| <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta name="generator" content="rustdoc"><meta name="description" content="Source of the Rust file `/root/.cargo/registry/src/github.com-1ecc6299db9ec823/rustls-0.19.1/src/manual/implvulns.rs`."><meta name="keywords" content="rust, rustlang, rust-lang"><title>implvulns.rs - source</title><link rel="preload" as="font" type="font/woff2" crossorigin href="../../../SourceSerif4-Regular.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../../FiraSans-Regular.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../../FiraSans-Medium.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../../SourceCodePro-Regular.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../../SourceSerif4-Bold.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../../SourceCodePro-Semibold.ttf.woff2"><link rel="stylesheet" href="../../../normalize.css"><link rel="stylesheet" href="../../../rustdoc.css" id="mainThemeStyle"><link rel="stylesheet" href="../../../ayu.css" disabled><link rel="stylesheet" href="../../../dark.css" disabled><link rel="stylesheet" href="../../../light.css" id="themeStyle"><script id="default-settings" ></script><script src="../../../storage.js"></script><script defer src="../../../source-script.js"></script><script defer src="../../../source-files.js"></script><script defer src="../../../main.js"></script><noscript><link rel="stylesheet" href="../../../noscript.css"></noscript><link rel="alternate icon" type="image/png" href="../../../favicon-16x16.png"><link rel="alternate icon" type="image/png" href="../../../favicon-32x32.png"><link rel="icon" type="image/svg+xml" href="../../../favicon.svg"></head><body class="rustdoc source"><!--[if lte IE 11]><div class="warning">This old browser is unsupported and will most likely display funky things.</div><![endif]--><nav class="sidebar"><a class="sidebar-logo" href="../../../rustls/index.html"><div class="logo-container"><img class="rust-logo" src="../../../rust-logo.svg" alt="logo"></div></a></nav><main><div class="width-limiter"><nav class="sub"><a class="sub-logo-container" href="../../../rustls/index.html"><img class="rust-logo" src="../../../rust-logo.svg" alt="logo"></a><form class="search-form"><div class="search-container"><span></span><input class="search-input" name="search" autocomplete="off" spellcheck="false" placeholder="Click or press ‘S’ to search, ‘?’ for more options…" type="search"><div id="help-button" title="help" tabindex="-1"><a href="../../../help.html">?</a></div><div id="settings-menu" tabindex="-1"><a href="../../../settings.html" title="settings"><img width="22" height="22" alt="Change settings" src="../../../wheel.svg"></a></div></div></form></nav><section id="main-content" class="content"><div class="example-wrap"><pre class="src-line-numbers"><span id="1">1</span> |
| <span id="2">2</span> |
| <span id="3">3</span> |
| <span id="4">4</span> |
| <span id="5">5</span> |
| <span id="6">6</span> |
| <span id="7">7</span> |
| <span id="8">8</span> |
| <span id="9">9</span> |
| <span id="10">10</span> |
| <span id="11">11</span> |
| <span id="12">12</span> |
| <span id="13">13</span> |
| <span id="14">14</span> |
| <span id="15">15</span> |
| <span id="16">16</span> |
| <span id="17">17</span> |
| <span id="18">18</span> |
| <span id="19">19</span> |
| <span id="20">20</span> |
| <span id="21">21</span> |
| <span id="22">22</span> |
| <span id="23">23</span> |
| <span id="24">24</span> |
| <span id="25">25</span> |
| <span id="26">26</span> |
| <span id="27">27</span> |
| <span id="28">28</span> |
| <span id="29">29</span> |
| <span id="30">30</span> |
| <span id="31">31</span> |
| <span id="32">32</span> |
| <span id="33">33</span> |
| <span id="34">34</span> |
| <span id="35">35</span> |
| <span id="36">36</span> |
| <span id="37">37</span> |
| <span id="38">38</span> |
| <span id="39">39</span> |
| <span id="40">40</span> |
| <span id="41">41</span> |
| <span id="42">42</span> |
| <span id="43">43</span> |
| <span id="44">44</span> |
| <span id="45">45</span> |
| <span id="46">46</span> |
| <span id="47">47</span> |
| <span id="48">48</span> |
| <span id="49">49</span> |
| <span id="50">50</span> |
| <span id="51">51</span> |
| <span id="52">52</span> |
| <span id="53">53</span> |
| <span id="54">54</span> |
| <span id="55">55</span> |
| <span id="56">56</span> |
| <span id="57">57</span> |
| <span id="58">58</span> |
| <span id="59">59</span> |
| <span id="60">60</span> |
| <span id="61">61</span> |
| <span id="62">62</span> |
| <span id="63">63</span> |
| <span id="64">64</span> |
| <span id="65">65</span> |
| <span id="66">66</span> |
| <span id="67">67</span> |
| <span id="68">68</span> |
| <span id="69">69</span> |
| <span id="70">70</span> |
| <span id="71">71</span> |
| <span id="72">72</span> |
| <span id="73">73</span> |
| <span id="74">74</span> |
| <span id="75">75</span> |
| <span id="76">76</span> |
| <span id="77">77</span> |
| <span id="78">78</span> |
| <span id="79">79</span> |
| <span id="80">80</span> |
| <span id="81">81</span> |
| <span id="82">82</span> |
| <span id="83">83</span> |
| <span id="84">84</span> |
| <span id="85">85</span> |
| <span id="86">86</span> |
| <span id="87">87</span> |
| <span id="88">88</span> |
| <span id="89">89</span> |
| <span id="90">90</span> |
| <span id="91">91</span> |
| <span id="92">92</span> |
| <span id="93">93</span> |
| <span id="94">94</span> |
| <span id="95">95</span> |
| <span id="96">96</span> |
| <span id="97">97</span> |
| <span id="98">98</span> |
| <span id="99">99</span> |
| <span id="100">100</span> |
| <span id="101">101</span> |
| <span id="102">102</span> |
| <span id="103">103</span> |
| <span id="104">104</span> |
| </pre><pre class="rust"><code><span class="doccomment">/*! # A review of TLS Implementation Vulnerabilities |
| |
| An important part of engineering involves studying and learning from the mistakes of the past. |
| It would be tremendously unfortunate to spend effort re-discovering and re-fixing the same |
| vulnerabilities that were discovered in the past. |
| |
| ## Memory safety |
| |
| Being written entirely in the safe-subset of Rust immediately offers us freedom from the entire |
| class of memory safety vulnerabilities. There are too many to exhaustively list, and there will |
| certainly be more in the future. |
| |
| Examples: |
| |
| - Heartbleed [CVE-2014-0160](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160) (OpenSSL) |
| - Memory corruption in ASN.1 decoder [CVE-2016-2108](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2108) (OpenSSL) |
| - Buffer overflow in read_server_hello [CVE-2014-3466](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3466) (GnuTLS) |
| |
| ## `goto fail` |
| |
| This is the name of a vulnerability in Apple Secure Transport [CVE-2014-1266](https://nvd.nist.gov/vuln/detail/CVE-2014-1266). |
| This boiled down to the following code, which validates the server's signature on the key exchange: |
| |
| ```c |
| if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0) |
| goto fail; |
| if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0) |
| goto fail; |
| > goto fail; |
| if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0) |
| goto fail; |
| ``` |
| |
| The marked line was duplicated, likely accidentally during a merge. This meant |
| the remaining part of the function (including the actual signature validation) |
| was unconditionally skipped. |
| |
| Ultimately the one countermeasure to this type of bug is basic testing: that a |
| valid signature returns success, and that an invalid one does not. rustls |
| has such testing, but this is really table stakes for security code. |
| |
| Further than this, though, we could consider that the *lack* of an error from |
| this function is a poor indicator that the signature was valid. rustls, instead, |
| has zero-size and non-copyable types that indicate a particular signature validation |
| has been performed. These types can be thought of as *capabilities* originated only |
| by designated signature verification functions -- such functions can then be a focus |
| of manual code review. Like capabilities, values of these types are otherwise unforgeable, |
| and are communicable only by Rust's move semantics. |
| |
| Values of these types are threaded through the protocol state machine, leading to terminal |
| states that look like: |
| |
| ```ignore |
| struct ExpectTraffic { |
| (...) |
| _cert_verified: verify::ServerCertVerified, |
| _sig_verified: verify::HandshakeSignatureValid, |
| _fin_verified: verify::FinishedMessageVerified, |
| } |
| ``` |
| |
| Since this state requires a value of these types, it will be a compile-time error to |
| reach that state without performing the requisite security-critical operations. |
| |
| This approach is not infallible, but it has zero runtime cost. |
| |
| ## State machine attacks: EarlyCCS and SMACK/SKIP/FREAK |
| |
| EarlyCCS [CVE-2014-0224](https://nvd.nist.gov/vuln/detail/CVE-2014-0224) was a vulnerability in OpenSSL |
| found in 2014. The TLS `ChangeCipherSpec` message would be processed at inappropriate times, leading |
| to data being encrypted with the wrong keys (specifically, keys which were not secret). This resulted |
| from OpenSSL taking a *reactive* strategy to incoming messages ("when I get a message X, I should do Y") |
| which allows it to diverge from the proper state machine under attacker control. |
| |
| [SMACK](https://mitls.org/pages/attacks/SMACK) is a similar suite of vulnerabilities found in JSSE, |
| CyaSSL, OpenSSL, Mono and axTLS. "SKIP-TLS" demonstrated that some implementations allowed handshake |
| messages (and in one case, the entire handshake!) to be skipped leading to breaks in security. "FREAK" |
| found that some implementations incorrectly allowed export-only state transitions (ie, transitions that |
| were only valid when an export ciphersuite was in use). |
| |
| rustls represents its protocol state machine carefully to avoid these defects. We model the handshake, |
| CCS and application data subprotocols in the same single state machine. Each state in this machine is |
| represented with a single struct, and transitions are modelled as functions that consume the current state |
| plus one TLS message[^1] and return a struct representing the next state. These functions fully validate |
| the message type before further operations. |
| |
| A sample sequence for a full TLSv1.2 handshake by a client looks like: |
| |
| - `hs::ExpectServerHello` (nb. ClientHello is logically sent before this state); transition to `tls12::ExpectCertificate` |
| - `tls12::ExpectCertificate`; transition to `tls12::ExpectServerKX` |
| - `tls12::ExpectServerKX`; transition to `tls12::ExpectServerDoneOrCertReq` |
| - `tls12::ExpectServerDoneOrCertReq`; delegates to `tls12::ExpectCertificateRequest` or `tls12::ExpectServerDone` depending on incoming message. |
| - `tls12::ExpectServerDone`; transition to `tls12::ExpectCCS` |
| - `tls12::ExpectCCS`; transition to `tls12::ExpectFinished` |
| - `tls12::ExpectFinished`; transition to `tls12::ExpectTraffic` |
| - `tls12::ExpectTraffic`; terminal state; transitions to `tls12::ExpectTraffic` |
| |
| In the future we plan to formally prove that all possible transitions modelled in this system of types |
| are correct with respect to the standard(s). At the moment we rely merely on exhaustive testing. |
| |
| [^1]: a logical TLS message: post-decryption, post-fragmentation. |
| |
| |
| */ |
| </span></code></pre></div> |
| </section></div></main><div id="rustdoc-vars" data-root-path="../../../" data-current-crate="rustls" data-themes="ayu,dark,light" data-resource-suffix="" data-rustdoc-version="1.66.0-nightly (5c8bff74b 2022-10-21)" ></div></body></html> |