commit a950938ff0d7301cf25da9c7242d6ab3b607462d
author Glenn Strauss <gstrauss@gluelogic.com> Wed Feb 02 23:32:18 2022 -0500
committer Glenn Strauss <gstrauss@gluelogic.com> Wed Feb 09 14:33:15 2022 -0500
tree c7a612ac53264e57925846e5eea7fd90301b81cb
parent 196a1c425605b5d5d2619fea1674403694a89cc4

Add mbedtls_ssl_ticket_rotate for ticket rotation.

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>

library/ssl_ticket.c

diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c
index e998111..e410b6b 100644
--- a/library/ssl_ticket.c
+++ b/library/ssl_ticket.c
@@ -122,6 +122,35 @@
 }
 
 /*
+ * Rotate active session ticket encryption key
+ */
+int mbedtls_ssl_ticket_rotate( mbedtls_ssl_ticket_context *ctx,
+    const unsigned char *name, size_t nlength,
+    const unsigned char *k, size_t klength,
+    uint32_t lifetime )
+{
+    const unsigned char idx = 1 - ctx->active;
+    mbedtls_ssl_ticket_key * const key = ctx->keys + idx;
+    const int bitlen = mbedtls_cipher_get_key_bitlen( &key->ctx );
+    int ret;
+    if( nlength < TICKET_KEY_NAME_BYTES || klength * 8 < (size_t)bitlen )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    /* With GCM and CCM, same context can encrypt & decrypt */
+    ret = mbedtls_cipher_setkey( &key->ctx, k, bitlen, MBEDTLS_ENCRYPT );
+    if( ret != 0 )
+        return( ret );
+
+    ctx->active = idx;
+    ctx->ticket_lifetime = lifetime;
+    memcpy( key->name, name, TICKET_KEY_NAME_BYTES );
+#if defined(MBEDTLS_HAVE_TIME)
+    key->generation_time = (uint32_t) mbedtls_time( NULL );
+#endif
+    return 0;
+}
+
+/*
  * Setup context for actual use
  */
 int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,