/src/nss/lib/ssl/tls13con.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ |
2 | | /* |
3 | | * TLS 1.3 Protocol |
4 | | * |
5 | | * This Source Code Form is subject to the terms of the Mozilla Public |
6 | | * License, v. 2.0. If a copy of the MPL was not distributed with this |
7 | | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
8 | | |
9 | | #include "sslt.h" |
10 | | #include "stdarg.h" |
11 | | #include "cert.h" |
12 | | #include "ssl.h" |
13 | | #include "keyhi.h" |
14 | | #include "pk11func.h" |
15 | | #include "prerr.h" |
16 | | #include "secitem.h" |
17 | | #include "secmod.h" |
18 | | #include "sslimpl.h" |
19 | | #include "sslproto.h" |
20 | | #include "sslerr.h" |
21 | | #include "ssl3exthandle.h" |
22 | | #include "tls13hkdf.h" |
23 | | #include "tls13con.h" |
24 | | #include "tls13err.h" |
25 | | #include "tls13ech.h" |
26 | | #include "tls13exthandle.h" |
27 | | #include "tls13hashstate.h" |
28 | | #include "tls13subcerts.h" |
29 | | #include "tls13psk.h" |
30 | | |
31 | | static SECStatus tls13_SetCipherSpec(sslSocket *ss, PRUint16 epoch, |
32 | | SSLSecretDirection install, |
33 | | PRBool deleteSecret); |
34 | | static SECStatus tls13_SendServerHelloSequence(sslSocket *ss); |
35 | | static SECStatus tls13_SendEncryptedExtensions(sslSocket *ss); |
36 | | static void tls13_SetKeyExchangeType(sslSocket *ss, const sslNamedGroupDef *group); |
37 | | static SECStatus tls13_HandleClientKeyShare(sslSocket *ss, |
38 | | TLS13KeyShareEntry *peerShare); |
39 | | static SECStatus tls13_SendHelloRetryRequest( |
40 | | sslSocket *ss, const sslNamedGroupDef *selectedGroup, |
41 | | const PRUint8 *token, unsigned int tokenLen); |
42 | | |
43 | | static SECStatus tls13_HandleServerKeyShare(sslSocket *ss); |
44 | | static SECStatus tls13_HandleEncryptedExtensions(sslSocket *ss, PRUint8 *b, |
45 | | PRUint32 length); |
46 | | static SECStatus tls13_SendCertificate(sslSocket *ss); |
47 | | static SECStatus tls13_HandleCertificateDecode( |
48 | | sslSocket *ss, PRUint8 *b, PRUint32 length); |
49 | | static SECStatus tls13_HandleCertificate( |
50 | | sslSocket *ss, PRUint8 *b, PRUint32 length, PRBool alreadyHashed); |
51 | | static SECStatus tls13_ReinjectHandshakeTranscript(sslSocket *ss); |
52 | | static SECStatus tls13_SendCertificateRequest(sslSocket *ss); |
53 | | static SECStatus tls13_HandleCertificateRequest(sslSocket *ss, PRUint8 *b, |
54 | | PRUint32 length); |
55 | | static SECStatus |
56 | | tls13_SendCertificateVerify(sslSocket *ss, SECKEYPrivateKey *privKey); |
57 | | static SECStatus tls13_HandleCertificateVerify( |
58 | | sslSocket *ss, PRUint8 *b, PRUint32 length); |
59 | | static SECStatus tls13_RecoverWrappedSharedSecret(sslSocket *ss, |
60 | | sslSessionID *sid); |
61 | | static SECStatus |
62 | | tls13_DeriveSecretWrap(sslSocket *ss, PK11SymKey *key, |
63 | | const char *prefix, |
64 | | const char *suffix, |
65 | | const char *keylogLabel, |
66 | | PK11SymKey **dest); |
67 | | SECStatus |
68 | | tls13_DeriveSecret(sslSocket *ss, PK11SymKey *key, |
69 | | const char *label, |
70 | | unsigned int labelLen, |
71 | | const SSL3Hashes *hashes, |
72 | | PK11SymKey **dest, |
73 | | SSLHashType hash); |
74 | | static SECStatus tls13_SendEndOfEarlyData(sslSocket *ss); |
75 | | static SECStatus tls13_HandleEndOfEarlyData(sslSocket *ss, const PRUint8 *b, |
76 | | PRUint32 length); |
77 | | static SECStatus tls13_MaybeHandleSuppressedEndOfEarlyData(sslSocket *ss); |
78 | | static SECStatus tls13_SendFinished(sslSocket *ss, PK11SymKey *baseKey); |
79 | | static SECStatus tls13_ComputePskBinderHash(sslSocket *ss, PRUint8 *b, size_t length, |
80 | | SSL3Hashes *hashes, SSLHashType type); |
81 | | static SECStatus tls13_VerifyFinished(sslSocket *ss, SSLHandshakeType message, |
82 | | PK11SymKey *secret, |
83 | | PRUint8 *b, PRUint32 length, |
84 | | const SSL3Hashes *hashes); |
85 | | static SECStatus tls13_ClientHandleFinished(sslSocket *ss, |
86 | | PRUint8 *b, PRUint32 length); |
87 | | static SECStatus tls13_ServerHandleFinished(sslSocket *ss, |
88 | | PRUint8 *b, PRUint32 length); |
89 | | static SECStatus tls13_SendNewSessionTicket(sslSocket *ss, |
90 | | const PRUint8 *appToken, |
91 | | unsigned int appTokenLen); |
92 | | static SECStatus tls13_HandleNewSessionTicket(sslSocket *ss, PRUint8 *b, |
93 | | PRUint32 length); |
94 | | static SECStatus tls13_ComputeEarlySecretsWithPsk(sslSocket *ss); |
95 | | static SECStatus tls13_ComputeHandshakeSecrets(sslSocket *ss); |
96 | | static SECStatus tls13_ComputeApplicationSecrets(sslSocket *ss); |
97 | | static SECStatus tls13_ComputeFinalSecrets(sslSocket *ss); |
98 | | static SECStatus tls13_ComputeFinished( |
99 | | sslSocket *ss, PK11SymKey *baseKey, SSLHashType hashType, |
100 | | const SSL3Hashes *hashes, PRBool sending, PRUint8 *output, |
101 | | unsigned int *outputLen, unsigned int maxOutputLen); |
102 | | static SECStatus tls13_SendClientSecondRound(sslSocket *ss); |
103 | | static SECStatus tls13_SendClientSecondFlight(sslSocket *ss); |
104 | | static SECStatus tls13_FinishHandshake(sslSocket *ss); |
105 | | |
106 | | const char kHkdfLabelClient[] = "c"; |
107 | | const char kHkdfLabelServer[] = "s"; |
108 | | const char kHkdfLabelDerivedSecret[] = "derived"; |
109 | | const char kHkdfLabelResPskBinderKey[] = "res binder"; |
110 | | const char kHkdfLabelExtPskBinderKey[] = "ext binder"; |
111 | | const char kHkdfLabelEarlyTrafficSecret[] = "e traffic"; |
112 | | const char kHkdfLabelEarlyExporterSecret[] = "e exp master"; |
113 | | const char kHkdfLabelHandshakeTrafficSecret[] = "hs traffic"; |
114 | | const char kHkdfLabelApplicationTrafficSecret[] = "ap traffic"; |
115 | | const char kHkdfLabelFinishedSecret[] = "finished"; |
116 | | const char kHkdfLabelResumptionMasterSecret[] = "res master"; |
117 | | const char kHkdfLabelExporterMasterSecret[] = "exp master"; |
118 | | const char kHkdfLabelResumption[] = "resumption"; |
119 | | const char kHkdfLabelTrafficUpdate[] = "traffic upd"; |
120 | | const char kHkdfPurposeKey[] = "key"; |
121 | | const char kHkdfPurposeSn[] = "sn"; |
122 | | const char kHkdfPurposeIv[] = "iv"; |
123 | | |
124 | | const char keylogLabelClientEarlyTrafficSecret[] = "CLIENT_EARLY_TRAFFIC_SECRET"; |
125 | | const char keylogLabelClientHsTrafficSecret[] = "CLIENT_HANDSHAKE_TRAFFIC_SECRET"; |
126 | | const char keylogLabelServerHsTrafficSecret[] = "SERVER_HANDSHAKE_TRAFFIC_SECRET"; |
127 | | const char keylogLabelClientTrafficSecret[] = "CLIENT_TRAFFIC_SECRET_0"; |
128 | | const char keylogLabelServerTrafficSecret[] = "SERVER_TRAFFIC_SECRET_0"; |
129 | | const char keylogLabelEarlyExporterSecret[] = "EARLY_EXPORTER_SECRET"; |
130 | | const char keylogLabelExporterSecret[] = "EXPORTER_SECRET"; |
131 | | |
132 | | /* Belt and suspenders in case we ever add a TLS 1.4. */ |
133 | | PR_STATIC_ASSERT(SSL_LIBRARY_VERSION_MAX_SUPPORTED <= |
134 | | SSL_LIBRARY_VERSION_TLS_1_3); |
135 | | |
136 | | void |
137 | | tls13_FatalError(sslSocket *ss, PRErrorCode prError, SSL3AlertDescription desc) |
138 | 1.39k | { |
139 | 1.39k | PORT_Assert(desc != internal_error); /* These should never happen */ |
140 | 1.39k | (void)SSL3_SendAlert(ss, alert_fatal, desc); |
141 | 1.39k | PORT_SetError(prError); |
142 | 1.39k | } |
143 | | |
144 | | #ifdef TRACE |
145 | | #define STATE_CASE(a) \ |
146 | 1.68k | case a: \ |
147 | 1.68k | return #a |
148 | | static char * |
149 | | tls13_HandshakeState(SSL3WaitState st) |
150 | 1.68k | { |
151 | 1.68k | switch (st) { |
152 | 4 | STATE_CASE(idle_handshake); |
153 | 0 | STATE_CASE(wait_client_hello); |
154 | 0 | STATE_CASE(wait_end_of_early_data); |
155 | 464 | STATE_CASE(wait_client_cert); |
156 | 0 | STATE_CASE(wait_client_key); |
157 | 0 | STATE_CASE(wait_cert_verify); |
158 | 0 | STATE_CASE(wait_change_cipher); |
159 | 275 | STATE_CASE(wait_finished); |
160 | 0 | STATE_CASE(wait_server_hello); |
161 | 0 | STATE_CASE(wait_certificate_status); |
162 | 0 | STATE_CASE(wait_server_cert); |
163 | 0 | STATE_CASE(wait_server_key); |
164 | 0 | STATE_CASE(wait_cert_request); |
165 | 0 | STATE_CASE(wait_hello_done); |
166 | 0 | STATE_CASE(wait_new_session_ticket); |
167 | 942 | STATE_CASE(wait_encrypted_extensions); |
168 | 0 | default: |
169 | 0 | break; |
170 | 1.68k | } |
171 | 0 | PORT_Assert(0); |
172 | 0 | return "unknown"; |
173 | 1.68k | } |
174 | | #endif |
175 | | |
176 | 4.70k | #define TLS13_WAIT_STATE_MASK 0x80 |
177 | | |
178 | | #define TLS13_BASE_WAIT_STATE(ws) (ws & ~TLS13_WAIT_STATE_MASK) |
179 | | /* We don't mask idle_handshake because other parts of the code use it*/ |
180 | 2.68k | #define TLS13_WAIT_STATE(ws) (((ws == idle_handshake) || (ws == wait_server_hello)) ? ws : ws | TLS13_WAIT_STATE_MASK) |
181 | | #define TLS13_CHECK_HS_STATE(ss, err, ...) \ |
182 | 350 | tls13_CheckHsState(ss, err, #err, __func__, __FILE__, __LINE__, \ |
183 | 350 | __VA_ARGS__, \ |
184 | 350 | wait_invalid) |
185 | | void |
186 | | tls13_SetHsState(sslSocket *ss, SSL3WaitState ws, |
187 | | const char *func, const char *file, int line) |
188 | 1.68k | { |
189 | 1.68k | #ifdef TRACE |
190 | 1.68k | const char *new_state_name = |
191 | 1.68k | tls13_HandshakeState(ws); |
192 | | |
193 | 1.68k | SSL_TRC(3, ("%d: TLS13[%d]: %s state change from %s->%s in %s (%s:%d)", |
194 | 1.68k | SSL_GETPID(), ss->fd, SSL_ROLE(ss), |
195 | 1.68k | tls13_HandshakeState(TLS13_BASE_WAIT_STATE(ss->ssl3.hs.ws)), |
196 | 1.68k | new_state_name, |
197 | 1.68k | func, file, line)); |
198 | 1.68k | #endif |
199 | | |
200 | 1.68k | ss->ssl3.hs.ws = TLS13_WAIT_STATE(ws); |
201 | 1.68k | } |
202 | | |
203 | | static PRBool |
204 | | tls13_InHsStateV(sslSocket *ss, va_list ap) |
205 | 997 | { |
206 | 997 | SSL3WaitState ws; |
207 | | |
208 | 1.44k | while ((ws = va_arg(ap, SSL3WaitState)) != wait_invalid) { |
209 | 999 | if (TLS13_WAIT_STATE(ws) == ss->ssl3.hs.ws) { |
210 | 550 | return PR_TRUE; |
211 | 550 | } |
212 | 999 | } |
213 | 447 | return PR_FALSE; |
214 | 997 | } |
215 | | |
216 | | PRBool |
217 | | tls13_InHsState(sslSocket *ss, ...) |
218 | 647 | { |
219 | 647 | PRBool found; |
220 | 647 | va_list ap; |
221 | | |
222 | 647 | va_start(ap, ss); |
223 | 647 | found = tls13_InHsStateV(ss, ap); |
224 | 647 | va_end(ap); |
225 | | |
226 | 647 | return found; |
227 | 647 | } |
228 | | |
229 | | static SECStatus |
230 | | tls13_CheckHsState(sslSocket *ss, int err, const char *error_name, |
231 | | const char *func, const char *file, int line, |
232 | | ...) |
233 | 350 | { |
234 | 350 | va_list ap; |
235 | 350 | va_start(ap, line); |
236 | 350 | if (tls13_InHsStateV(ss, ap)) { |
237 | 20 | va_end(ap); |
238 | 20 | return SECSuccess; |
239 | 20 | } |
240 | 330 | va_end(ap); |
241 | | |
242 | 330 | SSL_TRC(3, ("%d: TLS13[%d]: error %s state is (%s) at %s (%s:%d)", |
243 | 330 | SSL_GETPID(), ss->fd, |
244 | 330 | error_name, |
245 | 330 | tls13_HandshakeState(TLS13_BASE_WAIT_STATE(ss->ssl3.hs.ws)), |
246 | 330 | func, file, line)); |
247 | 330 | tls13_FatalError(ss, err, unexpected_message); |
248 | 330 | return SECFailure; |
249 | 350 | } |
250 | | |
251 | | PRBool |
252 | | tls13_IsPostHandshake(const sslSocket *ss) |
253 | 57.5k | { |
254 | 57.5k | return ss->version >= SSL_LIBRARY_VERSION_TLS_1_3 && ss->firstHsDone; |
255 | 57.5k | } |
256 | | |
257 | | SSLHashType |
258 | | tls13_GetHashForCipherSuite(ssl3CipherSuite suite) |
259 | 0 | { |
260 | 0 | const ssl3CipherSuiteDef *cipherDef = |
261 | 0 | ssl_LookupCipherSuiteDef(suite); |
262 | 0 | PORT_Assert(cipherDef); |
263 | 0 | if (!cipherDef) { |
264 | 0 | return ssl_hash_none; |
265 | 0 | } |
266 | 0 | return cipherDef->prf_hash; |
267 | 0 | } |
268 | | |
269 | | SSLHashType |
270 | | tls13_GetHash(const sslSocket *ss) |
271 | 32.7k | { |
272 | | /* suite_def may not be set yet when doing EPSK 0-Rtt. */ |
273 | 32.7k | if (!ss->ssl3.hs.suite_def) { |
274 | 0 | if (ss->xtnData.selectedPsk) { |
275 | 0 | return ss->xtnData.selectedPsk->hash; |
276 | 0 | } |
277 | | /* This should never happen. */ |
278 | 0 | PORT_Assert(0); |
279 | 0 | return ssl_hash_none; |
280 | 0 | } |
281 | | |
282 | | /* All TLS 1.3 cipher suites must have an explict PRF hash. */ |
283 | 32.7k | PORT_Assert(ss->ssl3.hs.suite_def->prf_hash != ssl_hash_none); |
284 | 32.7k | return ss->ssl3.hs.suite_def->prf_hash; |
285 | 32.7k | } |
286 | | |
287 | | SECStatus |
288 | | tls13_GetHashAndCipher(PRUint16 version, PRUint16 cipherSuite, |
289 | | SSLHashType *hash, const ssl3BulkCipherDef **cipher) |
290 | 0 | { |
291 | 0 | if (version < SSL_LIBRARY_VERSION_TLS_1_3) { |
292 | 0 | PORT_SetError(SEC_ERROR_INVALID_ARGS); |
293 | 0 | return SECFailure; |
294 | 0 | } |
295 | | |
296 | | // Lookup and check the suite. |
297 | 0 | SSLVersionRange vrange = { version, version }; |
298 | 0 | if (!ssl3_CipherSuiteAllowedForVersionRange(cipherSuite, &vrange)) { |
299 | 0 | PORT_SetError(SEC_ERROR_INVALID_ARGS); |
300 | 0 | return SECFailure; |
301 | 0 | } |
302 | 0 | const ssl3CipherSuiteDef *suiteDef = ssl_LookupCipherSuiteDef(cipherSuite); |
303 | 0 | const ssl3BulkCipherDef *cipherDef = ssl_GetBulkCipherDef(suiteDef); |
304 | 0 | if (cipherDef->type != type_aead) { |
305 | 0 | PORT_SetError(SEC_ERROR_INVALID_ARGS); |
306 | 0 | return SECFailure; |
307 | 0 | } |
308 | 0 | *hash = suiteDef->prf_hash; |
309 | 0 | if (cipher != NULL) { |
310 | 0 | *cipher = cipherDef; |
311 | 0 | } |
312 | 0 | return SECSuccess; |
313 | 0 | } |
314 | | |
315 | | unsigned int |
316 | | tls13_GetHashSizeForHash(SSLHashType hash) |
317 | 23.7k | { |
318 | 23.7k | switch (hash) { |
319 | 14.4k | case ssl_hash_sha256: |
320 | 14.4k | return 32; |
321 | 9.37k | case ssl_hash_sha384: |
322 | 9.37k | return 48; |
323 | 0 | default: |
324 | 0 | PORT_Assert(0); |
325 | 23.7k | } |
326 | 0 | return 32; |
327 | 23.7k | } |
328 | | |
329 | | unsigned int |
330 | | tls13_GetHashSize(const sslSocket *ss) |
331 | 8.09k | { |
332 | 8.09k | return tls13_GetHashSizeForHash(tls13_GetHash(ss)); |
333 | 8.09k | } |
334 | | |
335 | | static CK_MECHANISM_TYPE |
336 | | tls13_GetHmacMechanismFromHash(SSLHashType hashType) |
337 | 1.49k | { |
338 | 1.49k | switch (hashType) { |
339 | 704 | case ssl_hash_sha256: |
340 | 704 | return CKM_SHA256_HMAC; |
341 | 793 | case ssl_hash_sha384: |
342 | 793 | return CKM_SHA384_HMAC; |
343 | 0 | default: |
344 | 0 | PORT_Assert(0); |
345 | 1.49k | } |
346 | 0 | return CKM_SHA256_HMAC; |
347 | 1.49k | } |
348 | | |
349 | | static CK_MECHANISM_TYPE |
350 | | tls13_GetHmacMechanism(const sslSocket *ss) |
351 | 11 | { |
352 | 11 | return tls13_GetHmacMechanismFromHash(tls13_GetHash(ss)); |
353 | 11 | } |
354 | | |
355 | | SECStatus |
356 | | tls13_ComputeHash(sslSocket *ss, SSL3Hashes *hashes, |
357 | | const PRUint8 *buf, unsigned int len, |
358 | | SSLHashType hash) |
359 | 4.52k | { |
360 | 4.52k | SECStatus rv; |
361 | | |
362 | 4.52k | rv = PK11_HashBuf(ssl3_HashTypeToOID(hash), hashes->u.raw, buf, len); |
363 | 4.52k | if (rv != SECSuccess) { |
364 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
365 | 0 | return SECFailure; |
366 | 0 | } |
367 | 4.52k | hashes->len = tls13_GetHashSizeForHash(hash); |
368 | | |
369 | 4.52k | return SECSuccess; |
370 | 4.52k | } |
371 | | |
372 | | static SECStatus |
373 | | tls13_CreateKEMKeyPair(sslSocket *ss, const sslNamedGroupDef *groupDef, |
374 | | sslKeyPair **outKeyPair) |
375 | 0 | { |
376 | 0 | PORT_Assert(groupDef); |
377 | 0 | if (groupDef->name != ssl_grp_kem_xyber768d00) { |
378 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
379 | 0 | return SECFailure; |
380 | 0 | } |
381 | | |
382 | 0 | sslKeyPair *keyPair = NULL; |
383 | 0 | SECKEYPrivateKey *privKey = NULL; |
384 | 0 | SECKEYPublicKey *pubKey = NULL; |
385 | 0 | CK_MECHANISM_TYPE mechanism = CKM_NSS_KYBER_KEY_PAIR_GEN; |
386 | 0 | CK_NSS_KEM_PARAMETER_SET_TYPE paramSet = CKP_NSS_KYBER_768_ROUND3; |
387 | |
|
388 | 0 | PK11SlotInfo *slot = PK11_GetBestSlot(mechanism, ss->pkcs11PinArg); |
389 | 0 | if (!slot) { |
390 | 0 | goto loser; |
391 | 0 | } |
392 | | |
393 | 0 | privKey = PK11_GenerateKeyPairWithOpFlags(slot, mechanism, |
394 | 0 | ¶mSet, &pubKey, PK11_ATTR_SESSION | PK11_ATTR_SENSITIVE | PK11_ATTR_PRIVATE, |
395 | 0 | CKF_DERIVE, CKF_DERIVE, ss->pkcs11PinArg); |
396 | 0 | PK11_FreeSlot(slot); |
397 | 0 | if (!privKey || !pubKey) { |
398 | 0 | goto loser; |
399 | 0 | } |
400 | | |
401 | 0 | keyPair = ssl_NewKeyPair(privKey, pubKey); |
402 | 0 | if (!keyPair) { |
403 | 0 | goto loser; |
404 | 0 | } |
405 | | |
406 | 0 | SSL_TRC(50, ("%d: SSL[%d]: Create Kyber ephemeral key %d", |
407 | 0 | SSL_GETPID(), ss ? ss->fd : NULL, groupDef->name)); |
408 | 0 | PRINT_BUF(50, (ss, "Public Key", pubKey->u.kyber.publicValue.data, |
409 | 0 | pubKey->u.kyber.publicValue.len)); |
410 | 0 | #ifdef TRACE |
411 | 0 | if (ssl_trace >= 50) { |
412 | 0 | SECItem d = { siBuffer, NULL, 0 }; |
413 | 0 | SECStatus rv = PK11_ReadRawAttribute(PK11_TypePrivKey, privKey, CKA_VALUE, &d); |
414 | 0 | if (rv == SECSuccess) { |
415 | 0 | PRINT_BUF(50, (ss, "Private Key", d.data, d.len)); |
416 | 0 | SECITEM_FreeItem(&d, PR_FALSE); |
417 | 0 | } else { |
418 | 0 | SSL_TRC(50, ("Error extracting private key")); |
419 | 0 | } |
420 | 0 | } |
421 | 0 | #endif |
422 | |
|
423 | 0 | *outKeyPair = keyPair; |
424 | 0 | return SECSuccess; |
425 | | |
426 | 0 | loser: |
427 | 0 | SECKEY_DestroyPrivateKey(privKey); |
428 | 0 | SECKEY_DestroyPublicKey(pubKey); |
429 | 0 | ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL); |
430 | 0 | return SECFailure; |
431 | 0 | } |
432 | | |
433 | | SECStatus |
434 | | tls13_CreateKeyShare(sslSocket *ss, const sslNamedGroupDef *groupDef, |
435 | | sslEphemeralKeyPair **outKeyPair) |
436 | 21.1k | { |
437 | 21.1k | SECStatus rv; |
438 | 21.1k | const ssl3DHParams *params; |
439 | 21.1k | sslEphemeralKeyPair *keyPair = NULL; |
440 | | |
441 | 21.1k | PORT_Assert(groupDef); |
442 | 21.1k | switch (groupDef->keaType) { |
443 | 0 | case ssl_kea_ecdh_hybrid: |
444 | 0 | if (groupDef->name != ssl_grp_kem_xyber768d00) { |
445 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
446 | 0 | return SECFailure; |
447 | 0 | } |
448 | 0 | rv = ssl_CreateECDHEphemeralKeyPair(ss, ssl_LookupNamedGroup(ssl_grp_ec_curve25519), &keyPair); |
449 | 0 | if (rv != SECSuccess) { |
450 | 0 | return SECFailure; |
451 | 0 | } |
452 | 0 | keyPair->group = groupDef; |
453 | 0 | break; |
454 | 19.9k | case ssl_kea_ecdh: |
455 | 19.9k | rv = ssl_CreateECDHEphemeralKeyPair(ss, groupDef, &keyPair); |
456 | 19.9k | if (rv != SECSuccess) { |
457 | 0 | return SECFailure; |
458 | 0 | } |
459 | 19.9k | break; |
460 | 19.9k | case ssl_kea_dh: |
461 | 1.17k | params = ssl_GetDHEParams(groupDef); |
462 | 1.17k | PORT_Assert(params->name != ssl_grp_ffdhe_custom); |
463 | 1.17k | rv = ssl_CreateDHEKeyPair(groupDef, params, &keyPair); |
464 | 1.17k | if (rv != SECSuccess) { |
465 | 0 | return SECFailure; |
466 | 0 | } |
467 | 1.17k | break; |
468 | 1.17k | default: |
469 | 0 | PORT_Assert(0); |
470 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
471 | 0 | return SECFailure; |
472 | 21.1k | } |
473 | | |
474 | | // If we're creating an ECDH + KEM hybrid share and we're the client, then |
475 | | // we still need to generate the KEM key pair. Otherwise we're done. |
476 | 21.1k | if (groupDef->keaType == ssl_kea_ecdh_hybrid && !ss->sec.isServer) { |
477 | 0 | rv = tls13_CreateKEMKeyPair(ss, groupDef, &keyPair->kemKeys); |
478 | 0 | if (rv != SECSuccess) { |
479 | 0 | ssl_FreeEphemeralKeyPair(keyPair); |
480 | 0 | return SECFailure; |
481 | 0 | } |
482 | 0 | } |
483 | | |
484 | 21.1k | *outKeyPair = keyPair; |
485 | 21.1k | return SECSuccess; |
486 | 21.1k | } |
487 | | |
488 | | SECStatus |
489 | | tls13_AddKeyShare(sslSocket *ss, const sslNamedGroupDef *groupDef) |
490 | 21.1k | { |
491 | 21.1k | sslEphemeralKeyPair *keyPair = NULL; |
492 | 21.1k | SECStatus rv; |
493 | | |
494 | 21.1k | rv = tls13_CreateKeyShare(ss, groupDef, &keyPair); |
495 | 21.1k | if (rv != SECSuccess) { |
496 | 0 | return SECFailure; |
497 | 0 | } |
498 | 21.1k | PR_APPEND_LINK(&keyPair->link, &ss->ephemeralKeyPairs); |
499 | 21.1k | return SECSuccess; |
500 | 21.1k | } |
501 | | |
502 | | SECStatus |
503 | | SSL_SendAdditionalKeyShares(PRFileDesc *fd, unsigned int count) |
504 | 0 | { |
505 | 0 | sslSocket *ss = ssl_FindSocket(fd); |
506 | 0 | if (!ss) { |
507 | 0 | PORT_SetError(SEC_ERROR_INVALID_ARGS); |
508 | 0 | return SECFailure; |
509 | 0 | } |
510 | | |
511 | 0 | ss->additionalShares = count; |
512 | 0 | return SECSuccess; |
513 | 0 | } |
514 | | |
515 | | /* |
516 | | * Generate shares for ECDHE and FFDHE. This picks the first enabled group of |
517 | | * the requisite type and creates a share for that. |
518 | | * |
519 | | * Called from ssl3_SendClientHello. |
520 | | */ |
521 | | SECStatus |
522 | | tls13_SetupClientHello(sslSocket *ss, sslClientHelloType chType) |
523 | 24.5k | { |
524 | 24.5k | unsigned int i; |
525 | 24.5k | SSL3Statistics *ssl3stats = SSL_GetStatistics(); |
526 | 24.5k | NewSessionTicket *session_ticket = NULL; |
527 | 24.5k | sslSessionID *sid = ss->sec.ci.sid; |
528 | 24.5k | unsigned int numShares = 0; |
529 | 24.5k | SECStatus rv; |
530 | | |
531 | 24.5k | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
532 | 24.5k | PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
533 | | |
534 | 24.5k | rv = tls13_ClientSetupEch(ss, chType); |
535 | 24.5k | if (rv != SECSuccess) { |
536 | 0 | return SECFailure; |
537 | 0 | } |
538 | | |
539 | | /* Everything below here is only run on the first CH. */ |
540 | 24.5k | if (chType != client_hello_initial) { |
541 | 5.29k | return SECSuccess; |
542 | 5.29k | } |
543 | | |
544 | 19.2k | rv = tls13_ClientGreaseSetup(ss); |
545 | 19.2k | if (rv != SECSuccess) { |
546 | 0 | return SECFailure; |
547 | 0 | } |
548 | | |
549 | | /* Select the first enabled group. |
550 | | * TODO(ekr@rtfm.com): be smarter about offering the group |
551 | | * that the other side negotiated if we are resuming. */ |
552 | 19.2k | PORT_Assert(PR_CLIST_IS_EMPTY(&ss->ephemeralKeyPairs)); |
553 | 19.2k | for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) { |
554 | 19.2k | if (!ss->namedGroupPreferences[i]) { |
555 | 0 | continue; |
556 | 0 | } |
557 | 19.2k | rv = tls13_AddKeyShare(ss, ss->namedGroupPreferences[i]); |
558 | 19.2k | if (rv != SECSuccess) { |
559 | 0 | return SECFailure; |
560 | 0 | } |
561 | 19.2k | if (++numShares > ss->additionalShares) { |
562 | 19.2k | break; |
563 | 19.2k | } |
564 | 19.2k | } |
565 | | |
566 | 19.2k | if (PR_CLIST_IS_EMPTY(&ss->ephemeralKeyPairs)) { |
567 | 0 | PORT_SetError(SSL_ERROR_NO_CIPHERS_SUPPORTED); |
568 | 0 | return SECFailure; |
569 | 0 | } |
570 | | |
571 | | /* Try to do stateless resumption, if we can. */ |
572 | 19.2k | if (sid->cached != never_cached && |
573 | 19.2k | sid->version >= SSL_LIBRARY_VERSION_TLS_1_3) { |
574 | | /* The caller must be holding sid->u.ssl3.lock for reading. */ |
575 | 0 | session_ticket = &sid->u.ssl3.locked.sessionTicket; |
576 | 0 | PORT_Assert(session_ticket && session_ticket->ticket.data); |
577 | |
|
578 | 0 | if (ssl_TicketTimeValid(ss, session_ticket)) { |
579 | 0 | ss->statelessResume = PR_TRUE; |
580 | 0 | } |
581 | |
|
582 | 0 | if (ss->statelessResume) { |
583 | 0 | PORT_Assert(ss->sec.ci.sid); |
584 | 0 | rv = tls13_RecoverWrappedSharedSecret(ss, ss->sec.ci.sid); |
585 | 0 | if (rv != SECSuccess) { |
586 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
587 | 0 | SSL_AtomicIncrementLong(&ssl3stats->sch_sid_cache_not_ok); |
588 | 0 | ssl_UncacheSessionID(ss); |
589 | 0 | ssl_FreeSID(ss->sec.ci.sid); |
590 | 0 | ss->sec.ci.sid = NULL; |
591 | 0 | return SECFailure; |
592 | 0 | } |
593 | | |
594 | 0 | ss->ssl3.hs.cipher_suite = ss->sec.ci.sid->u.ssl3.cipherSuite; |
595 | 0 | rv = ssl3_SetupCipherSuite(ss, PR_FALSE); |
596 | 0 | if (rv != SECSuccess) { |
597 | 0 | FATAL_ERROR(ss, PORT_GetError(), internal_error); |
598 | 0 | return SECFailure; |
599 | 0 | } |
600 | 0 | PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks)); |
601 | 0 | } |
602 | 0 | } |
603 | | |
604 | | /* Derive the binder keys if any PSKs. */ |
605 | 19.2k | if (!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks)) { |
606 | | /* If an External PSK specified a suite, use that. */ |
607 | 0 | sslPsk *psk = (sslPsk *)PR_LIST_HEAD(&ss->ssl3.hs.psks); |
608 | 0 | if (!ss->statelessResume && |
609 | 0 | psk->type == ssl_psk_external && |
610 | 0 | psk->zeroRttSuite != TLS_NULL_WITH_NULL_NULL) { |
611 | 0 | ss->ssl3.hs.cipher_suite = psk->zeroRttSuite; |
612 | 0 | } |
613 | |
|
614 | 0 | rv = tls13_ComputeEarlySecretsWithPsk(ss); |
615 | 0 | if (rv != SECSuccess) { |
616 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
617 | 0 | return SECFailure; |
618 | 0 | } |
619 | 0 | } |
620 | | |
621 | 19.2k | return SECSuccess; |
622 | 19.2k | } |
623 | | |
624 | | static SECStatus |
625 | | tls13_ImportDHEKeyShare(SECKEYPublicKey *peerKey, |
626 | | PRUint8 *b, PRUint32 length, |
627 | | SECKEYPublicKey *pubKey) |
628 | 1.05k | { |
629 | 1.05k | SECStatus rv; |
630 | 1.05k | SECItem publicValue = { siBuffer, NULL, 0 }; |
631 | | |
632 | 1.05k | publicValue.data = b; |
633 | 1.05k | publicValue.len = length; |
634 | 1.05k | if (!ssl_IsValidDHEShare(&pubKey->u.dh.prime, &publicValue)) { |
635 | 7 | PORT_SetError(SSL_ERROR_RX_MALFORMED_DHE_KEY_SHARE); |
636 | 7 | return SECFailure; |
637 | 7 | } |
638 | | |
639 | 1.04k | peerKey->keyType = dhKey; |
640 | 1.04k | rv = SECITEM_CopyItem(peerKey->arena, &peerKey->u.dh.prime, |
641 | 1.04k | &pubKey->u.dh.prime); |
642 | 1.04k | if (rv != SECSuccess) |
643 | 0 | return SECFailure; |
644 | 1.04k | rv = SECITEM_CopyItem(peerKey->arena, &peerKey->u.dh.base, |
645 | 1.04k | &pubKey->u.dh.base); |
646 | 1.04k | if (rv != SECSuccess) |
647 | 0 | return SECFailure; |
648 | 1.04k | rv = SECITEM_CopyItem(peerKey->arena, &peerKey->u.dh.publicValue, |
649 | 1.04k | &publicValue); |
650 | 1.04k | if (rv != SECSuccess) |
651 | 0 | return SECFailure; |
652 | | |
653 | 1.04k | return SECSuccess; |
654 | 1.04k | } |
655 | | |
656 | | static SECStatus |
657 | | tls13_ImportKEMKeyShare(SECKEYPublicKey *peerKey, TLS13KeyShareEntry *entry) |
658 | 0 | { |
659 | 0 | SECItem pk = { siBuffer, NULL, 0 }; |
660 | 0 | SECStatus rv; |
661 | |
|
662 | 0 | if (entry->group->name != ssl_grp_kem_xyber768d00) { |
663 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
664 | 0 | return SECFailure; |
665 | 0 | } |
666 | | |
667 | 0 | if (entry->key_exchange.len != X25519_PUBLIC_KEY_BYTES + KYBER768_PUBLIC_KEY_BYTES) { |
668 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_HYBRID_KEY_SHARE); |
669 | 0 | return SECFailure; |
670 | 0 | } |
671 | 0 | pk.data = entry->key_exchange.data + X25519_PUBLIC_KEY_BYTES; |
672 | 0 | pk.len = entry->key_exchange.len - X25519_PUBLIC_KEY_BYTES; |
673 | |
|
674 | 0 | peerKey->keyType = kyberKey; |
675 | 0 | peerKey->u.kyber.params = params_kyber768_round3; |
676 | |
|
677 | 0 | rv = SECITEM_CopyItem(peerKey->arena, &peerKey->u.kyber.publicValue, &pk); |
678 | 0 | if (rv != SECSuccess) { |
679 | 0 | PORT_SetError(SEC_ERROR_NO_MEMORY); |
680 | 0 | return SECFailure; |
681 | 0 | } |
682 | | |
683 | 0 | return SECSuccess; |
684 | 0 | } |
685 | | |
686 | | static SECStatus |
687 | | tls13_HandleKEMCiphertext(sslSocket *ss, TLS13KeyShareEntry *entry, sslKeyPair *keyPair, PK11SymKey **outKey) |
688 | 0 | { |
689 | 0 | SECItem ct = { siBuffer, NULL, 0 }; |
690 | 0 | SECStatus rv; |
691 | |
|
692 | 0 | switch (entry->group->name) { |
693 | 0 | case ssl_grp_kem_xyber768d00: |
694 | 0 | if (entry->key_exchange.len != X25519_PUBLIC_KEY_BYTES + KYBER768_CIPHERTEXT_BYTES) { |
695 | 0 | ssl_MapLowLevelError(SSL_ERROR_RX_MALFORMED_HYBRID_KEY_SHARE); |
696 | 0 | return SECFailure; |
697 | 0 | } |
698 | 0 | ct.data = entry->key_exchange.data + X25519_PUBLIC_KEY_BYTES; |
699 | 0 | ct.len = entry->key_exchange.len - X25519_PUBLIC_KEY_BYTES; |
700 | 0 | break; |
701 | 0 | default: |
702 | 0 | PORT_Assert(0); |
703 | 0 | ssl_MapLowLevelError(SEC_ERROR_LIBRARY_FAILURE); |
704 | 0 | return SECFailure; |
705 | 0 | } |
706 | | |
707 | 0 | rv = PK11_Decapsulate(keyPair->privKey, &ct, CKM_HKDF_DERIVE, PK11_ATTR_SESSION | PK11_ATTR_SENSITIVE, CKF_DERIVE, outKey); |
708 | 0 | if (rv != SECSuccess) { |
709 | 0 | ssl_MapLowLevelError(SSL_ERROR_KEY_EXCHANGE_FAILURE); |
710 | 0 | } |
711 | 0 | return rv; |
712 | 0 | } |
713 | | |
714 | | static SECStatus |
715 | | tls13_HandleKEMKey(sslSocket *ss, |
716 | | TLS13KeyShareEntry *entry, |
717 | | PK11SymKey **key, |
718 | | SECItem **ciphertext) |
719 | 0 | { |
720 | 0 | PORTCheapArenaPool arena; |
721 | 0 | SECKEYPublicKey *peerKey; |
722 | 0 | CK_OBJECT_HANDLE handle; |
723 | 0 | SECStatus rv; |
724 | |
|
725 | 0 | PORT_InitCheapArena(&arena, DER_DEFAULT_CHUNKSIZE); |
726 | 0 | peerKey = PORT_ArenaZNew(&arena.arena, SECKEYPublicKey); |
727 | 0 | if (peerKey == NULL) { |
728 | 0 | goto loser; |
729 | 0 | } |
730 | 0 | peerKey->arena = &arena.arena; |
731 | 0 | peerKey->pkcs11Slot = NULL; |
732 | 0 | peerKey->pkcs11ID = CK_INVALID_HANDLE; |
733 | |
|
734 | 0 | rv = tls13_ImportKEMKeyShare(peerKey, entry); |
735 | 0 | if (rv != SECSuccess) { |
736 | 0 | goto loser; |
737 | 0 | } |
738 | | |
739 | 0 | PK11SlotInfo *slot = PK11_GetBestSlot(CKM_NSS_KYBER, ss->pkcs11PinArg); |
740 | 0 | if (!slot) { |
741 | 0 | goto loser; |
742 | 0 | } |
743 | | |
744 | 0 | handle = PK11_ImportPublicKey(slot, peerKey, PR_FALSE); |
745 | 0 | PK11_FreeSlot(slot); /* peerKey holds a slot reference on success. */ |
746 | 0 | if (handle == CK_INVALID_HANDLE) { |
747 | 0 | goto loser; |
748 | 0 | } |
749 | | |
750 | 0 | rv = PK11_Encapsulate(peerKey, |
751 | 0 | CKM_HKDF_DERIVE, PK11_ATTR_SESSION | PK11_ATTR_SENSITIVE | PK11_ATTR_PRIVATE, |
752 | 0 | CKF_DERIVE, key, ciphertext); |
753 | | |
754 | | /* Destroy the imported public key */ |
755 | 0 | PORT_Assert(peerKey->pkcs11Slot); |
756 | 0 | PK11_DestroyObject(peerKey->pkcs11Slot, peerKey->pkcs11ID); |
757 | 0 | PK11_FreeSlot(peerKey->pkcs11Slot); |
758 | |
|
759 | 0 | PORT_DestroyCheapArena(&arena); |
760 | 0 | return SECSuccess; |
761 | | |
762 | 0 | loser: |
763 | 0 | PORT_DestroyCheapArena(&arena); |
764 | 0 | return SECFailure; |
765 | 0 | } |
766 | | |
767 | | SECStatus |
768 | | tls13_HandleKeyShare(sslSocket *ss, |
769 | | TLS13KeyShareEntry *entry, |
770 | | sslKeyPair *keyPair, |
771 | | SSLHashType hash, |
772 | | PK11SymKey **out) |
773 | 1.85k | { |
774 | 1.85k | PORTCheapArenaPool arena; |
775 | 1.85k | SECKEYPublicKey *peerKey; |
776 | 1.85k | CK_MECHANISM_TYPE mechanism; |
777 | 1.85k | PK11SymKey *key; |
778 | 1.85k | SECStatus rv; |
779 | 1.85k | int keySize = 0; |
780 | | |
781 | 1.85k | PORT_InitCheapArena(&arena, DER_DEFAULT_CHUNKSIZE); |
782 | 1.85k | peerKey = PORT_ArenaZNew(&arena.arena, SECKEYPublicKey); |
783 | 1.85k | if (peerKey == NULL) { |
784 | 0 | goto loser; |
785 | 0 | } |
786 | 1.85k | peerKey->arena = &arena.arena; |
787 | 1.85k | peerKey->pkcs11Slot = NULL; |
788 | 1.85k | peerKey->pkcs11ID = CK_INVALID_HANDLE; |
789 | | |
790 | 1.85k | switch (entry->group->keaType) { |
791 | 0 | case ssl_kea_ecdh_hybrid: |
792 | 0 | if (entry->group->name != ssl_grp_kem_xyber768d00 || entry->key_exchange.len < X25519_PUBLIC_KEY_BYTES) { |
793 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_HYBRID_KEY_SHARE); |
794 | 0 | goto loser; |
795 | 0 | } |
796 | 0 | rv = ssl_ImportECDHKeyShare(peerKey, |
797 | 0 | entry->key_exchange.data, |
798 | 0 | X25519_PUBLIC_KEY_BYTES, |
799 | 0 | ssl_LookupNamedGroup(ssl_grp_ec_curve25519)); |
800 | 0 | mechanism = CKM_ECDH1_DERIVE; |
801 | 0 | break; |
802 | 808 | case ssl_kea_ecdh: |
803 | 808 | rv = ssl_ImportECDHKeyShare(peerKey, |
804 | 808 | entry->key_exchange.data, |
805 | 808 | entry->key_exchange.len, |
806 | 808 | entry->group); |
807 | 808 | mechanism = CKM_ECDH1_DERIVE; |
808 | 808 | break; |
809 | 1.05k | case ssl_kea_dh: |
810 | 1.05k | rv = tls13_ImportDHEKeyShare(peerKey, |
811 | 1.05k | entry->key_exchange.data, |
812 | 1.05k | entry->key_exchange.len, |
813 | 1.05k | keyPair->pubKey); |
814 | 1.05k | mechanism = CKM_DH_PKCS_DERIVE; |
815 | 1.05k | keySize = peerKey->u.dh.publicValue.len; |
816 | 1.05k | break; |
817 | 0 | default: |
818 | 0 | PORT_Assert(0); |
819 | 0 | goto loser; |
820 | 1.85k | } |
821 | 1.85k | if (rv != SECSuccess) { |
822 | 16 | goto loser; |
823 | 16 | } |
824 | | |
825 | 1.84k | key = PK11_PubDeriveWithKDF( |
826 | 1.84k | keyPair->privKey, peerKey, PR_FALSE, NULL, NULL, mechanism, |
827 | 1.84k | CKM_HKDF_DERIVE, CKA_DERIVE, keySize, CKD_NULL, NULL, NULL); |
828 | 1.84k | if (!key) { |
829 | 161 | ssl_MapLowLevelError(SSL_ERROR_KEY_EXCHANGE_FAILURE); |
830 | 161 | goto loser; |
831 | 161 | } |
832 | | |
833 | 1.68k | *out = key; |
834 | 1.68k | PORT_DestroyCheapArena(&arena); |
835 | 1.68k | return SECSuccess; |
836 | | |
837 | 177 | loser: |
838 | 177 | PORT_DestroyCheapArena(&arena); |
839 | 177 | return SECFailure; |
840 | 1.84k | } |
841 | | |
842 | | static PRBool |
843 | | tls13_UseServerSecret(sslSocket *ss, SSLSecretDirection direction) |
844 | 3.30k | { |
845 | 3.30k | return ss->sec.isServer == (direction == ssl_secret_write); |
846 | 3.30k | } |
847 | | |
848 | | static PK11SymKey ** |
849 | | tls13_TrafficSecretRef(sslSocket *ss, SSLSecretDirection direction) |
850 | 11 | { |
851 | 11 | if (tls13_UseServerSecret(ss, direction)) { |
852 | 5 | return &ss->ssl3.hs.serverTrafficSecret; |
853 | 5 | } |
854 | 6 | return &ss->ssl3.hs.clientTrafficSecret; |
855 | 11 | } |
856 | | |
857 | | SECStatus |
858 | | tls13_UpdateTrafficKeys(sslSocket *ss, SSLSecretDirection direction) |
859 | 11 | { |
860 | 11 | PK11SymKey **secret; |
861 | 11 | PK11SymKey *updatedSecret; |
862 | 11 | PRUint16 epoch; |
863 | 11 | SECStatus rv; |
864 | | |
865 | 11 | secret = tls13_TrafficSecretRef(ss, direction); |
866 | 11 | rv = tls13_HkdfExpandLabel(*secret, tls13_GetHash(ss), |
867 | 11 | NULL, 0, |
868 | 11 | kHkdfLabelTrafficUpdate, |
869 | 11 | strlen(kHkdfLabelTrafficUpdate), |
870 | 11 | tls13_GetHmacMechanism(ss), |
871 | 11 | tls13_GetHashSize(ss), |
872 | 11 | ss->protocolVariant, |
873 | 11 | &updatedSecret); |
874 | 11 | if (rv != SECSuccess) { |
875 | 0 | return SECFailure; |
876 | 0 | } |
877 | | |
878 | 11 | PK11_FreeSymKey(*secret); |
879 | 11 | *secret = updatedSecret; |
880 | | |
881 | 11 | ssl_GetSpecReadLock(ss); |
882 | 11 | if (direction == ssl_secret_read) { |
883 | 6 | epoch = ss->ssl3.crSpec->epoch; |
884 | 6 | } else { |
885 | 5 | epoch = ss->ssl3.cwSpec->epoch; |
886 | 5 | } |
887 | 11 | ssl_ReleaseSpecReadLock(ss); |
888 | | |
889 | 11 | if (epoch == PR_UINT16_MAX) { |
890 | | /* Good chance that this is an overflow from too many updates. */ |
891 | 0 | FATAL_ERROR(ss, SSL_ERROR_TOO_MANY_KEY_UPDATES, internal_error); |
892 | 0 | return SECFailure; |
893 | 0 | } |
894 | 11 | ++epoch; |
895 | | |
896 | 11 | if (ss->secretCallback) { |
897 | 0 | ss->secretCallback(ss->fd, epoch, direction, updatedSecret, |
898 | 0 | ss->secretCallbackArg); |
899 | 0 | } |
900 | 11 | rv = tls13_SetCipherSpec(ss, epoch, direction, PR_FALSE); |
901 | 11 | if (rv != SECSuccess) { |
902 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
903 | 0 | return SECFailure; |
904 | 0 | } |
905 | 11 | return SECSuccess; |
906 | 11 | } |
907 | | |
908 | | SECStatus |
909 | | tls13_SendKeyUpdate(sslSocket *ss, tls13KeyUpdateRequest request, PRBool buffer) |
910 | 5 | { |
911 | 5 | SECStatus rv; |
912 | | |
913 | 5 | SSL_TRC(3, ("%d: TLS13[%d]: %s send key update, response %s", |
914 | 5 | SSL_GETPID(), ss->fd, SSL_ROLE(ss), |
915 | 5 | (request == update_requested) ? "requested" |
916 | 5 | : "not requested")); |
917 | | |
918 | 5 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
919 | 5 | PORT_Assert(!ss->sec.isServer || !ss->ssl3.clientCertRequested); |
920 | | |
921 | 5 | if (!tls13_IsPostHandshake(ss)) { |
922 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
923 | 0 | return SECFailure; |
924 | 0 | } |
925 | | |
926 | 5 | rv = TLS13_CHECK_HS_STATE(ss, SEC_ERROR_LIBRARY_FAILURE, |
927 | 5 | idle_handshake); |
928 | 5 | if (rv != SECSuccess) { |
929 | 0 | return SECFailure; |
930 | 0 | } |
931 | | |
932 | 5 | if (IS_DTLS(ss)) { |
933 | 0 | rv = dtls13_MaybeSendKeyUpdate(ss, request, buffer); |
934 | 0 | if (rv != SECSuccess) { |
935 | | /* Error code set already. */ |
936 | 0 | return SECFailure; |
937 | 0 | } |
938 | 0 | return rv; |
939 | 0 | } |
940 | | |
941 | 5 | ssl_GetXmitBufLock(ss); |
942 | 5 | rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_key_update, 1); |
943 | 5 | if (rv != SECSuccess) { |
944 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
945 | 0 | goto loser; |
946 | 0 | } |
947 | 5 | rv = ssl3_AppendHandshakeNumber(ss, request, 1); |
948 | 5 | if (rv != SECSuccess) { |
949 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
950 | 0 | goto loser; |
951 | 0 | } |
952 | | |
953 | | /* If we have been asked to buffer, then do so. This allows us to coalesce |
954 | | * a KeyUpdate with a pending write. */ |
955 | 5 | rv = ssl3_FlushHandshake(ss, buffer ? ssl_SEND_FLAG_FORCE_INTO_BUFFER : 0); |
956 | 5 | if (rv != SECSuccess) { |
957 | 0 | goto loser; /* error code set by ssl3_FlushHandshake */ |
958 | 0 | } |
959 | 5 | ssl_ReleaseXmitBufLock(ss); |
960 | | |
961 | 5 | rv = tls13_UpdateTrafficKeys(ss, ssl_secret_write); |
962 | 5 | if (rv != SECSuccess) { |
963 | 0 | goto loser; /* error code set by tls13_UpdateTrafficKeys */ |
964 | 0 | } |
965 | | |
966 | 5 | return SECSuccess; |
967 | | |
968 | 0 | loser: |
969 | 0 | ssl_ReleaseXmitBufLock(ss); |
970 | 0 | return SECFailure; |
971 | 5 | } |
972 | | |
973 | | SECStatus |
974 | | SSLExp_KeyUpdate(PRFileDesc *fd, PRBool requestUpdate) |
975 | 0 | { |
976 | 0 | SECStatus rv; |
977 | 0 | sslSocket *ss = ssl_FindSocket(fd); |
978 | 0 | if (!ss) { |
979 | 0 | return SECFailure; |
980 | 0 | } |
981 | | |
982 | 0 | if (!tls13_IsPostHandshake(ss)) { |
983 | 0 | PORT_SetError(SEC_ERROR_INVALID_ARGS); |
984 | 0 | return SECFailure; |
985 | 0 | } |
986 | | |
987 | 0 | if (ss->ssl3.clientCertRequested) { |
988 | 0 | PORT_SetError(PR_WOULD_BLOCK_ERROR); |
989 | 0 | return SECFailure; |
990 | 0 | } |
991 | | |
992 | 0 | rv = TLS13_CHECK_HS_STATE(ss, SEC_ERROR_INVALID_ARGS, |
993 | 0 | idle_handshake); |
994 | 0 | if (rv != SECSuccess) { |
995 | 0 | return SECFailure; |
996 | 0 | } |
997 | | |
998 | 0 | ssl_GetSSL3HandshakeLock(ss); |
999 | 0 | rv = tls13_SendKeyUpdate(ss, requestUpdate ? update_requested : update_not_requested, |
1000 | 0 | PR_FALSE /* don't buffer */); |
1001 | | |
1002 | | /* Remember that we are the ones that initiated this KeyUpdate. */ |
1003 | 0 | if (rv == SECSuccess) { |
1004 | 0 | ss->ssl3.peerRequestedKeyUpdate = PR_FALSE; |
1005 | 0 | } |
1006 | 0 | ssl_ReleaseSSL3HandshakeLock(ss); |
1007 | 0 | return rv; |
1008 | 0 | } |
1009 | | |
1010 | | SECStatus |
1011 | | SSLExp_SetCertificateCompressionAlgorithm(PRFileDesc *fd, SSLCertificateCompressionAlgorithm alg) |
1012 | 0 | { |
1013 | 0 | sslSocket *ss = ssl_FindSocket(fd); |
1014 | 0 | if (!ss) { |
1015 | 0 | return SECFailure; /* Code already set. */ |
1016 | 0 | } |
1017 | | |
1018 | 0 | ssl_GetSSL3HandshakeLock(ss); |
1019 | 0 | if (ss->ssl3.supportedCertCompressionAlgorithmsCount == MAX_SUPPORTED_CERTIFICATE_COMPRESSION_ALGS) { |
1020 | 0 | goto loser; |
1021 | 0 | } |
1022 | | |
1023 | | /* Reserved ID */ |
1024 | 0 | if (alg.id == 0) { |
1025 | 0 | goto loser; |
1026 | 0 | } |
1027 | | |
1028 | 0 | if (alg.encode == NULL && alg.decode == NULL) { |
1029 | 0 | goto loser; |
1030 | 0 | } |
1031 | | |
1032 | | /* Checking that we have not yet registed an algorithm with the same ID. */ |
1033 | 0 | for (int i = 0; i < ss->ssl3.supportedCertCompressionAlgorithmsCount; i++) { |
1034 | 0 | if (ss->ssl3.supportedCertCompressionAlgorithms[i].id == alg.id) { |
1035 | 0 | goto loser; |
1036 | 0 | } |
1037 | 0 | } |
1038 | | |
1039 | 0 | PORT_Memcpy(&ss->ssl3.supportedCertCompressionAlgorithms |
1040 | 0 | [ss->ssl3.supportedCertCompressionAlgorithmsCount], |
1041 | 0 | &alg, sizeof(alg)); |
1042 | 0 | ss->ssl3.supportedCertCompressionAlgorithmsCount += 1; |
1043 | 0 | ssl_ReleaseSSL3HandshakeLock(ss); |
1044 | 0 | return SECSuccess; |
1045 | | |
1046 | 0 | loser: |
1047 | 0 | PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1048 | 0 | ssl_ReleaseSSL3HandshakeLock(ss); |
1049 | 0 | return SECFailure; |
1050 | 0 | } |
1051 | | |
1052 | | /* |
1053 | | * enum { |
1054 | | * update_not_requested(0), update_requested(1), (255) |
1055 | | * } KeyUpdateRequest; |
1056 | | * |
1057 | | * struct { |
1058 | | * KeyUpdateRequest request_update; |
1059 | | * } KeyUpdate; |
1060 | | */ |
1061 | | |
1062 | | /* If we're handing the DTLS1.3 message, we silently fail if there is a parsing problem. */ |
1063 | | static SECStatus |
1064 | | tls13_HandleKeyUpdate(sslSocket *ss, PRUint8 *b, unsigned int length) |
1065 | 11 | { |
1066 | 11 | SECStatus rv; |
1067 | 11 | PRUint32 update; |
1068 | | |
1069 | 11 | SSL_TRC(3, ("%d: TLS13[%d]: %s handle key update", |
1070 | 11 | SSL_GETPID(), ss->fd, SSL_ROLE(ss))); |
1071 | | |
1072 | 11 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
1073 | 11 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
1074 | | |
1075 | 11 | if (!tls13_IsPostHandshake(ss)) { |
1076 | 4 | FATAL_ERROR(ss, SSL_ERROR_RX_UNEXPECTED_KEY_UPDATE, unexpected_message); |
1077 | 4 | return SECFailure; |
1078 | 4 | } |
1079 | | |
1080 | 7 | rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_KEY_UPDATE, |
1081 | 7 | idle_handshake); |
1082 | 7 | if (rv != SECSuccess) { |
1083 | | /* We should never be idle_handshake prior to firstHsDone. */ |
1084 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
1085 | 0 | return SECFailure; |
1086 | 0 | } |
1087 | | |
1088 | 7 | rv = ssl3_ConsumeHandshakeNumber(ss, &update, 1, &b, &length); |
1089 | 7 | if (rv != SECSuccess) { |
1090 | 0 | return SECFailure; /* Error code set already. */ |
1091 | 0 | } |
1092 | 7 | if (length != 0) { |
1093 | 1 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_KEY_UPDATE, decode_error); |
1094 | 1 | return SECFailure; |
1095 | 1 | } |
1096 | 6 | if (!(update == update_requested || |
1097 | 6 | update == update_not_requested)) { |
1098 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_KEY_UPDATE, decode_error); |
1099 | 0 | return SECFailure; |
1100 | 0 | } |
1101 | | |
1102 | 6 | if (IS_DTLS(ss)) { |
1103 | 0 | return dtls13_HandleKeyUpdate(ss, b, length, update); |
1104 | 0 | } |
1105 | | |
1106 | 6 | rv = tls13_UpdateTrafficKeys(ss, ssl_secret_read); |
1107 | 6 | if (rv != SECSuccess) { |
1108 | 0 | return SECFailure; /* Error code set by tls13_UpdateTrafficKeys. */ |
1109 | 0 | } |
1110 | | |
1111 | 6 | if (update == update_requested) { |
1112 | 6 | PRBool sendUpdate; |
1113 | 6 | if (ss->ssl3.clientCertRequested) { |
1114 | | /* Post-handshake auth is in progress; defer sending a key update. */ |
1115 | 0 | ss->ssl3.hs.keyUpdateDeferred = PR_TRUE; |
1116 | 0 | ss->ssl3.hs.deferredKeyUpdateRequest = update_not_requested; |
1117 | 0 | sendUpdate = PR_FALSE; |
1118 | 6 | } else if (ss->ssl3.peerRequestedKeyUpdate) { |
1119 | | /* Only send an update if we have sent with the current spec. This |
1120 | | * prevents us from being forced to crank forward pointlessly. */ |
1121 | 5 | ssl_GetSpecReadLock(ss); |
1122 | 5 | sendUpdate = ss->ssl3.cwSpec->nextSeqNum > 0; |
1123 | 5 | ssl_ReleaseSpecReadLock(ss); |
1124 | 5 | } else { |
1125 | 1 | sendUpdate = PR_TRUE; |
1126 | 1 | } |
1127 | 6 | if (sendUpdate) { |
1128 | | /* Respond immediately (don't buffer). */ |
1129 | 5 | rv = tls13_SendKeyUpdate(ss, update_not_requested, PR_FALSE); |
1130 | 5 | if (rv != SECSuccess) { |
1131 | 0 | return SECFailure; /* Error already set. */ |
1132 | 0 | } |
1133 | 5 | } |
1134 | 6 | ss->ssl3.peerRequestedKeyUpdate = PR_TRUE; |
1135 | 6 | } |
1136 | | |
1137 | 6 | return SECSuccess; |
1138 | 6 | } |
1139 | | |
1140 | | SECStatus |
1141 | | SSLExp_SendCertificateRequest(PRFileDesc *fd) |
1142 | 0 | { |
1143 | 0 | SECStatus rv; |
1144 | 0 | sslSocket *ss = ssl_FindSocket(fd); |
1145 | 0 | if (!ss) { |
1146 | 0 | return SECFailure; |
1147 | 0 | } |
1148 | | |
1149 | | /* Not supported. */ |
1150 | 0 | if (IS_DTLS(ss)) { |
1151 | 0 | PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_VERSION); |
1152 | 0 | return SECFailure; |
1153 | 0 | } |
1154 | | |
1155 | 0 | if (!tls13_IsPostHandshake(ss)) { |
1156 | 0 | PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1157 | 0 | return SECFailure; |
1158 | 0 | } |
1159 | | |
1160 | 0 | if (ss->ssl3.clientCertRequested) { |
1161 | 0 | PORT_SetError(PR_WOULD_BLOCK_ERROR); |
1162 | 0 | return SECFailure; |
1163 | 0 | } |
1164 | | |
1165 | | /* Disallow a CertificateRequest if this connection uses an external PSK. */ |
1166 | 0 | if (ss->sec.authType == ssl_auth_psk) { |
1167 | 0 | PORT_SetError(SSL_ERROR_FEATURE_DISABLED); |
1168 | 0 | return SECFailure; |
1169 | 0 | } |
1170 | | |
1171 | 0 | rv = TLS13_CHECK_HS_STATE(ss, SEC_ERROR_INVALID_ARGS, |
1172 | 0 | idle_handshake); |
1173 | 0 | if (rv != SECSuccess) { |
1174 | 0 | return SECFailure; |
1175 | 0 | } |
1176 | | |
1177 | 0 | if (!ssl3_ExtensionNegotiated(ss, ssl_tls13_post_handshake_auth_xtn)) { |
1178 | 0 | PORT_SetError(SSL_ERROR_MISSING_POST_HANDSHAKE_AUTH_EXTENSION); |
1179 | 0 | return SECFailure; |
1180 | 0 | } |
1181 | | |
1182 | 0 | ssl_GetSSL3HandshakeLock(ss); |
1183 | |
|
1184 | 0 | rv = tls13_SendCertificateRequest(ss); |
1185 | 0 | if (rv == SECSuccess) { |
1186 | 0 | ssl_GetXmitBufLock(ss); |
1187 | 0 | rv = ssl3_FlushHandshake(ss, 0); |
1188 | 0 | ssl_ReleaseXmitBufLock(ss); |
1189 | 0 | ss->ssl3.clientCertRequested = PR_TRUE; |
1190 | 0 | } |
1191 | |
|
1192 | 0 | ssl_ReleaseSSL3HandshakeLock(ss); |
1193 | 0 | return rv; |
1194 | 0 | } |
1195 | | |
1196 | | SECStatus |
1197 | | tls13_HandlePostHelloHandshakeMessage(sslSocket *ss, PRUint8 *b, PRUint32 length) |
1198 | 366 | { |
1199 | 366 | if (ss->sec.isServer && ss->ssl3.hs.zeroRttIgnore != ssl_0rtt_ignore_none) { |
1200 | 14 | SSL_TRC(3, ("%d: TLS13[%d]: successfully decrypted handshake after " |
1201 | 14 | "failed 0-RTT", |
1202 | 14 | SSL_GETPID(), ss->fd)); |
1203 | 14 | ss->ssl3.hs.zeroRttIgnore = ssl_0rtt_ignore_none; |
1204 | 14 | } |
1205 | | |
1206 | | /* TODO(ekr@rtfm.com): Would it be better to check all the states here? */ |
1207 | 366 | switch (ss->ssl3.hs.msg_type) { |
1208 | 34 | case ssl_hs_certificate: |
1209 | 34 | return tls13_HandleCertificate(ss, b, length, PR_FALSE); |
1210 | 4 | case ssl_hs_compressed_certificate: |
1211 | 4 | return tls13_HandleCertificateDecode(ss, b, length); |
1212 | 4 | case ssl_hs_certificate_request: |
1213 | 4 | return tls13_HandleCertificateRequest(ss, b, length); |
1214 | | |
1215 | 4 | case ssl_hs_certificate_verify: |
1216 | 4 | return tls13_HandleCertificateVerify(ss, b, length); |
1217 | | |
1218 | 4 | case ssl_hs_encrypted_extensions: |
1219 | 4 | return tls13_HandleEncryptedExtensions(ss, b, length); |
1220 | | |
1221 | 4 | case ssl_hs_new_session_ticket: |
1222 | 4 | return tls13_HandleNewSessionTicket(ss, b, length); |
1223 | | |
1224 | 283 | case ssl_hs_finished: |
1225 | 283 | if (ss->sec.isServer) { |
1226 | 281 | return tls13_ServerHandleFinished(ss, b, length); |
1227 | 281 | } else { |
1228 | 2 | return tls13_ClientHandleFinished(ss, b, length); |
1229 | 2 | } |
1230 | | |
1231 | 5 | case ssl_hs_end_of_early_data: |
1232 | 5 | return tls13_HandleEndOfEarlyData(ss, b, length); |
1233 | | |
1234 | 11 | case ssl_hs_key_update: |
1235 | 11 | return tls13_HandleKeyUpdate(ss, b, length); |
1236 | | |
1237 | 13 | default: |
1238 | 13 | FATAL_ERROR(ss, SSL_ERROR_RX_UNKNOWN_HANDSHAKE, unexpected_message); |
1239 | 13 | return SECFailure; |
1240 | 366 | } |
1241 | | |
1242 | 0 | PORT_Assert(0); /* Unreached */ |
1243 | 0 | return SECFailure; |
1244 | 366 | } |
1245 | | |
1246 | | static SECStatus |
1247 | | tls13_RecoverWrappedSharedSecret(sslSocket *ss, sslSessionID *sid) |
1248 | 0 | { |
1249 | 0 | PK11SymKey *wrapKey; /* wrapping key */ |
1250 | 0 | SECItem wrappedMS = { siBuffer, NULL, 0 }; |
1251 | 0 | SSLHashType hashType; |
1252 | |
|
1253 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: recovering static secret (%s)", |
1254 | 0 | SSL_GETPID(), ss->fd, SSL_ROLE(ss))); |
1255 | | |
1256 | | /* Now find the hash used as the PRF for the previous handshake. */ |
1257 | 0 | hashType = tls13_GetHashForCipherSuite(sid->u.ssl3.cipherSuite); |
1258 | | |
1259 | | /* If we are the server, we compute the wrapping key, but if we |
1260 | | * are the client, its coordinates are stored with the ticket. */ |
1261 | 0 | if (ss->sec.isServer) { |
1262 | 0 | wrapKey = ssl3_GetWrappingKey(ss, NULL, |
1263 | 0 | sid->u.ssl3.masterWrapMech, |
1264 | 0 | ss->pkcs11PinArg); |
1265 | 0 | } else { |
1266 | 0 | PK11SlotInfo *slot = SECMOD_LookupSlot(sid->u.ssl3.masterModuleID, |
1267 | 0 | sid->u.ssl3.masterSlotID); |
1268 | 0 | if (!slot) |
1269 | 0 | return SECFailure; |
1270 | | |
1271 | 0 | wrapKey = PK11_GetWrapKey(slot, |
1272 | 0 | sid->u.ssl3.masterWrapIndex, |
1273 | 0 | sid->u.ssl3.masterWrapMech, |
1274 | 0 | sid->u.ssl3.masterWrapSeries, |
1275 | 0 | ss->pkcs11PinArg); |
1276 | 0 | PK11_FreeSlot(slot); |
1277 | 0 | } |
1278 | 0 | if (!wrapKey) { |
1279 | 0 | return SECFailure; |
1280 | 0 | } |
1281 | | |
1282 | 0 | wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret; |
1283 | 0 | wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len; |
1284 | |
|
1285 | 0 | PK11SymKey *unwrappedPsk = ssl_unwrapSymKey(wrapKey, sid->u.ssl3.masterWrapMech, |
1286 | 0 | NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE, |
1287 | 0 | CKA_DERIVE, tls13_GetHashSizeForHash(hashType), |
1288 | 0 | CKF_SIGN | CKF_VERIFY, ss->pkcs11PinArg); |
1289 | 0 | PK11_FreeSymKey(wrapKey); |
1290 | 0 | if (!unwrappedPsk) { |
1291 | 0 | return SECFailure; |
1292 | 0 | } |
1293 | 0 | sslPsk *rpsk = tls13_MakePsk(unwrappedPsk, ssl_psk_resume, hashType, NULL); |
1294 | 0 | if (!rpsk) { |
1295 | 0 | PK11_FreeSymKey(unwrappedPsk); |
1296 | 0 | return SECFailure; |
1297 | 0 | } |
1298 | 0 | if (sid->u.ssl3.locked.sessionTicket.flags & ticket_allow_early_data) { |
1299 | 0 | rpsk->maxEarlyData = sid->u.ssl3.locked.sessionTicket.max_early_data_size; |
1300 | 0 | rpsk->zeroRttSuite = sid->u.ssl3.cipherSuite; |
1301 | 0 | } |
1302 | 0 | PRINT_KEY(50, (ss, "Recovered RMS", rpsk->key)); |
1303 | 0 | PORT_Assert(PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks) || |
1304 | 0 | ((sslPsk *)PR_LIST_HEAD(&ss->ssl3.hs.psks))->type != ssl_psk_resume); |
1305 | |
|
1306 | 0 | if (ss->sec.isServer) { |
1307 | | /* In server, we couldn't select the RPSK in the extension handler |
1308 | | * since it was not unwrapped yet. We're committed now, so select |
1309 | | * it and add it to the list (to ensure it is freed). */ |
1310 | 0 | ss->xtnData.selectedPsk = rpsk; |
1311 | 0 | } |
1312 | 0 | PR_APPEND_LINK(&rpsk->link, &ss->ssl3.hs.psks); |
1313 | |
|
1314 | 0 | return SECSuccess; |
1315 | 0 | } |
1316 | | |
1317 | | /* Key Derivation Functions. |
1318 | | * |
1319 | | * 0 |
1320 | | * | |
1321 | | * v |
1322 | | * PSK -> HKDF-Extract = Early Secret |
1323 | | * | |
1324 | | * +-----> Derive-Secret(., "ext binder" | "res binder", "") |
1325 | | * | = binder_key |
1326 | | * | |
1327 | | * +-----> Derive-Secret(., "c e traffic", |
1328 | | * | ClientHello) |
1329 | | * | = client_early_traffic_secret |
1330 | | * | |
1331 | | * +-----> Derive-Secret(., "e exp master", |
1332 | | * | ClientHello) |
1333 | | * | = early_exporter_secret |
1334 | | * v |
1335 | | * Derive-Secret(., "derived", "") |
1336 | | * | |
1337 | | * v |
1338 | | *(EC)DHE -> HKDF-Extract = Handshake Secret |
1339 | | * | |
1340 | | * +-----> Derive-Secret(., "c hs traffic", |
1341 | | * | ClientHello...ServerHello) |
1342 | | * | = client_handshake_traffic_secret |
1343 | | * | |
1344 | | * +-----> Derive-Secret(., "s hs traffic", |
1345 | | * | ClientHello...ServerHello) |
1346 | | * | = server_handshake_traffic_secret |
1347 | | * v |
1348 | | * Derive-Secret(., "derived", "") |
1349 | | * | |
1350 | | * v |
1351 | | * 0 -> HKDF-Extract = Master Secret |
1352 | | * | |
1353 | | * +-----> Derive-Secret(., "c ap traffic", |
1354 | | * | ClientHello...Server Finished) |
1355 | | * | = client_traffic_secret_0 |
1356 | | * | |
1357 | | * +-----> Derive-Secret(., "s ap traffic", |
1358 | | * | ClientHello...Server Finished) |
1359 | | * | = server_traffic_secret_0 |
1360 | | * | |
1361 | | * +-----> Derive-Secret(., "exp master", |
1362 | | * | ClientHello...Server Finished) |
1363 | | * | = exporter_secret |
1364 | | * | |
1365 | | * +-----> Derive-Secret(., "res master", |
1366 | | * ClientHello...Client Finished) |
1367 | | * = resumption_master_secret |
1368 | | * |
1369 | | */ |
1370 | | static SECStatus |
1371 | | tls13_ComputeEarlySecretsWithPsk(sslSocket *ss) |
1372 | 0 | { |
1373 | 0 | SECStatus rv; |
1374 | |
|
1375 | 0 | SSL_TRC(5, ("%d: TLS13[%d]: compute early secrets (%s)", |
1376 | 0 | SSL_GETPID(), ss->fd, SSL_ROLE(ss))); |
1377 | |
|
1378 | 0 | PORT_Assert(!ss->ssl3.hs.currentSecret); |
1379 | 0 | sslPsk *psk = NULL; |
1380 | |
|
1381 | 0 | if (ss->sec.isServer) { |
1382 | 0 | psk = ss->xtnData.selectedPsk; |
1383 | 0 | } else { |
1384 | | /* Client to use the first PSK for early secrets. */ |
1385 | 0 | PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks)); |
1386 | 0 | psk = (sslPsk *)PR_LIST_HEAD(&ss->ssl3.hs.psks); |
1387 | 0 | } |
1388 | 0 | PORT_Assert(psk && psk->key); |
1389 | 0 | PORT_Assert(psk->hash != ssl_hash_none); |
1390 | |
|
1391 | 0 | PK11SymKey *earlySecret = NULL; |
1392 | 0 | rv = tls13_HkdfExtract(NULL, psk->key, psk->hash, &earlySecret); |
1393 | 0 | if (rv != SECSuccess) { |
1394 | 0 | return SECFailure; |
1395 | 0 | } |
1396 | | |
1397 | | /* No longer need the raw input key */ |
1398 | 0 | PK11_FreeSymKey(psk->key); |
1399 | 0 | psk->key = NULL; |
1400 | 0 | const char *label = (psk->type == ssl_psk_resume) ? kHkdfLabelResPskBinderKey : kHkdfLabelExtPskBinderKey; |
1401 | 0 | rv = tls13_DeriveSecretNullHash(ss, earlySecret, |
1402 | 0 | label, strlen(label), |
1403 | 0 | &psk->binderKey, psk->hash); |
1404 | 0 | if (rv != SECSuccess) { |
1405 | 0 | PK11_FreeSymKey(earlySecret); |
1406 | 0 | return SECFailure; |
1407 | 0 | } |
1408 | 0 | ss->ssl3.hs.currentSecret = earlySecret; |
1409 | |
|
1410 | 0 | return SECSuccess; |
1411 | 0 | } |
1412 | | |
1413 | | /* This derives the early traffic and early exporter secrets. */ |
1414 | | static SECStatus |
1415 | | tls13_DeriveEarlySecrets(sslSocket *ss) |
1416 | 0 | { |
1417 | 0 | SECStatus rv; |
1418 | 0 | PORT_Assert(ss->ssl3.hs.currentSecret); |
1419 | 0 | rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret, |
1420 | 0 | kHkdfLabelClient, |
1421 | 0 | kHkdfLabelEarlyTrafficSecret, |
1422 | 0 | keylogLabelClientEarlyTrafficSecret, |
1423 | 0 | &ss->ssl3.hs.clientEarlyTrafficSecret); |
1424 | 0 | if (rv != SECSuccess) { |
1425 | 0 | return SECFailure; |
1426 | 0 | } |
1427 | | |
1428 | 0 | if (ss->secretCallback) { |
1429 | 0 | ss->secretCallback(ss->fd, (PRUint16)TrafficKeyEarlyApplicationData, |
1430 | 0 | ss->sec.isServer ? ssl_secret_read : ssl_secret_write, |
1431 | 0 | ss->ssl3.hs.clientEarlyTrafficSecret, |
1432 | 0 | ss->secretCallbackArg); |
1433 | 0 | } |
1434 | |
|
1435 | 0 | rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret, |
1436 | 0 | NULL, kHkdfLabelEarlyExporterSecret, |
1437 | 0 | keylogLabelEarlyExporterSecret, |
1438 | 0 | &ss->ssl3.hs.earlyExporterSecret); |
1439 | 0 | if (rv != SECSuccess) { |
1440 | 0 | return SECFailure; |
1441 | 0 | } |
1442 | | |
1443 | 0 | return SECSuccess; |
1444 | 0 | } |
1445 | | |
1446 | | static SECStatus |
1447 | | tls13_ComputeHandshakeSecret(sslSocket *ss) |
1448 | 1.68k | { |
1449 | 1.68k | SECStatus rv; |
1450 | 1.68k | PK11SymKey *derivedSecret = NULL; |
1451 | 1.68k | PK11SymKey *newSecret = NULL; |
1452 | 1.68k | SSL_TRC(5, ("%d: TLS13[%d]: compute handshake secret (%s)", |
1453 | 1.68k | SSL_GETPID(), ss->fd, SSL_ROLE(ss))); |
1454 | | |
1455 | | /* If no PSK, generate the default early secret. */ |
1456 | 1.68k | if (!ss->ssl3.hs.currentSecret) { |
1457 | 1.68k | PORT_Assert(!ss->xtnData.selectedPsk); |
1458 | 1.68k | rv = tls13_HkdfExtract(NULL, NULL, |
1459 | 1.68k | tls13_GetHash(ss), &ss->ssl3.hs.currentSecret); |
1460 | 1.68k | if (rv != SECSuccess) { |
1461 | 0 | return SECFailure; |
1462 | 0 | } |
1463 | 1.68k | } |
1464 | 1.68k | PORT_Assert(ss->ssl3.hs.currentSecret); |
1465 | 1.68k | PORT_Assert(ss->ssl3.hs.dheSecret); |
1466 | | |
1467 | | /* Derive-Secret(., "derived", "") */ |
1468 | 1.68k | rv = tls13_DeriveSecretNullHash(ss, ss->ssl3.hs.currentSecret, |
1469 | 1.68k | kHkdfLabelDerivedSecret, |
1470 | 1.68k | strlen(kHkdfLabelDerivedSecret), |
1471 | 1.68k | &derivedSecret, tls13_GetHash(ss)); |
1472 | 1.68k | if (rv != SECSuccess) { |
1473 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
1474 | 0 | return rv; |
1475 | 0 | } |
1476 | | |
1477 | | /* HKDF-Extract(ECDHE, .) = Handshake Secret */ |
1478 | 1.68k | rv = tls13_HkdfExtract(derivedSecret, ss->ssl3.hs.dheSecret, |
1479 | 1.68k | tls13_GetHash(ss), &newSecret); |
1480 | 1.68k | PK11_FreeSymKey(derivedSecret); |
1481 | 1.68k | if (rv != SECSuccess) { |
1482 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
1483 | 0 | return rv; |
1484 | 0 | } |
1485 | | |
1486 | 1.68k | PK11_FreeSymKey(ss->ssl3.hs.currentSecret); |
1487 | 1.68k | ss->ssl3.hs.currentSecret = newSecret; |
1488 | 1.68k | return SECSuccess; |
1489 | 1.68k | } |
1490 | | |
1491 | | static SECStatus |
1492 | | tls13_ComputeHandshakeSecrets(sslSocket *ss) |
1493 | 1.68k | { |
1494 | 1.68k | SECStatus rv; |
1495 | 1.68k | PK11SymKey *derivedSecret = NULL; |
1496 | 1.68k | PK11SymKey *newSecret = NULL; |
1497 | | |
1498 | 1.68k | PK11_FreeSymKey(ss->ssl3.hs.dheSecret); |
1499 | 1.68k | ss->ssl3.hs.dheSecret = NULL; |
1500 | | |
1501 | 1.68k | SSL_TRC(5, ("%d: TLS13[%d]: compute handshake secrets (%s)", |
1502 | 1.68k | SSL_GETPID(), ss->fd, SSL_ROLE(ss))); |
1503 | | |
1504 | | /* Now compute |*HsTrafficSecret| */ |
1505 | 1.68k | rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret, |
1506 | 1.68k | kHkdfLabelClient, |
1507 | 1.68k | kHkdfLabelHandshakeTrafficSecret, |
1508 | 1.68k | keylogLabelClientHsTrafficSecret, |
1509 | 1.68k | &ss->ssl3.hs.clientHsTrafficSecret); |
1510 | 1.68k | if (rv != SECSuccess) { |
1511 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
1512 | 0 | return rv; |
1513 | 0 | } |
1514 | 1.68k | rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret, |
1515 | 1.68k | kHkdfLabelServer, |
1516 | 1.68k | kHkdfLabelHandshakeTrafficSecret, |
1517 | 1.68k | keylogLabelServerHsTrafficSecret, |
1518 | 1.68k | &ss->ssl3.hs.serverHsTrafficSecret); |
1519 | 1.68k | if (rv != SECSuccess) { |
1520 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
1521 | 0 | return rv; |
1522 | 0 | } |
1523 | | |
1524 | 1.68k | if (ss->secretCallback) { |
1525 | 0 | SSLSecretDirection dir = |
1526 | 0 | ss->sec.isServer ? ssl_secret_read : ssl_secret_write; |
1527 | 0 | ss->secretCallback(ss->fd, (PRUint16)TrafficKeyHandshake, dir, |
1528 | 0 | ss->ssl3.hs.clientHsTrafficSecret, |
1529 | 0 | ss->secretCallbackArg); |
1530 | 0 | dir = ss->sec.isServer ? ssl_secret_write : ssl_secret_read; |
1531 | 0 | ss->secretCallback(ss->fd, (PRUint16)TrafficKeyHandshake, dir, |
1532 | 0 | ss->ssl3.hs.serverHsTrafficSecret, |
1533 | 0 | ss->secretCallbackArg); |
1534 | 0 | } |
1535 | | |
1536 | 1.68k | SSL_TRC(5, ("%d: TLS13[%d]: compute master secret (%s)", |
1537 | 1.68k | SSL_GETPID(), ss->fd, SSL_ROLE(ss))); |
1538 | | |
1539 | | /* Crank HKDF forward to make master secret, which we |
1540 | | * stuff in current secret. */ |
1541 | 1.68k | rv = tls13_DeriveSecretNullHash(ss, ss->ssl3.hs.currentSecret, |
1542 | 1.68k | kHkdfLabelDerivedSecret, |
1543 | 1.68k | strlen(kHkdfLabelDerivedSecret), |
1544 | 1.68k | &derivedSecret, tls13_GetHash(ss)); |
1545 | 1.68k | if (rv != SECSuccess) { |
1546 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
1547 | 0 | return rv; |
1548 | 0 | } |
1549 | 1.68k | rv = tls13_HkdfExtract(derivedSecret, |
1550 | 1.68k | NULL, |
1551 | 1.68k | tls13_GetHash(ss), |
1552 | 1.68k | &newSecret); |
1553 | 1.68k | PK11_FreeSymKey(derivedSecret); |
1554 | 1.68k | if (rv != SECSuccess) { |
1555 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
1556 | 0 | return SECFailure; |
1557 | 0 | } |
1558 | 1.68k | PK11_FreeSymKey(ss->ssl3.hs.currentSecret); |
1559 | 1.68k | ss->ssl3.hs.currentSecret = newSecret; |
1560 | | |
1561 | 1.68k | return SECSuccess; |
1562 | 1.68k | } |
1563 | | |
1564 | | static SECStatus |
1565 | | tls13_ComputeApplicationSecrets(sslSocket *ss) |
1566 | 739 | { |
1567 | 739 | SECStatus rv; |
1568 | | |
1569 | 739 | rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret, |
1570 | 739 | kHkdfLabelClient, |
1571 | 739 | kHkdfLabelApplicationTrafficSecret, |
1572 | 739 | keylogLabelClientTrafficSecret, |
1573 | 739 | &ss->ssl3.hs.clientTrafficSecret); |
1574 | 739 | if (rv != SECSuccess) { |
1575 | 0 | return SECFailure; |
1576 | 0 | } |
1577 | 739 | rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret, |
1578 | 739 | kHkdfLabelServer, |
1579 | 739 | kHkdfLabelApplicationTrafficSecret, |
1580 | 739 | keylogLabelServerTrafficSecret, |
1581 | 739 | &ss->ssl3.hs.serverTrafficSecret); |
1582 | 739 | if (rv != SECSuccess) { |
1583 | 0 | return SECFailure; |
1584 | 0 | } |
1585 | | |
1586 | 739 | if (ss->secretCallback) { |
1587 | 0 | SSLSecretDirection dir = |
1588 | 0 | ss->sec.isServer ? ssl_secret_read : ssl_secret_write; |
1589 | 0 | ss->secretCallback(ss->fd, (PRUint16)TrafficKeyApplicationData, |
1590 | 0 | dir, ss->ssl3.hs.clientTrafficSecret, |
1591 | 0 | ss->secretCallbackArg); |
1592 | 0 | dir = ss->sec.isServer ? ssl_secret_write : ssl_secret_read; |
1593 | 0 | ss->secretCallback(ss->fd, (PRUint16)TrafficKeyApplicationData, |
1594 | 0 | dir, ss->ssl3.hs.serverTrafficSecret, |
1595 | 0 | ss->secretCallbackArg); |
1596 | 0 | } |
1597 | | |
1598 | 739 | rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret, |
1599 | 739 | NULL, kHkdfLabelExporterMasterSecret, |
1600 | 739 | keylogLabelExporterSecret, |
1601 | 739 | &ss->ssl3.hs.exporterSecret); |
1602 | 739 | if (rv != SECSuccess) { |
1603 | 0 | return SECFailure; |
1604 | 0 | } |
1605 | | |
1606 | 739 | return SECSuccess; |
1607 | 739 | } |
1608 | | |
1609 | | static SECStatus |
1610 | | tls13_ComputeFinalSecrets(sslSocket *ss) |
1611 | 4 | { |
1612 | 4 | SECStatus rv; |
1613 | | |
1614 | 4 | PORT_Assert(!ss->ssl3.crSpec->masterSecret); |
1615 | 4 | PORT_Assert(!ss->ssl3.cwSpec->masterSecret); |
1616 | 4 | PORT_Assert(ss->ssl3.hs.currentSecret); |
1617 | 4 | rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret, |
1618 | 4 | NULL, kHkdfLabelResumptionMasterSecret, |
1619 | 4 | NULL, |
1620 | 4 | &ss->ssl3.hs.resumptionMasterSecret); |
1621 | 4 | PK11_FreeSymKey(ss->ssl3.hs.currentSecret); |
1622 | 4 | ss->ssl3.hs.currentSecret = NULL; |
1623 | 4 | if (rv != SECSuccess) { |
1624 | 0 | return SECFailure; |
1625 | 0 | } |
1626 | | |
1627 | 4 | return SECSuccess; |
1628 | 4 | } |
1629 | | |
1630 | | static void |
1631 | | tls13_RestoreCipherInfo(sslSocket *ss, sslSessionID *sid) |
1632 | 0 | { |
1633 | | /* Set these to match the cached value. |
1634 | | * TODO(ekr@rtfm.com): Make a version with the "true" values. |
1635 | | * Bug 1256137. |
1636 | | */ |
1637 | 0 | ss->sec.authType = sid->authType; |
1638 | 0 | ss->sec.authKeyBits = sid->authKeyBits; |
1639 | 0 | ss->sec.originalKeaGroup = ssl_LookupNamedGroup(sid->keaGroup); |
1640 | 0 | ss->sec.signatureScheme = sid->sigScheme; |
1641 | 0 | } |
1642 | | |
1643 | | /* Check whether resumption-PSK is allowed. */ |
1644 | | static PRBool |
1645 | | tls13_CanResume(sslSocket *ss, const sslSessionID *sid) |
1646 | 19 | { |
1647 | 19 | const sslServerCert *sc; |
1648 | | |
1649 | 19 | if (!sid) { |
1650 | 0 | return PR_FALSE; |
1651 | 0 | } |
1652 | | |
1653 | 19 | if (sid->version != ss->version) { |
1654 | 11 | return PR_FALSE; |
1655 | 11 | } |
1656 | | |
1657 | | #ifdef UNSAFE_FUZZER_MODE |
1658 | | /* When fuzzing, sid could contain garbage that will crash tls13_GetHashForCipherSuite. |
1659 | | * Do a direct comparison of cipher suites. This makes us refuse to resume when the |
1660 | | * protocol allows it, but resumption is discretionary anyway. */ |
1661 | | if (sid->u.ssl3.cipherSuite != ss->ssl3.hs.cipher_suite) { |
1662 | | #else |
1663 | 8 | if (tls13_GetHashForCipherSuite(sid->u.ssl3.cipherSuite) != tls13_GetHashForCipherSuite(ss->ssl3.hs.cipher_suite)) { |
1664 | 1 | #endif |
1665 | 1 | return PR_FALSE; |
1666 | 1 | } |
1667 | | |
1668 | | /* Server sids don't remember the server cert we previously sent, but they |
1669 | | * do remember the type of certificate we originally used, so we can locate |
1670 | | * it again, provided that the current ssl socket has had its server certs |
1671 | | * configured the same as the previous one. */ |
1672 | 7 | sc = ssl_FindServerCert(ss, sid->authType, sid->namedCurve); |
1673 | 7 | if (!sc || !sc->serverCert) { |
1674 | 4 | return PR_FALSE; |
1675 | 4 | } |
1676 | | |
1677 | 3 | return PR_TRUE; |
1678 | 7 | } |
1679 | | |
1680 | | static PRBool |
1681 | | tls13_CanNegotiateZeroRtt(sslSocket *ss, const sslSessionID *sid) |
1682 | 304 | { |
1683 | 304 | PORT_Assert(ss->ssl3.hs.zeroRttState == ssl_0rtt_sent); |
1684 | 304 | sslPsk *psk = ss->xtnData.selectedPsk; |
1685 | | |
1686 | 304 | if (!ss->opt.enable0RttData) { |
1687 | 304 | return PR_FALSE; |
1688 | 304 | } |
1689 | 0 | if (!psk) { |
1690 | 0 | return PR_FALSE; |
1691 | 0 | } |
1692 | 0 | if (psk->zeroRttSuite == TLS_NULL_WITH_NULL_NULL) { |
1693 | 0 | return PR_FALSE; |
1694 | 0 | } |
1695 | 0 | if (!psk->maxEarlyData) { |
1696 | 0 | return PR_FALSE; |
1697 | 0 | } |
1698 | 0 | if (ss->ssl3.hs.cipher_suite != psk->zeroRttSuite) { |
1699 | 0 | return PR_FALSE; |
1700 | 0 | } |
1701 | 0 | if (psk->type == ssl_psk_resume) { |
1702 | 0 | if (!sid) { |
1703 | 0 | return PR_FALSE; |
1704 | 0 | } |
1705 | 0 | PORT_Assert(sid->u.ssl3.locked.sessionTicket.flags & ticket_allow_early_data); |
1706 | 0 | PORT_Assert(ss->statelessResume); |
1707 | 0 | if (!ss->statelessResume) { |
1708 | 0 | return PR_FALSE; |
1709 | 0 | } |
1710 | 0 | if (SECITEM_CompareItem(&ss->xtnData.nextProto, |
1711 | 0 | &sid->u.ssl3.alpnSelection) != 0) { |
1712 | 0 | return PR_FALSE; |
1713 | 0 | } |
1714 | 0 | } else if (psk->type != ssl_psk_external) { |
1715 | 0 | PORT_Assert(0); |
1716 | 0 | return PR_FALSE; |
1717 | 0 | } |
1718 | | |
1719 | 0 | if (tls13_IsReplay(ss, sid)) { |
1720 | 0 | return PR_FALSE; |
1721 | 0 | } |
1722 | | |
1723 | 0 | return PR_TRUE; |
1724 | 0 | } |
1725 | | |
1726 | | /* Called from tls13_HandleClientHelloPart2 to update the state of 0-RTT handling. |
1727 | | * |
1728 | | * 0-RTT is only permitted if: |
1729 | | * 1. The early data extension was present. |
1730 | | * 2. We are resuming a session. |
1731 | | * 3. The 0-RTT option is set. |
1732 | | * 4. The ticket allowed 0-RTT. |
1733 | | * 5. We negotiated the same ALPN value as in the ticket. |
1734 | | */ |
1735 | | static void |
1736 | | tls13_NegotiateZeroRtt(sslSocket *ss, const sslSessionID *sid) |
1737 | 759 | { |
1738 | 759 | SSL_TRC(3, ("%d: TLS13[%d]: negotiate 0-RTT %p", |
1739 | 759 | SSL_GETPID(), ss->fd, sid)); |
1740 | | |
1741 | | /* tls13_ServerHandleEarlyDataXtn sets this to ssl_0rtt_sent, so this will |
1742 | | * be ssl_0rtt_none unless early_data is present. */ |
1743 | 759 | if (ss->ssl3.hs.zeroRttState == ssl_0rtt_none) { |
1744 | 455 | return; |
1745 | 455 | } |
1746 | | |
1747 | 304 | if (ss->ssl3.hs.zeroRttState == ssl_0rtt_ignored) { |
1748 | | /* HelloRetryRequest causes 0-RTT to be ignored. On the second |
1749 | | * ClientHello, reset the ignore state so that decryption failure is |
1750 | | * handled normally. */ |
1751 | 0 | if (ss->ssl3.hs.zeroRttIgnore == ssl_0rtt_ignore_hrr) { |
1752 | 0 | PORT_Assert(ss->ssl3.hs.helloRetry); |
1753 | 0 | ss->ssl3.hs.zeroRttState = ssl_0rtt_none; |
1754 | 0 | ss->ssl3.hs.zeroRttIgnore = ssl_0rtt_ignore_none; |
1755 | 0 | } else { |
1756 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: application ignored 0-RTT", |
1757 | 0 | SSL_GETPID(), ss->fd)); |
1758 | 0 | } |
1759 | 0 | return; |
1760 | 0 | } |
1761 | | |
1762 | 304 | if (!tls13_CanNegotiateZeroRtt(ss, sid)) { |
1763 | 304 | SSL_TRC(3, ("%d: TLS13[%d]: ignore 0-RTT", SSL_GETPID(), ss->fd)); |
1764 | 304 | ss->ssl3.hs.zeroRttState = ssl_0rtt_ignored; |
1765 | 304 | ss->ssl3.hs.zeroRttIgnore = ssl_0rtt_ignore_trial; |
1766 | 304 | return; |
1767 | 304 | } |
1768 | | |
1769 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: enable 0-RTT", SSL_GETPID(), ss->fd)); |
1770 | 0 | PORT_Assert(ss->xtnData.selectedPsk); |
1771 | 0 | ss->ssl3.hs.zeroRttState = ssl_0rtt_accepted; |
1772 | 0 | ss->ssl3.hs.zeroRttIgnore = ssl_0rtt_ignore_none; |
1773 | 0 | ss->ssl3.hs.zeroRttSuite = ss->ssl3.hs.cipher_suite; |
1774 | 0 | ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_0rtt_cipher_suite; |
1775 | 0 | } |
1776 | | |
1777 | | /* Check if the offered group is acceptable. */ |
1778 | | static PRBool |
1779 | | tls13_isGroupAcceptable(const sslNamedGroupDef *offered, |
1780 | | const sslNamedGroupDef *preferredGroup) |
1781 | 11 | { |
1782 | | /* We accept epsilon (e) bits around the offered group size. */ |
1783 | 11 | const unsigned int e = 2; |
1784 | | |
1785 | 11 | PORT_Assert(offered); |
1786 | 11 | PORT_Assert(preferredGroup); |
1787 | | |
1788 | 11 | if (offered->bits >= preferredGroup->bits - e && |
1789 | 11 | offered->bits <= preferredGroup->bits + e) { |
1790 | 1 | return PR_TRUE; |
1791 | 1 | } |
1792 | | |
1793 | 10 | return PR_FALSE; |
1794 | 11 | } |
1795 | | |
1796 | | /* Find remote key share for given group and return it. |
1797 | | * Returns NULL if no key share is found. */ |
1798 | | static TLS13KeyShareEntry * |
1799 | | tls13_FindKeyShareEntry(sslSocket *ss, const sslNamedGroupDef *group) |
1800 | 1.07k | { |
1801 | 1.07k | PRCList *cur_p = PR_NEXT_LINK(&ss->xtnData.remoteKeyShares); |
1802 | 1.36k | while (cur_p != &ss->xtnData.remoteKeyShares) { |
1803 | 1.07k | TLS13KeyShareEntry *offer = (TLS13KeyShareEntry *)cur_p; |
1804 | 1.07k | if (offer->group == group) { |
1805 | 781 | return offer; |
1806 | 781 | } |
1807 | 290 | cur_p = PR_NEXT_LINK(cur_p); |
1808 | 290 | } |
1809 | 295 | return NULL; |
1810 | 1.07k | } |
1811 | | |
1812 | | static SECStatus |
1813 | | tls13_NegotiateKeyExchange(sslSocket *ss, |
1814 | | const sslNamedGroupDef **requestedGroup, |
1815 | | TLS13KeyShareEntry **clientShare) |
1816 | 1.07k | { |
1817 | 1.07k | unsigned int index; |
1818 | 1.07k | TLS13KeyShareEntry *entry = NULL; |
1819 | 1.07k | const sslNamedGroupDef *preferredGroup = NULL; |
1820 | | |
1821 | | /* We insist on DHE. */ |
1822 | 1.07k | if (ssl3_ExtensionNegotiated(ss, ssl_tls13_pre_shared_key_xtn)) { |
1823 | 27 | if (!ssl3_ExtensionNegotiated(ss, ssl_tls13_psk_key_exchange_modes_xtn)) { |
1824 | 11 | FATAL_ERROR(ss, SSL_ERROR_MISSING_PSK_KEY_EXCHANGE_MODES, |
1825 | 11 | missing_extension); |
1826 | 11 | return SECFailure; |
1827 | 11 | } |
1828 | | /* Since the server insists on DHE to provide forward secracy, for |
1829 | | * every other PskKem value but DHE stateless resumption is disabled, |
1830 | | * this includes other specified and GREASE values. */ |
1831 | 16 | if (!memchr(ss->xtnData.psk_ke_modes.data, tls13_psk_dh_ke, |
1832 | 16 | ss->xtnData.psk_ke_modes.len)) { |
1833 | 13 | SSL_TRC(3, ("%d: TLS13[%d]: client offered PSK without DH", |
1834 | 13 | SSL_GETPID(), ss->fd)); |
1835 | 13 | ss->statelessResume = PR_FALSE; |
1836 | 13 | } |
1837 | 16 | } |
1838 | | |
1839 | | /* Now figure out which key share we like the best out of the |
1840 | | * mutually supported groups, regardless of what the client offered |
1841 | | * for key shares. |
1842 | | */ |
1843 | 1.05k | if (!ssl3_ExtensionNegotiated(ss, ssl_supported_groups_xtn)) { |
1844 | 9 | FATAL_ERROR(ss, SSL_ERROR_MISSING_SUPPORTED_GROUPS_EXTENSION, |
1845 | 9 | missing_extension); |
1846 | 9 | return SECFailure; |
1847 | 9 | } |
1848 | | |
1849 | 1.05k | SSL_TRC(3, ("%d: TLS13[%d]: selected KE = %s", SSL_GETPID(), |
1850 | 1.05k | ss->fd, ss->statelessResume || ss->xtnData.selectedPsk ? "PSK + (EC)DHE" : "(EC)DHE")); |
1851 | | |
1852 | | /* Find the preferred group and an according client key share available. */ |
1853 | 3.05k | for (index = 0; index < SSL_NAMED_GROUP_COUNT; ++index) { |
1854 | | /* Continue to the next group if this one is not enabled. */ |
1855 | 3.04k | if (!ss->namedGroupPreferences[index]) { |
1856 | | /* There's a gap in the preferred groups list. Assume this is a group |
1857 | | * that's not supported by the client but preferred by the server. */ |
1858 | 1.97k | if (preferredGroup) { |
1859 | 246 | entry = NULL; |
1860 | 246 | break; |
1861 | 246 | } |
1862 | 1.72k | continue; |
1863 | 1.97k | } |
1864 | | |
1865 | | /* Check if the client sent a key share for this group. */ |
1866 | 1.07k | entry = tls13_FindKeyShareEntry(ss, ss->namedGroupPreferences[index]); |
1867 | | |
1868 | 1.07k | if (preferredGroup) { |
1869 | | /* We already found our preferred group but the group didn't have a share. */ |
1870 | 30 | if (entry) { |
1871 | | /* The client sent a key share with group ss->namedGroupPreferences[index] */ |
1872 | 11 | if (tls13_isGroupAcceptable(ss->namedGroupPreferences[index], |
1873 | 11 | preferredGroup)) { |
1874 | | /* This is not the preferred group, but it's acceptable */ |
1875 | 1 | preferredGroup = ss->namedGroupPreferences[index]; |
1876 | 10 | } else { |
1877 | | /* The proposed group is not acceptable. */ |
1878 | 10 | entry = NULL; |
1879 | 10 | } |
1880 | 11 | } |
1881 | 30 | break; |
1882 | 1.04k | } else { |
1883 | | /* The first enabled group is the preferred group. */ |
1884 | 1.04k | preferredGroup = ss->namedGroupPreferences[index]; |
1885 | 1.04k | if (entry) { |
1886 | 770 | break; |
1887 | 770 | } |
1888 | 1.04k | } |
1889 | 1.07k | } |
1890 | | |
1891 | 1.05k | if (!preferredGroup) { |
1892 | 4 | FATAL_ERROR(ss, SSL_ERROR_NO_CYPHER_OVERLAP, handshake_failure); |
1893 | 4 | return SECFailure; |
1894 | 4 | } |
1895 | 1.04k | SSL_TRC(3, ("%d: TLS13[%d]: group = %d", SSL_GETPID(), ss->fd, |
1896 | 1.04k | preferredGroup->name)); |
1897 | | |
1898 | | /* Either provide a share, or provide a group that should be requested in a |
1899 | | * HelloRetryRequest, but not both. */ |
1900 | 1.04k | if (entry) { |
1901 | 771 | PORT_Assert(preferredGroup == entry->group); |
1902 | 771 | *clientShare = entry; |
1903 | 771 | *requestedGroup = NULL; |
1904 | 771 | } else { |
1905 | 275 | *clientShare = NULL; |
1906 | 275 | *requestedGroup = preferredGroup; |
1907 | 275 | } |
1908 | 1.04k | return SECSuccess; |
1909 | 1.05k | } |
1910 | | |
1911 | | SECStatus |
1912 | | tls13_SelectServerCert(sslSocket *ss) |
1913 | 771 | { |
1914 | 771 | PRCList *cursor; |
1915 | 771 | SECStatus rv; |
1916 | | |
1917 | 771 | if (!ssl3_ExtensionNegotiated(ss, ssl_signature_algorithms_xtn)) { |
1918 | 2 | FATAL_ERROR(ss, SSL_ERROR_MISSING_SIGNATURE_ALGORITHMS_EXTENSION, |
1919 | 2 | missing_extension); |
1920 | 2 | return SECFailure; |
1921 | 2 | } |
1922 | | |
1923 | | /* This picks the first certificate that has: |
1924 | | * a) the right authentication method, and |
1925 | | * b) the right named curve (EC only) |
1926 | | * |
1927 | | * We might want to do some sort of ranking here later. For now, it's all |
1928 | | * based on what order they are configured in. */ |
1929 | 769 | for (cursor = PR_NEXT_LINK(&ss->serverCerts); |
1930 | 1.37k | cursor != &ss->serverCerts; |
1931 | 1.36k | cursor = PR_NEXT_LINK(cursor)) { |
1932 | 1.36k | sslServerCert *cert = (sslServerCert *)cursor; |
1933 | | |
1934 | 1.36k | if (SSL_CERT_IS_ONLY(cert, ssl_auth_rsa_decrypt)) { |
1935 | 0 | continue; |
1936 | 0 | } |
1937 | | |
1938 | 1.36k | rv = ssl_PickSignatureScheme(ss, |
1939 | 1.36k | cert->serverCert, |
1940 | 1.36k | cert->serverKeyPair->pubKey, |
1941 | 1.36k | cert->serverKeyPair->privKey, |
1942 | 1.36k | ss->xtnData.sigSchemes, |
1943 | 1.36k | ss->xtnData.numSigSchemes, |
1944 | 1.36k | PR_FALSE, |
1945 | 1.36k | &ss->ssl3.hs.signatureScheme); |
1946 | 1.36k | if (rv == SECSuccess) { |
1947 | | /* Found one. */ |
1948 | 759 | ss->sec.serverCert = cert; |
1949 | | |
1950 | | /* If we can use a delegated credential (DC) for authentication in |
1951 | | * the current handshake, then commit to using it now. We'll send a |
1952 | | * DC as an extension and use the DC private key to sign the |
1953 | | * handshake. |
1954 | | * |
1955 | | * This sets the signature scheme to be the signature scheme |
1956 | | * indicated by the DC. |
1957 | | */ |
1958 | 759 | rv = tls13_MaybeSetDelegatedCredential(ss); |
1959 | 759 | if (rv != SECSuccess) { |
1960 | 0 | return SECFailure; /* Failure indicates an internal error. */ |
1961 | 0 | } |
1962 | | |
1963 | 759 | ss->sec.authType = ss->ssl3.hs.kea_def_mutable.authKeyType = |
1964 | 759 | ssl_SignatureSchemeToAuthType(ss->ssl3.hs.signatureScheme); |
1965 | 759 | ss->sec.authKeyBits = cert->serverKeyBits; |
1966 | 759 | return SECSuccess; |
1967 | 759 | } |
1968 | 1.36k | } |
1969 | | |
1970 | 10 | FATAL_ERROR(ss, SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM, |
1971 | 10 | handshake_failure); |
1972 | 10 | return SECFailure; |
1973 | 769 | } |
1974 | | |
1975 | | /* Note: |requestedGroup| is non-NULL when we send a key_share extension. */ |
1976 | | static SECStatus |
1977 | | tls13_MaybeSendHelloRetry(sslSocket *ss, const sslNamedGroupDef *requestedGroup, |
1978 | | PRBool *hrrSent) |
1979 | 1.04k | { |
1980 | 1.04k | SSLHelloRetryRequestAction action = ssl_hello_retry_accept; |
1981 | 1.04k | PRUint8 token[256] = { 0 }; |
1982 | 1.04k | unsigned int tokenLen = 0; |
1983 | 1.04k | SECStatus rv; |
1984 | | |
1985 | 1.04k | if (ss->hrrCallback) { |
1986 | 0 | action = ss->hrrCallback(!ss->ssl3.hs.helloRetry, |
1987 | 0 | ss->xtnData.applicationToken.data, |
1988 | 0 | ss->xtnData.applicationToken.len, |
1989 | 0 | token, &tokenLen, sizeof(token), |
1990 | 0 | ss->hrrCallbackArg); |
1991 | 0 | } |
1992 | | |
1993 | | /* These use SSL3_SendAlert directly to avoid an assertion in |
1994 | | * tls13_FatalError(), which is ordinarily OK. */ |
1995 | 1.04k | if (action == ssl_hello_retry_request && ss->ssl3.hs.helloRetry) { |
1996 | 0 | (void)SSL3_SendAlert(ss, alert_fatal, internal_error); |
1997 | 0 | PORT_SetError(SSL_ERROR_APP_CALLBACK_ERROR); |
1998 | 0 | return SECFailure; |
1999 | 0 | } |
2000 | | |
2001 | 1.04k | if (action != ssl_hello_retry_request && tokenLen) { |
2002 | 0 | (void)SSL3_SendAlert(ss, alert_fatal, internal_error); |
2003 | 0 | PORT_SetError(SSL_ERROR_APP_CALLBACK_ERROR); |
2004 | 0 | return SECFailure; |
2005 | 0 | } |
2006 | | |
2007 | 1.04k | if (tokenLen > sizeof(token)) { |
2008 | 0 | (void)SSL3_SendAlert(ss, alert_fatal, internal_error); |
2009 | 0 | PORT_SetError(SSL_ERROR_APP_CALLBACK_ERROR); |
2010 | 0 | return SECFailure; |
2011 | 0 | } |
2012 | | |
2013 | 1.04k | if (action == ssl_hello_retry_fail) { |
2014 | 0 | FATAL_ERROR(ss, SSL_ERROR_APPLICATION_ABORT, handshake_failure); |
2015 | 0 | return SECFailure; |
2016 | 0 | } |
2017 | | |
2018 | 1.04k | if (action == ssl_hello_retry_reject_0rtt) { |
2019 | 0 | ss->ssl3.hs.zeroRttState = ssl_0rtt_ignored; |
2020 | 0 | ss->ssl3.hs.zeroRttIgnore = ssl_0rtt_ignore_trial; |
2021 | 0 | } |
2022 | | |
2023 | 1.04k | if (!requestedGroup && action != ssl_hello_retry_request) { |
2024 | 771 | return SECSuccess; |
2025 | 771 | } |
2026 | | |
2027 | 275 | rv = tls13_SendHelloRetryRequest(ss, requestedGroup, token, tokenLen); |
2028 | 275 | if (rv != SECSuccess) { |
2029 | 0 | return SECFailure; /* Code already set. */ |
2030 | 0 | } |
2031 | | |
2032 | | /* We may have received ECH, but have to start over with CH2. */ |
2033 | 275 | ss->ssl3.hs.echAccepted = PR_FALSE; |
2034 | 275 | PK11_HPKE_DestroyContext(ss->ssl3.hs.echHpkeCtx, PR_TRUE); |
2035 | 275 | ss->ssl3.hs.echHpkeCtx = NULL; |
2036 | | |
2037 | 275 | *hrrSent = PR_TRUE; |
2038 | 275 | return SECSuccess; |
2039 | 275 | } |
2040 | | |
2041 | | static SECStatus |
2042 | | tls13_NegotiateAuthentication(sslSocket *ss) |
2043 | 771 | { |
2044 | 771 | if (ss->statelessResume) { |
2045 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: selected resumption PSK authentication", |
2046 | 0 | SSL_GETPID(), ss->fd)); |
2047 | 0 | ss->ssl3.hs.signatureScheme = ssl_sig_none; |
2048 | 0 | ss->ssl3.hs.kea_def_mutable.authKeyType = ssl_auth_psk; |
2049 | | /* Overwritten by tls13_RestoreCipherInfo. */ |
2050 | 0 | ss->sec.authType = ssl_auth_psk; |
2051 | 0 | return SECSuccess; |
2052 | 771 | } else if (ss->xtnData.selectedPsk) { |
2053 | | /* If the EPSK doesn't specify a suite, use what was negotiated. |
2054 | | * Else, only use the EPSK if we negotiated that suite. */ |
2055 | 0 | if (ss->xtnData.selectedPsk->zeroRttSuite == TLS_NULL_WITH_NULL_NULL || |
2056 | 0 | ss->ssl3.hs.cipher_suite == ss->xtnData.selectedPsk->zeroRttSuite) { |
2057 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: selected external PSK authentication", |
2058 | 0 | SSL_GETPID(), ss->fd)); |
2059 | 0 | ss->ssl3.hs.signatureScheme = ssl_sig_none; |
2060 | 0 | ss->ssl3.hs.kea_def_mutable.authKeyType = ssl_auth_psk; |
2061 | 0 | ss->sec.authType = ssl_auth_psk; |
2062 | 0 | return SECSuccess; |
2063 | 0 | } |
2064 | 0 | } |
2065 | | |
2066 | | /* If there were PSKs, they are no longer needed. */ |
2067 | 771 | if (ss->xtnData.selectedPsk) { |
2068 | 0 | tls13_DestroyPskList(&ss->ssl3.hs.psks); |
2069 | 0 | ss->xtnData.selectedPsk = NULL; |
2070 | 0 | } |
2071 | | |
2072 | 771 | SSL_TRC(3, ("%d: TLS13[%d]: selected certificate authentication", |
2073 | 771 | SSL_GETPID(), ss->fd)); |
2074 | 771 | SECStatus rv = tls13_SelectServerCert(ss); |
2075 | 771 | if (rv != SECSuccess) { |
2076 | 12 | return SECFailure; |
2077 | 12 | } |
2078 | 759 | return SECSuccess; |
2079 | 771 | } |
2080 | | /* Called from ssl3_HandleClientHello after we have parsed the |
2081 | | * ClientHello and are sure that we are going to do TLS 1.3 |
2082 | | * or fail. */ |
2083 | | SECStatus |
2084 | | tls13_HandleClientHelloPart2(sslSocket *ss, |
2085 | | const SECItem *suites, |
2086 | | sslSessionID *sid, |
2087 | | const PRUint8 *msg, |
2088 | | unsigned int len) |
2089 | 1.25k | { |
2090 | 1.25k | SECStatus rv; |
2091 | 1.25k | SSL3Statistics *ssl3stats = SSL_GetStatistics(); |
2092 | 1.25k | const sslNamedGroupDef *requestedGroup = NULL; |
2093 | 1.25k | TLS13KeyShareEntry *clientShare = NULL; |
2094 | 1.25k | ssl3CipherSuite previousCipherSuite = 0; |
2095 | 1.25k | const sslNamedGroupDef *previousGroup = NULL; |
2096 | 1.25k | PRBool hrr = PR_FALSE; |
2097 | 1.25k | PRBool previousOfferedEch; |
2098 | | |
2099 | | /* If the legacy_version field is set to 0x300 or smaller, |
2100 | | * reject the connection with protocol_version alert. */ |
2101 | 1.25k | if (ss->clientHelloVersion <= SSL_LIBRARY_VERSION_3_0) { |
2102 | 25 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CLIENT_HELLO, protocol_version); |
2103 | 25 | goto loser; |
2104 | 25 | } |
2105 | | |
2106 | 1.23k | ss->ssl3.hs.endOfFlight = PR_TRUE; |
2107 | | |
2108 | 1.23k | if (ssl3_ExtensionNegotiated(ss, ssl_tls13_early_data_xtn)) { |
2109 | 394 | ss->ssl3.hs.zeroRttState = ssl_0rtt_sent; |
2110 | 394 | } |
2111 | | |
2112 | | /* Negotiate cipher suite. */ |
2113 | 1.23k | rv = ssl3_NegotiateCipherSuite(ss, suites, PR_FALSE); |
2114 | 1.23k | if (rv != SECSuccess) { |
2115 | 33 | FATAL_ERROR(ss, PORT_GetError(), handshake_failure); |
2116 | 33 | goto loser; |
2117 | 33 | } |
2118 | | |
2119 | | /* If we are going around again, then we should make sure that the cipher |
2120 | | * suite selection doesn't change. That's a sign of client shennanigans. */ |
2121 | 1.19k | if (ss->ssl3.hs.helloRetry) { |
2122 | | |
2123 | | /* Update sequence numbers before checking the cookie so that any alerts |
2124 | | * we generate are sent with the right sequence numbers. */ |
2125 | 128 | if (IS_DTLS(ss)) { |
2126 | | /* Count the first ClientHello and the HelloRetryRequest. */ |
2127 | 0 | ss->ssl3.hs.sendMessageSeq = 1; |
2128 | 0 | ss->ssl3.hs.recvMessageSeq = 1; |
2129 | 0 | ssl_GetSpecWriteLock(ss); |
2130 | | /* Increase the write sequence number. The read sequence number |
2131 | | * will be reset after this to early data or handshake. */ |
2132 | 0 | ss->ssl3.cwSpec->nextSeqNum = 1; |
2133 | 0 | ssl_ReleaseSpecWriteLock(ss); |
2134 | 0 | } |
2135 | | |
2136 | 128 | if (!ssl3_ExtensionNegotiated(ss, ssl_tls13_cookie_xtn) || |
2137 | 128 | !ss->xtnData.cookie.len) { |
2138 | 56 | FATAL_ERROR(ss, SSL_ERROR_MISSING_COOKIE_EXTENSION, |
2139 | 56 | missing_extension); |
2140 | 56 | goto loser; |
2141 | 56 | } |
2142 | 72 | PRINT_BUF(50, (ss, "Client sent cookie", |
2143 | 72 | ss->xtnData.cookie.data, ss->xtnData.cookie.len)); |
2144 | | |
2145 | 72 | rv = tls13_HandleHrrCookie(ss, ss->xtnData.cookie.data, |
2146 | 72 | ss->xtnData.cookie.len, |
2147 | 72 | &previousCipherSuite, |
2148 | 72 | &previousGroup, |
2149 | 72 | &previousOfferedEch, NULL, PR_TRUE); |
2150 | | |
2151 | 72 | if (rv != SECSuccess) { |
2152 | 72 | FATAL_ERROR(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO, illegal_parameter); |
2153 | 72 | goto loser; |
2154 | 72 | } |
2155 | 72 | } |
2156 | | |
2157 | | /* Now merge the ClientHello into the hash state. */ |
2158 | 1.07k | rv = ssl_HashHandshakeMessage(ss, ssl_hs_client_hello, msg, len); |
2159 | 1.07k | if (rv != SECSuccess) { |
2160 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
2161 | 0 | goto loser; |
2162 | 0 | } |
2163 | | |
2164 | | /* Now create a synthetic kea_def that we can tweak. */ |
2165 | 1.07k | ss->ssl3.hs.kea_def_mutable = *ss->ssl3.hs.kea_def; |
2166 | 1.07k | ss->ssl3.hs.kea_def = &ss->ssl3.hs.kea_def_mutable; |
2167 | | |
2168 | | /* Note: We call this quite a bit earlier than with TLS 1.2 and |
2169 | | * before. */ |
2170 | 1.07k | rv = ssl3_ServerCallSNICallback(ss); |
2171 | 1.07k | if (rv != SECSuccess) { |
2172 | 0 | goto loser; /* An alert has already been sent. */ |
2173 | 0 | } |
2174 | | |
2175 | | /* Check if we could in principle resume. */ |
2176 | 1.07k | if (ss->statelessResume) { |
2177 | 19 | PORT_Assert(sid); |
2178 | 19 | if (!sid) { |
2179 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
2180 | 0 | return SECFailure; |
2181 | 0 | } |
2182 | 19 | if (!tls13_CanResume(ss, sid)) { |
2183 | 16 | ss->statelessResume = PR_FALSE; |
2184 | 16 | } |
2185 | 19 | } |
2186 | | |
2187 | | /* Select key exchange. */ |
2188 | 1.07k | rv = tls13_NegotiateKeyExchange(ss, &requestedGroup, &clientShare); |
2189 | 1.07k | if (rv != SECSuccess) { |
2190 | 24 | goto loser; |
2191 | 24 | } |
2192 | | /* We should get either one of these, but not both. */ |
2193 | 1.04k | PORT_Assert((requestedGroup && !clientShare) || |
2194 | 1.04k | (!requestedGroup && clientShare)); |
2195 | | |
2196 | | /* After HelloRetryRequest, check consistency of cipher and group. */ |
2197 | 1.04k | if (ss->ssl3.hs.helloRetry) { |
2198 | 0 | PORT_Assert(previousCipherSuite); |
2199 | 0 | if (ss->ssl3.hs.cipher_suite != previousCipherSuite) { |
2200 | 0 | FATAL_ERROR(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO, |
2201 | 0 | illegal_parameter); |
2202 | 0 | goto loser; |
2203 | 0 | } |
2204 | 0 | if (!clientShare) { |
2205 | 0 | FATAL_ERROR(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO, |
2206 | 0 | illegal_parameter); |
2207 | 0 | goto loser; |
2208 | 0 | } |
2209 | | |
2210 | | /* CH1/CH2 must either both include ECH, or both exclude it. */ |
2211 | 0 | if (previousOfferedEch != (ss->xtnData.ech != NULL)) { |
2212 | 0 | FATAL_ERROR(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO, |
2213 | 0 | previousOfferedEch ? missing_extension : illegal_parameter); |
2214 | 0 | goto loser; |
2215 | 0 | } |
2216 | | |
2217 | | /* If we requested a new key share, check that the client provided just |
2218 | | * one of the right type. */ |
2219 | 0 | if (previousGroup) { |
2220 | 0 | if (PR_PREV_LINK(&ss->xtnData.remoteKeyShares) != |
2221 | 0 | PR_NEXT_LINK(&ss->xtnData.remoteKeyShares)) { |
2222 | 0 | FATAL_ERROR(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO, |
2223 | 0 | illegal_parameter); |
2224 | 0 | goto loser; |
2225 | 0 | } |
2226 | 0 | if (clientShare->group != previousGroup) { |
2227 | 0 | FATAL_ERROR(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO, |
2228 | 0 | illegal_parameter); |
2229 | 0 | goto loser; |
2230 | 0 | } |
2231 | 0 | } |
2232 | 0 | } |
2233 | | |
2234 | 1.04k | rv = tls13_MaybeSendHelloRetry(ss, requestedGroup, &hrr); |
2235 | 1.04k | if (rv != SECSuccess) { |
2236 | 0 | goto loser; |
2237 | 0 | } |
2238 | 1.04k | if (hrr) { |
2239 | 275 | if (sid) { /* Free the sid. */ |
2240 | 10 | ssl_UncacheSessionID(ss); |
2241 | 10 | ssl_FreeSID(sid); |
2242 | 10 | } |
2243 | 275 | PORT_Assert(ss->ssl3.hs.helloRetry); |
2244 | 275 | return SECSuccess; |
2245 | 275 | } |
2246 | | |
2247 | | /* Select the authentication (this is also handshake shape). */ |
2248 | 771 | rv = tls13_NegotiateAuthentication(ss); |
2249 | 771 | if (rv != SECSuccess) { |
2250 | 12 | goto loser; |
2251 | 12 | } |
2252 | | |
2253 | 759 | if (ss->sec.authType == ssl_auth_psk) { |
2254 | 0 | if (ss->statelessResume) { |
2255 | | /* We are now committed to trying to resume. */ |
2256 | 0 | PORT_Assert(sid); |
2257 | | /* Check that the negotiated SNI and the cached SNI match. */ |
2258 | 0 | if (SECITEM_CompareItem(&sid->u.ssl3.srvName, |
2259 | 0 | &ss->ssl3.hs.srvVirtName) != SECEqual) { |
2260 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CLIENT_HELLO, |
2261 | 0 | handshake_failure); |
2262 | 0 | goto loser; |
2263 | 0 | } |
2264 | | |
2265 | 0 | ss->sec.serverCert = ssl_FindServerCert(ss, sid->authType, |
2266 | 0 | sid->namedCurve); |
2267 | 0 | PORT_Assert(ss->sec.serverCert); |
2268 | |
|
2269 | 0 | rv = tls13_RecoverWrappedSharedSecret(ss, sid); |
2270 | 0 | if (rv != SECSuccess) { |
2271 | 0 | SSL_AtomicIncrementLong(&ssl3stats->hch_sid_cache_not_ok); |
2272 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
2273 | 0 | goto loser; |
2274 | 0 | } |
2275 | 0 | tls13_RestoreCipherInfo(ss, sid); |
2276 | |
|
2277 | 0 | ss->sec.localCert = CERT_DupCertificate(ss->sec.serverCert->serverCert); |
2278 | 0 | if (sid->peerCert != NULL) { |
2279 | 0 | ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); |
2280 | 0 | } |
2281 | 0 | } else if (sid) { |
2282 | | /* We should never have a SID in the non-resumption case. */ |
2283 | 0 | PORT_Assert(0); |
2284 | 0 | ssl_UncacheSessionID(ss); |
2285 | 0 | ssl_FreeSID(sid); |
2286 | 0 | sid = NULL; |
2287 | 0 | } |
2288 | 0 | ssl3_RegisterExtensionSender( |
2289 | 0 | ss, &ss->xtnData, |
2290 | 0 | ssl_tls13_pre_shared_key_xtn, tls13_ServerSendPreSharedKeyXtn); |
2291 | 0 | tls13_NegotiateZeroRtt(ss, sid); |
2292 | |
|
2293 | 0 | rv = tls13_ComputeEarlySecretsWithPsk(ss); |
2294 | 0 | if (rv != SECSuccess) { |
2295 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
2296 | 0 | return SECFailure; |
2297 | 0 | } |
2298 | 759 | } else { |
2299 | 759 | if (sid) { /* we had a sid, but it's no longer valid, free it */ |
2300 | 0 | SSL_AtomicIncrementLong(&ssl3stats->hch_sid_cache_not_ok); |
2301 | 0 | ssl_UncacheSessionID(ss); |
2302 | 0 | ssl_FreeSID(sid); |
2303 | 0 | sid = NULL; |
2304 | 0 | } |
2305 | 759 | tls13_NegotiateZeroRtt(ss, NULL); |
2306 | 759 | } |
2307 | | |
2308 | 759 | if (ss->statelessResume) { |
2309 | 0 | PORT_Assert(ss->xtnData.selectedPsk); |
2310 | 0 | PORT_Assert(ss->ssl3.hs.kea_def_mutable.authKeyType == ssl_auth_psk); |
2311 | 0 | } |
2312 | | |
2313 | | /* Now that we have the binder key, check the binder. */ |
2314 | 759 | if (ss->xtnData.selectedPsk) { |
2315 | 0 | SSL3Hashes hashes; |
2316 | 0 | PORT_Assert(ss->ssl3.hs.messages.len > ss->xtnData.pskBindersLen); |
2317 | 0 | rv = tls13_ComputePskBinderHash( |
2318 | 0 | ss, |
2319 | 0 | ss->ssl3.hs.messages.buf, |
2320 | 0 | ss->ssl3.hs.messages.len - ss->xtnData.pskBindersLen, |
2321 | 0 | &hashes, tls13_GetHash(ss)); |
2322 | 0 | if (rv != SECSuccess) { |
2323 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
2324 | 0 | goto loser; |
2325 | 0 | } |
2326 | | |
2327 | 0 | PORT_Assert(ss->xtnData.selectedPsk->hash == tls13_GetHash(ss)); |
2328 | 0 | PORT_Assert(ss->ssl3.hs.suite_def); |
2329 | 0 | rv = tls13_VerifyFinished(ss, ssl_hs_client_hello, |
2330 | 0 | ss->xtnData.selectedPsk->binderKey, |
2331 | 0 | ss->xtnData.pskBinder.data, |
2332 | 0 | ss->xtnData.pskBinder.len, |
2333 | 0 | &hashes); |
2334 | 0 | } |
2335 | 759 | if (rv != SECSuccess) { |
2336 | 0 | goto loser; |
2337 | 0 | } |
2338 | | |
2339 | | /* This needs to go after we verify the psk binder. */ |
2340 | 759 | rv = ssl3_InitHandshakeHashes(ss); |
2341 | 759 | if (rv != SECSuccess) { |
2342 | 0 | goto loser; |
2343 | 0 | } |
2344 | | |
2345 | | /* If this is TLS 1.3 we are expecting a ClientKeyShare |
2346 | | * extension. Missing/absent extension cause failure |
2347 | | * below. */ |
2348 | 759 | rv = tls13_HandleClientKeyShare(ss, clientShare); |
2349 | 759 | if (rv != SECSuccess) { |
2350 | 20 | goto loser; /* An alert was sent already. */ |
2351 | 20 | } |
2352 | | |
2353 | | /* From this point we are either committed to resumption, or not. */ |
2354 | 739 | if (ss->statelessResume) { |
2355 | 0 | SSL_AtomicIncrementLong(&ssl3stats->hch_sid_cache_hits); |
2356 | 0 | SSL_AtomicIncrementLong(&ssl3stats->hch_sid_stateless_resumes); |
2357 | 739 | } else { |
2358 | 739 | if (sid) { |
2359 | | /* We had a sid, but it's no longer valid, free it. */ |
2360 | 0 | SSL_AtomicIncrementLong(&ssl3stats->hch_sid_cache_not_ok); |
2361 | 0 | ssl_UncacheSessionID(ss); |
2362 | 0 | ssl_FreeSID(sid); |
2363 | 739 | } else if (!ss->xtnData.selectedPsk) { |
2364 | 739 | SSL_AtomicIncrementLong(&ssl3stats->hch_sid_cache_misses); |
2365 | 739 | } |
2366 | | |
2367 | 739 | sid = ssl3_NewSessionID(ss, PR_TRUE); |
2368 | 739 | if (!sid) { |
2369 | 0 | FATAL_ERROR(ss, PORT_GetError(), internal_error); |
2370 | 0 | return SECFailure; |
2371 | 0 | } |
2372 | 739 | } |
2373 | | /* Take ownership of the session. */ |
2374 | 739 | ss->sec.ci.sid = sid; |
2375 | 739 | sid = NULL; |
2376 | | |
2377 | 739 | if (ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted) { |
2378 | 0 | rv = tls13_DeriveEarlySecrets(ss); |
2379 | 0 | if (rv != SECSuccess) { |
2380 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
2381 | 0 | return SECFailure; |
2382 | 0 | } |
2383 | 0 | } |
2384 | | |
2385 | 739 | ssl_GetXmitBufLock(ss); |
2386 | 739 | rv = tls13_SendServerHelloSequence(ss); |
2387 | 739 | ssl_ReleaseXmitBufLock(ss); |
2388 | 739 | if (rv != SECSuccess) { |
2389 | 0 | FATAL_ERROR(ss, PORT_GetError(), handshake_failure); |
2390 | 0 | return SECFailure; |
2391 | 0 | } |
2392 | | |
2393 | | /* We're done with PSKs */ |
2394 | 739 | tls13_DestroyPskList(&ss->ssl3.hs.psks); |
2395 | 739 | ss->xtnData.selectedPsk = NULL; |
2396 | | |
2397 | 739 | return SECSuccess; |
2398 | | |
2399 | 242 | loser: |
2400 | 242 | if (sid) { |
2401 | 14 | ssl_UncacheSessionID(ss); |
2402 | 14 | ssl_FreeSID(sid); |
2403 | 14 | } |
2404 | 242 | return SECFailure; |
2405 | 739 | } |
2406 | | |
2407 | | SECStatus |
2408 | | SSLExp_HelloRetryRequestCallback(PRFileDesc *fd, |
2409 | | SSLHelloRetryRequestCallback cb, void *arg) |
2410 | 0 | { |
2411 | 0 | sslSocket *ss = ssl_FindSocket(fd); |
2412 | 0 | if (!ss) { |
2413 | 0 | return SECFailure; /* Code already set. */ |
2414 | 0 | } |
2415 | | |
2416 | 0 | ss->hrrCallback = cb; |
2417 | 0 | ss->hrrCallbackArg = arg; |
2418 | 0 | return SECSuccess; |
2419 | 0 | } |
2420 | | |
2421 | | /* |
2422 | | * struct { |
2423 | | * ProtocolVersion server_version; |
2424 | | * CipherSuite cipher_suite; |
2425 | | * Extension extensions<2..2^16-1>; |
2426 | | * } HelloRetryRequest; |
2427 | | * |
2428 | | * Note: this function takes an empty buffer and returns |
2429 | | * a non-empty one on success, in which case the caller must |
2430 | | * eventually clean up. |
2431 | | */ |
2432 | | SECStatus |
2433 | | tls13_ConstructHelloRetryRequest(sslSocket *ss, |
2434 | | ssl3CipherSuite cipherSuite, |
2435 | | const sslNamedGroupDef *selectedGroup, |
2436 | | PRUint8 *cookie, unsigned int cookieLen, |
2437 | | const PRUint8 *cookieGreaseEchSignal, |
2438 | | sslBuffer *buffer) |
2439 | 275 | { |
2440 | 275 | SECStatus rv; |
2441 | 275 | sslBuffer extensionsBuf = SSL_BUFFER_EMPTY; |
2442 | 275 | PORT_Assert(buffer->len == 0); |
2443 | | |
2444 | | /* Note: cookie is pointing to a stack variable, so is only valid |
2445 | | * now. */ |
2446 | 275 | ss->xtnData.selectedGroup = selectedGroup; |
2447 | 275 | ss->xtnData.cookie.data = cookie; |
2448 | 275 | ss->xtnData.cookie.len = cookieLen; |
2449 | | |
2450 | | /* Set restored ss->ssl3.hs.greaseEchBuf value for ECH HRR extension |
2451 | | * reconstruction. */ |
2452 | 275 | if (cookieGreaseEchSignal) { |
2453 | 0 | PORT_Assert(!ss->ssl3.hs.greaseEchBuf.len); |
2454 | 0 | rv = sslBuffer_Append(&ss->ssl3.hs.greaseEchBuf, |
2455 | 0 | cookieGreaseEchSignal, |
2456 | 0 | TLS13_ECH_SIGNAL_LEN); |
2457 | 0 | if (rv != SECSuccess) { |
2458 | 0 | goto loser; |
2459 | 0 | } |
2460 | 0 | } |
2461 | 275 | rv = ssl_ConstructExtensions(ss, &extensionsBuf, |
2462 | 275 | ssl_hs_hello_retry_request); |
2463 | | /* Reset ss->ssl3.hs.greaseEchBuf if it was changed. */ |
2464 | 275 | if (cookieGreaseEchSignal) { |
2465 | 0 | sslBuffer_Clear(&ss->ssl3.hs.greaseEchBuf); |
2466 | 0 | } |
2467 | 275 | if (rv != SECSuccess) { |
2468 | 0 | goto loser; |
2469 | 0 | } |
2470 | | /* These extensions can't be empty. */ |
2471 | 275 | PORT_Assert(SSL_BUFFER_LEN(&extensionsBuf) > 0); |
2472 | | |
2473 | | /* Clean up cookie so we're not pointing at random memory. */ |
2474 | 275 | ss->xtnData.cookie.data = NULL; |
2475 | 275 | ss->xtnData.cookie.len = 0; |
2476 | | |
2477 | 275 | rv = ssl_ConstructServerHello(ss, PR_TRUE, &extensionsBuf, buffer); |
2478 | 275 | if (rv != SECSuccess) { |
2479 | 0 | goto loser; |
2480 | 0 | } |
2481 | 275 | sslBuffer_Clear(&extensionsBuf); |
2482 | 275 | return SECSuccess; |
2483 | | |
2484 | 0 | loser: |
2485 | 0 | sslBuffer_Clear(&extensionsBuf); |
2486 | 0 | sslBuffer_Clear(buffer); |
2487 | 0 | return SECFailure; |
2488 | 275 | } |
2489 | | |
2490 | | static SECStatus |
2491 | | tls13_SendHelloRetryRequest(sslSocket *ss, |
2492 | | const sslNamedGroupDef *requestedGroup, |
2493 | | const PRUint8 *appToken, unsigned int appTokenLen) |
2494 | 275 | { |
2495 | 275 | SECStatus rv; |
2496 | 275 | unsigned int cookieLen; |
2497 | 275 | PRUint8 cookie[1024]; |
2498 | 275 | sslBuffer messageBuf = SSL_BUFFER_EMPTY; |
2499 | | |
2500 | 275 | SSL_TRC(3, ("%d: TLS13[%d]: send hello retry request handshake", |
2501 | 275 | SSL_GETPID(), ss->fd)); |
2502 | | |
2503 | 275 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
2504 | | |
2505 | | /* If an ECH backend or shared-mode server accepted ECH when offered, |
2506 | | * the HRR extension's payload must be set to 8 zero bytes, these are |
2507 | | * overwritten with the accept_confirmation value after the handshake |
2508 | | * transcript calculation. |
2509 | | * If a client-facing or shared-mode server did not accept ECH when offered |
2510 | | * OR if ECH GREASE is enabled on the server and a ECH extension was |
2511 | | * received, a 8 byte random value is set as the extension's payload |
2512 | | * [draft-ietf-tls-esni-14, Section 7]. |
2513 | | * |
2514 | | * The (temporary) payload is written to the extension in tls13exthandle.c/ |
2515 | | * tls13_ServerSendHrrEchXtn(). */ |
2516 | 275 | if (ss->xtnData.ech) { |
2517 | 7 | PRUint8 echGreaseRaw[TLS13_ECH_SIGNAL_LEN] = { 0 }; |
2518 | 7 | if (!(ss->ssl3.hs.echAccepted || |
2519 | 7 | (ss->opt.enableTls13BackendEch && |
2520 | 7 | ss->xtnData.ech && |
2521 | 7 | ss->xtnData.ech->receivedInnerXtn))) { |
2522 | 7 | rv = PK11_GenerateRandom(echGreaseRaw, TLS13_ECH_SIGNAL_LEN); |
2523 | 7 | if (rv != SECSuccess) { |
2524 | 0 | return SECFailure; |
2525 | 0 | } |
2526 | 7 | SSL_TRC(100, ("Generated random value for ECH HRR GREASE.")); |
2527 | 7 | } |
2528 | 7 | sslBuffer echGreaseBuffer = SSL_BUFFER_EMPTY; |
2529 | 7 | rv = sslBuffer_Append(&echGreaseBuffer, echGreaseRaw, sizeof(echGreaseRaw)); |
2530 | 7 | if (rv != SECSuccess) { |
2531 | 0 | return SECFailure; |
2532 | 0 | } |
2533 | | /* HRR GREASE/accept_confirmation zero bytes placeholder buffer. */ |
2534 | 7 | ss->ssl3.hs.greaseEchBuf = echGreaseBuffer; |
2535 | 7 | } |
2536 | | |
2537 | | /* Compute the cookie we are going to need. */ |
2538 | 275 | rv = tls13_MakeHrrCookie(ss, requestedGroup, |
2539 | 275 | appToken, appTokenLen, |
2540 | 275 | cookie, &cookieLen, sizeof(cookie)); |
2541 | 275 | if (rv != SECSuccess) { |
2542 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
2543 | 0 | return SECFailure; |
2544 | 0 | } |
2545 | | |
2546 | | /* Now build the body of the message. */ |
2547 | 275 | rv = tls13_ConstructHelloRetryRequest(ss, ss->ssl3.hs.cipher_suite, |
2548 | 275 | requestedGroup, |
2549 | 275 | cookie, cookieLen, |
2550 | 275 | NULL, &messageBuf); |
2551 | 275 | if (rv != SECSuccess) { |
2552 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
2553 | 0 | return SECFailure; |
2554 | 0 | } |
2555 | | |
2556 | | /* And send it. */ |
2557 | 275 | ssl_GetXmitBufLock(ss); |
2558 | 275 | rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_server_hello, |
2559 | 275 | SSL_BUFFER_LEN(&messageBuf)); |
2560 | 275 | if (rv != SECSuccess) { |
2561 | 0 | goto loser; |
2562 | 0 | } |
2563 | 275 | rv = ssl3_AppendBufferToHandshake(ss, &messageBuf); |
2564 | 275 | if (rv != SECSuccess) { |
2565 | 0 | goto loser; |
2566 | 0 | } |
2567 | 275 | sslBuffer_Clear(&messageBuf); /* Done with messageBuf */ |
2568 | | |
2569 | 275 | if (ss->ssl3.hs.fakeSid.len) { |
2570 | 37 | PRInt32 sent; |
2571 | | |
2572 | 37 | PORT_Assert(!IS_DTLS(ss)); |
2573 | 37 | rv = ssl3_SendChangeCipherSpecsInt(ss); |
2574 | 37 | if (rv != SECSuccess) { |
2575 | 0 | goto loser; |
2576 | 0 | } |
2577 | | /* ssl3_SendChangeCipherSpecsInt() only flushes to the output buffer, so we |
2578 | | * have to force a send. */ |
2579 | 37 | sent = ssl_SendSavedWriteData(ss); |
2580 | 37 | if (sent < 0 && PORT_GetError() != PR_WOULD_BLOCK_ERROR) { |
2581 | 0 | PORT_SetError(SSL_ERROR_SOCKET_WRITE_FAILURE); |
2582 | 0 | goto loser; |
2583 | 0 | } |
2584 | 238 | } else { |
2585 | 238 | rv = ssl3_FlushHandshake(ss, 0); |
2586 | 238 | if (rv != SECSuccess) { |
2587 | 0 | goto loser; /* error code set by ssl3_FlushHandshake */ |
2588 | 0 | } |
2589 | 238 | } |
2590 | | |
2591 | | /* We depend on this being exactly one record and one message. */ |
2592 | 275 | PORT_Assert(!IS_DTLS(ss) || (ss->ssl3.hs.sendMessageSeq == 1 && |
2593 | 275 | ss->ssl3.cwSpec->nextSeqNum == 1)); |
2594 | 275 | ssl_ReleaseXmitBufLock(ss); |
2595 | | |
2596 | 275 | ss->ssl3.hs.helloRetry = PR_TRUE; |
2597 | | |
2598 | | /* We received early data but have to ignore it because we sent a retry. */ |
2599 | 275 | if (ss->ssl3.hs.zeroRttState == ssl_0rtt_sent) { |
2600 | 80 | ss->ssl3.hs.zeroRttState = ssl_0rtt_ignored; |
2601 | 80 | ss->ssl3.hs.zeroRttIgnore = ssl_0rtt_ignore_hrr; |
2602 | 80 | } |
2603 | | |
2604 | 275 | return SECSuccess; |
2605 | | |
2606 | 0 | loser: |
2607 | 0 | sslBuffer_Clear(&messageBuf); |
2608 | 0 | ssl_ReleaseXmitBufLock(ss); |
2609 | 0 | return SECFailure; |
2610 | 275 | } |
2611 | | |
2612 | | /* Called from tls13_HandleClientHello. |
2613 | | * |
2614 | | * Caller must hold Handshake and RecvBuf locks. |
2615 | | */ |
2616 | | |
2617 | | static SECStatus |
2618 | | tls13_HandleClientKeyShare(sslSocket *ss, TLS13KeyShareEntry *peerShare) |
2619 | 759 | { |
2620 | 759 | SECStatus rv; |
2621 | 759 | sslEphemeralKeyPair *keyPair; /* ours */ |
2622 | 759 | SECItem *ciphertext = NULL; |
2623 | 759 | PK11SymKey *dheSecret = NULL; |
2624 | 759 | PK11SymKey *kemSecret = NULL; |
2625 | | |
2626 | 759 | SSL_TRC(3, ("%d: TLS13[%d]: handle client_key_share handshake", |
2627 | 759 | SSL_GETPID(), ss->fd)); |
2628 | | |
2629 | 759 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
2630 | 759 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
2631 | 759 | PORT_Assert(peerShare); |
2632 | | |
2633 | 759 | tls13_SetKeyExchangeType(ss, peerShare->group); |
2634 | | |
2635 | | /* Generate our key */ |
2636 | 759 | rv = tls13_AddKeyShare(ss, peerShare->group); |
2637 | 759 | if (rv != SECSuccess) { |
2638 | 0 | return rv; |
2639 | 0 | } |
2640 | | |
2641 | | /* We should have exactly one key share. */ |
2642 | 759 | PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ephemeralKeyPairs)); |
2643 | 759 | PORT_Assert(PR_PREV_LINK(&ss->ephemeralKeyPairs) == |
2644 | 759 | PR_NEXT_LINK(&ss->ephemeralKeyPairs)); |
2645 | | |
2646 | 759 | keyPair = ((sslEphemeralKeyPair *)PR_NEXT_LINK(&ss->ephemeralKeyPairs)); |
2647 | 759 | ss->sec.keaKeyBits = SECKEY_PublicKeyStrengthInBits(keyPair->keys->pubKey); |
2648 | | |
2649 | | /* Register the sender */ |
2650 | 759 | rv = ssl3_RegisterExtensionSender(ss, &ss->xtnData, ssl_tls13_key_share_xtn, |
2651 | 759 | tls13_ServerSendKeyShareXtn); |
2652 | 759 | if (rv != SECSuccess) { |
2653 | 0 | return SECFailure; /* Error code set already. */ |
2654 | 0 | } |
2655 | | |
2656 | 759 | rv = tls13_HandleKeyShare(ss, peerShare, keyPair->keys, |
2657 | 759 | tls13_GetHash(ss), |
2658 | 759 | &dheSecret); |
2659 | 759 | if (rv != SECSuccess) { |
2660 | 20 | goto loser; /* Error code already set. */ |
2661 | 20 | } |
2662 | | |
2663 | 739 | if (peerShare->group->keaType == ssl_kea_ecdh_hybrid) { |
2664 | 0 | rv = tls13_HandleKEMKey(ss, peerShare, &kemSecret, &ciphertext); |
2665 | 0 | if (rv != SECSuccess) { |
2666 | 0 | goto loser; /* Error set by tls13_HandleKEMKey */ |
2667 | 0 | } |
2668 | | // We may need to handle different "combiners" here in the future. For |
2669 | | // now this is specific to xyber768d00. |
2670 | 0 | PORT_Assert(peerShare->group->name == ssl_grp_kem_xyber768d00); |
2671 | 0 | ss->ssl3.hs.dheSecret = PK11_ConcatSymKeys(dheSecret, kemSecret, CKM_HKDF_DERIVE, CKA_DERIVE); |
2672 | 0 | if (!ss->ssl3.hs.dheSecret) { |
2673 | 0 | goto loser; /* Error set by PK11_ConcatSymKeys */ |
2674 | 0 | } |
2675 | 0 | keyPair->kemCt = ciphertext; |
2676 | 0 | PK11_FreeSymKey(dheSecret); |
2677 | 0 | PK11_FreeSymKey(kemSecret); |
2678 | 739 | } else { |
2679 | 739 | ss->ssl3.hs.dheSecret = dheSecret; |
2680 | 739 | } |
2681 | | |
2682 | 739 | return SECSuccess; |
2683 | | |
2684 | 20 | loser: |
2685 | 20 | SECITEM_FreeItem(ciphertext, PR_TRUE); |
2686 | 20 | PK11_FreeSymKey(dheSecret); |
2687 | 20 | PK11_FreeSymKey(kemSecret); |
2688 | 20 | FATAL_ERROR(ss, PORT_GetError(), illegal_parameter); |
2689 | 20 | return SECFailure; |
2690 | 739 | } |
2691 | | |
2692 | | /* |
2693 | | * [draft-ietf-tls-tls13-11] Section 6.3.3.2 |
2694 | | * |
2695 | | * opaque DistinguishedName<1..2^16-1>; |
2696 | | * |
2697 | | * struct { |
2698 | | * opaque certificate_extension_oid<1..2^8-1>; |
2699 | | * opaque certificate_extension_values<0..2^16-1>; |
2700 | | * } CertificateExtension; |
2701 | | * |
2702 | | * struct { |
2703 | | * opaque certificate_request_context<0..2^8-1>; |
2704 | | * SignatureAndHashAlgorithm |
2705 | | * supported_signature_algorithms<2..2^16-2>; |
2706 | | * DistinguishedName certificate_authorities<0..2^16-1>; |
2707 | | * CertificateExtension certificate_extensions<0..2^16-1>; |
2708 | | * } CertificateRequest; |
2709 | | */ |
2710 | | static SECStatus |
2711 | | tls13_SendCertificateRequest(sslSocket *ss) |
2712 | 464 | { |
2713 | 464 | SECStatus rv; |
2714 | 464 | sslBuffer extensionBuf = SSL_BUFFER_EMPTY; |
2715 | 464 | unsigned int offset = 0; |
2716 | | |
2717 | 464 | SSL_TRC(3, ("%d: TLS13[%d]: begin send certificate_request", |
2718 | 464 | SSL_GETPID(), ss->fd)); |
2719 | | |
2720 | 464 | if (ss->firstHsDone) { |
2721 | 0 | PORT_Assert(ss->ssl3.hs.shaPostHandshake == NULL); |
2722 | 0 | ss->ssl3.hs.shaPostHandshake = PK11_CloneContext(ss->ssl3.hs.sha); |
2723 | 0 | if (ss->ssl3.hs.shaPostHandshake == NULL) { |
2724 | 0 | ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
2725 | 0 | return SECFailure; |
2726 | 0 | } |
2727 | 0 | } |
2728 | | |
2729 | 464 | rv = ssl_ConstructExtensions(ss, &extensionBuf, ssl_hs_certificate_request); |
2730 | 464 | if (rv != SECSuccess) { |
2731 | 0 | return SECFailure; /* Code already set. */ |
2732 | 0 | } |
2733 | | /* We should always have at least one of these. */ |
2734 | 464 | PORT_Assert(SSL_BUFFER_LEN(&extensionBuf) > 0); |
2735 | | |
2736 | | /* Create a new request context for post-handshake authentication */ |
2737 | 464 | if (ss->firstHsDone) { |
2738 | 0 | PRUint8 context[16]; |
2739 | 0 | SECItem contextItem = { siBuffer, context, sizeof(context) }; |
2740 | |
|
2741 | 0 | rv = PK11_GenerateRandom(context, sizeof(context)); |
2742 | 0 | if (rv != SECSuccess) { |
2743 | 0 | goto loser; |
2744 | 0 | } |
2745 | | |
2746 | 0 | SECITEM_FreeItem(&ss->xtnData.certReqContext, PR_FALSE); |
2747 | 0 | rv = SECITEM_CopyItem(NULL, &ss->xtnData.certReqContext, &contextItem); |
2748 | 0 | if (rv != SECSuccess) { |
2749 | 0 | FATAL_ERROR(ss, SEC_ERROR_NO_MEMORY, internal_error); |
2750 | 0 | goto loser; |
2751 | 0 | } |
2752 | | |
2753 | 0 | offset = SSL_BUFFER_LEN(&ss->sec.ci.sendBuf); |
2754 | 0 | } |
2755 | | |
2756 | 464 | rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_certificate_request, |
2757 | 464 | 1 + /* request context length */ |
2758 | 464 | ss->xtnData.certReqContext.len + |
2759 | 464 | 2 + /* extension length */ |
2760 | 464 | SSL_BUFFER_LEN(&extensionBuf)); |
2761 | 464 | if (rv != SECSuccess) { |
2762 | 0 | goto loser; /* err set by AppendHandshake. */ |
2763 | 0 | } |
2764 | | |
2765 | | /* Context. */ |
2766 | 464 | rv = ssl3_AppendHandshakeVariable(ss, ss->xtnData.certReqContext.data, |
2767 | 464 | ss->xtnData.certReqContext.len, 1); |
2768 | 464 | if (rv != SECSuccess) { |
2769 | 0 | goto loser; /* err set by AppendHandshake. */ |
2770 | 0 | } |
2771 | | /* Extensions. */ |
2772 | 464 | rv = ssl3_AppendBufferToHandshakeVariable(ss, &extensionBuf, 2); |
2773 | 464 | if (rv != SECSuccess) { |
2774 | 0 | goto loser; /* err set by AppendHandshake. */ |
2775 | 0 | } |
2776 | | |
2777 | 464 | if (ss->firstHsDone) { |
2778 | 0 | rv = ssl3_UpdatePostHandshakeHashes(ss, |
2779 | 0 | SSL_BUFFER_BASE(&ss->sec.ci.sendBuf) + offset, |
2780 | 0 | SSL_BUFFER_LEN(&ss->sec.ci.sendBuf) - offset); |
2781 | 0 | if (rv != SECSuccess) { |
2782 | 0 | goto loser; |
2783 | 0 | } |
2784 | 0 | } |
2785 | | |
2786 | 464 | sslBuffer_Clear(&extensionBuf); |
2787 | 464 | return SECSuccess; |
2788 | | |
2789 | 0 | loser: |
2790 | 0 | sslBuffer_Clear(&extensionBuf); |
2791 | 0 | return SECFailure; |
2792 | 464 | } |
2793 | | |
2794 | | /* [draft-ietf-tls-tls13; S 4.4.1] says: |
2795 | | * |
2796 | | * Transcript-Hash(ClientHello1, HelloRetryRequest, ... MN) = |
2797 | | * Hash(message_hash || // Handshake type |
2798 | | * 00 00 Hash.length || // Handshake message length |
2799 | | * Hash(ClientHello1) || // Hash of ClientHello1 |
2800 | | * HelloRetryRequest ... MN) |
2801 | | * |
2802 | | * For an ECH handshake, the process occurs for the outer |
2803 | | * transcript in |ss->ssl3.hs.messages| and the inner |
2804 | | * transcript in |ss->ssl3.hs.echInnerMessages|. |
2805 | | */ |
2806 | | static SECStatus |
2807 | | tls13_ReinjectHandshakeTranscript(sslSocket *ss) |
2808 | 1.16k | { |
2809 | 1.16k | SSL3Hashes hashes; |
2810 | 1.16k | SSL3Hashes echInnerHashes; |
2811 | 1.16k | SECStatus rv; |
2812 | | |
2813 | | /* First compute the hash. */ |
2814 | 1.16k | rv = tls13_ComputeHash(ss, &hashes, |
2815 | 1.16k | ss->ssl3.hs.messages.buf, |
2816 | 1.16k | ss->ssl3.hs.messages.len, |
2817 | 1.16k | tls13_GetHash(ss)); |
2818 | 1.16k | if (rv != SECSuccess) { |
2819 | 0 | return SECFailure; |
2820 | 0 | } |
2821 | | |
2822 | 1.16k | if (ss->ssl3.hs.echHpkeCtx) { |
2823 | 0 | rv = tls13_ComputeHash(ss, &echInnerHashes, |
2824 | 0 | ss->ssl3.hs.echInnerMessages.buf, |
2825 | 0 | ss->ssl3.hs.echInnerMessages.len, |
2826 | 0 | tls13_GetHash(ss)); |
2827 | 0 | if (rv != SECSuccess) { |
2828 | 0 | return SECFailure; |
2829 | 0 | } |
2830 | 0 | } |
2831 | | |
2832 | 1.16k | ssl3_RestartHandshakeHashes(ss); |
2833 | | |
2834 | | /* Reinject the message. The Default context variant updates |
2835 | | * the default hash state. Use it for both non-ECH and ECH Outer. */ |
2836 | 1.16k | rv = ssl_HashHandshakeMessageDefault(ss, ssl_hs_message_hash, |
2837 | 1.16k | hashes.u.raw, hashes.len); |
2838 | 1.16k | if (rv != SECSuccess) { |
2839 | 0 | return SECFailure; |
2840 | 0 | } |
2841 | | |
2842 | 1.16k | if (ss->ssl3.hs.echHpkeCtx) { |
2843 | 0 | rv = ssl_HashHandshakeMessageEchInner(ss, ssl_hs_message_hash, |
2844 | 0 | echInnerHashes.u.raw, |
2845 | 0 | echInnerHashes.len); |
2846 | 0 | if (rv != SECSuccess) { |
2847 | 0 | return SECFailure; |
2848 | 0 | } |
2849 | 0 | } |
2850 | | |
2851 | 1.16k | return SECSuccess; |
2852 | 1.16k | } |
2853 | | static unsigned int |
2854 | | ssl_ListCount(PRCList *list) |
2855 | 1.21k | { |
2856 | 1.21k | unsigned int c = 0; |
2857 | 1.21k | PRCList *cur; |
2858 | 4.81k | for (cur = PR_NEXT_LINK(list); cur != list; cur = PR_NEXT_LINK(cur)) { |
2859 | 3.60k | ++c; |
2860 | 3.60k | } |
2861 | 1.21k | return c; |
2862 | 1.21k | } |
2863 | | |
2864 | | /* |
2865 | | * savedMsg contains the HelloRetryRequest message. When its extensions are parsed |
2866 | | * in ssl3_HandleParsedExtensions, the handler for ECH HRR extensions (tls13_ClientHandleHrrEchXtn) |
2867 | | * will take a reference into the message buffer. |
2868 | | * |
2869 | | * This reference is then used in tls13_MaybeHandleEchSignal in order to compute |
2870 | | * the transcript for the ECH signal calculation. This was felt to be preferable |
2871 | | * to re-parsing the HelloRetryRequest message in order to create the transcript. |
2872 | | * |
2873 | | * Consequently, savedMsg should not be moved or mutated between these |
2874 | | * function calls. |
2875 | | */ |
2876 | | SECStatus |
2877 | | tls13_HandleHelloRetryRequest(sslSocket *ss, const PRUint8 *savedMsg, |
2878 | | PRUint32 savedLength) |
2879 | 1.21k | { |
2880 | 1.21k | SECStatus rv; |
2881 | | |
2882 | 1.21k | SSL_TRC(3, ("%d: TLS13[%d]: handle hello retry request", |
2883 | 1.21k | SSL_GETPID(), ss->fd)); |
2884 | | |
2885 | 1.21k | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
2886 | 1.21k | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
2887 | | |
2888 | 1.21k | if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3) { |
2889 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_UNEXPECTED_HELLO_RETRY_REQUEST, |
2890 | 0 | unexpected_message); |
2891 | 0 | return SECFailure; |
2892 | 0 | } |
2893 | 1.21k | PORT_Assert(ss->ssl3.hs.ws == wait_server_hello); |
2894 | | |
2895 | 1.21k | if (ss->ssl3.hs.zeroRttState == ssl_0rtt_sent) { |
2896 | 0 | ss->ssl3.hs.zeroRttState = ssl_0rtt_ignored; |
2897 | | /* Restore the null cipher spec for writing. */ |
2898 | 0 | ssl_GetSpecWriteLock(ss); |
2899 | 0 | ssl_CipherSpecRelease(ss->ssl3.cwSpec); |
2900 | 0 | ss->ssl3.cwSpec = ssl_FindCipherSpecByEpoch(ss, ssl_secret_write, |
2901 | 0 | TrafficKeyClearText); |
2902 | 0 | PORT_Assert(ss->ssl3.cwSpec); |
2903 | 0 | ssl_ReleaseSpecWriteLock(ss); |
2904 | 1.21k | } else { |
2905 | 1.21k | PORT_Assert(ss->ssl3.hs.zeroRttState == ssl_0rtt_none); |
2906 | 1.21k | } |
2907 | | /* Set the spec version, because we want to send CH now with 0303 */ |
2908 | 1.21k | tls13_SetSpecRecordVersion(ss, ss->ssl3.cwSpec); |
2909 | | |
2910 | | /* Extensions must contain more than just supported_versions. This will |
2911 | | * ensure that a HelloRetryRequest isn't a no-op: we must have at least two |
2912 | | * extensions, supported_versions plus one other. That other must be one |
2913 | | * that we understand and recognize as being valid for HelloRetryRequest, |
2914 | | * and should alter our next Client Hello. */ |
2915 | 1.21k | unsigned int requiredExtensions = 1; |
2916 | | /* The ECH HRR extension is a no-op from the client's perspective. */ |
2917 | 1.21k | if (ss->xtnData.ech) { |
2918 | 0 | requiredExtensions++; |
2919 | 0 | } |
2920 | 1.21k | if (ssl_ListCount(&ss->ssl3.hs.remoteExtensions) <= requiredExtensions) { |
2921 | 2 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST, |
2922 | 2 | decode_error); |
2923 | 2 | return SECFailure; |
2924 | 2 | } |
2925 | | |
2926 | 1.21k | rv = ssl3_HandleParsedExtensions(ss, ssl_hs_hello_retry_request); |
2927 | 1.21k | ssl3_DestroyRemoteExtensions(&ss->ssl3.hs.remoteExtensions); |
2928 | 1.21k | if (rv != SECSuccess) { |
2929 | 43 | return SECFailure; /* Error code set below */ |
2930 | 43 | } |
2931 | 1.16k | rv = tls13_MaybeHandleEchSignal(ss, savedMsg, savedLength, PR_TRUE); |
2932 | 1.16k | if (rv != SECSuccess) { |
2933 | 0 | return SECFailure; |
2934 | 0 | } |
2935 | 1.16k | ss->ssl3.hs.helloRetry = PR_TRUE; |
2936 | 1.16k | rv = tls13_ReinjectHandshakeTranscript(ss); |
2937 | 1.16k | if (rv != SECSuccess) { |
2938 | 0 | return rv; |
2939 | 0 | } |
2940 | | |
2941 | 1.16k | rv = ssl_HashHandshakeMessage(ss, ssl_hs_server_hello, |
2942 | 1.16k | savedMsg, savedLength); |
2943 | 1.16k | if (rv != SECSuccess) { |
2944 | 0 | return SECFailure; |
2945 | 0 | } |
2946 | | |
2947 | 1.16k | ssl_GetXmitBufLock(ss); |
2948 | 1.16k | if (ss->opt.enableTls13CompatMode && !IS_DTLS(ss) && |
2949 | 1.16k | ss->ssl3.hs.zeroRttState == ssl_0rtt_none) { |
2950 | 0 | rv = ssl3_SendChangeCipherSpecsInt(ss); |
2951 | 0 | if (rv != SECSuccess) { |
2952 | 0 | goto loser; |
2953 | 0 | } |
2954 | 0 | } |
2955 | | |
2956 | 1.16k | rv = ssl3_SendClientHello(ss, client_hello_retry); |
2957 | 1.16k | if (rv != SECSuccess) { |
2958 | 0 | goto loser; |
2959 | 0 | } |
2960 | | |
2961 | 1.16k | ssl_ReleaseXmitBufLock(ss); |
2962 | 1.16k | return SECSuccess; |
2963 | | |
2964 | 0 | loser: |
2965 | 0 | ssl_ReleaseXmitBufLock(ss); |
2966 | 0 | return SECFailure; |
2967 | 1.16k | } |
2968 | | |
2969 | | static SECStatus |
2970 | | tls13_SendPostHandshakeCertificate(sslSocket *ss) |
2971 | 0 | { |
2972 | 0 | SECStatus rv; |
2973 | 0 | if (ss->ssl3.hs.restartTarget) { |
2974 | 0 | PR_NOT_REACHED("unexpected ss->ssl3.hs.restartTarget"); |
2975 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
2976 | 0 | return SECFailure; |
2977 | 0 | } |
2978 | | |
2979 | 0 | if (ss->ssl3.hs.clientCertificatePending) { |
2980 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: deferring tls13_SendClientSecondFlight because" |
2981 | 0 | " certificate authentication is still pending.", |
2982 | 0 | SSL_GETPID(), ss->fd)); |
2983 | 0 | ss->ssl3.hs.restartTarget = tls13_SendPostHandshakeCertificate; |
2984 | 0 | PORT_SetError(PR_WOULD_BLOCK_ERROR); |
2985 | 0 | return SECFailure; |
2986 | 0 | } |
2987 | | |
2988 | 0 | ssl_GetXmitBufLock(ss); |
2989 | 0 | rv = tls13_SendClientSecondFlight(ss); |
2990 | 0 | ssl_ReleaseXmitBufLock(ss); |
2991 | 0 | PORT_Assert(ss->ssl3.hs.ws == idle_handshake); |
2992 | 0 | PORT_Assert(ss->ssl3.hs.shaPostHandshake != NULL); |
2993 | 0 | PK11_DestroyContext(ss->ssl3.hs.shaPostHandshake, PR_TRUE); |
2994 | 0 | ss->ssl3.hs.shaPostHandshake = NULL; |
2995 | 0 | if (rv != SECSuccess) { |
2996 | 0 | return SECFailure; |
2997 | 0 | } |
2998 | 0 | return rv; |
2999 | 0 | } |
3000 | | |
3001 | | static SECStatus |
3002 | | tls13_HandleCertificateRequest(sslSocket *ss, PRUint8 *b, PRUint32 length) |
3003 | 4 | { |
3004 | 4 | SECStatus rv; |
3005 | 4 | SECItem context = { siBuffer, NULL, 0 }; |
3006 | 4 | SECItem extensionsData = { siBuffer, NULL, 0 }; |
3007 | | |
3008 | 4 | SSL_TRC(3, ("%d: TLS13[%d]: handle certificate_request sequence", |
3009 | 4 | SSL_GETPID(), ss->fd)); |
3010 | | |
3011 | 4 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
3012 | 4 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
3013 | | |
3014 | | /* Client */ |
3015 | 4 | if (ss->opt.enablePostHandshakeAuth) { |
3016 | 0 | rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST, |
3017 | 0 | wait_cert_request, idle_handshake); |
3018 | 4 | } else { |
3019 | 4 | rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST, |
3020 | 4 | wait_cert_request); |
3021 | 4 | } |
3022 | 4 | if (rv != SECSuccess) { |
3023 | 4 | return SECFailure; |
3024 | 4 | } |
3025 | | |
3026 | | /* MUST NOT combine external PSKs with certificate authentication. */ |
3027 | 0 | if (ss->sec.authType == ssl_auth_psk) { |
3028 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST, unexpected_message); |
3029 | 0 | return SECFailure; |
3030 | 0 | } |
3031 | | |
3032 | 0 | if (tls13_IsPostHandshake(ss)) { |
3033 | 0 | PORT_Assert(ss->ssl3.hs.shaPostHandshake == NULL); |
3034 | 0 | ss->ssl3.hs.shaPostHandshake = PK11_CloneContext(ss->ssl3.hs.sha); |
3035 | 0 | if (ss->ssl3.hs.shaPostHandshake == NULL) { |
3036 | 0 | ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
3037 | 0 | return SECFailure; |
3038 | 0 | } |
3039 | 0 | rv = ssl_HashPostHandshakeMessage(ss, ssl_hs_certificate_request, b, length); |
3040 | 0 | if (rv != SECSuccess) { |
3041 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
3042 | 0 | return SECFailure; |
3043 | 0 | } |
3044 | | |
3045 | | /* clean up anything left from previous handshake. */ |
3046 | 0 | if (ss->ssl3.clientCertChain != NULL) { |
3047 | 0 | CERT_DestroyCertificateList(ss->ssl3.clientCertChain); |
3048 | 0 | ss->ssl3.clientCertChain = NULL; |
3049 | 0 | } |
3050 | 0 | if (ss->ssl3.clientCertificate != NULL) { |
3051 | 0 | CERT_DestroyCertificate(ss->ssl3.clientCertificate); |
3052 | 0 | ss->ssl3.clientCertificate = NULL; |
3053 | 0 | } |
3054 | 0 | if (ss->ssl3.clientPrivateKey != NULL) { |
3055 | 0 | SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
3056 | 0 | ss->ssl3.clientPrivateKey = NULL; |
3057 | 0 | } |
3058 | 0 | if (ss->ssl3.hs.clientAuthSignatureSchemes != NULL) { |
3059 | 0 | PORT_Free(ss->ssl3.hs.clientAuthSignatureSchemes); |
3060 | 0 | ss->ssl3.hs.clientAuthSignatureSchemes = NULL; |
3061 | 0 | ss->ssl3.hs.clientAuthSignatureSchemesLen = 0; |
3062 | 0 | } |
3063 | 0 | SECITEM_FreeItem(&ss->xtnData.certReqContext, PR_FALSE); |
3064 | 0 | ss->xtnData.certReqContext.data = NULL; |
3065 | 0 | } else { |
3066 | 0 | PORT_Assert(ss->ssl3.clientCertChain == NULL); |
3067 | 0 | PORT_Assert(ss->ssl3.clientCertificate == NULL); |
3068 | 0 | PORT_Assert(ss->ssl3.clientPrivateKey == NULL); |
3069 | 0 | PORT_Assert(ss->ssl3.hs.clientAuthSignatureSchemes == NULL); |
3070 | 0 | PORT_Assert(ss->ssl3.hs.clientAuthSignatureSchemesLen == 0); |
3071 | 0 | PORT_Assert(!ss->ssl3.hs.clientCertRequested); |
3072 | 0 | PORT_Assert(ss->xtnData.certReqContext.data == NULL); |
3073 | 0 | } |
3074 | | |
3075 | 0 | rv = ssl3_ConsumeHandshakeVariable(ss, &context, 1, &b, &length); |
3076 | 0 | if (rv != SECSuccess) { |
3077 | 0 | return SECFailure; |
3078 | 0 | } |
3079 | | |
3080 | | /* Unless it is a post-handshake client auth, the certificate |
3081 | | * request context must be empty. */ |
3082 | 0 | if (!tls13_IsPostHandshake(ss) && context.len > 0) { |
3083 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERT_REQUEST, illegal_parameter); |
3084 | 0 | return SECFailure; |
3085 | 0 | } |
3086 | | |
3087 | 0 | rv = ssl3_ConsumeHandshakeVariable(ss, &extensionsData, 2, &b, &length); |
3088 | 0 | if (rv != SECSuccess) { |
3089 | 0 | return SECFailure; |
3090 | 0 | } |
3091 | | |
3092 | 0 | if (length) { |
3093 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERT_REQUEST, decode_error); |
3094 | 0 | return SECFailure; |
3095 | 0 | } |
3096 | | |
3097 | | /* Process all the extensions. */ |
3098 | 0 | rv = ssl3_HandleExtensions(ss, &extensionsData.data, &extensionsData.len, |
3099 | 0 | ssl_hs_certificate_request); |
3100 | 0 | if (rv != SECSuccess) { |
3101 | 0 | return SECFailure; |
3102 | 0 | } |
3103 | | |
3104 | 0 | if (!ss->xtnData.numSigSchemes) { |
3105 | 0 | FATAL_ERROR(ss, SSL_ERROR_MISSING_SIGNATURE_ALGORITHMS_EXTENSION, |
3106 | 0 | missing_extension); |
3107 | 0 | return SECFailure; |
3108 | 0 | } |
3109 | | |
3110 | 0 | rv = SECITEM_CopyItem(NULL, &ss->xtnData.certReqContext, &context); |
3111 | 0 | if (rv != SECSuccess) { |
3112 | 0 | return SECFailure; |
3113 | 0 | } |
3114 | | |
3115 | 0 | ss->ssl3.hs.clientCertRequested = PR_TRUE; |
3116 | |
|
3117 | 0 | if (ss->firstHsDone) { |
3118 | | |
3119 | | /* Request a client certificate. */ |
3120 | 0 | rv = ssl3_BeginHandleCertificateRequest( |
3121 | 0 | ss, ss->xtnData.sigSchemes, ss->xtnData.numSigSchemes, |
3122 | 0 | &ss->xtnData.certReqAuthorities); |
3123 | 0 | if (rv != SECSuccess) { |
3124 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
3125 | 0 | return rv; |
3126 | 0 | } |
3127 | 0 | rv = tls13_SendPostHandshakeCertificate(ss); |
3128 | 0 | } else { |
3129 | 0 | TLS13_SET_HS_STATE(ss, wait_server_cert); |
3130 | 0 | } |
3131 | 0 | return SECSuccess; |
3132 | 0 | } |
3133 | | |
3134 | | PRBool |
3135 | | tls13_ShouldRequestClientAuth(sslSocket *ss) |
3136 | 1.76k | { |
3137 | | /* Even if we are configured to request a certificate, we can't |
3138 | | * if this handshake used a PSK, even when we are resuming. */ |
3139 | 1.76k | return ss->opt.requestCertificate && |
3140 | 1.76k | ss->ssl3.hs.kea_def->authKeyType != ssl_auth_psk; |
3141 | 1.76k | } |
3142 | | |
3143 | | static SECStatus |
3144 | | tls13_SendEncryptedServerSequence(sslSocket *ss) |
3145 | 739 | { |
3146 | 739 | SECStatus rv; |
3147 | | |
3148 | 739 | rv = tls13_ComputeHandshakeSecrets(ss); |
3149 | 739 | if (rv != SECSuccess) { |
3150 | 0 | return SECFailure; /* error code is set. */ |
3151 | 0 | } |
3152 | | |
3153 | 739 | rv = tls13_SetCipherSpec(ss, TrafficKeyHandshake, |
3154 | 739 | ssl_secret_write, PR_FALSE); |
3155 | 739 | if (rv != SECSuccess) { |
3156 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
3157 | 0 | return SECFailure; |
3158 | 0 | } |
3159 | | |
3160 | 739 | if (ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted) { |
3161 | 0 | rv = ssl3_RegisterExtensionSender(ss, &ss->xtnData, |
3162 | 0 | ssl_tls13_early_data_xtn, |
3163 | 0 | ssl_SendEmptyExtension); |
3164 | 0 | if (rv != SECSuccess) { |
3165 | 0 | return SECFailure; /* Error code set already. */ |
3166 | 0 | } |
3167 | 0 | } |
3168 | | |
3169 | 739 | rv = tls13_SendEncryptedExtensions(ss); |
3170 | 739 | if (rv != SECSuccess) { |
3171 | 0 | return SECFailure; /* error code is set. */ |
3172 | 0 | } |
3173 | | |
3174 | 739 | if (tls13_ShouldRequestClientAuth(ss)) { |
3175 | 464 | rv = tls13_SendCertificateRequest(ss); |
3176 | 464 | if (rv != SECSuccess) { |
3177 | 0 | return SECFailure; /* error code is set. */ |
3178 | 0 | } |
3179 | 464 | } |
3180 | 739 | if (ss->ssl3.hs.signatureScheme != ssl_sig_none) { |
3181 | 739 | SECKEYPrivateKey *svrPrivKey; |
3182 | | |
3183 | 739 | rv = tls13_SendCertificate(ss); |
3184 | 739 | if (rv != SECSuccess) { |
3185 | 0 | return SECFailure; /* error code is set. */ |
3186 | 0 | } |
3187 | | |
3188 | 739 | if (tls13_IsSigningWithDelegatedCredential(ss)) { |
3189 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: Signing with delegated credential", |
3190 | 0 | SSL_GETPID(), ss->fd)); |
3191 | 0 | svrPrivKey = ss->sec.serverCert->delegCredKeyPair->privKey; |
3192 | 739 | } else { |
3193 | 739 | svrPrivKey = ss->sec.serverCert->serverKeyPair->privKey; |
3194 | 739 | } |
3195 | | |
3196 | 739 | rv = tls13_SendCertificateVerify(ss, svrPrivKey); |
3197 | 739 | if (rv != SECSuccess) { |
3198 | 0 | return SECFailure; /* err code is set. */ |
3199 | 0 | } |
3200 | 739 | } |
3201 | | |
3202 | 739 | rv = tls13_SendFinished(ss, ss->ssl3.hs.serverHsTrafficSecret); |
3203 | 739 | if (rv != SECSuccess) { |
3204 | 0 | return SECFailure; /* error code is set. */ |
3205 | 0 | } |
3206 | | |
3207 | 739 | return SECSuccess; |
3208 | 739 | } |
3209 | | |
3210 | | /* Called from: ssl3_HandleClientHello */ |
3211 | | static SECStatus |
3212 | | tls13_SendServerHelloSequence(sslSocket *ss) |
3213 | 739 | { |
3214 | 739 | SECStatus rv; |
3215 | 739 | PRErrorCode err = 0; |
3216 | | |
3217 | 739 | SSL_TRC(3, ("%d: TLS13[%d]: begin send server_hello sequence", |
3218 | 739 | SSL_GETPID(), ss->fd)); |
3219 | | |
3220 | 739 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
3221 | 739 | PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
3222 | | |
3223 | 739 | rv = ssl3_RegisterExtensionSender(ss, &ss->xtnData, |
3224 | 739 | ssl_tls13_supported_versions_xtn, |
3225 | 739 | tls13_ServerSendSupportedVersionsXtn); |
3226 | 739 | if (rv != SECSuccess) { |
3227 | 0 | return SECFailure; |
3228 | 0 | } |
3229 | | |
3230 | 739 | rv = tls13_ComputeHandshakeSecret(ss); |
3231 | 739 | if (rv != SECSuccess) { |
3232 | 0 | return SECFailure; /* error code is set. */ |
3233 | 0 | } |
3234 | | |
3235 | 739 | rv = ssl3_SendServerHello(ss); |
3236 | 739 | if (rv != SECSuccess) { |
3237 | 0 | return rv; /* err code is set. */ |
3238 | 0 | } |
3239 | | |
3240 | 739 | if (ss->ssl3.hs.fakeSid.len) { |
3241 | 571 | PORT_Assert(!IS_DTLS(ss)); |
3242 | 571 | SECITEM_FreeItem(&ss->ssl3.hs.fakeSid, PR_FALSE); |
3243 | 571 | if (!ss->ssl3.hs.helloRetry) { |
3244 | 571 | rv = ssl3_SendChangeCipherSpecsInt(ss); |
3245 | 571 | if (rv != SECSuccess) { |
3246 | 0 | return rv; |
3247 | 0 | } |
3248 | 571 | } |
3249 | 571 | } |
3250 | | |
3251 | 739 | rv = tls13_SendEncryptedServerSequence(ss); |
3252 | 739 | if (rv != SECSuccess) { |
3253 | 0 | err = PORT_GetError(); |
3254 | 0 | } |
3255 | | /* Even if we get an error, since the ServerHello was successfully |
3256 | | * serialized, we should give it a chance to reach the network. This gives |
3257 | | * the client a chance to perform the key exchange and decrypt the alert |
3258 | | * we're about to send. */ |
3259 | 739 | rv |= ssl3_FlushHandshake(ss, 0); |
3260 | 739 | if (rv != SECSuccess) { |
3261 | 0 | if (err) { |
3262 | 0 | PORT_SetError(err); |
3263 | 0 | } |
3264 | 0 | return SECFailure; |
3265 | 0 | } |
3266 | | |
3267 | | /* Compute the rest of the secrets except for the resumption |
3268 | | * and exporter secret. */ |
3269 | 739 | rv = tls13_ComputeApplicationSecrets(ss); |
3270 | 739 | if (rv != SECSuccess) { |
3271 | 0 | LOG_ERROR(ss, PORT_GetError()); |
3272 | 0 | return SECFailure; |
3273 | 0 | } |
3274 | | |
3275 | 739 | rv = tls13_SetCipherSpec(ss, TrafficKeyApplicationData, |
3276 | 739 | ssl_secret_write, PR_FALSE); |
3277 | 739 | if (rv != SECSuccess) { |
3278 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
3279 | 0 | return SECFailure; |
3280 | 0 | } |
3281 | | |
3282 | 739 | if (IS_DTLS(ss)) { |
3283 | | /* We need this for reading ACKs. */ |
3284 | 0 | ssl_CipherSpecAddRef(ss->ssl3.crSpec); |
3285 | 0 | } |
3286 | 739 | if (ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted) { |
3287 | 0 | rv = tls13_SetCipherSpec(ss, TrafficKeyEarlyApplicationData, |
3288 | 0 | ssl_secret_read, PR_TRUE); |
3289 | 0 | if (rv != SECSuccess) { |
3290 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
3291 | 0 | return SECFailure; |
3292 | 0 | } |
3293 | 0 | TLS13_SET_HS_STATE(ss, wait_end_of_early_data); |
3294 | 739 | } else { |
3295 | 739 | PORT_Assert(ss->ssl3.hs.zeroRttState == ssl_0rtt_none || |
3296 | 739 | ss->ssl3.hs.zeroRttState == ssl_0rtt_ignored); |
3297 | | |
3298 | 739 | rv = tls13_SetCipherSpec(ss, |
3299 | 739 | TrafficKeyHandshake, |
3300 | 739 | ssl_secret_read, PR_FALSE); |
3301 | 739 | if (rv != SECSuccess) { |
3302 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
3303 | 0 | return SECFailure; |
3304 | 0 | } |
3305 | 739 | if (tls13_ShouldRequestClientAuth(ss)) { |
3306 | 464 | TLS13_SET_HS_STATE(ss, wait_client_cert); |
3307 | 464 | } else { |
3308 | 275 | TLS13_SET_HS_STATE(ss, wait_finished); |
3309 | 275 | } |
3310 | 739 | } |
3311 | | |
3312 | | /* Here we set a baseline value for our RTT estimation. |
3313 | | * This value is updated when we get a response from the client. */ |
3314 | 739 | ss->ssl3.hs.rttEstimate = ssl_Time(ss); |
3315 | 739 | return SECSuccess; |
3316 | 739 | } |
3317 | | |
3318 | | SECStatus |
3319 | | tls13_HandleServerHelloPart2(sslSocket *ss, const PRUint8 *savedMsg, PRUint32 savedLength) |
3320 | 1.12k | { |
3321 | 1.12k | SECStatus rv; |
3322 | 1.12k | sslSessionID *sid = ss->sec.ci.sid; |
3323 | 1.12k | SSL3Statistics *ssl3stats = SSL_GetStatistics(); |
3324 | | |
3325 | 1.12k | if (ssl3_ExtensionNegotiated(ss, ssl_tls13_pre_shared_key_xtn)) { |
3326 | 0 | PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks)); |
3327 | 0 | PORT_Assert(ss->xtnData.selectedPsk); |
3328 | |
|
3329 | 0 | if (ss->xtnData.selectedPsk->type != ssl_psk_resume) { |
3330 | 0 | ss->statelessResume = PR_FALSE; |
3331 | 0 | } |
3332 | 1.12k | } else { |
3333 | | /* We may have offered a PSK. If the server didn't negotiate |
3334 | | * it, clear this state to re-extract the Early Secret. */ |
3335 | 1.12k | if (ss->ssl3.hs.currentSecret) { |
3336 | | /* We might have dropped incompatible PSKs on HRR |
3337 | | * (see RFC8466, Section 4.1.4). */ |
3338 | 0 | PORT_Assert(ss->ssl3.hs.helloRetry || |
3339 | 0 | ssl3_ExtensionAdvertised(ss, ssl_tls13_pre_shared_key_xtn)); |
3340 | 0 | PK11_FreeSymKey(ss->ssl3.hs.currentSecret); |
3341 | 0 | ss->ssl3.hs.currentSecret = NULL; |
3342 | 0 | } |
3343 | 1.12k | ss->statelessResume = PR_FALSE; |
3344 | 1.12k | ss->xtnData.selectedPsk = NULL; |
3345 | 1.12k | } |
3346 | | |
3347 | 1.12k | if (ss->statelessResume) { |
3348 | 0 | PORT_Assert(sid->version >= SSL_LIBRARY_VERSION_TLS_1_3); |
3349 | 0 | if (tls13_GetHash(ss) != |
3350 | 0 | tls13_GetHashForCipherSuite(sid->u.ssl3.cipherSuite)) { |
3351 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_SERVER_HELLO, |
3352 | 0 | illegal_parameter); |
3353 | 0 | return SECFailure; |
3354 | 0 | } |
3355 | 0 | } |
3356 | | |
3357 | | /* Now create a synthetic kea_def that we can tweak. */ |
3358 | 1.12k | ss->ssl3.hs.kea_def_mutable = *ss->ssl3.hs.kea_def; |
3359 | 1.12k | ss->ssl3.hs.kea_def = &ss->ssl3.hs.kea_def_mutable; |
3360 | | |
3361 | 1.12k | if (ss->xtnData.selectedPsk) { |
3362 | 0 | ss->ssl3.hs.kea_def_mutable.authKeyType = ssl_auth_psk; |
3363 | 0 | if (ss->statelessResume) { |
3364 | 0 | tls13_RestoreCipherInfo(ss, sid); |
3365 | 0 | if (sid->peerCert) { |
3366 | 0 | ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); |
3367 | 0 | } |
3368 | |
|
3369 | 0 | SSL_AtomicIncrementLong(&ssl3stats->hsh_sid_cache_hits); |
3370 | 0 | SSL_AtomicIncrementLong(&ssl3stats->hsh_sid_stateless_resumes); |
3371 | 0 | } else { |
3372 | 0 | ss->sec.authType = ssl_auth_psk; |
3373 | 0 | } |
3374 | 1.12k | } else { |
3375 | 1.12k | if (ss->statelessResume && |
3376 | 1.12k | ssl3_ExtensionAdvertised(ss, ssl_tls13_pre_shared_key_xtn)) { |
3377 | 0 | SSL_AtomicIncrementLong(&ssl3stats->hsh_sid_cache_misses); |
3378 | 0 | } |
3379 | 1.12k | if (sid->cached == in_client_cache) { |
3380 | | /* If we tried to resume and failed, let's not try again. */ |
3381 | 0 | ssl_UncacheSessionID(ss); |
3382 | 0 | } |
3383 | 1.12k | } |
3384 | | |
3385 | | /* Discard current SID and make a new one, though it may eventually |
3386 | | * end up looking a lot like the old one. |
3387 | | */ |
3388 | 1.12k | ssl_FreeSID(sid); |
3389 | 1.12k | ss->sec.ci.sid = sid = ssl3_NewSessionID(ss, PR_FALSE); |
3390 | 1.12k | if (sid == NULL) { |
3391 | 0 | FATAL_ERROR(ss, PORT_GetError(), internal_error); |
3392 | 0 | return SECFailure; |
3393 | 0 | } |
3394 | 1.12k | if (ss->statelessResume) { |
3395 | 0 | PORT_Assert(ss->sec.peerCert); |
3396 | 0 | sid->peerCert = CERT_DupCertificate(ss->sec.peerCert); |
3397 | 0 | } |
3398 | 1.12k | sid->version = ss->version; |
3399 | | |
3400 | 1.12k | rv = tls13_HandleServerKeyShare(ss); |
3401 | 1.12k | if (rv != SECSuccess) { |
3402 | 185 | return SECFailure; |
3403 | 185 | } |
3404 | | |
3405 | 942 | rv = tls13_ComputeHandshakeSecret(ss); |
3406 | 942 | if (rv != SECSuccess) { |
3407 | 0 | return SECFailure; /* error code is set. */ |
3408 | 0 | } |
3409 | | |
3410 | 942 | rv = tls13_MaybeHandleEchSignal(ss, savedMsg, savedLength, PR_FALSE); |
3411 | 942 | if (rv != SECSuccess) { |
3412 | 0 | return SECFailure; /* error code is set. */ |
3413 | 0 | } |
3414 | | |
3415 | 942 | rv = tls13_ComputeHandshakeSecrets(ss); |
3416 | 942 | if (rv != SECSuccess) { |
3417 | 0 | return SECFailure; /* error code is set. */ |
3418 | 0 | } |
3419 | | |
3420 | 942 | if (ss->ssl3.hs.zeroRttState == ssl_0rtt_sent) { |
3421 | | /* When we send 0-RTT, we saved the null spec in case we needed it to |
3422 | | * send another ClientHello in response to a HelloRetryRequest. Now |
3423 | | * that we won't be receiving a HelloRetryRequest, release the spec. */ |
3424 | 0 | ssl_CipherSpecReleaseByEpoch(ss, ssl_secret_write, TrafficKeyClearText); |
3425 | 0 | } |
3426 | | |
3427 | 942 | rv = tls13_SetCipherSpec(ss, TrafficKeyHandshake, |
3428 | 942 | ssl_secret_read, PR_FALSE); |
3429 | 942 | if (rv != SECSuccess) { |
3430 | 0 | FATAL_ERROR(ss, SSL_ERROR_INIT_CIPHER_SUITE_FAILURE, internal_error); |
3431 | 0 | return SECFailure; |
3432 | 0 | } |
3433 | 942 | TLS13_SET_HS_STATE(ss, wait_encrypted_extensions); |
3434 | | |
3435 | 942 | return SECSuccess; |
3436 | 942 | } |
3437 | | |
3438 | | static void |
3439 | | tls13_SetKeyExchangeType(sslSocket *ss, const sslNamedGroupDef *group) |
3440 | 1.70k | { |
3441 | 1.70k | ss->sec.keaGroup = group; |
3442 | 1.70k | switch (group->keaType) { |
3443 | | /* Note: These overwrite on resumption.... so if you start with ECDH |
3444 | | * and resume with DH, we report DH. That's fine, since no answer |
3445 | | * is really right. */ |
3446 | 652 | case ssl_kea_ecdh: |
3447 | 652 | ss->ssl3.hs.kea_def_mutable.exchKeyType = |
3448 | 652 | ss->statelessResume ? ssl_kea_ecdh_psk : ssl_kea_ecdh; |
3449 | 652 | ss->sec.keaType = ssl_kea_ecdh; |
3450 | 652 | break; |
3451 | 0 | case ssl_kea_ecdh_hybrid: |
3452 | 0 | ss->ssl3.hs.kea_def_mutable.exchKeyType = |
3453 | 0 | ss->statelessResume ? ssl_kea_ecdh_hybrid_psk : ssl_kea_ecdh_hybrid; |
3454 | 0 | ss->sec.keaType = ssl_kea_ecdh_hybrid; |
3455 | 0 | break; |
3456 | 1.04k | case ssl_kea_dh: |
3457 | 1.04k | ss->ssl3.hs.kea_def_mutable.exchKeyType = |
3458 | 1.04k | ss->statelessResume ? ssl_kea_dh_psk : ssl_kea_dh; |
3459 | 1.04k | ss->sec.keaType = ssl_kea_dh; |
3460 | 1.04k | break; |
3461 | 0 | default: |
3462 | 0 | PORT_Assert(0); |
3463 | 1.70k | } |
3464 | 1.70k | } |
3465 | | |
3466 | | /* |
3467 | | * Called from ssl3_HandleServerHello. |
3468 | | * |
3469 | | * Caller must hold Handshake and RecvBuf locks. |
3470 | | */ |
3471 | | static SECStatus |
3472 | | tls13_HandleServerKeyShare(sslSocket *ss) |
3473 | 1.12k | { |
3474 | 1.12k | SECStatus rv; |
3475 | 1.12k | TLS13KeyShareEntry *entry; |
3476 | 1.12k | sslEphemeralKeyPair *keyPair; |
3477 | 1.12k | PK11SymKey *dheSecret = NULL; |
3478 | 1.12k | PK11SymKey *kemSecret = NULL; |
3479 | | |
3480 | 1.12k | SSL_TRC(3, ("%d: TLS13[%d]: handle server_key_share handshake", |
3481 | 1.12k | SSL_GETPID(), ss->fd)); |
3482 | 1.12k | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
3483 | 1.12k | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
3484 | | |
3485 | | /* This list should have one entry. */ |
3486 | 1.12k | if (PR_CLIST_IS_EMPTY(&ss->xtnData.remoteKeyShares)) { |
3487 | 21 | FATAL_ERROR(ss, SSL_ERROR_MISSING_KEY_SHARE, missing_extension); |
3488 | 21 | return SECFailure; |
3489 | 21 | } |
3490 | | |
3491 | 1.10k | entry = (TLS13KeyShareEntry *)PR_NEXT_LINK(&ss->xtnData.remoteKeyShares); |
3492 | 1.10k | PORT_Assert(PR_NEXT_LINK(&entry->link) == &ss->xtnData.remoteKeyShares); |
3493 | | |
3494 | | /* Now get our matching key. */ |
3495 | 1.10k | keyPair = ssl_LookupEphemeralKeyPair(ss, entry->group); |
3496 | 1.10k | if (!keyPair) { |
3497 | 7 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_KEY_SHARE, illegal_parameter); |
3498 | 7 | return SECFailure; |
3499 | 7 | } |
3500 | | |
3501 | 1.09k | PORT_Assert(ssl_NamedGroupEnabled(ss, entry->group)); |
3502 | | |
3503 | 1.09k | rv = tls13_HandleKeyShare(ss, entry, keyPair->keys, |
3504 | 1.09k | tls13_GetHash(ss), |
3505 | 1.09k | &dheSecret); |
3506 | 1.09k | if (rv != SECSuccess) { |
3507 | 157 | goto loser; /* Error code already set. */ |
3508 | 157 | } |
3509 | | |
3510 | 942 | if (entry->group->keaType == ssl_kea_ecdh_hybrid) { |
3511 | 0 | rv = tls13_HandleKEMCiphertext(ss, entry, keyPair->kemKeys, &kemSecret); |
3512 | 0 | if (rv != SECSuccess) { |
3513 | 0 | goto loser; /* Error set by tls13_HandleKEMCiphertext */ |
3514 | 0 | } |
3515 | | // We may need to handle different "combiners" here in the future. For |
3516 | | // now this is specific to xyber768d00. |
3517 | 0 | PORT_Assert(entry->group->name == ssl_grp_kem_xyber768d00); |
3518 | 0 | ss->ssl3.hs.dheSecret = PK11_ConcatSymKeys(dheSecret, kemSecret, CKM_HKDF_DERIVE, CKA_DERIVE); |
3519 | 0 | if (!ss->ssl3.hs.dheSecret) { |
3520 | 0 | goto loser; /* Error set by PK11_ConcatSymKeys */ |
3521 | 0 | } |
3522 | 0 | PK11_FreeSymKey(dheSecret); |
3523 | 0 | PK11_FreeSymKey(kemSecret); |
3524 | 942 | } else { |
3525 | 942 | ss->ssl3.hs.dheSecret = dheSecret; |
3526 | 942 | } |
3527 | | |
3528 | 942 | tls13_SetKeyExchangeType(ss, entry->group); |
3529 | 942 | ss->sec.keaKeyBits = SECKEY_PublicKeyStrengthInBits(keyPair->keys->pubKey); |
3530 | | |
3531 | 942 | return SECSuccess; |
3532 | | |
3533 | 157 | loser: |
3534 | 157 | PK11_FreeSymKey(dheSecret); |
3535 | 157 | PK11_FreeSymKey(kemSecret); |
3536 | 157 | FATAL_ERROR(ss, PORT_GetError(), illegal_parameter); |
3537 | 157 | return SECFailure; |
3538 | 942 | } |
3539 | | |
3540 | | static PRBool |
3541 | | tls13_FindCompressionAlgAndCheckIfSupportsEncoding(sslSocket *ss) |
3542 | 0 | { |
3543 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
3544 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
3545 | |
|
3546 | 0 | for (int j = 0; j < ss->ssl3.supportedCertCompressionAlgorithmsCount; j++) { |
3547 | 0 | if (ss->ssl3.supportedCertCompressionAlgorithms[j].id == ss->xtnData.compressionAlg) { |
3548 | 0 | if (ss->ssl3.supportedCertCompressionAlgorithms[j].encode != NULL) { |
3549 | 0 | return PR_TRUE; |
3550 | 0 | } |
3551 | 0 | return PR_FALSE; |
3552 | 0 | } |
3553 | 0 | } |
3554 | | |
3555 | 0 | return PR_FALSE; |
3556 | 0 | } |
3557 | | |
3558 | | static SECStatus |
3559 | | tls13_FindCompressionAlgAndEncodeCertificate( |
3560 | | sslSocket *ss, SECItem *certificateToEncode, SECItem *encodedCertificate) |
3561 | 0 | { |
3562 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
3563 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
3564 | |
|
3565 | 0 | SECStatus rv = SECFailure; |
3566 | 0 | for (int j = 0; j < ss->ssl3.supportedCertCompressionAlgorithmsCount; j++) { |
3567 | 0 | if (ss->ssl3.supportedCertCompressionAlgorithms[j].id == ss->xtnData.compressionAlg && |
3568 | 0 | ss->ssl3.supportedCertCompressionAlgorithms[j].encode != NULL) { |
3569 | 0 | rv = ss->ssl3.supportedCertCompressionAlgorithms[j].encode( |
3570 | 0 | certificateToEncode, encodedCertificate); |
3571 | 0 | return rv; |
3572 | 0 | } |
3573 | 0 | } |
3574 | | |
3575 | 0 | PORT_SetError(SEC_ERROR_CERTIFICATE_COMPRESSION_ALGORITHM_NOT_SUPPORTED); |
3576 | 0 | return SECFailure; |
3577 | 0 | } |
3578 | | |
3579 | | static SECStatus |
3580 | | tls13_SendCompressedCertificate(sslSocket *ss, sslBuffer *bufferCertificate) |
3581 | 0 | { |
3582 | | /* TLS Certificate Compression. RFC 8879 */ |
3583 | | /* As the encoding function takes as input a SECItem, |
3584 | | * we convert bufferCertificate to certificateToEncode. |
3585 | | * |
3586 | | * encodedCertificate is used to store the certificate |
3587 | | * after encoding. |
3588 | | */ |
3589 | 0 | SECItem encodedCertificate = { siBuffer, NULL, 0 }; |
3590 | 0 | SECItem certificateToEncode = { siBuffer, NULL, 0 }; |
3591 | 0 | SECStatus rv = SECFailure; |
3592 | |
|
3593 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
3594 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
3595 | |
|
3596 | 0 | SSL_TRC(30, ("%d: TLS13[%d]: %s is encoding the certificate using the %s compression algorithm", |
3597 | 0 | SSL_GETPID(), ss->fd, SSL_ROLE(ss), |
3598 | 0 | ssl3_mapCertificateCompressionAlgorithmToName(ss, ss->xtnData.compressionAlg))); |
3599 | |
|
3600 | 0 | PRINT_BUF(50, (NULL, "The certificate before encoding:", |
3601 | 0 | bufferCertificate->buf, bufferCertificate->len)); |
3602 | |
|
3603 | 0 | PRUint32 lengthUnencodedMessage = bufferCertificate->len; |
3604 | 0 | rv = ssl3_CopyToSECItem(bufferCertificate, &certificateToEncode); |
3605 | 0 | if (rv != SECSuccess) { |
3606 | 0 | SSL_TRC(50, ("%d: TLS13[%d]: %s has failed encoding the certificate.", |
3607 | 0 | SSL_GETPID(), ss->fd, SSL_ROLE(ss))); |
3608 | 0 | goto loser; /* Code already set. */ |
3609 | 0 | } |
3610 | | |
3611 | 0 | rv = tls13_FindCompressionAlgAndEncodeCertificate(ss, &certificateToEncode, |
3612 | 0 | &encodedCertificate); |
3613 | 0 | if (rv != SECSuccess) { |
3614 | 0 | SSL_TRC(50, ("%d: TLS13[%d]: %s has failed encoding the certificate.", |
3615 | 0 | SSL_GETPID(), ss->fd, SSL_ROLE(ss))); |
3616 | 0 | PORT_SetError(SEC_ERROR_NO_MEMORY); |
3617 | 0 | goto loser; /* Code already set. */ |
3618 | 0 | } |
3619 | | |
3620 | | /* The CompressedCertificate message is formed as follows: |
3621 | | * struct { |
3622 | | * CertificateCompressionAlgorithm algorithm; |
3623 | | * uint24 uncompressed_length; |
3624 | | * opaque compressed_certificate_message<1..2^24-1>; |
3625 | | * } CompressedCertificate; |
3626 | | */ |
3627 | | |
3628 | 0 | if (encodedCertificate.len < 1) { |
3629 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
3630 | 0 | goto loser; |
3631 | 0 | } |
3632 | | |
3633 | 0 | rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_compressed_certificate, |
3634 | 0 | encodedCertificate.len + 2 + 3 + 3); |
3635 | 0 | if (rv != SECSuccess) { |
