1 /*
2 * This file is part of the openHiTLS project.
3 *
4 * openHiTLS is licensed under the Mulan PSL v2.
5 * You can use this software according to the terms and conditions of the Mulan PSL v2.
6 * You may obtain a copy of Mulan PSL v2 at:
7 *
8 * http://license.coscl.org.cn/MulanPSL2
9 *
10 * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
11 * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
12 * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
13 * See the Mulan PSL v2 for more details.
14 */
15 #include "hitls_build.h"
16 #ifdef HITLS_TLS_HOST_SERVER
17 #include "securec.h"
18 #include "tls_binlog_id.h"
19 #include "bsl_log_internal.h"
20 #include "bsl_log.h"
21 #include "bsl_err_internal.h"
22 #include "bsl_sal.h"
23 #include "crypt.h"
24 #include "hitls_error.h"
25 #include "tls.h"
26 #include "hs.h"
27 #include "hs_ctx.h"
28 #include "session_mgr.h"
29 #include "hs_verify.h"
30 #include "transcript_hash.h"
31 #include "hs_common.h"
32 #include "pack.h"
33 #include "send_process.h"
34 #include "hs_kx.h"
35 #include "config_type.h"
36
37 #if defined(HITLS_TLS_PROTO_TLS_BASIC) || defined(HITLS_TLS_PROTO_DTLS12)
38 #ifdef HITLS_TLS_FEATURE_SESSION
ServerPrepareSessionId(TLS_Ctx * ctx)39 static int32_t ServerPrepareSessionId(TLS_Ctx *ctx)
40 {
41 /* Obtain the server information */
42 HS_Ctx *hsCtx = (HS_Ctx *)ctx->hsCtx;
43
44 hsCtx->sessionId = (uint8_t *)BSL_SAL_Calloc(1u, HITLS_SESSION_ID_MAX_SIZE);
45 if (hsCtx->sessionId == NULL) {
46 BSL_ERR_PUSH_ERROR(HITLS_MEMALLOC_FAIL);
47 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15546, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "session Id malloc fail.", 0,
48 0, 0, 0);
49 return HITLS_MEMALLOC_FAIL;
50 }
51
52 if (ctx->negotiatedInfo.isResume == false) {
53 HITLS_SESS_CACHE_MODE sessCacheMode = SESSMGR_GetCacheMode(ctx->config.tlsConfig.sessMgr);
54 bool needSessionId = (sessCacheMode == HITLS_SESS_CACHE_SERVER || sessCacheMode == HITLS_SESS_CACHE_BOTH) &&
55 (!ctx->negotiatedInfo.isTicket);
56 if (needSessionId) {
57 hsCtx->sessionIdSize = HITLS_SESSION_ID_MAX_SIZE;
58 int32_t ret = SESSMGR_GernerateSessionId(ctx, hsCtx->sessionId, hsCtx->sessionIdSize);
59 if (ret != HITLS_SUCCESS) {
60 BSL_SAL_FREE(hsCtx->sessionId);
61 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR);
62 return ret;
63 }
64 } else {
65 /* If session ID resumption is not supported, the session ID is not sent when the first connection
66 * is established */
67 BSL_SAL_FREE(hsCtx->sessionId);
68 hsCtx->sessionIdSize = 0;
69 }
70 } else {
71 /* If the session is resumed, obtain the session ID from the session.
72 * In the session ticket resumption mode, the session ID may not be obtained. Therefore, the return value is
73 * not checked */
74 hsCtx->sessionIdSize = HITLS_SESSION_ID_MAX_SIZE;
75 HITLS_SESS_GetSessionId(ctx->session, hsCtx->sessionId, &hsCtx->sessionIdSize);
76 if (hsCtx->sessionIdSize == 0) {
77 BSL_SAL_FREE(hsCtx->sessionId);
78 }
79 }
80
81 return HITLS_SUCCESS;
82 }
83 #endif /* HITLS_TLS_FEATURE_SESSION */
ServerChangeStateAfterSendHello(TLS_Ctx * ctx)84 static int32_t ServerChangeStateAfterSendHello(TLS_Ctx *ctx)
85 {
86 #ifdef HITLS_TLS_FEATURE_SESSION
87 int32_t ret = HITLS_SUCCESS;
88 if (ctx->negotiatedInfo.isResume == true) {
89 ret = HS_ResumeKeyEstablish(ctx);
90 if (ret != HITLS_SUCCESS) {
91 return ret;
92 }
93 if (ctx->negotiatedInfo.isTicket) {
94 return HS_ChangeState(ctx, TRY_SEND_NEW_SESSION_TICKET);
95 }
96 return HS_ChangeState(ctx, TRY_SEND_CHANGE_CIPHER_SPEC);
97 }
98 #endif /* HITLS_TLS_FEATURE_SESSION */
99 /* Check whether the server sends the certificate message. If the server does not need to send the certificate
100 * message, update the status to the server key exchange */
101 if (IsNeedCertPrepare(&ctx->negotiatedInfo.cipherSuiteInfo) == false) {
102 #ifdef HITLS_TLS_FEATURE_PSK
103 /* There are multiple possible jumps after the ServerHello in the plain PSK negotiation */
104 if (ctx->hsCtx->kxCtx->keyExchAlgo == HITLS_KEY_EXCH_PSK) {
105 /* Special: If the server does not send the certificate and the plain PSK negotiation mode is used, the
106 * system determines whether to send the SKE by checking whether the hint exists. There are multiple
107 * redirection scenarios. */
108 /* In the scenario of RSA PSK negotiation, whether SKE messages are sent depends on the existence of hints.
