TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 69f17280d3836a47c5ceda4c61127795f6431c99^! / . / library / ssl_srv.c
commit69f17280d3836a47c5ceda4c61127795f6431c99[log] [tgz]
authorManuel Pégourié-Gonnard <mpg@elzevir.fr>Mon May 18 14:35:08 2015 +0200
committerManuel Pégourié-Gonnard <mpg@elzevir.fr>Wed May 20 11:14:57 2015 +0200
tree01a5861457f072d966b4c057e3312807f64875d5
parenta4a473516ef24e46bfe07639300869414b3e49ce [diff] [blame]
Adapt prototypes of ticket handling functions

This is an intermediate step. The ssl_config argument will be replace by a
ticket context next.

diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 5b7cbeb..6b317a2 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c

@@ -51,6 +51,11 @@
 
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
 #include "mbedtls/ssl_ticket.h"
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
 #endif
 
 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
@@ -406,6 +411,7 @@
                                          size_t len )
 {
     int ret;
+    mbedtls_ssl_session session;
 
     if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
         return( 0 );
@@ -429,12 +435,27 @@
     /*
      * Failures are ok: just ignore the ticket and proceed.
      */
-    if( ( ret = mbedtls_ssl_ticket_parse( ssl, buf, len ) ) != 0 )
+    if( ( ret = mbedtls_ssl_ticket_parse( ssl->conf, &session,
+                                          buf, len ) ) != 0 )
     {
+        mbedtls_ssl_session_free( &session );
         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret );
         return( 0 );
     }
 
+    /*
+     * Keep the session ID sent by the client, since we MUST send it back to
+     * inform them we're accepting the ticket  (RFC 5077 section 3.4)
+     */
+    session.length = ssl->session_negotiate->length;
+    memcpy( &session.id, ssl->session_negotiate->id, session.length );
+
+    mbedtls_ssl_session_free( ssl->session_negotiate );
+    memcpy( ssl->session_negotiate, &session, sizeof( mbedtls_ssl_session ) );
+
+    /* Zeroize instead of free as we copied the content */
+    mbedtls_zeroize( &session, sizeof( mbedtls_ssl_session ) );
+
     MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
 
     ssl->handshake->resume = 1;
@@ -3509,7 +3530,11 @@
     ssl->out_msg[6] = ( lifetime >>  8 ) & 0xFF;
     ssl->out_msg[7] = ( lifetime       ) & 0xFF;
 
-    if( ( ret = mbedtls_ssl_ticket_write( ssl, &tlen ) ) != 0 )
+    if( ( ret = mbedtls_ssl_ticket_write( ssl->conf,
+                                ssl->session_negotiate,
+                                ssl->out_msg + 10,
+                                ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN,
+                                &tlen ) ) != 0 )
     {
         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret );
         tlen = 0;