TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 5479f5321aca0b08762074372e22f2c0033d939d / . / library / ssl_ticket.c
blob: 1c05001a86b22d26f2ee7f0a508f097c9fe84659 [file] [log] [blame]
Manuel Pégourié-Gonnardfd6d8972015-05-15 12:09:00 +0200[diff] [blame]1/*
2 * TLS server tickets callbacks implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Manuel Pégourié-Gonnardfd6d8972015-05-15 12:09:00 +0200[diff] [blame]18 */
19
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]20#include "common.h"
Manuel Pégourié-Gonnardfd6d8972015-05-15 12:09:00 +0200[diff] [blame]21
22#if defined(MBEDTLS_SSL_TICKET_C)
23
Manuel Pégourié-Gonnardfd6d8972015-05-15 12:09:00 +0200[diff] [blame]24#if defined(MBEDTLS_PLATFORM_C)
25#include "mbedtls/platform.h"
26#else
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]27#include <stdlib.h>
28#define mbedtls_calloc calloc
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]29#define mbedtls_free free
Manuel Pégourié-Gonnardfd6d8972015-05-15 12:09:00 +0200[diff] [blame]30#endif
31
Chris Jones84a773f2021-03-05 18:38:47 +0000[diff] [blame]32#include "ssl_misc.h"
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]33#include "mbedtls/ssl_ticket.h"
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]34#include "mbedtls/error.h"
Janos Follath73c616b2019-12-18 15:07:04 +0000[diff] [blame]35#include "mbedtls/platform_util.h"
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]36
Manuel Pégourié-Gonnardfd6d8972015-05-15 12:09:00 +0200[diff] [blame]37#include <string.h>
38
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]39/*
40 * Initialze context
41 */
42void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx )
43{
44 memset( ctx, 0, sizeof( mbedtls_ssl_ticket_context ) );
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]45
46#if defined(MBEDTLS_THREADING_C)
47 mbedtls_mutex_init( &ctx->mutex );
48#endif
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]49}
50
Glenn Straussa941b622022-02-09 15:24:56 -0500[diff] [blame]51#define MAX_KEY_BYTES MBEDTLS_SSL_TICKET_MAX_KEY_BYTES
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]52
Glenn Straussa941b622022-02-09 15:24:56 -0500[diff] [blame]53#define TICKET_KEY_NAME_BYTES MBEDTLS_SSL_TICKET_KEY_NAME_BYTES
Hanno Beckerd140d082018-11-17 21:18:01 +0000[diff] [blame]54#define TICKET_IV_BYTES 12
55#define TICKET_CRYPT_LEN_BYTES 2
56#define TICKET_AUTH_TAG_BYTES 16
57
58#define TICKET_MIN_LEN ( TICKET_KEY_NAME_BYTES + \
59 TICKET_IV_BYTES + \
60 TICKET_CRYPT_LEN_BYTES + \
61 TICKET_AUTH_TAG_BYTES )
62#define TICKET_ADD_DATA_LEN ( TICKET_KEY_NAME_BYTES + \
63 TICKET_IV_BYTES + \
64 TICKET_CRYPT_LEN_BYTES )
65
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]66/*
67 * Generate/update a key
68 */
69static int ssl_ticket_gen_key( mbedtls_ssl_ticket_context *ctx,
70 unsigned char index )
71{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]72 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]73 unsigned char buf[MAX_KEY_BYTES];
74 mbedtls_ssl_ticket_key *key = ctx->keys + index;
75
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]76#if defined(MBEDTLS_USE_PSA_CRYPTO)
77 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
78#endif
79
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]80#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]81 key->generation_time = (uint32_t) mbedtls_time( NULL );
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]82#endif
83
84 if( ( ret = ctx->f_rng( ctx->p_rng, key->name, sizeof( key->name ) ) ) != 0 )
85 return( ret );
86
87 if( ( ret = ctx->f_rng( ctx->p_rng, buf, sizeof( buf ) ) ) != 0 )
88 return( ret );
89
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]90#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]91 psa_set_key_usage_flags( &attributes,
92 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT );
93 psa_set_key_algorithm( &attributes, key->alg );
94 psa_set_key_type( &attributes, key->key_type );
95 psa_set_key_bits( &attributes, key->key_bits );
96
97 ret = psa_ssl_status_to_mbedtls(
98 psa_import_key( &attributes, buf,
99 PSA_BITS_TO_BYTES( key->key_bits ),
100 &key->key ) );
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]101#else
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]102 /* With GCM and CCM, same context can encrypt & decrypt */
103 ret = mbedtls_cipher_setkey( &key->ctx, buf,
Manuel Pégourié-Gonnard097c7bb2015-06-18 16:43:38 +0200[diff] [blame]104 mbedtls_cipher_get_key_bitlen( &key->ctx ),
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]105 MBEDTLS_ENCRYPT );
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]106#endif /* MBEDTLS_USE_PSA_CRYPTO */
107
