1 /* $OpenBSD: tls13_lib.c,v 1.34 2020/02/15 14:40:38 jsing Exp $ */ 2 /* 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2019 Bob Beck <beck@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <stddef.h> 20 21 #include <openssl/evp.h> 22 23 #include "ssl_locl.h" 24 #include "tls13_internal.h" 25 26 /* 27 * RFC 8446 section 4.1.3, magic values which must be set by the 28 * server in server random if it is willing to downgrade but supports 29 * tls v1.3 30 */ 31 uint8_t tls13_downgrade_12[8] = {0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01}; 32 uint8_t tls13_downgrade_11[8] = {0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00}; 33 34 const EVP_AEAD * 35 tls13_cipher_aead(const SSL_CIPHER *cipher) 36 { 37 if (cipher == NULL) 38 return NULL; 39 if (cipher->algorithm_ssl != SSL_TLSV1_3) 40 return NULL; 41 42 switch (cipher->algorithm_enc) { 43 case SSL_AES128GCM: 44 return EVP_aead_aes_128_gcm(); 45 case SSL_AES256GCM: 46 return EVP_aead_aes_256_gcm(); 47 case SSL_CHACHA20POLY1305: 48 return EVP_aead_chacha20_poly1305(); 49 } 50 51 return NULL; 52 } 53 54 const EVP_MD * 55 tls13_cipher_hash(const SSL_CIPHER *cipher) 56 { 57 if (cipher == NULL) 58 return NULL; 59 if (cipher->algorithm_ssl != SSL_TLSV1_3) 60 return NULL; 61 62 switch (cipher->algorithm2) { 63 case SSL_HANDSHAKE_MAC_SHA256: 64 return EVP_sha256(); 65 case SSL_HANDSHAKE_MAC_SHA384: 66 return EVP_sha384(); 67 } 68 69 return NULL; 70 } 71 72 static void 73 tls13_alert_received_cb(uint8_t alert_desc, void *arg) 74 { 75 struct tls13_ctx *ctx = arg; 76 SSL *s = ctx->ssl; 77 78 if (alert_desc == SSL_AD_CLOSE_NOTIFY) { 79 ctx->close_notify_recv = 1; 80 ctx->ssl->internal->shutdown |= SSL_RECEIVED_SHUTDOWN; 81 S3I(ctx->ssl)->warn_alert = alert_desc; 82 return; 83 } 84 85 if (alert_desc == SSL_AD_USER_CANCELLED) { 86 /* 87 * We treat this as advisory, since a close_notify alert 88 * SHOULD follow this alert (RFC 8446 section 6.1). 89 */ 90 return; 91 } 92 93 /* All other alerts are treated as fatal in TLSv1.3. */ 94 S3I(ctx->ssl)->fatal_alert = alert_desc; 95 96 SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc); 97 ERR_asprintf_error_data("SSL alert number %d", alert_desc); 98 99 SSL_CTX_remove_session(s->ctx, s->session); 100 } 101 102 static void 103 tls13_legacy_handshake_message_recv_cb(void *arg) 104 { 105 struct tls13_ctx *ctx = arg; 106 SSL *s = ctx->ssl; 107 CBS cbs; 108 109 if (s->internal->msg_callback == NULL) 110 return; 111 112 tls13_handshake_msg_data(ctx->hs_msg, &cbs); 113 s->internal->msg_callback(0, TLS1_3_VERSION, SSL3_RT_HANDSHAKE, 114 CBS_data(&cbs), CBS_len(&cbs), s, s->internal->msg_callback_arg); 115 } 116 117 static void 118 tls13_legacy_handshake_message_sent_cb(void *arg) 119 { 120 struct tls13_ctx *ctx = arg; 121 SSL *s = ctx->ssl; 122 CBS cbs; 123 124 if (s->internal->msg_callback == NULL) 125 return; 126 127 tls13_handshake_msg_data(ctx->hs_msg, &cbs); 128 s->internal->msg_callback(1, TLS1_3_VERSION, SSL3_RT_HANDSHAKE, 129 CBS_data(&cbs), CBS_len(&cbs), s, s->internal->msg_callback_arg); 130 } 131 132 static int 133 tls13_phh_update_local_traffic_secret(struct tls13_ctx *ctx) 134 { 135 struct tls13_secrets *secrets = ctx->hs->secrets; 136 137 if (ctx->mode == TLS13_HS_CLIENT) 138 return (tls13_update_client_traffic_secret(secrets) && 139 tls13_record_layer_set_write_traffic_key(ctx->rl, 140 &secrets->client_application_traffic)); 141 return (tls13_update_server_traffic_secret(secrets) && 142 tls13_record_layer_set_read_traffic_key(ctx->rl, 143 &secrets->server_application_traffic)); 144 } 145 146 static int 147 tls13_phh_update_peer_traffic_secret(struct tls13_ctx *ctx) 148 { 149 struct tls13_secrets *secrets = ctx->hs->secrets; 150 151 if (ctx->mode == TLS13_HS_CLIENT) 152 return (tls13_update_server_traffic_secret(secrets) && 153 tls13_record_layer_set_read_traffic_key(ctx->rl, 154 &secrets->server_application_traffic)); 155 return (tls13_update_client_traffic_secret(secrets) && 156 tls13_record_layer_set_write_traffic_key(ctx->rl, 157 &secrets->client_application_traffic)); 158 } 159 160 /* 161 * XXX arbitrarily chosen limit of 100 post handshake handshake 162 * messages in an hour - to avoid a hostile peer from constantly 163 * requesting certificates or key renegotiaitons, etc. 164 */ 165 static int 166 tls13_phh_limit_check(struct tls13_ctx *ctx) 167 { 168 time_t now = time(NULL); 169 170 if (ctx->phh_last_seen > now - TLS13_PHH_LIMIT_TIME) { 171 if (ctx->phh_count > TLS13_PHH_LIMIT) 172 return 0; 173 } else 174 ctx->phh_count = 0; 175 ctx->phh_count++; 176 ctx->phh_last_seen = now; 177 return 1; 178 } 179 180 static ssize_t 181 tls13_key_update_recv(struct tls13_ctx *ctx, CBS *cbs) 182 { 183 ssize_t ret = TLS13_IO_FAILURE; 184 185 if (!CBS_get_u8(cbs, &ctx->key_update_request)) 186 goto err; 187 if (CBS_len(cbs) != 0) 188 goto err; 189 190 if (!tls13_phh_update_peer_traffic_secret(ctx)) 191 goto err; 192 193 if (ctx->key_update_request) { 194 CBB cbb; 195 CBS cbs; /* XXX */ 196 197 free(ctx->hs_msg); 198 ctx->hs_msg = tls13_handshake_msg_new(); 199 if (!tls13_handshake_msg_start(ctx->hs_msg, &cbb, TLS13_MT_KEY_UPDATE)) 200 goto err; 201 if (!CBB_add_u8(&cbb, 0)) 202 goto err; 203 if (!tls13_handshake_msg_finish(ctx->hs_msg)) 204 goto err; 205 tls13_handshake_msg_data(ctx->hs_msg, &cbs); 206 ret = tls13_record_layer_phh(ctx->rl, &cbs); 207 208 tls13_handshake_msg_free(ctx->hs_msg); 209 ctx->hs_msg = NULL; 210 } else 211 ret = TLS13_IO_SUCCESS; 212 213 return ret; 214 err: 215 ctx->key_update_request = 0; 216 /* XXX alert */ 217 return TLS13_IO_FAILURE; 218 } 219 220 static void 221 tls13_phh_done_cb(void *cb_arg) 222 { 223 struct tls13_ctx *ctx = cb_arg; 224 225 if (ctx->key_update_request) { 226 tls13_phh_update_local_traffic_secret(ctx); 227 ctx->key_update_request = 0; 228 } 229 } 230 231 static ssize_t 232 tls13_phh_received_cb(void *cb_arg, CBS *cbs) 233 { 234 ssize_t ret = TLS13_IO_FAILURE; 235 struct tls13_ctx *ctx = cb_arg; 236 CBS phh_cbs; 237 238 if (!tls13_phh_limit_check(ctx)) 239 return tls13_send_alert(ctx->rl, SSL3_AD_UNEXPECTED_MESSAGE); 240 241 if ((ctx->hs_msg == NULL) && 242 ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL)) 243 return TLS13_IO_FAILURE; 244 245 if (!tls13_handshake_msg_set_buffer(ctx->hs_msg, cbs)) 246 return TLS13_IO_FAILURE; 247 248 if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) 249 != TLS13_IO_SUCCESS) 250 return ret; 251 252 if (!tls13_handshake_msg_content(ctx->hs_msg, &phh_cbs)) 253 return TLS13_IO_FAILURE; 254 255 switch(tls13_handshake_msg_type(ctx->hs_msg)) { 256 case TLS13_MT_KEY_UPDATE: 257 ret = tls13_key_update_recv(ctx, &phh_cbs); 258 break; 259 case TLS13_MT_NEW_SESSION_TICKET: 260 /* XXX do nothing for now and ignore this */ 261 break; 262 case TLS13_MT_CERTIFICATE_REQUEST: 263 /* XXX add support if we choose to advertise this */ 264 /* FALLTHROUGH */ 265 default: 266 ret = TLS13_IO_FAILURE; /* XXX send alert */ 267 break; 268 } 269 270 tls13_handshake_msg_free(ctx->hs_msg); 271 ctx->hs_msg = NULL; 272 return ret; 273 } 274 275 struct tls13_ctx * 276 tls13_ctx_new(int mode) 277 { 278 struct tls13_ctx *ctx = NULL; 279 280 if ((ctx = calloc(sizeof(struct tls13_ctx), 1)) == NULL) 281 goto err; 282 283 ctx->mode = mode; 284 285 if ((ctx->rl = tls13_record_layer_new(tls13_legacy_wire_read_cb, 286 tls13_legacy_wire_write_cb, tls13_alert_received_cb, 287 tls13_phh_received_cb, tls13_phh_done_cb, ctx)) == NULL) 288 goto err; 289 290 ctx->handshake_message_sent_cb = tls13_legacy_handshake_message_sent_cb; 291 ctx->handshake_message_recv_cb = tls13_legacy_handshake_message_recv_cb; 292 293 return ctx; 294 295 err: 296 tls13_ctx_free(ctx); 297 298 return NULL; 299 } 300 301 void 302 tls13_ctx_free(struct tls13_ctx *ctx) 303 { 304 if (ctx == NULL) 305 return; 306 307 tls13_error_clear(&ctx->error); 308 tls13_record_layer_free(ctx->rl); 309 tls13_handshake_msg_free(ctx->hs_msg); 310 311 freezero(ctx, sizeof(struct tls13_ctx)); 312 } 313 314 /* 315 * Certificate Verify padding - RFC 8446 section 4.4.3. 316 */ 317 uint8_t tls13_cert_verify_pad[64] = { 318 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 319 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 320 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 321 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 322 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 323 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 324 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 325 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 326 }; 327 328 uint8_t tls13_cert_client_verify_context[] = "TLS 1.3, client CertificateVerify"; 329 uint8_t tls13_cert_server_verify_context[] = "TLS 1.3, server CertificateVerify"; 330 331 int 332 tls13_cert_add(CBB *cbb, X509 *cert) 333 { 334 CBB cert_data, cert_exts; 335 uint8_t *data; 336 int cert_len; 337 338 if ((cert_len = i2d_X509(cert, NULL)) < 0) 339 return 0; 340 341 if (!CBB_add_u24_length_prefixed(cbb, &cert_data)) 342 return 0; 343 if (!CBB_add_space(&cert_data, &data, cert_len)) 344 return 0; 345 if (i2d_X509(cert, &data) != cert_len) 346 return 0; 347 348 if (!CBB_add_u16_length_prefixed(cbb, &cert_exts)) 349 return 0; 350 351 if (!CBB_flush(cbb)) 352 return 0; 353 354 return 1; 355 } 356