/*
* Copyright (C) 2018 Red Hat, Inc.
*
* Author: Daiki Ueno
*
* This file is part of GnuTLS.
*
* The GnuTLS is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public License
* as published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>
*
*/
#include "gnutls_int.h"
#include "db.h"
#include "system.h"
#include "tls13/anti_replay.h"
/* The default time window in milliseconds; RFC8446 suggests the order
* of ten seconds is sufficient for the clients on the Internet. */
#define DEFAULT_WINDOW_MS 10000
struct gnutls_anti_replay_st {
uint32_t window;
struct timespec start_time;
gnutls_db_add_func db_add_func;
void *db_ptr;
};
/**
* gnutls_anti_replay_init:
* @anti_replay: is a pointer to #gnutls_anti_replay_t type
*
* This function will allocate and initialize the @anti_replay context
* to be usable for detect replay attacks. The context can then be
* attached to a @gnutls_session_t with
* gnutls_anti_replay_enable().
*
* Returns: Zero or a negative error code on error.
*
* Since: 3.6.5
**/
int
gnutls_anti_replay_init(gnutls_anti_replay_t *anti_replay)
{
*anti_replay = gnutls_calloc(1, sizeof(struct gnutls_anti_replay_st));
if (!*anti_replay)
return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
(*anti_replay)->window = DEFAULT_WINDOW_MS;
gnutls_gettime(&(*anti_replay)->start_time);
return 0;
}
/**
* gnutls_anti_replay_set_window:
* @anti_replay: is a #gnutls_anti_replay_t type.
* @window: is the time window recording ClientHello, in milliseconds
*
* Sets the time window used for ClientHello recording. In order to
* protect against replay attacks, the server records ClientHello
* messages within this time period from the last update, and
* considers it a replay when a ClientHello outside of the period; if
* a ClientHello arrives within this period, the server checks the
* database and detects duplicates.
*
* For the details of the algorithm, see RFC 8446, section 8.2.
*
* Since: 3.6.5
*/
void
gnutls_anti_replay_set_window(gnutls_anti_replay_t anti_replay,
unsigned int window)
{
anti_replay->window = window;
}
/**
* gnutls_anti_replay_deinit:
* @anti_replay: is a #gnutls_anti_replay type
*
* This function will deinitialize all resources occupied by the given
* anti-replay context.
*
* Since: 3.6.5
**/
void
gnutls_anti_replay_deinit(gnutls_anti_replay_t anti_replay)
{
gnutls_free(anti_replay);
}
/**
* gnutls_anti_replay_enable:
* @session: is a #gnutls_session_t type.
* @anti_replay: is a #gnutls_anti_replay_t type.
*
* Request that the server should use anti-replay mechanism.
*
* Since: 3.6.5
**/
void
gnutls_anti_replay_enable(gnutls_session_t session,
gnutls_anti_replay_t anti_replay)
{
if (unlikely(session->security_parameters.entity != GNUTLS_SERVER)) {
gnutls_assert();
return;
}
session->internals.anti_replay = anti_replay;
}
int
_gnutls_anti_replay_check(gnutls_anti_replay_t anti_replay,
uint32_t client_ticket_age,
struct timespec *ticket_creation_time,
gnutls_datum_t *id)
{
struct timespec now;
time_t window;
uint32_t server_ticket_age, diff;
gnutls_datum_t key = { NULL, 0 };
gnutls_datum_t entry = { NULL, 0 };
unsigned char key_buffer[MAX_HASH_SIZE + 12];
unsigned char entry_buffer[12]; /* magic + timestamp + expire_time */
unsigned char *p;
int ret;
if (unlikely(id->size > MAX_HASH_SIZE))
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
gnutls_gettime(&now);
server_ticket_age = timespec_sub_ms(&now, ticket_creation_time);
/* It shouldn't be possible that the server's view of ticket
* age is smaller than the client's view.
*/
if (unlikely(server_ticket_age < client_ticket_age))
return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
/* If ticket is created before recording has started, discard
* reject early data.
*/
if (_gnutls_timespec_cmp(ticket_creation_time,
&anti_replay->start_time) < 0) {
_gnutls_handshake_log("anti_replay: ticket is created before recording has started\n");
return gnutls_assert_val(GNUTLS_E_EARLY_DATA_REJECTED);
}
/* If certain amount of time (window) has elapsed, rollover
* the recording.
*/
diff = timespec_sub_ms(&now, &anti_replay->start_time);
if (diff > anti_replay->window)
gnutls_gettime(&anti_replay->start_time);
/* If expected_arrival_time is out of window, reject early
* data.
*/
if (server_ticket_age - client_ticket_age > anti_replay->window) {
_gnutls_handshake_log("anti_replay: server ticket age: %u, client ticket age: %u\n",
server_ticket_age,
client_ticket_age);
return gnutls_assert_val(GNUTLS_E_EARLY_DATA_REJECTED);
}
/* Check if the ClientHello is stored in the database.
*/
if (!anti_replay->db_add_func)
return gnutls_assert_val(GNUTLS_E_EARLY_DATA_REJECTED);
/* Create a key for database lookup, prefixing window start
* time to ID. Note that this shouldn't clash with session ID
* used in TLS 1.2, because such IDs are 32 octets, while here
* the key becomes 44+ octets.
*/
p = key_buffer;
_gnutls_write_uint32((uint64_t) anti_replay->start_time.tv_sec >> 32, p);
p += 4;
_gnutls_write_uint32(anti_replay->start_time.tv_sec & 0xFFFFFFFF, p);
p += 4;
_gnutls_write_uint32(anti_replay->start_time.tv_nsec, p);
p += 4;
memcpy(p, id->data, id->size);
p += id->size;
key.data = key_buffer;
key.size = p - key_buffer;
/* Create an entry to be stored on database if the lookup
* failed. This is formatted so that
* gnutls_db_check_entry_expire_time() work.
*/
p = entry_buffer;
_gnutls_write_uint32(PACKED_SESSION_MAGIC, p);
p += 4;
_gnutls_write_uint32(now.tv_sec, p);
p += 4;
window = anti_replay->window / 1000;
_gnutls_write_uint32(window, p);
p += 4;
entry.data = entry_buffer;
entry.size = p - entry_buffer;
ret = anti_replay->db_add_func(anti_replay->db_ptr,
(uint64_t)now.tv_sec+(uint64_t)window, &key, &entry);
if (ret < 0) {
_gnutls_handshake_log("anti_replay: duplicate ClientHello found\n");
return gnutls_assert_val(GNUTLS_E_EARLY_DATA_REJECTED);
}
return 0;
}
/**
* gnutls_anti_replay_set_ptr:
* @anti_replay: is a #gnutls_anti_replay_t type.
* @ptr: is the pointer
*
* Sets the pointer that will be provided to db add function
* as the first argument.
**/
void gnutls_anti_replay_set_ptr(gnutls_anti_replay_t anti_replay, void *ptr)
{
anti_replay->db_ptr = ptr;
}
/**
* gnutls_anti_replay_set_add_function:
* @anti_replay: is a #gnutls_anti_replay_t type.
* @add_func: is the function.
*
* Sets the function that will be used to store an entry if it is not
* already present in the resumed sessions database. This function returns 0
* if the entry is successfully stored, and a negative error code
* otherwise. In particular, if the entry is found in the database,
* it returns %GNUTLS_E_DB_ENTRY_EXISTS.
*
* The arguments to the @add_func are:
* - %ptr: the pointer set with gnutls_anti_replay_set_ptr()
* - %exp_time: the expiration time of the entry
* - %key: a pointer to the key
* - %data: a pointer to data to store
*
* The data set by this function can be examined using
* gnutls_db_check_entry_expire_time() and gnutls_db_check_entry_time().
*
* Since: 3.6.5
**/
void
gnutls_anti_replay_set_add_function(gnutls_anti_replay_t anti_replay,
gnutls_db_add_func add_func)
{
anti_replay->db_add_func = add_func;
}