ssl_ticket.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405
  1. /*
  2. * TLS server tickets callbacks implementation
  3. *
  4. * Copyright The Mbed TLS Contributors
  5. * SPDX-License-Identifier: Apache-2.0
  6. *
  7. * Licensed under the Apache License, Version 2.0 (the "License"); you may
  8. * not use this file except in compliance with the License.
  9. * You may obtain a copy of the License at
  10. *
  11. * http://www.apache.org/licenses/LICENSE-2.0
  12. *
  13. * Unless required by applicable law or agreed to in writing, software
  14. * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  15. * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  16. * See the License for the specific language governing permissions and
  17. * limitations under the License.
  18. */
  19. #include "common.h"
  20. #if defined(MBEDTLS_SSL_TICKET_C)
  21. #if defined(MBEDTLS_PLATFORM_C)
  22. #include "mbedtls/platform.h"
  23. #else
  24. #include <stdlib.h>
  25. #define mbedtls_calloc calloc
  26. #define mbedtls_free free
  27. #endif
  28. #include "mbedtls/ssl_internal.h"
  29. #include "mbedtls/ssl_ticket.h"
  30. #include "mbedtls/error.h"
  31. #include "mbedtls/platform_util.h"
  32. #include <string.h>
  33. /*
  34. * Initialze context
  35. */
  36. void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx )
  37. {
  38. memset( ctx, 0, sizeof( mbedtls_ssl_ticket_context ) );
  39. #if defined(MBEDTLS_THREADING_C)
  40. mbedtls_mutex_init( &ctx->mutex );
  41. #endif
  42. }
  43. #define MAX_KEY_BYTES 32 /* 256 bits */
  44. #define TICKET_KEY_NAME_BYTES 4
  45. #define TICKET_IV_BYTES 12
  46. #define TICKET_CRYPT_LEN_BYTES 2
  47. #define TICKET_AUTH_TAG_BYTES 16
  48. #define TICKET_MIN_LEN ( TICKET_KEY_NAME_BYTES + \
  49. TICKET_IV_BYTES + \
  50. TICKET_CRYPT_LEN_BYTES + \
  51. TICKET_AUTH_TAG_BYTES )
  52. #define TICKET_ADD_DATA_LEN ( TICKET_KEY_NAME_BYTES + \
  53. TICKET_IV_BYTES + \
  54. TICKET_CRYPT_LEN_BYTES )
  55. /*
  56. * Generate/update a key
  57. */
  58. static int ssl_ticket_gen_key( mbedtls_ssl_ticket_context *ctx,
  59. unsigned char index )
  60. {
  61. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  62. unsigned char buf[MAX_KEY_BYTES];
  63. mbedtls_ssl_ticket_key *key = ctx->keys + index;
  64. #if defined(MBEDTLS_HAVE_TIME)
  65. key->generation_time = (uint32_t) mbedtls_time( NULL );
  66. #endif
  67. if( ( ret = ctx->f_rng( ctx->p_rng, key->name, sizeof( key->name ) ) ) != 0 )
  68. return( ret );
  69. if( ( ret = ctx->f_rng( ctx->p_rng, buf, sizeof( buf ) ) ) != 0 )
  70. return( ret );
  71. /* With GCM and CCM, same context can encrypt & decrypt */
  72. ret = mbedtls_cipher_setkey( &key->ctx, buf,
  73. mbedtls_cipher_get_key_bitlen( &key->ctx ),
  74. MBEDTLS_ENCRYPT );
  75. mbedtls_platform_zeroize( buf, sizeof( buf ) );
  76. return( ret );
  77. }
  78. /*
  79. * Rotate/generate keys if necessary
  80. */
  81. static int ssl_ticket_update_keys( mbedtls_ssl_ticket_context *ctx )
  82. {
  83. #if !defined(MBEDTLS_HAVE_TIME)
  84. ((void) ctx);
  85. #else
  86. if( ctx->ticket_lifetime != 0 )
  87. {
  88. uint32_t current_time = (uint32_t) mbedtls_time( NULL );
  89. uint32_t key_time = ctx->keys[ctx->active].generation_time;
  90. if( current_time >= key_time &&
  91. current_time - key_time < ctx->ticket_lifetime )
  92. {
  93. return( 0 );
  94. }
  95. ctx->active = 1 - ctx->active;
  96. return( ssl_ticket_gen_key( ctx, ctx->active ) );
  97. }
  98. else
  99. #endif /* MBEDTLS_HAVE_TIME */
  100. return( 0 );
  101. }
  102. /*
  103. * Setup context for actual use
  104. */
  105. int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
  106. int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
  107. mbedtls_cipher_type_t cipher,
  108. uint32_t lifetime )
  109. {
  110. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  111. const mbedtls_cipher_info_t *cipher_info;
  112. ctx->f_rng = f_rng;
  113. ctx->p_rng = p_rng;
  114. ctx->ticket_lifetime = lifetime;
  115. cipher_info = mbedtls_cipher_info_from_type( cipher);
  116. if( cipher_info == NULL )
  117. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  118. if( cipher_info->mode != MBEDTLS_MODE_GCM &&
  119. cipher_info->mode != MBEDTLS_MODE_CCM )
  120. {
  121. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  122. }
  123. if( cipher_info->key_bitlen > 8 * MAX_KEY_BYTES )
  124. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  125. #if defined(MBEDTLS_USE_PSA_CRYPTO)
  126. ret = mbedtls_cipher_setup_psa( &ctx->keys[0].ctx,
  127. cipher_info, TICKET_AUTH_TAG_BYTES );
  128. if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
  129. return( ret );
  130. /* We don't yet expect to support all ciphers through PSA,
  131. * so allow fallback to ordinary mbedtls_cipher_setup(). */
  132. if( ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
  133. #endif /* MBEDTLS_USE_PSA_CRYPTO */
  134. if( ( ret = mbedtls_cipher_setup( &ctx->keys[0].ctx, cipher_info ) ) != 0 )
  135. return( ret );
  136. #if defined(MBEDTLS_USE_PSA_CRYPTO)
  137. ret = mbedtls_cipher_setup_psa( &ctx->keys[1].ctx,
  138. cipher_info, TICKET_AUTH_TAG_BYTES );
  139. if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
  140. return( ret );
  141. if( ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
  142. #endif /* MBEDTLS_USE_PSA_CRYPTO */
  143. if( ( ret = mbedtls_cipher_setup( &ctx->keys[1].ctx, cipher_info ) ) != 0 )
  144. return( ret );
  145. if( ( ret = ssl_ticket_gen_key( ctx, 0 ) ) != 0 ||
  146. ( ret = ssl_ticket_gen_key( ctx, 1 ) ) != 0 )
  147. {
  148. return( ret );
  149. }
  150. return( 0 );
  151. }
  152. /*
  153. * Create session ticket, with the following structure:
  154. *
  155. * struct {
  156. * opaque key_name[4];
  157. * opaque iv[12];
  158. * opaque encrypted_state<0..2^16-1>;
  159. * opaque tag[16];
  160. * } ticket;
  161. *
  162. * The key_name, iv, and length of encrypted_state are the additional
  163. * authenticated data.
  164. */
  165. int mbedtls_ssl_ticket_write( void *p_ticket,
  166. const mbedtls_ssl_session *session,
  167. unsigned char *start,
  168. const unsigned char *end,
  169. size_t *tlen,
  170. uint32_t *ticket_lifetime )
  171. {
  172. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  173. mbedtls_ssl_ticket_context *ctx = p_ticket;
  174. mbedtls_ssl_ticket_key *key;
  175. unsigned char *key_name = start;
  176. unsigned char *iv = start + TICKET_KEY_NAME_BYTES;
  177. unsigned char *state_len_bytes = iv + TICKET_IV_BYTES;
  178. unsigned char *state = state_len_bytes + TICKET_CRYPT_LEN_BYTES;
  179. size_t clear_len, ciph_len;
  180. *tlen = 0;
  181. if( ctx == NULL || ctx->f_rng == NULL )
  182. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  183. /* We need at least 4 bytes for key_name, 12 for IV, 2 for len 16 for tag,
  184. * in addition to session itself, that will be checked when writing it. */
  185. MBEDTLS_SSL_CHK_BUF_PTR( start, end, TICKET_MIN_LEN );
  186. #if defined(MBEDTLS_THREADING_C)
  187. if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
  188. return( ret );
  189. #endif
  190. if( ( ret = ssl_ticket_update_keys( ctx ) ) != 0 )
  191. goto cleanup;
  192. key = &ctx->keys[ctx->active];
  193. *ticket_lifetime = ctx->ticket_lifetime;
  194. memcpy( key_name, key->name, TICKET_KEY_NAME_BYTES );
  195. if( ( ret = ctx->f_rng( ctx->p_rng, iv, TICKET_IV_BYTES ) ) != 0 )
  196. goto cleanup;
  197. /* Dump session state */
  198. if( ( ret = mbedtls_ssl_session_save( session,
  199. state, end - state,
  200. &clear_len ) ) != 0 ||
  201. (unsigned long) clear_len > 65535 )
  202. {
  203. goto cleanup;
  204. }
  205. MBEDTLS_PUT_UINT16_BE( clear_len, state_len_bytes, 0 );
  206. /* Encrypt and authenticate */
  207. if( ( ret = mbedtls_cipher_auth_encrypt_ext( &key->ctx,
  208. iv, TICKET_IV_BYTES,
  209. /* Additional data: key name, IV and length */
  210. key_name, TICKET_ADD_DATA_LEN,
  211. state, clear_len,
  212. state, end - state, &ciph_len,
  213. TICKET_AUTH_TAG_BYTES ) ) != 0 )
  214. {
  215. goto cleanup;
  216. }
  217. if( ciph_len != clear_len + TICKET_AUTH_TAG_BYTES )
  218. {
  219. ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
  220. goto cleanup;
  221. }
  222. *tlen = TICKET_MIN_LEN + ciph_len - TICKET_AUTH_TAG_BYTES;
  223. cleanup:
  224. #if defined(MBEDTLS_THREADING_C)
  225. if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
  226. return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
  227. #endif
  228. return( ret );
  229. }
  230. /*
  231. * Select key based on name
  232. */
  233. static mbedtls_ssl_ticket_key *ssl_ticket_select_key(
  234. mbedtls_ssl_ticket_context *ctx,
  235. const unsigned char name[4] )
  236. {
  237. unsigned char i;
  238. for( i = 0; i < sizeof( ctx->keys ) / sizeof( *ctx->keys ); i++ )
  239. if( memcmp( name, ctx->keys[i].name, 4 ) == 0 )
  240. return( &ctx->keys[i] );
  241. return( NULL );
  242. }
  243. /*
  244. * Load session ticket (see mbedtls_ssl_ticket_write for structure)
  245. */
  246. int mbedtls_ssl_ticket_parse( void *p_ticket,
  247. mbedtls_ssl_session *session,
  248. unsigned char *buf,
  249. size_t len )
  250. {
  251. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  252. mbedtls_ssl_ticket_context *ctx = p_ticket;
  253. mbedtls_ssl_ticket_key *key;
  254. unsigned char *key_name = buf;
  255. unsigned char *iv = buf + TICKET_KEY_NAME_BYTES;
  256. unsigned char *enc_len_p = iv + TICKET_IV_BYTES;
  257. unsigned char *ticket = enc_len_p + TICKET_CRYPT_LEN_BYTES;
  258. size_t enc_len, clear_len;
  259. if( ctx == NULL || ctx->f_rng == NULL )
  260. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  261. if( len < TICKET_MIN_LEN )
  262. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  263. #if defined(MBEDTLS_THREADING_C)
  264. if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
  265. return( ret );
  266. #endif
  267. if( ( ret = ssl_ticket_update_keys( ctx ) ) != 0 )
  268. goto cleanup;
  269. enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
  270. if( len != TICKET_MIN_LEN + enc_len )
  271. {
  272. ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
  273. goto cleanup;
  274. }
  275. /* Select key */
  276. if( ( key = ssl_ticket_select_key( ctx, key_name ) ) == NULL )
  277. {
  278. /* We can't know for sure but this is a likely option unless we're
  279. * under attack - this is only informative anyway */
  280. ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
  281. goto cleanup;
  282. }
  283. /* Decrypt and authenticate */
  284. if( ( ret = mbedtls_cipher_auth_decrypt_ext( &key->ctx,
  285. iv, TICKET_IV_BYTES,
  286. /* Additional data: key name, IV and length */
  287. key_name, TICKET_ADD_DATA_LEN,
  288. ticket, enc_len + TICKET_AUTH_TAG_BYTES,
  289. ticket, enc_len, &clear_len,
  290. TICKET_AUTH_TAG_BYTES ) ) != 0 )
  291. {
  292. if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
  293. ret = MBEDTLS_ERR_SSL_INVALID_MAC;
  294. goto cleanup;
  295. }
  296. if( clear_len != enc_len )
  297. {
  298. ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
  299. goto cleanup;
  300. }
  301. /* Actually load session */
  302. if( ( ret = mbedtls_ssl_session_load( session, ticket, clear_len ) ) != 0 )
  303. goto cleanup;
  304. #if defined(MBEDTLS_HAVE_TIME)
  305. {
  306. /* Check for expiration */
  307. mbedtls_time_t current_time = mbedtls_time( NULL );
  308. if( current_time < session->start ||
  309. (uint32_t)( current_time - session->start ) > ctx->ticket_lifetime )
  310. {
  311. ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
  312. goto cleanup;
  313. }
  314. }
  315. #endif
  316. cleanup:
  317. #if defined(MBEDTLS_THREADING_C)
  318. if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
  319. return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
  320. #endif
  321. return( ret );
  322. }
  323. /*
  324. * Free context
  325. */
  326. void mbedtls_ssl_ticket_free( mbedtls_ssl_ticket_context *ctx )
  327. {
  328. mbedtls_cipher_free( &ctx->keys[0].ctx );
  329. mbedtls_cipher_free( &ctx->keys[1].ctx );
  330. #if defined(MBEDTLS_THREADING_C)
  331. mbedtls_mutex_free( &ctx->mutex );
  332. #endif
  333. mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ssl_ticket_context ) );
  334. }
  335. #endif /* MBEDTLS_SSL_TICKET_C */