1 /*
2 * This file is part of the openHiTLS project.
3 *
4 * openHiTLS is licensed under the Mulan PSL v2.
5 * You can use this software according to the terms and conditions of the Mulan PSL v2.
6 * You may obtain a copy of Mulan PSL v2 at:
7 *
8 * http://license.coscl.org.cn/MulanPSL2
9 *
10 * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
11 * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
12 * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
13 * See the Mulan PSL v2 for more details.
14 */
15 #include "hitls_build.h"
16 #ifdef HITLS_TLS_HOST_SERVER
17 #include "tls_binlog_id.h"
18 #include "bsl_log_internal.h"
19 #include "bsl_log.h"
20 #include "bsl_err_internal.h"
21 #include "bsl_sal.h"
22 #include "hitls_error.h"
23 #include "hitls_crypt_type.h"
24 #include "hitls_security.h"
25 #include "tls.h"
26 #ifdef HITLS_TLS_FEATURE_SECURITY
27 #include "security.h"
28 #endif
29 #include "cert_method.h"
30 #include "hs_ctx.h"
31 #include "hs_common.h"
32 #include "pack.h"
33 #include "send_process.h"
34 #if defined(HITLS_TLS_PROTO_TLS_BASIC) || defined(HITLS_TLS_PROTO_DTLS12)
35 #ifdef HITLS_TLS_SUITE_KX_DHE
36 #define DEFAULT_DHE_PSK_BIT_NUM 128
37 #define TLS_DHE_PARAM_MAX_LEN 1024
38
39 #ifdef HITLS_TLS_CONFIG_MANUAL_DH
GenerateDhEphemeralKey(HITLS_Lib_Ctx * libCtx,const char * attrName,HITLS_CRYPT_Key * priKey)40 static HITLS_CRYPT_Key *GenerateDhEphemeralKey(HITLS_Lib_Ctx *libCtx, const char *attrName, HITLS_CRYPT_Key *priKey)
41 {
42 uint8_t p[TLS_DHE_PARAM_MAX_LEN] = {0};
43 uint8_t g[TLS_DHE_PARAM_MAX_LEN] = {0};
44 uint16_t pLen = TLS_DHE_PARAM_MAX_LEN;
45 uint16_t gLen = TLS_DHE_PARAM_MAX_LEN;
46
47 int32_t ret = SAL_CRYPT_GetDhParameters(priKey, p, &pLen, g, &gLen);
48 if (ret != HITLS_SUCCESS) {
49 return NULL;
50 }
51 return SAL_CRYPT_GenerateDhKeyByParams(libCtx, attrName, p, pLen, g, gLen);
52 }
53
GetDhKeyByDhTmp(TLS_Ctx * ctx)54 static HITLS_CRYPT_Key *GetDhKeyByDhTmp(TLS_Ctx *ctx)
55 {
56 HITLS_CRYPT_Key *key = NULL;
57 int32_t ret = HITLS_SUCCESS;
58 int32_t secBits = 0;
59 HITLS_Config *config = &ctx->config.tlsConfig;
60 key = ctx->config.tlsConfig.dhTmp;
61 if (key != NULL) {
62 key = GenerateDhEphemeralKey(LIBCTX_FROM_CTX(ctx), ATTRIBUTE_FROM_CTX(ctx), key);
63 }
64 if ((key == NULL) && (ctx->config.tlsConfig.dhTmpCb != NULL)) {
65 key = ctx->config.tlsConfig.dhTmpCb(ctx, 0, TLS_DHE_PARAM_MAX_LEN);
66 }
67 /* Temporary DH security check */
68 ret = SAL_CERT_KeyCtrl(config, key, CERT_KEY_CTRL_GET_SECBITS, NULL, (void *)&secBits);
69 if (ret != HITLS_SUCCESS) {
70 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17161, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
71 "GET_SECBITS fail", 0, 0, 0, 0);
72 SAL_CRYPT_FreeDhKey(key);
73 return NULL;
74 }
75 #ifdef HITLS_TLS_FEATURE_SECURITY
76 ret = SECURITY_SslCheck((HITLS_Ctx *)ctx, HITLS_SECURITY_SECOP_TMP_DH, secBits, 0, key);
77 if (ret != SECURITY_SUCCESS) {
78 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17162, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
79 "SslCheck fail", 0, 0, 0, 0);
80 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INSUFFICIENT_SECURITY);
81 SAL_CRYPT_FreeDhKey(key);
82 return NULL;
83 }
84 #endif /* HITLS_TLS_FEATURE_SECURITY */
85 return key;
86 }
87 #endif /* HITLS_TLS_CONFIG_MANUAL_DH */
88
GetDhKeyBySecBits(TLS_Ctx * ctx)89 static HITLS_CRYPT_Key *GetDhKeyBySecBits(TLS_Ctx *ctx)
90 {
91 int32_t ret = HITLS_SUCCESS;
92 int32_t secBits = 0;
93 HITLS_Config *config = &ctx->config.tlsConfig;
94 CERT_MgrCtx *certMgrCtx = config->certMgrCtx;
95 KeyExchCtx *keyExCtx = ctx->hsCtx->kxCtx;
96 CipherSuiteInfo *cipherSuiteInfo = &ctx->negotiatedInfo.cipherSuiteInfo;
97 HITLS_CERT_X509 *cert = SAL_CERT_GetCurrentCert(certMgrCtx);
98
99 if ((keyExCtx->keyExchAlgo == HITLS_KEY_EXCH_DHE_PSK) ||
100 ((keyExCtx->keyExchAlgo == HITLS_KEY_EXCH_DHE) && (cipherSuiteInfo->authAlg == HITLS_AUTH_NULL))) {
101 secBits =
102 #ifdef HITLS_TLS_FEATURE_SECURITY
103 (SECURITY_GetSecbits(ctx->config.tlsConfig.securityLevel) != 0)
104 ? SECURITY_GetSecbits(ctx->config.tlsConfig.securityLevel)
105 :
106 #endif /* HITLS_TLS_FEATURE_SECURITY */
107 DEFAULT_DHE_PSK_BIT_NUM;
108 } else if (cert != NULL) {
109 HITLS_CERT_Key *pubkey = NULL;
110 (void)SAL_CERT_X509Ctrl(config, cert, CERT_CTRL_GET_PUB_KEY, NULL, (void *)&pubkey);
111 ret = SAL_CERT_KeyCtrl(config, pubkey, CERT_KEY_CTRL_GET_SECBITS, NULL, (void *)&secBits);
112 SAL_CERT_KeyFree(certMgrCtx, pubkey);
113 if (ret != HITLS_SUCCESS) {
114 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17163, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
115 "GET_SECBITS fail", 0, 0, 0, 0);
116 return NULL;
117 }
118 }
119
120 return SAL_CRYPT_GenerateDhKeyBySecbits(ctx, secBits);
121 }
122
GetDhKey(TLS_Ctx * ctx)123 static HITLS_CRYPT_Key *GetDhKey(TLS_Ctx *ctx)
124 {
125 HITLS_CRYPT_Key *key = NULL;
126 #ifdef HITLS_TLS_CONFIG_MANUAL_DH
127 if (!ctx->config.tlsConfig.isSupportDhAuto) {
128 key = GetDhKeyByDhTmp(ctx);
129 } else
130 #endif /* HITLS_TLS_CONFIG_MANUAL_DH */
131 {
132 key = GetDhKeyBySecBits(ctx);
133 }
134 return key;
135 }
136
137 // Generate the DH cipher suite parameters
GenDhCipherSuiteParams(TLS_Ctx * ctx)138 static int32_t GenDhCipherSuiteParams(TLS_Ctx *ctx)
139 {
140 HITLS_CRYPT_Key *key = GetDhKey(ctx);
141 if (key == NULL) {
142 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_ERR_GET_DH_KEY);
143 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15744, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
144 "get dh key error when processing dh cipher suite.", 0, 0, 0, 0);
145 return HITLS_MSG_HANDLE_ERR_GET_DH_KEY;
146 }
147
148 uint8_t p[TLS_DHE_PARAM_MAX_LEN] = {0};
149 uint8_t g[TLS_DHE_PARAM_MAX_LEN] = {0};
150 uint16_t pLen = TLS_DHE_PARAM_MAX_LEN;
151 uint16_t gLen = TLS_DHE_PARAM_MAX_LEN;
152
153 /* Get p and g */
154 if (SAL_CRYPT_GetDhParameters(key, p, &pLen, g, &gLen) != HITLS_SUCCESS) {
155 SAL_CRYPT_FreeDhKey(key);
156 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_ERR_GET_DH_PARAMETERS);
157 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15745, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
158 "get dh parameters error when processing dh cipher suite.", 0, 0, 0, 0);
159 return HITLS_MSG_HANDLE_ERR_GET_DH_PARAMETERS;
160 }
161 BSL_SAL_FREE(ctx->hsCtx->kxCtx->keyExchParam.dh.p);
162 ctx->hsCtx->kxCtx->keyExchParam.dh.p = BSL_SAL_Dump(p, pLen);
163 if (ctx->hsCtx->kxCtx->keyExchParam.dh.p == NULL) {
164 SAL_CRYPT_FreeDhKey(key);
165 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_ERR_GET_DH_PARAMETERS);
166 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16209, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
167 "get dh parameters error when processing dh cipher suite.", 0, 0, 0, 0);
168 return HITLS_MSG_HANDLE_ERR_GET_DH_PARAMETERS;
169 }
170 BSL_SAL_FREE(ctx->hsCtx->kxCtx->keyExchParam.dh.g);
171 ctx->hsCtx->kxCtx->keyExchParam.dh.g = BSL_SAL_Dump(g, gLen);
172 if (ctx->hsCtx->kxCtx->keyExchParam.dh.g == NULL) {
173 BSL_SAL_FREE(ctx->hsCtx->kxCtx->keyExchParam.dh.p);
174 SAL_CRYPT_FreeDhKey(key);
175 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_ERR_GET_DH_PARAMETERS);
176 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16210, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
177 "get dh parameters error when processing dh cipher suite.", 0, 0, 0, 0);
178 return HITLS_MSG_HANDLE_ERR_GET_DH_PARAMETERS;
179 }
180 ctx->hsCtx->kxCtx->keyExchParam.dh.plen = pLen;
181 ctx->hsCtx->kxCtx->keyExchParam.dh.glen = gLen;
182 ctx->hsCtx->kxCtx->key = key;
183 return HITLS_SUCCESS;
184 }
185 #endif /* HITLS_TLS_SUITE_KX_DHE */
PackExchMsgPrepare(TLS_Ctx * ctx)186 static int32_t PackExchMsgPrepare(TLS_Ctx *ctx)
187 {
188 int32_t ret = HITLS_SUCCESS;
189 HITLS_CRYPT_Key *key = NULL;
190 (void)ret;
191 (void)key;
192 switch (ctx->hsCtx->kxCtx->keyExchAlgo) {
193 #ifdef HITLS_TLS_SUITE_KX_ECDHE
194 case HITLS_KEY_EXCH_ECDHE: /* TLCP is included here. */
195 case HITLS_KEY_EXCH_ECDHE_PSK:
196 key = SAL_CRYPT_GenEcdhKeyPair(ctx, &ctx->hsCtx->kxCtx->keyExchParam.ecdh.curveParams);
197 if (key == NULL) {
198 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15746, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
199 "server generate ecdhe key pair error.", 0, 0, 0, 0);
200 return HITLS_CRYPT_ERR_ENCODE_ECDH_KEY;
201 }
202 ctx->hsCtx->kxCtx->key = key;
203 break;
204 #endif /* HITLS_TLS_SUITE_KX_ECDHE */
205 #ifdef HITLS_TLS_SUITE_KX_DHE
206 case HITLS_KEY_EXCH_DHE:
207 case HITLS_KEY_EXCH_DHE_PSK:
208 ret = GenDhCipherSuiteParams(ctx);
209 if (ret != HITLS_SUCCESS) {
210 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15747, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
211 "server generate dh key params error.", 0, 0, 0, 0);
212 return ret;
213 }
214 break;
215 #endif /* HITLS_TLS_SUITE_KX_DHE */
216 case HITLS_KEY_EXCH_PSK:
217 case HITLS_KEY_EXCH_RSA_PSK:
218 #ifdef HITLS_TLS_PROTO_TLCP11
219 case HITLS_KEY_EXCH_ECC:
220 #endif
221 break;
222 default:
223 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNSUPPORT_KX_ALG);
224 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15748, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
225 "unsupport kx algorithm when send server kx msg.", 0, 0, 0, 0);
226 return HITLS_MSG_HANDLE_UNSUPPORT_KX_ALG;
227 }
228
229 return HITLS_SUCCESS;
230 }
231
ServerSendServerKeyExchangeProcess(TLS_Ctx * ctx)232 int32_t ServerSendServerKeyExchangeProcess(TLS_Ctx *ctx)
233 {
234 int32_t ret = HITLS_SUCCESS;
235 HS_Ctx *hsCtx = (HS_Ctx *)ctx->hsCtx;
236
237 /* Determine whether the message needs to be packed */
238 if (hsCtx->msgLen == 0) {
239 ret = PackExchMsgPrepare(ctx);
240 if (ret != HITLS_SUCCESS) {
241 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15948, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
242 "Fail to PackExchMsgPrepare, ret = %d.", ret, 0, 0, 0);
243 return ret;
244 }
245
246 ret = HS_PackMsg(ctx, SERVER_KEY_EXCHANGE, hsCtx->msgBuf, REC_MAX_PLAIN_LENGTH, &hsCtx->msgLen);
247 if (ret != HITLS_SUCCESS) {
248 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15749, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
249 "Fail to pack Server Key Exchange Message, HS_PackMsg ret = %d", ret, 0, 0, 0);
250 return ret;
251 }
252 }
253
254 ret = HS_SendMsg(ctx);
255 if (ret != HITLS_SUCCESS) {
256 return ret;
257 }
258
259 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15750, BSL_LOG_LEVEL_INFO, BSL_LOG_BINLOG_TYPE_RUN,
260 "server send keyExchange msg success.", 0, 0, 0, 0);
261
262 /* Update the state machine. If the CertificateRequest message does not need to be sent, the system directly
263 * switches to theSend_SERVER_HELLO_DONE state */
264 if (ctx->negotiatedInfo.cipherSuiteInfo.authAlg != HITLS_AUTH_NULL &&
265 ctx->negotiatedInfo.cipherSuiteInfo.authAlg != HITLS_AUTH_PSK &&
266 (ctx->config.tlsConfig.isSupportClientVerify == true) &&
267 (SAL_CERT_GetCurrentCert(ctx->config.tlsConfig.certMgrCtx) != NULL)) {
268 if (ctx->negotiatedInfo.certReqSendTime < 1 || !(ctx->config.tlsConfig.isSupportClientOnceVerify)) {
269 return HS_ChangeState(ctx, TRY_SEND_CERTIFICATE_REQUEST);
270 }
271 }
272 /* Make sure the client will always send a certificate message, because ECDHE relies on the client's encrypted
273 * certificate, even if the client does not require authentication (isSupportClientVerify equals false). */
274 #ifdef HITLS_TLS_PROTO_TLCP11
275 if (ctx->negotiatedInfo.version == HITLS_VERSION_TLCP_DTLCP11 &&
276 ctx->negotiatedInfo.cipherSuiteInfo.kxAlg == HITLS_KEY_EXCH_ECDHE) {
277 return HS_ChangeState(ctx, TRY_SEND_CERTIFICATE_REQUEST);
278 }
279 #endif
280 return HS_ChangeState(ctx, TRY_SEND_SERVER_HELLO_DONE);
281 }
282 #endif /* HITLS_TLS_PROTO_TLS_BASIC || HITLS_TLS_PROTO_DTLS12 */
283 #endif /* HITLS_TLS_HOST_SERVER */