authorclaudio <>2017-01-24 01:48:05 +0000
committerclaudio <>2017-01-24 01:48:05 +0000
commitd78c389be49cfb5c1e450de1ffe9b19331871124 (patch)
treedf70a1321916b965fd5fe88a72940612ae3642f4 /src/lib/libtls/tls.h
parent2367558cf5d952b4f895457cfb15046d05a01529 (diff)
Introduce ticket support. To enable them it is enough to set a positive
lifetime with tls_config_set_session_lifetime(). This enables tickets and uses an internal automatic rekeying mode for the ticket keys. If multiple processes are involved the following functions can be used to make tickets work across all instances: - tls_config_set_session_id() sets the session identifier - tls_config_add_ticket_key() adds an encryption and authentication key For now only the last 4 keys added will be used (unless they are too old). If tls_config_add_ticket_key() is used the caller must ensure to add new keys regularly. It is best to do this 4 times per session lifetime (which is also the ticket key lifetime). Since tickets break PFS it is best to minimize the session lifetime according to needs. With a lot of help, input and OK beck@, jsing@
Diffstat (limited to 'src/lib/libtls/tls.h')
-rw-r--r--src/lib/libtls/tls.h11
1 files changed, 10 insertions, 1 deletions
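diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index 645204a170..25d7c258e7 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.44 2017/01/22 03:59:30 jsing Exp $ */
+/* $OpenBSD: tls.h,v 1.45 2017/01/24 01:48:05 claudio Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -66,6 +66,9 @@ extern "C" {
 #define TLS_CRL_REASON_PRIVILEGE_WITHDRAWN 9
 #define TLS_CRL_REASON_AA_COMPROMISE 10
 
+#define TLS_MAX_SESSION_ID_LENGTH 32
+#define TLS_TICKET_KEY_SIZE 48
+
 struct tls;
 struct tls_config;
 
@@ -128,6 +131,12 @@ void tls_config_verify_client_optional(struct tls_config *_config);
 void tls_config_clear_keys(struct tls_config *_config);
 int tls_config_parse_protocols(uint32_t *_protocols, const char *_protostr);
 
+int tls_config_set_session_id(struct tls_config *_config,
+    const unsigned char *_session_id, size_t _len);
+int tls_config_set_session_lifetime(struct tls_config *_config, int _lifetime);
+int tls_config_add_ticket_key(struct tls_config *_config, uint32_t _keyrev,
+    unsigned char *_key, size_t _keylen);
+
 struct tls *tls_client(void);
 struct tls *tls_server(void);
 int tls_configure(struct tls *_ctx, struct tls_config *_config);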
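Review bot: The new `tls_config_add_ticket_key` prototype takes the key as `unsigned char *_key`, while `tls_config_set_session_id` in the same hunk takes `const unsigned char *_session_id`; unless the implementation writes into the caller's buffer (not visible here), the declaration should be `const unsigned char *_key, size_t _keylen);` so the header states that the library only reads the key and callers can pass material held in read-only storage. The prototypes also leave the link to the two new constants implicit: a comment above the three declarations is worth adding, along the lines of `/* _len must not exceed TLS_MAX_SESSION_ID_LENGTH; _keylen must equal TLS_TICKET_KEY_SIZE; the key is copied into the config, so the caller should wipe its own copy afterwards */`, with the size rules and the copy semantics to be confirmed against the implementation before committing the wording. The unit of `_lifetime` is not stated anywhere in the header; since the commit message says the lifetime directly trades off forward secrecy, the declaration should carry a comment naming the unit (presumably seconds — confirm) and that 0 keeps tickets disabled, as the commit message implies.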