3636 | 0 | goto loser; /* err set by AppendHandshake. */ |
3637 | 0 | } |
3638 | | |
3639 | 0 | rv = ssl3_AppendHandshakeNumber(ss, ss->xtnData.compressionAlg, 2); |
3640 | 0 | if (rv != SECSuccess) { |
3641 | 0 | goto loser; /* err set by AppendHandshake. */ |
3642 | 0 | } |
3643 | | |
3644 | 0 | rv = ssl3_AppendHandshakeNumber(ss, lengthUnencodedMessage, 3); |
3645 | 0 | if (rv != SECSuccess) { |
3646 | 0 | goto loser; /* err set by AppendHandshake. */ |
3647 | 0 | } |
3648 | | |
3649 | 0 | PRINT_BUF(30, (NULL, "The encoded certificate: ", |
3650 | 0 | encodedCertificate.data, encodedCertificate.len)); |
3651 | |
|
3652 | 0 | rv = ssl3_AppendHandshakeVariable(ss, encodedCertificate.data, encodedCertificate.len, 3); |
3653 | 0 | if (rv != SECSuccess) { |
3654 | 0 | goto loser; /* err set by AppendHandshake. */ |
3655 | 0 | } |
3656 | | |
3657 | 0 | SECITEM_FreeItem(&certificateToEncode, PR_FALSE); |
3658 | 0 | SECITEM_FreeItem(&encodedCertificate, PR_FALSE); |
3659 | 0 | return SECSuccess; |
3660 | | |
3661 | 0 | loser: |
3662 | 0 | SECITEM_FreeItem(&certificateToEncode, PR_FALSE); |
3663 | 0 | SECITEM_FreeItem(&encodedCertificate, PR_FALSE); |
3664 | 0 | return SECFailure; |
3665 | 0 | } |
3666 | | |
3667 | | /* |
3668 | | * opaque ASN1Cert<1..2^24-1>; |
3669 | | * |
3670 | | * struct { |
3671 | | * ASN1Cert cert_data; |
3672 | | * Extension extensions<0..2^16-1>; |
3673 | | * } CertificateEntry; |
3674 | | * |
3675 | | * struct { |
3676 | | * opaque certificate_request_context<0..2^8-1>; |
3677 | | * CertificateEntry certificate_list<0..2^24-1>; |
3678 | | * } Certificate; |
3679 | | */ |
3680 | | static SECStatus |
3681 | | tls13_SendCertificate(sslSocket *ss) |
3682 | 739 | { |
3683 | 739 | SECStatus rv; |
3684 | 739 | CERTCertificateList *certChain; |
3685 | 739 | int certChainLen = 0; |
3686 | 739 | int i; |
3687 | 739 | SECItem context = { siBuffer, NULL, 0 }; |
3688 | 739 | sslBuffer extensionBuf = SSL_BUFFER_EMPTY; |
3689 | 739 | sslBuffer bufferCertificate = SSL_BUFFER_EMPTY; |
3690 | | |
3691 | 739 | SSL_TRC(3, ("%d: TLS1.3[%d]: send certificate handshake", |
3692 | 739 | SSL_GETPID(), ss->fd)); |
3693 | | |
3694 | 739 | PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
3695 | 739 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
3696 | | |
3697 | 739 | if (ss->sec.isServer) { |
3698 | 739 | PORT_Assert(!ss->sec.localCert); |
3699 | | /* A server certificate is selected in tls13_SelectServerCert(). */ |
3700 | 739 | PORT_Assert(ss->sec.serverCert); |
3701 | | |
3702 | 739 | certChain = ss->sec.serverCert->serverCertChain; |
3703 | 739 | ss->sec.localCert = CERT_DupCertificate(ss->sec.serverCert->serverCert); |
3704 | 739 | } else { |
3705 | 0 | if (ss->sec.localCert) |
3706 | 0 | CERT_DestroyCertificate(ss->sec.localCert); |
3707 | |
|
3708 | 0 | certChain = ss->ssl3.clientCertChain; |
3709 | 0 | ss->sec.localCert = CERT_DupCertificate(ss->ssl3.clientCertificate); |
3710 | 0 | } |
3711 | | |
3712 | 739 | if (!ss->sec.isServer) { |
3713 | 0 | PORT_Assert(ss->ssl3.hs.clientCertRequested); |
3714 | 0 | context = ss->xtnData.certReqContext; |
3715 | 0 | } |
3716 | | |
3717 | 739 | if (certChain) { |
3718 | 1.47k | for (i = 0; i < certChain->len; i++) { |
3719 | | /* Each cert is 3 octet length, cert, and extensions */ |
3720 | 739 | certChainLen += 3 + certChain->certs[i].len + 2; |
3721 | 739 | } |
3722 | | |
3723 | | /* Build the extensions. This only applies to the leaf cert, because we |
3724 | | * don't yet send extensions for non-leaf certs. */ |
3725 | 739 | rv = ssl_ConstructExtensions(ss, &extensionBuf, ssl_hs_certificate); |
3726 | 739 | if (rv != SECSuccess) { |
3727 | 0 | return SECFailure; /* code already set */ |
3728 | 0 | } |
3729 | | /* extensionBuf.len is only added once, for the leaf cert. */ |
3730 | 739 | certChainLen += SSL_BUFFER_LEN(&extensionBuf); |
3731 | 739 | } |
3732 | | |
3733 | 739 | rv = sslBuffer_AppendVariable(&bufferCertificate, context.data, context.len, 1); |
3734 | 739 | if (rv != SECSuccess) { |
3735 | 0 | goto loser; /* Code already set. */ |
3736 | 0 | } |
3737 | | |
3738 | 739 | rv = sslBuffer_AppendNumber(&bufferCertificate, certChainLen, 3); |
3739 | 739 | if (rv != SECSuccess) { |
3740 | 0 | goto loser; /* Code already set. */ |
3741 | 0 | } |
3742 | | |
3743 | 739 | if (certChain) { |
3744 | 1.47k | for (i = 0; i < certChain->len; i++) { |
3745 | 739 | rv = sslBuffer_AppendVariable(&bufferCertificate, certChain->certs[i].data, |
3746 | 739 | certChain->certs[i].len, 3); |
3747 | 739 | if (rv != SECSuccess) { |
3748 | 0 | goto loser; /* Code already set. */ |
3749 | 0 | } |
3750 | | |
3751 | 739 | if (i) { |
3752 | | /* Not end-entity. */ |
3753 | 0 | rv = sslBuffer_AppendNumber(&bufferCertificate, 0, 2); |
3754 | 0 | if (rv != SECSuccess) { |
3755 | 0 | goto loser; /* Code already set. */ |
3756 | 0 | } |
3757 | 0 | continue; |
3758 | 0 | } |
3759 | | |
3760 | 739 | rv = sslBuffer_AppendBufferVariable(&bufferCertificate, &extensionBuf, 2); |
3761 | 739 | if (rv != SECSuccess) { |
3762 | 0 | goto loser; /* Code already set. */ |
3763 | 0 | } |
3764 | 739 | } |
3765 | 739 | } |
3766 | | |
3767 | | /* If no compression mechanism was established or |
3768 | | * the compression mechanism supports only decoding, |
3769 | | * we continue as before. */ |
3770 | 739 | if (ss->xtnData.compressionAlg == 0 || !tls13_FindCompressionAlgAndCheckIfSupportsEncoding(ss)) { |
3771 | 739 | rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_certificate, |
3772 | 739 | 1 + context.len + 3 + certChainLen); |
3773 | 739 | if (rv != SECSuccess) { |
3774 | 0 | goto loser; /* err set by AppendHandshake. */ |
3775 | 0 | } |
3776 | 739 | rv = ssl3_AppendBufferToHandshake(ss, &bufferCertificate); |
3777 | 739 | if (rv != SECSuccess) { |
3778 | 0 | goto loser; /* err set by AppendHandshake. */ |
3779 | 0 | } |
3780 | 739 | } else { |
3781 | 0 | rv = tls13_SendCompressedCertificate(ss, &bufferCertificate); |
3782 | 0 | if (rv != SECSuccess) { |
3783 | 0 | goto loser; /* err set by tls13_SendCompressedCertificate. */ |
3784 | 0 | } |
3785 | 0 | } |
3786 | | |
3787 | 739 | sslBuffer_Clear(&bufferCertificate); |
3788 | 739 | sslBuffer_Clear(&extensionBuf); |
3789 | 739 | return SECSuccess; |
3790 | | |
3791 | 0 | loser: |
3792 | 0 | sslBuffer_Clear(&bufferCertificate); |
3793 | 0 | sslBuffer_Clear(&extensionBuf); |
3794 | 0 | return SECFailure; |
3795 | 739 | } |
3796 | | |
3797 | | static SECStatus |
3798 | | tls13_HandleCertificateEntry(sslSocket *ss, SECItem *data, PRBool first, |
3799 | | CERTCertificate **certp) |
3800 | 0 | { |
3801 | 0 | SECStatus rv; |
3802 | 0 | SECItem certData; |
3803 | 0 | SECItem extensionsData; |
3804 | 0 | CERTCertificate *cert = NULL; |
3805 | |
|
3806 | 0 | rv = ssl3_ConsumeHandshakeVariable(ss, &certData, |
3807 | 0 | 3, &data->data, &data->len); |
3808 | 0 | if (rv != SECSuccess) { |
3809 | 0 | return SECFailure; |
3810 | 0 | } |
3811 | | |
3812 | 0 | rv = ssl3_ConsumeHandshakeVariable(ss, &extensionsData, |
3813 | 0 | 2, &data->data, &data->len); |
3814 | 0 | if (rv != SECSuccess) { |
3815 | 0 | return SECFailure; |
3816 | 0 | } |
3817 | | |
3818 | | /* Parse all the extensions. */ |
3819 | 0 | if (first && !ss->sec.isServer) { |
3820 | 0 | rv = ssl3_HandleExtensions(ss, &extensionsData.data, |
3821 | 0 | &extensionsData.len, |
3822 | 0 | ssl_hs_certificate); |
3823 | 0 | if (rv != SECSuccess) { |
3824 | 0 | return SECFailure; |
3825 | 0 | } |
3826 | | /* TODO(ekr@rtfm.com): Copy out SCTs. Bug 1315727. */ |
3827 | 0 | } |
3828 | | |
3829 | 0 | cert = CERT_NewTempCertificate(ss->dbHandle, &certData, NULL, |
3830 | 0 | PR_FALSE, PR_TRUE); |
3831 | |
|
3832 | 0 | if (!cert) { |
3833 | 0 | PRErrorCode errCode = PORT_GetError(); |
3834 | 0 | switch (errCode) { |
3835 | 0 | case PR_OUT_OF_MEMORY_ERROR: |
3836 | 0 | case SEC_ERROR_BAD_DATABASE: |
3837 | 0 | case SEC_ERROR_NO_MEMORY: |
3838 | 0 | FATAL_ERROR(ss, errCode, internal_error); |
3839 | 0 | return SECFailure; |
3840 | 0 | default: |
3841 | 0 | ssl3_SendAlertForCertError(ss, errCode); |
3842 | 0 | return SECFailure; |
3843 | 0 | } |
3844 | 0 | } |
3845 | | |
3846 | 0 | *certp = cert; |
3847 | |
|
3848 | 0 | return SECSuccess; |
3849 | 0 | } |
3850 | | |
3851 | | static SECStatus |
3852 | | tls13_EnsureCerticateExpected(sslSocket *ss) |
3853 | 34 | { |
3854 | 34 | SECStatus rv = SECFailure; |
3855 | 34 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
3856 | 34 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
3857 | | |
3858 | 34 | if (ss->sec.isServer) { |
3859 | | /* Receiving this message might be the first sign we have that |
3860 | | * early data is over, so pretend we received EOED. */ |
3861 | 32 | rv = tls13_MaybeHandleSuppressedEndOfEarlyData(ss); |
3862 | 32 | if (rv != SECSuccess) { |
3863 | 0 | return SECFailure; /* Code already set. */ |
3864 | 0 | } |
3865 | | |
3866 | 32 | if (ss->ssl3.clientCertRequested) { |
3867 | 0 | rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERTIFICATE, |
3868 | 0 | idle_handshake); |
3869 | 32 | } else { |
3870 | 32 | rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERTIFICATE, |
3871 | 32 | wait_client_cert); |
3872 | 32 | } |
3873 | 32 | } else { |
3874 | 2 | rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERTIFICATE, |
3875 | 2 | wait_cert_request, wait_server_cert); |
3876 | 2 | } |
3877 | 34 | return rv; |
3878 | 34 | } |
3879 | | |
3880 | | /* RFC 8879 TLS Certificate Compression |
3881 | | * struct { |
3882 | | * CertificateCompressionAlgorithm algorithm; |
3883 | | * uint24 uncompressed_length; |
3884 | | * opaque compressed_certificate_message<1..2^24-1>; |
3885 | | * } CompressedCertificate; |
3886 | | */ |
3887 | | static SECStatus |
3888 | | tls13_HandleCertificateDecode(sslSocket *ss, PRUint8 *b, PRUint32 length) |
3889 | 4 | { |
3890 | 4 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
3891 | 4 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
3892 | | |
3893 | 4 | SECStatus rv = SECFailure; |
3894 | | |
3895 | 4 | if (!ss->xtnData.certificateCompressionAdvertised) { |
3896 | 4 | FATAL_ERROR(ss, SEC_ERROR_UNEXPECTED_COMPRESSED_CERTIFICATE, decode_error); |
3897 | 4 | return SECFailure; |
3898 | 4 | } |
3899 | | |
3900 | 0 | rv = tls13_EnsureCerticateExpected(ss); |
3901 | 0 | if (rv != SECSuccess) { |
3902 | 0 | return SECFailure; /* Code already set. */ |
3903 | 0 | } |
3904 | | |
3905 | 0 | if (ss->firstHsDone) { |
3906 | 0 | rv = ssl_HashPostHandshakeMessage(ss, ssl_hs_compressed_certificate, b, length); |
3907 | 0 | if (rv != SECSuccess) { |
3908 | 0 | return rv; |
3909 | 0 | } |
3910 | 0 | } |
3911 | | |
3912 | 0 | SSL_TRC(30, ("%d: TLS1.3[%d]: %s handles certificate compression handshake", |
3913 | 0 | SSL_GETPID(), ss->fd, SSL_ROLE(ss))); |
3914 | |
|
3915 | 0 | PRINT_BUF(50, (NULL, "The certificate before decoding:", b, length)); |
3916 | | /* Reading CertificateCompressionAlgorithm. */ |
3917 | 0 | PRUint32 compressionAlg = 0; |
3918 | 0 | rv = ssl3_ConsumeHandshakeNumber(ss, &compressionAlg, 2, &b, &length); |
3919 | 0 | if (rv != SECSuccess) { |
3920 | 0 | return SECFailure; /* Alert already sent. */ |
3921 | 0 | } |
3922 | | |
3923 | 0 | PRBool compressionAlgorithmIsSupported = PR_FALSE; |
3924 | 0 | SECStatus (*certificateDecodingFunc)(const SECItem *, SECItem *, size_t) = NULL; |
3925 | 0 | for (int i = 0; i < ss->ssl3.supportedCertCompressionAlgorithmsCount; i++) { |
3926 | 0 | if (ss->ssl3.supportedCertCompressionAlgorithms[i].id == compressionAlg) { |
3927 | 0 | compressionAlgorithmIsSupported = PR_TRUE; |
3928 | 0 | certificateDecodingFunc = ss->ssl3.supportedCertCompressionAlgorithms[i].decode; |
3929 | 0 | } |
3930 | 0 | } |
3931 | | |
3932 | | /* Peer selected a compression algorithm we do not support (and did not advertise). */ |
3933 | 0 | if (!compressionAlgorithmIsSupported) { |
3934 | 0 | PORT_SetError(SEC_ERROR_CERTIFICATE_COMPRESSION_ALGORITHM_NOT_SUPPORTED); |
3935 | 0 | FATAL_ERROR(ss, PORT_GetError(), illegal_parameter); |
3936 | 0 | return SECFailure; |
3937 | 0 | } |
3938 | | |
3939 | | /* The algorithm does not support decoding. */ |
3940 | 0 | if (certificateDecodingFunc == NULL) { |
3941 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
3942 | 0 | FATAL_ERROR(ss, PORT_GetError(), illegal_parameter); |
3943 | 0 | return SECFailure; |
3944 | 0 | } |
3945 | | |
3946 | 0 | SSL_TRC(30, ("%d: TLS13[%d]: %s is decoding the certificate using the %s compression algorithm", |
3947 | 0 | SSL_GETPID(), ss->fd, SSL_ROLE(ss), |
3948 | 0 | ssl3_mapCertificateCompressionAlgorithmToName(ss, compressionAlg))); |
3949 | 0 | PRUint32 decodedCertificateLen = 0; |
3950 | 0 | rv = ssl3_ConsumeHandshakeNumber(ss, &decodedCertificateLen, 3, &b, &length); |
3951 | 0 | if (rv != SECSuccess) { |
3952 | 0 | return SECFailure; /* alert has been sent */ |
3953 | 0 | } |
3954 | | |
3955 | | /* If the received CompressedCertificate message cannot be decompressed, |
3956 | | * he connection MUST be terminated with the "bad_certificate" alert. |
3957 | | */ |
3958 | 0 | if (decodedCertificateLen == 0) { |
3959 | 0 | SSL_TRC(50, ("%d: TLS13[%d]: %s decoded certificate length is incorrect", |
3960 | 0 | SSL_GETPID(), ss->fd, SSL_ROLE(ss), |
3961 | 0 | ssl3_mapCertificateCompressionAlgorithmToName(ss, compressionAlg))); |
3962 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE, bad_certificate); |
3963 | 0 | return SECFailure; |
3964 | 0 | } |
3965 | | |
3966 | | /* opaque compressed_certificate_message<1..2^24-1>; */ |
3967 | 0 | PRUint32 compressedCertificateMessageLen = 0; |
3968 | 0 | rv = ssl3_ConsumeHandshakeNumber(ss, &compressedCertificateMessageLen, 3, &b, &length); |
3969 | 0 | if (rv != SECSuccess) { |
3970 | 0 | return SECFailure; /* alert has been sent */ |
3971 | 0 | } |
3972 | | |
3973 | 0 | if (compressedCertificateMessageLen == 0 || compressedCertificateMessageLen != length) { |
3974 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE, bad_certificate); |
3975 | 0 | return SECFailure; |
3976 | 0 | } |
3977 | | |
3978 | | /* Decoding received certificate. */ |
3979 | 0 | SECItem decodedCertificate = { siBuffer, NULL, 0 }; |
3980 | 0 | if (!SECITEM_AllocItem(NULL, &decodedCertificate, decodedCertificateLen)) { |
3981 | 0 | FATAL_ERROR(ss, SEC_ERROR_NO_MEMORY, internal_error); |
3982 | 0 | return SECFailure; |
3983 | 0 | } |
3984 | | |
3985 | 0 | SECItem encodedCertAsSecItem = { siBuffer, b, compressedCertificateMessageLen }; |
3986 | 0 | rv = certificateDecodingFunc(&encodedCertAsSecItem, &decodedCertificate, decodedCertificateLen); |
3987 | |
|
3988 | 0 | if (rv != SECSuccess) { |
3989 | 0 | SSL_TRC(50, ("%d: TLS13[%d]: %s decoding of the certificate has failed", |
3990 | 0 | SSL_GETPID(), ss->fd, SSL_ROLE(ss), |
3991 | 0 | ssl3_mapCertificateCompressionAlgorithmToName(ss, compressionAlg))); |
3992 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE, bad_certificate); |
3993 | 0 | goto loser; |
3994 | 0 | } |
3995 | 0 | PRINT_BUF(60, (ss, "consume bytes:", b, compressedCertificateMessageLen)); |
3996 | 0 | *b += compressedCertificateMessageLen; |
3997 | 0 | length -= compressedCertificateMessageLen; |
3998 | | |
3999 | | /* If, after decompression, the specified length does not match the actual length, |
4000 | | * the party receiving the invalid message MUST abort the connection |
4001 | | * with the "bad_certificate" alert. |
4002 | | */ |
4003 | 0 | if (decodedCertificateLen != decodedCertificate.len) { |
4004 | 0 | SSL_TRC(50, ("%d: TLS13[%d]: %s certificate length does not correspond to extension length", |
4005 | 0 | SSL_GETPID(), ss->fd, SSL_ROLE(ss), |
4006 | 0 | ssl3_mapCertificateCompressionAlgorithmToName(ss, compressionAlg))); |
4007 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE, bad_certificate); |
4008 | 0 | goto loser; |
4009 | 0 | } |
4010 | | |
4011 | 0 | PRINT_BUF(50, (NULL, "Decoded certificate", |
4012 | 0 | decodedCertificate.data, decodedCertificate.len)); |
4013 | | |
4014 | | /* compressed_certificate_message: The result of applying the indicated |
4015 | | * compression algorithm to the encoded Certificate message that |
4016 | | * would have been sent if certificate compression was not in use. |
4017 | | * |
4018 | | * After decompression, the Certificate message MUST be processed as if |
4019 | | * it were encoded without being compressed. This way, the parsing and |
4020 | | * the verification have the same security properties as they would have |
4021 | | * in TLS normally. |
4022 | | */ |
4023 | 0 | rv = tls13_HandleCertificate(ss, decodedCertificate.data, decodedCertificate.len, PR_TRUE); |
4024 | 0 | if (rv != SECSuccess) { |
4025 | 0 | goto loser; |
4026 | 0 | } |
4027 | | /* We allow only one compressed certificate to be handled after each |
4028 | | certificate compression advertisement. |
4029 | | See test CertificateCompression_TwoEncodedCertificateRequests. */ |
4030 | 0 | ss->xtnData.certificateCompressionAdvertised = PR_FALSE; |
4031 | 0 | SECITEM_FreeItem(&decodedCertificate, PR_FALSE); |
4032 | 0 | return SECSuccess; |
4033 | | |
4034 | 0 | loser: |
4035 | 0 | SECITEM_FreeItem(&decodedCertificate, PR_FALSE); |
4036 | 0 | return SECFailure; |
4037 | 0 | } |
4038 | | |
4039 | | /* Called from tls13_CompleteHandleHandshakeMessage() when it has deciphered a complete |
4040 | | * tls13 Certificate message. |
4041 | | * Caller must hold Handshake and RecvBuf locks. |
4042 | | */ |
4043 | | static SECStatus |
4044 | | tls13_HandleCertificate(sslSocket *ss, PRUint8 *b, PRUint32 length, PRBool alreadyHashed) |
4045 | 34 | { |
4046 | 34 | SECStatus rv; |
4047 | 34 | SECItem context = { siBuffer, NULL, 0 }; |
4048 | 34 | SECItem certList; |
4049 | 34 | PRBool first = PR_TRUE; |
4050 | 34 | ssl3CertNode *lastCert = NULL; |
4051 | | |
4052 | 34 | SSL_TRC(3, ("%d: TLS13[%d]: handle certificate handshake", |
4053 | 34 | SSL_GETPID(), ss->fd)); |
4054 | 34 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
4055 | 34 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
4056 | | |
4057 | 34 | rv = tls13_EnsureCerticateExpected(ss); |
4058 | 34 | if (rv != SECSuccess) { |
4059 | 30 | return SECFailure; /* Code already set. */ |
4060 | 30 | } |
4061 | | |
4062 | | /* We can ignore any other cleartext from the client. */ |
4063 | 4 | if (ss->sec.isServer && IS_DTLS(ss)) { |
4064 | 0 | ssl_CipherSpecReleaseByEpoch(ss, ssl_secret_read, TrafficKeyClearText); |
4065 | 0 | dtls_ReceivedFirstMessageInFlight(ss); |
4066 | 0 | } |
4067 | | |
4068 | | /* AlreadyHashed is true only when Certificate Compression is used. */ |
4069 | 4 | if (ss->firstHsDone && !alreadyHashed) { |
4070 | 0 | rv = ssl_HashPostHandshakeMessage(ss, ssl_hs_certificate, b, length); |
4071 | 0 | if (rv != SECSuccess) { |
4072 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
4073 | 0 | return SECFailure; |
4074 | 0 | } |
4075 | 0 | } |
4076 | | |
4077 | 4 | if (!ss->firstHsDone && ss->sec.isServer) { |
4078 | | /* Our first shot an getting an RTT estimate. If the client took extra |
4079 | | * time to fetch a certificate, this will be bad, but we can't do much |
4080 | | * about that. */ |
4081 | 4 | ss->ssl3.hs.rttEstimate = ssl_Time(ss) - ss->ssl3.hs.rttEstimate; |
4082 | 4 | } |
4083 | | |
4084 | | /* Process the context string */ |
4085 | 4 | rv = ssl3_ConsumeHandshakeVariable(ss, &context, 1, &b, &length); |
4086 | 4 | if (rv != SECSuccess) |
4087 | 0 | return SECFailure; |
4088 | | |
4089 | 4 | if (ss->ssl3.clientCertRequested) { |
4090 | 0 | PORT_Assert(ss->sec.isServer); |
4091 | 0 | if (SECITEM_CompareItem(&context, &ss->xtnData.certReqContext) != 0) { |
4092 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE, illegal_parameter); |
4093 | 0 | return SECFailure; |
4094 | 0 | } |
4095 | 0 | } |
4096 | 4 | rv = ssl3_ConsumeHandshakeVariable(ss, &certList, 3, &b, &length); |
4097 | 4 | if (rv != SECSuccess) { |
4098 | 3 | return SECFailure; |
4099 | 3 | } |
4100 | 1 | if (length) { |
4101 | 1 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE, illegal_parameter); |
4102 | 1 | return SECFailure; |
4103 | 1 | } |
4104 | | |
4105 | 0 | if (!certList.len) { |
4106 | 0 | if (!ss->sec.isServer) { |
4107 | | /* Servers always need to send some cert. */ |
4108 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE, bad_certificate); |
4109 | 0 | return SECFailure; |
4110 | 0 | } else { |
4111 | | /* This is TLS's version of a no_certificate alert. */ |
4112 | | /* I'm a server. I've requested a client cert. He hasn't got one. */ |
4113 | 0 | rv = ssl3_HandleNoCertificate(ss); |
4114 | 0 | if (rv != SECSuccess) { |
4115 | 0 | return SECFailure; |
4116 | 0 | } |
4117 | | |
4118 | 0 | TLS13_SET_HS_STATE(ss, wait_finished); |
4119 | 0 | return SECSuccess; |
4120 | 0 | } |
4121 | 0 | } |
4122 | | |
4123 | | /* Now clean up. */ |
4124 | 0 | ssl3_CleanupPeerCerts(ss); |
4125 | 0 | ss->ssl3.peerCertArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
4126 | 0 | if (ss->ssl3.peerCertArena == NULL) { |
4127 | 0 | FATAL_ERROR(ss, SEC_ERROR_NO_MEMORY, internal_error); |
4128 | 0 | return SECFailure; |
4129 | 0 | } |
4130 | | |
4131 | 0 | while (certList.len) { |
4132 | 0 | CERTCertificate *cert; |
4133 | |
|
4134 | 0 | rv = tls13_HandleCertificateEntry(ss, &certList, first, |
4135 | 0 | &cert); |
4136 | 0 | if (rv != SECSuccess) { |
4137 | 0 | ss->xtnData.signedCertTimestamps.len = 0; |
4138 | 0 | return SECFailure; |
4139 | 0 | } |
4140 | | |
4141 | 0 | if (first) { |
4142 | 0 | ss->sec.peerCert = cert; |
4143 | |
|
4144 | 0 | if (ss->xtnData.signedCertTimestamps.len) { |
4145 | 0 | sslSessionID *sid = ss->sec.ci.sid; |
4146 | 0 | rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.signedCertTimestamps, |
4147 | 0 | &ss->xtnData.signedCertTimestamps); |
4148 | 0 | ss->xtnData.signedCertTimestamps.len = 0; |
4149 | 0 | if (rv != SECSuccess) { |
4150 | 0 | FATAL_ERROR(ss, SEC_ERROR_NO_MEMORY, internal_error); |
4151 | 0 | return SECFailure; |
4152 | 0 | } |
4153 | 0 | } |
4154 | 0 | } else { |
4155 | 0 | ssl3CertNode *c = PORT_ArenaNew(ss->ssl3.peerCertArena, |
4156 | 0 | ssl3CertNode); |
4157 | 0 | if (!c) { |
4158 | 0 | FATAL_ERROR(ss, SEC_ERROR_NO_MEMORY, internal_error); |
4159 | 0 | return SECFailure; |
4160 | 0 | } |
4161 | 0 | c->cert = cert; |
4162 | 0 | c->next = NULL; |
4163 | |
|
4164 | 0 | if (lastCert) { |
4165 | 0 | lastCert->next = c; |
4166 | 0 | } else { |
4167 | 0 | ss->ssl3.peerCertChain = c; |
4168 | 0 | } |
4169 | 0 | lastCert = c; |
4170 | 0 | } |
4171 | | |
4172 | 0 | first = PR_FALSE; |
4173 | 0 | } |
4174 | 0 | SECKEY_UpdateCertPQG(ss->sec.peerCert); |
4175 | |
|
4176 | 0 | return ssl3_AuthCertificate(ss); /* sets ss->ssl3.hs.ws */ |
4177 | 0 | } |
4178 | | |
4179 | | /* Add context to the hash functions as described in |
4180 | | [draft-ietf-tls-tls13; Section 4.9.1] */ |
4181 | | SECStatus |
4182 | | tls13_AddContextToHashes(sslSocket *ss, const SSL3Hashes *hashes, |
4183 | | SSLHashType algorithm, PRBool sending, |
4184 | | SSL3Hashes *tbsHash) |
4185 | 739 | { |
4186 | 739 | SECStatus rv = SECSuccess; |
4187 | 739 | PK11Context *ctx; |
4188 | 739 | const unsigned char context_padding[] = { |
4189 | 739 | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, |
4190 | 739 | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, |
4191 | 739 | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, |
4192 | 739 | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, |
4193 | 739 | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, |
4194 | 739 | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, |
4195 | 739 | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, |
4196 | 739 | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20 |
4197 | 739 | }; |
4198 | | |
4199 | 739 | const char *client_cert_verify_string = "TLS 1.3, client CertificateVerify"; |
4200 | 739 | const char *server_cert_verify_string = "TLS 1.3, server CertificateVerify"; |
4201 | 739 | const char *context_string = (sending ^ ss->sec.isServer) ? client_cert_verify_string |
4202 | 739 | : server_cert_verify_string; |
4203 | 739 | unsigned int hashlength; |
4204 | | |
4205 | | /* Double check that we are doing the same hash.*/ |
4206 | 739 | PORT_Assert(hashes->len == tls13_GetHashSize(ss)); |
4207 | | |
4208 | 739 | ctx = PK11_CreateDigestContext(ssl3_HashTypeToOID(algorithm)); |
4209 | 739 | if (!ctx) { |
4210 | 0 | PORT_SetError(SEC_ERROR_NO_MEMORY); |
4211 | 0 | goto loser; |
4212 | 0 | } |
4213 | | |
4214 | 739 | PORT_Assert(SECFailure); |
4215 | 739 | PORT_Assert(!SECSuccess); |
4216 | | |
4217 | 739 | PRINT_BUF(50, (ss, "TLS 1.3 hash without context", hashes->u.raw, hashes->len)); |
4218 | 739 | PRINT_BUF(50, (ss, "Context string", context_string, strlen(context_string))); |
4219 | 739 | rv |= PK11_DigestBegin(ctx); |
4220 | 739 | rv |= PK11_DigestOp(ctx, context_padding, sizeof(context_padding)); |
4221 | 739 | rv |= PK11_DigestOp(ctx, (unsigned char *)context_string, |
4222 | 739 | strlen(context_string) + 1); /* +1 includes the terminating 0 */ |
4223 | 739 | rv |= PK11_DigestOp(ctx, hashes->u.raw, hashes->len); |
4224 | | /* Update the hash in-place */ |
4225 | 739 | rv |= PK11_DigestFinal(ctx, tbsHash->u.raw, &hashlength, sizeof(tbsHash->u.raw)); |
4226 | 739 | PK11_DestroyContext(ctx, PR_TRUE); |
4227 | 739 | PRINT_BUF(50, (ss, "TLS 1.3 hash with context", tbsHash->u.raw, hashlength)); |
4228 | | |
4229 | 739 | tbsHash->len = hashlength; |
4230 | 739 | tbsHash->hashAlg = algorithm; |
4231 | | |
4232 | 739 | if (rv) { |
4233 | 0 | ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
4234 | 0 | goto loser; |
4235 | 0 | } |
4236 | 739 | return SECSuccess; |
4237 | | |
4238 | 0 | loser: |
4239 | 0 | return SECFailure; |
4240 | 739 | } |
4241 | | |
4242 | | /* |
4243 | | * Derive-Secret(Secret, Label, Messages) = |
4244 | | * HKDF-Expand-Label(Secret, Label, |
4245 | | * Hash(Messages) + Hash(resumption_context), L)) |
4246 | | */ |
4247 | | SECStatus |
4248 | | tls13_DeriveSecret(sslSocket *ss, PK11SymKey *key, |
4249 | | const char *label, |
4250 | | unsigned int labelLen, |
4251 | | const SSL3Hashes *hashes, |
4252 | | PK11SymKey **dest, |
4253 | | SSLHashType hash) |
4254 | 8.94k | { |
4255 | 8.94k | SECStatus rv; |
4256 | | |
4257 | 8.94k | rv = tls13_HkdfExpandLabel(key, hash, hashes->u.raw, hashes->len, |
4258 | 8.94k | label, labelLen, CKM_HKDF_DERIVE, |
4259 | 8.94k | tls13_GetHashSizeForHash(hash), |
4260 | 8.94k | ss->protocolVariant, dest); |
4261 | 8.94k | if (rv != SECSuccess) { |
4262 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
4263 | 0 | return SECFailure; |
4264 | 0 | } |
4265 | 8.94k | return SECSuccess; |
4266 | 8.94k | } |
4267 | | |
4268 | | /* Convenience wrapper for the empty hash. */ |
4269 | | SECStatus |
4270 | | tls13_DeriveSecretNullHash(sslSocket *ss, PK11SymKey *key, |
4271 | | const char *label, |
4272 | | unsigned int labelLen, |
4273 | | PK11SymKey **dest, |
4274 | | SSLHashType hash) |
4275 | 3.36k | { |
4276 | 3.36k | SSL3Hashes hashes; |
4277 | 3.36k | SECStatus rv; |
4278 | 3.36k | PRUint8 buf[] = { 0 }; |
4279 | | |
4280 | 3.36k | rv = tls13_ComputeHash(ss, &hashes, buf, 0, hash); |
4281 | 3.36k | if (rv != SECSuccess) { |
4282 | 0 | return SECFailure; |
4283 | 0 | } |
4284 | | |
4285 | 3.36k | return tls13_DeriveSecret(ss, key, label, labelLen, &hashes, dest, hash); |
4286 | 3.36k | } |
4287 | | |
4288 | | /* Convenience wrapper that lets us supply a separate prefix and suffix. */ |
4289 | | static SECStatus |
4290 | | tls13_DeriveSecretWrap(sslSocket *ss, PK11SymKey *key, |
4291 | | const char *prefix, |
4292 | | const char *suffix, |
4293 | | const char *keylogLabel, |
4294 | | PK11SymKey **dest) |
4295 | 5.58k | { |
4296 | 5.58k | SECStatus rv; |
4297 | 5.58k | SSL3Hashes hashes; |
4298 | 5.58k | char buf[100]; |
4299 | 5.58k | const char *label; |
4300 | | |
4301 | 5.58k | if (prefix) { |
4302 | 4.84k | if ((strlen(prefix) + strlen(suffix) + 2) > sizeof(buf)) { |
4303 | 0 | PORT_Assert(0); |
4304 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
4305 | 0 | return SECFailure; |
4306 | 0 | } |
4307 | 4.84k | (void)PR_snprintf(buf, sizeof(buf), "%s %s", |
4308 | 4.84k | prefix, suffix); |
4309 | 4.84k | label = buf; |
4310 | 4.84k | } else { |
4311 | 743 | label = suffix; |
4312 | 743 | } |
4313 | | |
4314 | 5.58k | SSL_TRC(3, ("%d: TLS13[%d]: deriving secret '%s'", |
4315 | 5.58k | SSL_GETPID(), ss->fd, label)); |
4316 | 5.58k | rv = tls13_ComputeHandshakeHashes(ss, &hashes); |
4317 | 5.58k | if (rv != SECSuccess) { |
4318 | 0 | PORT_Assert(0); /* Should never fail */ |
4319 | 0 | ssl_MapLowLevelError(SEC_ERROR_LIBRARY_FAILURE); |
4320 | 0 | return SECFailure; |
4321 | 0 | } |
4322 | | |
4323 | 5.58k | rv = tls13_DeriveSecret(ss, key, label, strlen(label), |
4324 | 5.58k | &hashes, dest, tls13_GetHash(ss)); |
4325 | 5.58k | if (rv != SECSuccess) { |
4326 | 0 | return SECFailure; |
4327 | 0 | } |
4328 | | |
4329 | 5.58k | if (keylogLabel) { |
4330 | 5.57k | ssl3_RecordKeyLog(ss, keylogLabel, *dest); |
4331 | 5.57k | } |
4332 | 5.58k | return SECSuccess; |
4333 | 5.58k | } |
4334 | | |
4335 | | SECStatus |
4336 | | SSLExp_SecretCallback(PRFileDesc *fd, SSLSecretCallback cb, void *arg) |
4337 | 0 | { |
4338 | 0 | sslSocket *ss = ssl_FindSocket(fd); |
4339 | 0 | if (!ss) { |
4340 | 0 | SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SecretCallback", |
4341 | 0 | SSL_GETPID(), fd)); |
4342 | 0 | return SECFailure; |
4343 | 0 | } |
4344 | | |
4345 | 0 | ssl_Get1stHandshakeLock(ss); |
4346 | 0 | ssl_GetSSL3HandshakeLock(ss); |
4347 | 0 | ss->secretCallback = cb; |
4348 | 0 | ss->secretCallbackArg = arg; |
4349 | 0 | ssl_ReleaseSSL3HandshakeLock(ss); |
4350 | 0 | ssl_Release1stHandshakeLock(ss); |
4351 | 0 | return SECSuccess; |
4352 | 0 | } |
4353 | | |
4354 | | /* Derive traffic keys for the next cipher spec in the queue. */ |
4355 | | static SECStatus |
4356 | | tls13_DeriveTrafficKeys(sslSocket *ss, ssl3CipherSpec *spec, |
4357 | | TrafficKeyType type, |
4358 | | PRBool deleteSecret) |
4359 | 3.29k | { |
4360 | 3.29k | size_t keySize = spec->cipherDef->key_size; |
4361 | 3.29k | size_t ivSize = spec->cipherDef->iv_size + |
4362 | 3.29k | spec->cipherDef->explicit_nonce_size; /* This isn't always going to |
4363 | | * work, but it does for |
4364 | | * AES-GCM */ |
4365 | 3.29k | CK_MECHANISM_TYPE bulkAlgorithm = ssl3_Alg2Mech(spec->cipherDef->calg); |
4366 | 3.29k | PK11SymKey **prkp = NULL; |
4367 | 3.29k | PK11SymKey *prk = NULL; |
4368 | 3.29k | PRBool clientSecret; |
4369 | 3.29k | SECStatus rv; |
4370 | | /* These labels are just used for debugging. */ |
4371 | 3.29k | static const char kHkdfPhaseEarlyApplicationDataKeys[] = "early application data"; |
4372 | 3.29k | static const char kHkdfPhaseHandshakeKeys[] = "handshake data"; |
4373 | 3.29k | static const char kHkdfPhaseApplicationDataKeys[] = "application data"; |
4374 | | |
4375 | 3.29k | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
4376 | | |
4377 | 3.29k | clientSecret = !tls13_UseServerSecret(ss, spec->direction); |
4378 | 3.29k | switch (type) { |
4379 | 0 | case TrafficKeyEarlyApplicationData: |
4380 | 0 | PORT_Assert(clientSecret); |
4381 | 0 | prkp = &ss->ssl3.hs.clientEarlyTrafficSecret; |
4382 | 0 | spec->phase = kHkdfPhaseEarlyApplicationDataKeys; |
4383 | 0 | break; |
4384 | 2.53k | case TrafficKeyHandshake: |
4385 | 2.53k | prkp = clientSecret ? &ss->ssl3.hs.clientHsTrafficSecret |
4386 | 2.53k | : &ss->ssl3.hs.serverHsTrafficSecret; |
4387 | 2.53k | spec->phase = kHkdfPhaseHandshakeKeys; |
4388 | 2.53k | break; |
4389 | 754 | case TrafficKeyApplicationData: |
4390 | 754 | prkp = clientSecret ? &ss->ssl3.hs.clientTrafficSecret |
4391 | 754 | : &ss->ssl3.hs.serverTrafficSecret; |
4392 | 754 | spec->phase = kHkdfPhaseApplicationDataKeys; |
4393 | 754 | break; |
4394 | 0 | default: |
4395 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
4396 | 0 | PORT_Assert(0); |
4397 | 0 | return SECFailure; |
4398 | 3.29k | } |
4399 | 3.29k | PORT_Assert(prkp != NULL); |
4400 | 3.29k | prk = *prkp; |
4401 | | |
4402 | 3.29k | SSL_TRC(3, ("%d: TLS13[%d]: deriving %s traffic keys epoch=%d (%s)", |
4403 | 3.29k | SSL_GETPID(), ss->fd, SPEC_DIR(spec), |
4404 | 3.29k | spec->epoch, spec->phase)); |
4405 | | |
4406 | 3.29k | rv = tls13_HkdfExpandLabel(prk, tls13_GetHash(ss), |
4407 | 3.29k | NULL, 0, |
4408 | 3.29k | kHkdfPurposeKey, strlen(kHkdfPurposeKey), |
4409 | 3.29k | bulkAlgorithm, keySize, |
4410 | 3.29k | ss->protocolVariant, |
4411 | 3.29k | &spec->keyMaterial.key); |
4412 | 3.29k | if (rv != SECSuccess) { |
4413 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
4414 | 0 | PORT_Assert(0); |
4415 | 0 | goto loser; |
4416 | 0 | } |
4417 | | |
4418 | 3.29k | if (IS_DTLS(ss) && spec->epoch > 0) { |
4419 | 0 | rv = ssl_CreateMaskingContextInner(spec->version, ss->ssl3.hs.cipher_suite, |
4420 | 0 | ss->protocolVariant, prk, kHkdfPurposeSn, |
4421 | 0 | strlen(kHkdfPurposeSn), &spec->maskContext); |
4422 | 0 | if (rv != SECSuccess) { |
4423 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
4424 | 0 | PORT_Assert(0); |
4425 | 0 | goto loser; |
4426 | 0 | } |
4427 | 0 | } |
4428 | | |
4429 | 3.29k | rv = tls13_HkdfExpandLabelRaw(prk, tls13_GetHash(ss), |
4430 | 3.29k | NULL, 0, |
4431 | 3.29k | kHkdfPurposeIv, strlen(kHkdfPurposeIv), |
4432 | 3.29k | ss->protocolVariant, |
4433 | 3.29k | spec->keyMaterial.iv, ivSize); |
4434 | 3.29k | if (rv != SECSuccess) { |
4435 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
4436 | 0 | PORT_Assert(0); |
4437 | 0 | goto loser; |
4438 | 0 | } |
4439 | | |
4440 | 3.29k | if (deleteSecret) { |
4441 | 0 | PK11_FreeSymKey(prk); |
4442 | 0 | *prkp = NULL; |
4443 | 0 | } |
4444 | 3.29k | return SECSuccess; |
4445 | | |
4446 | 0 | loser: |
4447 | 0 | return SECFailure; |
4448 | 3.29k | } |
4449 | | |
4450 | | void |
4451 | | tls13_SetSpecRecordVersion(sslSocket *ss, ssl3CipherSpec *spec) |
4452 | 7.47k | { |
4453 | | /* Set the record version to pretend to be (D)TLS 1.2. */ |
4454 | 7.47k | if (IS_DTLS(ss)) { |
4455 | 0 | spec->recordVersion = SSL_LIBRARY_VERSION_DTLS_1_2_WIRE; |
4456 | 7.47k | } else { |
4457 | 7.47k | spec->recordVersion = SSL_LIBRARY_VERSION_TLS_1_2; |
4458 | 7.47k | } |
4459 | 7.47k | SSL_TRC(10, ("%d: TLS13[%d]: set spec=%d record version to 0x%04x", |
4460 | 7.47k | SSL_GETPID(), ss->fd, spec, spec->recordVersion)); |
4461 | 7.47k | } |
4462 | | |
4463 | | static SECStatus |
4464 | | tls13_SetupPendingCipherSpec(sslSocket *ss, ssl3CipherSpec *spec) |
4465 | 3.29k | { |
4466 | 3.29k | ssl3CipherSuite suite = ss->ssl3.hs.cipher_suite; |
4467 | | |
4468 | 3.29k | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
4469 | 3.29k | PORT_Assert(spec->epoch); |
4470 | | |
4471 | | /* Version isn't set when we send 0-RTT data. */ |
4472 | 3.29k | spec->version = PR_MAX(SSL_LIBRARY_VERSION_TLS_1_3, ss->version); |
4473 | | |
4474 | 3.29k | ssl_SaveCipherSpec(ss, spec); |
4475 | | /* We want to keep read cipher specs around longer because |
4476 | | * there are cases where we might get either epoch N or |
4477 | | * epoch N+1. */ |
4478 | 3.29k | if (IS_DTLS(ss) && spec->direction == ssl_secret_read) { |
4479 | 0 | ssl_CipherSpecAddRef(spec); |
4480 | 0 | } |
4481 | | |
4482 | 3.29k | SSL_TRC(3, ("%d: TLS13[%d]: Set Pending Cipher Suite to 0x%04x", |
4483 | 3.29k | SSL_GETPID(), ss->fd, suite)); |
4484 | | |
4485 | 3.29k | spec->cipherDef = ssl_GetBulkCipherDef(ssl_LookupCipherSuiteDef(suite)); |
4486 | | |
4487 | 3.29k | if (spec->epoch == TrafficKeyEarlyApplicationData) { |
4488 | 0 | if (ss->xtnData.selectedPsk && |
4489 | 0 | ss->xtnData.selectedPsk->zeroRttSuite != TLS_NULL_WITH_NULL_NULL) { |
4490 | 0 | spec->earlyDataRemaining = ss->xtnData.selectedPsk->maxEarlyData; |
4491 | 0 | } |
4492 | 0 | } |
4493 | | |
4494 | 3.29k | tls13_SetSpecRecordVersion(ss, spec); |
4495 | | |
4496 | | /* The record size limit is reduced by one so that the remainder of the |
4497 | | * record handling code can use the same checks for all versions. */ |
4498 | 3.29k | if (ssl3_ExtensionNegotiated(ss, ssl_record_size_limit_xtn)) { |
4499 | 1.26k | spec->recordSizeLimit = ((spec->direction == ssl_secret_read) |
4500 | 1.26k | ? ss->opt.recordSizeLimit |
4501 | 1.26k | : ss->xtnData.recordSizeLimit) - |
4502 | 1.26k | 1; |
4503 | 2.02k | } else { |
4504 | 2.02k | spec->recordSizeLimit = MAX_FRAGMENT_LENGTH; |
4505 | 2.02k | } |
4506 | 3.29k | return SECSuccess; |
4507 | 3.29k | } |
4508 | | |
4509 | | /* |
4510 | | * Initialize the cipher context. All TLS 1.3 operations are AEAD, |
4511 | | * so they are all message contexts. |
4512 | | */ |
4513 | | static SECStatus |
4514 | | tls13_InitPendingContext(sslSocket *ss, ssl3CipherSpec *spec) |
4515 | 3.29k | { |
4516 | 3.29k | CK_MECHANISM_TYPE encMechanism; |
4517 | 3.29k | CK_ATTRIBUTE_TYPE encMode; |
4518 | 3.29k | SECItem iv; |
4519 | 3.29k | SSLCipherAlgorithm calg; |
4520 | | |
4521 | 3.29k | calg = spec->cipherDef->calg; |
4522 | | |
4523 | 3.29k | encMechanism = ssl3_Alg2Mech(calg); |
4524 | 3.29k | encMode = CKA_NSS_MESSAGE | ((spec->direction == ssl_secret_write) ? CKA_ENCRYPT : CKA_DECRYPT); |
4525 | 3.29k | iv.data = NULL; |
4526 | 3.29k | iv.len = 0; |
4527 | | |
4528 | | /* |
4529 | | * build the context |
4530 | | */ |
4531 | 3.29k | spec->cipherContext = PK11_CreateContextBySymKey(encMechanism, encMode, |
4532 | 3.29k | spec->keyMaterial.key, |
4533 | 3.29k | &iv); |
4534 | 3.29k | if (!spec->cipherContext) { |
4535 | 0 | ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE); |
4536 | 0 | return SECFailure; |
4537 | 0 | } |
4538 | 3.29k | return SECSuccess; |
4539 | 3.29k | } |
4540 | | |
4541 | | /* |
4542 | | * Called before sending alerts to set up the right key on the client. |
4543 | | * We might encounter errors during the handshake where the current |
4544 | | * key is ClearText or EarlyApplicationData. This |
4545 | | * function switches to the Handshake key if possible. |
4546 | | */ |
4547 | | SECStatus |
4548 | | tls13_SetAlertCipherSpec(sslSocket *ss) |
4549 | 54.2k | { |
4550 | 54.2k | SECStatus rv; |
4551 | | |
4552 | 54.2k | if (ss->sec.isServer) { |
4553 | 27.9k | return SECSuccess; |
4554 | 27.9k | } |
4555 | 26.2k | if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { |
4556 | 25.5k | return SECSuccess; |
4557 | 25.5k | } |
4558 | 647 | if (TLS13_IN_HS_STATE(ss, wait_server_hello)) { |
4559 | 530 | return SECSuccess; |
4560 | 530 | } |
4561 | 117 | if ((ss->ssl3.cwSpec->epoch != TrafficKeyClearText) && |
4562 | 117 | (ss->ssl3.cwSpec->epoch != TrafficKeyEarlyApplicationData)) { |
4563 | 0 | return SECSuccess; |
4564 | 0 | } |
4565 | | |
4566 | 117 | rv = tls13_SetCipherSpec(ss, TrafficKeyHandshake, |
4567 | 117 | ssl_secret_write, PR_FALSE); |
4568 | 117 | if (rv != SECSuccess) { |
4569 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
4570 | 0 | return SECFailure; |
4571 | 0 | } |
4572 | 117 | return SECSuccess; |
4573 | 117 | } |
4574 | | |
4575 | | /* Install a new cipher spec for this direction. |
4576 | | * |
4577 | | * During the handshake, the values for |epoch| take values from the |
4578 | | * TrafficKeyType enum. Afterwards, key update increments them. |
4579 | | */ |
4580 | | static SECStatus |
4581 | | tls13_SetCipherSpec(sslSocket *ss, PRUint16 epoch, |
4582 | | SSLSecretDirection direction, PRBool deleteSecret) |
4583 | 3.29k | { |
4584 | 3.29k | TrafficKeyType type; |
4585 | 3.29k | SECStatus rv; |
4586 | 3.29k | ssl3CipherSpec *spec = NULL; |
4587 | 3.29k | ssl3CipherSpec **specp; |
4588 | | |
4589 | | /* Flush out old handshake data. */ |
4590 | 3.29k | ssl_GetXmitBufLock(ss); |
4591 | 3.29k | rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER); |
4592 | 3.29k | ssl_ReleaseXmitBufLock(ss); |
4593 | 3.29k | if (rv != SECSuccess) { |
4594 | 0 | return SECFailure; |
4595 | 0 | } |
4596 | | |
4597 | | /* Create the new spec. */ |
4598 | 3.29k | spec = ssl_CreateCipherSpec(ss, direction); |
4599 | 3.29k | if (!spec) { |
4600 | 0 | return SECFailure; |
4601 | 0 | } |
4602 | 3.29k | spec->epoch = epoch; |
4603 | 3.29k | spec->nextSeqNum = 0; |
4604 | 3.29k | if (IS_DTLS(ss)) { |
4605 | 0 | dtls_InitRecvdRecords(&spec->recvdRecords); |
4606 | 0 | } |
4607 | | |
4608 | | /* This depends on spec having a valid direction and epoch. */ |
4609 | 3.29k | rv = tls13_SetupPendingCipherSpec(ss, spec); |
4610 | 3.29k | if (rv != SECSuccess) { |
4611 | 0 | goto loser; |
4612 | 0 | } |
4613 | | |
4614 | 3.29k | type = (TrafficKeyType)PR_MIN(TrafficKeyApplicationData, epoch); |
4615 | 3.29k | rv = tls13_DeriveTrafficKeys(ss, spec, type, deleteSecret); |
4616 | 3.29k | if (rv != SECSuccess) { |
4617 | 0 | goto loser; |
4618 | 0 | } |
4619 | | |
4620 | 3.29k | rv = tls13_InitPendingContext(ss, spec); |
4621 | 3.29k | if (rv != SECSuccess) { |
4622 | 0 | goto loser; |
4623 | 0 | } |
4624 | | |
4625 | | /* Now that we've set almost everything up, finally cut over. */ |
4626 | 3.29k | specp = (direction == ssl_secret_read) ? &ss->ssl3.crSpec : &ss->ssl3.cwSpec; |
4627 | 3.29k | ssl_GetSpecWriteLock(ss); |
4628 | 3.29k | ssl_CipherSpecRelease(*specp); /* May delete old cipher. */ |
4629 | 3.29k | *specp = spec; /* Overwrite. */ |
4630 | 3.29k | ssl_ReleaseSpecWriteLock(ss); |
4631 | | |
4632 | 3.29k | SSL_TRC(3, ("%d: TLS13[%d]: %s installed key for epoch=%d (%s) dir=%s", |
4633 | 3.29k | SSL_GETPID(), ss->fd, SSL_ROLE(ss), spec->epoch, |
4634 | 3.29k | spec->phase, SPEC_DIR(spec))); |
4635 | 3.29k | return SECSuccess; |
4636 | | |
4637 | 0 | loser: |
4638 | 0 | ssl_CipherSpecRelease(spec); |
4639 | 0 | return SECFailure; |
4640 | 3.29k | } |
4641 | | |
4642 | | SECStatus |
4643 | | tls13_ComputeHandshakeHashes(sslSocket *ss, SSL3Hashes *hashes) |
4644 | 7.34k | { |
4645 | 7.34k | SECStatus rv; |
4646 | 7.34k | PK11Context *ctx = NULL; |
4647 | 7.34k | PRBool useEchInner; |
4648 | 7.34k | sslBuffer *transcript; |
4649 | | |
4650 | 7.34k | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
4651 | 7.34k | if (ss->ssl3.hs.hashType == handshake_hash_unknown) { |
4652 | | /* Backup: if we haven't done any hashing, then hash now. |
4653 | | * This happens when we are doing 0-RTT on the client. */ |
4654 | 275 | ctx = PK11_CreateDigestContext(ssl3_HashTypeToOID(tls13_GetHash(ss))); |
4655 | 275 | if (!ctx) { |
4656 | 0 | ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
4657 | 0 | return SECFailure; |
4658 | 0 | } |
4659 | | |
4660 | 275 | if (PK11_DigestBegin(ctx) != SECSuccess) { |
4661 | 0 | ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
4662 | 0 | goto loser; |
4663 | 0 | } |
4664 | | |
4665 | | /* One might expect this to use ss->ssl3.hs.echAccepted, |
4666 | | * but with 0-RTT we don't know that yet. */ |
4667 | 275 | useEchInner = ss->sec.isServer ? PR_FALSE : !!ss->ssl3.hs.echHpkeCtx; |
4668 | 275 | transcript = useEchInner ? &ss->ssl3.hs.echInnerMessages : &ss->ssl3.hs.messages; |
4669 | | |
4670 | 275 | PRINT_BUF(10, (ss, "Handshake hash computed over saved messages", |
4671 | 275 | transcript->buf, |
4672 | 275 | transcript->len)); |
4673 | | |
4674 | 275 | if (PK11_DigestOp(ctx, |
4675 | 275 | transcript->buf, |
4676 | 275 | transcript->len) != SECSuccess) { |
4677 | 0 | ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
4678 | 0 | goto loser; |
4679 | 0 | } |
4680 | 7.06k | } else { |
4681 | 7.06k | if (ss->firstHsDone) { |
4682 | 0 | ctx = PK11_CloneContext(ss->ssl3.hs.shaPostHandshake); |
4683 | 7.06k | } else { |
4684 | 7.06k | ctx = PK11_CloneContext(ss->ssl3.hs.sha); |
4685 | 7.06k | } |
4686 | 7.06k | if (!ctx) { |
4687 | 0 | ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
4688 | 0 | return SECFailure; |
4689 | 0 | } |
4690 | 7.06k | } |
4691 | | |
4692 | 7.34k | rv = PK11_DigestFinal(ctx, hashes->u.raw, |
4693 | 7.34k | &hashes->len, |
4694 | 7.34k | sizeof(hashes->u.raw)); |
4695 | 7.34k | if (rv != SECSuccess) { |
4696 | 0 | ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
4697 | 0 | goto loser; |
4698 | 0 | } |
4699 | | |
4700 | 7.34k | PRINT_BUF(10, (ss, "Handshake hash", hashes->u.raw, hashes->len)); |
4701 | 7.34k | PORT_Assert(hashes->len == tls13_GetHashSize(ss)); |
4702 | 7.34k | PK11_DestroyContext(ctx, PR_TRUE); |
4703 | | |
4704 | 7.34k | return SECSuccess; |
4705 | | |
4706 | 0 | loser: |
4707 | 0 | PK11_DestroyContext(ctx, PR_TRUE); |
4708 | 0 | return SECFailure; |
4709 | 7.34k | } |
4710 | | |
4711 | | TLS13KeyShareEntry * |
4712 | | tls13_CopyKeyShareEntry(TLS13KeyShareEntry *o) |
4713 | 0 | { |
4714 | 0 | TLS13KeyShareEntry *n; |
4715 | |
|
4716 | 0 | PORT_Assert(o); |
4717 | 0 | n = PORT_ZNew(TLS13KeyShareEntry); |
4718 | 0 | if (!n) { |
4719 | 0 | return NULL; |
4720 | 0 | } |
4721 | | |
4722 | 0 | if (SECSuccess != SECITEM_CopyItem(NULL, &n->key_exchange, &o->key_exchange)) { |
4723 | 0 | PORT_Free(n); |
4724 | 0 | return NULL; |
4725 | 0 | } |
4726 | 0 | n->group = o->group; |
4727 | 0 | return n; |
4728 | 0 | } |
4729 | | |
4730 | | void |
4731 | | tls13_DestroyKeyShareEntry(TLS13KeyShareEntry *offer) |
4732 | 2.47k | { |
4733 | 2.47k | if (!offer) { |
4734 | 97 | return; |
4735 | 97 | } |
4736 | 2.37k | SECITEM_ZfreeItem(&offer->key_exchange, PR_FALSE); |
4737 | 2.37k | PORT_ZFree(offer, sizeof(*offer)); |
4738 | 2.37k | } |
4739 | | |
4740 | | void |
4741 | | tls13_DestroyKeyShares(PRCList *list) |
4742 | 279k | { |
4743 | 279k | PRCList *cur_p; |
4744 | | |
4745 | | /* The list must be initialized. */ |
4746 | 279k | PORT_Assert(PR_LIST_HEAD(list)); |
4747 | | |
4748 | 281k | while (!PR_CLIST_IS_EMPTY(list)) { |
4749 | 2.35k | cur_p = PR_LIST_TAIL(list); |
4750 | 2.35k | PR_REMOVE_LINK(cur_p); |
4751 | 2.35k | tls13_DestroyKeyShareEntry((TLS13KeyShareEntry *)cur_p); |
4752 | 2.35k | } |
4753 | 279k | } |
4754 | | |
4755 | | void |
4756 | | tls13_DestroyEarlyData(PRCList *list) |
4757 | 69.0k | { |
4758 | 69.0k | PRCList *cur_p; |
4759 | | |
4760 | 69.0k | while (!PR_CLIST_IS_EMPTY(list)) { |
4761 | 0 | TLS13EarlyData *msg; |
4762 | |
|
4763 | 0 | cur_p = PR_LIST_TAIL(list); |
4764 | 0 | msg = (TLS13EarlyData *)cur_p; |
4765 | |
|
4766 | 0 | PR_REMOVE_LINK(cur_p); |
4767 | 0 | SECITEM_ZfreeItem(&msg->data, PR_FALSE); |
4768 | 0 | PORT_ZFree(msg, sizeof(*msg)); |
4769 | 0 | } |
4770 | 69.0k | } |
4771 | | |
4772 | | /* draft-ietf-tls-tls13 Section 5.2.2 specifies the following |
4773 | | * nonce algorithm: |
4774 | | * |
4775 | | * The length of the per-record nonce (iv_length) is set to max(8 bytes, |
4776 | | * N_MIN) for the AEAD algorithm (see [RFC5116] Section 4). An AEAD |
4777 | | * algorithm where N_MAX is less than 8 bytes MUST NOT be used with TLS. |
4778 | | * The per-record nonce for the AEAD construction is formed as follows: |
4779 | | * |
4780 | | * 1. The 64-bit record sequence number is padded to the left with |
4781 | | * zeroes to iv_length. |
4782 | | * |
4783 | | * 2. The padded sequence number is XORed with the static |
4784 | | * client_write_iv or server_write_iv, depending on the role. |
4785 | | * |
4786 | | * The resulting quantity (of length iv_length) is used as the per- |
4787 | | * record nonce. |
4788 | | * |
4789 | | * Existing suites have the same nonce size: N_MIN = N_MAX = 12 bytes |
4790 | | * |
4791 | | * See RFC 5288 and https://tools.ietf.org/html/draft-ietf-tls-chacha20-poly1305-04#section-2 |
4792 | | */ |
4793 | | static void |
4794 | | tls13_WriteNonce(const unsigned char *ivIn, unsigned int ivInLen, |
4795 | | const unsigned char *nonce, unsigned int nonceLen, |
4796 | | unsigned char *ivOut, unsigned int ivOutLen) |
4797 | 14.4k | { |
4798 | 14.4k | size_t i; |
4799 | 14.4k | unsigned int offset = ivOutLen - nonceLen; |
4800 | | |
4801 | 14.4k | PORT_Assert(ivInLen <= ivOutLen); |
4802 | 14.4k | PORT_Assert(nonceLen <= ivOutLen); |
4803 | 14.4k | PORT_Memset(ivOut, 0, ivOutLen); |
4804 | 14.4k | PORT_Memcpy(ivOut, ivIn, ivInLen); |
4805 | | |
4806 | | /* XOR the last n bytes of the IV with the nonce (should be a counter). */ |
4807 | 129k | for (i = 0; i < nonceLen; ++i) { |
4808 | 115k | ivOut[offset + i] ^= nonce[i]; |
4809 | 115k | } |
4810 | 14.4k | PRINT_BUF(50, (NULL, "Nonce", ivOut, ivOutLen)); |
4811 | 14.4k | } |
4812 | | |
4813 | | /* Setup the IV for AEAD encrypt. The PKCS #11 module will add the |
4814 | | * counter, but it doesn't know about the DTLS epic, so we add it here. |
4815 | | */ |
4816 | | unsigned int |
4817 | | tls13_SetupAeadIv(PRBool isDTLS, SSL3ProtocolVersion v, unsigned char *ivOut, unsigned char *ivIn, |
4818 | | unsigned int offset, unsigned int ivLen, DTLSEpoch epoch) |
4819 | 3.16k | { |
4820 | 3.16k | PORT_Memcpy(ivOut, ivIn, ivLen); |
4821 | 3.16k | if (isDTLS && v < SSL_LIBRARY_VERSION_TLS_1_3) { |
4822 | | /* handle the tls 1.2 counter mode case, the epoc is copied |
4823 | | * instead of xored. We accomplish this by clearing ivOut |
4824 | | * before running xor. */ |
4825 | 149 | if (offset >= ivLen) { |
4826 | 149 | ivOut[offset] = ivOut[offset + 1] = 0; |
4827 | 149 | } |
4828 | 149 | ivOut[offset] ^= (unsigned char)(epoch >> BPB) & 0xff; |
4829 | 149 | ivOut[offset + 1] ^= (unsigned char)(epoch)&0xff; |
4830 | 149 | offset += 2; |
4831 | 149 | } |
4832 | | |
4833 | 3.16k | return offset; |
4834 | 3.16k | } |
4835 | | |
4836 | | /* |
4837 | | * Do a single AEAD for TLS. This differs from PK11_AEADOp in the following |
4838 | | * ways. |
4839 | | * 1) If context is not supplied, it treats the operation as a single shot |
4840 | | * and creates a context from symKey and mech. |
4841 | | * 2) It always assumes the tag will be at the end of the buffer |
4842 | | * (in on decrypt, out on encrypt) just like the old single shot. |
4843 | | * 3) If we aren't generating an IV, it uses tls13_WriteNonce to create the |
4844 | | * nonce. |
4845 | | * NOTE is context is supplied, symKey and mech are ignored |
4846 | | */ |
4847 | | SECStatus |
4848 | | tls13_AEAD(PK11Context *context, PRBool decrypt, |
4849 | | CK_GENERATOR_FUNCTION ivGen, unsigned int fixedbits, |
4850 | | const unsigned char *ivIn, unsigned char *ivOut, unsigned int ivLen, |
4851 | | const unsigned char *nonceIn, unsigned int nonceLen, |
4852 | | const unsigned char *aad, unsigned int aadLen, |
4853 | | unsigned char *out, unsigned int *outLen, unsigned int maxout, |
4854 | | unsigned int tagLen, const unsigned char *in, unsigned int inLen) |
4855 | 17.5k | { |
4856 | 17.5k | unsigned char *tag; |
4857 | 17.5k | unsigned char iv[MAX_IV_LENGTH]; |
4858 | 17.5k | unsigned char tagbuf[HASH_LENGTH_MAX]; |
4859 | 17.5k | SECStatus rv; |
4860 | | |
4861 | | /* must have either context or the symKey set */ |
4862 | 17.5k | if (!context) { |
4863 | 0 | PORT_SetError(SEC_ERROR_INVALID_ARGS); |
4864 | 0 | return SECFailure; |
4865 | 0 | } |
4866 | | |
4867 | 17.5k | PORT_Assert(ivLen <= MAX_IV_LENGTH); |
4868 | 17.5k | PORT_Assert(tagLen <= HASH_LENGTH_MAX); |
4869 | 17.5k | if (!ivOut) { |
4870 | 14.4k | ivOut = iv; /* caller doesn't need a returned, iv */ |
4871 | 14.4k | } |
4872 | | |
4873 | 17.5k | if (ivGen == CKG_NO_GENERATE) { |
4874 | 14.4k | tls13_WriteNonce(ivIn, ivLen, nonceIn, nonceLen, ivOut, ivLen); |
4875 | 14.4k | } else if (ivIn != ivOut) { |
4876 | 0 | PORT_Memcpy(ivOut, ivIn, ivLen); |
4877 | 0 | } |
4878 | 17.5k | if (decrypt) { |
4879 | 14.4k | inLen = inLen - tagLen; |
4880 | 14.4k | tag = (unsigned char *)in + inLen; |
4881 | | /* tag is const on decrypt, but returned on encrypt */ |
4882 | 14.4k | } else { |
4883 | | /* tag is written to a separate buffer, then added to the end |
4884 | | * of the actual output buffer. This allows output buffer to be larger |
4885 | | * than the input buffer and everything still work */ |
4886 | 3.16k | tag = tagbuf; |
4887 | 3.16k | } |
4888 | 17.5k | rv = PK11_AEADOp(context, ivGen, fixedbits, ivOut, ivLen, aad, aadLen, |
4889 | 17.5k | out, (int *)outLen, maxout, tag, tagLen, in, inLen); |
4890 | | /* on encrypt SSL always puts the tag at the end of the buffer */ |
4891 | 17.5k | if ((rv == SECSuccess) && !(decrypt)) { |
4892 | 3.16k | unsigned int len = *outLen; |
4893 | | /* make sure there is still space */ |
4894 | 3.16k | if (len + tagLen > maxout) { |
4895 | 0 | PORT_SetError(SEC_ERROR_OUTPUT_LEN); |
4896 | 0 | return SECFailure; |
4897 | 0 | } |
4898 | 3.16k | PORT_Memcpy(out + len, tag, tagLen); |
4899 | 3.16k | *outLen += tagLen; |
4900 | 3.16k | } |
4901 | 17.5k | return rv; |
4902 | 17.5k | } |
4903 | | |
4904 | | static SECStatus |
4905 | | tls13_HandleEncryptedExtensions(sslSocket *ss, PRUint8 *b, PRUint32 length) |
4906 | 4 | { |
4907 | 4 | SECStatus rv; |
4908 | 4 | PRUint32 innerLength; |
4909 | 4 | SECItem oldAlpn = { siBuffer, NULL, 0 }; |
4910 | | |
4911 | 4 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
4912 | 4 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
4913 | | |
4914 | 4 | SSL_TRC(3, ("%d: TLS13[%d]: handle encrypted extensions", |
4915 | 4 | SSL_GETPID(), ss->fd)); |
4916 | | |
4917 | 4 | rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_ENCRYPTED_EXTENSIONS, |
4918 | 4 | wait_encrypted_extensions); |
4919 | 4 | if (rv != SECSuccess) { |
4920 | 4 | return SECFailure; |
4921 | 4 | } |
4922 | | |
4923 | 0 | rv = ssl3_ConsumeHandshakeNumber(ss, &innerLength, 2, &b, &length); |
4924 | 0 | if (rv != SECSuccess) { |
4925 | 0 | return SECFailure; /* Alert already sent. */ |
4926 | 0 | } |
4927 | 0 | if (innerLength != length) { |
4928 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS, |
4929 | 0 | illegal_parameter); |
4930 | 0 | return SECFailure; |
4931 | 0 | } |
4932 | | |
4933 | | /* If we are doing 0-RTT, then we already have an ALPN value. Stash |
4934 | | * it for comparison. */ |
4935 | 0 | if (ss->ssl3.hs.zeroRttState == ssl_0rtt_sent && |
4936 | 0 | ss->xtnData.nextProtoState == SSL_NEXT_PROTO_EARLY_VALUE) { |
4937 | 0 | oldAlpn = ss->xtnData.nextProto; |
4938 | 0 | ss->xtnData.nextProto.data = NULL; |
4939 | 0 | ss->xtnData.nextProtoState = SSL_NEXT_PROTO_NO_SUPPORT; |
4940 | 0 | } |
4941 | |
|
4942 | 0 | rv = ssl3_ParseExtensions(ss, &b, &length); |
4943 | 0 | if (rv != SECSuccess) { |
4944 | 0 | return SECFailure; /* Error code set below */ |
4945 | 0 | } |
4946 | | |
4947 | | /* Handle the rest of the extensions. */ |
4948 | 0 | rv = ssl3_HandleParsedExtensions(ss, ssl_hs_encrypted_extensions); |
4949 | 0 | if (rv != SECSuccess) { |
4950 | 0 | return SECFailure; /* Error code set below */ |
4951 | 0 | } |
4952 | | |
4953 | | /* We can only get here if we offered 0-RTT. */ |
4954 | 0 | if (ssl3_ExtensionNegotiated(ss, ssl_tls13_early_data_xtn)) { |
4955 | 0 | PORT_Assert(ss->ssl3.hs.zeroRttState == ssl_0rtt_sent); |
4956 | 0 | if (!ss->xtnData.selectedPsk) { |
4957 | | /* Illegal to accept 0-RTT without also accepting PSK. */ |
4958 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS, |
4959 | 0 | illegal_parameter); |
4960 | 0 | } |
4961 | 0 | ss->ssl3.hs.zeroRttState = ssl_0rtt_accepted; |
4962 | | |
4963 | | /* Check that the server negotiated the same ALPN (if any). */ |
4964 | 0 | if (SECITEM_CompareItem(&oldAlpn, &ss->xtnData.nextProto)) { |
4965 | 0 | SECITEM_FreeItem(&oldAlpn, PR_FALSE); |
4966 | 0 | FATAL_ERROR(ss, SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID, |
4967 | 0 | illegal_parameter); |
4968 | 0 | return SECFailure; |
4969 | 0 | } |
4970 | | /* Check that the server negotiated the same cipher suite. */ |
4971 | 0 | if (ss->ssl3.hs.cipher_suite != ss->ssl3.hs.zeroRttSuite) { |
4972 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS, |
4973 | 0 | illegal_parameter); |
4974 | 0 | return SECFailure; |
4975 | 0 | } |
4976 | 0 | } else if (ss->ssl3.hs.zeroRttState == ssl_0rtt_sent) { |
4977 | | /* Though we sent 0-RTT, the early_data extension wasn't present so the |
4978 | | * state is unmodified; the server must have rejected 0-RTT. */ |
4979 | 0 | ss->ssl3.hs.zeroRttState = ssl_0rtt_ignored; |
4980 | 0 | ss->ssl3.hs.zeroRttIgnore = ssl_0rtt_ignore_trial; |
4981 | 0 | } else { |
4982 | 0 | PORT_Assert(ss->ssl3.hs.zeroRttState == ssl_0rtt_none || |
4983 | 0 | (ss->ssl3.hs.helloRetry && |
4984 | 0 | ss->ssl3.hs.zeroRttState == ssl_0rtt_ignored)); |
4985 | 0 | } |
4986 | | |
4987 | 0 | SECITEM_FreeItem(&oldAlpn, PR_FALSE); |
4988 | 0 | if (ss->ssl3.hs.kea_def->authKeyType == ssl_auth_psk) { |
4989 | 0 | TLS13_SET_HS_STATE(ss, wait_finished); |
4990 | 0 | } else { |
4991 | 0 | TLS13_SET_HS_STATE(ss, wait_cert_request); |
4992 | 0 | } |
4993 | | |
4994 | | /* Client is done with any PSKs */ |
4995 | 0 | tls13_DestroyPskList(&ss->ssl3.hs.psks); |
4996 | 0 | ss->xtnData.selectedPsk = NULL; |
4997 | |
|
4998 | 0 | return SECSuccess; |
4999 | 0 | } |
5000 | | |
5001 | | static SECStatus |
5002 | | tls13_SendEncryptedExtensions(sslSocket *ss) |
5003 | 739 | { |
5004 | 739 | sslBuffer extensions = SSL_BUFFER_EMPTY; |
5005 | 739 | SECStatus rv; |
5006 | | |
5007 | 739 | SSL_TRC(3, ("%d: TLS13[%d]: send encrypted extensions handshake", |
5008 | 739 | SSL_GETPID(), ss->fd)); |
5009 | | |
5010 | 739 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
5011 | 739 | PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
5012 | | |
5013 | 739 | rv = ssl_ConstructExtensions(ss, &extensions, ssl_hs_encrypted_extensions); |
5014 | 739 | if (rv != SECSuccess) { |
5015 | 0 | return SECFailure; |
5016 | 0 | } |
5017 | | |
5018 | 739 | rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_encrypted_extensions, |
5019 | 739 | SSL_BUFFER_LEN(&extensions) + 2); |
5020 | 739 | if (rv != SECSuccess) { |
5021 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
5022 | 0 | goto loser; |
5023 | 0 | } |
5024 | 739 | rv = ssl3_AppendBufferToHandshakeVariable(ss, &extensions, 2); |
5025 | 739 | if (rv != SECSuccess) { |
5026 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
5027 | 0 | goto loser; |
5028 | 0 | } |
5029 | 739 | sslBuffer_Clear(&extensions); |
5030 | 739 | return SECSuccess; |
5031 | | |
5032 | 0 | loser: |
5033 | 0 | sslBuffer_Clear(&extensions); |
5034 | 0 | return SECFailure; |
5035 | 739 | } |
5036 | | |
5037 | | SECStatus |
5038 | | tls13_SendCertificateVerify(sslSocket *ss, SECKEYPrivateKey *privKey) |
5039 | 739 | { |
5040 | 739 | SECStatus rv = SECFailure; |
5041 | 739 | SECItem buf = { siBuffer, NULL, 0 }; |
5042 | 739 | unsigned int len; |
5043 | 739 | SSLHashType hashAlg; |
5044 | 739 | SSL3Hashes hash; |
5045 | 739 | SSL3Hashes tbsHash; /* The hash "to be signed". */ |
5046 | | |
5047 | 739 | PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
5048 | 739 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
5049 | | |
5050 | 739 | SSL_TRC(3, ("%d: TLS13[%d]: send certificate_verify handshake", |
5051 | 739 | SSL_GETPID(), ss->fd)); |
5052 | | |
5053 | 739 | PORT_Assert(ss->ssl3.hs.hashType == handshake_hash_single); |
5054 | 739 | rv = tls13_ComputeHandshakeHashes(ss, &hash); |
5055 | 739 | if (rv != SECSuccess) { |
5056 | 0 | return SECFailure; |
5057 | 0 | } |
5058 | | |
5059 | | /* We should have picked a signature scheme when we received a |
5060 | | * CertificateRequest, or when we picked a server certificate. */ |
5061 | 739 | PORT_Assert(ss->ssl3.hs.signatureScheme != ssl_sig_none); |
5062 | 739 | if (ss->ssl3.hs.signatureScheme == ssl_sig_none) { |
5063 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
5064 | 0 | return SECFailure; |
5065 | 0 | } |
5066 | 739 | hashAlg = ssl_SignatureSchemeToHashType(ss->ssl3.hs.signatureScheme); |
5067 | 739 | rv = tls13_AddContextToHashes(ss, &hash, hashAlg, |
5068 | 739 | PR_TRUE, &tbsHash); |
5069 | 739 | if (rv != SECSuccess) { |
5070 | 0 | return SECFailure; |
5071 | 0 | } |
5072 | | |
5073 | 739 | rv = ssl3_SignHashes(ss, &tbsHash, privKey, &buf); |
5074 | 739 | if (rv == SECSuccess && !ss->sec.isServer) { |
5075 | | /* Remember the info about the slot that did the signing. |
5076 | | * Later, when doing an SSL restart handshake, verify this. |
5077 | | * These calls are mere accessors, and can't fail. |
5078 | | */ |
5079 | 0 | PK11SlotInfo *slot; |
5080 | 0 | sslSessionID *sid = ss->sec.ci.sid; |
5081 | |
|
5082 | 0 | slot = PK11_GetSlotFromPrivateKey(privKey); |
5083 | 0 | sid->u.ssl3.clAuthSeries = PK11_GetSlotSeries(slot); |
5084 | 0 | sid->u.ssl3.clAuthSlotID = PK11_GetSlotID(slot); |
5085 | 0 | sid->u.ssl3.clAuthModuleID = PK11_GetModuleID(slot); |
5086 | 0 | sid->u.ssl3.clAuthValid = PR_TRUE; |
5087 | 0 | PK11_FreeSlot(slot); |
5088 | 0 | } |
5089 | 739 | if (rv != SECSuccess) { |
5090 | 0 | goto done; /* err code was set by ssl3_SignHashes */ |
5091 | 0 | } |
5092 | | |
5093 | 739 | len = buf.len + 2 + 2; |
5094 | | |
5095 | 739 | rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_certificate_verify, len); |
5096 | 739 | if (rv != SECSuccess) { |
5097 | 0 | goto done; /* error code set by AppendHandshake */ |
5098 | 0 | } |
5099 | | |
5100 | 739 | rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.signatureScheme, 2); |
5101 | 739 | if (rv != SECSuccess) { |
5102 | 0 | goto done; /* err set by AppendHandshakeNumber */ |
5103 | 0 | } |
5104 | | |
5105 | 739 | rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2); |
5106 | 739 | if (rv != SECSuccess) { |
5107 | 0 | goto done; /* error code set by AppendHandshake */ |
5108 | 0 | } |
5109 | | |
5110 | 739 | done: |
5111 | | /* For parity with the allocation functions, which don't use |
5112 | | * SECITEM_AllocItem(). */ |
5113 | 739 | if (buf.data) |
5114 | 739 | PORT_Free(buf.data); |
5115 | 739 | return rv; |
5116 | 739 | } |
5117 | | |
5118 | | /* Called from tls13_CompleteHandleHandshakeMessage() when it has deciphered a complete |
5119 | | * tls13 CertificateVerify message |
5120 | | * Caller must hold Handshake and RecvBuf locks. |
5121 | | */ |
5122 | | SECStatus |
5123 | | tls13_HandleCertificateVerify(sslSocket *ss, PRUint8 *b, PRUint32 length) |
5124 | 4 | { |
5125 | 4 | sslDelegatedCredential *dc = ss->xtnData.peerDelegCred; |
5126 | 4 | CERTSubjectPublicKeyInfo *spki; |
5127 | 4 | SECKEYPublicKey *pubKey = NULL; |
5128 | 4 | SECItem signed_hash = { siBuffer, NULL, 0 }; |
5129 | 4 | SECStatus rv; |
5130 | 4 | SSLSignatureScheme sigScheme; |
5131 | 4 | SSLHashType hashAlg; |
5132 | 4 | SSL3Hashes tbsHash; |
5133 | 4 | SSL3Hashes hashes; |
5134 | | |
5135 | 4 | SSL_TRC(3, ("%d: TLS13[%d]: handle certificate_verify handshake", |
5136 | 4 | SSL_GETPID(), ss->fd)); |
5137 | 4 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
5138 | 4 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
5139 | | |
5140 | 4 | rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY, |
5141 | 4 | wait_cert_verify); |
5142 | 4 | if (rv != SECSuccess) { |
5143 | 4 | return SECFailure; |
5144 | 4 | } |
5145 | | |
5146 | 0 | rv = tls13_ComputeHandshakeHashes(ss, &hashes); |
5147 | 0 | if (rv != SECSuccess) { |
5148 | 0 | return SECFailure; |
5149 | 0 | } |
5150 | | |
5151 | 0 | if (ss->firstHsDone) { |
5152 | 0 | rv = ssl_HashPostHandshakeMessage(ss, ssl_hs_certificate_verify, b, length); |
5153 | 0 | } else { |
5154 | 0 | rv = ssl_HashHandshakeMessage(ss, ssl_hs_certificate_verify, b, length); |
5155 | 0 | } |
5156 | 0 | if (rv != SECSuccess) { |
5157 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
5158 | 0 | return SECFailure; |
5159 | 0 | } |
5160 | | |
5161 | 0 | rv = ssl_ConsumeSignatureScheme(ss, &b, &length, &sigScheme); |
5162 | 0 | if (rv != SECSuccess) { |
5163 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERT_VERIFY, illegal_parameter); |
5164 | 0 | return SECFailure; |
5165 | 0 | } |
5166 | | |
5167 | | /* Set the |spki| used to verify the handshake. When verifying with a |
5168 | | * delegated credential (DC), this corresponds to the DC public key; |
5169 | | * otherwise it correspond to the public key of the peer's end-entity |
5170 | | * certificate. |
5171 | | */ |
5172 | 0 | if (tls13_IsVerifyingWithDelegatedCredential(ss)) { |
5173 | | /* DelegatedCredential.cred.expected_cert_verify_algorithm is expected |
5174 | | * to match CertificateVerify.scheme. |
5175 | | * DelegatedCredential.cred.expected_cert_verify_algorithm must also be |
5176 | | * the same as was reported in ssl3_AuthCertificate. |
5177 | | */ |
5178 | 0 | if (sigScheme != dc->expectedCertVerifyAlg || sigScheme != ss->sec.signatureScheme) { |
5179 | 0 | FATAL_ERROR(ss, SSL_ERROR_DC_CERT_VERIFY_ALG_MISMATCH, illegal_parameter); |
5180 | 0 | return SECFailure; |
5181 | 0 | } |
5182 | | |
5183 | | /* Verify the DC has three steps: (1) use the peer's end-entity |
5184 | | * certificate to verify DelegatedCredential.signature, (2) check that |
5185 | | * the certificate has the correct key usage, and (3) check that the DC |
5186 | | * hasn't expired. |
5187 | | */ |
5188 | 0 | rv = tls13_VerifyDelegatedCredential(ss, dc); |
5189 | 0 | if (rv != SECSuccess) { /* Calls FATAL_ERROR() */ |
5190 | 0 | return SECFailure; |
5191 | 0 | } |
5192 | | |
5193 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: Verifying with delegated credential", |
5194 | 0 | SSL_GETPID(), ss->fd)); |
5195 | 0 | spki = dc->spki; |
5196 | 0 | } else { |
5197 | 0 | spki = &ss->sec.peerCert->subjectPublicKeyInfo; |
5198 | 0 | } |
5199 | | |
5200 | 0 | rv = ssl_CheckSignatureSchemeConsistency(ss, sigScheme, spki); |
5201 | 0 | if (rv != SECSuccess) { |
5202 | | /* Error set already */ |
5203 | 0 | FATAL_ERROR(ss, PORT_GetError(), illegal_parameter); |
5204 | 0 | return SECFailure; |
5205 | 0 | } |
5206 | 0 | hashAlg = ssl_SignatureSchemeToHashType(sigScheme); |
5207 | |
|
5208 | 0 | rv = tls13_AddContextToHashes(ss, &hashes, hashAlg, PR_FALSE, &tbsHash); |
5209 | 0 | if (rv != SECSuccess) { |
5210 | 0 | FATAL_ERROR(ss, SSL_ERROR_DIGEST_FAILURE, internal_error); |
5211 | 0 | return SECFailure; |
5212 | 0 | } |
5213 | | |
5214 | 0 | rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length); |
5215 | 0 | if (rv != SECSuccess) { |
5216 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_CERT_VERIFY); |
5217 | 0 | return SECFailure; |
5218 | 0 | } |
5219 | | |
5220 | 0 | if (length != 0) { |
5221 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERT_VERIFY, decode_error); |
5222 | 0 | return SECFailure; |
5223 | 0 | } |
5224 | | |
5225 | 0 | pubKey = SECKEY_ExtractPublicKey(spki); |
5226 | 0 | if (pubKey == NULL) { |
5227 | 0 | ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); |
5228 | 0 | return SECFailure; |
5229 | 0 | } |
5230 | | |
5231 | 0 | rv = ssl_VerifySignedHashesWithPubKey(ss, pubKey, sigScheme, |
5232 | 0 | &tbsHash, &signed_hash); |
5233 | 0 | if (rv != SECSuccess) { |
5234 | 0 | FATAL_ERROR(ss, PORT_GetError(), decrypt_error); |
5235 | 0 | goto loser; |
5236 | 0 | } |
5237 | | |
5238 | | /* Set the auth type and verify it is what we captured in ssl3_AuthCertificate */ |
5239 | 0 | if (!ss->sec.isServer) { |
5240 | 0 | ss->sec.authType = ssl_SignatureSchemeToAuthType(sigScheme); |
5241 | |
|
5242 | 0 | uint32_t prelimAuthKeyBits = ss->sec.authKeyBits; |
5243 | 0 | rv = ssl_SetAuthKeyBits(ss, pubKey); |
5244 | 0 | if (rv != SECSuccess) { |
5245 | 0 | goto loser; /* Alert sent and code set. */ |
5246 | 0 | } |
5247 | | |
5248 | 0 | if (prelimAuthKeyBits != ss->sec.authKeyBits) { |
5249 | 0 | FATAL_ERROR(ss, SSL_ERROR_DC_CERT_VERIFY_ALG_MISMATCH, illegal_parameter); |
5250 | 0 | goto loser; |
5251 | 0 | } |
5252 | 0 | } |
5253 | | |
5254 | | /* Request a client certificate now if one was requested. */ |
5255 | 0 | if (ss->ssl3.hs.clientCertRequested) { |
5256 | 0 | PORT_Assert(!ss->sec.isServer); |
5257 | 0 | rv = ssl3_BeginHandleCertificateRequest( |
5258 | 0 | ss, ss->xtnData.sigSchemes, ss->xtnData.numSigSchemes, |
5259 | 0 | &ss->xtnData.certReqAuthorities); |
5260 | 0 | if (rv != SECSuccess) { |
5261 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
5262 | 0 | goto loser; |
5263 | 0 | } |
5264 | 0 | } |
5265 | | |
5266 | 0 | SECKEY_DestroyPublicKey(pubKey); |
5267 | 0 | TLS13_SET_HS_STATE(ss, wait_finished); |
5268 | 0 | return SECSuccess; |
5269 | | |
5270 | 0 | loser: |
5271 | 0 | SECKEY_DestroyPublicKey(pubKey); |
5272 | 0 | return SECFailure; |
5273 | 0 | } |
5274 | | |
5275 | | /* Compute the PSK binder hash over: |
5276 | | * Client HRR prefix, if present in ss->ssl3.hs.messages or ss->ssl3.hs.echInnerMessages, |
5277 | | * |len| bytes of |buf| */ |
5278 | | static SECStatus |
5279 | | tls13_ComputePskBinderHash(sslSocket *ss, PRUint8 *b, size_t length, |
5280 | | SSL3Hashes *hashes, SSLHashType hashType) |
5281 | 0 | { |
5282 | 0 | SECStatus rv; |
5283 | 0 | PK11Context *ctx = NULL; |
5284 | 0 | sslBuffer *clientResidual = NULL; |
5285 | 0 | if (!ss->sec.isServer) { |
5286 | | /* On the server, HRR residual is already buffered. */ |
5287 | 0 | clientResidual = ss->ssl3.hs.echHpkeCtx ? &ss->ssl3.hs.echInnerMessages : &ss->ssl3.hs.messages; |
5288 | 0 | } |
5289 | 0 | PORT_Assert(ss->ssl3.hs.hashType == handshake_hash_unknown); |
5290 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
5291 | |
|
5292 | 0 | PRINT_BUF(10, (NULL, "Binder computed over ClientHello", |
5293 | 0 | b, length)); |
5294 | |
|
5295 | 0 | ctx = PK11_CreateDigestContext(ssl3_HashTypeToOID(hashType)); |
5296 | 0 | if (!ctx) { |
5297 | 0 | goto loser; |
5298 | 0 | } |
5299 | 0 | rv = PK11_DigestBegin(ctx); |
5300 | 0 | if (rv != SECSuccess) { |
5301 | 0 | ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
5302 | 0 | goto loser; |
5303 | 0 | } |
5304 | | |
5305 | 0 | if (clientResidual && clientResidual->len) { |
5306 | 0 | PRINT_BUF(10, (NULL, " with HRR prefix", clientResidual->buf, |
5307 | 0 | clientResidual->len)); |
5308 | 0 | rv = PK11_DigestOp(ctx, clientResidual->buf, clientResidual->len); |
5309 | 0 | if (rv != SECSuccess) { |
5310 | 0 | ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
5311 | 0 | goto loser; |
5312 | 0 | } |
5313 | 0 | } |
5314 | | |
5315 | 0 | if (IS_DTLS(ss) && !ss->sec.isServer) { |
5316 | | /* Removing the unnecessary header fields. |
5317 | | * See ssl3_AppendHandshakeHeader.*/ |
5318 | 0 | PORT_Assert(length >= 12); |
5319 | 0 | rv = PK11_DigestOp(ctx, b, 4); |
5320 | 0 | if (rv != SECSuccess) { |
5321 | 0 | ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
5322 | 0 | goto loser; |
5323 | 0 | } |
5324 | 0 | rv = PK11_DigestOp(ctx, b + 12, length - 12); |
5325 | 0 | } else { |
5326 | 0 | rv = PK11_DigestOp(ctx, b, length); |
5327 | 0 | } |
5328 | 0 | if (rv != SECSuccess) { |
5329 | 0 | ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
5330 | 0 | goto loser; |
5331 | 0 | } |
5332 | 0 | rv = PK11_DigestFinal(ctx, hashes->u.raw, &hashes->len, sizeof(hashes->u.raw)); |
5333 | 0 | if (rv != SECSuccess) { |
5334 | 0 | ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
5335 | 0 | goto loser; |
5336 | 0 | } |
5337 | | |
5338 | 0 | PK11_DestroyContext(ctx, PR_TRUE); |
5339 | 0 | PRINT_BUF(10, (NULL, "PSK Binder hash", hashes->u.raw, hashes->len)); |
5340 | 0 | return SECSuccess; |
5341 | | |
5342 | 0 | loser: |
5343 | 0 | if (ctx) { |
5344 | 0 | PK11_DestroyContext(ctx, PR_TRUE); |
5345 | 0 | } |
5346 | 0 | return SECFailure; |
5347 | 0 | } |
5348 | | |
5349 | | /* Compute and inject the PSK Binder for sending. |
5350 | | * |
5351 | | * When sending a ClientHello, we construct all the extensions with a dummy |
5352 | | * value for the binder. To construct the binder, we commit the entire message |
5353 | | * up to the point where the binders start. Then we calculate the hash using |
5354 | | * the saved message (in ss->ssl3.hs.messages). This is written over the dummy |
5355 | | * binder, after which we write the remainder of the binder extension. */ |
5356 | | SECStatus |
5357 | | tls13_WriteExtensionsWithBinder(sslSocket *ss, sslBuffer *extensions, sslBuffer *chBuf) |
5358 | 0 | { |
5359 | 0 | SSL3Hashes hashes; |
5360 | 0 | SECStatus rv; |
5361 | |
|
5362 | 0 | PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks)); |
5363 | 0 | sslPsk *psk = (sslPsk *)PR_LIST_HEAD(&ss->ssl3.hs.psks); |
5364 | 0 | unsigned int size = tls13_GetHashSizeForHash(psk->hash); |
5365 | 0 | unsigned int prefixLen = extensions->len - size - 3; |
5366 | 0 | unsigned int finishedLen; |
5367 | |
|
5368 | 0 | PORT_Assert(extensions->len >= size + 3); |
5369 | |
|
5370 | 0 | rv = sslBuffer_AppendNumber(chBuf, extensions->len, 2); |
5371 | 0 | if (rv != SECSuccess) { |
5372 | 0 | return SECFailure; |
5373 | 0 | } |
5374 | | |
5375 | | /* Only write the extension up to the point before the binders. Assume that |
5376 | | * the pre_shared_key extension is at the end of the buffer. Don't write |
5377 | | * the binder, or the lengths that precede it (a 2 octet length for the list |
5378 | | * of all binders, plus a 1 octet length for the binder length). */ |
5379 | 0 | rv = sslBuffer_Append(chBuf, extensions->buf, prefixLen); |
5380 | 0 | if (rv != SECSuccess) { |
5381 | 0 | return SECFailure; |
5382 | 0 | } |
5383 | | |
5384 | | /* Calculate the binder based on what has been written out. */ |
5385 | 0 | rv = tls13_ComputePskBinderHash(ss, chBuf->buf, chBuf->len, &hashes, psk->hash); |
5386 | 0 | if (rv != SECSuccess) { |
5387 | 0 | return SECFailure; |
5388 | 0 | } |
5389 | | |
5390 | | /* Write the binder into the extensions buffer, over the zeros we reserved |
5391 | | * previously. This avoids an allocation and means that we don't need a |
5392 | | * separate write for the extra bits that precede the binder. */ |
