1 /*
2 * TLS server tickets callbacks implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20 #include "common.h"
21
22 #if defined(MBEDTLS_SSL_TICKET_C)
23
24 #if defined(MBEDTLS_PLATFORM_C)
25 #include "mbedtls/platform.h"
26 #else
27 #include <stdlib.h>
28 #define mbedtls_calloc calloc
29 #define mbedtls_free free
30 #endif
31
32 #include "mbedtls/ssl_internal.h"
33 #include "mbedtls/ssl_ticket.h"
34 #include "mbedtls/error.h"
35 #include "mbedtls/platform_util.h"
36
37 #include <string.h>
38
39 /*
40 * Initialize context
41 */
mbedtls_ssl_ticket_init(mbedtls_ssl_ticket_context * ctx)42 void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx )
43 {
44 memset( ctx, 0, sizeof( mbedtls_ssl_ticket_context ) );
45
46 #if defined(MBEDTLS_THREADING_C)
47 mbedtls_mutex_init( &ctx->mutex );
48 #endif
49 }
50
51 #define MAX_KEY_BYTES 32 /* 256 bits */
52
53 #define TICKET_KEY_NAME_BYTES 4
54 #define TICKET_IV_BYTES 12
55 #define TICKET_CRYPT_LEN_BYTES 2
56 #define TICKET_AUTH_TAG_BYTES 16
57
58 #define TICKET_MIN_LEN ( TICKET_KEY_NAME_BYTES + \
59 TICKET_IV_BYTES + \
60 TICKET_CRYPT_LEN_BYTES + \
61 TICKET_AUTH_TAG_BYTES )
62 #define TICKET_ADD_DATA_LEN ( TICKET_KEY_NAME_BYTES + \
63 TICKET_IV_BYTES + \
64 TICKET_CRYPT_LEN_BYTES )
65
66 /*
67 * Generate/update a key
68 */
69 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_ticket_gen_key(mbedtls_ssl_ticket_context * ctx,unsigned char index)70 static int ssl_ticket_gen_key( mbedtls_ssl_ticket_context *ctx,
71 unsigned char index )
72 {
73 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
74 unsigned char buf[MAX_KEY_BYTES];
75 mbedtls_ssl_ticket_key *key = ctx->keys + index;
76
77 #if defined(MBEDTLS_HAVE_TIME)
78 key->generation_time = (uint32_t) mbedtls_time( NULL );
79 #endif
80
81 if( ( ret = ctx->f_rng( ctx->p_rng, key->name, sizeof( key->name ) ) ) != 0 )
82 return( ret );
83
84 if( ( ret = ctx->f_rng( ctx->p_rng, buf, sizeof( buf ) ) ) != 0 )
85 return( ret );
86
87 /* With GCM and CCM, same context can encrypt & decrypt */
88 ret = mbedtls_cipher_setkey( &key->ctx, buf,
89 mbedtls_cipher_get_key_bitlen( &key->ctx ),
90 MBEDTLS_ENCRYPT );
91
92 mbedtls_platform_zeroize( buf, sizeof( buf ) );
93
94 return( ret );
95 }
96
97 /*
98 * Rotate/generate keys if necessary
99 */
100 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_ticket_update_keys(mbedtls_ssl_ticket_context * ctx)101 static int ssl_ticket_update_keys( mbedtls_ssl_ticket_context *ctx )
102 {
103 #if !defined(MBEDTLS_HAVE_TIME)
104 ((void) ctx);
105 #else
106 if( ctx->ticket_lifetime != 0 )
107 {
108 uint32_t current_time = (uint32_t) mbedtls_time( NULL );
109 uint32_t key_time = ctx->keys[ctx->active].generation_time;
110
111 if( current_time >= key_time &&
112 current_time - key_time < ctx->ticket_lifetime )
113 {
114 return( 0 );
115 }
116
117 ctx->active = 1 - ctx->active;
118
119 return( ssl_ticket_gen_key( ctx, ctx->active ) );
120 }
121 else
122 #endif /* MBEDTLS_HAVE_TIME */
123 return( 0 );
124 }
125
126 /*
127 * Setup context for actual use
128 */
mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,mbedtls_cipher_type_t cipher,uint32_t lifetime)129 int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
130 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
131 mbedtls_cipher_type_t cipher,
132 uint32_t lifetime )
133 {
134 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
135 const mbedtls_cipher_info_t *cipher_info;
136
137 ctx->f_rng = f_rng;
138 ctx->p_rng = p_rng;
139
140 ctx->ticket_lifetime = lifetime;
141
142 cipher_info = mbedtls_cipher_info_from_type( cipher);
143 if( cipher_info == NULL )
144 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
145
146 if( cipher_info->mode != MBEDTLS_MODE_GCM &&
147 cipher_info->mode != MBEDTLS_MODE_CCM )
148 {
149 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
150 }
151
152 if( cipher_info->key_bitlen > 8 * MAX_KEY_BYTES )
153 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
154
155 #if defined(MBEDTLS_USE_PSA_CRYPTO)
156 ret = mbedtls_cipher_setup_psa( &ctx->keys[0].ctx,
157 cipher_info, TICKET_AUTH_TAG_BYTES );
158 if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
159 return( ret );
160 /* We don't yet expect to support all ciphers through PSA,
161 * so allow fallback to ordinary mbedtls_cipher_setup(). */
162 if( ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
163 #endif /* MBEDTLS_USE_PSA_CRYPTO */
164 if( ( ret = mbedtls_cipher_setup( &ctx->keys[0].ctx, cipher_info ) ) != 0 )
165 return( ret );
166
167 #if defined(MBEDTLS_USE_PSA_CRYPTO)
168 ret = mbedtls_cipher_setup_psa( &ctx->keys[1].ctx,
169 cipher_info, TICKET_AUTH_TAG_BYTES );
170 if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
171 return( ret );
172 if( ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
173 #endif /* MBEDTLS_USE_PSA_CRYPTO */
174 if( ( ret = mbedtls_cipher_setup( &ctx->keys[1].ctx, cipher_info ) ) != 0 )
175 return( ret );
176
177 if( ( ret = ssl_ticket_gen_key( ctx, 0 ) ) != 0 ||
178 ( ret = ssl_ticket_gen_key( ctx, 1 ) ) != 0 )
179 {
180 return( ret );
181 }
182
183 return( 0 );
184 }
185
186 /*
187 * Create session ticket, with the following structure:
188 *
189 * struct {
190 * opaque key_name[4];
191 * opaque iv[12];
192 * opaque encrypted_state<0..2^16-1>;
193 * opaque tag[16];
194 * } ticket;
195 *
196 * The key_name, iv, and length of encrypted_state are the additional
197 * authenticated data.
198 */
199
mbedtls_ssl_ticket_write(void * p_ticket,const mbedtls_ssl_session * session,unsigned char * start,const unsigned char * end,size_t * tlen,uint32_t * ticket_lifetime)200 int mbedtls_ssl_ticket_write( void *p_ticket,
201 const mbedtls_ssl_session *session,
202 unsigned char *start,
203 const unsigned char *end,
204 size_t *tlen,
205 uint32_t *ticket_lifetime )
206 {
207 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
208 mbedtls_ssl_ticket_context *ctx = p_ticket;
209 mbedtls_ssl_ticket_key *key;
210 unsigned char *key_name = start;
211 unsigned char *iv = start + TICKET_KEY_NAME_BYTES;
212 unsigned char *state_len_bytes = iv + TICKET_IV_BYTES;
213 unsigned char *state = state_len_bytes + TICKET_CRYPT_LEN_BYTES;
214 size_t clear_len, ciph_len;
215
216 *tlen = 0;
217
218 if( ctx == NULL || ctx->f_rng == NULL )
219 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
220
221 /* We need at least 4 bytes for key_name, 12 for IV, 2 for len 16 for tag,
222 * in addition to session itself, that will be checked when writing it. */
223 MBEDTLS_SSL_CHK_BUF_PTR( start, end, TICKET_MIN_LEN );
224
225 #if defined(MBEDTLS_THREADING_C)
226 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
227 return( ret );
228 #endif
229
230 if( ( ret = ssl_ticket_update_keys( ctx ) ) != 0 )
231 goto cleanup;
232
233 key = &ctx->keys[ctx->active];
234
235 *ticket_lifetime = ctx->ticket_lifetime;
236
237 memcpy( key_name, key->name, TICKET_KEY_NAME_BYTES );
238
239 if( ( ret = ctx->f_rng( ctx->p_rng, iv, TICKET_IV_BYTES ) ) != 0 )
240 goto cleanup;
241
242 /* Dump session state */
243 if( ( ret = mbedtls_ssl_session_save( session,
244 state, end - state,
245 &clear_len ) ) != 0 ||
246 (unsigned long) clear_len > 65535 )
247 {
248 goto cleanup;
249 }
250 MBEDTLS_PUT_UINT16_BE( clear_len, state_len_bytes, 0 );
251
252 /* Encrypt and authenticate */
253 if( ( ret = mbedtls_cipher_auth_encrypt_ext( &key->ctx,
254 iv, TICKET_IV_BYTES,
255 /* Additional data: key name, IV and length */
256 key_name, TICKET_ADD_DATA_LEN,
257 state, clear_len,
258 state, end - state, &ciph_len,
259 TICKET_AUTH_TAG_BYTES ) ) != 0 )
260 {
261 goto cleanup;
262 }
263 if( ciph_len != clear_len + TICKET_AUTH_TAG_BYTES )
264 {
265 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
266 goto cleanup;
267 }
268
269 *tlen = TICKET_MIN_LEN + ciph_len - TICKET_AUTH_TAG_BYTES;
270
271 cleanup:
272 #if defined(MBEDTLS_THREADING_C)
273 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
274 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
275 #endif
276
277 return( ret );
278 }
279
280 /*
281 * Select key based on name
282 */
ssl_ticket_select_key(mbedtls_ssl_ticket_context * ctx,const unsigned char name[4])283 static mbedtls_ssl_ticket_key *ssl_ticket_select_key(
284 mbedtls_ssl_ticket_context *ctx,
285 const unsigned char name[4] )
286 {
287 unsigned char i;
288
289 for( i = 0; i < sizeof( ctx->keys ) / sizeof( *ctx->keys ); i++ )
290 if( memcmp( name, ctx->keys[i].name, 4 ) == 0 )
291 return( &ctx->keys[i] );
292
293 return( NULL );
294 }
295
296 /*
297 * Load session ticket (see mbedtls_ssl_ticket_write for structure)
298 */
mbedtls_ssl_ticket_parse(void * p_ticket,mbedtls_ssl_session * session,unsigned char * buf,size_t len)299 int mbedtls_ssl_ticket_parse( void *p_ticket,
300 mbedtls_ssl_session *session,
301 unsigned char *buf,
302 size_t len )
303 {
304 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
305 mbedtls_ssl_ticket_context *ctx = p_ticket;
306 mbedtls_ssl_ticket_key *key;
307 unsigned char *key_name = buf;
308 unsigned char *iv = buf + TICKET_KEY_NAME_BYTES;
309 unsigned char *enc_len_p = iv + TICKET_IV_BYTES;
310 unsigned char *ticket = enc_len_p + TICKET_CRYPT_LEN_BYTES;
311 size_t enc_len, clear_len;
312
313 if( ctx == NULL || ctx->f_rng == NULL )
314 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
315
316 if( len < TICKET_MIN_LEN )
317 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
318
319 #if defined(MBEDTLS_THREADING_C)
320 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
321 return( ret );
322 #endif
323
324 if( ( ret = ssl_ticket_update_keys( ctx ) ) != 0 )
325 goto cleanup;
326
327 enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
328
329 if( len != TICKET_MIN_LEN + enc_len )
330 {
331 ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
332 goto cleanup;
333 }
334
335 /* Select key */
336 if( ( key = ssl_ticket_select_key( ctx, key_name ) ) == NULL )
337 {
338 /* We can't know for sure but this is a likely option unless we're
339 * under attack - this is only informative anyway */
340 ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
341 goto cleanup;
342 }
343
344 /* Decrypt and authenticate */
345 if( ( ret = mbedtls_cipher_auth_decrypt_ext( &key->ctx,
346 iv, TICKET_IV_BYTES,
347 /* Additional data: key name, IV and length */
348 key_name, TICKET_ADD_DATA_LEN,
349 ticket, enc_len + TICKET_AUTH_TAG_BYTES,
350 ticket, enc_len, &clear_len,
351 TICKET_AUTH_TAG_BYTES ) ) != 0 )
352 {
353 if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
354 ret = MBEDTLS_ERR_SSL_INVALID_MAC;
355
356 goto cleanup;
357 }
358 if( clear_len != enc_len )
359 {
360 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
361 goto cleanup;
362 }
363
364 /* Actually load session */
365 if( ( ret = mbedtls_ssl_session_load( session, ticket, clear_len ) ) != 0 )
366 goto cleanup;
367
368 #if defined(MBEDTLS_HAVE_TIME)
369 {
370 /* Check for expiration */
371 mbedtls_time_t current_time = mbedtls_time( NULL );
372
373 if( current_time < session->start ||
374 (uint32_t)( current_time - session->start ) > ctx->ticket_lifetime )
375 {
376 ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
377 goto cleanup;
378 }
379 }
380 #endif
381
382 cleanup:
383 #if defined(MBEDTLS_THREADING_C)
384 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
385 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
386 #endif
387
388 return( ret );
389 }
390
391 /*
392 * Free context
393 */
mbedtls_ssl_ticket_free(mbedtls_ssl_ticket_context * ctx)394 void mbedtls_ssl_ticket_free( mbedtls_ssl_ticket_context *ctx )
395 {
396 mbedtls_cipher_free( &ctx->keys[0].ctx );
397 mbedtls_cipher_free( &ctx->keys[1].ctx );
398
399 #if defined(MBEDTLS_THREADING_C)
400 mbedtls_mutex_free( &ctx->mutex );
401 #endif
402
403 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ssl_ticket_context ) );
404 }
405
406 #endif /* MBEDTLS_SSL_TICKET_C */
407