/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */

/*

 * TLS 1.3 Protocol

 *

 * This Source Code Form is subject to the terms of the Mozilla Public

 * License, v. 2.0. If a copy of the MPL was not distributed with this

 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "sslt.h"

#include "stdarg.h"

#include "cert.h"

#include "ssl.h"

#include "keyhi.h"

#include "pk11func.h"

#include "prerr.h"

#include "secitem.h"

#include "secmod.h"

#include "sslimpl.h"

#include "sslproto.h"

#include "sslerr.h"

#include "ssl3exthandle.h"

#include "tls13hkdf.h"

#include "tls13con.h"

#include "tls13err.h"

#include "tls13ech.h"

#include "tls13exthandle.h"

#include "tls13hashstate.h"

#include "tls13subcerts.h"

#include "tls13psk.h"

static SECStatus tls13_SetCipherSpec(sslSocket *ss, PRUint16 epoch,

                                     SSLSecretDirection install,

                                     PRBool deleteSecret);

static SECStatus tls13_SendServerHelloSequence(sslSocket *ss);

static SECStatus tls13_SendEncryptedExtensions(sslSocket *ss);

static void tls13_SetKeyExchangeType(sslSocket *ss, const sslNamedGroupDef *group);

static SECStatus tls13_HandleClientKeyShare(sslSocket *ss,

                                            TLS13KeyShareEntry *peerShare);

static SECStatus tls13_SendHelloRetryRequest(

    sslSocket *ss, const sslNamedGroupDef *selectedGroup,

    const PRUint8 *token, unsigned int tokenLen);

static SECStatus tls13_HandleServerKeyShare(sslSocket *ss);

static SECStatus tls13_HandleEncryptedExtensions(sslSocket *ss, PRUint8 *b,

                                                 PRUint32 length);

static SECStatus tls13_SendCertificate(sslSocket *ss);

static SECStatus tls13_HandleCertificateDecode(

    sslSocket *ss, PRUint8 *b, PRUint32 length);

static SECStatus tls13_HandleCertificate(

    sslSocket *ss, PRUint8 *b, PRUint32 length, PRBool alreadyHashed);

static SECStatus tls13_ReinjectHandshakeTranscript(sslSocket *ss);

static SECStatus tls13_SendCertificateRequest(sslSocket *ss);

static SECStatus tls13_HandleCertificateRequest(sslSocket *ss, PRUint8 *b,

                                                PRUint32 length);

static SECStatus

tls13_SendCertificateVerify(sslSocket *ss, SECKEYPrivateKey *privKey);

static SECStatus tls13_HandleCertificateVerify(

    sslSocket *ss, PRUint8 *b, PRUint32 length);

static SECStatus tls13_RecoverWrappedSharedSecret(sslSocket *ss,

                                                  sslSessionID *sid);

static SECStatus

tls13_DeriveSecretWrap(sslSocket *ss, PK11SymKey *key,

                       const char *prefix,

                       const char *suffix,

                       const char *keylogLabel,

                       PK11SymKey **dest);

SECStatus

tls13_DeriveSecret(sslSocket *ss, PK11SymKey *key,

                   const char *label,

                   unsigned int labelLen,

                   const SSL3Hashes *hashes,

                   PK11SymKey **dest,

                   SSLHashType hash);

static SECStatus tls13_SendEndOfEarlyData(sslSocket *ss);

static SECStatus tls13_HandleEndOfEarlyData(sslSocket *ss, const PRUint8 *b,

                                            PRUint32 length);

static SECStatus tls13_MaybeHandleSuppressedEndOfEarlyData(sslSocket *ss);

static SECStatus tls13_SendFinished(sslSocket *ss, PK11SymKey *baseKey);

static SECStatus tls13_ComputePskBinderHash(sslSocket *ss, PRUint8 *b, size_t length,

                                            SSL3Hashes *hashes, SSLHashType type);

static SECStatus tls13_VerifyFinished(sslSocket *ss, SSLHandshakeType message,

                                      PK11SymKey *secret,

                                      PRUint8 *b, PRUint32 length,

                                      const SSL3Hashes *hashes);

static SECStatus tls13_ClientHandleFinished(sslSocket *ss,

                                            PRUint8 *b, PRUint32 length);

static SECStatus tls13_ServerHandleFinished(sslSocket *ss,

                                            PRUint8 *b, PRUint32 length);

static SECStatus tls13_SendNewSessionTicket(sslSocket *ss,

                                            const PRUint8 *appToken,

                                            unsigned int appTokenLen);

static SECStatus tls13_HandleNewSessionTicket(sslSocket *ss, PRUint8 *b,

                                              PRUint32 length);

static SECStatus tls13_ComputeEarlySecretsWithPsk(sslSocket *ss);

static SECStatus tls13_ComputeHandshakeSecrets(sslSocket *ss);

static SECStatus tls13_ComputeApplicationSecrets(sslSocket *ss);

static SECStatus tls13_ComputeFinalSecrets(sslSocket *ss);

