xref: /openbsd-src/lib/libssl/tls13_lib.c (revision 505ee9ea3b177e2387d907a91ca7da069f3f14d8) 
1 /*	$OpenBSD: tls13_lib.c,v 1.52 2020/07/03 04:12:51 tb Exp $ */
2 /*
3  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4  * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
5  *
6  * Permission to use, copy, modify, and distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 #include <stddef.h>
20 
21 #include <openssl/evp.h>
22 
23 #include "ssl_locl.h"
24 #include "ssl_tlsext.h"
25 #include "tls13_internal.h"
26 
27 /*
28  * Downgrade sentinels - RFC 8446 section 4.1.3, magic values which must be set
29  * by the server in server random if it is willing to downgrade but supports
30  * TLSv1.3
31  */
32 const uint8_t tls13_downgrade_12[8] = {
33 	0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01,
34 };
35 const uint8_t tls13_downgrade_11[8] = {
36 	0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00,
37 };
38 
39 /*
40  * HelloRetryRequest hash - RFC 8446 section 4.1.3.
41  */
42 const uint8_t tls13_hello_retry_request_hash[32] = {
43 	0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11,
44 	0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
45 	0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
46 	0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c,
47 };
48 
49 /*
50  * Certificate Verify padding - RFC 8446 section 4.4.3.
51  */
52 const uint8_t tls13_cert_verify_pad[64] = {
53 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
54 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
55 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
56 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
57 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
58 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
59 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
60 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
61 };
62 
63 const uint8_t tls13_cert_client_verify_context[] =
64     "TLS 1.3, client CertificateVerify";
65 const uint8_t tls13_cert_server_verify_context[] =
66     "TLS 1.3, server CertificateVerify";
67 
68 const EVP_AEAD *
69 tls13_cipher_aead(const SSL_CIPHER *cipher)
70 {
71 	if (cipher == NULL)
72 		return NULL;
73 	if (cipher->algorithm_ssl != SSL_TLSV1_3)
74 		return NULL;
75 
76 	switch (cipher->algorithm_enc) {
77 	case SSL_AES128GCM:
78 		return EVP_aead_aes_128_gcm();
79 	case SSL_AES256GCM:
80 		return EVP_aead_aes_256_gcm();
81 	case SSL_CHACHA20POLY1305:
82 		return EVP_aead_chacha20_poly1305();
83 	}
84 
85 	return NULL;
86 }
87 
88 const EVP_MD *
89 tls13_cipher_hash(const SSL_CIPHER *cipher)
90 {
91 	if (cipher == NULL)
92 		return NULL;
93 	if (cipher->algorithm_ssl != SSL_TLSV1_3)
94 		return NULL;
95 
96 	switch (cipher->algorithm2) {
97 	case SSL_HANDSHAKE_MAC_SHA256:
98 		return EVP_sha256();
99 	case SSL_HANDSHAKE_MAC_SHA384:
100 		return EVP_sha384();
101 	}
102 
103 	return NULL;
104 }
105 
106 static void
107 tls13_alert_received_cb(uint8_t alert_desc, void *arg)
108 {
109 	struct tls13_ctx *ctx = arg;
110 
111 	if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
112 		ctx->close_notify_recv = 1;
113 		ctx->ssl->internal->shutdown |= SSL_RECEIVED_SHUTDOWN;
114 		S3I(ctx->ssl)->warn_alert = alert_desc;
115 		return;
116 	}
117 
118 	if (alert_desc == TLS13_ALERT_USER_CANCELED) {
119 		/*
120 		 * We treat this as advisory, since a close_notify alert
121 		 * SHOULD follow this alert (RFC 8446 section 6.1).
122 		 */
123 		return;
124 	}
125 
126 	/* All other alerts are treated as fatal in TLSv1.3. */
127 	S3I(ctx->ssl)->fatal_alert = alert_desc;
128 
129 	SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
130 	ERR_asprintf_error_data("SSL alert number %d", alert_desc);
131 
132 	SSL_CTX_remove_session(ctx->ssl->ctx, ctx->ssl->session);
133 }
134 
135 static void
136 tls13_alert_sent_cb(uint8_t alert_desc, void *arg)
137 {
138 	struct tls13_ctx *ctx = arg;
139 
140 	if (alert_desc == SSL_AD_CLOSE_NOTIFY) {
141 		ctx->close_notify_sent = 1;
142 		return;
143 	}
144 
145 	if (alert_desc == SSL_AD_USER_CANCELLED) {
146 		return;
147 	}
148 
149 	/* All other alerts are treated as fatal in TLSv1.3. */
150 	SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
151 }
152 
153 static void
154 tls13_legacy_handshake_message_recv_cb(void *arg)
155 {
156 	struct tls13_ctx *ctx = arg;
157 	SSL *s = ctx->ssl;
158 	CBS cbs;
159 
160 	if (s->internal->msg_callback == NULL)
161 		return;
162 
163 	tls13_handshake_msg_data(ctx->hs_msg, &cbs);
164 	s->internal->msg_callback(0, TLS1_3_VERSION, SSL3_RT_HANDSHAKE,
165 	    CBS_data(&cbs), CBS_len(&cbs), s, s->internal->msg_callback_arg);
166 }
167 
168 static void
169 tls13_legacy_handshake_message_sent_cb(void *arg)
170 {
171 	struct tls13_ctx *ctx = arg;
172 	SSL *s = ctx->ssl;
173 	CBS cbs;
174 
175 	if (s->internal->msg_callback == NULL)
176 		return;
177 
178 	tls13_handshake_msg_data(ctx->hs_msg, &cbs);
179 	s->internal->msg_callback(1, TLS1_3_VERSION, SSL3_RT_HANDSHAKE,
180 	    CBS_data(&cbs), CBS_len(&cbs), s, s->internal->msg_callback_arg);
181 }
182 
183 static int
184 tls13_legacy_ocsp_status_recv_cb(void *arg)
185 {
186 	struct tls13_ctx *ctx = arg;
187 	SSL *s = ctx->ssl;
188 	int ret;
189 
190 	if (s->ctx->internal->tlsext_status_cb == NULL ||
191 	    s->internal->tlsext_ocsp_resp == NULL)
192 		return 1;
193 
194 	ret = s->ctx->internal->tlsext_status_cb(s,
195 	    s->ctx->internal->tlsext_status_arg);
196 	if (ret < 0) {
197 		ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
198 		SSLerror(s, ERR_R_MALLOC_FAILURE);
199 		return 0;
200 	}
201 	if (ret == 0) {
202 		ctx->alert = TLS13_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE;
203 		SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE);
204 		return 0;
205 	}
206 
207 	return 1;
208 }
209 
210 static int
211 tls13_phh_update_local_traffic_secret(struct tls13_ctx *ctx)
212 {
213 	struct tls13_secrets *secrets = ctx->hs->secrets;
214 
215 	if (ctx->mode == TLS13_HS_CLIENT)
216 		return (tls13_update_client_traffic_secret(secrets) &&
217 		    tls13_record_layer_set_write_traffic_key(ctx->rl,
218 			&secrets->client_application_traffic));
219 	return (tls13_update_server_traffic_secret(secrets) &&
220 	    tls13_record_layer_set_read_traffic_key(ctx->rl,
221 	    &secrets->server_application_traffic));
222 }
223 
224 static int
225 tls13_phh_update_peer_traffic_secret(struct tls13_ctx *ctx)
226 {
227 	struct tls13_secrets *secrets = ctx->hs->secrets;
228 
229 	if (ctx->mode == TLS13_HS_CLIENT)
230 		return (tls13_update_server_traffic_secret(secrets) &&
231 		    tls13_record_layer_set_read_traffic_key(ctx->rl,
232 		    &secrets->server_application_traffic));
233 	return (tls13_update_client_traffic_secret(secrets) &&
234 	    tls13_record_layer_set_write_traffic_key(ctx->rl,
235 	    &secrets->client_application_traffic));
236 }
237 
238 /*
239  * XXX arbitrarily chosen limit of 100 post handshake handshake
240  * messages in an hour - to avoid a hostile peer from constantly
241  * requesting certificates or key renegotiaitons, etc.
242  */
243 static int
244 tls13_phh_limit_check(struct tls13_ctx *ctx)
245 {
246 	time_t now = time(NULL);
247 
248 	if (ctx->phh_last_seen > now - TLS13_PHH_LIMIT_TIME) {
249 		if (ctx->phh_count > TLS13_PHH_LIMIT)
250 			return 0;
251 	} else
252 		ctx->phh_count = 0;
253 	ctx->phh_count++;
254 	ctx->phh_last_seen = now;
255 	return 1;
256 }
257 
258 static ssize_t
259 tls13_key_update_recv(struct tls13_ctx *ctx, CBS *cbs)
260 {
261 	struct tls13_handshake_msg *hs_msg = NULL;
262 	CBB cbb_hs;
263 	CBS cbs_hs;
264 	uint8_t alert = TLS13_ALERT_INTERNAL_ERROR;
265 	uint8_t key_update_request;
266 	ssize_t ret;
267 
268 	if (!CBS_get_u8(cbs, &key_update_request)) {
269 		alert = TLS13_ALERT_DECODE_ERROR;
270 		goto err;
271 	}
272 	if (CBS_len(cbs) != 0) {
273 		alert = TLS13_ALERT_DECODE_ERROR;
274 		goto err;
275 	}
276 	if (key_update_request > 1) {
277 		alert = TLS13_ALERT_ILLEGAL_PARAMETER;
278 		goto err;
279 	}
280 
281 	if (!tls13_phh_update_peer_traffic_secret(ctx))
282 		goto err;
283 
284 	if (key_update_request == 0)
285 		return TLS13_IO_SUCCESS;
286 
287 	/* key_update_request == 1 */
288 	if ((hs_msg = tls13_handshake_msg_new()) == NULL)
289 		goto err;
290 	if (!tls13_handshake_msg_start(hs_msg, &cbb_hs, TLS13_MT_KEY_UPDATE))
291 		goto err;
292 	if (!CBB_add_u8(&cbb_hs, 0))
293 		goto err;
294 	if (!tls13_handshake_msg_finish(hs_msg))
295 		goto err;
296 
297 	ctx->key_update_request = 1;
298 	tls13_handshake_msg_data(hs_msg, &cbs_hs);
299 	ret = tls13_record_layer_phh(ctx->rl, &cbs_hs);
300 
301 	tls13_handshake_msg_free(hs_msg);
302 	hs_msg = NULL;
303 
304 	return ret;
305 
306  err:
307 	tls13_handshake_msg_free(hs_msg);
308 
309 	return tls13_send_alert(ctx->rl, alert);
310 }
311 
312 static void
313 tls13_phh_done_cb(void *cb_arg)
314 {
315 	struct tls13_ctx *ctx = cb_arg;
316 
317 	if (ctx->key_update_request) {
318 		tls13_phh_update_local_traffic_secret(ctx);
319 		ctx->key_update_request = 0;
320 	}
321 }
322 
323 static ssize_t
324 tls13_phh_received_cb(void *cb_arg, CBS *cbs)
325 {
326 	ssize_t ret = TLS13_IO_FAILURE;
327 	struct tls13_ctx *ctx = cb_arg;
328 	CBS phh_cbs;
329 
330 	if (!tls13_phh_limit_check(ctx))
331 		return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
332 
333 	if ((ctx->hs_msg == NULL) &&
334 	    ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL))
335 		return TLS13_IO_FAILURE;
336 
337 	if (!tls13_handshake_msg_set_buffer(ctx->hs_msg, cbs))
338 		return TLS13_IO_FAILURE;
339 
340 	if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl))
341 	    != TLS13_IO_SUCCESS)
342 		return ret;
343 
344 	if (!tls13_handshake_msg_content(ctx->hs_msg, &phh_cbs))
345 		return TLS13_IO_FAILURE;
346 
347 	switch(tls13_handshake_msg_type(ctx->hs_msg)) {
348 	case TLS13_MT_KEY_UPDATE:
349 		ret = tls13_key_update_recv(ctx, &phh_cbs);
350 		break;
351 	case TLS13_MT_NEW_SESSION_TICKET:
352 		/* XXX do nothing for now and ignore this */
353 		break;
354 	case TLS13_MT_CERTIFICATE_REQUEST:
355 		/* XXX add support if we choose to advertise this */
356 		/* FALLTHROUGH */
357 	default:
358 		ret = TLS13_IO_FAILURE; /* XXX send alert */
359 		break;
360 	}
361 
362 	tls13_handshake_msg_free(ctx->hs_msg);
363 	ctx->hs_msg = NULL;
364 	return ret;
365 }
366 
367 static const struct tls13_record_layer_callbacks rl_callbacks = {
368 	.wire_read = tls13_legacy_wire_read_cb,
369 	.wire_write = tls13_legacy_wire_write_cb,
370 	.alert_recv = tls13_alert_received_cb,
371 	.alert_sent = tls13_alert_sent_cb,
372 	.phh_recv = tls13_phh_received_cb,
373 	.phh_sent = tls13_phh_done_cb,
374 };
375 
376 struct tls13_ctx *
377 tls13_ctx_new(int mode)
378 {
379 	struct tls13_ctx *ctx = NULL;
380 
381 	if ((ctx = calloc(sizeof(struct tls13_ctx), 1)) == NULL)
382 		goto err;
383 
384 	ctx->mode = mode;
385 
386 	if ((ctx->rl = tls13_record_layer_new(&rl_callbacks, ctx)) == NULL)
387 		goto err;
388 
389 	ctx->handshake_message_sent_cb = tls13_legacy_handshake_message_sent_cb;
390 	ctx->handshake_message_recv_cb = tls13_legacy_handshake_message_recv_cb;
391 	ctx->ocsp_status_recv_cb = tls13_legacy_ocsp_status_recv_cb;
392 
393 	ctx->middlebox_compat = 1;
394 
395 	return ctx;
396 
397  err:
398 	tls13_ctx_free(ctx);
399 
400 	return NULL;
401 }
402 
403 void
404 tls13_ctx_free(struct tls13_ctx *ctx)
405 {
406 	if (ctx == NULL)
407 		return;
408 
409 	tls13_error_clear(&ctx->error);
410 	tls13_record_layer_free(ctx->rl);
411 	tls13_handshake_msg_free(ctx->hs_msg);
412 
413 	freezero(ctx, sizeof(struct tls13_ctx));
414 }
415 
416 int
417 tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert,
418     int(*build_extensions)(SSL *s, uint16_t msg_type, CBB *cbb))
419 {
420 	CBB cert_data;
421 	uint8_t *data;
422 	int cert_len;
423 
424 	if ((cert_len = i2d_X509(cert, NULL)) < 0)
425 		return 0;
426 
427 	if (!CBB_add_u24_length_prefixed(cbb, &cert_data))
428 		return 0;
429 	if (!CBB_add_space(&cert_data, &data, cert_len))
430 		return 0;
431 	if (i2d_X509(cert, &data) != cert_len)
432 		return 0;
433 	if (build_extensions != NULL) {
434 		if (!build_extensions(ctx->ssl, SSL_TLSEXT_MSG_CT, cbb))
435 			return 0;
436 	} else {
437 		CBB cert_exts;
438 		if (!CBB_add_u16_length_prefixed(cbb, &cert_exts))
439 			return 0;
440 	}
441 	if (!CBB_flush(cbb))
442 		return 0;
443 
444 	return 1;
445 }
446 
447 int
448 tls13_synthetic_handshake_message(struct tls13_ctx *ctx)
449 {
450 	struct tls13_handshake_msg *hm = NULL;
451 	unsigned char buf[EVP_MAX_MD_SIZE];
452 	size_t hash_len;
453 	CBB cbb;
454 	CBS cbs;
455 	SSL *s = ctx->ssl;
456 	int ret = 0;
457 
458 	/*
459 	 * Replace ClientHello with synthetic handshake message - see
460 	 * RFC 8446 section 4.4.1.
461 	 */
462 	if (!tls1_transcript_hash_init(s))
463 		goto err;
464 	if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
465 		goto err;
466 
467 	if ((hm = tls13_handshake_msg_new()) == NULL)
468 		goto err;
469 	if (!tls13_handshake_msg_start(hm, &cbb, TLS13_MT_MESSAGE_HASH))
470 		goto err;
471 	if (!CBB_add_bytes(&cbb, buf, hash_len))
472 		goto err;
473 	if (!tls13_handshake_msg_finish(hm))
474 		goto err;
475 
476 	tls13_handshake_msg_data(hm, &cbs);
477 
478 	tls1_transcript_reset(ctx->ssl);
479 	if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs)))
480 		goto err;
481 
482 	ret = 1;
483 
484  err:
485 	tls13_handshake_msg_free(hm);
486 
487 	return ret;
488 }
489 
490 int
491 tls13_clienthello_hash_init(struct tls13_ctx *ctx)
492 {
493 	if (ctx->hs->clienthello_md_ctx != NULL)
494 		return 0;
495 	if ((ctx->hs->clienthello_md_ctx = EVP_MD_CTX_new()) == NULL)
496 		return 0;
497 	if (!EVP_DigestInit_ex(ctx->hs->clienthello_md_ctx,
498 	    EVP_sha256(), NULL))
499 		return 0;
500 
501 	if ((ctx->hs->clienthello_hash == NULL) &&
502 	    (ctx->hs->clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) ==
503 	    NULL)
504 		return 0;
505 
506 	return 1;
507 }
508 
509 void
510 tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs)
511 {
512 	EVP_MD_CTX_free(hs->clienthello_md_ctx);
513 	hs->clienthello_md_ctx = NULL;
514 	freezero(hs->clienthello_hash, EVP_MAX_MD_SIZE);
515 	hs->clienthello_hash = NULL;
516 }
517 
518 int
519 tls13_clienthello_hash_update_bytes(struct tls13_ctx *ctx, void *data,
520     size_t len)
521 {
522 	return EVP_DigestUpdate(ctx->hs->clienthello_md_ctx, data, len);
523 }
524 
525 int
526 tls13_clienthello_hash_update(struct tls13_ctx *ctx, CBS *cbs)
527 {
528 	return tls13_clienthello_hash_update_bytes(ctx, (void *)CBS_data(cbs),
529 	    CBS_len(cbs));
530 }
531 
532 int
533 tls13_clienthello_hash_finalize(struct tls13_ctx *ctx)
534 {
535 	if (!EVP_DigestFinal_ex(ctx->hs->clienthello_md_ctx,
536 	    ctx->hs->clienthello_hash,
537 	    &ctx->hs->clienthello_hash_len))
538 		return 0;
539 	EVP_MD_CTX_free(ctx->hs->clienthello_md_ctx);
540 	ctx->hs->clienthello_md_ctx = NULL;
541 	return 1;
542 }
543 
544 int
545 tls13_clienthello_hash_validate(struct tls13_ctx *ctx)
546 {
547 	unsigned char new_ch_hash[EVP_MAX_MD_SIZE];
548 	unsigned int new_ch_hash_len;
549 
550 	if (ctx->hs->clienthello_hash == NULL)
551 		return 0;
552 
553 	if (!EVP_DigestFinal_ex(ctx->hs->clienthello_md_ctx,
554 	    new_ch_hash, &new_ch_hash_len))
555 		return 0;
556 	EVP_MD_CTX_free(ctx->hs->clienthello_md_ctx);
557 	ctx->hs->clienthello_md_ctx = NULL;
558 
559 	if (ctx->hs->clienthello_hash_len != new_ch_hash_len)
560 		return 0;
561 	if (memcmp(ctx->hs->clienthello_hash, new_ch_hash,
562 	    new_ch_hash_len) != 0)
563 		return 0;
564 
565 	return 1;
566 }
567 
568