/src/mozilla-central/security/nss/lib/ssl/tls13con.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ |
2 | | /* |
3 | | * TLS 1.3 Protocol |
4 | | * |
5 | | * This Source Code Form is subject to the terms of the Mozilla Public |
6 | | * License, v. 2.0. If a copy of the MPL was not distributed with this |
7 | | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
8 | | |
9 | | #include "stdarg.h" |
10 | | #include "cert.h" |
11 | | #include "ssl.h" |
12 | | #include "keyhi.h" |
13 | | #include "pk11func.h" |
14 | | #include "prerr.h" |
15 | | #include "secitem.h" |
16 | | #include "secmod.h" |
17 | | #include "sslimpl.h" |
18 | | #include "sslproto.h" |
19 | | #include "sslerr.h" |
20 | | #include "ssl3exthandle.h" |
21 | | #include "tls13hkdf.h" |
22 | | #include "tls13con.h" |
23 | | #include "tls13err.h" |
24 | | #include "tls13exthandle.h" |
25 | | #include "tls13hashstate.h" |
26 | | |
27 | | static SECStatus tls13_SetCipherSpec(sslSocket *ss, PRUint16 epoch, |
28 | | CipherSpecDirection install, |
29 | | PRBool deleteSecret); |
30 | | static SECStatus tls13_AESGCM( |
31 | | ssl3KeyMaterial *keys, |
32 | | PRBool doDecrypt, |
33 | | unsigned char *out, int *outlen, int maxout, |
34 | | const unsigned char *in, int inlen, |
35 | | const unsigned char *additionalData, int additionalDataLen); |
36 | | static SECStatus tls13_ChaCha20Poly1305( |
37 | | ssl3KeyMaterial *keys, |
38 | | PRBool doDecrypt, |
39 | | unsigned char *out, int *outlen, int maxout, |
40 | | const unsigned char *in, int inlen, |
41 | | const unsigned char *additionalData, int additionalDataLen); |
42 | | static SECStatus tls13_SendServerHelloSequence(sslSocket *ss); |
43 | | static SECStatus tls13_SendEncryptedExtensions(sslSocket *ss); |
44 | | static void tls13_SetKeyExchangeType(sslSocket *ss, const sslNamedGroupDef *group); |
45 | | static SECStatus tls13_HandleClientKeyShare(sslSocket *ss, |
46 | | TLS13KeyShareEntry *peerShare); |
47 | | static SECStatus tls13_SendHelloRetryRequest( |
48 | | sslSocket *ss, const sslNamedGroupDef *selectedGroup, |
49 | | const PRUint8 *token, unsigned int tokenLen); |
50 | | |
51 | | static SECStatus tls13_HandleServerKeyShare(sslSocket *ss); |
52 | | static SECStatus tls13_HandleEncryptedExtensions(sslSocket *ss, PRUint8 *b, |
53 | | PRUint32 length); |
54 | | static SECStatus tls13_SendCertificate(sslSocket *ss); |
55 | | static SECStatus tls13_HandleCertificate( |
56 | | sslSocket *ss, PRUint8 *b, PRUint32 length); |
57 | | static SECStatus tls13_ReinjectHandshakeTranscript(sslSocket *ss); |
58 | | static SECStatus tls13_HandleCertificateRequest(sslSocket *ss, PRUint8 *b, |
59 | | PRUint32 length); |
60 | | static SECStatus |
61 | | tls13_SendCertificateVerify(sslSocket *ss, SECKEYPrivateKey *privKey); |
62 | | static SECStatus tls13_HandleCertificateVerify( |
63 | | sslSocket *ss, PRUint8 *b, PRUint32 length); |
64 | | static SECStatus tls13_RecoverWrappedSharedSecret(sslSocket *ss, |
65 | | sslSessionID *sid); |
66 | | static SECStatus |
67 | | tls13_DeriveSecretWrap(sslSocket *ss, PK11SymKey *key, |
68 | | const char *prefix, |
69 | | const char *suffix, |
70 | | const char *keylogLabel, |
71 | | PK11SymKey **dest); |
72 | | static SECStatus |
73 | | tls13_DeriveSecret(sslSocket *ss, PK11SymKey *key, |
74 | | const char *label, |
75 | | unsigned int labelLen, |
76 | | const SSL3Hashes *hashes, |
77 | | PK11SymKey **dest); |
78 | | static SECStatus tls13_SendEndOfEarlyData(sslSocket *ss); |
79 | | static SECStatus tls13_HandleEndOfEarlyData(sslSocket *ss, PRUint8 *b, |
80 | | PRUint32 length); |
81 | | static SECStatus tls13_SendFinished(sslSocket *ss, PK11SymKey *baseKey); |
82 | | static SECStatus tls13_ComputePskBinderHash(sslSocket *ss, unsigned int prefix, |
83 | | SSL3Hashes *hashes); |
84 | | static SECStatus tls13_VerifyFinished(sslSocket *ss, SSLHandshakeType message, |
85 | | PK11SymKey *secret, |
86 | | PRUint8 *b, PRUint32 length, |
87 | | const SSL3Hashes *hashes); |
88 | | static SECStatus tls13_ClientHandleFinished(sslSocket *ss, |
89 | | PRUint8 *b, PRUint32 length); |
90 | | static SECStatus tls13_ServerHandleFinished(sslSocket *ss, |
91 | | PRUint8 *b, PRUint32 length); |
92 | | static SECStatus tls13_SendNewSessionTicket(sslSocket *ss, |
93 | | const PRUint8 *appToken, |
94 | | unsigned int appTokenLen); |
95 | | static SECStatus tls13_HandleNewSessionTicket(sslSocket *ss, PRUint8 *b, |
96 | | PRUint32 length); |
97 | | static SECStatus tls13_ComputeEarlySecrets(sslSocket *ss); |
98 | | static SECStatus tls13_ComputeHandshakeSecrets(sslSocket *ss); |
99 | | static SECStatus tls13_ComputeApplicationSecrets(sslSocket *ss); |
100 | | static SECStatus tls13_ComputeFinalSecrets(sslSocket *ss); |
101 | | static SECStatus tls13_ComputeFinished( |
102 | | sslSocket *ss, PK11SymKey *baseKey, const SSL3Hashes *hashes, |
103 | | PRBool sending, PRUint8 *output, unsigned int *outputLen, |
104 | | unsigned int maxOutputLen); |
105 | | static SECStatus tls13_SendClientSecondRound(sslSocket *ss); |
106 | | static SECStatus tls13_FinishHandshake(sslSocket *ss); |
107 | | |
108 | | const char kHkdfLabelClient[] = "c"; |
109 | | const char kHkdfLabelServer[] = "s"; |
110 | | const char kHkdfLabelDerivedSecret[] = "derived"; |
111 | | const char kHkdfLabelPskBinderKey[] = "res binder"; |
112 | | const char kHkdfLabelEarlyTrafficSecret[] = "e traffic"; |
113 | | const char kHkdfLabelEarlyExporterSecret[] = "e exp master"; |
114 | | const char kHkdfLabelHandshakeTrafficSecret[] = "hs traffic"; |
115 | | const char kHkdfLabelApplicationTrafficSecret[] = "ap traffic"; |
116 | | const char kHkdfLabelFinishedSecret[] = "finished"; |
117 | | const char kHkdfLabelResumptionMasterSecret[] = "res master"; |
118 | | const char kHkdfLabelExporterMasterSecret[] = "exp master"; |
119 | | const char kHkdfLabelResumption[] = "resumption"; |
120 | | const char kHkdfLabelTrafficUpdate[] = "traffic upd"; |
121 | | const char kHkdfPurposeKey[] = "key"; |
122 | | const char kHkdfPurposeIv[] = "iv"; |
123 | | |
124 | | const char keylogLabelClientEarlyTrafficSecret[] = "CLIENT_EARLY_TRAFFIC_SECRET"; |
125 | | const char keylogLabelClientHsTrafficSecret[] = "CLIENT_HANDSHAKE_TRAFFIC_SECRET"; |
126 | | const char keylogLabelServerHsTrafficSecret[] = "SERVER_HANDSHAKE_TRAFFIC_SECRET"; |
127 | | const char keylogLabelClientTrafficSecret[] = "CLIENT_TRAFFIC_SECRET_0"; |
128 | | const char keylogLabelServerTrafficSecret[] = "SERVER_TRAFFIC_SECRET_0"; |
129 | | const char keylogLabelEarlyExporterSecret[] = "EARLY_EXPORTER_SECRET"; |
130 | | const char keylogLabelExporterSecret[] = "EXPORTER_SECRET"; |
131 | | |
132 | | /* Belt and suspenders in case we ever add a TLS 1.4. */ |
133 | | PR_STATIC_ASSERT(SSL_LIBRARY_VERSION_MAX_SUPPORTED <= |
134 | | SSL_LIBRARY_VERSION_TLS_1_3); |
135 | | |
136 | | /* Use this instead of FATAL_ERROR when no alert shall be sent. */ |
137 | | #define LOG_ERROR(ss, prError) \ |
138 | 0 | do { \ |
139 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)", \ |
140 | 0 | SSL_GETPID(), ss->fd, prError, __func__, __FILE__, __LINE__)); \ |
141 | 0 | PORT_SetError(prError); \ |
142 | 0 | } while (0) |
143 | | |
144 | | /* Log an error and generate an alert because something is irreparably wrong. */ |
145 | | #define FATAL_ERROR(ss, prError, desc) \ |
146 | 0 | do { \ |
147 | 0 | LOG_ERROR(ss, prError); \ |
148 | 0 | tls13_FatalError(ss, prError, desc); \ |
149 | 0 | } while (0) |
150 | | |
151 | | void |
152 | | tls13_FatalError(sslSocket *ss, PRErrorCode prError, SSL3AlertDescription desc) |
153 | 0 | { |
154 | 0 | PORT_Assert(desc != internal_error); /* These should never happen */ |
155 | 0 | (void)SSL3_SendAlert(ss, alert_fatal, desc); |
156 | 0 | PORT_SetError(prError); |
157 | 0 | } |
158 | | |
159 | | #ifdef TRACE |
160 | | #define STATE_CASE(a) \ |
161 | | case a: \ |
162 | | return #a |
163 | | static char * |
164 | | tls13_HandshakeState(SSL3WaitState st) |
165 | | { |
166 | | switch (st) { |
167 | | STATE_CASE(idle_handshake); |
168 | | STATE_CASE(wait_client_hello); |
169 | | STATE_CASE(wait_end_of_early_data); |
170 | | STATE_CASE(wait_client_cert); |
171 | | STATE_CASE(wait_client_key); |
172 | | STATE_CASE(wait_cert_verify); |
173 | | STATE_CASE(wait_change_cipher); |
174 | | STATE_CASE(wait_finished); |
175 | | STATE_CASE(wait_server_hello); |
176 | | STATE_CASE(wait_certificate_status); |
177 | | STATE_CASE(wait_server_cert); |
178 | | STATE_CASE(wait_server_key); |
179 | | STATE_CASE(wait_cert_request); |
180 | | STATE_CASE(wait_hello_done); |
181 | | STATE_CASE(wait_new_session_ticket); |
182 | | STATE_CASE(wait_encrypted_extensions); |
183 | | default: |
184 | | break; |
185 | | } |
186 | | PORT_Assert(0); |
187 | | return "unknown"; |
188 | | } |
189 | | #endif |
190 | | |
191 | 0 | #define TLS13_WAIT_STATE_MASK 0x80 |
192 | | |
193 | | #define TLS13_BASE_WAIT_STATE(ws) (ws & ~TLS13_WAIT_STATE_MASK) |
194 | | /* We don't mask idle_handshake because other parts of the code use it*/ |
195 | 0 | #define TLS13_WAIT_STATE(ws) (((ws == idle_handshake) || (ws == wait_server_hello)) ? ws : ws | TLS13_WAIT_STATE_MASK) |
196 | | #define TLS13_CHECK_HS_STATE(ss, err, ...) \ |
197 | 0 | tls13_CheckHsState(ss, err, #err, __func__, __FILE__, __LINE__, \ |
198 | 0 | __VA_ARGS__, \ |
199 | 0 | wait_invalid) |
200 | | void |
201 | | tls13_SetHsState(sslSocket *ss, SSL3WaitState ws, |
202 | | const char *func, const char *file, int line) |
203 | 0 | { |
204 | | #ifdef TRACE |
205 | | const char *new_state_name = |
206 | | tls13_HandshakeState(ws); |
207 | | |
208 | | SSL_TRC(3, ("%d: TLS13[%d]: %s state change from %s->%s in %s (%s:%d)", |
209 | | SSL_GETPID(), ss->fd, SSL_ROLE(ss), |
210 | | tls13_HandshakeState(TLS13_BASE_WAIT_STATE(ss->ssl3.hs.ws)), |
211 | | new_state_name, |
212 | | func, file, line)); |
213 | | #endif |
214 | |
|
215 | 0 | ss->ssl3.hs.ws = TLS13_WAIT_STATE(ws); |
216 | 0 | } |
217 | | |
218 | | static PRBool |
219 | | tls13_InHsStateV(sslSocket *ss, va_list ap) |
220 | 0 | { |
221 | 0 | SSL3WaitState ws; |
222 | 0 |
|
223 | 0 | while ((ws = va_arg(ap, SSL3WaitState)) != wait_invalid) { |
224 | 0 | if (TLS13_WAIT_STATE(ws) == ss->ssl3.hs.ws) { |
225 | 0 | return PR_TRUE; |
226 | 0 | } |
227 | 0 | } |
228 | 0 | return PR_FALSE; |
229 | 0 | } |
230 | | |
231 | | PRBool |
232 | | tls13_InHsState(sslSocket *ss, ...) |
233 | 0 | { |
234 | 0 | PRBool found; |
235 | 0 | va_list ap; |
236 | 0 |
|
237 | 0 | va_start(ap, ss); |
238 | 0 | found = tls13_InHsStateV(ss, ap); |
239 | 0 | va_end(ap); |
240 | 0 |
|
241 | 0 | return found; |
242 | 0 | } |
243 | | |
244 | | static SECStatus |
245 | | tls13_CheckHsState(sslSocket *ss, int err, const char *error_name, |
246 | | const char *func, const char *file, int line, |
247 | | ...) |
248 | 0 | { |
249 | 0 | va_list ap; |
250 | 0 | va_start(ap, line); |
251 | 0 | if (tls13_InHsStateV(ss, ap)) { |
252 | 0 | va_end(ap); |
253 | 0 | return SECSuccess; |
254 | 0 | } |
255 | 0 | va_end(ap); |
256 | 0 |
|
257 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: error %s state is (%s) at %s (%s:%d)", |
258 | 0 | SSL_GETPID(), ss->fd, |
259 | 0 | error_name, |
260 | 0 | tls13_HandshakeState(TLS13_BASE_WAIT_STATE(ss->ssl3.hs.ws)), |
261 | 0 | func, file, line)); |
262 | 0 | tls13_FatalError(ss, err, unexpected_message); |
263 | 0 | return SECFailure; |
264 | 0 | } |
265 | | |
266 | | SSLHashType |
267 | | tls13_GetHashForCipherSuite(ssl3CipherSuite suite) |
268 | 0 | { |
269 | 0 | const ssl3CipherSuiteDef *cipherDef = |
270 | 0 | ssl_LookupCipherSuiteDef(suite); |
271 | 0 | PORT_Assert(cipherDef); |
272 | 0 | if (!cipherDef) { |
273 | 0 | return ssl_hash_none; |
274 | 0 | } |
275 | 0 | return cipherDef->prf_hash; |
276 | 0 | } |
277 | | |
278 | | SSLHashType |
279 | | tls13_GetHash(const sslSocket *ss) |
280 | 0 | { |
281 | 0 | /* All TLS 1.3 cipher suites must have an explict PRF hash. */ |
282 | 0 | PORT_Assert(ss->ssl3.hs.suite_def->prf_hash != ssl_hash_none); |
283 | 0 | return ss->ssl3.hs.suite_def->prf_hash; |
284 | 0 | } |
285 | | |
286 | | unsigned int |
287 | | tls13_GetHashSizeForHash(SSLHashType hash) |
288 | 0 | { |
289 | 0 | switch (hash) { |
290 | 0 | case ssl_hash_sha256: |
291 | 0 | return 32; |
292 | 0 | case ssl_hash_sha384: |
293 | 0 | return 48; |
294 | 0 | default: |
295 | 0 | PORT_Assert(0); |
296 | 0 | } |
297 | 0 | return 32; |
298 | 0 | } |
299 | | |
300 | | unsigned int |
301 | | tls13_GetHashSize(const sslSocket *ss) |
302 | 0 | { |
303 | 0 | return tls13_GetHashSizeForHash(tls13_GetHash(ss)); |
304 | 0 | } |
305 | | |
306 | | static CK_MECHANISM_TYPE |
307 | | tls13_GetHkdfMechanismForHash(SSLHashType hash) |
308 | 0 | { |
309 | 0 | switch (hash) { |
310 | 0 | case ssl_hash_sha256: |
311 | 0 | return CKM_NSS_HKDF_SHA256; |
312 | 0 | case ssl_hash_sha384: |
313 | 0 | return CKM_NSS_HKDF_SHA384; |
314 | 0 | default: |
315 | 0 | PORT_Assert(0); |
316 | 0 | } |
317 | 0 | return CKM_NSS_HKDF_SHA256; |
318 | 0 | } |
319 | | |
320 | | CK_MECHANISM_TYPE |
321 | | tls13_GetHkdfMechanism(sslSocket *ss) |
322 | 0 | { |
323 | 0 | return tls13_GetHkdfMechanismForHash(tls13_GetHash(ss)); |
324 | 0 | } |
325 | | |
326 | | static CK_MECHANISM_TYPE |
327 | | tls13_GetHmacMechanism(sslSocket *ss) |
328 | 0 | { |
329 | 0 | switch (tls13_GetHash(ss)) { |
330 | 0 | case ssl_hash_sha256: |
331 | 0 | return CKM_SHA256_HMAC; |
332 | 0 | case ssl_hash_sha384: |
333 | 0 | return CKM_SHA384_HMAC; |
334 | 0 | default: |
335 | 0 | PORT_Assert(0); |
336 | 0 | } |
337 | 0 | return CKM_SHA256_HMAC; |
338 | 0 | } |
339 | | |
340 | | SECStatus |
341 | | tls13_ComputeHash(sslSocket *ss, SSL3Hashes *hashes, |
342 | | const PRUint8 *buf, unsigned int len) |
343 | 0 | { |
344 | 0 | SECStatus rv; |
345 | 0 |
|
346 | 0 | rv = PK11_HashBuf(ssl3_HashTypeToOID(tls13_GetHash(ss)), |
347 | 0 | hashes->u.raw, buf, len); |
348 | 0 | if (rv != SECSuccess) { |
349 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
350 | 0 | return SECFailure; |
351 | 0 | } |
352 | 0 | hashes->len = tls13_GetHashSize(ss); |
353 | 0 |
|
354 | 0 | return SECSuccess; |
355 | 0 | } |
356 | | |
357 | | SECStatus |
358 | | tls13_CreateKeyShare(sslSocket *ss, const sslNamedGroupDef *groupDef) |
359 | 0 | { |
360 | 0 | SECStatus rv; |
361 | 0 | sslEphemeralKeyPair *keyPair = NULL; |
362 | 0 | const ssl3DHParams *params; |
363 | 0 |
|
364 | 0 | PORT_Assert(groupDef); |
365 | 0 | switch (groupDef->keaType) { |
366 | 0 | case ssl_kea_ecdh: |
367 | 0 | rv = ssl_CreateECDHEphemeralKeyPair(ss, groupDef, &keyPair); |
368 | 0 | if (rv != SECSuccess) { |
369 | 0 | return SECFailure; |
370 | 0 | } |
371 | 0 | break; |
372 | 0 | case ssl_kea_dh: |
373 | 0 | params = ssl_GetDHEParams(groupDef); |
374 | 0 | PORT_Assert(params->name != ssl_grp_ffdhe_custom); |
375 | 0 | rv = ssl_CreateDHEKeyPair(groupDef, params, &keyPair); |
376 | 0 | if (rv != SECSuccess) { |
377 | 0 | return SECFailure; |
378 | 0 | } |
379 | 0 | break; |
380 | 0 | default: |
381 | 0 | PORT_Assert(0); |
382 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
383 | 0 | return SECFailure; |
384 | 0 | } |
385 | 0 |
|
386 | 0 | PR_APPEND_LINK(&keyPair->link, &ss->ephemeralKeyPairs); |
387 | 0 | return rv; |
388 | 0 | } |
389 | | |
390 | | SECStatus |
391 | | SSL_SendAdditionalKeyShares(PRFileDesc *fd, unsigned int count) |
392 | 0 | { |
393 | 0 | sslSocket *ss = ssl_FindSocket(fd); |
394 | 0 | if (!ss) { |
395 | 0 | PORT_SetError(SEC_ERROR_INVALID_ARGS); |
396 | 0 | return SECFailure; |
397 | 0 | } |
398 | 0 |
|
399 | 0 | ss->additionalShares = count; |
400 | 0 | return SECSuccess; |
401 | 0 | } |
402 | | |
403 | | /* |
404 | | * Generate shares for ECDHE and FFDHE. This picks the first enabled group of |
405 | | * the requisite type and creates a share for that. |
406 | | * |
407 | | * Called from ssl3_SendClientHello. |
408 | | */ |
409 | | SECStatus |
410 | | tls13_SetupClientHello(sslSocket *ss) |
411 | 0 | { |
412 | 0 | unsigned int i; |
413 | 0 | SSL3Statistics *ssl3stats = SSL_GetStatistics(); |
414 | 0 | NewSessionTicket *session_ticket = NULL; |
415 | 0 | sslSessionID *sid = ss->sec.ci.sid; |
416 | 0 | unsigned int numShares = 0; |
417 | 0 |
|
418 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
419 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
420 | 0 | PORT_Assert(PR_CLIST_IS_EMPTY(&ss->ephemeralKeyPairs)); |
421 | 0 |
|
422 | 0 | /* Select the first enabled group. |
423 | 0 | * TODO(ekr@rtfm.com): be smarter about offering the group |
424 | 0 | * that the other side negotiated if we are resuming. */ |
425 | 0 | for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) { |
426 | 0 | SECStatus rv; |
427 | 0 | if (!ss->namedGroupPreferences[i]) { |
428 | 0 | continue; |
429 | 0 | } |
430 | 0 | rv = tls13_CreateKeyShare(ss, ss->namedGroupPreferences[i]); |
431 | 0 | if (rv != SECSuccess) { |
432 | 0 | return SECFailure; |
433 | 0 | } |
434 | 0 | if (++numShares > ss->additionalShares) { |
435 | 0 | break; |
436 | 0 | } |
437 | 0 | } |
438 | 0 |
|
439 | 0 | if (PR_CLIST_IS_EMPTY(&ss->ephemeralKeyPairs)) { |
440 | 0 | PORT_SetError(SSL_ERROR_NO_CIPHERS_SUPPORTED); |
441 | 0 | return SECFailure; |
442 | 0 | } |
443 | 0 |
|
444 | 0 | /* Below here checks if we can do stateless resumption. */ |
445 | 0 | if (sid->cached == never_cached || |
446 | 0 | sid->version < SSL_LIBRARY_VERSION_TLS_1_3) { |
447 | 0 | return SECSuccess; |
448 | 0 | } |
449 | 0 | |
450 | 0 | /* The caller must be holding sid->u.ssl3.lock for reading. */ |
451 | 0 | session_ticket = &sid->u.ssl3.locked.sessionTicket; |
452 | 0 | PORT_Assert(session_ticket && session_ticket->ticket.data); |
453 | 0 |
|
454 | 0 | if (ssl_TicketTimeValid(session_ticket)) { |
455 | 0 | ss->statelessResume = PR_TRUE; |
456 | 0 | } |
457 | 0 |
|
458 | 0 | if (ss->statelessResume) { |
459 | 0 | SECStatus rv; |
460 | 0 |
|
461 | 0 | PORT_Assert(ss->sec.ci.sid); |
462 | 0 | rv = tls13_RecoverWrappedSharedSecret(ss, ss->sec.ci.sid); |
463 | 0 | if (rv != SECSuccess) { |
464 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
465 | 0 | SSL_AtomicIncrementLong(&ssl3stats->sch_sid_cache_not_ok); |
466 | 0 | ssl_UncacheSessionID(ss); |
467 | 0 | ssl_FreeSID(ss->sec.ci.sid); |
468 | 0 | ss->sec.ci.sid = NULL; |
469 | 0 | return SECFailure; |
470 | 0 | } |
471 | 0 |
|
472 | 0 | ss->ssl3.hs.cipher_suite = ss->sec.ci.sid->u.ssl3.cipherSuite; |
473 | 0 | rv = ssl3_SetupCipherSuite(ss, PR_FALSE); |
474 | 0 | if (rv != SECSuccess) { |
475 | 0 | FATAL_ERROR(ss, PORT_GetError(), internal_error); |
476 | 0 | return SECFailure; |
477 | 0 | } |
478 | 0 |
|
479 | 0 | rv = tls13_ComputeEarlySecrets(ss); |
480 | 0 | if (rv != SECSuccess) { |
481 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
482 | 0 | return SECFailure; |
483 | 0 | } |
484 | 0 | } |
485 | 0 |
|
486 | 0 | return SECSuccess; |
487 | 0 | } |
488 | | |
489 | | static SECStatus |
490 | | tls13_ImportDHEKeyShare(sslSocket *ss, SECKEYPublicKey *peerKey, |
491 | | PRUint8 *b, PRUint32 length, |
492 | | SECKEYPublicKey *pubKey) |
493 | 0 | { |
494 | 0 | SECStatus rv; |
495 | 0 | SECItem publicValue = { siBuffer, NULL, 0 }; |
496 | 0 |
|
497 | 0 | publicValue.data = b; |
498 | 0 | publicValue.len = length; |
499 | 0 | if (!ssl_IsValidDHEShare(&pubKey->u.dh.prime, &publicValue)) { |
500 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_DHE_KEY_SHARE); |
501 | 0 | return SECFailure; |
502 | 0 | } |
503 | 0 |
|
504 | 0 | peerKey->keyType = dhKey; |
505 | 0 | rv = SECITEM_CopyItem(peerKey->arena, &peerKey->u.dh.prime, |
506 | 0 | &pubKey->u.dh.prime); |
507 | 0 | if (rv != SECSuccess) |
508 | 0 | return SECFailure; |
509 | 0 | rv = SECITEM_CopyItem(peerKey->arena, &peerKey->u.dh.base, |
510 | 0 | &pubKey->u.dh.base); |
511 | 0 | if (rv != SECSuccess) |
512 | 0 | return SECFailure; |
513 | 0 | rv = SECITEM_CopyItem(peerKey->arena, &peerKey->u.dh.publicValue, |
514 | 0 | &publicValue); |
515 | 0 | if (rv != SECSuccess) |
516 | 0 | return SECFailure; |
517 | 0 | |
518 | 0 | return SECSuccess; |
519 | 0 | } |
520 | | |
521 | | static SECStatus |
522 | | tls13_HandleKeyShare(sslSocket *ss, |
523 | | TLS13KeyShareEntry *entry, |
524 | | sslKeyPair *keyPair) |
525 | 0 | { |
526 | 0 | PORTCheapArenaPool arena; |
527 | 0 | SECKEYPublicKey *peerKey; |
528 | 0 | CK_MECHANISM_TYPE mechanism; |
529 | 0 | PRErrorCode errorCode; |
530 | 0 | SECStatus rv; |
531 | 0 |
|
532 | 0 | PORT_InitCheapArena(&arena, DER_DEFAULT_CHUNKSIZE); |
533 | 0 | peerKey = PORT_ArenaZNew(&arena.arena, SECKEYPublicKey); |
534 | 0 | if (peerKey == NULL) { |
535 | 0 | goto loser; |
536 | 0 | } |
537 | 0 | peerKey->arena = &arena.arena; |
538 | 0 | peerKey->pkcs11Slot = NULL; |
539 | 0 | peerKey->pkcs11ID = CK_INVALID_HANDLE; |
540 | 0 |
|
541 | 0 | switch (entry->group->keaType) { |
542 | 0 | case ssl_kea_ecdh: |
543 | 0 | rv = ssl_ImportECDHKeyShare(ss, peerKey, |
544 | 0 | entry->key_exchange.data, |
545 | 0 | entry->key_exchange.len, |
546 | 0 | entry->group); |
547 | 0 | mechanism = CKM_ECDH1_DERIVE; |
548 | 0 | break; |
549 | 0 | case ssl_kea_dh: |
550 | 0 | rv = tls13_ImportDHEKeyShare(ss, peerKey, |
551 | 0 | entry->key_exchange.data, |
552 | 0 | entry->key_exchange.len, |
553 | 0 | keyPair->pubKey); |
554 | 0 | mechanism = CKM_DH_PKCS_DERIVE; |
555 | 0 | break; |
556 | 0 | default: |
557 | 0 | PORT_Assert(0); |
558 | 0 | goto loser; |
559 | 0 | } |
560 | 0 | if (rv != SECSuccess) { |
561 | 0 | goto loser; |
562 | 0 | } |
563 | 0 | |
564 | 0 | ss->ssl3.hs.dheSecret = PK11_PubDeriveWithKDF( |
565 | 0 | keyPair->privKey, peerKey, PR_FALSE, NULL, NULL, mechanism, |
566 | 0 | tls13_GetHkdfMechanism(ss), CKA_DERIVE, 0, CKD_NULL, NULL, NULL); |
567 | 0 | if (!ss->ssl3.hs.dheSecret) { |
568 | 0 | ssl_MapLowLevelError(SSL_ERROR_KEY_EXCHANGE_FAILURE); |
569 | 0 | goto loser; |
570 | 0 | } |
571 | 0 | PORT_DestroyCheapArena(&arena); |
572 | 0 | return SECSuccess; |
573 | 0 | |
574 | 0 | loser: |
575 | 0 | PORT_DestroyCheapArena(&arena); |
576 | 0 | errorCode = PORT_GetError(); /* don't overwrite the error code */ |
577 | 0 | tls13_FatalError(ss, errorCode, illegal_parameter); |
578 | 0 | return SECFailure; |
579 | 0 | } |
580 | | |
581 | | static PRBool |
582 | | tls13_UseServerSecret(sslSocket *ss, CipherSpecDirection direction) |
583 | 0 | { |
584 | 0 | return ss->sec.isServer == (direction == CipherSpecWrite); |
585 | 0 | } |
586 | | |
587 | | static PK11SymKey ** |
588 | | tls13_TrafficSecretRef(sslSocket *ss, CipherSpecDirection direction) |
589 | 0 | { |
590 | 0 | if (tls13_UseServerSecret(ss, direction)) { |
591 | 0 | return &ss->ssl3.hs.serverTrafficSecret; |
592 | 0 | } |
593 | 0 | return &ss->ssl3.hs.clientTrafficSecret; |
594 | 0 | } |
595 | | |
596 | | SECStatus |
597 | | tls13_UpdateTrafficKeys(sslSocket *ss, CipherSpecDirection direction) |
598 | 0 | { |
599 | 0 | PK11SymKey **secret; |
600 | 0 | PK11SymKey *updatedSecret; |
601 | 0 | PRUint16 epoch; |
602 | 0 | SECStatus rv; |
603 | 0 |
|
604 | 0 | secret = tls13_TrafficSecretRef(ss, direction); |
605 | 0 | rv = tls13_HkdfExpandLabel(*secret, tls13_GetHash(ss), |
606 | 0 | NULL, 0, |
607 | 0 | kHkdfLabelTrafficUpdate, |
608 | 0 | strlen(kHkdfLabelTrafficUpdate), |
609 | 0 | tls13_GetHmacMechanism(ss), |
610 | 0 | tls13_GetHashSize(ss), |
611 | 0 | &updatedSecret); |
612 | 0 | if (rv != SECSuccess) { |
613 | 0 | return SECFailure; |
614 | 0 | } |
615 | 0 | |
616 | 0 | PK11_FreeSymKey(*secret); |
617 | 0 | *secret = updatedSecret; |
618 | 0 |
|
619 | 0 | ssl_GetSpecReadLock(ss); |
620 | 0 | if (direction == CipherSpecRead) { |
621 | 0 | epoch = ss->ssl3.crSpec->epoch; |
622 | 0 | } else { |
623 | 0 | epoch = ss->ssl3.cwSpec->epoch; |
624 | 0 | } |
625 | 0 | ssl_ReleaseSpecReadLock(ss); |
626 | 0 |
|
627 | 0 | if (epoch == PR_UINT16_MAX) { |
628 | 0 | /* Good chance that this is an overflow from too many updates. */ |
629 | 0 | FATAL_ERROR(ss, SSL_ERROR_TOO_MANY_KEY_UPDATES, internal_error); |
630 | 0 | return SECFailure; |
631 | 0 | } |
632 | 0 | ++epoch; |
633 | 0 |
|
634 | 0 | rv = tls13_SetCipherSpec(ss, epoch, direction, PR_FALSE); |
635 | 0 | if (rv != SECSuccess) { |
636 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
637 | 0 | return SECFailure; |
638 | 0 | } |
639 | 0 |
|
640 | 0 | return SECSuccess; |
641 | 0 | } |
642 | | |
643 | | SECStatus |
644 | | tls13_SendKeyUpdate(sslSocket *ss, tls13KeyUpdateRequest request, PRBool buffer) |
645 | 0 | { |
646 | 0 | SECStatus rv; |
647 | 0 |
|
648 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: %s send key update, response %s", |
649 | 0 | SSL_GETPID(), ss->fd, SSL_ROLE(ss), |
650 | 0 | (request == update_requested) ? "requested" |
651 | 0 | : "not requested")); |
652 | 0 |
|
653 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
654 | 0 |
|
655 | 0 | if (!ss->firstHsDone) { |
656 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
657 | 0 | return SECFailure; |
658 | 0 | } |
659 | 0 |
|
660 | 0 | rv = TLS13_CHECK_HS_STATE(ss, SEC_ERROR_LIBRARY_FAILURE, |
661 | 0 | idle_handshake); |
662 | 0 | if (rv != SECSuccess) { |
663 | 0 | return SECFailure; |
664 | 0 | } |
665 | 0 | |
666 | 0 | /* Not supported. */ |
667 | 0 | if (IS_DTLS(ss)) { |
668 | 0 | PORT_SetError(SEC_ERROR_INVALID_ARGS); |
669 | 0 | return SECFailure; |
670 | 0 | } |
671 | 0 |
|
672 | 0 | ssl_GetXmitBufLock(ss); |
673 | 0 | rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_key_update, 1); |
674 | 0 | if (rv != SECSuccess) { |
675 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
676 | 0 | goto loser; |
677 | 0 | } |
678 | 0 | rv = ssl3_AppendHandshakeNumber(ss, request, 1); |
679 | 0 | if (rv != SECSuccess) { |
680 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
681 | 0 | goto loser; |
682 | 0 | } |
683 | 0 |
|
684 | 0 | /* If we have been asked to buffer, then do so. This allows us to coalesce |
685 | 0 | * a KeyUpdate with a pending write. */ |
686 | 0 | rv = ssl3_FlushHandshake(ss, buffer ? ssl_SEND_FLAG_FORCE_INTO_BUFFER : 0); |
687 | 0 | if (rv != SECSuccess) { |
688 | 0 | goto loser; /* error code set by ssl3_FlushHandshake */ |
689 | 0 | } |
690 | 0 | ssl_ReleaseXmitBufLock(ss); |
691 | 0 |
|
692 | 0 | rv = tls13_UpdateTrafficKeys(ss, CipherSpecWrite); |
693 | 0 | if (rv != SECSuccess) { |
694 | 0 | goto loser; /* error code set by tls13_UpdateTrafficKeys */ |
695 | 0 | } |
696 | 0 | |
697 | 0 | return SECSuccess; |
698 | 0 | |
699 | 0 | loser: |
700 | 0 | ssl_ReleaseXmitBufLock(ss); |
701 | 0 | return SECFailure; |
702 | 0 | } |
703 | | |
704 | | SECStatus |
705 | | SSLExp_KeyUpdate(PRFileDesc *fd, PRBool requestUpdate) |
706 | 0 | { |
707 | 0 | SECStatus rv; |
708 | 0 | sslSocket *ss = ssl_FindSocket(fd); |
709 | 0 | if (!ss) { |
710 | 0 | return SECFailure; |
711 | 0 | } |
712 | 0 | |
713 | 0 | if (!ss->firstHsDone) { |
714 | 0 | PORT_SetError(SEC_ERROR_INVALID_ARGS); |
715 | 0 | return SECFailure; |
716 | 0 | } |
717 | 0 |
|
718 | 0 | rv = TLS13_CHECK_HS_STATE(ss, SEC_ERROR_INVALID_ARGS, |
719 | 0 | idle_handshake); |
720 | 0 | if (rv != SECSuccess) { |
721 | 0 | return SECFailure; |
722 | 0 | } |
723 | 0 | |
724 | 0 | ssl_GetSSL3HandshakeLock(ss); |
725 | 0 | rv = tls13_SendKeyUpdate(ss, requestUpdate ? update_requested : update_not_requested, |
726 | 0 | PR_FALSE /* don't buffer */); |
727 | 0 |
|
728 | 0 | /* Remember that we are the ones that initiated this KeyUpdate. */ |
729 | 0 | if (rv == SECSuccess) { |
730 | 0 | ss->ssl3.peerRequestedKeyUpdate = PR_FALSE; |
731 | 0 | } |
732 | 0 | ssl_ReleaseSSL3HandshakeLock(ss); |
733 | 0 | return rv; |
734 | 0 | } |
735 | | |
736 | | /* |
737 | | * enum { |
738 | | * update_not_requested(0), update_requested(1), (255) |
739 | | * } KeyUpdateRequest; |
740 | | * |
741 | | * struct { |
742 | | * KeyUpdateRequest request_update; |
743 | | * } KeyUpdate; |
744 | | */ |
745 | | static SECStatus |
746 | | tls13_HandleKeyUpdate(sslSocket *ss, PRUint8 *b, unsigned int length) |
747 | 0 | { |
748 | 0 | SECStatus rv; |
749 | 0 | PRUint32 update; |
750 | 0 |
|
751 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: %s handle key update", |
752 | 0 | SSL_GETPID(), ss->fd, SSL_ROLE(ss))); |
753 | 0 |
|
754 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
755 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
756 | 0 |
|
757 | 0 | PORT_Assert(ss->firstHsDone); |
758 | 0 | if (!ss->firstHsDone) { |
759 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_UNEXPECTED_KEY_UPDATE, unexpected_message); |
760 | 0 | return SECFailure; |
761 | 0 | } |
762 | 0 |
|
763 | 0 | rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_KEY_UPDATE, |
764 | 0 | idle_handshake); |
765 | 0 | if (rv != SECSuccess) { |
766 | 0 | /* We should never be idle_handshake prior to firstHsDone. */ |
767 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
768 | 0 | return SECFailure; |
769 | 0 | } |
770 | 0 |
|
771 | 0 | rv = ssl3_ConsumeHandshakeNumber(ss, &update, 1, &b, &length); |
772 | 0 | if (rv != SECSuccess) { |
773 | 0 | return SECFailure; /* Error code set already. */ |
774 | 0 | } |
775 | 0 | if (length != 0) { |
776 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_KEY_UPDATE, decode_error); |
777 | 0 | return SECFailure; |
778 | 0 | } |
779 | 0 | if (!(update == update_requested || |
780 | 0 | update == update_not_requested)) { |
781 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_KEY_UPDATE, decode_error); |
782 | 0 | return SECFailure; |
783 | 0 | } |
784 | 0 |
|
785 | 0 | rv = tls13_UpdateTrafficKeys(ss, CipherSpecRead); |
786 | 0 | if (rv != SECSuccess) { |
787 | 0 | return SECFailure; /* Error code set by tls13_UpdateTrafficKeys. */ |
788 | 0 | } |
789 | 0 | |
790 | 0 | if (update == update_requested) { |
791 | 0 | PRBool sendUpdate; |
792 | 0 | if (ss->ssl3.peerRequestedKeyUpdate) { |
793 | 0 | /* Only send an update if we have sent with the current spec. This |
794 | 0 | * prevents us from being forced to crank forward pointlessly. */ |
795 | 0 | ssl_GetSpecReadLock(ss); |
796 | 0 | sendUpdate = ss->ssl3.cwSpec->nextSeqNum > 0; |
797 | 0 | ssl_ReleaseSpecReadLock(ss); |
798 | 0 | } else { |
799 | 0 | sendUpdate = PR_TRUE; |
800 | 0 | } |
801 | 0 | if (sendUpdate) { |
802 | 0 | /* Respond immediately (don't buffer). */ |
803 | 0 | rv = tls13_SendKeyUpdate(ss, update_not_requested, PR_FALSE); |
804 | 0 | if (rv != SECSuccess) { |
805 | 0 | return SECFailure; /* Error already set. */ |
806 | 0 | } |
807 | 0 | } |
808 | 0 | ss->ssl3.peerRequestedKeyUpdate = PR_TRUE; |
809 | 0 | } |
810 | 0 |
|
811 | 0 | return SECSuccess; |
812 | 0 | } |
813 | | |
814 | | SECStatus |
815 | | tls13_HandlePostHelloHandshakeMessage(sslSocket *ss, PRUint8 *b, PRUint32 length) |
816 | 0 | { |
817 | 0 | if (ss->sec.isServer && ss->ssl3.hs.zeroRttIgnore != ssl_0rtt_ignore_none) { |
818 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: %s successfully decrypted handshake after" |
819 | 0 | "failed 0-RTT", |
820 | 0 | SSL_GETPID(), ss->fd)); |
821 | 0 | ss->ssl3.hs.zeroRttIgnore = ssl_0rtt_ignore_none; |
822 | 0 | } |
823 | 0 |
|
824 | 0 | /* TODO(ekr@rtfm.com): Would it be better to check all the states here? */ |
825 | 0 | switch (ss->ssl3.hs.msg_type) { |
826 | 0 | case ssl_hs_certificate: |
827 | 0 | return tls13_HandleCertificate(ss, b, length); |
828 | 0 |
|
829 | 0 | case ssl_hs_certificate_request: |
830 | 0 | return tls13_HandleCertificateRequest(ss, b, length); |
831 | 0 |
|
832 | 0 | case ssl_hs_certificate_verify: |
833 | 0 | return tls13_HandleCertificateVerify(ss, b, length); |
834 | 0 |
|
835 | 0 | case ssl_hs_encrypted_extensions: |
836 | 0 | return tls13_HandleEncryptedExtensions(ss, b, length); |
837 | 0 |
|
838 | 0 | case ssl_hs_new_session_ticket: |
839 | 0 | return tls13_HandleNewSessionTicket(ss, b, length); |
840 | 0 |
|
841 | 0 | case ssl_hs_finished: |
842 | 0 | if (ss->sec.isServer) { |
843 | 0 | return tls13_ServerHandleFinished(ss, b, length); |
844 | 0 | } else { |
845 | 0 | return tls13_ClientHandleFinished(ss, b, length); |
846 | 0 | } |
847 | 0 | |
848 | 0 | case ssl_hs_end_of_early_data: |
849 | 0 | return tls13_HandleEndOfEarlyData(ss, b, length); |
850 | 0 |
|
851 | 0 | case ssl_hs_key_update: |
852 | 0 | return tls13_HandleKeyUpdate(ss, b, length); |
853 | 0 |
|
854 | 0 | default: |
855 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_UNKNOWN_HANDSHAKE, unexpected_message); |
856 | 0 | return SECFailure; |
857 | 0 | } |
858 | 0 |
|
859 | 0 | PORT_Assert(0); /* Unreached */ |
860 | 0 | return SECFailure; |
861 | 0 | } |
862 | | |
863 | | static SECStatus |
864 | | tls13_RecoverWrappedSharedSecret(sslSocket *ss, sslSessionID *sid) |
865 | 0 | { |
866 | 0 | PK11SymKey *wrapKey; /* wrapping key */ |
867 | 0 | SECItem wrappedMS = { siBuffer, NULL, 0 }; |
868 | 0 | SSLHashType hashType; |
869 | 0 |
|
870 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: recovering static secret (%s)", |
871 | 0 | SSL_GETPID(), ss->fd, SSL_ROLE(ss))); |
872 | 0 |
|
873 | 0 | /* Now find the hash used as the PRF for the previous handshake. */ |
874 | 0 | hashType = tls13_GetHashForCipherSuite(sid->u.ssl3.cipherSuite); |
875 | 0 |
|
876 | 0 | /* If we are the server, we compute the wrapping key, but if we |
877 | 0 | * are the client, its coordinates are stored with the ticket. */ |
878 | 0 | if (ss->sec.isServer) { |
879 | 0 | wrapKey = ssl3_GetWrappingKey(ss, NULL, |
880 | 0 | sid->u.ssl3.masterWrapMech, |
881 | 0 | ss->pkcs11PinArg); |
882 | 0 | } else { |
883 | 0 | PK11SlotInfo *slot = SECMOD_LookupSlot(sid->u.ssl3.masterModuleID, |
884 | 0 | sid->u.ssl3.masterSlotID); |
885 | 0 | if (!slot) |
886 | 0 | return SECFailure; |
887 | 0 | |
888 | 0 | wrapKey = PK11_GetWrapKey(slot, |
889 | 0 | sid->u.ssl3.masterWrapIndex, |
890 | 0 | sid->u.ssl3.masterWrapMech, |
891 | 0 | sid->u.ssl3.masterWrapSeries, |
892 | 0 | ss->pkcs11PinArg); |
893 | 0 | PK11_FreeSlot(slot); |
894 | 0 | } |
895 | 0 | if (!wrapKey) { |
896 | 0 | return SECFailure; |
897 | 0 | } |
898 | 0 | |
899 | 0 | wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret; |
900 | 0 | wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len; |
901 | 0 |
|
902 | 0 | /* unwrap the "master secret" which is actually RMS. */ |
903 | 0 | ss->ssl3.hs.resumptionMasterSecret = PK11_UnwrapSymKeyWithFlags( |
904 | 0 | wrapKey, sid->u.ssl3.masterWrapMech, |
905 | 0 | NULL, &wrappedMS, |
906 | 0 | CKM_SSL3_MASTER_KEY_DERIVE, |
907 | 0 | CKA_DERIVE, |
908 | 0 | tls13_GetHashSizeForHash(hashType), |
909 | 0 | CKF_SIGN | CKF_VERIFY); |
910 | 0 | PK11_FreeSymKey(wrapKey); |
911 | 0 | if (!ss->ssl3.hs.resumptionMasterSecret) { |
912 | 0 | return SECFailure; |
913 | 0 | } |
914 | 0 | |
915 | 0 | PRINT_KEY(50, (ss, "Recovered RMS", ss->ssl3.hs.resumptionMasterSecret)); |
916 | 0 |
|
917 | 0 | return SECSuccess; |
918 | 0 | } |
919 | | |
920 | | /* Key Derivation Functions. |
921 | | * |
922 | | * 0 |
923 | | * | |
924 | | * v |
925 | | * PSK -> HKDF-Extract = Early Secret |
926 | | * | |
927 | | * +-----> Derive-Secret(., "ext binder" | "res binder", "") |
928 | | * | = binder_key |
929 | | * | |
930 | | * +-----> Derive-Secret(., "c e traffic", |
931 | | * | ClientHello) |
932 | | * | = client_early_traffic_secret |
933 | | * | |
934 | | * +-----> Derive-Secret(., "e exp master", |
935 | | * | ClientHello) |
936 | | * | = early_exporter_secret |
937 | | * v |
938 | | * Derive-Secret(., "derived", "") |
939 | | * | |
940 | | * v |
941 | | *(EC)DHE -> HKDF-Extract = Handshake Secret |
942 | | * | |
943 | | * +-----> Derive-Secret(., "c hs traffic", |
944 | | * | ClientHello...ServerHello) |
945 | | * | = client_handshake_traffic_secret |
946 | | * | |
947 | | * +-----> Derive-Secret(., "s hs traffic", |
948 | | * | ClientHello...ServerHello) |
949 | | * | = server_handshake_traffic_secret |
950 | | * v |
951 | | * Derive-Secret(., "derived", "") |
952 | | * | |
953 | | * v |
954 | | * 0 -> HKDF-Extract = Master Secret |
955 | | * | |
956 | | * +-----> Derive-Secret(., "c ap traffic", |
957 | | * | ClientHello...Server Finished) |
958 | | * | = client_traffic_secret_0 |
959 | | * | |
960 | | * +-----> Derive-Secret(., "s ap traffic", |
961 | | * | ClientHello...Server Finished) |
962 | | * | = server_traffic_secret_0 |
963 | | * | |
964 | | * +-----> Derive-Secret(., "exp master", |
965 | | * | ClientHello...Server Finished) |
966 | | * | = exporter_secret |
967 | | * | |
968 | | * +-----> Derive-Secret(., "res master", |
969 | | * ClientHello...Client Finished) |
970 | | * = resumption_master_secret |
971 | | * |
972 | | */ |
973 | | |
974 | | static SECStatus |
975 | | tls13_ComputeEarlySecrets(sslSocket *ss) |
976 | 0 | { |
977 | 0 | SECStatus rv = SECSuccess; |
978 | 0 |
|
979 | 0 | SSL_TRC(5, ("%d: TLS13[%d]: compute early secrets (%s)", |
980 | 0 | SSL_GETPID(), ss->fd, SSL_ROLE(ss))); |
981 | 0 |
|
982 | 0 | /* Extract off the resumptionMasterSecret (if present), else pass the NULL |
983 | 0 | * resumptionMasterSecret which will be internally translated to zeroes. */ |
984 | 0 | PORT_Assert(!ss->ssl3.hs.currentSecret); |
985 | 0 | rv = tls13_HkdfExtract(NULL, ss->ssl3.hs.resumptionMasterSecret, |
986 | 0 | tls13_GetHash(ss), &ss->ssl3.hs.currentSecret); |
987 | 0 | if (rv != SECSuccess) { |
988 | 0 | return SECFailure; |
989 | 0 | } |
990 | 0 | |
991 | 0 | PORT_Assert(ss->statelessResume == (ss->ssl3.hs.resumptionMasterSecret != NULL)); |
992 | 0 | if (ss->statelessResume) { |
993 | 0 | PK11_FreeSymKey(ss->ssl3.hs.resumptionMasterSecret); |
994 | 0 | ss->ssl3.hs.resumptionMasterSecret = NULL; |
995 | 0 |
|
996 | 0 | rv = tls13_DeriveSecretNullHash(ss, ss->ssl3.hs.currentSecret, |
997 | 0 | kHkdfLabelPskBinderKey, |
998 | 0 | strlen(kHkdfLabelPskBinderKey), |
999 | 0 | &ss->ssl3.hs.pskBinderKey); |
1000 | 0 | if (rv != SECSuccess) { |
1001 | 0 | return SECFailure; |
1002 | 0 | } |
1003 | 0 | } |
1004 | 0 | PORT_Assert(!ss->ssl3.hs.resumptionMasterSecret); |
1005 | 0 |
|
1006 | 0 | return SECSuccess; |
1007 | 0 | } |
1008 | | |
1009 | | /* This derives the early traffic and early exporter secrets. */ |
1010 | | static SECStatus |
1011 | | tls13_DeriveEarlySecrets(sslSocket *ss) |
1012 | 0 | { |
1013 | 0 | SECStatus rv; |
1014 | 0 |
|
1015 | 0 | rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret, |
1016 | 0 | kHkdfLabelClient, |
1017 | 0 | kHkdfLabelEarlyTrafficSecret, |
1018 | 0 | keylogLabelClientEarlyTrafficSecret, |
1019 | 0 | &ss->ssl3.hs.clientEarlyTrafficSecret); |
1020 | 0 | if (rv != SECSuccess) { |
1021 | 0 | return SECFailure; |
1022 | 0 | } |
1023 | 0 | |
1024 | 0 | rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret, |
1025 | 0 | NULL, kHkdfLabelEarlyExporterSecret, |
1026 | 0 | keylogLabelEarlyExporterSecret, |
1027 | 0 | &ss->ssl3.hs.earlyExporterSecret); |
1028 | 0 | if (rv != SECSuccess) { |
1029 | 0 | return SECFailure; |
1030 | 0 | } |
1031 | 0 | |
1032 | 0 | return SECSuccess; |
1033 | 0 | } |
1034 | | |
1035 | | static SECStatus |
1036 | | tls13_ComputeHandshakeSecrets(sslSocket *ss) |
1037 | 0 | { |
1038 | 0 | SECStatus rv; |
1039 | 0 | PK11SymKey *derivedSecret = NULL; |
1040 | 0 | PK11SymKey *newSecret = NULL; |
1041 | 0 |
|
1042 | 0 | SSL_TRC(5, ("%d: TLS13[%d]: compute handshake secrets (%s)", |
1043 | 0 | SSL_GETPID(), ss->fd, SSL_ROLE(ss))); |
1044 | 0 |
|
1045 | 0 | /* First update |currentSecret| to add |dheSecret|, if any. */ |
1046 | 0 | PORT_Assert(ss->ssl3.hs.currentSecret); |
1047 | 0 | PORT_Assert(ss->ssl3.hs.dheSecret); |
1048 | 0 |
|
1049 | 0 | /* Expand before we extract. */ |
1050 | 0 | rv = tls13_DeriveSecretNullHash(ss, ss->ssl3.hs.currentSecret, |
1051 | 0 | kHkdfLabelDerivedSecret, |
1052 | 0 | strlen(kHkdfLabelDerivedSecret), |
1053 | 0 | &derivedSecret); |
1054 | 0 | if (rv != SECSuccess) { |
1055 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
1056 | 0 | return rv; |
1057 | 0 | } |
1058 | 0 |
|
1059 | 0 | rv = tls13_HkdfExtract(derivedSecret, ss->ssl3.hs.dheSecret, |
1060 | 0 | tls13_GetHash(ss), &newSecret); |
1061 | 0 | PK11_FreeSymKey(derivedSecret); |
1062 | 0 |
|
1063 | 0 | if (rv != SECSuccess) { |
1064 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
1065 | 0 | return rv; |
1066 | 0 | } |
1067 | 0 | PK11_FreeSymKey(ss->ssl3.hs.dheSecret); |
1068 | 0 | ss->ssl3.hs.dheSecret = NULL; |
1069 | 0 | PK11_FreeSymKey(ss->ssl3.hs.currentSecret); |
1070 | 0 | ss->ssl3.hs.currentSecret = newSecret; |
1071 | 0 |
|
1072 | 0 | /* Now compute |*HsTrafficSecret| */ |
1073 | 0 | rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret, |
1074 | 0 | kHkdfLabelClient, |
1075 | 0 | kHkdfLabelHandshakeTrafficSecret, |
1076 | 0 | keylogLabelClientHsTrafficSecret, |
1077 | 0 | &ss->ssl3.hs.clientHsTrafficSecret); |
1078 | 0 | if (rv != SECSuccess) { |
1079 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
1080 | 0 | return rv; |
1081 | 0 | } |
1082 | 0 | rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret, |
1083 | 0 | kHkdfLabelServer, |
1084 | 0 | kHkdfLabelHandshakeTrafficSecret, |
1085 | 0 | keylogLabelServerHsTrafficSecret, |
1086 | 0 | &ss->ssl3.hs.serverHsTrafficSecret); |
1087 | 0 | if (rv != SECSuccess) { |
1088 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
1089 | 0 | return rv; |
1090 | 0 | } |
1091 | 0 |
|
1092 | 0 | SSL_TRC(5, ("%d: TLS13[%d]: compute master secret (%s)", |
1093 | 0 | SSL_GETPID(), ss->fd, SSL_ROLE(ss))); |
1094 | 0 |
|
1095 | 0 | /* Crank HKDF forward to make master secret, which we |
1096 | 0 | * stuff in current secret. */ |
1097 | 0 | rv = tls13_DeriveSecretNullHash(ss, ss->ssl3.hs.currentSecret, |
1098 | 0 | kHkdfLabelDerivedSecret, |
1099 | 0 | strlen(kHkdfLabelDerivedSecret), |
1100 | 0 | &derivedSecret); |
1101 | 0 | if (rv != SECSuccess) { |
1102 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
1103 | 0 | return rv; |
1104 | 0 | } |
1105 | 0 | rv = tls13_HkdfExtract(derivedSecret, |
1106 | 0 | NULL, |
1107 | 0 | tls13_GetHash(ss), |
1108 | 0 | &newSecret); |
1109 | 0 | PK11_FreeSymKey(derivedSecret); |
1110 | 0 | if (rv != SECSuccess) { |
1111 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
1112 | 0 | return SECFailure; |
1113 | 0 | } |
1114 | 0 | PK11_FreeSymKey(ss->ssl3.hs.currentSecret); |
1115 | 0 | ss->ssl3.hs.currentSecret = newSecret; |
1116 | 0 |
|
1117 | 0 | return SECSuccess; |
1118 | 0 | } |
1119 | | |
1120 | | static SECStatus |
1121 | | tls13_ComputeApplicationSecrets(sslSocket *ss) |
1122 | 0 | { |
1123 | 0 | SECStatus rv; |
1124 | 0 |
|
1125 | 0 | rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret, |
1126 | 0 | kHkdfLabelClient, |
1127 | 0 | kHkdfLabelApplicationTrafficSecret, |
1128 | 0 | keylogLabelClientTrafficSecret, |
1129 | 0 | &ss->ssl3.hs.clientTrafficSecret); |
1130 | 0 | if (rv != SECSuccess) { |
1131 | 0 | return SECFailure; |
1132 | 0 | } |
1133 | 0 | rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret, |
1134 | 0 | kHkdfLabelServer, |
1135 | 0 | kHkdfLabelApplicationTrafficSecret, |
1136 | 0 | keylogLabelServerTrafficSecret, |
1137 | 0 | &ss->ssl3.hs.serverTrafficSecret); |
1138 | 0 | if (rv != SECSuccess) { |
1139 | 0 | return SECFailure; |
1140 | 0 | } |
1141 | 0 | |
1142 | 0 | rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret, |
1143 | 0 | NULL, kHkdfLabelExporterMasterSecret, |
1144 | 0 | keylogLabelExporterSecret, |
1145 | 0 | &ss->ssl3.hs.exporterSecret); |
1146 | 0 | if (rv != SECSuccess) { |
1147 | 0 | return SECFailure; |
1148 | 0 | } |
1149 | 0 | |
1150 | 0 | return SECSuccess; |
1151 | 0 | } |
1152 | | |
1153 | | static SECStatus |
1154 | | tls13_ComputeFinalSecrets(sslSocket *ss) |
1155 | 0 | { |
1156 | 0 | SECStatus rv; |
1157 | 0 |
|
1158 | 0 | PORT_Assert(!ss->ssl3.crSpec->masterSecret); |
1159 | 0 | PORT_Assert(!ss->ssl3.cwSpec->masterSecret); |
1160 | 0 |
|
1161 | 0 | rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret, |
1162 | 0 | NULL, kHkdfLabelResumptionMasterSecret, |
1163 | 0 | NULL, |
1164 | 0 | &ss->ssl3.hs.resumptionMasterSecret); |
1165 | 0 | PK11_FreeSymKey(ss->ssl3.hs.currentSecret); |
1166 | 0 | ss->ssl3.hs.currentSecret = NULL; |
1167 | 0 | if (rv != SECSuccess) { |
1168 | 0 | return SECFailure; |
1169 | 0 | } |
1170 | 0 | |
1171 | 0 | return SECSuccess; |
1172 | 0 | } |
1173 | | |
1174 | | static void |
1175 | | tls13_RestoreCipherInfo(sslSocket *ss, sslSessionID *sid) |
1176 | 0 | { |
1177 | 0 | /* Set these to match the cached value. |
1178 | 0 | * TODO(ekr@rtfm.com): Make a version with the "true" values. |
1179 | 0 | * Bug 1256137. |
1180 | 0 | */ |
1181 | 0 | ss->sec.authType = sid->authType; |
1182 | 0 | ss->sec.authKeyBits = sid->authKeyBits; |
1183 | 0 | ss->sec.originalKeaGroup = ssl_LookupNamedGroup(sid->keaGroup); |
1184 | 0 | ss->sec.signatureScheme = sid->sigScheme; |
1185 | 0 | } |
1186 | | |
1187 | | /* Check whether resumption-PSK is allowed. */ |
1188 | | static PRBool |
1189 | | tls13_CanResume(sslSocket *ss, const sslSessionID *sid) |
1190 | 0 | { |
1191 | 0 | const sslServerCert *sc; |
1192 | 0 |
|
1193 | 0 | if (!sid) { |
1194 | 0 | return PR_FALSE; |
1195 | 0 | } |
1196 | 0 |
|
1197 | 0 | if (sid->version != ss->version) { |
1198 | 0 | return PR_FALSE; |
1199 | 0 | } |
1200 | 0 |
|
1201 | 0 | if (tls13_GetHashForCipherSuite(sid->u.ssl3.cipherSuite) != tls13_GetHashForCipherSuite(ss->ssl3.hs.cipher_suite)) { |
1202 | 0 | return PR_FALSE; |
1203 | 0 | } |
1204 | 0 |
|
1205 | 0 | /* Server sids don't remember the server cert we previously sent, but they |
1206 | 0 | * do remember the type of certificate we originally used, so we can locate |
1207 | 0 | * it again, provided that the current ssl socket has had its server certs |
1208 | 0 | * configured the same as the previous one. */ |
1209 | 0 | sc = ssl_FindServerCert(ss, sid->authType, sid->namedCurve); |
1210 | 0 | if (!sc || !sc->serverCert) { |
1211 | 0 | return PR_FALSE; |
1212 | 0 | } |
1213 | 0 |
|
1214 | 0 | return PR_TRUE; |
1215 | 0 | } |
1216 | | |
1217 | | static PRBool |
1218 | | tls13_CanNegotiateZeroRtt(sslSocket *ss, const sslSessionID *sid) |
1219 | 0 | { |
1220 | 0 | PORT_Assert(ss->ssl3.hs.zeroRttState == ssl_0rtt_sent); |
1221 | 0 |
|
1222 | 0 | if (!sid) |
1223 | 0 | return PR_FALSE; |
1224 | 0 | PORT_Assert(ss->statelessResume); |
1225 | 0 | if (!ss->statelessResume) |
1226 | 0 | return PR_FALSE; |
1227 | 0 | if (ss->ssl3.hs.cipher_suite != sid->u.ssl3.cipherSuite) |
1228 | 0 | return PR_FALSE; |
1229 | 0 | if (!ss->opt.enable0RttData) |
1230 | 0 | return PR_FALSE; |
1231 | 0 | if (!(sid->u.ssl3.locked.sessionTicket.flags & ticket_allow_early_data)) |
1232 | 0 | return PR_FALSE; |
1233 | 0 | if (SECITEM_CompareItem(&ss->xtnData.nextProto, |
1234 | 0 | &sid->u.ssl3.alpnSelection) != 0) |
1235 | 0 | return PR_FALSE; |
1236 | 0 | |
1237 | 0 | if (tls13_IsReplay(ss, sid)) { |
1238 | 0 | return PR_FALSE; |
1239 | 0 | } |
1240 | 0 |
|
1241 | 0 | return PR_TRUE; |
1242 | 0 | } |
1243 | | |
1244 | | /* Called from tls13_HandleClientHelloPart2 to update the state of 0-RTT handling. |
1245 | | * |
1246 | | * 0-RTT is only permitted if: |
1247 | | * 1. The early data extension was present. |
1248 | | * 2. We are resuming a session. |
1249 | | * 3. The 0-RTT option is set. |
1250 | | * 4. The ticket allowed 0-RTT. |
1251 | | * 5. We negotiated the same ALPN value as in the ticket. |
1252 | | */ |
1253 | | static void |
1254 | | tls13_NegotiateZeroRtt(sslSocket *ss, const sslSessionID *sid) |
1255 | 0 | { |
1256 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: negotiate 0-RTT %p", |
1257 | 0 | SSL_GETPID(), ss->fd, sid)); |
1258 | 0 |
|
1259 | 0 | /* tls13_ServerHandleEarlyDataXtn sets this to ssl_0rtt_sent, so this will |
1260 | 0 | * be ssl_0rtt_none unless early_data is present. */ |
1261 | 0 | if (ss->ssl3.hs.zeroRttState == ssl_0rtt_none) { |
1262 | 0 | return; |
1263 | 0 | } |
1264 | 0 | |
1265 | 0 | /* If we rejected 0-RTT on the first ClientHello, then we can just say that |
1266 | 0 | * there is no 0-RTT for the second. We shouldn't get any more. Reset the |
1267 | 0 | * ignore state so that we treat decryption failure normally. */ |
1268 | 0 | if (ss->ssl3.hs.zeroRttIgnore == ssl_0rtt_ignore_hrr) { |
1269 | 0 | PORT_Assert(ss->ssl3.hs.helloRetry); |
1270 | 0 | ss->ssl3.hs.zeroRttState = ssl_0rtt_none; |
1271 | 0 | ss->ssl3.hs.zeroRttIgnore = ssl_0rtt_ignore_none; |
1272 | 0 | return; |
1273 | 0 | } |
1274 | 0 |
|
1275 | 0 | if (!tls13_CanNegotiateZeroRtt(ss, sid)) { |
1276 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: ignore 0-RTT", |
1277 | 0 | SSL_GETPID(), ss->fd)); |
1278 | 0 | ss->ssl3.hs.zeroRttState = ssl_0rtt_ignored; |
1279 | 0 | ss->ssl3.hs.zeroRttIgnore = ssl_0rtt_ignore_trial; |
1280 | 0 | return; |
1281 | 0 | } |
1282 | 0 | |
1283 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: enable 0-RTT", |
1284 | 0 | SSL_GETPID(), ss->fd)); |
1285 | 0 | PORT_Assert(ss->statelessResume); |
1286 | 0 | ss->ssl3.hs.zeroRttState = ssl_0rtt_accepted; |
1287 | 0 | ss->ssl3.hs.zeroRttIgnore = ssl_0rtt_ignore_none; |
1288 | 0 | } |
1289 | | |
1290 | | /* Check if the offered group is acceptable. */ |
1291 | | static PRBool |
1292 | | tls13_isGroupAcceptable(const sslNamedGroupDef *offered, |
1293 | | const sslNamedGroupDef *preferredGroup) |
1294 | 0 | { |
1295 | 0 | /* We accept epsilon (e) bits around the offered group size. */ |
1296 | 0 | const unsigned int e = 2; |
1297 | 0 |
|
1298 | 0 | PORT_Assert(offered); |
1299 | 0 | PORT_Assert(preferredGroup); |
1300 | 0 |
|
1301 | 0 | if (offered->bits >= preferredGroup->bits - e && |
1302 | 0 | offered->bits <= preferredGroup->bits + e) { |
1303 | 0 | return PR_TRUE; |
1304 | 0 | } |
1305 | 0 |
|
1306 | 0 | return PR_FALSE; |
1307 | 0 | } |
1308 | | |
1309 | | /* Find remote key share for given group and return it. |
1310 | | * Returns NULL if no key share is found. */ |
1311 | | static TLS13KeyShareEntry * |
1312 | | tls13_FindKeyShareEntry(sslSocket *ss, const sslNamedGroupDef *group) |
1313 | 0 | { |
1314 | 0 | PRCList *cur_p = PR_NEXT_LINK(&ss->xtnData.remoteKeyShares); |
1315 | 0 | while (cur_p != &ss->xtnData.remoteKeyShares) { |
1316 | 0 | TLS13KeyShareEntry *offer = (TLS13KeyShareEntry *)cur_p; |
1317 | 0 | if (offer->group == group) { |
1318 | 0 | return offer; |
1319 | 0 | } |
1320 | 0 | cur_p = PR_NEXT_LINK(cur_p); |
1321 | 0 | } |
1322 | 0 | return NULL; |
1323 | 0 | } |
1324 | | |
1325 | | static SECStatus |
1326 | | tls13_NegotiateKeyExchange(sslSocket *ss, |
1327 | | const sslNamedGroupDef **requestedGroup, |
1328 | | TLS13KeyShareEntry **clientShare) |
1329 | 0 | { |
1330 | 0 | unsigned int index; |
1331 | 0 | TLS13KeyShareEntry *entry = NULL; |
1332 | 0 | const sslNamedGroupDef *preferredGroup = NULL; |
1333 | 0 |
|
1334 | 0 | /* We insist on DHE. */ |
1335 | 0 | if (ss->statelessResume) { |
1336 | 0 | if (!ssl3_ExtensionNegotiated(ss, ssl_tls13_psk_key_exchange_modes_xtn)) { |
1337 | 0 | FATAL_ERROR(ss, SSL_ERROR_MISSING_PSK_KEY_EXCHANGE_MODES, |
1338 | 0 | missing_extension); |
1339 | 0 | return SECFailure; |
1340 | 0 | } |
1341 | 0 | if (!memchr(ss->xtnData.psk_ke_modes.data, tls13_psk_dh_ke, |
1342 | 0 | ss->xtnData.psk_ke_modes.len)) { |
1343 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: client offered PSK without DH", |
1344 | 0 | SSL_GETPID(), ss->fd)); |
1345 | 0 | ss->statelessResume = PR_FALSE; |
1346 | 0 | } |
1347 | 0 | } |
1348 | 0 |
|
1349 | 0 | /* Now figure out which key share we like the best out of the |
1350 | 0 | * mutually supported groups, regardless of what the client offered |
1351 | 0 | * for key shares. |
1352 | 0 | */ |
1353 | 0 | if (!ssl3_ExtensionNegotiated(ss, ssl_supported_groups_xtn)) { |
1354 | 0 | FATAL_ERROR(ss, SSL_ERROR_MISSING_SUPPORTED_GROUPS_EXTENSION, |
1355 | 0 | missing_extension); |
1356 | 0 | return SECFailure; |
1357 | 0 | } |
1358 | 0 |
|
1359 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: selected KE = %s", |
1360 | 0 | SSL_GETPID(), ss->fd, ss->statelessResume ? "PSK + (EC)DHE" : "(EC)DHE")); |
1361 | 0 |
|
1362 | 0 | /* Find the preferred group and an according client key share available. */ |
1363 | 0 | for (index = 0; index < SSL_NAMED_GROUP_COUNT; ++index) { |
1364 | 0 | /* Continue to the next group if this one is not enabled. */ |
1365 | 0 | if (!ss->namedGroupPreferences[index]) { |
1366 | 0 | /* There's a gap in the preferred groups list. Assume this is a group |
1367 | 0 | * that's not supported by the client but preferred by the server. */ |
1368 | 0 | if (preferredGroup) { |
1369 | 0 | entry = NULL; |
1370 | 0 | break; |
1371 | 0 | } |
1372 | 0 | continue; |
1373 | 0 | } |
1374 | 0 | |
1375 | 0 | /* Check if the client sent a key share for this group. */ |
1376 | 0 | entry = tls13_FindKeyShareEntry(ss, ss->namedGroupPreferences[index]); |
1377 | 0 |
|
1378 | 0 | if (preferredGroup) { |
1379 | 0 | /* We already found our preferred group but the group didn't have a share. */ |
1380 | 0 | if (entry) { |
1381 | 0 | /* The client sent a key share with group ss->namedGroupPreferences[index] */ |
1382 | 0 | if (tls13_isGroupAcceptable(ss->namedGroupPreferences[index], |
1383 | 0 | preferredGroup)) { |
1384 | 0 | /* This is not the preferred group, but it's acceptable */ |
1385 | 0 | preferredGroup = ss->namedGroupPreferences[index]; |
1386 | 0 | } else { |
1387 | 0 | /* The proposed group is not acceptable. */ |
1388 | 0 | entry = NULL; |
1389 | 0 | } |
1390 | 0 | } |
1391 | 0 | break; |
1392 | 0 | } else { |
1393 | 0 | /* The first enabled group is the preferred group. */ |
1394 | 0 | preferredGroup = ss->namedGroupPreferences[index]; |
1395 | 0 | if (entry) { |
1396 | 0 | break; |
1397 | 0 | } |
1398 | 0 | } |
1399 | 0 | } |
1400 | 0 |
|
1401 | 0 | if (!preferredGroup) { |
1402 | 0 | FATAL_ERROR(ss, SSL_ERROR_NO_CYPHER_OVERLAP, handshake_failure); |
1403 | 0 | return SECFailure; |
1404 | 0 | } |
1405 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: group = %d", SSL_GETPID(), ss->fd, |
1406 | 0 | preferredGroup->name)); |
1407 | 0 |
|
1408 | 0 | /* Either provide a share, or provide a group that should be requested in a |
1409 | 0 | * HelloRetryRequest, but not both. */ |
1410 | 0 | if (entry) { |
1411 | 0 | PORT_Assert(preferredGroup == entry->group); |
1412 | 0 | *clientShare = entry; |
1413 | 0 | *requestedGroup = NULL; |
1414 | 0 | } else { |
1415 | 0 | *clientShare = NULL; |
1416 | 0 | *requestedGroup = preferredGroup; |
1417 | 0 | } |
1418 | 0 | return SECSuccess; |
1419 | 0 | } |
1420 | | |
1421 | | SECStatus |
1422 | | tls13_SelectServerCert(sslSocket *ss) |
1423 | 0 | { |
1424 | 0 | PRCList *cursor; |
1425 | 0 | SECStatus rv; |
1426 | 0 |
|
1427 | 0 | if (!ssl3_ExtensionNegotiated(ss, ssl_signature_algorithms_xtn)) { |
1428 | 0 | FATAL_ERROR(ss, SSL_ERROR_MISSING_SIGNATURE_ALGORITHMS_EXTENSION, |
1429 | 0 | missing_extension); |
1430 | 0 | return SECFailure; |
1431 | 0 | } |
1432 | 0 |
|
1433 | 0 | /* This picks the first certificate that has: |
1434 | 0 | * a) the right authentication method, and |
1435 | 0 | * b) the right named curve (EC only) |
1436 | 0 | * |
1437 | 0 | * We might want to do some sort of ranking here later. For now, it's all |
1438 | 0 | * based on what order they are configured in. */ |
1439 | 0 | for (cursor = PR_NEXT_LINK(&ss->serverCerts); |
1440 | 0 | cursor != &ss->serverCerts; |
1441 | 0 | cursor = PR_NEXT_LINK(cursor)) { |
1442 | 0 | sslServerCert *cert = (sslServerCert *)cursor; |
1443 | 0 |
|
1444 | 0 | if (SSL_CERT_IS_ONLY(cert, ssl_auth_rsa_decrypt)) { |
1445 | 0 | continue; |
1446 | 0 | } |
1447 | 0 | |
1448 | 0 | rv = ssl_PickSignatureScheme(ss, |
1449 | 0 | cert->serverCert, |
1450 | 0 | cert->serverKeyPair->pubKey, |
1451 | 0 | cert->serverKeyPair->privKey, |
1452 | 0 | ss->xtnData.sigSchemes, |
1453 | 0 | ss->xtnData.numSigSchemes, |
1454 | 0 | PR_FALSE); |
1455 | 0 | if (rv == SECSuccess) { |
1456 | 0 | /* Found one. */ |
1457 | 0 | ss->sec.serverCert = cert; |
1458 | 0 | ss->sec.authType = ss->ssl3.hs.kea_def_mutable.authKeyType = |
1459 | 0 | ssl_SignatureSchemeToAuthType(ss->ssl3.hs.signatureScheme); |
1460 | 0 | ss->sec.authKeyBits = cert->serverKeyBits; |
1461 | 0 | return SECSuccess; |
1462 | 0 | } |
1463 | 0 | } |
1464 | 0 |
|
1465 | 0 | FATAL_ERROR(ss, SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM, |
1466 | 0 | handshake_failure); |
1467 | 0 | return SECFailure; |
1468 | 0 | } |
1469 | | |
1470 | | /* Note: |requestedGroup| is non-NULL when we send a key_share extension. */ |
1471 | | static SECStatus |
1472 | | tls13_MaybeSendHelloRetry(sslSocket *ss, const sslNamedGroupDef *requestedGroup, |
1473 | | PRBool *hrrSent) |
1474 | 0 | { |
1475 | 0 | SSLHelloRetryRequestAction action = ssl_hello_retry_accept; |
1476 | 0 | PRUint8 token[256] = { 0 }; |
1477 | 0 | unsigned int tokenLen = 0; |
1478 | 0 | SECStatus rv; |
1479 | 0 |
|
1480 | 0 | if (ss->hrrCallback) { |
1481 | 0 | action = ss->hrrCallback(!ss->ssl3.hs.helloRetry, |
1482 | 0 | ss->xtnData.applicationToken.data, |
1483 | 0 | ss->xtnData.applicationToken.len, |
1484 | 0 | token, &tokenLen, sizeof(token), |
1485 | 0 | ss->hrrCallbackArg); |
1486 | 0 | } |
1487 | 0 |
|
1488 | 0 | /* These use SSL3_SendAlert directly to avoid an assertion in |
1489 | 0 | * tls13_FatalError(), which is ordinarily OK. */ |
1490 | 0 | if (action == ssl_hello_retry_request && ss->ssl3.hs.helloRetry) { |
1491 | 0 | (void)SSL3_SendAlert(ss, alert_fatal, internal_error); |
1492 | 0 | PORT_SetError(SSL_ERROR_APP_CALLBACK_ERROR); |
1493 | 0 | return SECFailure; |
1494 | 0 | } |
1495 | 0 |
|
1496 | 0 | if (action != ssl_hello_retry_request && tokenLen) { |
1497 | 0 | (void)SSL3_SendAlert(ss, alert_fatal, internal_error); |
1498 | 0 | PORT_SetError(SSL_ERROR_APP_CALLBACK_ERROR); |
1499 | 0 | return SECFailure; |
1500 | 0 | } |
1501 | 0 |
|
1502 | 0 | if (tokenLen > sizeof(token)) { |
1503 | 0 | (void)SSL3_SendAlert(ss, alert_fatal, internal_error); |
1504 | 0 | PORT_SetError(SSL_ERROR_APP_CALLBACK_ERROR); |
1505 | 0 | return SECFailure; |
1506 | 0 | } |
1507 | 0 |
|
1508 | 0 | if (action == ssl_hello_retry_fail) { |
1509 | 0 | FATAL_ERROR(ss, SSL_ERROR_APPLICATION_ABORT, handshake_failure); |
1510 | 0 | return SECFailure; |
1511 | 0 | } |
1512 | 0 |
|
1513 | 0 | if (!requestedGroup && action != ssl_hello_retry_request) { |
1514 | 0 | return SECSuccess; |
1515 | 0 | } |
1516 | 0 | |
1517 | 0 | rv = tls13_SendHelloRetryRequest(ss, requestedGroup, token, tokenLen); |
1518 | 0 | if (rv != SECSuccess) { |
1519 | 0 | return SECFailure; /* Code already set. */ |
1520 | 0 | } |
1521 | 0 | |
1522 | 0 | *hrrSent = PR_TRUE; |
1523 | 0 | return SECSuccess; |
1524 | 0 | } |
1525 | | |
1526 | | static SECStatus |
1527 | | tls13_NegotiateAuthentication(sslSocket *ss) |
1528 | 0 | { |
1529 | 0 | SECStatus rv; |
1530 | 0 |
|
1531 | 0 | if (ss->statelessResume) { |
1532 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: selected PSK authentication", |
1533 | 0 | SSL_GETPID(), ss->fd)); |
1534 | 0 | ss->ssl3.hs.signatureScheme = ssl_sig_none; |
1535 | 0 | ss->ssl3.hs.kea_def_mutable.authKeyType = ssl_auth_psk; |
1536 | 0 | return SECSuccess; |
1537 | 0 | } |
1538 | 0 | |
1539 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: selected certificate authentication", |
1540 | 0 | SSL_GETPID(), ss->fd)); |
1541 | 0 | /* We've now established that we need to sign.... */ |
1542 | 0 | rv = tls13_SelectServerCert(ss); |
1543 | 0 | if (rv != SECSuccess) { |
1544 | 0 | return SECFailure; |
1545 | 0 | } |
1546 | 0 | return SECSuccess; |
1547 | 0 | } |
1548 | | |
1549 | | /* Called from ssl3_HandleClientHello after we have parsed the |
1550 | | * ClientHello and are sure that we are going to do TLS 1.3 |
1551 | | * or fail. */ |
1552 | | SECStatus |
1553 | | tls13_HandleClientHelloPart2(sslSocket *ss, |
1554 | | const SECItem *suites, |
1555 | | sslSessionID *sid, |
1556 | | const PRUint8 *msg, |
1557 | | unsigned int len) |
1558 | 0 | { |
1559 | 0 | SECStatus rv; |
1560 | 0 | SSL3Statistics *ssl3stats = SSL_GetStatistics(); |
1561 | 0 | const sslNamedGroupDef *requestedGroup = NULL; |
1562 | 0 | TLS13KeyShareEntry *clientShare = NULL; |
1563 | 0 | ssl3CipherSuite previousCipherSuite = 0; |
1564 | 0 | const sslNamedGroupDef *previousGroup = NULL; |
1565 | 0 | PRBool hrr = PR_FALSE; |
1566 | 0 |
|
1567 | 0 | ss->ssl3.hs.endOfFlight = PR_TRUE; |
1568 | 0 |
|
1569 | 0 | if (ssl3_ExtensionNegotiated(ss, ssl_tls13_early_data_xtn)) { |
1570 | 0 | ss->ssl3.hs.zeroRttState = ssl_0rtt_sent; |
1571 | 0 | } |
1572 | 0 |
|
1573 | 0 | #ifndef PARANOID |
1574 | 0 | /* Look for a matching cipher suite. */ |
1575 | 0 | if (ssl3_config_match_init(ss) == 0) { /* no ciphers are working/supported by PK11 */ |
1576 | 0 | FATAL_ERROR(ss, PORT_GetError(), internal_error); |
1577 | 0 | goto loser; |
1578 | 0 | } |
1579 | 0 | #endif |
1580 | 0 |
|
1581 | 0 | /* Negotiate cipher suite. */ |
1582 | 0 | rv = ssl3_NegotiateCipherSuite(ss, suites, PR_FALSE); |
1583 | 0 | if (rv != SECSuccess) { |
1584 | 0 | FATAL_ERROR(ss, SSL_ERROR_NO_CYPHER_OVERLAP, handshake_failure); |
1585 | 0 | goto loser; |
1586 | 0 | } |
1587 | 0 |
|
1588 | 0 | /* If we are going around again, then we should make sure that the cipher |
1589 | 0 | * suite selection doesn't change. That's a sign of client shennanigans. */ |
1590 | 0 | if (ss->ssl3.hs.helloRetry) { |
1591 | 0 |
|
1592 | 0 | /* Update sequence numbers before checking the cookie so that any alerts |
1593 | 0 | * we generate are sent with the right sequence numbers. */ |
1594 | 0 | if (IS_DTLS(ss)) { |
1595 | 0 | /* Count the first ClientHello and the HelloRetryRequest. */ |
1596 | 0 | ss->ssl3.hs.sendMessageSeq = 1; |
1597 | 0 | ss->ssl3.hs.recvMessageSeq = 1; |
1598 | 0 | ssl_GetSpecWriteLock(ss); |
1599 | 0 | /* Increase the write sequence number. The read sequence number |
1600 | 0 | * will be reset after this to early data or handshake. */ |
1601 | 0 | ss->ssl3.cwSpec->nextSeqNum = 1; |
1602 | 0 | ssl_ReleaseSpecWriteLock(ss); |
1603 | 0 | } |
1604 | 0 |
|
1605 | 0 | if (!ssl3_ExtensionNegotiated(ss, ssl_tls13_cookie_xtn) || |
1606 | 0 | !ss->xtnData.cookie.len) { |
1607 | 0 | FATAL_ERROR(ss, SSL_ERROR_MISSING_COOKIE_EXTENSION, |
1608 | 0 | missing_extension); |
1609 | 0 | goto loser; |
1610 | 0 | } |
1611 | 0 | PRINT_BUF(50, (ss, "Client sent cookie", |
1612 | 0 | ss->xtnData.cookie.data, ss->xtnData.cookie.len)); |
1613 | 0 |
|
1614 | 0 | rv = tls13_RecoverHashState(ss, ss->xtnData.cookie.data, |
1615 | 0 | ss->xtnData.cookie.len, |
1616 | 0 | &previousCipherSuite, |
1617 | 0 | &previousGroup); |
1618 | 0 | if (rv != SECSuccess) { |
1619 | 0 | FATAL_ERROR(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO, illegal_parameter); |
1620 | 0 | goto loser; |
1621 | 0 | } |
1622 | 0 | } |
1623 | 0 |
|
1624 | 0 | /* Now merge the ClientHello into the hash state. */ |
1625 | 0 | rv = ssl_HashHandshakeMessage(ss, ssl_hs_client_hello, msg, len); |
1626 | 0 | if (rv != SECSuccess) { |
1627 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
1628 | 0 | goto loser; |
1629 | 0 | } |
1630 | 0 |
|
1631 | 0 | /* Now create a synthetic kea_def that we can tweak. */ |
1632 | 0 | ss->ssl3.hs.kea_def_mutable = *ss->ssl3.hs.kea_def; |
1633 | 0 | ss->ssl3.hs.kea_def = &ss->ssl3.hs.kea_def_mutable; |
1634 | 0 |
|
1635 | 0 | /* Note: We call this quite a bit earlier than with TLS 1.2 and |
1636 | 0 | * before. */ |
1637 | 0 | rv = ssl3_ServerCallSNICallback(ss); |
1638 | 0 | if (rv != SECSuccess) { |
1639 | 0 | goto loser; /* An alert has already been sent. */ |
1640 | 0 | } |
1641 | 0 | |
1642 | 0 | /* Check if we could in principle resume. */ |
1643 | 0 | if (ss->statelessResume) { |
1644 | 0 | PORT_Assert(sid); |
1645 | 0 | if (!sid) { |
1646 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
1647 | 0 | return SECFailure; |
1648 | 0 | } |
1649 | 0 | if (!tls13_CanResume(ss, sid)) { |
1650 | 0 | ss->statelessResume = PR_FALSE; |
1651 | 0 | } |
1652 | 0 | } |
1653 | 0 |
|
1654 | 0 | /* Select key exchange. */ |
1655 | 0 | rv = tls13_NegotiateKeyExchange(ss, &requestedGroup, &clientShare); |
1656 | 0 | if (rv != SECSuccess) { |
1657 | 0 | goto loser; |
1658 | 0 | } |
1659 | 0 | /* We should get either one of these, but not both. */ |
1660 | 0 | PORT_Assert((requestedGroup && !clientShare) || |
1661 | 0 | (!requestedGroup && clientShare)); |
1662 | 0 |
|
1663 | 0 | /* After HelloRetryRequest, check consistency of cipher and group. */ |
1664 | 0 | if (ss->ssl3.hs.helloRetry) { |
1665 | 0 | PORT_Assert(previousCipherSuite); |
1666 | 0 | if (ss->ssl3.hs.cipher_suite != previousCipherSuite) { |
1667 | 0 | FATAL_ERROR(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO, |
1668 | 0 | illegal_parameter); |
1669 | 0 | goto loser; |
1670 | 0 | } |
1671 | 0 | if (!clientShare) { |
1672 | 0 | FATAL_ERROR(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO, |
1673 | 0 | illegal_parameter); |
1674 | 0 | goto loser; |
1675 | 0 | } |
1676 | 0 |
|
1677 | 0 | /* If we requested a new key share, check that the client provided just |
1678 | 0 | * one of the right type. */ |
1679 | 0 | if (previousGroup) { |
1680 | 0 | if (PR_PREV_LINK(&ss->xtnData.remoteKeyShares) != |
1681 | 0 | PR_NEXT_LINK(&ss->xtnData.remoteKeyShares)) { |
1682 | 0 | FATAL_ERROR(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO, |
1683 | 0 | illegal_parameter); |
1684 | 0 | goto loser; |
1685 | 0 | } |
1686 | 0 | if (clientShare->group != previousGroup) { |
1687 | 0 | FATAL_ERROR(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO, |
1688 | 0 | illegal_parameter); |
1689 | 0 | goto loser; |
1690 | 0 | } |
1691 | 0 | } |
1692 | 0 | } |
1693 | 0 |
|
1694 | 0 | rv = tls13_MaybeSendHelloRetry(ss, requestedGroup, &hrr); |
1695 | 0 | if (rv != SECSuccess) { |
1696 | 0 | goto loser; |
1697 | 0 | } |
1698 | 0 | if (hrr) { |
1699 | 0 | if (sid) { /* Free the sid. */ |
1700 | 0 | ssl_UncacheSessionID(ss); |
1701 | 0 | ssl_FreeSID(sid); |
1702 | 0 | } |
1703 | 0 | PORT_Assert(ss->ssl3.hs.helloRetry); |
1704 | 0 | return SECSuccess; |
1705 | 0 | } |
1706 | 0 |
|
1707 | 0 | /* Select the authentication (this is also handshake shape). */ |
1708 | 0 | rv = tls13_NegotiateAuthentication(ss); |
1709 | 0 | if (rv != SECSuccess) { |
1710 | 0 | goto loser; |
1711 | 0 | } |
1712 | 0 | |
1713 | 0 | if (ss->statelessResume) { |
1714 | 0 | /* We are now committed to trying to resume. */ |
1715 | 0 | PORT_Assert(sid); |
1716 | 0 |
|
1717 | 0 | /* Check that the negotiated SNI and the cached SNI match. */ |
1718 | 0 | if (SECITEM_CompareItem(&sid->u.ssl3.srvName, |
1719 | 0 | &ss->ssl3.hs.srvVirtName) != SECEqual) { |
1720 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CLIENT_HELLO, |
1721 | 0 | handshake_failure); |
1722 | 0 | goto loser; |
1723 | 0 | } |
1724 | 0 |
|
1725 | 0 | ss->sec.serverCert = ssl_FindServerCert(ss, sid->authType, |
1726 | 0 | sid->namedCurve); |
1727 | 0 | PORT_Assert(ss->sec.serverCert); |
1728 | 0 |
|
1729 | 0 | rv = tls13_RecoverWrappedSharedSecret(ss, sid); |
1730 | 0 | if (rv != SECSuccess) { |
1731 | 0 | SSL_AtomicIncrementLong(&ssl3stats->hch_sid_cache_not_ok); |
1732 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
1733 | 0 | goto loser; |
1734 | 0 | } |
1735 | 0 | tls13_RestoreCipherInfo(ss, sid); |
1736 | 0 |
|
1737 | 0 | ss->sec.localCert = CERT_DupCertificate(ss->sec.serverCert->serverCert); |
1738 | 0 | if (sid->peerCert != NULL) { |
1739 | 0 | ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); |
1740 | 0 | } |
1741 | 0 |
|
1742 | 0 | ssl3_RegisterExtensionSender( |
1743 | 0 | ss, &ss->xtnData, |
1744 | 0 | ssl_tls13_pre_shared_key_xtn, tls13_ServerSendPreSharedKeyXtn); |
1745 | 0 |
|
1746 | 0 | tls13_NegotiateZeroRtt(ss, sid); |
1747 | 0 | } else { |
1748 | 0 | if (sid) { /* we had a sid, but it's no longer valid, free it */ |
1749 | 0 | SSL_AtomicIncrementLong(&ssl3stats->hch_sid_cache_not_ok); |
1750 | 0 | ssl_UncacheSessionID(ss); |
1751 | 0 | ssl_FreeSID(sid); |
1752 | 0 | sid = NULL; |
1753 | 0 | } |
1754 | 0 | tls13_NegotiateZeroRtt(ss, NULL); |
1755 | 0 | } |
1756 | 0 |
|
1757 | 0 | /* Need to compute early secrets. */ |
1758 | 0 | rv = tls13_ComputeEarlySecrets(ss); |
1759 | 0 | if (rv != SECSuccess) { |
1760 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
1761 | 0 | return SECFailure; |
1762 | 0 | } |
1763 | 0 |
|
1764 | 0 | /* Now that we have the binder key check the binder. */ |
1765 | 0 | if (ss->statelessResume) { |
1766 | 0 | SSL3Hashes hashes; |
1767 | 0 |
|
1768 | 0 | PORT_Assert(ss->ssl3.hs.messages.len > ss->xtnData.pskBindersLen); |
1769 | 0 | rv = tls13_ComputePskBinderHash( |
1770 | 0 | ss, |
1771 | 0 | ss->ssl3.hs.messages.len - ss->xtnData.pskBindersLen, |
1772 | 0 | &hashes); |
1773 | 0 | if (rv != SECSuccess) { |
1774 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
1775 | 0 | goto loser; |
1776 | 0 | } |
1777 | 0 |
|
1778 | 0 | rv = tls13_VerifyFinished(ss, ssl_hs_client_hello, |
1779 | 0 | ss->ssl3.hs.pskBinderKey, |
1780 | 0 | ss->xtnData.pskBinder.data, |
1781 | 0 | ss->xtnData.pskBinder.len, |
1782 | 0 | &hashes); |
1783 | 0 | if (rv != SECSuccess) { |
1784 | 0 | goto loser; |
1785 | 0 | } |
1786 | 0 | } |
1787 | 0 | |
1788 | 0 | /* This needs to go after we verify the psk binder. */ |
1789 | 0 | rv = ssl3_InitHandshakeHashes(ss); |
1790 | 0 | if (rv != SECSuccess) { |
1791 | 0 | goto loser; |
1792 | 0 | } |
1793 | 0 | |
1794 | 0 | /* If this is TLS 1.3 we are expecting a ClientKeyShare |
1795 | 0 | * extension. Missing/absent extension cause failure |
1796 | 0 | * below. */ |
1797 | 0 | rv = tls13_HandleClientKeyShare(ss, clientShare); |
1798 | 0 | if (rv != SECSuccess) { |
1799 | 0 | goto loser; /* An alert was sent already. */ |
1800 | 0 | } |
1801 | 0 | |
1802 | 0 | /* From this point we are either committed to resumption, or not. */ |
1803 | 0 | if (ss->statelessResume) { |
1804 | 0 | SSL_AtomicIncrementLong(&ssl3stats->hch_sid_cache_hits); |
1805 | 0 | SSL_AtomicIncrementLong(&ssl3stats->hch_sid_stateless_resumes); |
1806 | 0 | } else { |
1807 | 0 | if (sid) { |
1808 | 0 | /* We had a sid, but it's no longer valid, free it. */ |
1809 | 0 | SSL_AtomicIncrementLong(&ssl3stats->hch_sid_cache_not_ok); |
1810 | 0 | ssl_UncacheSessionID(ss); |
1811 | 0 | ssl_FreeSID(sid); |
1812 | 0 | } else { |
1813 | 0 | SSL_AtomicIncrementLong(&ssl3stats->hch_sid_cache_misses); |
1814 | 0 | } |
1815 | 0 |
|
1816 | 0 | sid = ssl3_NewSessionID(ss, PR_TRUE); |
1817 | 0 | if (!sid) { |
1818 | 0 | FATAL_ERROR(ss, PORT_GetError(), internal_error); |
1819 | 0 | return SECFailure; |
1820 | 0 | } |
1821 | 0 | } |
1822 | 0 | /* Take ownership of the session. */ |
1823 | 0 | ss->sec.ci.sid = sid; |
1824 | 0 | sid = NULL; |
1825 | 0 |
|
1826 | 0 | if (ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted) { |
1827 | 0 | rv = tls13_DeriveEarlySecrets(ss); |
1828 | 0 | if (rv != SECSuccess) { |
1829 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
1830 | 0 | return SECFailure; |
1831 | 0 | } |
1832 | 0 | } |
1833 | 0 |
|
1834 | 0 | ssl_GetXmitBufLock(ss); |
1835 | 0 | rv = tls13_SendServerHelloSequence(ss); |
1836 | 0 | ssl_ReleaseXmitBufLock(ss); |
1837 | 0 | if (rv != SECSuccess) { |
1838 | 0 | FATAL_ERROR(ss, PORT_GetError(), handshake_failure); |
1839 | 0 | return SECFailure; |
1840 | 0 | } |
1841 | 0 |
|
1842 | 0 | return SECSuccess; |
1843 | 0 | |
1844 | 0 | loser: |
1845 | 0 | if (sid) { |
1846 | 0 | ssl_UncacheSessionID(ss); |
1847 | 0 | ssl_FreeSID(sid); |
1848 | 0 | } |
1849 | 0 | return SECFailure; |
1850 | 0 | } |
1851 | | |
1852 | | SECStatus |
1853 | | SSLExp_HelloRetryRequestCallback(PRFileDesc *fd, |
1854 | | SSLHelloRetryRequestCallback cb, void *arg) |
1855 | 0 | { |
1856 | 0 | sslSocket *ss = ssl_FindSocket(fd); |
1857 | 0 | if (!ss) { |
1858 | 0 | return SECFailure; /* Code already set. */ |
1859 | 0 | } |
1860 | 0 | |
1861 | 0 | ss->hrrCallback = cb; |
1862 | 0 | ss->hrrCallbackArg = arg; |
1863 | 0 | return SECSuccess; |
1864 | 0 | } |
1865 | | |
1866 | | /* |
1867 | | * struct { |
1868 | | * ProtocolVersion server_version; |
1869 | | * CipherSuite cipher_suite; |
1870 | | * Extension extensions<2..2^16-1>; |
1871 | | * } HelloRetryRequest; |
1872 | | * |
1873 | | * Note: this function takes an empty buffer and returns |
1874 | | * a non-empty one on success, in which case the caller must |
1875 | | * eventually clean up. |
1876 | | */ |
1877 | | SECStatus |
1878 | | tls13_ConstructHelloRetryRequest(sslSocket *ss, |
1879 | | ssl3CipherSuite cipherSuite, |
1880 | | const sslNamedGroupDef *selectedGroup, |
1881 | | PRUint8 *cookie, unsigned int cookieLen, |
1882 | | sslBuffer *buffer) |
1883 | 0 | { |
1884 | 0 | SECStatus rv; |
1885 | 0 | sslBuffer extensionsBuf = SSL_BUFFER_EMPTY; |
1886 | 0 | PORT_Assert(buffer->len == 0); |
1887 | 0 |
|
1888 | 0 | /* Note: cookie is pointing to a stack variable, so is only valid |
1889 | 0 | * now. */ |
1890 | 0 | ss->xtnData.selectedGroup = selectedGroup; |
1891 | 0 | ss->xtnData.cookie.data = cookie; |
1892 | 0 | ss->xtnData.cookie.len = cookieLen; |
1893 | 0 | rv = ssl_ConstructExtensions(ss, &extensionsBuf, |
1894 | 0 | ssl_hs_hello_retry_request); |
1895 | 0 | if (rv != SECSuccess) { |
1896 | 0 | goto loser; |
1897 | 0 | } |
1898 | 0 | /* These extensions can't be empty. */ |
1899 | 0 | PORT_Assert(SSL_BUFFER_LEN(&extensionsBuf) > 0); |
1900 | 0 |
|
1901 | 0 | /* Clean up cookie so we're not pointing at random memory. */ |
1902 | 0 | ss->xtnData.cookie.data = NULL; |
1903 | 0 | ss->xtnData.cookie.len = 0; |
1904 | 0 |
|
1905 | 0 | rv = ssl_ConstructServerHello(ss, PR_TRUE, &extensionsBuf, buffer); |
1906 | 0 | if (rv != SECSuccess) { |
1907 | 0 | goto loser; |
1908 | 0 | } |
1909 | 0 | sslBuffer_Clear(&extensionsBuf); |
1910 | 0 | return SECSuccess; |
1911 | 0 | |
1912 | 0 | loser: |
1913 | 0 | sslBuffer_Clear(&extensionsBuf); |
1914 | 0 | sslBuffer_Clear(buffer); |
1915 | 0 | return SECFailure; |
1916 | 0 | } |
1917 | | |
1918 | | static SECStatus |
1919 | | tls13_SendHelloRetryRequest(sslSocket *ss, |
1920 | | const sslNamedGroupDef *requestedGroup, |
1921 | | const PRUint8 *appToken, unsigned int appTokenLen) |
1922 | 0 | { |
1923 | 0 | SECStatus rv; |
1924 | 0 | unsigned int cookieLen; |
1925 | 0 | PRUint8 cookie[1024]; |
1926 | 0 | sslBuffer messageBuf = SSL_BUFFER_EMPTY; |
1927 | 0 |
|
1928 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: send hello retry request handshake", |
1929 | 0 | SSL_GETPID(), ss->fd)); |
1930 | 0 |
|
1931 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
1932 | 0 |
|
1933 | 0 | /* Compute the cookie we are going to need. */ |
1934 | 0 | rv = tls13_MakeHrrCookie(ss, requestedGroup, |
1935 | 0 | appToken, appTokenLen, |
1936 | 0 | cookie, &cookieLen, sizeof(cookie)); |
1937 | 0 | if (rv != SECSuccess) { |
1938 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
1939 | 0 | return SECFailure; |
1940 | 0 | } |
1941 | 0 |
|
1942 | 0 | /* Now build the body of the message. */ |
1943 | 0 | rv = tls13_ConstructHelloRetryRequest(ss, ss->ssl3.hs.cipher_suite, |
1944 | 0 | requestedGroup, |
1945 | 0 | cookie, cookieLen, &messageBuf); |
1946 | 0 | if (rv != SECSuccess) { |
1947 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
1948 | 0 | return SECFailure; |
1949 | 0 | } |
1950 | 0 |
|
1951 | 0 | /* And send it. */ |
1952 | 0 | ssl_GetXmitBufLock(ss); |
1953 | 0 | rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_server_hello, |
1954 | 0 | SSL_BUFFER_LEN(&messageBuf)); |
1955 | 0 | if (rv != SECSuccess) { |
1956 | 0 | goto loser; |
1957 | 0 | } |
1958 | 0 | rv = ssl3_AppendBufferToHandshake(ss, &messageBuf); |
1959 | 0 | if (rv != SECSuccess) { |
1960 | 0 | goto loser; |
1961 | 0 | } |
1962 | 0 | sslBuffer_Clear(&messageBuf); /* Done with messageBuf */ |
1963 | 0 |
|
1964 | 0 | if (ss->ssl3.hs.fakeSid.len) { |
1965 | 0 | PRInt32 sent; |
1966 | 0 |
|
1967 | 0 | PORT_Assert(!IS_DTLS(ss)); |
1968 | 0 | rv = ssl3_SendChangeCipherSpecsInt(ss); |
1969 | 0 | if (rv != SECSuccess) { |
1970 | 0 | goto loser; |
1971 | 0 | } |
1972 | 0 | /* ssl3_SendChangeCipherSpecsInt() only flushes to the output buffer, so we |
1973 | 0 | * have to force a send. */ |
1974 | 0 | sent = ssl_SendSavedWriteData(ss); |
1975 | 0 | if (sent < 0 && PORT_GetError() != PR_WOULD_BLOCK_ERROR) { |
1976 | 0 | PORT_SetError(SSL_ERROR_SOCKET_WRITE_FAILURE); |
1977 | 0 | goto loser; |
1978 | 0 | } |
1979 | 0 | } else { |
1980 | 0 | rv = ssl3_FlushHandshake(ss, 0); |
1981 | 0 | if (rv != SECSuccess) { |
1982 | 0 | goto loser; /* error code set by ssl3_FlushHandshake */ |
1983 | 0 | } |
1984 | 0 | } |
1985 | 0 | |
1986 | 0 | /* We depend on this being exactly one record and one message. */ |
1987 | 0 | PORT_Assert(!IS_DTLS(ss) || (ss->ssl3.hs.sendMessageSeq == 1 && |
1988 | 0 | ss->ssl3.cwSpec->nextSeqNum == 1)); |
1989 | 0 | ssl_ReleaseXmitBufLock(ss); |
1990 | 0 |
|
1991 | 0 | ss->ssl3.hs.helloRetry = PR_TRUE; |
1992 | 0 |
|
1993 | 0 | /* We received early data but have to ignore it because we sent a retry. */ |
1994 | 0 | if (ss->ssl3.hs.zeroRttState == ssl_0rtt_sent) { |
1995 | 0 | ss->ssl3.hs.zeroRttState = ssl_0rtt_ignored; |
1996 | 0 | ss->ssl3.hs.zeroRttIgnore = ssl_0rtt_ignore_hrr; |
1997 | 0 | } |
1998 | 0 |
|
1999 | 0 | return SECSuccess; |
2000 | 0 |
|
2001 | 0 | loser: |
2002 | 0 | sslBuffer_Clear(&messageBuf); |
2003 | 0 | ssl_ReleaseXmitBufLock(ss); |
2004 | 0 | return SECFailure; |
2005 | 0 | } |
2006 | | |
2007 | | /* Called from tls13_HandleClientHello. |
2008 | | * |
2009 | | * Caller must hold Handshake and RecvBuf locks. |
2010 | | */ |
2011 | | |
2012 | | static SECStatus |
2013 | | tls13_HandleClientKeyShare(sslSocket *ss, TLS13KeyShareEntry *peerShare) |
2014 | 0 | { |
2015 | 0 | SECStatus rv; |
2016 | 0 | sslEphemeralKeyPair *keyPair; /* ours */ |
2017 | 0 |
|
2018 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: handle client_key_share handshake", |
2019 | 0 | SSL_GETPID(), ss->fd)); |
2020 | 0 |
|
2021 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
2022 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
2023 | 0 | PORT_Assert(peerShare); |
2024 | 0 |
|
2025 | 0 | tls13_SetKeyExchangeType(ss, peerShare->group); |
2026 | 0 |
|
2027 | 0 | /* Generate our key */ |
2028 | 0 | rv = tls13_CreateKeyShare(ss, peerShare->group); |
2029 | 0 | if (rv != SECSuccess) { |
2030 | 0 | return rv; |
2031 | 0 | } |
2032 | 0 | |
2033 | 0 | /* We should have exactly one key share. */ |
2034 | 0 | PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ephemeralKeyPairs)); |
2035 | 0 | PORT_Assert(PR_PREV_LINK(&ss->ephemeralKeyPairs) == |
2036 | 0 | PR_NEXT_LINK(&ss->ephemeralKeyPairs)); |
2037 | 0 |
|
2038 | 0 | keyPair = ((sslEphemeralKeyPair *)PR_NEXT_LINK(&ss->ephemeralKeyPairs)); |
2039 | 0 | ss->sec.keaKeyBits = SECKEY_PublicKeyStrengthInBits(keyPair->keys->pubKey); |
2040 | 0 |
|
2041 | 0 | /* Register the sender */ |
2042 | 0 | rv = ssl3_RegisterExtensionSender(ss, &ss->xtnData, ssl_tls13_key_share_xtn, |
2043 | 0 | tls13_ServerSendKeyShareXtn); |
2044 | 0 | if (rv != SECSuccess) { |
2045 | 0 | return SECFailure; /* Error code set already. */ |
2046 | 0 | } |
2047 | 0 | |
2048 | 0 | rv = tls13_HandleKeyShare(ss, peerShare, keyPair->keys); |
2049 | 0 | return rv; /* Error code set already. */ |
2050 | 0 | } |
2051 | | |
2052 | | /* |
2053 | | * [draft-ietf-tls-tls13-11] Section 6.3.3.2 |
2054 | | * |
2055 | | * opaque DistinguishedName<1..2^16-1>; |
2056 | | * |
2057 | | * struct { |
2058 | | * opaque certificate_extension_oid<1..2^8-1>; |
2059 | | * opaque certificate_extension_values<0..2^16-1>; |
2060 | | * } CertificateExtension; |
2061 | | * |
2062 | | * struct { |
2063 | | * opaque certificate_request_context<0..2^8-1>; |
2064 | | * SignatureAndHashAlgorithm |
2065 | | * supported_signature_algorithms<2..2^16-2>; |
2066 | | * DistinguishedName certificate_authorities<0..2^16-1>; |
2067 | | * CertificateExtension certificate_extensions<0..2^16-1>; |
2068 | | * } CertificateRequest; |
2069 | | */ |
2070 | | static SECStatus |
2071 | | tls13_SendCertificateRequest(sslSocket *ss) |
2072 | 0 | { |
2073 | 0 | SECStatus rv; |
2074 | 0 | sslBuffer extensionBuf = SSL_BUFFER_EMPTY; |
2075 | 0 |
|
2076 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: begin send certificate_request", |
2077 | 0 | SSL_GETPID(), ss->fd)); |
2078 | 0 |
|
2079 | 0 | rv = ssl_ConstructExtensions(ss, &extensionBuf, ssl_hs_certificate_request); |
2080 | 0 | if (rv != SECSuccess) { |
2081 | 0 | return SECFailure; /* Code already set. */ |
2082 | 0 | } |
2083 | 0 | /* We should always have at least one of these. */ |
2084 | 0 | PORT_Assert(SSL_BUFFER_LEN(&extensionBuf) > 0); |
2085 | 0 |
|
2086 | 0 | rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_certificate_request, |
2087 | 0 | 1 + 0 + /* empty request context */ |
2088 | 0 | 2 + /* extension length */ |
2089 | 0 | SSL_BUFFER_LEN(&extensionBuf)); |
2090 | 0 | if (rv != SECSuccess) { |
2091 | 0 | goto loser; /* err set by AppendHandshake. */ |
2092 | 0 | } |
2093 | 0 | |
2094 | 0 | /* Context. */ |
2095 | 0 | rv = ssl3_AppendHandshakeNumber(ss, 0, 1); |
2096 | 0 | if (rv != SECSuccess) { |
2097 | 0 | goto loser; /* err set by AppendHandshake. */ |
2098 | 0 | } |
2099 | 0 | /* Extensions. */ |
2100 | 0 | rv = ssl3_AppendBufferToHandshakeVariable(ss, &extensionBuf, 2); |
2101 | 0 | if (rv != SECSuccess) { |
2102 | 0 | goto loser; /* err set by AppendHandshake. */ |
2103 | 0 | } |
2104 | 0 | |
2105 | 0 | sslBuffer_Clear(&extensionBuf); |
2106 | 0 | return SECSuccess; |
2107 | 0 | |
2108 | 0 | loser: |
2109 | 0 | sslBuffer_Clear(&extensionBuf); |
2110 | 0 | return SECFailure; |
2111 | 0 | } |
2112 | | |
2113 | | /* [draft-ietf-tls-tls13; S 4.4.1] says: |
2114 | | * |
2115 | | * Transcript-Hash(ClientHello1, HelloRetryRequest, ... MN) = |
2116 | | * Hash(message_hash || // Handshake type |
2117 | | * 00 00 Hash.length || // Handshake message length |
2118 | | * Hash(ClientHello1) || // Hash of ClientHello1 |
2119 | | * HelloRetryRequest ... MN) |
2120 | | */ |
2121 | | static SECStatus |
2122 | | tls13_ReinjectHandshakeTranscript(sslSocket *ss) |
2123 | 0 | { |
2124 | 0 | SSL3Hashes hashes; |
2125 | 0 | SECStatus rv; |
2126 | 0 |
|
2127 | 0 | // First compute the hash. |
2128 | 0 | rv = tls13_ComputeHash(ss, &hashes, |
2129 | 0 | ss->ssl3.hs.messages.buf, |
2130 | 0 | ss->ssl3.hs.messages.len); |
2131 | 0 | if (rv != SECSuccess) { |
2132 | 0 | return SECFailure; |
2133 | 0 | } |
2134 | 0 | |
2135 | 0 | // Now re-init the handshake. |
2136 | 0 | ssl3_RestartHandshakeHashes(ss); |
2137 | 0 |
|
2138 | 0 | // And reinject the message. |
2139 | 0 | rv = ssl_HashHandshakeMessage(ss, ssl_hs_message_hash, |
2140 | 0 | hashes.u.raw, hashes.len); |
2141 | 0 | if (rv != SECSuccess) { |
2142 | 0 | return SECFailure; |
2143 | 0 | } |
2144 | 0 | |
2145 | 0 | return SECSuccess; |
2146 | 0 | } |
2147 | | |
2148 | | static unsigned int |
2149 | | ssl_ListCount(PRCList *list) |
2150 | 0 | { |
2151 | 0 | unsigned int c = 0; |
2152 | 0 | PRCList *cur; |
2153 | 0 | for (cur = PR_NEXT_LINK(list); cur != list; cur = PR_NEXT_LINK(cur)) { |
2154 | 0 | ++c; |
2155 | 0 | } |
2156 | 0 | return c; |
2157 | 0 | } |
2158 | | |
2159 | | SECStatus |
2160 | | tls13_HandleHelloRetryRequest(sslSocket *ss, const PRUint8 *savedMsg, |
2161 | | PRUint32 savedLength) |
2162 | 0 | { |
2163 | 0 | SECStatus rv; |
2164 | 0 |
|
2165 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: handle hello retry request", |
2166 | 0 | SSL_GETPID(), ss->fd)); |
2167 | 0 |
|
2168 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
2169 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
2170 | 0 |
|
2171 | 0 | if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3) { |
2172 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_UNEXPECTED_HELLO_RETRY_REQUEST, |
2173 | 0 | unexpected_message); |
2174 | 0 | return SECFailure; |
2175 | 0 | } |
2176 | 0 | PORT_Assert(ss->ssl3.hs.ws == wait_server_hello); |
2177 | 0 |
|
2178 | 0 | if (ss->ssl3.hs.zeroRttState == ssl_0rtt_sent) { |
2179 | 0 | ss->ssl3.hs.zeroRttState = ssl_0rtt_ignored; |
2180 | 0 | /* Restore the null cipher spec for writing. */ |
2181 | 0 | ssl_GetSpecWriteLock(ss); |
2182 | 0 | ssl_CipherSpecRelease(ss->ssl3.cwSpec); |
2183 | 0 | ss->ssl3.cwSpec = ssl_FindCipherSpecByEpoch(ss, CipherSpecWrite, |
2184 | 0 | TrafficKeyClearText); |
2185 | 0 | PORT_Assert(ss->ssl3.cwSpec); |
2186 | 0 | ssl_ReleaseSpecWriteLock(ss); |
2187 | 0 | } else { |
2188 | 0 | PORT_Assert(ss->ssl3.hs.zeroRttState == ssl_0rtt_none); |
2189 | 0 | } |
2190 | 0 | /* Set the spec version, because we want to send CH now with 0303 */ |
2191 | 0 | tls13_SetSpecRecordVersion(ss, ss->ssl3.cwSpec); |
2192 | 0 |
|
2193 | 0 | /* Extensions must contain more than just supported_versions. This will |
2194 | 0 | * ensure that a HelloRetryRequest isn't a no-op: we must have at least two |
2195 | 0 | * extensions, supported_versions plus one other. That other must be one |
2196 | 0 | * that we understand and recognize as being valid for HelloRetryRequest, |
2197 | 0 | * and all the extensions we permit cause us to modify our second |
2198 | 0 | * ClientHello in some meaningful way. */ |
2199 | 0 | if (ssl_ListCount(&ss->ssl3.hs.remoteExtensions) <= 1) { |
2200 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST, |
2201 | 0 | decode_error); |
2202 | 0 | return SECFailure; |
2203 | 0 | } |
2204 | 0 |
|
2205 | 0 | rv = ssl3_HandleParsedExtensions(ss, ssl_hs_hello_retry_request); |
2206 | 0 | ssl3_DestroyRemoteExtensions(&ss->ssl3.hs.remoteExtensions); |
2207 | 0 | if (rv != SECSuccess) { |
2208 | 0 | return SECFailure; /* Error code set below */ |
2209 | 0 | } |
2210 | 0 | |
2211 | 0 | ss->ssl3.hs.helloRetry = PR_TRUE; |
2212 | 0 | rv = tls13_ReinjectHandshakeTranscript(ss); |
2213 | 0 | if (rv != SECSuccess) { |
2214 | 0 | return rv; |
2215 | 0 | } |
2216 | 0 | |
2217 | 0 | rv = ssl_HashHandshakeMessage(ss, ssl_hs_server_hello, |
2218 | 0 | savedMsg, savedLength); |
2219 | 0 | if (rv != SECSuccess) { |
2220 | 0 | return SECFailure; |
2221 | 0 | } |
2222 | 0 | |
2223 | 0 | ssl_GetXmitBufLock(ss); |
2224 | 0 | if (ss->opt.enableTls13CompatMode && !IS_DTLS(ss) && |
2225 | 0 | ss->ssl3.hs.zeroRttState == ssl_0rtt_none) { |
2226 | 0 | rv = ssl3_SendChangeCipherSpecsInt(ss); |
2227 | 0 | if (rv != SECSuccess) { |
2228 | 0 | goto loser; |
2229 | 0 | } |
2230 | 0 | } |
2231 | 0 | |
2232 | 0 | rv = ssl3_SendClientHello(ss, client_hello_retry); |
2233 | 0 | if (rv != SECSuccess) { |
2234 | 0 | goto loser; |
2235 | 0 | } |
2236 | 0 | |
2237 | 0 | ssl_ReleaseXmitBufLock(ss); |
2238 | 0 | return SECSuccess; |
2239 | 0 | |
2240 | 0 | loser: |
2241 | 0 | ssl_ReleaseXmitBufLock(ss); |
2242 | 0 | return SECFailure; |
2243 | 0 | } |
2244 | | |
2245 | | static SECStatus |
2246 | | tls13_HandleCertificateRequest(sslSocket *ss, PRUint8 *b, PRUint32 length) |
2247 | 0 | { |
2248 | 0 | SECStatus rv; |
2249 | 0 | SECItem context = { siBuffer, NULL, 0 }; |
2250 | 0 | SECItem extensionsData = { siBuffer, NULL, 0 }; |
2251 | 0 |
|
2252 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: handle certificate_request sequence", |
2253 | 0 | SSL_GETPID(), ss->fd)); |
2254 | 0 |
|
2255 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
2256 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
2257 | 0 |
|
2258 | 0 | /* Client */ |
2259 | 0 | rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST, |
2260 | 0 | wait_cert_request); |
2261 | 0 | if (rv != SECSuccess) { |
2262 | 0 | return SECFailure; |
2263 | 0 | } |
2264 | 0 | |
2265 | 0 | PORT_Assert(ss->ssl3.clientCertChain == NULL); |
2266 | 0 | PORT_Assert(ss->ssl3.clientCertificate == NULL); |
2267 | 0 | PORT_Assert(ss->ssl3.clientPrivateKey == NULL); |
2268 | 0 | PORT_Assert(!ss->ssl3.hs.clientCertRequested); |
2269 | 0 |
|
2270 | 0 | rv = ssl3_ConsumeHandshakeVariable(ss, &context, 1, &b, &length); |
2271 | 0 | if (rv != SECSuccess) { |
2272 | 0 | return SECFailure; |
2273 | 0 | } |
2274 | 0 | |
2275 | 0 | /* We don't support post-handshake client auth, the certificate request |
2276 | 0 | * context must always be empty. */ |
2277 | 0 | if (context.len > 0) { |
2278 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERT_REQUEST, illegal_parameter); |
2279 | 0 | return SECFailure; |
2280 | 0 | } |
2281 | 0 |
|
2282 | 0 | rv = ssl3_ConsumeHandshakeVariable(ss, &extensionsData, 2, &b, &length); |
2283 | 0 | if (rv != SECSuccess) { |
2284 | 0 | return SECFailure; |
2285 | 0 | } |
2286 | 0 | |
2287 | 0 | if (length) { |
2288 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERT_REQUEST, decode_error); |
2289 | 0 | return SECFailure; |
2290 | 0 | } |
2291 | 0 |
|
2292 | 0 | /* Process all the extensions. */ |
2293 | 0 | rv = ssl3_HandleExtensions(ss, &extensionsData.data, &extensionsData.len, |
2294 | 0 | ssl_hs_certificate_request); |
2295 | 0 | if (rv != SECSuccess) { |
2296 | 0 | return SECFailure; |
2297 | 0 | } |
2298 | 0 | |
2299 | 0 | if (!ss->xtnData.numSigSchemes) { |
2300 | 0 | FATAL_ERROR(ss, SSL_ERROR_MISSING_SIGNATURE_ALGORITHMS_EXTENSION, |
2301 | 0 | missing_extension); |
2302 | 0 | return SECFailure; |
2303 | 0 | } |
2304 | 0 |
|
2305 | 0 | rv = SECITEM_CopyItem(NULL, &ss->xtnData.certReqContext, &context); |
2306 | 0 | if (rv != SECSuccess) { |
2307 | 0 | return SECFailure; |
2308 | 0 | } |
2309 | 0 | |
2310 | 0 | ss->ssl3.hs.clientCertRequested = PR_TRUE; |
2311 | 0 | TLS13_SET_HS_STATE(ss, wait_server_cert); |
2312 | 0 | return SECSuccess; |
2313 | 0 | } |
2314 | | |
2315 | | static PRBool |
2316 | | tls13_CanRequestClientAuth(sslSocket *ss) |
2317 | 0 | { |
2318 | 0 | return ss->opt.requestCertificate && |
2319 | 0 | ss->ssl3.hs.kea_def->authKeyType != ssl_auth_psk; |
2320 | 0 | } |
2321 | | |
2322 | | static SECStatus |
2323 | | tls13_SendEncryptedServerSequence(sslSocket *ss) |
2324 | 0 | { |
2325 | 0 | SECStatus rv; |
2326 | 0 |
|
2327 | 0 | rv = tls13_ComputeHandshakeSecrets(ss); |
2328 | 0 | if (rv != SECSuccess) { |
2329 | 0 | return SECFailure; /* error code is set. */ |
2330 | 0 | } |
2331 | 0 | |
2332 | 0 | rv = tls13_SetCipherSpec(ss, TrafficKeyHandshake, |
2333 | 0 | CipherSpecWrite, PR_FALSE); |
2334 | 0 | if (rv != SECSuccess) { |
2335 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
2336 | 0 | return SECFailure; |
2337 | 0 | } |
2338 | 0 |
|
2339 | 0 | if (ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted) { |
2340 | 0 | rv = ssl3_RegisterExtensionSender(ss, &ss->xtnData, |
2341 | 0 | ssl_tls13_early_data_xtn, |
2342 | 0 | ssl_SendEmptyExtension); |
2343 | 0 | if (rv != SECSuccess) { |
2344 | 0 | return SECFailure; /* Error code set already. */ |
2345 | 0 | } |
2346 | 0 | } |
2347 | 0 | |
2348 | 0 | rv = tls13_SendEncryptedExtensions(ss); |
2349 | 0 | if (rv != SECSuccess) { |
2350 | 0 | return SECFailure; /* error code is set. */ |
2351 | 0 | } |
2352 | 0 | |
2353 | 0 | if (tls13_CanRequestClientAuth(ss)) { |
2354 | 0 | rv = tls13_SendCertificateRequest(ss); |
2355 | 0 | if (rv != SECSuccess) { |
2356 | 0 | return SECFailure; /* error code is set. */ |
2357 | 0 | } |
2358 | 0 | } |
2359 | 0 | if (ss->ssl3.hs.signatureScheme != ssl_sig_none) { |
2360 | 0 | SECKEYPrivateKey *svrPrivKey; |
2361 | 0 |
|
2362 | 0 | rv = tls13_SendCertificate(ss); |
2363 | 0 | if (rv != SECSuccess) { |
2364 | 0 | return SECFailure; /* error code is set. */ |
2365 | 0 | } |
2366 | 0 | |
2367 | 0 | svrPrivKey = ss->sec.serverCert->serverKeyPair->privKey; |
2368 | 0 | rv = tls13_SendCertificateVerify(ss, svrPrivKey); |
2369 | 0 | if (rv != SECSuccess) { |
2370 | 0 | return SECFailure; /* err code is set. */ |
2371 | 0 | } |
2372 | 0 | } |
2373 | 0 | |
2374 | 0 | rv = tls13_SendFinished(ss, ss->ssl3.hs.serverHsTrafficSecret); |
2375 | 0 | if (rv != SECSuccess) { |
2376 | 0 | return SECFailure; /* error code is set. */ |
2377 | 0 | } |
2378 | 0 | |
2379 | 0 | return SECSuccess; |
2380 | 0 | } |
2381 | | |
2382 | | /* Called from: ssl3_HandleClientHello */ |
2383 | | static SECStatus |
2384 | | tls13_SendServerHelloSequence(sslSocket *ss) |
2385 | 0 | { |
2386 | 0 | SECStatus rv; |
2387 | 0 | PRErrorCode err = 0; |
2388 | 0 |
|
2389 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: begin send server_hello sequence", |
2390 | 0 | SSL_GETPID(), ss->fd)); |
2391 | 0 |
|
2392 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
2393 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
2394 | 0 |
|
2395 | 0 | rv = ssl3_RegisterExtensionSender(ss, &ss->xtnData, |
2396 | 0 | ssl_tls13_supported_versions_xtn, |
2397 | 0 | tls13_ServerSendSupportedVersionsXtn); |
2398 | 0 | if (rv != SECSuccess) { |
2399 | 0 | return SECFailure; |
2400 | 0 | } |
2401 | 0 | |
2402 | 0 | rv = ssl3_SendServerHello(ss); |
2403 | 0 | if (rv != SECSuccess) { |
2404 | 0 | return rv; /* err code is set. */ |
2405 | 0 | } |
2406 | 0 | |
2407 | 0 | if (ss->ssl3.hs.fakeSid.len) { |
2408 | 0 | PORT_Assert(!IS_DTLS(ss)); |
2409 | 0 | SECITEM_FreeItem(&ss->ssl3.hs.fakeSid, PR_FALSE); |
2410 | 0 | if (!ss->ssl3.hs.helloRetry) { |
2411 | 0 | rv = ssl3_SendChangeCipherSpecsInt(ss); |
2412 | 0 | if (rv != SECSuccess) { |
2413 | 0 | return rv; |
2414 | 0 | } |
2415 | 0 | } |
2416 | 0 | } |
2417 | 0 | |
2418 | 0 | rv = tls13_SendEncryptedServerSequence(ss); |
2419 | 0 | if (rv != SECSuccess) { |
2420 | 0 | err = PORT_GetError(); |
2421 | 0 | } |
2422 | 0 | /* Even if we get an error, since the ServerHello was successfully |
2423 | 0 | * serialized, we should give it a chance to reach the network. This gives |
2424 | 0 | * the client a chance to perform the key exchange and decrypt the alert |
2425 | 0 | * we're about to send. */ |
2426 | 0 | rv |= ssl3_FlushHandshake(ss, 0); |
2427 | 0 | if (rv != SECSuccess) { |
2428 | 0 | if (err) { |
2429 | 0 | PORT_SetError(err); |
2430 | 0 | } |
2431 | 0 | return SECFailure; |
2432 | 0 | } |
2433 | 0 |
|
2434 | 0 | /* Compute the rest of the secrets except for the resumption |
2435 | 0 | * and exporter secret. */ |
2436 | 0 | rv = tls13_ComputeApplicationSecrets(ss); |
2437 | 0 | if (rv != SECSuccess) { |
2438 | 0 | LOG_ERROR(ss, PORT_GetError()); |
2439 | 0 | return SECFailure; |
2440 | 0 | } |
2441 | 0 |
|
2442 | 0 | rv = tls13_SetCipherSpec(ss, TrafficKeyApplicationData, |
2443 | 0 | CipherSpecWrite, PR_FALSE); |
2444 | 0 | if (rv != SECSuccess) { |
2445 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
2446 | 0 | return SECFailure; |
2447 | 0 | } |
2448 | 0 |
|
2449 | 0 | if (IS_DTLS(ss)) { |
2450 | 0 | /* We need this for reading ACKs. */ |
2451 | 0 | ssl_CipherSpecAddRef(ss->ssl3.crSpec); |
2452 | 0 | } |
2453 | 0 | if (ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted) { |
2454 | 0 | rv = tls13_SetCipherSpec(ss, TrafficKeyEarlyApplicationData, |
2455 | 0 | CipherSpecRead, PR_TRUE); |
2456 | 0 | if (rv != SECSuccess) { |
2457 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
2458 | 0 | return SECFailure; |
2459 | 0 | } |
2460 | 0 | TLS13_SET_HS_STATE(ss, wait_end_of_early_data); |
2461 | 0 | } else { |
2462 | 0 | PORT_Assert(ss->ssl3.hs.zeroRttState == ssl_0rtt_none || |
2463 | 0 | ss->ssl3.hs.zeroRttState == ssl_0rtt_ignored); |
2464 | 0 |
|
2465 | 0 | rv = tls13_SetCipherSpec(ss, |
2466 | 0 | TrafficKeyHandshake, |
2467 | 0 | CipherSpecRead, PR_FALSE); |
2468 | 0 | if (rv != SECSuccess) { |
2469 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
2470 | 0 | return SECFailure; |
2471 | 0 | } |
2472 | 0 | if (tls13_CanRequestClientAuth(ss)) { |
2473 | 0 | TLS13_SET_HS_STATE(ss, wait_client_cert); |
2474 | 0 | } else { |
2475 | 0 | TLS13_SET_HS_STATE(ss, wait_finished); |
2476 | 0 | } |
2477 | 0 | } |
2478 | 0 |
|
2479 | 0 | ss->ssl3.hs.serverHelloTime = ssl_TimeUsec(); |
2480 | 0 | return SECSuccess; |
2481 | 0 | } |
2482 | | |
2483 | | SECStatus |
2484 | | tls13_HandleServerHelloPart2(sslSocket *ss) |
2485 | 0 | { |
2486 | 0 | SECStatus rv; |
2487 | 0 | sslSessionID *sid = ss->sec.ci.sid; |
2488 | 0 | SSL3Statistics *ssl3stats = SSL_GetStatistics(); |
2489 | 0 |
|
2490 | 0 | if (ssl3_ExtensionNegotiated(ss, ssl_tls13_pre_shared_key_xtn)) { |
2491 | 0 | PORT_Assert(ss->statelessResume); |
2492 | 0 | } else { |
2493 | 0 | if (ss->ssl3.hs.currentSecret) { |
2494 | 0 | PORT_Assert(ss->statelessResume); |
2495 | 0 | PK11_FreeSymKey(ss->ssl3.hs.currentSecret); |
2496 | 0 | ss->ssl3.hs.currentSecret = NULL; |
2497 | 0 | } |
2498 | 0 | ss->statelessResume = PR_FALSE; |
2499 | 0 | } |
2500 | 0 |
|
2501 | 0 | if (ss->statelessResume) { |
2502 | 0 | PORT_Assert(sid->version >= SSL_LIBRARY_VERSION_TLS_1_3); |
2503 | 0 | if (tls13_GetHash(ss) != |
2504 | 0 | tls13_GetHashForCipherSuite(sid->u.ssl3.cipherSuite)) { |
2505 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_SERVER_HELLO, |
2506 | 0 | illegal_parameter); |
2507 | 0 | return SECFailure; |
2508 | 0 | } |
2509 | 0 | } |
2510 | 0 |
|
2511 | 0 | /* Now create a synthetic kea_def that we can tweak. */ |
2512 | 0 | ss->ssl3.hs.kea_def_mutable = *ss->ssl3.hs.kea_def; |
2513 | 0 | ss->ssl3.hs.kea_def = &ss->ssl3.hs.kea_def_mutable; |
2514 | 0 |
|
2515 | 0 | if (ss->statelessResume) { |
2516 | 0 | /* PSK */ |
2517 | 0 | ss->ssl3.hs.kea_def_mutable.authKeyType = ssl_auth_psk; |
2518 | 0 | tls13_RestoreCipherInfo(ss, sid); |
2519 | 0 | if (sid->peerCert) { |
2520 | 0 | ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); |
2521 | 0 | } |
2522 | 0 |
|
2523 | 0 | SSL_AtomicIncrementLong(&ssl3stats->hsh_sid_cache_hits); |
2524 | 0 | SSL_AtomicIncrementLong(&ssl3stats->hsh_sid_stateless_resumes); |
2525 | 0 | } else { |
2526 | 0 | /* !PSK */ |
2527 | 0 | if (ssl3_ExtensionAdvertised(ss, ssl_tls13_pre_shared_key_xtn)) { |
2528 | 0 | SSL_AtomicIncrementLong(&ssl3stats->hsh_sid_cache_misses); |
2529 | 0 | } |
2530 | 0 | if (sid->cached == in_client_cache) { |
2531 | 0 | /* If we tried to resume and failed, let's not try again. */ |
2532 | 0 | ssl_UncacheSessionID(ss); |
2533 | 0 | } |
2534 | 0 | } |
2535 | 0 |
|
2536 | 0 | if (!ss->ssl3.hs.currentSecret) { |
2537 | 0 | PORT_Assert(!ss->statelessResume); |
2538 | 0 |
|
2539 | 0 | /* If we don't already have the Early Secret we need to make it |
2540 | 0 | * now. */ |
2541 | 0 | rv = tls13_ComputeEarlySecrets(ss); |
2542 | 0 | if (rv != SECSuccess) { |
2543 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
2544 | 0 | return SECFailure; |
2545 | 0 | } |
2546 | 0 | } |
2547 | 0 |
|
2548 | 0 | /* Discard current SID and make a new one, though it may eventually |
2549 | 0 | * end up looking a lot like the old one. |
2550 | 0 | */ |
2551 | 0 | ssl_FreeSID(sid); |
2552 | 0 | ss->sec.ci.sid = sid = ssl3_NewSessionID(ss, PR_FALSE); |
2553 | 0 | if (sid == NULL) { |
2554 | 0 | FATAL_ERROR(ss, PORT_GetError(), internal_error); |
2555 | 0 | return SECFailure; |
2556 | 0 | } |
2557 | 0 | if (ss->statelessResume) { |
2558 | 0 | PORT_Assert(ss->sec.peerCert); |
2559 | 0 | sid->peerCert = CERT_DupCertificate(ss->sec.peerCert); |
2560 | 0 | } |
2561 | 0 | sid->version = ss->version; |
2562 | 0 |
|
2563 | 0 | rv = tls13_HandleServerKeyShare(ss); |
2564 | 0 | if (rv != SECSuccess) { |
2565 | 0 | return SECFailure; |
2566 | 0 | } |
2567 | 0 | rv = tls13_ComputeHandshakeSecrets(ss); |
2568 | 0 | if (rv != SECSuccess) { |
2569 | 0 | return SECFailure; /* error code is set. */ |
2570 | 0 | } |
2571 | 0 | |
2572 | 0 | if (ss->ssl3.hs.zeroRttState == ssl_0rtt_sent) { |
2573 | 0 | /* When we send 0-RTT, we saved the null spec in case we needed it to |
2574 | 0 | * send another ClientHello in response to a HelloRetryRequest. Now |
2575 | 0 | * that we won't be receiving a HelloRetryRequest, release the spec. */ |
2576 | 0 | ssl_CipherSpecReleaseByEpoch(ss, CipherSpecWrite, TrafficKeyClearText); |
2577 | 0 | } |
2578 | 0 |
|
2579 | 0 | rv = tls13_SetCipherSpec(ss, TrafficKeyHandshake, |
2580 | 0 | CipherSpecRead, PR_FALSE); |
2581 | 0 | if (rv != SECSuccess) { |
2582 | 0 | FATAL_ERROR(ss, SSL_ERROR_INIT_CIPHER_SUITE_FAILURE, internal_error); |
2583 | 0 | return SECFailure; |
2584 | 0 | } |
2585 | 0 | TLS13_SET_HS_STATE(ss, wait_encrypted_extensions); |
2586 | 0 |
|
2587 | 0 | return SECSuccess; |
2588 | 0 | } |
2589 | | |
2590 | | static void |
2591 | | tls13_SetKeyExchangeType(sslSocket *ss, const sslNamedGroupDef *group) |
2592 | 0 | { |
2593 | 0 | ss->sec.keaGroup = group; |
2594 | 0 | switch (group->keaType) { |
2595 | 0 | /* Note: These overwrite on resumption.... so if you start with ECDH |
2596 | 0 | * and resume with DH, we report DH. That's fine, since no answer |
2597 | 0 | * is really right. */ |
2598 | 0 | case ssl_kea_ecdh: |
2599 | 0 | ss->ssl3.hs.kea_def_mutable.exchKeyType = |
2600 | 0 | ss->statelessResume ? ssl_kea_ecdh_psk : ssl_kea_ecdh; |
2601 | 0 | ss->sec.keaType = ssl_kea_ecdh; |
2602 | 0 | break; |
2603 | 0 | case ssl_kea_dh: |
2604 | 0 | ss->ssl3.hs.kea_def_mutable.exchKeyType = |
2605 | 0 | ss->statelessResume ? ssl_kea_dh_psk : ssl_kea_dh; |
2606 | 0 | ss->sec.keaType = ssl_kea_dh; |
2607 | 0 | break; |
2608 | 0 | default: |
2609 | 0 | PORT_Assert(0); |
2610 | 0 | } |
2611 | 0 | } |
2612 | | |
2613 | | /* |
2614 | | * Called from ssl3_HandleServerHello. |
2615 | | * |
2616 | | * Caller must hold Handshake and RecvBuf locks. |
2617 | | */ |
2618 | | static SECStatus |
2619 | | tls13_HandleServerKeyShare(sslSocket *ss) |
2620 | 0 | { |
2621 | 0 | SECStatus rv; |
2622 | 0 | TLS13KeyShareEntry *entry; |
2623 | 0 | sslEphemeralKeyPair *keyPair; |
2624 | 0 |
|
2625 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: handle server_key_share handshake", |
2626 | 0 | SSL_GETPID(), ss->fd)); |
2627 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
2628 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
2629 | 0 |
|
2630 | 0 | /* This list should have one entry. */ |
2631 | 0 | if (PR_CLIST_IS_EMPTY(&ss->xtnData.remoteKeyShares)) { |
2632 | 0 | FATAL_ERROR(ss, SSL_ERROR_MISSING_KEY_SHARE, missing_extension); |
2633 | 0 | return SECFailure; |
2634 | 0 | } |
2635 | 0 |
|
2636 | 0 | entry = (TLS13KeyShareEntry *)PR_NEXT_LINK(&ss->xtnData.remoteKeyShares); |
2637 | 0 | PORT_Assert(PR_NEXT_LINK(&entry->link) == &ss->xtnData.remoteKeyShares); |
2638 | 0 |
|
2639 | 0 | /* Now get our matching key. */ |
2640 | 0 | keyPair = ssl_LookupEphemeralKeyPair(ss, entry->group); |
2641 | 0 | if (!keyPair) { |
2642 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_KEY_SHARE, illegal_parameter); |
2643 | 0 | return SECFailure; |
2644 | 0 | } |
2645 | 0 |
|
2646 | 0 | PORT_Assert(ssl_NamedGroupEnabled(ss, entry->group)); |
2647 | 0 |
|
2648 | 0 | rv = tls13_HandleKeyShare(ss, entry, keyPair->keys); |
2649 | 0 | if (rv != SECSuccess) |
2650 | 0 | return SECFailure; /* Error code set by caller. */ |
2651 | 0 | |
2652 | 0 | tls13_SetKeyExchangeType(ss, entry->group); |
2653 | 0 | ss->sec.keaKeyBits = SECKEY_PublicKeyStrengthInBits(keyPair->keys->pubKey); |
2654 | 0 |
|
2655 | 0 | return SECSuccess; |
2656 | 0 | } |
2657 | | |
2658 | | /* |
2659 | | * opaque ASN1Cert<1..2^24-1>; |
2660 | | * |
2661 | | * struct { |
2662 | | * ASN1Cert cert_data; |
2663 | | * Extension extensions<0..2^16-1>; |
2664 | | * } CertificateEntry; |
2665 | | * |
2666 | | * struct { |
2667 | | * opaque certificate_request_context<0..2^8-1>; |
2668 | | * CertificateEntry certificate_list<0..2^24-1>; |
2669 | | * } Certificate; |
2670 | | */ |
2671 | | static SECStatus |
2672 | | tls13_SendCertificate(sslSocket *ss) |
2673 | 0 | { |
2674 | 0 | SECStatus rv; |
2675 | 0 | CERTCertificateList *certChain; |
2676 | 0 | int certChainLen = 0; |
2677 | 0 | int i; |
2678 | 0 | SECItem context = { siBuffer, NULL, 0 }; |
2679 | 0 | sslBuffer extensionBuf = SSL_BUFFER_EMPTY; |
2680 | 0 |
|
2681 | 0 | SSL_TRC(3, ("%d: TLS1.3[%d]: send certificate handshake", |
2682 | 0 | SSL_GETPID(), ss->fd)); |
2683 | 0 |
|
2684 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
2685 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
2686 | 0 |
|
2687 | 0 | if (ss->sec.isServer) { |
2688 | 0 | PORT_Assert(!ss->sec.localCert); |
2689 | 0 | /* A server certificate is selected in tls13_SelectServerCert(). */ |
2690 | 0 | PORT_Assert(ss->sec.serverCert); |
2691 | 0 |
|
2692 | 0 | certChain = ss->sec.serverCert->serverCertChain; |
2693 | 0 | ss->sec.localCert = CERT_DupCertificate(ss->sec.serverCert->serverCert); |
2694 | 0 | } else { |
2695 | 0 | if (ss->sec.localCert) |
2696 | 0 | CERT_DestroyCertificate(ss->sec.localCert); |
2697 | 0 |
|
2698 | 0 | certChain = ss->ssl3.clientCertChain; |
2699 | 0 | ss->sec.localCert = CERT_DupCertificate(ss->ssl3.clientCertificate); |
2700 | 0 | } |
2701 | 0 |
|
2702 | 0 | if (!ss->sec.isServer) { |
2703 | 0 | PORT_Assert(ss->ssl3.hs.clientCertRequested); |
2704 | 0 | context = ss->xtnData.certReqContext; |
2705 | 0 | } |
2706 | 0 | if (certChain) { |
2707 | 0 | for (i = 0; i < certChain->len; i++) { |
2708 | 0 | /* Each cert is 3 octet length, cert, and extensions */ |
2709 | 0 | certChainLen += 3 + certChain->certs[i].len + 2; |
2710 | 0 | } |
2711 | 0 |
|
2712 | 0 | /* Build the extensions. This only applies to the leaf cert, because we |
2713 | 0 | * don't yet send extensions for non-leaf certs. */ |
2714 | 0 | rv = ssl_ConstructExtensions(ss, &extensionBuf, ssl_hs_certificate); |
2715 | 0 | if (rv != SECSuccess) { |
2716 | 0 | return SECFailure; /* code already set */ |
2717 | 0 | } |
