mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-04-02 16:21:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Make cookie timeout configurable

Browse Source
This commit is contained in:
Manuel Pégourié-Gonnard 2014-07-23 23:40:29 +02:00 committed by Paul Bakker
parent e90308178f
commit bef8f09899
3 changed files with 27 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
include/polarssl/config.h
View File

@ -2201,6 +2201,7 @@
//#define SSL_MAX_CONTENT_LEN 16384 /**< Size of the input / output buffer */ //#define SSL_MAX_CONTENT_LEN 16384 /**< Size of the input / output buffer */
//#define SSL_DEFAULT_TICKET_LIFETIME 86400 /**< Lifetime of session tickets (if enabled) */ //#define SSL_DEFAULT_TICKET_LIFETIME 86400 /**< Lifetime of session tickets (if enabled) */
//#define POLARSSL_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */ //#define POLARSSL_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */
//#define POLARSSL_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
/** /**
* Complete list of ciphersuites to use, in order of preference. * Complete list of ciphersuites to use, in order of preference.

21
include/polarssl/ssl_cookie.h
View File

@ -36,6 +36,9 @@
* Either change them in config.h or define them on the compiler command line. * Either change them in config.h or define them on the compiler command line.
* \{ * \{
*/ */
#ifndef POLARSSL_SSL_COOKIE_TIMEOUT
#define POLARSSL_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
#endif
/* \} name SECTION: Module settings */ /* \} name SECTION: Module settings */
@ -48,10 +51,13 @@ extern "C" {
*/ */
typedef struct typedef struct
{ {
md_context_t hmac_ctx; /*!< context for the HMAC portion */ md_context_t hmac_ctx; /*!< context for the HMAC portion */
#if !defined(POLARSSL_HAVE_TIME) #if !defined(POLARSSL_HAVE_TIME)
unsigned long serial; /*!< serial number for expiration */ unsigned long serial; /*!< serial number for expiration */
#endif #endif
unsigned long timeout; /*!< timeout delay, in seconds if HAVE_TIME,
or in number of tickets issued */
} ssl_cookie_ctx; } ssl_cookie_ctx;
/** /**
@ -66,6 +72,17 @@ int ssl_cookie_setup( ssl_cookie_ctx *ctx,
int (*f_rng)(void *, unsigned char *, size_t), int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng ); void *p_rng );
/**
* \brief Set expiration delay for cookies
* (Default POLARSSL_SSL_COOKIE_TIMEOUT)
*
* \param ctx Cookie contex
* \param delay Delay, in seconds if HAVE_TIME, or in number of cookies
* issued in the meantime.
* 0 to disable expiration (NOT recommended)
*/
void ssl_cookie_set_timeout( ssl_cookie_ctx *ctx, unsigned long delay );
/** /**
* \brief Free cookie context * \brief Free cookie context
*/ */

10
library/ssl_cookie.c
View File

@ -76,14 +76,18 @@ static void polarssl_zeroize( void *v, size_t n ) {
*/ */
#define COOKIE_LEN ( 4 + COOKIE_HMAC_LEN ) #define COOKIE_LEN ( 4 + COOKIE_HMAC_LEN )
#define COOKIE_TIMEOUT 60
void ssl_cookie_init( ssl_cookie_ctx *ctx ) void ssl_cookie_init( ssl_cookie_ctx *ctx )
{ {
md_init( &ctx->hmac_ctx ); md_init( &ctx->hmac_ctx );
#if !defined(POLARSSL_HAVE_TIME) #if !defined(POLARSSL_HAVE_TIME)
ctx->serial = 0; ctx->serial = 0;
#endif #endif
ctx->timeout = POLARSSL_SSL_COOKIE_TIMEOUT;
}
void ssl_cookie_set_timeout( ssl_cookie_ctx *ctx, unsigned long delay )
{
ctx->timeout = delay;
} }
void ssl_cookie_free( ssl_cookie_ctx *ctx ) void ssl_cookie_free( ssl_cookie_ctx *ctx )
@ -211,7 +215,7 @@ int ssl_cookie_check( void *p_ctx,
( (unsigned long) cookie[2] << 8 ) | ( (unsigned long) cookie[2] << 8 ) |
( (unsigned long) cookie[3] ); ( (unsigned long) cookie[3] );
if( cur_time - cookie_time > COOKIE_TIMEOUT ) if( ctx->timeout != 0 && cur_time - cookie_time > ctx->timeout )
return( -1 ); return( -1 );
return( 0 ); return( 0 );