Use AES256 for the default encryption algoritm for TLS session tickets
This involves providing more session ticket key data, for both the cipher and
the digest
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #515, MR: #2153
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 9bc9892..b39f387 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -858,8 +858,8 @@
void *tlsext_servername_arg;
/* RFC 4507 session ticket keys */
unsigned char tlsext_tick_key_name[16];
- unsigned char tlsext_tick_hmac_key[16];
- unsigned char tlsext_tick_aes_key[16];
+ unsigned char tlsext_tick_hmac_key[32];
+ unsigned char tlsext_tick_aes_key[32];
/* Callback to support customisation of ticket key setting */
int (*tlsext_ticket_key_cb) (SSL *ssl,
unsigned char *name, unsigned char *iv,
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index c8c68dc..60f92e5 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3048,7 +3048,7 @@
} else {
if (RAND_bytes(iv, 16) <= 0)
goto err;
- if (!EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL,
+ if (!EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
tctx->tlsext_tick_aes_key, iv))
goto err;
if (!HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key,
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 996a132..ef8d0ae 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -3137,7 +3137,7 @@
if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key,
sizeof(tctx->tlsext_tick_hmac_key),
EVP_sha256(), NULL) <= 0
- || EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL,
+ || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
tctx->tlsext_tick_aes_key,
etick + sizeof(tctx->tlsext_tick_key_name)) <= 0) {
goto err;
