Session ticket expiration checked on server
diff --git a/library/error.c b/library/error.c
index 94d8dc1..23f4a85 100644
--- a/library/error.c
+++ b/library/error.c
@@ -371,6 +371,8 @@
snprintf( buf, buflen, "SSL - Handshake protocol not within min/max boundaries" );
if( use_ret == -(POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET) )
snprintf( buf, buflen, "SSL - Processing of the NewSessionTicket handshake message failed" );
+ if( use_ret == -(POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED) )
+ snprintf( buf, buflen, "SSL - Session ticket has expired" );
#endif /* POLARSSL_SSL_TLS_C */
#if defined(POLARSSL_X509_PARSE_C)
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 9ae25f5..7de1577 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -288,6 +288,16 @@
return( ret );
}
+#if defined(POLARSSL_HAVE_TIME)
+ /* Check if still valid */
+ if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime )
+ {
+ SSL_DEBUG_MSG( 1, ( "session ticket expired" ) );
+ memset( &session, 0, sizeof( ssl_session ) );
+ return( POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED );
+ }
+#endif
+
/*
* Keep the session ID sent by the client, since we MUST send it back to
* inform him we're accepting the ticket (RFC 5077 section 3.4)
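Review bot: The expiry test `if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime )` does not handle a failing `time()` (which returns `(time_t) -1`) or a `session.start` that lies ahead of the server clock, and the cast to `int` truncates the `time_t` difference, so an unexpected or wrapped value can let a stale ticket pass. A start time in the future (clock skew, or a ticket minted on another host sharing the ticket key) gives a negative elapsed time and is accepted for longer than the configured lifetime. I would compute the elapsed time once and reject anything out of range: `time_t now = time( NULL );` followed by `if( now == (time_t) -1 || now < session.start || now - session.start > (time_t) ssl->ticket_lifetime )`. The `memset( &session, 0, sizeof( ssl_session ) )` on a local just before `return` is a dead store the compiler is free to elide, so if the project has a non-elidable zeroize helper it belongs here instead. The enclosing function begins outside this hunk, so whether the caller turns the new error into a handshake abort or a fall-back to a full handshake (which RFC 5077 allows) cannot be confirmed from what is shown.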
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 2585d6e..bb605b9 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2898,6 +2898,10 @@
ssl->hostname = NULL;
ssl->hostname_len = 0;
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
+ ssl->ticket_lifetime = SSL_DEFAULT_TICKET_LIFETIME;
+#endif
+
if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
return( ret );
@@ -3016,8 +3020,10 @@
{
ssl->endpoint = endpoint;
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
if( endpoint == SSL_IS_CLIENT )
ssl->session_tickets = SSL_SESSION_TICKETS_ENABLED;
+#endif
}
void ssl_set_authmode( ssl_context *ssl, int authmode )
@@ -3278,6 +3284,11 @@
return( ssl_ticket_keys_init( ssl ) );
}
+
+void ssl_set_session_ticket_lifetime( ssl_context *ssl, int lifetime )
+{
+ ssl->ticket_lifetime = lifetime;
+}
#endif /* POLARSSL_SSL_SESSION_TICKETS */
/*
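Review bot: `ssl_set_session_ticket_lifetime()` stores `lifetime` with no range check and no documentation, yet the server-side expiry test in this same change compares an elapsed `time_t` against this `int`, so a zero or negative value makes every ticket expire at once and a caller has nothing telling them the unit. The header changes this code depends on (the prototype, the `ticket_lifetime` field, `SSL_DEFAULT_TICKET_LIFETIME`) are not in this diff, so the intended range cannot be confirmed here; presumably they live in ssl.h. I would put a Doxygen comment on the prototype stating the unit and the guard, e.g. `/** Set the validity period of session tickets, in seconds. Only enforced when POLARSSL_HAVE_TIME is defined; a negative value rejects every ticket. */`, and either reject negative input or clamp it with `if( lifetime < 0 ) lifetime = 0;` before the assignment.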