2015-05-15 12:09:00 +02:00
|
|
|
/**
|
|
|
|
|
* \file ssl_ticket.h
|
|
|
|
|
*
|
|
|
|
|
* \brief TLS server ticket callbacks implementation
|
|
|
|
|
*
|
|
|
|
|
* Copyright (C) 2015, ARM Limited, All Rights Reserved
|
|
|
|
|
*
|
|
|
|
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
|
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
|
* it under the terms of the GNU General Public License as published by
|
|
|
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
|
|
|
* (at your option) any later version.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License along
|
|
|
|
|
* with this program; if not, write to the Free Software Foundation, Inc.,
|
|
|
|
|
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
|
|
|
*/
|
|
|
|
|
#ifndef MBEDTLS_SSL_TICKET_H
|
|
|
|
|
#define MBEDTLS_SSL_TICKET_H
|
|
|
|
|
|
2015-05-25 19:34:49 +02:00
|
|
|
/*
|
|
|
|
|
* This implementation of the session ticket callbacks includes key
|
|
|
|
|
* management, rotating the keys periodically in order to preserve forward
|
|
|
|
|
* secrecy, when MBEDTLS_HAVE_TIME is defined.
|
|
|
|
|
*/
|
|
|
|
|
|
2015-05-15 12:09:00 +02:00
|
|
|
#include "ssl.h"
|
2015-05-20 19:59:39 +02:00
|
|
|
#include "cipher.h"
|
2015-05-15 12:09:00 +02:00
|
|
|
|
2015-05-20 11:34:54 +02:00
|
|
|
#if defined(MBEDTLS_THREADING_C)
|
|
|
|
|
#include "threading.h"
|
|
|
|
|
#endif
|
|
|
|
|
|
2015-05-15 12:09:00 +02:00
|
|
|
#ifdef __cplusplus
|
|
|
|
|
extern "C" {
|
|
|
|
|
#endif
|
|
|
|
|
|
2015-05-25 11:00:19 +02:00
|
|
|
/**
|
|
|
|
|
* \brief Information for session ticket protection
|
|
|
|
|
*/
|
|
|
|
|
typedef struct
|
|
|
|
|
{
|
|
|
|
|
unsigned char name[4]; /*!< random key identifier */
|
|
|
|
|
uint32_t generation_time; /*!< key generation timestamp (seconds) */
|
|
|
|
|
mbedtls_cipher_context_t ctx; /*!< context for auth enc/decryption */
|
|
|
|
|
}
|
|
|
|
|
mbedtls_ssl_ticket_key;
|
|
|
|
|
|
2015-05-19 15:28:00 +02:00
|
|
|
/**
|
|
|
|
|
* \brief Context for session ticket handling functions
|
|
|
|
|
*/
|
|
|
|
|
typedef struct
|
|
|
|
|
{
|
2015-05-25 11:00:19 +02:00
|
|
|
mbedtls_ssl_ticket_key keys[2]; /*!< ticket protection keys */
|
2015-05-25 14:07:08 +02:00
|
|
|
unsigned char active; /*!< index of the currently active key */
|
2015-05-19 15:28:00 +02:00
|
|
|
|
|
|
|
|
uint32_t ticket_lifetime; /*!< lifetime of tickets in seconds */
|
|
|
|
|
|
|
|
|
|
/** Callback for getting (pseudo-)random numbers */
|
|
|
|
|
int (*f_rng)(void *, unsigned char *, size_t);
|
|
|
|
|
void *p_rng; /*!< context for the RNG function */
|
2015-05-20 11:34:54 +02:00
|
|
|
|
|
|
|
|
#if defined(MBEDTLS_THREADING_C)
|
|
|
|
|
mbedtls_threading_mutex_t mutex;
|
|
|
|
|
#endif
|
2015-05-19 15:28:00 +02:00
|
|
|
}
|
|
|
|
|
mbedtls_ssl_ticket_context;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief Initialize a ticket context.
|
|
|
|
|
* (Just make it ready for mbedtls_ssl_ticket_setup()
|
|
|
|
|
* or mbedtls_ssl_ticket_free().)
|
|
|
|
|
*
|
|
|
|
|
* \param ctx Context to be initialized
|
|
|
|
|
*/
|
|
|
|
|
void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx );
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief Prepare context to be actually used
|
|
|
|
|
*
|
|
|
|
|
* \param ctx Context to be set up
|
|
|
|
|
* \param f_rng RNG callback function
|
|
|
|
|
* \param p_rng RNG callback context
|
2015-05-25 10:35:16 +02:00
|
|
|
* \param cipher AEAD cipher to use for ticket protection, eg
|
|
|
|
|
* MBEDTLS_CIPHER_AES_256_GCM or MBEDTLS_CIPHER_AES_256_CCM.
|
2015-05-19 15:28:00 +02:00
|
|
|
* \param lifetime Tickets lifetime in seconds
|
|
|
|
|
*
|
2015-05-25 10:35:16 +02:00
|
|
|
* \note It is highly recommended to select a cipher that is at
|
|
|
|
|
* least as strong as the the strongest ciphersuite
|
|
|
|
|
* supported. Usually that means a 256-bit key.
|
|
|
|
|
*
|
2015-05-19 15:28:00 +02:00
|
|
|
* \return 0 is successful,
|
|
|
|
|
* or a specific MBEDTLS_ERR_XXX error code
|
|
|
|
|
*/
|
|
|
|
|
int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
|
|
|
|
|
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
|
2015-05-25 10:35:16 +02:00
|
|
|
mbedtls_cipher_type_t cipher,
|
2015-05-19 15:28:00 +02:00
|
|
|
uint32_t lifetime );
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief Implementation of the ticket write callback
|
|
|
|
|
*
|
|
|
|
|
* \note See \c mbedlts_ssl_ticket_write_t for description
|
|
|
|
|
*/
|
|
|
|
|
mbedtls_ssl_ticket_write_t mbedtls_ssl_ticket_write;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief Implementation of the ticket parse callback
|
|
|
|
|
*
|
|
|
|
|
* \note See \c mbedlts_ssl_ticket_parse_t for description
|
|
|
|
|
*/
|
|
|
|
|
mbedtls_ssl_ticket_parse_t mbedtls_ssl_ticket_parse;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief Free a context's content and zeroize it.
|
|
|
|
|
*
|
|
|
|
|
* \param ctx Context to be cleaned up
|
|
|
|
|
*/
|
|
|
|
|
void mbedtls_ssl_ticket_free( mbedtls_ssl_ticket_context *ctx );
|
2015-05-15 12:09:00 +02:00
|
|
|
|
|
|
|
|
#ifdef __cplusplus
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#endif /* ssl_ticket.h */
|