static SECStatus tls13_ComputeFinished(

    sslSocket *ss, PK11SymKey *baseKey, SSLHashType hashType,

    const SSL3Hashes *hashes, PRBool sending, PRUint8 *output,

    unsigned int *outputLen, unsigned int maxOutputLen);

static SECStatus tls13_SendClientSecondRound(sslSocket *ss);

static SECStatus tls13_SendClientSecondFlight(sslSocket *ss);

static SECStatus tls13_FinishHandshake(sslSocket *ss);

const char kHkdfLabelClient[] = "c";

const char kHkdfLabelServer[] = "s";

const char kHkdfLabelDerivedSecret[] = "derived";

const char kHkdfLabelResPskBinderKey[] = "res binder";

const char kHkdfLabelExtPskBinderKey[] = "ext binder";

const char kHkdfLabelEarlyTrafficSecret[] = "e traffic";

const char kHkdfLabelEarlyExporterSecret[] = "e exp master";

const char kHkdfLabelHandshakeTrafficSecret[] = "hs traffic";

const char kHkdfLabelApplicationTrafficSecret[] = "ap traffic";

const char kHkdfLabelFinishedSecret[] = "finished";

const char kHkdfLabelResumptionMasterSecret[] = "res master";

const char kHkdfLabelExporterMasterSecret[] = "exp master";

const char kHkdfLabelResumption[] = "resumption";

const char kHkdfLabelTrafficUpdate[] = "traffic upd";

const char kHkdfPurposeKey[] = "key";

const char kHkdfPurposeSn[] = "sn";

const char kHkdfPurposeIv[] = "iv";

const char keylogLabelClientEarlyTrafficSecret[] = "CLIENT_EARLY_TRAFFIC_SECRET";

const char keylogLabelClientHsTrafficSecret[] = "CLIENT_HANDSHAKE_TRAFFIC_SECRET";

const char keylogLabelServerHsTrafficSecret[] = "SERVER_HANDSHAKE_TRAFFIC_SECRET";

const char keylogLabelClientTrafficSecret[] = "CLIENT_TRAFFIC_SECRET_0";

const char keylogLabelServerTrafficSecret[] = "SERVER_TRAFFIC_SECRET_0";

const char keylogLabelEarlyExporterSecret[] = "EARLY_EXPORTER_SECRET";

const char keylogLabelExporterSecret[] = "EXPORTER_SECRET";

/* Belt and suspenders in case we ever add a TLS 1.4. */

PR_STATIC_ASSERT(SSL_LIBRARY_VERSION_MAX_SUPPORTED <=

                 SSL_LIBRARY_VERSION_TLS_1_3);

void

tls13_FatalError(sslSocket *ss, PRErrorCode prError, SSL3AlertDescription desc)

{

    PORT_Assert(desc != internal_error); /* These should never happen */

    (void)SSL3_SendAlert(ss, alert_fatal, desc);

    PORT_SetError(prError);

}

#ifdef TRACE

#define STATE_CASE(a) \

    case a:           \

        return #a

static char *

tls13_HandshakeState(SSL3WaitState st)

{

    switch (st) {

        STATE_CASE(idle_handshake);

        STATE_CASE(wait_client_hello);

        STATE_CASE(wait_end_of_early_data);

        STATE_CASE(wait_client_cert);

        STATE_CASE(wait_client_key);

        STATE_CASE(wait_cert_verify);

        STATE_CASE(wait_change_cipher);

        STATE_CASE(wait_finished);

        STATE_CASE(wait_server_hello);

        STATE_CASE(wait_certificate_status);

        STATE_CASE(wait_server_cert);

        STATE_CASE(wait_server_key);

        STATE_CASE(wait_cert_request);

        STATE_CASE(wait_hello_done);

        STATE_CASE(wait_new_session_ticket);

        STATE_CASE(wait_encrypted_extensions);

        default:

            break;

    }

    PORT_Assert(0);

    return "unknown";

}

#endif

#define TLS13_WAIT_STATE_MASK 0x80

#define TLS13_BASE_WAIT_STATE(ws) (ws & ~TLS13_WAIT_STATE_MASK)

/* We don't mask idle_handshake because other parts of the code use it*/

#define TLS13_WAIT_STATE(ws) (((ws == idle_handshake) || (ws == wait_server_hello)) ? ws : ws | TLS13_WAIT_STATE_MASK)

#define TLS13_CHECK_HS_STATE(ss, err, ...)                          \

    tls13_CheckHsState(ss, err, #err, __func__, __FILE__, __LINE__, \

                       __VA_ARGS__,                                 \

                       wait_invalid)

void

tls13_SetHsState(sslSocket *ss, SSL3WaitState ws,

                 const char *func, const char *file, int line)

{

#ifdef TRACE

    const char *new_state_name =

        tls13_HandshakeState(ws);

    SSL_TRC(3, ("%d: TLS13[%d]: %s state change from %s->%s in %s (%s:%d)",

                SSL_GETPID(), ss->fd, SSL_ROLE(ss),

                tls13_HandshakeState(TLS13_BASE_WAIT_STATE(ss->ssl3.hs.ws)),

                new_state_name,

                func, file, line));

#endif

    ss->ssl3.hs.ws = TLS13_WAIT_STATE(ws);

}

static PRBool

tls13_InHsStateV(sslSocket *ss, va_list ap)

{

    SSL3WaitState ws;

    while ((ws = va_arg(ap, SSL3WaitState)) != wait_invalid) {

        if (TLS13_WAIT_STATE(ws) == ss->ssl3.hs.ws) {

            return PR_TRUE;

        }

    }

    return PR_FALSE;

}

PRBool

tls13_InHsState(sslSocket *ss, ...)

{

    PRBool found;

    va_list ap;

    va_start(ap, ss);

    found = tls13_InHsStateV(ss, ap);

    va_end(ap);

    return found;

}

static SECStatus

tls13_CheckHsState(sslSocket *ss, int err, const char *error_name,

                   const char *func, const char *file, int line,

                   ...)

{

    va_list ap;

    va_start(ap, line);

    if (tls13_InHsStateV(ss, ap)) {

        va_end(ap);

        return SECSuccess;

    }

    va_end(ap);

    SSL_TRC(3, ("%d: TLS13[%d]: error %s state is (%s) at %s (%s:%d)",

                SSL_GETPID(), ss->fd,

                error_name,

                tls13_HandshakeState(TLS13_BASE_WAIT_STATE(ss->ssl3.hs.ws)),

                func, file, line));

    tls13_FatalError(ss, err, unexpected_message);

    return SECFailure;

}

PRBool

tls13_IsPostHandshake(const sslSocket *ss)

{

    return ss->version >= SSL_LIBRARY_VERSION_TLS_1_3 && ss->firstHsDone;

}

SSLHashType

tls13_GetHashForCipherSuite(ssl3CipherSuite suite)

{

    const ssl3CipherSuiteDef *cipherDef =

        ssl_LookupCipherSuiteDef(suite);

    PORT_Assert(cipherDef);

    if (!cipherDef) {

        return ssl_hash_none;

    }

    return cipherDef->prf_hash;

}

SSLHashType

tls13_GetHash(const sslSocket *ss)

{

    /* suite_def may not be set yet when doing EPSK 0-Rtt. */

    if (!ss->ssl3.hs.suite_def) {

        if (ss->xtnData.selectedPsk) {

            return ss->xtnData.selectedPsk->hash;

        }

        /* This should never happen. */

        PORT_Assert(0);

        return ssl_hash_none;

    }

    /* All TLS 1.3 cipher suites must have an explict PRF hash. */

    PORT_Assert(ss->ssl3.hs.suite_def->prf_hash != ssl_hash_none);

    return ss->ssl3.hs.suite_def->prf_hash;

}

SECStatus

tls13_GetHashAndCipher(PRUint16 version, PRUint16 cipherSuite,

                       SSLHashType *hash, const ssl3BulkCipherDef **cipher)

{

    if (version < SSL_LIBRARY_VERSION_TLS_1_3) {

        PORT_SetError(SEC_ERROR_INVALID_ARGS);

        return SECFailure;

    }

    // Lookup and check the suite.

    SSLVersionRange vrange = { version, version };

    if (!ssl3_CipherSuiteAllowedForVersionRange(cipherSuite, &vrange)) {

        PORT_SetError(SEC_ERROR_INVALID_ARGS);

        return SECFailure;

    }

    const ssl3CipherSuiteDef *suiteDef = ssl_LookupCipherSuiteDef(cipherSuite);

    const ssl3BulkCipherDef *cipherDef = ssl_GetBulkCipherDef(suiteDef);

    if (cipherDef->type != type_aead) {

        PORT_SetError(SEC_ERROR_INVALID_ARGS);

        return SECFailure;

    }

    *hash = suiteDef->prf_hash;

    if (cipher != NULL) {

        *cipher = cipherDef;

    }

    return SECSuccess;

}

unsigned int

tls13_GetHashSizeForHash(SSLHashType hash)

{

    switch (hash) {

        case ssl_hash_sha256:

            return 32;

        case ssl_hash_sha384:

            return 48;

        default:

            PORT_Assert(0);

    }

    return 32;

}

unsigned int

tls13_GetHashSize(const sslSocket *ss)

{

    return tls13_GetHashSizeForHash(tls13_GetHash(ss));

}

static CK_MECHANISM_TYPE

tls13_GetHmacMechanismFromHash(SSLHashType hashType)

{

    switch (hashType) {

        case ssl_hash_sha256:

            return CKM_SHA256_HMAC;

        case ssl_hash_sha384:

            return CKM_SHA384_HMAC;

        default:

            PORT_Assert(0);

    }

    return CKM_SHA256_HMAC;

}

static CK_MECHANISM_TYPE

tls13_GetHmacMechanism(const sslSocket *ss)

{

    return tls13_GetHmacMechanismFromHash(tls13_GetHash(ss));

}

SECStatus

tls13_ComputeHash(sslSocket *ss, SSL3Hashes *hashes,

                  const PRUint8 *buf, unsigned int len,

                  SSLHashType hash)

