| 1 | /* |
|---|---|
| 2 | * TLS server tickets callbacks implementation |
| 3 | * |
| 4 | * Copyright The Mbed TLS Contributors |
| 5 | * SPDX-License-Identifier: Apache-2.0 |
| 6 | * |
| 7 | * Licensed under the Apache License, Version 2.0 (the "License"); you may |
| 8 | * not use this file except in compliance with the License. |
| 9 | * You may obtain a copy of the License at |
| 10 | * |
| 11 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 12 | * |
| 13 | * Unless required by applicable law or agreed to in writing, software |
| 14 | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 15 | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 16 | * See the License for the specific language governing permissions and |
| 17 | * limitations under the License. |
| 18 | */ |
| 19 | |
| 20 | #include "common.h" |
| 21 | |
| 22 | #if defined(MBEDTLS_SSL_TICKET_C) |
| 23 | |
| 24 | #include "mbedtls/platform.h" |
| 25 | |
| 26 | #include "mbedtls/ssl_internal.h" |
| 27 | #include "mbedtls/ssl_ticket.h" |
| 28 | #include "mbedtls/error.h" |
| 29 | #include "mbedtls/platform_util.h" |
| 30 | |
| 31 | #include <string.h> |
| 32 | |
| 33 | /* |
| 34 | * Initialize context |
| 35 | */ |
| 36 | void mbedtls_ssl_ticket_init(mbedtls_ssl_ticket_context *ctx) |
| 37 | { |
| 38 | memset(ctx, 0, sizeof(mbedtls_ssl_ticket_context)); |
| 39 | |
| 40 | #if defined(MBEDTLS_THREADING_C) |
| 41 | mbedtls_mutex_init(&ctx->mutex); |
| 42 | #endif |
| 43 | } |
| 44 | |
| 45 | #define MAX_KEY_BYTES 32 /* 256 bits */ |
| 46 | |
| 47 | #define TICKET_KEY_NAME_BYTES 4 |
| 48 | #define TICKET_IV_BYTES 12 |
| 49 | #define TICKET_CRYPT_LEN_BYTES 2 |
| 50 | #define TICKET_AUTH_TAG_BYTES 16 |
| 51 | |
| 52 | #define TICKET_MIN_LEN (TICKET_KEY_NAME_BYTES + \ |
| 53 | TICKET_IV_BYTES + \ |
| 54 | TICKET_CRYPT_LEN_BYTES + \ |
| 55 | TICKET_AUTH_TAG_BYTES) |
| 56 | #define TICKET_ADD_DATA_LEN (TICKET_KEY_NAME_BYTES + \ |
| 57 | TICKET_IV_BYTES + \ |
| 58 | TICKET_CRYPT_LEN_BYTES) |
| 59 | |
| 60 | /* |
| 61 | * Generate/update a key |
| 62 | */ |
| 63 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 64 | static int ssl_ticket_gen_key(mbedtls_ssl_ticket_context *ctx, |
| 65 | unsigned char index) |
| 66 | { |
| 67 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 68 | unsigned char buf[MAX_KEY_BYTES]; |
| 69 | mbedtls_ssl_ticket_key *key = ctx->keys + index; |
| 70 | |
| 71 | #if defined(MBEDTLS_HAVE_TIME) |
| 72 | key->generation_time = (uint32_t) mbedtls_time(NULL); |
| 73 | #endif |
| 74 | |
| 75 | if ((ret = ctx->f_rng(ctx->p_rng, key->name, sizeof(key->name))) != 0) { |
| 76 | return ret; |
| 77 | } |
| 78 | |
| 79 | if ((ret = ctx->f_rng(ctx->p_rng, buf, sizeof(buf))) != 0) { |
| 80 | return ret; |
| 81 | } |
| 82 | |
| 83 | /* With GCM and CCM, same context can encrypt & decrypt */ |
| 84 | ret = mbedtls_cipher_setkey(&key->ctx, buf, |
| 85 | mbedtls_cipher_get_key_bitlen(&key->ctx), |
| 86 | MBEDTLS_ENCRYPT); |
| 87 | |
| 88 | mbedtls_platform_zeroize(buf, sizeof(buf)); |
| 89 | |
| 90 | return ret; |
| 91 | } |
| 92 | |
| 93 | /* |
| 94 | * Rotate/generate keys if necessary |
| 95 | */ |
| 96 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 97 | static int ssl_ticket_update_keys(mbedtls_ssl_ticket_context *ctx) |
| 98 | { |
| 99 | #if !defined(MBEDTLS_HAVE_TIME) |
| 100 | ((void) ctx); |
| 101 | #else |
| 102 | if (ctx->ticket_lifetime != 0) { |
| 103 | uint32_t current_time = (uint32_t) mbedtls_time(NULL); |
| 104 | uint32_t key_time = ctx->keys[ctx->active].generation_time; |
| 105 | |
| 106 | if (current_time >= key_time && |
| 107 | current_time - key_time < ctx->ticket_lifetime) { |
