02-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \ "02-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
@ -105,6 +106,7 @@ struct options
int max_version; /* maximum protocol version accepted */ int max_version; /* maximum protocol version accepted */
int auth_mode; /* verify mode for connection */ int auth_mode; /* verify mode for connection */
unsigned char mfl_code; /* code for maximum fragment length */ unsigned char mfl_code; /* code for maximum fragment length */
int tickets; /* enable / disable session tickets */
} opt; } opt;
static void my_debug( void *ctx, int level, const char *str ) static void my_debug( void *ctx, int level, const char *str )
@ -152,6 +154,7 @@ static void my_debug( void *ctx, int level, const char *str )
USAGE_IO \ USAGE_IO \
" request_page=%%s default: \".\"\n" \ " request_page=%%s default: \".\"\n" \
" renegotiation=%%d default: 1 (enabled)\n" \ " renegotiation=%%d default: 1 (enabled)\n" \
" tickets=%%d default: 1 (enabled)\n" \
" allow_legacy=%%d default: 0 (disabled)\n" \ " allow_legacy=%%d default: 0 (disabled)\n" \
" min_version=%%s default: \"ssl3\"\n" \ " min_version=%%s default: \"ssl3\"\n" \
" max_version=%%s default: \"tls1_2\"\n" \ " max_version=%%s default: \"tls1_2\"\n" \
@ -265,6 +268,7 @@ int main( int argc, char *argv[] )
opt.max_version = DFL_MAX_VERSION; opt.max_version = DFL_MAX_VERSION;
opt.auth_mode = DFL_AUTH_MODE; opt.auth_mode = DFL_AUTH_MODE;
opt.mfl_code = DFL_MFL_CODE; opt.mfl_code = DFL_MFL_CODE;
opt.tickets = DFL_TICKETS;
for( i = 1; i < argc; i++ ) for( i = 1; i < argc; i++ )
{ {
@ -396,6 +400,12 @@ int main( int argc, char *argv[] )
else else
goto usage; goto usage;
} }
else if( strcmp( p, "tickets" ) == 0 )
{
opt.tickets = atoi( q );
if( opt.tickets < 0 || opt.tickets > 1 )
goto usage;
}
else else
goto usage; goto usage;
} }
@ -611,6 +621,8 @@ int main( int argc, char *argv[] )
ssl_cache_set, &cache ); ssl_cache_set, &cache );
#endif #endif
ssl_set_session_tickets( &ssl, opt.tickets );
if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
ssl_set_ciphersuites( &ssl, opt.force_ciphersuite ); ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );