Made session tickets support configurable from config.h

include/polarssl/config.h

@@ -528,6 +528,18 @@
  */
 #define POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
 
+/**
+ * \def POLARSSL_SSL_SESSION_TICKETS
+ *
+ * Enable support for RFC 5077 session tickets in SSL
+ *
+ * Requires: POLARSSL_AES_C
+ *           POLARSSL_SHA256_C
+ *
+ * Comment this macro to disable support for SSL session tickets
+ */
+#define POLARSSL_SSL_SESSION_TICKETS
+
 /**
  * \def POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
  *

include/polarssl/ssl.h

@@ -329,7 +329,9 @@ typedef struct _ssl_session ssl_session;
 typedef struct _ssl_context ssl_context;
 typedef struct _ssl_transform ssl_transform;
 typedef struct _ssl_handshake_params ssl_handshake_params;
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
 typedef struct _ssl_ticket_keys ssl_ticket_keys;
+#endif
 
 /*
  * This structure is used for storing current session data.
@@ -349,9 +351,11 @@ struct _ssl_session
     x509_cert *peer_cert;       /*!< peer X.509 cert chain */
 #endif /* POLARSSL_X509_PARSE_C */
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
     unsigned char *ticket;      /*!< RFC 5077 session ticket */
     size_t ticket_len;          /*!< session ticket length   */
     uint32_t ticket_lifetime;   /*!< ticket lifetime hint    */
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
     unsigned char mfl_code;     /*!< MaxFragmentLength negotiated by peer */
     int trunc_hmac;             /*!< flag for truncated hmac activation   */
@@ -444,9 +448,12 @@ struct _ssl_handshake_params
     int max_major_ver;                  /*!< max. major version client*/
     int max_minor_ver;                  /*!< max. minor version client*/
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
     int new_session_ticket;             /*!< use NewSessionTicket?    */
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 };
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
 /*
  * Parameters needed to secure session tickets
  */
@@ -457,6 +464,7 @@ struct _ssl_ticket_keys
     aes_context dec;                /*!< decryption context                  */
     unsigned char mac_key[16];      /*!< authentication key                  */
 };
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
 struct _ssl_context
 {
@@ -566,10 +574,12 @@ struct _ssl_context
     const char *peer_cn;                /*!<  expected peer CN        */
 #endif /* POLARSSL_X509_PARSE_C */
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
     /*
      * Support for generating and checking session tickets
      */
     ssl_ticket_keys *ticket_keys;       /*!<  keys for ticket encryption */
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
     /*
      * User settings
@@ -1037,6 +1047,7 @@ int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code );
  */
 int ssl_set_truncated_hmac( ssl_context *ssl, int truncate );
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
 /**
  * \brief          Enable / Disable session tickets
  *                 (Default: SSL_SESSION_TICKETS_ENABLED on client,
@@ -1054,6 +1065,7 @@ int ssl_set_truncated_hmac( ssl_context *ssl, int truncate );
  *                 or a specific error code (server only).
  */
 int ssl_set_session_tickets( ssl_context *ssl, int use_tickets );
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
 /**
  * \brief          Enable / Disable renegotiation support for connection when

library/ssl_cli.c

@@ -322,6 +322,7 @@ static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
     *olen = 4;
 }
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
 static void ssl_write_session_ticket_ext( ssl_context *ssl,
                                           unsigned char *buf, size_t *olen )
 {
@@ -356,6 +357,7 @@ static void ssl_write_session_ticket_ext( ssl_context *ssl,
 
     *olen += tlen;
 }
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
 static int ssl_write_client_hello( ssl_context *ssl )
 {
@@ -441,6 +443,7 @@ static int ssl_write_client_hello( ssl_context *ssl )
         n = 0;
     }
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
     /*
      * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
      * generate and include a Session ID in the TLS ClientHello."
@@ -456,6 +459,7 @@ static int ssl_write_client_hello( ssl_context *ssl )
 
         ssl->session_negotiate->length = n = 32;
     }
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
     *p++ = (unsigned char) n;
 
@@ -548,8 +552,10 @@ static int ssl_write_client_hello( ssl_context *ssl )
     ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
     ext_len += olen;
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
     ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
     ext_len += olen;
+#endif
 
     SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
                    ext_len ) );
@@ -650,6 +656,7 @@ static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
     return( 0 );
 }
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
 static int ssl_parse_session_ticket_ext( ssl_context *ssl,
                                          const unsigned char *buf,
                                          size_t len )
@@ -666,6 +673,7 @@ static int ssl_parse_session_ticket_ext( ssl_context *ssl,
 
     return( 0 );
 }
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
 static int ssl_parse_server_hello( ssl_context *ssl )
 {
@@ -905,6 +913,7 @@ static int ssl_parse_server_hello( ssl_context *ssl )
 
             break;
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
         case TLS_EXT_SESSION_TICKET:
             SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
 
