TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 301711e96ee71bef96163f51ba877f8b3fa92301 / . / library / ssl_ticket.c
blob: 39f120995deadb118ba8fedd521f4e31ec922f45 [file] [log] [blame]
Manuel Pégourié-Gonnardfd6d8972015-05-15 12:09:00 +0200[diff] [blame]1/*
2 * TLS server tickets callbacks implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Manuel Pégourié-Gonnardfd6d8972015-05-15 12:09:00 +0200[diff] [blame]18 */
19
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]20#include "common.h"
Manuel Pégourié-Gonnardfd6d8972015-05-15 12:09:00 +0200[diff] [blame]21
22#if defined(MBEDTLS_SSL_TICKET_C)
23
Manuel Pégourié-Gonnardfd6d8972015-05-15 12:09:00 +0200[diff] [blame]24#if defined(MBEDTLS_PLATFORM_C)
25#include "mbedtls/platform.h"
26#else
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]27#include <stdlib.h>
28#define mbedtls_calloc calloc
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]29#define mbedtls_free free
Manuel Pégourié-Gonnardfd6d8972015-05-15 12:09:00 +0200[diff] [blame]30#endif
31
Chris Jones84a773f2021-03-05 18:38:47 +0000[diff] [blame]32#include "ssl_misc.h"
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]33#include "mbedtls/ssl_ticket.h"
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]34#include "mbedtls/error.h"
Janos Follath73c616b2019-12-18 15:07:04 +0000[diff] [blame]35#include "mbedtls/platform_util.h"
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]36
Manuel Pégourié-Gonnardfd6d8972015-05-15 12:09:00 +0200[diff] [blame]37#include <string.h>
38
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]39/*
40 * Initialze context
41 */
42void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx )
43{
44 memset( ctx, 0, sizeof( mbedtls_ssl_ticket_context ) );
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]45
46#if defined(MBEDTLS_THREADING_C)
47 mbedtls_mutex_init( &ctx->mutex );
48#endif
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]49}
50
Glenn Straussa941b622022-02-09 15:24:56 -0500[diff] [blame]51#define MAX_KEY_BYTES MBEDTLS_SSL_TICKET_MAX_KEY_BYTES
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]52
Glenn Straussa941b622022-02-09 15:24:56 -0500[diff] [blame]53#define TICKET_KEY_NAME_BYTES MBEDTLS_SSL_TICKET_KEY_NAME_BYTES
Hanno Beckerd140d082018-11-17 21:18:01 +0000[diff] [blame]54#define TICKET_IV_BYTES 12
55#define TICKET_CRYPT_LEN_BYTES 2
56#define TICKET_AUTH_TAG_BYTES 16
57
58#define TICKET_MIN_LEN ( TICKET_KEY_NAME_BYTES + \
59 TICKET_IV_BYTES + \
60 TICKET_CRYPT_LEN_BYTES + \
61 TICKET_AUTH_TAG_BYTES )
62#define TICKET_ADD_DATA_LEN ( TICKET_KEY_NAME_BYTES + \
63 TICKET_IV_BYTES + \
64 TICKET_CRYPT_LEN_BYTES )
65
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]66/*
67 * Generate/update a key
68 */
69static int ssl_ticket_gen_key( mbedtls_ssl_ticket_context *ctx,
70 unsigned char index )
71{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]72 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]73 unsigned char buf[MAX_KEY_BYTES];
74 mbedtls_ssl_ticket_key *key = ctx->keys + index;
75
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]76#if defined(MBEDTLS_USE_PSA_CRYPTO)
77 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
78#endif
79
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]80#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]81 key->generation_time = (uint32_t) mbedtls_time( NULL );
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]82#endif
83
84 if( ( ret = ctx->f_rng( ctx->p_rng, key->name, sizeof( key->name ) ) ) != 0 )
85 return( ret );
86
87 if( ( ret = ctx->f_rng( ctx->p_rng, buf, sizeof( buf ) ) ) != 0 )
88 return( ret );
89
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]90#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]91 psa_set_key_usage_flags( &attributes,
92 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT );
93 psa_set_key_algorithm( &attributes, key->alg );
94 psa_set_key_type( &attributes, key->key_type );
95 psa_set_key_bits( &attributes, key->key_bits );
96
97 ret = psa_ssl_status_to_mbedtls(
98 psa_import_key( &attributes, buf,
99 PSA_BITS_TO_BYTES( key->key_bits ),
100 &key->key ) );
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]101#else
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]102 /* With GCM and CCM, same context can encrypt & decrypt */
103 ret = mbedtls_cipher_setkey( &key->ctx, buf,
Manuel Pégourié-Gonnard097c7bb2015-06-18 16:43:38 +0200[diff] [blame]104 mbedtls_cipher_get_key_bitlen( &key->ctx ),
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]105 MBEDTLS_ENCRYPT );
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]106#endif /* MBEDTLS_USE_PSA_CRYPTO */
107
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]108 mbedtls_platform_zeroize( buf, sizeof( buf ) );