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]108 mbedtls_platform_zeroize( buf, sizeof( buf ) );
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]109
110 return( ret );
111}
112
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]113/*
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]114 * Rotate/generate keys if necessary
115 */
116static int ssl_ticket_update_keys( mbedtls_ssl_ticket_context *ctx )
117{
118#if !defined(MBEDTLS_HAVE_TIME)
119 ((void) ctx);
120#else
121 if( ctx->ticket_lifetime != 0 )
122 {
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]123 uint32_t current_time = (uint32_t) mbedtls_time( NULL );
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]124 uint32_t key_time = ctx->keys[ctx->active].generation_time;
125
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]126#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gabor Mezei5b8b8902022-03-16 12:56:58 +0100[diff] [blame]127 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]128#endif
129
Hanno Beckeraa715002018-08-21 13:55:31 +0100[diff] [blame]130 if( current_time >= key_time &&
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]131 current_time - key_time < ctx->ticket_lifetime )
132 {
133 return( 0 );
134 }
135
136 ctx->active = 1 - ctx->active;
137
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]138#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gabor Mezei5b8b8902022-03-16 12:56:58 +0100[diff] [blame]139 if( ( status = psa_destroy_key( ctx->keys[ctx->active].key ) ) != PSA_SUCCESS )
140 {
Gabor Mezei103e08a2022-03-16 13:40:11 +0100[diff] [blame]141 return psa_ssl_status_to_mbedtls( status );
Gabor Mezei5b8b8902022-03-16 12:56:58 +0100[diff] [blame]142 }
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]143#endif /* MBEDTLS_USE_PSA_CRYPTO */
144
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]145 return( ssl_ticket_gen_key( ctx, ctx->active ) );
146 }
147 else
148#endif /* MBEDTLS_HAVE_TIME */
149 return( 0 );
150}
151
152/*
Glenn Straussa9509382022-02-02 23:32:18 -0500[diff] [blame]153 * Rotate active session ticket encryption key
154 */
155int mbedtls_ssl_ticket_rotate( mbedtls_ssl_ticket_context *ctx,
156 const unsigned char *name, size_t nlength,
157 const unsigned char *k, size_t klength,
158 uint32_t lifetime )
159{
160 const unsigned char idx = 1 - ctx->active;
161 mbedtls_ssl_ticket_key * const key = ctx->keys + idx;
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]162 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
163
164#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gabor Mezei5b8b8902022-03-16 12:56:58 +0100[diff] [blame]165 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]166 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Gabor Mezei36c9f512022-03-16 12:55:32 +0100[diff] [blame]167 const size_t bitlen = key->key_bits;
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]168#else
Glenn Straussa9509382022-02-02 23:32:18 -0500[diff] [blame]169 const int bitlen = mbedtls_cipher_get_key_bitlen( &key->ctx );
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]170#endif
171
Glenn Straussa9509382022-02-02 23:32:18 -0500[diff] [blame]172 if( nlength < TICKET_KEY_NAME_BYTES || klength * 8 < (size_t)bitlen )
173 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
174
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]175#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gabor Mezei5b8b8902022-03-16 12:56:58 +0100[diff] [blame]176 if( ( status = psa_destroy_key( key->key ) ) != PSA_SUCCESS )
177 {
178 ret = psa_ssl_status_to_mbedtls( status );
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]179 return( ret );
Gabor Mezei5b8b8902022-03-16 12:56:58 +0100[diff] [blame]180 }
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]181
182 psa_set_key_usage_flags( &attributes,
183 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT );
184 psa_set_key_algorithm( &attributes, key->alg );
185 psa_set_key_type( &attributes, key->key_type );
186 psa_set_key_bits( &attributes, key->key_bits );
187
Gabor Mezei103e08a2022-03-16 13:40:11 +0100[diff] [blame]188 if( ( status = psa_import_key( &attributes, k,
189 PSA_BITS_TO_BYTES( key->key_bits ),
190 &key->key ) ) != PSA_SUCCESS )
Gabor Mezei5b8b8902022-03-16 12:56:58 +0100[diff] [blame]191 {
192 ret = psa_ssl_status_to_mbedtls( status );
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]193 return( ret );
Gabor Mezei5b8b8902022-03-16 12:56:58 +0100[diff] [blame]194 }
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]195#else
Glenn Straussa9509382022-02-02 23:32:18 -0500[diff] [blame]196 ret = mbedtls_cipher_setkey( &key->ctx, k, bitlen, MBEDTLS_ENCRYPT );
