1 /**
2  * \file ssl_ticket.h
3  *
4  * \brief TLS server ticket callbacks implementation
5  */
6 /*
7  *  Copyright The Mbed TLS Contributors
8  *  SPDX-License-Identifier: Apache-2.0
9  *
10  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
11  *  not use this file except in compliance with the License.
12  *  You may obtain a copy of the License at
13  *
14  *  http://www.apache.org/licenses/LICENSE-2.0
15  *
16  *  Unless required by applicable law or agreed to in writing, software
17  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
18  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19  *  See the License for the specific language governing permissions and
20  *  limitations under the License.
21  */
22 #ifndef MBEDTLS_SSL_TICKET_H
23 #define MBEDTLS_SSL_TICKET_H
24 #include "mbedtls/private_access.h"
25 
26 #include "mbedtls/build_info.h"
27 
28 /*
29  * This implementation of the session ticket callbacks includes key
30  * management, rotating the keys periodically in order to preserve forward
31  * secrecy, when MBEDTLS_HAVE_TIME is defined.
32  */
33 
34 #include "mbedtls/ssl.h"
35 #include "mbedtls/cipher.h"
36 
37 #if defined(MBEDTLS_HAVE_TIME)
38 #include "mbedtls/platform_time.h"
39 #endif
40 
41 #if defined(MBEDTLS_USE_PSA_CRYPTO)
42 #include "psa/crypto.h"
43 #endif
44 
45 #if defined(MBEDTLS_THREADING_C)
46 #include "mbedtls/threading.h"
47 #endif
48 
49 #ifdef __cplusplus
50 extern "C" {
51 #endif
52 
53 #define MBEDTLS_SSL_TICKET_MAX_KEY_BYTES 32          /*!< Max supported key length in bytes */
54 #define MBEDTLS_SSL_TICKET_KEY_NAME_BYTES 4          /*!< key name length in bytes */
55 
56 /**
57  * \brief   Information for session ticket protection
58  */
59 typedef struct mbedtls_ssl_ticket_key
60 {
61     unsigned char MBEDTLS_PRIVATE(name)[MBEDTLS_SSL_TICKET_KEY_NAME_BYTES];
62                                                      /*!< random key identifier              */
63 #if defined(MBEDTLS_HAVE_TIME)
64     mbedtls_time_t MBEDTLS_PRIVATE(generation_time); /*!< key generation timestamp (seconds) */
65 #endif
66 #if !defined(MBEDTLS_USE_PSA_CRYPTO)
67     mbedtls_cipher_context_t MBEDTLS_PRIVATE(ctx);   /*!< context for auth enc/decryption    */
68 #else
69     mbedtls_svc_key_id_t MBEDTLS_PRIVATE(key);       /*!< key used for auth enc/decryption   */
70     psa_algorithm_t MBEDTLS_PRIVATE(alg);            /*!< algorithm of auth enc/decryption   */
71     psa_key_type_t MBEDTLS_PRIVATE(key_type);        /*!< key type                           */
72     size_t MBEDTLS_PRIVATE(key_bits);                /*!< key length in bits                 */
73 #endif
74 }
75 mbedtls_ssl_ticket_key;
76 
77 /**
78  * \brief   Context for session ticket handling functions
79  */
80 typedef struct mbedtls_ssl_ticket_context
81 {
82     mbedtls_ssl_ticket_key MBEDTLS_PRIVATE(keys)[2]; /*!< ticket protection keys             */
83     unsigned char MBEDTLS_PRIVATE(active);           /*!< index of the currently active key  */
84 
85     uint32_t MBEDTLS_PRIVATE(ticket_lifetime);       /*!< lifetime of tickets in seconds     */
86 
87     /** Callback for getting (pseudo-)random numbers                        */
88     int  (*MBEDTLS_PRIVATE(f_rng))(void *, unsigned char *, size_t);
89     void *MBEDTLS_PRIVATE(p_rng);                    /*!< context for the RNG function       */
90 
91 #if defined(MBEDTLS_THREADING_C)
92     mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex);
93 #endif
94 }
95 mbedtls_ssl_ticket_context;
96 
97 /**
98  * \brief           Initialize a ticket context.