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]109
110 return( ret );
111}
112
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]113/*
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]114 * Rotate/generate keys if necessary
115 */
116static int ssl_ticket_update_keys( mbedtls_ssl_ticket_context *ctx )
117{
118#if !defined(MBEDTLS_HAVE_TIME)
119 ((void) ctx);
120#else
121 if( ctx->ticket_lifetime != 0 )
122 {
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]123 uint32_t current_time = (uint32_t) mbedtls_time( NULL );
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]124 uint32_t key_time = ctx->keys[ctx->active].generation_time;
125
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]126#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gabor Mezei5b8b8902022-03-16 12:56:58 +0100[diff] [blame]127 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]128#endif
129
Hanno Beckeraa715002018-08-21 13:55:31 +0100[diff] [blame]130 if( current_time >= key_time &&
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]131 current_time - key_time < ctx->ticket_lifetime )
132 {
133 return( 0 );
134 }
135
136 ctx->active = 1 - ctx->active;
137
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]138#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gabor Mezei5b8b8902022-03-16 12:56:58 +0100[diff] [blame]139 if( ( status = psa_destroy_key( ctx->keys[ctx->active].key ) ) != PSA_SUCCESS )
140 {
Gabor Mezei103e08a2022-03-16 13:40:11 +0100[diff] [blame]141 return psa_ssl_status_to_mbedtls( status );
Gabor Mezei5b8b8902022-03-16 12:56:58 +0100[diff] [blame]142 }
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]143#endif /* MBEDTLS_USE_PSA_CRYPTO */
144
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]145 return( ssl_ticket_gen_key( ctx, ctx->active ) );
146 }
147 else
148#endif /* MBEDTLS_HAVE_TIME */
149 return( 0 );
150}
151
152/*
Glenn Straussa9509382022-02-02 23:32:18 -0500[diff] [blame]153 * Rotate active session ticket encryption key
154 */
155int mbedtls_ssl_ticket_rotate( mbedtls_ssl_ticket_context *ctx,
156 const unsigned char *name, size_t nlength,
157 const unsigned char *k, size_t klength,
158 uint32_t lifetime )
159{
160 const unsigned char idx = 1 - ctx->active;
161 mbedtls_ssl_ticket_key * const key = ctx->keys + idx;
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]162 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
163
164#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gabor Mezei5b8b8902022-03-16 12:56:58 +0100[diff] [blame]165 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]166 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gabor Mezei36c9f512022-03-16 12:55:32 +0100[diff] [blame]167 const size_t bitlen = key->key_bits;
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]168#else
Glenn Straussa9509382022-02-02 23:32:18 -0500[diff] [blame]169 const int bitlen = mbedtls_cipher_get_key_bitlen( &key->ctx );
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]170#endif
171
Glenn Straussa9509382022-02-02 23:32:18 -0500[diff] [blame]172 if( nlength < TICKET_KEY_NAME_BYTES || klength * 8 < (size_t)bitlen )
173 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
174
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]175#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gabor Mezei5b8b8902022-03-16 12:56:58 +0100[diff] [blame]176 if( ( status = psa_destroy_key( key->key ) ) != PSA_SUCCESS )
177 {
178 ret = psa_ssl_status_to_mbedtls( status );
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]179 return( ret );
Gabor Mezei5b8b8902022-03-16 12:56:58 +0100[diff] [blame]180 }
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]181
182 psa_set_key_usage_flags( &attributes,
183 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT );
184 psa_set_key_algorithm( &attributes, key->alg );
185 psa_set_key_type( &attributes, key->key_type );
186 psa_set_key_bits( &attributes, key->key_bits );
187
Gabor Mezei103e08a2022-03-16 13:40:11 +0100[diff] [blame]188 if( ( status = psa_import_key( &attributes, k,
189 PSA_BITS_TO_BYTES( key->key_bits ),
190 &key->key ) ) != PSA_SUCCESS )
Gabor Mezei5b8b8902022-03-16 12:56:58 +0100[diff] [blame]191 {
192 ret = psa_ssl_status_to_mbedtls( status );
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]193 return( ret );
Gabor Mezei5b8b8902022-03-16 12:56:58 +0100[diff] [blame]194 }
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]195#else
Glenn Straussa9509382022-02-02 23:32:18 -0500[diff] [blame]196 ret = mbedtls_cipher_setkey( &key->ctx, k, bitlen, MBEDTLS_ENCRYPT );
197 if( ret != 0 )
198 return( ret );
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]199#endif /* MBEDTLS_USE_PSA_CRYPTO */
