Made session tickets support configurable from config.h
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 6cabebb..6fa95c4 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -529,6 +529,18 @@
 #define POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
 
 /**
+ * \def POLARSSL_SSL_SESSION_TICKETS
+ *
+ * Enable support for RFC 5077 session tickets in SSL
+ *
+ * Requires: POLARSSL_AES_C
+ *           POLARSSL_SHA256_C
+ *
+ * Comment this macro to disable support for SSL session tickets
+ */
+#define POLARSSL_SSL_SESSION_TICKETS
+
+/**
  * \def POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
  *
  * If set, the X509 parser will not break-off when parsing an X509 certificate
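Review bot: The `Requires: POLARSSL_AES_C / POLARSSL_SHA256_C` lines in the new doc block are only a comment; nothing in this diff makes the build fail when POLARSSL_SSL_SESSION_TICKETS is defined without those modules. Unless a configuration check elsewhere already covers it, add a guard after the module defines (end of config.h or wherever the configuration is validated): `#if defined(POLARSSL_SSL_SESSION_TICKETS) && ( !defined(POLARSSL_AES_C) || !defined(POLARSSL_SHA256_C) )` / `#error "POLARSSL_SSL_SESSION_TICKETS requires POLARSSL_AES_C and POLARSSL_SHA256_C"` / `#endif`. That way a bad combination is reported as a configuration error rather than as compile or link failures inside the ssl_*.c files. The doc block could also state that the feature is enabled by default, since the macro decides whether ticket-based resumption is compiled in at all.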
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 6570081..f45d00e 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -329,7 +329,9 @@
 typedef struct _ssl_context ssl_context;
 typedef struct _ssl_transform ssl_transform;
 typedef struct _ssl_handshake_params ssl_handshake_params;
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
 typedef struct _ssl_ticket_keys ssl_ticket_keys;
+#endif
 
 /*
  * This structure is used for storing current session data.
@@ -349,9 +351,11 @@
     x509_cert *peer_cert;       /*!< peer X.509 cert chain */
 #endif /* POLARSSL_X509_PARSE_C */
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
     unsigned char *ticket;      /*!< RFC 5077 session ticket */
     size_t ticket_len;          /*!< session ticket length   */
     uint32_t ticket_lifetime;   /*!< ticket lifetime hint    */
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
     unsigned char mfl_code;     /*!< MaxFragmentLength negotiated by peer */
     int trunc_hmac;             /*!< flag for truncated hmac activation   */
@@ -444,9 +448,12 @@
     int max_major_ver;                  /*!< max. major version client*/
     int max_minor_ver;                  /*!< max. minor version client*/
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
     int new_session_ticket;             /*!< use NewSessionTicket?    */
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 };
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
 /*
  * Parameters needed to secure session tickets
  */
@@ -457,6 +464,7 @@
     aes_context dec;                /*!< decryption context                  */
     unsigned char mac_key[16];      /*!< authentication key                  */
 };
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
 struct _ssl_context
 {
@@ -566,10 +574,12 @@
     const char *peer_cn;                /*!<  expected peer CN        */
 #endif /* POLARSSL_X509_PARSE_C */
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
     /*
      * Support for generating and checking session tickets
      */
     ssl_ticket_keys *ticket_keys;       /*!<  keys for ticket encryption */
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
     /*
      * User settings
@@ -1037,6 +1047,7 @@
  */
 int ssl_set_truncated_hmac( ssl_context *ssl, int truncate );
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
 /**
  * \brief          Enable / Disable session tickets
  *                 (Default: SSL_SESSION_TICKETS_ENABLED on client,
@@ -1054,6 +1065,7 @@
  *                 or a specific error code (server only).
  */
 int ssl_set_session_tickets( ssl_context *ssl, int use_tickets );
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
 /**
  * \brief          Enable / Disable renegotiation support for connection when
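Review bot: The documentation for `ssl_set_session_tickets()` does not say that the function now exists only when POLARSSL_SSL_SESSION_TICKETS is defined, so a caller building against a reduced config.h gets an implicit-declaration or link error with no hint in the API docs. Add a line such as `\note Only available if POLARSSL_SSL_SESSION_TICKETS is defined in config.h.` to the comment block, which begins in the preceding hunk and is only partly visible here. The example programs changed in this commit already wrap their calls in the same `#if`, which is what external callers will need to do as well.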
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 402c85a..ac72832 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -322,6 +322,7 @@
     *olen = 4;
 }
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
 static void ssl_write_session_ticket_ext( ssl_context *ssl,
                                           unsigned char *buf, size_t *olen )
 {
@@ -356,6 +357,7 @@
 
     *olen += tlen;
 }
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
 static int ssl_write_client_hello( ssl_context *ssl )
 {
@@ -441,6 +443,7 @@
         n = 0;
     }
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
     /*
      * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
      * generate and include a Session ID in the TLS ClientHello."
@@ -456,6 +459,7 @@
 
         ssl->session_negotiate->length = n = 32;
     }
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
     *p++ = (unsigned char) n;
 
@@ -548,8 +552,10 @@
     ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
     ext_len += olen;
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
     ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
     ext_len += olen;
+#endif
 
     SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
                    ext_len ) );
@@ -650,6 +656,7 @@
     return( 0 );
 }
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
 static int ssl_parse_session_ticket_ext( ssl_context *ssl,
                                          const unsigned char *buf,
                                          size_t len )
@@ -666,6 +673,7 @@
 
     return( 0 );
 }
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
 static int ssl_parse_server_hello( ssl_context *ssl )
 {
@@ -905,6 +913,7 @@
 
             break;
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
         case TLS_EXT_SESSION_TICKET:
             SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
 
@@ -915,6 +924,7 @@
             }
 
             break;
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
         default:
             SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
@@ -1925,6 +1935,7 @@
           !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
           !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
 static int ssl_parse_new_session_ticket( ssl_context *ssl )
 {
     int ret;
@@ -2016,6 +2027,7 @@
 
     return( 0 );
 }
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
 /*
  * SSL handshake -- client side -- single step
@@ -2105,9 +2117,11 @@
         *        Finished
         */
        case SSL_SERVER_CHANGE_CIPHER_SPEC:
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
            if( ssl->handshake->new_session_ticket != 0 )
                ret = ssl_parse_new_session_ticket( ssl );
            else
+#endif
                ret = ssl_parse_change_cipher_spec( ssl );
            break;
 
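Review bot: The `else` that closes the guarded region in the `SSL_SERVER_CHANGE_CIPHER_SPEC` case binds to the unbraced `ret = ssl_parse_change_cipher_spec( ssl );` that follows the `#endif`, so the handshake state machine's control flow depends on exactly one statement sitting after the directive. A line inserted between `#endif` and that call would change which handshake message is processed in the tickets build only, and the non-tickets build would not show the difference. Bracing the fallback, i.e. `else` / `#endif` / `{ ret = ssl_parse_change_cipher_spec( ssl ); }`, keeps both configurations equivalent; the same construct appears in the `@@ -2607,9 +2626,11 @@` hunk of library/ssl_srv.c. The enclosing function starts and ends outside this hunk.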
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index f94fda5..0dbcdb5 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -47,6 +47,7 @@
 #include <time.h>
 #endif
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
 /*
  * Serialize a session in the following format:
  *  0   .   n-1     session structure, n = sizeof(ssl_session)
@@ -300,6 +301,7 @@
 
     return( 0 );
 }
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
 static int ssl_parse_servername_ext( ssl_context *ssl,
                                      const unsigned char *buf,
@@ -584,6 +586,7 @@
     return( 0 );
 }
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
 static int ssl_parse_session_ticket_ext( ssl_context *ssl,
                                          unsigned char *buf,
                                          size_t len )
@@ -625,6 +628,7 @@
 
     return( 0 );
 }
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
 static int ssl_parse_client_hello_v2( ssl_context *ssl )
@@ -1176,6 +1180,7 @@
                 return( ret );
             break;
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
         case TLS_EXT_SESSION_TICKET:
             SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
 
@@ -1183,6 +1188,7 @@
             if( ret != 0 )
                 return( ret );
             break;
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
         default:
             SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
@@ -1316,6 +1322,7 @@
     *olen = 4;
 }
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
 static void ssl_write_session_ticket_ext( ssl_context *ssl,
                                           unsigned char *buf,
                                           size_t *olen )
@@ -1338,6 +1345,7 @@
 
     *olen = 4;
 }
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
 static void ssl_write_renegotiation_ext( ssl_context *ssl,
                                          unsigned char *buf,
@@ -1466,11 +1474,12 @@
          */
         ssl->state++;
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
         if( ssl->handshake->new_session_ticket == 0 )
         {
             ssl->session_negotiate->length = n = 32;
             if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
-                            n ) ) != 0 )
+                                    n ) ) != 0 )
                 return( ret );
         }
         else
@@ -1478,6 +1487,12 @@
             ssl->session_negotiate->length = 0;
             memset( ssl->session_negotiate->id, 0, 32 );
         }
+#else
+        ssl->session_negotiate->length = n = 32;
+        if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
+                                n ) ) != 0 )
+            return( ret );
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
     }
     else
     {
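Review bot: The `#else` branch repeats the session-ID generation (`length = n = 32`, the `f_rng` call and its error check) that already exists in the `new_session_ticket == 0` branch of the preceding hunk, so the two build configurations now carry separate copies of RNG-handling code that can drift apart. Inverting the test lets the preprocessor guard only the ticket-specific branch and leaves a single, always-compiled copy of the RNG call and its return-value check. The sketch assumes the one line hidden between the two hunks is the opening brace of the `else` body; the enclosing function starts and ends outside the hunk.

```c
#if defined(POLARSSL_SSL_SESSION_TICKETS)
        if( ssl->handshake->new_session_ticket != 0 )
        {
            ssl->session_negotiate->length = 0;
            memset( ssl->session_negotiate->id, 0, 32 );
        }
        else
#endif /* POLARSSL_SSL_SESSION_TICKETS */
        {
            ssl->session_negotiate->length = n = 32;
            if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
                                    n ) ) != 0 )
                return( ret );
        }
```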
@@ -1531,8 +1546,10 @@
     ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
     ext_len += olen;
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
     ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
     ext_len += olen;
+#endif
 
     SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
 
@@ -2469,6 +2486,7 @@
           !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
           !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
 static int ssl_write_new_session_ticket( ssl_context *ssl )
 {
     int ret;
@@ -2518,6 +2536,7 @@
 
     return( 0 );
 }
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
 /*
  * SSL handshake -- server side -- single step
@@ -2607,9 +2626,11 @@
          *        Finished
          */
         case SSL_SERVER_CHANGE_CIPHER_SPEC:
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
             if( ssl->handshake->new_session_ticket != 0 )
                 ret = ssl_write_new_session_ticket( ssl );
             else
+#endif
                 ret = ssl_write_change_cipher_spec( ssl );
             break;
 
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index a0bf9ce..2585d6e 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -101,6 +101,7 @@
     }
 #endif /* POLARSSL_X509_PARSE_C */
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
     if( src->ticket != NULL )
     {
         if( ( dst->ticket = polarssl_malloc( src->ticket_len ) ) == NULL )
@@ -108,6 +109,7 @@
 
         memcpy( dst->ticket, src->ticket, src->ticket_len );
     }
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
     return( 0 );
 }
@@ -2972,6 +2974,7 @@
     return( 0 );
 }
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
 /*
  * Allocate and initialize ticket keys
  */
@@ -3004,6 +3007,7 @@
 
     return( 0 );
 }
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
 /*
  * SSL set accessors
@@ -3261,6 +3265,7 @@
     ssl->allow_legacy_renegotiation = allow_legacy;
 }
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
 int ssl_set_session_tickets( ssl_context *ssl, int use_tickets )
 {
     ssl->session_tickets = use_tickets;
@@ -3273,6 +3278,7 @@
 
     return( ssl_ticket_keys_init( ssl ) );
 }
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
 /*
  * SSL get accessors
@@ -3658,7 +3664,9 @@
     }
 #endif
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
     polarssl_free( session->ticket );
+#endif
 
     memset( session, 0, sizeof( ssl_session ) );
 }
@@ -3710,7 +3718,9 @@
         polarssl_free( ssl->session );
     }
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
     polarssl_free( ssl->ticket_keys );
+#endif
 
     if ( ssl->hostname != NULL)
     {
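Review bot: `polarssl_free( ssl->ticket_keys )` releases the ticket key structure without clearing it first; per the struct shown in the ssl.h section it holds the AES encryption/decryption contexts and `mac_key`, so that key material stays in freed heap memory unless `polarssl_free` or code outside this hunk wipes it. Since the line is being touched anyway, zero `sizeof( ssl_ticket_keys )` bytes behind a `ssl->ticket_keys != NULL` check before the free. A plain `memset` placed directly before a free can be removed by the optimizer, so the wipe should go through a volatile pointer or an equivalent non-elidable helper. The enclosing function starts and ends outside the hunk.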
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 4b92c19..291795f 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -178,6 +178,13 @@
 #define USAGE_PSK ""
 #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
+#define USAGE_TICKETS                                       \
+    "    tickets=%%d          default: 1 (enabled)\n"
+#else
+#define USAGE_TICKETS ""
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
+
 #define USAGE \
     "\n usage: ssl_client2 param=<>...\n"                   \
     "\n acceptable parameters:\n"                           \
@@ -189,7 +196,7 @@
     "    renegotiation=%%d    default: 1 (enabled)\n"       \
     "    allow_legacy=%%d     default: 0 (disabled)\n"      \
     "    reconnect=%%d        default: 0 (disabled)\n"      \
-    "    tickets=%%d          default: 1 (enabled)\n"       \
+    USAGE_TICKETS                                           \
     "\n"                                                    \
     "    min_version=%%s      default: \"\" (ssl3)\n"       \
     "    max_version=%%s      default: \"\" (tls1_2)\n"     \
@@ -674,7 +681,9 @@
     ssl_set_bio( &ssl, net_recv, &server_fd,
                        net_send, &server_fd );
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
     ssl_set_session_tickets( &ssl, opt.tickets );
+#endif
 
     if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
         ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );
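Review bot: With POLARSSL_SSL_SESSION_TICKETS undefined, the `tickets=%d` line disappears from the usage text and the `ssl_set_session_tickets()` call is compiled out, but no hunk in this file touches the argument parsing, so `tickets=1` is presumably still accepted and then silently ignored. For a test client used to check resumption behaviour, a setting that is accepted but has no effect is easy to misread. Wrapping the parsing of `tickets` in the same `#if defined(POLARSSL_SSL_SESSION_TICKETS)` would make an unsupported option get reported instead of ignored. programs/ssl/ssl_server2.c has the same pattern in its `@@ -621,7 +628,9 @@` hunk.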
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 2ed74e4..aca0db5 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -146,6 +146,13 @@
 #define USAGE_PSK ""
 #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
+#define USAGE_TICKETS                                       \
+    "    tickets=%%d          default: 1 (enabled)\n"
+#else
+#define USAGE_TICKETS ""
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
+
 #define USAGE \
     "\n usage: ssl_server2 param=<>...\n"                   \
     "\n acceptable parameters:\n"                           \
@@ -154,7 +161,7 @@
     USAGE_IO                                                \
     "    request_page=%%s     default: \".\"\n"             \
     "    renegotiation=%%d    default: 1 (enabled)\n"       \
-    "    tickets=%%d          default: 1 (enabled)\n"       \
+    USAGE_TICKETS                                           \
     "    allow_legacy=%%d     default: 0 (disabled)\n"      \
     "    min_version=%%s      default: \"ssl3\"\n"          \
     "    max_version=%%s      default: \"tls1_2\"\n"        \
@@ -621,7 +628,9 @@
                                  ssl_cache_set, &cache );
 #endif
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
     ssl_set_session_tickets( &ssl, opt.tickets );
+#endif
 
     if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
         ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );