mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-29 08:34:19 +01:00
Add ssl_set_session_tickets()
This commit is contained in:
parent
306827e3bc
commit
aa0d4d1aff
@ -154,6 +154,9 @@
|
|||||||
#define SSL_TRUNC_HMAC_ENABLED 1
|
#define SSL_TRUNC_HMAC_ENABLED 1
|
||||||
#define SSL_TRUNCATED_HMAC_LEN 10 /* 80 bits, rfc 6066 section 7 */
|
#define SSL_TRUNCATED_HMAC_LEN 10 /* 80 bits, rfc 6066 section 7 */
|
||||||
|
|
||||||
|
#define SSL_SESSION_TICKETS_DISABLED 0
|
||||||
|
#define SSL_SESSION_TICKETS_ENABLED 1
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Size of the input / output buffer.
|
* Size of the input / output buffer.
|
||||||
* Note: the RFC defines the default size of SSL / TLS messages. If you
|
* Note: the RFC defines the default size of SSL / TLS messages. If you
|
||||||
@ -561,6 +564,7 @@ struct _ssl_context
|
|||||||
int allow_legacy_renegotiation; /*!< allow legacy renegotiation */
|
int allow_legacy_renegotiation; /*!< allow legacy renegotiation */
|
||||||
const int *ciphersuite_list[4]; /*!< allowed ciphersuites / version */
|
const int *ciphersuite_list[4]; /*!< allowed ciphersuites / version */
|
||||||
int trunc_hmac; /*!< negotiate truncated hmac? */
|
int trunc_hmac; /*!< negotiate truncated hmac? */
|
||||||
|
int session_tickets; /*!< use session tickets? */
|
||||||
|
|
||||||
#if defined(POLARSSL_DHM_C)
|
#if defined(POLARSSL_DHM_C)
|
||||||
mpi dhm_P; /*!< prime modulus for DHM */
|
mpi dhm_P; /*!< prime modulus for DHM */
|
||||||
@ -667,6 +671,9 @@ int ssl_session_reset( ssl_context *ssl );
|
|||||||
*
|
*
|
||||||
* \param ssl SSL context
|
* \param ssl SSL context
|
||||||
* \param endpoint must be SSL_IS_CLIENT or SSL_IS_SERVER
|
* \param endpoint must be SSL_IS_CLIENT or SSL_IS_SERVER
|
||||||
|
*
|
||||||
|
* \note This function should be called right after ssl_init() since
|
||||||
|
* some other ssl_set_foo() functions depend on it.
|
||||||
*/
|
*/
|
||||||
void ssl_set_endpoint( ssl_context *ssl, int endpoint );
|
void ssl_set_endpoint( ssl_context *ssl, int endpoint );
|
||||||
|
|
||||||
@ -1012,6 +1019,24 @@ int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code );
|
|||||||
*/
|
*/
|
||||||
int ssl_set_truncated_hmac( ssl_context *ssl, int truncate );
|
int ssl_set_truncated_hmac( ssl_context *ssl, int truncate );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Enable / Disable session tickets
|
||||||
|
* (Default: SSL_SESSION_TICKETS_ENABLED on client,
|
||||||
|
* SSL_SESSION_TICKETS_DISABLED on server)
|
||||||
|
*
|
||||||
|
* \note On server, ssl_set_rng() must be called before this function
|
||||||
|
* to allow generating the ticket encryption and
|
||||||
|
* authentication keys.
|
||||||
|
*
|
||||||
|
* \param ssl SSL context
|
||||||
|
* \param use_tickets Enable or disable (SSL_SESSION_TICKETS_ENABLED or
|
||||||
|
* SSL_SESSION_TICKETS_DISABLED)
|
||||||
|
*
|
||||||
|
* \return O if successful,
|
||||||
|
* or a specific error code (server only).
|
||||||
|
*/
|
||||||
|
int ssl_set_session_tickets( ssl_context *ssl, int use_tickets );
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* \brief Enable / Disable renegotiation support for connection when
|
* \brief Enable / Disable renegotiation support for connection when
|
||||||
* initiated by peer
|
* initiated by peer
|
||||||
|
@ -328,6 +328,12 @@ static void ssl_write_session_ticket_ext( ssl_context *ssl,
|
|||||||
unsigned char *p = buf;
|
unsigned char *p = buf;
|
||||||
size_t tlen = ssl->session_negotiate->ticket_len;
|
size_t tlen = ssl->session_negotiate->ticket_len;
|
||||||
|
|
||||||
|
if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED )
|
||||||
|
{
|
||||||
|
*olen = 0;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
|
SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
|
||||||
|
|
||||||
*p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
|
*p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
|
||||||
@ -648,8 +654,11 @@ static int ssl_parse_session_ticket_ext( ssl_context *ssl,
|
|||||||
const unsigned char *buf,
|
const unsigned char *buf,
|
||||||
size_t len )
|
size_t len )
|
||||||
{
|
{
|
||||||
if( len != 0 )
|
if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED ||
|
||||||
|
len != 0 )
|
||||||
|
{
|
||||||
return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
|
return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
|
||||||
|
}
|
||||||
|
|
||||||
((void) buf);
|
((void) buf);
|
||||||
|
|
||||||
|
@ -534,6 +534,9 @@ static int ssl_parse_session_ticket_ext( ssl_context *ssl,
|
|||||||
const unsigned char *buf,
|
const unsigned char *buf,
|
||||||
size_t len )
|
size_t len )
|
||||||
{
|
{
|
||||||
|
if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED )
|
||||||
|
return( 0 );
|
||||||
|
|
||||||
/* Remember the client asked us to send a new ticket */
|
/* Remember the client asked us to send a new ticket */
|
||||||
ssl->handshake->new_session_ticket = 1;
|
ssl->handshake->new_session_ticket = 1;
|
||||||
|
|
||||||
|
@ -2978,6 +2978,9 @@ int ssl_session_reset( ssl_context *ssl )
|
|||||||
void ssl_set_endpoint( ssl_context *ssl, int endpoint )
|
void ssl_set_endpoint( ssl_context *ssl, int endpoint )
|
||||||
{
|
{
|
||||||
ssl->endpoint = endpoint;
|
ssl->endpoint = endpoint;
|
||||||
|
|
||||||
|
if( endpoint == SSL_IS_CLIENT )
|
||||||
|
ssl->session_tickets = SSL_SESSION_TICKETS_ENABLED;
|
||||||
}
|
}
|
||||||
|
|
||||||
void ssl_set_authmode( ssl_context *ssl, int authmode )
|
void ssl_set_authmode( ssl_context *ssl, int authmode )
|
||||||
@ -3225,6 +3228,13 @@ void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy )
|
|||||||
ssl->allow_legacy_renegotiation = allow_legacy;
|
ssl->allow_legacy_renegotiation = allow_legacy;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int ssl_set_session_tickets( ssl_context *ssl, int use_tickets )
|
||||||
|
{
|
||||||
|
ssl->session_tickets = use_tickets;
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* SSL get accessors
|
* SSL get accessors
|
||||||
*/
|
*/
|
||||||
|
@ -60,6 +60,7 @@
|
|||||||
#define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE
|
#define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE
|
||||||
#define DFL_TRUNC_HMAC 0
|
#define DFL_TRUNC_HMAC 0
|
||||||
#define DFL_RECONNECT 0
|
#define DFL_RECONNECT 0
|
||||||
|
#define DFL_TICKETS SSL_SESSION_TICKETS_ENABLED
|
||||||
|
|
||||||
#define LONG_HEADER "User-agent: blah-blah-blah-blah-blah-blah-blah-blah-" \
|
#define LONG_HEADER "User-agent: blah-blah-blah-blah-blah-blah-blah-blah-" \
|
||||||
"-01--blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-" \
|
"-01--blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-" \
|
||||||
@ -98,6 +99,7 @@ struct options
|
|||||||
unsigned char mfl_code; /* code for maximum fragment length */
|
unsigned char mfl_code; /* code for maximum fragment length */
|
||||||
int trunc_hmac; /* negotiate truncated hmac or not */
|
int trunc_hmac; /* negotiate truncated hmac or not */
|
||||||
int reconnect; /* attempt to resume session */
|
int reconnect; /* attempt to resume session */
|
||||||
|
int tickets; /* enable / disable session tickets */
|
||||||
} opt;
|
} opt;
|
||||||
|
|
||||||
static void my_debug( void *ctx, int level, const char *str )
|
static void my_debug( void *ctx, int level, const char *str )
|
||||||
@ -187,6 +189,7 @@ static int my_verify( void *data, x509_cert *crt, int depth, int *flags )
|
|||||||
" renegotiation=%%d default: 1 (enabled)\n" \
|
" renegotiation=%%d default: 1 (enabled)\n" \
|
||||||
" allow_legacy=%%d default: 0 (disabled)\n" \
|
" allow_legacy=%%d default: 0 (disabled)\n" \
|
||||||
" reconnect=%%d default: 0 (disabled)\n" \
|
" reconnect=%%d default: 0 (disabled)\n" \
|
||||||
|
" tickets=%%d default: 1 (enabled)\n" \
|
||||||
"\n" \
|
"\n" \
|
||||||
" min_version=%%s default: \"\" (ssl3)\n" \
|
" min_version=%%s default: \"\" (ssl3)\n" \
|
||||||
" max_version=%%s default: \"\" (tls1_2)\n" \
|
" max_version=%%s default: \"\" (tls1_2)\n" \
|
||||||
@ -291,6 +294,7 @@ int main( int argc, char *argv[] )
|
|||||||
opt.mfl_code = DFL_MFL_CODE;
|
opt.mfl_code = DFL_MFL_CODE;
|
||||||
opt.trunc_hmac = DFL_TRUNC_HMAC;
|
opt.trunc_hmac = DFL_TRUNC_HMAC;
|
||||||
opt.reconnect = DFL_RECONNECT;
|
opt.reconnect = DFL_RECONNECT;
|
||||||
|
opt.tickets = DFL_TICKETS;
|
||||||
|
|
||||||
for( i = 1; i < argc; i++ )
|
for( i = 1; i < argc; i++ )
|
||||||
{
|
{
|
||||||
@ -357,6 +361,12 @@ int main( int argc, char *argv[] )
|
|||||||
if( opt.reconnect < 0 || opt.reconnect > 2 )
|
if( opt.reconnect < 0 || opt.reconnect > 2 )
|
||||||
goto usage;
|
goto usage;
|
||||||
}
|
}
|
||||||
|
else if( strcmp( p, "tickets" ) == 0 )
|
||||||
|
{
|
||||||
|
opt.tickets = atoi( q );
|
||||||
|
if( opt.tickets < 0 || opt.tickets > 2 )
|
||||||
|
goto usage;
|
||||||
|
}
|
||||||
else if( strcmp( p, "min_version" ) == 0 )
|
else if( strcmp( p, "min_version" ) == 0 )
|
||||||
{
|
{
|
||||||
if( strcmp( q, "ssl3" ) == 0 )
|
if( strcmp( q, "ssl3" ) == 0 )
|
||||||
@ -664,6 +674,8 @@ int main( int argc, char *argv[] )
|
|||||||
ssl_set_bio( &ssl, net_recv, &server_fd,
|
ssl_set_bio( &ssl, net_recv, &server_fd,
|
||||||
net_send, &server_fd );
|
net_send, &server_fd );
|
||||||
|
|
||||||
|
ssl_set_session_tickets( &ssl, opt.tickets );
|
||||||
|
|
||||||
if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
|
if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
|
||||||
ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );
|
ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );
|
||||||
|
|