200
Glenn Straussa9509382022-02-02 23:32:18 -0500[diff] [blame]201 ctx->active = idx;
202 ctx->ticket_lifetime = lifetime;
203 memcpy( key->name, name, TICKET_KEY_NAME_BYTES );
204#if defined(MBEDTLS_HAVE_TIME)
205 key->generation_time = (uint32_t) mbedtls_time( NULL );
206#endif
207 return 0;
208}
209
210/*
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]211 * Setup context for actual use
212 */
213int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
214 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
Manuel Pégourié-Gonnarda0adc1b2015-05-25 10:35:16 +0200[diff] [blame]215 mbedtls_cipher_type_t cipher,
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]216 uint32_t lifetime )
217{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]218 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]219
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]220#if defined(MBEDTLS_USE_PSA_CRYPTO)
221 psa_algorithm_t alg;
222 psa_key_type_t key_type;
223 size_t key_bits;
Neil Armstrong858581e2022-04-01 18:03:15 +0200[diff] [blame]224#else
225 const mbedtls_cipher_info_t *cipher_info;
226#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]227
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]228 ctx->f_rng = f_rng;
229 ctx->p_rng = p_rng;
230
231 ctx->ticket_lifetime = lifetime;
232
Neil Armstrong858581e2022-04-01 18:03:15 +0200[diff] [blame]233#if defined(MBEDTLS_USE_PSA_CRYPTO)
234 if( mbedtls_ssl_cipher_to_psa( cipher, TICKET_AUTH_TAG_BYTES,
235 &alg, &key_type, &key_bits ) != PSA_SUCCESS )
236 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
237
238 if( PSA_ALG_IS_AEAD( alg ) == 0 )
239 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
240
241 if( key_bits > PSA_BYTES_TO_BITS( MAX_KEY_BYTES ) )
242 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
243
244 ctx->keys[0].alg = alg;
245 ctx->keys[0].key_type = key_type;
246 ctx->keys[0].key_bits = key_bits;
247
248 ctx->keys[1].alg = alg;
249 ctx->keys[1].key_type = key_type;
250 ctx->keys[1].key_bits = key_bits;
251#else
Gabor Mezeie6d867f2022-03-10 15:04:58 +0100[diff] [blame]252 cipher_info = mbedtls_cipher_info_from_type( cipher );
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]253
Gilles Peskinee720dbe2021-07-19 17:37:46 +0200[diff] [blame]254 if( mbedtls_cipher_info_get_mode( cipher_info ) != MBEDTLS_MODE_GCM &&
Gabor Mezei49c8eb32022-03-10 16:13:17 +0100[diff] [blame]255 mbedtls_cipher_info_get_mode( cipher_info ) != MBEDTLS_MODE_CCM &&
256 mbedtls_cipher_info_get_mode( cipher_info ) != MBEDTLS_MODE_CHACHAPOLY )
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]257 {
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]258 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]259 }
260
Gilles Peskinee720dbe2021-07-19 17:37:46 +0200[diff] [blame]261 if( mbedtls_cipher_info_get_key_bitlen( cipher_info ) > 8 * MAX_KEY_BYTES )
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]262 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
263
Hanno Becker679d8ce2018-11-17 21:25:59 +0000[diff] [blame]264 if( ( ret = mbedtls_cipher_setup( &ctx->keys[0].ctx, cipher_info ) ) != 0 )
265 return( ret );
266
Hanno Becker679d8ce2018-11-17 21:25:59 +0000[diff] [blame]267 if( ( ret = mbedtls_cipher_setup( &ctx->keys[1].ctx, cipher_info ) ) != 0 )
268 return( ret );
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]269#endif /* MBEDTLS_USE_PSA_CRYPTO */
270
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]271 if( ( ret = ssl_ticket_gen_key( ctx, 0 ) ) != 0 ||
272 ( ret = ssl_ticket_gen_key( ctx, 1 ) ) != 0 )
Manuel Pégourié-Gonnarda0adc1b2015-05-25 10:35:16 +0200[diff] [blame]273 {
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]274 return( ret );
Manuel Pégourié-Gonnarda0adc1b2015-05-25 10:35:16 +0200[diff] [blame]275 }
276
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]277 return( 0 );
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]278}
279
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]280/*
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]281 * Create session ticket, with the following structure:
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]282 *
283 * struct {
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]284 * opaque key_name[4];
285 * opaque iv[12];
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]286 * opaque encrypted_state<0..2^16-1>;
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]287 * opaque tag[16];
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]288 * } ticket;
289 *
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]290 * The key_name, iv, and length of encrypted_state are the additional
291 * authenticated data.
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]292 */
Hanno Beckerd140d082018-11-17 21:18:01 +0000[diff] [blame]293
Manuel Pégourié-Gonnardb0394be2015-05-19 11:40:30 +0200[diff] [blame]294int mbedtls_ssl_ticket_write( void *p_ticket,
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]295 const mbedtls_ssl_session *session,
296 unsigned char *start,
297 const unsigned char *end,
Manuel Pégourié-Gonnardb0394be2015-05-19 11:40:30 +0200[diff] [blame]298 size_t *tlen,
299 uint32_t *ticket_lifetime )
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]300{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]301 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]302 mbedtls_ssl_ticket_context *ctx = p_ticket;
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]303 mbedtls_ssl_ticket_key *key;
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]304 unsigned char *key_name = start;
Hanno Beckerd140d082018-11-17 21:18:01 +0000[diff] [blame]305 unsigned char *iv = start + TICKET_KEY_NAME_BYTES;
306 unsigned char *state_len_bytes = iv + TICKET_IV_BYTES;
307 unsigned char *state = state_len_bytes + TICKET_CRYPT_LEN_BYTES;
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]308 size_t clear_len, ciph_len;
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]309
Gabor Mezei5b8b8902022-03-16 12:56:58 +0100[diff] [blame]310#if defined(MBEDTLS_USE_PSA_CRYPTO)
311 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
312#endif
313
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]314 *tlen = 0;
315
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]316 if( ctx == NULL || ctx->f_rng == NULL )
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]317 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
318
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]319 /* We need at least 4 bytes for key_name, 12 for IV, 2 for len 16 for tag,
320 * in addition to session itself, that will be checked when writing it. */
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]321 MBEDTLS_SSL_CHK_BUF_PTR( start, end, TICKET_MIN_LEN );
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]322
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]323#if defined(MBEDTLS_THREADING_C)
324 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
325 return( ret );
326#endif
327
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]328 if( ( ret = ssl_ticket_update_keys( ctx ) ) != 0 )
329 goto cleanup;
330
331 key = &ctx->keys[ctx->active];
332
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]333 *ticket_lifetime = ctx->ticket_lifetime;
334
Hanno Beckerd140d082018-11-17 21:18:01 +0000[diff] [blame]335 memcpy( key_name, key->name, TICKET_KEY_NAME_BYTES );
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]336
Hanno Beckerd140d082018-11-17 21:18:01 +0000[diff] [blame]337 if( ( ret = ctx->f_rng( ctx->p_rng, iv, TICKET_IV_BYTES ) ) != 0 )
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]338 goto cleanup;
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]339
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]340 /* Dump session state */
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +0200[diff] [blame]341 if( ( ret = mbedtls_ssl_session_save( session,
342 state, end - state,
343 &clear_len ) ) != 0 ||
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]344 (unsigned long) clear_len > 65535 )
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]345 {
346 goto cleanup;
347 }
Joe Subbiani6dd73642021-07-19 11:56:54 +0100[diff] [blame]348 MBEDTLS_PUT_UINT16_BE( clear_len, state_len_bytes, 0 );
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]349
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]350 /* Encrypt and authenticate */
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]351#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gabor Mezei5b8b8902022-03-16 12:56:58 +0100[diff] [blame]352 if( ( status = psa_aead_encrypt( key->key, key->alg, iv, TICKET_IV_BYTES,
353 key_name, TICKET_ADD_DATA_LEN,
354 state, clear_len,
355 state, end - state,
356 &ciph_len ) ) != PSA_SUCCESS )
357 {
358 ret = psa_ssl_status_to_mbedtls( status );
359 goto cleanup;
360 }
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]361#else
Manuel Pégourié-Gonnardf5cf71e2020-12-01 11:43:40 +0100[diff] [blame]362 if( ( ret = mbedtls_cipher_auth_encrypt_ext( &key->ctx,
Hanno Beckerd140d082018-11-17 21:18:01 +0000[diff] [blame]363 iv, TICKET_IV_BYTES,
364 /* Additional data: key name, IV and length */
365 key_name, TICKET_ADD_DATA_LEN,
