1 /*
2 * This file is part of the openHiTLS project.
3 *
4 * openHiTLS is licensed under the Mulan PSL v2.
5 * You can use this software according to the terms and conditions of the Mulan PSL v2.
6 * You may obtain a copy of Mulan PSL v2 at:
7 *
8 * http://license.coscl.org.cn/MulanPSL2
9 *
10 * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
11 * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
12 * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
13 * See the Mulan PSL v2 for more details.
14 */
15
16 #include "hitls_build.h"
17 #if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP)
18 #include "securec.h"
19 #include "tls_binlog_id.h"
20 #include "bsl_log_internal.h"
21 #include "bsl_log.h"
22 #include "bsl_err_internal.h"
23 #include "bsl_sal.h"
24 #include "bsl_bytes.h"
25 #include "bsl_errno.h"
26 #include "sal_net.h"
27 #include "uio_base.h"
28 #include "hitls.h"
29 #include "hitls_error.h"
30 #include "hitls_cookie.h"
31 #include "hitls_crypt_type.h"
32 #include "tls.h"
33 #include "tls_config.h"
34 #include "hs_ctx.h"
35 #include "hs.h"
36
37 #define MAX_IP_ADDR_SIZE 256u
38
UpdateMacKey(TLS_Ctx * ctx,CookieInfo * cookieInfo)39 static int32_t UpdateMacKey(TLS_Ctx *ctx, CookieInfo *cookieInfo)
40 {
41 (void)memcpy_s(cookieInfo->preMacKey, MAC_KEY_LEN, cookieInfo->macKey, MAC_KEY_LEN); /* Save the old key */
42 int32_t ret = SAL_CRYPT_Rand(LIBCTX_FROM_CTX(ctx), cookieInfo->macKey, MAC_KEY_LEN); /* Create a new key */
43 if (ret != HITLS_SUCCESS) {
44 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15691, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
45 "generate macKey fail when calc cookie.", 0, 0, 0, 0);
46 return ret;
47 }
48 cookieInfo->algRemainTime = COOKIE_SECRET_LIFETIME; /* Updated the current HMAC algorithm usage times */
49 return HITLS_SUCCESS;
50 }
51
FillCipherSuite(const ClientHelloMsg * clientHello,uint8_t * material,uint32_t * offset)52 static void FillCipherSuite(const ClientHelloMsg *clientHello, uint8_t *material,
53 uint32_t *offset)
54 {
55 for (uint32_t i = 0; i < clientHello->cipherSuitesSize; i++) {
56 BSL_Uint16ToByte(clientHello->cipherSuites[i], &material[*offset]);
57 *offset += sizeof(uint16_t);
58 }
59 }
60
61 /**
62 * @brief Generate cookie calculation materials
63 * @attention The maximum memory required is already applied, so the function does not
64 * need to check whether the memory is out of bounds
65 *
66 * @param ctx [IN] Hitls context
67 * @param clientHello [IN] ClientHello message
68 * @param material [OUT] Returned material
69 * @param materialSize [IN] Maximum length of the material
70 * @param usedLen [OUT] Returned actual material length
71 *
72 * @retval HITLS_SUCCESS
73 * @retval HITLS_MEMCPY_FAIL
74 */
GenerateCookieCalcMaterial(const TLS_Ctx * ctx,const ClientHelloMsg * clientHello,uint8_t * material,uint32_t materialSize,uint32_t * usedLen)75 static int32_t GenerateCookieCalcMaterial(const TLS_Ctx *ctx, const ClientHelloMsg *clientHello,
76 uint8_t *material, uint32_t materialSize, uint32_t *usedLen)
77 {
78 uint8_t ipAddr[MAX_IP_ADDR_SIZE] = {0};
79 BSL_UIO_CtrlGetPeerIpAddrParam param = {ipAddr, sizeof(ipAddr)};
80 uint32_t offset = 0;
81 BSL_SAL_SockAddr peerAddr = NULL;
82 int32_t ret = SAL_SockAddrNew(&peerAddr);
83 if (ret != BSL_SUCCESS) {
84 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16916, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "addr New fail", 0, 0, 0, 0);
85 return HITLS_MEMCPY_FAIL;
86 }
87 int32_t peerAddrLen = SAL_SockAddrSize(peerAddr);
88 /* Add the peer IP address */
89 ret = BSL_UIO_Ctrl(ctx->uio, BSL_UIO_GET_PEER_IP_ADDR, peerAddrLen, peerAddr);
90 if (ret == BSL_SUCCESS) {
91 if (memcpy_s(ipAddr, MAX_IP_ADDR_SIZE, peerAddr, SAL_SockAddrSize(peerAddr)) != EOK) {
92 SAL_SockAddrFree(peerAddr);
93 return BSL_MEMCPY_FAIL;
94 }
95 param.size = SAL_SockAddrSize(peerAddr);
96 if (memcpy_s(material, materialSize, ipAddr, param.size) != EOK) {
97 BSL_ERR_PUSH_ERROR(HITLS_MEMCPY_FAIL);
98 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15692, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
99 "copy ipAddr fail when calc cookie.", 0, 0, 0, 0);
100 SAL_SockAddrFree(peerAddr);
101 return HITLS_MEMCPY_FAIL;
102 }
103 offset += param.size;
104 }
105 SAL_SockAddrFree(peerAddr);
106 /* fill the version */
107 BSL_Uint16ToByte(clientHello->version, &material[offset]);
108 offset += sizeof(uint16_t);
109
110 /* fill client's random value */
111 if (memcpy_s(&material[offset], materialSize - offset, clientHello->randomValue, HS_RANDOM_SIZE) != EOK) {
112 BSL_ERR_PUSH_ERROR(HITLS_MEMCPY_FAIL);
113 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15693, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
114 "copy random fail when calc cookie.", 0, 0, 0, 0);
115 return HITLS_MEMCPY_FAIL;
116 }
117 offset += HS_RANDOM_SIZE;
118
119 /* fill session_id */
120 if (clientHello->sessionIdSize != 0 && clientHello->sessionId != NULL) {
121 if (memcpy_s(&material[offset], materialSize - offset,
122 clientHello->sessionId, clientHello->sessionIdSize) != EOK) {
123 BSL_ERR_PUSH_ERROR(HITLS_MEMCPY_FAIL);
124 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15694, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
125 "copy sessionId fail when calc cookie.", 0, 0, 0, 0);
126 return HITLS_MEMCPY_FAIL;
127 }
128 offset += clientHello->sessionIdSize;
129 }
130
131 /* fill the cipher suite */
132 FillCipherSuite(clientHello, material, &offset);
133
134 *usedLen = offset;
135 return HITLS_SUCCESS;
136 }
137
138 /**
139 * @brief Add cookie calculation materials to the HMAC.
140 *
141 * @param ctx [IN] Hitls context
142 * @param clientHello [IN] ClientHello message
143 * @param cookieInfo [IN] cookie info
144 * @param cookie [IN] cookie
145 * @param cookieLen [IN] cookie len
146 *
147 * @retval HITLS_SUCCESS
148 * @retval For other error codes, see hitls_error.h.
149 */
AddCookieCalcMaterial(const TLS_Ctx * ctx,const ClientHelloMsg * clientHello,CookieInfo * cookieInfo,uint8_t * cookie,uint32_t * cookieLen)150 static int32_t AddCookieCalcMaterial(
151 const TLS_Ctx *ctx, const ClientHelloMsg *clientHello, CookieInfo *cookieInfo, uint8_t *cookie, uint32_t *cookieLen)
152 {
153 /* Add the cookie calculation material, that is, the peer IP address + version + random + sessionID + cipherSuites
154 */
155 uint32_t materialSize = MAX_IP_ADDR_SIZE + sizeof(uint16_t) + HS_RANDOM_SIZE + clientHello->sessionIdSize +
156 clientHello->cipherSuitesSize * sizeof(uint16_t);
157 uint8_t *material = BSL_SAL_Calloc(1u, materialSize);
158 if (material == NULL) {
159 BSL_ERR_PUSH_ERROR(HITLS_MEMALLOC_FAIL);
160 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15695, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
161 "material malloc fail when calc cookie.", 0, 0, 0, 0);
162 return HITLS_MEMALLOC_FAIL;
163 }
164
165 int32_t ret;
166 uint32_t usedLen = 0;
167 ret = GenerateCookieCalcMaterial(ctx, clientHello, material, materialSize, &usedLen);
168 if (ret != HITLS_SUCCESS) {
169 (void)memset_s(material, materialSize, 0, materialSize);
170 BSL_SAL_FREE(material);
171 return ret;
172 }
173
174 ret = SAL_CRYPT_Hmac(LIBCTX_FROM_CTX(ctx), ATTRIBUTE_FROM_CTX(ctx),
175 HITLS_HASH_SHA_256, cookieInfo->macKey, MAC_KEY_LEN, material, usedLen, cookie, cookieLen);
176 (void)memset_s(material, materialSize, 0, materialSize);
177 BSL_SAL_FREE(material);
178 if (ret != HITLS_SUCCESS) {
179 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15696, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
180 "SAL_CRYPT_Hmac fail when calc cookie.", 0, 0, 0, 0);
181 }
182 return ret;
183 }
184
HS_CalcCookie(TLS_Ctx * ctx,const ClientHelloMsg * clientHello,uint8_t * cookie,uint32_t * cookieLen)185 int32_t HS_CalcCookie(TLS_Ctx *ctx, const ClientHelloMsg *clientHello, uint8_t *cookie, uint32_t *cookieLen)
186 {
187 /* If the user's cookie calculation callback is registered, use the user's callback interface */
188 if (ctx->globalConfig != NULL && ctx->globalConfig->appGenCookieCb != NULL) {
189 int32_t returnVal = ctx->globalConfig->appGenCookieCb(ctx, cookie, cookieLen);
190 /* A return value of zero indicates that the cookie generation failed, and a return value of other values is a
191 * success, so the judgment here is a failure rather than a non-success */
192 if (returnVal == HITLS_COOKIE_GENERATE_ERROR) {
193 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_COOKIE_ERR);
194 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15697, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
195 "appGenCookieCb return error 0x%x.", returnVal, 0, 0, 0);
196 return HITLS_MSG_HANDLE_COOKIE_ERR;
197 }
198 if (*cookieLen > TLS_HS_MAX_COOKIE_SIZE) {
199 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_COOKIE_ERR);
200 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17353, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
201 "cookie len is too long.", 0, 0, 0, 0);
202 return HITLS_MSG_HANDLE_COOKIE_ERR;
203 }
204 return HITLS_SUCCESS;
205 }
206
207 /* If the cookie calculation callback is not registered, the default calculation is used */
208 int32_t ret = HITLS_SUCCESS;
209 CookieInfo *cookieInfo = &ctx->negotiatedInfo.cookieInfo;
210
211 /* If the number of remaining usage times of the current algorithm is 0, update the algorithm */
212 if (cookieInfo->algRemainTime == 0) {
213 ret = UpdateMacKey(ctx, cookieInfo);
214 if (ret != HITLS_SUCCESS) {
215 return ret;
216 }
217 }
218
219 /* Add cookie calculation materials */
220 ret = AddCookieCalcMaterial(ctx, clientHello, cookieInfo, cookie, cookieLen);
221 if (ret != HITLS_SUCCESS) {
222 return ret;
223 }
224
225 /* Updated the current HMAC algorithm usage times */
226 cookieInfo->algRemainTime--;
227
228 return HITLS_SUCCESS;
229 }
230
CheckCookie(TLS_Ctx * ctx,const ClientHelloMsg * clientHello,bool * isCookieValid)231 static int32_t CheckCookie(TLS_Ctx *ctx, const ClientHelloMsg *clientHello, bool *isCookieValid)
232 {
233 uint8_t cookie[TLS_HS_MAX_COOKIE_SIZE] = {0};
234 uint32_t cookieLen = sizeof(cookie);
235
236 *isCookieValid = false;
237
238 /* Calculating cookies will reduce the number of times the algorithm is used. In order to prevent algorithm
239 * switching after calculation, it is increased by itself and then calculated */
240 ctx->negotiatedInfo.cookieInfo.algRemainTime++;
241 int32_t ret = HS_CalcCookie(ctx, clientHello, cookie, &cookieLen);
242 if (ret != HITLS_SUCCESS) {
243 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16917, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
244 "CalcCookie fail", 0, 0, 0, 0);
245 return ret;
246 }
247
248 if ((cookieLen == clientHello->cookieLen) &&
249 (memcmp((char *)cookie, (char *)clientHello->cookie, cookieLen) == 0)) {
250 *isCookieValid = true;
251 }
252 (void)memset_s(cookie, TLS_HS_MAX_COOKIE_SIZE, 0, TLS_HS_MAX_COOKIE_SIZE);
253 return HITLS_SUCCESS;
254 }
255
CheckCookieWithPreMacKey(TLS_Ctx * ctx,const ClientHelloMsg * clientHello,bool * isCookieValid)256 static int32_t CheckCookieWithPreMacKey(TLS_Ctx *ctx, const ClientHelloMsg *clientHello, bool *isCookieValid)
257 {
258 uint8_t macKeyStore[MAC_KEY_LEN] = {0};
259 CookieInfo *cookieInfo = &ctx->negotiatedInfo.cookieInfo;
260
261 /* If the previous key does not exist, the system will not verify */
262 if (memcmp(cookieInfo->preMacKey, macKeyStore, MAC_KEY_LEN) == 0) {
263 return HITLS_SUCCESS;
264 }
265
266 /* Save the current mackey */
267 (void)memcpy_s(macKeyStore, MAC_KEY_LEN, cookieInfo->macKey, MAC_KEY_LEN);
268 /* Use the previous mackey */
269 (void)memcpy_s(cookieInfo->macKey, MAC_KEY_LEN, cookieInfo->preMacKey, MAC_KEY_LEN);
270
271 int32_t ret = CheckCookie(ctx, clientHello, isCookieValid);
272 if (ret != HITLS_SUCCESS) {
273 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16918, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
274 "CheckCookie fail", 0, 0, 0, 0);
275 (void)memset_s(macKeyStore, MAC_KEY_LEN, 0, MAC_KEY_LEN);
276 return ret;
277 }
278
279 /* Restore the current mackey */
280 (void)memcpy_s(cookieInfo->macKey, MAC_KEY_LEN, macKeyStore, MAC_KEY_LEN);
281 (void)memset_s(macKeyStore, MAC_KEY_LEN, 0, MAC_KEY_LEN);
282 return HITLS_SUCCESS;
283 }
284
CheckCookieDuringRenegotiation(TLS_Ctx * ctx,const ClientHelloMsg * clientHello,bool * isCookieValid)285 static int32_t CheckCookieDuringRenegotiation(TLS_Ctx *ctx, const ClientHelloMsg *clientHello, bool *isCookieValid)
286 {
287 uint8_t *cookie = ctx->negotiatedInfo.cookie;
288 uint16_t cookieLen = (uint16_t)ctx->negotiatedInfo.cookieSize;
289
290 if ((cookieLen == clientHello->cookieLen) &&
291 (memcmp((char *)cookie, (char *)clientHello->cookie, cookieLen) == 0)) {
292 *isCookieValid = true;
293 }
294 return HITLS_SUCCESS;
295 }
296
HS_CheckCookie(TLS_Ctx * ctx,const ClientHelloMsg * clientHello,bool * isCookieValid)297 int32_t HS_CheckCookie(TLS_Ctx *ctx, const ClientHelloMsg *clientHello, bool *isCookieValid)
298 {
299 /* The DTLS protocol determines whether cookie verification is required based on user setting */
300 if (IS_SUPPORT_DATAGRAM(ctx->config.tlsConfig.originVersionMask) &&
301 !ctx->config.tlsConfig.isSupportDtlsCookieExchange && !ctx->isDtlsListen) {
302 *isCookieValid = true;
303 return HITLS_SUCCESS;
304 }
305
306 *isCookieValid = false;
307
308 /* If the client does not send the cookie, the verification is not required */
309 if (clientHello->cookie == NULL) {
310 return HITLS_SUCCESS;
311 }
312
313 /* In the renegotiation scenario, the cookie stored in the negotiatedInfo is used for verification */
314 if (ctx->negotiatedInfo.isRenegotiation) {
315 return CheckCookieDuringRenegotiation(ctx, clientHello, isCookieValid);
316 }
317
318 /* If the user's cookie validation callback is registered, use the user's callback interface */
319 HITLS_AppVerifyCookieCb cookieCb = ctx->globalConfig->appVerifyCookieCb;
320 if (cookieCb != NULL) {
321 int32_t isValid = cookieCb(ctx, clientHello->cookie, clientHello->cookieLen);
322 /* If the return value is not zero, the cookie is valid, so the judgment here does not equal failure rather than
323 * success */
324 if (isValid != HITLS_COOKIE_VERIFY_ERROR) {
325 *isCookieValid = true;
326 }
327 return HITLS_SUCCESS;
328 }
329
330 /* If the cookie validation callback function of the user is not registered, use the default validation function */
331 int32_t ret = CheckCookie(ctx, clientHello, isCookieValid);
332 if (ret != HITLS_SUCCESS) {
333 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16919, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
334 "CheckCookie fail", 0, 0, 0, 0);
335 return ret;
336 }
337
338 /* If the cookie is successfully verified for the first time, it is returned. Otherwise, the previous MacKey is used
339 * to verify the cookie again */
340 if (*isCookieValid) {
341 return HITLS_SUCCESS;
342 }
343
344 return CheckCookieWithPreMacKey(ctx, clientHello, isCookieValid);
345 }
346 #endif /* HITLS_TLS_PROTO_DTLS12 && HITLS_BSL_UIO_UDP */