diff options
| author | claudio <> | 2017-01-24 01:48:05 +0000 |
|---|---|---|
| committer | claudio <> | 2017-01-24 01:48:05 +0000 |
| commit | d78c389be49cfb5c1e450de1ffe9b19331871124 (patch) | |
| tree | df70a1321916b965fd5fe88a72940612ae3642f4 /src/lib/libtls/tls.h | |
| parent | 2367558cf5d952b4f895457cfb15046d05a01529 (diff) | |
| download | openbsd-d78c389be49cfb5c1e450de1ffe9b19331871124.tar.gz openbsd-d78c389be49cfb5c1e450de1ffe9b19331871124.tar.bz2 openbsd-d78c389be49cfb5c1e450de1ffe9b19331871124.zip | |
Introduce ticket support. To enable them it is enough to set a positive
lifetime with tls_config_set_session_lifetime(). This enables tickets
and uses an internal automatic rekeying mode for the ticket keys.
If multiple processes are involved the following functions can be used to make
tickets work accross all instances:
- tls_config_set_session_id() sets the session identifier
- tls_config_add_ticket_key() adds an encryption and authentication key
For now only the last 4 keys added will be used (unless they are too old).
If tls_config_add_ticket_key() is used the caller must ensure to add new keys
regularly. It is best to do this 4 times per session lifetime (which is also
the ticket key lifetime).
Since tickets break PFS it is best to minimize the session lifetime according
to needs.
With a lot of help, input and OK beck@, jsing@
Diffstat (limited to 'src/lib/libtls/tls.h')
| -rw-r--r-- | src/lib/libtls/tls.h | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h index 645204a170..25d7c258e7 100644 --- a/src/lib/libtls/tls.h +++ b/src/lib/libtls/tls.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls.h,v 1.44 2017/01/22 03:59:30 jsing Exp $ */ | 1 | /* $OpenBSD: tls.h,v 1.45 2017/01/24 01:48:05 claudio Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -66,6 +66,9 @@ extern "C" { | |||
| 66 | #define TLS_CRL_REASON_PRIVILEGE_WITHDRAWN 9 | 66 | #define TLS_CRL_REASON_PRIVILEGE_WITHDRAWN 9 |
| 67 | #define TLS_CRL_REASON_AA_COMPROMISE 10 | 67 | #define TLS_CRL_REASON_AA_COMPROMISE 10 |
| 68 | 68 | ||
| 69 | #define TLS_MAX_SESSION_ID_LENGTH 32 | ||
| 70 | #define TLS_TICKET_KEY_SIZE 48 | ||
| 71 | |||
| 69 | struct tls; | 72 | struct tls; |
| 70 | struct tls_config; | 73 | struct tls_config; |
| 71 | 74 | ||
| @@ -128,6 +131,12 @@ void tls_config_verify_client_optional(struct tls_config *_config); | |||
| 128 | void tls_config_clear_keys(struct tls_config *_config); | 131 | void tls_config_clear_keys(struct tls_config *_config); |
| 129 | int tls_config_parse_protocols(uint32_t *_protocols, const char *_protostr); | 132 | int tls_config_parse_protocols(uint32_t *_protocols, const char *_protostr); |
| 130 | 133 | ||
| 134 | int tls_config_set_session_id(struct tls_config *_config, | ||
| 135 | const unsigned char *_session_id, size_t _len); | ||
| 136 | int tls_config_set_session_lifetime(struct tls_config *_config, int _lifetime); | ||
| 137 | int tls_config_add_ticket_key(struct tls_config *_config, uint32_t _keyrev, | ||
| 138 | unsigned char *_key, size_t _keylen); | ||
| 139 | |||
| 131 | struct tls *tls_client(void); | 140 | struct tls *tls_client(void); |
| 132 | struct tls *tls_server(void); | 141 | struct tls *tls_server(void); |
| 133 | int tls_configure(struct tls *_ctx, struct tls_config *_config); | 142 | int tls_configure(struct tls *_ctx, struct tls_config *_config); |