Manuel Pégourié-Gonnardf5cf71e2020-12-01 11:43:40 +0100[diff] [blame]366 state, clear_len,
367 state, end - state, &ciph_len,
368 TICKET_AUTH_TAG_BYTES ) ) != 0 )
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]369 {
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]370 goto cleanup;
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]371 }
Gabor Mezei5b8b8902022-03-16 12:56:58 +0100[diff] [blame]372#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]373
Manuel Pégourié-Gonnardf5cf71e2020-12-01 11:43:40 +0100[diff] [blame]374 if( ciph_len != clear_len + TICKET_AUTH_TAG_BYTES )
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]375 {
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]376 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]377 goto cleanup;
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]378 }
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]379
Manuel Pégourié-Gonnardf5cf71e2020-12-01 11:43:40 +0100[diff] [blame]380 *tlen = TICKET_MIN_LEN + ciph_len - TICKET_AUTH_TAG_BYTES;
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]381
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]382cleanup:
383#if defined(MBEDTLS_THREADING_C)
384 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
385 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
386#endif
387
388 return( ret );
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]389}
390
391/*
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]392 * Select key based on name
393 */
394static mbedtls_ssl_ticket_key *ssl_ticket_select_key(
395 mbedtls_ssl_ticket_context *ctx,
396 const unsigned char name[4] )
397{
398 unsigned char i;
399
400 for( i = 0; i < sizeof( ctx->keys ) / sizeof( *ctx->keys ); i++ )
401 if( memcmp( name, ctx->keys[i].name, 4 ) == 0 )
402 return( &ctx->keys[i] );
403
404 return( NULL );
405}
406
407/*
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]408 * Load session ticket (see mbedtls_ssl_ticket_write for structure)
409 */
Manuel Pégourié-Gonnardb0394be2015-05-19 11:40:30 +0200[diff] [blame]410int mbedtls_ssl_ticket_parse( void *p_ticket,
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]411 mbedtls_ssl_session *session,
412 unsigned char *buf,
413 size_t len )
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]414{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]415 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]416 mbedtls_ssl_ticket_context *ctx = p_ticket;
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]417 mbedtls_ssl_ticket_key *key;
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]418 unsigned char *key_name = buf;
Hanno Beckerd140d082018-11-17 21:18:01 +0000[diff] [blame]419 unsigned char *iv = buf + TICKET_KEY_NAME_BYTES;
420 unsigned char *enc_len_p = iv + TICKET_IV_BYTES;
421 unsigned char *ticket = enc_len_p + TICKET_CRYPT_LEN_BYTES;
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]422 size_t enc_len, clear_len;
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]423
Gabor Mezei5b8b8902022-03-16 12:56:58 +0100[diff] [blame]424#if defined(MBEDTLS_USE_PSA_CRYPTO)
425 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
426#endif
427
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]428 if( ctx == NULL || ctx->f_rng == NULL )
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]429 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]430
Hanno Beckerd140d082018-11-17 21:18:01 +0000[diff] [blame]431 if( len < TICKET_MIN_LEN )
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]432 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]433
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]434#if defined(MBEDTLS_THREADING_C)
435 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
436 return( ret );
437#endif
438
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]439 if( ( ret = ssl_ticket_update_keys( ctx ) ) != 0 )
440 goto cleanup;
441
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]442 enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]443
Hanno Beckerd140d082018-11-17 21:18:01 +0000[diff] [blame]444 if( len != TICKET_MIN_LEN + enc_len )
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]445 {
446 ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
447 goto cleanup;
448 }
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]449
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]450 /* Select key */
451 if( ( key = ssl_ticket_select_key( ctx, key_name ) ) == NULL )
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]452 {
