tls_session_ticket-srv.c 8.24 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39
/*  Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */

#include <assert.h>
#include <inttypes.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <sys/time.h>

#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
#include <uv.h>

#include "lib/utils.h"

/* Style: "local/static" identifiers are usually named tst_* */

/** The number of seconds between synchronized rotation of TLS session ticket key. */
#define TST_KEY_LIFETIME 4096

/** Value from gnutls:lib/ext/session_ticket.c
 * Beware: changing this needs to change the hashing implementation. */
#define SESSION_KEY_SIZE 64

/** Compile-time support for setting the secret. */
40 41
/* This is not secure with TLS <= 1.2 but TLS 1.3 and secure configuration
 * is not available in GnuTLS yet. See https://gitlab.com/gnutls/gnutls/issues/477
42
#ifndef TLS_SESSION_RESUMPTION_SYNC
43
	#define TLS_SESSION_RESUMPTION_SYNC (GNUTLS_VERSION_NUMBER >= 0x030603)
44
#endif
45
*/
46 47 48 49 50 51 52

#if GNUTLS_VERSION_NUMBER < 0x030400
	/* It's of little use anyway.  We may get the secret through lua,
	 * which creates a copy outside of our control. */
	#define gnutls_memset memset
#endif

53
#ifdef GNUTLS_DIG_SHA3_512
54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103
	#define TST_HASH GNUTLS_DIG_SHA3_512
#else
	#define TST_HASH abort()
#endif

/** Fields are internal to tst_key_* functions. */
typedef struct tls_session_ticket_ctx {
	uv_timer_t timer;	/**< timer for rotation of the key */
	unsigned char key[SESSION_KEY_SIZE]; /**< the key itself */
	bool has_secret;	/**< false -> key is random for each epoch */
	uint16_t hash_len;	/**< length of `hash_data` */
	char hash_data[];	/**< data to hash to obtain `key`;
				 *   it's `time_t epoch` and then the secret string */
} tst_ctx_t;

/** Check invariants, based on gnutls version. */
static bool tst_key_invariants(void)
{
	static int result = 0; /*< cache for multiple invocations */
	if (result) return result > 0;
	bool ok = true;
	#if TLS_SESSION_RESUMPTION_SYNC
		/* SHA3-512 output size may never change, but let's check it anyway :-) */
		ok = ok && gnutls_hash_get_len(TST_HASH) == SESSION_KEY_SIZE;
	#endif
	/* The ticket key size might change in a different gnutls version. */
	gnutls_datum_t key = { 0, 0 };
	ok = ok && gnutls_session_ticket_key_generate(&key) == 0
		&& key.size == SESSION_KEY_SIZE;
	free(key.data);
	result = ok ? 1 : -1;
	return ok;
}

/** Create the internal structures and copy the secret. Beware: secret must be kept secure. */
static tst_ctx_t * tst_key_create(const char *secret, size_t secret_len, uv_loop_t *loop)
{
	const size_t hash_len = sizeof(time_t) + secret_len;
	if (secret_len &&
	    (!secret || hash_len > UINT16_MAX || hash_len < secret_len)) {
		assert(!EINVAL);
		return NULL;
		/* reasonable secret_len is best enforced in config API */
	}
	if (!tst_key_invariants()) {
		assert(!EFAULT);
		return NULL;
	}
	#if !TLS_SESSION_RESUMPTION_SYNC
		if (secret_len) {
104
			kr_log_error("[tls] session ticket: secrets were not enabled at compile-time (your GnuTLS version is not supported)\n");
105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147
			return NULL; /* ENOTSUP */
		}
	#endif

	tst_ctx_t *ctx = malloc(sizeof(*ctx) + hash_len); /* can be slightly longer */
	if (!ctx) return NULL;
	ctx->has_secret = secret_len > 0;
	ctx->hash_len = hash_len;
	if (secret_len) {
		memcpy(ctx->hash_data + sizeof(time_t), secret, secret_len);
	}

	if (uv_timer_init(loop, &ctx->timer) != 0) {
		free(ctx);
		return NULL;
	}
	ctx->timer.data = ctx;
	return ctx;
}

/** Random variant of secret rotation: generate into key_tmp and copy. */
static int tst_key_get_random(tst_ctx_t *ctx)
{
	gnutls_datum_t key_tmp = { NULL, 0 };
	int err = gnutls_session_ticket_key_generate(&key_tmp);
	if (err) return kr_error(err);
	if (key_tmp.size != SESSION_KEY_SIZE) {
		assert(!EFAULT);
		return kr_error(EFAULT);
	}
	memcpy(ctx->key, key_tmp.data, SESSION_KEY_SIZE);
	gnutls_memset(key_tmp.data, 0, SESSION_KEY_SIZE);
	free(key_tmp.data);
	return kr_ok();
}

