- Added simple SSL session cache implementation
- Revamped session resumption handling
This commit is contained in:
parent
1a0f552030
commit
0a59707523
18 changed files with 408 additions and 372 deletions
|
@ -3,7 +3,7 @@
|
|||
*
|
||||
* \brief Configuration options (set of defines)
|
||||
*
|
||||
* Copyright (C) 2006-2011, Brainspark B.V.
|
||||
* Copyright (C) 2006-2012, Brainspark B.V.
|
||||
*
|
||||
* This file is part of PolarSSL (http://www.polarssl.org)
|
||||
* Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
|
||||
|
@ -683,6 +683,18 @@
|
|||
*/
|
||||
#define POLARSSL_SHA4_C
|
||||
|
||||
/**
|
||||
* \def POLARSSL_SSL_CACHE_C
|
||||
*
|
||||
* Enable simple SSL cache implementation.
|
||||
*
|
||||
* Module: library/ssl_cache.c
|
||||
* Caller:
|
||||
*
|
||||
* Requires: POLARSSL_SSL_CACHE_C
|
||||
*/
|
||||
#define POLARSSL_SSL_CACHE_C
|
||||
|
||||
/**
|
||||
* \def POLARSSL_SSL_CLI_C
|
||||
*
|
||||
|
|
|
@ -284,7 +284,7 @@ typedef struct _ssl_transform ssl_transform;
|
|||
typedef struct _ssl_handshake_params ssl_handshake_params;
|
||||
|
||||
/*
|
||||
* This structure is used for session resuming.
|
||||
* This structure is used for storing current session data.
|
||||
*/
|
||||
struct _ssl_session
|
||||
{
|
||||
|
@ -295,7 +295,6 @@ struct _ssl_session
|
|||
unsigned char id[32]; /*!< session identifier */
|
||||
unsigned char master[48]; /*!< the master secret */
|
||||
x509_cert *peer_cert; /*!< peer X.509 cert chain */
|
||||
ssl_session *next; /*!< next session entry */
|
||||
};
|
||||
|
||||
/*
|
||||
|
@ -362,6 +361,8 @@ struct _ssl_handshake_params
|
|||
|
||||
unsigned char randbytes[64]; /*!< random bytes */
|
||||
unsigned char premaster[256]; /*!< premaster secret */
|
||||
|
||||
int resume; /*!< session resume indicator*/
|
||||
};
|
||||
|
||||
struct _ssl_context
|
||||
|
@ -386,24 +387,24 @@ struct _ssl_context
|
|||
int (*f_recv)(void *, unsigned char *, size_t);
|
||||
int (*f_send)(void *, const unsigned char *, size_t);
|
||||
int (*f_vrfy)(void *, x509_cert *, int, int);
|
||||
int (*f_get_cache)(void *, ssl_session *);
|
||||
int (*f_set_cache)(void *, const ssl_session *);
|
||||
|
||||
void *p_rng; /*!< context for the RNG function */
|
||||
void *p_dbg; /*!< context for the debug function */
|
||||
void *p_recv; /*!< context for reading operations */
|
||||
void *p_send; /*!< context for writing operations */
|
||||
void *p_vrfy; /*!< context for verification */
|
||||
void *p_vrfy; /*!< context for verification */
|
||||
void *p_get_cache; /*!< context for cache retrieval */
|
||||
void *p_set_cache; /*!< context for cache store */
|
||||
|
||||
/*
|
||||
* Session layer
|
||||
*/
|
||||
int resume; /*!< session resuming flag */
|
||||
int timeout; /*!< sess. expiration time */
|
||||
ssl_session *session_in; /*!< current session data (in) */
|
||||
ssl_session *session_out; /*!< current session data (out) */
|
||||
ssl_session *session; /*!< negotiated session data */
|
||||
ssl_session *session_negotiate; /*!< session data in negotiation */
|
||||
int (*s_get)(ssl_context *); /*!< (server) get callback */
|
||||
int (*s_set)(ssl_context *); /*!< (server) set callback */
|
||||
|
||||
ssl_handshake_params *handshake; /*!< params required only during
|
||||
the handshake process */
|
||||
|
@ -636,26 +637,59 @@ void ssl_set_bio( ssl_context *ssl,
|
|||
int (*f_send)(void *, const unsigned char *, size_t), void *p_send );
|
||||
|
||||
/**
|
||||
* \brief Set the session callbacks (server-side only)
|
||||
* \brief Set the session cache callbacks (server-side only)
|
||||
* If not set, no session resuming is done.
|
||||
*
|
||||
* \param ssl SSL context
|
||||
* \param s_get session get callback
|
||||
* \param s_set session set callback
|
||||
* The session cache has the responsibility to check for stale
|
||||
* entries based on timeout. See RFC 5246 for recommendations.
|
||||
*
|
||||
* Warning: session.peer_cert is cleared by the SSL/TLS layer on
|
||||
* connection shutdown, so do not cache the pointer! Either set
|
||||
* it to NULL or make a full copy of the certificate.
|
||||
*
|
||||
* The get callback is called once during the initial handshake
|
||||
* to enable session resuming. The get function has the
|
||||
* following parameters: (void *parameter, ssl_session *session)
|
||||
* If a valid entry is found, it should fill the master of
|
||||
* the session object with the cached values and return 0,
|
||||
* return 1 otherwise. Optionally peer_cert can be set as well
|
||||
* if it is properly present in cache entry.
|
||||
*
|
||||
* The set callback is called once during the initial handshake
|
||||
* to enable session resuming after the entire handshake has
|
||||
* been finished. The set function has the following parameters:
|
||||
* (void *parameter, const ssl_session *session). The function
|
||||
* should create a cache entry for future retrieval based on
|
||||
* the data in the session structure and should keep in mind
|
||||
* that the ssl_session object presented (and all its referenced
|
||||
* data) is cleared by the SSL/TLS layer when the connection is
|
||||
* terminated. It is recommended to add metadata to determine if
|
||||
* an entry is still valid in the future. Return 0 if
|
||||
* successfully cached, return 0 otherwise.
|
||||
*
|
||||
* \param ssl SSL context
|
||||
* \param f_get_cache session get callback
|
||||
* \param p_get_cache session get parameter
|
||||
* \param f_set_cache session set callback
|
||||
* \param p_set_cache session set parameter
|
||||
*/
|
||||
void ssl_set_scb( ssl_context *ssl,
|
||||
int (*s_get)(ssl_context *),
|
||||
int (*s_set)(ssl_context *) );
|
||||
void ssl_set_session_cache( ssl_context *ssl,
|
||||
int (*f_get_cache)(void *, ssl_session *), void *p_get_cache,
|
||||
int (*f_set_cache)(void *, const ssl_session *), void *p_set_cache );
|
||||
|
||||
/**
|
||||
* \brief Set the session resuming flag, timeout and data
|
||||
* \brief Request resumption of session (client-side only)
|
||||
* Session data is copied from presented session structure.
|
||||
*
|
||||
* Warning: session.peer_cert is cleared by the SSL/TLS layer on
|
||||
* connection shutdown, so do not cache the pointer! Either set
|
||||
* it to NULL or make a full copy of the certificate when
|
||||
* storing the session for use in this function.
