TLS server ticket callbacks implementation.
void mbedtls_ssl_ticket_init (mbedtls_ssl_ticket_context *ctx)
    Initialize a ticket context. (Just make it ready for mbedtls_ssl_ticket_setup() or mbedtls_ssl_ticket_free().)

int mbedtls_ssl_ticket_setup (mbedtls_ssl_ticket_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, mbedtls_cipher_type_t cipher, uint32_t lifetime)
    Prepare a context to be actually used.

int mbedtls_ssl_ticket_rotate (mbedtls_ssl_ticket_context *ctx, const unsigned char *name, size_t nlength, const unsigned char *k, size_t klength, uint32_t lifetime)
    Rotate the session ticket encryption key to the specified new key. Provides for external control of session ticket encryption key rotation, e.g. for synchronization between different machines. If this function is not used, or is not called before the ticket lifetime expires, a new session ticket encryption key is generated internally in order to avoid unbounded session ticket encryption key lifetimes.

void mbedtls_ssl_ticket_free (mbedtls_ssl_ticket_context *ctx)
    Free a context's content and zeroize it.
Definition in file ssl_ticket.h.
◆ MBEDTLS_SSL_TICKET_KEY_NAME_BYTES
#define MBEDTLS_SSL_TICKET_KEY_NAME_BYTES 4
◆ MBEDTLS_SSL_TICKET_MAX_KEY_BYTES
#define MBEDTLS_SSL_TICKET_MAX_KEY_BYTES 32
Maximum supported key length in bytes.
Definition at line 41 of file ssl_ticket.h.
◆ mbedtls_ssl_ticket_context
Context for session ticket handling functions.
◆ mbedtls_ssl_ticket_key
Information for session ticket protection.
◆ mbedtls_ssl_ticket_free()
Free a context's content and zeroize it.
- Parameters
  - ctx: Context to be cleaned up
◆ mbedtls_ssl_ticket_init()
◆ mbedtls_ssl_ticket_rotate()
int mbedtls_ssl_ticket_rotate (mbedtls_ssl_ticket_context *ctx, const unsigned char *name, size_t nlength, const unsigned char *k, size_t klength, uint32_t lifetime)
Rotate the session ticket encryption key to the specified new key. Provides for external control of session ticket encryption key rotation, e.g. for synchronization between different machines. If this function is not used, or is not called before the ticket lifetime expires, a new session ticket encryption key is generated internally in order to avoid unbounded session ticket encryption key lifetimes.
- Parameters
  - ctx: Context to be set up
  - name: Session ticket encryption key name
  - nlength: Session ticket encryption key name length in bytes
  - k: Session ticket encryption key
  - klength: Session ticket encryption key length in bytes
  - lifetime: Ticket lifetime in seconds. Recommended value: 86400 (one day).
- Note
  - name and k are recommended to be cryptographically random data.
  - nlength must match sizeof( ctx->name ).
  - klength must be sufficient for use by the cipher specified to mbedtls_ssl_ticket_setup().
  - It is recommended to pick a reasonable lifetime so as not to negate the benefits of forward secrecy.
  - The TLS 1.3 specification states that the ticket lifetime must be smaller than seven days. If the ticket lifetime has been set to a value greater than seven days in this module, and TLS 1.3 is configured to send tickets after the handshake, the connection will fail when the first ticket is sent.
- Returns
  - 0 if successful, or a specific MBEDTLS_ERR_XXX error code
◆ mbedtls_ssl_ticket_setup()
Prepare context to be actually used.
- Parameters
  - ctx: Context to be set up
  - f_rng: RNG callback function (mandatory)
  - p_rng: RNG callback context
  - cipher: AEAD cipher to use for ticket protection. Recommended value: MBEDTLS_CIPHER_AES_256_GCM.
  - lifetime: Ticket lifetime in seconds. Recommended value: 86400 (one day).
- Note
  - It is highly recommended to select a cipher that is at least as strong as the strongest ciphersuite supported. Usually that means a 256-bit key.
  - It is recommended to pick a reasonable lifetime so as not to negate the benefits of forward secrecy.
  - The TLS 1.3 specification states that the ticket lifetime must be smaller than seven days. If the ticket lifetime has been set to a value greater than seven days in this module, and TLS 1.3 is configured to send tickets after the handshake, the connection will fail when the first ticket is sent.
- Returns
  - 0 if successful, or a specific MBEDTLS_ERR_XXX error code
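The constraints documented for mbedtls_ssl_ticket_setup() and mbedtls_ssl_ticket_rotate() above (key name length, key length versus the configured AEAD, the seven-day TLS 1.3 bound, and rotation before a lifetime elapses) can be enforced by a server before it calls into the library. The following is an added, self-contained example and not Mbed TLS code: the functions ticket_rotate_args_check() and ticket_rotation_due() and the enum ticket_check are hypothetical helpers, and the constants mirror the values on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants mirroring ssl_ticket.h and the TLS 1.3 bound cited in the notes. */
#define TICKET_KEY_NAME_BYTES 4u            /* MBEDTLS_SSL_TICKET_KEY_NAME_BYTES */
#define TICKET_MAX_KEY_BYTES 32u            /* MBEDTLS_SSL_TICKET_MAX_KEY_BYTES */
#define TICKET_TLS13_MAX_LIFETIME 604800u   /* seven days in seconds */

/* Hypothetical result codes for the pre-check; these are not MBEDTLS_ERR_XXX values. */
enum ticket_check {
    TICKET_OK = 0,
    TICKET_BAD_NAME_LEN,      /* nlength != sizeof(ctx->name) */
    TICKET_KEY_TOO_LONG,      /* klength exceeds what the context can store */
    TICKET_KEY_TOO_SHORT,     /* klength below the key size of the configured AEAD */
    TICKET_LIFETIME_TOO_LONG  /* TLS 1.3 would fail when sending the first ticket */
};

/* Validate the arguments a server is about to pass to mbedtls_ssl_ticket_rotate().
 * cipher_key_bytes is the key size of the AEAD given to mbedtls_ssl_ticket_setup()
 * (32 for MBEDTLS_CIPHER_AES_256_GCM); tls13 says whether TLS 1.3 tickets are sent. */
enum ticket_check ticket_rotate_args_check(size_t nlength, size_t klength,
                                          size_t cipher_key_bytes,
                                          uint32_t lifetime, int tls13)
{
    if (nlength != TICKET_KEY_NAME_BYTES)  return TICKET_BAD_NAME_LEN;
    if (klength > TICKET_MAX_KEY_BYTES)    return TICKET_KEY_TOO_LONG;
    if (klength < cipher_key_bytes)        return TICKET_KEY_TOO_SHORT;
    if (tls13 && lifetime > TICKET_TLS13_MAX_LIFETIME) return TICKET_LIFETIME_TOO_LONG;
    return TICKET_OK;
}

/* Externally coordinated rotation: every machine in the fleet rotates to the same
 * name/key once the current key has been in service for one ticket lifetime. If a
 * machine is not rotated in time, the module generates its own fresh key and the
 * fleet's keys diverge. Uses 32-bit wrap-safe subtraction on the clock values. */
int ticket_rotation_due(uint32_t key_generation_time, uint32_t lifetime, uint32_t now)
{
    return (uint32_t)(now - key_generation_time) >= lifetime;
}

int main(void)
{
    /* Constructed values: AES-256-GCM key size, one-day lifetime, TLS 1.3 enabled. */
    enum ticket_check r = ticket_rotate_args_check(4, 32, 32, 86400, 1);
    printf("rotate args: %s\n", r == TICKET_OK ? "ok" : "rejected");
    printf("rotation due after one day: %d\n",
           ticket_rotation_due(1000, 86400, 1000 + 86400));
    return 0;
}
```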
◆ mbedtls_ssl_ticket_parse
Implementation of the ticket parse callback.
- Note
  - See mbedtls_ssl_ticket_parse_t for a description.
Definition at line 184 of file ssl_ticket.h.
◆ mbedtls_ssl_ticket_write
Implementation of the ticket write callback.
- Note
  - See mbedtls_ssl_ticket_write_t for a description.
Definition at line 177 of file ssl_ticket.h.