From b596abfdc05665cd4a14b92ccfe85da70bbf7448 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 20 May 2015 10:45:29 +0200 Subject: [PATCH] Refine cli/srv ifdefs for session tickets - Only the server needs to generate/parse tickets - Only the client needs to store them Also adjust prototype of ssl_conf_session_tickets() while at it. --- include/mbedtls/ssl.h | 43 +++++++++++++++++++------------------- library/ssl_tls.c | 14 +++++++------ programs/ssl/ssl_client2.c | 6 +----- 3 files changed, 30 insertions(+), 33 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 7235a248f..06b8cb90f 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -584,11 +584,11 @@ struct mbedtls_ssl_session #endif /* MBEDTLS_X509_CRT_PARSE_C */ uint32_t verify_result; /*!< verification result */ -#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) unsigned char *ticket; /*!< RFC 5077 session ticket */ size_t ticket_len; /*!< session ticket length */ uint32_t ticket_lifetime; /*!< ticket lifetime hint */ -#endif /* MBEDTLS_SSL_SESSION_TICKETS */ +#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) unsigned char mfl_code; /*!< MaxFragmentLength negotiated by peer */ @@ -822,14 +822,14 @@ typedef struct void *p_cookie; /*!< context for the cookie callbacks */ #endif -#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_SRV_C) /** Callback to create & write a session ticket */ int (*f_ticket_write)( void *, const mbedtls_ssl_session *, unsigned char *, const unsigned char *, size_t *, uint32_t * ); /** Callback to parse a session ticket into a session structure */ int (*f_ticket_parse)( void *, mbedtls_ssl_session *, unsigned char *, size_t); void *p_ticket; /*!< context for the ticket callbacks */ -#endif /* MBEDTLS_SSL_SESSION_TICKETS */ +#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */ #if defined(MBEDTLS_X509_CRT_PARSE_C) mbedtls_ssl_key_cert *key_cert; /*!< own certificate/key pair(s) */ @@ -1317,7 +1317,6 @@ void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl, void (*f_set_timer)(void *, uint32_t int_ms, uint32_t fin_ms), int (*f_get_timer)(void *) ); -#if defined(MBEDTLS_SSL_SESSION_TICKETS) /** * \brief Callback type: generate and write session ticket * @@ -1354,8 +1353,8 @@ typedef int mbedtls_ssl_ticket_write_t( void *p_ticket, * session. * * \note The implementation is allowed to modify the first len - * of the input buffer, eg to use it as a temporary area for - * the decrypted ticket contents. + * bytes of the input buffer, eg to use it as a temporary + * area for the decrypted ticket contents. * * \param p_ticket Context for the callback * \param session SSL session to be loaded @@ -1372,8 +1371,15 @@ typedef int mbedtls_ssl_ticket_parse_t( void *p_ticket, unsigned char *buf, size_t len ); +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_SRV_C) /** - * \brief Configure SSL session ticket callbacks + * \brief Configure SSL session ticket callbacks (server only). + * (Default: none.) + * + * \note On server, session tickets are enabled by providing + * non-NULL callbacks. + * + * \note On client, use \c mbedtls_ssl_conf_seesion_tickets(). * * \param conf SSL configuration context * \param f_ticket_write Callback for writing a ticket @@ -1384,8 +1390,7 @@ void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf, mbedtls_ssl_ticket_write_t *f_ticket_write, mbedtls_ssl_ticket_parse_t *f_ticket_parse, void *p_ticket ); - -#endif /* MBEDTLS_SSL_SESSION_TICKETS */ +#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */ #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) /** @@ -2043,25 +2048,19 @@ void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate ); void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split ); #endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */ -#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) /** - * \brief Enable / Disable session tickets - * (Default: MBEDTLS_SSL_SESSION_TICKETS_ENABLED on client, - * MBEDTLS_SSL_SESSION_TICKETS_DISABLED on server) + * \brief Enable / Disable session tickets (client only). + * (Default: MBEDTLS_SSL_SESSION_TICKETS_ENABLED.) * - * \note On server, mbedtls_ssl_conf_rng() must be called before this function - * to allow generating the ticket encryption and - * authentication keys. + * \note On server, use \c mbedtls_ssl_conf_session_tickets_cb(). * * \param conf SSL configuration * \param use_tickets Enable or disable (MBEDTLS_SSL_SESSION_TICKETS_ENABLED or * MBEDTLS_SSL_SESSION_TICKETS_DISABLED) - * - * \return 0 if successful, - * or a specific error code (server only). */ -int mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets ); -#endif /* MBEDTLS_SSL_SESSION_TICKETS */ +void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets ); +#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ #if defined(MBEDTLS_SSL_RENEGOTIATION) /** diff --git a/library/ssl_tls.c b/library/ssl_tls.c index a7166624d..8b96a836d 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -188,7 +188,7 @@ static int ssl_session_copy( mbedtls_ssl_session *dst, const mbedtls_ssl_session } #endif /* MBEDTLS_X509_CRT_PARSE_C */ -#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) if( src->ticket != NULL ) { dst->ticket = mbedtls_malloc( src->ticket_len ); @@ -197,7 +197,7 @@ static int ssl_session_copy( mbedtls_ssl_session *dst, const mbedtls_ssl_session memcpy( dst->ticket, src->ticket, src->ticket_len ); } -#endif /* MBEDTLS_SSL_SESSION_TICKETS */ +#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ return( 0 ); } @@ -5639,13 +5639,14 @@ void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf, #endif /* MBEDTLS_SSL_RENEGOTIATION */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) -int mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets ) +#if defined(MBEDTLS_SSL_CLI_C) +void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets ) { conf->session_tickets = use_tickets; - - return( 0 ); } +#endif +#if defined(MBEDTLS_SSL_SRV_C) void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf, mbedtls_ssl_ticket_write_t *f_ticket_write, mbedtls_ssl_ticket_parse_t *f_ticket_parse, @@ -5655,6 +5656,7 @@ void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf, conf->f_ticket_parse = f_ticket_parse; conf->p_ticket = p_ticket; } +#endif #endif /* MBEDTLS_SSL_SESSION_TICKETS */ /* @@ -6494,7 +6496,7 @@ void mbedtls_ssl_session_free( mbedtls_ssl_session *session ) } #endif -#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) mbedtls_free( session->ticket ); #endif diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index f5cf74603..2bb8354f4 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1106,11 +1106,7 @@ int main( int argc, char *argv[] ) mbedtls_ssl_conf_read_timeout( &conf, opt.read_timeout ); #if defined(MBEDTLS_SSL_SESSION_TICKETS) - if( ( ret = mbedtls_ssl_conf_session_tickets( &conf, opt.tickets ) ) != 0 ) - { - mbedtls_printf( " failed\n ! mbedtls_ssl_conf_session_tickets returned %d\n\n", ret ); - goto exit; - } + mbedtls_ssl_conf_session_tickets( &conf, opt.tickets ); #endif if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )