1=pod 2 3=head1 NAME 4 5SSL_CTX_set_tlsext_ticket_key_cb - set a callback for session ticket processing 6 7=head1 SYNOPSIS 8 9 #include <openssl/tls1.h> 10 11 long SSL_CTX_set_tlsext_ticket_key_cb(SSL_CTX sslctx, 12 int (*cb)(SSL *s, unsigned char key_name[16], 13 unsigned char iv[EVP_MAX_IV_LENGTH], 14 EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc)); 15 16=head1 DESCRIPTION 17 18SSL_CTX_set_tlsext_ticket_key_cb() sets a callback function I<cb> for handling 19session tickets for the ssl context I<sslctx>. Session tickets, defined in 20RFC5077 provide an enhanced session resumption capability where the server 21implementation is not required to maintain per session state. It only applies 22to TLS and there is no SSLv3 implementation. 23 24The callback function I<cb> will be called for every client instigated TLS 25session when session ticket extension is presented in the TLS hello 26message. It is the responsibility of this function to create or retrieve the 27cryptographic parameters and to maintain their state. 28 29The OpenSSL library uses your callback function to help implement a common TLS 30ticket construction state according to RFC5077 Section 4 such that per session 31state is unnecessary and a small set of cryptographic variables needs to be 32maintained by the callback function implementation. 33 34In order to reuse a session, a TLS client must send the a session ticket 35extension to the server. The client can only send exactly one session ticket. 36The server, through the callback function, either agrees to reuse the session 37ticket information or it starts a full TLS handshake to create a new session 38ticket. 39 40Before the callback function is started I<ctx> and I<hctx> have been 41initialised with L<EVP_CIPHER_CTX_reset(3)> and L<HMAC_CTX_reset(3)> respectively. 42 43For new sessions tickets, when the client doesn't present a session ticket, or 44an attempted retrieval of the ticket failed, or a renew option was indicated, 45the callback function will be called with I<enc> equal to 1. The OpenSSL 46library expects that the function will set an arbitrary I<name>, initialize 47I<iv>, and set the cipher context I<ctx> and the hash context I<hctx>. 48 49The I<name> is 16 characters long and is used as a key identifier. 50 51The I<iv> length is the length of the IV of the corresponding cipher. The 52maximum IV length is B<EVP_MAX_IV_LENGTH> bytes defined in B<evp.h>. 53 54The initialization vector I<iv> should be a random value. The cipher context 55I<ctx> should use the initialisation vector I<iv>. The cipher context can be 56set using L<EVP_EncryptInit_ex(3)>. The hmac context can be set using 57L<HMAC_Init_ex(3)>. 58 59When the client presents a session ticket, the callback function with be called 60with I<enc> set to 0 indicating that the I<cb> function should retrieve a set 61of parameters. In this case I<name> and I<iv> have already been parsed out of 62the session ticket. The OpenSSL library expects that the I<name> will be used 63to retrieve a cryptographic parameters and that the cryptographic context 64I<ctx> will be set with the retrieved parameters and the initialization vector 65I<iv>. using a function like L<EVP_DecryptInit_ex(3)>. The I<hctx> needs to be 66set using L<HMAC_Init_ex(3)>. 67 68If the I<name> is still valid but a renewal of the ticket is required the 69callback function should return 2. The library will call the callback again 70with an argument of enc equal to 1 to set the new ticket. 71 72The return value of the I<cb> function is used by OpenSSL to determine what 73further processing will occur. The following return values have meaning: 74 75=over 4 76 77=item Z<>2 78 79This indicates that the I<ctx> and I<hctx> have been set and the session can 80continue on those parameters. Additionally it indicates that the session 81ticket is in a renewal period and should be replaced. The OpenSSL library will 82call I<cb> again with an enc argument of 1 to set the new ticket (see RFC5077 833.3 paragraph 2). 84 85=item Z<>1 86 87This indicates that the I<ctx> and I<hctx> have been set and the session can 88continue on those parameters. 89 90=item Z<>0 91 92This indicates that it was not possible to set/retrieve a session ticket and 93the SSL/TLS session will continue by negotiating a set of cryptographic 94parameters or using the alternate SSL/TLS resumption mechanism, session ids. 95 96If called with enc equal to 0 the library will call the I<cb> again to get 97a new set of parameters. 98 99=item less than 0 100 101This indicates an error. 102 103=back 104 105=head1 NOTES 106 107Session resumption shortcuts the TLS so that the client certificate 108negotiation don't occur. It makes up for this by storing client certificate 109an all other negotiated state information encrypted within the ticket. In a 110resumed session the applications will have all this state information available 111exactly as if a full negotiation had occurred. 112 113If an attacker can obtain the key used to encrypt a session ticket, they can 114obtain the master secret for any ticket using that key and decrypt any traffic 115using that session: even if the cipher suite supports forward secrecy. As 116a result applications may wish to use multiple keys and avoid using long term 117keys stored in files. 118 119Applications can use longer keys to maintain a consistent level of security. 120For example if a cipher suite uses 256 bit ciphers but only a 128 bit ticket key 121the overall security is only 128 bits because breaking the ticket key will 122enable an attacker to obtain the session keys. 123 124=head1 RETURN VALUES 125 126Returns 1 to indicate the callback function was set and 0 otherwise. 127 128=head1 EXAMPLES 129 130Reference Implementation: 131 132 SSL_CTX_set_tlsext_ticket_key_cb(SSL, ssl_tlsext_ticket_key_cb); 133 ... 134 135 static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16], 136 unsigned char *iv, EVP_CIPHER_CTX *ctx, 137 HMAC_CTX *hctx, int enc) 138 { 139 your_type_t *key; /* something that you need to implement */ 140 141 if (enc) { /* create new session */ 142 if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0) 143 return -1; /* insufficient random */ 144 145 key = currentkey(); /* something that you need to implement */ 146 if (key == NULL) { 147 /* current key doesn't exist or isn't valid */ 148 key = createkey(); /* 149 * Something that you need to implement. 150 * createkey needs to initialise a name, 151 * an aes_key, a hmac_key and optionally 152 * an expire time. 153 */ 154 if (key == NULL) /* key couldn't be created */ 155 return 0; 156 } 157 memcpy(key_name, key->name, 16); 158 159 EVP_EncryptInit_ex(&ctx, EVP_aes_256_cbc(), NULL, key->aes_key, iv); 160 HMAC_Init_ex(&hctx, key->hmac_key, 32, EVP_sha256(), NULL); 161 162 return 1; 163 164 } else { /* retrieve session */ 165 time_t t = time(NULL); 166 key = findkey(key_name); /* something that you need to implement */ 167 168 if (key == NULL || key->expire < t) 169 return 0; 170 171 HMAC_Init_ex(&hctx, key->hmac_key, 32, EVP_sha256(), NULL); 172 EVP_DecryptInit_ex(&ctx, EVP_aes_256_cbc(), NULL, key->aes_key, iv); 173 174 if (key->expire < t - RENEW_TIME) { /* RENEW_TIME: implement */ 175 /* 176 * return 2 - This session will get a new ticket even though the 177 * current one is still valid. 178 */ 179 return 2; 180 } 181 return 1; 182 } 183 } 184 185=head1 SEE ALSO 186 187L<ssl(7)>, L<SSL_set_session(3)>, 188L<SSL_session_reused(3)>, 189L<SSL_CTX_add_session(3)>, 190L<SSL_CTX_sess_number(3)>, 191L<SSL_CTX_sess_set_get_cb(3)>, 192L<SSL_CTX_set_session_id_context(3)>, 193 194=head1 COPYRIGHT 195 196Copyright 2014-2021 The OpenSSL Project Authors. All Rights Reserved. 197 198Licensed under the OpenSSL license (the "License"). You may not use 199this file except in compliance with the License. You can obtain a copy 200in the file LICENSE in the source distribution or at 201L<https://www.openssl.org/source/license.html>. 202 203=cut 204