libtls: Add downgrade protection for TLS 1.3 and TLS 1.2
[strongswan.git] / src / libtls / tls.c
1 /*
2 * Copyright (C) 2021 Tobias Brunner
3 * Copyright (C) 2020-2021 Pascal Knecht
4 * HSR Hochschule fuer Technik Rapperswil
5 *
6 * Copyright (C) 2010 Martin Willi
7 * Copyright (C) 2010 revosec AG
8 *
9 * This program is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2 of the License, or (at your
12 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 *
14 * This program is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 * for more details.
18 */
19
20 #include "tls.h"
21
22 #include <utils/debug.h>
23
24 #include "tls_protection.h"
25 #include "tls_compression.h"
26 #include "tls_fragmentation.h"
27 #include "tls_crypto.h"
28 #include "tls_server.h"
29 #include "tls_peer.h"
30
31 ENUM_BEGIN(tls_version_names, TLS_UNSPEC, TLS_UNSPEC,
32 "TLS UNSPEC");
33 ENUM_NEXT(tls_version_names, SSL_2_0, SSL_2_0, TLS_UNSPEC,
34 "SSLv2");
35 ENUM_NEXT(tls_version_names, SSL_3_0, TLS_1_3, SSL_2_0,
36 "SSLv3",
37 "TLS 1.0",
38 "TLS 1.1",
39 "TLS 1.2",
40 "TLS 1.3");
41 ENUM_END(tls_version_names, TLS_1_3);
42
43 /**
44 * Only supported versions are mapped
45 */
46 ENUM(tls_numeric_version_names, TLS_SUPPORTED_MIN, TLS_SUPPORTED_MAX,
47 "1.0",
48 "1.1",
49 "1.2",
50 "1.3");
51
52 ENUM(tls_content_type_names, TLS_CHANGE_CIPHER_SPEC, TLS_APPLICATION_DATA,
53 "ChangeCipherSpec",
54 "Alert",
55 "Handshake",
56 "ApplicationData",
57 );
58
59 ENUM_BEGIN(tls_handshake_type_names, TLS_HELLO_REQUEST, TLS_HELLO_REQUEST,
60 "HelloRequest");
61 ENUM_NEXT(tls_handshake_type_names,
62 TLS_CLIENT_HELLO, TLS_HELLO_RETRY_REQUEST, TLS_HELLO_REQUEST,
63 "ClientHello",
64 "ServerHello",
65 "HelloVerifyRequest",
66 "NewSessionTicket",
67 "EndOfEarlyData",
68 "HelloRetryRequest");
69 ENUM_NEXT(tls_handshake_type_names,
70 TLS_ENCRYPTED_EXTENSIONS, TLS_ENCRYPTED_EXTENSIONS,
71 TLS_HELLO_RETRY_REQUEST,
72 "EncryptedExtensions");
73 ENUM_NEXT(tls_handshake_type_names,
74 TLS_CERTIFICATE, TLS_CLIENT_KEY_EXCHANGE, TLS_ENCRYPTED_EXTENSIONS,
75 "Certificate",
76 "ServerKeyExchange",
77 "CertificateRequest",
78 "ServerHelloDone",
79 "CertificateVerify",
80 "ClientKeyExchange");
81 ENUM_NEXT(tls_handshake_type_names,
82 TLS_FINISHED, TLS_KEY_UPDATE, TLS_CLIENT_KEY_EXCHANGE,
83 "Finished",
84 "CertificateUrl",
85 "CertificateStatus",
86 "SupplementalData",
87 "KeyUpdate");
88 ENUM_NEXT(tls_handshake_type_names,
89 TLS_MESSAGE_HASH, TLS_MESSAGE_HASH, TLS_KEY_UPDATE,
90 "MessageHash");
91 ENUM_END(tls_handshake_type_names, TLS_MESSAGE_HASH);
92
93 ENUM_BEGIN(tls_extension_names, TLS_EXT_SERVER_NAME, TLS_EXT_STATUS_REQUEST,
94 "server name",
95 "max fragment length",
96 "client certificate url",
97 "trusted ca keys",
98 "truncated hmac",
99 "status request");
100 ENUM_NEXT(tls_extension_names,
101 TLS_EXT_SUPPORTED_GROUPS, TLS_EXT_EC_POINT_FORMATS,
102 TLS_EXT_STATUS_REQUEST,
103 "supported groups",
104 "ec point formats");
105 ENUM_NEXT(tls_extension_names,
106 TLS_EXT_SIGNATURE_ALGORITHMS,
107 TLS_EXT_APPLICATION_LAYER_PROTOCOL_NEGOTIATION,
108 TLS_EXT_EC_POINT_FORMATS,
109 "signature algorithms",
110 "use rtp",
111 "heartbeat",
112 "application layer protocol negotiation");
113 ENUM_NEXT(tls_extension_names,
114 TLS_CLIENT_CERTIFICATE_TYPE, TLS_SERVER_CERTIFICATE_TYPE,
115 TLS_EXT_APPLICATION_LAYER_PROTOCOL_NEGOTIATION,
116 "client certificate type",
117 "server certificate type");
118 ENUM_NEXT(tls_extension_names,
119 TLS_EXT_ENCRYPT_THEN_MAC, TLS_EXT_EXTENDED_MASTER_SECRET,
120 TLS_SERVER_CERTIFICATE_TYPE,
121 "encrypt-then-mac",
122 "extended master secret");
123 ENUM_NEXT(tls_extension_names,
124 TLS_EXT_SESSION_TICKET, TLS_EXT_SESSION_TICKET,
125 TLS_EXT_EXTENDED_MASTER_SECRET,
126 "session ticket");
127 ENUM_NEXT(tls_extension_names,
128 TLS_EXT_PRE_SHARED_KEY, TLS_EXT_PSK_KEY_EXCHANGE_MODES,
129 TLS_EXT_SESSION_TICKET,
130 "pre-shared key",
131 "early data",
132 "supported versions",
133 "cookie",
134 "psk key exchange modes");
135 ENUM_NEXT(tls_extension_names,
136 TLS_EXT_CERTIFICATE_AUTHORITIES, TLS_EXT_KEY_SHARE,
137 TLS_EXT_PSK_KEY_EXCHANGE_MODES,
138 "certificate authorities",
139 "oid filters",
140 "post-handshake auth",
141 "signature algorithms cert",
142 "key-share");
143 ENUM_NEXT(tls_extension_names,
144 TLS_EXT_RENEGOTIATION_INFO, TLS_EXT_RENEGOTIATION_INFO,
145 TLS_EXT_KEY_SHARE,
146 "renegotiation info");
147 ENUM_END(tls_extension_names, TLS_EXT_RENEGOTIATION_INFO);
148
149 chunk_t tls_hello_retry_request_magic = chunk_from_chars(
150 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11,
151 0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91,
152 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E,
153 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C,
154 );
155
156 chunk_t tls_downgrade_protection_tls11 = chunk_from_chars(
157 0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44, 0x00,
158 );
159 chunk_t tls_downgrade_protection_tls12 = chunk_from_chars(
160 0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44, 0x01,
161 );
162
163 /**
164 * TLS record
165 */
166 typedef struct __attribute__((packed)) {
167 uint8_t type;
168 uint16_t version;
169 uint16_t length;
170 char data[];
171 } tls_record_t;
172
173 typedef struct private_tls_t private_tls_t;
174
175 /**
176 * Private data of an tls_protection_t object.
177 */
178 struct private_tls_t {
179
180 /**
181 * Public tls_t interface.
182 */
183 tls_t public;
184
185 /**
186 * Role this TLS stack acts as.
187 */
188 bool is_server;
189
190 /**
191 * Negotiated TLS version and maximum supported TLS version
192 */
193 tls_version_t version_max;
194
195 /**
196 * Minimal supported TLS version
197 */
198 tls_version_t version_min;
199
200 /**
201 * TLS stack purpose, as given to constructor
202 */
203 tls_purpose_t purpose;
204
205 /**
206 * TLS record protection layer
207 */
208 tls_protection_t *protection;
209
210 /**
211 * TLS record compression layer
212 */
213 tls_compression_t *compression;
214
215 /**
216 * TLS record fragmentation layer
217 */
218 tls_fragmentation_t *fragmentation;
219
220 /**
221 * TLS alert handler
222 */
223 tls_alert_t *alert;
224
225 /**
226 * TLS crypto helper context
227 */
228 tls_crypto_t *crypto;
229
230 /**
231 * TLS handshake protocol handler
232 */
233 tls_handshake_t *handshake;
234
235 /**
236 * TLS application data handler
237 */
238 tls_application_t *application;
239
240 /**
241 * Allocated input buffer
242 */
243 chunk_t input;
244
245 /**
246 * Number of bytes read in input buffer
247 */
248 size_t inpos;
249
250 /**
251 * Allocated output buffer
252 */
253 chunk_t output;
254
255 /**
256 * Number of bytes processed from output buffer
257 */
258 size_t outpos;
259
260 /**
261 * Position in partially received record header
262 */
263 size_t headpos;
264
265 /**
266 * Partial TLS record header received
267 */
268 tls_record_t head;
269 };
270
271 /**
272 * Described in header.
273 */
274 void libtls_init(void)
275 {
276 /* empty */
277 }
278
279 METHOD(tls_t, process, status_t,
280 private_tls_t *this, void *buf, size_t buflen)
281 {
282 tls_record_t *record;
283 status_t status;
284 u_int len;
285
286 if (this->headpos)
287 { /* have a partial TLS record header, try to complete it */
288 len = min(buflen, sizeof(this->head) - this->headpos);
289 memcpy(((char*)&this->head) + this->headpos, buf, len);
290 this->headpos += len;
291 buflen -= len;
292 buf += len;
293 if (this->headpos == sizeof(this->head))
294 { /* header complete, allocate space with new header */
295 len = untoh16(&this->head.length);
296 this->input = chunk_alloc(len + sizeof(tls_record_t));
297 memcpy(this->input.ptr, &this->head, sizeof(this->head));
298 this->inpos = sizeof(this->head);
299 this->headpos = 0;
300 }
301 }
302
303 while (buflen)
304 {
305 if (this->input.len == 0)
306 {
307 while (buflen >= sizeof(tls_record_t))
308 {
309 /* try to process records inline */
310 record = buf;
311 len = untoh16(&record->length);
312
313 if (len + sizeof(tls_record_t) > buflen)
314 { /* not a full record, read to buffer */
315 this->input = chunk_alloc(len + sizeof(tls_record_t));
316 this->inpos = 0;
317 break;
318 }
319 DBG2(DBG_TLS, "processing TLS %N record (%d bytes)",
320 tls_content_type_names, record->type, len);
321 status = this->protection->process(this->protection,
322 record->type, chunk_create(record->data, len));
323 if (status != NEED_MORE)
324 {
325 return status;
326 }
327 buf += len + sizeof(tls_record_t);
328 buflen -= len + sizeof(tls_record_t);
329 if (buflen == 0)
330 {
331 return NEED_MORE;
332 }
333 }
334 if (buflen < sizeof(tls_record_t))
335 {
336 DBG2(DBG_TLS, "received incomplete TLS record header");
337 memcpy(&this->head, buf, buflen);
338 this->headpos = buflen;
339 break;
340 }
341 }
342 len = min(buflen, this->input.len - this->inpos);
343 memcpy(this->input.ptr + this->inpos, buf, len);
344 buf += len;
345 buflen -= len;
346 this->inpos += len;
347 DBG2(DBG_TLS, "buffering %d bytes, %d bytes of %d byte TLS record received",
348 len, this->inpos, this->input.len);
349 if (this->input.len == this->inpos)
350 {
351 record = (tls_record_t*)this->input.ptr;
352 len = untoh16(&record->length);
353
354 DBG2(DBG_TLS, "processing buffered TLS %N record (%d bytes)",
355 tls_content_type_names, record->type, len);
356 status = this->protection->process(this->protection,
357 record->type, chunk_create(record->data, len));
358 chunk_free(&this->input);
359 this->inpos = 0;
360 if (status != NEED_MORE)
361 {
362 return status;
363 }
364 }
365 }
366 return NEED_MORE;
367 }
368
369 METHOD(tls_t, build, status_t,
370 private_tls_t *this, void *buf, size_t *buflen, size_t *msglen)
371 {
372 tls_content_type_t type;
373 tls_record_t record;
374 status_t status;
375 chunk_t data;
376 size_t len;
377
378 len = *buflen;
379 if (this->output.len == 0)
380 {
381 /* query upper layers for new records, as many as we can get */
382 while (TRUE)
383 {
384 status = this->protection->build(this->protection, &type, &data);
385 switch (status)
386 {
387 case NEED_MORE:
388 record.type = type;
389 if (this->version_max < TLS_1_3)
390 {
391 htoun16(&record.version, this->version_max);
392 }
393 else
394 {
395 htoun16(&record.version, TLS_1_2);
396 }
397 htoun16(&record.length, data.len);
398 this->output = chunk_cat("mcm", this->output,
399 chunk_from_thing(record), data);
400 DBG2(DBG_TLS, "sending TLS %N record (%d bytes)",
401 tls_content_type_names, type, data.len);
402 continue;
403 case INVALID_STATE:
404 if (this->output.len == 0)
405 {
406 return INVALID_STATE;
407 }
408 break;
409 default:
410 return status;
411 }
412 break;
413 }
414 if (msglen)
415 {
416 *msglen = this->output.len;
417 }
418 }
419 else
420 {
421 if (msglen)
422 {
423 *msglen = 0;
424 }
425 }
426 len = min(len, this->output.len - this->outpos);
427 memcpy(buf, this->output.ptr + this->outpos, len);
428 this->outpos += len;
429 *buflen = len;
430 if (this->outpos == this->output.len)
431 {
432 chunk_free(&this->output);
433 this->outpos = 0;
434 return ALREADY_DONE;
435 }
436 return NEED_MORE;
437 }
438
439 METHOD(tls_t, is_server, bool,
440 private_tls_t *this)
441 {
442 return this->is_server;
443 }
444
445 METHOD(tls_t, get_server_id, identification_t*,
446 private_tls_t *this)
447 {
448 return this->handshake->get_server_id(this->handshake);
449 }
450
451 METHOD(tls_t, get_peer_id, identification_t*,
452 private_tls_t *this)
453 {
454 return this->handshake->get_peer_id(this->handshake);
455 }
456
457 /**
458 * Determine the min/max versions
459 */
460 static void determine_versions(private_tls_t *this)
461 {
462 tls_version_t version;
463 char *version_str;
464
465 if (this->version_min == TLS_UNSPEC)
466 {
467 this->version_min = TLS_SUPPORTED_MIN;
468
469 version_str = lib->settings->get_str(lib->settings, "%s.tls.version_min",
470 NULL, lib->ns);
471 if (version_str &&
472 enum_from_name(tls_numeric_version_names, version_str, &version))
473 {
474 this->version_min = version;
475 }
476 }
477 if (this->version_max == TLS_UNSPEC)
478 { /* default to TLS 1.2 until 1.3 is stable for use in EAP */
479 this->version_max = TLS_1_2;
480
481 version_str = lib->settings->get_str(lib->settings, "%s.tls.version_max",
482 NULL, lib->ns);
483 if (version_str &&
484 enum_from_name(tls_numeric_version_names, version_str, &version))
485 {
486 this->version_max = version;
487 }
488 }
489 if (this->version_max < this->version_min)
490 {
491 this->version_min = this->version_max;
492 }
493 }
494
495 METHOD(tls_t, get_version_max, tls_version_t,
496 private_tls_t *this)
497 {
498 determine_versions(this);
499 return this->version_max;
500 }
501
502 METHOD(tls_t, get_version_min, tls_version_t,
503 private_tls_t *this)
504 {
505 determine_versions(this);
506 return this->version_min;
507 }
508
509 METHOD(tls_t, set_version, bool,
510 private_tls_t *this, tls_version_t min_version, tls_version_t max_version)
511 {
512 if (min_version == TLS_UNSPEC)
513 {
514 min_version = this->version_min;
515 }
516 if (max_version == TLS_UNSPEC)
517 {
518 max_version = this->version_max;
519 }
520 if ((this->version_min != TLS_UNSPEC && min_version < this->version_min) ||
521 (this->version_max != TLS_UNSPEC && max_version > this->version_max) ||
522 (min_version != TLS_UNSPEC && min_version < TLS_SUPPORTED_MIN) ||
523 (max_version != TLS_UNSPEC && max_version > TLS_SUPPORTED_MAX) ||
524 min_version > max_version)
525 {
526 return FALSE;
527 }
528
529 this->version_min = min_version;
530 this->version_max = max_version;
531
532 if (min_version != TLS_UNSPEC && min_version == max_version)
533 {
534 this->protection->set_version(this->protection, max_version);
535 }
536 return TRUE;
537 }
538
539 METHOD(tls_t, get_purpose, tls_purpose_t,
540 private_tls_t *this)
541 {
542 return this->purpose;
543 }
544
545 METHOD(tls_t, is_complete, bool,
546 private_tls_t *this)
547 {
548 if (this->handshake->finished(this->handshake))
549 {
550 if (!this->application)
551 {
552 return TRUE;
553 }
554 return this->fragmentation->application_finished(this->fragmentation);
555 }
556 return FALSE;
557 }
558
559 METHOD(tls_t, get_eap_msk, chunk_t,
560 private_tls_t *this)
561 {
562 return this->crypto->get_eap_msk(this->crypto);
563 }
564
565 METHOD(tls_t, get_auth, auth_cfg_t*,
566 private_tls_t *this)
567 {
568 return this->handshake->get_auth(this->handshake);
569 }
570
571 METHOD(tls_t, destroy, void,
572 private_tls_t *this)
573 {
574 this->protection->destroy(this->protection);
575 this->compression->destroy(this->compression);
576 this->fragmentation->destroy(this->fragmentation);
577 this->crypto->destroy(this->crypto);
578 this->handshake->destroy(this->handshake);
579 DESTROY_IF(this->application);
580 this->alert->destroy(this->alert);
581
582 free(this->input.ptr);
583 free(this->output.ptr);
584
585 free(this);
586 }
587
588 /**
589 * See header
590 */
591 tls_t *tls_create(bool is_server, identification_t *server,
592 identification_t *peer, tls_purpose_t purpose,
593 tls_application_t *application, tls_cache_t *cache)
594 {
595 private_tls_t *this;
596
597 switch (purpose)
598 {
599 case TLS_PURPOSE_EAP_TLS:
600 case TLS_PURPOSE_EAP_TTLS:
601 case TLS_PURPOSE_EAP_PEAP:
602 case TLS_PURPOSE_GENERIC:
603 case TLS_PURPOSE_GENERIC_NULLOK:
604 break;
605 default:
606 return NULL;
607 }
608
609 INIT(this,
610 .public = {
611 .process = _process,
612 .build = _build,
613 .is_server = _is_server,
614 .get_server_id = _get_server_id,
615 .get_peer_id = _get_peer_id,
616 .get_version_max = _get_version_max,
617 .get_version_min = _get_version_min,
618 .set_version = _set_version,
619 .get_purpose = _get_purpose,
620 .is_complete = _is_complete,
621 .get_eap_msk = _get_eap_msk,
622 .get_auth = _get_auth,
623 .destroy = _destroy,
624 },
625 .is_server = is_server,
626 .application = application,
627 .purpose = purpose,
628 );
629 lib->settings->add_fallback(lib->settings, "%s.tls", "libtls", lib->ns);
630
631 this->crypto = tls_crypto_create(&this->public, cache);
632 this->alert = tls_alert_create();
633 if (is_server)
634 {
635 this->handshake = &tls_server_create(&this->public, this->crypto,
636 this->alert, server, peer)->handshake;
637 }
638 else
639 {
640 this->handshake = &tls_peer_create(&this->public, this->crypto,
641 this->alert, peer, server)->handshake;
642 }
643 this->fragmentation = tls_fragmentation_create(this->handshake, this->alert,
644 this->application, purpose);
645 this->compression = tls_compression_create(this->fragmentation, this->alert);
646 this->protection = tls_protection_create(this->compression, this->alert);
647 this->crypto->set_protection(this->crypto, this->protection);
648
649 return &this->public;
650 }