1 /*
2 * This file is part of the openHiTLS project.
3 *
4 * openHiTLS is licensed under the Mulan PSL v2.
5 * You can use this software according to the terms and conditions of the Mulan PSL v2.
6 * You may obtain a copy of Mulan PSL v2 at:
7 *
8 * http://license.coscl.org.cn/MulanPSL2
9 *
10 * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
11 * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
12 * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
13 * See the Mulan PSL v2 for more details.
14 */
15 #include <string.h>
16 #include "hitls_build.h"
17 #include "securec.h"
18 #include "bsl_bytes.h"
19 #include "bsl_sal.h"
20 #include "tls_binlog_id.h"
21 #include "bsl_log_internal.h"
22 #include "bsl_log.h"
23 #include "bsl_err_internal.h"
24 #include "hitls.h"
25 #include "hitls_error.h"
26 #include "tls_config.h"
27 #include "bsl_errno.h"
28 #include "bsl_uio.h"
29 #include "uio_base.h"
30 #ifdef HITLS_TLS_FEATURE_INDICATOR
31 #include "indicator.h"
32 #endif /* HITLS_TLS_FEATURE_INDICATOR */
33 #include "pack.h"
34 #ifdef HITLS_TLS_FEATURE_SECURITY
35 #include "security.h"
36 #endif
37 #include "parse.h"
38 #include "hs_kx.h"
39 #include "hs.h"
40 #include "hs_extensions.h"
41 #include "hs_common.h"
42 #include "config_type.h"
43 #include "config_check.h"
44
45 #ifdef HITLS_TLS_PROTO_DTLS12
46 #define DTLS_SCTP_AUTH_LABEL "EXPORTER_DTLS_OVER_SCTP" /* dtls SCTP auth key label */
47 #endif
48 #ifdef HITLS_TLS_PROTO_TLS13
49 /* Fixed random value of the hello retry request packet */
50 const uint8_t g_hrrRandom[HS_RANDOM_SIZE] = {
51 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
52 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
53 };
54
HS_GetHrrRandom(uint32_t * len)55 const uint8_t *HS_GetHrrRandom(uint32_t *len)
56 {
57 *len = HS_RANDOM_SIZE;
58 return g_hrrRandom;
59 }
60 #ifdef HITLS_TLS_PROTO_TLS_BASIC
61 const uint8_t g_tls12Downgrade[HS_DOWNGRADE_RANDOM_SIZE] = {
62 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01
63 };
64
HS_GetTls12DowngradeRandom(uint32_t * len)65 const uint8_t *HS_GetTls12DowngradeRandom(uint32_t *len)
66 {
67 *len = HS_DOWNGRADE_RANDOM_SIZE;
68 return g_tls12Downgrade;
69 }
70 #endif /* HITLS_TLS_PROTO_TLS_BASIC */
71 #endif /* HITLS_TLS_PROTO_TLS13 */
72
HS_GetVersion(const TLS_Ctx * ctx)73 uint32_t HS_GetVersion(const TLS_Ctx *ctx)
74 {
75 if (ctx->negotiatedInfo.version > 0) {
76 return ctx->negotiatedInfo.version;
77 } else {
78 /* If the version is not negotiated, the latest version supported by the local is returned */
79 return ctx->config.tlsConfig.maxVersion;
80 }
81 }
82
83 static const char *g_stateMachineStr[] = {
84 [TLS_IDLE] = "idle",
85 [TLS_CONNECTED] = "connected",
86 #ifdef HITLS_TLS_HOST_CLIENT
87 [TRY_SEND_CLIENT_HELLO] = "send client hello",
88 [TRY_SEND_CLIENT_KEY_EXCHANGE] = "send client key exchange",
89 [TRY_RECV_SERVER_HELLO] = "recv server hello",
90 [TRY_RECV_HELLO_VERIFY_REQUEST] = "recv hello verify request",
91 [TRY_RECV_SERVER_KEY_EXCHANGE] = "recv server key exchange",
92 [TRY_RECV_SERVER_HELLO_DONE] = "recv server hello done",
93 [TRY_RECV_NEW_SESSION_TICKET] = "recv new session ticket",
94 [TRY_RECV_HELLO_REQUEST] = "recv hello request",
95 #endif
96 #ifdef HITLS_TLS_HOST_SERVER
97 [TRY_SEND_HELLO_REQUEST] = "send hello request",
98 [TRY_SEND_SERVER_HELLO] = "send server hello",
99 [TRY_SEND_HELLO_VERIFY_REQUEST] = "send hello verify request",
100 [TRY_SEND_SERVER_KEY_EXCHANGE] = "send server key exchange",
101 [TRY_RECV_CLIENT_HELLO] = "recv client hello",
102 [TRY_RECV_CLIENT_KEY_EXCHANGE] = "recv client key exchange",
103 [TRY_SEND_SERVER_HELLO_DONE] = "send server hello done",
104 [TRY_SEND_NEW_SESSION_TICKET] = "send new session ticket",
105 #endif
106 #ifdef HITLS_TLS_PROTO_TLS13
107 [TRY_RECV_KEY_UPDATE] = "recv keyupdate",
108 [TRY_SEND_KEY_UPDATE] = "send keyupdate",
109 #ifdef HITLS_TLS_HOST_CLIENT
110 [TRY_RECV_ENCRYPTED_EXTENSIONS] = "recv encrypted extensions",
111 [TRY_SEND_END_OF_EARLY_DATA] = "send end of early data",
112 #endif /* HITLS_TLS_HOST_CLIENT */
113 #ifdef HITLS_TLS_HOST_SERVER
114 [TRY_SEND_ENCRYPTED_EXTENSIONS] = "send encrypted extensions",
115 [TRY_SEND_HELLO_RETRY_REQUEST] = "send hello retry request",
116 [TRY_RECV_END_OF_EARLY_DATA] = "recv end of early data",
117 #endif /* HITLS_TLS_HOST_SERVER */
118 #endif /* HITLS_TLS_PROTO_TLS13 */
119 [TRY_SEND_CERTIFICATE] = "send certificate",
120 [TRY_SEND_CERTIFICATE_REQUEST] = "send certificate request",
121 [TRY_SEND_CERTIFICATE_VERIFY] = "send certificate verify",
122 [TRY_SEND_CHANGE_CIPHER_SPEC] = "send change cipher spec",
123 [TRY_RECV_CERTIFICATE] = "recv certificate",
124 [TRY_RECV_CERTIFICATE_REQUEST] = "recv certificate request",
125 [TRY_RECV_CERTIFICATE_VERIFY] = "recv certificate verify",
126 [TRY_RECV_FINISH] = "recv finished",
127 [TRY_SEND_FINISH] = "send finished",
128 };
129
HS_GetStateStr(uint32_t state)130 const char *HS_GetStateStr(uint32_t state)
131 {
132 if ((state >= (sizeof(g_stateMachineStr) / sizeof(char *))) || (g_stateMachineStr[state] == NULL)) {
133 return "unknown";
134 }
135
136 return g_stateMachineStr[state];
137 }
138
HS_GetMsgTypeStr(HS_MsgType type)139 const char *HS_GetMsgTypeStr(HS_MsgType type)
140 {
141 switch (type) {
142 case HELLO_REQUEST:
143 return "hello request";
144 case CLIENT_HELLO:
145 return "client hello";
146 case SERVER_HELLO:
147 return "server hello";
148 #ifdef HITLS_TLS_PROTO_TLS13
149 case ENCRYPTED_EXTENSIONS:
150 return "encrypted extensions";
151 #endif
152 case CERTIFICATE:
153 return "certificate";
154 case SERVER_KEY_EXCHANGE:
155 return "server key exchange";
156 case CERTIFICATE_REQUEST:
157 return "certificate request";
158 case SERVER_HELLO_DONE:
159 return "server hello done";
160 case CERTIFICATE_VERIFY:
161 return "certificate verify";
162 case CLIENT_KEY_EXCHANGE:
163 return "client key exchange";
164 case NEW_SESSION_TICKET:
165 return "new session ticket";
166 case FINISHED:
167 return "finished";
168 default:
169 break;
170 }
171 return "unknown";
172 }
173
HS_ChangeState(TLS_Ctx * ctx,uint32_t nextState)174 int32_t HS_ChangeState(TLS_Ctx *ctx, uint32_t nextState)
175 {
176 HS_Ctx *hsCtx = (HS_Ctx *)ctx->hsCtx;
177 hsCtx->state = nextState;
178 /* when link state is transporting, unexpected hs message should be processed, the log shouldn't be printed during
179 the hsCtx initiation */
180 if (ctx->state != CM_STATE_TRANSPORTING) {
181 #ifdef HITLS_TLS_FEATURE_INDICATOR
182 if (ctx->isClient) {
183 INDICATOR_StatusIndicate(ctx, INDICATE_EVENT_STATE_CONNECT_LOOP, INDICATE_VALUE_SUCCESS);
184 } else {
185 INDICATOR_StatusIndicate(ctx, INDICATE_EVENT_STATE_ACCEPT_LOOP, INDICATE_VALUE_SUCCESS);
186 }
187 #endif /* HITLS_TLS_FEATURE_INDICATOR */
188
189 BSL_LOG_BINLOG_VARLEN(BINLOG_ID15573, BSL_LOG_LEVEL_INFO, BSL_LOG_BINLOG_TYPE_RUN,
190 "handshake state machine change to:%s.", HS_GetStateStr(nextState));
191 }
192 return HITLS_SUCCESS;
193 }
194
HS_CombineRandom(const uint8_t * random1,const uint8_t * random2,uint32_t randomSize,uint8_t * dest,uint32_t destSize)195 int32_t HS_CombineRandom(const uint8_t *random1, const uint8_t *random2, uint32_t randomSize,
196 uint8_t *dest, uint32_t destSize)
197 {
198 /** If the random number length is 0 or the memory address is less than twice the random number length, return an
199 * error code. */
200 if ((randomSize == 0u) || (destSize < randomSize * 2)) {
201 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_RANDOM_SIZE_ERR);
202 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15574, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
203 "invalid randomSize for combine random.", 0, 0, 0, 0);
204 return HITLS_MSG_HANDLE_RANDOM_SIZE_ERR;
205 }
206
207 if (memcpy_s(dest, destSize, random1, randomSize) != EOK) {
208 BSL_ERR_PUSH_ERROR(HITLS_MEMCPY_FAIL);
209 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15575, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
210 "combine random1 fail.", 0, 0, 0, 0);
211 return HITLS_MEMCPY_FAIL;
212 }
213 if (memcpy_s(&dest[randomSize], destSize - randomSize, random2, randomSize) != EOK) {
214 BSL_ERR_PUSH_ERROR(HITLS_MEMCPY_FAIL);
215 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15576, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
216 "combine random2 fail.", 0, 0, 0, 0);
217 return HITLS_MEMCPY_FAIL;
218 }
219
220 return HITLS_SUCCESS;
221 }
222
223 #ifdef HITLS_TLS_PROTO_TLCP11
HS_PrepareSignDataTlcp(const TLS_Ctx * ctx,const uint8_t * partSignData,uint32_t partSignDataLen,uint32_t * signDataLen)224 uint8_t *HS_PrepareSignDataTlcp(const TLS_Ctx *ctx, const uint8_t *partSignData, uint32_t partSignDataLen,
225 uint32_t *signDataLen)
226 {
227 /* Signature data: client random number + server random number + exchange parameter length + key exchange packet
228 * data/encryption certificate */
229 uint32_t exchParamLen = 3;
230 uint32_t randomLen = HS_RANDOM_SIZE * 2u;
231 uint32_t dataLen = randomLen + partSignDataLen + exchParamLen;
232
233 uint8_t *data = BSL_SAL_Calloc(1u, dataLen);
234 if (data == NULL) {
235 BSL_ERR_PUSH_ERROR(HITLS_MEMALLOC_FAIL);
236 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15577, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
237 "signature data memory alloc fail.", 0, 0, 0, 0);
238 return NULL;
239 }
240
241 (void)memcpy_s(data, dataLen, ctx->hsCtx->clientRandom, HS_RANDOM_SIZE);
242 (void)memcpy_s(&data[HS_RANDOM_SIZE], dataLen - HS_RANDOM_SIZE, ctx->hsCtx->serverRandom, HS_RANDOM_SIZE);
243 /* Fill the length of the key exchange parameter */
244 BSL_Uint24ToByte(partSignDataLen, &data[randomLen]);
245 /* Copy key exchange packet data */
246 (void)memcpy_s(&data[randomLen] + exchParamLen, dataLen - randomLen - exchParamLen, partSignData, partSignDataLen);
247
248 *signDataLen = dataLen;
249 return data;
250 }
251 #endif
252
HS_PrepareSignData(const TLS_Ctx * ctx,const uint8_t * partSignData,uint32_t partSignDataLen,uint32_t * signDataLen)253 uint8_t *HS_PrepareSignData(const TLS_Ctx *ctx, const uint8_t *partSignData,
254 uint32_t partSignDataLen, uint32_t *signDataLen)
255 {
256 int32_t ret;
257 /* Signature data: client random number + server random number + key exchange packet data/encryption certificate */
258 uint32_t randomLen = HS_RANDOM_SIZE * 2u;
259 uint32_t dataLen = randomLen + partSignDataLen;
260
261 uint8_t *data = BSL_SAL_Calloc(1u, dataLen);
262 if (data == NULL) {
263 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16813, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "Calloc fail", 0, 0, 0, 0);
264 BSL_ERR_PUSH_ERROR(HITLS_INTERNAL_EXCEPTION);
265 return NULL;
266 }
267
268 (void)memcpy_s(data, dataLen, ctx->hsCtx->clientRandom, HS_RANDOM_SIZE);
269 (void)memcpy_s(&data[HS_RANDOM_SIZE], dataLen - HS_RANDOM_SIZE, ctx->hsCtx->serverRandom, HS_RANDOM_SIZE);
270 /* Copy key exchange packet data */
271 ret = memcpy_s(&data[randomLen], dataLen - randomLen, partSignData, partSignDataLen);
272 if (ret != EOK) {
273 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16814, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "memcpy fail", 0, 0, 0, 0);
274 BSL_SAL_Free(data);
275 BSL_ERR_PUSH_ERROR(HITLS_INTERNAL_EXCEPTION);
276 return NULL;
277 }
278
279 *signDataLen = dataLen;
280 return data;
281 }
282
283 #if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_SCTP)
284 /**
285 * @brief Calculate the sctp auth key
286 * @details auth key: PRF(SecurityParameters.master_secret, label,
287 * SecurityParameters.client_random +
288 * SecurityParameters.server_random)[length]
289 *
290 * @param ctx [IN] TLS context
291 * @param authKey [OUT] Authorization key
292 * @param authKeyLen [IN] Key length
293 *
294 * @retval HITLS_SUCCESS calculation is complete.
295 * @retval HITLS_MSG_HANDLE_RANDOM_SIZE_ERR The random number length is incorrect.
296 * @retval For other error codes, see SAL_CRYPT_PRF.
297 */
CalcSctpAuthKey(const TLS_Ctx * ctx,uint8_t * authKey,uint32_t authKeyLen)298 int32_t CalcSctpAuthKey(const TLS_Ctx *ctx, uint8_t *authKey, uint32_t authKeyLen)
299 {
300 int32_t ret;
301 uint8_t randomValue[HS_RANDOM_SIZE * 2] = {0}; // key derivation seed, with the length of two random characters
302 uint32_t randomValueSize = HS_RANDOM_SIZE * 2; // key derivation seed, with the length of two random characters
303 HS_Ctx *hsCtx = (HS_Ctx *)ctx->hsCtx;
304
305 /** Combine the two random values */
306 ret = HS_CombineRandom(hsCtx->clientRandom, hsCtx->serverRandom, HS_RANDOM_SIZE, randomValue, randomValueSize);
307 if (ret != HITLS_SUCCESS) {
308 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15579, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
309 "combine random fail.", 0, 0, 0, 0);
310 return ret;
311 }
312
313 CRYPT_KeyDeriveParameters deriveInfo;
314 deriveInfo.hashAlgo = ctx->negotiatedInfo.cipherSuiteInfo.hashAlg;
315 deriveInfo.secret = hsCtx->masterKey;
316 deriveInfo.secretLen = MASTER_SECRET_LEN;
317 deriveInfo.label = (const uint8_t *)DTLS_SCTP_AUTH_LABEL;
318 deriveInfo.labelLen = strlen(DTLS_SCTP_AUTH_LABEL);
319 deriveInfo.seed = randomValue;
320 deriveInfo.seedLen = randomValueSize;
321 deriveInfo.libCtx = LIBCTX_FROM_CTX(ctx);
322 deriveInfo.attrName = ATTRIBUTE_FROM_CTX(ctx);
323 /** Key derivation */
324 ret = SAL_CRYPT_PRF(&deriveInfo, authKey, authKeyLen);
325 if (ret != HITLS_SUCCESS) {
326 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15580, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
327 "SAL_CRYPT_PRF fail when calc sctp auth key.", 0, 0, 0, 0);
328 }
329 return ret;
330 }
331
HS_SetSctpAuthKey(TLS_Ctx * ctx)332 int32_t HS_SetSctpAuthKey(TLS_Ctx *ctx)
333 {
334 if (!BSL_UIO_GetUioChainTransportType(ctx->uio, BSL_UIO_SCTP)) {
335 return HITLS_SUCCESS;
336 }
337
338 int32_t ret;
339 uint8_t authKey[DTLS_SCTP_SHARED_AUTHKEY_LEN] = {0};
340 uint16_t authKeyLen = sizeof(authKey);
341
342 ret = CalcSctpAuthKey(ctx, authKey, authKeyLen);
343 if (ret != HITLS_SUCCESS) {
344 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15581, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
345 "calc sctp auth key failed.", 0, 0, 0, 0);
346 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR);
347 return ret;
348 }
349
350 /* If the UIO_SctpAddAuthKey is added but not active, return HITLS_SUCCESS when the interface
351 is invoked again */
352 ret = BSL_UIO_Ctrl(ctx->uio, BSL_UIO_SCTP_ADD_AUTH_SHARED_KEY, (int32_t)authKeyLen, authKey);
353 /* Clear sensitive information */
354 BSL_SAL_CleanseData(authKey, DTLS_SCTP_SHARED_AUTHKEY_LEN);
355 if (ret != BSL_SUCCESS) {
356 BSL_ERR_PUSH_ERROR(HITLS_UIO_SCTP_ADD_AUTH_KEY_FAIL);
357 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15582, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
358 "uio add sctp auth shared key failed.", 0, 0, 0, 0);
359 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR);
360 return HITLS_UIO_SCTP_ADD_AUTH_KEY_FAIL;
361 }
362
363 return HITLS_SUCCESS;
364 }
365
HS_ActiveSctpAuthKey(TLS_Ctx * ctx)366 int32_t HS_ActiveSctpAuthKey(TLS_Ctx *ctx)
367 {
368 if (!BSL_UIO_GetUioChainTransportType(ctx->uio, BSL_UIO_SCTP)) {
369 return HITLS_SUCCESS;
370 }
371
372 int32_t ret = BSL_UIO_Ctrl(ctx->uio, BSL_UIO_SCTP_ACTIVE_AUTH_SHARED_KEY, 0, NULL);
373 if (ret != BSL_SUCCESS) {
374 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15583, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
375 "next sctp auth key error.", 0, 0, 0, 0);
376 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR);
377 return HITLS_UIO_SCTP_ACTIVE_AUTH_KEY_FAIL;
378 }
379 return HITLS_SUCCESS;
380 }
381
HS_DeletePreviousSctpAuthKey(TLS_Ctx * ctx)382 int32_t HS_DeletePreviousSctpAuthKey(TLS_Ctx *ctx)
383 {
384 if (!BSL_UIO_GetUioChainTransportType(ctx->uio, BSL_UIO_SCTP)) {
385 return HITLS_SUCCESS;
386 }
387
388 /* After the handshake is complete, delete the old sctp auth key */
389 int32_t ret = BSL_UIO_Ctrl(ctx->uio, BSL_UIO_SCTP_DEL_PRE_AUTH_SHARED_KEY, 0, NULL);
390 if (ret != BSL_SUCCESS) {
391 ret = HITLS_UIO_SCTP_DEL_AUTH_KEY_FAIL;
392 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15584, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
393 "uio delete sctp auth shared key failed.", 0, 0, 0, 0);
394 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR);
395 }
396 return ret;
397 }
398 #endif /* defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_SCTP) */
399
IsNeedServerKeyExchange(const TLS_Ctx * ctx)400 bool IsNeedServerKeyExchange(const TLS_Ctx *ctx)
401 {
402 HITLS_KeyExchAlgo kxAlg = ctx->negotiatedInfo.cipherSuiteInfo.kxAlg;
403
404 /* Special: If the PSK identity hint is set, the PSK and RSA_PSK may also need to send
405 * the ServerKeyExchange message
406 */
407 if ((kxAlg == HITLS_KEY_EXCH_PSK) || (kxAlg == HITLS_KEY_EXCH_RSA_PSK)) {
408 /* In this case, the client receives the ServerKeyExchange message by default */
409 if (ctx->isClient) {
410 return true;
411 } else {
412 /* If the PSK identity hint is set on the server, the ServerKeyExchange message needs to be sent */
413 if (ctx->config.tlsConfig.pskIdentityHint != NULL) {
414 return true;
415 }
416 return false;
417 }
418 }
419 #ifdef HITLS_TLS_PROTO_TLCP11
420 if (ctx->negotiatedInfo.version == HITLS_VERSION_TLCP_DTLCP11) {
421 return true; /* The TLCP needs to send the ServerKeyExchange message. */
422 }
423 #endif
424 /* The ECDH and DH certificates already contain the public key information, and the ServerKeyExchange message
425 * is not required. */
426 /* RSA keys are generated by the client, and the ServerKeyExchange message is not required. */
427 return ((kxAlg != HITLS_KEY_EXCH_ECDH) && (kxAlg != HITLS_KEY_EXCH_DH) && (kxAlg != HITLS_KEY_EXCH_RSA));
428 }
429
IsNeedCertPrepare(const CipherSuiteInfo * cipherSuiteInfo)430 bool IsNeedCertPrepare(const CipherSuiteInfo *cipherSuiteInfo)
431 {
432 if (cipherSuiteInfo == NULL) {
433 return false;
434 }
435
436 /* PSK related ciphersuite */
437 switch (cipherSuiteInfo->kxAlg) {
438 case HITLS_KEY_EXCH_PSK:
439 case HITLS_KEY_EXCH_DHE_PSK:
440 case HITLS_KEY_EXCH_ECDHE_PSK:
441 return false;
442 default:
443 break;
444 }
445
446 /* Anonymous ciphersuite related */
447 switch (cipherSuiteInfo->authAlg) {
448 case HITLS_AUTH_NULL:
449 return false;
450 default:
451 break;
452 }
453
454 return true;
455 }
IsTicketSupport(const TLS_Ctx * ctx)456 bool IsTicketSupport(const TLS_Ctx *ctx)
457 {
458 #ifdef HITLS_TLS_FEATURE_SESSION_TICKET
459 if (ctx->config.tlsConfig.isSupportSessionTicket && (!ctx->config.isSupportPto)
460 #ifdef HITLS_TLS_FEATURE_SECURITY
461 && (SECURITY_SslCheck(ctx, HITLS_SECURITY_SECOP_TICKET, 0, 0, NULL) == SECURITY_SUCCESS)
462 #endif
463 ) {
464 return true;
465 }
466 #endif
467 (void)ctx;
468 return false;
469 }
470 #ifdef HITLS_TLS_FEATURE_PSK
471
IsPskNegotiation(const TLS_Ctx * ctx)472 bool IsPskNegotiation(const TLS_Ctx *ctx)
473 {
474 HITLS_KeyExchAlgo kxAlg = ctx->negotiatedInfo.cipherSuiteInfo.kxAlg;
475
476 return ((kxAlg == HITLS_KEY_EXCH_ECDHE_PSK) || (kxAlg == HITLS_KEY_EXCH_DHE_PSK) ||
477 (kxAlg == HITLS_KEY_EXCH_RSA_PSK) || (kxAlg == HITLS_KEY_EXCH_PSK));
478 }
479
CheckClientPsk(TLS_Ctx * ctx)480 int32_t CheckClientPsk(TLS_Ctx *ctx)
481 {
482 uint8_t psk[HS_PSK_MAX_LEN] = {0};
483 uint8_t identity[HS_PSK_IDENTITY_MAX_LEN + 1] = {0};
484
485 /* If the value of psk is not NULL, it has been processed. */
486 if (ctx->hsCtx->kxCtx->pskInfo != NULL && ctx->hsCtx->kxCtx->pskInfo->psk != NULL) {
487 return HITLS_SUCCESS;
488 }
489
490 if (ctx->config.tlsConfig.pskClientCb == NULL) {
491 return RETURN_ERROR_NUMBER_PROCESS(HITLS_UNREGISTERED_CALLBACK, BINLOG_ID16815, "unregistered pskClientCb");
492 }
493
494 uint32_t pskUsedLen = ctx->config.tlsConfig.pskClientCb(ctx, NULL, identity, HS_PSK_IDENTITY_MAX_LEN,
495 psk, HS_PSK_MAX_LEN);
496 if (pskUsedLen == 0 || pskUsedLen > HS_PSK_IDENTITY_MAX_LEN) {
497 (void)memset_s(psk, HS_PSK_MAX_LEN, 0, HS_PSK_MAX_LEN);
498 return RETURN_ERROR_NUMBER_PROCESS(HITLS_MSG_HANDLE_ILLEGAL_PSK_LEN, BINLOG_ID16816, "pskUsedLen incorrect");
499 }
500 /* Length of pskid will not exceed 128 bytes */
501 uint32_t identityUsedLen = (uint32_t)strnlen((char *)identity, HS_PSK_IDENTITY_MAX_LEN + 1);
502 if (identityUsedLen > HS_PSK_IDENTITY_MAX_LEN) {
503 (void)memset_s(psk, HS_PSK_MAX_LEN, 0, HS_PSK_MAX_LEN);
504 return HITLS_MSG_HANDLE_ILLEGAL_IDENTITY_LEN;
505 }
506
507 if (ctx->hsCtx->kxCtx->pskInfo == NULL) {
508 ctx->hsCtx->kxCtx->pskInfo = (PskInfo *)BSL_SAL_Calloc(1u, sizeof(PskInfo));
509 if (ctx->hsCtx->kxCtx->pskInfo == NULL) {
510 (void)memset_s(psk, HS_PSK_MAX_LEN, 0, HS_PSK_MAX_LEN);
511 return RETURN_ERROR_NUMBER_PROCESS(HITLS_MEMALLOC_FAIL, BINLOG_ID16694, "Calloc fail");
512 }
513 }
514
515 uint8_t *tmpIdentity = NULL;
516 if (identityUsedLen > 0) {
517 tmpIdentity = (uint8_t *)BSL_SAL_Calloc(1u, (identityUsedLen + 1));
518 if (tmpIdentity == NULL) {
519 (void)memset_s(psk, HS_PSK_MAX_LEN, 0, HS_PSK_MAX_LEN);
520 return RETURN_ERROR_NUMBER_PROCESS(HITLS_MEMALLOC_FAIL, BINLOG_ID16817, "Calloc fail");
521 }
522 (void)memcpy_s(tmpIdentity, identityUsedLen + 1, identity, identityUsedLen);
523 }
524 ctx->hsCtx->kxCtx->pskInfo->psk = (uint8_t *)BSL_SAL_Dump(psk, pskUsedLen);
525 (void)memset_s(psk, HS_PSK_MAX_LEN, 0, HS_PSK_MAX_LEN);
526 if (ctx->hsCtx->kxCtx->pskInfo->psk == NULL) {
527 BSL_SAL_FREE(tmpIdentity);
528 return RETURN_ERROR_NUMBER_PROCESS(HITLS_MEMALLOC_FAIL, BINLOG_ID16818, "Dump fail");
529 }
530 ctx->hsCtx->kxCtx->pskInfo->pskLen = pskUsedLen;
531
532 if (tmpIdentity != NULL) {
533 BSL_SAL_FREE(ctx->hsCtx->kxCtx->pskInfo->identity);
534 ctx->hsCtx->kxCtx->pskInfo->identity = tmpIdentity;
535 ctx->hsCtx->kxCtx->pskInfo->identityLen = identityUsedLen;
536 }
537 return HITLS_SUCCESS;
538 }
539 #endif /* HITLS_TLS_FEATURE_PSK */
540
HS_GetState(const TLS_Ctx * ctx)541 uint32_t HS_GetState(const TLS_Ctx *ctx)
542 {
543 if (ctx->hsCtx == NULL) {
544 return HS_STATE_BUTT;
545 }
546
547 return ctx->hsCtx->state;
548 }
549 #ifdef HITLS_TLS_FEATURE_SNI
HS_GetServerName(const TLS_Ctx * ctx)550 const char *HS_GetServerName(const TLS_Ctx *ctx)
551 {
552 if (ctx == NULL || ctx->hsCtx == NULL) {
553 return NULL;
554 }
555 return (char *)ctx->hsCtx->serverName;
556 }
557 #endif
558
HS_GrowMsgBuf(TLS_Ctx * ctx,uint32_t msgSize,bool keepOldData)559 int32_t HS_GrowMsgBuf(TLS_Ctx *ctx, uint32_t msgSize, bool keepOldData)
560 {
561 if (msgSize <= ctx->hsCtx->bufferLen) {
562 return HITLS_SUCCESS;
563 }
564 uint32_t bufSize = ctx->hsCtx->bufferLen;
565 uint32_t oldDataSize = bufSize;
566 uint8_t *oldDataAddr = ctx->hsCtx->msgBuf;
567 while (bufSize != 0 && bufSize < msgSize) {
568 bufSize = bufSize << 1;
569 }
570 ctx->hsCtx->msgBuf = BSL_SAL_Calloc(1u, bufSize);
571 if (ctx->hsCtx->msgBuf == NULL) {
572 ctx->hsCtx->msgBuf = oldDataAddr;
573 BSL_ERR_PUSH_ERROR(HITLS_MEMALLOC_FAIL);
574 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15935, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
575 "msgBuf malloc fail while get reass msg.", 0, 0, 0, 0);
576 return HITLS_MEMALLOC_FAIL;
577 }
578 ctx->hsCtx->bufferLen = bufSize;
579 if (keepOldData) {
580 (void)memcpy_s(ctx->hsCtx->msgBuf, bufSize, oldDataAddr, oldDataSize);
581 }
582 BSL_SAL_FREE(oldDataAddr);
583 return HITLS_SUCCESS;
584 }
585
HS_ReSizeMsgBuf(TLS_Ctx * ctx,uint32_t msgSize)586 int32_t HS_ReSizeMsgBuf(TLS_Ctx *ctx, uint32_t msgSize)
587 {
588 bool keepOldData = false;
589 return HS_GrowMsgBuf(ctx, msgSize, keepOldData);
590 }
591
HS_MaxMessageSize(TLS_Ctx * ctx,HS_MsgType type)592 uint32_t HS_MaxMessageSize(TLS_Ctx *ctx, HS_MsgType type)
593 {
594 switch (type) {
595 case HELLO_REQUEST:
596 return HITLS_HELLO_REQUEST_MAX_SIZE;
597 case CLIENT_HELLO:
598 return HITLS_CLIENT_HELLO_MAX_SIZE;
599 #ifdef HITLS_TLS_PROTO_DTLS12
600 case HELLO_VERIFY_REQUEST:
601 return HITLS_HELLO_VERIFY_REQUEST_MAX_SIZE;
602 #endif
603 case SERVER_HELLO:
604 return HITLS_SERVER_HELLO_MAX_SIZE;
605 case ENCRYPTED_EXTENSIONS:
606 return HITLS_ENCRYPTED_EXTENSIONS_MAX_SIZE;
607 case CERTIFICATE:
608 if (ctx->config.tlsConfig.maxCertList == 0) {
609 return HITLS_MAX_CERT_LIST_DEFAULT;
610 }
611 return ctx->config.tlsConfig.maxCertList;
612 case SERVER_KEY_EXCHANGE:
613 return HITLS_SERVER_KEY_EXCH_MAX_SIZE;
614 case CERTIFICATE_REQUEST:
615 if (ctx->config.tlsConfig.maxCertList == 0) {
616 return HITLS_MAX_CERT_LIST_DEFAULT;
617 }
618 return ctx->config.tlsConfig.maxCertList;
619 case SERVER_HELLO_DONE:
620 return HITLS_SERVER_HELLO_DONE_MAX_SIZE;
621 case CLIENT_KEY_EXCHANGE:
622 return HITLS_CLIENT_KEY_EXCH_MAX_SIZE;
623 case CERTIFICATE_VERIFY:
624 return REC_MAX_PLAIN_LENGTH;
625 case NEW_SESSION_TICKET:
626 if (HS_GetVersion(ctx) == HITLS_VERSION_TLS13) {
627 return HITLS_SESSION_TICKET_MAX_SIZE_TLS13;
628 }
629 return HITLS_SESSION_TICKET_MAX_SIZE_TLS12;
630 case END_OF_EARLY_DATA:
631 return HITLS_END_OF_EARLY_DATA_MAX_SIZE;
632 case FINISHED:
633 return HITLS_FINISHED_MAX_SIZE;
634 case KEY_UPDATE:
635 return HITLS_KEY_UPDATE_MAX_SIZE;
636 default:
637 return 0;
638 }
639 }
640 #ifdef HITLS_TLS_PROTO_TLS13
HS_GetBinderLen(HITLS_Session * session,HITLS_HashAlgo * hashAlg)641 uint32_t HS_GetBinderLen(HITLS_Session *session, HITLS_HashAlgo *hashAlg)
642 {
643 if (*hashAlg != HITLS_HASH_BUTT) {
644 return SAL_CRYPT_HmacSize(*hashAlg);
645 }
646
647 if (session == NULL) {
648 return 0;
649 }
650
651 uint16_t cipherSuite = 0;
652 int32_t ret = HITLS_SESS_GetCipherSuite(session, &cipherSuite);
653 if (ret != HITLS_SUCCESS) {
654 return 0;
655 }
656
657 CipherSuiteInfo cipherInfo = {0};
658 ret = CFG_GetCipherSuiteInfo(cipherSuite, &cipherInfo);
659 if (ret != HITLS_SUCCESS) {
660 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16819, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
661 "GetCipherSuiteInfo fail", 0, 0, 0, 0);
662 return 0;
663 }
664 *hashAlg = cipherInfo.hashAlg;
665 return SAL_CRYPT_HmacSize(*hashAlg);
666 }
667 #endif /* HITLS_TLS_PROTO_TLS13 */
668
GroupConformToVersion(const TLS_Ctx * ctx,uint16_t version,uint16_t group)669 bool GroupConformToVersion(const TLS_Ctx *ctx, uint16_t version, uint16_t group)
670 {
671 uint32_t versionBits = MapVersion2VersionBit(IS_SUPPORT_DATAGRAM(ctx->config.tlsConfig.originVersionMask), version);
672 const TLS_GroupInfo *groupInfo = ConfigGetGroupInfo(&ctx->config.tlsConfig, group);
673 if (groupInfo == NULL || ((groupInfo->versionBits & versionBits) != versionBits)) {
674 return false;
675 }
676 return true;
677 }
678
CheckSupportSignAlgorithms(const TLS_Ctx * ctx,const uint16_t * signAlgorithms,uint32_t signAlgorithmsSize,uint32_t * newSignAlgorithmsSize)679 uint16_t *CheckSupportSignAlgorithms(const TLS_Ctx *ctx, const uint16_t *signAlgorithms,
680 uint32_t signAlgorithmsSize, uint32_t *newSignAlgorithmsSize)
681 {
682 (void)ctx;
683 uint32_t validNum = 0;
684 uint16_t *retSignAlgorithms = BSL_SAL_Calloc(signAlgorithmsSize, sizeof(uint16_t));
685 if (retSignAlgorithms == NULL) {
686 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17308, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "Calloc fail", 0, 0, 0, 0);
687 return NULL;
688 }
689 for (uint32_t i = 0; i < signAlgorithmsSize; i++) {
690 #ifdef HITLS_TLS_PROTO_TLS13
691 const uint32_t dsaMask = 0x02;
692 const uint32_t sha1Mask = 0x0200;
693 const uint32_t sha224Mask = 0x0300;
694 if (ctx->config.tlsConfig.maxVersion == HITLS_VERSION_TLS13 &&
695 ctx->config.tlsConfig.minVersion == HITLS_VERSION_TLS13) {
696 if (ctx->isClient &&
697 (((signAlgorithms[i] & 0xff00) == sha1Mask) ||
698 ((signAlgorithms[i] & 0xff00) == sha224Mask))) {
699 continue;
700 }
701 if (((signAlgorithms[i] & 0xff) == dsaMask) ||
702 signAlgorithms[i] == CERT_SIG_SCHEME_RSA_PKCS1_SHA1 ||
703 signAlgorithms[i] == CERT_SIG_SCHEME_RSA_PKCS1_SHA224) {
704 continue;
705 }
706 }
707 #endif /* HITLS_TLS_PROTO_TLS13 */
708 #ifdef HITLS_TLS_FEATURE_SECURITY
709 if (SECURITY_SslCheck(ctx, HITLS_SECURITY_SECOP_SIGALG_CHECK, 0, signAlgorithms[i], NULL) != SECURITY_SUCCESS) {
710 continue;
711 }
712 #endif /* HITLS_TLS_FEATURE_SECURITY */
713 retSignAlgorithms[validNum] = signAlgorithms[i];
714 validNum++;
715 }
716 *newSignAlgorithmsSize = validNum;
717
718 return retSignAlgorithms;
719 }
720
HS_GetExtensionTypeId(uint32_t hsExtensionsType)721 uint32_t HS_GetExtensionTypeId(uint32_t hsExtensionsType)
722 {
723 switch (hsExtensionsType) {
724 case HS_EX_TYPE_SERVER_NAME: return HS_EX_TYPE_ID_SERVER_NAME;
725 case HS_EX_TYPE_SUPPORTED_GROUPS: return HS_EX_TYPE_ID_SUPPORTED_GROUPS;
726 case HS_EX_TYPE_POINT_FORMATS: return HS_EX_TYPE_ID_POINT_FORMATS;
727 case HS_EX_TYPE_SIGNATURE_ALGORITHMS: return HS_EX_TYPE_ID_SIGNATURE_ALGORITHMS;
728 case HS_EX_TYPE_APP_LAYER_PROTOCOLS: return HS_EX_TYPE_ID_APP_LAYER_PROTOCOLS;
729 case HS_EX_TYPE_ENCRYPT_THEN_MAC: return HS_EX_TYPE_ID_ENCRYPT_THEN_MAC;
730 case HS_EX_TYPE_EXTENDED_MASTER_SECRET: return HS_EX_TYPE_ID_EXTENDED_MASTER_SECRET;
731 case HS_EX_TYPE_SESSION_TICKET: return HS_EX_TYPE_ID_SESSION_TICKET;
732 case HS_EX_TYPE_PRE_SHARED_KEY: return HS_EX_TYPE_ID_PRE_SHARED_KEY;
733 case HS_EX_TYPE_SUPPORTED_VERSIONS: return HS_EX_TYPE_ID_SUPPORTED_VERSIONS;
734 case HS_EX_TYPE_COOKIE: return HS_EX_TYPE_ID_COOKIE;
735 case HS_EX_TYPE_PSK_KEY_EXCHANGE_MODES: return HS_EX_TYPE_ID_PSK_KEY_EXCHANGE_MODES;
736 case HS_EX_TYPE_CERTIFICATE_AUTHORITIES: return HS_EX_TYPE_ID_CERTIFICATE_AUTHORITIES;
737 case HS_EX_TYPE_POST_HS_AUTH: return HS_EX_TYPE_ID_POST_HS_AUTH;
738 case HS_EX_TYPE_KEY_SHARE: return HS_EX_TYPE_ID_KEY_SHARE;
739 case HS_EX_TYPE_RENEGOTIATION_INFO: return HS_EX_TYPE_ID_RENEGOTIATION_INFO;
740 default: break;
741 }
742 return HS_EX_TYPE_ID_UNRECOGNIZED;
743 }
744
HS_CheckReceivedExtension(HITLS_Ctx * ctx,HS_MsgType hsType,uint64_t hsMsgExtensionsMask,uint64_t hsMsgAllowedExtensionsMask)745 int32_t HS_CheckReceivedExtension(HITLS_Ctx *ctx, HS_MsgType hsType, uint64_t hsMsgExtensionsMask,
746 uint64_t hsMsgAllowedExtensionsMask)
747 {
748 if ((hsMsgExtensionsMask & hsMsgAllowedExtensionsMask) != hsMsgExtensionsMask) {
749 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE);
750 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17311, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
751 "%d msg have illegal extensions, extensionMask: %lu", hsType, hsMsgExtensionsMask, 0, 0);
752 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_ILLEGAL_PARAMETER);
753 return HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE;
754 }
755 return HITLS_SUCCESS;
756 }
757
IsCipherSuiteAllowed(const HITLS_Ctx * ctx,uint16_t cipherSuite)758 bool IsCipherSuiteAllowed(const HITLS_Ctx *ctx, uint16_t cipherSuite)
759 {
760 if (!CFG_CheckCipherSuiteSupported(cipherSuite)) {
761 return false;
762 }
763
764 uint16_t minVersion = ctx->config.tlsConfig.minVersion;
765 uint16_t maxVersion = ctx->config.tlsConfig.maxVersion;
766 if (!CFG_CheckCipherSuiteVersion(cipherSuite, minVersion, maxVersion)) {
767 return false;
768 }
769
770 CipherSuiteInfo cipherInfo = {0};
771 (void)CFG_GetCipherSuiteInfo(cipherSuite, &cipherInfo);
772 if ((ctx->isClient && ctx->config.tlsConfig.pskClientCb == NULL) ||
773 (!ctx->isClient && ctx->config.tlsConfig.pskServerCb == NULL)) {
774 if ((cipherInfo.kxAlg == HITLS_KEY_EXCH_PSK) ||
775 (cipherInfo.kxAlg == HITLS_KEY_EXCH_DHE_PSK) ||
776 (cipherInfo.kxAlg == HITLS_KEY_EXCH_ECDHE_PSK) ||
777 (cipherInfo.kxAlg == HITLS_KEY_EXCH_RSA_PSK)) {
778 return false;
779 }
780 }
781
782 uint16_t negotiatedVersion = ctx->negotiatedInfo.version;
783 if (negotiatedVersion > 0) {
784 if (!CFG_CheckCipherSuiteVersion(cipherSuite, negotiatedVersion, negotiatedVersion)) {
785 return false;
786 }
787 }
788
789 return true;
790 }