197 if( ret != 0 )
198 return( ret );
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]199#endif /* MBEDTLS_USE_PSA_CRYPTO */
200
Glenn Straussa9509382022-02-02 23:32:18 -0500[diff] [blame]201 ctx->active = idx;
202 ctx->ticket_lifetime = lifetime;
203 memcpy( key->name, name, TICKET_KEY_NAME_BYTES );
204#if defined(MBEDTLS_HAVE_TIME)
205 key->generation_time = (uint32_t) mbedtls_time( NULL );
206#endif
207 return 0;
208}
209
210/*
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]211 * Setup context for actual use
212 */
213int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
214 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
Manuel Pégourié-Gonnarda0adc1b2015-05-25 10:35:16 +0200[diff] [blame]215 mbedtls_cipher_type_t cipher,
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]216 uint32_t lifetime )
217{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]218 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Neil Armstrong3bf040e2022-04-27 10:35:24 +0200[diff] [blame]219 size_t key_bits;
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]220
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]221#if defined(MBEDTLS_USE_PSA_CRYPTO)
222 psa_algorithm_t alg;
223 psa_key_type_t key_type;
Neil Armstrong858581e2022-04-01 18:03:15 +0200[diff] [blame]224#else
225 const mbedtls_cipher_info_t *cipher_info;
226#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]227
Neil Armstrong858581e2022-04-01 18:03:15 +0200[diff] [blame]228#if defined(MBEDTLS_USE_PSA_CRYPTO)
229 if( mbedtls_ssl_cipher_to_psa( cipher, TICKET_AUTH_TAG_BYTES,
230 &alg, &key_type, &key_bits ) != PSA_SUCCESS )
231 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
232
233 if( PSA_ALG_IS_AEAD( alg ) == 0 )
234 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Neil Armstrong858581e2022-04-01 18:03:15 +0200[diff] [blame]235#else
Gabor Mezeie6d867f2022-03-10 15:04:58 +0100[diff] [blame]236 cipher_info = mbedtls_cipher_info_from_type( cipher );
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]237
Gilles Peskinee720dbe2021-07-19 17:37:46 +0200[diff] [blame]238 if( mbedtls_cipher_info_get_mode( cipher_info ) != MBEDTLS_MODE_GCM &&
Gabor Mezei49c8eb32022-03-10 16:13:17 +0100[diff] [blame]239 mbedtls_cipher_info_get_mode( cipher_info ) != MBEDTLS_MODE_CCM &&
240 mbedtls_cipher_info_get_mode( cipher_info ) != MBEDTLS_MODE_CHACHAPOLY )
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]241 {
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]242 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]243 }
244
Neil Armstrong3bf040e2022-04-27 10:35:24 +0200[diff] [blame]245 key_bits = mbedtls_cipher_info_get_key_bitlen( cipher_info );
246#endif /* MBEDTLS_USE_PSA_CRYPTO */
247
248 if( key_bits > 8 * MAX_KEY_BYTES )
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]249 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
250
Neil Armstrong3bf040e2022-04-27 10:35:24 +0200[diff] [blame]251 ctx->f_rng = f_rng;
252 ctx->p_rng = p_rng;
253
254 ctx->ticket_lifetime = lifetime;
255
256#if defined(MBEDTLS_USE_PSA_CRYPTO)
257 ctx->keys[0].alg = alg;
258 ctx->keys[0].key_type = key_type;
259 ctx->keys[0].key_bits = key_bits;
260
261 ctx->keys[1].alg = alg;
262 ctx->keys[1].key_type = key_type;
263 ctx->keys[1].key_bits = key_bits;
264#else
Hanno Becker679d8ce2018-11-17 21:25:59 +0000[diff] [blame]265 if( ( ret = mbedtls_cipher_setup( &ctx->keys[0].ctx, cipher_info ) ) != 0 )
266 return( ret );
267
Hanno Becker679d8ce2018-11-17 21:25:59 +0000[diff] [blame]268 if( ( ret = mbedtls_cipher_setup( &ctx->keys[1].ctx, cipher_info ) ) != 0 )
269 return( ret );
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]270#endif /* MBEDTLS_USE_PSA_CRYPTO */
271
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]272 if( ( ret = ssl_ticket_gen_key( ctx, 0 ) ) != 0 ||
273 ( ret = ssl_ticket_gen_key( ctx, 1 ) ) != 0 )
Manuel Pégourié-Gonnarda0adc1b2015-05-25 10:35:16 +0200[diff] [blame]274 {
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]275 return( ret );
Manuel Pégourié-Gonnarda0adc1b2015-05-25 10:35:16 +0200[diff] [blame]276 }
277
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]278 return( 0 );
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]279}
280
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]281/*
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]282 * Create session ticket, with the following structure:
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]283 *
284 * struct {
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]285 * opaque key_name[4];
286 * opaque iv[12];
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]287 * opaque encrypted_state<0..2^16-1>;
