Commit bef8f098 authored by Manuel Pégourié-Gonnard's avatar Manuel Pégourié-Gonnard Committed by Paul Bakker
Browse files

Make cookie timeout configurable

parent e9030817
......@@ -2201,6 +2201,7 @@
//#define SSL_MAX_CONTENT_LEN 16384 /**< Size of the input / output buffer */
//#define SSL_DEFAULT_TICKET_LIFETIME 86400 /**< Lifetime of session tickets (if enabled) */
//#define POLARSSL_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */
//#define POLARSSL_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
/**
* Complete list of ciphersuites to use, in order of preference.
......
......@@ -36,6 +36,9 @@
* Either change them in config.h or define them on the compiler command line.
* \{
*/
#ifndef POLARSSL_SSL_COOKIE_TIMEOUT
#define POLARSSL_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
#endif
/* \} name SECTION: Module settings */
......@@ -48,10 +51,13 @@ extern "C" {
*/
typedef struct
{
md_context_t hmac_ctx; /*!< context for the HMAC portion */
md_context_t hmac_ctx; /*!< context for the HMAC portion */
#if !defined(POLARSSL_HAVE_TIME)
unsigned long serial; /*!< serial number for expiration */
unsigned long serial; /*!< serial number for expiration */
#endif
unsigned long timeout; /*!< timeout delay, in seconds if HAVE_TIME,
or in number of tickets issued */
} ssl_cookie_ctx;
/**
......@@ -66,6 +72,17 @@ int ssl_cookie_setup( ssl_cookie_ctx *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng );
/**
* \brief Set expiration delay for cookies
* (Default POLARSSL_SSL_COOKIE_TIMEOUT)
*
* \param ctx Cookie contex
* \param delay Delay, in seconds if HAVE_TIME, or in number of cookies
* issued in the meantime.
* 0 to disable expiration (NOT recommended)
*/
void ssl_cookie_set_timeout( ssl_cookie_ctx *ctx, unsigned long delay );
/**
* \brief Free cookie context
*/
......
......@@ -76,14 +76,18 @@ static void polarssl_zeroize( void *v, size_t n ) {
*/
#define COOKIE_LEN ( 4 + COOKIE_HMAC_LEN )
#define COOKIE_TIMEOUT 60
void ssl_cookie_init( ssl_cookie_ctx *ctx )
{
md_init( &ctx->hmac_ctx );
#if !defined(POLARSSL_HAVE_TIME)
ctx->serial = 0;
#endif
ctx->timeout = POLARSSL_SSL_COOKIE_TIMEOUT;
}
void ssl_cookie_set_timeout( ssl_cookie_ctx *ctx, unsigned long delay )
{
ctx->timeout = delay;
}
void ssl_cookie_free( ssl_cookie_ctx *ctx )
......@@ -211,7 +215,7 @@ int ssl_cookie_check( void *p_ctx,
( (unsigned long) cookie[2] << 8 ) |
( (unsigned long) cookie[3] );
if( cur_time - cookie_time > COOKIE_TIMEOUT )
if( ctx->timeout != 0 && cur_time - cookie_time > ctx->timeout )
return( -1 );
return( 0 );
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment