xref: /dragonfly/crypto/libressl/ssl/tls13_lib.c (revision f015dc58) 
1 /*	$OpenBSD: tls13_lib.c,v 1.36.4.1 2020/08/10 18:59:47 tb Exp $ */
2 /*
3  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4  * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
5  *
6  * Permission to use, copy, modify, and distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 #include <stddef.h>
20 
21 #include <openssl/evp.h>
22 
23 #include "ssl_locl.h"
24 #include "tls13_internal.h"
25 
26 /*
27  * Downgrade sentinels - RFC 8446 section 4.1.3, magic values which must be set
28  * by the server in server random if it is willing to downgrade but supports
29  * TLSv1.3
30  */
31 const uint8_t tls13_downgrade_12[8] = {
32 	0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01,
33 };
34 const uint8_t tls13_downgrade_11[8] = {
35 	0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00,
36 };
37 
38 /*
39  * HelloRetryRequest hash - RFC 8446 section 4.1.3.
40  */
41 const uint8_t tls13_hello_retry_request_hash[32] = {
42 	0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11,
43 	0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
44 	0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
45 	0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c,
46 };
47 
48 /*
49  * Certificate Verify padding - RFC 8446 section 4.4.3.
50  */
51 const uint8_t tls13_cert_verify_pad[64] = {
52 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
53 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
54 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
55 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
56 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
57 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
58 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
59 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
60 };
61 
62 const uint8_t tls13_cert_client_verify_context[] =
63     "TLS 1.3, client CertificateVerify";
64 const uint8_t tls13_cert_server_verify_context[] =
65     "TLS 1.3, server CertificateVerify";
66 
67 const EVP_AEAD *
68 tls13_cipher_aead(const SSL_CIPHER *cipher)
69 {
70 	if (cipher == NULL)
71 		return NULL;
72 	if (cipher->algorithm_ssl != SSL_TLSV1_3)
73 		return NULL;
74 
75 	switch (cipher->algorithm_enc) {
76 	case SSL_AES128GCM:
77 		return EVP_aead_aes_128_gcm();
78 	case SSL_AES256GCM:
79 		return EVP_aead_aes_256_gcm();
80 	case SSL_CHACHA20POLY1305:
81 		return EVP_aead_chacha20_poly1305();
82 	}
83 
84 	return NULL;
85 }
86 
87 const EVP_MD *
88 tls13_cipher_hash(const SSL_CIPHER *cipher)
89 {
90 	if (cipher == NULL)
91 		return NULL;
92 	if (cipher->algorithm_ssl != SSL_TLSV1_3)
93 		return NULL;
94 
95 	switch (cipher->algorithm2) {
96 	case SSL_HANDSHAKE_MAC_SHA256:
97 		return EVP_sha256();
98 	case SSL_HANDSHAKE_MAC_SHA384:
99 		return EVP_sha384();
100 	}
101 
102 	return NULL;
103 }
104 
105 static void
106 tls13_alert_received_cb(uint8_t alert_desc, void *arg)
107 {
108 	struct tls13_ctx *ctx = arg;
109 	SSL *s = ctx->ssl;
110 
111 	if (alert_desc == SSL_AD_CLOSE_NOTIFY) {
112 		ctx->close_notify_recv = 1;
113 		ctx->ssl->internal->shutdown |= SSL_RECEIVED_SHUTDOWN;
114 		S3I(ctx->ssl)->warn_alert = alert_desc;
115 		return;
116 	}
117 
118 	if (alert_desc == SSL_AD_USER_CANCELLED) {
119 		/*
120 		 * We treat this as advisory, since a close_notify alert
121 		 * SHOULD follow this alert (RFC 8446 section 6.1).
122 		 */
123 		return;
124 	}
125 
126 	/* All other alerts are treated as fatal in TLSv1.3. */
127 	S3I(ctx->ssl)->fatal_alert = alert_desc;
128 
129 	SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
130 	ERR_asprintf_error_data("SSL alert number %d", alert_desc);
131 
132 	SSL_CTX_remove_session(s->ctx, s->session);
133 }
134 
135 static void
136 tls13_legacy_handshake_message_recv_cb(void *arg)
137 {
138 	struct tls13_ctx *ctx = arg;
139 	SSL *s = ctx->ssl;
140 	CBS cbs;
141 
142 	if (s->internal->msg_callback == NULL)
143 		return;
144 
145 	tls13_handshake_msg_data(ctx->hs_msg, &cbs);
146 	s->internal->msg_callback(0, TLS1_3_VERSION, SSL3_RT_HANDSHAKE,
147 	    CBS_data(&cbs), CBS_len(&cbs), s, s->internal->msg_callback_arg);
148 }
149 
150 static void
151 tls13_legacy_handshake_message_sent_cb(void *arg)
152 {
153 	struct tls13_ctx *ctx = arg;
154 	SSL *s = ctx->ssl;
155 	CBS cbs;
156 
157 	if (s->internal->msg_callback == NULL)
158 		return;
159 
160 	tls13_handshake_msg_data(ctx->hs_msg, &cbs);
161 	s->internal->msg_callback(1, TLS1_3_VERSION, SSL3_RT_HANDSHAKE,
162 	    CBS_data(&cbs), CBS_len(&cbs), s, s->internal->msg_callback_arg);
163 }
164 
165 static int
166 tls13_phh_update_local_traffic_secret(struct tls13_ctx *ctx)
167 {
168 	struct tls13_secrets *secrets = ctx->hs->secrets;
169 
170 	if (ctx->mode == TLS13_HS_CLIENT)
171 		return (tls13_update_client_traffic_secret(secrets) &&
172 		    tls13_record_layer_set_write_traffic_key(ctx->rl,
173 			&secrets->client_application_traffic));
174 	return (tls13_update_server_traffic_secret(secrets) &&
175 	    tls13_record_layer_set_read_traffic_key(ctx->rl,
176 	    &secrets->server_application_traffic));
177 }
178 
179 static int
180 tls13_phh_update_peer_traffic_secret(struct tls13_ctx *ctx)
181 {
182 	struct tls13_secrets *secrets = ctx->hs->secrets;
183 
184 	if (ctx->mode == TLS13_HS_CLIENT)
185 		return (tls13_update_server_traffic_secret(secrets) &&
186 		    tls13_record_layer_set_read_traffic_key(ctx->rl,
187 		    &secrets->server_application_traffic));
188 	return (tls13_update_client_traffic_secret(secrets) &&
189 	    tls13_record_layer_set_write_traffic_key(ctx->rl,
190 	    &secrets->client_application_traffic));
191 }
192 
193 /*
194  * XXX arbitrarily chosen limit of 100 post handshake handshake
195  * messages in an hour - to avoid a hostile peer from constantly
196  * requesting certificates or key renegotiaitons, etc.
197  */
198 static int
199 tls13_phh_limit_check(struct tls13_ctx *ctx)
200 {
201 	time_t now = time(NULL);
202 
203 	if (ctx->phh_last_seen > now - TLS13_PHH_LIMIT_TIME) {
204 		if (ctx->phh_count > TLS13_PHH_LIMIT)
205 			return 0;
206 	} else
207 		ctx->phh_count = 0;
208 	ctx->phh_count++;
209 	ctx->phh_last_seen = now;
210 	return 1;
211 }
212 
213 static ssize_t
214 tls13_key_update_recv(struct tls13_ctx *ctx, CBS *cbs)
215 {
216 	ssize_t ret = TLS13_IO_FAILURE;
217 
218 	if (!CBS_get_u8(cbs, &ctx->key_update_request))
219 		goto err;
220 	if (CBS_len(cbs) != 0)
221 		goto err;
222 
223 	if (!tls13_phh_update_peer_traffic_secret(ctx))
224 		goto err;
225 
226 	if (ctx->key_update_request) {
227 		CBB cbb;
228 		CBS cbs; /* XXX */
229 
230 		tls13_handshake_msg_free(ctx->hs_msg);
231 		if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL)
232 			goto err;
233 		if (!tls13_handshake_msg_start(ctx->hs_msg, &cbb, TLS13_MT_KEY_UPDATE))
234 			goto err;
235 		if (!CBB_add_u8(&cbb, 0))
236 			goto err;
237 		if (!tls13_handshake_msg_finish(ctx->hs_msg))
238 			goto err;
239 		tls13_handshake_msg_data(ctx->hs_msg, &cbs);
240 		ret = tls13_record_layer_phh(ctx->rl, &cbs);
241 
242 		tls13_handshake_msg_free(ctx->hs_msg);
243 		ctx->hs_msg = NULL;
244 	} else
245 		ret = TLS13_IO_SUCCESS;
246 
247 	return ret;
248  err:
249 	ctx->key_update_request = 0;
250 	/* XXX alert */
251 	return TLS13_IO_FAILURE;
252 }
253 
254 static void
255 tls13_phh_done_cb(void *cb_arg)
256 {
257 	struct tls13_ctx *ctx = cb_arg;
258 
259 	if (ctx->key_update_request) {
260 		tls13_phh_update_local_traffic_secret(ctx);
261 		ctx->key_update_request = 0;
262 	}
263 }
264 
265 static ssize_t
266 tls13_phh_received_cb(void *cb_arg, CBS *cbs)
267 {
268 	ssize_t ret = TLS13_IO_FAILURE;
269 	struct tls13_ctx *ctx = cb_arg;
270 	CBS phh_cbs;
271 
272 	if (!tls13_phh_limit_check(ctx))
273 		return tls13_send_alert(ctx->rl, SSL3_AD_UNEXPECTED_MESSAGE);
274 
275 	if ((ctx->hs_msg == NULL) &&
276 	    ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL))
277 		return TLS13_IO_FAILURE;
278 
279 	if (!tls13_handshake_msg_set_buffer(ctx->hs_msg, cbs))
280 		return TLS13_IO_FAILURE;
281 
282 	if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl))
283 	    != TLS13_IO_SUCCESS)
284 		return ret;
285 
286 	if (!tls13_handshake_msg_content(ctx->hs_msg, &phh_cbs))
287 		return TLS13_IO_FAILURE;
288 
289 	switch(tls13_handshake_msg_type(ctx->hs_msg)) {
290 	case TLS13_MT_KEY_UPDATE:
291 		ret = tls13_key_update_recv(ctx, &phh_cbs);
292 		break;
293 	case TLS13_MT_NEW_SESSION_TICKET:
294 		/* XXX do nothing for now and ignore this */
295 		break;
296 	case TLS13_MT_CERTIFICATE_REQUEST:
297 		/* XXX add support if we choose to advertise this */
298 		/* FALLTHROUGH */
299 	default:
300 		ret = TLS13_IO_FAILURE; /* XXX send alert */
301 		break;
302 	}
303 
304 	tls13_handshake_msg_free(ctx->hs_msg);
305 	ctx->hs_msg = NULL;
306 	return ret;
307 }
308 
309 struct tls13_ctx *
310 tls13_ctx_new(int mode)
311 {
312 	struct tls13_ctx *ctx = NULL;
313 
314 	if ((ctx = calloc(sizeof(struct tls13_ctx), 1)) == NULL)
315 		goto err;
316 
317 	ctx->mode = mode;
318 
319 	if ((ctx->rl = tls13_record_layer_new(tls13_legacy_wire_read_cb,
320 	    tls13_legacy_wire_write_cb, tls13_alert_received_cb,
321 	    tls13_phh_received_cb, tls13_phh_done_cb, ctx)) == NULL)
322 		goto err;
323 
324 	ctx->handshake_message_sent_cb = tls13_legacy_handshake_message_sent_cb;
325 	ctx->handshake_message_recv_cb = tls13_legacy_handshake_message_recv_cb;
326 
327 	return ctx;
328 
329  err:
330 	tls13_ctx_free(ctx);
331 
332 	return NULL;
333 }
334 
335 void
336 tls13_ctx_free(struct tls13_ctx *ctx)
337 {
338 	if (ctx == NULL)
339 		return;
340 
341 	tls13_error_clear(&ctx->error);
342 	tls13_record_layer_free(ctx->rl);
343 	tls13_handshake_msg_free(ctx->hs_msg);
344 
345 	freezero(ctx, sizeof(struct tls13_ctx));
346 }
347 
348 int
349 tls13_cert_add(CBB *cbb, X509 *cert)
350 {
351 	CBB cert_data, cert_exts;
352 	uint8_t *data;
353 	int cert_len;
354 
355 	if ((cert_len = i2d_X509(cert, NULL)) < 0)
356 		return 0;
357 
358 	if (!CBB_add_u24_length_prefixed(cbb, &cert_data))
359 		return 0;
360 	if (!CBB_add_space(&cert_data, &data, cert_len))
361 		return 0;
362 	if (i2d_X509(cert, &data) != cert_len)
363 		return 0;
364 
365 	if (!CBB_add_u16_length_prefixed(cbb, &cert_exts))
366 		return 0;
367 
368 	if (!CBB_flush(cbb))
369 		return 0;
370 
371 	return 1;
372 }
373 
374 int
375 tls13_synthetic_handshake_message(struct tls13_ctx *ctx)
376 {
377 	struct tls13_handshake_msg *hm = NULL;
378 	unsigned char buf[EVP_MAX_MD_SIZE];
379 	size_t hash_len;
380 	CBB cbb;
381 	CBS cbs;
382 	SSL *s = ctx->ssl;
383 	int ret = 0;
384 
385 	/*
386 	 * Replace ClientHello with synthetic handshake message - see
387 	 * RFC 8446 section 4.4.1.
388 	 */
389 	if (!tls1_transcript_hash_init(s))
390 		goto err;
391 	if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
392 		goto err;
393 
394 	if ((hm = tls13_handshake_msg_new()) == NULL)
395 		goto err;
396 	if (!tls13_handshake_msg_start(hm, &cbb, TLS13_MT_MESSAGE_HASH))
397 		goto err;
398 	if (!CBB_add_bytes(&cbb, buf, hash_len))
399 		goto err;
400 	if (!tls13_handshake_msg_finish(hm))
401 		goto err;
402 
403 	tls13_handshake_msg_data(hm, &cbs);
404 
405 	tls1_transcript_reset(ctx->ssl);
406 	if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs)))
407 		goto err;
408 
409 	ret = 1;
410 
411  err:
412 	tls13_handshake_msg_free(hm);
413 
414 	return ret;
415 }
416