TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 910a751037a1e424f38ed63621c2d5d3d067fe63 / . / library / ssl_ticket.c
blob: 23ee122cfc90bec42d1c2e645c57931d0f27e355 [file] [log] [blame]
Manuel Pégourié-Gonnardfd6d8972015-05-15 12:09:00 +0200[diff] [blame]1/*
2 * TLS server tickets callbacks implementation
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Manuel Pégourié-Gonnardfd6d8972015-05-15 12:09:00 +0200[diff] [blame]18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
Manuel Pégourié-Gonnardfd6d8972015-05-15 12:09:00 +0200[diff] [blame]20 */
21
22#if !defined(MBEDTLS_CONFIG_FILE)
23#include "mbedtls/config.h"
24#else
25#include MBEDTLS_CONFIG_FILE
26#endif
27
28#if defined(MBEDTLS_SSL_TICKET_C)
29
Manuel Pégourié-Gonnardfd6d8972015-05-15 12:09:00 +0200[diff] [blame]30#if defined(MBEDTLS_PLATFORM_C)
31#include "mbedtls/platform.h"
32#else
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]33#include <stdlib.h>
34#define mbedtls_calloc calloc
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]35#define mbedtls_free free
Manuel Pégourié-Gonnardfd6d8972015-05-15 12:09:00 +0200[diff] [blame]36#endif
37
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]38#include "mbedtls/ssl_ticket.h"
39
Manuel Pégourié-Gonnardfd6d8972015-05-15 12:09:00 +0200[diff] [blame]40#include <string.h>
41
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]42/* Implementation that should never be optimized out by the compiler */
43static void mbedtls_zeroize( void *v, size_t n ) {
44 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
45}
46
47/*
48 * Initialze context
49 */
50void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx )
51{
52 memset( ctx, 0, sizeof( mbedtls_ssl_ticket_context ) );
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]53
54#if defined(MBEDTLS_THREADING_C)
55 mbedtls_mutex_init( &ctx->mutex );
56#endif
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]57}
58
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]59#define MAX_KEY_BYTES 32 /* 256 bits */
60
Hanno Becker910a7512018-11-17 21:18:01 +0000[diff] [blame^]61#define TICKET_KEY_NAME_BYTES 4
62#define TICKET_IV_BYTES 12
63#define TICKET_CRYPT_LEN_BYTES 2
64#define TICKET_AUTH_TAG_BYTES 16
65
66#define TICKET_MIN_LEN ( TICKET_KEY_NAME_BYTES + \
67 TICKET_IV_BYTES + \
68 TICKET_CRYPT_LEN_BYTES + \
69 TICKET_AUTH_TAG_BYTES )
70#define TICKET_ADD_DATA_LEN ( TICKET_KEY_NAME_BYTES + \
71 TICKET_IV_BYTES + \
72 TICKET_CRYPT_LEN_BYTES )
73
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]74/*
75 * Generate/update a key
76 */
77static int ssl_ticket_gen_key( mbedtls_ssl_ticket_context *ctx,
78 unsigned char index )
79{
80 int ret;
81 unsigned char buf[MAX_KEY_BYTES];
82 mbedtls_ssl_ticket_key *key = ctx->keys + index;
83
84#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]85 key->generation_time = (uint32_t) mbedtls_time( NULL );
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]86#endif
87
88 if( ( ret = ctx->f_rng( ctx->p_rng, key->name, sizeof( key->name ) ) ) != 0 )
89 return( ret );
90
91 if( ( ret = ctx->f_rng( ctx->p_rng, buf, sizeof( buf ) ) ) != 0 )
92 return( ret );
93
94 /* With GCM and CCM, same context can encrypt & decrypt */
95 ret = mbedtls_cipher_setkey( &key->ctx, buf,
Manuel Pégourié-Gonnard097c7bb2015-06-18 16:43:38 +0200[diff] [blame]96 mbedtls_cipher_get_key_bitlen( &key->ctx ),
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]97 MBEDTLS_ENCRYPT );
98
99 mbedtls_zeroize( buf, sizeof( buf ) );
100
101 return( ret );
102}
103
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]104/*
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]105 * Rotate/generate keys if necessary
106 */
107static int ssl_ticket_update_keys( mbedtls_ssl_ticket_context *ctx )
108{
109#if !defined(MBEDTLS_HAVE_TIME)
110 ((void) ctx);
111#else
112 if( ctx->ticket_lifetime != 0 )
113 {
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]114 uint32_t current_time = (uint32_t) mbedtls_time( NULL );
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]115 uint32_t key_time = ctx->keys[ctx->active].generation_time;
116
Hanno Becker6c794fa2018-08-21 13:55:31 +0100[diff] [blame]117 if( current_time >= key_time &&
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]118 current_time - key_time < ctx->ticket_lifetime )
119 {
120 return( 0 );
121 }
122
123 ctx->active = 1 - ctx->active;
124
125 return( ssl_ticket_gen_key( ctx, ctx->active ) );
126 }
127 else
128#endif /* MBEDTLS_HAVE_TIME */
129 return( 0 );
130}
131
132/*
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]133 * Setup context for actual use
134 */
135int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
136 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
Manuel Pégourié-Gonnarda0adc1b2015-05-25 10:35:16 +0200[diff] [blame]137 mbedtls_cipher_type_t cipher,
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]138 uint32_t lifetime )
139{
140 int ret;
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]141 const mbedtls_cipher_info_t *cipher_info;
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]142
143 ctx->f_rng = f_rng;
144 ctx->p_rng = p_rng;
145
146 ctx->ticket_lifetime = lifetime;
147
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]148 cipher_info = mbedtls_cipher_info_from_type( cipher);
149 if( cipher_info == NULL )
150 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
151
152 if( cipher_info->mode != MBEDTLS_MODE_GCM &&
153 cipher_info->mode != MBEDTLS_MODE_CCM )
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]154 {
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]155 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]156 }
157
Manuel Pégourié-Gonnard898e0aa2015-06-18 15:28:12 +0200[diff] [blame]158 if( cipher_info->key_bitlen > 8 * MAX_KEY_BYTES )
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]159 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
160
161 if( ( ret = mbedtls_cipher_setup( &ctx->keys[0].ctx, cipher_info ) ) != 0 ||
162 ( ret = mbedtls_cipher_setup( &ctx->keys[1].ctx, cipher_info ) ) != 0 )
Manuel Pégourié-Gonnarda0adc1b2015-05-25 10:35:16 +0200[diff] [blame]163 {
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]164 return( ret );
Manuel Pégourié-Gonnarda0adc1b2015-05-25 10:35:16 +0200[diff] [blame]165 }
166
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]167 if( ( ret = ssl_ticket_gen_key( ctx, 0 ) ) != 0 ||
168 ( ret = ssl_ticket_gen_key( ctx, 1 ) ) != 0 )
Manuel Pégourié-Gonnarda0adc1b2015-05-25 10:35:16 +0200[diff] [blame]169 {
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]170 return( ret );
Manuel Pégourié-Gonnarda0adc1b2015-05-25 10:35:16 +0200[diff] [blame]171 }
172
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]173 return( 0 );
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]174}
175
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]176/*
177 * Serialize a session in the following format:
178 * 0 . n-1 session structure, n = sizeof(mbedtls_ssl_session)
179 * n . n+2 peer_cert length = m (0 if no certificate)
180 * n+3 . n+2+m peer cert ASN.1
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]181 */
182static int ssl_save_session( const mbedtls_ssl_session *session,
183 unsigned char *buf, size_t buf_len,
184 size_t *olen )
185{
186 unsigned char *p = buf;
187 size_t left = buf_len;
188#if defined(MBEDTLS_X509_CRT_PARSE_C)
189 size_t cert_len;
190#endif /* MBEDTLS_X509_CRT_PARSE_C */
191
192 if( left < sizeof( mbedtls_ssl_session ) )
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]193 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]194
195 memcpy( p, session, sizeof( mbedtls_ssl_session ) );
