1 /* $OpenBSD: tls13_lib.c,v 1.36.4.1 2020/08/10 18:59:47 tb Exp $ */ 2 /* 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2019 Bob Beck <beck@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <stddef.h> 20 21 #include <openssl/evp.h> 22 23 #include "ssl_locl.h" 24 #include "tls13_internal.h" 25 26 /* 27 * Downgrade sentinels - RFC 8446 section 4.1.3, magic values which must be set 28 * by the server in server random if it is willing to downgrade but supports 29 * TLSv1.3 30 */ 31 const uint8_t tls13_downgrade_12[8] = { 32 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01, 33 }; 34 const uint8_t tls13_downgrade_11[8] = { 35 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00, 36 }; 37 38 /* 39 * HelloRetryRequest hash - RFC 8446 section 4.1.3. 40 */ 41 const uint8_t tls13_hello_retry_request_hash[32] = { 42 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 43 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91, 44 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 45 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c, 46 }; 47 48 /* 49 * Certificate Verify padding - RFC 8446 section 4.4.3. 50 */ 51 const uint8_t tls13_cert_verify_pad[64] = { 52 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 53 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 54 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 55 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 56 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 57 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 58 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 59 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 60 }; 61 62 const uint8_t tls13_cert_client_verify_context[] = 63 "TLS 1.3, client CertificateVerify"; 64 const uint8_t tls13_cert_server_verify_context[] = 65 "TLS 1.3, server CertificateVerify"; 66 67 const EVP_AEAD * 68 tls13_cipher_aead(const SSL_CIPHER *cipher) 69 { 70 if (cipher == NULL) 71 return NULL; 72 if (cipher->algorithm_ssl != SSL_TLSV1_3) 73 return NULL; 74 75 switch (cipher->algorithm_enc) { 76 case SSL_AES128GCM: 77 return EVP_aead_aes_128_gcm(); 78 case SSL_AES256GCM: 79 return EVP_aead_aes_256_gcm(); 80 case SSL_CHACHA20POLY1305: 81 return EVP_aead_chacha20_poly1305(); 82 } 83 84 return NULL; 85 } 86 87 const EVP_MD * 88 tls13_cipher_hash(const SSL_CIPHER *cipher) 89 { 90 if (cipher == NULL) 91 return NULL; 92 if (cipher->algorithm_ssl != SSL_TLSV1_3) 93 return NULL; 94 95 switch (cipher->algorithm2) { 96 case SSL_HANDSHAKE_MAC_SHA256: 97 return EVP_sha256(); 98 case SSL_HANDSHAKE_MAC_SHA384: 99 return EVP_sha384(); 100 } 101 102 return NULL; 103 } 104 105 static void 106 tls13_alert_received_cb(uint8_t alert_desc, void *arg) 107 { 108 struct tls13_ctx *ctx = arg; 109 SSL *s = ctx->ssl; 110 111 if (alert_desc == SSL_AD_CLOSE_NOTIFY) { 112 ctx->close_notify_recv = 1; 113 ctx->ssl->internal->shutdown |= SSL_RECEIVED_SHUTDOWN; 114 S3I(ctx->ssl)->warn_alert = alert_desc; 115 return; 116 } 117 118 if (alert_desc == SSL_AD_USER_CANCELLED) { 119 /* 120 * We treat this as advisory, since a close_notify alert 121 * SHOULD follow this alert (RFC 8446 section 6.1). 122 */ 123 return; 124 } 125 126 /* All other alerts are treated as fatal in TLSv1.3. */ 127 S3I(ctx->ssl)->fatal_alert = alert_desc; 128 129 SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc); 130 ERR_asprintf_error_data("SSL alert number %d", alert_desc); 131 132 SSL_CTX_remove_session(s->ctx, s->session); 133 } 134 135 static void 136 tls13_legacy_handshake_message_recv_cb(void *arg) 137 { 138 struct tls13_ctx *ctx = arg; 139 SSL *s = ctx->ssl; 140 CBS cbs; 141 142 if (s->internal->msg_callback == NULL) 143 return; 144 145 tls13_handshake_msg_data(ctx->hs_msg, &cbs); 146 s->internal->msg_callback(0, TLS1_3_VERSION, SSL3_RT_HANDSHAKE, 147 CBS_data(&cbs), CBS_len(&cbs), s, s->internal->msg_callback_arg); 148 } 149 150 static void 151 tls13_legacy_handshake_message_sent_cb(void *arg) 152 { 153 struct tls13_ctx *ctx = arg; 154 SSL *s = ctx->ssl; 155 CBS cbs; 156 157 if (s->internal->msg_callback == NULL) 158 return; 159 160 tls13_handshake_msg_data(ctx->hs_msg, &cbs); 161 s->internal->msg_callback(1, TLS1_3_VERSION, SSL3_RT_HANDSHAKE, 162 CBS_data(&cbs), CBS_len(&cbs), s, s->internal->msg_callback_arg); 163 } 164 165 static int 166 tls13_phh_update_local_traffic_secret(struct tls13_ctx *ctx) 167 { 168 struct tls13_secrets *secrets = ctx->hs->secrets; 169 170 if (ctx->mode == TLS13_HS_CLIENT) 171 return (tls13_update_client_traffic_secret(secrets) && 172 tls13_record_layer_set_write_traffic_key(ctx->rl, 173 &secrets->client_application_traffic)); 174 return (tls13_update_server_traffic_secret(secrets) && 175 tls13_record_layer_set_read_traffic_key(ctx->rl, 176 &secrets->server_application_traffic)); 177 } 178 179 static int 180 tls13_phh_update_peer_traffic_secret(struct tls13_ctx *ctx) 181 { 182 struct tls13_secrets *secrets = ctx->hs->secrets; 183 184 if (ctx->mode == TLS13_HS_CLIENT) 185 return (tls13_update_server_traffic_secret(secrets) && 186 tls13_record_layer_set_read_traffic_key(ctx->rl, 187 &secrets->server_application_traffic)); 188 return (tls13_update_client_traffic_secret(secrets) && 189 tls13_record_layer_set_write_traffic_key(ctx->rl, 190 &secrets->client_application_traffic)); 191 } 192 193 /* 194 * XXX arbitrarily chosen limit of 100 post handshake handshake 195 * messages in an hour - to avoid a hostile peer from constantly 196 * requesting certificates or key renegotiaitons, etc. 197 */ 198 static int 199 tls13_phh_limit_check(struct tls13_ctx *ctx) 200 { 201 time_t now = time(NULL); 202 203 if (ctx->phh_last_seen > now - TLS13_PHH_LIMIT_TIME) { 204 if (ctx->phh_count > TLS13_PHH_LIMIT) 205 return 0; 206 } else 207 ctx->phh_count = 0; 208 ctx->phh_count++; 209 ctx->phh_last_seen = now; 210 return 1; 211 } 212 213 static ssize_t 214 tls13_key_update_recv(struct tls13_ctx *ctx, CBS *cbs) 215 { 216 ssize_t ret = TLS13_IO_FAILURE; 217 218 if (!CBS_get_u8(cbs, &ctx->key_update_request)) 219 goto err; 220 if (CBS_len(cbs) != 0) 221 goto err; 222 223 if (!tls13_phh_update_peer_traffic_secret(ctx)) 224 goto err; 225 226 if (ctx->key_update_request) { 227 CBB cbb; 228 CBS cbs; /* XXX */ 229 230 tls13_handshake_msg_free(ctx->hs_msg); 231 if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL) 232 goto err; 233 if (!tls13_handshake_msg_start(ctx->hs_msg, &cbb, TLS13_MT_KEY_UPDATE)) 234 goto err; 235 if (!CBB_add_u8(&cbb, 0)) 236 goto err; 237 if (!tls13_handshake_msg_finish(ctx->hs_msg)) 238 goto err; 239 tls13_handshake_msg_data(ctx->hs_msg, &cbs); 240 ret = tls13_record_layer_phh(ctx->rl, &cbs); 241 242 tls13_handshake_msg_free(ctx->hs_msg); 243 ctx->hs_msg = NULL; 244 } else 245 ret = TLS13_IO_SUCCESS; 246 247 return ret; 248 err: 249 ctx->key_update_request = 0; 250 /* XXX alert */ 251 return TLS13_IO_FAILURE; 252 } 253 254 static void 255 tls13_phh_done_cb(void *cb_arg) 256 { 257 struct tls13_ctx *ctx = cb_arg; 258 259 if (ctx->key_update_request) { 260 tls13_phh_update_local_traffic_secret(ctx); 261 ctx->key_update_request = 0; 262 } 263 } 264 265 static ssize_t 266 tls13_phh_received_cb(void *cb_arg, CBS *cbs) 267 { 268 ssize_t ret = TLS13_IO_FAILURE; 269 struct tls13_ctx *ctx = cb_arg; 270 CBS phh_cbs; 271 272 if (!tls13_phh_limit_check(ctx)) 273 return tls13_send_alert(ctx->rl, SSL3_AD_UNEXPECTED_MESSAGE); 274 275 if ((ctx->hs_msg == NULL) && 276 ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL)) 277 return TLS13_IO_FAILURE; 278 279 if (!tls13_handshake_msg_set_buffer(ctx->hs_msg, cbs)) 280 return TLS13_IO_FAILURE; 281 282 if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) 283 != TLS13_IO_SUCCESS) 284 return ret; 285 286 if (!tls13_handshake_msg_content(ctx->hs_msg, &phh_cbs)) 287 return TLS13_IO_FAILURE; 288 289 switch(tls13_handshake_msg_type(ctx->hs_msg)) { 290 case TLS13_MT_KEY_UPDATE: 291 ret = tls13_key_update_recv(ctx, &phh_cbs); 292 break; 293 case TLS13_MT_NEW_SESSION_TICKET: 294 /* XXX do nothing for now and ignore this */ 295 break; 296 case TLS13_MT_CERTIFICATE_REQUEST: 297 /* XXX add support if we choose to advertise this */ 298 /* FALLTHROUGH */ 299 default: 300 ret = TLS13_IO_FAILURE; /* XXX send alert */ 301 break; 302 } 303 304 tls13_handshake_msg_free(ctx->hs_msg); 305 ctx->hs_msg = NULL; 306 return ret; 307 } 308 309 struct tls13_ctx * 310 tls13_ctx_new(int mode) 311 { 312 struct tls13_ctx *ctx = NULL; 313 314 if ((ctx = calloc(sizeof(struct tls13_ctx), 1)) == NULL) 315 goto err; 316 317 ctx->mode = mode; 318 319 if ((ctx->rl = tls13_record_layer_new(tls13_legacy_wire_read_cb, 320 tls13_legacy_wire_write_cb, tls13_alert_received_cb, 321 tls13_phh_received_cb, tls13_phh_done_cb, ctx)) == NULL) 322 goto err; 323 324 ctx->handshake_message_sent_cb = tls13_legacy_handshake_message_sent_cb; 325 ctx->handshake_message_recv_cb = tls13_legacy_handshake_message_recv_cb; 326 327 return ctx; 328 329 err: 330 tls13_ctx_free(ctx); 331 332 return NULL; 333 } 334 335 void 336 tls13_ctx_free(struct tls13_ctx *ctx) 337 { 338 if (ctx == NULL) 339 return; 340 341 tls13_error_clear(&ctx->error); 342 tls13_record_layer_free(ctx->rl); 343 tls13_handshake_msg_free(ctx->hs_msg); 344 345 freezero(ctx, sizeof(struct tls13_ctx)); 346 } 347 348 int 349 tls13_cert_add(CBB *cbb, X509 *cert) 350 { 351 CBB cert_data, cert_exts; 352 uint8_t *data; 353 int cert_len; 354 355 if ((cert_len = i2d_X509(cert, NULL)) < 0) 356 return 0; 357 358 if (!CBB_add_u24_length_prefixed(cbb, &cert_data)) 359 return 0; 360 if (!CBB_add_space(&cert_data, &data, cert_len)) 361 return 0; 362 if (i2d_X509(cert, &data) != cert_len) 363 return 0; 364 365 if (!CBB_add_u16_length_prefixed(cbb, &cert_exts)) 366 return 0; 367 368 if (!CBB_flush(cbb)) 369 return 0; 370 371 return 1; 372 } 373 374 int 375 tls13_synthetic_handshake_message(struct tls13_ctx *ctx) 376 { 377 struct tls13_handshake_msg *hm = NULL; 378 unsigned char buf[EVP_MAX_MD_SIZE]; 379 size_t hash_len; 380 CBB cbb; 381 CBS cbs; 382 SSL *s = ctx->ssl; 383 int ret = 0; 384 385 /* 386 * Replace ClientHello with synthetic handshake message - see 387 * RFC 8446 section 4.4.1. 388 */ 389 if (!tls1_transcript_hash_init(s)) 390 goto err; 391 if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) 392 goto err; 393 394 if ((hm = tls13_handshake_msg_new()) == NULL) 395 goto err; 396 if (!tls13_handshake_msg_start(hm, &cbb, TLS13_MT_MESSAGE_HASH)) 397 goto err; 398 if (!CBB_add_bytes(&cbb, buf, hash_len)) 399 goto err; 400 if (!tls13_handshake_msg_finish(hm)) 401 goto err; 402 403 tls13_handshake_msg_data(hm, &cbs); 404 405 tls1_transcript_reset(ctx->ssl); 406 if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs))) 407 goto err; 408 409 ret = 1; 410 411 err: 412 tls13_handshake_msg_free(hm); 413 414 return ret; 415 } 416