Merge pull request #3608 from Rohde-Schwarz/tls13/kem_callbacks

reneme · web-flow · commit cf8d8a6ca86e · 2023-07-03T17:00:43.000+02:00
[TLS 1.3] Use a KEM interface in the Callbacks
diff --git a/src/bogo_shim/bogo_shim.cpp b/src/bogo_shim/bogo_shim.cpp
@@ -225,7 +225,7 @@ std::string map_to_bogo_error(const std::string& e) {
       {"Server sent ECC curve prohibited by policy", ":WRONG_CURVE:"},
       {"group was not advertised as supported", ":WRONG_CURVE:"},
       {"group was already offered", ":WRONG_CURVE:"},
-      {"Server selected an unexpected key exchange group.", ":WRONG_CURVE:"},
+      {"Server selected a key exchange group we didn't offer.", ":WRONG_CURVE:"},
       {"TLS 1.3 Server Hello selected a different version", ":SECOND_SERVERHELLO_VERSION_MISMATCH:"},
       {"Version downgrade received after Hello Retry", ":SECOND_SERVERHELLO_VERSION_MISMATCH:"},
       {"protected change cipher spec received", ":UNEXPECTED_RECORD:"},
diff --git a/src/lib/tls/msg_server_hello.cpp b/src/lib/tls/msg_server_hello.cpp
@@ -482,6 +482,21 @@ std::variant<Hello_Retry_Request, Server_Hello_13> Server_Hello_13::create(const
       throw TLS_Exception(Alert::HandshakeFailure, "Client did not offer any acceptable group");
    }
 
+   // RFC 8446 4.2.8:
+   //    Servers MUST NOT send a KeyShareEntry for any group not indicated in the
+   //    client's "supported_groups" extension [...]
+   if(!value_exists(supported_by_client, selected_group)) {
+      throw TLS_Exception(Alert::InternalError, "Application selected a group that is not supported by the client");
+   }
+
+   // RFC 8446 4.1.4
+   //    The server will send this message in response to a ClientHello
+   //    message if it is able to find an acceptable set of parameters but the
+   //    ClientHello does not contain sufficient information to proceed with
+   //    the handshake.
+   //
+   // In this case, the Client Hello did not contain a key share offer for
+   // the group selected by the application.
    if(!value_exists(offered_by_client, selected_group)) {
       // RFC 8446 4.1.4
       //    If a client receives a second HelloRetryRequest in the same
@@ -709,7 +724,9 @@ Server_Hello_13::Server_Hello_13(const Client_Hello_13& ch,
    m_data->extensions().add(new Supported_Versions(Protocol_Version::TLS_V13));
 
    if(key_exchange_group.has_value()) {
-      m_data->extensions().add(new Key_Share(key_exchange_group.value(), cb, rng));
+      BOTAN_ASSERT_NOMSG(ch.extensions().has<Key_Share>());
+      m_data->extensions().add(Key_Share::create_as_encapsulation(
+         key_exchange_group.value(), *ch.extensions().get<Key_Share>(), policy, cb, rng));
    }
 
    auto& ch_exts = ch.extensions();
diff --git a/src/lib/tls/tls13/tls_client_impl_13.cpp b/src/lib/tls/tls13/tls_client_impl_13.cpp
@@ -298,8 +298,7 @@ void Client_Impl_13::handle(const Server_Hello_13& sh) {
    }
 
    auto my_keyshare = ch.extensions().get<Key_Share>();
-   auto shared_secret = my_keyshare->exchange(*sh.extensions().get<Key_Share>(), policy(), callbacks(), rng());
-   my_keyshare->erase();
+   auto shared_secret = my_keyshare->decapsulate(*sh.extensions().get<Key_Share>(), policy(), callbacks(), rng());
 
    m_transcript_hash.set_algorithm(cipher.value().prf_algo());
 
diff --git a/src/lib/tls/tls13/tls_extensions_key_share.cpp b/src/lib/tls/tls13/tls_extensions_key_share.cpp
diff --git a/src/lib/tls/tls13/tls_server_impl_13.cpp b/src/lib/tls/tls13/tls_server_impl_13.cpp
@@ -253,18 +253,17 @@ void Server_Impl_13::handle_reply_to_client_hello(Server_Hello_13 server_hello)
       // Currently, PSK without DHE is not implemented...
       const auto my_keyshare = m_handshake_state.server_hello().extensions().get<Key_Share>();
       BOTAN_ASSERT_NONNULL(my_keyshare);
-      auto shared_secret = my_keyshare->exchange(*exts.get<Key_Share>(), policy(), callbacks(), rng());
-      my_keyshare->erase();
 
       if(uses_psk) {
          BOTAN_ASSERT_NONNULL(psk_cipher_state);
          psk_cipher_state->advance_with_client_hello(m_transcript_hash.previous());
-         psk_cipher_state->advance_with_server_hello(cipher, std::move(shared_secret), m_transcript_hash.current());
+         psk_cipher_state->advance_with_server_hello(
+            cipher, my_keyshare->take_shared_secret(), m_transcript_hash.current());
 
          return std::move(psk_cipher_state);
       } else {
          return Cipher_State::init_with_server_hello(
-            m_side, std::move(shared_secret), cipher, m_transcript_hash.current());
+            m_side, my_keyshare->take_shared_secret(), cipher, m_transcript_hash.current());
       }
    }();
 
diff --git a/src/lib/tls/tls_algos.h b/src/lib/tls/tls_algos.h
@@ -114,6 +114,10 @@ constexpr bool is_dh(const Group_Params group) {
           group == Group_Params::FFDHE_6144 || group == Group_Params::FFDHE_8192;
 }
 
+constexpr bool is_kem(const Group_Params) {
+   return false;  // no KEMs implemented, yet
+}
+
 std::string group_param_to_string(Group_Params group);
 Group_Params group_param_from_string(std::string_view group_name);
 bool group_param_is_dh(Group_Params group);
diff --git a/src/lib/tls/tls_callbacks.cpp b/src/lib/tls/tls_callbacks.cpp
@@ -14,6 +14,7 @@
 #include <botan/dl_group.h>
 #include <botan/ecdh.h>
 #include <botan/ocsp.h>
+#include <botan/pk_algs.h>
 #include <botan/tls_algos.h>
 #include <botan/tls_exceptn.h>
 #include <botan/tls_policy.h>
@@ -131,6 +132,32 @@ bool TLS::Callbacks::tls_verify_message(const Public_Key& key,
    return verifier.verify_message(msg, sig);
 }
 
+std::unique_ptr<Private_Key> TLS::Callbacks::tls_kem_generate_key(TLS::Group_Params group, RandomNumberGenerator& rng) {
+   return tls_generate_ephemeral_key(group, rng);
+}
+
+TLS::Callbacks::Encapsulation_Result TLS::Callbacks::tls_kem_encapsulate(TLS::Group_Params group,
+                                                                         const std::vector<uint8_t>& encoded_public_key,
+                                                                         RandomNumberGenerator& rng,
+                                                                         const Policy& policy) {
+   auto ephemeral_keypair = tls_generate_ephemeral_key(group, rng);
+   return {ephemeral_keypair->public_value(),
+           tls_ephemeral_key_agreement(group, *ephemeral_keypair, encoded_public_key, rng, policy)};
+}
+
+secure_vector<uint8_t> TLS::Callbacks::tls_kem_decapsulate(TLS::Group_Params group,
+                                                           const Private_Key& private_key,
+                                                           const std::vector<uint8_t>& encapsulated_bytes,
+                                                           RandomNumberGenerator& rng,
+                                                           const Policy& policy) {
+   try {
+      auto& key_agreement_key = dynamic_cast<const PK_Key_Agreement_Key&>(private_key);
+      return tls_ephemeral_key_agreement(group, key_agreement_key, encapsulated_bytes, rng, policy);
+   } catch(const std::bad_cast&) {
+      throw Invalid_Argument("provided ephemeral key is not a PK_Key_Agreement_Key");
+   }
+}
+
 namespace {
 
 bool is_dh_group(const std::variant<TLS::Group_Params, DL_Group>& group) {
diff --git a/src/lib/tls/tls_callbacks.h b/src/lib/tls/tls_callbacks.h
@@ -255,6 +255,98 @@ class BOTAN_PUBLIC_API(2, 0) Callbacks {
                                       const std::vector<uint8_t>& msg,
                                       const std::vector<uint8_t>& sig);
 
