kris
/
boringssl
1
0
Креирај огранак 0
Код Дискусије 0 Захтеви за спајање 0 Издања 0 Вики Activity
Преглед изворни кода

Remove support for setting per-connection default session timeout 

As previously discussed, it turns out we don't actually need this, so
there's no point in keeping it.

Change-Id: If549c917b6bd818cd36948e37cb7839c8d122b1a
Reviewed-on: https://boringssl-review.googlesource.com/13641
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
kris/onging/CECPQ3_patch15
Alessandro Ghedini пре 7 година
committed by CQ bot account: commit-bot@chromium.org
родитељ
5bd8a09f2a
комит
33fe4a0d14
7 измењених фајлова са 5 додато и 186 уклоњено
Подељен поглед
Diff Options
Show Stats Download Patch File Download Diff File
  1. +0
    -14
      include/openssl/ssl.h
  2. +0
    -8
      ssl/internal.h
  3. +0
    -3
      ssl/ssl_lib.c
  4. +3
    -13
      ssl/ssl_session.c
  5. +0
    -146
      ssl/ssl_test.cc
  6. +1
    -1
      ssl/tls13_client.c
  7. +1
    -1
      ssl/tls13_server.c

+ 0
- 14
include/openssl/ssl.h Прегледај датотеку

@@ -1753,20 +1753,6 @@ OPENSSL_EXPORT void SSL_CTX_set_session_psk_dhe_timeout(SSL_CTX *ctx,
* sessions created in |ctx|. */
OPENSSL_EXPORT long SSL_CTX_get_timeout(const SSL_CTX *ctx);

/* SSL_set_session_timeout sets the default lifetime, in seconds, of a TLS 1.2
* (or earlier) session created in |ssl| to |timeout|, and returns the old
* value.
*
* By default the value |SSL_DEFAULT_SESSION_TIMEOUT| is used, which can be
* overridden at the context level by calling |SSL_CTX_set_timeout|.
*
* If |timeout| is zero the newly created session will not be resumable. */
OPENSSL_EXPORT long SSL_set_session_timeout(SSL *ssl, long timeout);

/* SSL_set_session_psk_dhe_timeout sets the lifetime, in seconds, of TLS 1.3
* sessions created in |ssl| to |timeout|. */
OPENSSL_EXPORT void SSL_set_session_psk_dhe_timeout(SSL *ssl, long timeout);

/* SSL_CTX_set_session_id_context sets |ctx|'s session ID context to |sid_ctx|.
* It returns one on success and zero on error. The session ID context is an
* application-defined opaque byte string. A session will not be used in a


+ 0
- 8
ssl/internal.h Прегледај датотеку

@@ -1836,14 +1836,6 @@ struct ssl_st {
* session space. Only effective on the server side. */
unsigned retain_only_sha256_of_client_certs:1;

/* session_timeout is the default lifetime in seconds of the session
* created in this connection at TLS 1.2 and earlier. */
long session_timeout;

/* session_psk_dhe_timeout is the default lifetime in seconds of sessions
* created in this connection at TLS 1.3. */
long session_psk_dhe_timeout;

/* OCSP response to be sent to the client, if requested. */
CRYPTO_BUFFER *ocsp_response;
};


+ 0
- 3
ssl/ssl_lib.c Прегледај датотеку

@@ -471,9 +471,6 @@ SSL *SSL_new(SSL_CTX *ctx) {
ssl->signed_cert_timestamps_enabled = ctx->signed_cert_timestamps_enabled;
ssl->ocsp_stapling_enabled = ctx->ocsp_stapling_enabled;

ssl->session_timeout = ctx->session_timeout;
ssl->session_psk_dhe_timeout = ctx->session_psk_dhe_timeout;

/* If the context has an OCSP response, use it. */
if (ctx->ocsp_response != NULL) {
CRYPTO_BUFFER_up_ref(ctx->ocsp_response);


+ 3
- 13
ssl/ssl_session.c Прегледај датотеку

@@ -518,13 +518,13 @@ int ssl_get_new_session(SSL_HANDSHAKE *hs, int is_server) {
if (version >= TLS1_3_VERSION) {
/* TLS 1.3 uses tickets as authenticators, so we are willing to use them for
* longer. */
session->timeout = ssl->session_psk_dhe_timeout;
session->timeout = ssl->initial_ctx->session_psk_dhe_timeout;
session->auth_timeout = SSL_DEFAULT_SESSION_AUTH_TIMEOUT;
} else {
/* TLS 1.2 resumption does not incorporate new key material, so we use a
* much shorter timeout. */
session->timeout = ssl->session_timeout;
session->auth_timeout = ssl->session_timeout;
session->timeout = ssl->initial_ctx->session_timeout;
session->auth_timeout = ssl->initial_ctx->session_timeout;
}

if (is_server) {
@@ -983,16 +983,6 @@ void SSL_CTX_set_session_psk_dhe_timeout(SSL_CTX *ctx, long timeout) {
ctx->session_psk_dhe_timeout = timeout;
}

long SSL_set_session_timeout(SSL *ssl, long timeout) {
long old_timeout = ssl->session_timeout;
ssl->session_timeout = timeout;
return old_timeout;
}

void SSL_set_session_psk_dhe_timeout(SSL *ssl, long timeout) {
ssl->session_psk_dhe_timeout = timeout;
}

typedef struct timeout_param_st {
SSL_CTX *ctx;
long time;


+ 0
- 146
ssl/ssl_test.cc Прегледај датотеку

@@ -2410,151 +2410,6 @@ static bool TestSessionTimeout(bool is_dtls, const SSL_METHOD *method,
return true;
}

static int SetSessionTimeoutCallback(SSL *ssl, void *arg) {
long timeout = *(long *) arg;
SSL_set_session_timeout(ssl, timeout);
return 1;
}

static int SetSessionTimeoutCallbackTLS13(SSL *ssl, void *arg) {
long timeout = *(long *) arg;
SSL_set_session_psk_dhe_timeout(ssl, timeout);
return 1;
}

static bool TestSessionTimeoutCertCallback(bool is_dtls,
const SSL_METHOD *method,
uint16_t version) {
if (version == TLS1_3_VERSION) {
// |SSL_set_session_timeout| only applies to TLS 1.2 style resumption.
return true;
}

static const int kStartTime = 1000;
g_current_time.tv_sec = kStartTime;

bssl::UniquePtr<X509> cert = GetTestCertificate();
bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
if (!cert || !key) {
return false;
}

bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
if (!server_ctx || !client_ctx ||
!SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
!SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
!SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
!SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
!SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
!SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
return false;
}

SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);

SSL_CTX_set_current_time_cb(server_ctx.get(), CurrentTimeCallback);

long timeout = 25;
if (version == TLS1_3_VERSION) {
SSL_CTX_set_cert_cb(server_ctx.get(), SetSessionTimeoutCallbackTLS13,
&timeout);
} else {
SSL_CTX_set_cert_cb(server_ctx.get(), SetSessionTimeoutCallback, &timeout);
}

bssl::UniquePtr<SSL_SESSION> session =
CreateClientSession(client_ctx.get(), server_ctx.get());
if (!session) {
fprintf(stderr, "Error getting session.\n");
return false;
}

// Advance the clock just behind the timeout.
g_current_time.tv_sec += timeout - 1;

if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
true /* expect session reused */)) {
fprintf(stderr, "Error resuming session.\n");
return false;
}

// Advance the clock one more second.
g_current_time.tv_sec++;

if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
false /* expect session not reused */)) {
fprintf(stderr, "Error resuming session.\n");
return false;
}

// Set session timeout to 0 to disable resumption.
timeout = 0;
g_current_time.tv_sec = kStartTime;

bssl::UniquePtr<SSL_SESSION> not_resumable_session =
CreateClientSession(client_ctx.get(), server_ctx.get());
if (!not_resumable_session) {
fprintf(stderr, "Error getting session.\n");
return false;
}

if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
not_resumable_session.get(),
false /* expect session not reused */)) {
fprintf(stderr, "Error resuming session with timeout of 0.\n");
return false;
}

// Set both context and connection (via callback) default session timeout.
// The connection one is the one that ends up being used.
timeout = 25;
g_current_time.tv_sec = kStartTime;

if (version == TLS1_3_VERSION) {
SSL_CTX_set_session_psk_dhe_timeout(server_ctx.get(), timeout - 10);
} else {
SSL_CTX_set_timeout(server_ctx.get(), timeout - 10);
}

bssl::UniquePtr<SSL_SESSION> ctx_and_cb_session =
CreateClientSession(client_ctx.get(), server_ctx.get());
if (!ctx_and_cb_session) {
fprintf(stderr, "Error getting session.\n");
return false;
}

if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
ctx_and_cb_session.get(),
true /* expect session reused */)) {
fprintf(stderr, "Error resuming session with timeout of 0.\n");
return false;
}

// Advance the clock just behind the timeout.
g_current_time.tv_sec += timeout - 1;

if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
ctx_and_cb_session.get(),
true /* expect session reused */)) {
fprintf(stderr, "Error resuming session.\n");
return false;
}

// Advance the clock one more second.
g_current_time.tv_sec++;

if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
ctx_and_cb_session.get(),
false /* expect session not reused */)) {
fprintf(stderr, "Error resuming session.\n");
return false;
}

return true;
}

static int SwitchContext(SSL *ssl, int *out_alert, void *arg) {
SSL_CTX *ctx = reinterpret_cast<SSL_CTX*>(arg);
SSL_set_SSL_CTX(ssl, ctx);
@@ -3325,7 +3180,6 @@ TEST(SSLTest, AllTests) {
!TestClientHello() ||
!ForEachVersion(TestSessionIDContext) ||
!ForEachVersion(TestSessionTimeout) ||
!ForEachVersion(TestSessionTimeoutCertCallback) ||
!ForEachVersion(TestSNICallback) ||
!TestEarlyCallbackVersionSwitch() ||
!TestSetVersion() ||


+ 1
- 1
ssl/tls13_client.c Прегледај датотеку

@@ -261,7 +261,7 @@ static enum ssl_hs_wait_t do_process_server_hello(SSL_HANDSHAKE *hs) {

/* Resumption incorporates fresh key material, so refresh the timeout. */
ssl_session_renew_timeout(ssl, ssl->s3->new_session,
ssl->session_psk_dhe_timeout);
ssl->initial_ctx->session_psk_dhe_timeout);
} else if (!ssl_get_new_session(hs, 0)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;


+ 1
- 1
ssl/tls13_server.c Прегледај датотеку

@@ -224,7 +224,7 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {

/* Resumption incorporates fresh key material, so refresh the timeout. */
ssl_session_renew_timeout(ssl, ssl->s3->new_session,
ssl->session_psk_dhe_timeout);
ssl->initial_ctx->session_psk_dhe_timeout);
}

if (ssl->ctx->dos_protection_cb != NULL &&


Write Preview
Loading…
Откажи
Сачувај