5393 | 0 | PORT_Assert(psk->binderKey); |
5394 | 0 | rv = tls13_ComputeFinished(ss, psk->binderKey, |
5395 | 0 | psk->hash, &hashes, PR_TRUE, |
5396 | 0 | extensions->buf + extensions->len - size, |
5397 | 0 | &finishedLen, size); |
5398 | 0 | if (rv != SECSuccess) { |
5399 | 0 | return SECFailure; |
5400 | 0 | } |
5401 | 0 | PORT_Assert(finishedLen == size); |
5402 | | |
5403 | | /* Write out the remainder of the extension. */ |
5404 | 0 | rv = sslBuffer_Append(chBuf, extensions->buf + prefixLen, |
5405 | 0 | extensions->len - prefixLen); |
5406 | 0 | if (rv != SECSuccess) { |
5407 | 0 | return SECFailure; |
5408 | 0 | } |
5409 | | |
5410 | 0 | return SECSuccess; |
5411 | 0 | } |
5412 | | |
5413 | | static SECStatus |
5414 | | tls13_ComputeFinished(sslSocket *ss, PK11SymKey *baseKey, |
5415 | | SSLHashType hashType, const SSL3Hashes *hashes, |
5416 | | PRBool sending, PRUint8 *output, unsigned int *outputLen, |
5417 | | unsigned int maxOutputLen) |
5418 | 743 | { |
5419 | 743 | SECStatus rv; |
5420 | 743 | PK11Context *hmacCtx = NULL; |
5421 | 743 | CK_MECHANISM_TYPE macAlg = tls13_GetHmacMechanismFromHash(hashType); |
5422 | 743 | SECItem param = { siBuffer, NULL, 0 }; |
5423 | 743 | unsigned int outputLenUint; |
5424 | 743 | const char *label = kHkdfLabelFinishedSecret; |
5425 | 743 | PK11SymKey *secret = NULL; |
5426 | | |
5427 | 743 | PORT_Assert(baseKey); |
5428 | 743 | SSL_TRC(3, ("%d: TLS13[%d]: %s calculate finished", |
5429 | 743 | SSL_GETPID(), ss->fd, SSL_ROLE(ss))); |
5430 | 743 | PRINT_BUF(50, (ss, "Handshake hash", hashes->u.raw, hashes->len)); |
5431 | | |
5432 | | /* Now derive the appropriate finished secret from the base secret. */ |
5433 | 743 | rv = tls13_HkdfExpandLabel(baseKey, hashType, |
5434 | 743 | NULL, 0, label, strlen(label), |
5435 | 743 | tls13_GetHmacMechanismFromHash(hashType), |
5436 | 743 | tls13_GetHashSizeForHash(hashType), |
5437 | 743 | ss->protocolVariant, &secret); |
5438 | 743 | if (rv != SECSuccess) { |
5439 | 0 | goto abort; |
5440 | 0 | } |
5441 | | |
5442 | 743 | PORT_Assert(hashes->len == tls13_GetHashSizeForHash(hashType)); |
5443 | 743 | hmacCtx = PK11_CreateContextBySymKey(macAlg, CKA_SIGN, |
5444 | 743 | secret, ¶m); |
5445 | 743 | if (!hmacCtx) { |
5446 | 0 | goto abort; |
5447 | 0 | } |
5448 | | |
5449 | 743 | rv = PK11_DigestBegin(hmacCtx); |
5450 | 743 | if (rv != SECSuccess) |
5451 | 0 | goto abort; |
5452 | | |
5453 | 743 | rv = PK11_DigestOp(hmacCtx, hashes->u.raw, hashes->len); |
5454 | 743 | if (rv != SECSuccess) |
5455 | 0 | goto abort; |
5456 | | |
5457 | 743 | PORT_Assert(maxOutputLen >= tls13_GetHashSizeForHash(hashType)); |
5458 | 743 | rv = PK11_DigestFinal(hmacCtx, output, &outputLenUint, maxOutputLen); |
5459 | 743 | if (rv != SECSuccess) |
5460 | 0 | goto abort; |
5461 | 743 | *outputLen = outputLenUint; |
5462 | | |
5463 | 743 | PK11_FreeSymKey(secret); |
5464 | 743 | PK11_DestroyContext(hmacCtx, PR_TRUE); |
5465 | 743 | PRINT_BUF(50, (ss, "finished value", output, outputLenUint)); |
5466 | 743 | return SECSuccess; |
5467 | | |
5468 | 0 | abort: |
5469 | 0 | if (secret) { |
5470 | 0 | PK11_FreeSymKey(secret); |
5471 | 0 | } |
5472 | |
|
5473 | 0 | if (hmacCtx) { |
5474 | 0 | PK11_DestroyContext(hmacCtx, PR_TRUE); |
5475 | 0 | } |
5476 | |
|
5477 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
5478 | 0 | return SECFailure; |
5479 | 743 | } |
5480 | | |
5481 | | static SECStatus |
5482 | | tls13_SendFinished(sslSocket *ss, PK11SymKey *baseKey) |
5483 | 739 | { |
5484 | 739 | SECStatus rv; |
5485 | 739 | PRUint8 finishedBuf[TLS13_MAX_FINISHED_SIZE]; |
5486 | 739 | unsigned int finishedLen; |
5487 | 739 | SSL3Hashes hashes; |
5488 | | |
5489 | 739 | SSL_TRC(3, ("%d: TLS13[%d]: send finished handshake", SSL_GETPID(), ss->fd)); |
5490 | | |
5491 | 739 | PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
5492 | 739 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
5493 | | |
5494 | 739 | rv = tls13_ComputeHandshakeHashes(ss, &hashes); |
5495 | 739 | if (rv != SECSuccess) { |
5496 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
5497 | 0 | return SECFailure; |
5498 | 0 | } |
5499 | | |
5500 | 739 | ssl_GetSpecReadLock(ss); |
5501 | 739 | rv = tls13_ComputeFinished(ss, baseKey, tls13_GetHash(ss), &hashes, PR_TRUE, |
5502 | 739 | finishedBuf, &finishedLen, sizeof(finishedBuf)); |
5503 | 739 | ssl_ReleaseSpecReadLock(ss); |
5504 | 739 | if (rv != SECSuccess) { |
5505 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
5506 | 0 | return SECFailure; |
5507 | 0 | } |
5508 | | |
5509 | 739 | rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_finished, finishedLen); |
5510 | 739 | if (rv != SECSuccess) { |
5511 | 0 | return SECFailure; /* Error code already set. */ |
5512 | 0 | } |
5513 | | |
5514 | 739 | rv = ssl3_AppendHandshake(ss, finishedBuf, finishedLen); |
5515 | 739 | if (rv != SECSuccess) { |
5516 | 0 | return SECFailure; /* Error code already set. */ |
5517 | 0 | } |
5518 | | |
5519 | | /* TODO(ekr@rtfm.com): Record key log */ |
5520 | 739 | return SECSuccess; |
5521 | 739 | } |
5522 | | |
5523 | | static SECStatus |
5524 | | tls13_VerifyFinished(sslSocket *ss, SSLHandshakeType message, |
5525 | | PK11SymKey *secret, |
5526 | | PRUint8 *b, PRUint32 length, |
5527 | | const SSL3Hashes *hashes) |
5528 | 4 | { |
5529 | 4 | SECStatus rv; |
5530 | 4 | PRUint8 finishedBuf[TLS13_MAX_FINISHED_SIZE]; |
5531 | 4 | unsigned int finishedLen; |
5532 | | |
5533 | 4 | if (!hashes) { |
5534 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
5535 | 0 | return SECFailure; |
5536 | 0 | } |
5537 | | |
5538 | 4 | rv = tls13_ComputeFinished(ss, secret, tls13_GetHash(ss), hashes, PR_FALSE, |
5539 | 4 | finishedBuf, &finishedLen, sizeof(finishedBuf)); |
5540 | 4 | if (rv != SECSuccess) { |
5541 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
5542 | 0 | return SECFailure; |
5543 | 0 | } |
5544 | | |
5545 | 4 | if (length != finishedLen) { |
5546 | | #ifndef UNSAFE_FUZZER_MODE |
5547 | | FATAL_ERROR(ss, message == ssl_hs_finished ? SSL_ERROR_RX_MALFORMED_FINISHED : SSL_ERROR_RX_MALFORMED_CLIENT_HELLO, illegal_parameter); |
5548 | | return SECFailure; |
5549 | | #endif |
5550 | 4 | } |
5551 | | |
5552 | 4 | if (NSS_SecureMemcmp(b, finishedBuf, finishedLen) != 0) { |
5553 | | #ifndef UNSAFE_FUZZER_MODE |
5554 | | FATAL_ERROR(ss, SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE, |
5555 | | decrypt_error); |
5556 | | return SECFailure; |
5557 | | #endif |
5558 | 4 | } |
5559 | | |
5560 | 4 | return SECSuccess; |
5561 | 4 | } |
5562 | | |
5563 | | static SECStatus |
5564 | | tls13_CommonHandleFinished(sslSocket *ss, PK11SymKey *key, |
5565 | | PRUint8 *b, PRUint32 length) |
5566 | 283 | { |
5567 | 283 | SECStatus rv; |
5568 | 283 | SSL3Hashes hashes; |
5569 | | |
5570 | 283 | rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_FINISHED, |
5571 | 283 | wait_finished); |
5572 | 283 | if (rv != SECSuccess) { |
5573 | 279 | return SECFailure; |
5574 | 279 | } |
5575 | 4 | ss->ssl3.hs.endOfFlight = PR_TRUE; |
5576 | | |
5577 | 4 | rv = tls13_ComputeHandshakeHashes(ss, &hashes); |
5578 | 4 | if (rv != SECSuccess) { |
5579 | 0 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); |
5580 | 0 | return SECFailure; |
5581 | 0 | } |
5582 | | |
5583 | 4 | if (ss->firstHsDone) { |
5584 | 0 | rv = ssl_HashPostHandshakeMessage(ss, ssl_hs_finished, b, length); |
5585 | 4 | } else { |
5586 | 4 | rv = ssl_HashHandshakeMessage(ss, ssl_hs_finished, b, length); |
5587 | 4 | } |
5588 | 4 | if (rv != SECSuccess) { |
5589 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
5590 | 0 | return SECFailure; |
5591 | 0 | } |
5592 | | |
5593 | 4 | return tls13_VerifyFinished(ss, ssl_hs_finished, |
5594 | 4 | key, b, length, &hashes); |
5595 | 4 | } |
5596 | | |
5597 | | static SECStatus |
5598 | | tls13_ClientHandleFinished(sslSocket *ss, PRUint8 *b, PRUint32 length) |
5599 | 2 | { |
5600 | 2 | SECStatus rv; |
5601 | | |
5602 | 2 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
5603 | 2 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
5604 | | |
5605 | 2 | SSL_TRC(3, ("%d: TLS13[%d]: client handle finished handshake", |
5606 | 2 | SSL_GETPID(), ss->fd)); |
5607 | | |
5608 | 2 | rv = tls13_CommonHandleFinished(ss, ss->ssl3.hs.serverHsTrafficSecret, |
5609 | 2 | b, length); |
5610 | 2 | if (rv != SECSuccess) { |
5611 | 2 | return SECFailure; |
5612 | 2 | } |
5613 | | |
5614 | 0 | return tls13_SendClientSecondRound(ss); |
5615 | 2 | } |
5616 | | |
5617 | | static SECStatus |
5618 | | tls13_ServerHandleFinished(sslSocket *ss, PRUint8 *b, PRUint32 length) |
5619 | 281 | { |
5620 | 281 | SECStatus rv; |
5621 | | |
5622 | 281 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
5623 | 281 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
5624 | | |
5625 | 281 | SSL_TRC(3, ("%d: TLS13[%d]: server handle finished handshake", |
5626 | 281 | SSL_GETPID(), ss->fd)); |
5627 | | |
5628 | 281 | if (!tls13_ShouldRequestClientAuth(ss)) { |
5629 | | /* Receiving this message might be the first sign we have that |
5630 | | * early data is over, so pretend we received EOED. */ |
5631 | 5 | rv = tls13_MaybeHandleSuppressedEndOfEarlyData(ss); |
5632 | 5 | if (rv != SECSuccess) { |
5633 | 0 | return SECFailure; /* Code already set. */ |
5634 | 0 | } |
5635 | | |
5636 | 5 | if (!tls13_IsPostHandshake(ss)) { |
5637 | | /* Finalize the RTT estimate. */ |
5638 | 5 | ss->ssl3.hs.rttEstimate = ssl_Time(ss) - ss->ssl3.hs.rttEstimate; |
5639 | 5 | } |
5640 | 5 | } |
5641 | | |
5642 | 281 | rv = tls13_CommonHandleFinished(ss, |
5643 | 281 | ss->firstHsDone ? ss->ssl3.hs.clientTrafficSecret : ss->ssl3.hs.clientHsTrafficSecret, |
5644 | 281 | b, length); |
5645 | 281 | if (rv != SECSuccess) { |
5646 | 277 | return SECFailure; |
5647 | 277 | } |
5648 | | |
5649 | 4 | if (ss->firstHsDone) { |
5650 | 0 | TLS13_SET_HS_STATE(ss, idle_handshake); |
5651 | |
|
5652 | 0 | PORT_Assert(ss->ssl3.hs.shaPostHandshake != NULL); |
5653 | 0 | PK11_DestroyContext(ss->ssl3.hs.shaPostHandshake, PR_TRUE); |
5654 | 0 | ss->ssl3.hs.shaPostHandshake = NULL; |
5655 | |
|
5656 | 0 | ss->ssl3.clientCertRequested = PR_FALSE; |
5657 | |
|
5658 | 0 | if (ss->ssl3.hs.keyUpdateDeferred) { |
5659 | 0 | rv = tls13_SendKeyUpdate(ss, ss->ssl3.hs.deferredKeyUpdateRequest, |
5660 | 0 | PR_FALSE); |
5661 | 0 | if (rv != SECSuccess) { |
5662 | 0 | return SECFailure; /* error is set. */ |
5663 | 0 | } |
5664 | 0 | ss->ssl3.hs.keyUpdateDeferred = PR_FALSE; |
5665 | 0 | } |
5666 | | |
5667 | 0 | return SECSuccess; |
5668 | 0 | } |
5669 | | |
5670 | 4 | if (!tls13_ShouldRequestClientAuth(ss) && |
5671 | 4 | (ss->ssl3.hs.zeroRttState != ssl_0rtt_done)) { |
5672 | 4 | dtls_ReceivedFirstMessageInFlight(ss); |
5673 | 4 | } |
5674 | | |
5675 | 4 | rv = tls13_SetCipherSpec(ss, TrafficKeyApplicationData, |
5676 | 4 | ssl_secret_read, PR_FALSE); |
5677 | 4 | if (rv != SECSuccess) { |
5678 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
5679 | 0 | return SECFailure; |
5680 | 0 | } |
5681 | | |
5682 | 4 | if (IS_DTLS(ss)) { |
5683 | 0 | ssl_CipherSpecReleaseByEpoch(ss, ssl_secret_read, TrafficKeyClearText); |
5684 | | /* We need to keep the handshake cipher spec so we can |
5685 | | * read re-transmitted client Finished. */ |
5686 | 0 | rv = dtls_StartTimer(ss, ss->ssl3.hs.hdTimer, |
5687 | 0 | DTLS_RETRANSMIT_FINISHED_MS, |
5688 | 0 | dtls13_HolddownTimerCb); |
5689 | 0 | if (rv != SECSuccess) { |
5690 | 0 | return SECFailure; |
5691 | 0 | } |
5692 | 0 | } |
5693 | | |
5694 | 4 | rv = tls13_ComputeFinalSecrets(ss); |
5695 | 4 | if (rv != SECSuccess) { |
5696 | 0 | return SECFailure; |
5697 | 0 | } |
5698 | | |
5699 | 4 | rv = tls13_FinishHandshake(ss); |
5700 | 4 | if (rv != SECSuccess) { |
5701 | 0 | return SECFailure; |
5702 | 0 | } |
5703 | | |
5704 | 4 | ssl_GetXmitBufLock(ss); |
5705 | | /* If resumption, authType is the original value and not ssl_auth_psk. */ |
5706 | 4 | if (ss->opt.enableSessionTickets && ss->sec.authType != ssl_auth_psk) { |
5707 | 0 | rv = tls13_SendNewSessionTicket(ss, NULL, 0); |
5708 | 0 | if (rv != SECSuccess) { |
5709 | 0 | goto loser; |
5710 | 0 | } |
5711 | 0 | rv = ssl3_FlushHandshake(ss, 0); |
5712 | 0 | if (rv != SECSuccess) { |
5713 | 0 | goto loser; |
5714 | 0 | } |
5715 | 0 | } |
5716 | 4 | ssl_ReleaseXmitBufLock(ss); |
5717 | 4 | return SECSuccess; |
5718 | | |
5719 | 0 | loser: |
5720 | 0 | ssl_ReleaseXmitBufLock(ss); |
5721 | 0 | return SECFailure; |
5722 | 4 | } |
5723 | | |
5724 | | static SECStatus |
5725 | | tls13_FinishHandshake(sslSocket *ss) |
5726 | 4 | { |
5727 | 4 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
5728 | 4 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
5729 | 4 | PORT_Assert(ss->ssl3.hs.restartTarget == NULL); |
5730 | | |
5731 | | /* The first handshake is now completed. */ |
5732 | 4 | ss->handshake = NULL; |
5733 | | |
5734 | | /* Don't need this. */ |
5735 | 4 | PK11_FreeSymKey(ss->ssl3.hs.clientHsTrafficSecret); |
5736 | 4 | ss->ssl3.hs.clientHsTrafficSecret = NULL; |
5737 | 4 | PK11_FreeSymKey(ss->ssl3.hs.serverHsTrafficSecret); |
5738 | 4 | ss->ssl3.hs.serverHsTrafficSecret = NULL; |
5739 | | |
5740 | 4 | TLS13_SET_HS_STATE(ss, idle_handshake); |
5741 | | |
5742 | 4 | return ssl_FinishHandshake(ss); |
5743 | 4 | } |
5744 | | |
5745 | | /* Do the parts of sending the client's second round that require |
5746 | | * the XmitBuf lock. */ |
5747 | | static SECStatus |
5748 | | tls13_SendClientSecondFlight(sslSocket *ss) |
5749 | 0 | { |
5750 | 0 | SECStatus rv; |
5751 | 0 | unsigned int offset = 0; |
5752 | |
|
5753 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
5754 | 0 | PORT_Assert(!ss->ssl3.hs.clientCertificatePending); |
5755 | |
|
5756 | 0 | PRBool sendClientCert = !ss->ssl3.sendEmptyCert && |
5757 | 0 | ss->ssl3.clientCertChain != NULL && |
5758 | 0 | ss->ssl3.clientPrivateKey != NULL; |
5759 | |
|
5760 | 0 | if (ss->firstHsDone) { |
5761 | 0 | offset = SSL_BUFFER_LEN(&ss->sec.ci.sendBuf); |
5762 | 0 | } |
5763 | |
|
5764 | 0 | if (ss->ssl3.sendEmptyCert) { |
5765 | 0 | ss->ssl3.sendEmptyCert = PR_FALSE; |
5766 | 0 | rv = ssl3_SendEmptyCertificate(ss); |
5767 | | /* Don't send verify */ |
5768 | 0 | if (rv != SECSuccess) { |
5769 | 0 | goto alert_error; /* error code is set. */ |
5770 | 0 | } |
5771 | 0 | } else if (sendClientCert) { |
5772 | 0 | rv = tls13_SendCertificate(ss); |
5773 | 0 | if (rv != SECSuccess) { |
5774 | 0 | goto alert_error; /* err code was set. */ |
5775 | 0 | } |
5776 | 0 | } |
5777 | | |
5778 | 0 | if (ss->firstHsDone) { |
5779 | 0 | rv = ssl3_UpdatePostHandshakeHashes(ss, |
5780 | 0 | SSL_BUFFER_BASE(&ss->sec.ci.sendBuf) + offset, |
5781 | 0 | SSL_BUFFER_LEN(&ss->sec.ci.sendBuf) - offset); |
5782 | 0 | if (rv != SECSuccess) { |
5783 | 0 | goto alert_error; /* err code was set. */ |
5784 | 0 | } |
5785 | 0 | } |
5786 | | |
5787 | 0 | if (ss->ssl3.hs.clientCertRequested) { |
5788 | 0 | SECITEM_FreeItem(&ss->xtnData.certReqContext, PR_FALSE); |
5789 | 0 | if (ss->xtnData.certReqAuthorities.arena) { |
5790 | 0 | PORT_FreeArena(ss->xtnData.certReqAuthorities.arena, PR_FALSE); |
5791 | 0 | ss->xtnData.certReqAuthorities.arena = NULL; |
5792 | 0 | } |
5793 | 0 | PORT_Memset(&ss->xtnData.certReqAuthorities, 0, |
5794 | 0 | sizeof(ss->xtnData.certReqAuthorities)); |
5795 | 0 | ss->ssl3.hs.clientCertRequested = PR_FALSE; |
5796 | 0 | } |
5797 | |
|
5798 | 0 | if (sendClientCert) { |
5799 | 0 | if (ss->firstHsDone) { |
5800 | 0 | offset = SSL_BUFFER_LEN(&ss->sec.ci.sendBuf); |
5801 | 0 | } |
5802 | |
|
5803 | 0 | rv = tls13_SendCertificateVerify(ss, ss->ssl3.clientPrivateKey); |
5804 | 0 | SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
5805 | 0 | ss->ssl3.clientPrivateKey = NULL; |
5806 | 0 | if (rv != SECSuccess) { |
5807 | 0 | goto alert_error; /* err code was set. */ |
5808 | 0 | } |
5809 | | |
5810 | 0 | if (ss->firstHsDone) { |
5811 | 0 | rv = ssl3_UpdatePostHandshakeHashes(ss, |
5812 | 0 | SSL_BUFFER_BASE(&ss->sec.ci.sendBuf) + offset, |
5813 | 0 | SSL_BUFFER_LEN(&ss->sec.ci.sendBuf) - offset); |
5814 | 0 | if (rv != SECSuccess) { |
5815 | 0 | goto alert_error; /* err code was set. */ |
5816 | 0 | } |
5817 | 0 | } |
5818 | 0 | } |
5819 | | |
5820 | 0 | rv = tls13_SendFinished(ss, ss->firstHsDone ? ss->ssl3.hs.clientTrafficSecret : ss->ssl3.hs.clientHsTrafficSecret); |
5821 | 0 | if (rv != SECSuccess) { |
5822 | 0 | goto alert_error; /* err code was set. */ |
5823 | 0 | } |
5824 | 0 | rv = ssl3_FlushHandshake(ss, 0); |
5825 | 0 | if (rv != SECSuccess) { |
5826 | | /* No point in sending an alert here because we're not going to |
5827 | | * be able to send it if we couldn't flush the handshake. */ |
5828 | 0 | goto error; |
5829 | 0 | } |
5830 | | |
5831 | 0 | return SECSuccess; |
5832 | | |
5833 | 0 | alert_error: |
5834 | 0 | FATAL_ERROR(ss, PORT_GetError(), internal_error); |
5835 | 0 | return SECFailure; |
5836 | 0 | error: |
5837 | 0 | LOG_ERROR(ss, PORT_GetError()); |
5838 | 0 | return SECFailure; |
5839 | 0 | } |
5840 | | |
5841 | | static SECStatus |
5842 | | tls13_SendClientSecondRound(sslSocket *ss) |
5843 | 0 | { |
5844 | 0 | SECStatus rv; |
5845 | |
|
5846 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
5847 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
5848 | | |
5849 | | /* Defer client authentication sending if we are still waiting for server |
5850 | | * authentication. This avoids unnecessary disclosure of client credentials |
5851 | | * to an unauthenticated server. |
5852 | | */ |
5853 | 0 | if (ss->ssl3.hs.restartTarget) { |
5854 | 0 | PR_NOT_REACHED("unexpected ss->ssl3.hs.restartTarget"); |
5855 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
5856 | 0 | return SECFailure; |
5857 | 0 | } |
5858 | 0 | if (ss->ssl3.hs.authCertificatePending || ss->ssl3.hs.clientCertificatePending) { |
5859 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: deferring tls13_SendClientSecondRound because" |
5860 | 0 | " certificate authentication is still pending.", |
5861 | 0 | SSL_GETPID(), ss->fd)); |
5862 | 0 | ss->ssl3.hs.restartTarget = tls13_SendClientSecondRound; |
5863 | 0 | PORT_SetError(PR_WOULD_BLOCK_ERROR); |
5864 | 0 | return SECFailure; |
5865 | 0 | } |
5866 | | |
5867 | 0 | rv = tls13_ComputeApplicationSecrets(ss); |
5868 | 0 | if (rv != SECSuccess) { |
5869 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
5870 | 0 | return SECFailure; |
5871 | 0 | } |
5872 | | |
5873 | 0 | if (ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted) { |
5874 | 0 | ssl_GetXmitBufLock(ss); /*******************************/ |
5875 | 0 | rv = tls13_SendEndOfEarlyData(ss); |
5876 | 0 | ssl_ReleaseXmitBufLock(ss); /*******************************/ |
5877 | 0 | if (rv != SECSuccess) { |
5878 | 0 | return SECFailure; /* Error code already set. */ |
5879 | 0 | } |
5880 | 0 | } else if (ss->opt.enableTls13CompatMode && !IS_DTLS(ss) && |
5881 | 0 | ss->ssl3.hs.zeroRttState == ssl_0rtt_none && |
5882 | 0 | !ss->ssl3.hs.helloRetry) { |
5883 | 0 | ssl_GetXmitBufLock(ss); /*******************************/ |
5884 | 0 | rv = ssl3_SendChangeCipherSpecsInt(ss); |
5885 | 0 | ssl_ReleaseXmitBufLock(ss); /*******************************/ |
5886 | 0 | if (rv != SECSuccess) { |
5887 | 0 | return rv; |
5888 | 0 | } |
5889 | 0 | } |
5890 | | |
5891 | 0 | rv = tls13_SetCipherSpec(ss, TrafficKeyHandshake, |
5892 | 0 | ssl_secret_write, PR_FALSE); |
5893 | 0 | if (rv != SECSuccess) { |
5894 | 0 | FATAL_ERROR(ss, SSL_ERROR_INIT_CIPHER_SUITE_FAILURE, internal_error); |
5895 | 0 | return SECFailure; |
5896 | 0 | } |
5897 | | |
5898 | 0 | rv = tls13_SetCipherSpec(ss, TrafficKeyApplicationData, |
5899 | 0 | ssl_secret_read, PR_FALSE); |
5900 | 0 | if (rv != SECSuccess) { |
5901 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
5902 | 0 | return SECFailure; |
5903 | 0 | } |
5904 | | |
5905 | 0 | ssl_GetXmitBufLock(ss); /*******************************/ |
5906 | | /* This call can't block, as clientAuthCertificatePending is checked above */ |
5907 | 0 | rv = tls13_SendClientSecondFlight(ss); |
5908 | 0 | ssl_ReleaseXmitBufLock(ss); /*******************************/ |
5909 | 0 | if (rv != SECSuccess) { |
5910 | 0 | return SECFailure; |
5911 | 0 | } |
5912 | 0 | rv = tls13_SetCipherSpec(ss, TrafficKeyApplicationData, |
5913 | 0 | ssl_secret_write, PR_FALSE); |
5914 | 0 | if (rv != SECSuccess) { |
5915 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
5916 | 0 | return SECFailure; |
5917 | 0 | } |
5918 | | |
5919 | 0 | rv = tls13_ComputeFinalSecrets(ss); |
5920 | 0 | if (rv != SECSuccess) { |
5921 | 0 | return SECFailure; |
5922 | 0 | } |
5923 | | |
5924 | | /* The handshake is now finished */ |
5925 | 0 | return tls13_FinishHandshake(ss); |
5926 | 0 | } |
5927 | | |
5928 | | /* |
5929 | | * enum { (65535) } TicketExtensionType; |
5930 | | * |
5931 | | * struct { |
5932 | | * TicketExtensionType extension_type; |
5933 | | * opaque extension_data<0..2^16-1>; |
5934 | | * } TicketExtension; |
5935 | | * |
5936 | | * struct { |
5937 | | * uint32 ticket_lifetime; |
5938 | | * uint32 ticket_age_add; |
5939 | | * opaque ticket_nonce<1..255>; |
5940 | | * opaque ticket<1..2^16-1>; |
5941 | | * TicketExtension extensions<0..2^16-2>; |
5942 | | * } NewSessionTicket; |
5943 | | */ |
5944 | | |
5945 | | static SECStatus |
5946 | | tls13_SendNewSessionTicket(sslSocket *ss, const PRUint8 *appToken, |
5947 | | unsigned int appTokenLen) |
5948 | 0 | { |
5949 | 0 | PRUint16 message_length; |
5950 | 0 | PK11SymKey *secret; |
5951 | 0 | SECItem ticket_data = { 0, NULL, 0 }; |
5952 | 0 | SECStatus rv; |
5953 | 0 | NewSessionTicket ticket = { 0 }; |
5954 | 0 | PRUint32 max_early_data_size_len = 0; |
5955 | 0 | PRUint32 greaseLen = 0; |
5956 | 0 | PRUint8 ticketNonce[sizeof(ss->ssl3.hs.ticketNonce)]; |
5957 | 0 | sslBuffer ticketNonceBuf = SSL_BUFFER(ticketNonce); |
5958 | |
|
5959 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: send new session ticket message %d", |
5960 | 0 | SSL_GETPID(), ss->fd, ss->ssl3.hs.ticketNonce)); |
5961 | |
|
5962 | 0 | ticket.flags = 0; |
5963 | 0 | if (ss->opt.enable0RttData) { |
5964 | 0 | ticket.flags |= ticket_allow_early_data; |
5965 | 0 | max_early_data_size_len = 8; /* type + len + value. */ |
5966 | 0 | } |
5967 | 0 | ticket.ticket_lifetime_hint = ssl_ticket_lifetime; |
5968 | |
|
5969 | 0 | if (ss->opt.enableGrease) { |
5970 | 0 | greaseLen = 4; /* type + len + 0 (empty) */ |
5971 | 0 | } |
5972 | | |
5973 | | /* The ticket age obfuscator. */ |
5974 | 0 | rv = PK11_GenerateRandom((PRUint8 *)&ticket.ticket_age_add, |
5975 | 0 | sizeof(ticket.ticket_age_add)); |
5976 | 0 | if (rv != SECSuccess) |
5977 | 0 | goto loser; |
5978 | | |
5979 | 0 | rv = sslBuffer_AppendNumber(&ticketNonceBuf, ss->ssl3.hs.ticketNonce, |
5980 | 0 | sizeof(ticketNonce)); |
5981 | 0 | if (rv != SECSuccess) { |
5982 | 0 | goto loser; |
5983 | 0 | } |
5984 | 0 | ++ss->ssl3.hs.ticketNonce; |
5985 | 0 | rv = tls13_HkdfExpandLabel(ss->ssl3.hs.resumptionMasterSecret, |
5986 | 0 | tls13_GetHash(ss), |
5987 | 0 | ticketNonce, sizeof(ticketNonce), |
5988 | 0 | kHkdfLabelResumption, |
5989 | 0 | strlen(kHkdfLabelResumption), |
5990 | 0 | CKM_HKDF_DERIVE, |
5991 | 0 | tls13_GetHashSize(ss), |
5992 | 0 | ss->protocolVariant, &secret); |
5993 | 0 | if (rv != SECSuccess) { |
5994 | 0 | goto loser; |
5995 | 0 | } |
5996 | | |
5997 | 0 | rv = ssl3_EncodeSessionTicket(ss, &ticket, appToken, appTokenLen, |
5998 | 0 | secret, &ticket_data); |
5999 | 0 | PK11_FreeSymKey(secret); |
6000 | 0 | if (rv != SECSuccess) |
6001 | 0 | goto loser; |
6002 | | |
6003 | 0 | message_length = |
6004 | 0 | 4 + /* lifetime */ |
6005 | 0 | 4 + /* ticket_age_add */ |
6006 | 0 | 1 + sizeof(ticketNonce) + /* ticket_nonce */ |
6007 | 0 | 2 + /* extensions lentgh */ |
6008 | 0 | max_early_data_size_len + /* max_early_data_size extension length */ |
6009 | 0 | greaseLen + /* GREASE extension length */ |
6010 | 0 | 2 + /* ticket length */ |
6011 | 0 | ticket_data.len; |
6012 | |
|
6013 | 0 | rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_new_session_ticket, |
6014 | 0 | message_length); |
6015 | 0 | if (rv != SECSuccess) |
6016 | 0 | goto loser; |
6017 | | |
6018 | | /* This is a fixed value. */ |
6019 | 0 | rv = ssl3_AppendHandshakeNumber(ss, ssl_ticket_lifetime, 4); |
6020 | 0 | if (rv != SECSuccess) |
6021 | 0 | goto loser; |
6022 | | |
6023 | 0 | rv = ssl3_AppendHandshakeNumber(ss, ticket.ticket_age_add, 4); |
6024 | 0 | if (rv != SECSuccess) |
6025 | 0 | goto loser; |
6026 | | |
6027 | | /* The ticket nonce. */ |
6028 | 0 | rv = ssl3_AppendHandshakeVariable(ss, ticketNonce, sizeof(ticketNonce), 1); |
6029 | 0 | if (rv != SECSuccess) |
6030 | 0 | goto loser; |
6031 | | |
6032 | | /* Encode the ticket. */ |
6033 | 0 | rv = ssl3_AppendHandshakeVariable( |
6034 | 0 | ss, ticket_data.data, ticket_data.len, 2); |
6035 | 0 | if (rv != SECSuccess) |
6036 | 0 | goto loser; |
6037 | | |
6038 | | /* Extensions */ |
6039 | 0 | rv = ssl3_AppendHandshakeNumber(ss, max_early_data_size_len + greaseLen, 2); |
6040 | 0 | if (rv != SECSuccess) |
6041 | 0 | goto loser; |
6042 | | |
6043 | | /* GREASE NewSessionTicket: |
6044 | | * When sending a NewSessionTicket message in TLS 1.3, a server MAY select |
6045 | | * one or more GREASE extension values and advertise them as extensions |
6046 | | * with varying length and contents [RFC8701, SEction 4.1]. */ |
6047 | 0 | if (ss->opt.enableGrease) { |
6048 | 0 | PR_ASSERT(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); |
6049 | |
|
6050 | 0 | PRUint16 grease; |
6051 | 0 | rv = tls13_RandomGreaseValue(&grease); |
6052 | 0 | if (rv != SECSuccess) |
6053 | 0 | goto loser; |
6054 | | /* Extension type */ |
6055 | 0 | rv = ssl3_AppendHandshakeNumber(ss, grease, 2); |
6056 | 0 | if (rv != SECSuccess) |
6057 | 0 | goto loser; |
6058 | | /* Extension length */ |
6059 | 0 | rv = ssl3_AppendHandshakeNumber(ss, 0, 2); |
6060 | 0 | if (rv != SECSuccess) |
6061 | 0 | goto loser; |
6062 | 0 | } |
6063 | | |
6064 | | /* Max early data size extension. */ |
6065 | 0 | if (max_early_data_size_len) { |
6066 | 0 | rv = ssl3_AppendHandshakeNumber( |
6067 | 0 | ss, ssl_tls13_early_data_xtn, 2); |
6068 | 0 | if (rv != SECSuccess) |
6069 | 0 | goto loser; |
6070 | | |
6071 | | /* Length */ |
6072 | 0 | rv = ssl3_AppendHandshakeNumber(ss, 4, 2); |
6073 | 0 | if (rv != SECSuccess) |
6074 | 0 | goto loser; |
6075 | | |
6076 | 0 | rv = ssl3_AppendHandshakeNumber(ss, ss->opt.maxEarlyDataSize, 4); |
6077 | 0 | if (rv != SECSuccess) |
6078 | 0 | goto loser; |
6079 | 0 | } |
6080 | | |
6081 | 0 | SECITEM_FreeItem(&ticket_data, PR_FALSE); |
6082 | 0 | return SECSuccess; |
6083 | | |
6084 | 0 | loser: |
6085 | 0 | if (ticket_data.data) { |
6086 | 0 | SECITEM_FreeItem(&ticket_data, PR_FALSE); |
6087 | 0 | } |
6088 | 0 | return SECFailure; |
6089 | 0 | } |
6090 | | |
6091 | | SECStatus |
6092 | | SSLExp_SendSessionTicket(PRFileDesc *fd, const PRUint8 *token, |
6093 | | unsigned int tokenLen) |
6094 | 0 | { |
6095 | 0 | sslSocket *ss; |
6096 | 0 | SECStatus rv; |
6097 | |
|
6098 | 0 | ss = ssl_FindSocket(fd); |
6099 | 0 | if (!ss) { |
6100 | 0 | return SECFailure; |
6101 | 0 | } |
6102 | | |
6103 | 0 | if (IS_DTLS(ss)) { |
6104 | 0 | PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_VERSION); |
6105 | 0 | return SECFailure; |
6106 | 0 | } |
6107 | | |
6108 | 0 | if (!ss->sec.isServer || !tls13_IsPostHandshake(ss) || |
6109 | 0 | tokenLen > 0xffff) { |
6110 | 0 | PORT_SetError(SEC_ERROR_INVALID_ARGS); |
6111 | 0 | return SECFailure; |
6112 | 0 | } |
6113 | | |
6114 | | /* Disable tickets if we can trace this connection back to a PSK. |
6115 | | * We aren't able to issue tickets (currently) without a certificate. |
6116 | | * As PSK =~ resumption, there is no reason to do this. */ |
6117 | 0 | if (ss->sec.authType == ssl_auth_psk) { |
6118 | 0 | PORT_SetError(SSL_ERROR_FEATURE_DISABLED); |
6119 | 0 | return SECFailure; |
6120 | 0 | } |
6121 | | |
6122 | 0 | ssl_GetSSL3HandshakeLock(ss); |
6123 | 0 | ssl_GetXmitBufLock(ss); |
6124 | 0 | rv = tls13_SendNewSessionTicket(ss, token, tokenLen); |
6125 | 0 | if (rv == SECSuccess) { |
6126 | 0 | rv = ssl3_FlushHandshake(ss, 0); |
6127 | 0 | } |
6128 | 0 | ssl_ReleaseXmitBufLock(ss); |
6129 | 0 | ssl_ReleaseSSL3HandshakeLock(ss); |
6130 | |
|
6131 | 0 | return rv; |
6132 | 0 | } |
6133 | | |
6134 | | static SECStatus |
6135 | | tls13_HandleNewSessionTicket(sslSocket *ss, PRUint8 *b, PRUint32 length) |
6136 | 4 | { |
6137 | 4 | SECStatus rv; |
6138 | 4 | PRUint32 utmp; |
6139 | 4 | NewSessionTicket ticket = { 0 }; |
6140 | 4 | SECItem data; |
6141 | 4 | SECItem ticket_nonce; |
6142 | 4 | SECItem ticket_data; |
6143 | | |
6144 | 4 | SSL_TRC(3, ("%d: TLS13[%d]: handle new session ticket message", |
6145 | 4 | SSL_GETPID(), ss->fd)); |
6146 | | |
6147 | 4 | rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET, |
6148 | 4 | idle_handshake); |
6149 | 4 | if (rv != SECSuccess) { |
6150 | 4 | return SECFailure; |
6151 | 4 | } |
6152 | 0 | if (!tls13_IsPostHandshake(ss) || ss->sec.isServer) { |
6153 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET, |
6154 | 0 | unexpected_message); |
6155 | 0 | return SECFailure; |
6156 | 0 | } |
6157 | | |
6158 | 0 | ticket.received_timestamp = ssl_Time(ss); |
6159 | 0 | rv = ssl3_ConsumeHandshakeNumber(ss, &ticket.ticket_lifetime_hint, 4, &b, |
6160 | 0 | &length); |
6161 | 0 | if (rv != SECSuccess) { |
6162 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET, |
6163 | 0 | decode_error); |
6164 | 0 | return SECFailure; |
6165 | 0 | } |
6166 | 0 | ticket.ticket.type = siBuffer; |
6167 | |
|
6168 | 0 | rv = ssl3_ConsumeHandshake(ss, &utmp, sizeof(utmp), |
6169 | 0 | &b, &length); |
6170 | 0 | if (rv != SECSuccess) { |
6171 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET); |
6172 | 0 | return SECFailure; |
6173 | 0 | } |
6174 | 0 | ticket.ticket_age_add = PR_ntohl(utmp); |
6175 | | |
6176 | | /* The nonce. */ |
6177 | 0 | rv = ssl3_ConsumeHandshakeVariable(ss, &ticket_nonce, 1, &b, &length); |
6178 | 0 | if (rv != SECSuccess) { |
6179 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET, |
6180 | 0 | decode_error); |
6181 | 0 | return SECFailure; |
6182 | 0 | } |
6183 | | |
6184 | | /* Get the ticket value. */ |
6185 | 0 | rv = ssl3_ConsumeHandshakeVariable(ss, &ticket_data, 2, &b, &length); |
6186 | 0 | if (rv != SECSuccess || !ticket_data.len) { |
6187 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET, |
6188 | 0 | decode_error); |
6189 | 0 | return SECFailure; |
6190 | 0 | } |
6191 | | |
6192 | | /* Parse extensions. */ |
6193 | 0 | rv = ssl3_ConsumeHandshakeVariable(ss, &data, 2, &b, &length); |
6194 | 0 | if (rv != SECSuccess || length) { |
6195 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET, |
6196 | 0 | decode_error); |
6197 | 0 | return SECFailure; |
6198 | 0 | } |
6199 | | |
6200 | 0 | rv = ssl3_HandleExtensions(ss, &data.data, |
6201 | 0 | &data.len, ssl_hs_new_session_ticket); |
6202 | 0 | if (rv != SECSuccess) { |
6203 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET, |
6204 | 0 | decode_error); |
6205 | 0 | return SECFailure; |
6206 | 0 | } |
6207 | 0 | if (ss->xtnData.max_early_data_size) { |
6208 | 0 | ticket.flags |= ticket_allow_early_data; |
6209 | 0 | ticket.max_early_data_size = ss->xtnData.max_early_data_size; |
6210 | 0 | } |
6211 | |
|
6212 | 0 | if (!ss->opt.noCache) { |
6213 | 0 | PK11SymKey *secret; |
6214 | |
|
6215 | 0 | PORT_Assert(ss->sec.ci.sid); |
6216 | 0 | rv = SECITEM_CopyItem(NULL, &ticket.ticket, &ticket_data); |
6217 | 0 | if (rv != SECSuccess) { |
6218 | 0 | FATAL_ERROR(ss, SEC_ERROR_NO_MEMORY, internal_error); |
6219 | 0 | return SECFailure; |
6220 | 0 | } |
6221 | 0 | PRINT_BUF(50, (ss, "Caching session ticket", |
6222 | 0 | ticket.ticket.data, |
6223 | 0 | ticket.ticket.len)); |
6224 | | |
6225 | | /* Replace a previous session ticket when |
6226 | | * we receive a second NewSessionTicket message. */ |
6227 | 0 | if (ss->sec.ci.sid->cached == in_client_cache || |
6228 | 0 | ss->sec.ci.sid->cached == in_external_cache) { |
6229 | | /* Create a new session ID. */ |
6230 | 0 | sslSessionID *sid = ssl3_NewSessionID(ss, PR_FALSE); |
6231 | 0 | if (!sid) { |
6232 | 0 | return SECFailure; |
6233 | 0 | } |
6234 | | |
6235 | | /* Copy over the peerCert. */ |
6236 | 0 | PORT_Assert(ss->sec.ci.sid->peerCert); |
6237 | 0 | sid->peerCert = CERT_DupCertificate(ss->sec.ci.sid->peerCert); |
6238 | 0 | if (!sid->peerCert) { |
6239 | 0 | ssl_FreeSID(sid); |
6240 | 0 | return SECFailure; |
6241 | 0 | } |
6242 | | |
6243 | | /* Destroy the old SID. */ |
6244 | 0 | ssl_UncacheSessionID(ss); |
6245 | 0 | ssl_FreeSID(ss->sec.ci.sid); |
6246 | 0 | ss->sec.ci.sid = sid; |
6247 | 0 | } |
6248 | | |
6249 | 0 | ssl3_SetSIDSessionTicket(ss->sec.ci.sid, &ticket); |
6250 | 0 | PORT_Assert(!ticket.ticket.data); |
6251 | |
|
6252 | 0 | rv = tls13_HkdfExpandLabel(ss->ssl3.hs.resumptionMasterSecret, |
6253 | 0 | tls13_GetHash(ss), |
6254 | 0 | ticket_nonce.data, ticket_nonce.len, |
6255 | 0 | kHkdfLabelResumption, |
6256 | 0 | strlen(kHkdfLabelResumption), |
6257 | 0 | CKM_HKDF_DERIVE, |
6258 | 0 | tls13_GetHashSize(ss), |
6259 | 0 | ss->protocolVariant, &secret); |
6260 | 0 | if (rv != SECSuccess) { |
6261 | 0 | return SECFailure; |
6262 | 0 | } |
6263 | | |
6264 | 0 | rv = ssl3_FillInCachedSID(ss, ss->sec.ci.sid, secret); |
6265 | 0 | PK11_FreeSymKey(secret); |
6266 | 0 | if (rv != SECSuccess) { |
6267 | 0 | return SECFailure; |
6268 | 0 | } |
6269 | | |
6270 | | /* Cache the session. */ |
6271 | 0 | ssl_CacheSessionID(ss); |
6272 | 0 | } |
6273 | | |
6274 | 0 | return SECSuccess; |
6275 | 0 | } |
6276 | | |
6277 | | #define _M_NONE 0 |
6278 | 20.0k | #define _M(a) (1 << PR_MIN(a, 31)) |
6279 | | #define _M1(a) (_M(ssl_hs_##a)) |
6280 | | #define _M2(a, b) (_M1(a) | _M1(b)) |
6281 | | #define _M3(a, b, c) (_M1(a) | _M2(b, c)) |
6282 | | |
6283 | | static const struct { |
6284 | | PRUint16 ex_value; |
6285 | | PRUint32 messages; |
6286 | | } KnownExtensions[] = { |
6287 | | { ssl_server_name_xtn, _M2(client_hello, encrypted_extensions) }, |
6288 | | { ssl_supported_groups_xtn, _M2(client_hello, encrypted_extensions) }, |
6289 | | { ssl_signature_algorithms_xtn, _M2(client_hello, certificate_request) }, |
6290 | | { ssl_signature_algorithms_cert_xtn, _M2(client_hello, |
6291 | | certificate_request) }, |
6292 | | { ssl_use_srtp_xtn, _M2(client_hello, encrypted_extensions) }, |
6293 | | { ssl_app_layer_protocol_xtn, _M2(client_hello, encrypted_extensions) }, |
6294 | | { ssl_padding_xtn, _M1(client_hello) }, |
6295 | | { ssl_tls13_key_share_xtn, _M3(client_hello, server_hello, |
6296 | | hello_retry_request) }, |
6297 | | { ssl_tls13_pre_shared_key_xtn, _M2(client_hello, server_hello) }, |
6298 | | { ssl_tls13_psk_key_exchange_modes_xtn, _M1(client_hello) }, |
6299 | | { ssl_tls13_early_data_xtn, _M3(client_hello, encrypted_extensions, |
6300 | | new_session_ticket) }, |
6301 | | { ssl_signed_cert_timestamp_xtn, _M3(client_hello, certificate_request, |
6302 | | certificate) }, |
6303 | | { ssl_cert_status_xtn, _M3(client_hello, certificate_request, |
6304 | | certificate) }, |
6305 | | { ssl_delegated_credentials_xtn, _M2(client_hello, certificate) }, |
6306 | | { ssl_tls13_cookie_xtn, _M2(client_hello, hello_retry_request) }, |
6307 | | { ssl_tls13_certificate_authorities_xtn, _M2(client_hello, certificate_request) }, |
6308 | | { ssl_tls13_supported_versions_xtn, _M3(client_hello, server_hello, |
6309 | | hello_retry_request) }, |
6310 | | { ssl_record_size_limit_xtn, _M2(client_hello, encrypted_extensions) }, |
6311 | | { ssl_tls13_encrypted_client_hello_xtn, _M3(client_hello, encrypted_extensions, hello_retry_request) }, |
6312 | | { ssl_tls13_outer_extensions_xtn, _M_NONE /* Encoding/decoding only */ }, |
6313 | | { ssl_tls13_post_handshake_auth_xtn, _M1(client_hello) }, |
6314 | | { ssl_certificate_compression_xtn, _M2(client_hello, certificate_request) } |
6315 | | }; |
6316 | | |
6317 | | tls13ExtensionStatus |
6318 | | tls13_ExtensionStatus(PRUint16 extension, SSLHandshakeType message) |
6319 | 26.5k | { |
6320 | 26.5k | unsigned int i; |
6321 | | |
6322 | 26.5k | PORT_Assert((message == ssl_hs_client_hello) || |
6323 | 26.5k | (message == ssl_hs_server_hello) || |
6324 | 26.5k | (message == ssl_hs_hello_retry_request) || |
6325 | 26.5k | (message == ssl_hs_encrypted_extensions) || |
6326 | 26.5k | (message == ssl_hs_new_session_ticket) || |
6327 | 26.5k | (message == ssl_hs_certificate) || |
6328 | 26.5k | (message == ssl_hs_certificate_request)); |
6329 | | |
6330 | 362k | for (i = 0; i < PR_ARRAY_SIZE(KnownExtensions); i++) { |
