Session ticket expiration checked on server

2025-08-01 10:06:53 +03:00 · 2013-08-14 16:52:14 +02:00
parent f0e39acb58
commit 606b4ba20f
6 changed files with 42 additions and 1 deletions
--- a/library/error.c
+++ b/library/error.c
@ -371,6 +371,8 @@ void polarssl_strerror( int ret, char *buf, size_t buflen )
            snprintf( buf, buflen, "SSL - Handshake protocol not within min/max boundaries" );
        if( use_ret == -(POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET) )
            snprintf( buf, buflen, "SSL - Processing of the NewSessionTicket handshake message failed" );
+        if( use_ret == -(POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED) )
+            snprintf( buf, buflen, "SSL - Session ticket has expired" );
 #endif /* POLARSSL_SSL_TLS_C */

 #if defined(POLARSSL_X509_PARSE_C)
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@ -288,6 +288,16 @@ static int ssl_parse_ticket( ssl_context *ssl,
        return( ret );
    }

+#if defined(POLARSSL_HAVE_TIME)
+    /* Check if still valid */
+    if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime )
+    {
+        SSL_DEBUG_MSG( 1, ( "session ticket expired" ) );
+        memset( &session, 0, sizeof( ssl_session ) );
+        return( POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED );
+    }
+#endif
+
    /*
     * Keep the session ID sent by the client, since we MUST send it back to
     * inform him we're accepting the ticket  (RFC 5077 section 3.4)
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -2898,6 +2898,10 @@ int ssl_init( ssl_context *ssl )
    ssl->hostname = NULL;
    ssl->hostname_len = 0;

+#if defined(POLARSSL_SSL_SESSION_TICKETS)
+    ssl->ticket_lifetime = SSL_DEFAULT_TICKET_LIFETIME;
+#endif
+
    if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
        return( ret );

@ -3016,8 +3020,10 @@ void ssl_set_endpoint( ssl_context *ssl, int endpoint )
 {
    ssl->endpoint   = endpoint;

+#if defined(POLARSSL_SSL_SESSION_TICKETS)
    if( endpoint == SSL_IS_CLIENT )
        ssl->session_tickets = SSL_SESSION_TICKETS_ENABLED;
+#endif
 }

 void ssl_set_authmode( ssl_context *ssl, int authmode )
@ -3278,6 +3284,11 @@ int ssl_set_session_tickets( ssl_context *ssl, int use_tickets )

    return( ssl_ticket_keys_init( ssl ) );
 }
+
+void ssl_set_session_ticket_lifetime( ssl_context *ssl, int lifetime )
+{
+    ssl->ticket_lifetime = lifetime;
+}
 #endif /* POLARSSL_SSL_SESSION_TICKETS */

 /*