Make cookie timeout configurable
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index abca55f..b13a407 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -2201,6 +2201,7 @@
//#define SSL_MAX_CONTENT_LEN 16384 /**< Size of the input / output buffer */
//#define SSL_DEFAULT_TICKET_LIFETIME 86400 /**< Lifetime of session tickets (if enabled) */
//#define POLARSSL_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */
+//#define POLARSSL_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
/**
* Complete list of ciphersuites to use, in order of preference.
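Review bot: The comment on `POLARSSL_SSL_COOKIE_TIMEOUT` gives a single default, 60, for two different units and does not say what that value means in a build without HAVE_TIME. If the serial advances once per cookie issued, as the comment suggests, then 60 further ClientHellos from any source expire a legitimate client's outstanding cookie. The check would then get stricter exactly when the server is being flooded. I would say so in the comment, for example `in seconds if HAVE_TIME, or in number of cookies issued (busy servers without HAVE_TIME may need a larger value)`. The same comment text is repeated on the `#define` in ssl_cookie.h.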
diff --git a/include/polarssl/ssl_cookie.h b/include/polarssl/ssl_cookie.h
index 7db00c2..9a71443 100644
--- a/include/polarssl/ssl_cookie.h
+++ b/include/polarssl/ssl_cookie.h
@@ -36,6 +36,9 @@
* Either change them in config.h or define them on the compiler command line.
* \{
*/
+#ifndef POLARSSL_SSL_COOKIE_TIMEOUT
+#define POLARSSL_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
+#endif
/* \} name SECTION: Module settings */
@@ -48,10 +51,13 @@
*/
typedef struct
{
- md_context_t hmac_ctx; /*!< context for the HMAC portion */
+ md_context_t hmac_ctx; /*!< context for the HMAC portion */
#if !defined(POLARSSL_HAVE_TIME)
- unsigned long serial; /*!< serial number for expiration */
+ unsigned long serial; /*!< serial number for expiration */
#endif
+ unsigned long timeout; /*!< timeout delay, in seconds if HAVE_TIME,
+ or in number of tickets issued */
+
} ssl_cookie_ctx;
/**
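Review bot: The comment on the new `timeout` field says "number of tickets issued", while the macro and the `ssl_cookie_set_timeout` documentation say "cookies issued". Session tickets are a separate feature with their own lifetime setting (`SSL_DEFAULT_TICKET_LIFETIME` in config.h), so the wording can send a reader to the wrong knob. Suggested: `/*!< timeout delay, in seconds if HAVE_TIME, or in number of cookies issued */`. The blank line added before the closing brace of the struct can also be dropped.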
@@ -67,6 +73,17 @@
void *p_rng );
/**
+ * \brief Set expiration delay for cookies
+ * (Default POLARSSL_SSL_COOKIE_TIMEOUT)
+ *
+ * \param ctx Cookie contex
+ * \param delay Delay, in seconds if HAVE_TIME, or in number of cookies
+ * issued in the meantime.
+ * 0 to disable expiration (NOT recommended)
+ */
+void ssl_cookie_set_timeout( ssl_cookie_ctx *ctx, unsigned long delay );
+
+/**
* \brief Free cookie context
*/
void ssl_cookie_free( ssl_cookie_ctx *ctx );
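Review bot: The `\param delay` text marks 0 as "NOT recommended" without saying what is lost, and `\param ctx` has a typo ("contex"). With 0 the expiry comparison in ssl_cookie.c is skipped, so a cookie that verified once stays acceptable for as long as the HMAC key is in use, presumably the lifetime of the context. That weakens the address-verification purpose of the cookie exchange. I would write `0 to disable expiration (NOT recommended: an issued cookie then never expires and can be replayed)` and correct the other line to `Cookie context`.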
diff --git a/library/ssl_cookie.c b/library/ssl_cookie.c
index fa0aabc..7e1df42 100644
--- a/library/ssl_cookie.c
+++ b/library/ssl_cookie.c
@@ -76,14 +76,18 @@
*/
#define COOKIE_LEN ( 4 + COOKIE_HMAC_LEN )
-#define COOKIE_TIMEOUT 60
-
void ssl_cookie_init( ssl_cookie_ctx *ctx )
{
md_init( &ctx->hmac_ctx );
#if !defined(POLARSSL_HAVE_TIME)
ctx->serial = 0;
#endif
+ ctx->timeout = POLARSSL_SSL_COOKIE_TIMEOUT;
+}
+
+void ssl_cookie_set_timeout( ssl_cookie_ctx *ctx, unsigned long delay )
+{
+ ctx->timeout = delay;
}
void ssl_cookie_free( ssl_cookie_ctx *ctx )
@@ -211,7 +215,7 @@
( (unsigned long) cookie[2] << 8 ) |
( (unsigned long) cookie[3] );
- if( cur_time - cookie_time > COOKIE_TIMEOUT )
+ if( ctx->timeout != 0 && cur_time - cookie_time > ctx->timeout )
return( -1 );
return( 0 );
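Review bot: The new condition has two edge behaviours that are not stated near it. `ctx->timeout != 0` turns the check off completely, and the subtraction is unsigned, so a `cookie_time` later than `cur_time` wraps to a large value and is in practice rejected only while a timeout is set. A short comment above the `if` would make both explicit, e.g. `/* timeout == 0: no expiration; unsigned wrap rejects timestamps from the future */`. Since `cookie_time` is rebuilt from four bytes, a `delay` of 2^32 or more where `unsigned long` is 64-bit appears never to expire a cookie either; clamping or documenting that in `ssl_cookie_set_timeout` would avoid a silent no-expiry configuration. The enclosing function starts outside this hunk, so the assignment of `cur_time` is not visible here.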