{

    SECStatus rv;

    rv = PK11_HashBuf(ssl3_HashTypeToOID(hash), hashes->u.raw, buf, len);

    if (rv != SECSuccess) {

        FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);

        return SECFailure;

    }

    hashes->len = tls13_GetHashSizeForHash(hash);

    return SECSuccess;

}

static SECStatus

tls13_CreateKEMKeyPair(sslSocket *ss, const sslNamedGroupDef *groupDef,

                       sslKeyPair **outKeyPair)

{

    PORT_Assert(groupDef);

    sslKeyPair *keyPair = NULL;

    SECKEYPrivateKey *privKey = NULL;

    SECKEYPublicKey *pubKey = NULL;

    CK_MECHANISM_TYPE mechanism;

    CK_NSS_KEM_PARAMETER_SET_TYPE paramSet;

    switch (groupDef->name) {

        case ssl_grp_kem_xyber768d00:

            mechanism = CKM_NSS_KYBER_KEY_PAIR_GEN;

            paramSet = CKP_NSS_KYBER_768_ROUND3;

            break;

        case ssl_grp_kem_mlkem768x25519:

        case ssl_grp_kem_secp256r1mlkem768:

            mechanism = CKM_ML_KEM_KEY_PAIR_GEN;

            paramSet = CKP_ML_KEM_768;

            break;

        case ssl_grp_kem_secp384r1mlkem1024:

            mechanism = CKM_ML_KEM_KEY_PAIR_GEN;

            paramSet = CKP_ML_KEM_1024;

            break;

        default:

            PORT_Assert(0);

            PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);

            return SECFailure;

    }

    PK11SlotInfo *slot = PK11_GetBestSlot(mechanism, ss->pkcs11PinArg);

    if (!slot) {

        goto loser;

    }

    /* avoid pairwise check in non-FIPS mode */

    /* the only difference between CKM_ML_KEM_KEY_PAIR_GEN and

     * CKM_NSS_ML_KEM_KEY_PAIR_GEN is the latter skips the pairwise consistency

     * check and is only supported by softoken */

    if ((mechanism == CKM_ML_KEM_KEY_PAIR_GEN) && !PK11_IsFIPS() &&

        PK11_DoesMechanism(slot, CKM_NSS_ML_KEM_KEY_PAIR_GEN)) {

        mechanism = CKM_NSS_ML_KEM_KEY_PAIR_GEN;

    }

    privKey = PK11_GenerateKeyPairWithOpFlags(slot, mechanism,

                                              &paramSet, &pubKey,

                                              PK11_ATTR_SESSION | PK11_ATTR_INSENSITIVE | PK11_ATTR_PUBLIC,

                                              CKF_ENCAPSULATE | CKF_DECAPSULATE,

                                              CKF_ENCAPSULATE | CKF_DECAPSULATE,

                                              ss->pkcs11PinArg);

    if (!privKey) {

        privKey = PK11_GenerateKeyPairWithOpFlags(slot, mechanism,

                                                  &paramSet, &pubKey,

                                                  PK11_ATTR_SESSION | PK11_ATTR_SENSITIVE | PK11_ATTR_PRIVATE,

                                                  CKF_ENCAPSULATE | CKF_DECAPSULATE,

                                                  CKF_ENCAPSULATE | CKF_DECAPSULATE,

                                                  ss->pkcs11PinArg);

    }

    PK11_FreeSlot(slot);

    if (!privKey || !pubKey) {

        goto loser;

    }

    keyPair = ssl_NewKeyPair(privKey, pubKey);

    if (!keyPair) {

        goto loser;

    }

    SSL_TRC(50, ("%d: SSL[%d]: Create Kyber ephemeral key %d",

                 SSL_GETPID(), ss ? ss->fd : NULL, groupDef->name));

    PRINT_BUF(50, (ss, "Public Key", pubKey->u.kyber.publicValue.data,

                   pubKey->u.kyber.publicValue.len));

#ifdef TRACE

    if (ssl_trace >= 50) {

        SECItem d = { siBuffer, NULL, 0 };

        SECStatus rv = PK11_ReadRawAttribute(PK11_TypePrivKey, privKey, CKA_VALUE, &d);

        if (rv == SECSuccess) {

            PRINT_BUF(50, (ss, "Private Key", d.data, d.len));

            SECITEM_FreeItem(&d, PR_FALSE);

        } else {

            SSL_TRC(50, ("Error extracting private key"));

        }

    }

#endif

    *outKeyPair = keyPair;

    return SECSuccess;

loser:

    SECKEY_DestroyPrivateKey(privKey);

    SECKEY_DestroyPublicKey(pubKey);

    ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);

    return SECFailure;

}

/* only copy the ECDH component of an ephemeral KeyPair */

sslEphemeralKeyPair *

tls13_CopyECDHKeyFromHybrid(sslEphemeralKeyPair *copyKeyPair,

                            const sslNamedGroupDef *groupDef)

{

    /* We could use ssl_CopyEphemeralKeyPair here, but we would need to free

     * the KEM components. So we only copy the ECDH keys */

    sslEphemeralKeyPair *keyPair = PORT_ZNew(sslEphemeralKeyPair);

    if (!keyPair) {

        return NULL;

    }

    PR_INIT_CLIST(&keyPair->link);

    keyPair->group = groupDef;

    keyPair->keys = ssl_GetKeyPairRef(copyKeyPair->keys);

    return keyPair;

}

/*

 * find a hybrid key Pair they might contain the same ecdh key so we

 * can reuse them. Each ec group can map to more than one hybrid Pair

 */

sslEphemeralKeyPair *

tls13_FindHybridKeyPair(sslSocket *ss, const sslNamedGroupDef *groupDef)

{

    sslEphemeralKeyPair *hybridPair = NULL;

    switch (groupDef->name) {

        case ssl_grp_ec_secp256r1:

            /* future, this may be a loop to check multiple named groups */

            hybridPair = ssl_LookupEphemeralKeyPair(ss,

                                                    ssl_LookupNamedGroup(ssl_grp_kem_secp256r1mlkem768));

            break;

        case ssl_grp_ec_secp384r1:

            hybridPair = ssl_LookupEphemeralKeyPair(ss,

                                                    ssl_LookupNamedGroup(ssl_grp_kem_secp384r1mlkem1024));

            break;

        case ssl_grp_ec_curve25519: {

            /* a loop to check multiple named groups */

            SSLNamedGroup gnames[] = { ssl_grp_kem_xyber768d00,

                                       ssl_grp_kem_mlkem768x25519 };

            for (int i = 0; i < PR_ARRAY_SIZE(gnames); i++) {

                hybridPair = ssl_LookupEphemeralKeyPair(ss,

                                                        ssl_LookupNamedGroup(gnames[i]));

                if (hybridPair != NULL) {

                    break;

                }

            }

            break;

        }

        default:

            PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);

            return NULL;

    }

    return hybridPair;

}

SECStatus

tls13_CreateKeyShare(sslSocket *ss, const sslNamedGroupDef *groupDef,

                     sslEphemeralKeyPair **outKeyPair)

{

    SECStatus rv;

    const ssl3DHParams *params;

    sslEphemeralKeyPair *keyPair = NULL;

    const sslNamedGroupDef *ecGroup = NULL;

    PORT_Assert(groupDef);

    switch (groupDef->keaType) {

        case ssl_kea_ecdh_hybrid:

            switch (groupDef->name) {

                case ssl_grp_kem_secp256r1mlkem768:

                    ecGroup = ssl_LookupNamedGroup(ssl_grp_ec_secp256r1);

                    break;

                case ssl_grp_kem_secp384r1mlkem1024:

                    ecGroup = ssl_LookupNamedGroup(ssl_grp_ec_secp384r1);

                    break;

                case ssl_grp_kem_xyber768d00:

                case ssl_grp_kem_mlkem768x25519:

                    ecGroup = ssl_LookupNamedGroup(ssl_grp_ec_curve25519);

                    break;

                default:

                    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);

                    return SECFailure;

            }

            if (ecGroup == NULL) {

                PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);

                return SECFailure;

            }

            keyPair = ssl_LookupEphemeralKeyPair(ss, ecGroup);

            if (keyPair) {

                keyPair = ssl_CopyEphemeralKeyPair(keyPair);

            }

            if (!keyPair) {

                rv = ssl_CreateECDHEphemeralKeyPair(ss, ecGroup, &keyPair);

                if (rv != SECSuccess) {

                    return SECFailure;

                }

            }

            keyPair->group = groupDef;

            break;

        case ssl_kea_ecdh:

            keyPair = tls13_FindHybridKeyPair(ss, groupDef);

            if (keyPair) {

                keyPair = tls13_CopyECDHKeyFromHybrid(keyPair, groupDef);

            }

            if (!keyPair) {

                rv = ssl_CreateECDHEphemeralKeyPair(ss, groupDef, &keyPair);

                if (rv != SECSuccess) {

                    return SECFailure;

                }

            }

            break;

        case ssl_kea_dh:

            params = ssl_GetDHEParams(groupDef);

            PORT_Assert(params->name != ssl_grp_ffdhe_custom);

            rv = ssl_CreateDHEKeyPair(groupDef, params, &keyPair);

            if (rv != SECSuccess) {

                return SECFailure;

            }

            break;

        default:

            PORT_Assert(0);

            PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);

            return SECFailure;

    }

    // If we're creating an ECDH + KEM hybrid share and we're the client, then

    // we still need to generate the KEM key pair. Otherwise we're done.

    if (groupDef->keaType == ssl_kea_ecdh_hybrid && !ss->sec.isServer) {

        rv = tls13_CreateKEMKeyPair(ss, groupDef, &keyPair->kemKeys);

        if (rv != SECSuccess) {

            ssl_FreeEphemeralKeyPair(keyPair);

            return SECFailure;

        }

    }

    *outKeyPair = keyPair;

    return SECSuccess;

}

SECStatus

tls13_AddKeyShare(sslSocket *ss, const sslNamedGroupDef *groupDef)

{

    sslEphemeralKeyPair *keyPair = NULL;

    SECStatus rv;

    rv = tls13_CreateKeyShare(ss, groupDef, &keyPair);

    if (rv != SECSuccess) {

        return SECFailure;

    }

    PR_APPEND_LINK(&keyPair->link, &ss->ephemeralKeyPairs);

    return SECSuccess;

}

SECStatus

SSL_SendAdditionalKeyShares(PRFileDesc *fd, unsigned int count)

{

    sslSocket *ss = ssl_FindSocket(fd);

    if (!ss) {

        PORT_SetError(SEC_ERROR_INVALID_ARGS);

        return SECFailure;

    }

    ss->additionalShares = count;

    return SECSuccess;

}

/*

 * Generate shares for ECDHE and FFDHE.  This picks the first enabled group of

 * the requisite type and creates a share for that.

 *

 * Called from ssl3_SendClientHello.

 */

SECStatus

tls13_SetupClientHello(sslSocket *ss, sslClientHelloType chType)

{

    unsigned int i;

    SSL3Statistics *ssl3stats = SSL_GetStatistics();

    NewSessionTicket *session_ticket = NULL;

    sslSessionID *sid = ss->sec.ci.sid;

    unsigned int numShares = 0;

    SECStatus rv;

    PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));

    PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));

    rv = tls13_ClientSetupEch(ss, chType);

    if (rv != SECSuccess) {

        return SECFailure;

    }

    /* Everything below here is only run on the first CH. */

    if (chType != client_hello_initial) {

        return SECSuccess;

    }

    rv = tls13_ClientGreaseSetup(ss);

    if (rv != SECSuccess) {

        return SECFailure;

    }

    /* Select the first enabled group.

     * TODO(ekr@rtfm.com): be smarter about offering the group

     * that the other side negotiated if we are resuming. */

    PORT_Assert(PR_CLIST_IS_EMPTY(&ss->ephemeralKeyPairs));

    for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) {

        if (!ss->namedGroupPreferences[i]) {

            continue;

        }

        rv = tls13_AddKeyShare(ss, ss->namedGroupPreferences[i]);

        if (rv != SECSuccess) {

            return SECFailure;

        }

        if (++numShares > ss->additionalShares) {

            break;

        }

    }

    if (PR_CLIST_IS_EMPTY(&ss->ephemeralKeyPairs)) {

        PORT_SetError(SSL_ERROR_NO_CIPHERS_SUPPORTED);

        return SECFailure;

    }

    /* Try to do stateless resumption, if we can. */

    if (sid->cached != never_cached &&

        sid->version >= SSL_LIBRARY_VERSION_TLS_1_3) {

        /* The caller must be holding sid->u.ssl3.lock for reading. */

        session_ticket = &sid->u.ssl3.locked.sessionTicket;

        PORT_Assert(session_ticket && session_ticket->ticket.data);

        if (ssl_TicketTimeValid(ss, session_ticket)) {

            ss->statelessResume = PR_TRUE;

        }

        if (ss->statelessResume) {

            PORT_Assert(ss->sec.ci.sid);

            rv = tls13_RecoverWrappedSharedSecret(ss, ss->sec.ci.sid);

            if (rv != SECSuccess) {

                FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);

                SSL_AtomicIncrementLong(&ssl3stats->sch_sid_cache_not_ok);

                ssl_UncacheSessionID(ss);

                ssl_FreeSID(ss->sec.ci.sid);

                ss->sec.ci.sid = NULL;

                return SECFailure;

            }

            ss->ssl3.hs.cipher_suite = ss->sec.ci.sid->u.ssl3.cipherSuite;

            rv = ssl3_SetupCipherSuite(ss, PR_FALSE);

            if (rv != SECSuccess) {

                FATAL_ERROR(ss, PORT_GetError(), internal_error);

                return SECFailure;

            }

            PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks));

        }

    }

    /* Derive the binder keys if any PSKs. */

    if (!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks)) {

        /* If an External PSK specified a suite, use that. */

        sslPsk *psk = (sslPsk *)PR_LIST_HEAD(&ss->ssl3.hs.psks);

        if (!ss->statelessResume &&

            psk->type == ssl_psk_external &&

            psk->zeroRttSuite != TLS_NULL_WITH_NULL_NULL) {

            ss->ssl3.hs.cipher_suite = psk->zeroRttSuite;

        }

        rv = tls13_ComputeEarlySecretsWithPsk(ss);

        if (rv != SECSuccess) {

            FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);

            return SECFailure;

        }

    }

    tls13_EchKeyLog(ss);

    return SECSuccess;

}

static SECStatus

tls13_ImportDHEKeyShare(SECKEYPublicKey *peerKey,

                        PRUint8 *b, PRUint32 length,

                        SECKEYPublicKey *pubKey)

{

    SECStatus rv;

    SECItem publicValue = { siBuffer, NULL, 0 };

    publicValue.data = b;

    publicValue.len = length;

    if (!ssl_IsValidDHEShare(&pubKey->u.dh.prime, &publicValue)) {

        PORT_SetError(SSL_ERROR_RX_MALFORMED_DHE_KEY_SHARE);

        return SECFailure;

    }

    peerKey->keyType = dhKey;

    rv = SECITEM_CopyItem(peerKey->arena, &peerKey->u.dh.prime,

                          &pubKey->u.dh.prime);

    if (rv != SECSuccess)

        return SECFailure;

    rv = SECITEM_CopyItem(peerKey->arena, &peerKey->u.dh.base,

                          &pubKey->u.dh.base);

    if (rv != SECSuccess)

        return SECFailure;

    rv = SECITEM_CopyItem(peerKey->arena, &peerKey->u.dh.publicValue,

                          &publicValue);

    if (rv != SECSuccess)

        return SECFailure;

    return SECSuccess;

}

static SECStatus

tls13_ImportKEMKeyShare(SECKEYPublicKey *peerKey, TLS13KeyShareEntry *entry)

{

    SECItem pk = { siBuffer, NULL, 0 };

    SECStatus rv;

    size_t expected_len;

    switch (entry->group->name) {

        case ssl_grp_kem_xyber768d00:

            expected_len = X25519_PUBLIC_KEY_BYTES + KYBER768_PUBLIC_KEY_BYTES;

            break;

        case ssl_grp_kem_mlkem768x25519:

            expected_len = X25519_PUBLIC_KEY_BYTES + KYBER768_PUBLIC_KEY_BYTES;

            break;

        case ssl_grp_kem_secp256r1mlkem768:

            expected_len = SECP256_PUBLIC_KEY_BYTES + KYBER768_PUBLIC_KEY_BYTES;

            break;

        case ssl_grp_kem_secp384r1mlkem1024:

            expected_len = SECP384_PUBLIC_KEY_BYTES + MLKEM1024_PUBLIC_KEY_BYTES;

            break;

        default:

            PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);

            return SECFailure;

    }

    if (entry->key_exchange.len != expected_len) {

        PORT_SetError(SSL_ERROR_RX_MALFORMED_HYBRID_KEY_SHARE);

        return SECFailure;

    }

    switch (entry->group->name) {

        case ssl_grp_kem_xyber768d00:

            peerKey->keyType = kyberKey;

            peerKey->u.kyber.params = params_kyber768_round3;

            // key_exchange.data is `x25519 || kyber768`

            pk.data = entry->key_exchange.data + X25519_PUBLIC_KEY_BYTES;

            pk.len = KYBER768_PUBLIC_KEY_BYTES;

            break;

        case ssl_grp_kem_mlkem768x25519:

            peerKey->keyType = kyberKey;

            peerKey->u.kyber.params = params_ml_kem768;

            // key_exchange.data is `mlkem768 || x25519`

            pk.data = entry->key_exchange.data;

            pk.len = KYBER768_PUBLIC_KEY_BYTES;

            break;

        case ssl_grp_kem_secp256r1mlkem768:

            peerKey->keyType = kyberKey;

            peerKey->u.kyber.params = params_ml_kem768;

            /* key_exchange.data is `secp256 || mlkem768` */

            pk.data = entry->key_exchange.data + SECP256_PUBLIC_KEY_BYTES;

            pk.len = KYBER768_PUBLIC_KEY_BYTES;

            break;

        case ssl_grp_kem_secp384r1mlkem1024:

            peerKey->keyType = kyberKey;

            peerKey->u.kyber.params = params_ml_kem1024;

            /* key_exchange.data is `secp384 || mlkem1024` */

            pk.data = entry->key_exchange.data + SECP384_PUBLIC_KEY_BYTES;

            pk.len = MLKEM1024_PUBLIC_KEY_BYTES;

            break;

        default:

            PORT_Assert(0);

            PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);

            return SECFailure;

    }

    rv = SECITEM_CopyItem(peerKey->arena, &peerKey->u.kyber.publicValue, &pk);

    if (rv != SECSuccess) {

        PORT_SetError(SEC_ERROR_NO_MEMORY);

        return SECFailure;

    }

    return SECSuccess;

}

static SECStatus

tls13_HandleKEMCiphertext(sslSocket *ss, TLS13KeyShareEntry *entry, sslKeyPair *keyPair, PK11SymKey **outKey)

{

    SECItem ct = { siBuffer, NULL, 0 };

    SECStatus rv;

    switch (entry->group->name) {

        case ssl_grp_kem_xyber768d00:

            if (entry->key_exchange.len != X25519_PUBLIC_KEY_BYTES + KYBER768_CIPHERTEXT_BYTES) {

                ssl_MapLowLevelError(SSL_ERROR_RX_MALFORMED_HYBRID_KEY_SHARE);

                return SECFailure;

            }

            ct.data = entry->key_exchange.data + X25519_PUBLIC_KEY_BYTES;

            ct.len = KYBER768_CIPHERTEXT_BYTES;

            break;

        case ssl_grp_kem_mlkem768x25519:

            if (entry->key_exchange.len != X25519_PUBLIC_KEY_BYTES + KYBER768_CIPHERTEXT_BYTES) {

                ssl_MapLowLevelError(SSL_ERROR_RX_MALFORMED_HYBRID_KEY_SHARE);

                return SECFailure;

            }

            ct.data = entry->key_exchange.data;

            ct.len = KYBER768_CIPHERTEXT_BYTES;

            break;

        case ssl_grp_kem_secp256r1mlkem768:

            if (entry->key_exchange.len != SECP256_PUBLIC_KEY_BYTES + KYBER768_CIPHERTEXT_BYTES) {

                ssl_MapLowLevelError(SSL_ERROR_RX_MALFORMED_HYBRID_KEY_SHARE);

                return SECFailure;

            }

            ct.data = entry->key_exchange.data + SECP256_PUBLIC_KEY_BYTES;

            ct.len = KYBER768_CIPHERTEXT_BYTES;

            break;

        case ssl_grp_kem_secp384r1mlkem1024:

            if (entry->key_exchange.len != SECP384_PUBLIC_KEY_BYTES + MLKEM1024_CIPHERTEXT_BYTES) {

                ssl_MapLowLevelError(SSL_ERROR_RX_MALFORMED_HYBRID_KEY_SHARE);

                return SECFailure;

            }

            ct.data = entry->key_exchange.data + SECP384_PUBLIC_KEY_BYTES;

            ct.len = MLKEM1024_CIPHERTEXT_BYTES;

            break;

        default:

            PORT_Assert(0);

            ssl_MapLowLevelError(SEC_ERROR_LIBRARY_FAILURE);

            return SECFailure;

    }

    rv = PK11_Decapsulate(keyPair->privKey, &ct, CKM_HKDF_DERIVE,

                          PK11_ATTR_SESSION | PK11_ATTR_INSENSITIVE,

                          CKF_DERIVE, outKey);

    if (rv != SECSuccess) {

        rv = PK11_Decapsulate(keyPair->privKey, &ct, CKM_HKDF_DERIVE,

                              PK11_ATTR_SESSION | PK11_ATTR_SENSITIVE,

                              CKF_DERIVE, outKey);

        if (rv != SECSuccess) {

            ssl_MapLowLevelError(SSL_ERROR_KEY_EXCHANGE_FAILURE);

        }

    }

    return rv;

}

static SECStatus

tls13_HandleKEMKey(sslSocket *ss,

                   TLS13KeyShareEntry *entry,

                   PK11SymKey **key,

                   SECItem **ciphertext)

{

    PORTCheapArenaPool arena;

    SECKEYPublicKey *peerKey;

    CK_OBJECT_HANDLE handle;

    SECStatus rv;

    PORT_InitCheapArena(&arena, DER_DEFAULT_CHUNKSIZE);

    peerKey = PORT_ArenaZNew(&arena.arena, SECKEYPublicKey);

    if (peerKey == NULL) {

        goto loser;

    }

    peerKey->arena = &arena.arena;

    peerKey->pkcs11Slot = NULL;

    peerKey->pkcs11ID = CK_INVALID_HANDLE;

    rv = tls13_ImportKEMKeyShare(peerKey, entry);

    if (rv != SECSuccess) {

        goto loser;

    }

    PK11SlotInfo *slot = PK11_GetBestSlot(CKM_ML_KEM, ss->pkcs11PinArg);

    if (!slot) {

        goto loser;

    }

    handle = PK11_ImportPublicKey(slot, peerKey, PR_FALSE);

    PK11_FreeSlot(slot); /* peerKey holds a slot reference on success. */

    if (handle == CK_INVALID_HANDLE) {

        goto loser;

    }

    rv = PK11_Encapsulate(peerKey, CKM_HKDF_DERIVE,

                          PK11_ATTR_SESSION | PK11_ATTR_INSENSITIVE,

                          CKF_DERIVE, key, ciphertext);

    if (rv != SECSuccess) {

        rv = PK11_Encapsulate(peerKey, CKM_HKDF_DERIVE,

                              PK11_ATTR_SESSION | PK11_ATTR_SENSITIVE,

                              CKF_DERIVE, key, ciphertext);

    }

    /* Destroy the imported public key */

    PORT_Assert(peerKey->pkcs11Slot);

    PK11_DestroyObject(peerKey->pkcs11Slot, peerKey->pkcs11ID);

    PK11_FreeSlot(peerKey->pkcs11Slot);

    PORT_DestroyCheapArena(&arena);

    return rv;

loser:

    PORT_DestroyCheapArena(&arena);

    return SECFailure;

}

SECStatus

tls13_HandleKeyShare(sslSocket *ss,

                     TLS13KeyShareEntry *entry,

                     sslKeyPair *keyPair,

                     SSLHashType hash,

                     PK11SymKey **out)

{

    PORTCheapArenaPool arena;

    SECKEYPublicKey *peerKey;

    CK_MECHANISM_TYPE mechanism;

    PK11SymKey *key;

    unsigned char *ec_data;

    SECStatus rv;

    int keySize = 0;