196 p += sizeof( mbedtls_ssl_session );
197 left -= sizeof( mbedtls_ssl_session );
198
199#if defined(MBEDTLS_X509_CRT_PARSE_C)
200 if( session->peer_cert == NULL )
201 cert_len = 0;
202 else
203 cert_len = session->peer_cert->raw.len;
204
205 if( left < 3 + cert_len )
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]206 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]207
Hanno Beckere67f7a72018-10-24 13:31:49 +0100[diff] [blame]208 *p++ = (unsigned char)( ( cert_len >> 16 ) & 0xFF );
209 *p++ = (unsigned char)( ( cert_len >> 8 ) & 0xFF );
210 *p++ = (unsigned char)( ( cert_len ) & 0xFF );
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]211
212 if( session->peer_cert != NULL )
213 memcpy( p, session->peer_cert->raw.p, cert_len );
214
215 p += cert_len;
216#endif /* MBEDTLS_X509_CRT_PARSE_C */
217
218 *olen = p - buf;
219
220 return( 0 );
221}
222
223/*
224 * Unserialise session, see ssl_save_session()
225 */
226static int ssl_load_session( mbedtls_ssl_session *session,
227 const unsigned char *buf, size_t len )
228{
229 const unsigned char *p = buf;
230 const unsigned char * const end = buf + len;
231#if defined(MBEDTLS_X509_CRT_PARSE_C)
232 size_t cert_len;
233#endif /* MBEDTLS_X509_CRT_PARSE_C */
234
Hanno Beckerfa95a6a2018-10-24 13:33:02 +0100[diff] [blame]235 if( sizeof( mbedtls_ssl_session ) > (size_t)( end - p ) )
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]236 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
237
238 memcpy( session, p, sizeof( mbedtls_ssl_session ) );
239 p += sizeof( mbedtls_ssl_session );
240
241#if defined(MBEDTLS_X509_CRT_PARSE_C)
Hanno Beckerfa95a6a2018-10-24 13:33:02 +0100[diff] [blame]242 if( 3 > (size_t)( end - p ) )
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]243 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
244
245 cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
246 p += 3;
247
248 if( cert_len == 0 )
249 {
250 session->peer_cert = NULL;
251 }
252 else
253 {
254 int ret;
255
Hanno Beckerfa95a6a2018-10-24 13:33:02 +0100[diff] [blame]256 if( cert_len > (size_t)( end - p ) )
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]257 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
258
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]259 session->peer_cert = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]260
261 if( session->peer_cert == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]262 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]263
264 mbedtls_x509_crt_init( session->peer_cert );
265
266 if( ( ret = mbedtls_x509_crt_parse_der( session->peer_cert,
Hanno Becker52adf342018-10-24 13:41:37 +0100[diff] [blame]267 p, cert_len ) ) != 0 )
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]268 {
269 mbedtls_x509_crt_free( session->peer_cert );
270 mbedtls_free( session->peer_cert );
271 session->peer_cert = NULL;
272 return( ret );
273 }
274
275 p += cert_len;
276 }
277#endif /* MBEDTLS_X509_CRT_PARSE_C */
278
279 if( p != end )
280 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
281
282 return( 0 );
283}
284
285/*
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]286 * Create session ticket, with the following structure:
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]287 *
288 * struct {
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]289 * opaque key_name[4];
290 * opaque iv[12];
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]291 * opaque encrypted_state<0..2^16-1>;
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]292 * opaque tag[16];
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]293 * } ticket;
294 *
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]295 * The key_name, iv, and length of encrypted_state are the additional
296 * authenticated data.
