From d59675d92c74d99a36d6f35d34b9f2e1bd189931 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 19 May 2015 15:28:00 +0200 Subject: [PATCH] Move to callback for session tickets --- include/mbedtls/ssl.h | 109 +++++++++++++++++++++++++---------- include/mbedtls/ssl_ticket.h | 74 ++++++++++++++++++++---- library/ssl_srv.c | 20 +++++-- library/ssl_ticket.c | 68 +++++++++++++++++++++- library/ssl_tls.c | 82 +++----------------------- programs/ssl/ssl_server2.c | 36 +++++++++--- 6 files changed, 257 insertions(+), 132 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 3f3a36900..17bdede12 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -563,9 +563,6 @@ typedef struct mbedtls_ssl_session mbedtls_ssl_session; typedef struct mbedtls_ssl_context mbedtls_ssl_context; typedef struct mbedtls_ssl_transform mbedtls_ssl_transform; typedef struct mbedtls_ssl_handshake_params mbedtls_ssl_handshake_params; -#if defined(MBEDTLS_SSL_SESSION_TICKETS) -typedef struct mbedtls_ssl_ticket_keys mbedtls_ssl_ticket_keys; -#endif #if defined(MBEDTLS_X509_CRT_PARSE_C) typedef struct mbedtls_ssl_key_cert mbedtls_ssl_key_cert; #endif @@ -750,20 +747,6 @@ struct mbedtls_ssl_handshake_params #endif }; -#if defined(MBEDTLS_SSL_SESSION_TICKETS) -/* - * Parameters needed to secure session tickets - */ -struct mbedtls_ssl_ticket_keys -{ - unsigned char key_name[16]; /*!< name to quickly discard bad tickets */ - mbedtls_aes_context enc; /*!< encryption context */ - mbedtls_aes_context dec; /*!< decryption context */ - unsigned char mac_key[16]; /*!< authentication key */ - uint32_t ticket_lifetime; -}; -#endif /* MBEDTLS_SSL_SESSION_TICKETS */ - #if defined(MBEDTLS_X509_CRT_PARSE_C) /* * List of certificate + private key pairs @@ -844,6 +827,15 @@ typedef struct void *p_cookie; /*!< context for the cookie callbacks */ #endif +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + /** Callback to create & write a session ticket */ + int (*f_ticket_write)( void *, const mbedtls_ssl_session *, + unsigned char *, const unsigned char *, size_t *, uint32_t * ); + /** Callback to parse a session ticket into a session structure */ + int (*f_ticket_parse)( void *, mbedtls_ssl_session *, unsigned char *, size_t); + void *p_ticket; /*!< context for the ticket callbacks */ +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ + #if defined(MBEDTLS_X509_CRT_PARSE_C) mbedtls_ssl_key_cert *key_cert; /*!< own certificate/key pair(s) */ mbedtls_x509_crt *ca_chain; /*!< trusted CAs */ @@ -870,10 +862,6 @@ typedef struct const char **alpn_list; /*!< ordered list of protocols */ #endif -#if defined(MBEDTLS_SSL_SESSION_TICKETS) - mbedtls_ssl_ticket_keys *ticket_keys; /*!< keys for ticket encryption */ -#endif /* MBEDTLS_SSL_SESSION_TICKETS */ - /* * Numerical settings (int then char) */ @@ -1334,6 +1322,76 @@ void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl, void (*f_set_timer)(void *, uint32_t int_ms, uint32_t fin_ms), int (*f_get_timer)(void *) ); +#if defined(MBEDTLS_SSL_SESSION_TICKETS) +/** + * \brief Callback type: generate and write session ticket + * + * \note This describes what a callback implementation should do. + * This callback should generate and encrypted and + * authenticated ticket for the session and write it to the + * output buffer. Here, ticket means the opaque ticket part + * of the NewSessionTicket structure of RFC 5077. + * + * \param p_ticket Context for the callback + * \param session SSL session to bo written in the ticket + * \param start Start of the outpur buffer + * \param end End of the output buffer + * \param tlen On exit, holds the length written + * \param lifetime On exit, holds the lifetime of the ticket in seconds + * + * \return 0 if successful, or + * a specific MBEDTLS_ERR_XXX code. + */ +typedef int mbedtls_ssl_ticket_write_t( void *p_ticket, + const mbedtls_ssl_session *session, + unsigned char *start, + const unsigned char *end, + size_t *tlen, + uint32_t *lifetime ); + +/** + * \brief Callback type: parse and load session ticket + * + * \note This describes what a callback implementation should do. + * This callback should parse a session ticket as generated + * by the corresponding mbedtls_ssl_ticket_write_t function, + * and, if the ticket is authentic and valid, load the + * session. + * + * \note The implementation is allowed to modify the first len + * of the input buffer, eg to use it as a temporary area for + * the decrypted ticket contents. + * + * \param p_ticket Context for the callback + * \param session SSL session to be loaded + * \param buf Start of the buffer containing the ticket + * \param len Length of the ticket. + * + * \return 0 if successful, or + * MBEDTLS_ERR_SSL_INVALID_MAC if not authentic, or + * MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED if expired, or + * any other non-zero code for other failures. + */ +typedef int mbedtls_ssl_ticket_parse_t( void *p_ticket, + mbedtls_ssl_session *session, + unsigned char *buf, + size_t len ); + +/** + * \brief Configure SSL session ticket callbacks + * + * \param conf SSL configuration context + * \param f_ticket_write Callback for writing a ticket + * \param f_ticket_parse Callback for parsing a ticket + * \param p_ticket Context shared by the two callbacks + */ +void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf, + mbedtls_ssl_ticket_write_t *f_ticket_write, + mbedtls_ssl_ticket_parse_t *f_ticket_parse, + void *p_ticket ); + +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ + #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) /** * \brief Set client's transport-level identification info. @@ -2008,15 +2066,6 @@ void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split * or a specific error code (server only). */ int mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets ); - -/** - * \brief Set session ticket lifetime (server only) - * (Default: MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME (86400 secs / 1 day)) - * - * \param conf SSL configuration - * \param lifetime session ticket lifetime - */ -void mbedtls_ssl_conf_session_ticket_lifetime( mbedtls_ssl_config *conf, int lifetime ); #endif /* MBEDTLS_SSL_SESSION_TICKETS */ #if defined(MBEDTLS_SSL_RENEGOTIATION) diff --git a/include/mbedtls/ssl_ticket.h b/include/mbedtls/ssl_ticket.h index 0e6951362..1bbd646da 100644 --- a/include/mbedtls/ssl_ticket.h +++ b/include/mbedtls/ssl_ticket.h @@ -30,19 +30,69 @@ extern "C" { #endif -/* Temporary, WIP */ -int mbedtls_ssl_ticket_write( void *p_ticket, - const mbedtls_ssl_session *session, - unsigned char *start, - const unsigned char *end, - size_t *tlen, - uint32_t *ticket_lifetime ); -/* Temporary, WIP */ -int mbedtls_ssl_ticket_parse( void *p_ticket, - mbedtls_ssl_session *session, - unsigned char *buf, - size_t len ); +/** + * \brief Context for session ticket handling functions + */ +typedef struct +{ + unsigned char key_name[16]; /*!< name to quickly reject bad tickets */ + mbedtls_aes_context enc; /*!< encryption context */ + mbedtls_aes_context dec; /*!< decryption context */ + unsigned char mac_key[16]; /*!< authentication key */ + + uint32_t ticket_lifetime; /*!< lifetime of tickets in seconds */ + + /** Callback for getting (pseudo-)random numbers */ + int (*f_rng)(void *, unsigned char *, size_t); + void *p_rng; /*!