ssl_cookie.c 7.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260
  1. /*
  2. * DTLS cookie callbacks implementation
  3. *
  4. * Copyright The Mbed TLS Contributors
  5. * SPDX-License-Identifier: Apache-2.0
  6. *
  7. * Licensed under the Apache License, Version 2.0 (the "License"); you may
  8. * not use this file except in compliance with the License.
  9. * You may obtain a copy of the License at
  10. *
  11. * http://www.apache.org/licenses/LICENSE-2.0
  12. *
  13. * Unless required by applicable law or agreed to in writing, software
  14. * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  15. * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  16. * See the License for the specific language governing permissions and
  17. * limitations under the License.
  18. */
  19. /*
  20. * These session callbacks use a simple chained list
  21. * to store and retrieve the session information.
  22. */
  23. #include "common.h"
  24. #if defined(MBEDTLS_SSL_COOKIE_C)
  25. #include "mbedtls/platform.h"
  26. #include "mbedtls/ssl_cookie.h"
  27. #include "mbedtls/ssl_internal.h"
  28. #include "mbedtls/error.h"
  29. #include "mbedtls/platform_util.h"
  30. #include "mbedtls/constant_time.h"
  31. #include <string.h>
  32. /*
  33. * If DTLS is in use, then at least one of SHA-1, SHA-256, SHA-512 is
  34. * available. Try SHA-256 first, 512 wastes resources since we need to stay
  35. * with max 32 bytes of cookie for DTLS 1.0
  36. */
  37. #if defined(MBEDTLS_SHA256_C)
  38. #define COOKIE_MD MBEDTLS_MD_SHA224
  39. #define COOKIE_MD_OUTLEN 32
  40. #define COOKIE_HMAC_LEN 28
  41. #elif defined(MBEDTLS_SHA512_C)
  42. #define COOKIE_MD MBEDTLS_MD_SHA384
  43. #define COOKIE_MD_OUTLEN 48
  44. #define COOKIE_HMAC_LEN 28
  45. #elif defined(MBEDTLS_SHA1_C)
  46. #define COOKIE_MD MBEDTLS_MD_SHA1
  47. #define COOKIE_MD_OUTLEN 20
  48. #define COOKIE_HMAC_LEN 20
  49. #else
  50. #error "DTLS hello verify needs SHA-1 or SHA-2"
  51. #endif
  52. /*
  53. * Cookies are formed of a 4-bytes timestamp (or serial number) and
  54. * an HMAC of timestamp and client ID.
  55. */
  56. #define COOKIE_LEN (4 + COOKIE_HMAC_LEN)
  57. void mbedtls_ssl_cookie_init(mbedtls_ssl_cookie_ctx *ctx)
  58. {
  59. mbedtls_md_init(&ctx->hmac_ctx);
  60. #if !defined(MBEDTLS_HAVE_TIME)
  61. ctx->serial = 0;
  62. #endif
  63. ctx->timeout = MBEDTLS_SSL_COOKIE_TIMEOUT;
  64. #if defined(MBEDTLS_THREADING_C)
  65. mbedtls_mutex_init(&ctx->mutex);
  66. #endif
  67. }
  68. void mbedtls_ssl_cookie_set_timeout(mbedtls_ssl_cookie_ctx *ctx, unsigned long delay)
  69. {
  70. ctx->timeout = delay;
  71. }
  72. void mbedtls_ssl_cookie_free(mbedtls_ssl_cookie_ctx *ctx)
  73. {
  74. mbedtls_md_free(&ctx->hmac_ctx);
  75. #if defined(MBEDTLS_THREADING_C)
  76. mbedtls_mutex_free(&ctx->mutex);
  77. #endif
  78. mbedtls_platform_zeroize(ctx, sizeof(mbedtls_ssl_cookie_ctx));
  79. }
  80. int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx,
  81. int (*f_rng)(void *, unsigned char *, size_t),
  82. void *p_rng)
  83. {
  84. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  85. unsigned char key[COOKIE_MD_OUTLEN];
  86. if ((ret = f_rng(p_rng, key, sizeof(key))) != 0) {
  87. return ret;
  88. }
  89. ret = mbedtls_md_setup(&ctx->hmac_ctx, mbedtls_md_info_from_type(COOKIE_MD), 1);
  90. if (ret != 0) {
  91. return ret;
  92. }
  93. ret = mbedtls_md_hmac_starts(&ctx->hmac_ctx, key, sizeof(key));
  94. if (ret != 0) {
  95. return ret;
  96. }
  97. mbedtls_platform_zeroize(key, sizeof(key));
  98. return 0;
  99. }
  100. /*
  101. * Generate the HMAC part of a cookie
  102. */
  103. MBEDTLS_CHECK_RETURN_CRITICAL
  104. static int ssl_cookie_hmac(mbedtls_md_context_t *hmac_ctx,
  105. const unsigned char time[4],
  106. unsigned char **p, unsigned char *end,
  107. const unsigned char *cli_id, size_t cli_id_len)
  108. {
  109. unsigned char hmac_out[COOKIE_MD_OUTLEN];
  110. MBEDTLS_SSL_CHK_BUF_PTR(*p, end, COOKIE_HMAC_LEN);
  111. if (mbedtls_md_hmac_reset(hmac_ctx) != 0 ||
  112. mbedtls_md_hmac_update(hmac_ctx, time, 4) != 0 ||
  113. mbedtls_md_hmac_update(hmac_ctx, cli_id, cli_id_len) != 0 ||
  114. mbedtls_md_hmac_finish(hmac_ctx, hmac_out) != 0) {
  115. return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
  116. }
  117. memcpy(*p, hmac_out, COOKIE_HMAC_LEN);
  118. *p += COOKIE_HMAC_LEN;
  119. return 0;
  120. }
  121. /*
  122. * Generate cookie for DTLS ClientHello verification
  123. */
  124. int mbedtls_ssl_cookie_write(void *p_ctx,
  125. unsigned char **p, unsigned char *end,
  126. const unsigned char *cli_id, size_t cli_id_len)
  127. {
  128. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  129. mbedtls_ssl_cookie_ctx *ctx = (mbedtls_ssl_cookie_ctx *) p_ctx;
  130. unsigned long t;
  131. if (ctx == NULL || cli_id == NULL) {
  132. return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
  133. }
  134. MBEDTLS_SSL_CHK_BUF_PTR(*p, end, COOKIE_LEN);
  135. #if defined(MBEDTLS_HAVE_TIME)
  136. t = (unsigned long) mbedtls_time(NULL);
  137. #else
  138. t = ctx->serial++;
  139. #endif
  140. MBEDTLS_PUT_UINT32_BE(t, *p, 0);
  141. *p += 4;
  142. #if defined(MBEDTLS_THREADING_C)
  143. if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
  144. return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_SSL_INTERNAL_ERROR, ret);
  145. }
  146. #endif
  147. ret = ssl_cookie_hmac(&ctx->hmac_ctx, *p - 4,
  148. p, end, cli_id, cli_id_len);
  149. #if defined(MBEDTLS_THREADING_C)
  150. if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
  151. return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_SSL_INTERNAL_ERROR,
  152. MBEDTLS_ERR_THREADING_MUTEX_ERROR);
  153. }
  154. #endif
  155. return ret;
  156. }
  157. /*
  158. * Check a cookie
  159. */
  160. int mbedtls_ssl_cookie_check(void *p_ctx,
  161. const unsigned char *cookie, size_t cookie_len,
  162. const unsigned char *cli_id, size_t cli_id_len)
  163. {
  164. unsigned char ref_hmac[COOKIE_HMAC_LEN];
  165. int ret = 0;
  166. unsigned char *p = ref_hmac;
  167. mbedtls_ssl_cookie_ctx *ctx = (mbedtls_ssl_cookie_ctx *) p_ctx;
  168. unsigned long cur_time, cookie_time;
  169. if (ctx == NULL || cli_id == NULL) {
  170. return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
  171. }
  172. if (cookie_len != COOKIE_LEN) {
  173. return -1;
  174. }
  175. #if defined(MBEDTLS_THREADING_C)
  176. if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
  177. return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_SSL_INTERNAL_ERROR, ret);
  178. }
  179. #endif
  180. if (ssl_cookie_hmac(&ctx->hmac_ctx, cookie,
  181. &p, p + sizeof(ref_hmac),
  182. cli_id, cli_id_len) != 0) {
  183. ret = -1;
  184. }
  185. #if defined(MBEDTLS_THREADING_C)
  186. if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
  187. ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_SSL_INTERNAL_ERROR,
  188. MBEDTLS_ERR_THREADING_MUTEX_ERROR);
  189. }
  190. #endif
  191. if (ret != 0) {
  192. goto exit;
  193. }
  194. if (mbedtls_ct_memcmp(cookie + 4, ref_hmac, sizeof(ref_hmac)) != 0) {
  195. ret = -1;
  196. goto exit;
  197. }
  198. #if defined(MBEDTLS_HAVE_TIME)
  199. cur_time = (unsigned long) mbedtls_time(NULL);
  200. #else
  201. cur_time = ctx->serial;
  202. #endif
  203. cookie_time = ((unsigned long) cookie[0] << 24) |
  204. ((unsigned long) cookie[1] << 16) |
  205. ((unsigned long) cookie[2] << 8) |
  206. ((unsigned long) cookie[3]);
  207. if (ctx->timeout != 0 && cur_time - cookie_time > ctx->timeout) {
  208. ret = -1;
  209. goto exit;
  210. }
  211. exit:
  212. mbedtls_platform_zeroize(ref_hmac, sizeof(ref_hmac));
  213. return ret;
  214. }
  215. #endif /* MBEDTLS_SSL_COOKIE_C */