| 108 | return 0; |
| 109 | } |
| 110 | |
| 111 | ctx->active = 1 - ctx->active; |
| 112 | |
| 113 | return ssl_ticket_gen_key(ctx, ctx->active); |
| 114 | } else |
| 115 | #endif /* MBEDTLS_HAVE_TIME */ |
| 116 | return 0; |
| 117 | } |
| 118 | |
| 119 | /* |
| 120 | * Setup context for actual use |
| 121 | */ |
| 122 | int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx, |
| 123 | int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, |
| 124 | mbedtls_cipher_type_t cipher, |
| 125 | uint32_t lifetime) |
| 126 | { |
| 127 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 128 | const mbedtls_cipher_info_t *cipher_info; |
| 129 | |
| 130 | ctx->f_rng = f_rng; |
| 131 | ctx->p_rng = p_rng; |
| 132 | |
| 133 | ctx->ticket_lifetime = lifetime; |
| 134 | |
| 135 | cipher_info = mbedtls_cipher_info_from_type(cipher); |
| 136 | if (cipher_info == NULL) { |
| 137 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
| 138 | } |
| 139 | |
| 140 | if (cipher_info->mode != MBEDTLS_MODE_GCM && |
| 141 | cipher_info->mode != MBEDTLS_MODE_CCM) { |
| 142 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
| 143 | } |
| 144 | |
| 145 | if (cipher_info->key_bitlen > 8 * MAX_KEY_BYTES) { |
| 146 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
| 147 | } |
| 148 | |
| 149 | int do_mbedtls_cipher_setup = 1; |
| 150 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 151 | ret = mbedtls_cipher_setup_psa(&ctx->keys[0].ctx, |
| 152 | cipher_info, TICKET_AUTH_TAG_BYTES); |
| 153 | |
| 154 | switch (ret) { |
| 155 | case 0: |
| 156 | do_mbedtls_cipher_setup = 0; |
| 157 | break; |
| 158 | case MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE: |
| 159 | /* We don't yet expect to support all ciphers through PSA, |
| 160 | * so allow fallback to ordinary mbedtls_cipher_setup(). */ |
| 161 | do_mbedtls_cipher_setup = 1; |
| 162 | break; |
| 163 | default: |
| 164 | return ret; |
| 165 | } |
| 166 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 167 | if (do_mbedtls_cipher_setup) { |
| 168 | if ((ret = mbedtls_cipher_setup(&ctx->keys[0].ctx, cipher_info)) |
| 169 | != 0) { |
| 170 | return ret; |
| 171 | } |
| 172 | } |
| 173 | |
| 174 | do_mbedtls_cipher_setup = 1; |
| 175 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 176 | do_mbedtls_cipher_setup = 0; |
| 177 | |
| 178 | ret = mbedtls_cipher_setup_psa(&ctx->keys[1].ctx, |
| 179 | cipher_info, TICKET_AUTH_TAG_BYTES); |
| 180 | if (ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE) { |
| 181 | return ret; |
| 182 | } |
| 183 | if (ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE) { |
| 184 | do_mbedtls_cipher_setup = 1; |
| 185 | } |
| 186 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 187 | if (do_mbedtls_cipher_setup) { |
| 188 | if ((ret = mbedtls_cipher_setup(&ctx->keys[1].ctx, cipher_info)) |
| 189 | != 0) { |
| 190 | return ret; |
| 191 | } |
| 192 | } |
| 193 | |
| 194 | if ((ret = ssl_ticket_gen_key(ctx, 0)) != 0 || |
| 195 | (ret = ssl_ticket_gen_key(ctx, 1)) != 0) { |
| 196 | return ret; |
| 197 | } |
| 198 | |
| 199 | return 0; |
| 200 | } |
| 201 | |
| 202 | /* |
| 203 | * Create session ticket, with the following structure: |
| 204 | * |
| 205 | * struct { |
| 206 | * opaque key_name[4]; |
| 207 | * opaque iv[12]; |
| 208 | * opaque encrypted_state<0..2^16-1>; |
| 209 | * opaque tag[16]; |
| 210 | * } ticket; |
| 211 | * |
| 212 | * The key_name, iv, and length of encrypted_state are the additional |
| 213 | * authenticated data. |
| 214 | */ |
| 215 | |
| 216 | int mbedtls_ssl_ticket_write(void *p_ticket, |
| 217 | const mbedtls_ssl_session *session, |
| 218 | unsigned char *start, |
| 219 | const unsigned char *end, |
| 220 | size_t *tlen, |
| 221 | uint32_t *ticket_lifetime) |
| 222 | { |
| 223 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 224 | mbedtls_ssl_ticket_context *ctx = p_ticket; |
| 225 | mbedtls_ssl_ticket_key *key; |
| 226 | unsigned char *key_name = start; |
| 227 | unsigned char *iv = start + TICKET_KEY_NAME_BYTES; |
| 228 | unsigned char *state_len_bytes = iv + TICKET_IV_BYTES; |
| 229 | unsigned char *state = state_len_bytes + TICKET_CRYPT_LEN_BYTES; |
| 230 | size_t clear_len, ciph_len; |
| 231 | |
| 232 | *tlen = 0; |
| 233 | |
| 234 | if (ctx == NULL || ctx->f_rng == NULL) { |
| 235 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
| 236 | } |
| 237 | |
| 238 | /* We need at least 4 bytes for key_name, 12 for IV, 2 for len 16 for tag, |
| 239 | * in addition to session itself, that will be checked when writing it. */ |
| 240 | MBEDTLS_SSL_CHK_BUF_PTR(start, end, TICKET_MIN_LEN); |
| 241 | |
| 242 | #if defined(MBEDTLS_THREADING_C) |
| 243 | if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) { |
| 244 | return ret; |
| 245 | } |
| 246 | #endif |
| 247 | |
| 248 | if ((ret = ssl_ticket_update_keys(ctx)) != 0) { |
| 249 | goto cleanup; |
| 250 | } |
| 251 | |
| 252 | key = &ctx->keys[ctx->active]; |
| 253 | |
| 254 | *ticket_lifetime = ctx->ticket_lifetime; |
| 255 | |
| 256 | memcpy(key_name, key->name, TICKET_KEY_NAME_BYTES); |
| 257 | |
| 258 | if ((ret = ctx->f_rng(ctx->p_rng, iv, TICKET_IV_BYTES)) != 0) { |
| 259 | goto cleanup; |
| 260 | } |
| 261 | |
| 262 | /* Dump session state */ |
| 263 | if ((ret = mbedtls_ssl_session_save(session, |
| 264 | state, end - state, |
| 265 | &clear_len)) != 0 || |
| 266 | (unsigned long) clear_len > 65535) { |
| 267 | goto cleanup; |
| 268 | } |
| 269 | MBEDTLS_PUT_UINT16_BE(clear_len, state_len_bytes, 0); |
| 270 | |
| 271 | /* Encrypt and authenticate */ |
| 272 | if ((ret = mbedtls_cipher_auth_encrypt_ext(&key->ctx, |
| 273 | iv, TICKET_IV_BYTES, |
| 274 | /* Additional data: key name, IV and length */ |
| 275 | key_name, TICKET_ADD_DATA_LEN, |
| 276 | state, clear_len, |
| 277 | state, end - state, &ciph_len, |
| 278 | TICKET_AUTH_TAG_BYTES)) != 0) { |
| 279 | goto cleanup; |
| 280 | } |
| 281 | if (ciph_len != clear_len + TICKET_AUTH_TAG_BYTES) { |
| 282 | ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| 283 | goto cleanup; |
| 284 | } |
| 285 | |
| 286 | *tlen = TICKET_MIN_LEN + ciph_len - TICKET_AUTH_TAG_BYTES; |
| 287 | |
| 288 | cleanup: |
| 289 | #if defined(MBEDTLS_THREADING_C) |
| 290 | if (mbedtls_mutex_unlock(&ctx->mutex) != 0) { |
| 291 | return MBEDTLS_ERR_THREADING_MUTEX_ERROR; |
| 292 | } |
| 293 | #endif |
| 294 | |
| 295 | return ret; |
| 296 | } |
| 297 | |
| 298 | /* |
| 299 | * Select key based on name |
| 300 | */ |
| 301 | static mbedtls_ssl_ticket_key *ssl_ticket_select_key( |
| 302 | mbedtls_ssl_ticket_context *ctx, |
| 303 | const unsigned char name[4]) |
| 304 | { |
| 305 | unsigned char i; |
| 306 | |
| 307 | for (i = 0; i < sizeof(ctx->keys) / sizeof(*ctx->keys); i++) { |
| 308 | if (memcmp(name, ctx->keys[i].name, 4) == 0) { |
| 309 | return &ctx->keys[i]; |
| 310 | } |
| 311 | } |
| 312 | |
| 313 | return NULL; |
| 314 | } |
| 315 | |
| 316 | /* |
| 317 | * Load session ticket (see mbedtls_ssl_ticket_write for structure) |
| 318 | */ |
| 319 | int mbedtls_ssl_ticket_parse(void *p_ticket, |
| 320 | mbedtls_ssl_session *session, |
| 321 | unsigned char *buf, |
| 322 | size_t len) |
| 323 | { |
| 324 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 325 | mbedtls_ssl_ticket_context *ctx = p_ticket; |
| 326 | mbedtls_ssl_ticket_key *key; |
| 327 | unsigned char *key_name = buf; |
| 328 | unsigned char *iv = buf + TICKET_KEY_NAME_BYTES; |
| 329 | unsigned char *enc_len_p = iv + TICKET_IV_BYTES; |
| 330 | unsigned char *ticket = enc_len_p + TICKET_CRYPT_LEN_BYTES; |
| 331 | size_t enc_len, clear_len; |
| 332 | |
| 333 | if (ctx == NULL || ctx->f_rng == NULL) { |
| 334 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
| 335 | } |
| 336 | |
| 337 | if (len < TICKET_MIN_LEN) { |
| 338 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
| 339 | } |
| 340 | |
| 341 | #if defined(MBEDTLS_THREADING_C) |
| 342 | if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) { |
| 343 | return ret; |
| 344 | } |
| 345 | #endif |
| 346 | |
| 347 | if ((ret = ssl_ticket_update_keys(ctx)) != 0) { |
| 348 | goto cleanup; |
| 349 | } |
| 350 | |
| 351 | enc_len = (enc_len_p[0] << 8) | enc_len_p[1]; |
| 352 | |
| 353 | if (len != TICKET_MIN_LEN + enc_len) { |
| 354 | ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
| 355 | goto cleanup; |
| 356 | } |
| 357 | |
| 358 | /* Select key */ |
| 359 | if ((key = ssl_ticket_select_key(ctx, key_name)) == NULL) { |
| 360 | /* We can't know for sure but this is a likely option unless we're |
| 361 | * under attack - this is only informative anyway */ |
| 362 | ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED; |
| 363 | goto cleanup; |
| 364 | } |
| 365 | |
| 366 | /* Decrypt and authenticate */ |
| 367 | if ((ret = mbedtls_cipher_auth_decrypt_ext(&key->ctx, |
| 368 | iv, TICKET_IV_BYTES, |
| 369 | /* Additional data: key name, IV and length */ |
| 370 | key_name, TICKET_ADD_DATA_LEN, |
| 371 | ticket, enc_len + TICKET_AUTH_TAG_BYTES, |
| 372 | ticket, enc_len, &clear_len, |
| 373 | TICKET_AUTH_TAG_BYTES)) != 0) { |
| 374 | if (ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED) { |
| 375 | ret = MBEDTLS_ERR_SSL_INVALID_MAC; |
| 376 | } |
| 377 | |
| 378 | goto cleanup; |
| 379 | } |
| 380 | if (clear_len != enc_len) { |
| 381 | ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| 382 | goto cleanup; |
| 383 | } |
| 384 | |
| 385 | /* Actually load session */ |
| 386 | if ((ret = mbedtls_ssl_session_load(session, ticket, clear_len)) != 0) { |
| 387 | goto cleanup; |
| 388 | } |
| 389 | |
| 390 | #if defined(MBEDTLS_HAVE_TIME) |
| 391 | { |
| 392 | /* Check for expiration */ |
| 393 | mbedtls_time_t current_time = mbedtls_time(NULL); |
| 394 | |
| 395 | if (current_time < session->start || |
| 396 | (uint32_t) (current_time - session->start) > ctx->ticket_lifetime) { |
| 397 | ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED; |
| 398 | goto cleanup; |
| 399 | } |
| 400 | } |
| 401 | #endif |
| 402 | |
| 403 | cleanup: |
| 404 | #if defined(MBEDTLS_THREADING_C) |
| 405 | if (mbedtls_mutex_unlock(&ctx->mutex) != 0) { |
| 406 | return MBEDTLS_ERR_THREADING_MUTEX_ERROR; |
| 407 | } |
| 408 | #endif |
| 409 | |
| 410 | return ret; |
| 411 | } |
| 412 | |
| 413 | /* |
| 414 | * Free context |
| 415 | */ |
| 416 | void mbedtls_ssl_ticket_free(mbedtls_ssl_ticket_context *ctx) |
| 417 | { |
| 418 | mbedtls_cipher_free(&ctx->keys[0].ctx); |
| 419 | mbedtls_cipher_free(&ctx->keys[1].ctx); |
| 420 | |
| 421 | #if defined(MBEDTLS_THREADING_C) |
| 422 | mbedtls_mutex_free(&ctx->mutex); |
| 423 | #endif |
| 424 | |
| 425 | mbedtls_platform_zeroize(ctx, sizeof(mbedtls_ssl_ticket_context)); |
| 426 | } |
| 427 | |
| 428 | #endif /* MBEDTLS_SSL_TICKET_C */ |
| 429 |
Generated on 2023-Sep-17 from project Godot revision 4.2
Powered by 
Code Browser 2.1
Generator usage only permitted with license.