The SSL session cache module (ssl_cache) now also retains peer_cert information (not the entire chain)

The real peer certificate is copied into a x509_buf in the
ssl_cache_entry and reinstated upon cache retrieval. The information
about the rest of the certificate chain is lost in the process.

As the handshake (and certificate verification) has already been
performed, no issue is foreseen.
This commit is contained in:
Paul Bakker 2013-03-06 17:40:46 +01:00
parent a35aa54967
commit e81beda60f
3 changed files with 50 additions and 6 deletions

View file

@ -16,6 +16,8 @@ Changes
or rsa_rsaes_oaep_decrypt() or rsa_rsaes_oaep_decrypt()
* Re-added handling for SSLv2 Client Hello when the define * Re-added handling for SSLv2 Client Hello when the define
POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is set POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is set
* The SSL session cache module (ssl_cache) now also retains peer_cert
information (not the entire chain)
Security Security
* Removed further timing differences during SSL message decryption in * Removed further timing differences during SSL message decryption in

View file

@ -46,6 +46,7 @@ struct _ssl_cache_entry
{ {
time_t timestamp; /*!< entry timestamp */ time_t timestamp; /*!< entry timestamp */
ssl_session session; /*!< entry session */ ssl_session session; /*!< entry session */
x509_buf peer_cert; /*!< entry peer_cert */
ssl_cache_entry *next; /*!< chain pointer */ ssl_cache_entry *next; /*!< chain pointer */
}; };

View file

@ -71,6 +71,26 @@ int ssl_cache_get( void *data, ssl_session *session )
continue; continue;
memcpy( session->master, entry->session.master, 48 ); memcpy( session->master, entry->session.master, 48 );
/*
* Restore peer certificate (without rest of the original chain)
*/
if( entry->peer_cert.p != NULL )
{
session->peer_cert = (x509_cert *) malloc( sizeof(x509_cert) );
if( session->peer_cert == NULL )
return( 1 );
memset( session->peer_cert, 0, sizeof(x509_cert) );
if( x509parse_crt( session->peer_cert, entry->peer_cert.p,
entry->peer_cert.len ) != 0 )
{
free( session->peer_cert );
session->peer_cert = NULL;
return( 1 );
}
}
return( 0 ); return( 0 );
} }
@ -119,15 +139,20 @@ int ssl_cache_set( void *data, const ssl_session *session )
if( old != NULL && count >= cache->max_entries ) if( old != NULL && count >= cache->max_entries )
{ {
cur = old; cur = old;
memset( &cur->session, 0, sizeof( ssl_session ) ); memset( &cur->session, 0, sizeof(ssl_session) );
if( cur->peer_cert.p != NULL )
{
free( cur->peer_cert.p );
memset( &cur->peer_cert, 0, sizeof(x509_buf) );
}
} }
else else
{ {
cur = (ssl_cache_entry *) malloc( sizeof( ssl_cache_entry ) ); cur = (ssl_cache_entry *) malloc( sizeof(ssl_cache_entry) );
if( cur == NULL ) if( cur == NULL )
return( 1 ); return( 1 );
memset( cur, 0, sizeof( ssl_cache_entry ) ); memset( cur, 0, sizeof(ssl_cache_entry) );
if( prv == NULL ) if( prv == NULL )
cache->chain = cur; cache->chain = cur;
@ -140,9 +165,21 @@ int ssl_cache_set( void *data, const ssl_session *session )
memcpy( &cur->session, session, sizeof( ssl_session ) ); memcpy( &cur->session, session, sizeof( ssl_session ) );
// Do not include peer_cert in cache entry /*
// * Store peer certificate
*/
if( session->peer_cert != NULL )
{
cur->peer_cert.p = (unsigned char *) malloc( session->peer_cert->raw.len );
if( cur->peer_cert.p == NULL )
return( 1 );
memcpy( cur->peer_cert.p, session->peer_cert->raw.p,
session->peer_cert->raw.len );
cur->peer_cert.len = session->peer_cert->raw.len;
cur->session.peer_cert = NULL; cur->session.peer_cert = NULL;
}
return( 0 ); return( 0 );
} }
@ -173,6 +210,10 @@ void ssl_cache_free( ssl_cache_context *cache )
cur = cur->next; cur = cur->next;
ssl_session_free( &prv->session ); ssl_session_free( &prv->session );
if( prv->peer_cert.p != NULL )
free( prv->peer_cert.p );
free( prv ); free( prv );
} }
} }