2718 | 0 | /* extensionBuf.len is only added once, for the leaf cert. */ |
2719 | 0 | certChainLen += SSL_BUFFER_LEN(&extensionBuf); |
2720 | 0 | } |
2721 | 0 |
|
2722 | 0 | rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_certificate, |
2723 | 0 | 1 + context.len + 3 + certChainLen); |
2724 | 0 | if (rv != SECSuccess) { |
2725 | 0 | return SECFailure; /* err set by AppendHandshake. */ |
2726 | 0 | } |
2727 | 0 | |
2728 | 0 | rv = ssl3_AppendHandshakeVariable(ss, context.data, |
2729 | 0 | context.len, 1); |
2730 | 0 | if (rv != SECSuccess) { |
2731 | 0 | goto loser; /* err set by AppendHandshake. */ |
2732 | 0 | } |
2733 | 0 | |
2734 | 0 | rv = ssl3_AppendHandshakeNumber(ss, certChainLen, 3); |
2735 | 0 | if (rv != SECSuccess) { |
2736 | 0 | goto loser; /* err set by AppendHandshake. */ |
2737 | 0 | } |
2738 | 0 | if (certChain) { |
2739 | 0 | for (i = 0; i < certChain->len; i++) { |
2740 | 0 | rv = ssl3_AppendHandshakeVariable(ss, certChain->certs[i].data, |
2741 | 0 | certChain->certs[i].len, 3); |
2742 | 0 | if (rv != SECSuccess) { |
2743 | 0 | goto loser; /* err set by AppendHandshake. */ |
2744 | 0 | } |
2745 | 0 | |
2746 | 0 | if (i) { |
2747 | 0 | /* Not end-entity. */ |
2748 | 0 | rv = ssl3_AppendHandshakeNumber(ss, 0, 2); |
2749 | 0 | if (rv != SECSuccess) { |
2750 | 0 | goto loser; /* err set by AppendHandshake. */ |
2751 | 0 | } |
2752 | 0 | continue; |
2753 | 0 | } |
2754 | 0 | |
2755 | 0 | /* End-entity, send extensions. */ |
2756 | 0 | rv = ssl3_AppendBufferToHandshakeVariable(ss, &extensionBuf, 2); |
2757 | 0 | if (rv != SECSuccess) { |
2758 | 0 | goto loser; /* err set by AppendHandshake. */ |
2759 | 0 | } |
2760 | 0 | } |
2761 | 0 | } |
2762 | 0 |
|
2763 | 0 | sslBuffer_Clear(&extensionBuf); |
2764 | 0 | return SECSuccess; |
2765 | 0 | |
2766 | 0 | loser: |
2767 | 0 | sslBuffer_Clear(&extensionBuf); |
2768 | 0 | return SECFailure; |
2769 | 0 | } |
2770 | | |
2771 | | static SECStatus |
2772 | | tls13_HandleCertificateEntry(sslSocket *ss, SECItem *data, PRBool first, |
2773 | | CERTCertificate **certp) |
2774 | 0 | { |
2775 | 0 | SECStatus rv; |
2776 | 0 | SECItem certData; |
2777 | 0 | SECItem extensionsData; |
2778 | 0 | CERTCertificate *cert = NULL; |
2779 | 0 |
|
2780 | 0 | rv = ssl3_ConsumeHandshakeVariable(ss, &certData, |
2781 | 0 | 3, &data->data, &data->len); |
2782 | 0 | if (rv != SECSuccess) { |
2783 | 0 | return SECFailure; |
2784 | 0 | } |
2785 | 0 | |
2786 | 0 | rv = ssl3_ConsumeHandshakeVariable(ss, &extensionsData, |
2787 | 0 | 2, &data->data, &data->len); |
2788 | 0 | if (rv != SECSuccess) { |
2789 | 0 | return SECFailure; |
2790 | 0 | } |
2791 | 0 | |
2792 | 0 | /* Parse all the extensions. */ |
2793 | 0 | if (first && !ss->sec.isServer) { |
2794 | 0 | rv = ssl3_HandleExtensions(ss, &extensionsData.data, |
2795 | 0 | &extensionsData.len, |
2796 | 0 | ssl_hs_certificate); |
2797 | 0 | if (rv != SECSuccess) { |
2798 | 0 | return SECFailure; |
2799 | 0 | } |
2800 | 0 | |
2801 | 0 | /* TODO(ekr@rtfm.com): Copy out SCTs. Bug 1315727. */ |
2802 | 0 | } |
2803 | 0 | |
2804 | 0 | cert = CERT_NewTempCertificate(ss->dbHandle, &certData, NULL, |
2805 | 0 | PR_FALSE, PR_TRUE); |
2806 | 0 |
|
2807 | 0 | if (!cert) { |
2808 | 0 | PRErrorCode errCode = PORT_GetError(); |
2809 | 0 | switch (errCode) { |
2810 | 0 | case PR_OUT_OF_MEMORY_ERROR: |
2811 | 0 | case SEC_ERROR_BAD_DATABASE: |
2812 | 0 | case SEC_ERROR_NO_MEMORY: |
2813 | 0 | FATAL_ERROR(ss, errCode, internal_error); |
2814 | 0 | return SECFailure; |
2815 | 0 | default: |
2816 | 0 | ssl3_SendAlertForCertError(ss, errCode); |
2817 | 0 | return SECFailure; |
2818 | 0 | } |
2819 | 0 | } |
2820 | 0 | |
2821 | 0 | *certp = cert; |
2822 | 0 |
|
2823 | 0 | return SECSuccess; |
2824 | 0 | } |
2825 | | |
2826 | | /* Called from tls13_CompleteHandleHandshakeMessage() when it has deciphered a complete |
2827 | | * tls13 Certificate message. |
2828 | | * Caller must hold Handshake and RecvBuf locks. |
2829 | | */ |
2830 | | static SECStatus |
2831 | | tls13_HandleCertificate(sslSocket *ss, PRUint8 *b, PRUint32 length) |
2832 | 0 | { |
2833 | 0 | SECStatus rv; |
2834 | 0 | SECItem context = { siBuffer, NULL, 0 }; |
2835 | 0 | SECItem certList; |
2836 | 0 | PRBool first = PR_TRUE; |
2837 | 0 | ssl3CertNode *lastCert = NULL; |
2838 | 0 |
|
2839 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: handle certificate handshake", |
2840 | 0 | SSL_GETPID(), ss->fd)); |
2841 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
2842 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
2843 | 0 |
|
2844 | 0 | if (ss->sec.isServer) { |
2845 | 0 | rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERTIFICATE, |
2846 | 0 | wait_client_cert); |
2847 | 0 | } else { |
2848 | 0 | rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERTIFICATE, |
2849 | 0 | wait_cert_request, wait_server_cert); |
2850 | 0 | } |
2851 | 0 | if (rv != SECSuccess) |
2852 | 0 | return SECFailure; |
2853 | 0 | |
2854 | 0 | /* We can ignore any other cleartext from the client. */ |
2855 | 0 | if (ss->sec.isServer && IS_DTLS(ss)) { |
2856 | 0 | ssl_CipherSpecReleaseByEpoch(ss, CipherSpecRead, TrafficKeyClearText); |
2857 | 0 | dtls_ReceivedFirstMessageInFlight(ss); |
2858 | 0 | } |
2859 | 0 | /* Process the context string */ |
2860 | 0 | rv = ssl3_ConsumeHandshakeVariable(ss, &context, 1, &b, &length); |
2861 | 0 | if (rv != SECSuccess) |
2862 | 0 | return SECFailure; |
2863 | 0 | |
2864 | 0 | if (context.len) { |
2865 | 0 | /* The context string MUST be empty */ |
2866 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE, illegal_parameter); |
2867 | 0 | return SECFailure; |
2868 | 0 | } |
2869 | 0 |
|
2870 | 0 | rv = ssl3_ConsumeHandshakeVariable(ss, &certList, 3, &b, &length); |
2871 | 0 | if (rv != SECSuccess) { |
2872 | 0 | return SECFailure; |
2873 | 0 | } |
2874 | 0 | if (length) { |
2875 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE, illegal_parameter); |
2876 | 0 | return SECFailure; |
2877 | 0 | } |
2878 | 0 |
|
2879 | 0 | if (!certList.len) { |
2880 | 0 | if (!ss->sec.isServer) { |
2881 | 0 | /* Servers always need to send some cert. */ |
2882 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE, bad_certificate); |
2883 | 0 | return SECFailure; |
2884 | 0 | } else { |
2885 | 0 | /* This is TLS's version of a no_certificate alert. */ |
2886 | 0 | /* I'm a server. I've requested a client cert. He hasn't got one. */ |
2887 | 0 | rv = ssl3_HandleNoCertificate(ss); |
2888 | 0 | if (rv != SECSuccess) { |
2889 | 0 | return SECFailure; |
2890 | 0 | } |
2891 | 0 | |
2892 | 0 | TLS13_SET_HS_STATE(ss, wait_finished); |
2893 | 0 | return SECSuccess; |
2894 | 0 | } |
2895 | 0 | } |
2896 | 0 |
|
2897 | 0 | /* Now clean up. */ |
2898 | 0 | ssl3_CleanupPeerCerts(ss); |
2899 | 0 | ss->ssl3.peerCertArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
2900 | 0 | if (ss->ssl3.peerCertArena == NULL) { |
2901 | 0 | FATAL_ERROR(ss, SEC_ERROR_NO_MEMORY, internal_error); |
2902 | 0 | return SECFailure; |
2903 | 0 | } |
2904 | 0 |
|
2905 | 0 | while (certList.len) { |
2906 | 0 | CERTCertificate *cert; |
2907 | 0 |
|
2908 | 0 | rv = tls13_HandleCertificateEntry(ss, &certList, first, |
2909 | 0 | &cert); |
2910 | 0 | if (rv != SECSuccess) { |
2911 | 0 | ss->xtnData.signedCertTimestamps.len = 0; |
2912 | 0 | return SECFailure; |
2913 | 0 | } |
2914 | 0 | |
2915 | 0 | if (first) { |
2916 | 0 | ss->sec.peerCert = cert; |
2917 | 0 |
|
2918 | 0 | if (ss->xtnData.signedCertTimestamps.len) { |
2919 | 0 | sslSessionID *sid = ss->sec.ci.sid; |
2920 | 0 | rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.signedCertTimestamps, |
2921 | 0 | &ss->xtnData.signedCertTimestamps); |
2922 | 0 | ss->xtnData.signedCertTimestamps.len = 0; |
2923 | 0 | if (rv != SECSuccess) { |
2924 | 0 | FATAL_ERROR(ss, SEC_ERROR_NO_MEMORY, internal_error); |
2925 | 0 | return SECFailure; |
2926 | 0 | } |
2927 | 0 | } |
2928 | 0 | } else { |
2929 | 0 | ssl3CertNode *c = PORT_ArenaNew(ss->ssl3.peerCertArena, |
2930 | 0 | ssl3CertNode); |
2931 | 0 | if (!c) { |
2932 | 0 | FATAL_ERROR(ss, SEC_ERROR_NO_MEMORY, internal_error); |
2933 | 0 | return SECFailure; |
2934 | 0 | } |
2935 | 0 | c->cert = cert; |
2936 | 0 | c->next = NULL; |
2937 | 0 |
|
2938 | 0 | if (lastCert) { |
2939 | 0 | lastCert->next = c; |
2940 | 0 | } else { |
2941 | 0 | ss->ssl3.peerCertChain = c; |
2942 | 0 | } |
2943 | 0 | lastCert = c; |
2944 | 0 | } |
2945 | 0 |
|
2946 | 0 | first = PR_FALSE; |
2947 | 0 | } |
2948 | 0 | SECKEY_UpdateCertPQG(ss->sec.peerCert); |
2949 | 0 |
|
2950 | 0 | return ssl3_AuthCertificate(ss); /* sets ss->ssl3.hs.ws */ |
2951 | 0 | } |
2952 | | |
2953 | | /* Add context to the hash functions as described in |
2954 | | [draft-ietf-tls-tls13; Section 4.9.1] */ |
2955 | | SECStatus |
2956 | | tls13_AddContextToHashes(sslSocket *ss, const SSL3Hashes *hashes, |
2957 | | SSLHashType algorithm, PRBool sending, |
2958 | | SSL3Hashes *tbsHash) |
2959 | 0 | { |
2960 | 0 | SECStatus rv = SECSuccess; |
2961 | 0 | PK11Context *ctx; |
2962 | 0 | const unsigned char context_padding[] = { |
2963 | 0 | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, |
2964 | 0 | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, |
2965 | 0 | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, |
2966 | 0 | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, |
2967 | 0 | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, |
2968 | 0 | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, |
2969 | 0 | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, |
2970 | 0 | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, |
2971 | 0 | }; |
2972 | 0 |
|
2973 | 0 | const char *client_cert_verify_string = "TLS 1.3, client CertificateVerify"; |
2974 | 0 | const char *server_cert_verify_string = "TLS 1.3, server CertificateVerify"; |
2975 | 0 | const char *context_string = (sending ^ ss->sec.isServer) ? client_cert_verify_string |
2976 | 0 | : server_cert_verify_string; |
2977 | 0 | unsigned int hashlength; |
2978 | 0 |
|
2979 | 0 | /* Double check that we are doing the same hash.*/ |
2980 | 0 | PORT_Assert(hashes->len == tls13_GetHashSize(ss)); |
2981 | 0 |
|
2982 | 0 | ctx = PK11_CreateDigestContext(ssl3_HashTypeToOID(algorithm)); |
2983 | 0 | if (!ctx) { |
2984 | 0 | PORT_SetError(SEC_ERROR_NO_MEMORY); |
2985 | 0 | goto loser; |
2986 | 0 | } |
2987 | 0 |
|
2988 | 0 | PORT_Assert(SECFailure); |
2989 | 0 | PORT_Assert(!SECSuccess); |
2990 | 0 |
|
2991 | 0 | PRINT_BUF(50, (ss, "TLS 1.3 hash without context", hashes->u.raw, hashes->len)); |
2992 | 0 | PRINT_BUF(50, (ss, "Context string", context_string, strlen(context_string))); |
2993 | 0 | rv |= PK11_DigestBegin(ctx); |
2994 | 0 | rv |= PK11_DigestOp(ctx, context_padding, sizeof(context_padding)); |
2995 | 0 | rv |= PK11_DigestOp(ctx, (unsigned char *)context_string, |
2996 | 0 | strlen(context_string) + 1); /* +1 includes the terminating 0 */ |
2997 | 0 | rv |= PK11_DigestOp(ctx, hashes->u.raw, hashes->len); |
2998 | 0 | /* Update the hash in-place */ |
2999 | 0 | rv |= PK11_DigestFinal(ctx, tbsHash->u.raw, &hashlength, sizeof(tbsHash->u.raw)); |
3000 | 0 | PK11_DestroyContext(ctx, PR_TRUE); |
3001 | 0 | PRINT_BUF(50, (ss, "TLS 1.3 hash with context", tbsHash->u.raw, hashlength)); |
3002 | 0 |
|
3003 | 0 | tbsHash->len = hashlength; |
3004 | 0 | tbsHash->hashAlg = algorithm; |
3005 | 0 |
|
3006 | 0 | if (rv) { |
3007 | 0 | ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
3008 | 0 | goto loser; |
3009 | 0 | } |
3010 | 0 | return SECSuccess; |
3011 | 0 | |
3012 | 0 | loser: |
3013 | 0 | return SECFailure; |
3014 | 0 | } |
3015 | | |
3016 | | /* |
3017 | | * Derive-Secret(Secret, Label, Messages) = |
3018 | | * HKDF-Expand-Label(Secret, Label, |
3019 | | * Hash(Messages) + Hash(resumption_context), L)) |
3020 | | */ |
3021 | | SECStatus |
3022 | | tls13_DeriveSecret(sslSocket *ss, PK11SymKey *key, |
3023 | | const char *label, |
3024 | | unsigned int labelLen, |
3025 | | const SSL3Hashes *hashes, |
3026 | | PK11SymKey **dest) |
3027 | 0 | { |
3028 | 0 | SECStatus rv; |
3029 | 0 |
|
3030 | 0 | rv = tls13_HkdfExpandLabel(key, tls13_GetHash(ss), |
3031 | 0 | hashes->u.raw, hashes->len, |
3032 | 0 | label, labelLen, |
3033 | 0 | tls13_GetHkdfMechanism(ss), |
3034 | 0 | tls13_GetHashSize(ss), dest); |
3035 | 0 | if (rv != SECSuccess) { |
3036 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
3037 | 0 | return SECFailure; |
3038 | 0 | } |
3039 | 0 | return SECSuccess; |
3040 | 0 | } |
3041 | | |
3042 | | /* Convenience wrapper for the empty hash. */ |
3043 | | SECStatus |
3044 | | tls13_DeriveSecretNullHash(sslSocket *ss, PK11SymKey *key, |
3045 | | const char *label, |
3046 | | unsigned int labelLen, |
3047 | | PK11SymKey **dest) |
3048 | 0 | { |
3049 | 0 | SSL3Hashes hashes; |
3050 | 0 | SECStatus rv; |
3051 | 0 | PRUint8 buf[] = { 0 }; |
3052 | 0 |
|
3053 | 0 | rv = tls13_ComputeHash(ss, &hashes, buf, 0); |
3054 | 0 | if (rv != SECSuccess) { |
3055 | 0 | return SECFailure; |
3056 | 0 | } |
3057 | 0 | |
3058 | 0 | return tls13_DeriveSecret(ss, key, label, labelLen, &hashes, dest); |
3059 | 0 | } |
3060 | | |
3061 | | /* Convenience wrapper that lets us supply a separate prefix and suffix. */ |
3062 | | static SECStatus |
3063 | | tls13_DeriveSecretWrap(sslSocket *ss, PK11SymKey *key, |
3064 | | const char *prefix, |
3065 | | const char *suffix, |
3066 | | const char *keylogLabel, |
3067 | | PK11SymKey **dest) |
3068 | 0 | { |
3069 | 0 | SECStatus rv; |
3070 | 0 | SSL3Hashes hashes; |
3071 | 0 | char buf[100]; |
3072 | 0 | const char *label; |
3073 | 0 |
|
3074 | 0 | if (prefix) { |
3075 | 0 | if ((strlen(prefix) + strlen(suffix) + 2) > sizeof(buf)) { |
3076 | 0 | PORT_Assert(0); |
3077 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
3078 | 0 | return SECFailure; |
3079 | 0 | } |
3080 | 0 | (void)PR_snprintf(buf, sizeof(buf), "%s %s", |
3081 | 0 | prefix, suffix); |
3082 | 0 | label = buf; |
3083 | 0 | } else { |
3084 | 0 | label = suffix; |
3085 | 0 | } |
3086 | 0 |
|
3087 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: deriving secret '%s'", |
3088 | 0 | SSL_GETPID(), ss->fd, label)); |
3089 | 0 | rv = tls13_ComputeHandshakeHashes(ss, &hashes); |
3090 | 0 | if (rv != SECSuccess) { |
3091 | 0 | PORT_Assert(0); /* Should never fail */ |
3092 | 0 | ssl_MapLowLevelError(SEC_ERROR_LIBRARY_FAILURE); |
3093 | 0 | return SECFailure; |
3094 | 0 | } |
3095 | 0 |
|
3096 | 0 | rv = tls13_DeriveSecret(ss, key, label, strlen(label), |
3097 | 0 | &hashes, dest); |
3098 | 0 | if (rv != SECSuccess) { |
3099 | 0 | return SECFailure; |
3100 | 0 | } |
3101 | 0 | |
3102 | 0 | if (keylogLabel) { |
3103 | 0 | ssl3_RecordKeyLog(ss, keylogLabel, *dest); |
3104 | 0 | } |
3105 | 0 | return SECSuccess; |
3106 | 0 | } |
3107 | | |
3108 | | /* Derive traffic keys for the next cipher spec in the queue. */ |
3109 | | static SECStatus |
3110 | | tls13_DeriveTrafficKeys(sslSocket *ss, ssl3CipherSpec *spec, |
3111 | | TrafficKeyType type, |
3112 | | PRBool deleteSecret) |
3113 | 0 | { |
3114 | 0 | size_t keySize = spec->cipherDef->key_size; |
3115 | 0 | size_t ivSize = spec->cipherDef->iv_size + |
3116 | 0 | spec->cipherDef->explicit_nonce_size; /* This isn't always going to |
3117 | 0 | * work, but it does for |
3118 | 0 | * AES-GCM */ |
3119 | 0 | CK_MECHANISM_TYPE bulkAlgorithm = ssl3_Alg2Mech(spec->cipherDef->calg); |
3120 | 0 | PK11SymKey **prkp = NULL; |
3121 | 0 | PK11SymKey *prk = NULL; |
3122 | 0 | PRBool clientSecret; |
3123 | 0 | SECStatus rv; |
3124 | 0 | /* These labels are just used for debugging. */ |
3125 | 0 | static const char kHkdfPhaseEarlyApplicationDataKeys[] = "early application data"; |
3126 | 0 | static const char kHkdfPhaseHandshakeKeys[] = "handshake data"; |
3127 | 0 | static const char kHkdfPhaseApplicationDataKeys[] = "application data"; |
3128 | 0 |
|
3129 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
3130 | 0 |
|
3131 | 0 | clientSecret = !tls13_UseServerSecret(ss, spec->direction); |
3132 | 0 | switch (type) { |
3133 | 0 | case TrafficKeyEarlyApplicationData: |
3134 | 0 | PORT_Assert(clientSecret); |
3135 | 0 | prkp = &ss->ssl3.hs.clientEarlyTrafficSecret; |
3136 | 0 | spec->phase = kHkdfPhaseEarlyApplicationDataKeys; |
3137 | 0 | break; |
3138 | 0 | case TrafficKeyHandshake: |
3139 | 0 | prkp = clientSecret ? &ss->ssl3.hs.clientHsTrafficSecret |
3140 | 0 | : &ss->ssl3.hs.serverHsTrafficSecret; |
3141 | 0 | spec->phase = kHkdfPhaseHandshakeKeys; |
3142 | 0 | break; |
3143 | 0 | case TrafficKeyApplicationData: |
3144 | 0 | prkp = clientSecret ? &ss->ssl3.hs.clientTrafficSecret |
3145 | 0 | : &ss->ssl3.hs.serverTrafficSecret; |
3146 | 0 | spec->phase = kHkdfPhaseApplicationDataKeys; |
3147 | 0 | break; |
3148 | 0 | default: |
3149 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
3150 | 0 | PORT_Assert(0); |
3151 | 0 | return SECFailure; |
3152 | 0 | } |
3153 | 0 | PORT_Assert(prkp != NULL); |
3154 | 0 | prk = *prkp; |
3155 | 0 |
|
3156 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: deriving %s traffic keys epoch=%d (%s)", |
3157 | 0 | SSL_GETPID(), ss->fd, SPEC_DIR(spec), |
3158 | 0 | spec->epoch, spec->phase)); |
3159 | 0 |
|
3160 | 0 | rv = tls13_HkdfExpandLabel(prk, tls13_GetHash(ss), |
3161 | 0 | NULL, 0, |
3162 | 0 | kHkdfPurposeKey, strlen(kHkdfPurposeKey), |
3163 | 0 | bulkAlgorithm, keySize, |
3164 | 0 | &spec->keyMaterial.key); |
3165 | 0 | if (rv != SECSuccess) { |
3166 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
3167 | 0 | PORT_Assert(0); |
3168 | 0 | goto loser; |
3169 | 0 | } |
3170 | 0 |
|
3171 | 0 | rv = tls13_HkdfExpandLabelRaw(prk, tls13_GetHash(ss), |
3172 | 0 | NULL, 0, |
3173 | 0 | kHkdfPurposeIv, strlen(kHkdfPurposeIv), |
3174 | 0 | spec->keyMaterial.iv, ivSize); |
3175 | 0 | if (rv != SECSuccess) { |
3176 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
3177 | 0 | PORT_Assert(0); |
3178 | 0 | goto loser; |
3179 | 0 | } |
3180 | 0 |
|
3181 | 0 | if (deleteSecret) { |
3182 | 0 | PK11_FreeSymKey(prk); |
3183 | 0 | *prkp = NULL; |
3184 | 0 | } |
3185 | 0 | return SECSuccess; |
3186 | 0 |
|
3187 | 0 | loser: |
3188 | 0 | return SECFailure; |
3189 | 0 | } |
3190 | | |
3191 | | void |
3192 | | tls13_SetSpecRecordVersion(sslSocket *ss, ssl3CipherSpec *spec) |
3193 | 0 | { |
3194 | 0 | /* Set the record version to pretend to be (D)TLS 1.2. */ |
3195 | 0 | if (IS_DTLS(ss)) { |
3196 | 0 | spec->recordVersion = SSL_LIBRARY_VERSION_DTLS_1_2_WIRE; |
3197 | 0 | } else { |
3198 | 0 | spec->recordVersion = SSL_LIBRARY_VERSION_TLS_1_2; |
3199 | 0 | } |
3200 | 0 | SSL_TRC(10, ("%d: TLS13[%d]: set spec=%d record version to 0x%04x", |
3201 | 0 | SSL_GETPID(), ss->fd, spec, spec->recordVersion)); |
3202 | 0 | } |
3203 | | |
3204 | | static SECStatus |
3205 | | tls13_SetupPendingCipherSpec(sslSocket *ss, ssl3CipherSpec *spec) |
3206 | 0 | { |
3207 | 0 | ssl3CipherSuite suite = ss->ssl3.hs.cipher_suite; |
3208 | 0 |
|
3209 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
3210 | 0 | PORT_Assert(spec->epoch); |
3211 | 0 |
|
3212 | 0 | /* Version isn't set when we send 0-RTT data. */ |
3213 | 0 | spec->version = PR_MAX(SSL_LIBRARY_VERSION_TLS_1_3, ss->version); |
3214 | 0 |
|
3215 | 0 | ssl_SaveCipherSpec(ss, spec); |
3216 | 0 | /* We want to keep read cipher specs around longer because |
3217 | 0 | * there are cases where we might get either epoch N or |
3218 | 0 | * epoch N+1. */ |
3219 | 0 | if (IS_DTLS(ss) && spec->direction == CipherSpecRead) { |
3220 | 0 | ssl_CipherSpecAddRef(spec); |
3221 | 0 | } |
3222 | 0 |
|
3223 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: Set Pending Cipher Suite to 0x%04x", |
3224 | 0 | SSL_GETPID(), ss->fd, suite)); |
3225 | 0 |
|
3226 | 0 | spec->cipherDef = ssl_GetBulkCipherDef(ssl_LookupCipherSuiteDef(suite)); |
3227 | 0 | switch (spec->cipherDef->calg) { |
3228 | 0 | case ssl_calg_aes_gcm: |
3229 | 0 | spec->aead = tls13_AESGCM; |
3230 | 0 | break; |
3231 | 0 | case ssl_calg_chacha20: |
3232 | 0 | spec->aead = tls13_ChaCha20Poly1305; |
3233 | 0 | break; |
3234 | 0 | default: |
3235 | 0 | PORT_Assert(0); |
3236 | 0 | return SECFailure; |
3237 | 0 | } |
3238 | 0 |
|
3239 | 0 | if (spec->epoch == TrafficKeyEarlyApplicationData) { |
3240 | 0 | spec->earlyDataRemaining = |
3241 | 0 | ss->sec.ci.sid->u.ssl3.locked.sessionTicket.max_early_data_size; |
3242 | 0 | } |
3243 | 0 |
|
3244 | 0 | tls13_SetSpecRecordVersion(ss, spec); |
3245 | 0 |
|
3246 | 0 | /* The record size limit is reduced by one so that the remainder of the |
3247 | 0 | * record handling code can use the same checks for all versions. */ |
3248 | 0 | if (ssl3_ExtensionNegotiated(ss, ssl_record_size_limit_xtn)) { |
3249 | 0 | spec->recordSizeLimit = ((spec->direction == CipherSpecRead) |
3250 | 0 | ? ss->opt.recordSizeLimit |
3251 | 0 | : ss->xtnData.recordSizeLimit) - |
3252 | 0 | 1; |
3253 | 0 | } else { |
3254 | 0 | spec->recordSizeLimit = MAX_FRAGMENT_LENGTH; |
3255 | 0 | } |
3256 | 0 | return SECSuccess; |
3257 | 0 | } |
3258 | | |
3259 | | /* |
3260 | | * Called before sending alerts to set up the right key on the client. |
3261 | | * We might encounter errors during the handshake where the current |
3262 | | * key is ClearText or EarlyApplicationData. This |
3263 | | * function switches to the Handshake key if possible. |
3264 | | */ |
3265 | | SECStatus |
3266 | | tls13_SetAlertCipherSpec(sslSocket *ss) |
3267 | 0 | { |
3268 | 0 | SECStatus rv; |
3269 | 0 |
|
3270 | 0 | if (ss->sec.isServer) { |
3271 | 0 | return SECSuccess; |
3272 | 0 | } |
3273 | 0 | if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { |
3274 | 0 | return SECSuccess; |
3275 | 0 | } |
3276 | 0 | if (TLS13_IN_HS_STATE(ss, wait_server_hello)) { |
3277 | 0 | return SECSuccess; |
3278 | 0 | } |
3279 | 0 | if ((ss->ssl3.cwSpec->epoch != TrafficKeyClearText) && |
3280 | 0 | (ss->ssl3.cwSpec->epoch != TrafficKeyEarlyApplicationData)) { |
3281 | 0 | return SECSuccess; |
3282 | 0 | } |
3283 | 0 | |
3284 | 0 | rv = tls13_SetCipherSpec(ss, TrafficKeyHandshake, |
3285 | 0 | CipherSpecWrite, PR_FALSE); |
3286 | 0 | if (rv != SECSuccess) { |
3287 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
3288 | 0 | return SECFailure; |
3289 | 0 | } |
3290 | 0 | return SECSuccess; |
3291 | 0 | } |
3292 | | |
3293 | | /* Install a new cipher spec for this direction. |
3294 | | * |
3295 | | * During the handshake, the values for |epoch| take values from the |
3296 | | * TrafficKeyType enum. Afterwards, key update increments them. |
3297 | | */ |
3298 | | static SECStatus |
3299 | | tls13_SetCipherSpec(sslSocket *ss, PRUint16 epoch, |
3300 | | CipherSpecDirection direction, PRBool deleteSecret) |
3301 | 0 | { |
3302 | 0 | TrafficKeyType type; |
3303 | 0 | SECStatus rv; |
3304 | 0 | ssl3CipherSpec *spec = NULL; |
3305 | 0 | ssl3CipherSpec **specp; |
3306 | 0 |
|
3307 | 0 | /* Flush out old handshake data. */ |
3308 | 0 | ssl_GetXmitBufLock(ss); |
3309 | 0 | rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER); |
3310 | 0 | ssl_ReleaseXmitBufLock(ss); |
3311 | 0 | if (rv != SECSuccess) { |
3312 | 0 | return SECFailure; |
3313 | 0 | } |
3314 | 0 | |
3315 | 0 | /* Create the new spec. */ |
3316 | 0 | spec = ssl_CreateCipherSpec(ss, direction); |
3317 | 0 | if (!spec) { |
3318 | 0 | return SECFailure; |
3319 | 0 | } |
3320 | 0 | spec->epoch = epoch; |
3321 | 0 | spec->nextSeqNum = 0; |
3322 | 0 | if (IS_DTLS(ss)) { |
3323 | 0 | dtls_InitRecvdRecords(&spec->recvdRecords); |
3324 | 0 | } |
3325 | 0 |
|
3326 | 0 | /* This depends on spec having a valid direction and epoch. */ |
3327 | 0 | rv = tls13_SetupPendingCipherSpec(ss, spec); |
3328 | 0 | if (rv != SECSuccess) { |
3329 | 0 | goto loser; |
3330 | 0 | } |
3331 | 0 | |
3332 | 0 | type = (TrafficKeyType)PR_MIN(TrafficKeyApplicationData, epoch); |
3333 | 0 | rv = tls13_DeriveTrafficKeys(ss, spec, type, deleteSecret); |
3334 | 0 | if (rv != SECSuccess) { |
3335 | 0 | goto loser; |
3336 | 0 | } |
3337 | 0 | |
3338 | 0 | /* Now that we've set almost everything up, finally cut over. */ |
3339 | 0 | specp = (direction == CipherSpecRead) ? &ss->ssl3.crSpec : &ss->ssl3.cwSpec; |
3340 | 0 | ssl_GetSpecWriteLock(ss); |
3341 | 0 | ssl_CipherSpecRelease(*specp); /* May delete old cipher. */ |
3342 | 0 | *specp = spec; /* Overwrite. */ |
3343 | 0 | ssl_ReleaseSpecWriteLock(ss); |
3344 | 0 |
|
3345 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: %s installed key for epoch=%d (%s) dir=%s", |
3346 | 0 | SSL_GETPID(), ss->fd, SSL_ROLE(ss), spec->epoch, |
3347 | 0 | spec->phase, SPEC_DIR(spec))); |
3348 | 0 |
|
3349 | 0 | if (ss->ssl3.changedCipherSpecFunc) { |
3350 | 0 | ss->ssl3.changedCipherSpecFunc(ss->ssl3.changedCipherSpecArg, |
3351 | 0 | direction == CipherSpecWrite, spec); |
3352 | 0 | } |
3353 | 0 | return SECSuccess; |
3354 | 0 |
|
3355 | 0 | loser: |
3356 | 0 | ssl_CipherSpecRelease(spec); |
3357 | 0 | return SECFailure; |
3358 | 0 | } |
3359 | | |
3360 | | SECStatus |
3361 | | tls13_ComputeHandshakeHashes(sslSocket *ss, SSL3Hashes *hashes) |
3362 | 0 | { |
3363 | 0 | SECStatus rv; |
3364 | 0 | PK11Context *ctx = NULL; |
3365 | 0 |
|
3366 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
3367 | 0 | if (ss->ssl3.hs.hashType == handshake_hash_unknown) { |
3368 | 0 | /* Backup: if we haven't done any hashing, then hash now. |
3369 | 0 | * This happens when we are doing 0-RTT on the client. */ |
3370 | 0 | ctx = PK11_CreateDigestContext(ssl3_HashTypeToOID(tls13_GetHash(ss))); |
3371 | 0 | if (!ctx) { |
3372 | 0 | ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
3373 | 0 | return SECFailure; |
3374 | 0 | } |
3375 | 0 | |
3376 | 0 | if (PK11_DigestBegin(ctx) != SECSuccess) { |
3377 | 0 | ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
3378 | 0 | goto loser; |
3379 | 0 | } |
3380 | 0 | |
3381 | 0 | PRINT_BUF(10, (ss, "Handshake hash computed over saved messages", |
3382 | 0 | ss->ssl3.hs.messages.buf, |
3383 | 0 | ss->ssl3.hs.messages.len)); |
3384 | 0 |
|
3385 | 0 | if (PK11_DigestOp(ctx, |
3386 | 0 | ss->ssl3.hs.messages.buf, |
3387 | 0 | ss->ssl3.hs.messages.len) != SECSuccess) { |
3388 | 0 | ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
3389 | 0 | goto loser; |
3390 | 0 | } |
3391 | 0 | } else { |
3392 | 0 | ctx = PK11_CloneContext(ss->ssl3.hs.sha); |
3393 | 0 | if (!ctx) { |
3394 | 0 | ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
3395 | 0 | return SECFailure; |
3396 | 0 | } |
3397 | 0 | } |
3398 | 0 | |
3399 | 0 | rv = PK11_DigestFinal(ctx, hashes->u.raw, |
3400 | 0 | &hashes->len, |
3401 | 0 | sizeof(hashes->u.raw)); |
3402 | 0 | if (rv != SECSuccess) { |
3403 | 0 | ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
3404 | 0 | goto loser; |
3405 | 0 | } |
3406 | 0 | |
3407 | 0 | PRINT_BUF(10, (ss, "Handshake hash", hashes->u.raw, hashes->len)); |
3408 | 0 | PORT_Assert(hashes->len == tls13_GetHashSize(ss)); |
3409 | 0 | PK11_DestroyContext(ctx, PR_TRUE); |
3410 | 0 |
|
3411 | 0 | return SECSuccess; |
3412 | 0 |
|
3413 | 0 | loser: |
3414 | 0 | PK11_DestroyContext(ctx, PR_TRUE); |
3415 | 0 | return SECFailure; |
3416 | 0 | } |
3417 | | |
3418 | | void |
3419 | | tls13_DestroyKeyShareEntry(TLS13KeyShareEntry *offer) |
3420 | 0 | { |
3421 | 0 | SECITEM_ZfreeItem(&offer->key_exchange, PR_FALSE); |
3422 | 0 | PORT_ZFree(offer, sizeof(*offer)); |
3423 | 0 | } |
3424 | | |
3425 | | void |
3426 | | tls13_DestroyKeyShares(PRCList *list) |
3427 | 0 | { |
3428 | 0 | PRCList *cur_p; |
3429 | 0 |
|
3430 | 0 | /* The list must be initialized. */ |
3431 | 0 | PORT_Assert(PR_LIST_HEAD(list)); |
3432 | 0 |
|
3433 | 0 | while (!PR_CLIST_IS_EMPTY(list)) { |
3434 | 0 | cur_p = PR_LIST_TAIL(list); |
3435 | 0 | PR_REMOVE_LINK(cur_p); |
3436 | 0 | tls13_DestroyKeyShareEntry((TLS13KeyShareEntry *)cur_p); |
3437 | 0 | } |
3438 | 0 | } |
3439 | | |
3440 | | void |
3441 | | tls13_DestroyEarlyData(PRCList *list) |
3442 | 0 | { |
3443 | 0 | PRCList *cur_p; |
3444 | 0 |
|
3445 | 0 | while (!PR_CLIST_IS_EMPTY(list)) { |
3446 | 0 | TLS13EarlyData *msg; |
3447 | 0 |
|
3448 | 0 | cur_p = PR_LIST_TAIL(list); |
3449 | 0 | msg = (TLS13EarlyData *)cur_p; |
3450 | 0 |
|
3451 | 0 | PR_REMOVE_LINK(cur_p); |
3452 | 0 | SECITEM_ZfreeItem(&msg->data, PR_FALSE); |
3453 | 0 | PORT_ZFree(msg, sizeof(*msg)); |
3454 | 0 | } |
3455 | 0 | } |
3456 | | |
3457 | | /* draft-ietf-tls-tls13 Section 5.2.2 specifies the following |
3458 | | * nonce algorithm: |
3459 | | * |
3460 | | * The length of the per-record nonce (iv_length) is set to max(8 bytes, |
3461 | | * N_MIN) for the AEAD algorithm (see [RFC5116] Section 4). An AEAD |
3462 | | * algorithm where N_MAX is less than 8 bytes MUST NOT be used with TLS. |
3463 | | * The per-record nonce for the AEAD construction is formed as follows: |
3464 | | * |
3465 | | * 1. The 64-bit record sequence number is padded to the left with |
3466 | | * zeroes to iv_length. |
3467 | | * |
3468 | | * 2. The padded sequence number is XORed with the static |
3469 | | * client_write_iv or server_write_iv, depending on the role. |
3470 | | * |
3471 | | * The resulting quantity (of length iv_length) is used as the per- |
3472 | | * record nonce. |
3473 | | * |
3474 | | * Existing suites have the same nonce size: N_MIN = N_MAX = 12 bytes |
3475 | | * |
3476 | | * See RFC 5288 and https://tools.ietf.org/html/draft-ietf-tls-chacha20-poly1305-04#section-2 |
3477 | | */ |
3478 | | static void |
3479 | | tls13_WriteNonce(ssl3KeyMaterial *keys, |
3480 | | const unsigned char *seqNumBuf, unsigned int seqNumLen, |
3481 | | unsigned char *nonce, unsigned int nonceLen) |
3482 | 0 | { |
3483 | 0 | size_t i; |
3484 | 0 |
|
3485 | 0 | PORT_Assert(nonceLen == 12); |
3486 | 0 | memcpy(nonce, keys->iv, 12); |
3487 | 0 |
|
3488 | 0 | /* XOR the last 8 bytes of the IV with the sequence number. */ |
3489 | 0 | PORT_Assert(seqNumLen == 8); |
3490 | 0 | for (i = 0; i < 8; ++i) { |
3491 | 0 | nonce[4 + i] ^= seqNumBuf[i]; |
3492 | 0 | } |
3493 | 0 | PRINT_BUF(50, (NULL, "Nonce", nonce, nonceLen)); |
3494 | 0 | } |
3495 | | |
3496 | | /* Implement the SSLAEADCipher interface defined in sslimpl.h. |
3497 | | * |
3498 | | * That interface takes the additional data (see below) and reinterprets that as |
3499 | | * a sequence number. In TLS 1.3 there is no additional data so this value is |
3500 | | * just the encoded sequence number. |
3501 | | */ |
3502 | | static SECStatus |
3503 | | tls13_AEAD(ssl3KeyMaterial *keys, PRBool doDecrypt, |
3504 | | unsigned char *out, int *outlen, int maxout, |
3505 | | const unsigned char *in, int inlen, |
3506 | | CK_MECHANISM_TYPE mechanism, |
3507 | | unsigned char *aeadParams, unsigned int aeadParamLength) |
3508 | 0 | { |
3509 | 0 | SECStatus rv; |
3510 | 0 | unsigned int uOutLen = 0; |
3511 | 0 | SECItem param = { |
3512 | 0 | siBuffer, aeadParams, aeadParamLength |
3513 | 0 | }; |
3514 | 0 |
|
3515 | 0 | if (doDecrypt) { |
3516 | 0 | rv = PK11_Decrypt(keys->key, mechanism, ¶m, |
3517 | 0 | out, &uOutLen, maxout, in, inlen); |
3518 | 0 | } else { |
3519 | 0 | rv = PK11_Encrypt(keys->key, mechanism, ¶m, |
3520 | 0 | out, &uOutLen, maxout, in, inlen); |
3521 | 0 | } |
3522 | 0 | *outlen = (int)uOutLen; |
3523 | 0 |
|
3524 | 0 | return rv; |
3525 | 0 | } |
3526 | | |
3527 | | static SECStatus |
3528 | | tls13_AESGCM(ssl3KeyMaterial *keys, |
3529 | | PRBool doDecrypt, |
3530 | | unsigned char *out, |
3531 | | int *outlen, |
3532 | | int maxout, |
3533 | | const unsigned char *in, |
3534 | | int inlen, |
3535 | | const unsigned char *additionalData, |
3536 | | int additionalDataLen) |
3537 | 0 | { |
3538 | 0 | CK_GCM_PARAMS gcmParams; |
3539 | 0 | unsigned char nonce[12]; |
3540 | 0 |
|
3541 | 0 | PORT_Assert(additionalDataLen > 8); |
3542 | 0 | memset(&gcmParams, 0, sizeof(gcmParams)); |
3543 | 0 | gcmParams.pIv = nonce; |
3544 | 0 | gcmParams.ulIvLen = sizeof(nonce); |
3545 | 0 | gcmParams.pAAD = (PRUint8 *)(additionalData + 8); |
3546 | 0 | gcmParams.ulAADLen = additionalDataLen - 8; |
3547 | 0 | gcmParams.ulTagBits = 128; /* GCM measures tag length in bits. */ |
3548 | 0 |
|
3549 | 0 | tls13_WriteNonce(keys, additionalData, 8, |
3550 | 0 | nonce, sizeof(nonce)); |
3551 | 0 | return tls13_AEAD(keys, doDecrypt, out, outlen, maxout, in, inlen, |
3552 | 0 | CKM_AES_GCM, |
3553 | 0 | (unsigned char *)&gcmParams, sizeof(gcmParams)); |
3554 | 0 | } |
3555 | | |
3556 | | static SECStatus |
3557 | | tls13_ChaCha20Poly1305(ssl3KeyMaterial *keys, PRBool doDecrypt, |
3558 | | unsigned char *out, int *outlen, int maxout, |
3559 | | const unsigned char *in, int inlen, |
3560 | | const unsigned char *additionalData, |
3561 | | int additionalDataLen) |
3562 | 0 | { |
3563 | 0 | CK_NSS_AEAD_PARAMS aeadParams; |
3564 | 0 | unsigned char nonce[12]; |
3565 | 0 |
|
3566 | 0 | PORT_Assert(additionalDataLen > 8); |
3567 | 0 | memset(&aeadParams, 0, sizeof(aeadParams)); |
3568 | 0 | aeadParams.pNonce = nonce; |
3569 | 0 | aeadParams.ulNonceLen = sizeof(nonce); |
3570 | 0 | aeadParams.pAAD = (PRUint8 *)(additionalData + 8); |
3571 | 0 | aeadParams.ulAADLen = additionalDataLen - 8; |
3572 | 0 | aeadParams.ulTagLen = 16; /* The Poly1305 tag is 16 octets. */ |
3573 | 0 |
|
3574 | 0 | tls13_WriteNonce(keys, additionalData, 8, |
3575 | 0 | nonce, sizeof(nonce)); |
3576 | 0 | return tls13_AEAD(keys, doDecrypt, out, outlen, maxout, in, inlen, |
3577 | 0 | CKM_NSS_CHACHA20_POLY1305, |
3578 | 0 | (unsigned char *)&aeadParams, sizeof(aeadParams)); |
3579 | 0 | } |
3580 | | |
3581 | | static SECStatus |
3582 | | tls13_HandleEncryptedExtensions(sslSocket *ss, PRUint8 *b, PRUint32 length) |
3583 | 0 | { |
3584 | 0 | SECStatus rv; |
3585 | 0 | PRUint32 innerLength; |
3586 | 0 | SECItem oldAlpn = { siBuffer, NULL, 0 }; |
3587 | 0 |
|
3588 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
3589 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
3590 | 0 |
|
3591 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: handle encrypted extensions", |
3592 | 0 | SSL_GETPID(), ss->fd)); |
3593 | 0 |
|
3594 | 0 | rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_ENCRYPTED_EXTENSIONS, |
3595 | 0 | wait_encrypted_extensions); |
3596 | 0 | if (rv != SECSuccess) { |
3597 | 0 | return SECFailure; |
3598 | 0 | } |
3599 | 0 | |
3600 | 0 | rv = ssl3_ConsumeHandshakeNumber(ss, &innerLength, 2, &b, &length); |
3601 | 0 | if (rv != SECSuccess) { |
3602 | 0 | return SECFailure; /* Alert already sent. */ |
3603 | 0 | } |
3604 | 0 | if (innerLength != length) { |
3605 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS, |
3606 | 0 | illegal_parameter); |
3607 | 0 | return SECFailure; |
3608 | 0 | } |
3609 | 0 |
|
3610 | 0 | /* If we are doing 0-RTT, then we already have an ALPN value. Stash |
3611 | 0 | * it for comparison. */ |
3612 | 0 | if (ss->ssl3.hs.zeroRttState == ssl_0rtt_sent && |
3613 | 0 | ss->xtnData.nextProtoState == SSL_NEXT_PROTO_EARLY_VALUE) { |
3614 | 0 | oldAlpn = ss->xtnData.nextProto; |
3615 | 0 | ss->xtnData.nextProto.data = NULL; |
3616 | 0 | ss->xtnData.nextProtoState = SSL_NEXT_PROTO_NO_SUPPORT; |
3617 | 0 | } |
3618 | 0 | rv = ssl3_HandleExtensions(ss, &b, &length, ssl_hs_encrypted_extensions); |
3619 | 0 | if (rv != SECSuccess) { |
3620 | 0 | return SECFailure; /* Error code set below */ |
3621 | 0 | } |
3622 | 0 | |
3623 | 0 | /* We can only get here if we offered 0-RTT. */ |
3624 | 0 | if (ssl3_ExtensionNegotiated(ss, ssl_tls13_early_data_xtn)) { |
3625 | 0 | PORT_Assert(ss->ssl3.hs.zeroRttState == ssl_0rtt_sent); |
3626 | 0 | if (!ss->statelessResume) { |
3627 | 0 | /* Illegal to accept 0-RTT without also accepting PSK. */ |
3628 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS, |
3629 | 0 | illegal_parameter); |
3630 | 0 | } |
3631 | 0 | ss->ssl3.hs.zeroRttState = ssl_0rtt_accepted; |
3632 | 0 |
|
3633 | 0 | /* Check that the server negotiated the same ALPN (if any). */ |
3634 | 0 | if (SECITEM_CompareItem(&oldAlpn, &ss->xtnData.nextProto)) { |
3635 | 0 | SECITEM_FreeItem(&oldAlpn, PR_FALSE); |
3636 | 0 | FATAL_ERROR(ss, SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID, |
3637 | 0 | illegal_parameter); |
3638 | 0 | return SECFailure; |
3639 | 0 | } |
3640 | 0 | /* Check that the server negotiated the same cipher suite. */ |
3641 | 0 | if (ss->ssl3.hs.cipher_suite != ss->ssl3.hs.zeroRttSuite) { |
3642 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS, |
3643 | 0 | illegal_parameter); |
3644 | 0 | return SECFailure; |
3645 | 0 | } |
3646 | 0 | } else if (ss->ssl3.hs.zeroRttState == ssl_0rtt_sent) { |
3647 | 0 | /* Though we sent 0-RTT, the early_data extension wasn't present so the |
3648 | 0 | * state is unmodified; the server must have rejected 0-RTT. */ |
3649 | 0 | ss->ssl3.hs.zeroRttState = ssl_0rtt_ignored; |
3650 | 0 | ss->ssl3.hs.zeroRttIgnore = ssl_0rtt_ignore_trial; |
3651 | 0 | } else { |
3652 | 0 | PORT_Assert(ss->ssl3.hs.zeroRttState == ssl_0rtt_none || |
3653 | 0 | (ss->ssl3.hs.helloRetry && |
3654 | 0 | ss->ssl3.hs.zeroRttState == ssl_0rtt_ignored)); |
3655 | 0 | } |
3656 | 0 |
|
3657 | 0 | SECITEM_FreeItem(&oldAlpn, PR_FALSE); |
3658 | 0 | if (ss->ssl3.hs.kea_def->authKeyType == ssl_auth_psk) { |
3659 | 0 | TLS13_SET_HS_STATE(ss, wait_finished); |
3660 | 0 | } else { |
3661 | 0 | TLS13_SET_HS_STATE(ss, wait_cert_request); |
3662 | 0 | } |
3663 | 0 |
|
3664 | 0 | return SECSuccess; |
3665 | 0 | } |
3666 | | |
3667 | | static SECStatus |
3668 | | tls13_SendEncryptedExtensions(sslSocket *ss) |
3669 | 0 | { |
3670 | 0 | sslBuffer extensions = SSL_BUFFER_EMPTY; |
3671 | 0 | SECStatus rv; |
3672 | 0 |
|
3673 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: send encrypted extensions handshake", |
3674 | 0 | SSL_GETPID(), ss->fd)); |
3675 | 0 |
|
3676 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
3677 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
3678 | 0 |
|
3679 | 0 | rv = ssl_ConstructExtensions(ss, &extensions, ssl_hs_encrypted_extensions); |
3680 | 0 | if (rv != SECSuccess) { |
3681 | 0 | return SECFailure; |
3682 | 0 | } |
3683 | 0 | |
3684 | 0 | rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_encrypted_extensions, |
3685 | 0 | SSL_BUFFER_LEN(&extensions) + 2); |
3686 | 0 | if (rv != SECSuccess) { |
3687 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
3688 | 0 | goto loser; |
3689 | 0 | } |
3690 | 0 | rv = ssl3_AppendBufferToHandshakeVariable(ss, &extensions, 2); |
3691 | 0 | if (rv != SECSuccess) { |
3692 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
3693 | 0 | goto loser; |
3694 | 0 | } |
3695 | 0 | sslBuffer_Clear(&extensions); |
3696 | 0 | return SECSuccess; |
3697 | 0 | |
3698 | 0 | loser: |
3699 | 0 | sslBuffer_Clear(&extensions); |
3700 | 0 | return SECFailure; |
3701 | 0 | } |
3702 | | |
3703 | | SECStatus |
3704 | | tls13_SendCertificateVerify(sslSocket *ss, SECKEYPrivateKey *privKey) |
3705 | 0 | { |
3706 | 0 | SECStatus rv = SECFailure; |
3707 | 0 | SECItem buf = { siBuffer, NULL, 0 }; |
3708 | 0 | unsigned int len; |
3709 | 0 | SSLHashType hashAlg; |
3710 | 0 | SSL3Hashes hash; |
3711 | 0 | SSL3Hashes tbsHash; /* The hash "to be signed". */ |
3712 | 0 |
|
3713 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
3714 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
3715 | 0 |
|
3716 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: send certificate_verify handshake", |
3717 | 0 | SSL_GETPID(), ss->fd)); |
3718 | 0 |
|
3719 | 0 | PORT_Assert(ss->ssl3.hs.hashType == handshake_hash_single); |
3720 | 0 | rv = tls13_ComputeHandshakeHashes(ss, &hash); |
3721 | 0 | if (rv != SECSuccess) { |
3722 | 0 | return SECFailure; |
3723 | 0 | } |
3724 | 0 | |
3725 | 0 | /* We should have picked a signature scheme when we received a |
3726 | 0 | * CertificateRequest, or when we picked a server certificate. */ |
3727 | 0 | PORT_Assert(ss->ssl3.hs.signatureScheme != ssl_sig_none); |
3728 | 0 | if (ss->ssl3.hs.signatureScheme == ssl_sig_none) { |
3729 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
3730 | 0 | return SECFailure; |
3731 | 0 | } |
3732 | 0 | hashAlg = ssl_SignatureSchemeToHashType(ss->ssl3.hs.signatureScheme); |
3733 | 0 | rv = tls13_AddContextToHashes(ss, &hash, hashAlg, |
3734 | 0 | PR_TRUE, &tbsHash); |
3735 | 0 | if (rv != SECSuccess) { |
3736 | 0 | return SECFailure; |
3737 | 0 | } |
3738 | 0 | |
3739 | 0 | rv = ssl3_SignHashes(ss, &tbsHash, privKey, &buf); |
3740 | 0 | if (rv == SECSuccess && !ss->sec.isServer) { |
3741 | 0 | /* Remember the info about the slot that did the signing. |
3742 | 0 | * Later, when doing an SSL restart handshake, verify this. |
3743 | 0 | * These calls are mere accessors, and can't fail. |
3744 | 0 | */ |
3745 | 0 | PK11SlotInfo *slot; |
3746 | 0 | sslSessionID *sid = ss->sec.ci.sid; |
3747 | 0 |
|
3748 | 0 | slot = PK11_GetSlotFromPrivateKey(privKey); |
3749 | 0 | sid->u.ssl3.clAuthSeries = PK11_GetSlotSeries(slot); |
3750 | 0 | sid->u.ssl3.clAuthSlotID = PK11_GetSlotID(slot); |
3751 | 0 | sid->u.ssl3.clAuthModuleID = PK11_GetModuleID(slot); |
3752 | 0 | sid->u.ssl3.clAuthValid = PR_TRUE; |
3753 | 0 | PK11_FreeSlot(slot); |
3754 | 0 | } |
3755 | 0 | if (rv != SECSuccess) { |
3756 | 0 | goto done; /* err code was set by ssl3_SignHashes */ |
3757 | 0 | } |
3758 | 0 | |
3759 | 0 | len = buf.len + 2 + 2; |
3760 | 0 |
|
3761 | 0 | rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_certificate_verify, len); |
3762 | 0 | if (rv != SECSuccess) { |
3763 | 0 | goto done; /* error code set by AppendHandshake */ |
3764 | 0 | } |
3765 | 0 | |
3766 | 0 | rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.signatureScheme, 2); |
3767 | 0 | if (rv != SECSuccess) { |
3768 | 0 | goto done; /* err set by AppendHandshakeNumber */ |
3769 | 0 | } |
3770 | 0 | |
3771 | 0 | rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2); |
3772 | 0 | if (rv != SECSuccess) { |
3773 | 0 | goto done; /* error code set by AppendHandshake */ |
3774 | 0 | } |
3775 | 0 | |
3776 | 0 | done: |
3777 | 0 | /* For parity with the allocation functions, which don't use |
3778 | 0 | * SECITEM_AllocItem(). */ |
3779 | 0 | if (buf.data) |
3780 | 0 | PORT_Free(buf.data); |
3781 | 0 | return rv; |
3782 | 0 | } |
3783 | | |
3784 | | /* Called from tls13_CompleteHandleHandshakeMessage() when it has deciphered a complete |
3785 | | * tls13 CertificateVerify message |
3786 | | * Caller must hold Handshake and RecvBuf locks. |
3787 | | */ |
3788 | | SECStatus |
3789 | | tls13_HandleCertificateVerify(sslSocket *ss, PRUint8 *b, PRUint32 length) |
3790 | 0 | { |
3791 | 0 | SECItem signed_hash = { siBuffer, NULL, 0 }; |
3792 | 0 | SECStatus rv; |
3793 | 0 | SSLSignatureScheme sigScheme; |
3794 | 0 | SSLHashType hashAlg; |
3795 | 0 | SSL3Hashes tbsHash; |
3796 | 0 | SSL3Hashes hashes; |
3797 | 0 |
|
3798 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: handle certificate_verify handshake", |
3799 | 0 | SSL_GETPID(), ss->fd)); |
3800 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
3801 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
3802 | 0 |
|
3803 | 0 | rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY, |
3804 | 0 | wait_cert_verify); |
3805 | 0 | if (rv != SECSuccess) { |
3806 | 0 | return SECFailure; |
3807 | 0 | } |
3808 | 0 | |
3809 | 0 | rv = tls13_ComputeHandshakeHashes(ss, &hashes); |
3810 | 0 | if (rv != SECSuccess) { |
3811 | 0 | return SECFailure; |
3812 | 0 | } |
3813 | 0 | |
3814 | 0 | rv = ssl_HashHandshakeMessage(ss, ssl_hs_certificate_verify, b, length); |
3815 | 0 | if (rv != SECSuccess) { |
3816 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
3817 | 0 | return SECFailure; |
3818 | 0 | } |
3819 | 0 |
|
3820 | 0 | rv = ssl_ConsumeSignatureScheme(ss, &b, &length, &sigScheme); |
3821 | 0 | if (rv != SECSuccess) { |
3822 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERT_VERIFY, illegal_parameter); |
3823 | 0 | return SECFailure; |
3824 | 0 | } |
3825 | 0 |
|
3826 | 0 | rv = ssl_CheckSignatureSchemeConsistency(ss, sigScheme, ss->sec.peerCert); |
3827 | 0 | if (rv != SECSuccess) { |
3828 | 0 | /* Error set already */ |
3829 | 0 | FATAL_ERROR(ss, PORT_GetError(), illegal_parameter); |
3830 | 0 | return SECFailure; |
3831 | 0 | } |
3832 | 0 | hashAlg = ssl_SignatureSchemeToHashType(sigScheme); |
3833 | 0 |
|
3834 | 0 | rv = tls13_AddContextToHashes(ss, &hashes, hashAlg, PR_FALSE, &tbsHash); |
3835 | 0 | if (rv != SECSuccess) { |
3836 | 0 | FATAL_ERROR(ss, SSL_ERROR_DIGEST_FAILURE, internal_error); |
3837 | 0 | return SECFailure; |
3838 | 0 | } |
3839 | 0 |
|
3840 | 0 | rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length); |
3841 | 0 | if (rv != SECSuccess) { |
3842 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_CERT_VERIFY); |
3843 | 0 | return SECFailure; |
3844 | 0 | } |
3845 | 0 |
|
3846 | 0 | if (length != 0) { |
3847 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERT_VERIFY, decode_error); |
3848 | 0 | return SECFailure; |
3849 | 0 | } |
3850 | 0 |
|
3851 | 0 | rv = ssl3_VerifySignedHashes(ss, sigScheme, &tbsHash, &signed_hash); |
3852 | 0 | if (rv != SECSuccess) { |
3853 | 0 | FATAL_ERROR(ss, PORT_GetError(), decrypt_error); |
3854 | 0 | return SECFailure; |
3855 | 0 | } |
3856 | 0 |
|
3857 | 0 | /* Set the auth type. */ |
3858 | 0 | if (!ss->sec.isServer) { |
3859 | 0 | ss->sec.authType = ssl_SignatureSchemeToAuthType(sigScheme); |
3860 | 0 | } |
3861 | 0 |
|
3862 | 0 | /* Request a client certificate now if one was requested. */ |
3863 | 0 | if (ss->ssl3.hs.clientCertRequested) { |
3864 | 0 | PORT_Assert(!ss->sec.isServer); |
3865 | 0 | rv = ssl3_CompleteHandleCertificateRequest( |
3866 | 0 | ss, ss->xtnData.sigSchemes, ss->xtnData.numSigSchemes, |
3867 | 0 | &ss->xtnData.certReqAuthorities); |
3868 | 0 | if (rv != SECSuccess) { |
3869 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
3870 | 0 | return rv; |
3871 | 0 | } |
3872 | 0 | } |
3873 | 0 |
|
3874 | 0 | TLS13_SET_HS_STATE(ss, wait_finished); |
3875 | 0 |
|
3876 | 0 | return SECSuccess; |
3877 | 0 | } |
3878 | | |
3879 | | static SECStatus |
3880 | | tls13_ComputePskBinderHash(sslSocket *ss, unsigned int prefixLength, |
3881 | | SSL3Hashes *hashes) |
3882 | 0 | { |
3883 | 0 | SECStatus rv; |
3884 | 0 |
|
3885 | 0 | PORT_Assert(ss->ssl3.hs.hashType == handshake_hash_unknown); |
3886 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
3887 | 0 | PORT_Assert(prefixLength <= ss->ssl3.hs.messages.len); |
3888 | 0 |
|
3889 | 0 | PRINT_BUF(10, (NULL, "Handshake hash computed over ClientHello prefix", |
3890 | 0 | ss->ssl3.hs.messages.buf, prefixLength)); |
3891 | 0 | rv = PK11_HashBuf(ssl3_HashTypeToOID(tls13_GetHash(ss)), |
3892 | 0 | hashes->u.raw, ss->ssl3.hs.messages.buf, prefixLength); |
3893 | 0 | if (rv != SECSuccess) { |
3894 | 0 | ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
3895 | 0 | return SECFailure; |
3896 | 0 | } |
3897 | 0 | |
3898 | 0 | hashes->len = tls13_GetHashSize(ss); |
3899 | 0 | PRINT_BUF(10, (NULL, "PSK Binder hash", hashes->u.raw, hashes->len)); |
3900 | 0 |
|
3901 | 0 | return SECSuccess; |
3902 | 0 | } |
3903 | | |
3904 | | /* Compute and inject the PSK Binder for sending. |
3905 | | * |
3906 | | * When sending a ClientHello, we construct all the extensions with a dummy |
3907 | | * value for the binder. To construct the binder, we commit the entire message |
3908 | | * up to the point where the binders start. Then we calculate the hash using |
3909 | | * the saved message (in ss->ssl3.hs.messages). This is written over the dummy |
3910 | | * binder, after which we write the remainder of the binder extension. */ |
3911 | | SECStatus |
3912 | | tls13_WriteExtensionsWithBinder(sslSocket *ss, sslBuffer *extensions) |
3913 | 0 | { |
3914 | 0 | SSL3Hashes hashes; |
3915 | 0 | SECStatus rv; |
3916 | 0 | unsigned int size = tls13_GetHashSize(ss); |
3917 | 0 | unsigned int prefixLen = extensions->len - size - 3; |
3918 | 0 | unsigned int finishedLen; |
3919 | 0 |
|
3920 | 0 | PORT_Assert(extensions->len >= size + 3); |
3921 | 0 |
|
3922 | 0 | rv = ssl3_AppendHandshakeNumber(ss, extensions->len, 2); |
3923 | 0 | if (rv != SECSuccess) { |
3924 | 0 | return SECFailure; |
3925 | 0 | } |
3926 | 0 | |
3927 | 0 | /* Only write the extension up to the point before the binders. Assume that |
3928 | 0 | * the pre_shared_key extension is at the end of the buffer. Don't write |
3929 | 0 | * the binder, or the lengths that precede it (a 2 octet length for the list |
3930 | 0 | * of all binders, plus a 1 octet length for the binder length). */ |
3931 | 0 | rv = ssl3_AppendHandshake(ss, extensions->buf, prefixLen); |
3932 | 0 | if (rv != SECSuccess) { |
3933 | 0 | return SECFailure; |
3934 | 0 | } |
3935 | 0 | |
3936 | 0 | /* Calculate the binder based on what has been written out. */ |
3937 | 0 | rv = tls13_ComputePskBinderHash(ss, ss->ssl3.hs.messages.len, &hashes); |
3938 | 0 | if (rv != SECSuccess) { |
3939 | 0 | return SECFailure; |
3940 | 0 | } |
3941 | 0 | |
3942 | 0 | /* Write the binder into the extensions buffer, over the zeros we reserved |
3943 | 0 | * previously. This avoids an allocation and means that we don't need a |
3944 | 0 | * separate write for the extra bits that precede the binder. */ |
3945 | 0 | rv = tls13_ComputeFinished(ss, ss->ssl3.hs.pskBinderKey, &hashes, PR_TRUE, |
3946 | 0 | extensions->buf + extensions->len - size, |
3947 | 0 | &finishedLen, size); |
3948 | 0 | if (rv != SECSuccess) { |
3949 | 0 | return SECFailure; |
3950 | 0 | } |
3951 | 0 | PORT_Assert(finishedLen == size); |
3952 | 0 |
|
3953 | 0 | /* Write out the remainder of the extension. */ |
3954 | 0 | rv = ssl3_AppendHandshake(ss, extensions->buf + prefixLen, |
3955 | 0 | extensions->len - prefixLen); |
3956 | 0 | if (rv != SECSuccess) { |
3957 | 0 | return SECFailure; |
3958 | 0 | } |
3959 | 0 | |
3960 | 0 | return SECSuccess; |
3961 | 0 | } |
3962 | | |
3963 | | static SECStatus |
3964 | | tls13_ComputeFinished(sslSocket *ss, PK11SymKey *baseKey, |
3965 | | const SSL3Hashes *hashes, |
3966 | | PRBool sending, PRUint8 *output, unsigned int *outputLen, |
3967 | | unsigned int maxOutputLen) |
3968 | 0 | { |
3969 | 0 | SECStatus rv; |
3970 | 0 | PK11Context *hmacCtx = NULL; |
3971 | 0 | CK_MECHANISM_TYPE macAlg = tls13_GetHmacMechanism(ss); |
3972 | 0 | SECItem param = { siBuffer, NULL, 0 }; |
3973 | 0 | unsigned int outputLenUint; |
3974 | 0 | const char *label = kHkdfLabelFinishedSecret; |
3975 | 0 | PK11SymKey *secret = NULL; |
3976 | 0 |
|
3977 | 0 | PORT_Assert(baseKey); |
3978 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: %s calculate finished", |
3979 | 0 | SSL_GETPID(), ss->fd, SSL_ROLE(ss))); |
3980 | 0 | PRINT_BUF(50, (ss, "Handshake hash", hashes->u.raw, hashes->len)); |
3981 | 0 |
|
3982 | 0 | /* Now derive the appropriate finished secret from the base secret. */ |
3983 | 0 | rv = tls13_HkdfExpandLabel(baseKey, |
3984 | 0 | tls13_GetHash(ss), |
3985 | 0 | NULL, 0, |
3986 | 0 | label, strlen(label), |
3987 | 0 | tls13_GetHmacMechanism(ss), |
3988 | 0 | tls13_GetHashSize(ss), &secret); |
3989 | 0 | if (rv != SECSuccess) { |
3990 | 0 | goto abort; |
3991 | 0 | } |
3992 | 0 | |
3993 | 0 | PORT_Assert(hashes->len == tls13_GetHashSize(ss)); |
3994 | 0 | hmacCtx = PK11_CreateContextBySymKey(macAlg, CKA_SIGN, |
3995 | 0 | secret, ¶m); |
3996 | 0 | if (!hmacCtx) { |
3997 | 0 | goto abort; |
3998 | 0 | } |
3999 | 0 | |
4000 | 0 | rv = PK11_DigestBegin(hmacCtx); |
4001 | 0 | if (rv != SECSuccess) |
4002 | 0 | goto abort; |
4003 | 0 | |
4004 | 0 | rv = PK11_DigestOp(hmacCtx, hashes->u.raw, hashes->len); |
4005 | 0 | if (rv != SECSuccess) |
4006 | 0 | goto abort; |
4007 | 0 | |
4008 | 0 | PORT_Assert(maxOutputLen >= tls13_GetHashSize(ss)); |
4009 | 0 | rv = PK11_DigestFinal(hmacCtx, output, &outputLenUint, maxOutputLen); |
4010 | 0 | if (rv != SECSuccess) |
4011 | 0 | goto abort; |
4012 | 0 | *outputLen = outputLenUint; |
4013 | 0 |
|
4014 | 0 | PK11_FreeSymKey(secret); |
4015 | 0 | PK11_DestroyContext(hmacCtx, PR_TRUE); |
4016 | 0 | PRINT_BUF(50, (ss, "finished value", output, outputLenUint)); |
4017 | 0 | return SECSuccess; |
4018 | 0 |
|
4019 | 0 | abort: |
4020 | 0 | if (secret) { |
4021 | 0 | PK11_FreeSymKey(secret); |
4022 | 0 | } |
4023 | 0 |
|
4024 | 0 | if (hmacCtx) { |
4025 | 0 | PK11_DestroyContext(hmacCtx, PR_TRUE); |
4026 | 0 | } |
4027 | 0 |
|
4028 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
4029 | 0 | return SECFailure; |
4030 | 0 | } |
4031 | | |
4032 | | static SECStatus |
4033 | | tls13_SendFinished(sslSocket *ss, PK11SymKey *baseKey) |
4034 | 0 | { |
4035 | 0 | SECStatus rv; |
4036 | 0 | PRUint8 finishedBuf[TLS13_MAX_FINISHED_SIZE]; |
4037 | 0 | unsigned int finishedLen; |
4038 | 0 | SSL3Hashes hashes; |
4039 | 0 |
|
4040 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: send finished handshake", SSL_GETPID(), ss->fd)); |
4041 | 0 |
|
4042 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
4043 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
4044 | 0 |
|
4045 | 0 | rv = tls13_ComputeHandshakeHashes(ss, &hashes); |
4046 | 0 | if (rv != SECSuccess) { |
4047 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
4048 | 0 | return SECFailure; |
4049 | 0 | } |
4050 | 0 |
|
4051 | 0 | ssl_GetSpecReadLock(ss); |
4052 | 0 | rv = tls13_ComputeFinished(ss, baseKey, &hashes, PR_TRUE, |
4053 | 0 | finishedBuf, &finishedLen, sizeof(finishedBuf)); |
4054 | 0 | ssl_ReleaseSpecReadLock(ss); |
4055 | 0 | if (rv != SECSuccess) { |
4056 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
4057 | 0 | return SECFailure; |
4058 | 0 | } |
4059 | 0 |
|
4060 | 0 | rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_finished, finishedLen); |
4061 | 0 | if (rv != SECSuccess) { |
4062 | 0 | return SECFailure; /* Error code already set. */ |
4063 | 0 | } |
4064 | 0 | |
4065 | 0 | rv = ssl3_AppendHandshake(ss, finishedBuf, finishedLen); |
4066 | 0 | if (rv != SECSuccess) { |
4067 | 0 | return SECFailure; /* Error code already set. */ |
4068 | 0 | } |
4069 | 0 | |
4070 | 0 | /* TODO(ekr@rtfm.com): Record key log */ |
4071 | 0 | return SECSuccess; |
4072 | 0 | } |
4073 | | |
4074 | | static SECStatus |
4075 | | tls13_VerifyFinished(sslSocket *ss, SSLHandshakeType message, |
4076 | | PK11SymKey *secret, |
4077 | | PRUint8 *b, PRUint32 length, |
4078 | | const SSL3Hashes *hashes) |
4079 | 0 | { |
4080 | 0 | SECStatus rv; |
4081 | 0 | PRUint8 finishedBuf[TLS13_MAX_FINISHED_SIZE]; |
4082 | 0 | unsigned int finishedLen; |
4083 | 0 |
|
4084 | 0 | if (!hashes) { |
4085 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
4086 | 0 | return SECFailure; |
4087 | 0 | } |
4088 | 0 |
|
4089 | 0 | rv = tls13_ComputeFinished(ss, secret, hashes, PR_FALSE, |
4090 | 0 | finishedBuf, &finishedLen, sizeof(finishedBuf)); |
4091 | 0 | if (rv != SECSuccess) { |
4092 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
4093 | 0 | return SECFailure; |
4094 | 0 | } |
4095 | 0 |
|
4096 | 0 | if (length != finishedLen) { |
4097 | 0 | #ifndef UNSAFE_FUZZER_MODE |
4098 | 0 | FATAL_ERROR(ss, message == ssl_hs_finished ? SSL_ERROR_RX_MALFORMED_FINISHED : SSL_ERROR_RX_MALFORMED_CLIENT_HELLO, illegal_parameter); |
4099 | 0 | return SECFailure; |
4100 | 0 | #endif |
4101 | 0 | } |
4102 | 0 |
|
4103 | 0 | if (NSS_SecureMemcmp(b, finishedBuf, finishedLen) != 0) { |
4104 | 0 | #ifndef UNSAFE_FUZZER_MODE |
4105 | 0 | FATAL_ERROR(ss, SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE, |
4106 | 0 | decrypt_error); |
4107 | 0 | return SECFailure; |
4108 | 0 | #endif |
4109 | 0 | } |
4110 | 0 |
|
4111 | 0 | return SECSuccess; |
4112 | 0 | } |
4113 | | |
4114 | | static SECStatus |
4115 | | tls13_CommonHandleFinished(sslSocket *ss, PK11SymKey *key, |
4116 | | PRUint8 *b, PRUint32 length) |
4117 | 0 | { |
4118 | 0 | SECStatus rv; |
4119 | 0 | SSL3Hashes hashes; |
4120 | 0 |
|
4121 | 0 | rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_FINISHED, |
4122 | 0 | wait_finished); |
4123 | 0 | if (rv != SECSuccess) { |
4124 | 0 | return SECFailure; |
4125 | 0 | } |
4126 | 0 | ss->ssl3.hs.endOfFlight = PR_TRUE; |
4127 | 0 |
|
4128 | 0 | rv = tls13_ComputeHandshakeHashes(ss, &hashes); |
4129 | 0 | if (rv != SECSuccess) { |
4130 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
4131 | 0 | return SECFailure; |
4132 | 0 | } |
4133 | 0 |
|
4134 | 0 | rv = ssl_HashHandshakeMessage(ss, ssl_hs_finished, b, length); |
4135 | 0 | if (rv != SECSuccess) { |
4136 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
4137 | 0 | return SECFailure; |
4138 | 0 | } |
4139 | 0 |
|
4140 | 0 | return tls13_VerifyFinished(ss, ssl_hs_finished, |
4141 | 0 | key, b, length, &hashes); |
4142 | 0 | } |
4143 | | |
4144 | | static SECStatus |
4145 | | tls13_ClientHandleFinished(sslSocket *ss, PRUint8 *b, PRUint32 length) |
4146 | 0 | { |
4147 | 0 | SECStatus rv; |
4148 | 0 |
|
4149 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
4150 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
4151 | 0 |
|
4152 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: client handle finished handshake", |
4153 | 0 | SSL_GETPID(), ss->fd)); |
4154 | 0 |
|
4155 | 0 | rv = tls13_CommonHandleFinished(ss, ss->ssl3.hs.serverHsTrafficSecret, |
4156 | 0 | b, length); |
4157 | 0 | if (rv != SECSuccess) { |
4158 | 0 | return SECFailure; |
4159 | 0 | } |
4160 | 0 | |
4161 | 0 | return tls13_SendClientSecondRound(ss); |
4162 | 0 | } |
4163 | | |
4164 | | static SECStatus |
4165 | | tls13_ServerHandleFinished(sslSocket *ss, PRUint8 *b, PRUint32 length) |
4166 | 0 | { |
4167 | 0 | SECStatus rv; |
4168 | 0 |
|
4169 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
4170 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
4171 | 0 |
|
4172 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: server handle finished handshake", |
4173 | 0 | SSL_GETPID(), ss->fd)); |
4174 | 0 |
|
4175 | 0 | rv = tls13_CommonHandleFinished(ss, ss->ssl3.hs.clientHsTrafficSecret, |
4176 | 0 | b, length); |
4177 | 0 | if (rv != SECSuccess) { |
4178 | 0 | return SECFailure; |
4179 | 0 | } |
4180 | 0 | |
4181 | 0 | if (!tls13_CanRequestClientAuth(ss) && |
4182 | 0 | (ss->ssl3.hs.zeroRttState != ssl_0rtt_done)) { |
4183 | 0 | dtls_ReceivedFirstMessageInFlight(ss); |
4184 | 0 | } |
4185 | 0 |
|
4186 | 0 | rv = tls13_SetCipherSpec(ss, TrafficKeyApplicationData, |
4187 | 0 | CipherSpecRead, PR_FALSE); |
4188 | 0 | if (rv != SECSuccess) { |
4189 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
4190 | 0 | return SECFailure; |
4191 | 0 | } |
4192 | 0 |
|
4193 | 0 | if (IS_DTLS(ss)) { |
4194 | 0 | ssl_CipherSpecReleaseByEpoch(ss, CipherSpecRead, TrafficKeyClearText); |
4195 | 0 | /* We need to keep the handshake cipher spec so we can |
4196 | 0 | * read re-transmitted client Finished. */ |
4197 | 0 | rv = dtls_StartTimer(ss, ss->ssl3.hs.hdTimer, |
4198 | 0 | DTLS_RETRANSMIT_FINISHED_MS, |
4199 | 0 | dtls13_HolddownTimerCb); |
4200 | 0 | if (rv != SECSuccess) { |
4201 | 0 | return SECFailure; |
4202 | 0 | } |
4203 | 0 | } |
4204 | 0 | |
4205 | 0 | rv = tls13_ComputeFinalSecrets(ss); |
4206 | 0 | if (rv != SECSuccess) { |
4207 | 0 | return SECFailure; |
4208 | 0 | } |
4209 | 0 | |
4210 | 0 | ssl_GetXmitBufLock(ss); |
4211 | 0 | if (ss->opt.enableSessionTickets) { |
4212 | 0 | rv = tls13_SendNewSessionTicket(ss, NULL, 0); |
4213 | 0 | if (rv != SECSuccess) { |
4214 | 0 | goto loser; |
4215 | 0 | } |
4216 | 0 | rv = ssl3_FlushHandshake(ss, 0); |
4217 | 0 | if (rv != SECSuccess) { |
4218 | 0 | goto loser; |
4219 | 0 | } |
4220 | 0 | } |
4221 | 0 | ssl_ReleaseXmitBufLock(ss); |
4222 | 0 |
|
4223 | 0 | return tls13_FinishHandshake(ss); |
4224 | 0 | |
4225 | 0 | loser: |
4226 | 0 | ssl_ReleaseXmitBufLock(ss); |
4227 | 0 | return SECFailure; |
4228 | 0 | } |
4229 | | |
4230 | | static SECStatus |
4231 | | tls13_FinishHandshake(sslSocket *ss) |
4232 | 0 | { |
4233 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
4234 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
4235 | 0 | PORT_Assert(ss->ssl3.hs.restartTarget == NULL); |
4236 | 0 |
|
4237 | 0 | /* The first handshake is now completed. */ |
4238 | 0 | ss->handshake = NULL; |
4239 | 0 |
|
4240 | 0 | /* Don't need this. */ |
4241 | 0 | PK11_FreeSymKey(ss->ssl3.hs.clientHsTrafficSecret); |
4242 | 0 | ss->ssl3.hs.clientHsTrafficSecret = NULL; |
4243 | 0 | PK11_FreeSymKey(ss->ssl3.hs.serverHsTrafficSecret); |
4244 | 0 | ss->ssl3.hs.serverHsTrafficSecret = NULL; |
4245 | 0 |
|
4246 | 0 | TLS13_SET_HS_STATE(ss, idle_handshake); |
4247 | 0 |
|
4248 | 0 | ssl_FinishHandshake(ss); |
4249 | 0 |
|
4250 | 0 | return SECSuccess; |
4251 | 0 | } |
4252 | | |
4253 | | /* Do the parts of sending the client's second round that require |
4254 | | * the XmitBuf lock. */ |
4255 | | static SECStatus |
4256 | | tls13_SendClientSecondFlight(sslSocket *ss, PRBool sendClientCert, |
4257 | | SSL3AlertDescription *sendAlert) |
4258 | 0 | { |
4259 | 0 | SECStatus rv; |
4260 | 0 |
|
4261 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
4262 | 0 |
|
4263 | 0 | *sendAlert = internal_error; |
4264 | 0 |
|
4265 | 0 | if (ss->ssl3.sendEmptyCert) { |
4266 | 0 | ss->ssl3.sendEmptyCert = PR_FALSE; |
4267 | 0 | rv = ssl3_SendEmptyCertificate(ss); |
4268 | 0 | /* Don't send verify */ |
4269 | 0 | if (rv != SECSuccess) { |
4270 | 0 | return SECFailure; /* error code is set. */ |
4271 | 0 | } |
4272 | 0 | } else if (sendClientCert) { |
4273 | 0 | rv = tls13_SendCertificate(ss); |
4274 | 0 | if (rv != SECSuccess) { |
4275 | 0 | return SECFailure; /* error code is set. */ |
4276 | 0 | } |
4277 | 0 | } |
4278 | 0 | if (ss->ssl3.hs.clientCertRequested) { |
4279 | 0 | SECITEM_FreeItem(&ss->xtnData.certReqContext, PR_FALSE); |
4280 | 0 | if (ss->xtnData.certReqAuthorities.arena) { |
4281 | 0 | PORT_FreeArena(ss->xtnData.certReqAuthorities.arena, PR_FALSE); |
4282 | 0 | ss->xtnData.certReqAuthorities.arena = NULL; |
4283 | 0 | } |
4284 | 0 | PORT_Memset(&ss->xtnData.certReqAuthorities, 0, |
4285 | 0 | sizeof(ss->xtnData.certReqAuthorities)); |
4286 | 0 | ss->ssl3.hs.clientCertRequested = PR_FALSE; |
4287 | 0 | } |
4288 | 0 |
|
4289 | 0 | if (sendClientCert) { |
4290 | 0 | rv = tls13_SendCertificateVerify(ss, ss->ssl3.clientPrivateKey); |
4291 | 0 | SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
4292 | 0 | ss->ssl3.clientPrivateKey = NULL; |
4293 | 0 | if (rv != SECSuccess) { |
4294 | 0 | return SECFailure; /* err is set. */ |
4295 | 0 | } |
4296 | 0 | } |
4297 | 0 | |
4298 | 0 | rv = tls13_SendFinished(ss, ss->ssl3.hs.clientHsTrafficSecret); |
4299 | 0 | if (rv != SECSuccess) { |
4300 | 0 | return SECFailure; /* err code was set. */ |
4301 | 0 | } |
4302 | 0 | rv = ssl3_FlushHandshake(ss, 0); |
4303 | 0 | if (rv != SECSuccess) { |
4304 | 0 | /* No point in sending an alert here because we're not going to |
4305 | 0 | * be able to send it if we couldn't flush the handshake. */ |
4306 | 0 | *sendAlert = no_alert; |
4307 | 0 | return SECFailure; |
4308 | 0 | } |
4309 | 0 | |
4310 | 0 | return SECSuccess; |
4311 | 0 | } |
4312 | | |
4313 | | static SECStatus |
4314 | | tls13_SendClientSecondRound(sslSocket *ss) |
4315 | 0 | { |
4316 | 0 | SECStatus rv; |
4317 | 0 | PRBool sendClientCert; |
4318 | 0 | SSL3AlertDescription sendAlert = no_alert; |
4319 | 0 |
|
4320 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
4321 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
4322 | 0 |
|
4323 | 0 | sendClientCert = !ss->ssl3.sendEmptyCert && |
4324 | 0 | ss->ssl3.clientCertChain != NULL && |
4325 | 0 | ss->ssl3.clientPrivateKey != NULL; |
4326 | 0 |
|
4327 | 0 | /* Defer client authentication sending if we are still waiting for server |
4328 | 0 | * authentication. This avoids unnecessary disclosure of client credentials |
4329 | 0 | * to an unauthenticated server. |
4330 | 0 | */ |
4331 | 0 | if (ss->ssl3.hs.restartTarget) { |
4332 | 0 | PR_NOT_REACHED("unexpected ss->ssl3.hs.restartTarget"); |
4333 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
4334 | 0 | return SECFailure; |
4335 | 0 | } |
4336 | 0 | if (ss->ssl3.hs.authCertificatePending) { |
4337 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: deferring ssl3_SendClientSecondRound because" |
4338 | 0 | " certificate authentication is still pending.", |
4339 | 0 | SSL_GETPID(), ss->fd)); |
4340 | 0 | ss->ssl3.hs.restartTarget = tls13_SendClientSecondRound; |
4341 | 0 | return SECWouldBlock; |
4342 | 0 | } |
4343 | 0 | |
4344 | 0 | rv = tls13_ComputeApplicationSecrets(ss); |
4345 | 0 | if (rv != SECSuccess) { |
4346 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
4347 | 0 | return SECFailure; |
4348 | 0 | } |
4349 | 0 |
|
4350 | 0 | if (ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted) { |
4351 | 0 | ssl_GetXmitBufLock(ss); /*******************************/ |
4352 | 0 | rv = tls13_SendEndOfEarlyData(ss); |
4353 | 0 | ssl_ReleaseXmitBufLock(ss); /*******************************/ |
4354 | 0 | if (rv != SECSuccess) { |
4355 | 0 | return SECFailure; /* Error code already set. */ |
4356 | 0 | } |
4357 | 0 | } else if (ss->opt.enableTls13CompatMode && !IS_DTLS(ss) && |
4358 | 0 | ss->ssl3.hs.zeroRttState == ssl_0rtt_none && |
4359 | 0 | !ss->ssl3.hs.helloRetry) { |
4360 | 0 | ssl_GetXmitBufLock(ss); /*******************************/ |
4361 | 0 | rv = ssl3_SendChangeCipherSpecsInt(ss); |
4362 | 0 | ssl_ReleaseXmitBufLock(ss); /*******************************/ |
4363 | 0 | if (rv != SECSuccess) { |
4364 | 0 | return rv; |
4365 | 0 | } |
4366 | 0 | } |
4367 | 0 | |
4368 | 0 | rv = tls13_SetCipherSpec(ss, TrafficKeyHandshake, |
4369 | 0 | CipherSpecWrite, PR_FALSE); |
4370 | 0 | if (rv != SECSuccess) { |
4371 | 0 | FATAL_ERROR(ss, SSL_ERROR_INIT_CIPHER_SUITE_FAILURE, internal_error); |
4372 | 0 | return SECFailure; |
4373 | 0 | } |
4374 | 0 |
|
4375 | 0 | rv = tls13_SetCipherSpec(ss, TrafficKeyApplicationData, |
4376 | 0 | CipherSpecRead, PR_FALSE); |
4377 | 0 | if (rv != SECSuccess) { |
4378 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
4379 | 0 | return SECFailure; |
4380 | 0 | } |
4381 | 0 |
|
4382 | 0 | ssl_GetXmitBufLock(ss); /*******************************/ |
4383 | 0 | rv = tls13_SendClientSecondFlight(ss, sendClientCert, &sendAlert); |
4384 | 0 | ssl_ReleaseXmitBufLock(ss); /*******************************/ |
4385 | 0 | if (rv != SECSuccess) { |
4386 | 0 | if (sendAlert != no_alert) { |
4387 | 0 | FATAL_ERROR(ss, PORT_GetError(), sendAlert); |
4388 | 0 | } else { |
4389 | 0 | LOG_ERROR(ss, PORT_GetError()); |
4390 | 0 | } |
4391 | 0 | return SECFailure; |
4392 | 0 | } |
4393 | 0 | rv = tls13_SetCipherSpec(ss, TrafficKeyApplicationData, |
4394 | 0 | CipherSpecWrite, PR_FALSE); |
4395 | 0 | if (rv != SECSuccess) { |
4396 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
4397 | 0 | return SECFailure; |
4398 | 0 | } |
4399 | 0 |
|
4400 | 0 | rv = tls13_ComputeFinalSecrets(ss); |
4401 | 0 | if (rv != SECSuccess) { |
4402 | 0 | return SECFailure; |
4403 | 0 | } |
4404 | 0 | |
4405 | 0 | /* The handshake is now finished */ |
4406 | 0 | return tls13_FinishHandshake(ss); |
4407 | 0 | } |
4408 | | |
4409 | | /* |
4410 | | * enum { (65535) } TicketExtensionType; |
4411 | | * |
4412 | | * struct { |
4413 | | * TicketExtensionType extension_type; |
4414 | | * opaque extension_data<0..2^16-1>; |
4415 | | * } TicketExtension; |
4416 | | * |
4417 | | * struct { |
4418 | | * uint32 ticket_lifetime; |
4419 | | * uint32 ticket_age_add; |
4420 | | * opaque ticket_nonce<1..255>; |
4421 | | * opaque ticket<1..2^16-1>; |
4422 | | * TicketExtension extensions<0..2^16-2>; |
4423 | | * } NewSessionTicket; |
4424 | | */ |
4425 | | |
4426 | | static SECStatus |
4427 | | tls13_SendNewSessionTicket(sslSocket *ss, const PRUint8 *appToken, |
4428 | | unsigned int appTokenLen) |
4429 | 0 | { |
4430 | 0 | PRUint16 message_length; |
4431 | 0 | PK11SymKey *secret; |
4432 | 0 | SECItem ticket_data = { 0, NULL, 0 }; |
4433 | 0 | SECStatus rv; |
4434 | 0 | NewSessionTicket ticket = { 0 }; |
4435 | 0 | PRUint32 max_early_data_size_len = 0; |
4436 | 0 | PRUint8 ticketNonce[sizeof(ss->ssl3.hs.ticketNonce)]; |
4437 | 0 | sslBuffer ticketNonceBuf = SSL_BUFFER(ticketNonce); |
4438 | 0 |
|
4439 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: send new session ticket message %d", |
4440 | 0 | SSL_GETPID(), ss->fd, ss->ssl3.hs.ticketNonce)); |
4441 | 0 |
|
4442 | 0 | ticket.flags = 0; |
4443 | 0 | if (ss->opt.enable0RttData) { |
4444 | 0 | ticket.flags |= ticket_allow_early_data; |
4445 | 0 | max_early_data_size_len = 8; /* type + len + value. */ |
4446 | 0 | } |
4447 | 0 | ticket.ticket_lifetime_hint = ssl_ticket_lifetime; |
4448 | 0 |
|
4449 | 0 | /* The ticket age obfuscator. */ |
4450 | 0 | rv = PK11_GenerateRandom((PRUint8 *)&ticket.ticket_age_add, |
4451 | 0 | sizeof(ticket.ticket_age_add)); |
4452 | 0 | if (rv != SECSuccess) |
4453 | 0 | goto loser; |
4454 | 0 | |
4455 | 0 | rv = sslBuffer_AppendNumber(&ticketNonceBuf, ss->ssl3.hs.ticketNonce, |
4456 | 0 | sizeof(ticketNonce)); |
4457 | 0 | if (rv != SECSuccess) { |
4458 | 0 | goto loser; |
4459 | 0 | } |
4460 | 0 | ++ss->ssl3.hs.ticketNonce; |
4461 | 0 | rv = tls13_HkdfExpandLabel(ss->ssl3.hs.resumptionMasterSecret, |
4462 | 0 | tls13_GetHash(ss), |
4463 | 0 | ticketNonce, sizeof(ticketNonce), |
4464 | 0 | kHkdfLabelResumption, |
4465 | 0 | strlen(kHkdfLabelResumption), |
4466 | 0 | tls13_GetHkdfMechanism(ss), |
4467 | 0 | tls13_GetHashSize(ss), &secret); |
4468 | 0 | if (rv != SECSuccess) { |
4469 | 0 | goto loser; |
4470 | 0 | } |
4471 | 0 | |
4472 | 0 | rv = ssl3_EncodeSessionTicket(ss, &ticket, appToken, appTokenLen, |
4473 | 0 | secret, &ticket_data); |
4474 | 0 | PK11_FreeSymKey(secret); |
4475 | 0 | if (rv != SECSuccess) |
4476 | 0 | goto loser; |
4477 | 0 | |
4478 | 0 | message_length = |
4479 | 0 | 4 + /* lifetime */ |
4480 | 0 | 4 + /* ticket_age_add */ |
4481 | 0 | 1 + sizeof(ticketNonce) + /* ticket_nonce */ |
4482 | 0 | 2 + max_early_data_size_len + /* max_early_data_size_len */ |
4483 | 0 | 2 + /* ticket length */ |
4484 | 0 | ticket_data.len; |
4485 | 0 |
|
4486 | 0 | rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_new_session_ticket, |
4487 | 0 | message_length); |
4488 | 0 | if (rv != SECSuccess) |
4489 | 0 | goto loser; |
4490 | 0 | |
4491 | 0 | /* This is a fixed value. */ |
4492 | 0 | rv = ssl3_AppendHandshakeNumber(ss, ssl_ticket_lifetime, 4); |
4493 | 0 | if (rv != SECSuccess) |
4494 | 0 | goto loser; |
4495 | 0 | |
4496 | 0 | rv = ssl3_AppendHandshakeNumber(ss, ticket.ticket_age_add, 4); |
4497 | 0 | if (rv != SECSuccess) |
4498 | 0 | goto loser; |
4499 | 0 | |
4500 | 0 | /* The ticket nonce. */ |
4501 | 0 | rv = ssl3_AppendHandshakeVariable(ss, ticketNonce, sizeof(ticketNonce), 1); |
4502 | 0 | if (rv != SECSuccess) |
4503 | 0 | goto loser; |
4504 | 0 | |
4505 | 0 | /* Encode the ticket. */ |
4506 | 0 | rv = ssl3_AppendHandshakeVariable( |
4507 | 0 | ss, ticket_data.data, ticket_data.len, 2); |
4508 | 0 | if (rv != SECSuccess) |
4509 | 0 | goto loser; |
4510 | 0 | |
4511 | 0 | /* Extensions. */ |
4512 | 0 | rv = ssl3_AppendHandshakeNumber(ss, max_early_data_size_len, 2); |
4513 | 0 | if (rv != SECSuccess) |
4514 | 0 | goto loser; |
4515 | 0 | |
4516 | 0 | if (max_early_data_size_len) { |
4517 | 0 | rv = ssl3_AppendHandshakeNumber( |
4518 | 0 | ss, ssl_tls13_early_data_xtn, 2); |
4519 | 0 | if (rv != SECSuccess) |
4520 | 0 | goto loser; |
4521 | 0 | |
4522 | 0 | /* Length */ |
4523 | 0 | rv = ssl3_AppendHandshakeNumber(ss, 4, 2); |
4524 | 0 | if (rv != SECSuccess) |
4525 | 0 | goto loser; |
4526 | 0 | |
4527 | 0 | rv = ssl3_AppendHandshakeNumber(ss, ss->opt.maxEarlyDataSize, 4); |
4528 | 0 | if (rv != SECSuccess) |
4529 | 0 | goto loser; |
4530 | 0 | } |
4531 | 0 | |
4532 | 0 | SECITEM_FreeItem(&ticket_data, PR_FALSE); |
4533 | 0 | return SECSuccess; |
4534 | 0 |
|
4535 | 0 | loser: |
4536 | 0 | if (ticket_data.data) { |
4537 | 0 | SECITEM_FreeItem(&ticket_data, PR_FALSE); |
4538 | 0 | } |
4539 | 0 | return SECFailure; |
4540 | 0 | } |
4541 | | |
4542 | | SECStatus |
4543 | | SSLExp_SendSessionTicket(PRFileDesc *fd, const PRUint8 *token, |
4544 | | unsigned int tokenLen) |
4545 | 0 | { |
4546 | 0 | sslSocket *ss; |
4547 | 0 | SECStatus rv; |
4548 | 0 |
|
4549 | 0 | ss = ssl_FindSocket(fd); |
4550 | 0 | if (!ss) { |
4551 | 0 | return SECFailure; |
4552 | 0 | } |
4553 | 0 | |
4554 | 0 | if (IS_DTLS(ss)) { |
4555 | 0 | PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_VERSION); |
4556 | 0 | return SECFailure; |
4557 | 0 | } |
4558 | 0 |
|
4559 | 0 | if (!ss->sec.isServer || !ss->firstHsDone || |
4560 | 0 | ss->version < SSL_LIBRARY_VERSION_TLS_1_3 || |
4561 | 0 | tokenLen > 0xffff) { |
4562 | 0 | PORT_SetError(SEC_ERROR_INVALID_ARGS); |
4563 | 0 | return SECFailure; |
4564 | 0 | } |
4565 | 0 |
|
4566 | 0 | ssl_GetSSL3HandshakeLock(ss); |
4567 | 0 | ssl_GetXmitBufLock(ss); |
4568 | 0 | rv = tls13_SendNewSessionTicket(ss, token, tokenLen); |
4569 | 0 | if (rv == SECSuccess) { |
4570 | 0 | rv = ssl3_FlushHandshake(ss, 0); |
4571 | 0 | } |
4572 | 0 | ssl_ReleaseXmitBufLock(ss); |
4573 | 0 | ssl_ReleaseSSL3HandshakeLock(ss); |
4574 | 0 |
|
4575 | 0 | return rv; |
4576 | 0 | } |
4577 | | |
4578 | | static SECStatus |
4579 | | tls13_HandleNewSessionTicket(sslSocket *ss, PRUint8 *b, PRUint32 length) |
4580 | 0 | { |
4581 | 0 | SECStatus rv; |
4582 | 0 | PRUint32 utmp; |
4583 | 0 | NewSessionTicket ticket = { 0 }; |
4584 | 0 | SECItem data; |
4585 | 0 | SECItem ticket_nonce; |
4586 | 0 | SECItem ticket_data; |
4587 | 0 |
|
4588 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: handle new session ticket message", |
4589 | 0 | SSL_GETPID(), ss->fd)); |
4590 | 0 |
|
4591 | 0 | rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET, |
4592 | 0 | idle_handshake); |
4593 | 0 | if (rv != SECSuccess) { |
4594 | 0 | return SECFailure; |
4595 | 0 | } |
4596 | 0 | if (!ss->firstHsDone || ss->sec.isServer) { |
4597 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET, |
4598 | 0 | unexpected_message); |
4599 | 0 | return SECFailure; |
4600 | 0 | } |
4601 | 0 |
|
4602 | 0 | ticket.received_timestamp = ssl_TimeUsec(); |
4603 | 0 | rv = ssl3_ConsumeHandshakeNumber(ss, &ticket.ticket_lifetime_hint, 4, &b, |
4604 | 0 | &length); |
4605 | 0 | if (rv != SECSuccess) { |
4606 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET, |
4607 | 0 | decode_error); |
4608 | 0 | return SECFailure; |
4609 | 0 | } |
4610 | 0 | ticket.ticket.type = siBuffer; |
4611 | 0 |
|
4612 | 0 | rv = ssl3_ConsumeHandshake(ss, &utmp, sizeof(utmp), |
4613 | 0 | &b, &length); |
4614 | 0 | if (rv != SECSuccess) { |
4615 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET); |
4616 | 0 | return SECFailure; |
4617 | 0 | } |
4618 | 0 | ticket.ticket_age_add = PR_ntohl(utmp); |
4619 | 0 |
|
4620 | 0 | /* The nonce. */ |
4621 | 0 | rv = ssl3_ConsumeHandshakeVariable(ss, &ticket_nonce, 1, &b, &length); |
4622 | 0 | if (rv != SECSuccess) { |
4623 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET, |
4624 | 0 | decode_error); |
4625 | 0 | return SECFailure; |
4626 | 0 | } |
4627 | 0 |
|
4628 | 0 | /* Get the ticket value. */ |
4629 | 0 | rv = ssl3_ConsumeHandshakeVariable(ss, &ticket_data, 2, &b, &length); |
4630 | 0 | if (rv != SECSuccess || !ticket_data.len) { |
4631 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET, |
4632 | 0 | decode_error); |
4633 | 0 | return SECFailure; |
4634 | 0 | } |
4635 | 0 |
|
4636 | 0 | /* Parse extensions. */ |
4637 | 0 | rv = ssl3_ConsumeHandshakeVariable(ss, &data, 2, &b, &length); |
4638 | 0 | if (rv != SECSuccess || length) { |
4639 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET, |
4640 | 0 | decode_error); |
4641 | 0 | return SECFailure; |
4642 | 0 | } |
4643 | 0 |
|
4644 | 0 | rv = ssl3_HandleExtensions(ss, &data.data, |
4645 | 0 | &data.len, ssl_hs_new_session_ticket); |
4646 | 0 | if (rv != SECSuccess) { |
4647 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET, |
4648 | 0 | decode_error); |
4649 | 0 | return SECFailure; |
4650 | 0 | } |
4651 | 0 | if (ss->xtnData.max_early_data_size) { |
4652 | 0 | ticket.flags |= ticket_allow_early_data; |
4653 | 0 | ticket.max_early_data_size = ss->xtnData.max_early_data_size; |
4654 | 0 | } |
4655 | 0 |
|
4656 | 0 | if (!ss->opt.noCache) { |
4657 | 0 | PK11SymKey *secret; |
4658 | 0 |
|
4659 | 0 | PORT_Assert(ss->sec.ci.sid); |
4660 | 0 | rv = SECITEM_CopyItem(NULL, &ticket.ticket, &ticket_data); |
4661 | 0 | if (rv != SECSuccess) { |
4662 | 0 | FATAL_ERROR(ss, SEC_ERROR_NO_MEMORY, internal_error); |
4663 | 0 | return SECFailure; |
4664 | 0 | } |
4665 | 0 | PRINT_BUF(50, (ss, "Caching session ticket", |
4666 | 0 | ticket.ticket.data, |
4667 | 0 | ticket.ticket.len)); |
4668 | 0 |
|
4669 | 0 | /* Replace a previous session ticket when |
4670 | 0 | * we receive a second NewSessionTicket message. */ |
4671 | 0 | if (ss->sec.ci.sid->cached == in_client_cache) { |
4672 | 0 | /* Create a new session ID. */ |
4673 | 0 | sslSessionID *sid = ssl3_NewSessionID(ss, PR_FALSE); |
4674 | 0 | if (!sid) { |
4675 | 0 | return SECFailure; |
4676 | 0 | } |
4677 | 0 | |
4678 | 0 | /* Copy over the peerCert. */ |
4679 | 0 | PORT_Assert(ss->sec.ci.sid->peerCert); |
4680 | 0 | sid->peerCert = CERT_DupCertificate(ss->sec.ci.sid->peerCert); |
4681 | 0 | if (!sid->peerCert) { |
4682 | 0 | ssl_FreeSID(sid); |
4683 | 0 | return SECFailure; |
4684 | 0 | } |
4685 | 0 | |
4686 | 0 | /* Destroy the old SID. */ |
4687 | 0 | ssl_UncacheSessionID(ss); |
4688 | 0 | ssl_FreeSID(ss->sec.ci.sid); |
4689 | 0 | ss->sec.ci.sid = sid; |
4690 | 0 | } |
4691 | 0 |
|
4692 | 0 | ssl3_SetSIDSessionTicket(ss->sec.ci.sid, &ticket); |
4693 | 0 | PORT_Assert(!ticket.ticket.data); |
4694 | 0 |
|
4695 | 0 | rv = tls13_HkdfExpandLabel(ss->ssl3.hs.resumptionMasterSecret, |
4696 | 0 | tls13_GetHash(ss), |
4697 | 0 | ticket_nonce.data, ticket_nonce.len, |
4698 | 0 | kHkdfLabelResumption, |
4699 | 0 | strlen(kHkdfLabelResumption), |
4700 | 0 | tls13_GetHkdfMechanism(ss), |
4701 | 0 | tls13_GetHashSize(ss), &secret); |
4702 | 0 | if (rv != SECSuccess) { |
4703 | 0 | return SECFailure; |
4704 | 0 | } |
4705 | 0 | |
4706 | 0 | rv = ssl3_FillInCachedSID(ss, ss->sec.ci.sid, secret); |
4707 | 0 | PK11_FreeSymKey(secret); |
4708 | 0 | if (rv != SECSuccess) { |
4709 | 0 | return SECFailure; |
4710 | 0 | } |
4711 | 0 | |
4712 | 0 | /* Cache the session. */ |
4713 | 0 | ssl_CacheSessionID(ss); |
4714 | 0 | } |
4715 | 0 |
|
4716 | 0 | return SECSuccess; |
4717 | 0 | } |
4718 | | |
4719 | 0 | #define _M(a) (1 << PR_MIN(a, 31)) |
4720 | | #define _M1(a) (_M(ssl_hs_##a)) |
4721 | | #define _M2(a, b) (_M1(a) | _M1(b)) |
4722 | | #define _M3(a, b, c) (_M1(a) | _M2(b, c)) |
4723 | | |
4724 | | static const struct { |
4725 | | PRUint16 ex_value; |
4726 | | PRUint32 messages; |
4727 | | } KnownExtensions[] = { |
4728 | | { ssl_server_name_xtn, _M2(client_hello, encrypted_extensions) }, |
4729 | | { ssl_supported_groups_xtn, _M2(client_hello, encrypted_extensions) }, |
4730 | | { ssl_signature_algorithms_xtn, _M2(client_hello, certificate_request) }, |
4731 | | { ssl_signature_algorithms_cert_xtn, _M2(client_hello, |
4732 | | certificate_request) }, |
4733 | | { ssl_use_srtp_xtn, _M2(client_hello, encrypted_extensions) }, |
4734 | | { ssl_app_layer_protocol_xtn, _M2(client_hello, encrypted_extensions) }, |
4735 | | { ssl_padding_xtn, _M1(client_hello) }, |
4736 | | { ssl_tls13_key_share_xtn, _M3(client_hello, server_hello, |
4737 | | hello_retry_request) }, |
4738 | | { ssl_tls13_pre_shared_key_xtn, _M2(client_hello, server_hello) }, |
4739 | | { ssl_tls13_psk_key_exchange_modes_xtn, _M1(client_hello) }, |
4740 | | { ssl_tls13_early_data_xtn, _M3(client_hello, encrypted_extensions, |
4741 | | new_session_ticket) }, |
4742 | | { ssl_signed_cert_timestamp_xtn, _M3(client_hello, certificate_request, |
4743 | | certificate) }, |
4744 | | { ssl_cert_status_xtn, _M3(client_hello, certificate_request, |
4745 | | certificate) }, |
4746 | | { ssl_tls13_cookie_xtn, _M2(client_hello, hello_retry_request) }, |
4747 | | { ssl_tls13_certificate_authorities_xtn, _M1(certificate_request) }, |
4748 | | { ssl_tls13_supported_versions_xtn, _M3(client_hello, server_hello, |
4749 | | hello_retry_request) }, |
4750 | | { ssl_record_size_limit_xtn, _M2(client_hello, encrypted_extensions) } |
4751 | | }; |
4752 | | |
4753 | | tls13ExtensionStatus |
4754 | | tls13_ExtensionStatus(PRUint16 extension, SSLHandshakeType message) |
4755 | 0 | { |
4756 | 0 | unsigned int i; |
4757 | 0 |
|
4758 | 0 | PORT_Assert((message == ssl_hs_client_hello) || |
4759 | 0 | (message == ssl_hs_server_hello) || |
4760 | 0 | (message == ssl_hs_hello_retry_request) || |
4761 | 0 | (message == ssl_hs_encrypted_extensions) || |
4762 | 0 | (message == ssl_hs_new_session_ticket) || |
4763 | 0 | (message == ssl_hs_certificate) || |
4764 | 0 | (message == ssl_hs_certificate_request)); |
4765 | 0 |
|
4766 | 0 | for (i = 0; i < PR_ARRAY_SIZE(KnownExtensions); i++) { |
4767 | 0 | /* Hacky check for message numbers > 30. */ |
4768 | 0 | PORT_Assert(!(KnownExtensions[i].messages & (1U << 31))); |
4769 | 0 | if (KnownExtensions[i].ex_value == extension) { |
4770 | 0 | break; |
4771 | 0 | } |
4772 | 0 | } |
4773 | 0 | if (i >= PR_ARRAY_SIZE(KnownExtensions)) { |
4774 | 0 | return tls13_extension_unknown; |
4775 | 0 | } |
4776 | 0 | |
4777 | 0 | /* Return "disallowed" if the message mask bit isn't set. */ |
4778 | 0 | if (!(_M(message) & KnownExtensions[i].messages)) { |
4779 | 0 | return tls13_extension_disallowed; |
4780 | 0 | } |
4781 | 0 | |
4782 | 0 | return tls13_extension_allowed; |
4783 | 0 | } |
4784 | | |
4785 | | #undef _M |
4786 | | #undef _M1 |
4787 | | #undef _M2 |
4788 | | #undef _M3 |
4789 | | |
4790 | | /* We cheat a bit on additional data because the AEAD interface |
4791 | | * which doesn't have room for the record number. The AAD we |
4792 | | * format is serialized record number followed by the true AD |
4793 | | * (i.e., the record header) plus the serialized record number. */ |
4794 | | static SECStatus |
4795 | | tls13_FormatAdditionalData( |
4796 | | sslSocket *ss, |
4797 | | const PRUint8 *header, unsigned int headerLen, |
4798 | | DTLSEpoch epoch, sslSequenceNumber seqNum, |
4799 | | PRUint8 *aad, unsigned int *aadLength, unsigned int maxLength) |
4800 | 0 | { |
4801 | 0 | SECStatus rv; |
4802 | 0 | sslBuffer buf = SSL_BUFFER_FIXED(aad, maxLength); |
4803 | 0 |
|
4804 | 0 | if (IS_DTLS(ss)) { |
4805 | 0 | rv = sslBuffer_AppendNumber(&buf, epoch, 2); |
4806 | 0 | if (rv != SECSuccess) { |
4807 | 0 | return SECFailure; |
4808 | 0 | } |
4809 | 0 | } |
4810 | 0 | rv = sslBuffer_AppendNumber(&buf, seqNum, IS_DTLS(ss) ? 6 : 8); |
4811 | 0 | if (rv != SECSuccess) { |
4812 | 0 | return SECFailure; |
4813 | 0 | } |
4814 | 0 | |
4815 | 0 | rv = sslBuffer_Append(&buf, header, headerLen); |
4816 | 0 | if (rv != SECSuccess) { |
4817 | 0 | return SECFailure; |
4818 | 0 | } |
4819 | 0 | |
4820 | 0 | *aadLength = buf.len; |
4821 | 0 |
|
4822 | 0 | return SECSuccess; |
4823 | 0 | } |
4824 | | |
4825 | | PRInt32 |
4826 | | tls13_LimitEarlyData(sslSocket *ss, SSLContentType type, PRInt32 toSend) |
4827 | 0 | { |
4828 | 0 | PRInt32 reduced; |
4829 | 0 |
|
4830 | 0 | PORT_Assert(type == ssl_ct_application_data); |
4831 | 0 | PORT_Assert(ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3); |
4832 | 0 | PORT_Assert(!ss->firstHsDone); |
4833 | 0 | if (ss->ssl3.cwSpec->epoch != TrafficKeyEarlyApplicationData) { |
4834 | 0 | return toSend; |
4835 | 0 | } |
4836 | 0 | |
4837 | 0 | if (IS_DTLS(ss) && toSend > ss->ssl3.cwSpec->earlyDataRemaining) { |
4838 | 0 | /* Don't split application data records in DTLS. */ |
4839 | 0 | return 0; |
4840 | 0 | } |
4841 | 0 | |
4842 | 0 | reduced = PR_MIN(toSend, ss->ssl3.cwSpec->earlyDataRemaining); |
4843 | 0 | ss->ssl3.cwSpec->earlyDataRemaining -= reduced; |
4844 | 0 | return reduced; |
4845 | 0 | } |
4846 | | |
4847 | | SECStatus |
4848 | | tls13_ProtectRecord(sslSocket *ss, |
4849 | | ssl3CipherSpec *cwSpec, |
4850 | | SSLContentType type, |
4851 | | const PRUint8 *pIn, |
4852 | | PRUint32 contentLen, |
4853 | | sslBuffer *wrBuf) |
4854 | 0 | { |
4855 | 0 | const ssl3BulkCipherDef *cipher_def = cwSpec->cipherDef; |
4856 | 0 | const int tagLen = cipher_def->tag_size; |
4857 | 0 | SECStatus rv; |
4858 | 0 |
|
4859 | 0 | PORT_Assert(cwSpec->direction == CipherSpecWrite); |
4860 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: spec=%d epoch=%d (%s) protect 0x%0llx len=%u", |
4861 | 0 | SSL_GETPID(), ss->fd, cwSpec, cwSpec->epoch, cwSpec->phase, |
4862 | 0 | cwSpec->nextSeqNum, contentLen)); |
4863 | 0 |
|
4864 | 0 | if (contentLen + 1 + tagLen > SSL_BUFFER_SPACE(wrBuf)) { |
4865 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
4866 | 0 | return SECFailure; |
4867 | 0 | } |
4868 | 0 |
|
4869 | 0 | /* Copy the data into the wrBuf. We're going to encrypt in-place |
4870 | 0 | * in the AEAD branch anyway */ |
4871 | 0 | PORT_Memcpy(SSL_BUFFER_NEXT(wrBuf), pIn, contentLen); |
4872 | 0 |
|
4873 | 0 | if (cipher_def->calg == ssl_calg_null) { |
4874 | 0 | /* Shortcut for plaintext */ |
4875 | 0 | rv = sslBuffer_Skip(wrBuf, contentLen, NULL); |
4876 | 0 | PORT_Assert(rv == SECSuccess); |
4877 | 0 | } else { |
4878 | 0 | PRUint8 hdr[13]; |
4879 | 0 | sslBuffer buf = SSL_BUFFER_FIXED(hdr, sizeof(hdr)); |
4880 | 0 | PRBool needsLength; |
4881 | 0 | PRUint8 aad[21]; |
4882 | 0 | unsigned int aadLen; |
4883 | 0 | int len; |
4884 | 0 |
|
4885 | 0 | PORT_Assert(cipher_def->type == type_aead); |
4886 | 0 |
|
4887 | 0 | /* Add the content type at the end. */ |
4888 | 0 | *(SSL_BUFFER_NEXT(wrBuf) + contentLen) = type; |
4889 | 0 |
|
4890 | 0 | /* Create the header (ugly that we have to do it twice). */ |
4891 | 0 | rv = ssl_InsertRecordHeader(ss, cwSpec, ssl_ct_application_data, |
4892 | 0 | &buf, &needsLength); |
4893 | 0 | if (rv != SECSuccess) { |
4894 | 0 | return SECFailure; |
4895 | 0 | } |
4896 | 0 | if (needsLength) { |
4897 | 0 | rv = sslBuffer_AppendNumber(&buf, contentLen + 1 + |
4898 | 0 | cwSpec->cipherDef->tag_size, |
4899 | 0 | 2); |
4900 | 0 | if (rv != SECSuccess) { |
4901 | 0 | return SECFailure; |
4902 | 0 | } |
4903 | 0 | } |
4904 | 0 | rv = tls13_FormatAdditionalData(ss, SSL_BUFFER_BASE(&buf), SSL_BUFFER_LEN(&buf), |
4905 | 0 | cwSpec->epoch, cwSpec->nextSeqNum, |
4906 | 0 | aad, &aadLen, sizeof(aad)); |
4907 | 0 | if (rv != SECSuccess) { |
4908 | 0 | return SECFailure; |
4909 | 0 | } |
4910 | 0 | rv = cwSpec->aead(&cwSpec->keyMaterial, |
4911 | 0 | PR_FALSE, /* do encrypt */ |
4912 | 0 | SSL_BUFFER_NEXT(wrBuf), /* output */ |
4913 | 0 | &len, /* out len */ |
4914 | 0 | SSL_BUFFER_SPACE(wrBuf), /* max out */ |
4915 | 0 | SSL_BUFFER_NEXT(wrBuf), /* input */ |
4916 | 0 | contentLen + 1, /* input len */ |
4917 | 0 | aad, aadLen); |
4918 | 0 | if (rv != SECSuccess) { |
4919 | 0 | PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
4920 | 0 | return SECFailure; |
4921 | 0 | } |
4922 | 0 | rv = sslBuffer_Skip(wrBuf, len, NULL); |
4923 | 0 | PORT_Assert(rv == SECSuccess); |
4924 | 0 | } |
4925 | 0 |
|
4926 | 0 | return SECSuccess; |
4927 | 0 | } |
4928 | | |
4929 | | /* Unprotect a TLS 1.3 record and leave the result in plaintext. |
4930 | | * |
4931 | | * Called by ssl3_HandleRecord. Caller must hold the spec read lock. |
4932 | | * Therefore, we MUST not call SSL3_SendAlert(). |
4933 | | * |
4934 | | * If SECFailure is returned, we: |
4935 | | * 1. Set |*alert| to the alert to be sent. |
4936 | | * 2. Call PORT_SetError() witn an appropriate code. |
4937 | | */ |
4938 | | SECStatus |
4939 | | tls13_UnprotectRecord(sslSocket *ss, |
4940 | | ssl3CipherSpec *spec, |
4941 | | SSL3Ciphertext *cText, |
4942 | | sslBuffer *plaintext, |
4943 | | SSLContentType *innerType, |
4944 | | SSL3AlertDescription *alert) |
4945 | 0 | { |
4946 | 0 | const ssl3BulkCipherDef *cipher_def = spec->cipherDef; |
4947 | 0 | PRUint8 aad[21]; |
4948 | 0 | unsigned int aadLen; |
4949 | 0 | SECStatus rv; |
4950 | 0 |
|
4951 | 0 | *alert = bad_record_mac; /* Default alert for most issues. */ |
4952 | 0 |
|
4953 | 0 | PORT_Assert(spec->direction == CipherSpecRead); |
4954 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: spec=%d epoch=%d (%s) unprotect 0x%0llx len=%u", |
4955 | 0 | SSL_GETPID(), ss->fd, spec, spec->epoch, spec->phase, |
4956 | 0 | cText->seqNum, cText->buf->len)); |
4957 | 0 |
|
4958 | 0 | /* We can perform this test in variable time because the record's total |
4959 | 0 | * length and the ciphersuite are both public knowledge. */ |
4960 | 0 | if (cText->buf->len < cipher_def->tag_size) { |
4961 | 0 | SSL_TRC(3, |
4962 | 0 | ("%d: TLS13[%d]: record too short to contain valid AEAD data", |
4963 | 0 | SSL_GETPID(), ss->fd)); |
4964 | 0 | PORT_SetError(SSL_ERROR_BAD_MAC_READ); |
4965 | 0 | return SECFailure; |
4966 | 0 | } |
4967 | 0 |
|
4968 | 0 | /* Verify that the content type is right, even though we overwrite it. |
4969 | 0 | * Also allow the DTLS short header in TLS 1.3. */ |
4970 | 0 | if (!(cText->hdr[0] == ssl_ct_application_data || |
4971 | 0 | (IS_DTLS(ss) && |
4972 | 0 | ss->version >= SSL_LIBRARY_VERSION_TLS_1_3 && |
4973 | 0 | (cText->hdr[0] & 0xe0) == 0x20))) { |
4974 | 0 | SSL_TRC(3, |
4975 | 0 | ("%d: TLS13[%d]: record has invalid exterior type=%2.2x", |
4976 | 0 | SSL_GETPID(), ss->fd, cText->hdr[0])); |
4977 | 0 | /* Do we need a better error here? */ |
4978 | 0 | PORT_SetError(SSL_ERROR_BAD_MAC_READ); |
4979 | 0 | return SECFailure; |
4980 | 0 | } |
4981 | 0 |
|
4982 | 0 | /* Check the version number in the record. Stream only. */ |
4983 | 0 | if (!IS_DTLS(ss)) { |
4984 | 0 | SSL3ProtocolVersion version = |
4985 | 0 | ((SSL3ProtocolVersion)cText->hdr[1] << 8) | |
4986 | 0 | (SSL3ProtocolVersion)cText->hdr[2]; |
4987 | 0 | if (version != spec->recordVersion) { |
4988 | 0 | /* Do we need a better error here? */ |
4989 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: record has bogus version", |
4990 | 0 | SSL_GETPID(), ss->fd)); |
4991 | 0 | return SECFailure; |
4992 | 0 | } |
4993 | 0 | } |
4994 | 0 | |
4995 | 0 | /* Decrypt */ |
4996 | 0 | PORT_Assert(cipher_def->type == type_aead); |
4997 | 0 | rv = tls13_FormatAdditionalData(ss, cText->hdr, cText->hdrLen, |
4998 | 0 | spec->epoch, cText->seqNum, |
4999 | 0 | aad, &aadLen, sizeof(aad)); |
5000 | 0 | if (rv != SECSuccess) { |
5001 | 0 | return SECFailure; |
5002 | 0 | } |
5003 | 0 | rv = spec->aead(&spec->keyMaterial, |
5004 | 0 | PR_TRUE, /* do decrypt */ |
5005 | 0 | plaintext->buf, /* out */ |
5006 | 0 | (int *)&plaintext->len, /* outlen */ |
5007 | 0 | plaintext->space, /* maxout */ |
5008 | 0 | cText->buf->buf, /* in */ |
5009 | 0 | cText->buf->len, /* inlen */ |
5010 | 0 | aad, aadLen); |
5011 | 0 | if (rv != SECSuccess) { |
5012 | 0 | SSL_TRC(3, |
5013 | 0 | ("%d: TLS13[%d]: record has bogus MAC", |
5014 | 0 | SSL_GETPID(), ss->fd)); |
5015 | 0 | PORT_SetError(SSL_ERROR_BAD_MAC_READ); |
5016 | 0 | return SECFailure; |
5017 | 0 | } |
5018 | 0 |
|
5019 | 0 | /* There is a similar test in ssl3_HandleRecord, but this test is needed to |
5020 | 0 | * account for padding. It's safe to do this here (including the alert), |
5021 | 0 | * because it only confirms that the record exceeded the size limit, which |
5022 | 0 | * is apparent from the size of the ciphertext. */ |
5023 | 0 | if (plaintext->len > spec->recordSizeLimit + 1) { |
5024 | 0 | SSL3_SendAlert(ss, alert_fatal, record_overflow); |
5025 | 0 | PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); |
5026 | 0 | return SECFailure; |
5027 | 0 | } |
5028 | 0 |
|
5029 | 0 | /* The record is right-padded with 0s, followed by the true |
5030 | 0 | * content type, so read from the right until we receive a |
5031 | 0 | * nonzero byte. */ |
5032 | 0 | while (plaintext->len > 0 && !(plaintext->buf[plaintext->len - 1])) { |
5033 | 0 | --plaintext->len; |
5034 | 0 | } |
5035 | 0 |
|
5036 | 0 | /* Bogus padding. */ |
5037 | 0 | if (plaintext->len < 1) { |
5038 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: empty record", SSL_GETPID(), ss->fd)); |
5039 | 0 | /* It's safe to report this specifically because it happened |
5040 | 0 | * after the MAC has been verified. */ |
5041 | 0 | PORT_SetError(SSL_ERROR_BAD_BLOCK_PADDING); |
5042 | 0 | return SECFailure; |
5043 | 0 | } |
5044 | 0 |
|
5045 | 0 | /* Record the type. */ |
5046 | 0 | *innerType = (SSLContentType)plaintext->buf[plaintext->len - 1]; |
5047 | 0 | --plaintext->len; |
5048 | 0 |
|
5049 | 0 | /* Check that we haven't received too much 0-RTT data. */ |
5050 | 0 | if (spec->epoch == TrafficKeyEarlyApplicationData && |
5051 | 0 | *innerType == ssl_ct_application_data) { |
5052 | 0 | if (plaintext->len > spec->earlyDataRemaining) { |
5053 | 0 | *alert = unexpected_message; |
5054 | 0 | PORT_SetError(SSL_ERROR_TOO_MUCH_EARLY_DATA); |
5055 | 0 | return SECFailure; |
5056 | 0 | } |
5057 | 0 | spec->earlyDataRemaining -= plaintext->len; |
5058 | 0 | } |
5059 | 0 |
|
5060 | 0 | SSL_TRC(10, |
5061 | 0 | ("%d: TLS13[%d]: %s received record of length=%d, type=%d", |
5062 | 0 | SSL_GETPID(), ss->fd, SSL_ROLE(ss), plaintext->len, *innerType)); |
5063 | 0 |
|
5064 | 0 | return SECSuccess; |
5065 | 0 | } |
5066 | | |
5067 | | /* 0-RTT is only permitted if: |
5068 | | * |
5069 | | * 1. We are doing TLS 1.3 |
5070 | | * 2. This isn't a second ClientHello (in response to HelloRetryRequest) |
5071 | | * 3. The 0-RTT option is set. |
5072 | | * 4. We have a valid ticket. |
5073 | | * 5. The server is willing to accept 0-RTT. |
5074 | | * 6. We have not changed our ALPN settings to disallow the ALPN tag |
5075 | | * in the ticket. |
5076 | | * |
5077 | | * Called from tls13_ClientSendEarlyDataXtn(). |
5078 | | */ |
5079 | | PRBool |
5080 | | tls13_ClientAllow0Rtt(const sslSocket *ss, const sslSessionID *sid) |
5081 | 0 | { |
5082 | 0 | /* We checked that the cipher suite was still allowed back in |
5083 | 0 | * ssl3_SendClientHello. */ |
5084 | 0 | if (sid->version < SSL_LIBRARY_VERSION_TLS_1_3) |
5085 | 0 | return PR_FALSE; |
5086 | 0 | if (ss->ssl3.hs.helloRetry) |
5087 | 0 | return PR_FALSE; |
5088 | 0 | if (!ss->opt.enable0RttData) |
5089 | 0 | return PR_FALSE; |
5090 | 0 | if (!ss->statelessResume) |
5091 | 0 | return PR_FALSE; |
5092 | 0 | if ((sid->u.ssl3.locked.sessionTicket.flags & ticket_allow_early_data) == 0) |
5093 | 0 | return PR_FALSE; |
5094 | 0 | return ssl_AlpnTagAllowed(ss, &sid->u.ssl3.alpnSelection); |
5095 | 0 | } |
5096 | | |
5097 | | SECStatus |
5098 | | tls13_MaybeDo0RTTHandshake(sslSocket *ss) |
5099 | 0 | { |
5100 | 0 | SECStatus rv; |
5101 | 0 |
|
5102 | 0 | /* Don't do anything if there is no early_data xtn, which means we're |
5103 | 0 | * not doing early data. */ |
5104 | 0 | if (!ssl3_ExtensionAdvertised(ss, ssl_tls13_early_data_xtn)) { |
5105 | 0 | return SECSuccess; |
5106 | 0 | } |
5107 | 0 | |
5108 | 0 | ss->ssl3.hs.zeroRttState = ssl_0rtt_sent; |
5109 | 0 | ss->ssl3.hs.zeroRttSuite = ss->ssl3.hs.cipher_suite; |
5110 | 0 |
|
5111 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: in 0-RTT mode", SSL_GETPID(), ss->fd)); |
5112 | 0 |
|
5113 | 0 | /* Set the ALPN data as if it was negotiated. We check in the ServerHello |
5114 | 0 | * handler that the server negotiates the same value. */ |
5115 | 0 | if (ss->sec.ci.sid->u.ssl3.alpnSelection.len) { |
5116 | 0 | ss->xtnData.nextProtoState = SSL_NEXT_PROTO_EARLY_VALUE; |
5117 | 0 | rv = SECITEM_CopyItem(NULL, &ss->xtnData.nextProto, |
5118 | 0 | &ss->sec.ci.sid->u.ssl3.alpnSelection); |
5119 | 0 | if (rv != SECSuccess) { |
5120 | 0 | return SECFailure; |
5121 | 0 | } |
5122 | 0 | } |
5123 | 0 | |
5124 | 0 | if (ss->opt.enableTls13CompatMode && !IS_DTLS(ss)) { |
5125 | 0 | /* Pretend that this is a proper ChangeCipherSpec even though it is sent |
5126 | 0 | * before receiving the ServerHello. */ |
5127 | 0 | ssl_GetSpecWriteLock(ss); |
5128 | 0 | tls13_SetSpecRecordVersion(ss, ss->ssl3.cwSpec); |
5129 | 0 | ssl_ReleaseSpecWriteLock(ss); |
5130 | 0 | ssl_GetXmitBufLock(ss); |
5131 | 0 | rv = ssl3_SendChangeCipherSpecsInt(ss); |
5132 | 0 | ssl_ReleaseXmitBufLock(ss); |
5133 | 0 | if (rv != SECSuccess) { |
5134 | 0 | return SECFailure; |
5135 | 0 | } |
5136 | 0 | } |
5137 | 0 | |
5138 | 0 | /* Cipher suite already set in tls13_SetupClientHello. */ |
5139 | 0 | ss->ssl3.hs.preliminaryInfo = 0; |
5140 | 0 |
|
5141 | 0 | rv = tls13_DeriveEarlySecrets(ss); |
5142 | 0 | if (rv != SECSuccess) { |
5143 | 0 | return SECFailure; |
5144 | 0 | } |
5145 | 0 | |
5146 | 0 | /* Save cwSpec in case we get a HelloRetryRequest and have to send another |
5147 | 0 | * ClientHello. */ |
5148 | 0 | ssl_CipherSpecAddRef(ss->ssl3.cwSpec); |
5149 | 0 |
|
5150 | 0 | rv = tls13_SetCipherSpec(ss, TrafficKeyEarlyApplicationData, |
5151 | 0 | CipherSpecWrite, PR_TRUE); |
5152 | 0 | if (rv != SECSuccess) { |
5153 | 0 | return SECFailure; |
5154 | 0 | } |
5155 | 0 | |
5156 | 0 | return SECSuccess; |
5157 | 0 | } |
5158 | | |
5159 | | PRInt32 |
5160 | | tls13_Read0RttData(sslSocket *ss, void *buf, PRInt32 len) |
5161 | 0 | { |
5162 | 0 | TLS13EarlyData *msg; |
5163 | 0 |
|
5164 | 0 | PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.bufferedEarlyData)); |
5165 | 0 | msg = (TLS13EarlyData *)PR_NEXT_LINK(&ss->ssl3.hs.bufferedEarlyData); |
5166 | 0 |
|
5167 | 0 | PR_REMOVE_LINK(&msg->link); |
5168 | 0 | if (msg->data.len > len) { |
5169 | 0 | PORT_SetError(SSL_ERROR_ILLEGAL_PARAMETER_ALERT); |
5170 | 0 | return SECFailure; |
5171 | 0 | } |
5172 | 0 | len = msg->data.len; |
5173 | 0 |
|
5174 | 0 | PORT_Memcpy(buf, msg->data.data, msg->data.len); |
5175 | 0 | SECITEM_ZfreeItem(&msg->data, PR_FALSE); |
5176 | 0 | PORT_ZFree(msg, sizeof(*msg)); |
5177 | 0 |
|
5178 | 0 | return len; |
5179 | 0 | } |
5180 | | |
5181 | | static SECStatus |
5182 | | tls13_SendEndOfEarlyData(sslSocket *ss) |
5183 | 0 | { |
5184 | 0 | SECStatus rv; |
5185 | 0 |
|
5186 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: send EndOfEarlyData", SSL_GETPID(), ss->fd)); |
5187 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
5188 | 0 |
|
5189 | 0 | rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_end_of_early_data, 0); |
5190 | 0 | if (rv != SECSuccess) { |
5191 | 0 | return rv; /* err set by AppendHandshake. */ |
5192 | 0 | } |
5193 | 0 | |
5194 | 0 | ss->ssl3.hs.zeroRttState = ssl_0rtt_done; |
5195 | 0 | return SECSuccess; |
5196 | 0 | } |
5197 | | |
5198 | | static SECStatus |
5199 | | tls13_HandleEndOfEarlyData(sslSocket *ss, PRUint8 *b, PRUint32 length) |
5200 | 0 | { |
5201 | 0 | SECStatus rv; |
5202 | 0 |
|
5203 | 0 | PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); |
5204 | 0 |
|
5205 | 0 | rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_END_OF_EARLY_DATA, |
5206 | 0 | wait_end_of_early_data); |
5207 | 0 | if (rv != SECSuccess) { |
5208 | 0 | return SECFailure; |
5209 | 0 | } |
5210 | 0 | |
5211 | 0 | /* We shouldn't be getting any more early data, and if we do, |
5212 | 0 | * it is because of reordering and we drop it. */ |
5213 | 0 | if (IS_DTLS(ss)) { |
5214 | 0 | ssl_CipherSpecReleaseByEpoch(ss, CipherSpecRead, |
5215 | 0 | TrafficKeyEarlyApplicationData); |
5216 | 0 | dtls_ReceivedFirstMessageInFlight(ss); |
5217 | 0 | } |
5218 | 0 |
|
5219 | 0 | PORT_Assert(ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted); |
5220 | 0 |
|
5221 | 0 | if (length) { |
5222 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_END_OF_EARLY_DATA, decode_error); |
5223 | 0 | return SECFailure; |
5224 | 0 | } |
5225 | 0 |
|
5226 | 0 | rv = tls13_SetCipherSpec(ss, TrafficKeyHandshake, |
5227 | 0 | CipherSpecRead, PR_FALSE); |
5228 | 0 | if (rv != SECSuccess) { |
5229 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
5230 | 0 | return SECFailure; |
5231 | 0 | } |
5232 | 0 |
|
5233 | 0 | ss->ssl3.hs.zeroRttState = ssl_0rtt_done; |
5234 | 0 | if (tls13_CanRequestClientAuth(ss)) { |
5235 | 0 | TLS13_SET_HS_STATE(ss, wait_client_cert); |
5236 | 0 | } else { |
5237 | 0 | TLS13_SET_HS_STATE(ss, wait_finished); |
5238 | 0 | } |
5239 | 0 | return SECSuccess; |
5240 | 0 | } |
5241 | | |
5242 | | SECStatus |
5243 | | tls13_HandleEarlyApplicationData(sslSocket *ss, sslBuffer *origBuf) |
5244 | 0 | { |
5245 | 0 | TLS13EarlyData *ed; |
5246 | 0 | SECItem it = { siBuffer, NULL, 0 }; |
5247 | 0 |
|
5248 | 0 | PORT_Assert(ss->sec.isServer); |
5249 | 0 | PORT_Assert(ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted); |
5250 | 0 | if (ss->ssl3.hs.zeroRttState != ssl_0rtt_accepted) { |
5251 | 0 | /* Belt and suspenders. */ |
5252 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
5253 | 0 | return SECFailure; |
5254 | 0 | } |
5255 | 0 |
|
5256 | 0 | PRINT_BUF(3, (NULL, "Received early application data", |
5257 | 0 | origBuf->buf, origBuf->len)); |
5258 | 0 | ed = PORT_ZNew(TLS13EarlyData); |
5259 | 0 | if (!ed) { |
5260 | 0 | FATAL_ERROR(ss, SEC_ERROR_NO_MEMORY, internal_error); |
5261 | 0 | return SECFailure; |
5262 | 0 | } |
5263 | 0 | it.data = origBuf->buf; |
5264 | 0 | it.len = origBuf->len; |
5265 | 0 | if (SECITEM_CopyItem(NULL, &ed->data, &it) != SECSuccess) { |
5266 | 0 | FATAL_ERROR(ss, SEC_ERROR_NO_MEMORY, internal_error); |
5267 | 0 | return SECFailure; |
5268 | 0 | } |
5269 | 0 | PR_APPEND_LINK(&ed->link, &ss->ssl3.hs.bufferedEarlyData); |
5270 | 0 |
|
5271 | 0 | origBuf->len = 0; /* So ssl3_GatherAppDataRecord will keep looping. */ |
5272 | 0 |
|
5273 | 0 | return SECSuccess; |
5274 | 0 | } |
5275 | | |
5276 | | PRUint16 |
5277 | | tls13_EncodeDraftVersion(SSL3ProtocolVersion version, SSLProtocolVariant variant) |
5278 | 0 | { |
5279 | 0 | #ifdef DTLS_1_3_DRAFT_VERSION |
5280 | 0 | if (version == SSL_LIBRARY_VERSION_TLS_1_3 && |
5281 | 0 | variant == ssl_variant_datagram) { |
5282 | 0 | return 0x7f00 | DTLS_1_3_DRAFT_VERSION; |
5283 | 0 | } |
5284 | 0 | #endif |
5285 | 0 | return (PRUint16)version; |
5286 | 0 | } |
5287 | | |
5288 | | SECStatus |
5289 | | tls13_ClientReadSupportedVersion(sslSocket *ss) |
5290 | 0 | { |
5291 | 0 | PRUint32 temp; |
5292 | 0 | TLSExtension *versionExtension; |
5293 | 0 | SECItem it; |
5294 | 0 | SECStatus rv; |
5295 | 0 |
|
5296 | 0 | /* Update the version based on the extension, as necessary. */ |
5297 | 0 | versionExtension = ssl3_FindExtension(ss, ssl_tls13_supported_versions_xtn); |
5298 | 0 | if (!versionExtension) { |
5299 | 0 | return SECSuccess; |
5300 | 0 | } |
5301 | 0 | |
5302 | 0 | /* Struct copy so we don't damage the extension. */ |
5303 | 0 | it = versionExtension->data; |
5304 | 0 |
|
5305 | 0 | rv = ssl3_ConsumeHandshakeNumber(ss, &temp, 2, &it.data, &it.len); |
5306 | 0 | if (rv != SECSuccess) { |
5307 | 0 | return SECFailure; |
5308 | 0 | } |
5309 | 0 | if (it.len) { |
5310 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_SERVER_HELLO, illegal_parameter); |
5311 | 0 | return SECFailure; |
5312 | 0 | } |
5313 | 0 |
|
5314 | 0 | if (temp != tls13_EncodeDraftVersion(SSL_LIBRARY_VERSION_TLS_1_3, |
5315 | 0 | ss->protocolVariant)) { |
5316 | 0 | /* You cannot negotiate < TLS 1.3 with supported_versions. */ |
5317 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_SERVER_HELLO, illegal_parameter); |
5318 | 0 | return SECFailure; |
5319 | 0 | } |
5320 | 0 |
|
5321 | 0 | ss->version = SSL_LIBRARY_VERSION_TLS_1_3; |
5322 | 0 | return SECSuccess; |
5323 | 0 | } |
5324 | | |
5325 | | /* Pick the highest version we support that is also advertised. */ |
5326 | | SECStatus |
5327 | | tls13_NegotiateVersion(sslSocket *ss, const TLSExtension *supportedVersions) |
5328 | 0 | { |
5329 | 0 | PRUint16 version; |
5330 | 0 | /* Make a copy so we're nondestructive. */ |
5331 | 0 | SECItem data = supportedVersions->data; |
5332 | 0 | SECItem versions; |
5333 | 0 | SECStatus rv; |
5334 | 0 |
|
5335 | 0 | rv = ssl3_ConsumeHandshakeVariable(ss, &versions, 1, |
5336 | 0 | &data.data, &data.len); |
5337 | 0 | if (rv != SECSuccess) { |
5338 | 0 | return SECFailure; |
5339 | 0 | } |
5340 | 0 | if (data.len || !versions.len || (versions.len & 1)) { |
5341 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CLIENT_HELLO, illegal_parameter); |
5342 | 0 | return SECFailure; |
5343 | 0 | } |
5344 | 0 | for (version = ss->vrange.max; version >= ss->vrange.min; --version) { |
5345 | 0 | PRUint16 wire = tls13_EncodeDraftVersion(version, ss->protocolVariant); |
5346 | 0 | unsigned long offset; |
5347 | 0 |
|
5348 | 0 | for (offset = 0; offset < versions.len; offset += 2) { |
5349 | 0 | PRUint16 supported = |
5350 | 0 | (versions.data[offset] << 8) | versions.data[offset + 1]; |
5351 | 0 | if (supported == wire) { |
5352 | 0 | ss->version = version; |
5353 | 0 | return SECSuccess; |
5354 | 0 | } |
5355 | 0 | } |
5356 | 0 | } |
5357 | 0 |
|
5358 | 0 | FATAL_ERROR(ss, SSL_ERROR_UNSUPPORTED_VERSION, protocol_version); |
5359 | 0 | return SECFailure; |
5360 | 0 | } |
5361 | | |
5362 | | /* This is TLS 1.3 or might negotiate to it. */ |
5363 | | PRBool |
5364 | | tls13_MaybeTls13(sslSocket *ss) |
5365 | 0 | { |
5366 | 0 | if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) { |
5367 | 0 | return PR_TRUE; |
5368 | 0 | } |
5369 | 0 |
|
5370 | 0 | if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3) { |
5371 | 0 | return PR_FALSE; |
5372 | 0 | } |
5373 | 0 |
|
5374 | 0 | if (!(ss->ssl3.hs.preliminaryInfo & ssl_preinfo_version)) { |
5375 | 0 | return PR_TRUE; |
5376 | 0 | } |
5377 | 0 |
|
5378 | 0 | return PR_FALSE; |
5379 | 0 | } |