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]453 /* We can't know for sure but this is a likely option unless we're
454 * under attack - this is only informative anyway */
455 ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]456 goto cleanup;
457 }
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]458
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]459 /* Decrypt and authenticate */
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]460#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gabor Mezei5b8b8902022-03-16 12:56:58 +0100[diff] [blame]461 if( ( status = psa_aead_decrypt( key->key, key->alg, iv, TICKET_IV_BYTES,
462 key_name, TICKET_ADD_DATA_LEN,
463 ticket, enc_len + TICKET_AUTH_TAG_BYTES,
464 ticket, enc_len, &clear_len ) ) != PSA_SUCCESS )
465 {
466 ret = psa_ssl_status_to_mbedtls( status );
467 goto cleanup;
468 }
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]469#else
Manuel Pégourié-Gonnardf5cf71e2020-12-01 11:43:40 +0100[diff] [blame]470 if( ( ret = mbedtls_cipher_auth_decrypt_ext( &key->ctx,
Hanno Beckerd140d082018-11-17 21:18:01 +0000[diff] [blame]471 iv, TICKET_IV_BYTES,
472 /* Additional data: key name, IV and length */
473 key_name, TICKET_ADD_DATA_LEN,
Manuel Pégourié-Gonnardf5cf71e2020-12-01 11:43:40 +0100[diff] [blame]474 ticket, enc_len + TICKET_AUTH_TAG_BYTES,
475 ticket, enc_len, &clear_len,
476 TICKET_AUTH_TAG_BYTES ) ) != 0 )
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]477 {
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]478 if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
479 ret = MBEDTLS_ERR_SSL_INVALID_MAC;
480
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]481 goto cleanup;
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]482 }
Gabor Mezei5b8b8902022-03-16 12:56:58 +0100[diff] [blame]483#endif /* MBEDTLS_USE_PSA_CRYPTO */
484
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]485 if( clear_len != enc_len )
486 {
487 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]488 goto cleanup;
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]489 }
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]490
491 /* Actually load session */
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +0200[diff] [blame]492 if( ( ret = mbedtls_ssl_session_load( session, ticket, clear_len ) ) != 0 )
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]493 goto cleanup;
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]494
495#if defined(MBEDTLS_HAVE_TIME)
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]496 {
Manuel Pégourié-Gonnard8eff5122015-05-20 11:41:36 +0200[diff] [blame]497 /* Check for expiration */
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]498 mbedtls_time_t current_time = mbedtls_time( NULL );
Manuel Pégourié-Gonnard8eff5122015-05-20 11:41:36 +0200[diff] [blame]499
500 if( current_time < session->start ||
501 (uint32_t)( current_time - session->start ) > ctx->ticket_lifetime )
502 {
503 ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
504 goto cleanup;
505 }
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]506 }
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]507#endif
508
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]509cleanup:
510#if defined(MBEDTLS_THREADING_C)
511 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
512 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
513#endif
514
515 return( ret );
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]516}
517
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]518/*
519 * Free context
520 */
521void mbedtls_ssl_ticket_free( mbedtls_ssl_ticket_context *ctx )
522{
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]523#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]524 psa_destroy_key( ctx->keys[0].key );
525 psa_destroy_key( ctx->keys[1].key );
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]526#else
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]527 mbedtls_cipher_free( &ctx->keys[0].ctx );
528 mbedtls_cipher_free( &ctx->keys[1].ctx );
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]529#endif /* MBEDTLS_USE_PSA_CRYPTO */
530
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]531#if defined(MBEDTLS_THREADING_C)
532 mbedtls_mutex_free( &ctx->mutex );
533#endif
534
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]535 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ssl_ticket_context ) );
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]536}
537
Manuel Pégourié-Gonnardfd6d8972015-05-15 12:09:00 +0200[diff] [blame]538#endif /* MBEDTLS_SSL_TICKET_C */