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]297 */
Hanno Becker910a7512018-11-17 21:18:01 +0000[diff] [blame^]298
Manuel Pégourié-Gonnardb0394be2015-05-19 11:40:30 +0200[diff] [blame]299int mbedtls_ssl_ticket_write( void *p_ticket,
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]300 const mbedtls_ssl_session *session,
301 unsigned char *start,
302 const unsigned char *end,
Manuel Pégourié-Gonnardb0394be2015-05-19 11:40:30 +0200[diff] [blame]303 size_t *tlen,
304 uint32_t *ticket_lifetime )
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]305{
306 int ret;
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]307 mbedtls_ssl_ticket_context *ctx = p_ticket;
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]308 mbedtls_ssl_ticket_key *key;
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]309 unsigned char *key_name = start;
Hanno Becker910a7512018-11-17 21:18:01 +0000[diff] [blame^]310 unsigned char *iv = start + TICKET_KEY_NAME_BYTES;
311 unsigned char *state_len_bytes = iv + TICKET_IV_BYTES;
312 unsigned char *state = state_len_bytes + TICKET_CRYPT_LEN_BYTES;
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]313 unsigned char *tag;
314 size_t clear_len, ciph_len;
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]315
316 *tlen = 0;
317
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]318 if( ctx == NULL || ctx->f_rng == NULL )
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]319 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
320
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]321 /* We need at least 4 bytes for key_name, 12 for IV, 2 for len 16 for tag,
322 * in addition to session itself, that will be checked when writing it. */
Hanno Becker910a7512018-11-17 21:18:01 +0000[diff] [blame^]323 if( end - start < TICKET_MIN_LEN )
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]324 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
325
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]326#if defined(MBEDTLS_THREADING_C)
327 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
328 return( ret );
329#endif
330
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]331 if( ( ret = ssl_ticket_update_keys( ctx ) ) != 0 )
332 goto cleanup;
333
334 key = &ctx->keys[ctx->active];
335
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]336 *ticket_lifetime = ctx->ticket_lifetime;
337
Hanno Becker910a7512018-11-17 21:18:01 +0000[diff] [blame^]338 memcpy( key_name, key->name, TICKET_KEY_NAME_BYTES );
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]339
Hanno Becker910a7512018-11-17 21:18:01 +0000[diff] [blame^]340 if( ( ret = ctx->f_rng( ctx->p_rng, iv, TICKET_IV_BYTES ) ) != 0 )
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]341 goto cleanup;
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]342
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]343 /* Dump session state */
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]344 if( ( ret = ssl_save_session( session,
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]345 state, end - state, &clear_len ) ) != 0 ||
346 (unsigned long) clear_len > 65535 )
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]347 {
348 goto cleanup;
349 }
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]350 state_len_bytes[0] = ( clear_len >> 8 ) & 0xff;
351 state_len_bytes[1] = ( clear_len ) & 0xff;
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]352
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]353 /* Encrypt and authenticate */
354 tag = state + clear_len;
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]355 if( ( ret = mbedtls_cipher_auth_encrypt( &key->ctx,
Hanno Becker910a7512018-11-17 21:18:01 +0000[diff] [blame^]356 iv, TICKET_IV_BYTES,
357 /* Additional data: key name, IV and length */
358 key_name, TICKET_ADD_DATA_LEN,
359 state, clear_len, state, &ciph_len,
360 tag, TICKET_AUTH_TAG_BYTES ) ) != 0 )
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]361 {
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]362 goto cleanup;
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]363 }
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]364 if( ciph_len != clear_len )
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]365 {
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]366 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]367 goto cleanup;
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]368 }
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]369
Hanno Becker910a7512018-11-17 21:18:01 +0000[diff] [blame^]370 *tlen = TICKET_MIN_LEN + ciph_len;
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]371
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]372cleanup:
373#if defined(MBEDTLS_THREADING_C)
374 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
375 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
376#endif
377
378 return( ret );
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]379}
380
381/*
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]382 * Select key based on name
383 */
384static mbedtls_ssl_ticket_key *ssl_ticket_select_key(
385 mbedtls_ssl_ticket_context *ctx,
386 const unsigned char name[4] )
387{
388 unsigned char i;
389
390 for( i = 0; i < sizeof( ctx->keys ) / sizeof( *ctx->keys ); i++ )
391 if( memcmp( name, ctx->keys[i].name, 4 ) == 0 )
392 return( &ctx->keys[i] );
393
394 return( NULL );
395}
396
397/*
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]398 * Load session ticket (see mbedtls_ssl_ticket_write for structure)
399 */
Manuel Pégourié-Gonnardb0394be2015-05-19 11:40:30 +0200[diff] [blame]400int mbedtls_ssl_ticket_parse( void *p_ticket,
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]401 mbedtls_ssl_session *session,