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]288 * opaque tag[16];
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]289 * } ticket;
290 *
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]291 * The key_name, iv, and length of encrypted_state are the additional
292 * authenticated data.
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]293 */
Hanno Beckerd140d082018-11-17 21:18:01 +0000[diff] [blame]294
Manuel Pégourié-Gonnardb0394be2015-05-19 11:40:30 +0200[diff] [blame]295int mbedtls_ssl_ticket_write( void *p_ticket,
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]296 const mbedtls_ssl_session *session,
297 unsigned char *start,
298 const unsigned char *end,
Manuel Pégourié-Gonnardb0394be2015-05-19 11:40:30 +0200[diff] [blame]299 size_t *tlen,
300 uint32_t *ticket_lifetime )
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]301{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]302 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]303 mbedtls_ssl_ticket_context *ctx = p_ticket;
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]304 mbedtls_ssl_ticket_key *key;
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]305 unsigned char *key_name = start;
Hanno Beckerd140d082018-11-17 21:18:01 +0000[diff] [blame]306 unsigned char *iv = start + TICKET_KEY_NAME_BYTES;
307 unsigned char *state_len_bytes = iv + TICKET_IV_BYTES;
308 unsigned char *state = state_len_bytes + TICKET_CRYPT_LEN_BYTES;
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]309 size_t clear_len, ciph_len;
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]310
Gabor Mezei5b8b8902022-03-16 12:56:58 +0100[diff] [blame]311#if defined(MBEDTLS_USE_PSA_CRYPTO)
312 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
313#endif
314
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]315 *tlen = 0;
316
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]317 if( ctx == NULL || ctx->f_rng == NULL )
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]318 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
319
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]320 /* We need at least 4 bytes for key_name, 12 for IV, 2 for len 16 for tag,
321 * in addition to session itself, that will be checked when writing it. */
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]322 MBEDTLS_SSL_CHK_BUF_PTR( start, end, TICKET_MIN_LEN );
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]323
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]324#if defined(MBEDTLS_THREADING_C)
325 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
326 return( ret );
327#endif
328
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]329 if( ( ret = ssl_ticket_update_keys( ctx ) ) != 0 )
330 goto cleanup;
331
332 key = &ctx->keys[ctx->active];
333
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]334 *ticket_lifetime = ctx->ticket_lifetime;
335
Hanno Beckerd140d082018-11-17 21:18:01 +0000[diff] [blame]336 memcpy( key_name, key->name, TICKET_KEY_NAME_BYTES );
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]337
Hanno Beckerd140d082018-11-17 21:18:01 +0000[diff] [blame]338 if( ( ret = ctx->f_rng( ctx->p_rng, iv, TICKET_IV_BYTES ) ) != 0 )
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]339 goto cleanup;
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]340
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]341 /* Dump session state */
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +0200[diff] [blame]342 if( ( ret = mbedtls_ssl_session_save( session,
343 state, end - state,
344 &clear_len ) ) != 0 ||
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]345 (unsigned long) clear_len > 65535 )
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]346 {
347 goto cleanup;
348 }
Joe Subbiani6dd73642021-07-19 11:56:54 +0100[diff] [blame]349 MBEDTLS_PUT_UINT16_BE( clear_len, state_len_bytes, 0 );
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]350
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]351 /* Encrypt and authenticate */
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]352#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gabor Mezei5b8b8902022-03-16 12:56:58 +0100[diff] [blame]353 if( ( status = psa_aead_encrypt( key->key, key->alg, iv, TICKET_IV_BYTES,
354 key_name, TICKET_ADD_DATA_LEN,
355 state, clear_len,
356 state, end - state,
357 &ciph_len ) ) != PSA_SUCCESS )
358 {
359 ret = psa_ssl_status_to_mbedtls( status );
360 goto cleanup;
361 }
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]362#else
Manuel Pégourié-Gonnardf5cf71e2020-12-01 11:43:40 +0100[diff] [blame]363 if( ( ret = mbedtls_cipher_auth_encrypt_ext( &key->ctx,
