altcp_tls_mbedtls: add session tickets, improve configuration for session cache
This commit is contained in:
parent
54448559bb
commit
6f232b7c3f
@ -76,6 +76,7 @@
|
|||||||
#include "mbedtls/platform.h"
|
#include "mbedtls/platform.h"
|
||||||
#include "mbedtls/memory_buffer_alloc.h"
|
#include "mbedtls/memory_buffer_alloc.h"
|
||||||
#include "mbedtls/ssl_cache.h"
|
#include "mbedtls/ssl_cache.h"
|
||||||
|
#include "mbedtls/ssl_ticket.h"
|
||||||
|
|
||||||
#include "mbedtls/ssl_internal.h" /* to call mbedtls_flush_output after ERR_MEM */
|
#include "mbedtls/ssl_internal.h" /* to call mbedtls_flush_output after ERR_MEM */
|
||||||
|
|
||||||
@ -100,10 +101,13 @@ struct altcp_tls_config {
|
|||||||
mbedtls_x509_crt *cert;
|
mbedtls_x509_crt *cert;
|
||||||
mbedtls_pk_context *pkey;
|
mbedtls_pk_context *pkey;
|
||||||
mbedtls_x509_crt *ca;
|
mbedtls_x509_crt *ca;
|
||||||
#if defined(MBEDTLS_SSL_CACHE_C) && ALTCP_MBEDTLS_SESSION_CACHE_TIMEOUT_SECONDS
|
#if defined(MBEDTLS_SSL_CACHE_C) && ALTCP_MBEDTLS_USE_SESSION_CACHE
|
||||||
/** Inter-connection cache for fast connection startup */
|
/** Inter-connection cache for fast connection startup */
|
||||||
struct mbedtls_ssl_cache_context cache;
|
struct mbedtls_ssl_cache_context cache;
|
||||||
#endif
|
#endif
|
||||||
|
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && ALTCP_MBEDTLS_USE_SESSION_TICKETS
|
||||||
|
mbedtls_ssl_ticket_context ticket_ctx;
|
||||||
|
#endif
|
||||||
};
|
};
|
||||||
|
|
||||||
static err_t altcp_mbedtls_lower_recv(void *arg, struct altcp_pcb *inner_conn, struct pbuf *p, err_t err);
|
static err_t altcp_mbedtls_lower_recv(void *arg, struct altcp_pcb *inner_conn, struct pbuf *p, err_t err);
|
||||||
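Review bot: The new `ticket_ctx` member is the only field in this struct without a doc comment, while its sibling `cache` has one. Suggest `/** Session ticket context (holds the ticket protection keys) handed to mbedtls_ssl_ticket_write/parse */` above it, so a reader knows the struct now carries key material that has to be freed with the config. altcp_tls_config's opening lines lie outside the hunk.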
@ -721,12 +725,28 @@ altcp_tls_create_config(int is_server, int have_cert, int have_pkey, int have_ca
|
|||||||
#if ALTCP_MBEDTLS_LIB_DEBUG != LWIP_DBG_OFF
|
#if ALTCP_MBEDTLS_LIB_DEBUG != LWIP_DBG_OFF
|
||||||
mbedtls_ssl_conf_dbg(&conf->conf, altcp_mbedtls_debug, stdout);
|
mbedtls_ssl_conf_dbg(&conf->conf, altcp_mbedtls_debug, stdout);
|
||||||
#endif
|
#endif
|
||||||
#if defined(MBEDTLS_SSL_CACHE_C) && ALTCP_MBEDTLS_SESSION_CACHE_TIMEOUT_SECONDS
|
#if defined(MBEDTLS_SSL_CACHE_C) && ALTCP_MBEDTLS_USE_SESSION_CACHE
|
||||||
mbedtls_ssl_conf_session_cache(&conf->conf, &conf->cache, mbedtls_ssl_cache_get, mbedtls_ssl_cache_set);
|
mbedtls_ssl_conf_session_cache(&conf->conf, &conf->cache, mbedtls_ssl_cache_get, mbedtls_ssl_cache_set);
|
||||||
mbedtls_ssl_cache_set_timeout(&conf->cache, 30);
|
mbedtls_ssl_cache_set_timeout(&conf->cache, ALTCP_MBEDTLS_SESSION_CACHE_TIMEOUT_SECONDS);
|
||||||
mbedtls_ssl_cache_set_max_entries(&conf->cache, 30);
|
mbedtls_ssl_cache_set_max_entries(&conf->cache, ALTCP_MBEDTLS_SESSION_CACHE_SIZE);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && ALTCP_MBEDTLS_USE_SESSION_TICKETS
|
||||||
|
mbedtls_ssl_ticket_init(&conf->ticket_ctx);
|
||||||
|
|
||||||
|
ret = mbedtls_ssl_ticket_setup(&conf->ticket_ctx, mbedtls_ctr_drbg_random, &conf->ctr_drbg,
|
||||||
|
ALTCP_MBEDTLS_SESSION_TICKET_CIPHER, ALTCP_MBEDTLS_SESSION_TICKET_TIMEOUT_SECONDS);
|
||||||
|
if (ret) {
|
||||||
|
LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_ssl_ticket_setup failed: %d\n", ret));
|
||||||
|
altcp_mbedtls_free_config(conf);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
mbedtls_ssl_conf_session_tickets_cb(&conf->conf, mbedtls_ssl_ticket_write, mbedtls_ssl_ticket_parse,
|
||||||
|
&conf->ticket_ctx);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
|
||||||
return conf;
|
return conf;
|
||||||
}
|
}
|
||||||
|
|
||||||
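Review bot: `mbedtls_ssl_ticket_init(&conf->ticket_ctx)` has no visible counterpart: the hunk does not add `mbedtls_ssl_ticket_free(&conf->ticket_ctx)` to altcp_mbedtls_free_config, which is what the new `mbedtls_ssl_ticket_setup` error path and normal teardown call. Unless that call exists outside this diff, the ticket protection keys and cipher contexts held in the context are never released or cleared; the free should sit under the same `#if defined(MBEDTLS_SSL_SESSION_TICKETS) && ALTCP_MBEDTLS_USE_SESSION_TICKETS` guard and is safe to call after a bare init. Like the cache setup above it, the ticket setup also runs for client configs, drawing ticket keys from `conf->ctr_drbg` that a client never uses; if that is intentional, a one-line comment saying so would help. `ret`, `conf` and the start of altcp_tls_create_config lie outside the hunk.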
|
@ -65,11 +65,39 @@
|
|||||||
#define ALTCP_MBEDTLS_LIB_DEBUG_LEVEL_MIN 0
|
#define ALTCP_MBEDTLS_LIB_DEBUG_LEVEL_MIN 0
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/** Set a session timeout in seconds for the basic session cache
|
/** Enable the basic session cache
|
||||||
* ATTENTION: Using a session cache can lower security by reusing keys!
|
* ATTENTION: Using a session cache can lower security by reusing keys!
|
||||||
*/
|
*/
|
||||||
|
#ifndef ALTCP_MBEDTLS_USE_SESSION_CACHE
|
||||||
|
#define ALTCP_MBEDTLS_USE_SESSION_CACHE 0
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/** Maximum cache size of the basic session cache */
|
||||||
|
#ifndef ALTCP_MBEDTLS_SESSION_CACHE_SIZE
|
||||||
|
#define ALTCP_MBEDTLS_SESSION_CACHE_SIZE 30
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/** Set a session timeout in seconds for the basic session cache */
|
||||||
#ifndef ALTCP_MBEDTLS_SESSION_CACHE_TIMEOUT_SECONDS
|
#ifndef ALTCP_MBEDTLS_SESSION_CACHE_TIMEOUT_SECONDS
|
||||||
#define ALTCP_MBEDTLS_SESSION_CACHE_TIMEOUT_SECONDS 0
|
#define ALTCP_MBEDTLS_SESSION_CACHE_TIMEOUT_SECONDS (60 * 60)
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/** Use session tickets to speed up connection setup (needs
|
||||||
|
* MBEDTLS_SSL_SESSION_TICKETS enabled in mbedTLS config).
|
||||||
|
* ATTENTION: Using session tickets can lower security by reusing keys!
|
||||||
|
*/
|
||||||
|
#ifndef ALTCP_MBEDTLS_USE_SESSION_TICKETS
|
||||||
|
#define ALTCP_MBEDTLS_USE_SESSION_TICKETS 0
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/** Session ticket cipher */
|
||||||
|
#ifndef ALTCP_MBEDTLS_SESSION_TICKET_CIPHER
|
||||||
|
#define ALTCP_MBEDTLS_SESSION_TICKET_CIPHER MBEDTLS_CIPHER_AES_256_GCM
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/** Maximum timeout for session tickets */
|
||||||
|
#ifndef ALTCP_MBEDTLS_SESSION_TICKET_TIMEOUT_SECONDS
|
||||||
|
#define ALTCP_MBEDTLS_SESSION_TICKET_TIMEOUT_SECONDS (60 * 60 * 24)
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#endif /* LWIP_ALTCP */
|
#endif /* LWIP_ALTCP */
|
||||||
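Review bot: Enabling the cache now requires `ALTCP_MBEDTLS_USE_SESSION_CACHE 1`, but nothing tells a user that the old way of enabling it — defining `ALTCP_MBEDTLS_SESSION_CACHE_TIMEOUT_SECONDS` to a non-zero value — now silently leaves the cache off, since the timeout default moved from 0 to `(60 * 60)` and no longer gates anything. Suggest adding to the `ALTCP_MBEDTLS_USE_SESSION_CACHE` comment: ` * Note: the cache used to be enabled by a non-zero ALTCP_MBEDTLS_SESSION_CACHE_TIMEOUT_SECONDS; it is now controlled by this option only.` The `ALTCP_MBEDTLS_SESSION_TICKET_TIMEOUT_SECONDS` comment ("Maximum timeout for session tickets") could say it is the ticket lifetime passed to mbedtls_ssl_ticket_setup, so readers see that the 24-hour default bounds how long a resumption ticket stays usable. `ALTCP_MBEDTLS_SESSION_TICKET_CIPHER` expands to `MBEDTLS_CIPHER_AES_256_GCM`, which this options header does not itself include a definition for, so a comment noting it relies on the including .c file's mbedtls headers would avoid surprises for anyone overriding it.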
|