1 /*
2 * TLS server tickets callbacks implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20 #include "common.h"
21
22 #if defined(MBEDTLS_SSL_TICKET_C)
23
24 #if defined(MBEDTLS_PLATFORM_C)
25 #include "mbedtls/platform.h"
26 #else
27 #include <stdlib.h>
28 #define mbedtls_calloc calloc
29 #define mbedtls_free free
30 #endif
31
32 #include "ssl_misc.h"
33 #include "mbedtls/ssl_ticket.h"
34 #include "mbedtls/error.h"
35 #include "mbedtls/platform_util.h"
36
37 #include <string.h>
38
39 /*
40 * Initialze context
41 */
mbedtls_ssl_ticket_init(mbedtls_ssl_ticket_context * ctx)42 void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx )
43 {
44 memset( ctx, 0, sizeof( mbedtls_ssl_ticket_context ) );
45
46 #if defined(MBEDTLS_THREADING_C)
47 mbedtls_mutex_init( &ctx->mutex );
48 #endif
49 }
50
51 #define MAX_KEY_BYTES 32 /* 256 bits */
52
53 #define TICKET_KEY_NAME_BYTES 4
54 #define TICKET_IV_BYTES 12
55 #define TICKET_CRYPT_LEN_BYTES 2
56 #define TICKET_AUTH_TAG_BYTES 16
57
58 #define TICKET_MIN_LEN ( TICKET_KEY_NAME_BYTES + \
59 TICKET_IV_BYTES + \
60 TICKET_CRYPT_LEN_BYTES + \
61 TICKET_AUTH_TAG_BYTES )
62 #define TICKET_ADD_DATA_LEN ( TICKET_KEY_NAME_BYTES + \
63 TICKET_IV_BYTES + \
64 TICKET_CRYPT_LEN_BYTES )
65
66 /*
67 * Generate/update a key
68 */
ssl_ticket_gen_key(mbedtls_ssl_ticket_context * ctx,unsigned char index)69 static int ssl_ticket_gen_key( mbedtls_ssl_ticket_context *ctx,
70 unsigned char index )
71 {
72 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
73 unsigned char buf[MAX_KEY_BYTES];
74 mbedtls_ssl_ticket_key *key = ctx->keys + index;
75
76 #if defined(MBEDTLS_HAVE_TIME)
77 key->generation_time = (uint32_t) mbedtls_time( NULL );
78 #endif
79
80 if( ( ret = ctx->f_rng( ctx->p_rng, key->name, sizeof( key->name ) ) ) != 0 )
81 return( ret );
82
83 if( ( ret = ctx->f_rng( ctx->p_rng, buf, sizeof( buf ) ) ) != 0 )
84 return( ret );
85
86 /* With GCM and CCM, same context can encrypt & decrypt */
87 ret = mbedtls_cipher_setkey( &key->ctx, buf,
88 mbedtls_cipher_get_key_bitlen( &key->ctx ),
89 MBEDTLS_ENCRYPT );
90
91 mbedtls_platform_zeroize( buf, sizeof( buf ) );
92
93 return( ret );
94 }
95
96 /*
97 * Rotate/generate keys if necessary
98 */
ssl_ticket_update_keys(mbedtls_ssl_ticket_context * ctx)99 static int ssl_ticket_update_keys( mbedtls_ssl_ticket_context *ctx )
100 {
101 #if !defined(MBEDTLS_HAVE_TIME)
102 ((void) ctx);
103 #else
104 if( ctx->ticket_lifetime != 0 )
105 {
106 uint32_t current_time = (uint32_t) mbedtls_time( NULL );
107 uint32_t key_time = ctx->keys[ctx->active].generation_time;
108
109 if( current_time >= key_time &&
110 current_time - key_time < ctx->ticket_lifetime )
111 {
112 return( 0 );
113 }
114
115 ctx->active = 1 - ctx->active;
116
117 return( ssl_ticket_gen_key( ctx, ctx->active ) );
118 }
119 else
120 #endif /* MBEDTLS_HAVE_TIME */
121 return( 0 );
122 }
123
124 /*
125 * Setup context for actual use
126 */
mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,mbedtls_cipher_type_t cipher,uint32_t lifetime)127 int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
128 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
129 mbedtls_cipher_type_t cipher,
130 uint32_t lifetime )
131 {
132 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
133 const mbedtls_cipher_info_t *cipher_info;
134
135 ctx->f_rng = f_rng;
136 ctx->p_rng = p_rng;
137
138 ctx->ticket_lifetime = lifetime;
139
140 cipher_info = mbedtls_cipher_info_from_type( cipher);
141
142 if( mbedtls_cipher_info_get_mode( cipher_info ) != MBEDTLS_MODE_GCM &&
143 mbedtls_cipher_info_get_mode( cipher_info ) != MBEDTLS_MODE_CCM )
144 {
145 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
146 }
147
148 if( mbedtls_cipher_info_get_key_bitlen( cipher_info ) > 8 * MAX_KEY_BYTES )
149 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
150
151 #if defined(MBEDTLS_USE_PSA_CRYPTO)
152 ret = mbedtls_cipher_setup_psa( &ctx->keys[0].ctx,
153 cipher_info, TICKET_AUTH_TAG_BYTES );
154 if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
155 return( ret );
156 /* We don't yet expect to support all ciphers through PSA,
157 * so allow fallback to ordinary mbedtls_cipher_setup(). */
158 if( ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
159 #endif /* MBEDTLS_USE_PSA_CRYPTO */
160 if( ( ret = mbedtls_cipher_setup( &ctx->keys[0].ctx, cipher_info ) ) != 0 )
161 return( ret );
162
163 #if defined(MBEDTLS_USE_PSA_CRYPTO)
164 ret = mbedtls_cipher_setup_psa( &ctx->keys[1].ctx,
165 cipher_info, TICKET_AUTH_TAG_BYTES );
166 if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
167 return( ret );
168 if( ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
169 #endif /* MBEDTLS_USE_PSA_CRYPTO */
170 if( ( ret = mbedtls_cipher_setup( &ctx->keys[1].ctx, cipher_info ) ) != 0 )
171 return( ret );
172
173 if( ( ret = ssl_ticket_gen_key( ctx, 0 ) ) != 0 ||
174 ( ret = ssl_ticket_gen_key( ctx, 1 ) ) != 0 )
175 {
176 return( ret );
177 }
178
179 return( 0 );
180 }
181
182 /*
183 * Create session ticket, with the following structure:
184 *
185 * struct {
186 * opaque key_name[4];
187 * opaque iv[12];
188 * opaque encrypted_state<0..2^16-1>;
189 * opaque tag[16];
190 * } ticket;
191 *
192 * The key_name, iv, and length of encrypted_state are the additional
193 * authenticated data.
194 */
195
mbedtls_ssl_ticket_write(void * p_ticket,const mbedtls_ssl_session * session,unsigned char * start,const unsigned char * end,size_t * tlen,uint32_t * ticket_lifetime)196 int mbedtls_ssl_ticket_write( void *p_ticket,
197 const mbedtls_ssl_session *session,
198 unsigned char *start,
199 const unsigned char *end,
200 size_t *tlen,
201 uint32_t *ticket_lifetime )
202 {
203 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
204 mbedtls_ssl_ticket_context *ctx = p_ticket;
205 mbedtls_ssl_ticket_key *key;
206 unsigned char *key_name = start;
207 unsigned char *iv = start + TICKET_KEY_NAME_BYTES;
208 unsigned char *state_len_bytes = iv + TICKET_IV_BYTES;
209 unsigned char *state = state_len_bytes + TICKET_CRYPT_LEN_BYTES;
210 size_t clear_len, ciph_len;
211
212 *tlen = 0;
213
214 if( ctx == NULL || ctx->f_rng == NULL )
215 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
216
217 /* We need at least 4 bytes for key_name, 12 for IV, 2 for len 16 for tag,
218 * in addition to session itself, that will be checked when writing it. */
219 MBEDTLS_SSL_CHK_BUF_PTR( start, end, TICKET_MIN_LEN );
220
221 #if defined(MBEDTLS_THREADING_C)
222 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
223 return( ret );
224 #endif
225
226 if( ( ret = ssl_ticket_update_keys( ctx ) ) != 0 )
227 goto cleanup;
228
229 key = &ctx->keys[ctx->active];
230
231 *ticket_lifetime = ctx->ticket_lifetime;
232
233 memcpy( key_name, key->name, TICKET_KEY_NAME_BYTES );
234
235 if( ( ret = ctx->f_rng( ctx->p_rng, iv, TICKET_IV_BYTES ) ) != 0 )
236 goto cleanup;
237
238 /* Dump session state */
239 if( ( ret = mbedtls_ssl_session_save( session,
240 state, end - state,
241 &clear_len ) ) != 0 ||
242 (unsigned long) clear_len > 65535 )
243 {
244 goto cleanup;
245 }
246 MBEDTLS_PUT_UINT16_BE( clear_len, state_len_bytes, 0 );
247
248 /* Encrypt and authenticate */
249 if( ( ret = mbedtls_cipher_auth_encrypt_ext( &key->ctx,
250 iv, TICKET_IV_BYTES,
251 /* Additional data: key name, IV and length */
252 key_name, TICKET_ADD_DATA_LEN,
253 state, clear_len,
254 state, end - state, &ciph_len,
255 TICKET_AUTH_TAG_BYTES ) ) != 0 )
256 {
257 goto cleanup;
258 }
259 if( ciph_len != clear_len + TICKET_AUTH_TAG_BYTES )
260 {
261 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
262 goto cleanup;
263 }
264
265 *tlen = TICKET_MIN_LEN + ciph_len - TICKET_AUTH_TAG_BYTES;
266
267 cleanup:
268 #if defined(MBEDTLS_THREADING_C)
269 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
270 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
271 #endif
272
273 return( ret );
274 }
275
276 /*
277 * Select key based on name
278 */
ssl_ticket_select_key(mbedtls_ssl_ticket_context * ctx,const unsigned char name[4])279 static mbedtls_ssl_ticket_key *ssl_ticket_select_key(
280 mbedtls_ssl_ticket_context *ctx,
281 const unsigned char name[4] )
282 {
283 unsigned char i;
284
285 for( i = 0; i < sizeof( ctx->keys ) / sizeof( *ctx->keys ); i++ )
286 if( memcmp( name, ctx->keys[i].name, 4 ) == 0 )
287 return( &ctx->keys[i] );
288
289 return( NULL );
290 }
291
292 /*
293 * Load session ticket (see mbedtls_ssl_ticket_write for structure)
294 */
mbedtls_ssl_ticket_parse(void * p_ticket,mbedtls_ssl_session * session,unsigned char * buf,size_t len)295 int mbedtls_ssl_ticket_parse( void *p_ticket,
296 mbedtls_ssl_session *session,
297 unsigned char *buf,
298 size_t len )
299 {
300 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
301 mbedtls_ssl_ticket_context *ctx = p_ticket;
302 mbedtls_ssl_ticket_key *key;
303 unsigned char *key_name = buf;
304 unsigned char *iv = buf + TICKET_KEY_NAME_BYTES;
305 unsigned char *enc_len_p = iv + TICKET_IV_BYTES;
306 unsigned char *ticket = enc_len_p + TICKET_CRYPT_LEN_BYTES;
307 size_t enc_len, clear_len;
308
309 if( ctx == NULL || ctx->f_rng == NULL )
310 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
311
312 if( len < TICKET_MIN_LEN )
313 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
314
315 #if defined(MBEDTLS_THREADING_C)
316 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
317 return( ret );
318 #endif
319
320 if( ( ret = ssl_ticket_update_keys( ctx ) ) != 0 )
321 goto cleanup;
322
323 enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
324
325 if( len != TICKET_MIN_LEN + enc_len )
326 {
327 ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
328 goto cleanup;
329 }
330
331 /* Select key */
332 if( ( key = ssl_ticket_select_key( ctx, key_name ) ) == NULL )
333 {
334 /* We can't know for sure but this is a likely option unless we're
335 * under attack - this is only informative anyway */
336 ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
337 goto cleanup;
338 }
339
340 /* Decrypt and authenticate */
341 if( ( ret = mbedtls_cipher_auth_decrypt_ext( &key->ctx,
342 iv, TICKET_IV_BYTES,
343 /* Additional data: key name, IV and length */
344 key_name, TICKET_ADD_DATA_LEN,
345 ticket, enc_len + TICKET_AUTH_TAG_BYTES,
346 ticket, enc_len, &clear_len,
347 TICKET_AUTH_TAG_BYTES ) ) != 0 )
348 {
349 if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
350 ret = MBEDTLS_ERR_SSL_INVALID_MAC;
351
352 goto cleanup;
353 }
354 if( clear_len != enc_len )
355 {
356 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
357 goto cleanup;
358 }
359
360 /* Actually load session */
361 if( ( ret = mbedtls_ssl_session_load( session, ticket, clear_len ) ) != 0 )
362 goto cleanup;
363
364 #if defined(MBEDTLS_HAVE_TIME)
365 {
366 /* Check for expiration */
367 mbedtls_time_t current_time = mbedtls_time( NULL );
368
369 if( current_time < session->start ||
370 (uint32_t)( current_time - session->start ) > ctx->ticket_lifetime )
371 {
372 ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
373 goto cleanup;
374 }
375 }
376 #endif
377
378 cleanup:
379 #if defined(MBEDTLS_THREADING_C)
380 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
381 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
382 #endif
383
384 return( ret );
385 }
386
387 /*
388 * Free context
389 */
mbedtls_ssl_ticket_free(mbedtls_ssl_ticket_context * ctx)390 void mbedtls_ssl_ticket_free( mbedtls_ssl_ticket_context *ctx )
391 {
392 mbedtls_cipher_free( &ctx->keys[0].ctx );
393 mbedtls_cipher_free( &ctx->keys[1].ctx );
394
395 #if defined(MBEDTLS_THREADING_C)
396 mbedtls_mutex_free( &ctx->mutex );
397 #endif
398
399 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ssl_ticket_context ) );
400 }
401
402 #endif /* MBEDTLS_SSL_TICKET_C */
403