||||||
|
@ -69,6 +69,7 @@
|
|||||||
#define DFL_MAX_VERSION -1
|
#define DFL_MAX_VERSION -1
|
||||||
#define DFL_AUTH_MODE SSL_VERIFY_OPTIONAL
|
#define DFL_AUTH_MODE SSL_VERIFY_OPTIONAL
|
||||||
#define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE
|
#define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE
|
||||||
|
#define DFL_TICKETS SSL_SESSION_TICKETS_ENABLED
|
||||||
|
|
||||||
#define LONG_RESPONSE "<p>01-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
|
#define LONG_RESPONSE "<p>01-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
|
||||||
"02-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
|
"02-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
|
||||||
@ -105,6 +106,7 @@ struct options
|
|||||||
int max_version; /* maximum protocol version accepted */
|
int max_version; /* maximum protocol version accepted */
|
||||||
int auth_mode; /* verify mode for connection */
|
int auth_mode; /* verify mode for connection */
|
||||||
unsigned char mfl_code; /* code for maximum fragment length */
|
unsigned char mfl_code; /* code for maximum fragment length */
|
||||||
|
int tickets; /* enable / disable session tickets */
|
||||||
} opt;
|
} opt;
|
||||||
|
|
||||||
static void my_debug( void *ctx, int level, const char *str )
|
static void my_debug( void *ctx, int level, const char *str )
|
||||||
@ -152,6 +154,7 @@ static void my_debug( void *ctx, int level, const char *str )
|
|||||||
USAGE_IO \
|
USAGE_IO \
|
||||||
" request_page=%%s default: \".\"\n" \
|
" request_page=%%s default: \".\"\n" \
|
||||||
" renegotiation=%%d default: 1 (enabled)\n" \
|
" renegotiation=%%d default: 1 (enabled)\n" \
|
||||||
|
" tickets=%%d default: 1 (enabled)\n" \
|
||||||
" allow_legacy=%%d default: 0 (disabled)\n" \
|
" allow_legacy=%%d default: 0 (disabled)\n" \
|
||||||
" min_version=%%s default: \"ssl3\"\n" \
|
" min_version=%%s default: \"ssl3\"\n" \
|
||||||
" max_version=%%s default: \"tls1_2\"\n" \
|
" max_version=%%s default: \"tls1_2\"\n" \
|
||||||
@ -265,6 +268,7 @@ int main( int argc, char *argv[] )
|
|||||||
opt.max_version = DFL_MAX_VERSION;
|
opt.max_version = DFL_MAX_VERSION;
|
||||||
opt.auth_mode = DFL_AUTH_MODE;
|
opt.auth_mode = DFL_AUTH_MODE;
|
||||||
opt.mfl_code = DFL_MFL_CODE;
|
opt.mfl_code = DFL_MFL_CODE;
|
||||||
|
opt.tickets = DFL_TICKETS;
|
||||||
|
|
||||||
for( i = 1; i < argc; i++ )
|
for( i = 1; i < argc; i++ )
|
||||||
{
|
{
|
||||||
@ -396,6 +400,12 @@ int main( int argc, char *argv[] )
|
|||||||
else
|
else
|
||||||
goto usage;
|
goto usage;
|
||||||
}
|
}
|
||||||
|
else if( strcmp( p, "tickets" ) == 0 )
|
||||||
|
{
|
||||||
|
opt.tickets = atoi( q );
|
||||||
|
if( opt.tickets < 0 || opt.tickets > 1 )
|
||||||
|
goto usage;
|
||||||
|
}
|
||||||
else
|
else
|
||||||
goto usage;
|
goto usage;
|
||||||
}
|
}
|
||||||
@ -611,6 +621,8 @@ int main( int argc, char *argv[] )
|
|||||||
ssl_cache_set, &cache );
|
ssl_cache_set, &cache );
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
ssl_set_session_tickets( &ssl, opt.tickets );
|
||||||
|
|
||||||
if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
|
if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
|
||||||
ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );
|
ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user