From 2d71de0765cbc92f064a29e03aab8ff88725deb4 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Sat, 8 Jul 2023 23:19:24 +0700 Subject: DTLS: refactoring around extended_master_secret - especially the interaction with session resumption and the methods relating to use of EMS. --- crypto/src/tls/DtlsClientProtocol.cs | 243 +++++++++++++++++------------ crypto/src/tls/DtlsServerProtocol.cs | 286 ++++++++++++++++++++--------------- crypto/src/tls/TlsClientProtocol.cs | 12 +- crypto/src/tls/TlsServerProtocol.cs | 2 +- 4 files changed, 317 insertions(+), 226 deletions(-) diff --git a/crypto/src/tls/DtlsClientProtocol.cs b/crypto/src/tls/DtlsClientProtocol.cs index eec920c4a..da39320ea 100644 --- a/crypto/src/tls/DtlsClientProtocol.cs +++ b/crypto/src/tls/DtlsClientProtocol.cs @@ -35,27 +35,6 @@ namespace Org.BouncyCastle.Tls SecurityParameters securityParameters = clientContext.SecurityParameters; securityParameters.m_extendedPadding = client.ShouldUseExtendedPadding(); - TlsSession sessionToResume = client.GetSessionToResume(); - if (sessionToResume != null && sessionToResume.IsResumable) - { - SessionParameters sessionParameters = sessionToResume.ExportSessionParameters(); - - if (sessionParameters != null - && (sessionParameters.IsExtendedMasterSecret - || (!client.RequiresExtendedMasterSecret() && client.AllowLegacyResumption()))) - { - TlsCrypto crypto = clientContext.Crypto; - TlsSecret sessionMasterSecret = TlsUtilities.GetSessionMasterSecret(crypto, - sessionParameters.MasterSecret); - if (sessionMasterSecret != null) - { - state.tlsSession = sessionToResume; - state.sessionParameters = sessionParameters; - state.sessionMasterSecret = sessionMasterSecret; - } - } - } - DtlsRecordLayer recordLayer = new DtlsRecordLayer(clientContext, client, transport); client.NotifyCloseHandle(recordLayer); @@ -129,6 +108,8 @@ namespace Org.BouncyCastle.Tls recordLayer.SetWriteVersion(recordLayerVersion); ProcessServerHello(state, serverMessage.Body); + + ApplyMaxFragmentLengthExtension(recordLayer, securityParameters.MaxFragmentLength); } else { @@ -137,8 +118,6 @@ namespace Org.BouncyCastle.Tls handshake.HandshakeHash.NotifyPrfDetermined(); - ApplyMaxFragmentLengthExtension(recordLayer, securityParameters.MaxFragmentLength); - if (securityParameters.IsResumedSession) { securityParameters.m_masterSecret = state.sessionMasterSecret; @@ -412,7 +391,7 @@ namespace Org.BouncyCastle.Tls ProtocolVersion[] supportedVersions = client.GetProtocolVersions(); - //ProtocolVersion earliestVersion = ProtocolVersion.GetEarliestDtls(supportedVersions); + ProtocolVersion earliestVersion = ProtocolVersion.GetEarliestDtls(supportedVersions); ProtocolVersion latestVersion = ProtocolVersion.GetLatestDtls(supportedVersions); if (!ProtocolVersion.IsSupportedDtlsVersionClient(latestVersion)) @@ -421,7 +400,7 @@ namespace Org.BouncyCastle.Tls clientContext.SetClientVersion(latestVersion); clientContext.SetClientSupportedVersions(supportedVersions); - //bool offeringDtlsV12Minus = ProtocolVersion.DTLSv12.IsEqualOrLaterVersionOf(earliestVersion); + bool offeringDtlsV12Minus = ProtocolVersion.DTLSv12.IsEqualOrLaterVersionOf(earliestVersion); bool offeringDtlsV13Plus = ProtocolVersion.DTLSv13.IsEqualOrEarlierVersionOf(latestVersion); { @@ -430,12 +409,18 @@ namespace Org.BouncyCastle.Tls securityParameters.m_clientRandom = TlsProtocol.CreateRandomBlock(useGmtUnixTime, clientContext); } + TlsSession sessionToResume = offeringDtlsV12Minus ? client.GetSessionToResume() : null; + bool fallback = client.IsFallback(); state.offeredCipherSuites = client.GetCipherSuites(); state.clientExtensions = TlsExtensionsUtilities.EnsureExtensionsInitialised(client.GetClientExtensions()); + bool shouldUseEms = client.ShouldUseExtendedMasterSecret(); + + EstablishSession(state, sessionToResume); + byte[] legacy_session_id = TlsUtilities.GetSessionID(state.tlsSession); if (legacy_session_id.Length > 0) @@ -457,7 +442,31 @@ namespace Org.BouncyCastle.Tls } } - client.NotifySessionToResume(legacy_session_id.Length < 1 ? null : state.tlsSession); + if (legacy_session_id.Length > 0 && TlsUtilities.IsExtendedMasterSecretOptional(sessionVersion)) + { + if (shouldUseEms) + { + if (!state.sessionParameters.IsExtendedMasterSecret && + !client.AllowLegacyResumption()) + { + legacy_session_id = TlsUtilities.EmptyBytes; + } + } + else + { + if (state.sessionParameters.IsExtendedMasterSecret) + { + legacy_session_id = TlsUtilities.EmptyBytes; + } + } + } + + if (legacy_session_id.Length < 1) + { + CancelSession(state); + } + + client.NotifySessionToResume(state.tlsSession); ProtocolVersion legacy_version = latestVersion; if (offeringDtlsV13Plus) @@ -493,15 +502,13 @@ namespace Org.BouncyCastle.Tls state.clientAgreements = TlsUtilities.AddKeyShareToClientHello(clientContext, client, state.clientExtensions); - if (TlsUtilities.IsExtendedMasterSecretOptional(supportedVersions) - && client.ShouldUseExtendedMasterSecret()) + if (shouldUseEms && TlsUtilities.IsExtendedMasterSecretOptional(supportedVersions)) { TlsExtensionsUtilities.AddExtendedMasterSecretExtension(state.clientExtensions); } - else if (!offeringDtlsV13Plus - && client.RequiresExtendedMasterSecret()) + else { - throw new TlsFatalAlert(AlertDescription.internal_error); + state.clientExtensions.Remove(ExtensionType.extended_master_secret); } // Cipher Suites (and SCSV) @@ -572,7 +579,7 @@ namespace Org.BouncyCastle.Tls return buf.ToArray(); } - protected virtual void InvalidateSession(ClientHandshakeState state) + protected virtual void CancelSession(ClientHandshakeState state) { if (state.sessionMasterSecret != null) { @@ -586,11 +593,53 @@ namespace Org.BouncyCastle.Tls state.sessionParameters = null; } + state.tlsSession = null; + } + + protected virtual bool EstablishSession(ClientHandshakeState state, TlsSession sessionToResume) + { + state.tlsSession = null; + state.sessionParameters = null; + state.sessionMasterSecret = null; + + if (null == sessionToResume || !sessionToResume.IsResumable) + return false; + + SessionParameters sessionParameters = sessionToResume.ExportSessionParameters(); + if (null == sessionParameters) + return false; + + ProtocolVersion sessionVersion = sessionParameters.NegotiatedVersion; + if (null == sessionVersion || !sessionVersion.IsDtls) + return false; + + bool isEms = sessionParameters.IsExtendedMasterSecret; + if (!TlsUtilities.IsExtendedMasterSecretOptional(sessionVersion)) + { + if (!isEms) + return false; + } + + TlsCrypto crypto = state.clientContext.Crypto; + TlsSecret sessionMasterSecret = TlsUtilities.GetSessionMasterSecret(crypto, sessionParameters.MasterSecret); + if (null == sessionMasterSecret) + return false; + + state.tlsSession = sessionToResume; + state.sessionParameters = sessionParameters; + state.sessionMasterSecret = sessionMasterSecret; + + return true; + } + + protected virtual void InvalidateSession(ClientHandshakeState state) + { if (state.tlsSession != null) { state.tlsSession.Invalidate(); - state.tlsSession = null; } + + CancelSession(state); } /// @@ -685,11 +734,11 @@ namespace Org.BouncyCastle.Tls MemoryStream buf = new MemoryStream(body, false); ServerHello serverHello = ServerHello.Parse(buf); - state.serverExtensions = serverHello.Extensions; + var serverHelloExtensions = serverHello.Extensions; ProtocolVersion legacy_version = serverHello.Version; ProtocolVersion supported_version = TlsExtensionsUtilities.GetSupportedVersionsExtensionServer( - state.serverExtensions); + serverHelloExtensions); ProtocolVersion server_version; if (null == supported_version) @@ -773,64 +822,16 @@ namespace Org.BouncyCastle.Tls client.NotifySelectedCipherSuite(cipherSuite); } - /* - * RFC3546 2.2 The extended server hello message format MAY be sent in place of the server - * hello message when the client has requested extended functionality via the extended - * client hello message specified in Section 2.1. ... Note that the extended server hello - * message is only sent in response to an extended client hello message. This prevents the - * possibility that the extended server hello message could "break" existing TLS 1.0 - * clients. - */ - - /* - * TODO RFC 3546 2.3 If [...] the older session is resumed, then the server MUST ignore - * extensions appearing in the client hello, and send a server hello containing no - * extensions. - */ - - /* - * RFC 7627 4. Clients and servers SHOULD NOT accept handshakes that do not use the extended - * master secret [..]. (and see 5.2, 5.3) - * - * RFC 8446 Appendix D. Because TLS 1.3 always hashes in the transcript up to the server - * Finished, implementations which support both TLS 1.3 and earlier versions SHOULD indicate - * the use of the Extended Master Secret extension in their APIs whenever TLS 1.3 is used. - */ - if (TlsUtilities.IsTlsV13(server_version)) - { - securityParameters.m_extendedMasterSecret = true; - } - else - { - bool acceptedExtendedMasterSecret = TlsExtensionsUtilities.HasExtendedMasterSecretExtension( - state.serverExtensions); - - if (acceptedExtendedMasterSecret) - { - if (!securityParameters.IsResumedSession && !client.ShouldUseExtendedMasterSecret()) - throw new TlsFatalAlert(AlertDescription.handshake_failure); - } - else - { - if (client.RequiresExtendedMasterSecret() - || (securityParameters.IsResumedSession && !client.AllowLegacyResumption())) - { - throw new TlsFatalAlert(AlertDescription.handshake_failure); - } - } - - securityParameters.m_extendedMasterSecret = acceptedExtendedMasterSecret; - } - /* * * RFC 3546 2.2 Note that the extended server hello message is only sent in response to an * extended client hello message. However, see RFC 5746 exception below. We always include * the SCSV, so an Extended Server Hello is always allowed. */ - if (state.serverExtensions != null) + state.serverExtensions = serverHelloExtensions; + if (serverHelloExtensions != null) { - foreach (int extType in state.serverExtensions.Keys) + foreach (int extType in serverHelloExtensions.Keys) { /* * RFC 5746 3.6. Note that sending a "renegotiation_info" extension in response to a @@ -867,17 +868,30 @@ namespace Org.BouncyCastle.Tls } } - /* - * RFC 5746 3.4. Client Behavior: Initial Handshake - */ + byte[] renegExtData = TlsUtilities.GetExtensionData(serverHelloExtensions, + ExtensionType.renegotiation_info); + + // NOT renegotiating { + /* + * RFC 5746 3.4. Client Behavior: Initial Handshake (both full and session-resumption) + */ + /* * When a ServerHello is received, the client MUST check if it includes the * "renegotiation_info" extension: */ - byte[] renegExtData = TlsUtilities.GetExtensionData(state.serverExtensions, - ExtensionType.renegotiation_info); - if (renegExtData != null) + if (renegExtData == null) + { + /* + * If the extension is not present, the server does not support secure + * renegotiation; set secure_renegotiation flag to FALSE. In this case, some clients + * may want to terminate the handshake instead of continuing; see Section 4.1 for + * discussion. + */ + securityParameters.m_secureRenegotiation = false; + } + else { /* * If the extension is present, set the secure_renegotiation flag to TRUE. The @@ -898,13 +912,50 @@ namespace Org.BouncyCastle.Tls // TODO[compat-gnutls] GnuTLS test server fails to send renegotiation_info extension when resuming client.NotifySecureRenegotiation(securityParameters.IsSecureRenegotiation); + // extended_master_secret + { + bool negotiatedEms = false; + + if (TlsExtensionsUtilities.HasExtendedMasterSecretExtension(state.clientExtensions)) + { + negotiatedEms = TlsExtensionsUtilities.HasExtendedMasterSecretExtension(serverHelloExtensions); + + if (TlsUtilities.IsExtendedMasterSecretOptional(server_version)) + { + if (!negotiatedEms && + client.RequiresExtendedMasterSecret()) + { + throw new TlsFatalAlert(AlertDescription.handshake_failure, + "Extended Master Secret extension is required"); + } + } + else + { + if (negotiatedEms) + { + throw new TlsFatalAlert(AlertDescription.illegal_parameter, + "Server sent an unexpected extended_master_secret extension negotiating " + server_version); + } + } + } + + securityParameters.m_extendedMasterSecret = negotiatedEms; + } + + if (securityParameters.IsResumedSession && + securityParameters.IsExtendedMasterSecret != state.sessionParameters.IsExtendedMasterSecret) + { + throw new TlsFatalAlert(AlertDescription.handshake_failure, + "Server resumed session with mismatched extended_master_secret negotiation"); + } + /* * RFC 7301 3.1. When session resumption or session tickets [...] are used, the previous * contents of this extension are irrelevant, and only the values in the new handshake * messages are considered. */ securityParameters.m_applicationProtocol = TlsExtensionsUtilities.GetAlpnExtensionServer( - state.serverExtensions); + serverHelloExtensions); securityParameters.m_applicationProtocolSet = true; // Connection ID @@ -914,7 +965,7 @@ namespace Org.BouncyCastle.Tls * RFC 9146 3. When a DTLS session is resumed or renegotiated, the "connection_id" extension is * negotiated afresh. */ - var serverConnectionID = TlsExtensionsUtilities.GetConnectionIDExtension(state.serverExtensions); + var serverConnectionID = TlsExtensionsUtilities.GetConnectionIDExtension(serverHelloExtensions); if (serverConnectionID != null) { var clientConnectionID = TlsExtensionsUtilities.GetConnectionIDExtension(state.clientExtensions) @@ -928,7 +979,7 @@ namespace Org.BouncyCastle.Tls // Heartbeats { HeartbeatExtension heartbeatExtension = TlsExtensionsUtilities.GetHeartbeatExtension( - state.serverExtensions); + serverHelloExtensions); if (null == heartbeatExtension) { state.heartbeat = null; @@ -941,7 +992,7 @@ namespace Org.BouncyCastle.Tls } var sessionClientExtensions = state.clientExtensions; - var sessionServerExtensions = state.serverExtensions; + var sessionServerExtensions = serverHelloExtensions; if (securityParameters.IsResumedSession) { diff --git a/crypto/src/tls/DtlsServerProtocol.cs b/crypto/src/tls/DtlsServerProtocol.cs index e3f2d7564..0116bb9e6 100644 --- a/crypto/src/tls/DtlsServerProtocol.cs +++ b/crypto/src/tls/DtlsServerProtocol.cs @@ -1,4 +1,5 @@ using System; +using System.Collections; using System.Collections.Generic; using System.IO; @@ -119,25 +120,6 @@ namespace Org.BouncyCastle.Tls ProcessClientHello(state, request.ClientHello); } - /* - * NOTE: Currently no server support for session resumption - * - * If adding support, ensure securityParameters.tlsUnique is set to the localVerifyData, but - * ONLY when extended_master_secret has been negotiated (otherwise NULL). - */ - { - // TODO[resumption] - - state.tlsSession = TlsUtilities.ImportSession(TlsUtilities.EmptyBytes, null); - state.sessionParameters = null; - state.sessionMasterSecret = null; - } - - securityParameters.m_resumedSession = false; - securityParameters.m_sessionID = state.tlsSession.SessionID; - - server.NotifySession(state.tlsSession); - { byte[] serverHelloBody = GenerateServerHello(state, recordLayer); @@ -379,7 +361,7 @@ namespace Org.BouncyCastle.Tls .SetServerExtensions(state.serverExtensions) .Build(); - state.tlsSession = TlsUtilities.ImportSession(state.tlsSession.SessionID, state.sessionParameters); + state.tlsSession = TlsUtilities.ImportSession(securityParameters.SessionID, state.sessionParameters); securityParameters.m_tlsUnique = securityParameters.PeerVerifyData; @@ -425,9 +407,14 @@ namespace Org.BouncyCastle.Tls TlsServerContextImpl serverContext = state.serverContext; SecurityParameters securityParameters = serverContext.SecurityParameters; - ProtocolVersion server_version = server.GetServerVersion(); + // TODO[dtls13] Negotiate cipher suite first? + + ProtocolVersion serverVersion; + + // NOT renegotiating { - if (!ProtocolVersion.Contains(serverContext.ClientSupportedVersions, server_version)) + serverVersion = server.GetServerVersion(); + if (!ProtocolVersion.Contains(serverContext.ClientSupportedVersions, serverVersion)) throw new TlsFatalAlert(AlertDescription.internal_error); // TODO[dtls13] Read draft/RFC for guidance on the legacy_record_version field @@ -436,24 +423,116 @@ namespace Org.BouncyCastle.Tls // : server_version; //recordLayer.SetWriteVersion(legacy_record_version); - securityParameters.m_negotiatedVersion = server_version; - - TlsUtilities.NegotiatedVersionDtlsServer(serverContext); + securityParameters.m_negotiatedVersion = serverVersion; } + // TODO[dtls13] + //if (ProtocolVersion.DTLSv13.IsEqualOrEarlierVersionOf(serverVersion)) + //{ + // // See RFC 8446 D.4. + // recordStream.SetIgnoreChangeCipherSpec(true); + + // recordStream.SetWriteVersion(ProtocolVersion.DTLSv12); + + // return Generate13ServerHello(clientHello, clientHelloMessage, false); + //} + + //recordStream.setWriteVersion(serverVersion); + { - bool useGmtUnixTime = ProtocolVersion.DTLSv12.IsEqualOrLaterVersionOf(server_version) - && server.ShouldUseGmtUnixTime(); + bool useGmtUnixTime = server.ShouldUseGmtUnixTime(); securityParameters.m_serverRandom = TlsProtocol.CreateRandomBlock(useGmtUnixTime, serverContext); - if (!server_version.Equals(ProtocolVersion.GetLatestDtls(server.GetProtocolVersions()))) + if (!serverVersion.Equals(ProtocolVersion.GetLatestDtls(server.GetProtocolVersions()))) + { + TlsUtilities.WriteDowngradeMarker(serverVersion, securityParameters.ServerRandom); + } + } + + /* + * NOTE: Currently no server support for session resumption + * + * If adding support, ensure securityParameters.tlsUnique is set to the localVerifyData, but + * ONLY when extended_master_secret has been negotiated (otherwise NULL). + */ + // TODO[resumption] + { + state.tlsSession = null; + state.sessionParameters = null; + state.sessionMasterSecret = null; + } + + bool resumedSession = false; + + if (resumedSession && !serverVersion.Equals(state.sessionParameters.NegotiatedVersion)) + { + resumedSession = false; + } + + // TODO Check the session cipher suite is selectable by the same rules that GetSelectedCipherSuite uses + + // TODO Check the resumed session has a peer certificate if we NEED client-auth + + // extended_master_secret + { + bool negotiateEms = false; + + if (TlsUtilities.IsExtendedMasterSecretOptional(serverVersion) && + server.ShouldUseExtendedMasterSecret()) + { + if (TlsExtensionsUtilities.HasExtendedMasterSecretExtension(state.clientExtensions)) + { + negotiateEms = true; + } + else if (server.RequiresExtendedMasterSecret()) + { + throw new TlsFatalAlert(AlertDescription.handshake_failure, + "Extended Master Secret extension is required"); + } + else if (resumedSession) + { + if (state.sessionParameters.IsExtendedMasterSecret) + { + throw new TlsFatalAlert(AlertDescription.handshake_failure, + "Extended Master Secret extension is required for EMS session resumption"); + } + + if (!server.AllowLegacyResumption()) + { + throw new TlsFatalAlert(AlertDescription.handshake_failure, + "Extended Master Secret extension is required for legacy session resumption"); + } + } + } + + if (resumedSession && negotiateEms != state.sessionParameters.IsExtendedMasterSecret) + { + resumedSession = false; + } + + securityParameters.m_extendedMasterSecret = negotiateEms; + } + + if (!resumedSession) + { + CancelSession(state); + + byte[] newSessionID = server.GetNewSessionID(); + if (null == newSessionID) { - TlsUtilities.WriteDowngradeMarker(server_version, securityParameters.ServerRandom); + newSessionID = TlsUtilities.EmptyBytes; } + + state.tlsSession = TlsUtilities.ImportSession(newSessionID, null); } - bool resumedSession = securityParameters.IsResumedSession; + securityParameters.m_resumedSession = resumedSession; + securityParameters.m_sessionID = state.tlsSession.SessionID; + + server.NotifySession(state.tlsSession); + + TlsUtilities.NegotiatedVersionDtlsServer(serverContext); { int cipherSuite = ValidateSelectedCipherSuite(server.GetSelectedCipherSuite(), @@ -468,76 +547,54 @@ namespace Org.BouncyCastle.Tls TlsUtilities.NegotiatedCipherSuite(securityParameters, cipherSuite); } - state.serverExtensions = TlsExtensionsUtilities.EnsureExtensionsInitialised( - server.GetServerExtensions()); - - server.GetServerExtensionsForConnection(state.serverExtensions); - - ProtocolVersion legacy_version = server_version; - if (server_version.IsLaterVersionOf(ProtocolVersion.DTLSv12)) { - legacy_version = ProtocolVersion.DTLSv12; + IDictionary sessionServerExtensions = resumedSession + ? state.sessionParameters.ReadServerExtensions() + : server.GetServerExtensions(); - TlsExtensionsUtilities.AddSupportedVersionsExtensionServer(state.serverExtensions, server_version); + state.serverExtensions = TlsExtensionsUtilities.EnsureExtensionsInitialised(sessionServerExtensions); } - /* - * RFC 5746 3.6. Server Behavior: Initial Handshake - */ - if (securityParameters.IsSecureRenegotiation) - { - byte[] renegExtData = TlsUtilities.GetExtensionData(state.serverExtensions, - ExtensionType.renegotiation_info); - bool noRenegExt = (null == renegExtData); + server.GetServerExtensionsForConnection(state.serverExtensions); - if (noRenegExt) + // NOT renegotiating + { + /* + * RFC 5746 3.6. Server Behavior: Initial Handshake (both full and session-resumption) + */ + if (securityParameters.IsSecureRenegotiation) { - /* - * Note that sending a "renegotiation_info" extension in response to a ClientHello - * containing only the SCSV is an explicit exception to the prohibition in RFC 5246, - * Section 7.4.1.4, on the server sending unsolicited extensions and is only allowed - * because the client is signaling its willingness to receive the extension via the - * TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. - */ + byte[] serverRenegExtData = TlsUtilities.GetExtensionData(state.serverExtensions, + ExtensionType.renegotiation_info); + bool noRenegExt = (null == serverRenegExtData); - /* - * If the secure_renegotiation flag is set to TRUE, the server MUST include an empty - * "renegotiation_info" extension in the ServerHello message. - */ - state.serverExtensions[ExtensionType.renegotiation_info] = TlsProtocol.CreateRenegotiationInfo( - TlsUtilities.EmptyBytes); + if (noRenegExt) + { + /* + * Note that sending a "renegotiation_info" extension in response to a ClientHello + * containing only the SCSV is an explicit exception to the prohibition in RFC 5246, + * Section 7.4.1.4, on the server sending unsolicited extensions and is only allowed + * because the client is signaling its willingness to receive the extension via the + * TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. + */ + + /* + * If the secure_renegotiation flag is set to TRUE, the server MUST include an empty + * "renegotiation_info" extension in the ServerHello message. + */ + state.serverExtensions[ExtensionType.renegotiation_info] = TlsProtocol.CreateRenegotiationInfo( + TlsUtilities.EmptyBytes); + } } } - /* - * RFC 7627 4. Clients and servers SHOULD NOT accept handshakes that do not use the extended - * master secret [..]. (and see 5.2, 5.3) - * - * RFC 8446 Appendix D. Because TLS 1.3 always hashes in the transcript up to the server - * Finished, implementations which support both TLS 1.3 and earlier versions SHOULD indicate - * the use of the Extended Master Secret extension in their APIs whenever TLS 1.3 is used. - */ - if (TlsUtilities.IsTlsV13(server_version)) + if (securityParameters.IsExtendedMasterSecret) { - securityParameters.m_extendedMasterSecret = true; + TlsExtensionsUtilities.AddExtendedMasterSecretExtension(state.serverExtensions); } else { - securityParameters.m_extendedMasterSecret = state.offeredExtendedMasterSecret - && server.ShouldUseExtendedMasterSecret(); - - if (securityParameters.IsExtendedMasterSecret) - { - TlsExtensionsUtilities.AddExtendedMasterSecretExtension(state.serverExtensions); - } - else if (server.RequiresExtendedMasterSecret()) - { - throw new TlsFatalAlert(AlertDescription.handshake_failure); - } - else if (resumedSession && !server.AllowLegacyResumption()) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } + state.serverExtensions.Remove(ExtensionType.extended_master_secret); } // Heartbeats @@ -547,13 +604,6 @@ namespace Org.BouncyCastle.Tls new HeartbeatExtension(state.heartbeatPolicy)); } - - - /* - * RFC 7301 3.1. When session resumption or session tickets [...] are used, the previous - * contents of this extension are irrelevant, and only the values in the new handshake - * messages are considered. - */ securityParameters.m_applicationProtocol = TlsExtensionsUtilities.GetAlpnExtensionServer( state.serverExtensions); securityParameters.m_applicationProtocolSet = true; @@ -576,11 +626,6 @@ namespace Org.BouncyCastle.Tls } } - /* - * TODO RFC 3546 2.3 If [...] the older session is resumed, then the server MUST ignore - * extensions appearing in the client hello, and send a server hello containing no - * extensions. - */ if (state.serverExtensions.Count > 0) { securityParameters.m_encryptThenMac = TlsExtensionsUtilities.HasEncryptThenMacExtension( @@ -593,10 +638,6 @@ namespace Org.BouncyCastle.Tls securityParameters.m_truncatedHmac = TlsExtensionsUtilities.HasTruncatedHmacExtension( state.serverExtensions); - /* - * TODO It's surprising that there's no provision to allow a 'fresh' CertificateStatus to be sent in - * a session resumption handshake. - */ if (!resumedSession) { // TODO[tls13] See RFC 8446 4.4.2.1 @@ -618,17 +659,15 @@ namespace Org.BouncyCastle.Tls ApplyMaxFragmentLengthExtension(recordLayer, securityParameters.MaxFragmentLength); - - - ServerHello serverHello = new ServerHello(legacy_version, securityParameters.ServerRandom, - state.tlsSession.SessionID, securityParameters.CipherSuite, state.serverExtensions); + ServerHello serverHello = new ServerHello(serverVersion, securityParameters.ServerRandom, + securityParameters.SessionID, securityParameters.CipherSuite, state.serverExtensions); MemoryStream buf = new MemoryStream(); serverHello.Encode(serverContext, buf); return buf.ToArray(); } - protected virtual void InvalidateSession(ServerHandshakeState state) + protected virtual void CancelSession(ServerHandshakeState state) { if (state.sessionMasterSecret != null) { @@ -642,11 +681,17 @@ namespace Org.BouncyCastle.Tls state.sessionParameters = null; } + state.tlsSession = null; + } + + protected virtual void InvalidateSession(ServerHandshakeState state) + { if (state.tlsSession != null) { state.tlsSession.Invalidate(); - state.tlsSession = null; } + + CancelSession(state); } /// @@ -764,10 +809,15 @@ namespace Org.BouncyCastle.Tls * TODO[resumption] Check RFC 7627 5.4. for required behaviour */ - /* - * RFC 5746 3.6. Server Behavior: Initial Handshake - */ + byte[] clientRenegExtData = TlsUtilities.GetExtensionData(state.clientExtensions, + ExtensionType.renegotiation_info); + + // NOT renegotiatiing { + /* + * RFC 5746 3.6. Server Behavior: Initial Handshake (both full and session-resumption) + */ + /* * RFC 5746 3.4. The client MUST include either an empty "renegotiation_info" extension, * or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling cipher suite value in the @@ -784,13 +834,7 @@ namespace Org.BouncyCastle.Tls securityParameters.m_secureRenegotiation = true; } - /* - * The server MUST check if the "renegotiation_info" extension is included in the - * ClientHello. - */ - byte[] renegExtData = TlsUtilities.GetExtensionData(state.clientExtensions, - ExtensionType.renegotiation_info); - if (renegExtData != null) + if (clientRenegExtData != null) { /* * If the extension is present, set secure_renegotiation flag to TRUE. The @@ -799,7 +843,7 @@ namespace Org.BouncyCastle.Tls */ securityParameters.m_secureRenegotiation = true; - if (!Arrays.FixedTimeEquals(renegExtData, + if (!Arrays.FixedTimeEquals(clientRenegExtData, TlsProtocol.CreateRenegotiationInfo(TlsUtilities.EmptyBytes))) { throw new TlsFatalAlert(AlertDescription.handshake_failure); @@ -809,9 +853,6 @@ namespace Org.BouncyCastle.Tls server.NotifySecureRenegotiation(securityParameters.IsSecureRenegotiation); - state.offeredExtendedMasterSecret = TlsExtensionsUtilities.HasExtendedMasterSecretExtension( - state.clientExtensions); - if (state.clientExtensions != null) { // NOTE: Validates the padding extension data, if present @@ -889,7 +930,6 @@ namespace Org.BouncyCastle.Tls internal int[] offeredCipherSuites = null; internal IDictionary clientExtensions = null; internal IDictionary serverExtensions = null; - internal bool offeredExtendedMasterSecret = false; internal bool expectSessionTicket = false; internal TlsKeyExchange keyExchange = null; internal TlsCredentials serverCredentials = null; diff --git a/crypto/src/tls/TlsClientProtocol.cs b/crypto/src/tls/TlsClientProtocol.cs index b117a4025..30ad67fbe 100644 --- a/crypto/src/tls/TlsClientProtocol.cs +++ b/crypto/src/tls/TlsClientProtocol.cs @@ -1150,9 +1150,9 @@ namespace Org.BouncyCastle.Tls * Hello is always allowed. */ this.m_serverExtensions = serverHelloExtensions; - if (m_serverExtensions != null) + if (serverHelloExtensions != null) { - foreach (int extType in m_serverExtensions.Keys) + foreach (int extType in serverHelloExtensions.Keys) { /* * RFC 5746 3.6. Note that sending a "renegotiation_info" extension in response to a @@ -1189,7 +1189,7 @@ namespace Org.BouncyCastle.Tls } } - byte[] renegExtData = TlsUtilities.GetExtensionData(m_serverExtensions, ExtensionType.renegotiation_info); + byte[] renegExtData = TlsUtilities.GetExtensionData(serverHelloExtensions, ExtensionType.renegotiation_info); // NOT renegotiating { @@ -1235,7 +1235,7 @@ namespace Org.BouncyCastle.Tls if (TlsExtensionsUtilities.HasExtendedMasterSecretExtension(m_clientExtensions)) { - negotiatedEms = TlsExtensionsUtilities.HasExtendedMasterSecretExtension(m_serverExtensions); + negotiatedEms = TlsExtensionsUtilities.HasExtendedMasterSecretExtension(serverHelloExtensions); if (TlsUtilities.IsExtendedMasterSecretOptional(server_version)) { @@ -1272,11 +1272,11 @@ namespace Org.BouncyCastle.Tls * messages are considered. */ securityParameters.m_applicationProtocol = TlsExtensionsUtilities.GetAlpnExtensionServer( - m_serverExtensions); + serverHelloExtensions); securityParameters.m_applicationProtocolSet = true; var sessionClientExtensions = m_clientExtensions; - var sessionServerExtensions = m_serverExtensions; + var sessionServerExtensions = serverHelloExtensions; if (securityParameters.IsResumedSession) { if (securityParameters.CipherSuite != m_sessionParameters.CipherSuite diff --git a/crypto/src/tls/TlsServerProtocol.cs b/crypto/src/tls/TlsServerProtocol.cs index def8ae49b..efe055f1b 100644 --- a/crypto/src/tls/TlsServerProtocol.cs +++ b/crypto/src/tls/TlsServerProtocol.cs @@ -718,7 +718,7 @@ namespace Org.BouncyCastle.Tls ApplyMaxFragmentLengthExtension(securityParameters.MaxFragmentLength); - return new ServerHello(serverVersion, securityParameters.ServerRandom, m_tlsSession.SessionID, + return new ServerHello(serverVersion, securityParameters.ServerRandom, securityParameters.SessionID, securityParameters.CipherSuite, m_serverExtensions); } -- cgit 1.4.1