Make cipher used in ssl tickets configurable

parent 1041a393
...@@ -70,13 +70,20 @@ void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx ); ...@@ -70,13 +70,20 @@ void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx );
* \param ctx Context to be set up * \param ctx Context to be set up
* \param f_rng RNG callback function * \param f_rng RNG callback function
* \param p_rng RNG callback context * \param p_rng RNG callback context
* \param cipher AEAD cipher to use for ticket protection, eg
* MBEDTLS_CIPHER_AES_256_GCM or MBEDTLS_CIPHER_AES_256_CCM.
* \param lifetime Tickets lifetime in seconds * \param lifetime Tickets lifetime in seconds
* *
* \note It is highly recommended to select a cipher that is at
* least as strong as the the strongest ciphersuite
* supported. Usually that means a 256-bit key.
*
* \return 0 is successful, * \return 0 is successful,
* or a specific MBEDTLS_ERR_XXX error code * or a specific MBEDTLS_ERR_XXX error code
*/ */
int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx, int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
mbedtls_cipher_type_t cipher,
uint32_t lifetime ); uint32_t lifetime );
/** /**
......
...@@ -61,10 +61,13 @@ void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx ) ...@@ -61,10 +61,13 @@ void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx )
*/ */
int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx, int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
mbedtls_cipher_type_t cipher,
uint32_t lifetime ) uint32_t lifetime )
{ {
int ret; int ret;
unsigned char buf[32]; unsigned char buf[32];
mbedtls_cipher_mode_t mode;
size_t key_bits;
ctx->f_rng = f_rng; ctx->f_rng = f_rng;
ctx->p_rng = p_rng; ctx->p_rng = p_rng;
...@@ -72,19 +75,32 @@ int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx, ...@@ -72,19 +75,32 @@ int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
ctx->ticket_lifetime = lifetime; ctx->ticket_lifetime = lifetime;
if( ( ret = mbedtls_cipher_setup( &ctx->cipher, if( ( ret = mbedtls_cipher_setup( &ctx->cipher,
mbedtls_cipher_info_from_type( mbedtls_cipher_info_from_type( cipher) ) ) != 0 )
MBEDTLS_CIPHER_AES_256_GCM ) ) ) != 0 )
{ {
goto cleanup; goto cleanup;
} }
mode = mbedtls_cipher_get_cipher_mode( &ctx->cipher );
if( mode != MBEDTLS_MODE_GCM && mode != MBEDTLS_MODE_CCM )
{
ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
goto cleanup;
}
key_bits = mbedtls_cipher_get_key_size( &ctx->cipher );
if( key_bits > 8 * sizeof( buf ) )
{
ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
goto cleanup;
}
if( ( ret = f_rng( p_rng, buf, sizeof( buf ) ) != 0 ) ) if( ( ret = f_rng( p_rng, buf, sizeof( buf ) ) != 0 ) )
{ {
goto cleanup; goto cleanup;
} }
/* With GCM and CCM, same context can encrypt & decrypt */ /* With GCM and CCM, same context can encrypt & decrypt */
if( ( ret = mbedtls_cipher_setkey( &ctx->cipher, buf, 256, if( ( ret = mbedtls_cipher_setkey( &ctx->cipher, buf, key_bits,
MBEDTLS_ENCRYPT ) ) != 0 ) MBEDTLS_ENCRYPT ) ) != 0 )
{ {
goto cleanup; goto cleanup;
......
...@@ -1598,6 +1598,7 @@ int main( int argc, char *argv[] ) ...@@ -1598,6 +1598,7 @@ int main( int argc, char *argv[] )
{ {
if( ( ret = mbedtls_ssl_ticket_setup( &ticket_ctx, if( ( ret = mbedtls_ssl_ticket_setup( &ticket_ctx,
mbedtls_ctr_drbg_random, &ctr_drbg, mbedtls_ctr_drbg_random, &ctr_drbg,
MBEDTLS_CIPHER_AES_256_GCM,
opt.ticket_timeout ) ) != 0 ) opt.ticket_timeout ) ) != 0 )
{ {
mbedtls_printf( " failed\n ! mbedtls_ssl_ticket_setup returned %d\n\n", ret ); mbedtls_printf( " failed\n ! mbedtls_ssl_ticket_setup returned %d\n\n", ret );
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment