Make cookie timeout configurable

2025-03-30 07:20:59 +00:00 · 2014-07-23 23:40:29 +02:00 · 2014-07-23 23:40:29 +02:00 · bef8f09899
commit bef8f09899
parent e90308178f
3 changed files with 27 additions and 5 deletions
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@ -2201,6 +2201,7 @@
 //#define SSL_MAX_CONTENT_LEN             16384 /**< Size of the input / output buffer */
 //#define SSL_DEFAULT_TICKET_LIFETIME     86400 /**< Lifetime of session tickets (if enabled) */
 //#define POLARSSL_PSK_MAX_LEN               32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */
+//#define POLARSSL_SSL_COOKIE_TIMEOUT        60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */

 /**
 * Complete list of ciphersuites to use, in order of preference.
--- a/include/polarssl/ssl_cookie.h
+++ b/include/polarssl/ssl_cookie.h
@ -36,6 +36,9 @@
 * Either change them in config.h or define them on the compiler command line.
 * \{
 */
+#ifndef POLARSSL_SSL_COOKIE_TIMEOUT
+#define POLARSSL_SSL_COOKIE_TIMEOUT     60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
+#endif

 /* \} name SECTION: Module settings */

@ -48,10 +51,13 @@ extern "C" {
 */
 typedef struct
 {
-    md_context_t    hmac_ctx;       /*!< context for the HMAC portion   */
+    md_context_t    hmac_ctx;   /*!< context for the HMAC portion   */
 #if !defined(POLARSSL_HAVE_TIME)
-    unsigned long   serial;         /*!< serial number for expiration   */
+    unsigned long   serial;     /*!< serial number for expiration   */
 #endif
+    unsigned long   timeout;    /*!< timeout delay, in seconds if HAVE_TIME,
+                                     or in number of tickets issued */
+
 } ssl_cookie_ctx;

 /**
@ -66,6 +72,17 @@ int ssl_cookie_setup( ssl_cookie_ctx *ctx,
                      int (*f_rng)(void *, unsigned char *, size_t),
                      void *p_rng );

+/**
+ * \brief          Set expiration delay for cookies
+ *                 (Default POLARSSL_SSL_COOKIE_TIMEOUT)
+ *
+ * \param ctx      Cookie contex
+ * \param delay    Delay, in seconds if HAVE_TIME, or in number of cookies
+ *                 issued in the meantime.
+ *                 0 to disable expiration (NOT recommended)
+ */
+void ssl_cookie_set_timeout( ssl_cookie_ctx *ctx, unsigned long delay );
+
 /**
 * \brief          Free cookie context
 */
--- a/library/ssl_cookie.c
+++ b/library/ssl_cookie.c
@ -76,14 +76,18 @@ static void polarssl_zeroize( void *v, size_t n ) {
 */
 #define COOKIE_LEN      ( 4 + COOKIE_HMAC_LEN )

-#define COOKIE_TIMEOUT  60
-
 void ssl_cookie_init( ssl_cookie_ctx *ctx )
 {
    md_init( &ctx->hmac_ctx );
 #if !defined(POLARSSL_HAVE_TIME)
    ctx->serial = 0;
 #endif
+    ctx->timeout = POLARSSL_SSL_COOKIE_TIMEOUT;
+}
+
+void ssl_cookie_set_timeout( ssl_cookie_ctx *ctx, unsigned long delay )
+{
+    ctx->timeout = delay;
 }

 void ssl_cookie_free( ssl_cookie_ctx *ctx )
@ -211,7 +215,7 @@ int ssl_cookie_check( void *p_ctx,
                  ( (unsigned long) cookie[2] <<  8 ) |
                  ( (unsigned long) cookie[3]       );

-    if( cur_time - cookie_time > COOKIE_TIMEOUT )
+    if( ctx->timeout != 0 && cur_time - cookie_time > ctx->timeout )
        return( -1 );

    return( 0 );