Session ticket expiration checked on server
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 6fa95c4..22faf04 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -1332,6 +1332,7 @@
 // SSL options
 //
 #define SSL_MAX_CONTENT_LEN             16384 /**< Size of the input / output buffer */
+#define SSL_DEFAULT_TICKET_LIFETIME     86400 /**< Lifetime of session tickets (if enabled) */
 
 #endif /* POLARSSL_CONFIG_OPTIONS */
 
diff --git a/include/polarssl/error.h b/include/polarssl/error.h
index 48de009..45a6640 100644
--- a/include/polarssl/error.h
+++ b/include/polarssl/error.h
@@ -84,7 +84,7 @@
  * ECP      4   4 (Started from top)
  * MD       5   4
  * CIPHER   6   5
- * SSL      6   4 (Started from top)
+ * SSL      6   5 (Started from top)
  * SSL      7   31
  *
  * Module dependent error code (5 bits 0x.08.-0x.F8.)
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index f45d00e..ed11e1e 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -109,6 +109,7 @@
 #define POLARSSL_ERR_SSL_COMPRESSION_FAILED                -0x6F00  /**< Processing of the compression / decompression failed */
 #define POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION           -0x6E80  /**< Handshake protocol not within min/max boundaries */
 #define POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET         -0x6E00  /**< Processing of the NewSessionTicket handshake message failed. */
+#define POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED            -0x6D80  /**< Session ticket has expired. */
 
 
 /*
@@ -158,6 +159,10 @@
 #define SSL_SESSION_TICKETS_DISABLED     0
 #define SSL_SESSION_TICKETS_ENABLED      1
 
+#if !defined(POLARSSL_CONFIG_OPTIONS)
+#define SSL_DEFAULT_TICKET_LIFETIME     86400 /**< Lifetime of session tickets (if enabled) */
+#endif /* !POLARSSL_CONFIG_OPTIONS */
+
 /*
  * Size of the input / output buffer.
  * Note: the RFC defines the default size of SSL / TLS messages. If you
@@ -592,7 +597,10 @@
     int allow_legacy_renegotiation;     /*!<  allow legacy renegotiation     */
     const int *ciphersuite_list[4];     /*!<  allowed ciphersuites / version */
     int trunc_hmac;                     /*!<  negotiate truncated hmac?      */
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
     int session_tickets;                /*!<  use session tickets?    */
+    int ticket_lifetime;                /*!<  session ticket lifetime */
+#endif
 
 #if defined(POLARSSL_DHM_C)
     mpi dhm_P;                          /*!<  prime modulus for DHM   */
@@ -1065,6 +1073,15 @@
  *                 or a specific error code (server only).
  */
 int ssl_set_session_tickets( ssl_context *ssl, int use_tickets );
+
+/**
+ * \brief          Set session ticket lifetime (server only)
+ *                 (Default: SSL_DEFAULT_TICKET_LIFETIME (86400 secs / 1 day))
+ *
+ * \param ssl      SSL context
+ * \param lifetime session ticket lifetime
+ */
+void ssl_set_session_ticket_lifetime( ssl_context *ssl, int lifetime );
 #endif /* POLARSSL_SSL_SESSION_TICKETS */
 
 /**
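Review bot: The `\param lifetime` line gives no unit and says nothing about what 0 or a negative value means, while the setter added in library/ssl_tls.c stores the argument with no range check, so a caller passing 0 or a negative number makes essentially every presented ticket expire on arrival. Suggest `\param lifetime session ticket lifetime in seconds (must be >= 0)` here, and either rejecting negative values in `ssl_set_session_ticket_lifetime` or stating explicitly that they are not validated. The default is described only in the `\brief`; repeating "in seconds" on the parameter keeps the two consistent.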
diff --git a/library/error.c b/library/error.c
index 94d8dc1..23f4a85 100644
--- a/library/error.c
+++ b/library/error.c
@@ -371,6 +371,8 @@
             snprintf( buf, buflen, "SSL - Handshake protocol not within min/max boundaries" );
         if( use_ret == -(POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET) )
             snprintf( buf, buflen, "SSL - Processing of the NewSessionTicket handshake message failed" );
+        if( use_ret == -(POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED) )
+            snprintf( buf, buflen, "SSL - Session ticket has expired" );
 #endif /* POLARSSL_SSL_TLS_C */
 
 #if defined(POLARSSL_X509_PARSE_C)
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 9ae25f5..7de1577 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -288,6 +288,16 @@
         return( ret );
     }
 
+#if defined(POLARSSL_HAVE_TIME)
+    /* Check if still valid */
+    if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime )
+    {
+        SSL_DEBUG_MSG( 1, ( "session ticket expired" ) );
+        memset( &session, 0, sizeof( ssl_session ) );
+        return( POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED );
+    }
+#endif
+
     /*
      * Keep the session ID sent by the client, since we MUST send it back to
      * inform him we're accepting the ticket  (RFC 5077 section 3.4)
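Review bot: The expiry test on the added `if` line accepts a negative age, so a ticket whose `session.start` lies in the future (server clock stepped backwards, or a ticket minted by another server in the pool with a faster clock) is treated as fresh, and casting the `time_t` difference to `int` can wrap for very old tickets and flip the sign of the comparison. Keeping the arithmetic in `time_t` and rejecting negative ages covers both: `time_t age = time( NULL ) - session.start;` followed by `if( age < 0 || age > (time_t) ssl->ticket_lifetime )`. On the rejected path the `memset` only zeroes the struct; if the session decoded just above the hunk owns heap data (a peer certificate, for instance — the loader is outside the hunk, so this is inferred), that memory is leaked and the cleanup should release it rather than zero it. The enclosing function starts before the hunk.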
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 2585d6e..bb605b9 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2898,6 +2898,10 @@
     ssl->hostname = NULL;
     ssl->hostname_len = 0;
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
+    ssl->ticket_lifetime = SSL_DEFAULT_TICKET_LIFETIME;
+#endif
+
     if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
         return( ret );
 
@@ -3016,8 +3020,10 @@
 {
     ssl->endpoint   = endpoint;
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
     if( endpoint == SSL_IS_CLIENT )
         ssl->session_tickets = SSL_SESSION_TICKETS_ENABLED;
+#endif
 }
 
 void ssl_set_authmode( ssl_context *ssl, int authmode )
@@ -3278,6 +3284,11 @@
 
     return( ssl_ticket_keys_init( ssl ) );
 }
+
+void ssl_set_session_ticket_lifetime( ssl_context *ssl, int lifetime )
+{
+    ssl->ticket_lifetime = lifetime;
+}
 #endif /* POLARSSL_SSL_SESSION_TICKETS */
 
 /*