jcs.org
Serenity Operating System
1/*
2 * Copyright (c) 2020, Ali Mohammad Pur <mpfard@serenityos.org>
3 * Copyright (c) 2022, Michiel Visser <opensource@webmichiel.nl>
4 *
5 * SPDX-License-Identifier: BSD-2-Clause
6 */
7
8#include <AK/Debug.h>
9#include <AK/Endian.h>
10#include <AK/Random.h>
11
12#include <LibCore/Timer.h>
13#include <LibCrypto/ASN1/DER.h>
14#include <LibCrypto/PK/Code/EMSA_PSS.h>
15#include <LibTLS/TLSv12.h>
16
17namespace TLS {
18
19ByteBuffer TLSv12::build_hello()
20{
21 fill_with_random(&m_context.local_random, 32);
22
23 auto packet_version = (u16)m_context.options.version;
24 auto version = (u16)m_context.options.version;
25 PacketBuilder builder { MessageType::Handshake, packet_version };
26
27 builder.append((u8)ClientHello);
28
29 // hello length (for later)
30 u8 dummy[3] = {};
31 builder.append(dummy, 3);
32
33 auto start_length = builder.length();
34
35 builder.append(version);
36 builder.append(m_context.local_random, sizeof(m_context.local_random));
37
38 builder.append(m_context.session_id_size);
39 if (m_context.session_id_size)
40 builder.append(m_context.session_id, m_context.session_id_size);
41
42 size_t extension_length = 0;
43 size_t alpn_length = 0;
44 size_t alpn_negotiated_length = 0;
45
46 // ALPN
47 if (!m_context.negotiated_alpn.is_null()) {
48 alpn_negotiated_length = m_context.negotiated_alpn.length();
49 alpn_length = alpn_negotiated_length + 1;
50 extension_length += alpn_length + 6;
51 } else if (m_context.alpn.size()) {
52 for (auto& alpn : m_context.alpn) {
53 size_t length = alpn.length();
54 alpn_length += length + 1;
55 }
56 if (alpn_length)
57 extension_length += alpn_length + 6;
58 }
59
60 // Ciphers
61 builder.append((u16)(m_context.options.usable_cipher_suites.size() * sizeof(u16)));
62 for (auto suite : m_context.options.usable_cipher_suites)
63 builder.append((u16)suite);
64
65 // we don't like compression
66 VERIFY(!m_context.options.use_compression);
67 builder.append((u8)1);
68 builder.append((u8)m_context.options.use_compression);
69
70 // set SNI if we have one, and the user hasn't explicitly asked us to omit it.
71 auto sni_length = 0;
72 if (!m_context.extensions.SNI.is_null() && m_context.options.use_sni)
73 sni_length = m_context.extensions.SNI.length();
74
75 auto elliptic_curves_length = 2 * m_context.options.elliptic_curves.size();
76 auto supported_ec_point_formats_length = m_context.options.supported_ec_point_formats.size();
77 bool supports_elliptic_curves = elliptic_curves_length && supported_ec_point_formats_length;
78
79 // signature_algorithms: 2b extension ID, 2b extension length, 2b vector length, 2xN signatures and hashes
80 extension_length += 2 + 2 + 2 + 2 * m_context.options.supported_signature_algorithms.size();
81
82 if (sni_length)
83 extension_length += sni_length + 9;
84
85 // Only send elliptic_curves and ec_point_formats extensions if both are supported
86 if (supports_elliptic_curves)
87 extension_length += 6 + elliptic_curves_length + 5 + supported_ec_point_formats_length;
88
89 builder.append((u16)extension_length);
90
91 if (sni_length) {
92 // SNI extension
93 builder.append((u16)HandshakeExtension::ServerName);
94 // extension length
95 builder.append((u16)(sni_length + 5));
96 // SNI length
97 builder.append((u16)(sni_length + 3));
98 // SNI type
99 builder.append((u8)0);
100 // SNI host length + value
101 builder.append((u16)sni_length);
102 builder.append((u8 const*)m_context.extensions.SNI.characters(), sni_length);
103 }
104
105 // signature_algorithms extension
106 builder.append((u16)HandshakeExtension::SignatureAlgorithms);
107 // Extension length
108 builder.append((u16)(2 + 2 * m_context.options.supported_signature_algorithms.size()));
109 // Vector count
110 builder.append((u16)(m_context.options.supported_signature_algorithms.size() * 2));
111 // Entries
112 for (auto& entry : m_context.options.supported_signature_algorithms) {
113 builder.append((u8)entry.hash);
114 builder.append((u8)entry.signature);
115 }
116
117 if (supports_elliptic_curves) {
118 // elliptic_curves extension
119 builder.append((u16)HandshakeExtension::EllipticCurves);
120 builder.append((u16)(2 + elliptic_curves_length));
121 builder.append((u16)elliptic_curves_length);
122 for (auto& curve : m_context.options.elliptic_curves)
123 builder.append((u16)curve);
124
125 // ec_point_formats extension
126 builder.append((u16)HandshakeExtension::ECPointFormats);
127 builder.append((u16)(1 + supported_ec_point_formats_length));
128 builder.append((u8)supported_ec_point_formats_length);
129 for (auto& format : m_context.options.supported_ec_point_formats)
130 builder.append((u8)format);
131 }
132
133 if (alpn_length) {
134 // TODO
135 VERIFY_NOT_REACHED();
136 }
137
138 // set the "length" field of the packet
139 size_t remaining = builder.length() - start_length;
140 size_t payload_position = 6;
141 builder.set(payload_position, remaining / 0x10000);
142 remaining %= 0x10000;
143 builder.set(payload_position + 1, remaining / 0x100);
144 remaining %= 0x100;
145 builder.set(payload_position + 2, remaining);
146
147 auto packet = builder.build();
148 update_packet(packet);
149
150 return packet;
151}
152
153ByteBuffer TLSv12::build_change_cipher_spec()
154{
155 PacketBuilder builder { MessageType::ChangeCipher, m_context.options.version, 64 };
156 builder.append((u8)1);
157 auto packet = builder.build();
158 update_packet(packet);
159 m_context.local_sequence_number = 0;
160 return packet;
161}
162
163ByteBuffer TLSv12::build_handshake_finished()
164{
165 PacketBuilder builder { MessageType::Handshake, m_context.options.version, 12 + 64 };
166 builder.append((u8)HandshakeType::Finished);
167
168 // RFC 5246 section 7.4.9: "In previous versions of TLS, the verify_data was always 12 octets
169 // long. In the current version of TLS, it depends on the cipher
170 // suite. Any cipher suite which does not explicitly specify
171 // verify_data_length has a verify_data_length equal to 12."
172 // Simplification: Assume that verify_data_length is always 12.
173 constexpr u32 verify_data_length = 12;
174
175 builder.append_u24(verify_data_length);
176
177 u8 out[verify_data_length];
178 auto outbuffer = Bytes { out, verify_data_length };
179 ByteBuffer dummy;
180
181 auto digest = m_context.handshake_hash.digest();
182 auto hashbuf = ReadonlyBytes { digest.immutable_data(), m_context.handshake_hash.digest_size() };
183 pseudorandom_function(outbuffer, m_context.master_key, (u8 const*)"client finished", 15, hashbuf, dummy);
184
185 builder.append(outbuffer);
186 auto packet = builder.build();
187 update_packet(packet);
188
189 return packet;
190}
191
192ssize_t TLSv12::handle_handshake_finished(ReadonlyBytes buffer, WritePacketStage& write_packets)
193{
194 if (m_context.connection_status < ConnectionStatus::KeyExchange || m_context.connection_status == ConnectionStatus::Established) {
195 dbgln("unexpected finished message");
196 return (i8)Error::UnexpectedMessage;
197 }
198
199 write_packets = WritePacketStage::Initial;
200
201 if (buffer.size() < 3) {
202 return (i8)Error::NeedMoreData;
203 }
204
205 size_t index = 3;
206
207 u32 size = buffer[0] * 0x10000 + buffer[1] * 0x100 + buffer[2];
208
209 if (size < 12) {
210 dbgln_if(TLS_DEBUG, "finished packet smaller than minimum size: {}", size);
211 return (i8)Error::BrokenPacket;
212 }
213
214 if (size < buffer.size() - index) {
215 dbgln_if(TLS_DEBUG, "not enough data after length: {} > {}", size, buffer.size() - index);
216 return (i8)Error::NeedMoreData;
217 }
218
219 // TODO: Compare Hashes
220 dbgln_if(TLS_DEBUG, "FIXME: handle_handshake_finished :: Check message validity");
221 m_context.connection_status = ConnectionStatus::Established;
222
223 if (m_handshake_timeout_timer) {
224 // Disable the handshake timeout timer as handshake has been established.
225 m_handshake_timeout_timer->stop();
226 m_handshake_timeout_timer->remove_from_parent();
227 m_handshake_timeout_timer = nullptr;
228 }
229
230 if (on_connected)
231 on_connected();
232
233 return index + size;
234}
235
236ssize_t TLSv12::handle_handshake_payload(ReadonlyBytes vbuffer)
237{
238 if (m_context.connection_status == ConnectionStatus::Established) {
239 dbgln_if(TLS_DEBUG, "Renegotiation attempt ignored");
240 // FIXME: We should properly say "NoRenegotiation", but that causes a handshake failure
241 // so we just roll with it and pretend that we _did_ renegotiate
242 // This will cause issues when we decide to have long-lasting connections, but
243 // we do not have those at the moment :^)
244 return 1;
245 }
246 auto buffer = vbuffer;
247 auto buffer_length = buffer.size();
248 auto original_length = buffer_length;
249 while (buffer_length >= 4 && !m_context.critical_error) {
250 ssize_t payload_res = 0;
251 if (buffer_length < 1)
252 return (i8)Error::NeedMoreData;
253 auto type = buffer[0];
254 auto write_packets { WritePacketStage::Initial };
255 size_t payload_size = buffer[1] * 0x10000 + buffer[2] * 0x100 + buffer[3] + 3;
256 dbgln_if(TLS_DEBUG, "payload size: {} buffer length: {}", payload_size, buffer_length);
257 if (payload_size + 1 > buffer_length)
258 return (i8)Error::NeedMoreData;
259
260 switch (type) {
261 case HelloRequest:
262 if (m_context.handshake_messages[0] >= 1) {
263 dbgln("unexpected hello request message");
264 payload_res = (i8)Error::UnexpectedMessage;
265 break;
266 }
267 ++m_context.handshake_messages[0];
268 dbgln("hello request (renegotiation?)");
269 if (m_context.connection_status == ConnectionStatus::Established) {
270 // renegotiation
271 payload_res = (i8)Error::NoRenegotiation;
272 } else {
273 // :shrug:
274 payload_res = (i8)Error::UnexpectedMessage;
275 }
276 break;
277 case ClientHello:
278 // FIXME: We only support client mode right now
279 if (m_context.is_server) {
280 VERIFY_NOT_REACHED();
281 }
282 payload_res = (i8)Error::UnexpectedMessage;
283 break;
284 case ServerHello:
285 if (m_context.handshake_messages[2] >= 1) {
286 dbgln("unexpected server hello message");
287 payload_res = (i8)Error::UnexpectedMessage;
288 break;
289 }
290 ++m_context.handshake_messages[2];
291 dbgln_if(TLS_DEBUG, "server hello");
292 if (m_context.is_server) {
293 dbgln("unsupported: server mode");
294 VERIFY_NOT_REACHED();
295 }
296 payload_res = handle_server_hello(buffer.slice(1, payload_size), write_packets);
297 break;
298 case HelloVerifyRequest:
299 dbgln("unsupported: DTLS");
300 payload_res = (i8)Error::UnexpectedMessage;
301 break;
302 case CertificateMessage:
303 if (m_context.handshake_messages[4] >= 1) {
304 dbgln("unexpected certificate message");
305 payload_res = (i8)Error::UnexpectedMessage;
306 break;
307 }
308 ++m_context.handshake_messages[4];
309 dbgln_if(TLS_DEBUG, "certificate");
310 if (m_context.connection_status == ConnectionStatus::Negotiating) {
311 if (m_context.is_server) {
312 dbgln("unsupported: server mode");
313 VERIFY_NOT_REACHED();
314 }
315 payload_res = handle_certificate(buffer.slice(1, payload_size));
316 } else {
317 payload_res = (i8)Error::UnexpectedMessage;
318 }
319 break;
320 case ServerKeyExchange:
321 if (m_context.handshake_messages[5] >= 1) {
322 dbgln("unexpected server key exchange message");
323 payload_res = (i8)Error::UnexpectedMessage;
324 break;
325 }
326 ++m_context.handshake_messages[5];
327 dbgln_if(TLS_DEBUG, "server key exchange");
328 if (m_context.is_server) {
329 dbgln("unsupported: server mode");
330 VERIFY_NOT_REACHED();
331 } else {
332 payload_res = handle_server_key_exchange(buffer.slice(1, payload_size));
333 }
334 break;
335 case CertificateRequest:
336 if (m_context.handshake_messages[6] >= 1) {
337 dbgln("unexpected certificate request message");
338 payload_res = (i8)Error::UnexpectedMessage;
339 break;
340 }
341 ++m_context.handshake_messages[6];
342 if (m_context.is_server) {
343 dbgln("invalid request");
344 dbgln("unsupported: server mode");
345 VERIFY_NOT_REACHED();
346 } else {
347 // we do not support "certificate request"
348 dbgln("certificate request");
349 if (on_tls_certificate_request)
350 on_tls_certificate_request(*this);
351 m_context.client_verified = VerificationNeeded;
352 }
353 break;
354 case ServerHelloDone:
355 if (m_context.handshake_messages[7] >= 1) {
356 dbgln("unexpected server hello done message");
357 payload_res = (i8)Error::UnexpectedMessage;
358 break;
359 }
360 ++m_context.handshake_messages[7];
361 dbgln_if(TLS_DEBUG, "server hello done");
362 if (m_context.is_server) {
363 dbgln("unsupported: server mode");
364 VERIFY_NOT_REACHED();
365 } else {
366 payload_res = handle_server_hello_done(buffer.slice(1, payload_size));
367 if (payload_res > 0)
368 write_packets = WritePacketStage::ClientHandshake;
369 }
370 break;
371 case CertificateVerify:
372 if (m_context.handshake_messages[8] >= 1) {
373 dbgln("unexpected certificate verify message");
374 payload_res = (i8)Error::UnexpectedMessage;
375 break;
376 }
377 ++m_context.handshake_messages[8];
378 dbgln_if(TLS_DEBUG, "certificate verify");
379 if (m_context.connection_status == ConnectionStatus::KeyExchange) {
380 payload_res = handle_certificate_verify(buffer.slice(1, payload_size));
381 } else {
382 payload_res = (i8)Error::UnexpectedMessage;
383 }
384 break;
385 case ClientKeyExchange:
386 if (m_context.handshake_messages[9] >= 1) {
387 dbgln("unexpected client key exchange message");
388 payload_res = (i8)Error::UnexpectedMessage;
389 break;
390 }
391 ++m_context.handshake_messages[9];
392 dbgln_if(TLS_DEBUG, "client key exchange");
393 if (m_context.is_server) {
394 dbgln("unsupported: server mode");
395 VERIFY_NOT_REACHED();
396 } else {
397 payload_res = (i8)Error::UnexpectedMessage;
398 }
399 break;
400 case Finished:
401 m_context.cached_handshake.clear();
402 if (m_context.handshake_messages[10] >= 1) {
403 dbgln("unexpected finished message");
404 payload_res = (i8)Error::UnexpectedMessage;
405 break;
406 }
407 ++m_context.handshake_messages[10];
408 dbgln_if(TLS_DEBUG, "finished");
409 payload_res = handle_handshake_finished(buffer.slice(1, payload_size), write_packets);
410 if (payload_res > 0) {
411 memset(m_context.handshake_messages, 0, sizeof(m_context.handshake_messages));
412 }
413 break;
414 default:
415 dbgln("message type not understood: {}", type);
416 return (i8)Error::NotUnderstood;
417 }
418
419 if (type != HelloRequest) {
420 update_hash(buffer.slice(0, payload_size + 1), 0);
421 }
422
423 // if something went wrong, send an alert about it
424 if (payload_res < 0) {
425 switch ((Error)payload_res) {
426 case Error::UnexpectedMessage: {
427 auto packet = build_alert(true, (u8)AlertDescription::UnexpectedMessage);
428 write_packet(packet);
429 break;
430 }
431 case Error::CompressionNotSupported: {
432 auto packet = build_alert(true, (u8)AlertDescription::DecompressionFailure);
433 write_packet(packet);
434 break;
435 }
436 case Error::BrokenPacket: {
437 auto packet = build_alert(true, (u8)AlertDescription::DecodeError);
438 write_packet(packet);
439 break;
440 }
441 case Error::NotVerified: {
442 auto packet = build_alert(true, (u8)AlertDescription::BadRecordMAC);
443 write_packet(packet);
444 break;
445 }
446 case Error::BadCertificate: {
447 auto packet = build_alert(true, (u8)AlertDescription::BadCertificate);
448 write_packet(packet);
449 break;
450 }
451 case Error::UnsupportedCertificate: {
452 auto packet = build_alert(true, (u8)AlertDescription::UnsupportedCertificate);
453 write_packet(packet);
454 break;
455 }
456 case Error::NoCommonCipher: {
457 auto packet = build_alert(true, (u8)AlertDescription::InsufficientSecurity);
458 write_packet(packet);
459 break;
460 }
461 case Error::NotUnderstood:
462 case Error::OutOfMemory: {
463 auto packet = build_alert(true, (u8)AlertDescription::InternalError);
464 write_packet(packet);
465 break;
466 }
467 case Error::NoRenegotiation: {
468 auto packet = build_alert(true, (u8)AlertDescription::NoRenegotiation);
469 write_packet(packet);
470 break;
471 }
472 case Error::DecryptionFailed: {
473 auto packet = build_alert(true, (u8)AlertDescription::DecryptionFailed);
474 write_packet(packet);
475 break;
476 }
477 case Error::NotSafe: {
478 auto packet = build_alert(true, (u8)AlertDescription::DecryptError);
479 write_packet(packet);
480 break;
481 }
482 case Error::NeedMoreData:
483 // Ignore this, as it's not an "error"
484 dbgln_if(TLS_DEBUG, "More data needed");
485 break;
486 default:
487 dbgln("Unknown TLS::Error with value {}", payload_res);
488 VERIFY_NOT_REACHED();
489 break;
490 }
491 if (payload_res < 0)
492 return payload_res;
493 }
494 switch (write_packets) {
495 case WritePacketStage::Initial:
496 // nothing to write
497 break;
498 case WritePacketStage::ClientHandshake:
499 if (m_context.client_verified == VerificationNeeded) {
500 dbgln_if(TLS_DEBUG, "> Client Certificate");
501 auto packet = build_certificate();
502 write_packet(packet);
503 m_context.client_verified = Verified;
504 }
505 {
506 dbgln_if(TLS_DEBUG, "> Key exchange");
507 auto packet = build_client_key_exchange();
508 write_packet(packet);
509 }
510 {
511 dbgln_if(TLS_DEBUG, "> change cipher spec");
512 auto packet = build_change_cipher_spec();
513 write_packet(packet);
514 }
515 m_context.cipher_spec_set = 1;
516 m_context.local_sequence_number = 0;
517 {
518 dbgln_if(TLS_DEBUG, "> client finished");
519 auto packet = build_handshake_finished();
520 write_packet(packet);
521 }
522 m_context.cipher_spec_set = 0;
523 break;
524 case WritePacketStage::ServerHandshake:
525 // server handshake
526 dbgln("UNSUPPORTED: Server mode");
527 VERIFY_NOT_REACHED();
528 break;
529 case WritePacketStage::Finished:
530 // finished
531 {
532 dbgln_if(TLS_DEBUG, "> change cipher spec");
533 auto packet = build_change_cipher_spec();
534 write_packet(packet);
535 }
536 {
537 dbgln_if(TLS_DEBUG, "> client finished");
538 auto packet = build_handshake_finished();
539 write_packet(packet);
540 }
541 m_context.connection_status = ConnectionStatus::Established;
542 break;
543 }
544 payload_size++;
545 buffer_length -= payload_size;
546 buffer = buffer.slice(payload_size, buffer_length);
547 }
548 return original_length;
549}
550}