path: root/src/lib/libtls/tls_internal.h
authorclaudio <>2017-01-24 01:48:05 +0000
committerclaudio <>2017-01-24 01:48:05 +0000
commitd78c389be49cfb5c1e450de1ffe9b19331871124 (patch)
treedf70a1321916b965fd5fe88a72940612ae3642f4 /src/lib/libtls/tls_internal.h
parent2367558cf5d952b4f895457cfb15046d05a01529 (diff)
Introduce ticket support. To enable them it is enough to set a positive
lifetime with tls_config_set_session_lifetime(). This enables tickets and uses an internal automatic rekeying mode for the ticket keys. If multiple processes are involved, the following functions can be used to make tickets work across all instances: - tls_config_set_session_id() sets the session identifier - tls_config_add_ticket_key() adds an encryption and authentication key For now only the last 4 keys added will be used (unless they are too old). If tls_config_add_ticket_key() is used, the caller must ensure that new keys are added regularly. It is best to do this 4 times per session lifetime (which is also the ticket key lifetime). Since tickets break PFS, it is best to minimize the session lifetime according to needs. With a lot of help, input and OK beck@, jsing@
Diffstat (limited to 'src/lib/libtls/tls_internal.h')
-rw-r--r--src/lib/libtls/tls_internal.h24
1 files changed, 23 insertions, 1 deletions
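--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.50 2016/11/05 15:13:26 beck Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.51 2017/01/24 01:48:05 claudio Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -53,6 +53,22 @@ struct tls_keypair {
 	size_t key_len;
 };
 
+#define TLS_MIN_SESSION_TIMEOUT (4)
+#define TLS_MAX_SESSION_TIMEOUT (24 * 60 * 60)
+
+#define TLS_NUM_TICKETS 4
+#define TLS_TICKET_NAME_SIZE 16
+#define TLS_TICKET_AES_SIZE 32
+#define TLS_TICKET_HMAC_SIZE 16
+
+struct tls_ticket_key {
+	/* The key_name must be 16 bytes according to -lssl */
+	unsigned char key_name[TLS_TICKET_NAME_SIZE];
+	unsigned char aes_key[TLS_TICKET_AES_SIZE];
+	unsigned char hmac_key[TLS_TICKET_HMAC_SIZE];
+	time_t time;
+};
+
 struct tls_config {
 	struct tls_error error;
 
@@ -70,6 +86,11 @@ struct tls_config {
 	char *ocsp_staple;
 	size_t ocsp_staple_len;
 	uint32_t protocols;
+	unsigned char session_id[TLS_MAX_SESSION_ID_LENGTH];
+	int session_lifetime;
+	struct tls_ticket_key ticket_keys[TLS_NUM_TICKETS];
+	uint32_t ticket_keyrev;
+	int ticket_autorekey;
 	int verify_cert;
 	int verify_client;
 	int verify_depth;
@@ -171,6 +192,7 @@ int tls_handshake_server(struct tls *ctx);
 
 int tls_config_load_file(struct tls_error *error, const char *filetype,
     const char *filename, char **buf, size_t *len);
+int tls_config_ticket_autorekey(struct tls_config *config);
 int tls_host_port(const char *hostport, char **host, char **port);
 
 int tls_set_cbs(struct tls *ctx,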
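Review bot: The new constants at the top of the second hunk (TLS_MIN_SESSION_TIMEOUT, TLS_MAX_SESSION_TIMEOUT and the TLS_TICKET_*_SIZE group) carry no unit or rationale, and the key sizes only make sense if they agree with the cipher and MAC the ticket callback uses elsewhere; a short comment above each group would pin that down, e.g. `/* Bounds for the session/ticket lifetime, in seconds */` and `/* Sizes must match the cipher and HMAC used by the ticket key callback */`. struct tls_ticket_key also places long-lived secret key material inside struct tls_config, so the matching tls_config_free() (outside this file) presumably clears ticket_keys with explicit_bzero() before releasing the config; that is worth confirming, since the commit message itself notes that tickets weaken forward secrecy and these keys are exactly what that depends on. TLS_MAX_SESSION_ID_LENGTH is used for session_id in the third hunk but is not defined in this file's hunks; presumably it comes from the public tls.h changed in the same commit, and a comment naming that origin would help readers of this header.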