Commit graph

31 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard a3e7c65101 Move session save/load function to ssl_tls.c
This finishes making these functions public. Next step is to get them tested,
but there's currently a blocker for that, see next commit (and the commit
after it for tests).
2019-08-23 12:48:41 +03:00
Hanno Becker 6883874013 Fix typo in SSL ticket documentation 2019-02-26 14:38:09 +00:00
Hanno Becker 94cc26dfa6 Adapt session ticket implementation to removal of peer_cert field 2019-02-26 14:38:09 +00:00
Hanno Becker c966bd16be Remove peer CRT from tickets if !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE 2019-02-26 14:38:09 +00:00
Hanno Becker c5fcbb33c0 Add peer CRT digest to session tickets
This commit changes the format of session tickets to include
the digest of the peer's CRT if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
is disabled.

This commit does not yet remove the peer CRT itself.
2019-02-26 14:38:09 +00:00
Hanno Becker 0329f75a93 Increase robustness and documentation of ticket implementation 2019-02-26 14:38:09 +00:00
Andrzej Kurek c470b6b021 Merge development commit 8e76332 into development-psa
Additional changes to temporarily enable running tests:
ssl_srv.c and test_suite_ecdh use mbedtls_ecp_group_load instead of
mbedtls_ecdh_setup
test_suite_ctr_drbg uses mbedtls_ctr_drbg_update instead of 
mbedtls_ctr_drbg_update_ret
2019-01-31 08:20:20 -05:00
Hanno Becker 679d8ceb13 Use PSA-based ciphers for SSL ticket protection
This commit modifies the default SSL ticket implementation
from `library/ssl_ticket.c` to use PSA-based cipher context
for ticket creation and parsing.

As in mbedtls_ssl_derive_keys() adapted in an earlier commit,
we allow fallback to the ordinary mbedtls_cipher_setup()
if the provided cipher is not known. We do this even though
we always call mbedtls_ssl_ticket_setup() with AES-GCM
in our own code since this function is public and might
be used with other ciphers by users.
2018-11-22 14:05:54 +00:00
Hanno Becker d140d0828e Introduce macros for constants in SSL ticket implementation 2018-11-22 14:05:54 +00:00
Hanno Becker aa71500173 Fix bug in SSL ticket implementation removing keys of age < 1s
Fixes #1968.
2018-08-21 17:48:52 +01:00
Andres Amaya Garcia 1f6301b3c8 Rename mbedtls_zeroize to mbedtls_platform_zeroize 2018-04-17 10:00:21 -05:00
Andres Amaya Garcia e32df087fb Remove individual copies of mbedtls_zeroize()
This commit removes all the static occurrencies of the function
mbedtls_zeroize() in each of the individual .c modules. Instead the
function has been moved to utils.h that is included in each of the
modules.
2018-04-17 09:19:05 -05:00
Simon Butcher b5b6af2663 Puts platform time abstraction into its own header
Separates platform time abstraction into it's own header from the
general platform abstraction as both depend on different build options.
(MBEDTLS_PLATFORM_C vs MBEDTLS_HAVE_TIME)
2016-07-13 14:46:18 +01:00
SimonB d5800b7761 Abstracts away time()/stdlib.h into platform
Substitutes time() into a configurable platform interface to allow it to be
easily substituted.
2016-04-26 14:49:59 +01:00
Manuel Pégourié-Gonnard 37ff14062e Change main license to Apache 2.0 2015-09-04 14:21:07 +02:00
Manuel Pégourié-Gonnard 6fb8187279 Update date in copyright line 2015-07-28 17:11:58 +02:00
Manuel Pégourié-Gonnard 097c7bb05b Rename relevant global symbols from size to bitlen
Just applying rename.pl with this file:

mbedtls_cipher_get_key_size mbedtls_cipher_get_key_bitlen
mbedtls_pk_get_size mbedtls_pk_get_bitlen
MBEDTLS_BLOWFISH_MIN_KEY MBEDTLS_BLOWFISH_MIN_KEY_BITS
MBEDTLS_BLOWFISH_MAX_KEY MBEDTLS_BLOWFISH_MAX_KEY_BITS
2015-06-18 16:43:38 +02:00
Manuel Pégourié-Gonnard 898e0aa210 Rename key_length in cipher_info 2015-06-18 15:31:10 +02:00
Manuel Pégourié-Gonnard 6a8ca33fa5 Rename ERR_xxx_MALLOC_FAILED to ..._ALLOC_FAILED 2015-05-28 16:25:05 +02:00
Manuel Pégourié-Gonnard 7551cb9ee9 Replace malloc with calloc
- platform layer currently broken (not adapted yet)
- memmory_buffer_alloc too
2015-05-26 16:04:06 +02:00
Manuel Pégourié-Gonnard 1e9c4db524 Implement key rotation 2015-05-25 19:42:14 +02:00
Manuel Pégourié-Gonnard 887674a33b Internal changes in preparation for key rotation
- two sets of keys
- separate function for key generation/update
2015-05-25 12:19:00 +02:00
Manuel Pégourié-Gonnard a0adc1bbe4 Make cipher used in ssl tickets configurable 2015-05-25 10:35:16 +02:00
Manuel Pégourié-Gonnard 1041a39338 Use AES-GCM-256 for session ticket protection 2015-05-20 20:19:42 +02:00
Manuel Pégourié-Gonnard 8eff512274 Fix possible signedness issue in time comparison 2015-05-20 11:41:36 +02:00
Manuel Pégourié-Gonnard 0849a0a910 Make ssl ticket functions thread-safe 2015-05-20 11:34:54 +02:00
Manuel Pégourié-Gonnard d59675d92c Move to callback for session tickets 2015-05-20 11:14:57 +02:00
Manuel Pégourié-Gonnard b0394bebdb Further adapt prototypes of ticket functions
Moving everything in ticket_keys structure, that will soon become
ticket_context.
2015-05-20 11:14:57 +02:00
Manuel Pégourié-Gonnard 69f17280d3 Adapt prototypes of ticket handling functions
This is an intermediate step. The ssl_config argument will be replace by a
ticket context next.
2015-05-20 11:14:57 +02:00
Manuel Pégourié-Gonnard a4a473516e Rename & move ticket functions to ticket module 2015-05-20 11:14:57 +02:00
Manuel Pégourié-Gonnard fd6d8978f9 Add new submodule ssl_ticket 2015-05-20 11:14:57 +02:00