99  *                  (Just make it ready for mbedtls_ssl_ticket_setup()
100  *                  or mbedtls_ssl_ticket_free().)
101  *
102  * \param ctx       Context to be initialized
103  */
104 void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx );
105 
106 /**
107  * \brief           Prepare context to be actually used
108  *
109  * \param ctx       Context to be set up
110  * \param f_rng     RNG callback function (mandatory)
111  * \param p_rng     RNG callback context
112  * \param cipher    AEAD cipher to use for ticket protection.
113  *                  Recommended value: MBEDTLS_CIPHER_AES_256_GCM.
114  * \param lifetime  Tickets lifetime in seconds
115  *                  Recommended value: 86400 (one day).
116  *
117  * \note            It is highly recommended to select a cipher that is at
118  *                  least as strong as the strongest ciphersuite
119  *                  supported. Usually that means a 256-bit key.
120  *
121  * \note            The lifetime of the keys is twice the lifetime of tickets.
122  *                  It is recommended to pick a reasonable lifetime so as not
123  *                  to negate the benefits of forward secrecy.
124  *
125  * \return          0 if successful,
126  *                  or a specific MBEDTLS_ERR_XXX error code
127  */
128 int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
129     int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
130     mbedtls_cipher_type_t cipher,
131     uint32_t lifetime );
132 
133 /**
134  * \brief           Rotate session ticket encryption key to new specified key.
135  *                  Provides for external control of session ticket encryption
136  *                  key rotation, e.g. for synchronization between different
137  *                  machines.  If this function is not used, or if not called
138  *                  before ticket lifetime expires, then a new session ticket
139  *                  encryption key is generated internally in order to avoid
140  *                  unbounded session ticket encryption key lifetimes.
141  *
142  * \param ctx       Context to be set up
143  * \param name      Session ticket encryption key name
144  * \param nlength   Session ticket encryption key name length in bytes
145  * \param k         Session ticket encryption key
146  * \param klength   Session ticket encryption key length in bytes
147  * \param lifetime  Tickets lifetime in seconds
148  *                  Recommended value: 86400 (one day).
149  *
150  * \note            \c name and \c k are recommended to be cryptographically
151  *                  random data.
152  *
153  * \note            \c nlength must match sizeof( ctx->name )
154  *
155  * \note            \c klength must be sufficient for use by cipher specified
156  *                  to \c mbedtls_ssl_ticket_setup
157  *
158  * \note            The lifetime of the keys is twice the lifetime of tickets.
159  *                  It is recommended to pick a reasonable lifetime so as not
160  *                  to negate the benefits of forward secrecy.
161  *
162  * \return          0 if successful,
163  *                  or a specific MBEDTLS_ERR_XXX error code
164  */
165 int mbedtls_ssl_ticket_rotate( mbedtls_ssl_ticket_context *ctx,
166     const unsigned char *name, size_t nlength,
167     const unsigned char *k, size_t klength,
168     uint32_t lifetime );
169 
170 /**
171  * \brief           Implementation of the ticket write callback
172  *
173  * \note            See \c mbedtls_ssl_ticket_write_t for description
174  */
175 mbedtls_ssl_ticket_write_t mbedtls_ssl_ticket_write;
176 
177 /**
178  * \brief           Implementation of the ticket parse callback
179  *
180  * \note            See \c mbedtls_ssl_ticket_parse_t for description
181  */
182 mbedtls_ssl_ticket_parse_t mbedtls_ssl_ticket_parse;
183 
184 /**
185  * \brief           Free a context's content and zeroize it.
186  *
187  * \param ctx       Context to be cleaned up
188  */
189 void mbedtls_ssl_ticket_free( mbedtls_ssl_ticket_context *ctx );
190 
191 #ifdef __cplusplus
192 }
193 #endif
194 
195 #endif /* ssl_ticket.h */
196