|
||||
*
|
||||
* \param ssl SSL context
|
||||
* \param resume if 0 (default), the session will not be resumed
|
||||
* \param timeout session timeout in seconds, or 0 (no timeout)
|
||||
* \param session session context
|
||||
*/
|
||||
void ssl_set_session( ssl_context *ssl, int resume, int timeout,
|
||||
ssl_session *session );
|
||||
void ssl_set_session( ssl_context *ssl, const ssl_session *session );
|
||||
|
||||
/**
|
||||
* \brief Set the list of allowed ciphersuites
|
||||
|
@ -900,8 +934,8 @@ int ssl_close_notify( ssl_context *ssl );
|
|||
void ssl_free( ssl_context *ssl );
|
||||
|
||||
/**
|
||||
* \brief Free referenced items in an SSL session and free all
|
||||
* sessions in the chain. Memory is cleared
|
||||
* \brief Free referenced items in an SSL session including the
|
||||
* peer certificate and clear memory
|
||||
*
|
||||
* \param session SSL session
|
||||
*/
|
||||
|
|
105
include/polarssl/ssl_cache.h
Normal file
105
include/polarssl/ssl_cache.h
Normal file
|
@ -0,0 +1,105 @@
|
|||
/**
|
||||
* \file ssl_cache.h
|
||||
*
|
||||
* \brief SSL session cache implementation
|
||||
*
|
||||
* Copyright (C) 2006-2012, Brainspark B.V.
|
||||
*
|
||||
* This file is part of PolarSSL (http://www.polarssl.org)
|
||||
* Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
|
||||
*
|
||||
* All rights reserved.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation; either version 2 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along
|
||||
* with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
*/
|
||||
#ifndef POLARSSL_SSL_CACHE_H
|
||||
#define POLARSSL_SSL_CACHE_H
|
||||
|
||||
#include "ssl.h"
|
||||
|
||||
#define SSL_CACHE_DEFAULT_TIMEOUT 86400 /*!< 1 day */
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#endif
|
||||
|
||||
typedef struct _ssl_cache_context ssl_cache_context;
|
||||
typedef struct _ssl_cache_entry ssl_cache_entry;
|
||||
|
||||
/**
|
||||
* \brief This structure is used for storing cache entries
|
||||
*/
|
||||
struct _ssl_cache_entry
|
||||
{
|
||||
time_t timestamp; /*!< entry timestamp */
|
||||
ssl_session session; /*!< entry session */
|
||||
ssl_cache_entry *next; /*!< chain pointer */
|
||||
};
|
||||
|
||||
/**
|
||||
* \brief Cache context
|
||||
*/
|
||||
struct _ssl_cache_context
|
||||
{
|
||||
ssl_cache_entry *chain; /*!< start of the chain */
|
||||
int timeout; /*!< cache timeout */
|
||||
};
|
||||
|
||||
/**
|
||||
* \brief Initialize an SSL cache context
|
||||
*
|
||||
* \param cache SSL cache context
|
||||
*/
|
||||
void ssl_cache_init( ssl_cache_context *cache );
|
||||
|
||||
/**
|
||||
* \brief Cache get callback implementation
|
||||
*
|
||||
* \param data SSL cache context
|
||||
* \param session session to retrieve entry for
|
||||
*/
|
||||
int ssl_cache_get( void *data, ssl_session *session );
|
||||
|
||||
/**
|
||||
* \brief Cache set callback implementation
|
||||
*
|
||||
* \param data SSL cache context
|
||||
* \param session session to store entry for
|
||||
*/
|
||||
int ssl_cache_set( void *data, const ssl_session *session );
|
||||
|
||||
/**
|
||||
* \brief Set the cache timeout
|
||||
* (Default: SSL_CACHE_DEFAULT_TIMEOUT (1 day))
|
||||
*
|
||||
* A timeout of 0 indicates no timeout.
|
||||
*
|
||||
* \param cache SSL cache context
|
||||
* \param timeout cache entry timeout
|
||||
*/
|
||||
void ssl_cache_set_timeout( ssl_cache_context *cache, int timeout );
|
||||
|
||||
/**
|
||||
* \brief Free referenced items in a cache context and clear memory
|
||||
*
|
||||
* \param cache SSL cache context
|
||||
*/
|
||||
void ssl_cache_free( ssl_cache_context *cache );
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
||||
#endif /* ssl_cache.h */
|
Loading…
Add table
Add a link
Reference in a new issue