Hanno Beckerd140d082018-11-17 21:18:01 +0000[diff] [blame]364 iv, TICKET_IV_BYTES,
365 /* Additional data: key name, IV and length */
366 key_name, TICKET_ADD_DATA_LEN,
Manuel Pégourié-Gonnardf5cf71e2020-12-01 11:43:40 +0100[diff] [blame]367 state, clear_len,
368 state, end - state, &ciph_len,
369 TICKET_AUTH_TAG_BYTES ) ) != 0 )
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]370 {
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]371 goto cleanup;
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]372 }
Gabor Mezei5b8b8902022-03-16 12:56:58 +0100[diff] [blame]373#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]374
Manuel Pégourié-Gonnardf5cf71e2020-12-01 11:43:40 +0100[diff] [blame]375 if( ciph_len != clear_len + TICKET_AUTH_TAG_BYTES )
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]376 {
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]377 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]378 goto cleanup;
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]379 }
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]380
Manuel Pégourié-Gonnardf5cf71e2020-12-01 11:43:40 +0100[diff] [blame]381 *tlen = TICKET_MIN_LEN + ciph_len - TICKET_AUTH_TAG_BYTES;
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]382
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]383cleanup:
384#if defined(MBEDTLS_THREADING_C)
385 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
386 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
387#endif
388
389 return( ret );
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]390}
391
392/*
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]393 * Select key based on name
394 */
395static mbedtls_ssl_ticket_key *ssl_ticket_select_key(
396 mbedtls_ssl_ticket_context *ctx,
397 const unsigned char name[4] )
398{
399 unsigned char i;
400
401 for( i = 0; i < sizeof( ctx->keys ) / sizeof( *ctx->keys ); i++ )
402 if( memcmp( name, ctx->keys[i].name, 4 ) == 0 )
403 return( &ctx->keys[i] );
404
405 return( NULL );
406}
407
408/*
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]409 * Load session ticket (see mbedtls_ssl_ticket_write for structure)
410 */
Manuel Pégourié-Gonnardb0394be2015-05-19 11:40:30 +0200[diff] [blame]411int mbedtls_ssl_ticket_parse( void *p_ticket,
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]412 mbedtls_ssl_session *session,
413 unsigned char *buf,
414 size_t len )
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]415{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]416 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]417 mbedtls_ssl_ticket_context *ctx = p_ticket;
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]418 mbedtls_ssl_ticket_key *key;
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]419 unsigned char *key_name = buf;
Hanno Beckerd140d082018-11-17 21:18:01 +0000[diff] [blame]420 unsigned char *iv = buf + TICKET_KEY_NAME_BYTES;
421 unsigned char *enc_len_p = iv + TICKET_IV_BYTES;
422 unsigned char *ticket = enc_len_p + TICKET_CRYPT_LEN_BYTES;
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]423 size_t enc_len, clear_len;
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]424
Gabor Mezei5b8b8902022-03-16 12:56:58 +0100[diff] [blame]425#if defined(MBEDTLS_USE_PSA_CRYPTO)
426 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
427#endif
428
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]429 if( ctx == NULL || ctx->f_rng == NULL )
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]430 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]431
Hanno Beckerd140d082018-11-17 21:18:01 +0000[diff] [blame]432 if( len < TICKET_MIN_LEN )
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]433 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]434
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]435#if defined(MBEDTLS_THREADING_C)
436 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
437 return( ret );
438#endif
439
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]440 if( ( ret = ssl_ticket_update_keys( ctx ) ) != 0 )
441 goto cleanup;
442
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]443 enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]444
Hanno Beckerd140d082018-11-17 21:18:01 +0000[diff] [blame]445 if( len != TICKET_MIN_LEN + enc_len )
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]446 {
447 ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
448 goto cleanup;
449 }
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]450
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]451 /* Select key */
452 if( ( key = ssl_ticket_select_key( ctx, key_name ) ) == NULL )
