Internal changes in preparation for key rotation

- two sets of keys
- separate function for key generation/update
This commit is contained in:
Manuel Pégourié-Gonnard 2015-05-25 11:00:19 +02:00
parent a0adc1bbe4
commit 887674a33b
2 changed files with 70 additions and 40 deletions

View File

@ -35,13 +35,23 @@
extern "C" { extern "C" {
#endif #endif
/**
* \brief Information for session ticket protection
*/
typedef struct
{
unsigned char name[4]; /*!< random key identifier */
uint32_t generation_time; /*!< key generation timestamp (seconds) */
mbedtls_cipher_context_t ctx; /*!< context for auth enc/decryption */
}
mbedtls_ssl_ticket_key;
/** /**
* \brief Context for session ticket handling functions * \brief Context for session ticket handling functions
*/ */
typedef struct typedef struct
{ {
unsigned char key_name[4]; /*!< name to quickly reject bad tickets */ mbedtls_ssl_ticket_key keys[2]; /*!< ticket protection keys */
mbedtls_cipher_context_t cipher;/*!< cipher context */
uint32_t ticket_lifetime; /*!< lifetime of tickets in seconds */ uint32_t ticket_lifetime; /*!< lifetime of tickets in seconds */

View File

@ -56,6 +56,38 @@ void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx )
#endif #endif
} }
#define MAX_KEY_BYTES 32 /* 256 bits */
/*
* Generate/update a key
*/
static int ssl_ticket_gen_key( mbedtls_ssl_ticket_context *ctx,
unsigned char index )
{
int ret;
unsigned char buf[MAX_KEY_BYTES];
mbedtls_ssl_ticket_key *key = ctx->keys + index;
#if defined(MBEDTLS_HAVE_TIME)
key->generation_time = (uint32_t) time( NULL );
#endif
if( ( ret = ctx->f_rng( ctx->p_rng, key->name, sizeof( key->name ) ) ) != 0 )
return( ret );
if( ( ret = ctx->f_rng( ctx->p_rng, buf, sizeof( buf ) ) ) != 0 )
return( ret );
/* With GCM and CCM, same context can encrypt & decrypt */
ret = mbedtls_cipher_setkey( &key->ctx, buf,
mbedtls_cipher_get_key_size( &key->ctx ),
MBEDTLS_ENCRYPT );
mbedtls_zeroize( buf, sizeof( buf ) );
return( ret );
}
/* /*
* Setup context for actual use * Setup context for actual use
*/ */
@ -65,56 +97,41 @@ int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
uint32_t lifetime ) uint32_t lifetime )
{ {
int ret; int ret;
unsigned char buf[32]; const mbedtls_cipher_info_t *cipher_info;
mbedtls_cipher_mode_t mode;
size_t key_bits;
ctx->f_rng = f_rng; ctx->f_rng = f_rng;
ctx->p_rng = p_rng; ctx->p_rng = p_rng;
ctx->ticket_lifetime = lifetime; ctx->ticket_lifetime = lifetime;
if( ( ret = mbedtls_cipher_setup( &ctx->cipher, cipher_info = mbedtls_cipher_info_from_type( cipher);
mbedtls_cipher_info_from_type( cipher) ) ) != 0 ) if( cipher_info == NULL )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
if( cipher_info->mode != MBEDTLS_MODE_GCM &&
cipher_info->mode != MBEDTLS_MODE_CCM )
{ {
goto cleanup; return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
} }
mode = mbedtls_cipher_get_cipher_mode( &ctx->cipher ); if( cipher_info->key_length > 8 * MAX_KEY_BYTES )
if( mode != MBEDTLS_MODE_GCM && mode != MBEDTLS_MODE_CCM ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
if( ( ret = mbedtls_cipher_setup( &ctx->keys[0].ctx, cipher_info ) ) != 0 ||
( ret = mbedtls_cipher_setup( &ctx->keys[1].ctx, cipher_info ) ) != 0 )
{ {
ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
goto cleanup;
}
key_bits = mbedtls_cipher_get_key_size( &ctx->cipher );
if( key_bits > 8 * sizeof( buf ) )
{
ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
goto cleanup;
}
if( ( ret = f_rng( p_rng, buf, sizeof( buf ) ) != 0 ) )
{
goto cleanup;
}
/* With GCM and CCM, same context can encrypt & decrypt */
if( ( ret = mbedtls_cipher_setkey( &ctx->cipher, buf, key_bits,
MBEDTLS_ENCRYPT ) ) != 0 )
{
goto cleanup;
}
cleanup:
mbedtls_zeroize( buf, sizeof( buf ) );
if( ret != 0 )
mbedtls_ssl_ticket_free( ctx );
return( ret ); return( ret );
} }
if( ( ret = ssl_ticket_gen_key( ctx, 0 ) ) != 0 ||
( ret = ssl_ticket_gen_key( ctx, 1 ) ) != 0 )
{
return( ret );
}
return( 0 );
}
/* /*
* Serialize a session in the following format: * Serialize a session in the following format:
* 0 . n-1 session structure, n = sizeof(mbedtls_ssl_session) * 0 . n-1 session structure, n = sizeof(mbedtls_ssl_session)
@ -246,6 +263,7 @@ int mbedtls_ssl_ticket_write( void *p_ticket,
{ {
int ret; int ret;
mbedtls_ssl_ticket_context *ctx = p_ticket; mbedtls_ssl_ticket_context *ctx = p_ticket;
mbedtls_ssl_ticket_key *key = ctx->keys;
unsigned char *key_name = start; unsigned char *key_name = start;
unsigned char *iv = start + 4; unsigned char *iv = start + 4;
unsigned char *state_len_bytes = iv + 12; unsigned char *state_len_bytes = iv + 12;
@ -270,7 +288,7 @@ int mbedtls_ssl_ticket_write( void *p_ticket,
*ticket_lifetime = ctx->ticket_lifetime; *ticket_lifetime = ctx->ticket_lifetime;
memcpy( key_name, ctx->key_name, 4 ); memcpy( key_name, key->name, 4 );
if( ( ret = ctx->f_rng( ctx->p_rng, iv, 12 ) ) != 0 ) if( ( ret = ctx->f_rng( ctx->p_rng, iv, 12 ) ) != 0 )
goto cleanup; goto cleanup;
@ -287,7 +305,7 @@ int mbedtls_ssl_ticket_write( void *p_ticket,
/* Encrypt and authenticate */ /* Encrypt and authenticate */
tag = state + clear_len; tag = state + clear_len;
if( ( ret = mbedtls_cipher_auth_encrypt( &ctx->cipher, if( ( ret = mbedtls_cipher_auth_encrypt( &key->ctx,
iv, 12, key_name, 4 + 12 + 2, iv, 12, key_name, 4 + 12 + 2,
state, clear_len, state, &ciph_len, tag, 16 ) ) != 0 ) state, clear_len, state, &ciph_len, tag, 16 ) ) != 0 )
{ {
@ -320,6 +338,7 @@ int mbedtls_ssl_ticket_parse( void *p_ticket,
{ {
int ret; int ret;
mbedtls_ssl_ticket_context *ctx = p_ticket; mbedtls_ssl_ticket_context *ctx = p_ticket;
mbedtls_ssl_ticket_key *key = ctx->keys;
unsigned char *key_name = buf; unsigned char *key_name = buf;
unsigned char *iv = buf + 4; unsigned char *iv = buf + 4;
unsigned char *enc_len_p = iv + 12; unsigned char *enc_len_p = iv + 12;
@ -348,14 +367,14 @@ int mbedtls_ssl_ticket_parse( void *p_ticket,
} }
/* Check name (public data) */ /* Check name (public data) */
if( memcmp( key_name, ctx->key_name, 4 ) != 0 ) if( memcmp( key_name, key->name, 4 ) != 0 )
{ {
ret = MBEDTLS_ERR_SSL_INVALID_MAC; ret = MBEDTLS_ERR_SSL_INVALID_MAC;
goto cleanup; goto cleanup;
} }
/* Decrypt and authenticate */ /* Decrypt and authenticate */
if( ( ret = mbedtls_cipher_auth_decrypt( &ctx->cipher, iv, 12, if( ( ret = mbedtls_cipher_auth_decrypt( &key->ctx, iv, 12,
key_name, 4 + 12 + 2, ticket, enc_len, key_name, 4 + 12 + 2, ticket, enc_len,
ticket, &clear_len, tag, 16 ) ) != 0 ) ticket, &clear_len, tag, 16 ) ) != 0 )
{ {
@ -400,7 +419,8 @@ cleanup:
*/ */
void mbedtls_ssl_ticket_free( mbedtls_ssl_ticket_context *ctx ) void mbedtls_ssl_ticket_free( mbedtls_ssl_ticket_context *ctx )
{ {
mbedtls_cipher_free( &ctx->cipher ); mbedtls_cipher_free( &ctx->keys[0].ctx );
mbedtls_cipher_free( &ctx->keys[1].ctx );
#if defined(MBEDTLS_THREADING_C) #if defined(MBEDTLS_THREADING_C)
mbedtls_mutex_free( &ctx->mutex ); mbedtls_mutex_free( &ctx->mutex );