@@ -915,6 +924,7 @@ static int ssl_parse_server_hello( ssl_context *ssl )
             }
 
             break;
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
         default:
             SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
@@ -1925,6 +1935,7 @@ static int ssl_write_certificate_verify( ssl_context *ssl )
           !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
           !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
 static int ssl_parse_new_session_ticket( ssl_context *ssl )
 {
     int ret;
@@ -2016,6 +2027,7 @@ static int ssl_parse_new_session_ticket( ssl_context *ssl )
 
     return( 0 );
 }
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
 /*
  * SSL handshake -- client side -- single step
@@ -2105,9 +2117,11 @@ int ssl_handshake_client_step( ssl_context *ssl )
         *        Finished
         */
        case SSL_SERVER_CHANGE_CIPHER_SPEC:
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
            if( ssl->handshake->new_session_ticket != 0 )
                ret = ssl_parse_new_session_ticket( ssl );
            else
+#endif
                ret = ssl_parse_change_cipher_spec( ssl );
            break;
 

library/ssl_srv.c

@@ -47,6 +47,7 @@
 #include <time.h>
 #endif
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
 /*
  * Serialize a session in the following format:
  *  0   .   n-1     session structure, n = sizeof(ssl_session)
@@ -300,6 +301,7 @@ static int ssl_parse_ticket( ssl_context *ssl,
 
     return( 0 );
 }
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
 static int ssl_parse_servername_ext( ssl_context *ssl,
                                      const unsigned char *buf,
@@ -584,6 +586,7 @@ static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
     return( 0 );
 }
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
 static int ssl_parse_session_ticket_ext( ssl_context *ssl,
                                          unsigned char *buf,
                                          size_t len )
@@ -625,6 +628,7 @@ static int ssl_parse_session_ticket_ext( ssl_context *ssl,
 
     return( 0 );
 }
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
 static int ssl_parse_client_hello_v2( ssl_context *ssl )
@@ -1176,6 +1180,7 @@ static int ssl_parse_client_hello( ssl_context *ssl )
                 return( ret );
             break;
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
         case TLS_EXT_SESSION_TICKET:
             SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
 
@@ -1183,6 +1188,7 @@ static int ssl_parse_client_hello( ssl_context *ssl )
             if( ret != 0 )
                 return( ret );
             break;
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
         default:
             SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
@@ -1316,6 +1322,7 @@ static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
     *olen = 4;
 }
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
 static void ssl_write_session_ticket_ext( ssl_context *ssl,
                                           unsigned char *buf,
                                           size_t *olen )
@@ -1338,6 +1345,7 @@ static void ssl_write_session_ticket_ext( ssl_context *ssl,
 
     *olen = 4;
 }
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
 static void ssl_write_renegotiation_ext( ssl_context *ssl,
                                          unsigned char *buf,
@@ -1466,11 +1474,12 @@ static int ssl_write_server_hello( ssl_context *ssl )
          */
         ssl->state++;
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
         if( ssl->handshake->new_session_ticket == 0 )
         {
             ssl->session_negotiate->length = n = 32;
             if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
-                            n ) ) != 0 )
+                                    n ) ) != 0 )
                 return( ret );
         }
         else
@@ -1478,6 +1487,12 @@ static int ssl_write_server_hello( ssl_context *ssl )
             ssl->session_negotiate->length = 0;
             memset( ssl->session_negotiate->id, 0, 32 );
         }
+#else
+        ssl->session_negotiate->length = n = 32;
+        if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
+                                n ) ) != 0 )
+            return( ret );
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
     }
     else
     {
@@ -1531,8 +1546,10 @@ static int ssl_write_server_hello( ssl_context *ssl )
     ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
     ext_len += olen;
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
     ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
     ext_len += olen;
+#endif
 
     SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
 
@@ -2469,6 +2486,7 @@ static int ssl_parse_certificate_verify( ssl_context *ssl )
           !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
           !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
 static int ssl_write_new_session_ticket( ssl_context *ssl )
 {
     int ret;
@@ -2518,6 +2536,7 @@ static int ssl_write_new_session_ticket( ssl_context *ssl )
 
     return( 0 );
 }
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
 /*
  * SSL handshake -- server side -- single step
@@ -2607,9 +2626,11 @@ int ssl_handshake_server_step( ssl_context *ssl )
          *        Finished
          */
         case SSL_SERVER_CHANGE_CIPHER_SPEC:
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
             if( ssl->handshake->new_session_ticket != 0 )
                 ret = ssl_write_new_session_ticket( ssl );
             else
+#endif
                 ret = ssl_write_change_cipher_spec( ssl );
             break;
 

