state.ml1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359(* Defines all high-level datatypes for the TLS library. It is opaque to clients of this library, and only used from within the library. *) open Sexplib open Sexplib.Conv open Core open Mirage_crypto type hmac_key = Cstruct.t (* initialisation vector style, depending on TLS version *) type iv_mode = | Iv of Cstruct_sexp.t (* traditional CBC (reusing last cipherblock) *) | Random_iv (* TLS 1.1 and higher explicit IV (we use random) *) [@@deriving sexp_of] type 'k cbc_cipher = (module Cipher_block.S.CBC with type key = 'k) type 'k cbc_state = { cipher : 'k cbc_cipher ; cipher_secret : 'k ; iv_mode : iv_mode ; hmac : Hash.hash ; hmac_secret : hmac_key } type nonce = Cstruct.t type 'k aead_cipher = | CCM of (module Cipher_block.S.CCM with type key = 'k) | GCM of (module Cipher_block.S.GCM with type key = 'k) | ChaCha20_Poly1305 of (module AEAD with type key = 'k) type 'k aead_state = { cipher : 'k aead_cipher ; cipher_secret : 'k ; nonce : nonce } (* state of a symmetric cipher *) type cipher_st = | CBC : 'k cbc_state -> cipher_st | AEAD : 'k aead_state -> cipher_st (* Sexplib stubs -- rethink how to play with crypto. *) let sexp_of_cipher_st = function | CBC _ -> Sexp.Atom "<cbc-state>" | AEAD _ -> Sexp.Atom "<aead-state>" (* *** *) (* context of a TLS connection (both in and out has each one of these) *) type crypto_context = { sequence : int64 ; (* sequence number *) cipher_st : cipher_st ; (* cipher state *) } [@@deriving sexp_of] (* the raw handshake log we need to carry around *) type hs_log = Cstruct_sexp.t list [@@deriving sexp_of] type dh_secret = [ | `Finite_field of Mirage_crypto_pk.Dh.secret | `P256 of Mirage_crypto_ec.P256.Dh.secret | `P384 of Mirage_crypto_ec.P384.Dh.secret | `P521 of Mirage_crypto_ec.P521.Dh.secret | `X25519 of Mirage_crypto_ec.X25519.secret ] let sexp_of_dh_secret _ = Sexp.Atom "dh_secret" let dh_secret_of_sexp = Conv.of_sexp_error "dh_secret_of_sexp: not implemented" (* a collection of client and server verify bytes for renegotiation *) type reneg_params = Cstruct_sexp.t * Cstruct_sexp.t [@@deriving sexp_of] type common_session_data = { server_random : Cstruct_sexp.t ; (* 32 bytes random from the server hello *) client_random : Cstruct_sexp.t ; (* 32 bytes random from the client hello *) peer_certificate_chain : Cert.t list ; peer_certificate : Cert.t option ; trust_anchor : Cert.t option ; received_certificates : Cert.t list ; own_certificate : Cert.t list ; own_private_key : Priv.t option ; own_name : string option ; client_auth : bool ; master_secret : master_secret ; alpn_protocol : string option ; (* selected alpn protocol after handshake *) } [@@deriving sexp_of] type session_data = { common_session_data : common_session_data ; client_version : tls_any_version ; (* version in client hello (needed in RSA client key exchange) *) ciphersuite : Ciphersuite.ciphersuite ; group : group option ; renegotiation : reneg_params ; (* renegotiation data *) session_id : Cstruct_sexp.t ; extended_ms : bool ; } [@@deriving sexp_of] (* state machine of the server *) type server_handshake_state = | AwaitClientHello (* initial state *) | AwaitClientHelloRenegotiate | AwaitClientCertificate_RSA of session_data * hs_log | AwaitClientCertificate_DHE of session_data * dh_secret * hs_log | AwaitClientKeyExchange_RSA of session_data * hs_log (* server hello done is sent, and RSA key exchange used, waiting for a client key exchange message *) | AwaitClientKeyExchange_DHE of session_data * dh_secret * hs_log (* server hello done is sent, and DHE_RSA key exchange used, waiting for client key exchange *) | AwaitClientCertificateVerify of session_data * crypto_context * crypto_context * hs_log | AwaitClientChangeCipherSpec of session_data * crypto_context * crypto_context * hs_log (* client key exchange received, next should be change cipher spec *) | AwaitClientChangeCipherSpecResume of session_data * crypto_context * Cstruct_sexp.t * hs_log (* resumption: next should be change cipher spec *) | AwaitClientFinished of session_data * hs_log (* change cipher spec received, next should be the finished including a hmac over all handshake packets *) | AwaitClientFinishedResume of session_data * Cstruct_sexp.t * hs_log (* change cipher spec received, next should be the finished including a hmac over all handshake packets *) | Established (* handshake successfully completed *) [@@deriving sexp_of] (* state machine of the client *) type client_handshake_state = | ClientInitial (* initial state *) | AwaitServerHello of client_hello * (group * dh_secret) list * hs_log (* client hello is sent, handshake_params are half-filled *) | AwaitServerHelloRenegotiate of session_data * client_hello * hs_log (* client hello is sent, handshake_params are half-filled *) | AwaitCertificate_RSA of session_data * hs_log (* certificate expected with RSA key exchange *) | AwaitCertificate_DHE of session_data * hs_log (* certificate expected with DHE key exchange *) | AwaitServerKeyExchange_DHE of session_data * hs_log (* server key exchange expected with DHE *) | AwaitCertificateRequestOrServerHelloDone of session_data * Cstruct_sexp.t * Cstruct_sexp.t * hs_log (* server hello done expected, client key exchange and premastersecret are ready *) | AwaitServerHelloDone of session_data * signature_algorithm list option * Cstruct_sexp.t * Cstruct_sexp.t * hs_log (* server hello done expected, client key exchange and premastersecret are ready *) | AwaitServerChangeCipherSpec of session_data * crypto_context * Cstruct_sexp.t * hs_log (* change cipher spec expected *) | AwaitServerChangeCipherSpecResume of session_data * crypto_context * crypto_context * hs_log (* change cipher spec expected *) | AwaitServerFinished of session_data * Cstruct_sexp.t * hs_log (* finished expected with a hmac over all handshake packets *) | AwaitServerFinishedResume of session_data * hs_log (* finished expected with a hmac over all handshake packets *) | Established (* handshake successfully completed *) [@@deriving sexp_of] type kdf = { secret : Cstruct_sexp.t ; cipher : Ciphersuite.ciphersuite13 ; hash : Ciphersuite.H.t ; } [@@deriving sexp_of] (* TODO needs log of CH..CF for post-handshake auth *) (* TODO drop master_secret!? *) type session_data13 = { common_session_data13 : common_session_data ; ciphersuite13 : Ciphersuite.ciphersuite13 ; master_secret : kdf ; resumption_secret : Cstruct_sexp.t ; state : epoch_state ; resumed : bool ; client_app_secret : Cstruct_sexp.t ; server_app_secret : Cstruct_sexp.t ; } [@@deriving sexp_of] type client13_handshake_state = | AwaitServerHello13 of client_hello * (group * dh_secret) list * Cstruct_sexp.t (* this is for CH1 ~> HRR ~> CH2 <~ WAIT SH *) | AwaitServerEncryptedExtensions13 of session_data13 * Cstruct_sexp.t * Cstruct_sexp.t * Cstruct_sexp.t | AwaitServerCertificateRequestOrCertificate13 of session_data13 * Cstruct_sexp.t * Cstruct_sexp.t * Cstruct_sexp.t | AwaitServerCertificate13 of session_data13 * Cstruct_sexp.t * Cstruct_sexp.t * signature_algorithm list option * Cstruct_sexp.t | AwaitServerCertificateVerify13 of session_data13 * Cstruct_sexp.t * Cstruct_sexp.t * signature_algorithm list option * Cstruct_sexp.t | AwaitServerFinished13 of session_data13 * Cstruct_sexp.t * Cstruct_sexp.t * signature_algorithm list option * Cstruct_sexp.t | Established13 [@@deriving sexp_of] type server13_handshake_state = | AwaitClientHelloHRR13 (* if we sent out HRR (also to-be-used for tls13-only) *) | AwaitClientCertificate13 of session_data13 * Cstruct_sexp.t * crypto_context * session_ticket option * Cstruct_sexp.t | AwaitClientCertificateVerify13 of session_data13 * Cstruct_sexp.t * crypto_context * session_ticket option * Cstruct_sexp.t | AwaitClientFinished13 of Cstruct_sexp.t * crypto_context * session_ticket option * Cstruct_sexp.t | AwaitEndOfEarlyData13 of Cstruct_sexp.t * crypto_context * crypto_context * session_ticket option * Cstruct_sexp.t | Established13 [@@deriving sexp_of] type handshake_machina_state = | Client of client_handshake_state | Server of server_handshake_state | Client13 of client13_handshake_state | Server13 of server13_handshake_state [@@deriving sexp_of] (* state during a handshake, used in the handlers *) type handshake_state = { session : [ `TLS of session_data | `TLS13 of session_data13 ] list ; protocol_version : tls_version ; early_data_left : int32 ; machina : handshake_machina_state ; (* state machine state *) config : Config.config ; (* given config *) hs_fragment : Cstruct_sexp.t ; (* handshake messages can be fragmented, leftover from before *) } [@@deriving sexp_of] (* connection state: initially None, after handshake a crypto context *) type crypto_state = crypto_context option [@@deriving sexp_of] (* record consisting of a content type and a byte vector *) type record = Packet.content_type * Cstruct_sexp.t [@@deriving sexp_of] (* response returned by a handler *) type rec_resp = [ | `Change_enc of crypto_context (* either instruction to change the encryptor to the given one *) | `Change_dec of crypto_context (* either change the decryptor to the given one *) | `Record of record (* or a record which should be sent out *) ] (* return type of handshake handlers *) type handshake_return = handshake_state * rec_resp list (* Top level state, encapsulating the entire session. *) type state = { handshake : handshake_state ; (* the current handshake state *) decryptor : crypto_state ; (* the current decryption state *) encryptor : crypto_state ; (* the current encryption state *) fragment : Cstruct_sexp.t ; (* the leftover fragment from TCP fragmentation *) } [@@deriving sexp_of] module V_err = struct type t = X509.Validation.validation_error let sexp_of_t v = let s = Fmt.to_to_string X509.Validation.pp_validation_error v in Sexplib.Sexp.Atom s end module Ec_err = struct type t = Mirage_crypto_ec.error let t_of_sexp _ = failwith "couldn't convert validatin error from sexp" let sexp_of_t v = let s = Fmt.to_to_string Mirage_crypto_ec.pp_error v in Sexplib.Sexp.Atom s end type error = [ | `AuthenticationFailure of V_err.t | `NoConfiguredCiphersuite of Ciphersuite.ciphersuite list | `NoConfiguredVersions of tls_version list | `NoConfiguredSignatureAlgorithm of signature_algorithm list | `NoMatchingCertificateFound of string | `NoCertificateConfigured | `CouldntSelectCertificate ] [@@deriving sexp_of] type client_hello_errors = [ | `EmptyCiphersuites | `NotSetCiphersuites of Packet.any_ciphersuite list | `NoSupportedCiphersuite of Packet.any_ciphersuite list | `NotSetExtension of client_extension list | `HasSignatureAlgorithmsExtension | `NoSignatureAlgorithmsExtension | `NoGoodSignatureAlgorithms of signature_algorithm list | `NoKeyShareExtension | `NoSupportedGroupExtension | `NotSetSupportedGroup of Packet.named_group list | `NotSetKeyShare of (Packet.named_group * Cstruct_sexp.t) list | `NotSubsetKeyShareSupportedGroup of (Packet.named_group list * (Packet.named_group * Cstruct_sexp.t) list) | `Has0rttAfterHRR | `NoCookie ] [@@deriving sexp_of] type fatal = [ | `NoSecureRenegotiation | `NoSupportedGroup | `NoVersions of tls_any_version list | `ReaderError of Reader.error | `NoCertificateReceived | `NoCertificateVerifyReceived | `NotRSACertificate | `KeyTooSmall | `SignatureVerificationFailed of string | `SigningFailed of string | `BadCertificateChain | `MACMismatch | `MACUnderflow | `RecordOverflow of int | `UnknownRecordVersion of int * int | `UnknownContentType of int | `CannotHandleApplicationDataYet | `NoHeartbeat | `BadRecordVersion of tls_any_version | `BadFinished | `HandshakeFragmentsNotEmpty | `InsufficientDH | `InvalidDH | `BadECDH of Ec_err.t | `InvalidRenegotiation | `InvalidClientHello of client_hello_errors | `InvalidServerHello | `InvalidRenegotiationVersion of tls_version | `InappropriateFallback | `UnexpectedCCS | `UnexpectedHandshake of tls_handshake | `InvalidCertificateUsage | `InvalidCertificateExtendedUsage | `InvalidSession | `NoApplicationProtocol | `HelloRetryRequest | `InvalidMessage | `Toomany0rttbytes | `MissingContentType | `Downgrade12 | `Downgrade11 ] [@@deriving sexp_of] type failure = [ | `Error of error | `Fatal of fatal ] [@@deriving sexp_of] let common_data_to_epoch common is_server peer_name = let own_random, peer_random = if is_server then common.server_random, common.client_random else common.client_random, common.server_random in let epoch : epoch_data = { state = `Established ; protocol_version = `TLS_1_0 ; ciphersuite = `DHE_RSA_WITH_AES_256_CBC_SHA ; peer_random ; peer_certificate = common.peer_certificate ; peer_certificate_chain = common.peer_certificate_chain ; peer_name ; trust_anchor = common.trust_anchor ; own_random ; own_certificate = common.own_certificate ; own_private_key = common.own_private_key ; own_name = common.own_name ; received_certificates = common.received_certificates ; master_secret = common.master_secret ; alpn_protocol = common.alpn_protocol ; session_id = Cstruct.empty ; extended_ms = false ; } in epoch let epoch_of_session server peer_name protocol_version = function | `TLS (session : session_data) -> let epoch = common_data_to_epoch session.common_session_data server peer_name in { epoch with protocol_version = protocol_version ; ciphersuite = session.ciphersuite ; session_id = session.session_id ; extended_ms = session.extended_ms ; } | `TLS13 (session : session_data13) -> let epoch : epoch_data = common_data_to_epoch session.common_session_data13 server peer_name in { epoch with ciphersuite = (session.ciphersuite13 :> Ciphersuite.ciphersuite) ; extended_ms = true ; (* RFC 8446, Appendix D, last paragraph *) state = session.state ; } let epoch_of_hs hs = let server = match hs.machina with | Client _ | Client13 _ -> false | Server _ | Server13 _ -> true and peer_name = Config.(hs.config.peer_name) in match hs.session with | [] -> None | session :: _ -> Some (epoch_of_session server peer_name hs.protocol_version session)