Start adding ticket keys (only key_name for now)
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 5596cc1..b51cc87 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -328,6 +328,7 @@
typedef struct _ssl_context ssl_context;
typedef struct _ssl_transform ssl_transform;
typedef struct _ssl_handshake_params ssl_handshake_params;
+typedef struct _ssl_ticket_keys ssl_ticket_keys;
/*
* This structure is used for storing current session data.
@@ -445,6 +446,14 @@
int new_session_ticket; /*!< use NewSessionTicket? */
};
+/*
+ * Parameters needed to secure session tickets
+ */
+struct _ssl_ticket_keys
+{
+ unsigned char key_name[16]; /*!< name to quickly discard bad tickets */
+};
+
struct _ssl_context
{
/*
@@ -554,6 +563,11 @@
#endif /* POLARSSL_X509_PARSE_C */
/*
+ * Support for generating and checking session tickets
+ */
+ ssl_ticket_keys *ticket_keys; /*!< keys for ticket encryption */
+
+ /*
* User settings
*/
int endpoint; /*!< 0: client, 1: server */
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 5b7db17..1178309 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -165,7 +165,10 @@
unsigned char *p = start;
size_t clear_len, enc_len;
- memset( p, 0, 16 ); // TODO: key_name
+ if( ssl->ticket_keys == NULL )
+ return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
+
+ memcpy( p, ssl->ticket_keys->key_name, 16 );
p += 16;
memset( p, 0, 16 ); // TODO: iv
@@ -208,7 +211,7 @@
const unsigned char *mac;
size_t enc_len, clear_len;
- if( len < 34 )
+ if( len < 34 || ssl->ticket_keys == NULL )
return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
@@ -217,8 +220,8 @@
if( len != enc_len + 66 )
return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
- // TODO: check key_name
- (void) key_name;
+ if( memcmp( key_name, ssl->ticket_keys->key_name, 16 ) != 0 )
+ return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
// TODO: check hmac
(void) mac;
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index f7b9bd9..f4d6e24 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2973,6 +2973,28 @@
}
/*
+ * Allocate and initialize ticket keys
+ */
+static int ssl_ticket_keys_init( ssl_context *ssl )
+{
+ int ret;
+ ssl_ticket_keys *tkeys;
+
+ if( ssl->ticket_keys != NULL )
+ return( 0 );
+
+ if( ( tkeys = polarssl_malloc( sizeof( ssl_ticket_keys ) ) ) == NULL )
+ return( POLARSSL_ERR_SSL_MALLOC_FAILED );
+
+ if( ( ret = ssl->f_rng( ssl->p_rng, tkeys->key_name, 16 ) ) != 0 )
+ return( ret );
+
+ ssl->ticket_keys = tkeys;
+
+ return( 0 );
+}
+
+/*
* SSL set accessors
*/
void ssl_set_endpoint( ssl_context *ssl, int endpoint )
@@ -3232,7 +3254,13 @@
{
ssl->session_tickets = use_tickets;
- return( 0 );
+ if( ssl->endpoint == SSL_IS_CLIENT )
+ return( 0 );
+
+ if( ssl->f_rng == NULL )
+ return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
+
+ return( ssl_ticket_keys_init( ssl ) );
}
/*
@@ -3671,6 +3699,8 @@
polarssl_free( ssl->session );
}
+ polarssl_free( ssl->ticket_keys );
+
if ( ssl->hostname != NULL)
{
memset( ssl->hostname, 0, ssl->hostname_len );