402 unsigned char *buf,
403 size_t len )
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]404{
405 int ret;
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]406 mbedtls_ssl_ticket_context *ctx = p_ticket;
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]407 mbedtls_ssl_ticket_key *key;
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]408 unsigned char *key_name = buf;
Hanno Becker910a7512018-11-17 21:18:01 +0000[diff] [blame^]409 unsigned char *iv = buf + TICKET_KEY_NAME_BYTES;
410 unsigned char *enc_len_p = iv + TICKET_IV_BYTES;
411 unsigned char *ticket = enc_len_p + TICKET_CRYPT_LEN_BYTES;
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]412 unsigned char *tag;
413 size_t enc_len, clear_len;
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]414
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]415 if( ctx == NULL || ctx->f_rng == NULL )
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]416 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]417
Hanno Becker910a7512018-11-17 21:18:01 +0000[diff] [blame^]418 if( len < TICKET_MIN_LEN )
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]419 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]420
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]421#if defined(MBEDTLS_THREADING_C)
422 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
423 return( ret );
424#endif
425
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]426 if( ( ret = ssl_ticket_update_keys( ctx ) ) != 0 )
427 goto cleanup;
428
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]429 enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]430 tag = ticket + enc_len;
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]431
Hanno Becker910a7512018-11-17 21:18:01 +0000[diff] [blame^]432 if( len != TICKET_MIN_LEN + enc_len )
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]433 {
434 ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
435 goto cleanup;
436 }
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]437
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]438 /* Select key */
439 if( ( key = ssl_ticket_select_key( ctx, key_name ) ) == NULL )
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]440 {
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]441 /* We can't know for sure but this is a likely option unless we're
442 * under attack - this is only informative anyway */
443 ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]444 goto cleanup;
445 }
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]446
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]447 /* Decrypt and authenticate */
Hanno Becker910a7512018-11-17 21:18:01 +0000[diff] [blame^]448 if( ( ret = mbedtls_cipher_auth_decrypt( &key->ctx,
449 iv, TICKET_IV_BYTES,
450 /* Additional data: key name, IV and length */
451 key_name, TICKET_ADD_DATA_LEN,
452 ticket, enc_len,
453 ticket, &clear_len,
454 tag, TICKET_AUTH_TAG_BYTES ) ) != 0 )
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]455 {
Manuel Pégourié-Gonnard1e9c4db2015-05-25 14:07:08 +0200[diff] [blame]456 if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
457 ret = MBEDTLS_ERR_SSL_INVALID_MAC;
458
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]459 goto cleanup;
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]460 }
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]461 if( clear_len != enc_len )
462 {
463 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]464 goto cleanup;
Manuel Pégourié-Gonnard1041a392015-05-20 19:59:39 +0200[diff] [blame]465 }
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]466
467 /* Actually load session */
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]468 if( ( ret = ssl_load_session( session, ticket, clear_len ) ) != 0 )
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]469 goto cleanup;
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]470
471#if defined(MBEDTLS_HAVE_TIME)
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]472 {
Manuel Pégourié-Gonnard8eff5122015-05-20 11:41:36 +0200[diff] [blame]473 /* Check for expiration */
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]474 mbedtls_time_t current_time = mbedtls_time( NULL );
Manuel Pégourié-Gonnard8eff5122015-05-20 11:41:36 +0200[diff] [blame]475
476 if( current_time < session->start ||
477 (uint32_t)( current_time - session->start ) > ctx->ticket_lifetime )
478 {
479 ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
480 goto cleanup;
481 }
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]482 }
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]483#endif
484
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]485cleanup:
486#if defined(MBEDTLS_THREADING_C)
487 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
488 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
489#endif
490
491 return( ret );
Manuel Pégourié-Gonnarda4a47352015-05-15 15:14:54 +0200[diff] [blame]492}
493
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]494/*
495 * Free context
496 */
497void mbedtls_ssl_ticket_free( mbedtls_ssl_ticket_context *ctx )
498{
Manuel Pégourié-Gonnard887674a2015-05-25 11:00:19 +0200[diff] [blame]499 mbedtls_cipher_free( &ctx->keys[0].ctx );
500 mbedtls_cipher_free( &ctx->keys[1].ctx );
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]501
Manuel Pégourié-Gonnard0849a0a2015-05-20 11:34:54 +0200[diff] [blame]502#if defined(MBEDTLS_THREADING_C)
503 mbedtls_mutex_free( &ctx->mutex );
504#endif
505
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]506 mbedtls_zeroize( ctx, sizeof( mbedtls_ssl_ticket_context ) );
507}
508
Manuel Pégourié-Gonnardfd6d8972015-05-15 12:09:00 +0200[diff] [blame]509#endif /* MBEDTLS_SSL_TICKET_C */