< context for the RNG function */ +} +mbedtls_ssl_ticket_context; + +/** + * \brief Initialize a ticket context. + * (Just make it ready for mbedtls_ssl_ticket_setup() + * or mbedtls_ssl_ticket_free().) + * + * \param ctx Context to be initialized + */ +void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx ); + +/** + * \brief Prepare context to be actually used + * + * \param ctx Context to be set up + * \param f_rng RNG callback function + * \param p_rng RNG callback context + * \param lifetime Tickets lifetime in seconds + * + * \return 0 is successful, + * or a specific MBEDTLS_ERR_XXX error code + */ +int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx, + int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, + uint32_t lifetime ); + +/** + * \brief Implementation of the ticket write callback + * + * \note See \c mbedlts_ssl_ticket_write_t for description + */ +mbedtls_ssl_ticket_write_t mbedtls_ssl_ticket_write; + +/** + * \brief Implementation of the ticket parse callback + * + * \note See \c mbedlts_ssl_ticket_parse_t for description + */ +mbedtls_ssl_ticket_parse_t mbedtls_ssl_ticket_parse; + +/** + * \brief Free a context's content and zeroize it. + * + * \param ctx Context to be cleaned up + */ +void mbedtls_ssl_ticket_free( mbedtls_ssl_ticket_context *ctx ); #ifdef __cplusplus } diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 688248f95..06a6c0b48 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -413,8 +413,11 @@ static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, int ret; mbedtls_ssl_session session; - if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ) + if( ssl->conf->f_ticket_parse == NULL || + ssl->conf->f_ticket_write == NULL ) + { return( 0 ); + } /* Remember the client asked us to send a new ticket */ ssl->handshake->new_session_ticket = 1; @@ -435,11 +438,18 @@ static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, /* * Failures are ok: just ignore the ticket and proceed. */ - if( ( ret = mbedtls_ssl_ticket_parse( ssl->conf->ticket_keys, &session, - buf, len ) ) != 0 ) + if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, &session, + buf, len ) ) != 0 ) { mbedtls_ssl_session_free( &session ); - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret ); + + if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) + MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) ); + else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED ) + MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) ); + else + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret ); + return( 0 ); } @@ -3525,7 +3535,7 @@ static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl ) * 10 . 9+n ticket content */ - if( ( ret = mbedtls_ssl_ticket_write( ssl->conf->ticket_keys, + if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket, ssl->session_negotiate, ssl->out_msg + 10, ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN, diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c index 181f045da..c1881b721 100644 --- a/library/ssl_ticket.c +++ b/library/ssl_ticket.c @@ -39,6 +39,56 @@ #include +/* Implementation that should never be optimized out by the compiler */ +static void mbedtls_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + +/* + * Initialze context + */ +void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx ) +{ + memset( ctx, 0, sizeof( mbedtls_ssl_ticket_context ) ); +} + +/* + * Setup context for actual use + */ +int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx, + int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, + uint32_t lifetime ) +{ + int ret; + unsigned char buf[16]; + + ctx->f_rng = f_rng; + ctx->p_rng = p_rng; + + ctx->ticket_lifetime = lifetime; + + mbedtls_aes_init( &ctx->enc ); + mbedtls_aes_init( &ctx->dec ); + + if( ( ret = f_rng( p_rng, ctx->key_name, 16 ) != 0 ) || + ( ret = f_rng( p_rng, ctx->mac_key, 