[thirdparty/openssl.git] / util / perl / TLSProxy / Message.pm

# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

use strict;

package TLSProxy::Message;

use TLSProxy::Alert;

use constant TLS_MESSAGE_HEADER_LENGTH => 4;

#Message types
use constant {
    MT_HELLO_REQUEST => 0,
    MT_CLIENT_HELLO => 1,
    MT_SERVER_HELLO => 2,
    MT_NEW_SESSION_TICKET => 4,
    MT_ENCRYPTED_EXTENSIONS => 8,
    MT_CERTIFICATE => 11,
    MT_SERVER_KEY_EXCHANGE => 12,
    MT_CERTIFICATE_REQUEST => 13,
    MT_SERVER_HELLO_DONE => 14,
    MT_CERTIFICATE_VERIFY => 15,
    MT_CLIENT_KEY_EXCHANGE => 16,
    MT_FINISHED => 20,
    MT_CERTIFICATE_STATUS => 22,
    MT_NEXT_PROTO => 67
};

#Alert levels
use constant {
    AL_LEVEL_WARN => 1,
    AL_LEVEL_FATAL => 2
};

#Alert descriptions
use constant {
    AL_DESC_CLOSE_NOTIFY => 0,
    AL_DESC_UNEXPECTED_MESSAGE => 10,
    AL_DESC_ILLEGAL_PARAMETER => 47,
    AL_DESC_NO_RENEGOTIATION => 100
};

my %message_type = (
    MT_HELLO_REQUEST, "HelloRequest",
    MT_CLIENT_HELLO, "ClientHello",
    MT_SERVER_HELLO, "ServerHello",
    MT_NEW_SESSION_TICKET, "NewSessionTicket",
    MT_ENCRYPTED_EXTENSIONS, "EncryptedExtensions",
    MT_CERTIFICATE, "Certificate",
    MT_SERVER_KEY_EXCHANGE, "ServerKeyExchange",
    MT_CERTIFICATE_REQUEST, "CertificateRequest",
    MT_SERVER_HELLO_DONE, "ServerHelloDone",
    MT_CERTIFICATE_VERIFY, "CertificateVerify",
    MT_CLIENT_KEY_EXCHANGE, "ClientKeyExchange",
    MT_FINISHED, "Finished",
    MT_CERTIFICATE_STATUS, "CertificateStatus",
    MT_NEXT_PROTO, "NextProto"
);

use constant {
    EXT_SERVER_NAME => 0,
    EXT_MAX_FRAGMENT_LENGTH => 1,
    EXT_STATUS_REQUEST => 5,
    EXT_SUPPORTED_GROUPS => 10,
    EXT_EC_POINT_FORMATS => 11,
    EXT_SRP => 12,
    EXT_SIG_ALGS => 13,
    EXT_USE_SRTP => 14,
    EXT_ALPN => 16,
    EXT_SCT => 18,
    EXT_PADDING => 21,
    EXT_ENCRYPT_THEN_MAC => 22,
    EXT_EXTENDED_MASTER_SECRET => 23,
    EXT_SESSION_TICKET => 35,
    EXT_KEY_SHARE => 51,
    EXT_PSK => 41,
    EXT_SUPPORTED_VERSIONS => 43,
    EXT_COOKIE => 44,
    EXT_PSK_KEX_MODES => 45,
    EXT_POST_HANDSHAKE_AUTH => 49,
    EXT_SIG_ALGS_CERT => 50,
    EXT_RENEGOTIATE => 65281,
    EXT_NPN => 13172,
    EXT_CRYPTOPRO_BUG_EXTENSION => 0xfde8,
    EXT_UNKNOWN => 0xfffe,
    #Unknown extension that should appear last
    EXT_FORCE_LAST => 0xffff
};

# SignatureScheme of TLS 1.3 from:
# https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-signaturescheme
# We have to manually grab the SHA224 equivalents from the old registry
use constant {
    SIG_ALG_RSA_PKCS1_SHA256 => 0x0401,
    SIG_ALG_RSA_PKCS1_SHA384 => 0x0501,
    SIG_ALG_RSA_PKCS1_SHA512 => 0x0601,
    SIG_ALG_ECDSA_SECP256R1_SHA256 => 0x0403,
    SIG_ALG_ECDSA_SECP384R1_SHA384 => 0x0503,
    SIG_ALG_ECDSA_SECP521R1_SHA512 => 0x0603,
    SIG_ALG_RSA_PSS_RSAE_SHA256 => 0x0804,
    SIG_ALG_RSA_PSS_RSAE_SHA384 => 0x0805,
    SIG_ALG_RSA_PSS_RSAE_SHA512 => 0x0806,
    SIG_ALG_ED25519 => 0x0807,
    SIG_ALG_ED448 => 0x0808,
    SIG_ALG_RSA_PSS_PSS_SHA256 => 0x0809,
    SIG_ALG_RSA_PSS_PSS_SHA384 => 0x080a,
    SIG_ALG_RSA_PSS_PSS_SHA512 => 0x080b,
    SIG_ALG_RSA_PKCS1_SHA1 => 0x0201,
    SIG_ALG_ECDSA_SHA1 => 0x0203,
    SIG_ALG_DSA_SHA1 => 0x0202,
    SIG_ALG_DSA_SHA256 => 0x0402,
    SIG_ALG_DSA_SHA384 => 0x0502,
    SIG_ALG_DSA_SHA512 => 0x0602,
    OSSL_SIG_ALG_RSA_PKCS1_SHA224 => 0x0301,
    OSSL_SIG_ALG_DSA_SHA224 => 0x0302,
    OSSL_SIG_ALG_ECDSA_SHA224 => 0x0303
};

use constant {
    CIPHER_RSA_WITH_AES_128_CBC_SHA => 0x002f,
    CIPHER_DHE_RSA_AES_128_SHA => 0x0033,
    CIPHER_ADH_AES_128_SHA => 0x0034,
    CIPHER_TLS13_AES_128_GCM_SHA256 => 0x1301,
    CIPHER_TLS13_AES_256_GCM_SHA384 => 0x1302
};

use constant {
    CLIENT => 0,
    SERVER => 1
};

my $payload = "";
my $messlen = -1;
my $mt;
my $startoffset = -1;
my $server = 0;
my $success = 0;
my $end = 0;
my @message_rec_list = ();
my @message_frag_lens = ();
my $ciphersuite = 0;
my $successondata = 0;
my $alert;

sub clear
{
    $payload = "";
    $messlen = -1;
    $startoffset = -1;
    $server = 0;
    $success = 0;
    $end = 0;
    $successondata = 0;
    @message_rec_list = ();
    @message_frag_lens = ();
    $alert = undef;
}

#Class method to extract messages from a record
sub get_messages
{
    my $class = shift;
    my $serverin = shift;
    my $record = shift;
    my @messages = ();
    my $message;

    @message_frag_lens = ();

    if ($serverin != $server && length($payload) != 0) {
        die "Changed peer, but we still have fragment data\n";
    }
    $server = $serverin;

    if ($record->content_type == TLSProxy::Record::RT_CCS) {
        if ($payload ne "") {
            #We can't handle this yet
            die "CCS received before message data complete\n";
        }
        if (!TLSProxy::Proxy->is_tls13()) {
            if ($server) {
                TLSProxy::Record->server_encrypting(1);
            } else {
                TLSProxy::Record->client_encrypting(1);
            }
        }
    } elsif ($record->content_type == TLSProxy::Record::RT_HANDSHAKE) {
        if ($record->len == 0 || $record->len_real == 0) {
            print "  Message truncated\n";
        } else {
            my $recoffset = 0;

            if (length $payload > 0) {
                #We are continuing processing a message started in a previous
                #record. Add this record to the list associated with this
                #message
                push @message_rec_list, $record;

                if ($messlen <= length($payload)) {
                    #Shouldn't happen
                    die "Internal error: invalid messlen: ".$messlen
                        ." payload length:".length($payload)."\n";
                }
                if (length($payload) + $record->decrypt_len >= $messlen) {
                    #We can complete the message with this record
                    $recoffset = $messlen - length($payload);
                    $payload .= substr($record->decrypt_data, 0, $recoffset);
                    push @message_frag_lens, $recoffset;
                    $message = create_message($server, $mt, $payload,
                                              $startoffset);
                    push @messages, $message;

                    $payload = "";
                } else {
                    #This is just part of the total message
                    $payload .= $record->decrypt_data;
                    $recoffset = $record->decrypt_len;
                    push @message_frag_lens, $record->decrypt_len;
                }
                print "  Partial message data read: ".$recoffset." bytes\n";
            }

            while ($record->decrypt_len > $recoffset) {
                #We are at the start of a new message
                if ($record->decrypt_len - $recoffset < 4) {
                    #Whilst technically probably valid we can't cope with this
                    die "End of record in the middle of a message header\n";
                }
                @message_rec_list = ($record);
                my $lenhi;
                my $lenlo;
                ($mt, $lenhi, $lenlo) = unpack('CnC',
                                               substr($record->decrypt_data,
                                                      $recoffset));
                $messlen = ($lenhi << 8) | $lenlo;
                print "  Message type: $message_type{$mt}\n";
                print "  Message Length: $messlen\n";
                $startoffset = $recoffset;
                $recoffset += 4;
                $payload = "";

                if ($recoffset <= $record->decrypt_len) {
                    #Some payload data is present in this record
                    if ($record->decrypt_len - $recoffset >= $messlen) {
                        #We can complete the message with this record
                        $payload .= substr($record->decrypt_data, $recoffset,
                                           $messlen);
                        $recoffset += $messlen;
                        push @message_frag_lens, $messlen;
                        $message = create_message($server, $mt, $payload,
                                                  $startoffset);
                        push @messages, $message;

                        $payload = "";
                    } else {
                        #This is just part of the total message
                        $payload .= substr($record->decrypt_data, $recoffset,
                                           $record->decrypt_len - $recoffset);
                        $recoffset = $record->decrypt_len;
                        push @message_frag_lens, $recoffset;
                    }
                }
            }
        }
    } elsif ($record->content_type == TLSProxy::Record::RT_APPLICATION_DATA) {
        print "  [ENCRYPTED APPLICATION DATA]\n";
        print "  [".$record->decrypt_data."]\n";

        if ($successondata) {
            $success = 1;
            $end = 1;
        }
    } elsif ($record->content_type == TLSProxy::Record::RT_ALERT) {
        my ($alertlev, $alertdesc) = unpack('CC', $record->decrypt_data);
        print "  [$alertlev, $alertdesc]\n";
        #A CloseNotify from the client indicates we have finished successfully
        #(we assume)
        if (!$end && !$server && $alertlev == AL_LEVEL_WARN
            && $alertdesc == AL_DESC_CLOSE_NOTIFY) {
            $success = 1;
        }
        #Fatal or close notify alerts end the test
        if ($alertlev == AL_LEVEL_FATAL || $alertdesc == AL_DESC_CLOSE_NOTIFY) {
            $end = 1;
        }
        $alert = TLSProxy::Alert->new(
            $server,
            $record->encrypted,
            $alertlev,
            $alertdesc);
    }

    return @messages;
}

#Function to work out which sub-class we need to create and then
#construct it
sub create_message
{
    my ($server, $mt, $data, $startoffset) = @_;
    my $message;

    #We only support ClientHello in this version...needs to be extended for
    #others
    if ($mt == MT_CLIENT_HELLO) {
        $message = TLSProxy::ClientHello->new(
            $server,
            $data,
            [@message_rec_list],
            $startoffset,
            [@message_frag_lens]
        );
        $message->parse();
    } elsif ($mt == MT_SERVER_HELLO) {
        $message = TLSProxy::ServerHello->new(
            $server,
            $data,
            [@message_rec_list],
            $startoffset,
            [@message_frag_lens]
        );
        $message->parse();
    } elsif ($mt == MT_ENCRYPTED_EXTENSIONS) {
        $message = TLSProxy::EncryptedExtensions->new(
            $server,
            $data,
            [@message_rec_list],
            $startoffset,
            [@message_frag_lens]
        );
        $message->parse();
    } elsif ($mt == MT_CERTIFICATE) {
        $message = TLSProxy::Certificate->new(
            $server,
            $data,
            [@message_rec_list],
            $startoffset,
            [@message_frag_lens]
        );
        $message->parse();
    } elsif ($mt == MT_CERTIFICATE_REQUEST) {
        $message = TLSProxy::CertificateRequest->new(
            $server,
            $data,
            [@message_rec_list],
            $startoffset,
            [@message_frag_lens]
        );
        $message->parse();
    } elsif ($mt == MT_CERTIFICATE_VERIFY) {
        $message = TLSProxy::CertificateVerify->new(
            $server,
            $data,
            [@message_rec_list],
            $startoffset,
            [@message_frag_lens]
        );
        $message->parse();
    } elsif ($mt == MT_SERVER_KEY_EXCHANGE) {
        $message = TLSProxy::ServerKeyExchange->new(
            $server,
            $data,
            [@message_rec_list],
            $startoffset,
            [@message_frag_lens]
        );
        $message->parse();
    } elsif ($mt == MT_NEW_SESSION_TICKET) {
        $message = TLSProxy::NewSessionTicket->new(
            $server,
            $data,
            [@message_rec_list],
            $startoffset,
            [@message_frag_lens]
        );
        $message->parse();
    } else {
        #Unknown message type
        $message = TLSProxy::Message->new(
            $server,
            $mt,
            $data,
            [@message_rec_list],
            $startoffset,
            [@message_frag_lens]
        );
    }

    return $message;
}

sub end
{
    my $class = shift;
    return $end;
}
sub success
{
    my $class = shift;
    return $success;
}
sub fail
{
    my $class = shift;
    return !$success && $end;
}

sub alert
{
    return $alert;
}

sub new
{
    my $class = shift;
    my ($server,
        $mt,
        $data,
        $records,
        $startoffset,
        $message_frag_lens) = @_;

    my $self = {
        server => $server,
        data => $data,
        records => $records,
        mt => $mt,
        startoffset => $startoffset,
        message_frag_lens => $message_frag_lens,
        dupext => -1
    };

    return bless $self, $class;
}

sub ciphersuite
{
    my $class = shift;
    if (@_) {
      $ciphersuite = shift;
    }
    return $ciphersuite;
}

#Update all the underlying records with the modified data from this message
#Note: Only supports TLSv1.3 and ETM encryption
sub repack
{
    my $self = shift;
    my $msgdata;

    my $numrecs = $#{$self->records};

    $self->set_message_contents();

    my $lenhi;
    my $lenlo;

    $lenlo = length($self->data) & 0xff;
    $lenhi = length($self->data) >> 8;
    $msgdata = pack('CnC', $self->mt, $lenhi, $lenlo).$self->data;

    if ($numrecs == 0) {
        #The message is fully contained within one record
        my ($rec) = @{$self->records};
        my $recdata = $rec->decrypt_data;

        my $old_length;

        # We use empty message_frag_lens to indicates that pre-repacking,
        # the message wasn't present. The first fragment length doesn't include
        # the TLS header, so we need to check and compute the right length.
        if (@{$self->message_frag_lens}) {
            $old_length = ${$self->message_frag_lens}[0] +
              TLS_MESSAGE_HEADER_LENGTH;
        } else {
            $old_length = 0;
        }

        my $prefix = substr($recdata, 0, $self->startoffset);
        my $suffix = substr($recdata, $self->startoffset + $old_length);

        $rec->decrypt_data($prefix.($msgdata).($suffix));
        # TODO(openssl-team): don't keep explicit lengths.
        # (If a length override is ever needed to construct invalid packets,
        #  use an explicit override field instead.)
        $rec->decrypt_len(length($rec->decrypt_data));
        # Only support re-encryption for TLSv1.3 and ETM.
        if ($rec->encrypted()) {
            if (TLSProxy::Proxy->is_tls13()) {
                #Add content type (1 byte) and 16 tag bytes
                $rec->data($rec->decrypt_data
                    .pack("C", TLSProxy::Record::RT_HANDSHAKE).("\0"x16));
            } elsif ($rec->etm()) {
                my $data = $rec->decrypt_data;
                #Add padding
                my $padval = length($data) % 16;
                $padval = 15 - $padval;
                for (0..$padval) {
                    $data .= pack("C", $padval);
                }

                #Add MAC. Assumed to be 20 bytes
                foreach my $macval (0..19) {
                    $data .= pack("C", $macval);
                }

                if ($rec->version() >= TLSProxy::Record::VERS_TLS_1_1) {
                    #Explicit IV
                    $data = ("\0"x16).$data;
                }
                $rec->data($data);
            } else {
                die "Unsupported encryption: No ETM";
            }
        } else {
            $rec->data($rec->decrypt_data);
        }
        $rec->len(length($rec->data));

        #Update the fragment len in case we changed it above
        ${$self->message_frag_lens}[0] = length($msgdata)
                                         - TLS_MESSAGE_HEADER_LENGTH;
        return;
    }

    #Note we don't currently support changing a fragmented message length
    my $recctr = 0;
    my $datadone = 0;
    foreach my $rec (@{$self->records}) {
        my $recdata = $rec->decrypt_data;
        if ($recctr == 0) {
            #This is the first record
            my $remainlen = length($recdata) - $self->startoffset;
            $rec->data(substr($recdata, 0, $self->startoffset)
                       .substr(($msgdata), 0, $remainlen));
            $datadone += $remainlen;
        } elsif ($recctr + 1 == $numrecs) {
            #This is the last record
            $rec->data(substr($msgdata, $datadone));
        } else {
            #This is a middle record
            $rec->data(substr($msgdata, $datadone, length($rec->data)));
            $datadone += length($rec->data);
        }
        $recctr++;
    }
}

#To be overridden by sub-classes
sub set_message_contents
{
}

#Read only accessors
sub server
{
    my $self = shift;
    return $self->{server};
}

#Read/write accessors
sub mt
{
    my $self = shift;
    if (@_) {
      $self->{mt} = shift;
    }
    return $self->{mt};
}
sub data
{
    my $self = shift;
    if (@_) {
      $self->{data} = shift;
    }
    return $self->{data};
}
sub records
{
    my $self = shift;
    if (@_) {
      $self->{records} = shift;
    }
    return $self->{records};
}
sub startoffset
{
    my $self = shift;
    if (@_) {
      $self->{startoffset} = shift;
    }
    return $self->{startoffset};
}
sub message_frag_lens
{
    my $self = shift;
    if (@_) {
      $self->{message_frag_lens} = shift;
    }
    return $self->{message_frag_lens};
}
sub encoded_length
{
    my $self = shift;
    return TLS_MESSAGE_HEADER_LENGTH + length($self->data);
}
sub dupext
{
    my $self = shift;
    if (@_) {
        $self->{dupext} = shift;
    }
    return $self->{dupext};
}
sub successondata
{
    my $class = shift;
    if (@_) {
        $successondata = shift;
    }
    return $successondata;
}
1;
Commit	Line	Data
3c2bdd7d	1	# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
631c1206	2	#
9059ab42	3	# Licensed under the Apache License 2.0 (the "License"). You may not use
ac3d0e13 RS	4	# this file except in compliance with the License. You can obtain a copy
	5	# in the file LICENSE in the source distribution or at
	6	# https://www.openssl.org/source/license.html
631c1206 MC	7
	8	use strict;
	9
	10	package TLSProxy::Message;
	11
f460e839 MC	12	use TLSProxy::Alert;
f460e839 MC	13
631c1206 MC	14	use constant TLS_MESSAGE_HEADER_LENGTH => 4;
	15
	16	#Message types
	17	use constant {
	18	MT_HELLO_REQUEST => 0,
	19	MT_CLIENT_HELLO => 1,
	20	MT_SERVER_HELLO => 2,
	21	MT_NEW_SESSION_TICKET => 4,
e46f2334	22	MT_ENCRYPTED_EXTENSIONS => 8,
631c1206 MC	23	MT_CERTIFICATE => 11,
	24	MT_SERVER_KEY_EXCHANGE => 12,
	25	MT_CERTIFICATE_REQUEST => 13,
	26	MT_SERVER_HELLO_DONE => 14,
	27	MT_CERTIFICATE_VERIFY => 15,
	28	MT_CLIENT_KEY_EXCHANGE => 16,
	29	MT_FINISHED => 20,
	30	MT_CERTIFICATE_STATUS => 22,
	31	MT_NEXT_PROTO => 67
	32	};
8af538e5 MC	33
	34	#Alert levels
	35	use constant {
	36	AL_LEVEL_WARN => 1,
	37	AL_LEVEL_FATAL => 2
	38	};
	39
	40	#Alert descriptions
	41	use constant {
c3fd55d4	42	AL_DESC_CLOSE_NOTIFY => 0,
a2a0c86b	43	AL_DESC_UNEXPECTED_MESSAGE => 10,
9b287d53	44	AL_DESC_ILLEGAL_PARAMETER => 47,
a2a0c86b	45	AL_DESC_NO_RENEGOTIATION => 100
8af538e5 MC	46	};
8af538e5 MC	47
631c1206 MC	48	my %message_type = (
	49	MT_HELLO_REQUEST, "HelloRequest",
	50	MT_CLIENT_HELLO, "ClientHello",
	51	MT_SERVER_HELLO, "ServerHello",
	52	MT_NEW_SESSION_TICKET, "NewSessionTicket",
e46f2334	53	MT_ENCRYPTED_EXTENSIONS, "EncryptedExtensions",
631c1206 MC	54	MT_CERTIFICATE, "Certificate",
	55	MT_SERVER_KEY_EXCHANGE, "ServerKeyExchange",
	56	MT_CERTIFICATE_REQUEST, "CertificateRequest",
	57	MT_SERVER_HELLO_DONE, "ServerHelloDone",
	58	MT_CERTIFICATE_VERIFY, "CertificateVerify",
	59	MT_CLIENT_KEY_EXCHANGE, "ClientKeyExchange",
	60	MT_FINISHED, "Finished",
	61	MT_CERTIFICATE_STATUS, "CertificateStatus",
	62	MT_NEXT_PROTO, "NextProto"
	63	);
	64
aa474d1f	65	use constant {
9ce3ed2a	66	EXT_SERVER_NAME => 0,
cf72c757	67	EXT_MAX_FRAGMENT_LENGTH => 1,
aa474d1f	68	EXT_STATUS_REQUEST => 5,
5a8e54d9	69	EXT_SUPPORTED_GROUPS => 10,
9ce3ed2a MC	70	EXT_EC_POINT_FORMATS => 11,
	71	EXT_SRP => 12,
	72	EXT_SIG_ALGS => 13,
	73	EXT_USE_SRTP => 14,
	74	EXT_ALPN => 16,
	75	EXT_SCT => 18,
	76	EXT_PADDING => 21,
aa474d1f EK	77	EXT_ENCRYPT_THEN_MAC => 22,
	78	EXT_EXTENDED_MASTER_SECRET => 23,
	79	EXT_SESSION_TICKET => 35,
f27f5cd4	80	EXT_KEY_SHARE => 51,
1c361b4a	81	EXT_PSK => 41,
9ce3ed2a	82	EXT_SUPPORTED_VERSIONS => 43,
ee700226	83	EXT_COOKIE => 44,
b2f7e8c0	84	EXT_PSK_KEX_MODES => 45,
9d75dce3	85	EXT_POST_HANDSHAKE_AUTH => 49,
3e524bf2	86	EXT_SIG_ALGS_CERT => 50,
9ce3ed2a MC	87	EXT_RENEGOTIATE => 65281,
9ce3ed2a MC	88	EXT_NPN => 13172,
9effc496	89	EXT_CRYPTOPRO_BUG_EXTENSION => 0xfde8,
5e3766e2	90	EXT_UNKNOWN => 0xfffe,
717afd93 MC	91	#Unknown extension that should appear last
717afd93 MC	92	EXT_FORCE_LAST => 0xffff
aa474d1f EK	93	};
aa474d1f EK	94
35e742ec MC	95	# SignatureScheme of TLS 1.3 from:
35e742ec MC	96	# https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-signaturescheme
d499a3e1 BK	97	# We have to manually grab the SHA224 equivalents from the old registry
	98	use constant {
	99	SIG_ALG_RSA_PKCS1_SHA256 => 0x0401,
	100	SIG_ALG_RSA_PKCS1_SHA384 => 0x0501,
	101	SIG_ALG_RSA_PKCS1_SHA512 => 0x0601,
	102	SIG_ALG_ECDSA_SECP256R1_SHA256 => 0x0403,
	103	SIG_ALG_ECDSA_SECP384R1_SHA384 => 0x0503,
	104	SIG_ALG_ECDSA_SECP521R1_SHA512 => 0x0603,
9e6a3202 MC	105	SIG_ALG_RSA_PSS_RSAE_SHA256 => 0x0804,
	106	SIG_ALG_RSA_PSS_RSAE_SHA384 => 0x0805,
	107	SIG_ALG_RSA_PSS_RSAE_SHA512 => 0x0806,
d499a3e1 BK	108	SIG_ALG_ED25519 => 0x0807,
d499a3e1 BK	109	SIG_ALG_ED448 => 0x0808,
9e6a3202 MC	110	SIG_ALG_RSA_PSS_PSS_SHA256 => 0x0809,
	111	SIG_ALG_RSA_PSS_PSS_SHA384 => 0x080a,
	112	SIG_ALG_RSA_PSS_PSS_SHA512 => 0x080b,
d499a3e1 BK	113	SIG_ALG_RSA_PKCS1_SHA1 => 0x0201,
	114	SIG_ALG_ECDSA_SHA1 => 0x0203,
	115	SIG_ALG_DSA_SHA1 => 0x0202,
	116	SIG_ALG_DSA_SHA256 => 0x0402,
	117	SIG_ALG_DSA_SHA384 => 0x0502,
	118	SIG_ALG_DSA_SHA512 => 0x0602,
	119	OSSL_SIG_ALG_RSA_PKCS1_SHA224 => 0x0301,
	120	OSSL_SIG_ALG_DSA_SHA224 => 0x0302,
	121	OSSL_SIG_ALG_ECDSA_SHA224 => 0x0303
	122	};
	123
397f4f78	124	use constant {
9b287d53	125	CIPHER_RSA_WITH_AES_128_CBC_SHA => 0x002f,
79d8c167	126	CIPHER_DHE_RSA_AES_128_SHA => 0x0033,
c35cb287 MC	127	CIPHER_ADH_AES_128_SHA => 0x0034,
	128	CIPHER_TLS13_AES_128_GCM_SHA256 => 0x1301,
	129	CIPHER_TLS13_AES_256_GCM_SHA384 => 0x1302
397f4f78 MC	130	};
397f4f78 MC	131
dc5bcb88 MC	132	use constant {
	133	CLIENT => 0,
	134	SERVER => 1
	135	};
	136
631c1206 MC	137	my $payload = "";
	138	my $messlen = -1;
	139	my $mt;
	140	my $startoffset = -1;
	141	my $server = 0;
	142	my $success = 0;
	143	my $end = 0;
	144	my @message_rec_list = ();
	145	my @message_frag_lens = ();
a1accbb1	146	my $ciphersuite = 0;
1c361b4a	147	my $successondata = 0;
f460e839	148	my $alert;
631c1206 MC	149
	150	sub clear
	151	{
	152	$payload = "";
	153	$messlen = -1;
	154	$startoffset = -1;
	155	$server = 0;
	156	$success = 0;
	157	$end = 0;
1c361b4a	158	$successondata = 0;
631c1206 MC	159	@message_rec_list = ();
631c1206 MC	160	@message_frag_lens = ();
f460e839	161	$alert = undef;
631c1206 MC	162	}
	163
	164	#Class method to extract messages from a record
	165	sub get_messages
	166	{
	167	my $class = shift;
	168	my $serverin = shift;
	169	my $record = shift;
	170	my @messages = ();
	171	my $message;
	172
a1accbb1 MC	173	@message_frag_lens = ();
a1accbb1 MC	174
631c1206 MC	175	if ($serverin != $server && length($payload) != 0) {
	176	die "Changed peer, but we still have fragment data\n";
	177	}
	178	$server = $serverin;
	179
	180	if ($record->content_type == TLSProxy::Record::RT_CCS) {
	181	if ($payload ne "") {
	182	#We can't handle this yet
	183	die "CCS received before message data complete\n";
	184	}
be60b10a MC	185	if (!TLSProxy::Proxy->is_tls13()) {
	186	if ($server) {
	187	TLSProxy::Record->server_encrypting(1);
	188	} else {
	189	TLSProxy::Record->client_encrypting(1);
	190	}
631c1206 MC	191	}
	192	} elsif ($record->content_type == TLSProxy::Record::RT_HANDSHAKE) {
	193	if ($record->len == 0 \|\| $record->len_real == 0) {
	194	print " Message truncated\n";
	195	} else {
	196	my $recoffset = 0;
	197
	198	if (length $payload > 0) {
	199	#We are continuing processing a message started in a previous
	200	#record. Add this record to the list associated with this
	201	#message
	202	push @message_rec_list, $record;
	203
	204	if ($messlen <= length($payload)) {
	205	#Shouldn't happen
	206	die "Internal error: invalid messlen: ".$messlen
	207	." payload length:".length($payload)."\n";
	208	}
	209	if (length($payload) + $record->decrypt_len >= $messlen) {
	210	#We can complete the message with this record
	211	$recoffset = $messlen - length($payload);
	212	$payload .= substr($record->decrypt_data, 0, $recoffset);
	213	push @message_frag_lens, $recoffset;
	214	$message = create_message($server, $mt, $payload,
	215	$startoffset);
	216	push @messages, $message;
	217
631c1206 MC	218	$payload = "";
	219	} else {
	220	#This is just part of the total message
	221	$payload .= $record->decrypt_data;
	222	$recoffset = $record->decrypt_len;
	223	push @message_frag_lens, $record->decrypt_len;
	224	}
	225	print " Partial message data read: ".$recoffset." bytes\n";
	226	}
	227
	228	while ($record->decrypt_len > $recoffset) {
	229	#We are at the start of a new message
	230	if ($record->decrypt_len - $recoffset < 4) {
	231	#Whilst technically probably valid we can't cope with this
	232	die "End of record in the middle of a message header\n";
	233	}
	234	@message_rec_list = ($record);
	235	my $lenhi;
	236	my $lenlo;
	237	($mt, $lenhi, $lenlo) = unpack('CnC',
	238	substr($record->decrypt_data,
	239	$recoffset));
	240	$messlen = ($lenhi << 8) \| $lenlo;
	241	print " Message type: $message_type{$mt}\n";
	242	print " Message Length: $messlen\n";
	243	$startoffset = $recoffset;
	244	$recoffset += 4;
	245	$payload = "";
df443918	246
d70bde88	247	if ($recoffset <= $record->decrypt_len) {
631c1206 MC	248	#Some payload data is present in this record
	249	if ($record->decrypt_len - $recoffset >= $messlen) {
	250	#We can complete the message with this record
	251	$payload .= substr($record->decrypt_data, $recoffset,
	252	$messlen);
	253	$recoffset += $messlen;
	254	push @message_frag_lens, $messlen;
	255	$message = create_message($server, $mt, $payload,
	256	$startoffset);
	257	push @messages, $message;
	258
631c1206 MC	259	$payload = "";
	260	} else {
	261	#This is just part of the total message
	262	$payload .= substr($record->decrypt_data, $recoffset,
	263	$record->decrypt_len - $recoffset);
	264	$recoffset = $record->decrypt_len;
	265	push @message_frag_lens, $recoffset;
	266	}
	267	}
	268	}
	269	}
	270	} elsif ($record->content_type == TLSProxy::Record::RT_APPLICATION_DATA) {
	271	print " [ENCRYPTED APPLICATION DATA]\n";
	272	print " [".$record->decrypt_data."]\n";
1c361b4a MC	273
	274	if ($successondata) {
	275	$success = 1;
	276	$end = 1;
	277	}
631c1206	278	} elsif ($record->content_type == TLSProxy::Record::RT_ALERT) {
8af538e5	279	my ($alertlev, $alertdesc) = unpack('CC', $record->decrypt_data);
3f473b93	280	print " [$alertlev, $alertdesc]\n";
8af538e5 MC	281	#A CloseNotify from the client indicates we have finished successfully
8af538e5 MC	282	#(we assume)
8523288e	283	if (!$end && !$server && $alertlev == AL_LEVEL_WARN
8af538e5 MC	284	&& $alertdesc == AL_DESC_CLOSE_NOTIFY) {
	285	$success = 1;
	286	}
3f473b93 AP	287	#Fatal or close notify alerts end the test
	288	if ($alertlev == AL_LEVEL_FATAL \|\| $alertdesc == AL_DESC_CLOSE_NOTIFY) {
	289	$end = 1;
	290	}
f460e839 MC	291	$alert = TLSProxy::Alert->new(
	292	$server,
	293	$record->encrypted,
	294	$alertlev,
	295	$alertdesc);
631c1206 MC	296	}
	297
	298	return @messages;
	299	}
	300
	301	#Function to work out which sub-class we need to create and then
	302	#construct it
	303	sub create_message
	304	{
	305	my ($server, $mt, $data, $startoffset) = @_;
	306	my $message;
	307
	308	#We only support ClientHello in this version...needs to be extended for
	309	#others
	310	if ($mt == MT_CLIENT_HELLO) {
	311	$message = TLSProxy::ClientHello->new(
	312	$server,
	313	$data,
	314	[@message_rec_list],
	315	$startoffset,
	316	[@message_frag_lens]
	317	);
	318	$message->parse();
a1accbb1 MC	319	} elsif ($mt == MT_SERVER_HELLO) {
	320	$message = TLSProxy::ServerHello->new(
	321	$server,
	322	$data,
	323	[@message_rec_list],
	324	$startoffset,
	325	[@message_frag_lens]
	326	);
9ce3ed2a MC	327	$message->parse();
	328	} elsif ($mt == MT_ENCRYPTED_EXTENSIONS) {
	329	$message = TLSProxy::EncryptedExtensions->new(
	330	$server,
	331	$data,
	332	[@message_rec_list],
	333	$startoffset,
	334	[@message_frag_lens]
	335	);
e96e0f8e MC	336	$message->parse();
	337	} elsif ($mt == MT_CERTIFICATE) {
	338	$message = TLSProxy::Certificate->new(
	339	$server,
	340	$data,
	341	[@message_rec_list],
	342	$startoffset,
	343	[@message_frag_lens]
	344	);
adb403de	345	$message->parse();
dc5bcb88 MC	346	} elsif ($mt == MT_CERTIFICATE_REQUEST) {
	347	$message = TLSProxy::CertificateRequest->new(
	348	$server,
	349	$data,
	350	[@message_rec_list],
	351	$startoffset,
	352	[@message_frag_lens]
	353	);
	354	$message->parse();
adb403de MC	355	} elsif ($mt == MT_CERTIFICATE_VERIFY) {
	356	$message = TLSProxy::CertificateVerify->new(
	357	$server,
	358	$data,
	359	[@message_rec_list],
	360	$startoffset,
	361	[@message_frag_lens]
	362	);
a1accbb1 MC	363	$message->parse();
	364	} elsif ($mt == MT_SERVER_KEY_EXCHANGE) {
	365	$message = TLSProxy::ServerKeyExchange->new(
	366	$server,
	367	$data,
	368	[@message_rec_list],
	369	$startoffset,
	370	[@message_frag_lens]
7f6d90ac EK	371	);
	372	$message->parse();
	373	} elsif ($mt == MT_NEW_SESSION_TICKET) {
	374	$message = TLSProxy::NewSessionTicket->new(
	375	$server,
	376	$data,
	377	[@message_rec_list],
	378	$startoffset,
	379	[@message_frag_lens]
a1accbb1 MC	380	);
a1accbb1 MC	381	$message->parse();
631c1206 MC	382	} else {
	383	#Unknown message type
	384	$message = TLSProxy::Message->new(
	385	$server,
	386	$mt,
	387	$data,
	388	[@message_rec_list],
	389	$startoffset,
	390	[@message_frag_lens]
	391	);
	392	}
	393
	394	return $message;
	395	}
	396
	397	sub end
	398	{
	399	my $class = shift;
	400	return $end;
	401	}
	402	sub success
	403	{
	404	my $class = shift;
	405	return $success;
	406	}
a1accbb1 MC	407	sub fail
	408	{
	409	my $class = shift;
	410	return !$success && $end;
	411	}
f460e839 MC	412
	413	sub alert
	414	{
	415	return $alert;
	416	}
	417
631c1206 MC	418	sub new
	419	{
	420	my $class = shift;
	421	my ($server,
	422	$mt,
	423	$data,
	424	$records,
	425	$startoffset,
	426	$message_frag_lens) = @_;
df443918	427
631c1206 MC	428	my $self = {
	429	server => $server,
	430	data => $data,
	431	records => $records,
	432	mt => $mt,
	433	startoffset => $startoffset,
9effc496 MC	434	message_frag_lens => $message_frag_lens,
9effc496 MC	435	dupext => -1
631c1206 MC	436	};
	437
	438	return bless $self, $class;
	439	}
	440
a1accbb1 MC	441	sub ciphersuite
	442	{
	443	my $class = shift;
	444	if (@_) {
	445	$ciphersuite = shift;
	446	}
	447	return $ciphersuite;
	448	}
	449
631c1206	450	#Update all the underlying records with the modified data from this message
ae937a09	451	#Note: Only supports TLSv1.3 and ETM encryption
631c1206 MC	452	sub repack
	453	{
	454	my $self = shift;
	455	my $msgdata;
	456
	457	my $numrecs = $#{$self->records};
	458
	459	$self->set_message_contents();
	460
	461	my $lenhi;
	462	my $lenlo;
	463
	464	$lenlo = length($self->data) & 0xff;
	465	$lenhi = length($self->data) >> 8;
4deefd65	466	$msgdata = pack('CnC', $self->mt, $lenhi, $lenlo).$self->data;
631c1206	467
631c1206 MC	468	if ($numrecs == 0) {
	469	#The message is fully contained within one record
	470	my ($rec) = @{$self->records};
	471	my $recdata = $rec->decrypt_data;
	472
cf7f8592 EK	473	my $old_length;
	474
	475	# We use empty message_frag_lens to indicates that pre-repacking,
	476	# the message wasn't present. The first fragment length doesn't include
	477	# the TLS header, so we need to check and compute the right length.
	478	if (@{$self->message_frag_lens}) {
	479	$old_length = ${$self->message_frag_lens}[0] +
	480	TLS_MESSAGE_HEADER_LENGTH;
	481	} else {
	482	$old_length = 0;
631c1206 MC	483	}
631c1206 MC	484
cf7f8592 EK	485	my $prefix = substr($recdata, 0, $self->startoffset);
	486	my $suffix = substr($recdata, $self->startoffset + $old_length);
	487
	488	$rec->decrypt_data($prefix.($msgdata).($suffix));
	489	# TODO(openssl-team): don't keep explicit lengths.
	490	# (If a length override is ever needed to construct invalid packets,
	491	# use an explicit override field instead.)
	492	$rec->decrypt_len(length($rec->decrypt_data));
ae937a09 MC	493	# Only support re-encryption for TLSv1.3 and ETM.
	494	if ($rec->encrypted()) {
	495	if (TLSProxy::Proxy->is_tls13()) {
	496	#Add content type (1 byte) and 16 tag bytes
	497	$rec->data($rec->decrypt_data
	498	.pack("C", TLSProxy::Record::RT_HANDSHAKE).("\0"x16));
	499	} elsif ($rec->etm()) {
	500	my $data = $rec->decrypt_data;
	501	#Add padding
	502	my $padval = length($data) % 16;
	503	$padval = 15 - $padval;
	504	for (0..$padval) {
	505	$data .= pack("C", $padval);
	506	}
	507
	508	#Add MAC. Assumed to be 20 bytes
	509	foreach my $macval (0..19) {
	510	$data .= pack("C", $macval);
	511	}
	512
	513	if ($rec->version() >= TLSProxy::Record::VERS_TLS_1_1) {
	514	#Explicit IV
	515	$data = ("\0"x16).$data;
	516	}
	517	$rec->data($data);
	518	} else {
	519	die "Unsupported encryption: No ETM";
	520	}
357d096a MC	521	} else {
	522	$rec->data($rec->decrypt_data);
	523	}
ae937a09	524	$rec->len(length($rec->data));
631c1206 MC	525
	526	#Update the fragment len in case we changed it above
	527	${$self->message_frag_lens}[0] = length($msgdata)
	528	- TLS_MESSAGE_HEADER_LENGTH;
	529	return;
	530	}
	531
	532	#Note we don't currently support changing a fragmented message length
	533	my $recctr = 0;
	534	my $datadone = 0;
	535	foreach my $rec (@{$self->records}) {
	536	my $recdata = $rec->decrypt_data;
	537	if ($recctr == 0) {
	538	#This is the first record
	539	my $remainlen = length($recdata) - $self->startoffset;
	540	$rec->data(substr($recdata, 0, $self->startoffset)
	541	.substr(($msgdata), 0, $remainlen));
	542	$datadone += $remainlen;
	543	} elsif ($recctr + 1 == $numrecs) {
	544	#This is the last record
	545	$rec->data(substr($msgdata, $datadone));
	546	} else {
	547	#This is a middle record
	548	$rec->data(substr($msgdata, $datadone, length($rec->data)));
	549	$datadone += length($rec->data);
	550	}
	551	$recctr++;
	552	}
	553	}
	554
	555	#To be overridden by sub-classes
	556	sub set_message_contents
	557	{
	558	}
	559
	560	#Read only accessors
	561	sub server
	562	{
	563	my $self = shift;
	564	return $self->{server};
	565	}
	566
	567	#Read/write accessors
	568	sub mt
	569	{
	570	my $self = shift;
	571	if (@_) {
	572	$self->{mt} = shift;
	573	}
	574	return $self->{mt};
	575	}
	576	sub data
	577	{
	578	my $self = shift;
	579	if (@_) {
	580	$self->{data} = shift;
	581	}
	582	return $self->{data};
	583	}
	584	sub records
	585	{
	586	my $self = shift;
	587	if (@_) {
	588	$self->{records} = shift;
589	}
590	return $self->{records};
591	}
592	sub startoffset
593	{
594	my $self = shift;
595	if (@_) {
596	$self->{startoffset} = shift;
597	}
598	return $self->{startoffset};
599	}
600	sub message_frag_lens
601	{
602	my $self = shift;
603	if (@_) {
604	$self->{message_frag_lens} = shift;
605	}
606	return $self->{message_frag_lens};
607	}
cf7f8592 EK	608	sub encoded_length
	609	{
	610	my $self = shift;
	611	return TLS_MESSAGE_HEADER_LENGTH + length($self->data);
	612	}
9effc496 MC	613	sub dupext
	614	{
	615	my $self = shift;
	616	if (@_) {
	617	$self->{dupext} = shift;
	618	}
	619	return $self->{dupext};
	620	}
1c361b4a MC	621	sub successondata
	622	{
	623	my $class = shift;
	624	if (@_) {
	625	$successondata = shift;
	626	}
	627	return $successondata;
	628	}
631c1206	629	1;