109 * If RSA is used, the certificate sending phase is entered. The SKE status transition is not performed here
110 */
111 if (ctx->config.tlsConfig.pskIdentityHint != NULL) {
112 return HS_ChangeState(ctx, TRY_SEND_SERVER_KEY_EXCHANGE);
113 }
114 return HS_ChangeState(ctx, TRY_SEND_SERVER_HELLO_DONE);
115 }
116 #endif /* HITLS_TLS_FEATURE_PSK */
117 return HS_ChangeState(ctx, TRY_SEND_SERVER_KEY_EXCHANGE);
118 }
119 return HS_ChangeState(ctx, TRY_SEND_CERTIFICATE);
120 }
121 #if defined(HITLS_TLS_PROTO_TLS13) && defined(HITLS_TLS_PROTO_TLS_BASIC)
DowngradeServerRandom(TLS_Ctx * ctx)122 static int32_t DowngradeServerRandom(TLS_Ctx *ctx)
123 {
124 /* Obtain server information */
125 int32_t ret = HITLS_SUCCESS;
126 HS_Ctx *hsCtx = (HS_Ctx *)ctx->hsCtx;
127 uint32_t downgradeRandomLen = 0;
128 uint32_t offset = 0;
129 /* Obtain the random part to be rewritten */
130 if (ctx->negotiatedInfo.version == HITLS_VERSION_TLS12) {
131 const uint8_t *downgradeRandom = HS_GetTls12DowngradeRandom(&downgradeRandomLen);
132 /* Some positions need to be rewritten to obtain random */
133 offset = HS_RANDOM_SIZE - downgradeRandomLen;
134 /* Rewrite the last eight bytes of the random */
135 ret = memcpy_s(hsCtx->serverRandom + offset, HS_RANDOM_DOWNGRADE_SIZE, downgradeRandom, downgradeRandomLen);
136 }
137 return ret;
138 }
139 #endif /* HITLS_TLS_PROTO_TLS13 && HITLS_TLS_PROTO_TLS_BASIC */
ServerSendServerHelloProcess(TLS_Ctx * ctx)140 int32_t ServerSendServerHelloProcess(TLS_Ctx *ctx)
141 {
142 int32_t ret = HITLS_SUCCESS;
143 /* Obtain server information */
144 HS_Ctx *hsCtx = (HS_Ctx *)ctx->hsCtx;
145
146 /* Determine whether to pack a message */
147 if (hsCtx->msgLen == 0) {
148 #ifdef HITLS_TLS_FEATURE_SESSION
149 ret = ServerPrepareSessionId(ctx);
150 if (ret != HITLS_SUCCESS) {
151 return ret;
152 }
153 #endif
154 ret = SAL_CRYPT_Rand(LIBCTX_FROM_CTX(ctx), hsCtx->serverRandom, HS_RANDOM_SIZE);
155 if (ret != HITLS_SUCCESS) {
156 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15548, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
157 "get server random error.", 0, 0, 0, 0);
158 return ret;
159 }
160 #if defined(HITLS_TLS_PROTO_TLS13) && defined(HITLS_TLS_PROTO_TLS_BASIC)
161 TLS_Config *tlsConfig = &ctx->config.tlsConfig;
162 /* If TLS 1.3 is supported but an earlier version is negotiated, the last eight bits of the random number need
163 * to be rewritten */
164 if (tlsConfig->maxVersion == HITLS_VERSION_TLS13) {
165 ret = DowngradeServerRandom(ctx);
166 if (ret != EOK) {
167 BSL_ERR_PUSH_ERROR(HITLS_MEMCPY_FAIL);
168 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16248, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
169 "copy down grade random fail.", 0, 0, 0, 0);
170 return HITLS_MEMCPY_FAIL;
171 }
172 }
173 #endif /* HITLS_TLS_PROTO_TLS13 && HITLS_TLS_PROTO_TLS_BASIC */
174 /* Set the verify information. */
175 ret = VERIFY_SetHash(LIBCTX_FROM_CTX(ctx), ATTRIBUTE_FROM_CTX(ctx),
176 hsCtx->verifyCtx, ctx->negotiatedInfo.cipherSuiteInfo.hashAlg);
177 if (ret != HITLS_SUCCESS) {
178 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15549, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "set verify info fail.",
179 0, 0, 0, 0);
180 return ret;
181 }
182
183 ret = HS_PackMsg(ctx, SERVER_HELLO, hsCtx->msgBuf, hsCtx->bufferLen, &hsCtx->msgLen);
184 if (ret != HITLS_SUCCESS) {
185 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15550, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
186 "pack server hello msg fail.", 0, 0, 0, 0);
187 return ret;
188 }
189 }
190
191 ret = HS_SendMsg(ctx);
192 if (ret != HITLS_SUCCESS) {
193 return ret;
194 }
195
196 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15551, BSL_LOG_LEVEL_INFO, BSL_LOG_BINLOG_TYPE_RUN, "send server hello msg success.",
197 0, 0, 0, 0);
198
199 return ServerChangeStateAfterSendHello(ctx);
200 }
201 #endif /* HITLS_TLS_PROTO_TLS_BASIC || HITLS_TLS_PROTO_DTLS12 */
202 #ifdef HITLS_TLS_PROTO_TLS13
Tls13ServerPrepareKeyShare(TLS_Ctx * ctx)203 static int32_t Tls13ServerPrepareKeyShare(TLS_Ctx *ctx)
204 {
205 KeyShareParam *keyShare = &ctx->hsCtx->kxCtx->keyExchParam.share;
206 KeyExchCtx *kxCtx = ctx->hsCtx->kxCtx;
207 if ((kxCtx->peerPubkey == NULL) || /* If the peer public key is empty, keyshare does not need to be packed */
208 (kxCtx->key != NULL)) { /* key is not empty, it indicates that the keyshare has been calculated and does not
209 need to be calculated again */
210 return HITLS_SUCCESS;
211 }
212 const TLS_GroupInfo *groupInfo = ConfigGetGroupInfo(&ctx->config.tlsConfig, keyShare->group);
213 if (groupInfo == NULL) {
214 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16243, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
215 "group info not found", 0, 0, 0, 0);
216 return HITLS_INVALID_INPUT;
217 }
218 if (groupInfo->isKem) {
219 return HITLS_SUCCESS;
220 }
221 HITLS_ECParameters curveParams = {
222 .type = HITLS_EC_CURVE_TYPE_NAMED_CURVE,
223 .param.namedcurve = keyShare->group,
224 };
225 HITLS_CRYPT_Key *key = NULL;
226 /* The ecdhe and dhe groups can invoke the same interface to generate keys. */
227 key = SAL_CRYPT_GenEcdhKeyPair(ctx, &curveParams);
228 if (key == NULL) {
229 BSL_ERR_PUSH_ERROR(HITLS_CRYPT_ERR_ENCODE_ECDH_KEY);
230 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15552, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
231 "client generate key share key pair error.", 0, 0, 0, 0);
232 return HITLS_CRYPT_ERR_ENCODE_ECDH_KEY;
233 }
234 kxCtx->key = key;
235
236 return HITLS_SUCCESS;
237 }
238
Tls13ServerSendServerHelloProcess(TLS_Ctx * ctx)239 int32_t Tls13ServerSendServerHelloProcess(TLS_Ctx *ctx)
240 {
241 int32_t ret = HITLS_SUCCESS;
242 /* Obtain server information */
243 HS_Ctx *hsCtx = (HS_Ctx *)ctx->hsCtx;
244 /* Determine whether to pack a message */
245 if (hsCtx->msgLen == 0) {
246 ret = Tls13ServerPrepareKeyShare(ctx);
247 if (ret != HITLS_SUCCESS) {
248 return ret;
249 }
250
251 ret = SAL_CRYPT_Rand(LIBCTX_FROM_CTX(ctx), hsCtx->serverRandom, HS_RANDOM_SIZE);
252 if (ret != HITLS_SUCCESS) {
253 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15553, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
254 "get server random error.", 0, 0, 0, 0);
255 return ret;
256 }
257
258 /* Set the verify information */
259 ret = VERIFY_SetHash(LIBCTX_FROM_CTX(ctx), ATTRIBUTE_FROM_CTX(ctx),
260 hsCtx->verifyCtx, ctx->negotiatedInfo.cipherSuiteInfo.hashAlg);
261 if (ret != HITLS_SUCCESS) {
262 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15554, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "set verify info fail.",
263 0, 0, 0, 0);
264 return ret;
265 }
266
267 /* Server secret derivation */
268 ret = HS_TLS13CalcServerHelloProcessSecret(ctx);
269 if (ret != HITLS_SUCCESS) {
270 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16190, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
271 "Derive-Sevret failed.", 0, 0, 0, 0);
272 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_ILLEGAL_PARAMETER);
273 return ret;
274 }
275
276 ret = HS_PackMsg(ctx, SERVER_HELLO, hsCtx->msgBuf, hsCtx->bufferLen, &hsCtx->msgLen);
277 if (ret != HITLS_SUCCESS) {
278 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15555, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
279 "pack tls1.3 server hello msg fail.", 0, 0, 0, 0);
280 return ret;
281 }
282 }
283
284 ret = HS_SendMsg(ctx);
285 if (ret != HITLS_SUCCESS) {
286 return ret;
287 }
288
289 ret = HS_TLS13DeriveHandshakeTrafficSecret(ctx);
290 if (ret != HITLS_SUCCESS) {
291 return ret;
292 }
293
294 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15556, BSL_LOG_LEVEL_INFO, BSL_LOG_BINLOG_TYPE_RUN,
295 "send tls1.3 server hello msg success.", 0, 0, 0, 0);
296
297 /* In the middlebox mode, If the scenario is not hrr, the CCS needs to be sent before the EE */
298 if (!ctx->hsCtx->haveHrr) {
299 ctx->hsCtx->ccsNextState = TRY_SEND_ENCRYPTED_EXTENSIONS;
300 return HS_ChangeState(ctx, TRY_SEND_CHANGE_CIPHER_SPEC);
301 }
302 return HS_ChangeState(ctx, TRY_SEND_ENCRYPTED_EXTENSIONS);
303 }
304
Tls13ServerSendHelloRetryRequestProcess(TLS_Ctx * ctx)305 int32_t Tls13ServerSendHelloRetryRequestProcess(TLS_Ctx *ctx)
306 {
307 int32_t ret = HITLS_SUCCESS;
308 /* Obtain the server information */
309 HS_Ctx *hsCtx = (HS_Ctx *)ctx->hsCtx;
310 hsCtx->haveHrr = true; /* update state */
311
312 /* Check whether the message needs to be packed */
313 if (hsCtx->msgLen == 0) {
314 uint32_t hrrRandomLen = 0;
315 const uint8_t *hrrRandom = HS_GetHrrRandom(&hrrRandomLen);
316 if (memcpy_s(hsCtx->serverRandom, HS_RANDOM_SIZE, hrrRandom, hrrRandomLen) != EOK) {
317 BSL_ERR_PUSH_ERROR(HITLS_MEMCPY_FAIL);
318 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15557, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
319 "copy hello retry request random fail.", 0, 0, 0, 0);
320 return HITLS_MEMCPY_FAIL;
321 }
322
323 /* Pack the message. The hello retry request is assembled in the server hello format */
324 ret = HS_PackMsg(ctx, SERVER_HELLO, hsCtx->msgBuf, hsCtx->bufferLen, &hsCtx->msgLen);
325 if (ret != HITLS_SUCCESS) {
326 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15558, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
327 "pack tls1.3 hello retry request msg fail.", 0, 0, 0, 0);
328 return ret;
329 }
330 }
331
332 ret = HS_SendMsg(ctx);
333 if (ret != HITLS_SUCCESS) {
334 return ret;
335 }
336
337 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15559, BSL_LOG_LEVEL_INFO, BSL_LOG_BINLOG_TYPE_RUN,
338 "send tls1.3 hello retry request msg success.", 0, 0, 0, 0);
339
340 /* RFC 8446 4.4.1. Send the Hello Retry Request message and construct the Transcript-Hash data */
341 ret = VERIFY_HelloRetryRequestVerifyProcess(ctx);
342 if (ret != HITLS_SUCCESS) {
343 return ret;
344 }
345
346 /* In middlebox mode, the peer sends CCS messages. Set this parameter to allow receiving CCS messages */
347 ctx->method.ctrlCCS(ctx, CCS_CMD_RECV_READY);
348 /* In middlebox mode, the server sends the CCS immediately after sending the hrr */
349 ctx->hsCtx->ccsNextState = TRY_RECV_CLIENT_HELLO;
350 return HS_ChangeState(ctx, TRY_SEND_CHANGE_CIPHER_SPEC);
351 }
352 #endif /* HITLS_TLS_PROTO_TLS13 */
353 #endif /* HITLS_TLS_HOST_SERVER */