6331 | | /* Hacky check for message numbers > 30. */ |
6332 | 355k | PORT_Assert(!(KnownExtensions[i].messages & (1U << 31))); |
6333 | 355k | if (KnownExtensions[i].ex_value == extension) { |
6334 | 20.0k | break; |
6335 | 20.0k | } |
6336 | 355k | } |
6337 | 26.5k | if (i >= PR_ARRAY_SIZE(KnownExtensions)) { |
6338 | 6.45k | return tls13_extension_unknown; |
6339 | 6.45k | } |
6340 | | |
6341 | | /* Return "disallowed" if the message mask bit isn't set. */ |
6342 | 20.0k | if (!(_M(message) & KnownExtensions[i].messages)) { |
6343 | 3.80k | return tls13_extension_disallowed; |
6344 | 3.80k | } |
6345 | | |
6346 | 16.2k | return tls13_extension_allowed; |
6347 | 20.0k | } |
6348 | | |
6349 | | #undef _M |
6350 | | #undef _M1 |
6351 | | #undef _M2 |
6352 | | #undef _M3 |
6353 | | |
6354 | | /* We cheat a bit on additional data because the AEAD interface |
6355 | | * which doesn't have room for the record number. The AAD we |
6356 | | * format is serialized record number followed by the true AD |
6357 | | * (i.e., the record header) plus the serialized record number. */ |
6358 | | static SECStatus |
6359 | | tls13_FormatAdditionalData( |
6360 | | sslSocket *ss, |
6361 | | const PRUint8 *header, unsigned int headerLen, |
6362 | | DTLSEpoch epoch, sslSequenceNumber seqNum, |
6363 | | PRUint8 *aad, unsigned int *aadLength, unsigned int maxLength) |
6364 | 11.8k | { |
6365 | 11.8k | SECStatus rv; |
6366 | 11.8k | sslBuffer buf = SSL_BUFFER_FIXED(aad, maxLength); |
6367 | | |
6368 | 11.8k | if (IS_DTLS_1_OR_12(ss)) { |
6369 | 0 | rv = sslBuffer_AppendNumber(&buf, epoch, 2); |
6370 | 0 | if (rv != SECSuccess) { |
6371 | 0 | return SECFailure; |
6372 | 0 | } |
6373 | 0 | } |
6374 | 11.8k | rv = sslBuffer_AppendNumber(&buf, seqNum, IS_DTLS_1_OR_12(ss) ? 6 : 8); |
6375 | 11.8k | if (rv != SECSuccess) { |
6376 | 0 | return SECFailure; |
6377 | 0 | } |
6378 | | |
6379 | 11.8k | rv = sslBuffer_Append(&buf, header, headerLen); |
6380 | 11.8k | if (rv != SECSuccess) { |
6381 | 0 | return SECFailure; |
6382 | 0 | } |
6383 | | |
6384 | 11.8k | *aadLength = buf.len; |
6385 | | |
6386 | 11.8k | return SECSuccess; |
6387 | 11.8k | } |
6388 | | |
6389 | | PRInt32 |
6390 | | tls13_LimitEarlyData(sslSocket *ss, SSLContentType type, PRInt32 toSend) |
6391 | 0 | { |
6392 | 0 | PRInt32 reduced; |
6393 | |
|
6394 | 0 | PORT_Assert(type == ssl_ct_application_data); |
6395 | 0 | PORT_Assert(ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3); |
6396 | 0 | PORT_Assert(!ss->firstHsDone); |
6397 | 0 | if (ss->ssl3.cwSpec->epoch != TrafficKeyEarlyApplicationData) { |
6398 | 0 | return toSend; |
6399 | 0 | } |
6400 | | |
6401 | 0 | if (IS_DTLS(ss) && toSend > ss->ssl3.cwSpec->earlyDataRemaining) { |
6402 | | /* Don't split application data records in DTLS. */ |
6403 | 0 | return 0; |
6404 | 0 | } |
6405 | | |
6406 | 0 | reduced = PR_MIN(toSend, ss->ssl3.cwSpec->earlyDataRemaining); |
6407 | 0 | ss->ssl3.cwSpec->earlyDataRemaining -= reduced; |
6408 | 0 | return reduced; |
6409 | 0 | } |
6410 | | |
6411 | | SECStatus |
6412 | | tls13_ProtectRecord(sslSocket *ss, |
6413 | | ssl3CipherSpec *cwSpec, |
6414 | | SSLContentType type, |
6415 | | const PRUint8 *pIn, |
6416 | | PRUint32 contentLen, |
6417 | | sslBuffer *wrBuf) |
6418 | 15.6k | { |
6419 | 15.6k | const ssl3BulkCipherDef *cipher_def = cwSpec->cipherDef; |
6420 | 15.6k | const int tagLen = cipher_def->tag_size; |
6421 | 15.6k | SECStatus rv; |
6422 | | |
6423 | 15.6k | PORT_Assert(cwSpec->direction == ssl_secret_write); |
6424 | 15.6k | SSL_TRC(3, ("%d: TLS13[%d]: spec=%d epoch=%d (%s) protect 0x%0llx len=%u", |
6425 | 15.6k | SSL_GETPID(), ss->fd, cwSpec, cwSpec->epoch, cwSpec->phase, |
6426 | 15.6k | cwSpec->nextSeqNum, contentLen)); |
6427 | | |
6428 | 15.6k | if (contentLen + 1 + tagLen > SSL_BUFFER_SPACE(wrBuf)) { |
6429 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
6430 | 0 | return SECFailure; |
6431 | 0 | } |
6432 | | |
6433 | | /* Copy the data into the wrBuf. We're going to encrypt in-place |
6434 | | * in the AEAD branch anyway */ |
6435 | 15.6k | PORT_Memcpy(SSL_BUFFER_NEXT(wrBuf), pIn, contentLen); |
6436 | | |
6437 | 15.6k | if (cipher_def->calg == ssl_calg_null) { |
6438 | | /* Shortcut for plaintext */ |
6439 | 12.7k | rv = sslBuffer_Skip(wrBuf, contentLen, NULL); |
6440 | 12.7k | PORT_Assert(rv == SECSuccess); |
6441 | 12.7k | } else { |
6442 | 2.97k | PRUint8 hdr[13]; |
6443 | 2.97k | sslBuffer buf = SSL_BUFFER_FIXED(hdr, sizeof(hdr)); |
6444 | 2.97k | PRBool needsLength; |
6445 | 2.97k | PRUint8 aad[21]; |
6446 | 2.97k | const int ivLen = cipher_def->iv_size + cipher_def->explicit_nonce_size; |
6447 | 2.97k | unsigned int ivOffset = ivLen - sizeof(sslSequenceNumber); |
6448 | 2.97k | unsigned char ivOut[MAX_IV_LENGTH]; |
6449 | | |
6450 | 2.97k | unsigned int aadLen; |
6451 | 2.97k | unsigned int len; |
6452 | | |
6453 | 2.97k | PORT_Assert(cipher_def->type == type_aead); |
6454 | | |
6455 | | /* If the following condition holds, we can skip the padding logic for |
6456 | | * DTLS 1.3 (4.2.3). This will be the case until we support a cipher |
6457 | | * with tag length < 15B. */ |
6458 | 2.97k | PORT_Assert(tagLen + 1 /* cType */ >= 16); |
6459 | | |
6460 | | /* Add the content type at the end. */ |
6461 | 2.97k | *(SSL_BUFFER_NEXT(wrBuf) + contentLen) = type; |
6462 | | |
6463 | | /* Create the header (ugly that we have to do it twice). */ |
6464 | 2.97k | rv = ssl_InsertRecordHeader(ss, cwSpec, ssl_ct_application_data, |
6465 | 2.97k | &buf, &needsLength); |
6466 | 2.97k | if (rv != SECSuccess) { |
6467 | 0 | return SECFailure; |
6468 | 0 | } |
6469 | 2.97k | if (needsLength) { |
6470 | 2.97k | rv = sslBuffer_AppendNumber(&buf, contentLen + 1 + tagLen, 2); |
6471 | 2.97k | if (rv != SECSuccess) { |
6472 | 0 | return SECFailure; |
6473 | 0 | } |
6474 | 2.97k | } |
6475 | 2.97k | rv = tls13_FormatAdditionalData(ss, SSL_BUFFER_BASE(&buf), SSL_BUFFER_LEN(&buf), |
6476 | 2.97k | cwSpec->epoch, cwSpec->nextSeqNum, |
6477 | 2.97k | aad, &aadLen, sizeof(aad)); |
6478 | 2.97k | if (rv != SECSuccess) { |
6479 | 0 | return SECFailure; |
6480 | 0 | } |
6481 | | /* set up initial IV value */ |
6482 | 2.97k | ivOffset = tls13_SetupAeadIv(IS_DTLS(ss), cwSpec->version, ivOut, cwSpec->keyMaterial.iv, |
6483 | 2.97k | ivOffset, ivLen, cwSpec->epoch); |
6484 | 2.97k | rv = tls13_AEAD(cwSpec->cipherContext, PR_FALSE, |
6485 | 2.97k | CKG_GENERATE_COUNTER_XOR, ivOffset * BPB, |
6486 | 2.97k | ivOut, ivOut, ivLen, /* iv */ |
6487 | 2.97k | NULL, 0, /* nonce */ |
6488 | 2.97k | aad + sizeof(sslSequenceNumber), /* aad */ |
6489 | 2.97k | aadLen - sizeof(sslSequenceNumber), |
6490 | 2.97k | SSL_BUFFER_NEXT(wrBuf), /* output */ |
6491 | 2.97k | &len, /* out len */ |
6492 | 2.97k | SSL_BUFFER_SPACE(wrBuf), /* max out */ |
6493 | 2.97k | tagLen, |
6494 | 2.97k | SSL_BUFFER_NEXT(wrBuf), /* input */ |
6495 | 2.97k | contentLen + 1); /* input len */ |
6496 | 2.97k | if (rv != SECSuccess) { |
6497 | 0 | PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
6498 | 0 | return SECFailure; |
6499 | 0 | } |
6500 | 2.97k | rv = sslBuffer_Skip(wrBuf, len, NULL); |
6501 | 2.97k | PORT_Assert(rv == SECSuccess); |
6502 | 2.97k | } |
6503 | | |
6504 | 15.6k | return SECSuccess; |
6505 | 15.6k | } |
6506 | | |
6507 | | /* Unprotect a TLS 1.3 record and leave the result in plaintext. |
6508 | | * |
6509 | | * Called by ssl3_HandleRecord. Caller must hold the spec read lock. |
6510 | | * Therefore, we MUST not call SSL3_SendAlert(). |
6511 | | * |
6512 | | * If SECFailure is returned, we: |
6513 | | * 1. Set |*alert| to the alert to be sent. |
6514 | | * 2. Call PORT_SetError() with an appropriate code. |
6515 | | */ |
6516 | | SECStatus |
6517 | | tls13_UnprotectRecord(sslSocket *ss, |
6518 | | ssl3CipherSpec *spec, |
6519 | | SSL3Ciphertext *cText, |
6520 | | sslBuffer *plaintext, |
6521 | | SSLContentType *innerType, |
6522 | | SSL3AlertDescription *alert) |
6523 | 10.7k | { |
6524 | 10.7k | const ssl3BulkCipherDef *cipher_def = spec->cipherDef; |
6525 | 10.7k | const int ivLen = cipher_def->iv_size + cipher_def->explicit_nonce_size; |
6526 | 10.7k | const int tagLen = cipher_def->tag_size; |
6527 | 10.7k | const int innerTypeLen = 1; |
6528 | | |
6529 | 10.7k | PRUint8 aad[21]; |
6530 | 10.7k | unsigned int aadLen; |
6531 | 10.7k | SECStatus rv; |
6532 | | |
6533 | 10.7k | *alert = bad_record_mac; /* Default alert for most issues. */ |
6534 | | |
6535 | 10.7k | PORT_Assert(spec->direction == ssl_secret_read); |
6536 | 10.7k | SSL_TRC(3, ("%d: TLS13[%d]: spec=%d epoch=%d (%s) unprotect 0x%0llx len=%u", |
6537 | 10.7k | SSL_GETPID(), ss->fd, spec, spec->epoch, spec->phase, |
6538 | 10.7k | cText->seqNum, cText->buf->len)); |
6539 | | |
6540 | | /* Verify that the outer content type is right. |
6541 | | * |
6542 | | * For the inner content type as well as lower TLS versions this is checked |
6543 | | * in ssl3con.c/ssl3_HandleNonApllicationData(). |
6544 | | * |
6545 | | * For DTLS 1.3 this is checked in ssl3gthr.c/dtls_GatherData(). DTLS drops |
6546 | | * invalid records silently [RFC6347, Section 4.1.2.7]. |
6547 | | * |
6548 | | * Also allow the DTLS short header in TLS 1.3. */ |
6549 | 10.7k | if (!(cText->hdr[0] == ssl_ct_application_data || |
6550 | 10.7k | (IS_DTLS(ss) && |
6551 | 1.45k | ss->version >= SSL_LIBRARY_VERSION_TLS_1_3 && |
6552 | 1.45k | (cText->hdr[0] & 0xe0) == 0x20))) { |
6553 | 1.45k | SSL_TRC(3, |
6554 | 1.45k | ("%d: TLS13[%d]: record has invalid exterior type=%2.2x", |
6555 | 1.45k | SSL_GETPID(), ss->fd, cText->hdr[0])); |
6556 | 1.45k | PORT_SetError(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE); |
6557 | 1.45k | *alert = unexpected_message; |
6558 | 1.45k | return SECFailure; |
6559 | 1.45k | } |
6560 | | |
6561 | | /* We can perform this test in variable time because the record's total |
6562 | | * length and the ciphersuite are both public knowledge. */ |
6563 | 9.32k | if (cText->buf->len < tagLen) { |
6564 | 203 | SSL_TRC(3, |
6565 | 203 | ("%d: TLS13[%d]: record too short to contain valid AEAD data", |
6566 | 203 | SSL_GETPID(), ss->fd)); |
6567 | 203 | PORT_SetError(SSL_ERROR_BAD_MAC_READ); |
6568 | 203 | return SECFailure; |
6569 | 203 | } |
6570 | | |
6571 | | /* Check if the ciphertext can be valid if we assume maximum plaintext and |
6572 | | * add the specific ciphersuite expansion. |
6573 | | * This way we detect overlong plaintexts/padding before decryption. |
6574 | | * This check enforces size limitations more strict than the RFC. |
6575 | | * (see RFC8446, Section 5.2) */ |
6576 | 9.12k | if (cText->buf->len > (spec->recordSizeLimit + innerTypeLen + tagLen)) { |
6577 | 2 | *alert = record_overflow; |
6578 | 2 | PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); |
6579 | 2 | return SECFailure; |
6580 | 2 | } |
6581 | | |
6582 | | /* Check the version number in the record. Stream only. */ |
6583 | 9.12k | if (!IS_DTLS(ss)) { |
6584 | 9.12k | SSL3ProtocolVersion version = |
6585 | 9.12k | ((SSL3ProtocolVersion)cText->hdr[1] << 8) | |
6586 | 9.12k | (SSL3ProtocolVersion)cText->hdr[2]; |
6587 | 9.12k | if (version != spec->recordVersion) { |
6588 | | /* Do we need a better error here? */ |
6589 | 215 | SSL_TRC(3, ("%d: TLS13[%d]: record has bogus version", |
6590 | 215 | SSL_GETPID(), ss->fd)); |
6591 | 215 | return SECFailure; |
6592 | 215 | } |
6593 | 9.12k | } |
6594 | | |
6595 | | /* Decrypt */ |
6596 | 8.90k | PORT_Assert(cipher_def->type == type_aead); |
6597 | 8.90k | rv = tls13_FormatAdditionalData(ss, cText->hdr, cText->hdrLen, |
6598 | 8.90k | spec->epoch, cText->seqNum, |
6599 | 8.90k | aad, &aadLen, sizeof(aad)); |
6600 | 8.90k | if (rv != SECSuccess) { |
6601 | |
|
6602 | 0 | return SECFailure; |
6603 | 0 | } |
6604 | 8.90k | rv = tls13_AEAD(spec->cipherContext, PR_TRUE, |
6605 | 8.90k | CKG_NO_GENERATE, 0, /* ignored for decrypt */ |
6606 | 8.90k | spec->keyMaterial.iv, NULL, ivLen, /* iv */ |
6607 | 8.90k | aad, sizeof(sslSequenceNumber), /* nonce */ |
6608 | 8.90k | aad + sizeof(sslSequenceNumber), /* aad */ |
6609 | 8.90k | aadLen - sizeof(sslSequenceNumber), |
6610 | 8.90k | plaintext->buf, /* output */ |
6611 | 8.90k | &plaintext->len, /* outlen */ |
6612 | 8.90k | plaintext->space, /* maxout */ |
6613 | 8.90k | tagLen, |
6614 | 8.90k | cText->buf->buf, /* in */ |
6615 | 8.90k | cText->buf->len); /* inlen */ |
6616 | 8.90k | if (rv != SECSuccess) { |
6617 | 8.90k | if (IS_DTLS(ss)) { |
6618 | 0 | spec->deprotectionFailures++; |
6619 | 0 | } |
6620 | | |
6621 | 8.90k | SSL_TRC(3, |
6622 | 8.90k | ("%d: TLS13[%d]: record has bogus MAC", |
6623 | 8.90k | SSL_GETPID(), ss->fd)); |
6624 | 8.90k | PORT_SetError(SSL_ERROR_BAD_MAC_READ); |
6625 | 8.90k | return SECFailure; |
6626 | 8.90k | } |
6627 | | |
6628 | | /* There is a similar test in ssl3_HandleRecord, but this test is needed to |
6629 | | * account for padding. */ |
6630 | 0 | if (plaintext->len > spec->recordSizeLimit + innerTypeLen) { |
6631 | 0 | *alert = record_overflow; |
6632 | 0 | PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); |
6633 | 0 | return SECFailure; |
6634 | 0 | } |
6635 | | |
6636 | | /* The record is right-padded with 0s, followed by the true |
6637 | | * content type, so read from the right until we receive a |
6638 | | * nonzero byte. */ |
6639 | 0 | while (plaintext->len > 0 && !(plaintext->buf[plaintext->len - 1])) { |
6640 | 0 | --plaintext->len; |
6641 | 0 | } |
6642 | | |
6643 | | /* Bogus padding. */ |
6644 | 0 | if (plaintext->len < 1) { |
6645 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: empty record", SSL_GETPID(), ss->fd)); |
6646 | | /* It's safe to report this specifically because it happened |
6647 | | * after the MAC has been verified. */ |
6648 | 0 | *alert = unexpected_message; |
6649 | 0 | PORT_SetError(SSL_ERROR_BAD_BLOCK_PADDING); |
6650 | 0 | return SECFailure; |
6651 | 0 | } |
6652 | | |
6653 | | /* Record the type. */ |
6654 | 0 | *innerType = (SSLContentType)plaintext->buf[plaintext->len - 1]; |
6655 | 0 | --plaintext->len; |
6656 | | |
6657 | | /* Check for zero-length encrypted Alert and Handshake fragments |
6658 | | * (zero-length + inner content type byte). |
6659 | | * |
6660 | | * Implementations MUST NOT send Handshake and Alert records that have a |
6661 | | * zero-length TLSInnerPlaintext.content; if such a message is received, |
6662 | | * the receiving implementation MUST terminate the connection with an |
6663 | | * "unexpected_message" alert [RFC8446, Section 5.4]. */ |
6664 | 0 | if (!plaintext->len && ((!IS_DTLS(ss) && cText->hdr[0] == ssl_ct_application_data) || |
6665 | 0 | (IS_DTLS(ss) && dtls_IsDtls13Ciphertext(spec->version, cText->hdr[0])))) { |
6666 | 0 | switch (*innerType) { |
6667 | 0 | case ssl_ct_alert: |
6668 | 0 | *alert = unexpected_message; |
6669 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_ALERT); |
6670 | 0 | return SECFailure; |
6671 | 0 | case ssl_ct_handshake: |
6672 | 0 | *alert = unexpected_message; |
6673 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE); |
6674 | 0 | return SECFailure; |
6675 | 0 | default: |
6676 | 0 | break; |
6677 | 0 | } |
6678 | 0 | } |
6679 | | |
6680 | | /* Check that we haven't received too much 0-RTT data. */ |
6681 | 0 | if (spec->epoch == TrafficKeyEarlyApplicationData && |
6682 | 0 | *innerType == ssl_ct_application_data) { |
6683 | 0 | if (plaintext->len > spec->earlyDataRemaining) { |
6684 | 0 | *alert = unexpected_message; |
6685 | 0 | PORT_SetError(SSL_ERROR_TOO_MUCH_EARLY_DATA); |
6686 | 0 | return SECFailure; |
6687 | 0 | } |
6688 | 0 | spec->earlyDataRemaining -= plaintext->len; |
6689 | 0 | } |
6690 | | |
6691 | 0 | SSL_TRC(10, |
6692 | 0 | ("%d: TLS13[%d]: %s received record of length=%d, type=%d", |
6693 | 0 | SSL_GETPID(), ss->fd, SSL_ROLE(ss), plaintext->len, *innerType)); |
6694 | |
|
6695 | 0 | return SECSuccess; |
6696 | 0 | } |
6697 | | |
6698 | | /* 0-RTT is only permitted if: |
6699 | | * |
6700 | | * 1. We are doing TLS 1.3 |
6701 | | * 2. This isn't a second ClientHello (in response to HelloRetryRequest) |
6702 | | * 3. The 0-RTT option is set. |
6703 | | * 4. We have a valid ticket or an External PSK. |
6704 | | * 5. If resuming: |
6705 | | * 5a. The server is willing to accept 0-RTT. |
6706 | | * 5b. We have not changed our ALPN settings to disallow the ALPN tag |
6707 | | * in the ticket. |
6708 | | * |
6709 | | * Called from tls13_ClientSendEarlyDataXtn(). |
6710 | | */ |
6711 | | PRBool |
6712 | | tls13_ClientAllow0Rtt(const sslSocket *ss, const sslSessionID *sid) |
6713 | 42.2k | { |
6714 | | /* We checked that the cipher suite was still allowed back in |
6715 | | * ssl3_SendClientHello. */ |
6716 | 42.2k | if (sid->version < SSL_LIBRARY_VERSION_TLS_1_3) { |
6717 | 21.8k | return PR_FALSE; |
6718 | 21.8k | } |
6719 | 20.4k | if (ss->ssl3.hs.helloRetry) { |
6720 | 1.16k | return PR_FALSE; |
6721 | 1.16k | } |
6722 | 19.2k | if (!ss->opt.enable0RttData) { |
6723 | 19.2k | return PR_FALSE; |
6724 | 19.2k | } |
6725 | 0 | if (PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks)) { |
6726 | 0 | return PR_FALSE; |
6727 | 0 | } |
6728 | 0 | sslPsk *psk = (sslPsk *)PR_LIST_HEAD(&ss->ssl3.hs.psks); |
6729 | |
|
6730 | 0 | if (psk->zeroRttSuite == TLS_NULL_WITH_NULL_NULL) { |
6731 | 0 | return PR_FALSE; |
6732 | 0 | } |
6733 | 0 | if (!psk->maxEarlyData) { |
6734 | 0 | return PR_FALSE; |
6735 | 0 | } |
6736 | | |
6737 | 0 | if (psk->type == ssl_psk_external) { |
6738 | 0 | return psk->hash == tls13_GetHashForCipherSuite(psk->zeroRttSuite); |
6739 | 0 | } |
6740 | 0 | if (psk->type == ssl_psk_resume) { |
6741 | 0 | if (!ss->statelessResume) |
6742 | 0 | return PR_FALSE; |
6743 | 0 | if ((sid->u.ssl3.locked.sessionTicket.flags & ticket_allow_early_data) == 0) |
6744 | 0 | return PR_FALSE; |
6745 | 0 | return ssl_AlpnTagAllowed(ss, &sid->u.ssl3.alpnSelection); |
6746 | 0 | } |
6747 | 0 | PORT_Assert(0); |
6748 | 0 | return PR_FALSE; |
6749 | 0 | } |
6750 | | |
6751 | | SECStatus |
6752 | | tls13_MaybeDo0RTTHandshake(sslSocket *ss) |
6753 | 20.4k | { |
6754 | 20.4k | SECStatus rv; |
6755 | | |
6756 | | /* Don't do anything if there is no early_data xtn, which means we're |
6757 | | * not doing early data. */ |
6758 | 20.4k | if (!ssl3_ExtensionAdvertised(ss, ssl_tls13_early_data_xtn)) { |
6759 | 20.4k | return SECSuccess; |
6760 | 20.4k | } |
6761 | | |
6762 | 0 | ss->ssl3.hs.zeroRttState = ssl_0rtt_sent; |
6763 | 0 | ss->ssl3.hs.zeroRttSuite = ss->ssl3.hs.cipher_suite; |
6764 | | /* Note: Reset the preliminary info here rather than just add 0-RTT. We are |
6765 | | * only guessing what might happen at this point.*/ |
6766 | 0 | ss->ssl3.hs.preliminaryInfo = ssl_preinfo_0rtt_cipher_suite; |
6767 | |
|
6768 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: in 0-RTT mode", SSL_GETPID(), ss->fd)); |
6769 | | |
6770 | | /* Set the ALPN data as if it was negotiated. We check in the ServerHello |
6771 | | * handler that the server negotiates the same value. */ |
6772 | 0 | if (ss->sec.ci.sid->u.ssl3.alpnSelection.len) { |
6773 | 0 | ss->xtnData.nextProtoState = SSL_NEXT_PROTO_EARLY_VALUE; |
6774 | 0 | rv = SECITEM_CopyItem(NULL, &ss->xtnData.nextProto, |
6775 | 0 | &ss->sec.ci.sid->u.ssl3.alpnSelection); |
6776 | 0 | if (rv != SECSuccess) { |
6777 | 0 | return SECFailure; |
6778 | 0 | } |
6779 | 0 | } |
6780 | | |
6781 | 0 | if (ss->opt.enableTls13CompatMode && !IS_DTLS(ss)) { |
6782 | | /* Pretend that this is a proper ChangeCipherSpec even though it is sent |
6783 | | * before receiving the ServerHello. */ |
6784 | 0 | ssl_GetSpecWriteLock(ss); |
6785 | 0 | tls13_SetSpecRecordVersion(ss, ss->ssl3.cwSpec); |
6786 | 0 | ssl_ReleaseSpecWriteLock(ss); |
6787 | 0 | ssl_GetXmitBufLock(ss); |
6788 | 0 | rv = ssl3_SendChangeCipherSpecsInt(ss); |
6789 | 0 | ssl_ReleaseXmitBufLock(ss); |
6790 | 0 | if (rv != SECSuccess) { |
6791 | 0 | return SECFailure; |
6792 | 0 | } |
6793 | 0 | } |
6794 | | |
6795 | | /* If we have any message that was saved for later hashing. |
6796 | | * The updated hash is then used in tls13_DeriveEarlySecrets. */ |
6797 | 0 | rv = ssl3_MaybeUpdateHashWithSavedRecord(ss); |
6798 | 0 | if (rv != SECSuccess) { |
6799 | 0 | return SECFailure; |
6800 | 0 | } |
6801 | | |
6802 | | /* If we're trying 0-RTT, derive from the first PSK */ |
6803 | 0 | PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks) && !ss->xtnData.selectedPsk); |
6804 | 0 | ss->xtnData.selectedPsk = (sslPsk *)PR_LIST_HEAD(&ss->ssl3.hs.psks); |
6805 | 0 | rv = tls13_DeriveEarlySecrets(ss); |
6806 | 0 | if (rv != SECSuccess) { |
6807 | 0 | return SECFailure; |
6808 | 0 | } |
6809 | | |
6810 | | /* Save cwSpec in case we get a HelloRetryRequest and have to send another |
6811 | | * ClientHello. */ |
6812 | 0 | ssl_CipherSpecAddRef(ss->ssl3.cwSpec); |
6813 | |
|
6814 | 0 | rv = tls13_SetCipherSpec(ss, TrafficKeyEarlyApplicationData, |
6815 | 0 | ssl_secret_write, PR_TRUE); |
6816 | 0 | ss->xtnData.selectedPsk = NULL; |
6817 | 0 | if (rv != SECSuccess) { |
6818 | 0 | return SECFailure; |
6819 | 0 | } |
6820 | | |
6821 | 0 | return SECSuccess; |
6822 | 0 | } |
6823 | | |
6824 | | PRInt32 |
6825 | | tls13_Read0RttData(sslSocket *ss, PRUint8 *buf, PRInt32 len) |
6826 | 0 | { |
6827 | 0 | PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.bufferedEarlyData)); |
6828 | 0 | PRInt32 offset = 0; |
6829 | 0 | while (!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.bufferedEarlyData)) { |
6830 | 0 | TLS13EarlyData *msg = |
6831 | 0 | (TLS13EarlyData *)PR_NEXT_LINK(&ss->ssl3.hs.bufferedEarlyData); |
6832 | 0 | unsigned int tocpy = msg->data.len - msg->consumed; |
6833 | |
|
6834 | 0 | if (tocpy > (len - offset)) { |
6835 | 0 | if (IS_DTLS(ss)) { |
6836 | | /* In DTLS, we only return entire records. |
6837 | | * So offset and consumed are always zero. */ |
6838 | 0 | PORT_Assert(offset == 0); |
6839 | 0 | PORT_Assert(msg->consumed == 0); |
6840 | 0 | PORT_SetError(SSL_ERROR_RX_SHORT_DTLS_READ); |
6841 | 0 | return -1; |
6842 | 0 | } |
6843 | | |
6844 | 0 | tocpy = len - offset; |
6845 | 0 | } |
6846 | | |
6847 | 0 | PORT_Memcpy(buf + offset, msg->data.data + msg->consumed, tocpy); |
6848 | 0 | offset += tocpy; |
6849 | 0 | msg->consumed += tocpy; |
6850 | |
|
6851 | 0 | if (msg->consumed == msg->data.len) { |
6852 | 0 | PR_REMOVE_LINK(&msg->link); |
6853 | 0 | SECITEM_ZfreeItem(&msg->data, PR_FALSE); |
6854 | 0 | PORT_ZFree(msg, sizeof(*msg)); |
6855 | 0 | } |
6856 | | |
6857 | | /* We are done after one record for DTLS; otherwise, when the buffer fills up. */ |
6858 | 0 | if (IS_DTLS(ss) || offset == len) { |
6859 | 0 | break; |
6860 | 0 | } |
6861 | 0 | } |
6862 | | |
6863 | 0 | return offset; |
6864 | 0 | } |
6865 | | |
6866 | | static SECStatus |
6867 | | tls13_SendEndOfEarlyData(sslSocket *ss) |
6868 | 0 | { |
6869 | 0 | SECStatus rv; |
6870 | |
|
6871 | 0 | PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
6872 | |
|
6873 | 0 | if (!ss->opt.suppressEndOfEarlyData) { |
6874 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: send EndOfEarlyData", SSL_GETPID(), ss->fd)); |
6875 | 0 | rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_end_of_early_data, 0); |
6876 | 0 | if (rv != SECSuccess) { |
6877 | 0 | return rv; /* err set by AppendHandshake. */ |
6878 | 0 | } |
6879 | 0 | } |
6880 | | |
6881 | 0 | ss->ssl3.hs.zeroRttState = ssl_0rtt_done; |
6882 | 0 | return SECSuccess; |
6883 | 0 | } |
6884 | | |
6885 | | static SECStatus |
6886 | | tls13_HandleEndOfEarlyData(sslSocket *ss, const PRUint8 *b, PRUint32 length) |
6887 | 5 | { |
6888 | 5 | SECStatus rv; |
6889 | | |
6890 | 5 | PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); |
6891 | | |
6892 | 5 | rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_END_OF_EARLY_DATA, |
6893 | 5 | wait_end_of_early_data); |
6894 | 5 | if (rv != SECSuccess) { |
6895 | 5 | return SECFailure; |
6896 | 5 | } |
6897 | | |
6898 | | /* We shouldn't be getting any more early data, and if we do, |
6899 | | * it is because of reordering and we drop it. */ |
6900 | 0 | if (IS_DTLS(ss)) { |
6901 | 0 | ssl_CipherSpecReleaseByEpoch(ss, ssl_secret_read, |
6902 | 0 | TrafficKeyEarlyApplicationData); |
6903 | 0 | dtls_ReceivedFirstMessageInFlight(ss); |
6904 | 0 | } |
6905 | |
|
6906 | 0 | PORT_Assert(ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted); |
6907 | |
|
6908 | 0 | if (length) { |
6909 | 0 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_END_OF_EARLY_DATA, decode_error); |
6910 | 0 | return SECFailure; |
6911 | 0 | } |
6912 | | |
6913 | 0 | rv = tls13_SetCipherSpec(ss, TrafficKeyHandshake, |
6914 | 0 | ssl_secret_read, PR_FALSE); |
6915 | 0 | if (rv != SECSuccess) { |
6916 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
6917 | 0 | return SECFailure; |
6918 | 0 | } |
6919 | | |
6920 | 0 | ss->ssl3.hs.zeroRttState = ssl_0rtt_done; |
6921 | 0 | if (tls13_ShouldRequestClientAuth(ss)) { |
6922 | 0 | TLS13_SET_HS_STATE(ss, wait_client_cert); |
6923 | 0 | } else { |
6924 | 0 | TLS13_SET_HS_STATE(ss, wait_finished); |
6925 | 0 | } |
6926 | 0 | return SECSuccess; |
6927 | 0 | } |
6928 | | |
6929 | | static SECStatus |
6930 | | tls13_MaybeHandleSuppressedEndOfEarlyData(sslSocket *ss) |
6931 | 37 | { |
6932 | 37 | PORT_Assert(ss->sec.isServer); |
6933 | 37 | if (!ss->opt.suppressEndOfEarlyData || |
6934 | 37 | ss->ssl3.hs.zeroRttState != ssl_0rtt_accepted) { |
6935 | 37 | return SECSuccess; |
6936 | 37 | } |
6937 | | |
6938 | 0 | return tls13_HandleEndOfEarlyData(ss, NULL, 0); |
6939 | 37 | } |
6940 | | |
6941 | | SECStatus |
6942 | | tls13_HandleEarlyApplicationData(sslSocket *ss, sslBuffer *origBuf) |
6943 | 0 | { |
6944 | 0 | TLS13EarlyData *ed; |
6945 | 0 | SECItem it = { siBuffer, NULL, 0 }; |
6946 | |
|
6947 | 0 | PORT_Assert(ss->sec.isServer); |
6948 | 0 | PORT_Assert(ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted); |
6949 | 0 | if (ss->ssl3.hs.zeroRttState != ssl_0rtt_accepted) { |
6950 | | /* Belt and suspenders. */ |
6951 | 0 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
6952 | 0 | return SECFailure; |
6953 | 0 | } |
6954 | | |
6955 | 0 | PRINT_BUF(3, (NULL, "Received early application data", |
6956 | 0 | origBuf->buf, origBuf->len)); |
6957 | 0 | ed = PORT_ZNew(TLS13EarlyData); |
6958 | 0 | if (!ed) { |
6959 | 0 | FATAL_ERROR(ss, SEC_ERROR_NO_MEMORY, internal_error); |
6960 | 0 | return SECFailure; |
6961 | 0 | } |
6962 | 0 | it.data = origBuf->buf; |
6963 | 0 | it.len = origBuf->len; |
6964 | 0 | if (SECITEM_CopyItem(NULL, &ed->data, &it) != SECSuccess) { |
6965 | 0 | FATAL_ERROR(ss, SEC_ERROR_NO_MEMORY, internal_error); |
6966 | 0 | return SECFailure; |
6967 | 0 | } |
6968 | 0 | PR_APPEND_LINK(&ed->link, &ss->ssl3.hs.bufferedEarlyData); |
6969 | |
|
6970 | 0 | origBuf->len = 0; /* So ssl3_GatherAppDataRecord will keep looping. */ |
6971 | |
|
6972 | 0 | return SECSuccess; |
6973 | 0 | } |
6974 | | |
6975 | | PRUint16 |
6976 | | tls13_EncodeVersion(SSL3ProtocolVersion version, SSLProtocolVariant variant) |
6977 | 103k | { |
6978 | 103k | if (variant == ssl_variant_datagram) { |
6979 | 86 | return dtls_TLSVersionToDTLSVersion(version); |
6980 | 86 | } |
6981 | | /* Stream-variant encodings do not change. */ |
6982 | 103k | return (PRUint16)version; |
6983 | 103k | } |
6984 | | |
6985 | | SECStatus |
6986 | | tls13_ClientReadSupportedVersion(sslSocket *ss) |
6987 | 37.1k | { |
6988 | 37.1k | PRUint32 temp; |
6989 | 37.1k | TLSExtension *versionExtension; |
6990 | 37.1k | SECItem it; |
6991 | 37.1k | SECStatus rv; |
6992 | | |
6993 | | /* Update the version based on the extension, as necessary. */ |
6994 | 37.1k | versionExtension = ssl3_FindExtension(ss, ssl_tls13_supported_versions_xtn); |
6995 | 37.1k | if (!versionExtension) { |
6996 | 34.5k | return SECSuccess; |
6997 | 34.5k | } |
6998 | | |
6999 | | /* Struct copy so we don't damage the extension. */ |
7000 | 2.58k | it = versionExtension->data; |
7001 | | |
7002 | 2.58k | rv = ssl3_ConsumeHandshakeNumber(ss, &temp, 2, &it.data, &it.len); |
7003 | 2.58k | if (rv != SECSuccess) { |
7004 | 5 | return SECFailure; |
7005 | 5 | } |
7006 | 2.58k | if (it.len) { |
7007 | 5 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_SERVER_HELLO, illegal_parameter); |
7008 | 5 | return SECFailure; |
7009 | 5 | } |
7010 | | |
7011 | 2.57k | if (temp != tls13_EncodeVersion(SSL_LIBRARY_VERSION_TLS_1_3, |
7012 | 2.57k | ss->protocolVariant)) { |
7013 | | /* You cannot negotiate < TLS 1.3 with supported_versions. */ |
7014 | 74 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_SERVER_HELLO, illegal_parameter); |
7015 | 74 | return SECFailure; |
7016 | 74 | } |
7017 | | |
7018 | | /* Any endpoint receiving a Hello message with...ServerHello.legacy_version |
7019 | | * set to 0x0300 (SSL3) MUST abort the handshake with a "protocol_version" |
7020 | | * alert. [RFC8446, Section D.5] |
7021 | | * |
7022 | | * The ServerHello.legacy_version is read into the ss->version field by |
7023 | | * ssl_ClientReadVersion(). */ |
7024 | 2.50k | if (ss->version == SSL_LIBRARY_VERSION_3_0) { |
7025 | 2 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_SERVER_HELLO, protocol_version); |
7026 | 2 | return SECFailure; |
7027 | 2 | } |
7028 | | |
7029 | 2.50k | ss->version = SSL_LIBRARY_VERSION_TLS_1_3; |
7030 | 2.50k | return SECSuccess; |
7031 | 2.50k | } |
7032 | | |
7033 | | /* Pick the highest version we support that is also advertised. */ |
7034 | | SECStatus |
7035 | | tls13_NegotiateVersion(sslSocket *ss, const TLSExtension *supportedVersions) |
7036 | 1.82k | { |
7037 | 1.82k | PRUint16 version; |
7038 | | /* Make a copy so we're nondestructive. */ |
7039 | 1.82k | SECItem data = supportedVersions->data; |
7040 | 1.82k | SECItem versions; |
7041 | 1.82k | SECStatus rv; |
7042 | | |
7043 | 1.82k | rv = ssl3_ConsumeHandshakeVariable(ss, &versions, 1, |
7044 | 1.82k | &data.data, &data.len); |
7045 | 1.82k | if (rv != SECSuccess) { |
7046 | 6 | return SECFailure; |
7047 | 6 | } |
7048 | 1.81k | if (data.len || !versions.len || (versions.len & 1)) { |
7049 | 18 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CLIENT_HELLO, illegal_parameter); |
7050 | 18 | return SECFailure; |
7051 | 18 | } |
7052 | 1.89k | for (version = ss->vrange.max; version >= ss->vrange.min; --version) { |
7053 | 1.85k | if (version < SSL_LIBRARY_VERSION_TLS_1_3 && |
7054 | 1.85k | (ss->ssl3.hs.helloRetry || ss->ssl3.hs.echAccepted)) { |
7055 | | /* Prevent negotiating to a lower version after 1.3 HRR or ECH |
7056 | | * When accepting ECH, a different alert is generated. |
7057 | | */ |
7058 | 5 | SSL3AlertDescription alert = ss->ssl3.hs.echAccepted ? illegal_parameter : protocol_version; |
7059 | 5 | PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION); |
7060 | 5 | FATAL_ERROR(ss, SSL_ERROR_UNSUPPORTED_VERSION, alert); |
7061 | 5 | return SECFailure; |
7062 | 5 | } |
7063 | | |
7064 | 1.85k | PRUint16 wire = tls13_EncodeVersion(version, ss->protocolVariant); |
7065 | 1.85k | unsigned long offset; |
7066 | | |
7067 | 5.65k | for (offset = 0; offset < versions.len; offset += 2) { |
7068 | 5.55k | PRUint16 supported = |
7069 | 5.55k | (versions.data[offset] << 8) | versions.data[offset + 1]; |
7070 | 5.55k | if (supported == wire) { |
7071 | 1.74k | ss->version = version; |
7072 | 1.74k | return SECSuccess; |
7073 | 1.74k | } |
7074 | 5.55k | } |
7075 | 1.85k | } |
7076 | | |
7077 | 43 | FATAL_ERROR(ss, SSL_ERROR_UNSUPPORTED_VERSION, protocol_version); |
7078 | 43 | return SECFailure; |
7079 | 1.79k | } |
7080 | | |
7081 | | /* This is TLS 1.3 or might negotiate to it. */ |
7082 | | PRBool |
7083 | | tls13_MaybeTls13(sslSocket *ss) |
7084 | 207k | { |
7085 | 207k | if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) { |
7086 | 0 | return PR_TRUE; |
7087 | 0 | } |
7088 | | |
7089 | 207k | if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3) { |
7090 | 207k | return PR_FALSE; |
7091 | 207k | } |
7092 | | |
7093 | 0 | if (!(ss->ssl3.hs.preliminaryInfo & ssl_preinfo_version)) { |
7094 | 0 | return PR_TRUE; |
7095 | 0 | } |
7096 | | |
7097 | 0 | return PR_FALSE; |
7098 | 0 | } |
7099 | | |
7100 | | /* Setup random client GREASE values according to RFC8701. State must be kept |
7101 | | * so an equal ClientHello might be send on HelloRetryRequest. */ |
7102 | | SECStatus |
7103 | | tls13_ClientGreaseSetup(sslSocket *ss) |
7104 | 19.2k | { |
7105 | 19.2k | if (!ss->opt.enableGrease) { |
7106 | 19.2k | return SECSuccess; |
7107 | 19.2k | } |
7108 | | |
7109 | 0 | PORT_Assert(ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3); |
7110 | |
|
7111 | 0 | if (ss->ssl3.hs.grease) { |
7112 | 0 | return SECFailure; |
7113 | 0 | } |
7114 | 0 | ss->ssl3.hs.grease = PORT_Alloc(sizeof(tls13ClientGrease)); |
7115 | 0 | if (!ss->ssl3.hs.grease) { |
7116 | 0 | return SECFailure; |
7117 | 0 | } |
7118 | | |
7119 | 0 | tls13ClientGrease *grease = ss->ssl3.hs.grease; |
7120 | | /* We require eight GREASE values and randoms. */ |
7121 | 0 | PRUint8 random[8]; |
7122 | | |
7123 | | /* Generate random GREASE values. */ |
7124 | 0 | if (PK11_GenerateRandom(random, sizeof(random)) != SECSuccess) { |
7125 | 0 | return SECFailure; |
7126 | 0 | } |
7127 | 0 | for (size_t i = 0; i < PR_ARRAY_SIZE(grease->idx); i++) { |
7128 | 0 | random[i] = ((random[i] & 0xf0) | 0x0a); |
7129 | 0 | grease->idx[i] = ((random[i] << 8) | random[i]); |
7130 | 0 | } |
7131 | | /* Specific PskKeyExchangeMode GREASE value. */ |
7132 | 0 | grease->pskKem = 0x0b + ((random[8 - 1] >> 5) * 0x1f); |
7133 | | |
7134 | | /* Duplicate extensions are not allowed. */ |
7135 | 0 | if (grease->idx[grease_extension1] == grease->idx[grease_extension2]) { |
7136 | 0 | grease->idx[grease_extension2] ^= 0x1010; |
7137 | 0 | } |
7138 | |
|
7139 | 0 | return SECSuccess; |
7140 | 0 | } |
7141 | | |
7142 | | /* Destroy client GREASE state. */ |
7143 | | void |
7144 | | tls13_ClientGreaseDestroy(sslSocket *ss) |
7145 | 138k | { |
7146 | 138k | if (ss->ssl3.hs.grease) { |
7147 | 0 | PORT_Free(ss->ssl3.hs.grease); |
7148 | 0 | ss->ssl3.hs.grease = NULL; |
7149 | 0 | } |
7150 | 138k | } |
7151 | | |
7152 | | /* Generate a random GREASE value according to RFC8701. |
7153 | | * This function does not provide valid PskKeyExchangeMode GREASE values! */ |
7154 | | SECStatus |
7155 | | tls13_RandomGreaseValue(PRUint16 *out) |
7156 | 0 | { |
7157 | 0 | PRUint8 random; |
7158 | |
|
7159 | 0 | if (PK11_GenerateRandom(&random, sizeof(random)) != SECSuccess) { |
7160 | 0 | return SECFailure; |
7161 | 0 | } |
7162 | | |
7163 | 0 | random = ((random & 0xf0) | 0x0a); |
7164 | 0 | *out = ((random << 8) | random); |
7165 | |
|
7166 | 0 | return SECSuccess; |
7167 | 0 | } |
7168 | | |
7169 | | /* Set TLS 1.3 GREASE Extension random GREASE type. */ |
7170 | | SECStatus |
7171 | | tls13_MaybeGreaseExtensionType(const sslSocket *ss, |
7172 | | const SSLHandshakeType message, |
7173 | | PRUint16 *exType) |
7174 | 352k | { |
7175 | 352k | if (*exType != ssl_tls13_grease_xtn) { |
7176 | 352k | return SECSuccess; |
7177 | 352k | } |
7178 | | |
7179 | 0 | PR_ASSERT(ss->opt.enableGrease); |
7180 | 0 | PR_ASSERT(message == ssl_hs_client_hello || |
7181 | 0 | message == ssl_hs_certificate_request); |
7182 | | |
7183 | | /* GREASE ClientHello: |
7184 | | * A client MAY select one or more GREASE extension values and |
7185 | | * advertise them as extensions with varying length and contents |
7186 | | * [RFC8701, Section 3.1]. */ |
7187 | 0 | if (message == ssl_hs_client_hello) { |
7188 | 0 | PR_ASSERT(ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3); |
7189 | | /* Check if the first GREASE extension was already added. */ |
7190 | 0 | if (!ssl3_ExtensionAdvertised(ss, ss->ssl3.hs.grease->idx[grease_extension1])) { |
7191 | 0 | *exType = ss->ssl3.hs.grease->idx[grease_extension1]; |
7192 | 0 | } else { |
7193 | 0 | *exType = ss->ssl3.hs.grease->idx[grease_extension2]; |
7194 | 0 | } |
7195 | 0 | } |
7196 | | /* GREASE CertificateRequest: |
7197 | | * When sending a CertificateRequest in TLS 1.3, a server MAY behave as |
7198 | | * follows: A server MAY select one or more GREASE extension values and |
7199 | | * advertise them as extensions with varying length and contents |
7200 | | * [RFC8701, Section 4.1]. */ |
7201 | 0 | else if (message == ssl_hs_certificate_request) { |
7202 | 0 | PR_ASSERT(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); |
7203 | | /* Get random grease extension type. */ |
7204 | 0 | SECStatus rv = tls13_RandomGreaseValue(exType); |
7205 | 0 | if (rv != SECSuccess) { |
7206 | 0 | return SECFailure; |
7207 | 0 | } |
7208 | 0 | } |
7209 | | |
7210 | 0 | return SECSuccess; |
7211 | 0 | } |