1/*
2 * DTLS cookie callbacks implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19/*
20 * These session callbacks use a simple chained list
21 * to store and retrieve the session information.
22 */
23
24#include "common.h"
25
26#if defined(MBEDTLS_SSL_COOKIE_C)
27
28#include "mbedtls/platform.h"
29
30#include "mbedtls/ssl_cookie.h"
31#include "mbedtls/ssl_internal.h"
32#include "mbedtls/error.h"
33#include "mbedtls/platform_util.h"
34#include "mbedtls/constant_time.h"
35
36#include <string.h>
37
38/*
39 * If DTLS is in use, then at least one of SHA-1, SHA-256, SHA-512 is
40 * available. Try SHA-256 first, 512 wastes resources since we need to stay
41 * with max 32 bytes of cookie for DTLS 1.0
42 */
43#if defined(MBEDTLS_SHA256_C)
44#define COOKIE_MD MBEDTLS_MD_SHA224
45#define COOKIE_MD_OUTLEN 32
46#define COOKIE_HMAC_LEN 28
47#elif defined(MBEDTLS_SHA512_C)
48#define COOKIE_MD MBEDTLS_MD_SHA384
49#define COOKIE_MD_OUTLEN 48
50#define COOKIE_HMAC_LEN 28
51#elif defined(MBEDTLS_SHA1_C)
52#define COOKIE_MD MBEDTLS_MD_SHA1
53#define COOKIE_MD_OUTLEN 20
54#define COOKIE_HMAC_LEN 20
55#else
56#error "DTLS hello verify needs SHA-1 or SHA-2"
57#endif
58
59/*
60 * Cookies are formed of a 4-bytes timestamp (or serial number) and
61 * an HMAC of timestamp and client ID.
62 */
63#define COOKIE_LEN (4 + COOKIE_HMAC_LEN)
64
65void mbedtls_ssl_cookie_init(mbedtls_ssl_cookie_ctx *ctx)
66{
67 mbedtls_md_init(&ctx->hmac_ctx);
68#if !defined(MBEDTLS_HAVE_TIME)
69 ctx->serial = 0;
70#endif
71 ctx->timeout = MBEDTLS_SSL_COOKIE_TIMEOUT;
72
73#if defined(MBEDTLS_THREADING_C)
74 mbedtls_mutex_init(&ctx->mutex);
75#endif
76}
77
78void mbedtls_ssl_cookie_set_timeout(mbedtls_ssl_cookie_ctx *ctx, unsigned long delay)
79{
80 ctx->timeout = delay;
81}
82
83void mbedtls_ssl_cookie_free(mbedtls_ssl_cookie_ctx *ctx)
84{
85 mbedtls_md_free(&ctx->hmac_ctx);
86
87#if defined(MBEDTLS_THREADING_C)
88 mbedtls_mutex_free(&ctx->mutex);
89#endif
90
91 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_ssl_cookie_ctx));
92}
93
94int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx,
95 int (*f_rng)(void *, unsigned char *, size_t),
96 void *p_rng)
97{
98 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
99 unsigned char key[COOKIE_MD_OUTLEN];
100
101 if ((ret = f_rng(p_rng, key, sizeof(key))) != 0) {
102 return ret;
103 }
104
105 ret = mbedtls_md_setup(&ctx->hmac_ctx, mbedtls_md_info_from_type(COOKIE_MD), 1);
106 if (ret != 0) {
107 return ret;
108 }
109
110 ret = mbedtls_md_hmac_starts(&ctx->hmac_ctx, key, sizeof(key));
111 if (ret != 0) {
112 return ret;
113 }
114
115 mbedtls_platform_zeroize(key, sizeof(key));
116
117 return 0;
118}
119
120/*
121 * Generate the HMAC part of a cookie
122 */
123MBEDTLS_CHECK_RETURN_CRITICAL
124static int ssl_cookie_hmac(mbedtls_md_context_t *hmac_ctx,
125 const unsigned char time[4],
126 unsigned char **p, unsigned char *end,
127 const unsigned char *cli_id, size_t cli_id_len)
128{
129 unsigned char hmac_out[COOKIE_MD_OUTLEN];
130
131 MBEDTLS_SSL_CHK_BUF_PTR(*p, end, COOKIE_HMAC_LEN);
132
133 if (mbedtls_md_hmac_reset(hmac_ctx) != 0 ||
134 mbedtls_md_hmac_update(hmac_ctx, time, 4) != 0 ||
135 mbedtls_md_hmac_update(hmac_ctx, cli_id, cli_id_len) != 0 ||
136 mbedtls_md_hmac_finish(hmac_ctx, hmac_out) != 0) {
137 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
138 }
139
140 memcpy(*p, hmac_out, COOKIE_HMAC_LEN);
141 *p += COOKIE_HMAC_LEN;
142
143 return 0;
144}
145
146/*
147 * Generate cookie for DTLS ClientHello verification
148 */
149int mbedtls_ssl_cookie_write(void *p_ctx,
150 unsigned char **p, unsigned char *end,
151 const unsigned char *cli_id, size_t cli_id_len)
152{
153 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
154 mbedtls_ssl_cookie_ctx *ctx = (mbedtls_ssl_cookie_ctx *) p_ctx;
155 unsigned long t;
156
157 if (ctx == NULL || cli_id == NULL) {
158 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
159 }
160
161 MBEDTLS_SSL_CHK_BUF_PTR(*p, end, COOKIE_LEN);
162
163#if defined(MBEDTLS_HAVE_TIME)
164 t = (unsigned long) mbedtls_time(NULL);
165#else
166 t = ctx->serial++;
167#endif
168
169 MBEDTLS_PUT_UINT32_BE(t, *p, 0);
170 *p += 4;
171
172#if defined(MBEDTLS_THREADING_C)
173 if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
174 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_SSL_INTERNAL_ERROR, ret);
175 }
176#endif
177
178 ret = ssl_cookie_hmac(&ctx->hmac_ctx, *p - 4,
179 p, end, cli_id, cli_id_len);
180
181#if defined(MBEDTLS_THREADING_C)
182 if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
183 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_SSL_INTERNAL_ERROR,
184 MBEDTLS_ERR_THREADING_MUTEX_ERROR);
185 }
186#endif
187
188 return ret;
189}
190
191/*
192 * Check a cookie
193 */
194int mbedtls_ssl_cookie_check(void *p_ctx,
195 const unsigned char *cookie, size_t cookie_len,
196 const unsigned char *cli_id, size_t cli_id_len)
197{
198 unsigned char ref_hmac[COOKIE_HMAC_LEN];
199 int ret = 0;
200 unsigned char *p = ref_hmac;
201 mbedtls_ssl_cookie_ctx *ctx = (mbedtls_ssl_cookie_ctx *) p_ctx;
202 unsigned long cur_time, cookie_time;
203
204 if (ctx == NULL || cli_id == NULL) {
205 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
206 }
207
208 if (cookie_len != COOKIE_LEN) {
209 return -1;
210 }
211
212#if defined(MBEDTLS_THREADING_C)
213 if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
214 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_SSL_INTERNAL_ERROR, ret);
215 }
216#endif
217
218 if (ssl_cookie_hmac(&ctx->hmac_ctx, cookie,
219 &p, p + sizeof(ref_hmac),
220 cli_id, cli_id_len) != 0) {
221 ret = -1;
222 }
223
224#if defined(MBEDTLS_THREADING_C)
225 if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
226 ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_SSL_INTERNAL_ERROR,
227 MBEDTLS_ERR_THREADING_MUTEX_ERROR);
228 }
229#endif
230
231 if (ret != 0) {
232 goto exit;
233 }
234
235 if (mbedtls_ct_memcmp(cookie + 4, ref_hmac, sizeof(ref_hmac)) != 0) {
236 ret = -1;
237 goto exit;
238 }
239
240#if defined(MBEDTLS_HAVE_TIME)
241 cur_time = (unsigned long) mbedtls_time(NULL);
242#else
243 cur_time = ctx->serial;
244#endif
245
246 cookie_time = ((unsigned long) cookie[0] << 24) |
247 ((unsigned long) cookie[1] << 16) |
248 ((unsigned long) cookie[2] << 8) |
249 ((unsigned long) cookie[3]);
250
251 if (ctx->timeout != 0 && cur_time - cookie_time > ctx->timeout) {
252 ret = -1;
253 goto exit;
254 }
255
256exit:
257 mbedtls_platform_zeroize(ref_hmac, sizeof(ref_hmac));
258 return ret;
259}
260#endif /* MBEDTLS_SSL_COOKIE_C */
261