mbedtls/include/mbedtls/ssl_ticket.h

/**
 * \file ssl_ticket.h
 *
 * \brief TLS server ticket callbacks implementation
 */
/*
 *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
 *  SPDX-License-Identifier: Apache-2.0
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
 *  This file is part of mbed TLS (https://tls.mbed.org)
 */
#ifndef MBEDTLS_SSL_TICKET_H
#define MBEDTLS_SSL_TICKET_H

#if !defined(MBEDTLS_CONFIG_FILE)
#include "config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif

/*
 * This implementation of the session ticket callbacks includes key
 * management, rotating the keys periodically in order to preserve forward
 * secrecy, when MBEDTLS_HAVE_TIME is defined.
 */

#include "ssl.h"
#include "cipher.h"

#if defined(MBEDTLS_THREADING_C)
#include "threading.h"
#endif

#ifdef __cplusplus
extern "C" {
#endif

/**
 * \brief   Information for session ticket protection
 */
typedef struct mbedtls_ssl_ticket_key
{
    unsigned char name[4];          /*!< random key identifier              */
    uint32_t generation_time;       /*!< key generation timestamp (seconds) */
    mbedtls_cipher_context_t ctx;   /*!< context for auth enc/decryption    */
}
mbedtls_ssl_ticket_key;

/**
 * \brief   Context for session ticket handling functions
 */
typedef struct mbedtls_ssl_ticket_context
{
    mbedtls_ssl_ticket_key keys[2]; /*!< ticket protection keys             */
    unsigned char active;           /*!< index of the currently active key  */

    uint32_t ticket_lifetime;       /*!< lifetime of tickets in seconds     */

    /** Callback for getting (pseudo-)random numbers                        */
    int  (*f_rng)(void *, unsigned char *, size_t);
    void *p_rng;                    /*!< context for the RNG function       */

#if defined(MBEDTLS_THREADING_C)
    mbedtls_threading_mutex_t mutex;
#endif
}
mbedtls_ssl_ticket_context;

/**
 * \brief           Initialize a ticket context.
 *                  (Just make it ready for mbedtls_ssl_ticket_setup()
 *                  or mbedtls_ssl_ticket_free().)
 *
 * \param ctx       Context to be initialized
 */
void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx );

/**
 * \brief           Prepare context to be actually used
 *
 * \param ctx       Context to be set up
 * \param f_rng     RNG callback function
 * \param p_rng     RNG callback context
 * \param cipher    AEAD cipher to use for ticket protection.
 *                  Recommended value: MBEDTLS_CIPHER_AES_256_GCM.
 * \param lifetime  Tickets lifetime in seconds
 *                  Recommended value: 86400 (one day).
 *
 * \note            It is highly recommended to select a cipher that is at
 *                  least as strong as the the strongest ciphersuite
 *                  supported. Usually that means a 256-bit key.
 *
 * \note            The lifetime of the keys is twice the lifetime of tickets.
 *                  It is recommended to pick a reasonnable lifetime so as not
 *                  to negate the benefits of forward secrecy.
 *
 * \return          0 if successful,
 *                  or a specific MBEDTLS_ERR_XXX error code
 */
int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
    mbedtls_cipher_type_t cipher,
    uint32_t lifetime );

/**
 * \brief           Implementation of the ticket write callback
 *
 * \note            See \c mbedlts_ssl_ticket_write_t for description
 */
mbedtls_ssl_ticket_write_t mbedtls_ssl_ticket_write;

/**
 * \brief           Implementation of the ticket parse callback
 *
 * \note            See \c mbedlts_ssl_ticket_parse_t for description
 */
mbedtls_ssl_ticket_parse_t mbedtls_ssl_ticket_parse;

/**
 * \brief           Free a context's content and zeroize it.
 *
 * \param ctx       Context to be cleaned up
 */
void mbedtls_ssl_ticket_free( mbedtls_ssl_ticket_context *ctx );

#ifdef __cplusplus
}
#endif

#endif /* ssl_ticket.h */
Add new submodule ssl_ticket 2015-05-15 12:09:00 +02:00			`/**`
			`* \file ssl_ticket.h`
			`*`
			`* \brief TLS server ticket callbacks implementation`
Update Doxygen file blocks to remove copyright and license information 2018-01-05 16:33:17 +01:00			`*/`
			`/*`
Update date in copyright line 2015-07-27 11:11:48 +02:00			`* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved`
Change main license to Apache 2.0 2015-09-04 14:21:07 +02:00			`* SPDX-License-Identifier: Apache-2.0`
Add new submodule ssl_ticket 2015-05-15 12:09:00 +02:00			`*`
Change main license to Apache 2.0 2015-09-04 14:21:07 +02:00			`* Licensed under the Apache License, Version 2.0 (the "License"); you may`
			`* not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
Add new submodule ssl_ticket 2015-05-15 12:09:00 +02:00			`*`
Change main license to Apache 2.0 2015-09-04 14:21:07 +02:00			`* http://www.apache.org/licenses/LICENSE-2.0`
Add new submodule ssl_ticket 2015-05-15 12:09:00 +02:00			`*`
Change main license to Apache 2.0 2015-09-04 14:21:07 +02:00			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT`
			`* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
Add new submodule ssl_ticket 2015-05-15 12:09:00 +02:00			`*`
Change main license to Apache 2.0 2015-09-04 14:21:07 +02:00			`* This file is part of mbed TLS (https://tls.mbed.org)`
Add new submodule ssl_ticket 2015-05-15 12:09:00 +02:00			`*/`
			`#ifndef MBEDTLS_SSL_TICKET_H`
			`#define MBEDTLS_SSL_TICKET_H`

Include configuration file to headers Add inclusion to configration file in header files, instead of relying on other header files to include the configuration file. This issue resolves #1371 2018-02-14 15:02:41 +01:00			`#if !defined(MBEDTLS_CONFIG_FILE)`
			`#include "config.h"`
			`#else`
			`#include MBEDTLS_CONFIG_FILE`
			`#endif`

Update dependencies and documentation 2015-05-25 19:34:49 +02:00			`/*`
			`* This implementation of the session ticket callbacks includes key`
			`* management, rotating the keys periodically in order to preserve forward`
			`* secrecy, when MBEDTLS_HAVE_TIME is defined.`
			`*/`

Add new submodule ssl_ticket 2015-05-15 12:09:00 +02:00			`#include "ssl.h"`
Use AES-GCM-256 for session ticket protection 2015-05-20 19:59:39 +02:00			`#include "cipher.h"`
Add new submodule ssl_ticket 2015-05-15 12:09:00 +02:00
Make ssl ticket functions thread-safe 2015-05-20 11:34:54 +02:00			`#if defined(MBEDTLS_THREADING_C)`
			`#include "threading.h"`
			`#endif`

Add new submodule ssl_ticket 2015-05-15 12:09:00 +02:00			`#ifdef __cplusplus`
			`extern "C" {`
			`#endif`

Internal changes in preparation for key rotation - two sets of keys - separate function for key generation/update 2015-05-25 11:00:19 +02:00			`/**`
			`* \brief Information for session ticket protection`
			`*/`
Allow to forward declare of public structs #1215 Thanks to forward declare we can declare `struct` in our header file instead making #include 2018-07-24 10:02:47 +02:00			`typedef struct mbedtls_ssl_ticket_key`
Internal changes in preparation for key rotation - two sets of keys - separate function for key generation/update 2015-05-25 11:00:19 +02:00			`{`
			`unsigned char name[4]; /!< random key identifier /`
			`uint32_t generation_time; /!< key generation timestamp (seconds) /`
			`mbedtls_cipher_context_t ctx; /!< context for auth enc/decryption /`
			`}`
			`mbedtls_ssl_ticket_key;`

Move to callback for session tickets 2015-05-19 15:28:00 +02:00			`/**`
			`* \brief Context for session ticket handling functions`
			`*/`
Allow to forward declare of public structs #1215 Thanks to forward declare we can declare `struct` in our header file instead making #include 2018-07-24 10:02:47 +02:00			`typedef struct mbedtls_ssl_ticket_context`
Move to callback for session tickets 2015-05-19 15:28:00 +02:00			`{`
Internal changes in preparation for key rotation - two sets of keys - separate function for key generation/update 2015-05-25 11:00:19 +02:00			`mbedtls_ssl_ticket_key keys[2]; /!< ticket protection keys /`
Implement key rotation 2015-05-25 14:07:08 +02:00			`unsigned char active; /!< index of the currently active key /`
Move to callback for session tickets 2015-05-19 15:28:00 +02:00
			`uint32_t ticket_lifetime; /!< lifetime of tickets in seconds /`

			`/** Callback for getting (pseudo-)random numbers */`
			`int (f_rng)(void , unsigned char *, size_t);`
			`void p_rng; /!< context for the RNG function */`
Make ssl ticket functions thread-safe 2015-05-20 11:34:54 +02:00
			`#if defined(MBEDTLS_THREADING_C)`
			`mbedtls_threading_mutex_t mutex;`
			`#endif`
Move to callback for session tickets 2015-05-19 15:28:00 +02:00			`}`
			`mbedtls_ssl_ticket_context;`

			`/**`
			`* \brief Initialize a ticket context.`
			`* (Just make it ready for mbedtls_ssl_ticket_setup()`
			`* or mbedtls_ssl_ticket_free().)`
			`*`
			`* \param ctx Context to be initialized`
			`*/`
			`void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx );`

			`/**`
			`* \brief Prepare context to be actually used`
			`*`
			`* \param ctx Context to be set up`
			`* \param f_rng RNG callback function`
			`* \param p_rng RNG callback context`
Improve documentation about SSL ticket encryption 2015-06-25 12:44:46 +02:00			`* \param cipher AEAD cipher to use for ticket protection.`
			`* Recommended value: MBEDTLS_CIPHER_AES_256_GCM.`
Move to callback for session tickets 2015-05-19 15:28:00 +02:00			`* \param lifetime Tickets lifetime in seconds`
Improve documentation about SSL ticket encryption 2015-06-25 12:44:46 +02:00			`* Recommended value: 86400 (one day).`
Move to callback for session tickets 2015-05-19 15:28:00 +02:00			`*`
Make cipher used in ssl tickets configurable 2015-05-25 10:35:16 +02:00			`* \note It is highly recommended to select a cipher that is at`
			`* least as strong as the the strongest ciphersuite`
			`* supported. Usually that means a 256-bit key.`
			`*`
Improve documentation about SSL ticket encryption 2015-06-25 12:44:46 +02:00			`* \note The lifetime of the keys is twice the lifetime of tickets.`
			`* It is recommended to pick a reasonnable lifetime so as not`
			`* to negate the benefits of forward secrecy.`
			`*`
Fix typos/style in doxygen documentation 2015-05-29 12:53:47 +02:00			`* \return 0 if successful,`
Move to callback for session tickets 2015-05-19 15:28:00 +02:00			`* or a specific MBEDTLS_ERR_XXX error code`
			`*/`
			`int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,`
			`int (f_rng)(void , unsigned char , size_t), void p_rng,`
Make cipher used in ssl tickets configurable 2015-05-25 10:35:16 +02:00			`mbedtls_cipher_type_t cipher,`
Move to callback for session tickets 2015-05-19 15:28:00 +02:00			`uint32_t lifetime );`

			`/**`
			`* \brief Implementation of the ticket write callback`
			`*`
			`* \note See \c mbedlts_ssl_ticket_write_t for description`
			`*/`
			`mbedtls_ssl_ticket_write_t mbedtls_ssl_ticket_write;`

			`/**`
			`* \brief Implementation of the ticket parse callback`
			`*`
			`* \note See \c mbedlts_ssl_ticket_parse_t for description`
			`*/`
			`mbedtls_ssl_ticket_parse_t mbedtls_ssl_ticket_parse;`

			`/**`
			`* \brief Free a context's content and zeroize it.`
			`*`
			`* \param ctx Context to be cleaned up`
			`*/`
			`void mbedtls_ssl_ticket_free( mbedtls_ssl_ticket_context *ctx );`
Add new submodule ssl_ticket 2015-05-15 12:09:00 +02:00
			`#ifdef __cplusplus`
			`}`
			`#endif`

			`#endif /* ssl_ticket.h */`