+      struct Encapsulation_Result {
+            std::vector<uint8_t> encapsulated_bytes;
+            secure_vector<uint8_t> shared_secret;
+      };
+
+      /**
+       * Generate an ephemeral KEM key for a TLS 1.3 handshake
+       *
+       * Applications may use this to add custom KEM algorithms or entirely
+       * different key exchange schemes to the TLS 1.3 handshake. For instance,
+       * this could provide an entry point to implement a hybrid key exchange
+       * with both a traditional algorithm like ECDH and a quantum-secure KEM.
+       * Typical use cases of the library don't need to do that and serious
+       * security risks are associated with customizing TLS's key encapsulation
+       * mechanism.
+       *
+       * Note that the KEM interface is usable for TLS 1.3 handshakes, only.
+       *
+       * The default implementation simply delegates this to the
+       * tls_generate_ephemeral_key() call when appropriate.
+       *
+       * @param group the group identifier to generate an ephemeral keypair for
+       * @param rng   a random number generator
+       *
+       * @returns a keypair whose public key will be provided to the peer and
+       *          the private key will be provided to tls_kem_decapsulate later
+       *          in the handshake.
+       */
+      virtual std::unique_ptr<Private_Key> tls_kem_generate_key(TLS::Group_Params group, RandomNumberGenerator& rng);
+
+      /**
+       * Performs a key encapsulation operation (used for TLS 1.3 servers)
+       *
+       * Applications may use this to add custom KEM algorithms or entirely
+       * different key exchange schemes to the TLS 1.3 handshake. For instance,
+       * this could provide an entry point to implement a hybrid key exchange
+       * with both a traditional algorithm like ECDH and a quantum-secure KEM.
+       * Typical use cases of the library don't need to do that and serious
+       * security risks are associated with customizing TLS's key encapsulation
+       * mechanism.
+       *
+       * Note that the KEM interface is usable for TLS 1.3 handshakes, only.
+       *
+       * The default implementation implements this key encapsulation as a
+       * combination of tls_generate_ephemeral_key() followed by
+       * tls_ephemeral_key_agreement() with the provided @p encoded_public_key.
+       * The just-generated ephemeral private key is destroyed immediately.
+       *
+       * @param group the group identifier of the KEM/KEX algorithm
+       * @param encoded_public_key the public key used for encapsulation/KEX
+       * @param rng a random number generator
+       * @param policy a TLS policy object
+       *
+       * @returns the shared secret both in plaintext and encapsulated with
+       *          @p encoded_public_key.
+       */
+      virtual Encapsulation_Result tls_kem_encapsulate(TLS::Group_Params group,
+                                                       const std::vector<uint8_t>& encoded_public_key,
+                                                       RandomNumberGenerator& rng,
+                                                       const Policy& policy);
+
+      /**
+       * Performs a key decapsulation operation (used for TLS 1.3 clients).
+       *
+       * Applications may use this to add custom KEM algorithms or entirely
+       * different key exchange schemes to the TLS 1.3 handshake. For instance,
+       * this could provide an entry point to implement a hybrid key exchange
+       * with both a traditional algorithm like ECDH and a quantum-secure KEM.
+       * Typical use cases of the library don't need to do that and serious
+       * security risks are associated with customizing TLS's key encapsulation
+       * mechanism.
+       *
+       * Note that the KEM interface is usable for TLS 1.3 handshakes, only.
+       *
+       * The default implementation simply delegates this to the
+       * tls_ephemeral_key_agreement() callback to obtain the shared secret.
+       *
+       * @param group the group identifier of the KEM/KEX algorithm
+       * @param private_key the private key used for decapsulation/KEX
+       * @param encapsulated_bytes the content to decapsulate (or the public key share)
+       * @param rng a random number generator
+       * @param policy a TLS policy object
+       *
+       * @returns the plaintext shared secret from @p encapsulated_bytes after
+       *          decapsulation with @p private_key.
+       */
+      virtual secure_vector<uint8_t> tls_kem_decapsulate(TLS::Group_Params group,
+                                                         const Private_Key& private_key,
+                                                         const std::vector<uint8_t>& encapsulated_bytes,
+                                                         RandomNumberGenerator& rng,
+                                                         const Policy& policy);
+
       /**
        * Generate an ephemeral key pair for the TLS handshake.
        *
diff --git a/src/lib/tls/tls_extensions.h b/src/lib/tls/tls_extensions.h
@@ -663,13 +663,31 @@ class BOTAN_UNSTABLE_API Key_Share final : public Extension {
       bool empty() const override;
 
       /**
-       * Perform key exchange with the peer's key share.
-       * This method can be called on a ClientHello's Key_Share with a ServerHello's Key_Share or vice versa.
+       * Creates a Key_Share extension meant for the Server Hello that
+       * performs a key encapsulation with the selected public key from
+       * the client.
+       *
+       * @note This will retain the shared secret in the Key_Share extension
+       *       until it is retrieved via take_shared_secret().
+       */
+      static std::unique_ptr<Key_Share> create_as_encapsulation(Group_Params selected_group,
+                                                                const Key_Share& client_keyshare,
+                                                                const Policy& policy,
+                                                                Callbacks& cb,
+                                                                RandomNumberGenerator& rng);
+
+      /**
+       * Decapsulate the shared secret with the peer's key share. This method
+       * can be called on a ClientHello's Key_Share with a ServerHello's
+       * Key_Share.
+       *
+       * @note After the decapsulation the client's private key is destroyed.
+       *       Multiple calls will result in an exception.
        */
-      secure_vector<uint8_t> exchange(const Key_Share& peer_keyshare,
-                                      const Policy& policy,
-                                      Callbacks& cb,
-                                      RandomNumberGenerator& rng) const;
+      secure_vector<uint8_t> decapsulate(const Key_Share& server_keyshare,
+                                         const Policy& policy,
+                                         Callbacks& cb,
+                                         RandomNumberGenerator& rng);
 
       /**
        * Update a ClientHello's Key_Share to comply with a HelloRetryRequest.
@@ -692,24 +710,34 @@ class BOTAN_UNSTABLE_API Key_Share final : public Extension {
       Named_Group selected_group() const;
 
       /**
-       * Delete all private keys that might be contained in Key_Share_Entries in this extension.
+       * @returns the shared secret that was obtained by constructing this
+       *          Key_Share object with the peer's.
+       *
+       * @note the shared secret value is std:move'd out. Multiple calls will
+       *       result in an exception.
        */
-      void erase();
+      secure_vector<uint8_t> take_shared_secret();
 
       Key_Share(TLS_Data_Reader& reader, uint16_t extension_size, Handshake_Type message_type);
 
       // constructor used for ClientHello msg
       Key_Share(const Policy& policy, Callbacks& cb, RandomNumberGenerator& rng);
 
-      // constructor used for ServerHello msg
-      Key_Share(Named_Group group, Callbacks& cb, RandomNumberGenerator& rng);
-
       // constructor used for HelloRetryRequest msg
       explicit Key_Share(Named_Group selected_group);
 
       // destructor implemented in .cpp to hide Key_Share_Impl
       ~Key_Share();
 
+   private:
+      // constructor used for ServerHello
+      // (called via create_as_encapsulation())
+      Key_Share(Group_Params selected_group,
+                const Key_Share& client_keyshare,
+                const Policy& policy,
+                Callbacks& cb,
+                RandomNumberGenerator& rng);
+
    private:
       class Key_Share_Impl;
       std::unique_ptr<Key_Share_Impl> m_impl;

Original file line number	Diff line number	Diff line change
`@@ -298,8 +298,7 @@ void Client_Impl_13::handle(const Server_Hello_13& sh) {`
`298`	`298`	`}`
`299`	`299`
`300`	`300`	`auto my_keyshare = ch.extensions().get<Key_Share>();`
`301`		`- auto shared_secret = my_keyshare->exchange(*sh.extensions().get<Key_Share>(), policy(), callbacks(), rng());`
`302`		`- my_keyshare->erase();`
	`301`	`+ auto shared_secret = my_keyshare->decapsulate(*sh.extensions().get<Key_Share>(), policy(), callbacks(), rng());`
`303`	`302`
`304`	`303`	`m_transcript_hash.set_algorithm(cipher.value().prf_algo());`
`305`	`304`