Make cipher used in ssl tickets configurable

parent 1041a393
......@@ -70,13 +70,20 @@ void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx );
* \param ctx Context to be set up
* \param f_rng RNG callback function
* \param p_rng RNG callback context
* \param cipher AEAD cipher to use for ticket protection, eg
* MBEDTLS_CIPHER_AES_256_GCM or MBEDTLS_CIPHER_AES_256_CCM.
* \param lifetime Tickets lifetime in seconds
*
* \note It is highly recommended to select a cipher that is at
* least as strong as the the strongest ciphersuite
* supported. Usually that means a 256-bit key.
*
* \return 0 is successful,
* or a specific MBEDTLS_ERR_XXX error code
*/
int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
mbedtls_cipher_type_t cipher,
uint32_t lifetime );
/**
......
......@@ -61,10 +61,13 @@ void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx )
*/
int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
mbedtls_cipher_type_t cipher,
uint32_t lifetime )
{
int ret;
unsigned char buf[32];
mbedtls_cipher_mode_t mode;
size_t key_bits;
ctx->f_rng = f_rng;
ctx->p_rng = p_rng;
......@@ -72,19 +75,32 @@ int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
ctx->ticket_lifetime = lifetime;
if( ( ret = mbedtls_cipher_setup( &ctx->cipher,
mbedtls_cipher_info_from_type(
MBEDTLS_CIPHER_AES_256_GCM ) ) ) != 0 )
mbedtls_cipher_info_from_type( cipher) ) ) != 0 )
{
goto cleanup;
}
mode = mbedtls_cipher_get_cipher_mode( &ctx->cipher );
if( mode != MBEDTLS_MODE_GCM && mode != MBEDTLS_MODE_CCM )
{
ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
goto cleanup;
}
key_bits = mbedtls_cipher_get_key_size( &ctx->cipher );
if( key_bits > 8 * sizeof( buf ) )
{
ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
goto cleanup;
}
if( ( ret = f_rng( p_rng, buf, sizeof( buf ) ) != 0 ) )
{
goto cleanup;
}
/* With GCM and CCM, same context can encrypt & decrypt */
if( ( ret = mbedtls_cipher_setkey( &ctx->cipher, buf, 256,
if( ( ret = mbedtls_cipher_setkey( &ctx->cipher, buf, key_bits,
MBEDTLS_ENCRYPT ) ) != 0 )
{
goto cleanup;
......
......@@ -1598,6 +1598,7 @@ int main( int argc, char *argv[] )
{
if( ( ret = mbedtls_ssl_ticket_setup( &ticket_ctx,
mbedtls_ctr_drbg_random, &ctr_drbg,
MBEDTLS_CIPHER_AES_256_GCM,
opt.ticket_timeout ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_ticket_setup returned %d\n\n", ret );
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment