ssl_ticket.c 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486
  1. /*
  2. * TLS server tickets callbacks implementation
  3. *
  4. * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
  5. * SPDX-License-Identifier: Apache-2.0
  6. *
  7. * Licensed under the Apache License, Version 2.0 (the "License"); you may
  8. * not use this file except in compliance with the License.
  9. * You may obtain a copy of the License at
  10. *
  11. * http://www.apache.org/licenses/LICENSE-2.0
  12. *
  13. * Unless required by applicable law or agreed to in writing, software
  14. * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  15. * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  16. * See the License for the specific language governing permissions and
  17. * limitations under the License.
  18. *
  19. * This file is part of mbed TLS (https://tls.mbed.org)
  20. */
  21. #if !defined(MBEDTLS_CONFIG_FILE)
  22. #include "mbedtls/config.h"
  23. #else
  24. #include MBEDTLS_CONFIG_FILE
  25. #endif
  26. #if defined(MBEDTLS_SSL_TICKET_C)
  27. #if defined(MBEDTLS_PLATFORM_C)
  28. #include "mbedtls/platform.h"
  29. #else
  30. #include <stdlib.h>
  31. #define mbedtls_calloc calloc
  32. #define mbedtls_free free
  33. #endif
  34. #include "mbedtls/ssl_ticket.h"
  35. #include "mbedtls/platform_util.h"
  36. #include <string.h>
  37. /*
  38. * Initialze context
  39. */
  40. void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx )
  41. {
  42. memset( ctx, 0, sizeof( mbedtls_ssl_ticket_context ) );
  43. #if defined(MBEDTLS_THREADING_C)
  44. mbedtls_mutex_init( &ctx->mutex );
  45. #endif
  46. }
  47. #define MAX_KEY_BYTES 32 /* 256 bits */
  48. /*
  49. * Generate/update a key
  50. */
  51. static int ssl_ticket_gen_key( mbedtls_ssl_ticket_context *ctx,
  52. unsigned char index )
  53. {
  54. int ret;
  55. unsigned char buf[MAX_KEY_BYTES];
  56. mbedtls_ssl_ticket_key *key = ctx->keys + index;
  57. #if defined(MBEDTLS_HAVE_TIME)
  58. key->generation_time = (uint32_t) mbedtls_time( NULL );
  59. #endif
  60. if( ( ret = ctx->f_rng( ctx->p_rng, key->name, sizeof( key->name ) ) ) != 0 )
  61. return( ret );
  62. if( ( ret = ctx->f_rng( ctx->p_rng, buf, sizeof( buf ) ) ) != 0 )
  63. return( ret );
  64. /* With GCM and CCM, same context can encrypt & decrypt */
  65. ret = mbedtls_cipher_setkey( &key->ctx, buf,
  66. mbedtls_cipher_get_key_bitlen( &key->ctx ),
  67. MBEDTLS_ENCRYPT );
  68. mbedtls_platform_zeroize( buf, sizeof( buf ) );
  69. return( ret );
  70. }
  71. /*
  72. * Rotate/generate keys if necessary
  73. */
  74. static int ssl_ticket_update_keys( mbedtls_ssl_ticket_context *ctx )
  75. {
  76. #if !defined(MBEDTLS_HAVE_TIME)
  77. ((void) ctx);
  78. #else
  79. if( ctx->ticket_lifetime != 0 )
  80. {
  81. uint32_t current_time = (uint32_t) mbedtls_time( NULL );
  82. uint32_t key_time = ctx->keys[ctx->active].generation_time;
  83. if( current_time > key_time &&
  84. current_time - key_time < ctx->ticket_lifetime )
  85. {
  86. return( 0 );
  87. }
  88. ctx->active = 1 - ctx->active;
  89. return( ssl_ticket_gen_key( ctx, ctx->active ) );
  90. }
  91. else
  92. #endif /* MBEDTLS_HAVE_TIME */
  93. return( 0 );
  94. }
  95. /*
  96. * Setup context for actual use
  97. */
  98. int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
  99. int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
  100. mbedtls_cipher_type_t cipher,
  101. uint32_t lifetime )
  102. {
  103. int ret;
  104. const mbedtls_cipher_info_t *cipher_info;
  105. ctx->f_rng = f_rng;
  106. ctx->p_rng = p_rng;
  107. ctx->ticket_lifetime = lifetime;
  108. cipher_info = mbedtls_cipher_info_from_type( cipher);
  109. if( cipher_info == NULL )
  110. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  111. if( cipher_info->mode != MBEDTLS_MODE_GCM &&
  112. cipher_info->mode != MBEDTLS_MODE_CCM )
  113. {
  114. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  115. }
  116. if( cipher_info->key_bitlen > 8 * MAX_KEY_BYTES )
  117. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  118. if( ( ret = mbedtls_cipher_setup( &ctx->keys[0].ctx, cipher_info ) ) != 0 ||
  119. ( ret = mbedtls_cipher_setup( &ctx->keys[1].ctx, cipher_info ) ) != 0 )
  120. {
  121. return( ret );
  122. }
  123. if( ( ret = ssl_ticket_gen_key( ctx, 0 ) ) != 0 ||
  124. ( ret = ssl_ticket_gen_key( ctx, 1 ) ) != 0 )
  125. {
  126. return( ret );
  127. }
  128. return( 0 );
  129. }
  130. /*
  131. * Serialize a session in the following format:
  132. * 0 . n-1 session structure, n = sizeof(mbedtls_ssl_session)
  133. * n . n+2 peer_cert length = m (0 if no certificate)
  134. * n+3 . n+2+m peer cert ASN.1
  135. */
  136. static int ssl_save_session( const mbedtls_ssl_session *session,
  137. unsigned char *buf, size_t buf_len,
  138. size_t *olen )
  139. {
  140. unsigned char *p = buf;
  141. size_t left = buf_len;
  142. #if defined(MBEDTLS_X509_CRT_PARSE_C)
  143. size_t cert_len;
  144. #endif /* MBEDTLS_X509_CRT_PARSE_C */
  145. if( left < sizeof( mbedtls_ssl_session ) )
  146. return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
  147. memcpy( p, session, sizeof( mbedtls_ssl_session ) );
  148. p += sizeof( mbedtls_ssl_session );
  149. left -= sizeof( mbedtls_ssl_session );
  150. #if defined(MBEDTLS_X509_CRT_PARSE_C)
  151. if( session->peer_cert == NULL )
  152. cert_len = 0;
  153. else
  154. cert_len = session->peer_cert->raw.len;
  155. if( left < 3 + cert_len )
  156. return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
  157. *p++ = (unsigned char)( cert_len >> 16 & 0xFF );
  158. *p++ = (unsigned char)( cert_len >> 8 & 0xFF );
  159. *p++ = (unsigned char)( cert_len & 0xFF );
  160. if( session->peer_cert != NULL )
  161. memcpy( p, session->peer_cert->raw.p, cert_len );
  162. p += cert_len;
  163. #endif /* MBEDTLS_X509_CRT_PARSE_C */
  164. *olen = p - buf;
  165. return( 0 );
  166. }
  167. /*
  168. * Unserialise session, see ssl_save_session()
  169. */
  170. static int ssl_load_session( mbedtls_ssl_session *session,
  171. const unsigned char *buf, size_t len )
  172. {
  173. const unsigned char *p = buf;
  174. const unsigned char * const end = buf + len;
  175. #if defined(MBEDTLS_X509_CRT_PARSE_C)
  176. size_t cert_len;
  177. #endif /* MBEDTLS_X509_CRT_PARSE_C */
  178. if( p + sizeof( mbedtls_ssl_session ) > end )
  179. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  180. memcpy( session, p, sizeof( mbedtls_ssl_session ) );
  181. p += sizeof( mbedtls_ssl_session );
  182. #if defined(MBEDTLS_X509_CRT_PARSE_C)
  183. if( p + 3 > end )
  184. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  185. cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
  186. p += 3;
  187. if( cert_len == 0 )
  188. {
  189. session->peer_cert = NULL;
  190. }
  191. else
  192. {
  193. int ret;
  194. if( p + cert_len > end )
  195. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  196. session->peer_cert = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
  197. if( session->peer_cert == NULL )
  198. return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
  199. mbedtls_x509_crt_init( session->peer_cert );
  200. if( ( ret = mbedtls_x509_crt_parse_der( session->peer_cert,
  201. p, cert_len ) ) != 0 )
  202. {
  203. mbedtls_x509_crt_free( session->peer_cert );
  204. mbedtls_free( session->peer_cert );
  205. session->peer_cert = NULL;
  206. return( ret );
  207. }
  208. p += cert_len;
  209. }
  210. #endif /* MBEDTLS_X509_CRT_PARSE_C */
  211. if( p != end )
  212. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  213. return( 0 );
  214. }
  215. /*
  216. * Create session ticket, with the following structure:
  217. *
  218. * struct {
  219. * opaque key_name[4];
  220. * opaque iv[12];
  221. * opaque encrypted_state<0..2^16-1>;
  222. * opaque tag[16];
  223. * } ticket;
  224. *
  225. * The key_name, iv, and length of encrypted_state are the additional
  226. * authenticated data.
  227. */
  228. int mbedtls_ssl_ticket_write( void *p_ticket,
  229. const mbedtls_ssl_session *session,
  230. unsigned char *start,
  231. const unsigned char *end,
  232. size_t *tlen,
  233. uint32_t *ticket_lifetime )
  234. {
  235. int ret;
  236. mbedtls_ssl_ticket_context *ctx = p_ticket;
  237. mbedtls_ssl_ticket_key *key;
  238. unsigned char *key_name = start;
  239. unsigned char *iv = start + 4;
  240. unsigned char *state_len_bytes = iv + 12;
  241. unsigned char *state = state_len_bytes + 2;
  242. unsigned char *tag;
  243. size_t clear_len, ciph_len;
  244. *tlen = 0;
  245. if( ctx == NULL || ctx->f_rng == NULL )
  246. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  247. /* We need at least 4 bytes for key_name, 12 for IV, 2 for len 16 for tag,
  248. * in addition to session itself, that will be checked when writing it. */
  249. if( end - start < 4 + 12 + 2 + 16 )
  250. return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
  251. #if defined(MBEDTLS_THREADING_C)
  252. if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
  253. return( ret );
  254. #endif
  255. if( ( ret = ssl_ticket_update_keys( ctx ) ) != 0 )
  256. goto cleanup;
  257. key = &ctx->keys[ctx->active];
  258. *ticket_lifetime = ctx->ticket_lifetime;
  259. memcpy( key_name, key->name, 4 );
  260. if( ( ret = ctx->f_rng( ctx->p_rng, iv, 12 ) ) != 0 )
  261. goto cleanup;
  262. /* Dump session state */
  263. if( ( ret = ssl_save_session( session,
  264. state, end - state, &clear_len ) ) != 0 ||
  265. (unsigned long) clear_len > 65535 )
  266. {
  267. goto cleanup;
  268. }
  269. state_len_bytes[0] = ( clear_len >> 8 ) & 0xff;
  270. state_len_bytes[1] = ( clear_len ) & 0xff;
  271. /* Encrypt and authenticate */
  272. tag = state + clear_len;
  273. if( ( ret = mbedtls_cipher_auth_encrypt( &key->ctx,
  274. iv, 12, key_name, 4 + 12 + 2,
  275. state, clear_len, state, &ciph_len, tag, 16 ) ) != 0 )
  276. {
  277. goto cleanup;
  278. }
  279. if( ciph_len != clear_len )
  280. {
  281. ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
  282. goto cleanup;
  283. }
  284. *tlen = 4 + 12 + 2 + 16 + ciph_len;
  285. cleanup:
  286. #if defined(MBEDTLS_THREADING_C)
  287. if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
  288. return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
  289. #endif
  290. return( ret );
  291. }
  292. /*
  293. * Select key based on name
  294. */
  295. static mbedtls_ssl_ticket_key *ssl_ticket_select_key(
  296. mbedtls_ssl_ticket_context *ctx,
