| # Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. |
| # |
| # Licensed under the Apache License 2.0 (the "License"). You may not use |
| # this file except in compliance with the License. You can obtain a copy |
| # in the file LICENSE in the source distribution or at |
| # https://www.openssl.org/source/license.html |
| |
| use strict; |
| |
| package TLSProxy::Message; |
| |
| use TLSProxy::Alert; |
| |
| use constant TLS_MESSAGE_HEADER_LENGTH => 4; |
| |
| #Message types |
| use constant { |
| MT_HELLO_REQUEST => 0, |
| MT_CLIENT_HELLO => 1, |
| MT_SERVER_HELLO => 2, |
| MT_NEW_SESSION_TICKET => 4, |
| MT_ENCRYPTED_EXTENSIONS => 8, |
| MT_CERTIFICATE => 11, |
| MT_SERVER_KEY_EXCHANGE => 12, |
| MT_CERTIFICATE_REQUEST => 13, |
| MT_SERVER_HELLO_DONE => 14, |
| MT_CERTIFICATE_VERIFY => 15, |
| MT_CLIENT_KEY_EXCHANGE => 16, |
| MT_FINISHED => 20, |
| MT_CERTIFICATE_STATUS => 22, |
| MT_NEXT_PROTO => 67 |
| }; |
| |
| #Alert levels |
| use constant { |
| AL_LEVEL_WARN => 1, |
| AL_LEVEL_FATAL => 2 |
| }; |
| |
| #Alert descriptions |
| use constant { |
| AL_DESC_CLOSE_NOTIFY => 0, |
| AL_DESC_UNEXPECTED_MESSAGE => 10, |
| AL_DESC_ILLEGAL_PARAMETER => 47, |
| AL_DESC_NO_RENEGOTIATION => 100 |
| }; |
| |
| my %message_type = ( |
| MT_HELLO_REQUEST, "HelloRequest", |
| MT_CLIENT_HELLO, "ClientHello", |
| MT_SERVER_HELLO, "ServerHello", |
| MT_NEW_SESSION_TICKET, "NewSessionTicket", |
| MT_ENCRYPTED_EXTENSIONS, "EncryptedExtensions", |
| MT_CERTIFICATE, "Certificate", |
| MT_SERVER_KEY_EXCHANGE, "ServerKeyExchange", |
| MT_CERTIFICATE_REQUEST, "CertificateRequest", |
| MT_SERVER_HELLO_DONE, "ServerHelloDone", |
| MT_CERTIFICATE_VERIFY, "CertificateVerify", |
| MT_CLIENT_KEY_EXCHANGE, "ClientKeyExchange", |
| MT_FINISHED, "Finished", |
| MT_CERTIFICATE_STATUS, "CertificateStatus", |
| MT_NEXT_PROTO, "NextProto" |
| ); |
| |
| use constant { |
| EXT_SERVER_NAME => 0, |
| EXT_MAX_FRAGMENT_LENGTH => 1, |
| EXT_STATUS_REQUEST => 5, |
| EXT_SUPPORTED_GROUPS => 10, |
| EXT_EC_POINT_FORMATS => 11, |
| EXT_SRP => 12, |
| EXT_SIG_ALGS => 13, |
| EXT_USE_SRTP => 14, |
| EXT_ALPN => 16, |
| EXT_SCT => 18, |
| EXT_PADDING => 21, |
| EXT_ENCRYPT_THEN_MAC => 22, |
| EXT_EXTENDED_MASTER_SECRET => 23, |
| EXT_SESSION_TICKET => 35, |
| EXT_KEY_SHARE => 51, |
| EXT_PSK => 41, |
| EXT_SUPPORTED_VERSIONS => 43, |
| EXT_COOKIE => 44, |
| EXT_PSK_KEX_MODES => 45, |
| EXT_POST_HANDSHAKE_AUTH => 49, |
| EXT_SIG_ALGS_CERT => 50, |
| EXT_RENEGOTIATE => 65281, |
| EXT_NPN => 13172, |
| EXT_CRYPTOPRO_BUG_EXTENSION => 0xfde8, |
| EXT_UNKNOWN => 0xfffe, |
| #Unknown extension that should appear last |
| EXT_FORCE_LAST => 0xffff |
| }; |
| |
| # SignatureScheme of TLS 1.3 from: |
| # https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-signaturescheme |
| # We have to manually grab the SHA224 equivalents from the old registry |
| use constant { |
| SIG_ALG_RSA_PKCS1_SHA256 => 0x0401, |
| SIG_ALG_RSA_PKCS1_SHA384 => 0x0501, |
| SIG_ALG_RSA_PKCS1_SHA512 => 0x0601, |
| SIG_ALG_ECDSA_SECP256R1_SHA256 => 0x0403, |
| SIG_ALG_ECDSA_SECP384R1_SHA384 => 0x0503, |
| SIG_ALG_ECDSA_SECP521R1_SHA512 => 0x0603, |
| SIG_ALG_RSA_PSS_RSAE_SHA256 => 0x0804, |
| SIG_ALG_RSA_PSS_RSAE_SHA384 => 0x0805, |
| SIG_ALG_RSA_PSS_RSAE_SHA512 => 0x0806, |
| SIG_ALG_ED25519 => 0x0807, |
| SIG_ALG_ED448 => 0x0808, |
| SIG_ALG_RSA_PSS_PSS_SHA256 => 0x0809, |
| SIG_ALG_RSA_PSS_PSS_SHA384 => 0x080a, |
| SIG_ALG_RSA_PSS_PSS_SHA512 => 0x080b, |
| SIG_ALG_RSA_PKCS1_SHA1 => 0x0201, |
| SIG_ALG_ECDSA_SHA1 => 0x0203, |
| SIG_ALG_DSA_SHA1 => 0x0202, |
| SIG_ALG_DSA_SHA256 => 0x0402, |
| SIG_ALG_DSA_SHA384 => 0x0502, |
| SIG_ALG_DSA_SHA512 => 0x0602, |
| OSSL_SIG_ALG_RSA_PKCS1_SHA224 => 0x0301, |
| OSSL_SIG_ALG_DSA_SHA224 => 0x0302, |
| OSSL_SIG_ALG_ECDSA_SHA224 => 0x0303 |
| }; |
| |
| use constant { |
| CIPHER_RSA_WITH_AES_128_CBC_SHA => 0x002f, |
| CIPHER_DHE_RSA_AES_128_SHA => 0x0033, |
| CIPHER_ADH_AES_128_SHA => 0x0034, |
| CIPHER_TLS13_AES_128_GCM_SHA256 => 0x1301, |
| CIPHER_TLS13_AES_256_GCM_SHA384 => 0x1302 |
| }; |
| |
| use constant { |
| CLIENT => 0, |
| SERVER => 1 |
| }; |
| |
| my $payload = ""; |
| my $messlen = -1; |
| my $mt; |
| my $startoffset = -1; |
| my $server = 0; |
| my $success = 0; |
| my $end = 0; |
| my @message_rec_list = (); |
| my @message_frag_lens = (); |
| my $ciphersuite = 0; |
| my $successondata = 0; |
| my $alert; |
| |
| sub clear |
| { |
| $payload = ""; |
| $messlen = -1; |
| $startoffset = -1; |
| $server = 0; |
| $success = 0; |
| $end = 0; |
| $successondata = 0; |
| @message_rec_list = (); |
| @message_frag_lens = (); |
| $alert = undef; |
| } |
| |
| #Class method to extract messages from a record |
| sub get_messages |
| { |
| my $class = shift; |
| my $serverin = shift; |
| my $record = shift; |
| my @messages = (); |
| my $message; |
| |
| @message_frag_lens = (); |
| |
| if ($serverin != $server && length($payload) != 0) { |
| die "Changed peer, but we still have fragment data\n"; |
| } |
| $server = $serverin; |
| |
| if ($record->content_type == TLSProxy::Record::RT_CCS) { |
| if ($payload ne "") { |
| #We can't handle this yet |
| die "CCS received before message data complete\n"; |
| } |
| if (!TLSProxy::Proxy->is_tls13()) { |
| if ($server) { |
| TLSProxy::Record->server_encrypting(1); |
| } else { |
| TLSProxy::Record->client_encrypting(1); |
| } |
| } |
| } elsif ($record->content_type == TLSProxy::Record::RT_HANDSHAKE) { |
| if ($record->len == 0 || $record->len_real == 0) { |
| print " Message truncated\n"; |
| } else { |
| my $recoffset = 0; |
| |
| if (length $payload > 0) { |
| #We are continuing processing a message started in a previous |
| #record. Add this record to the list associated with this |
| #message |
| push @message_rec_list, $record; |
| |
| if ($messlen <= length($payload)) { |
| #Shouldn't happen |
| die "Internal error: invalid messlen: ".$messlen |
| ." payload length:".length($payload)."\n"; |
| } |
| if (length($payload) + $record->decrypt_len >= $messlen) { |
| #We can complete the message with this record |
| $recoffset = $messlen - length($payload); |
| $payload .= substr($record->decrypt_data, 0, $recoffset); |
| push @message_frag_lens, $recoffset; |
| $message = create_message($server, $mt, $payload, |
| $startoffset); |
| push @messages, $message; |
| |
| $payload = ""; |
| } else { |
| #This is just part of the total message |
| $payload .= $record->decrypt_data; |
| $recoffset = $record->decrypt_len; |
| push @message_frag_lens, $record->decrypt_len; |
| } |
| print " Partial message data read: ".$recoffset." bytes\n"; |
| } |
| |
| while ($record->decrypt_len > $recoffset) { |
| #We are at the start of a new message |
| if ($record->decrypt_len - $recoffset < 4) { |
| #Whilst technically probably valid we can't cope with this |
| die "End of record in the middle of a message header\n"; |
| } |
| @message_rec_list = ($record); |
| my $lenhi; |
| my $lenlo; |
| ($mt, $lenhi, $lenlo) = unpack('CnC', |
| substr($record->decrypt_data, |
| $recoffset)); |
| $messlen = ($lenhi << 8) | $lenlo; |
| print " Message type: $message_type{$mt}\n"; |
| print " Message Length: $messlen\n"; |
| $startoffset = $recoffset; |
| $recoffset += 4; |
| $payload = ""; |
| |
| if ($recoffset <= $record->decrypt_len) { |
| #Some payload data is present in this record |
| if ($record->decrypt_len - $recoffset >= $messlen) { |
| #We can complete the message with this record |
| $payload .= substr($record->decrypt_data, $recoffset, |
| $messlen); |
| $recoffset += $messlen; |
| push @message_frag_lens, $messlen; |
| $message = create_message($server, $mt, $payload, |
| $startoffset); |
| push @messages, $message; |
| |
| $payload = ""; |
| } else { |
| #This is just part of the total message |
| $payload .= substr($record->decrypt_data, $recoffset, |
| $record->decrypt_len - $recoffset); |
| $recoffset = $record->decrypt_len; |
| push @message_frag_lens, $recoffset; |
| } |
| } |
| } |
| } |
| } elsif ($record->content_type == TLSProxy::Record::RT_APPLICATION_DATA) { |
| print " [ENCRYPTED APPLICATION DATA]\n"; |
| print " [".$record->decrypt_data."]\n"; |
| |
| if ($successondata) { |
| $success = 1; |
| $end = 1; |
| } |
| } elsif ($record->content_type == TLSProxy::Record::RT_ALERT) { |
| my ($alertlev, $alertdesc) = unpack('CC', $record->decrypt_data); |
| print " [$alertlev, $alertdesc]\n"; |
| #A CloseNotify from the client indicates we have finished successfully |
| #(we assume) |
| if (!$end && !$server && $alertlev == AL_LEVEL_WARN |
| && $alertdesc == AL_DESC_CLOSE_NOTIFY) { |
| $success = 1; |
| } |
| #Fatal or close notify alerts end the test |
| if ($alertlev == AL_LEVEL_FATAL || $alertdesc == AL_DESC_CLOSE_NOTIFY) { |
| $end = 1; |
| } |
| $alert = TLSProxy::Alert->new( |
| $server, |
| $record->encrypted, |
| $alertlev, |
| $alertdesc); |
| } |
| |
| return @messages; |
| } |
| |
| #Function to work out which sub-class we need to create and then |
| #construct it |
| sub create_message |
| { |
| my ($server, $mt, $data, $startoffset) = @_; |
| my $message; |
| |
| #We only support ClientHello in this version...needs to be extended for |
| #others |
| if ($mt == MT_CLIENT_HELLO) { |
| $message = TLSProxy::ClientHello->new( |
| $server, |
| $data, |
| [@message_rec_list], |
| $startoffset, |
| [@message_frag_lens] |
| ); |
| $message->parse(); |
| } elsif ($mt == MT_SERVER_HELLO) { |
| $message = TLSProxy::ServerHello->new( |
| $server, |
| $data, |
| [@message_rec_list], |
| $startoffset, |
| [@message_frag_lens] |
| ); |
| $message->parse(); |
| } elsif ($mt == MT_ENCRYPTED_EXTENSIONS) { |
| $message = TLSProxy::EncryptedExtensions->new( |
| $server, |
| $data, |
| [@message_rec_list], |
| $startoffset, |
| [@message_frag_lens] |
| ); |
| $message->parse(); |
| } elsif ($mt == MT_CERTIFICATE) { |
| $message = TLSProxy::Certificate->new( |
| $server, |
| $data, |
| [@message_rec_list], |
| $startoffset, |
| [@message_frag_lens] |
| ); |
| $message->parse(); |
| } elsif ($mt == MT_CERTIFICATE_REQUEST) { |
| $message = TLSProxy::CertificateRequest->new( |
| $server, |
| $data, |
| [@message_rec_list], |
| $startoffset, |
| [@message_frag_lens] |
| ); |
| $message->parse(); |
| } elsif ($mt == MT_CERTIFICATE_VERIFY) { |
| $message = TLSProxy::CertificateVerify->new( |
| $server, |
| $data, |
| [@message_rec_list], |
| $startoffset, |
| [@message_frag_lens] |
| ); |
| $message->parse(); |
| } elsif ($mt == MT_SERVER_KEY_EXCHANGE) { |
| $message = TLSProxy::ServerKeyExchange->new( |
| $server, |
| $data, |
| [@message_rec_list], |
| $startoffset, |
| [@message_frag_lens] |
| ); |
| $message->parse(); |
| } elsif ($mt == MT_NEW_SESSION_TICKET) { |
| $message = TLSProxy::NewSessionTicket->new( |
| $server, |
| $data, |
| [@message_rec_list], |
| $startoffset, |
| [@message_frag_lens] |
| ); |
| $message->parse(); |
| } else { |
| #Unknown message type |
| $message = TLSProxy::Message->new( |
| $server, |
| $mt, |
| $data, |
| [@message_rec_list], |
| $startoffset, |
| [@message_frag_lens] |
| ); |
| } |
| |
| return $message; |
| } |
| |
| sub end |
| { |
| my $class = shift; |
| return $end; |
| } |
| sub success |
| { |
| my $class = shift; |
| return $success; |
| } |
| sub fail |
| { |
| my $class = shift; |
| return !$success && $end; |
| } |
| |
| sub alert |
| { |
| return $alert; |
| } |
| |
| sub new |
| { |
| my $class = shift; |
| my ($server, |
| $mt, |
| $data, |
| $records, |
| $startoffset, |
| $message_frag_lens) = @_; |
| |
| my $self = { |
| server => $server, |
| data => $data, |
| records => $records, |
| mt => $mt, |
| startoffset => $startoffset, |
| message_frag_lens => $message_frag_lens, |
| dupext => -1 |
| }; |
| |
| return bless $self, $class; |
| } |
| |
| sub ciphersuite |
| { |
| my $class = shift; |
| if (@_) { |
| $ciphersuite = shift; |
| } |
| return $ciphersuite; |
| } |
| |
| #Update all the underlying records with the modified data from this message |
| #Note: Only supports TLSv1.3 and ETM encryption |
| sub repack |
| { |
| my $self = shift; |
| my $msgdata; |
| |
| my $numrecs = $#{$self->records}; |
| |
| $self->set_message_contents(); |
| |
| my $lenhi; |
| my $lenlo; |
| |
| $lenlo = length($self->data) & 0xff; |
| $lenhi = length($self->data) >> 8; |
| $msgdata = pack('CnC', $self->mt, $lenhi, $lenlo).$self->data; |
| |
| if ($numrecs == 0) { |
| #The message is fully contained within one record |
| my ($rec) = @{$self->records}; |
| my $recdata = $rec->decrypt_data; |
| |
| my $old_length; |
| |
| # We use empty message_frag_lens to indicates that pre-repacking, |
| # the message wasn't present. The first fragment length doesn't include |
| # the TLS header, so we need to check and compute the right length. |
| if (@{$self->message_frag_lens}) { |
| $old_length = ${$self->message_frag_lens}[0] + |
| TLS_MESSAGE_HEADER_LENGTH; |
| } else { |
| $old_length = 0; |
| } |
| |
| my $prefix = substr($recdata, 0, $self->startoffset); |
| my $suffix = substr($recdata, $self->startoffset + $old_length); |
| |
| $rec->decrypt_data($prefix.($msgdata).($suffix)); |
| # TODO(openssl-team): don't keep explicit lengths. |
| # (If a length override is ever needed to construct invalid packets, |
| # use an explicit override field instead.) |
| $rec->decrypt_len(length($rec->decrypt_data)); |
| # Only support re-encryption for TLSv1.3 and ETM. |
| if ($rec->encrypted()) { |
| if (TLSProxy::Proxy->is_tls13()) { |
| #Add content type (1 byte) and 16 tag bytes |
| $rec->data($rec->decrypt_data |
| .pack("C", TLSProxy::Record::RT_HANDSHAKE).("\0"x16)); |
| } elsif ($rec->etm()) { |
| my $data = $rec->decrypt_data; |
| #Add padding |
| my $padval = length($data) % 16; |
| $padval = 15 - $padval; |
| for (0..$padval) { |
| $data .= pack("C", $padval); |
| } |
| |
| #Add MAC. Assumed to be 20 bytes |
| foreach my $macval (0..19) { |
| $data .= pack("C", $macval); |
| } |
| |
| if ($rec->version() >= TLSProxy::Record::VERS_TLS_1_1) { |
| #Explicit IV |
| $data = ("\0"x16).$data; |
| } |
| $rec->data($data); |
| } else { |
| die "Unsupported encryption: No ETM"; |
| } |
| } else { |
| $rec->data($rec->decrypt_data); |
| } |
| $rec->len(length($rec->data)); |
| |
| #Update the fragment len in case we changed it above |
| ${$self->message_frag_lens}[0] = length($msgdata) |
| - TLS_MESSAGE_HEADER_LENGTH; |
| return; |
| } |
| |
| #Note we don't currently support changing a fragmented message length |
| my $recctr = 0; |
| my $datadone = 0; |
| foreach my $rec (@{$self->records}) { |
| my $recdata = $rec->decrypt_data; |
| if ($recctr == 0) { |
| #This is the first record |
| my $remainlen = length($recdata) - $self->startoffset; |
| $rec->data(substr($recdata, 0, $self->startoffset) |
| .substr(($msgdata), 0, $remainlen)); |
| $datadone += $remainlen; |
| } elsif ($recctr + 1 == $numrecs) { |
| #This is the last record |
| $rec->data(substr($msgdata, $datadone)); |
| } else { |
| #This is a middle record |
| $rec->data(substr($msgdata, $datadone, length($rec->data))); |
| $datadone += length($rec->data); |
| } |
| $recctr++; |
| } |
| } |
| |
| #To be overridden by sub-classes |
| sub set_message_contents |
| { |
| } |
| |
| #Read only accessors |
| sub server |
| { |
| my $self = shift; |
| return $self->{server}; |
| } |
| |
| #Read/write accessors |
| sub mt |
| { |
| my $self = shift; |
| if (@_) { |
| $self->{mt} = shift; |
| } |
| return $self->{mt}; |
| } |
| sub data |
| { |
| my $self = shift; |
| if (@_) { |
| $self->{data} = shift; |
| } |
| return $self->{data}; |
| } |
| sub records |
| { |
| my $self = shift; |
| if (@_) { |
| $self->{records} = shift; |
| } |
| return $self->{records}; |
| } |
| sub startoffset |
| { |
| my $self = shift; |
| if (@_) { |
| $self->{startoffset} = shift; |
| } |
| return $self->{startoffset}; |
| } |
| sub message_frag_lens |
| { |
| my $self = shift; |
| if (@_) { |
| $self->{message_frag_lens} = shift; |
| } |
| return $self->{message_frag_lens}; |
| } |
| sub encoded_length |
| { |
| my $self = shift; |
| return TLS_MESSAGE_HEADER_LENGTH + length($self->data); |
| } |
| sub dupext |
| { |
| my $self = shift; |
| if (@_) { |
| $self->{dupext} = shift; |
| } |
| return $self->{dupext}; |
| } |
| sub successondata |
| { |
| my $class = shift; |
| if (@_) { |
| $successondata = shift; |
| } |
| return $successondata; |
| } |
| 1; |