/** Recompute the session ticket key, if epoch has changed or forced. */
static int tst_key_update(tst_ctx_t *ctx, time_t epoch, bool force_update)
{
	if (!ctx || ctx->hash_len < sizeof(epoch)) {
		assert(!EINVAL);
		return kr_error(EINVAL);
	}
148 149
	/* documented limitation: time_t and endianess must match
	 * on instances sharing a secret */
150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209
	if (!force_update && memcmp(ctx->hash_data, &epoch, sizeof(epoch)) == 0) {
		return kr_ok(); /* we are up to date */
	}
	memcpy(ctx->hash_data, &epoch, sizeof(epoch));

	if (!ctx->has_secret) {
		return tst_key_get_random(ctx);
	}
	/* Otherwise, deterministic variant of secret rotation, if supported. */
	#if !TLS_SESSION_RESUMPTION_SYNC
		assert(false);
		return kr_error(ENOTSUP);
	#else
		int err = gnutls_hash_fast(TST_HASH, ctx->hash_data,
					   ctx->hash_len, ctx->key);
		return err == 0 ? kr_ok() : kr_error(err);
	#endif
}

/** Free all resources of the key (securely). */
static void tst_key_destroy(uv_handle_t *timer)
{
	assert(timer);
	tst_ctx_t *ctx = timer->data;
	assert(ctx);
	gnutls_memset(ctx, 0, offsetof(tst_ctx_t, hash_data) + ctx->hash_len);
	free(ctx);
}

static void tst_key_check(uv_timer_t *timer, bool force_update);
static void tst_timer_callback(uv_timer_t *timer)
{
	tst_key_check(timer, false);
}

/** Update the ST key if needed and reschedule itself via the timer. */
static void tst_key_check(uv_timer_t *timer, bool force_update)
{
	tst_ctx_t *stst = (tst_ctx_t *)timer->data;
	/* Compute the current epoch. */
	struct timeval now;
	if (gettimeofday(&now, NULL)) {
		kr_log_error("[tls] session ticket: gettimeofday failed, %s\n",
				strerror(errno));
		return;
	}
	uv_update_time(timer->loop); /* to have sync. between real and mono time */
	const time_t epoch = now.tv_sec / TST_KEY_LIFETIME;
	/* Update the key; new sessions will fetch it from the location.
	 * Old ones hopefully can't get broken by that; documentation
	 * for gnutls_session_ticket_enable_server() doesn't say. */
	int err = tst_key_update(stst, epoch, force_update);
	if (err) {
		assert(err != kr_error(EINVAL));
		kr_log_error("[tls] session ticket: failed rotation, err = %d\n", err);
	}
	/* Reschedule. */
	const time_t tv_sec_next = (epoch + 1) * TST_KEY_LIFETIME;
	const uint64_t ms_until_second = 1000 - (now.tv_usec + 501) / 1000;
	const uint64_t remain_ms = (tv_sec_next - now.tv_sec - 1) * (uint64_t)1000
210 211
				 + ms_until_second + 1;
	/* ^ +1 because we don't want to wake up half a millisecond before the epoch! */
212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243
	assert(remain_ms < (TST_KEY_LIFETIME + 1 /*rounding tolerance*/) * 1000);
	kr_log_verbose("[tls] session ticket: epoch %"PRIu64
			", scheduling rotation check in %"PRIu64" ms\n",
			(uint64_t)epoch, remain_ms);
	err = uv_timer_start(timer, &tst_timer_callback, remain_ms, 0);
	if (err) {
		assert(false);
		kr_log_error("[tls] session ticket: failed to schedule, err = %d\n", err);
	}
}

/* Implementation for prototypes from ./tls.h */

void tls_session_ticket_enable(struct tls_session_ticket_ctx *ctx, gnutls_session_t session)
{
	assert(ctx && session);
	const gnutls_datum_t gd = {
		.size = SESSION_KEY_SIZE,
		.data = ctx->key,
	};
	int err = gnutls_session_ticket_enable_server(session, &gd);
	if (err) {
		kr_log_error("[tls] failed to enable session tickets: %s (%d)\n",
				gnutls_strerror_name(err), err);
		/* but continue without tickets */
	}
}

tst_ctx_t * tls_session_ticket_ctx_create(uv_loop_t *loop, const char *secret,
					  size_t secret_len)
{
	assert(loop && (!secret_len || secret));
244 245 246 247
	#if GNUTLS_VERSION_NUMBER < 0x030500
		/* We would need different SESSION_KEY_SIZE; avoid assert. */
		return NULL;
	#endif
248 249 250 251 252 253 254 255 256 257 258 259 260 261 262
	tst_ctx_t *ctx = tst_key_create(secret, secret_len, loop);
	if (ctx) {
		tst_key_check(&ctx->timer, true);
	}
	return ctx;
}

void tls_session_ticket_ctx_destroy(tst_ctx_t *ctx)
{
	if (ctx == NULL) {
		return;
	}
	uv_close((uv_handle_t *)&ctx->timer, &tst_key_destroy);
}