- Added simple SSL session cache implementation
- Revamped session resumption handling
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index c5ac1c5..538ef81 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -3,7 +3,7 @@
*
* \brief Configuration options (set of defines)
*
- * Copyright (C) 2006-2011, Brainspark B.V.
+ * Copyright (C) 2006-2012, Brainspark B.V.
*
* This file is part of PolarSSL (http://www.polarssl.org)
* Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
@@ -684,6 +684,18 @@
#define POLARSSL_SHA4_C
/**
+ * \def POLARSSL_SSL_CACHE_C
+ *
+ * Enable simple SSL cache implementation.
+ *
+ * Module: library/ssl_cache.c
+ * Caller:
+ *
+ * Requires: POLARSSL_SSL_CACHE_C
+ */
+#define POLARSSL_SSL_CACHE_C
+
+/**
* \def POLARSSL_SSL_CLI_C
*
* Enable the SSL/TLS client code.
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index dc2619a..fcf8a8f 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -284,7 +284,7 @@
typedef struct _ssl_handshake_params ssl_handshake_params;
/*
- * This structure is used for session resuming.
+ * This structure is used for storing current session data.
*/
struct _ssl_session
{
@@ -295,7 +295,6 @@
unsigned char id[32]; /*!< session identifier */
unsigned char master[48]; /*!< the master secret */
x509_cert *peer_cert; /*!< peer X.509 cert chain */
- ssl_session *next; /*!< next session entry */
};
/*
@@ -362,6 +361,8 @@
unsigned char randbytes[64]; /*!< random bytes */
unsigned char premaster[256]; /*!< premaster secret */
+
+ int resume; /*!< session resume indicator*/
};
struct _ssl_context
@@ -386,24 +387,24 @@
int (*f_recv)(void *, unsigned char *, size_t);
int (*f_send)(void *, const unsigned char *, size_t);
int (*f_vrfy)(void *, x509_cert *, int, int);
+ int (*f_get_cache)(void *, ssl_session *);
+ int (*f_set_cache)(void *, const ssl_session *);
void *p_rng; /*!< context for the RNG function */
void *p_dbg; /*!< context for the debug function */
void *p_recv; /*!< context for reading operations */
void *p_send; /*!< context for writing operations */
- void *p_vrfy; /*!< context for verification */
+ void *p_vrfy; /*!< context for verification */
+ void *p_get_cache; /*!< context for cache retrieval */
+ void *p_set_cache; /*!< context for cache store */
/*
* Session layer
*/
- int resume; /*!< session resuming flag */
- int timeout; /*!< sess. expiration time */
ssl_session *session_in; /*!< current session data (in) */
ssl_session *session_out; /*!< current session data (out) */
ssl_session *session; /*!< negotiated session data */
ssl_session *session_negotiate; /*!< session data in negotiation */
- int (*s_get)(ssl_context *); /*!< (server) get callback */
- int (*s_set)(ssl_context *); /*!< (server) set callback */
ssl_handshake_params *handshake; /*!< params required only during
the handshake process */
@@ -636,26 +637,59 @@
int (*f_send)(void *, const unsigned char *, size_t), void *p_send );
/**
- * \brief Set the session callbacks (server-side only)
+ * \brief Set the session cache callbacks (server-side only)
+ * If not set, no session resuming is done.
*
- * \param ssl SSL context
- * \param s_get session get callback
- * \param s_set session set callback
+ * The session cache has the responsibility to check for stale
+ * entries based on timeout. See RFC 5246 for recommendations.
+ *
+ * Warning: session.peer_cert is cleared by the SSL/TLS layer on
+ * connection shutdown, so do not cache the pointer! Either set
+ * it to NULL or make a full copy of the certificate.
+ *
+ * The get callback is called once during the initial handshake
+ * to enable session resuming. The get function has the
+ * following parameters: (void *parameter, ssl_session *session)
+ * If a valid entry is found, it should fill the master of
+ * the session object with the cached values and return 0,
+ * return 1 otherwise. Optionally peer_cert can be set as well
+ * if it is properly present in cache entry.
+ *
+ * The set callback is called once during the initial handshake
+ * to enable session resuming after the entire handshake has
+ * been finished. The set function has the following parameters:
+ * (void *parameter, const ssl_session *session). The function
+ * should create a cache entry for future retrieval based on
+ * the data in the session structure and should keep in mind
+ * that the ssl_session object presented (and all its referenced
+ * data) is cleared by the SSL/TLS layer when the connection is
+ * terminated. It is recommended to add metadata to determine if
+ * an entry is still valid in the future. Return 0 if
+ * successfully cached, return 0 otherwise.
+ *
+ * \param ssl SSL context
+ * \param f_get_cache session get callback
+ * \param p_get_cache session get parameter
+ * \param f_set_cache session set callback
+ * \param p_set_cache session set parameter
*/
-void ssl_set_scb( ssl_context *ssl,
- int (*s_get)(ssl_context *),
- int (*s_set)(ssl_context *) );
+void ssl_set_session_cache( ssl_context *ssl,
+ int (*f_get_cache)(void *, ssl_session *), void *p_get_cache,
+ int (*f_set_cache)(void *, const ssl_session *), void *p_set_cache );
/**
- * \brief Set the session resuming flag, timeout and data
+ * \brief Request resumption of session (client-side only)
+ * Session data is copied from presented session structure.
+ *
+ * Warning: session.peer_cert is cleared by the SSL/TLS layer on
+ * connection shutdown, so do not cache the pointer! Either set
+ * it to NULL or make a full copy of the certificate when
+ * storing the session for use in this function.
*
* \param ssl SSL context
- * \param resume if 0 (default), the session will not be resumed
- * \param timeout session timeout in seconds, or 0 (no timeout)
* \param session session context
*/
-void ssl_set_session( ssl_context *ssl, int resume, int timeout,
- ssl_session *session );
+void ssl_set_session( ssl_context *ssl, const ssl_session *session );
/**
* \brief Set the list of allowed ciphersuites
@@ -900,8 +934,8 @@
void ssl_free( ssl_context *ssl );
/**
- * \brief Free referenced items in an SSL session and free all
- * sessions in the chain. Memory is cleared
+ * \brief Free referenced items in an SSL session including the
+ * peer certificate and clear memory
*
* \param session SSL session
*/
diff --git a/include/polarssl/ssl_cache.h b/include/polarssl/ssl_cache.h
new file mode 100644
index 0000000..e13c087
--- /dev/null
+++ b/include/polarssl/ssl_cache.h
@@ -0,0 +1,105 @@
+/**
+ * \file ssl_cache.h
+ *
+ * \brief SSL session cache implementation
+ *
+ * Copyright (C) 2006-2012, Brainspark B.V.
+ *
+ * This file is part of PolarSSL (http://www.polarssl.org)
+ * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
+ *
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#ifndef POLARSSL_SSL_CACHE_H
+#define POLARSSL_SSL_CACHE_H
+
+#include "ssl.h"
+
+#define SSL_CACHE_DEFAULT_TIMEOUT 86400 /*!< 1 day */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct _ssl_cache_context ssl_cache_context;
+typedef struct _ssl_cache_entry ssl_cache_entry;
+
+/**
+ * \brief This structure is used for storing cache entries
+ */
+struct _ssl_cache_entry
+{
+ time_t timestamp; /*!< entry timestamp */
+ ssl_session session; /*!< entry session */
+ ssl_cache_entry *next; /*!< chain pointer */
+};
+
+/**
+ * \brief Cache context
+ */
+struct _ssl_cache_context
+{
+ ssl_cache_entry *chain; /*!< start of the chain */
+ int timeout; /*!< cache timeout */
+};
+
+/**
+ * \brief Initialize an SSL cache context
+ *
+ * \param cache SSL cache context
+ */
+void ssl_cache_init( ssl_cache_context *cache );
+
+/**
+ * \brief Cache get callback implementation
+ *
+ * \param data SSL cache context
+ * \param session session to retrieve entry for
+ */
+int ssl_cache_get( void *data, ssl_session *session );
+
+/**
+ * \brief Cache set callback implementation
+ *
+ * \param data SSL cache context
+ * \param session session to store entry for
+ */
+int ssl_cache_set( void *data, const ssl_session *session );
+
+/**
+ * \brief Set the cache timeout
+ * (Default: SSL_CACHE_DEFAULT_TIMEOUT (1 day))
+ *
+ * A timeout of 0 indicates no timeout.
+ *
+ * \param cache SSL cache context
+ * \param timeout cache entry timeout
+ */
+void ssl_cache_set_timeout( ssl_cache_context *cache, int timeout );
+
+/**
+ * \brief Free referenced items in a cache context and clear memory
+ *
+ * \param cache SSL cache context
+ */
+void ssl_cache_free( ssl_cache_context *cache );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ssl_cache.h */