eden-emu/mbedtls
15
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Move to callback for session tickets

Browse source
This commit is contained in:
Manuel Pégourié-Gonnard 2015-05-19 15:28:00 +02:00
parent 2ff873c0fa
commit d59675d92c
6 changed files with 257 additions and 132 deletions
Download patch file Download diff file Expand all files Collapse all files

20
library/ssl_srv.c
View file

@ -413,8 +413,11 @@ static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
int ret;
mbedtls_ssl_session session;
if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
if( ssl->conf->f_ticket_parse == NULL ||
ssl->conf->f_ticket_write == NULL )
{
return( 0 );
}
/* Remember the client asked us to send a new ticket */
ssl->handshake->new_session_ticket = 1;
@ -435,11 +438,18 @@ static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
/*
* Failures are ok: just ignore the ticket and proceed.
*/
if( ( ret = mbedtls_ssl_ticket_parse( ssl->conf->ticket_keys, &session,
buf, len ) ) != 0 )
if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, &session,
buf, len ) ) != 0 )
{
mbedtls_ssl_session_free( &session );
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret );
if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) );
else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED )
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) );
else
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret );
return( 0 );
}
@ -3525,7 +3535,7 @@ static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl )
* 10 . 9+n ticket content
*/
if( ( ret = mbedtls_ssl_ticket_write( ssl->conf->ticket_keys,
if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
ssl->session_negotiate,
ssl->out_msg + 10,
ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN,

68
library/ssl_ticket.c
View file

@ -39,6 +39,56 @@
#include <string.h>
/* Implementation that should never be optimized out by the compiler */
static void mbedtls_zeroize( void *v, size_t n ) {
volatile unsigned char *p = v; while( n-- ) *p++ = 0;
}
/*
* Initialze context
*/
void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx )
{
memset( ctx, 0, sizeof( mbedtls_ssl_ticket_context ) );
}
/*
* Setup context for actual use
*/
int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
uint32_t lifetime )
{
int ret;
unsigned char buf[16];
ctx->f_rng = f_rng;
ctx->p_rng = p_rng;
ctx->ticket_lifetime = lifetime;
mbedtls_aes_init( &ctx->enc );
mbedtls_aes_init( &ctx->dec );
if( ( ret = f_rng( p_rng, ctx->key_name, 16 ) != 0 ) ||
( ret = f_rng( p_rng, ctx->mac_key, 16 ) != 0 ) ||
( ret = f_rng( p_rng, buf, 16 ) != 0 ) )
{
return( ret );
}
if( ( ret = mbedtls_aes_setkey_enc( &ctx->enc, buf, 128 ) ) != 0 ||
( ret = mbedtls_aes_setkey_dec( &ctx->dec, buf, 128 ) ) != 0 )
{
mbedtls_ssl_ticket_free( ctx );
return( ret );
}
mbedtls_zeroize( buf, sizeof( buf ) );
return( 0 );
}
/*
* Serialize a session in the following format:
* 0 . n-1 session structure, n = sizeof(mbedtls_ssl_session)
@ -170,7 +220,7 @@ int mbedtls_ssl_ticket_write( void *p_ticket,
uint32_t *ticket_lifetime )
{
int ret;
mbedtls_ssl_ticket_keys *ctx = p_ticket;
mbedtls_ssl_ticket_context *ctx = p_ticket;
unsigned char *p = start;
unsigned char *state;
unsigned char iv[16];
@ -194,7 +244,8 @@ int mbedtls_ssl_ticket_write( void *p_ticket,
p += 16;
/* Generate and write IV (with a copy for aes_crypt) */
memset( p, 0x2a, 16 ); /* Temporary WIP */
if( ( ret = ctx->f_rng( ctx->p_rng, p, 16 ) ) != 0 )
return( ret );
memcpy( iv, p, 16 );
p += 16;
@ -244,7 +295,7 @@ int mbedtls_ssl_ticket_parse( void *p_ticket,
size_t len )
{
int ret;
mbedtls_ssl_ticket_keys *ctx = p_ticket;
mbedtls_ssl_ticket_context *ctx = p_ticket;
unsigned char *key_name = buf;
unsigned char *iv = buf + 16;
unsigned char *enc_len_p = iv + 16;
@ -317,4 +368,15 @@ int mbedtls_ssl_ticket_parse( void *p_ticket,
return( 0 );
}
/*
* Free context
*/
void mbedtls_ssl_ticket_free( mbedtls_ssl_ticket_context *ctx )
{
mbedtls_aes_free( &ctx->enc );
mbedtls_aes_free( &ctx->dec );
mbedtls_zeroize( ctx, sizeof( mbedtls_ssl_ticket_context ) );
}
#endif /* MBEDTLS_SSL_TICKET_C */

