Commit bef8f098 authored by Manuel Pégourié-Gonnard's avatar Manuel Pégourié-Gonnard Committed by Paul Bakker
Browse files

Make cookie timeout configurable

parent e9030817
...@@ -2201,6 +2201,7 @@ ...@@ -2201,6 +2201,7 @@
//#define SSL_MAX_CONTENT_LEN 16384 /**< Size of the input / output buffer */ //#define SSL_MAX_CONTENT_LEN 16384 /**< Size of the input / output buffer */
//#define SSL_DEFAULT_TICKET_LIFETIME 86400 /**< Lifetime of session tickets (if enabled) */ //#define SSL_DEFAULT_TICKET_LIFETIME 86400 /**< Lifetime of session tickets (if enabled) */
//#define POLARSSL_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */ //#define POLARSSL_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */
//#define POLARSSL_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
/** /**
* Complete list of ciphersuites to use, in order of preference. * Complete list of ciphersuites to use, in order of preference.
......
...@@ -36,6 +36,9 @@ ...@@ -36,6 +36,9 @@
* Either change them in config.h or define them on the compiler command line. * Either change them in config.h or define them on the compiler command line.
* \{ * \{
*/ */
#ifndef POLARSSL_SSL_COOKIE_TIMEOUT
#define POLARSSL_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
#endif
/* \} name SECTION: Module settings */ /* \} name SECTION: Module settings */
...@@ -48,10 +51,13 @@ extern "C" { ...@@ -48,10 +51,13 @@ extern "C" {
*/ */
typedef struct typedef struct
{ {
md_context_t hmac_ctx; /*!< context for the HMAC portion */ md_context_t hmac_ctx; /*!< context for the HMAC portion */
#if !defined(POLARSSL_HAVE_TIME) #if !defined(POLARSSL_HAVE_TIME)
unsigned long serial; /*!< serial number for expiration */ unsigned long serial; /*!< serial number for expiration */
#endif #endif
unsigned long timeout; /*!< timeout delay, in seconds if HAVE_TIME,
or in number of tickets issued */
} ssl_cookie_ctx; } ssl_cookie_ctx;
/** /**
...@@ -66,6 +72,17 @@ int ssl_cookie_setup( ssl_cookie_ctx *ctx, ...@@ -66,6 +72,17 @@ int ssl_cookie_setup( ssl_cookie_ctx *ctx,
int (*f_rng)(void *, unsigned char *, size_t), int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng ); void *p_rng );
/**
* \brief Set expiration delay for cookies
* (Default POLARSSL_SSL_COOKIE_TIMEOUT)
*
* \param ctx Cookie contex
* \param delay Delay, in seconds if HAVE_TIME, or in number of cookies
* issued in the meantime.
* 0 to disable expiration (NOT recommended)
*/
void ssl_cookie_set_timeout( ssl_cookie_ctx *ctx, unsigned long delay );
/** /**
* \brief Free cookie context * \brief Free cookie context
*/ */
......
...@@ -76,14 +76,18 @@ static void polarssl_zeroize( void *v, size_t n ) { ...@@ -76,14 +76,18 @@ static void polarssl_zeroize( void *v, size_t n ) {
*/ */
#define COOKIE_LEN ( 4 + COOKIE_HMAC_LEN ) #define COOKIE_LEN ( 4 + COOKIE_HMAC_LEN )
#define COOKIE_TIMEOUT 60
void ssl_cookie_init( ssl_cookie_ctx *ctx ) void ssl_cookie_init( ssl_cookie_ctx *ctx )
{ {
md_init( &ctx->hmac_ctx ); md_init( &ctx->hmac_ctx );
#if !defined(POLARSSL_HAVE_TIME) #if !defined(POLARSSL_HAVE_TIME)
ctx->serial = 0; ctx->serial = 0;
#endif #endif
ctx->timeout = POLARSSL_SSL_COOKIE_TIMEOUT;
}
void ssl_cookie_set_timeout( ssl_cookie_ctx *ctx, unsigned long delay )
{
ctx->timeout = delay;
} }
void ssl_cookie_free( ssl_cookie_ctx *ctx ) void ssl_cookie_free( ssl_cookie_ctx *ctx )
...@@ -211,7 +215,7 @@ int ssl_cookie_check( void *p_ctx, ...@@ -211,7 +215,7 @@ int ssl_cookie_check( void *p_ctx,
( (unsigned long) cookie[2] << 8 ) | ( (unsigned long) cookie[2] << 8 ) |
( (unsigned long) cookie[3] ); ( (unsigned long) cookie[3] );
if( cur_time - cookie_time > COOKIE_TIMEOUT ) if( ctx->timeout != 0 && cur_time - cookie_time > ctx->timeout )
return( -1 ); return( -1 );
return( 0 ); return( 0 );
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment