mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-29 09:54:21 +01:00
Move to callback for session tickets
This commit is contained in:
parent
2ff873c0fa
commit
d59675d92c
@ -563,9 +563,6 @@ typedef struct mbedtls_ssl_session mbedtls_ssl_session;
|
|||||||
typedef struct mbedtls_ssl_context mbedtls_ssl_context;
|
typedef struct mbedtls_ssl_context mbedtls_ssl_context;
|
||||||
typedef struct mbedtls_ssl_transform mbedtls_ssl_transform;
|
typedef struct mbedtls_ssl_transform mbedtls_ssl_transform;
|
||||||
typedef struct mbedtls_ssl_handshake_params mbedtls_ssl_handshake_params;
|
typedef struct mbedtls_ssl_handshake_params mbedtls_ssl_handshake_params;
|
||||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
|
||||||
typedef struct mbedtls_ssl_ticket_keys mbedtls_ssl_ticket_keys;
|
|
||||||
#endif
|
|
||||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||||
typedef struct mbedtls_ssl_key_cert mbedtls_ssl_key_cert;
|
typedef struct mbedtls_ssl_key_cert mbedtls_ssl_key_cert;
|
||||||
#endif
|
#endif
|
||||||
@ -750,20 +747,6 @@ struct mbedtls_ssl_handshake_params
|
|||||||
#endif
|
#endif
|
||||||
};
|
};
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
|
||||||
/*
|
|
||||||
* Parameters needed to secure session tickets
|
|
||||||
*/
|
|
||||||
struct mbedtls_ssl_ticket_keys
|
|
||||||
{
|
|
||||||
unsigned char key_name[16]; /*!< name to quickly discard bad tickets */
|
|
||||||
mbedtls_aes_context enc; /*!< encryption context */
|
|
||||||
mbedtls_aes_context dec; /*!< decryption context */
|
|
||||||
unsigned char mac_key[16]; /*!< authentication key */
|
|
||||||
uint32_t ticket_lifetime;
|
|
||||||
};
|
|
||||||
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
|
|
||||||
|
|
||||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||||
/*
|
/*
|
||||||
* List of certificate + private key pairs
|
* List of certificate + private key pairs
|
||||||
@ -844,6 +827,15 @@ typedef struct
|
|||||||
void *p_cookie; /*!< context for the cookie callbacks */
|
void *p_cookie; /*!< context for the cookie callbacks */
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||||
|
/** Callback to create & write a session ticket */
|
||||||
|
int (*f_ticket_write)( void *, const mbedtls_ssl_session *,
|
||||||
|
unsigned char *, const unsigned char *, size_t *, uint32_t * );
|
||||||
|
/** Callback to parse a session ticket into a session structure */
|
||||||
|
int (*f_ticket_parse)( void *, mbedtls_ssl_session *, unsigned char *, size_t);
|
||||||
|
void *p_ticket; /*!< context for the ticket callbacks */
|
||||||
|
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
|
||||||
|
|
||||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||||
mbedtls_ssl_key_cert *key_cert; /*!< own certificate/key pair(s) */
|
mbedtls_ssl_key_cert *key_cert; /*!< own certificate/key pair(s) */
|
||||||
mbedtls_x509_crt *ca_chain; /*!< trusted CAs */
|
mbedtls_x509_crt *ca_chain; /*!< trusted CAs */
|
||||||
@ -870,10 +862,6 @@ typedef struct
|
|||||||
const char **alpn_list; /*!< ordered list of protocols */
|
const char **alpn_list; /*!< ordered list of protocols */
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
|
||||||
mbedtls_ssl_ticket_keys *ticket_keys; /*!< keys for ticket encryption */
|
|
||||||
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Numerical settings (int then char)
|
* Numerical settings (int then char)
|
||||||
*/
|
*/
|
||||||
@ -1334,6 +1322,76 @@ void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
|
|||||||
void (*f_set_timer)(void *, uint32_t int_ms, uint32_t fin_ms),
|
void (*f_set_timer)(void *, uint32_t int_ms, uint32_t fin_ms),
|
||||||
int (*f_get_timer)(void *) );
|
int (*f_get_timer)(void *) );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||||
|
/**
|
||||||
|
* \brief Callback type: generate and write session ticket
|
||||||
|
*
|
||||||
|
* \note This describes what a callback implementation should do.
|
||||||
|
* This callback should generate and encrypted and
|
||||||
|
* authenticated ticket for the session and write it to the
|
||||||
|
* output buffer. Here, ticket means the opaque ticket part
|
||||||
|
* of the NewSessionTicket structure of RFC 5077.
|
||||||
|
*
|
||||||
|
* \param p_ticket Context for the callback
|
||||||
|
* \param session SSL session to bo written in the ticket
|
||||||
|
* \param start Start of the outpur buffer
|
||||||
|
* \param end End of the output buffer
|
||||||
|
* \param tlen On exit, holds the length written
|
||||||
|
* \param lifetime On exit, holds the lifetime of the ticket in seconds
|
||||||
|
*
|
||||||
|
* \return 0 if successful, or
|
||||||
|
* a specific MBEDTLS_ERR_XXX code.
|
||||||
|
*/
|
||||||
|
typedef int mbedtls_ssl_ticket_write_t( void *p_ticket,
|
||||||
|
const mbedtls_ssl_session *session,
|
||||||
|
unsigned char *start,
|
||||||
|
const unsigned char *end,
|
||||||
|
size_t *tlen,
|
||||||
|
uint32_t *lifetime );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Callback type: parse and load session ticket
|
||||||
|
*
|
||||||
|
* \note This describes what a callback implementation should do.
|
||||||
|
* This callback should parse a session ticket as generated
|
||||||
|
* by the corresponding mbedtls_ssl_ticket_write_t function,
|
||||||
|
* and, if the ticket is authentic and valid, load the
|
||||||
|
* session.
|
||||||
|
*
|
||||||
|
* \note The implementation is allowed to modify the first len
|
||||||
|
* of the input buffer, eg to use it as a temporary area for
|
||||||
|
* the decrypted ticket contents.
|
||||||
|
*
|
||||||
|
* \param p_ticket Context for the callback
|
||||||
|
* \param session SSL session to be loaded
|
||||||
|
* \param buf Start of the buffer containing the ticket
|
||||||
|
* \param len Length of the ticket.
|
||||||
|
*
|
||||||
|
* \return 0 if successful, or
|
||||||
|
* MBEDTLS_ERR_SSL_INVALID_MAC if not authentic, or
|
||||||
|
* MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED if expired, or
|
||||||
|
* any other non-zero code for other failures.
|
||||||
|
*/
|
||||||
|
typedef int mbedtls_ssl_ticket_parse_t( void *p_ticket,
|
||||||
|
mbedtls_ssl_session *session,
|
||||||
|
unsigned char *buf,
|
||||||
|
size_t len );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Configure SSL session ticket callbacks
|
||||||
|
*
|
||||||
|
* \param conf SSL configuration context
|
||||||
|
* \param f_ticket_write Callback for writing a ticket
|
||||||
|
* \param f_ticket_parse Callback for parsing a ticket
|
||||||
|
* \param p_ticket Context shared by the two callbacks
|
||||||
|
*/
|
||||||
|
void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
|
||||||
|
mbedtls_ssl_ticket_write_t *f_ticket_write,
|
||||||
|
mbedtls_ssl_ticket_parse_t *f_ticket_parse,
|
||||||
|
void *p_ticket );
|
||||||
|
|
||||||
|
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
|
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
|
||||||
/**
|
/**
|
||||||
* \brief Set client's transport-level identification info.
|
* \brief Set client's transport-level identification info.
|
||||||
@ -2008,15 +2066,6 @@ void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split
|
|||||||
* or a specific error code (server only).
|
* or a specific error code (server only).
|
||||||
*/
|
*/
|
||||||
int mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets );
|
int mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets );
|
||||||
|
|
||||||
/**
|
|
||||||
* \brief Set session ticket lifetime (server only)
|
|
||||||
* (Default: MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME (86400 secs / 1 day))
|
|
||||||
*
|
|
||||||
* \param conf SSL configuration
|
|
||||||
* \param lifetime session ticket lifetime
|
|
||||||
*/
|
|
||||||
void mbedtls_ssl_conf_session_ticket_lifetime( mbedtls_ssl_config *conf, int lifetime );
|
|
||||||
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
|
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_RENEGOTIATION)
|
#if defined(MBEDTLS_SSL_RENEGOTIATION)
|
||||||
|
@ -30,19 +30,69 @@
|
|||||||
extern "C" {
|
extern "C" {
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* Temporary, WIP */
|
|
||||||
int mbedtls_ssl_ticket_write( void *p_ticket,
|
|
||||||
const mbedtls_ssl_session *session,
|
|
||||||
unsigned char *start,
|
|
||||||
const unsigned char *end,
|
|
||||||
size_t *tlen,
|
|
||||||
uint32_t *ticket_lifetime );
|
|
||||||
|
|
||||||
/* Temporary, WIP */
|
/**
|
||||||
int mbedtls_ssl_ticket_parse( void *p_ticket,
|
* \brief Context for session ticket handling functions
|
||||||
mbedtls_ssl_session *session,
|
*/
|
||||||
unsigned char *buf,
|
typedef struct
|
||||||
size_t len );
|
{
|
||||||
|
unsigned char key_name[16]; /*!< name to quickly reject bad tickets */
|
||||||
|
mbedtls_aes_context enc; /*!< encryption context */
|
||||||
|
mbedtls_aes_context dec; /*!< decryption context */
|
||||||
|
unsigned char mac_key[16]; /*!< authentication key */
|
||||||
|
|
||||||
|
uint32_t ticket_lifetime; /*!< lifetime of tickets in seconds */
|
||||||
|
|
||||||
|
/** Callback for getting (pseudo-)random numbers */
|
||||||
|
int (*f_rng)(void *, unsigned char *, size_t);
|
||||||
|
void *p_rng; /*!< context for the RNG function */
|
||||||
|
}
|
||||||
|
mbedtls_ssl_ticket_context;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Initialize a ticket context.
|
||||||
|
* (Just make it ready for mbedtls_ssl_ticket_setup()
|
||||||
|
* or mbedtls_ssl_ticket_free().)
|
||||||
|
*
|
||||||
|
* \param ctx Context to be initialized
|
||||||
|
*/
|
||||||
|
void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Prepare context to be actually used
|
||||||
|
*
|
||||||
|
* \param ctx Context to be set up
|
||||||
|
* \param f_rng RNG callback function
|
||||||
|
* \param p_rng RNG callback context
|
||||||
|
* \param lifetime Tickets lifetime in seconds
|
||||||
|
*
|
||||||
|
* \return 0 is successful,
|
||||||
|
* or a specific MBEDTLS_ERR_XXX error code
|
||||||
|
*/
|
||||||
|
int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
|
||||||
|
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
|
||||||
|
uint32_t lifetime );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Implementation of the ticket write callback
|
||||||
|
*
|
||||||
|
* \note See \c mbedlts_ssl_ticket_write_t for description
|
||||||
|
*/
|
||||||
|
mbedtls_ssl_ticket_write_t mbedtls_ssl_ticket_write;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Implementation of the ticket parse callback
|
||||||
|
*
|
||||||
|
* \note See \c mbedlts_ssl_ticket_parse_t for description
|
||||||
|
*/
|
||||||
|
mbedtls_ssl_ticket_parse_t mbedtls_ssl_ticket_parse;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Free a context's content and zeroize it.
|
||||||
|
*
|
||||||
|
* \param ctx Context to be cleaned up
|
||||||
|
*/
|
||||||
|
void mbedtls_ssl_ticket_free( mbedtls_ssl_ticket_context *ctx );
|
||||||
|
|
||||||
#ifdef __cplusplus
|
#ifdef __cplusplus
|
||||||
}
|
}
|
||||||
|
@ -413,8 +413,11 @@ static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
|
|||||||
int ret;
|
int ret;
|
||||||
mbedtls_ssl_session session;
|
mbedtls_ssl_session session;
|
||||||
|
|
||||||
if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
|
if( ssl->conf->f_ticket_parse == NULL ||
|
||||||
|
ssl->conf->f_ticket_write == NULL )
|
||||||
|
{
|
||||||
return( 0 );
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
/* Remember the client asked us to send a new ticket */
|
/* Remember the client asked us to send a new ticket */
|
||||||
ssl->handshake->new_session_ticket = 1;
|
ssl->handshake->new_session_ticket = 1;
|
||||||
@ -435,11 +438,18 @@ static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
|
|||||||
/*
|
/*
|
||||||
* Failures are ok: just ignore the ticket and proceed.
|
* Failures are ok: just ignore the ticket and proceed.
|
||||||
*/
|
*/
|
||||||
if( ( ret = mbedtls_ssl_ticket_parse( ssl->conf->ticket_keys, &session,
|
if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, &session,
|
||||||
buf, len ) ) != 0 )
|
buf, len ) ) != 0 )
|
||||||
{
|
{
|
||||||
mbedtls_ssl_session_free( &session );
|
mbedtls_ssl_session_free( &session );
|
||||||
|
|
||||||
|
if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
|
||||||
|
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) );
|
||||||
|
else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED )
|
||||||
|
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) );
|
||||||
|
else
|
||||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret );
|
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret );
|
||||||
|
|
||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -3525,7 +3535,7 @@ static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl )
|
|||||||
* 10 . 9+n ticket content
|
* 10 . 9+n ticket content
|
||||||
*/
|
*/
|
||||||
|
|
||||||
if( ( ret = mbedtls_ssl_ticket_write( ssl->conf->ticket_keys,
|
if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
|
||||||
ssl->session_negotiate,
|
ssl->session_negotiate,
|
||||||
ssl->out_msg + 10,
|
ssl->out_msg + 10,
|
||||||
ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN,
|
ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN,
|
||||||
|
@ -39,6 +39,56 @@
|
|||||||
|
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
|
|
||||||
|
/* Implementation that should never be optimized out by the compiler */
|
||||||
|
static void mbedtls_zeroize( void *v, size_t n ) {
|
||||||
|
volatile unsigned char *p = v; while( n-- ) *p++ = 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Initialze context
|
||||||
|
*/
|
||||||
|
void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx )
|
||||||
|
{
|
||||||
|
memset( ctx, 0, sizeof( mbedtls_ssl_ticket_context ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Setup context for actual use
|
||||||
|
*/
|
||||||
|
int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
|
||||||
|
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
|
||||||
|
uint32_t lifetime )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
unsigned char buf[16];
|
||||||
|
|
||||||
|
ctx->f_rng = f_rng;
|
||||||
|
ctx->p_rng = p_rng;
|
||||||
|
|
||||||
|
ctx->ticket_lifetime = lifetime;
|
||||||
|
|
||||||
|
mbedtls_aes_init( &ctx->enc );
|
||||||
|
mbedtls_aes_init( &ctx->dec );
|
||||||
|
|
||||||
|
if( ( ret = f_rng( p_rng, ctx->key_name, 16 ) != 0 ) ||
|
||||||
|
( ret = f_rng( p_rng, ctx->mac_key, 16 ) != 0 ) ||
|
||||||
|
( ret = f_rng( p_rng, buf, 16 ) != 0 ) )
|
||||||
|
{
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_aes_setkey_enc( &ctx->enc, buf, 128 ) ) != 0 ||
|
||||||
|
( ret = mbedtls_aes_setkey_dec( &ctx->dec, buf, 128 ) ) != 0 )
|
||||||
|
{
|
||||||
|
mbedtls_ssl_ticket_free( ctx );
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
mbedtls_zeroize( buf, sizeof( buf ) );
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Serialize a session in the following format:
|
* Serialize a session in the following format:
|
||||||
* 0 . n-1 session structure, n = sizeof(mbedtls_ssl_session)
|
* 0 . n-1 session structure, n = sizeof(mbedtls_ssl_session)
|
||||||
@ -170,7 +220,7 @@ int mbedtls_ssl_ticket_write( void *p_ticket,
|
|||||||
uint32_t *ticket_lifetime )
|
uint32_t *ticket_lifetime )
|
||||||
{
|
{
|
||||||
int ret;
|
int ret;
|
||||||
mbedtls_ssl_ticket_keys *ctx = p_ticket;
|
mbedtls_ssl_ticket_context *ctx = p_ticket;
|
||||||
unsigned char *p = start;
|
unsigned char *p = start;
|
||||||
unsigned char *state;
|
unsigned char *state;
|
||||||
unsigned char iv[16];
|
unsigned char iv[16];
|
||||||
@ -194,7 +244,8 @@ int mbedtls_ssl_ticket_write( void *p_ticket,
|
|||||||
p += 16;
|
p += 16;
|
||||||
|
|
||||||
/* Generate and write IV (with a copy for aes_crypt) */
|
/* Generate and write IV (with a copy for aes_crypt) */
|
||||||
memset( p, 0x2a, 16 ); /* Temporary WIP */
|
if( ( ret = ctx->f_rng( ctx->p_rng, p, 16 ) ) != 0 )
|
||||||
|
return( ret );
|
||||||
memcpy( iv, p, 16 );
|
memcpy( iv, p, 16 );
|
||||||
p += 16;
|
p += 16;
|
||||||
|
|
||||||
@ -244,7 +295,7 @@ int mbedtls_ssl_ticket_parse( void *p_ticket,
|
|||||||
size_t len )
|
size_t len )
|
||||||
{
|
{
|
||||||
int ret;
|
int ret;
|
||||||
mbedtls_ssl_ticket_keys *ctx = p_ticket;
|
mbedtls_ssl_ticket_context *ctx = p_ticket;
|
||||||
unsigned char *key_name = buf;
|
unsigned char *key_name = buf;
|
||||||
unsigned char *iv = buf + 16;
|
unsigned char *iv = buf + 16;
|
||||||
unsigned char *enc_len_p = iv + 16;
|
unsigned char *enc_len_p = iv + 16;
|
||||||
@ -317,4 +368,15 @@ int mbedtls_ssl_ticket_parse( void *p_ticket,
|
|||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Free context
|
||||||
|
*/
|
||||||
|
void mbedtls_ssl_ticket_free( mbedtls_ssl_ticket_context *ctx )
|
||||||
|
{
|
||||||
|
mbedtls_aes_free( &ctx->enc );
|
||||||
|
mbedtls_aes_free( &ctx->dec );
|
||||||
|
|
||||||
|
mbedtls_zeroize( ctx, sizeof( mbedtls_ssl_ticket_context ) );
|
||||||
|
}
|
||||||
|
|
||||||
#endif /* MBEDTLS_SSL_TICKET_C */
|
#endif /* MBEDTLS_SSL_TICKET_C */
|
||||||
|
@ -5146,56 +5146,6 @@ int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl )
|
|||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
|
||||||
static void ssl_ticket_keys_free( mbedtls_ssl_ticket_keys *tkeys )
|
|
||||||
{
|
|
||||||
mbedtls_aes_free( &tkeys->enc );
|
|
||||||
mbedtls_aes_free( &tkeys->dec );
|
|
||||||
|
|
||||||
mbedtls_zeroize( tkeys, sizeof(mbedtls_ssl_ticket_keys) );
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Allocate and initialize ticket keys
|
|
||||||
*/
|
|
||||||
static int ssl_ticket_keys_init( mbedtls_ssl_config *conf )
|
|
||||||
{
|
|
||||||
int ret;
|
|
||||||
mbedtls_ssl_ticket_keys *tkeys;
|
|
||||||
unsigned char buf[16];
|
|
||||||
|
|
||||||
if( conf->ticket_keys != NULL )
|
|
||||||
return( 0 );
|
|
||||||
|
|
||||||
tkeys = mbedtls_malloc( sizeof(mbedtls_ssl_ticket_keys) );
|
|
||||||
if( tkeys == NULL )
|
|
||||||
return( MBEDTLS_ERR_SSL_MALLOC_FAILED );
|
|
||||||
|
|
||||||
mbedtls_aes_init( &tkeys->enc );
|
|
||||||
mbedtls_aes_init( &tkeys->dec );
|
|
||||||
|
|
||||||
/* Temporary WIP! Using hardcoded keys. This is to remove the dependency
|
|
||||||
* on the RNG and allow puttint the keys in conf. Key generation will soon
|
|
||||||
* be move outside the main SSL module anyway. */
|
|
||||||
|
|
||||||
memset( tkeys->key_name, 'x', 16 );
|
|
||||||
memset( tkeys->mac_key, 0x2a, 16 );
|
|
||||||
memset( buf, 0x2a, 16 );
|
|
||||||
|
|
||||||
if( ( ret = mbedtls_aes_setkey_enc( &tkeys->enc, buf, 128 ) ) != 0 ||
|
|
||||||
( ret = mbedtls_aes_setkey_dec( &tkeys->dec, buf, 128 ) ) != 0 )
|
|
||||||
{
|
|
||||||
ssl_ticket_keys_free( tkeys );
|
|
||||||
mbedtls_free( tkeys );
|
|
||||||
return( ret );
|
|
||||||
}
|
|
||||||
|
|
||||||
conf->ticket_keys = tkeys;
|
|
||||||
|
|
||||||
return( 0 );
|
|
||||||
}
|
|
||||||
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* SSL set accessors
|
* SSL set accessors
|
||||||
*/
|
*/
|
||||||
@ -5691,20 +5641,17 @@ int mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets
|
|||||||
{
|
{
|
||||||
conf->session_tickets = use_tickets;
|
conf->session_tickets = use_tickets;
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_CLI_C)
|
|
||||||
if( conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
|
|
||||||
return( 0 );
|
return( 0 );
|
||||||
#endif
|
|
||||||
|
|
||||||
if( use_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
|
|
||||||
return( 0 );
|
|
||||||
|
|
||||||
return( ssl_ticket_keys_init( conf ) );
|
|
||||||
}
|
}
|
||||||
|
|
||||||
void mbedtls_ssl_conf_session_ticket_lifetime( mbedtls_ssl_config *conf, int lifetime )
|
void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
|
||||||
|
mbedtls_ssl_ticket_write_t *f_ticket_write,
|
||||||
|
mbedtls_ssl_ticket_parse_t *f_ticket_parse,
|
||||||
|
void *p_ticket )
|
||||||
{
|
{
|
||||||
conf->ticket_keys->ticket_lifetime = lifetime;
|
conf->f_ticket_write = f_ticket_write;
|
||||||
|
conf->f_ticket_parse = f_ticket_parse;
|
||||||
|
conf->p_ticket = p_ticket;
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
|
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
|
||||||
|
|
||||||
@ -6699,11 +6646,6 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
|
|||||||
conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED;
|
conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
|
||||||
ssl_ticket_keys_init( &conf );
|
|
||||||
conf->ticket_keys->ticket_lifetime = MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_SET_CURVES)
|
#if defined(MBEDTLS_SSL_SET_CURVES)
|
||||||
conf->curve_list = mbedtls_ecp_grp_id_list( );
|
conf->curve_list = mbedtls_ecp_grp_id_list( );
|
||||||
#endif
|
#endif
|
||||||
@ -6765,14 +6707,6 @@ void mbedtls_ssl_config_free( mbedtls_ssl_config *conf )
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
|
||||||
if( conf->ticket_keys )
|
|
||||||
{
|
|
||||||
ssl_ticket_keys_free( conf->ticket_keys );
|
|
||||||
mbedtls_free( conf->ticket_keys );
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||||
ssl_key_cert_free( conf->key_cert );
|
ssl_key_cert_free( conf->key_cert );
|
||||||
#endif
|
#endif
|
||||||
|
@ -69,6 +69,10 @@ int main( void )
|
|||||||
#include "mbedtls/ssl_cache.h"
|
#include "mbedtls/ssl_cache.h"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_TICKET_C)
|
||||||
|
#include "mbedtls/ssl_ticket.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_COOKIE_C)
|
#if defined(MBEDTLS_SSL_COOKIE_C)
|
||||||
#include "mbedtls/ssl_cookie.h"
|
#include "mbedtls/ssl_cookie.h"
|
||||||
#endif
|
#endif
|
||||||
@ -114,7 +118,7 @@ int main( void )
|
|||||||
#define DFL_MFL_CODE MBEDTLS_SSL_MAX_FRAG_LEN_NONE
|
#define DFL_MFL_CODE MBEDTLS_SSL_MAX_FRAG_LEN_NONE
|
||||||
#define DFL_TRUNC_HMAC -1
|
#define DFL_TRUNC_HMAC -1
|
||||||
#define DFL_TICKETS MBEDTLS_SSL_SESSION_TICKETS_ENABLED
|
#define DFL_TICKETS MBEDTLS_SSL_SESSION_TICKETS_ENABLED
|
||||||
#define DFL_TICKET_TIMEOUT -1
|
#define DFL_TICKET_TIMEOUT 86400
|
||||||
#define DFL_CACHE_MAX -1
|
#define DFL_CACHE_MAX -1
|
||||||
#define DFL_CACHE_TIMEOUT -1
|
#define DFL_CACHE_TIMEOUT -1
|
||||||
#define DFL_SNI NULL
|
#define DFL_SNI NULL
|
||||||
@ -190,7 +194,7 @@ int main( void )
|
|||||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||||
#define USAGE_TICKETS \
|
#define USAGE_TICKETS \
|
||||||
" tickets=%%d default: 1 (enabled)\n" \
|
" tickets=%%d default: 1 (enabled)\n" \
|
||||||
" ticket_timeout=%%d default: ticket default (1d)\n"
|
" ticket_timeout=%%d default: 86400 (one day)\n"
|
||||||
#else
|
#else
|
||||||
#define USAGE_TICKETS ""
|
#define USAGE_TICKETS ""
|
||||||
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
|
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
|
||||||
@ -740,6 +744,9 @@ int main( int argc, char *argv[] )
|
|||||||
#if defined(MBEDTLS_SSL_CACHE_C)
|
#if defined(MBEDTLS_SSL_CACHE_C)
|
||||||
mbedtls_ssl_cache_context cache;
|
mbedtls_ssl_cache_context cache;
|
||||||
#endif
|
#endif
|
||||||
|
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||||
|
mbedtls_ssl_ticket_context ticket_ctx;
|
||||||
|
#endif
|
||||||
#if defined(SNI_OPTION)
|
#if defined(SNI_OPTION)
|
||||||
sni_entry *sni_info = NULL;
|
sni_entry *sni_info = NULL;
|
||||||
#endif
|
#endif
|
||||||
@ -778,6 +785,9 @@ int main( int argc, char *argv[] )
|
|||||||
#if defined(MBEDTLS_SSL_CACHE_C)
|
#if defined(MBEDTLS_SSL_CACHE_C)
|
||||||
mbedtls_ssl_cache_init( &cache );
|
mbedtls_ssl_cache_init( &cache );
|
||||||
#endif
|
#endif
|
||||||
|
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||||
|
mbedtls_ssl_ticket_init( &ticket_ctx );
|
||||||
|
#endif
|
||||||
#if defined(MBEDTLS_SSL_ALPN)
|
#if defined(MBEDTLS_SSL_ALPN)
|
||||||
memset( (void *) alpn_list, 0, sizeof( alpn_list ) );
|
memset( (void *) alpn_list, 0, sizeof( alpn_list ) );
|
||||||
#endif
|
#endif
|
||||||
@ -1584,14 +1594,21 @@ int main( int argc, char *argv[] )
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||||
if( ( ret = mbedtls_ssl_conf_session_tickets( &conf, opt.tickets ) ) != 0 )
|
if( opt.tickets == MBEDTLS_SSL_SESSION_TICKETS_ENABLED )
|
||||||
{
|
{
|
||||||
mbedtls_printf( " failed\n ! mbedtls_ssl_conf_session_tickets returned %d\n\n", ret );
|
if( ( ret = mbedtls_ssl_ticket_setup( &ticket_ctx,
|
||||||
|
mbedtls_ctr_drbg_random, &ctr_drbg,
|
||||||
|
opt.ticket_timeout ) ) != 0 )
|
||||||
|
{
|
||||||
|
mbedtls_printf( " failed\n ! mbedtls_ssl_ticket_setup returned %d\n\n", ret );
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
if( opt.ticket_timeout != -1 )
|
mbedtls_ssl_conf_session_tickets_cb( &conf,
|
||||||
mbedtls_ssl_conf_session_ticket_lifetime( &conf, opt.ticket_timeout );
|
mbedtls_ssl_ticket_write,
|
||||||
|
mbedtls_ssl_ticket_parse,
|
||||||
|
&ticket_ctx );
|
||||||
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
||||||
@ -2203,6 +2220,9 @@ exit:
|
|||||||
#if defined(MBEDTLS_SSL_CACHE_C)
|
#if defined(MBEDTLS_SSL_CACHE_C)
|
||||||
mbedtls_ssl_cache_free( &cache );
|
mbedtls_ssl_cache_free( &cache );
|
||||||
#endif
|
#endif
|
||||||
|
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||||
|
mbedtls_ssl_ticket_free( &ticket_ctx );
|
||||||
|
#endif
|
||||||
#if defined(MBEDTLS_SSL_COOKIE_C)
|
#if defined(MBEDTLS_SSL_COOKIE_C)
|
||||||
mbedtls_ssl_cookie_free( &cookie_ctx );
|
mbedtls_ssl_cookie_free( &cookie_ctx );
|
||||||
#endif
|
#endif
|
||||||
|
Loading…
Reference in New Issue
Block a user