82
library/ssl_tls.c
View file

@ -5146,56 +5146,6 @@ int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl )
return( 0 );
}
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
static void ssl_ticket_keys_free( mbedtls_ssl_ticket_keys *tkeys )
{
mbedtls_aes_free( &tkeys->enc );
mbedtls_aes_free( &tkeys->dec );
mbedtls_zeroize( tkeys, sizeof(mbedtls_ssl_ticket_keys) );
}
/*
* Allocate and initialize ticket keys
*/
static int ssl_ticket_keys_init( mbedtls_ssl_config *conf )
{
int ret;
mbedtls_ssl_ticket_keys *tkeys;
unsigned char buf[16];
if( conf->ticket_keys != NULL )
return( 0 );
tkeys = mbedtls_malloc( sizeof(mbedtls_ssl_ticket_keys) );
if( tkeys == NULL )
return( MBEDTLS_ERR_SSL_MALLOC_FAILED );
mbedtls_aes_init( &tkeys->enc );
mbedtls_aes_init( &tkeys->dec );
/* Temporary WIP! Using hardcoded keys. This is to remove the dependency
* on the RNG and allow puttint the keys in conf. Key generation will soon
* be move outside the main SSL module anyway. */
memset( tkeys->key_name, 'x', 16 );
memset( tkeys->mac_key, 0x2a, 16 );
memset( buf, 0x2a, 16 );
if( ( ret = mbedtls_aes_setkey_enc( &tkeys->enc, buf, 128 ) ) != 0 ||
( ret = mbedtls_aes_setkey_dec( &tkeys->dec, buf, 128 ) ) != 0 )
{
ssl_ticket_keys_free( tkeys );
mbedtls_free( tkeys );
return( ret );
}
conf->ticket_keys = tkeys;
return( 0 );
}
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
/*
* SSL set accessors
*/
@ -5691,20 +5641,17 @@ int mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets
{
conf->session_tickets = use_tickets;
#if defined(MBEDTLS_SSL_CLI_C)
if( conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
return( 0 );
#endif
if( use_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
return( 0 );
return( ssl_ticket_keys_init( conf ) );
return( 0 );
}
void mbedtls_ssl_conf_session_ticket_lifetime( mbedtls_ssl_config *conf, int lifetime )
void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
mbedtls_ssl_ticket_write_t *f_ticket_write,
mbedtls_ssl_ticket_parse_t *f_ticket_parse,
void *p_ticket )
{
conf->ticket_keys->ticket_lifetime = lifetime;
conf->f_ticket_write = f_ticket_write;
conf->f_ticket_parse = f_ticket_parse;
conf->p_ticket = p_ticket;
}
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
@ -6699,11 +6646,6 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED;
#endif
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
ssl_ticket_keys_init( &conf );
conf->ticket_keys->ticket_lifetime = MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME;
#endif
#if defined(MBEDTLS_SSL_SET_CURVES)
conf->curve_list = mbedtls_ecp_grp_id_list( );
#endif
@ -6765,14 +6707,6 @@ void mbedtls_ssl_config_free( mbedtls_ssl_config *conf )
}
#endif
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
if( conf->ticket_keys )
{
ssl_ticket_keys_free( conf->ticket_keys );
mbedtls_free( conf->ticket_keys );
}
#endif
#if defined(MBEDTLS_X509_CRT_PARSE_C)
ssl_key_cert_free( conf->key_cert );
#endif