diff --git a/src/apps/altcp_tls/altcp_tls_mbedtls.c b/src/apps/altcp_tls/altcp_tls_mbedtls.c
index 1b6baf6d..ea9303ca 100644
--- a/src/apps/altcp_tls/altcp_tls_mbedtls.c
+++ b/src/apps/altcp_tls/altcp_tls_mbedtls.c
@@ -76,6 +76,7 @@
 #include "mbedtls/platform.h"
 #include "mbedtls/memory_buffer_alloc.h"
 #include "mbedtls/ssl_cache.h"
+#include "mbedtls/ssl_ticket.h"
 #include "mbedtls/ssl_internal.h" /* to call mbedtls_flush_output after ERR_MEM */
@@ -100,10 +101,13 @@ struct altcp_tls_config {
 mbedtls_x509_crt *cert;
 mbedtls_pk_context *pkey;
 mbedtls_x509_crt *ca;
-#if defined(MBEDTLS_SSL_CACHE_C) && ALTCP_MBEDTLS_SESSION_CACHE_TIMEOUT_SECONDS
+#if defined(MBEDTLS_SSL_CACHE_C) && ALTCP_MBEDTLS_USE_SESSION_CACHE
 /** Inter-connection cache for fast connection startup */
 struct mbedtls_ssl_cache_context cache;
 #endif
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && ALTCP_MBEDTLS_USE_SESSION_TICKETS
+ mbedtls_ssl_ticket_context ticket_ctx;
+#endif
 };
 static err_t altcp_mbedtls_lower_recv(void *arg, struct altcp_pcb *inner_conn, struct pbuf *p, err_t err);
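Review bot: The guard on the new `ticket_ctx` member tests only the protocol-feature macro `MBEDTLS_SSL_SESSION_TICKETS`, not the module that implements the ticket context. In mbedTLS 2.x the `mbedtls_ssl_ticket_*` functions are built only when `MBEDTLS_SSL_TICKET_C` is defined, so an mbedTLS configuration without that module would presumably fail at link time once `ALTCP_MBEDTLS_USE_SESSION_TICKETS` is set to 1, rather than leaving the feature off. I would write `#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) && ALTCP_MBEDTLS_USE_SESSION_TICKETS` here and on the matching block in altcp_tls_create_config. The struct definition opens above this hunk.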
@@ -721,12 +725,28 @@ altcp_tls_create_config(int is_server, int have_cert, int have_pkey, int have_ca
 #if ALTCP_MBEDTLS_LIB_DEBUG != LWIP_DBG_OFF
 mbedtls_ssl_conf_dbg(&conf->conf, altcp_mbedtls_debug, stdout);
 #endif
-#if defined(MBEDTLS_SSL_CACHE_C) && ALTCP_MBEDTLS_SESSION_CACHE_TIMEOUT_SECONDS
+#if defined(MBEDTLS_SSL_CACHE_C) && ALTCP_MBEDTLS_USE_SESSION_CACHE
 mbedtls_ssl_conf_session_cache(&conf->conf, &conf->cache, mbedtls_ssl_cache_get, mbedtls_ssl_cache_set);
- mbedtls_ssl_cache_set_timeout(&conf->cache, 30);
- mbedtls_ssl_cache_set_max_entries(&conf->cache, 30);
+ mbedtls_ssl_cache_set_timeout(&conf->cache, ALTCP_MBEDTLS_SESSION_CACHE_TIMEOUT_SECONDS);
+ mbedtls_ssl_cache_set_max_entries(&conf->cache, ALTCP_MBEDTLS_SESSION_CACHE_SIZE);
 #endif
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && ALTCP_MBEDTLS_USE_SESSION_TICKETS
+ mbedtls_ssl_ticket_init(&conf->ticket_ctx);
+
+ ret = mbedtls_ssl_ticket_setup(&conf->ticket_ctx, mbedtls_ctr_drbg_random, &conf->ctr_drbg,
+ ALTCP_MBEDTLS_SESSION_TICKET_CIPHER, ALTCP_MBEDTLS_SESSION_TICKET_TIMEOUT_SECONDS);
+ if (ret) {
+ LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_ssl_ticket_setup failed: %d\n", ret));
+ altcp_mbedtls_free_config(conf);
+ return NULL;
+ }
+
+ mbedtls_ssl_conf_session_tickets_cb(&conf->conf, mbedtls_ssl_ticket_write, mbedtls_ssl_ticket_parse,
+ &conf->ticket_ctx);
+#endif
+
+
 return conf;
 }
diff --git a/src/include/lwip/apps/altcp_tls_mbedtls_opts.h b/src/include/lwip/apps/altcp_tls_mbedtls_opts.h
index d8129cc8..71aa5993 100644
--- a/src/include/lwip/apps/altcp_tls_mbedtls_opts.h
+++ b/src/include/lwip/apps/altcp_tls_mbedtls_opts.h
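Review bot: The failure branch after `mbedtls_ssl_ticket_setup` passes `conf` to `altcp_mbedtls_free_config` without first calling `mbedtls_ssl_ticket_free(&conf->ticket_ctx);`, so whatever cipher state and ticket-key material setup created before failing is neither released nor wiped by the ticket module. The same gap appears to exist for normal teardown: as far as this diff shows, no hunk adds a matching `mbedtls_ssl_ticket_free` to the path that frees a config, which would leave the ticket encryption keys behind in freed heap memory. I would add `mbedtls_ssl_ticket_free(&conf->ticket_ctx);` under the same `#if` in this branch and in the config free function. altcp_tls_create_config begins above this hunk, so it is not visible whether this block also runs for client configs, where the ticket callbacks would go unused.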
@@ -65,11 +65,39 @@
 #define ALTCP_MBEDTLS_LIB_DEBUG_LEVEL_MIN 0
 #endif
-/** Set a session timeout in seconds for the basic session cache
+/** Enable the basic session cache
 * ATTENTION: Using a session cache can lower security by reusing keys!
 */
+#ifndef ALTCP_MBEDTLS_USE_SESSION_CACHE
+#define ALTCP_MBEDTLS_USE_SESSION_CACHE 0
+#endif
+
+/** Maximum cache size of the basic session cache */
+#ifndef ALTCP_MBEDTLS_SESSION_CACHE_SIZE
+#define ALTCP_MBEDTLS_SESSION_CACHE_SIZE 30
+#endif
+
+/** Set a session timeout in seconds for the basic session cache */
 #ifndef ALTCP_MBEDTLS_SESSION_CACHE_TIMEOUT_SECONDS
-#define ALTCP_MBEDTLS_SESSION_CACHE_TIMEOUT_SECONDS 0
+#define ALTCP_MBEDTLS_SESSION_CACHE_TIMEOUT_SECONDS (60 * 60)
+#endif
+
+/** Use session tickets to speed up connection setup (needs
+ * MBEDTLS_SSL_SESSION_TICKETS enabled in mbedTLS config).
+ * ATTENTION: Using session tickets can lower security by reusing keys!
+ */
+#ifndef ALTCP_MBEDTLS_USE_SESSION_TICKETS
+#define ALTCP_MBEDTLS_USE_SESSION_TICKETS 0
+#endif
+
+/** Session ticket cipher */
+#ifndef ALTCP_MBEDTLS_SESSION_TICKET_CIPHER
+#define ALTCP_MBEDTLS_SESSION_TICKET_CIPHER MBEDTLS_CIPHER_AES_256_GCM
+#endif
+
+/** Maximum timeout for session tickets */
+#ifndef ALTCP_MBEDTLS_SESSION_TICKET_TIMEOUT_SECONDS
+#define ALTCP_MBEDTLS_SESSION_TICKET_TIMEOUT_SECONDS (60 * 60 * 24)
 #endif
 #endif /* LWIP_ALTCP */
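Review bot: `ALTCP_MBEDTLS_SESSION_CACHE_TIMEOUT_SECONDS` changes meaning here and the comments do not say so: it used to be the enable switch (default 0) while the call site hard-coded 30 seconds, and it is now a plain lifetime defaulting to `(60 * 60)`. A port that set it non-zero to turn the cache on now silently gets no cache, and a port that sets the new `ALTCP_MBEDTLS_USE_SESSION_CACHE` keeps resumable session secrets in RAM 120 times longer than the old hard-coded value. The ticket timeout comment also omits its unit. I would document both, for example `/** Lifetime in seconds of a cached session; no longer enables the cache, see ALTCP_MBEDTLS_USE_SESSION_CACHE */` and `/** Lifetime of issued session tickets in seconds */`.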