library/ssl_tls.c

@@ -101,6 +101,7 @@ static int ssl_session_copy( ssl_session *dst, const ssl_session *src )
     }
 #endif /* POLARSSL_X509_PARSE_C */
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
     if( src->ticket != NULL )
     {
         if( ( dst->ticket = polarssl_malloc( src->ticket_len ) ) == NULL )
@@ -108,6 +109,7 @@ static int ssl_session_copy( ssl_session *dst, const ssl_session *src )
 
         memcpy( dst->ticket, src->ticket, src->ticket_len );
     }
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
     return( 0 );
 }
@@ -2972,6 +2974,7 @@ int ssl_session_reset( ssl_context *ssl )
     return( 0 );
 }
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
 /*
  * Allocate and initialize ticket keys
  */
@@ -3004,6 +3007,7 @@ static int ssl_ticket_keys_init( ssl_context *ssl )
 
     return( 0 );
 }
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
 /*
  * SSL set accessors
@@ -3261,6 +3265,7 @@ void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy )
     ssl->allow_legacy_renegotiation = allow_legacy;
 }
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
 int ssl_set_session_tickets( ssl_context *ssl, int use_tickets )
 {
     ssl->session_tickets = use_tickets;
@@ -3273,6 +3278,7 @@ int ssl_set_session_tickets( ssl_context *ssl, int use_tickets )
 
     return( ssl_ticket_keys_init( ssl ) );
 }
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
 
 /*
  * SSL get accessors
@@ -3658,7 +3664,9 @@ void ssl_session_free( ssl_session *session )
     }
 #endif
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
     polarssl_free( session->ticket );
+#endif
 
     memset( session, 0, sizeof( ssl_session ) );
 }
@@ -3710,7 +3718,9 @@ void ssl_free( ssl_context *ssl )
         polarssl_free( ssl->session );
     }
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
     polarssl_free( ssl->ticket_keys );
+#endif
 
     if ( ssl->hostname != NULL)
     {

programs/ssl/ssl_client2.c

@@ -178,6 +178,13 @@ static int my_verify( void *data, x509_cert *crt, int depth, int *flags )
 #define USAGE_PSK ""
 #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
+#define USAGE_TICKETS                                       \
+    "    tickets=%%d          default: 1 (enabled)\n"
+#else
+#define USAGE_TICKETS ""
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
+
 #define USAGE \
     "\n usage: ssl_client2 param=<>...\n"                   \
     "\n acceptable parameters:\n"                           \
@@ -189,7 +196,7 @@ static int my_verify( void *data, x509_cert *crt, int depth, int *flags )
     "    renegotiation=%%d    default: 1 (enabled)\n"       \
     "    allow_legacy=%%d     default: 0 (disabled)\n"      \
     "    reconnect=%%d        default: 0 (disabled)\n"      \
-    "    tickets=%%d          default: 1 (enabled)\n"       \
+    USAGE_TICKETS                                           \
     "\n"                                                    \
     "    min_version=%%s      default: \"\" (ssl3)\n"       \
     "    max_version=%%s      default: \"\" (tls1_2)\n"     \
@@ -674,7 +681,9 @@ int main( int argc, char *argv[] )
     ssl_set_bio( &ssl, net_recv, &server_fd,
                        net_send, &server_fd );
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
     ssl_set_session_tickets( &ssl, opt.tickets );
+#endif
 
     if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
         ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );

programs/ssl/ssl_server2.c

@@ -146,6 +146,13 @@ static void my_debug( void *ctx, int level, const char *str )
 #define USAGE_PSK ""
 #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
+#define USAGE_TICKETS                                       \
+    "    tickets=%%d          default: 1 (enabled)\n"
+#else
+#define USAGE_TICKETS ""
+#endif /* POLARSSL_SSL_SESSION_TICKETS */
+
 #define USAGE \
     "\n usage: ssl_server2 param=<>...\n"                   \
     "\n acceptable parameters:\n"                           \
@@ -154,7 +161,7 @@ static void my_debug( void *ctx, int level, const char *str )
     USAGE_IO                                                \
     "    request_page=%%s     default: \".\"\n"             \
     "    renegotiation=%%d    default: 1 (enabled)\n"       \
-    "    tickets=%%d          default: 1 (enabled)\n"       \
+    USAGE_TICKETS                                           \
     "    allow_legacy=%%d     default: 0 (disabled)\n"      \
     "    min_version=%%s      default: \"ssl3\"\n"          \
     "    max_version=%%s      default: \"tls1_2\"\n"        \
@@ -621,7 +628,9 @@ int main( int argc, char *argv[] )
                                  ssl_cache_set, &cache );
 #endif
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
     ssl_set_session_tickets( &ssl, opt.tickets );
+#endif
 
     if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
         ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );