handling PHA in server

Author: tomato42

tests/tlstest.py

@@ -77,7 +77,6 @@ def testConnClient(conn):
     conn.write(b1)
     conn.write(b10)
     conn.write(b100)
-    conn.write(b1000)
     r1 = conn.read(min=1, max=1)
     assert len(r1) == 1
     assert r1 == b1
@@ -87,6 +86,7 @@ def testConnClient(conn):
     r100 = conn.read(min=100, max=100)
     assert len(r100) == 100
     assert r100 == b100
+    conn.write(b1000)
     r1000 = conn.read(min=1000, max=1000)
     assert len(r1000) == 1000
     assert r1000 == b1000
@@ -707,6 +707,20 @@ def connect():
 
     test_no += 1
 
+    print("Test {0} - good mutual X.509, PHA, TLSv1.3".format(test_no))
+    synchro.recv(1)
+    connection = connect()
+    settings = HandshakeSettings()
+    settings.minVersion = (3, 4)
+    settings.maxVersion = (3, 4)
+    connection.handshakeClientCert(x509Chain, x509Key, settings=settings)
+    synchro.recv(1)
+    testConnClient(connection)
+    assert(isinstance(connection.session.serverCertChain, X509CertChain))
+    connection.close()
+
+    test_no += 1
+
     print("Test {0} - good mutual X.509, TLSv1.1".format(test_no))
     synchro.recv(1)
     connection = connect()
@@ -1934,6 +1948,26 @@ def connect():
 
     test_no += 1
 
+    print("Test {0} - good mutual X.509, PHA, TLSv1.3".format(test_no))
+    synchro.send(b'R')
+    connection = connect()
+    settings = HandshakeSettings()
+    settings.minVersion = (3, 4)
+    settings.maxVersion = (3, 4)
+    connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
+                               settings=settings)
+    assert connection.session.clientCertChain is None
+    for result in connection.request_post_handshake_auth(settings):
+        assert result in (0, 1)
+    synchro.send(b'R')
+    testConnServer(connection)
+
+    assert connection.session.clientCertChain is not None
+    assert isinstance(connection.session.clientCertChain, X509CertChain)
+    connection.close()
+
+    test_no += 1
+
     print("Test {0} - good mutual X.509, TLSv1.1".format(test_no))
     synchro.send(b'R')
     connection = connect()

tlslite/tlsconnection.py

@@ -85,6 +85,7 @@ def __init__(self, sock):
         # if and how big is the limit on records peer is willing to accept
         # used only for TLS 1.2 and earlier
         self._peer_record_size_limit = None
+        self._pha_supported = False
 
     def keyingMaterialExporter(self, label, length=20):
         """Return keying material as described in RFC 5705
@@ -2327,6 +2328,40 @@ def _handshakeServerAsyncHelper(self, verifierDB,
         self._serverRandom = serverHello.random
         self._clientRandom = clientHello.random
 
+    def request_post_handshake_auth(self, settings=None):
+        """
+        Request Post-handshake Authentication from client.
+
+        The PHA process is asynchronous, and client may send some data before
+        its certificates are added to Session object. Calling this generator
+        will only request for the new identity of client, it will not wait for
+        it.
+        """
+        if self.version != (3, 4):
+            raise ValueError("PHA is supported only in TLS 1.3")
+        if self._client:
+            raise ValueError("PHA can only be requested by server")
+        if not self._pha_supported:
+            raise ValueError("PHA not supported by client")
+
+        settings = settings or HandshakeSettings()
+        settings = settings.validate()
+
+        valid_sig_algs = self._sigHashesToList(settings)
+        if not valid_sig_algs:
+            raise ValueError("No signature algorithms enabled in "
+                             "HandshakeSettings")
+
+        context = bytes(getRandomBytes(32))
+
+        certificate_request = CertificateRequest(self.version)
+        certificate_request.create(context=context, sig_algs=valid_sig_algs)
+
+        self._cert_requests[context] = certificate_request
+
+        for result in self._sendMsg(certificate_request):
+            yield result
+
     @staticmethod
     def _derive_key_iv(nonce, user_key, settings):
         """Derive the IV and key for session ticket encryption."""
@@ -2820,6 +2855,8 @@ def _serverTLS13Handshake(self, settings, clientHello, cipherSuite,
                                                  self._handshake_hash,
                                                  prf_name)
 
+        self._first_handshake_hashes = self._handshake_hash.copy()
+
         self.session = Session()
         self.extendedMasterSecret = True
         server_name = None
@@ -2986,6 +3023,16 @@ def _serverGetClientHello(self, settings, private_key, cert_chain,
             sup_groups = clientHello.getExtension(
                 ExtensionType.supported_groups)
 
+            pha = clientHello.getExtension(ExtensionType.post_handshake_auth)
+            if pha:
+                if pha.extData:
+                    for result in self._sendError(
+                            AlertDescription.decode_error,
+                            "Invalid encoding of post_handshake_auth extension"
+                            ):
+                        yield result
+                self._pha_supported = True
+
             key_exchange = None
 
             if psk_modes:

tlslite/tlsrecordlayer.py

@@ -188,6 +188,11 @@ def __init__(self, sock):
         # used for post handshake authentication in TLS 1.3
         self._client_keypair = None
 
+        # dictionary with CertificateRequest messages we (as a server) have
+        # sent, the keys are the "certificate request context" from the
+        # messages (which are the values)
+        self._cert_requests = {}
+
     @property
     def _send_record_limit(self):
         """Maximum size of payload that can be sent."""
@@ -303,13 +308,19 @@ def readAsync(self, max=None, min=1):
         :rtype: iterable
         :returns: A generator; see above for details.
         """
+        constructor_type = None
         if self.version > (3, 3):
             allowedTypes = (ContentType.application_data,
                             ContentType.handshake)
             if self._client_keypair:
                 allowedHsTypes = (HandshakeType.new_session_ticket,
                                   HandshakeType.key_update,
                                   HandshakeType.certificate_request)
+            elif self._cert_requests:
+                allowedHsTypes = (HandshakeType.new_session_ticket,
+                                  HandshakeType.key_update,
+                                  HandshakeType.certificate)
+                constructor_type = CertificateType.x509
             else:
                 allowedHsTypes = (HandshakeType.new_session_ticket,
                                   HandshakeType.key_update)
@@ -320,7 +331,8 @@ def readAsync(self, max=None, min=1):
             while len(self._readBuffer) < min and not self.closed:
                 try:
                     for result in self._getMsg(allowedTypes,
-                                               allowedHsTypes):
+                                               allowedHsTypes,
+                                               constructor_type):
                         if result in (0, 1):
                             yield result
                     if isinstance(result, NewSessionTicket):
@@ -331,10 +343,13 @@ def readAsync(self, max=None, min=1):
                         for result in self._handle_keyupdate_request(result):
                             yield result
                         continue
+                    elif isinstance(result, Certificate):
+                        for result in self._handle_srv_pha(result):
+                            yield result
+                        continue
                     elif isinstance(result, CertificateRequest):
                         for result in self._handle_pha(result):
-                            if result in (0, 1):
-                                yield
+                            yield result
                         continue
                     applicationData = result
                     self._readBuffer += applicationData.write()
@@ -705,6 +720,117 @@ def _handle_pha(self, cert_request):
         for result in self._sendMsgs(msgs):
             yield result
 
+    def _handle_srv_pha(self, cert):
+        """Process the post-handshake authentication from client."""
+        prf_name = 'sha256'
+        prf_size = 32
+        if self.session.cipherSuite in CipherSuite.sha384PrfSuites:
+            prf_name = 'sha384'
+            prf_size = 48
+
+        cr_context = cert.certificate_request_context
+        if not cr_context:
+            for result in self._sendError(
+                    AlertDescription.illegal_parameter,
+                    "Certificate Request context missing in Certificate "
+                    "message from client"):
+                yield result
+
+        try:
+            cr = self._cert_requests.pop(bytes(cr_context))
+        except KeyError:
+            for result in self._sendError(
+                    AlertDescription.illegal_parameter,
+                    "Certificiate Request context is incorrect or was already "
+                    "handled previously"):
+                yield result
+
+        # TODO: verify that the extensions used by client were sent by us in
+        # CertificateReuest
+
+        handshake_context = self._first_handshake_hashes.copy()
+        handshake_context.update(cr.write())
+        handshake_context.update(cert.write())
+
+        if cert.cert_chain:
+            for result in self._getMsg(ContentType.handshake,
+                                       HandshakeType.certificate_verify):
+                if result in (0, 1):
+                    yield result
+                else:
+                    break
+            assert isinstance(result, CertificateVerify)
+            cert_verify = result
+
+            valid_sig_algs = cr.supported_signature_algs
+            if cert_verify.signatureAlgorithm not in valid_sig_algs:
+                for result in self._sendError(
+                        AlertDescription.illegal_parameter,
+                        "Client selected signature algorithm we didn't "
+                        "advertise"):
+                    yield result
+            avail_sig_algs = self._sigHashesToList(HandshakeSettings(), None,
+                                                   cert.cert_chain,
+                                                   version=(3, 4))
+            if cert_verify.signatureAlgorithm not in avail_sig_algs:
+                for result in self._sendError(
+                        AlertDescription.illegal_parameter,
+                        "Client selected signature algorithm not consistent "
+                        "with public key in its certificate"):
+                    yield result
+            scheme = SignatureScheme.toRepr(cert_verify.signatureAlgorithm)
+            sig_scheme = getattr(SignatureScheme, scheme)
+
+            signature_context = \
+                KeyExchange.calcVerifyBytes((3, 4),
+                                            handshake_context,
+                                            sig_scheme, None, None, None,
+                                            prf_name, b'client')
+
+            if sig_scheme[1] == SignatureAlgorithm.ecdsa:
+                pad_type = None
+                hash_name = HashAlgorithm.toRepr(sig_scheme[0])
+                salt_len = None
+            else:
+                pad_type = SignatureScheme.getPadding(scheme)
+                hash_name = SignatureScheme.getHash(scheme)
+                salt_len = getattr(hashlib, hash_name)().digest_size
+
+            if not cert.cert_chain.getEndEntityPublicKey().verify(
+                    cert_verify.signature, signature_context, pad_type,
+                    hash_name, salt_len):
+                for result in self._sendError(
+                        AlertDescription.decrypt_error,
+                        "Signature verification failed"):
+                    yield result
+            handshake_context.update(cert_verify.write())
+
+        finished_key = HKDF_expand_label(self.session.cl_app_secret,
+                                         b'finished', b'',
+                                         prf_size, prf_name)
+        verify_data = secureHMAC(finished_key,
+                                 handshake_context.digest(prf_name),
+                                 prf_name)
+
+        for result in self._getMsg(ContentType.handshake,
+                                   HandshakeType.finished,
+                                   prf_size):
+            if result in (0, 1):
+                yield result
+            else:
+                break
+        assert isinstance(result, Finished)
+
+        finished = result
+
+        if finished.verify_data != verify_data:
+            for result in self._sendError(
+                    AlertDescription.decrypt_error,
+                    "Invalid Finished verify_data from client"):
+                yield result
+
+        self.session.clientCertChain = cert.cert_chain
+
     def _shutdown(self, resumable):
         self._recordLayer.shutdown()
         self.version = (0,0)