  297. const unsigned char name[4] )
  298. {
  299. unsigned char i;
  300. for( i = 0; i < sizeof( ctx->keys ) / sizeof( *ctx->keys ); i++ )
  301. if( memcmp( name, ctx->keys[i].name, 4 ) == 0 )
  302. return( &ctx->keys[i] );
  303. return( NULL );
  304. }
  305. /*
  306. * Load session ticket (see mbedtls_ssl_ticket_write for structure)
  307. */
  308. int mbedtls_ssl_ticket_parse( void *p_ticket,
  309. mbedtls_ssl_session *session,
  310. unsigned char *buf,
  311. size_t len )
  312. {
  313. int ret;
  314. mbedtls_ssl_ticket_context *ctx = p_ticket;
  315. mbedtls_ssl_ticket_key *key;
  316. unsigned char *key_name = buf;
  317. unsigned char *iv = buf + 4;
  318. unsigned char *enc_len_p = iv + 12;
  319. unsigned char *ticket = enc_len_p + 2;
  320. unsigned char *tag;
  321. size_t enc_len, clear_len;
  322. if( ctx == NULL || ctx->f_rng == NULL )
  323. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  324. /* See mbedtls_ssl_ticket_write() */
  325. if( len < 4 + 12 + 2 + 16 )
  326. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  327. #if defined(MBEDTLS_THREADING_C)
  328. if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
  329. return( ret );
  330. #endif
  331. if( ( ret = ssl_ticket_update_keys( ctx ) ) != 0 )
  332. goto cleanup;
  333. enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
  334. tag = ticket + enc_len;
  335. if( len != 4 + 12 + 2 + enc_len + 16 )
  336. {
  337. ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
  338. goto cleanup;
  339. }
  340. /* Select key */
  341. if( ( key = ssl_ticket_select_key( ctx, key_name ) ) == NULL )
  342. {
  343. /* We can't know for sure but this is a likely option unless we're
  344. * under attack - this is only informative anyway */
  345. ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
  346. goto cleanup;
  347. }
  348. /* Decrypt and authenticate */
  349. if( ( ret = mbedtls_cipher_auth_decrypt( &key->ctx, iv, 12,
  350. key_name, 4 + 12 + 2, ticket, enc_len,
  351. ticket, &clear_len, tag, 16 ) ) != 0 )
  352. {
  353. if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
  354. ret = MBEDTLS_ERR_SSL_INVALID_MAC;
  355. goto cleanup;
  356. }
  357. if( clear_len != enc_len )
  358. {
  359. ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
  360. goto cleanup;
  361. }
  362. /* Actually load session */
  363. if( ( ret = ssl_load_session( session, ticket, clear_len ) ) != 0 )
  364. goto cleanup;
  365. #if defined(MBEDTLS_HAVE_TIME)
  366. {
  367. /* Check for expiration */
  368. mbedtls_time_t current_time = mbedtls_time( NULL );
  369. if( current_time < session->start ||
  370. (uint32_t)( current_time - session->start ) > ctx->ticket_lifetime )
  371. {
  372. ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
  373. goto cleanup;
  374. }
  375. }
  376. #endif
  377. cleanup:
  378. #if defined(MBEDTLS_THREADING_C)
  379. if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
  380. return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
  381. #endif
  382. return( ret );
  383. }
  384. /*
  385. * Free context
  386. */
  387. void mbedtls_ssl_ticket_free( mbedtls_ssl_ticket_context *ctx )
  388. {
  389. mbedtls_cipher_free( &ctx->keys[0].ctx );
  390. mbedtls_cipher_free( &ctx->keys[1].ctx );
  391. #if defined(MBEDTLS_THREADING_C)
  392. mbedtls_mutex_free( &ctx->mutex );
  393. #endif
  394. mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ssl_ticket_context ) );
  395. }
  396. #endif /* MBEDTLS_SSL_TICKET_C */