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]453 {
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]454 /* We can't know for sure but this is a likely option unless we're
455 * under attack - this is only informative anyway */
456 ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]457 goto cleanup;
458 }
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]459
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]460 /* Decrypt and authenticate */
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]461#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gabor Mezei5b8b8902022-03-16 12:56:58 +0100[diff] [blame]462 if( ( status = psa_aead_decrypt( key->key, key->alg, iv, TICKET_IV_BYTES,
463 key_name, TICKET_ADD_DATA_LEN,
464 ticket, enc_len + TICKET_AUTH_TAG_BYTES,
465 ticket, enc_len, &clear_len ) ) != PSA_SUCCESS )
466 {
467 ret = psa_ssl_status_to_mbedtls( status );
468 goto cleanup;
469 }
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]470#else
Manuel Pégourié-Gonnardf5cf71e2020-12-01 11:43:40 +0100[diff] [blame]471 if( ( ret = mbedtls_cipher_auth_decrypt_ext( &key->ctx,
Hanno Beckerd140d082018-11-17 21:18:01 +0000[diff] [blame]472 iv, TICKET_IV_BYTES,
473 /* Additional data: key name, IV and length */
474 key_name, TICKET_ADD_DATA_LEN,
Manuel Pégourié-Gonnardf5cf71e2020-12-01 11:43:40 +0100[diff] [blame]475 ticket, enc_len + TICKET_AUTH_TAG_BYTES,
476 ticket, enc_len, &clear_len,
477 TICKET_AUTH_TAG_BYTES ) ) != 0 )
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]478 {
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]479 if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
480 ret = MBEDTLS_ERR_SSL_INVALID_MAC;
481
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]482 goto cleanup;
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]483 }
Gabor Mezei5b8b8902022-03-16 12:56:58 +0100[diff] [blame]484#endif /* MBEDTLS_USE_PSA_CRYPTO */
485
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]486 if( clear_len != enc_len )
487 {
488 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]489 goto cleanup;
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]490 }
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]491
492 /* Actually load session */
Manuel Pégourié-Gonnarda3e7c652019-05-16 10:08:35 +0200[diff] [blame]493 if( ( ret = mbedtls_ssl_session_load( session, ticket, clear_len ) ) != 0 )
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]494 goto cleanup;
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]495
496#if defined(MBEDTLS_HAVE_TIME)
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]497 {
Manuel Pégourié-Gonnard8eff5122015-05-20 11:41:36 +0200[diff] [blame]498 /* Check for expiration */
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]499 mbedtls_time_t current_time = mbedtls_time( NULL );
Manuel Pégourié-Gonnard8eff5122015-05-20 11:41:36 +0200[diff] [blame]500
501 if( current_time < session->start ||
502 (uint32_t)( current_time - session->start ) > ctx->ticket_lifetime )
503 {
504 ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
505 goto cleanup;
506 }
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]507 }
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]508#endif
509
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]510cleanup:
511#if defined(MBEDTLS_THREADING_C)
512 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
513 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
514#endif
515
516 return( ret );
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]517}
518
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]519/*
520 * Free context
521 */
522void mbedtls_ssl_ticket_free( mbedtls_ssl_ticket_context *ctx )
523{
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]524#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]525 psa_destroy_key( ctx->keys[0].key );
526 psa_destroy_key( ctx->keys[1].key );
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]527#else
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]528 mbedtls_cipher_free( &ctx->keys[0].ctx );
529 mbedtls_cipher_free( &ctx->keys[1].ctx );
Gabor Mezei2a020512022-03-10 15:15:46 +0100[diff] [blame]530#endif /* MBEDTLS_USE_PSA_CRYPTO */
531
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]532#if defined(MBEDTLS_THREADING_C)
533 mbedtls_mutex_free( &ctx->mutex );
534#endif
535
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]536 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ssl_ticket_context ) );
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]537}
538
Manuel Pégourié-Gonnardfd6d8972015-05-15 12:09:00 +0200[diff] [blame]539#endif /* MBEDTLS_SSL_TICKET_C */