16 ) != 0 ) || + ( ret = f_rng( p_rng, buf, 16 ) != 0 ) ) + { + return( ret ); + } + + if( ( ret = mbedtls_aes_setkey_enc( &ctx->enc, buf, 128 ) ) != 0 || + ( ret = mbedtls_aes_setkey_dec( &ctx->dec, buf, 128 ) ) != 0 ) + { + mbedtls_ssl_ticket_free( ctx ); + return( ret ); + } + + mbedtls_zeroize( buf, sizeof( buf ) ); + + return( 0 ); +} + /* * Serialize a session in the following format: * 0 . n-1 session structure, n = sizeof(mbedtls_ssl_session) @@ -170,7 +220,7 @@ int mbedtls_ssl_ticket_write( void *p_ticket, uint32_t *ticket_lifetime ) { int ret; - mbedtls_ssl_ticket_keys *ctx = p_ticket; + mbedtls_ssl_ticket_context *ctx = p_ticket; unsigned char *p = start; unsigned char *state; unsigned char iv[16]; @@ -194,7 +244,8 @@ int mbedtls_ssl_ticket_write( void *p_ticket, p += 16; /* Generate and write IV (with a copy for aes_crypt) */ - memset( p, 0x2a, 16 ); /* Temporary WIP */ + if( ( ret = ctx->f_rng( ctx->p_rng, p, 16 ) ) != 0 ) + return( ret ); memcpy( iv, p, 16 ); p += 16; @@ -244,7 +295,7 @@ int mbedtls_ssl_ticket_parse( void *p_ticket, size_t len ) { int ret; - mbedtls_ssl_ticket_keys *ctx = p_ticket; + mbedtls_ssl_ticket_context *ctx = p_ticket; unsigned char *key_name = buf; unsigned char *iv = buf + 16; unsigned char *enc_len_p = iv + 16; @@ -317,4 +368,15 @@ int mbedtls_ssl_ticket_parse( void *p_ticket, return( 0 ); } +/* + * Free context + */ +void mbedtls_ssl_ticket_free( mbedtls_ssl_ticket_context *ctx ) +{ + mbedtls_aes_free( &ctx->enc ); + mbedtls_aes_free( &ctx->dec ); + + mbedtls_zeroize( ctx, sizeof( mbedtls_ssl_ticket_context ) ); +} + #endif /* MBEDTLS_SSL_TICKET_C */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 25a4debb7..82411005b 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5146,56 +5146,6 @@ int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl ) return( 0 ); } -#if defined(MBEDTLS_SSL_SESSION_TICKETS) -static void ssl_ticket_keys_free( mbedtls_ssl_ticket_keys *tkeys ) -{ - mbedtls_aes_free( &tkeys->enc ); - mbedtls_aes_free( &tkeys->dec ); - - mbedtls_zeroize( tkeys, sizeof(mbedtls_ssl_ticket_keys) ); -} - -/* - * Allocate and initialize ticket keys - */ -static int ssl_ticket_keys_init( mbedtls_ssl_config *conf ) -{ - int ret; - mbedtls_ssl_ticket_keys *tkeys; - unsigned char buf[16]; - - if( conf->ticket_keys != NULL ) - return( 0 ); - - tkeys = mbedtls_malloc( sizeof(mbedtls_ssl_ticket_keys) ); - if( tkeys == NULL ) - return( MBEDTLS_ERR_SSL_MALLOC_FAILED ); - - mbedtls_aes_init( &tkeys->enc ); - mbedtls_aes_init( &tkeys->dec ); - - /* Temporary WIP! Using hardcoded keys. This is to remove the dependency - * on the RNG and allow puttint the keys in conf. Key generation will soon - * be move outside the main SSL module anyway. */ - - memset( tkeys->key_name, 'x', 16 ); - memset( tkeys->mac_key, 0x2a, 16 ); - memset( buf, 0x2a, 16 ); - - if( ( ret = mbedtls_aes_setkey_enc( &tkeys->enc, buf, 128 ) ) != 0 || - ( ret = mbedtls_aes_setkey_dec( &tkeys->dec, buf, 128 ) ) != 0 ) - { - ssl_ticket_keys_free( tkeys ); - mbedtls_free( tkeys ); - return( ret ); - } - - conf->ticket_keys = tkeys; - - return( 0 ); -} -#endif /* MBEDTLS_SSL_SESSION_TICKETS */ - /* * SSL set accessors */ @@ -5691,20 +5641,17 @@ int mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets { conf->session_tickets = use_tickets; -#if defined(MBEDTLS_SSL_CLI_C) - if( conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) - return( 0 ); -#endif - - if( use_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ) - return( 0 ); - - return( ssl_ticket_keys_init( conf ) ); + return( 0 ); } -void mbedtls_ssl_conf_session_ticket_lifetime( mbedtls_ssl_config *conf, int lifetime ) +void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf, + mbedtls_ssl_ticket_write_t *f_ticket_write, + mbedtls_ssl_ticket_parse_t *f_ticket_parse, + void *p_ticket ) { - conf->ticket_keys->ticket_lifetime = lifetime; + conf->f_ticket_write = f_ticket_write; + conf->f_ticket_parse = f_ticket_parse; + conf->p_ticket = p_ticket; } #endif /* MBEDTLS_SSL_SESSION_TICKETS */ @@ -6699,11 +6646,6 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED; #endif -#if defined(MBEDTLS_SSL_SESSION_TICKETS) - ssl_ticket_keys_init( &conf ); - conf->ticket_keys->ticket_lifetime = MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME; -#endif - #if defined(MBEDTLS_SSL_SET_CURVES) conf->curve_list = mbedtls_ecp_grp_id_list( ); #endif @@ -6765,14 +6707,6 @@ void mbedtls_ssl_config_free( mbedtls_ssl_config *conf ) } #endif -#if defined(MBEDTLS_SSL_SESSION_TICKETS) - if( conf->ticket_keys ) - { - ssl_ticket_keys_free( conf->ticket_keys ); - mbedtls_free( conf->ticket_keys ); - } -#endif - #if defined(MBEDTLS_X509_CRT_PARSE_C) ssl_key_cert_free( conf->key_cert ); #endif diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index f0ef8511f..5f66d51a4 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -69,6 +69,10 @@ int main( void ) #include "mbedtls/ssl_cache.h" #endif +#if defined(MBEDTLS_SSL_TICKET_C) +#include "mbedtls/ssl_ticket.h" +#endif + #if defined(MBEDTLS_SSL_COOKIE_C) #include "mbedtls/ssl_cookie.h" #endif @@ -114,7 +118,7 @@ int main( void ) #define DFL_MFL_CODE MBEDTLS_SSL_MAX_FRAG_LEN_NONE #define DFL_TRUNC_HMAC -1 #define DFL_TICKETS MBEDTLS_SSL_SESSION_TICKETS_ENABLED -#define DFL_TICKET_TIMEOUT -1 +#define DFL_TICKET_TIMEOUT 86400 #define DFL_CACHE_MAX -1 #define DFL_CACHE_TIMEOUT -1 #define DFL_SNI NULL @@ -190,7 +194,7 @@ int main( void ) #if defined(MBEDTLS_SSL_SESSION_TICKETS) #define USAGE_TICKETS \ " tickets=%%d default: 1 (enabled)\n" \ - " ticket_timeout=%%d default: ticket default (1d)\n" + " ticket_timeout=%%d default: 86400 (one day)\n" #else #define USAGE_TICKETS "" #endif /* MBEDTLS_SSL_SESSION_TICKETS */ @@ -740,6 +744,9 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_CACHE_C) mbedtls_ssl_cache_context cache; #endif +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + mbedtls_ssl_ticket_context ticket_ctx; +#endif #if defined(SNI_OPTION) sni_entry *sni_info = NULL; #endif @@ -778,6 +785,9 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_CACHE_C) mbedtls_ssl_cache_init( &cache ); #endif +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + mbedtls_ssl_ticket_init( &ticket_ctx ); +#endif #if defined(MBEDTLS_SSL_ALPN) memset( (void *) alpn_list, 0, sizeof( alpn_list ) ); #endif @@ -1584,14 +1594,21 @@ int main( int argc, char *argv[] ) #endif #if defined(MBEDTLS_SSL_SESSION_TICKETS) - if( ( ret = mbedtls_ssl_conf_session_tickets( &conf, opt.tickets ) ) != 0 ) + if( opt.tickets == MBEDTLS_SSL_SESSION_TICKETS_ENABLED ) { - mbedtls_printf( " failed\n ! mbedtls_ssl_conf_session_tickets returned %d\n\n", ret ); - goto exit; - } + if( ( ret = mbedtls_ssl_ticket_setup( &ticket_ctx, + mbedtls_ctr_drbg_random, &ctr_drbg, + opt.ticket_timeout ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_ticket_setup returned %d\n\n", ret ); + goto exit; + } - if( opt.ticket_timeout != -1 ) - mbedtls_ssl_conf_session_ticket_lifetime( &conf, opt.ticket_timeout ); + mbedtls_ssl_conf_session_tickets_cb( &conf, + mbedtls_ssl_ticket_write, + mbedtls_ssl_ticket_parse, + &ticket_ctx ); + } #endif #if defined(MBEDTLS_SSL_PROTO_DTLS) @@ -2203,6 +2220,9 @@ exit: #if defined(MBEDTLS_SSL_CACHE_C) mbedtls_ssl_cache_free( &cache ); #endif +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + mbedtls_ssl_ticket_free( &ticket_ctx ); +#endif #if defined(MBEDTLS_SSL_COOKIE_C) mbedtls_ssl_cookie_free( &cookie_ctx ); #endif