altcp_tls_mbedtls: add session tickes, improve configuration for session cache

(cherry picked from commit 6f232b7c3f04e80465a9edb5805dbf90f58fb515)
author: Simon Goldschmidt <[email protected]> 2018-11-23 22:39:58 +0100
committer: Simon Goldschmidt <[email protected]> 2019-02-18 13:12:18 +0100
commit: 4b3c59e4cc98c2c5a6bf801fb83bdff09eaaae6d (patch)
tree: d7ef0f24a7ec1271f2bd30d0699045f94154c720
parent: beeb300c18c3828c88bf1d067d448c80e1905135 (diff)
2 files changed, 54 insertions, 6 deletions
diff --git a/src/apps/altcp_tls/altcp_tls_mbedtls.c b/src/apps/altcp_tls/altcp_tls_mbedtls.c
index 1b6baf6d..ea9303ca 100644
--- a/src/apps/altcp_tls/altcp_tls_mbedtls.c
+++ b/src/apps/altcp_tls/altcp_tls_mbedtls.c
@@ -76,6 +76,7 @@
 #include "mbedtls/platform.h"
 #include "mbedtls/memory_buffer_alloc.h"
 #include "mbedtls/ssl_cache.h"
+#include "mbedtls/ssl_ticket.h"
 
 #include "mbedtls/ssl_internal.h" /* to call mbedtls_flush_output after ERR_MEM */
 
@@ -100,10 +101,13 @@ struct altcp_tls_config {
   mbedtls_x509_crt *cert;
   mbedtls_pk_context *pkey;
   mbedtls_x509_crt *ca;
-#if defined(MBEDTLS_SSL_CACHE_C) && ALTCP_MBEDTLS_SESSION_CACHE_TIMEOUT_SECONDS
+#if defined(MBEDTLS_SSL_CACHE_C) && ALTCP_MBEDTLS_USE_SESSION_CACHE
   /** Inter-connection cache for fast connection startup */
   struct mbedtls_ssl_cache_context cache;
 #endif
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && ALTCP_MBEDTLS_USE_SESSION_TICKETS
+  mbedtls_ssl_ticket_context ticket_ctx;
+#endif
 };
 
 static err_t altcp_mbedtls_lower_recv(void *arg, struct altcp_pcb *inner_conn, struct pbuf *p, err_t err);
@@ -721,12 +725,28 @@ altcp_tls_create_config(int is_server, int have_cert, int have_pkey, int have_ca
 #if ALTCP_MBEDTLS_LIB_DEBUG != LWIP_DBG_OFF
   mbedtls_ssl_conf_dbg(&conf->conf, altcp_mbedtls_debug, stdout);
 #endif
-#if defined(MBEDTLS_SSL_CACHE_C) && ALTCP_MBEDTLS_SESSION_CACHE_TIMEOUT_SECONDS
+#if defined(MBEDTLS_SSL_CACHE_C) && ALTCP_MBEDTLS_USE_SESSION_CACHE
   mbedtls_ssl_conf_session_cache(&conf->conf, &conf->cache, mbedtls_ssl_cache_get, mbedtls_ssl_cache_set);
-  mbedtls_ssl_cache_set_timeout(&conf->cache, 30);
-  mbedtls_ssl_cache_set_max_entries(&conf->cache, 30);
+  mbedtls_ssl_cache_set_timeout(&conf->cache, ALTCP_MBEDTLS_SESSION_CACHE_TIMEOUT_SECONDS);
+  mbedtls_ssl_cache_set_max_entries(&conf->cache, ALTCP_MBEDTLS_SESSION_CACHE_SIZE);
 #endif
 
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && ALTCP_MBEDTLS_USE_SESSION_TICKETS
+  mbedtls_ssl_ticket_init(&conf->ticket_ctx);
+
+  ret = mbedtls_ssl_ticket_setup(&conf->ticket_ctx, mbedtls_ctr_drbg_random, &conf->ctr_drbg,
+    ALTCP_MBEDTLS_SESSION_TICKET_CIPHER, ALTCP_MBEDTLS_SESSION_TICKET_TIMEOUT_SECONDS);
+  if (ret) {
+    LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_ssl_ticket_setup failed: %d\n", ret));
+    altcp_mbedtls_free_config(conf);
+    return NULL;
+  }
+
+  mbedtls_ssl_conf_session_tickets_cb(&conf->conf, mbedtls_ssl_ticket_write, mbedtls_ssl_ticket_parse,
+    &conf->ticket_ctx);
+#endif
+
+
   return conf;
 }
 
diff --git a/src/include/lwip/apps/altcp_tls_mbedtls_opts.h b/src/include/lwip/apps/altcp_tls_mbedtls_opts.h
index d8129cc8..71aa5993 100644
--- a/src/include/lwip/apps/altcp_tls_mbedtls_opts.h
+++ b/src/include/lwip/apps/altcp_tls_mbedtls_opts.h
@@ -65,11 +65,39 @@
 #define ALTCP_MBEDTLS_LIB_DEBUG_LEVEL_MIN             0
 #endif
 
-/** Set a session timeout in seconds for the basic session cache
+/** Enable the basic session cache
  * ATTENTION: Using a session cache can lower security by reusing keys!
  */
+#ifndef ALTCP_MBEDTLS_USE_SESSION_CACHE
+#define ALTCP_MBEDTLS_USE_SESSION_CACHE               0
+#endif
+
+/** Maximum cache size of the basic session cache */
+#ifndef ALTCP_MBEDTLS_SESSION_CACHE_SIZE
+#define ALTCP_MBEDTLS_SESSION_CACHE_SIZE              30
+#endif
+
+/** Set a session timeout in seconds for the basic session cache  */
 #ifndef ALTCP_MBEDTLS_SESSION_CACHE_TIMEOUT_SECONDS
-#define ALTCP_MBEDTLS_SESSION_CACHE_TIMEOUT_SECONDS   0
+#define ALTCP_MBEDTLS_SESSION_CACHE_TIMEOUT_SECONDS   (60 * 60)
+#endif
+
+/** Use session tickets to speed up connection setup (needs
+ * MBEDTLS_SSL_SESSION_TICKETS enabled in mbedTLS config).
+ * ATTENTION: Using session tickets can lower security by reusing keys!
+ */
+#ifndef ALTCP_MBEDTLS_USE_SESSION_TICKETS
+#define ALTCP_MBEDTLS_USE_SESSION_TICKETS             0
+#endif
+
+/** Session ticket cipher */
+#ifndef ALTCP_MBEDTLS_SESSION_TICKET_CIPHER
+#define ALTCP_MBEDTLS_SESSION_TICKET_CIPHER           MBEDTLS_CIPHER_AES_256_GCM
+#endif
+
+/** Maximum timeout for session tickets */
+#ifndef ALTCP_MBEDTLS_SESSION_TICKET_TIMEOUT_SECONDS
+#define ALTCP_MBEDTLS_SESSION_TICKET_TIMEOUT_SECONDS  (60 * 60 * 24)
 #endif
 
 #endif /* LWIP_ALTCP */
author	Simon Goldschmidt <[email protected]>	2018-11-23 22:39:58 +0100
committer	Simon Goldschmidt <[email protected]>	2019-02-18 13:12:18 +0100
commit	4b3c59e4cc98c2c5a6bf801fb83bdff09eaaae6d (patch)
tree	d7ef0f24a7ec1271f2bd30d0699045f94154c720
parent	beeb300c18c3828c88bf1d067d448c80e1905135 (diff)