File: | s/lib/ssl/tls13con.c |
Warning: | line 2843, column 14 4th function call argument is an uninitialized value |
Press '?' to see keyboard shortcuts
Keyboard shortcuts:
1 | /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ | |||
2 | /* | |||
3 | * TLS 1.3 Protocol | |||
4 | * | |||
5 | * This Source Code Form is subject to the terms of the Mozilla Public | |||
6 | * License, v. 2.0. If a copy of the MPL was not distributed with this | |||
7 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | |||
8 | ||||
9 | #include "sslt.h" | |||
10 | #include "stdarg.h" | |||
11 | #include "cert.h" | |||
12 | #include "ssl.h" | |||
13 | #include "keyhi.h" | |||
14 | #include "pk11func.h" | |||
15 | #include "prerr.h" | |||
16 | #include "secitem.h" | |||
17 | #include "secmod.h" | |||
18 | #include "sslimpl.h" | |||
19 | #include "sslproto.h" | |||
20 | #include "sslerr.h" | |||
21 | #include "ssl3exthandle.h" | |||
22 | #include "tls13hkdf.h" | |||
23 | #include "tls13con.h" | |||
24 | #include "tls13err.h" | |||
25 | #include "tls13ech.h" | |||
26 | #include "tls13exthandle.h" | |||
27 | #include "tls13hashstate.h" | |||
28 | #include "tls13subcerts.h" | |||
29 | #include "tls13psk.h" | |||
30 | ||||
31 | static SECStatus tls13_SetCipherSpec(sslSocket *ss, PRUint16 epoch, | |||
32 | SSLSecretDirection install, | |||
33 | PRBool deleteSecret); | |||
34 | static SECStatus tls13_SendServerHelloSequence(sslSocket *ss); | |||
35 | static SECStatus tls13_SendEncryptedExtensions(sslSocket *ss); | |||
36 | static void tls13_SetKeyExchangeType(sslSocket *ss, const sslNamedGroupDef *group); | |||
37 | static SECStatus tls13_HandleClientKeyShare(sslSocket *ss, | |||
38 | TLS13KeyShareEntry *peerShare); | |||
39 | static SECStatus tls13_SendHelloRetryRequest( | |||
40 | sslSocket *ss, const sslNamedGroupDef *selectedGroup, | |||
41 | const PRUint8 *token, unsigned int tokenLen); | |||
42 | ||||
43 | static SECStatus tls13_HandleServerKeyShare(sslSocket *ss); | |||
44 | static SECStatus tls13_HandleEncryptedExtensions(sslSocket *ss, PRUint8 *b, | |||
45 | PRUint32 length); | |||
46 | static SECStatus tls13_SendCertificate(sslSocket *ss); | |||
47 | static SECStatus tls13_HandleCertificateDecode( | |||
48 | sslSocket *ss, PRUint8 *b, PRUint32 length); | |||
49 | static SECStatus tls13_HandleCertificate( | |||
50 | sslSocket *ss, PRUint8 *b, PRUint32 length, PRBool alreadyHashed); | |||
51 | static SECStatus tls13_ReinjectHandshakeTranscript(sslSocket *ss); | |||
52 | static SECStatus tls13_SendCertificateRequest(sslSocket *ss); | |||
53 | static SECStatus tls13_HandleCertificateRequest(sslSocket *ss, PRUint8 *b, | |||
54 | PRUint32 length); | |||
55 | static SECStatus | |||
56 | tls13_SendCertificateVerify(sslSocket *ss, SECKEYPrivateKey *privKey); | |||
57 | static SECStatus tls13_HandleCertificateVerify( | |||
58 | sslSocket *ss, PRUint8 *b, PRUint32 length); | |||
59 | static SECStatus tls13_RecoverWrappedSharedSecret(sslSocket *ss, | |||
60 | sslSessionID *sid); | |||
61 | static SECStatus | |||
62 | tls13_DeriveSecretWrap(sslSocket *ss, PK11SymKey *key, | |||
63 | const char *prefix, | |||
64 | const char *suffix, | |||
65 | const char *keylogLabel, | |||
66 | PK11SymKey **dest); | |||
67 | SECStatus | |||
68 | tls13_DeriveSecret(sslSocket *ss, PK11SymKey *key, | |||
69 | const char *label, | |||
70 | unsigned int labelLen, | |||
71 | const SSL3Hashes *hashes, | |||
72 | PK11SymKey **dest, | |||
73 | SSLHashType hash); | |||
74 | static SECStatus tls13_SendEndOfEarlyData(sslSocket *ss); | |||
75 | static SECStatus tls13_HandleEndOfEarlyData(sslSocket *ss, const PRUint8 *b, | |||
76 | PRUint32 length); | |||
77 | static SECStatus tls13_MaybeHandleSuppressedEndOfEarlyData(sslSocket *ss); | |||
78 | static SECStatus tls13_SendFinished(sslSocket *ss, PK11SymKey *baseKey); | |||
79 | static SECStatus tls13_ComputePskBinderHash(sslSocket *ss, PRUint8 *b, size_t length, | |||
80 | SSL3Hashes *hashes, SSLHashType type); | |||
81 | static SECStatus tls13_VerifyFinished(sslSocket *ss, SSLHandshakeType message, | |||
82 | PK11SymKey *secret, | |||
83 | PRUint8 *b, PRUint32 length, | |||
84 | const SSL3Hashes *hashes); | |||
85 | static SECStatus tls13_ClientHandleFinished(sslSocket *ss, | |||
86 | PRUint8 *b, PRUint32 length); | |||
87 | static SECStatus tls13_ServerHandleFinished(sslSocket *ss, | |||
88 | PRUint8 *b, PRUint32 length); | |||
89 | static SECStatus tls13_SendNewSessionTicket(sslSocket *ss, | |||
90 | const PRUint8 *appToken, | |||
91 | unsigned int appTokenLen); | |||
92 | static SECStatus tls13_HandleNewSessionTicket(sslSocket *ss, PRUint8 *b, | |||
93 | PRUint32 length); | |||
94 | static SECStatus tls13_ComputeEarlySecretsWithPsk(sslSocket *ss); | |||
95 | static SECStatus tls13_ComputeHandshakeSecrets(sslSocket *ss); | |||
96 | static SECStatus tls13_ComputeApplicationSecrets(sslSocket *ss); | |||
97 | static SECStatus tls13_ComputeFinalSecrets(sslSocket *ss); | |||
98 | static SECStatus tls13_ComputeFinished( | |||
99 | sslSocket *ss, PK11SymKey *baseKey, SSLHashType hashType, | |||
100 | const SSL3Hashes *hashes, PRBool sending, PRUint8 *output, | |||
101 | unsigned int *outputLen, unsigned int maxOutputLen); | |||
102 | static SECStatus tls13_SendClientSecondRound(sslSocket *ss); | |||
103 | static SECStatus tls13_SendClientSecondFlight(sslSocket *ss); | |||
104 | static SECStatus tls13_FinishHandshake(sslSocket *ss); | |||
105 | ||||
106 | const char kHkdfLabelClient[] = "c"; | |||
107 | const char kHkdfLabelServer[] = "s"; | |||
108 | const char kHkdfLabelDerivedSecret[] = "derived"; | |||
109 | const char kHkdfLabelResPskBinderKey[] = "res binder"; | |||
110 | const char kHkdfLabelExtPskBinderKey[] = "ext binder"; | |||
111 | const char kHkdfLabelEarlyTrafficSecret[] = "e traffic"; | |||
112 | const char kHkdfLabelEarlyExporterSecret[] = "e exp master"; | |||
113 | const char kHkdfLabelHandshakeTrafficSecret[] = "hs traffic"; | |||
114 | const char kHkdfLabelApplicationTrafficSecret[] = "ap traffic"; | |||
115 | const char kHkdfLabelFinishedSecret[] = "finished"; | |||
116 | const char kHkdfLabelResumptionMasterSecret[] = "res master"; | |||
117 | const char kHkdfLabelExporterMasterSecret[] = "exp master"; | |||
118 | const char kHkdfLabelResumption[] = "resumption"; | |||
119 | const char kHkdfLabelTrafficUpdate[] = "traffic upd"; | |||
120 | const char kHkdfPurposeKey[] = "key"; | |||
121 | const char kHkdfPurposeSn[] = "sn"; | |||
122 | const char kHkdfPurposeIv[] = "iv"; | |||
123 | ||||
124 | const char keylogLabelClientEarlyTrafficSecret[] = "CLIENT_EARLY_TRAFFIC_SECRET"; | |||
125 | const char keylogLabelClientHsTrafficSecret[] = "CLIENT_HANDSHAKE_TRAFFIC_SECRET"; | |||
126 | const char keylogLabelServerHsTrafficSecret[] = "SERVER_HANDSHAKE_TRAFFIC_SECRET"; | |||
127 | const char keylogLabelClientTrafficSecret[] = "CLIENT_TRAFFIC_SECRET_0"; | |||
128 | const char keylogLabelServerTrafficSecret[] = "SERVER_TRAFFIC_SECRET_0"; | |||
129 | const char keylogLabelEarlyExporterSecret[] = "EARLY_EXPORTER_SECRET"; | |||
130 | const char keylogLabelExporterSecret[] = "EXPORTER_SECRET"; | |||
131 | ||||
132 | /* Belt and suspenders in case we ever add a TLS 1.4. */ | |||
133 | PR_STATIC_ASSERT(SSL_LIBRARY_VERSION_MAX_SUPPORTED <=extern void pr_static_assert(int arg[(0x0304 <= 0x0304) ? 1 : -1]) | |||
134 | SSL_LIBRARY_VERSION_TLS_1_3)extern void pr_static_assert(int arg[(0x0304 <= 0x0304) ? 1 : -1]); | |||
135 | ||||
136 | void | |||
137 | tls13_FatalError(sslSocket *ss, PRErrorCode prError, SSL3AlertDescription desc) | |||
138 | { | |||
139 | PORT_Assert(desc != internal_error)((desc != internal_error)?((void)0):PR_Assert("desc != internal_error" ,"tls13con.c",139)); /* These should never happen */ | |||
140 | (void)SSL3_SendAlert(ss, alert_fatal, desc); | |||
141 | PORT_SetErrorPORT_SetError_Util(prError); | |||
142 | } | |||
143 | ||||
144 | #ifdef TRACE | |||
145 | #define STATE_CASE(a)case a: return "a" \ | |||
146 | case a: \ | |||
147 | return #a | |||
148 | static char * | |||
149 | tls13_HandshakeState(SSL3WaitState st) | |||
150 | { | |||
151 | switch (st) { | |||
152 | STATE_CASE(idle_handshake)case idle_handshake: return "idle_handshake"; | |||
153 | STATE_CASE(wait_client_hello)case wait_client_hello: return "wait_client_hello"; | |||
154 | STATE_CASE(wait_end_of_early_data)case wait_end_of_early_data: return "wait_end_of_early_data"; | |||
155 | STATE_CASE(wait_client_cert)case wait_client_cert: return "wait_client_cert"; | |||
156 | STATE_CASE(wait_client_key)case wait_client_key: return "wait_client_key"; | |||
157 | STATE_CASE(wait_cert_verify)case wait_cert_verify: return "wait_cert_verify"; | |||
158 | STATE_CASE(wait_change_cipher)case wait_change_cipher: return "wait_change_cipher"; | |||
159 | STATE_CASE(wait_finished)case wait_finished: return "wait_finished"; | |||
160 | STATE_CASE(wait_server_hello)case wait_server_hello: return "wait_server_hello"; | |||
161 | STATE_CASE(wait_certificate_status)case wait_certificate_status: return "wait_certificate_status"; | |||
162 | STATE_CASE(wait_server_cert)case wait_server_cert: return "wait_server_cert"; | |||
163 | STATE_CASE(wait_server_key)case wait_server_key: return "wait_server_key"; | |||
164 | STATE_CASE(wait_cert_request)case wait_cert_request: return "wait_cert_request"; | |||
165 | STATE_CASE(wait_hello_done)case wait_hello_done: return "wait_hello_done"; | |||
166 | STATE_CASE(wait_new_session_ticket)case wait_new_session_ticket: return "wait_new_session_ticket"; | |||
167 | STATE_CASE(wait_encrypted_extensions)case wait_encrypted_extensions: return "wait_encrypted_extensions"; | |||
168 | default: | |||
169 | break; | |||
170 | } | |||
171 | PORT_Assert(0)((0)?((void)0):PR_Assert("0","tls13con.c",171)); | |||
172 | return "unknown"; | |||
173 | } | |||
174 | #endif | |||
175 | ||||
176 | #define TLS13_WAIT_STATE_MASK0x80 0x80 | |||
177 | ||||
178 | #define TLS13_BASE_WAIT_STATE(ws)(ws & ~0x80) (ws & ~TLS13_WAIT_STATE_MASK0x80) | |||
179 | /* We don't mask idle_handshake because other parts of the code use it*/ | |||
180 | #define TLS13_WAIT_STATE(ws)(((ws == idle_handshake) || (ws == wait_server_hello)) ? ws : ws | 0x80) (((ws == idle_handshake) || (ws == wait_server_hello)) ? ws : ws | TLS13_WAIT_STATE_MASK0x80) | |||
181 | #define TLS13_CHECK_HS_STATE(ss, err, ...)tls13_CheckHsState(ss, err, "err", __func__, "tls13con.c", 181 , ..., wait_invalid) \ | |||
182 | tls13_CheckHsState(ss, err, #err, __func__, __FILE__"tls13con.c", __LINE__182, \ | |||
183 | __VA_ARGS__, \ | |||
184 | wait_invalid) | |||
185 | void | |||
186 | tls13_SetHsState(sslSocket *ss, SSL3WaitState ws, | |||
187 | const char *func, const char *file, int line) | |||
188 | { | |||
189 | #ifdef TRACE | |||
190 | const char *new_state_name = | |||
191 | tls13_HandshakeState(ws); | |||
192 | ||||
193 | SSL_TRC(3, ("%d: TLS13[%d]: %s state change from %s->%s in %s (%s:%d)",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: %s state change from %s->%s in %s (%s:%d)" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" ), tls13_HandshakeState((ss->ssl3.hs.ws & ~0x80)), new_state_name , func, file, line) | |||
194 | SSL_GETPID(), ss->fd, SSL_ROLE(ss),if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: %s state change from %s->%s in %s (%s:%d)" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" ), tls13_HandshakeState((ss->ssl3.hs.ws & ~0x80)), new_state_name , func, file, line) | |||
195 | tls13_HandshakeState(TLS13_BASE_WAIT_STATE(ss->ssl3.hs.ws)),if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: %s state change from %s->%s in %s (%s:%d)" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" ), tls13_HandshakeState((ss->ssl3.hs.ws & ~0x80)), new_state_name , func, file, line) | |||
196 | new_state_name,if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: %s state change from %s->%s in %s (%s:%d)" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" ), tls13_HandshakeState((ss->ssl3.hs.ws & ~0x80)), new_state_name , func, file, line) | |||
197 | func, file, line))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: %s state change from %s->%s in %s (%s:%d)" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" ), tls13_HandshakeState((ss->ssl3.hs.ws & ~0x80)), new_state_name , func, file, line); | |||
198 | #endif | |||
199 | ||||
200 | ss->ssl3.hs.ws = TLS13_WAIT_STATE(ws)(((ws == idle_handshake) || (ws == wait_server_hello)) ? ws : ws | 0x80); | |||
201 | } | |||
202 | ||||
203 | static PRBool | |||
204 | tls13_InHsStateV(sslSocket *ss, va_list ap) | |||
205 | { | |||
206 | SSL3WaitState ws; | |||
207 | ||||
208 | while ((ws = va_arg(ap, SSL3WaitState)__builtin_va_arg(ap, SSL3WaitState)) != wait_invalid) { | |||
209 | if (TLS13_WAIT_STATE(ws)(((ws == idle_handshake) || (ws == wait_server_hello)) ? ws : ws | 0x80) == ss->ssl3.hs.ws) { | |||
210 | return PR_TRUE1; | |||
211 | } | |||
212 | } | |||
213 | return PR_FALSE0; | |||
214 | } | |||
215 | ||||
216 | PRBool | |||
217 | tls13_InHsState(sslSocket *ss, ...) | |||
218 | { | |||
219 | PRBool found; | |||
220 | va_list ap; | |||
221 | ||||
222 | va_start(ap, ss)__builtin_va_start(ap, ss); | |||
223 | found = tls13_InHsStateV(ss, ap); | |||
224 | va_end(ap)__builtin_va_end(ap); | |||
225 | ||||
226 | return found; | |||
227 | } | |||
228 | ||||
229 | static SECStatus | |||
230 | tls13_CheckHsState(sslSocket *ss, int err, const char *error_name, | |||
231 | const char *func, const char *file, int line, | |||
232 | ...) | |||
233 | { | |||
234 | va_list ap; | |||
235 | va_start(ap, line)__builtin_va_start(ap, line); | |||
236 | if (tls13_InHsStateV(ss, ap)) { | |||
237 | va_end(ap)__builtin_va_end(ap); | |||
238 | return SECSuccess; | |||
239 | } | |||
240 | va_end(ap)__builtin_va_end(ap); | |||
241 | ||||
242 | SSL_TRC(3, ("%d: TLS13[%d]: error %s state is (%s) at %s (%s:%d)",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: error %s state is (%s) at %s (%s:%d)" , getpid(), ss->fd, error_name, tls13_HandshakeState((ss-> ssl3.hs.ws & ~0x80)), func, file, line) | |||
243 | SSL_GETPID(), ss->fd,if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: error %s state is (%s) at %s (%s:%d)" , getpid(), ss->fd, error_name, tls13_HandshakeState((ss-> ssl3.hs.ws & ~0x80)), func, file, line) | |||
244 | error_name,if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: error %s state is (%s) at %s (%s:%d)" , getpid(), ss->fd, error_name, tls13_HandshakeState((ss-> ssl3.hs.ws & ~0x80)), func, file, line) | |||
245 | tls13_HandshakeState(TLS13_BASE_WAIT_STATE(ss->ssl3.hs.ws)),if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: error %s state is (%s) at %s (%s:%d)" , getpid(), ss->fd, error_name, tls13_HandshakeState((ss-> ssl3.hs.ws & ~0x80)), func, file, line) | |||
246 | func, file, line))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: error %s state is (%s) at %s (%s:%d)" , getpid(), ss->fd, error_name, tls13_HandshakeState((ss-> ssl3.hs.ws & ~0x80)), func, file, line); | |||
247 | tls13_FatalError(ss, err, unexpected_message); | |||
248 | return SECFailure; | |||
249 | } | |||
250 | ||||
251 | PRBool | |||
252 | tls13_IsPostHandshake(const sslSocket *ss) | |||
253 | { | |||
254 | return ss->version >= SSL_LIBRARY_VERSION_TLS_1_30x0304 && ss->firstHsDone; | |||
255 | } | |||
256 | ||||
257 | SSLHashType | |||
258 | tls13_GetHashForCipherSuite(ssl3CipherSuite suite) | |||
259 | { | |||
260 | const ssl3CipherSuiteDef *cipherDef = | |||
261 | ssl_LookupCipherSuiteDef(suite); | |||
262 | PORT_Assert(cipherDef)((cipherDef)?((void)0):PR_Assert("cipherDef","tls13con.c",262 )); | |||
263 | if (!cipherDef) { | |||
264 | return ssl_hash_none; | |||
265 | } | |||
266 | return cipherDef->prf_hash; | |||
267 | } | |||
268 | ||||
269 | SSLHashType | |||
270 | tls13_GetHash(const sslSocket *ss) | |||
271 | { | |||
272 | /* suite_def may not be set yet when doing EPSK 0-Rtt. */ | |||
273 | if (!ss->ssl3.hs.suite_def) { | |||
274 | if (ss->xtnData.selectedPsk) { | |||
275 | return ss->xtnData.selectedPsk->hash; | |||
276 | } | |||
277 | /* This should never happen. */ | |||
278 | PORT_Assert(0)((0)?((void)0):PR_Assert("0","tls13con.c",278)); | |||
279 | return ssl_hash_none; | |||
280 | } | |||
281 | ||||
282 | /* All TLS 1.3 cipher suites must have an explict PRF hash. */ | |||
283 | PORT_Assert(ss->ssl3.hs.suite_def->prf_hash != ssl_hash_none)((ss->ssl3.hs.suite_def->prf_hash != ssl_hash_none)?((void )0):PR_Assert("ss->ssl3.hs.suite_def->prf_hash != ssl_hash_none" ,"tls13con.c",283)); | |||
284 | return ss->ssl3.hs.suite_def->prf_hash; | |||
285 | } | |||
286 | ||||
287 | SECStatus | |||
288 | tls13_GetHashAndCipher(PRUint16 version, PRUint16 cipherSuite, | |||
289 | SSLHashType *hash, const ssl3BulkCipherDef **cipher) | |||
290 | { | |||
291 | if (version < SSL_LIBRARY_VERSION_TLS_1_30x0304) { | |||
292 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); | |||
293 | return SECFailure; | |||
294 | } | |||
295 | ||||
296 | // Lookup and check the suite. | |||
297 | SSLVersionRange vrange = { version, version }; | |||
298 | if (!ssl3_CipherSuiteAllowedForVersionRange(cipherSuite, &vrange)) { | |||
299 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); | |||
300 | return SECFailure; | |||
301 | } | |||
302 | const ssl3CipherSuiteDef *suiteDef = ssl_LookupCipherSuiteDef(cipherSuite); | |||
303 | const ssl3BulkCipherDef *cipherDef = ssl_GetBulkCipherDef(suiteDef); | |||
304 | if (cipherDef->type != type_aead) { | |||
305 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); | |||
306 | return SECFailure; | |||
307 | } | |||
308 | *hash = suiteDef->prf_hash; | |||
309 | if (cipher != NULL((void*)0)) { | |||
310 | *cipher = cipherDef; | |||
311 | } | |||
312 | return SECSuccess; | |||
313 | } | |||
314 | ||||
315 | unsigned int | |||
316 | tls13_GetHashSizeForHash(SSLHashType hash) | |||
317 | { | |||
318 | switch (hash) { | |||
319 | case ssl_hash_sha256: | |||
320 | return 32; | |||
321 | case ssl_hash_sha384: | |||
322 | return 48; | |||
323 | default: | |||
324 | PORT_Assert(0)((0)?((void)0):PR_Assert("0","tls13con.c",324)); | |||
325 | } | |||
326 | return 32; | |||
327 | } | |||
328 | ||||
329 | unsigned int | |||
330 | tls13_GetHashSize(const sslSocket *ss) | |||
331 | { | |||
332 | return tls13_GetHashSizeForHash(tls13_GetHash(ss)); | |||
333 | } | |||
334 | ||||
335 | static CK_MECHANISM_TYPE | |||
336 | tls13_GetHmacMechanismFromHash(SSLHashType hashType) | |||
337 | { | |||
338 | switch (hashType) { | |||
339 | case ssl_hash_sha256: | |||
340 | return CKM_SHA256_HMAC0x00000251UL; | |||
341 | case ssl_hash_sha384: | |||
342 | return CKM_SHA384_HMAC0x00000261UL; | |||
343 | default: | |||
344 | PORT_Assert(0)((0)?((void)0):PR_Assert("0","tls13con.c",344)); | |||
345 | } | |||
346 | return CKM_SHA256_HMAC0x00000251UL; | |||
347 | } | |||
348 | ||||
349 | static CK_MECHANISM_TYPE | |||
350 | tls13_GetHmacMechanism(const sslSocket *ss) | |||
351 | { | |||
352 | return tls13_GetHmacMechanismFromHash(tls13_GetHash(ss)); | |||
353 | } | |||
354 | ||||
355 | SECStatus | |||
356 | tls13_ComputeHash(sslSocket *ss, SSL3Hashes *hashes, | |||
357 | const PRUint8 *buf, unsigned int len, | |||
358 | SSLHashType hash) | |||
359 | { | |||
360 | SECStatus rv; | |||
361 | ||||
362 | rv = PK11_HashBuf(ssl3_HashTypeToOID(hash), hashes->u.raw, buf, len); | |||
363 | if (rv != SECSuccess) { | |||
364 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 364); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); tls13_FatalError(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error ); } while (0); | |||
365 | return SECFailure; | |||
366 | } | |||
367 | hashes->len = tls13_GetHashSizeForHash(hash); | |||
368 | ||||
369 | return SECSuccess; | |||
370 | } | |||
371 | ||||
372 | static SECStatus | |||
373 | tls13_CreateKEMKeyPair(sslSocket *ss, const sslNamedGroupDef *groupDef, | |||
374 | sslKeyPair **outKeyPair) | |||
375 | { | |||
376 | PORT_Assert(groupDef)((groupDef)?((void)0):PR_Assert("groupDef","tls13con.c",376)); | |||
377 | if (groupDef->name != ssl_grp_kem_xyber768d00) { | |||
378 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); | |||
379 | return SECFailure; | |||
380 | } | |||
381 | ||||
382 | sslKeyPair *keyPair = NULL((void*)0); | |||
383 | SECKEYPrivateKey *privKey = NULL((void*)0); | |||
384 | SECKEYPublicKey *pubKey = NULL((void*)0); | |||
385 | CK_MECHANISM_TYPE mechanism = CKM_NSS_KYBER_KEY_PAIR_GEN((0x80000000UL | 0x4E534350) + 45); | |||
386 | CK_NSS_KEM_PARAMETER_SET_TYPE paramSet = CKP_NSS_KYBER_768_ROUND3((0x80000000UL | 0x4E534350) + 1); | |||
387 | ||||
388 | PK11SlotInfo *slot = PK11_GetBestSlot(mechanism, ss->pkcs11PinArg); | |||
389 | if (!slot) { | |||
390 | goto loser; | |||
391 | } | |||
392 | ||||
393 | privKey = PK11_GenerateKeyPairWithOpFlags(slot, mechanism, | |||
394 | ¶mSet, &pubKey, PK11_ATTR_SESSION0x00000002L | PK11_ATTR_SENSITIVE0x00000040L | PK11_ATTR_PRIVATE0x00000004L, | |||
395 | CKF_DERIVE0x00080000UL, CKF_DERIVE0x00080000UL, ss->pkcs11PinArg); | |||
396 | PK11_FreeSlot(slot); | |||
397 | if (!privKey || !pubKey) { | |||
398 | goto loser; | |||
399 | } | |||
400 | ||||
401 | keyPair = ssl_NewKeyPair(privKey, pubKey); | |||
402 | if (!keyPair) { | |||
403 | goto loser; | |||
404 | } | |||
405 | ||||
406 | SSL_TRC(50, ("%d: SSL[%d]: Create Kyber ephemeral key %d",if (ssl_trace >= (50)) ssl_Trace ("%d: SSL[%d]: Create Kyber ephemeral key %d" , getpid(), ss ? ss->fd : ((void*)0), groupDef->name) | |||
407 | SSL_GETPID(), ss ? ss->fd : NULL, groupDef->name))if (ssl_trace >= (50)) ssl_Trace ("%d: SSL[%d]: Create Kyber ephemeral key %d" , getpid(), ss ? ss->fd : ((void*)0), groupDef->name); | |||
408 | PRINT_BUF(50, (ss, "Public Key", pubKey->u.kyber.publicValue.data,if (ssl_trace >= (50)) ssl_PrintBuf (ss, "Public Key", pubKey ->u.kyber.publicValue.data, pubKey->u.kyber.publicValue .len) | |||
409 | pubKey->u.kyber.publicValue.len))if (ssl_trace >= (50)) ssl_PrintBuf (ss, "Public Key", pubKey ->u.kyber.publicValue.data, pubKey->u.kyber.publicValue .len); | |||
410 | #ifdef TRACE | |||
411 | if (ssl_trace >= 50) { | |||
412 | SECItem d = { siBuffer, NULL((void*)0), 0 }; | |||
413 | SECStatus rv = PK11_ReadRawAttribute(PK11_TypePrivKey, privKey, CKA_VALUE0x00000011UL, &d); | |||
414 | if (rv == SECSuccess) { | |||
415 | PRINT_BUF(50, (ss, "Private Key", d.data, d.len))if (ssl_trace >= (50)) ssl_PrintBuf (ss, "Private Key", d. data, d.len); | |||
416 | SECITEM_FreeItemSECITEM_FreeItem_Util(&d, PR_FALSE0); | |||
417 | } else { | |||
418 | SSL_TRC(50, ("Error extracting private key"))if (ssl_trace >= (50)) ssl_Trace ("Error extracting private key" ); | |||
419 | } | |||
420 | } | |||
421 | #endif | |||
422 | ||||
423 | *outKeyPair = keyPair; | |||
424 | return SECSuccess; | |||
425 | ||||
426 | loser: | |||
427 | SECKEY_DestroyPrivateKey(privKey); | |||
428 | SECKEY_DestroyPublicKey(pubKey); | |||
429 | ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL); | |||
430 | return SECFailure; | |||
431 | } | |||
432 | ||||
433 | SECStatus | |||
434 | tls13_CreateKeyShare(sslSocket *ss, const sslNamedGroupDef *groupDef, | |||
435 | sslEphemeralKeyPair **outKeyPair) | |||
436 | { | |||
437 | SECStatus rv; | |||
438 | const ssl3DHParams *params; | |||
439 | sslEphemeralKeyPair *keyPair = NULL((void*)0); | |||
440 | ||||
441 | PORT_Assert(groupDef)((groupDef)?((void)0):PR_Assert("groupDef","tls13con.c",441)); | |||
442 | switch (groupDef->keaType) { | |||
443 | case ssl_kea_ecdh_hybrid: | |||
444 | if (groupDef->name != ssl_grp_kem_xyber768d00) { | |||
445 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); | |||
446 | return SECFailure; | |||
447 | } | |||
448 | rv = ssl_CreateECDHEphemeralKeyPair(ss, ssl_LookupNamedGroup(ssl_grp_ec_curve25519), &keyPair); | |||
449 | if (rv != SECSuccess) { | |||
450 | return SECFailure; | |||
451 | } | |||
452 | keyPair->group = groupDef; | |||
453 | break; | |||
454 | case ssl_kea_ecdh: | |||
455 | rv = ssl_CreateECDHEphemeralKeyPair(ss, groupDef, &keyPair); | |||
456 | if (rv != SECSuccess) { | |||
457 | return SECFailure; | |||
458 | } | |||
459 | break; | |||
460 | case ssl_kea_dh: | |||
461 | params = ssl_GetDHEParams(groupDef); | |||
462 | PORT_Assert(params->name != ssl_grp_ffdhe_custom)((params->name != ssl_grp_ffdhe_custom)?((void)0):PR_Assert ("params->name != ssl_grp_ffdhe_custom","tls13con.c",462)); | |||
463 | rv = ssl_CreateDHEKeyPair(groupDef, params, &keyPair); | |||
464 | if (rv != SECSuccess) { | |||
465 | return SECFailure; | |||
466 | } | |||
467 | break; | |||
468 | default: | |||
469 | PORT_Assert(0)((0)?((void)0):PR_Assert("0","tls13con.c",469)); | |||
470 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); | |||
471 | return SECFailure; | |||
472 | } | |||
473 | ||||
474 | // If we're creating an ECDH + KEM hybrid share and we're the client, then | |||
475 | // we still need to generate the KEM key pair. Otherwise we're done. | |||
476 | if (groupDef->keaType == ssl_kea_ecdh_hybrid && !ss->sec.isServer) { | |||
477 | rv = tls13_CreateKEMKeyPair(ss, groupDef, &keyPair->kemKeys); | |||
478 | if (rv != SECSuccess) { | |||
479 | ssl_FreeEphemeralKeyPair(keyPair); | |||
480 | return SECFailure; | |||
481 | } | |||
482 | } | |||
483 | ||||
484 | *outKeyPair = keyPair; | |||
485 | return SECSuccess; | |||
486 | } | |||
487 | ||||
488 | SECStatus | |||
489 | tls13_AddKeyShare(sslSocket *ss, const sslNamedGroupDef *groupDef) | |||
490 | { | |||
491 | sslEphemeralKeyPair *keyPair = NULL((void*)0); | |||
492 | SECStatus rv; | |||
493 | ||||
494 | rv = tls13_CreateKeyShare(ss, groupDef, &keyPair); | |||
495 | if (rv != SECSuccess) { | |||
496 | return SECFailure; | |||
497 | } | |||
498 | PR_APPEND_LINK(&keyPair->link, &ss->ephemeralKeyPairs)do { (&keyPair->link)->next = (&ss->ephemeralKeyPairs ); (&keyPair->link)->prev = (&ss->ephemeralKeyPairs )->prev; (&ss->ephemeralKeyPairs)->prev->next = (&keyPair->link); (&ss->ephemeralKeyPairs)-> prev = (&keyPair->link); } while (0); | |||
499 | return SECSuccess; | |||
500 | } | |||
501 | ||||
502 | SECStatus | |||
503 | SSL_SendAdditionalKeyShares(PRFileDesc *fd, unsigned int count) | |||
504 | { | |||
505 | sslSocket *ss = ssl_FindSocket(fd); | |||
506 | if (!ss) { | |||
507 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); | |||
508 | return SECFailure; | |||
509 | } | |||
510 | ||||
511 | ss->additionalShares = count; | |||
512 | return SECSuccess; | |||
513 | } | |||
514 | ||||
515 | /* | |||
516 | * Generate shares for ECDHE and FFDHE. This picks the first enabled group of | |||
517 | * the requisite type and creates a share for that. | |||
518 | * | |||
519 | * Called from ssl3_SendClientHello. | |||
520 | */ | |||
521 | SECStatus | |||
522 | tls13_SetupClientHello(sslSocket *ss, sslClientHelloType chType) | |||
523 | { | |||
524 | unsigned int i; | |||
525 | SSL3Statistics *ssl3stats = SSL_GetStatistics(); | |||
526 | NewSessionTicket *session_ticket = NULL((void*)0); | |||
527 | sslSessionID *sid = ss->sec.ci.sid; | |||
528 | unsigned int numShares = 0; | |||
529 | SECStatus rv; | |||
530 | ||||
531 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)" ,"tls13con.c",531)); | |||
532 | PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->xmitBufLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveXmitBufLock(ss)" ,"tls13con.c",532)); | |||
533 | ||||
534 | rv = tls13_ClientSetupEch(ss, chType); | |||
535 | if (rv != SECSuccess) { | |||
536 | return SECFailure; | |||
537 | } | |||
538 | ||||
539 | /* Everything below here is only run on the first CH. */ | |||
540 | if (chType != client_hello_initial) { | |||
541 | return SECSuccess; | |||
542 | } | |||
543 | ||||
544 | rv = tls13_ClientGreaseSetup(ss); | |||
545 | if (rv != SECSuccess) { | |||
546 | return SECFailure; | |||
547 | } | |||
548 | ||||
549 | /* Select the first enabled group. | |||
550 | * TODO(ekr@rtfm.com): be smarter about offering the group | |||
551 | * that the other side negotiated if we are resuming. */ | |||
552 | PORT_Assert(PR_CLIST_IS_EMPTY(&ss->ephemeralKeyPairs))((((&ss->ephemeralKeyPairs)->next == (&ss->ephemeralKeyPairs )))?((void)0):PR_Assert("PR_CLIST_IS_EMPTY(&ss->ephemeralKeyPairs)" ,"tls13con.c",552)); | |||
553 | for (i = 0; i < SSL_NAMED_GROUP_COUNT32; ++i) { | |||
554 | if (!ss->namedGroupPreferences[i]) { | |||
555 | continue; | |||
556 | } | |||
557 | rv = tls13_AddKeyShare(ss, ss->namedGroupPreferences[i]); | |||
558 | if (rv != SECSuccess) { | |||
559 | return SECFailure; | |||
560 | } | |||
561 | if (++numShares > ss->additionalShares) { | |||
562 | break; | |||
563 | } | |||
564 | } | |||
565 | ||||
566 | if (PR_CLIST_IS_EMPTY(&ss->ephemeralKeyPairs)((&ss->ephemeralKeyPairs)->next == (&ss->ephemeralKeyPairs ))) { | |||
567 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_NO_CIPHERS_SUPPORTED); | |||
568 | return SECFailure; | |||
569 | } | |||
570 | ||||
571 | /* Try to do stateless resumption, if we can. */ | |||
572 | if (sid->cached != never_cached && | |||
573 | sid->version >= SSL_LIBRARY_VERSION_TLS_1_30x0304) { | |||
574 | /* The caller must be holding sid->u.ssl3.lock for reading. */ | |||
575 | session_ticket = &sid->u.ssl3.locked.sessionTicket; | |||
576 | PORT_Assert(session_ticket && session_ticket->ticket.data)((session_ticket && session_ticket->ticket.data)?( (void)0):PR_Assert("session_ticket && session_ticket->ticket.data" ,"tls13con.c",576)); | |||
577 | ||||
578 | if (ssl_TicketTimeValid(ss, session_ticket)) { | |||
579 | ss->statelessResume = PR_TRUE1; | |||
580 | } | |||
581 | ||||
582 | if (ss->statelessResume) { | |||
583 | PORT_Assert(ss->sec.ci.sid)((ss->sec.ci.sid)?((void)0):PR_Assert("ss->sec.ci.sid", "tls13con.c",583)); | |||
584 | rv = tls13_RecoverWrappedSharedSecret(ss, ss->sec.ci.sid); | |||
585 | if (rv != SECSuccess) { | |||
586 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 586); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); tls13_FatalError(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error ); } while (0); | |||
587 | SSL_AtomicIncrementLong(&ssl3stats->sch_sid_cache_not_ok); | |||
588 | ssl_UncacheSessionID(ss); | |||
589 | ssl_FreeSID(ss->sec.ci.sid); | |||
590 | ss->sec.ci.sid = NULL((void*)0); | |||
591 | return SECFailure; | |||
592 | } | |||
593 | ||||
594 | ss->ssl3.hs.cipher_suite = ss->sec.ci.sid->u.ssl3.cipherSuite; | |||
595 | rv = ssl3_SetupCipherSuite(ss, PR_FALSE0); | |||
596 | if (rv != SECSuccess) { | |||
597 | FATAL_ERROR(ss, PORT_GetError(), internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, PORT_GetError_Util(), __func__, "tls13con.c" , 597); PORT_SetError_Util(PORT_GetError_Util()); } while (0) ; tls13_FatalError(ss, PORT_GetError_Util(), internal_error); } while (0); | |||
598 | return SECFailure; | |||
599 | } | |||
600 | PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks))((!((&ss->ssl3.hs.psks)->next == (&ss->ssl3. hs.psks)))?((void)0):PR_Assert("!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks)" ,"tls13con.c",600)); | |||
601 | } | |||
602 | } | |||
603 | ||||
604 | /* Derive the binder keys if any PSKs. */ | |||
605 | if (!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks)((&ss->ssl3.hs.psks)->next == (&ss->ssl3.hs. psks))) { | |||
606 | /* If an External PSK specified a suite, use that. */ | |||
607 | sslPsk *psk = (sslPsk *)PR_LIST_HEAD(&ss->ssl3.hs.psks)(&ss->ssl3.hs.psks)->next; | |||
608 | if (!ss->statelessResume && | |||
609 | psk->type == ssl_psk_external && | |||
610 | psk->zeroRttSuite != TLS_NULL_WITH_NULL_NULL0x0000) { | |||
611 | ss->ssl3.hs.cipher_suite = psk->zeroRttSuite; | |||
612 | } | |||
613 | ||||
614 | rv = tls13_ComputeEarlySecretsWithPsk(ss); | |||
615 | if (rv != SECSuccess) { | |||
616 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 616); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); tls13_FatalError(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error ); } while (0); | |||
617 | return SECFailure; | |||
618 | } | |||
619 | } | |||
620 | ||||
621 | return SECSuccess; | |||
622 | } | |||
623 | ||||
624 | static SECStatus | |||
625 | tls13_ImportDHEKeyShare(SECKEYPublicKey *peerKey, | |||
626 | PRUint8 *b, PRUint32 length, | |||
627 | SECKEYPublicKey *pubKey) | |||
628 | { | |||
629 | SECStatus rv; | |||
630 | SECItem publicValue = { siBuffer, NULL((void*)0), 0 }; | |||
631 | ||||
632 | publicValue.data = b; | |||
633 | publicValue.len = length; | |||
634 | if (!ssl_IsValidDHEShare(&pubKey->u.dh.prime, &publicValue)) { | |||
635 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_RX_MALFORMED_DHE_KEY_SHARE); | |||
636 | return SECFailure; | |||
637 | } | |||
638 | ||||
639 | peerKey->keyType = dhKey; | |||
640 | rv = SECITEM_CopyItemSECITEM_CopyItem_Util(peerKey->arena, &peerKey->u.dh.prime, | |||
641 | &pubKey->u.dh.prime); | |||
642 | if (rv != SECSuccess) | |||
643 | return SECFailure; | |||
644 | rv = SECITEM_CopyItemSECITEM_CopyItem_Util(peerKey->arena, &peerKey->u.dh.base, | |||
645 | &pubKey->u.dh.base); | |||
646 | if (rv != SECSuccess) | |||
647 | return SECFailure; | |||
648 | rv = SECITEM_CopyItemSECITEM_CopyItem_Util(peerKey->arena, &peerKey->u.dh.publicValue, | |||
649 | &publicValue); | |||
650 | if (rv != SECSuccess) | |||
651 | return SECFailure; | |||
652 | ||||
653 | return SECSuccess; | |||
654 | } | |||
655 | ||||
656 | static SECStatus | |||
657 | tls13_ImportKEMKeyShare(SECKEYPublicKey *peerKey, TLS13KeyShareEntry *entry) | |||
658 | { | |||
659 | SECItem pk = { siBuffer, NULL((void*)0), 0 }; | |||
660 | SECStatus rv; | |||
661 | ||||
662 | if (entry->group->name != ssl_grp_kem_xyber768d00) { | |||
663 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); | |||
664 | return SECFailure; | |||
665 | } | |||
666 | ||||
667 | if (entry->key_exchange.len != X25519_PUBLIC_KEY_BYTES32U + KYBER768_PUBLIC_KEY_BYTES1184U) { | |||
668 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_RX_MALFORMED_HYBRID_KEY_SHARE); | |||
669 | return SECFailure; | |||
670 | } | |||
671 | pk.data = entry->key_exchange.data + X25519_PUBLIC_KEY_BYTES32U; | |||
672 | pk.len = entry->key_exchange.len - X25519_PUBLIC_KEY_BYTES32U; | |||
673 | ||||
674 | peerKey->keyType = kyberKey; | |||
675 | peerKey->u.kyber.params = params_kyber768_round3; | |||
676 | ||||
677 | rv = SECITEM_CopyItemSECITEM_CopyItem_Util(peerKey->arena, &peerKey->u.kyber.publicValue, &pk); | |||
678 | if (rv != SECSuccess) { | |||
679 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_NO_MEMORY); | |||
680 | return SECFailure; | |||
681 | } | |||
682 | ||||
683 | return SECSuccess; | |||
684 | } | |||
685 | ||||
686 | static SECStatus | |||
687 | tls13_HandleKEMCiphertext(sslSocket *ss, TLS13KeyShareEntry *entry, sslKeyPair *keyPair, PK11SymKey **outKey) | |||
688 | { | |||
689 | SECItem ct = { siBuffer, NULL((void*)0), 0 }; | |||
690 | SECStatus rv; | |||
691 | ||||
692 | switch (entry->group->name) { | |||
693 | case ssl_grp_kem_xyber768d00: | |||
694 | if (entry->key_exchange.len != X25519_PUBLIC_KEY_BYTES32U + KYBER768_CIPHERTEXT_BYTES1088U) { | |||
695 | ssl_MapLowLevelError(SSL_ERROR_RX_MALFORMED_HYBRID_KEY_SHARE); | |||
696 | return SECFailure; | |||
697 | } | |||
698 | ct.data = entry->key_exchange.data + X25519_PUBLIC_KEY_BYTES32U; | |||
699 | ct.len = entry->key_exchange.len - X25519_PUBLIC_KEY_BYTES32U; | |||
700 | break; | |||
701 | default: | |||
702 | PORT_Assert(0)((0)?((void)0):PR_Assert("0","tls13con.c",702)); | |||
703 | ssl_MapLowLevelError(SEC_ERROR_LIBRARY_FAILURE); | |||
704 | return SECFailure; | |||
705 | } | |||
706 | ||||
707 | rv = PK11_Decapsulate(keyPair->privKey, &ct, CKM_HKDF_DERIVE0x0000402aUL, PK11_ATTR_SESSION0x00000002L | PK11_ATTR_SENSITIVE0x00000040L, CKF_DERIVE0x00080000UL, outKey); | |||
708 | if (rv != SECSuccess) { | |||
709 | ssl_MapLowLevelError(SSL_ERROR_KEY_EXCHANGE_FAILURE); | |||
710 | } | |||
711 | return rv; | |||
712 | } | |||
713 | ||||
714 | static SECStatus | |||
715 | tls13_HandleKEMKey(sslSocket *ss, | |||
716 | TLS13KeyShareEntry *entry, | |||
717 | PK11SymKey **key, | |||
718 | SECItem **ciphertext) | |||
719 | { | |||
720 | PORTCheapArenaPool arena; | |||
721 | SECKEYPublicKey *peerKey; | |||
722 | CK_OBJECT_HANDLE handle; | |||
723 | SECStatus rv; | |||
724 | ||||
725 | PORT_InitCheapArena(&arena, DER_DEFAULT_CHUNKSIZE(2048)); | |||
726 | peerKey = PORT_ArenaZNew(&arena.arena, SECKEYPublicKey)(SECKEYPublicKey *)PORT_ArenaZAlloc_Util(&arena.arena, sizeof (SECKEYPublicKey)); | |||
727 | if (peerKey == NULL((void*)0)) { | |||
728 | goto loser; | |||
729 | } | |||
730 | peerKey->arena = &arena.arena; | |||
731 | peerKey->pkcs11Slot = NULL((void*)0); | |||
732 | peerKey->pkcs11ID = CK_INVALID_HANDLE0; | |||
733 | ||||
734 | rv = tls13_ImportKEMKeyShare(peerKey, entry); | |||
735 | if (rv != SECSuccess) { | |||
736 | goto loser; | |||
737 | } | |||
738 | ||||
739 | PK11SlotInfo *slot = PK11_GetBestSlot(CKM_NSS_KYBER((0x80000000UL | 0x4E534350) + 46), ss->pkcs11PinArg); | |||
740 | if (!slot) { | |||
741 | goto loser; | |||
742 | } | |||
743 | ||||
744 | handle = PK11_ImportPublicKey(slot, peerKey, PR_FALSE0); | |||
745 | PK11_FreeSlot(slot); /* peerKey holds a slot reference on success. */ | |||
746 | if (handle == CK_INVALID_HANDLE0) { | |||
747 | goto loser; | |||
748 | } | |||
749 | ||||
750 | rv = PK11_Encapsulate(peerKey, | |||
751 | CKM_HKDF_DERIVE0x0000402aUL, PK11_ATTR_SESSION0x00000002L | PK11_ATTR_SENSITIVE0x00000040L | PK11_ATTR_PRIVATE0x00000004L, | |||
752 | CKF_DERIVE0x00080000UL, key, ciphertext); | |||
753 | ||||
754 | /* Destroy the imported public key */ | |||
755 | PORT_Assert(peerKey->pkcs11Slot)((peerKey->pkcs11Slot)?((void)0):PR_Assert("peerKey->pkcs11Slot" ,"tls13con.c",755)); | |||
756 | PK11_DestroyObject(peerKey->pkcs11Slot, peerKey->pkcs11ID); | |||
757 | PK11_FreeSlot(peerKey->pkcs11Slot); | |||
758 | ||||
759 | PORT_DestroyCheapArena(&arena); | |||
760 | return SECSuccess; | |||
761 | ||||
762 | loser: | |||
763 | PORT_DestroyCheapArena(&arena); | |||
764 | return SECFailure; | |||
765 | } | |||
766 | ||||
767 | SECStatus | |||
768 | tls13_HandleKeyShare(sslSocket *ss, | |||
769 | TLS13KeyShareEntry *entry, | |||
770 | sslKeyPair *keyPair, | |||
771 | SSLHashType hash, | |||
772 | PK11SymKey **out) | |||
773 | { | |||
774 | PORTCheapArenaPool arena; | |||
775 | SECKEYPublicKey *peerKey; | |||
776 | CK_MECHANISM_TYPE mechanism; | |||
777 | PK11SymKey *key; | |||
778 | SECStatus rv; | |||
779 | int keySize = 0; | |||
780 | ||||
781 | PORT_InitCheapArena(&arena, DER_DEFAULT_CHUNKSIZE(2048)); | |||
782 | peerKey = PORT_ArenaZNew(&arena.arena, SECKEYPublicKey)(SECKEYPublicKey *)PORT_ArenaZAlloc_Util(&arena.arena, sizeof (SECKEYPublicKey)); | |||
783 | if (peerKey == NULL((void*)0)) { | |||
784 | goto loser; | |||
785 | } | |||
786 | peerKey->arena = &arena.arena; | |||
787 | peerKey->pkcs11Slot = NULL((void*)0); | |||
788 | peerKey->pkcs11ID = CK_INVALID_HANDLE0; | |||
789 | ||||
790 | switch (entry->group->keaType) { | |||
791 | case ssl_kea_ecdh_hybrid: | |||
792 | if (entry->group->name != ssl_grp_kem_xyber768d00 || entry->key_exchange.len < X25519_PUBLIC_KEY_BYTES32U) { | |||
793 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_RX_MALFORMED_HYBRID_KEY_SHARE); | |||
794 | goto loser; | |||
795 | } | |||
796 | rv = ssl_ImportECDHKeyShare(peerKey, | |||
797 | entry->key_exchange.data, | |||
798 | X25519_PUBLIC_KEY_BYTES32U, | |||
799 | ssl_LookupNamedGroup(ssl_grp_ec_curve25519)); | |||
800 | mechanism = CKM_ECDH1_DERIVE0x00001050UL; | |||
801 | break; | |||
802 | case ssl_kea_ecdh: | |||
803 | rv = ssl_ImportECDHKeyShare(peerKey, | |||
804 | entry->key_exchange.data, | |||
805 | entry->key_exchange.len, | |||
806 | entry->group); | |||
807 | mechanism = CKM_ECDH1_DERIVE0x00001050UL; | |||
808 | break; | |||
809 | case ssl_kea_dh: | |||
810 | rv = tls13_ImportDHEKeyShare(peerKey, | |||
811 | entry->key_exchange.data, | |||
812 | entry->key_exchange.len, | |||
813 | keyPair->pubKey); | |||
814 | mechanism = CKM_DH_PKCS_DERIVE0x00000021UL; | |||
815 | keySize = peerKey->u.dh.publicValue.len; | |||
816 | break; | |||
817 | default: | |||
818 | PORT_Assert(0)((0)?((void)0):PR_Assert("0","tls13con.c",818)); | |||
819 | goto loser; | |||
820 | } | |||
821 | if (rv != SECSuccess) { | |||
822 | goto loser; | |||
823 | } | |||
824 | ||||
825 | key = PK11_PubDeriveWithKDF( | |||
826 | keyPair->privKey, peerKey, PR_FALSE0, NULL((void*)0), NULL((void*)0), mechanism, | |||
827 | CKM_HKDF_DERIVE0x0000402aUL, CKA_DERIVE0x0000010CUL, keySize, CKD_NULL0x00000001UL, NULL((void*)0), NULL((void*)0)); | |||
828 | if (!key) { | |||
829 | ssl_MapLowLevelError(SSL_ERROR_KEY_EXCHANGE_FAILURE); | |||
830 | goto loser; | |||
831 | } | |||
832 | ||||
833 | *out = key; | |||
834 | PORT_DestroyCheapArena(&arena); | |||
835 | return SECSuccess; | |||
836 | ||||
837 | loser: | |||
838 | PORT_DestroyCheapArena(&arena); | |||
839 | return SECFailure; | |||
840 | } | |||
841 | ||||
842 | static PRBool | |||
843 | tls13_UseServerSecret(sslSocket *ss, SSLSecretDirection direction) | |||
844 | { | |||
845 | return ss->sec.isServer == (direction == ssl_secret_write); | |||
846 | } | |||
847 | ||||
848 | static PK11SymKey ** | |||
849 | tls13_TrafficSecretRef(sslSocket *ss, SSLSecretDirection direction) | |||
850 | { | |||
851 | if (tls13_UseServerSecret(ss, direction)) { | |||
852 | return &ss->ssl3.hs.serverTrafficSecret; | |||
853 | } | |||
854 | return &ss->ssl3.hs.clientTrafficSecret; | |||
855 | } | |||
856 | ||||
857 | SECStatus | |||
858 | tls13_UpdateTrafficKeys(sslSocket *ss, SSLSecretDirection direction) | |||
859 | { | |||
860 | PK11SymKey **secret; | |||
861 | PK11SymKey *updatedSecret; | |||
862 | PRUint16 epoch; | |||
863 | SECStatus rv; | |||
864 | ||||
865 | secret = tls13_TrafficSecretRef(ss, direction); | |||
866 | rv = tls13_HkdfExpandLabel(*secret, tls13_GetHash(ss), | |||
867 | NULL((void*)0), 0, | |||
868 | kHkdfLabelTrafficUpdate, | |||
869 | strlen(kHkdfLabelTrafficUpdate), | |||
870 | tls13_GetHmacMechanism(ss), | |||
871 | tls13_GetHashSize(ss), | |||
872 | ss->protocolVariant, | |||
873 | &updatedSecret); | |||
874 | if (rv != SECSuccess) { | |||
875 | return SECFailure; | |||
876 | } | |||
877 | ||||
878 | PK11_FreeSymKey(*secret); | |||
879 | *secret = updatedSecret; | |||
880 | ||||
881 | ssl_GetSpecReadLock(ss){ if (!ss->opt.noLocks) NSSRWLock_LockRead_Util((ss)->specLock ); }; | |||
882 | if (direction == ssl_secret_read) { | |||
883 | epoch = ss->ssl3.crSpec->epoch; | |||
884 | } else { | |||
885 | epoch = ss->ssl3.cwSpec->epoch; | |||
886 | } | |||
887 | ssl_ReleaseSpecReadLock(ss){ if (!ss->opt.noLocks) NSSRWLock_UnlockRead_Util((ss)-> specLock); }; | |||
888 | ||||
889 | if (epoch == PR_UINT16_MAX65535U) { | |||
890 | /* Good chance that this is an overflow from too many updates. */ | |||
891 | FATAL_ERROR(ss, SSL_ERROR_TOO_MANY_KEY_UPDATES, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_TOO_MANY_KEY_UPDATES, __func__ , "tls13con.c", 891); PORT_SetError_Util(SSL_ERROR_TOO_MANY_KEY_UPDATES ); } while (0); tls13_FatalError(ss, SSL_ERROR_TOO_MANY_KEY_UPDATES , internal_error); } while (0); | |||
892 | return SECFailure; | |||
893 | } | |||
894 | ++epoch; | |||
895 | ||||
896 | if (ss->secretCallback) { | |||
897 | ss->secretCallback(ss->fd, epoch, direction, updatedSecret, | |||
898 | ss->secretCallbackArg); | |||
899 | } | |||
900 | rv = tls13_SetCipherSpec(ss, epoch, direction, PR_FALSE0); | |||
901 | if (rv != SECSuccess) { | |||
902 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 902); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); tls13_FatalError(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error ); } while (0); | |||
903 | return SECFailure; | |||
904 | } | |||
905 | return SECSuccess; | |||
906 | } | |||
907 | ||||
908 | SECStatus | |||
909 | tls13_SendKeyUpdate(sslSocket *ss, tls13KeyUpdateRequest request, PRBool buffer) | |||
910 | { | |||
911 | SECStatus rv; | |||
912 | ||||
913 | SSL_TRC(3, ("%d: TLS13[%d]: %s send key update, response %s",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: %s send key update, response %s" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" ), (request == update_requested) ? "requested" : "not requested" ) | |||
914 | SSL_GETPID(), ss->fd, SSL_ROLE(ss),if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: %s send key update, response %s" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" ), (request == update_requested) ? "requested" : "not requested" ) | |||
915 | (request == update_requested) ? "requested"if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: %s send key update, response %s" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" ), (request == update_requested) ? "requested" : "not requested" ) | |||
916 | : "not requested"))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: %s send key update, response %s" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" ), (request == update_requested) ? "requested" : "not requested" ); | |||
917 | ||||
918 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)" ,"tls13con.c",918)); | |||
919 | PORT_Assert(!ss->sec.isServer || !ss->ssl3.clientCertRequested)((!ss->sec.isServer || !ss->ssl3.clientCertRequested)?( (void)0):PR_Assert("!ss->sec.isServer || !ss->ssl3.clientCertRequested" ,"tls13con.c",919)); | |||
920 | ||||
921 | if (!tls13_IsPostHandshake(ss)) { | |||
922 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); | |||
923 | return SECFailure; | |||
924 | } | |||
925 | ||||
926 | rv = TLS13_CHECK_HS_STATE(ss, SEC_ERROR_LIBRARY_FAILURE,tls13_CheckHsState(ss, SEC_ERROR_LIBRARY_FAILURE, "SEC_ERROR_LIBRARY_FAILURE" , __func__, "tls13con.c", 927, idle_handshake, wait_invalid) | |||
927 | idle_handshake)tls13_CheckHsState(ss, SEC_ERROR_LIBRARY_FAILURE, "SEC_ERROR_LIBRARY_FAILURE" , __func__, "tls13con.c", 927, idle_handshake, wait_invalid); | |||
928 | if (rv != SECSuccess) { | |||
929 | return SECFailure; | |||
930 | } | |||
931 | ||||
932 | if (IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram)) { | |||
933 | rv = dtls13_MaybeSendKeyUpdate(ss, request, buffer); | |||
934 | if (rv != SECSuccess) { | |||
935 | /* Error code set already. */ | |||
936 | return SECFailure; | |||
937 | } | |||
938 | return rv; | |||
939 | } | |||
940 | ||||
941 | ssl_GetXmitBufLock(ss){ if (!ss->opt.noLocks) PR_EnterMonitor(((ss)->xmitBufLock )); }; | |||
942 | rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_key_update, 1); | |||
943 | if (rv != SECSuccess) { | |||
944 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 944); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); tls13_FatalError(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error ); } while (0); | |||
945 | goto loser; | |||
946 | } | |||
947 | rv = ssl3_AppendHandshakeNumber(ss, request, 1); | |||
948 | if (rv != SECSuccess) { | |||
949 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 949); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); tls13_FatalError(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error ); } while (0); | |||
950 | goto loser; | |||
951 | } | |||
952 | ||||
953 | /* If we have been asked to buffer, then do so. This allows us to coalesce | |||
954 | * a KeyUpdate with a pending write. */ | |||
955 | rv = ssl3_FlushHandshake(ss, buffer ? ssl_SEND_FLAG_FORCE_INTO_BUFFER0x40000000 : 0); | |||
956 | if (rv != SECSuccess) { | |||
957 | goto loser; /* error code set by ssl3_FlushHandshake */ | |||
958 | } | |||
959 | ssl_ReleaseXmitBufLock(ss){ if (!ss->opt.noLocks) PR_ExitMonitor(((ss)->xmitBufLock )); }; | |||
960 | ||||
961 | rv = tls13_UpdateTrafficKeys(ss, ssl_secret_write); | |||
962 | if (rv != SECSuccess) { | |||
963 | goto loser; /* error code set by tls13_UpdateTrafficKeys */ | |||
964 | } | |||
965 | ||||
966 | return SECSuccess; | |||
967 | ||||
968 | loser: | |||
969 | ssl_ReleaseXmitBufLock(ss){ if (!ss->opt.noLocks) PR_ExitMonitor(((ss)->xmitBufLock )); }; | |||
970 | return SECFailure; | |||
971 | } | |||
972 | ||||
973 | SECStatus | |||
974 | SSLExp_KeyUpdate(PRFileDesc *fd, PRBool requestUpdate) | |||
975 | { | |||
976 | SECStatus rv; | |||
977 | sslSocket *ss = ssl_FindSocket(fd); | |||
978 | if (!ss) { | |||
979 | return SECFailure; | |||
980 | } | |||
981 | ||||
982 | if (!tls13_IsPostHandshake(ss)) { | |||
983 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); | |||
984 | return SECFailure; | |||
985 | } | |||
986 | ||||
987 | if (ss->ssl3.clientCertRequested) { | |||
988 | PORT_SetErrorPORT_SetError_Util(PR_WOULD_BLOCK_ERROR(-5998L)); | |||
989 | return SECFailure; | |||
990 | } | |||
991 | ||||
992 | rv = TLS13_CHECK_HS_STATE(ss, SEC_ERROR_INVALID_ARGS,tls13_CheckHsState(ss, SEC_ERROR_INVALID_ARGS, "SEC_ERROR_INVALID_ARGS" , __func__, "tls13con.c", 993, idle_handshake, wait_invalid) | |||
993 | idle_handshake)tls13_CheckHsState(ss, SEC_ERROR_INVALID_ARGS, "SEC_ERROR_INVALID_ARGS" , __func__, "tls13con.c", 993, idle_handshake, wait_invalid); | |||
994 | if (rv != SECSuccess) { | |||
995 | return SECFailure; | |||
996 | } | |||
997 | ||||
998 | ssl_GetSSL3HandshakeLock(ss){ if (!ss->opt.noLocks) { ((!((PR_GetMonitorEntryCount(((ss )->xmitBufLock)) > 0)))?((void)0):PR_Assert("!ssl_HaveXmitBufLock(ss)" ,"tls13con.c",998)); PR_EnterMonitor(((ss)->ssl3HandshakeLock )); } }; | |||
999 | rv = tls13_SendKeyUpdate(ss, requestUpdate ? update_requested : update_not_requested, | |||
1000 | PR_FALSE0 /* don't buffer */); | |||
1001 | ||||
1002 | /* Remember that we are the ones that initiated this KeyUpdate. */ | |||
1003 | if (rv == SECSuccess) { | |||
1004 | ss->ssl3.peerRequestedKeyUpdate = PR_FALSE0; | |||
1005 | } | |||
1006 | ssl_ReleaseSSL3HandshakeLock(ss){ if (!ss->opt.noLocks) PR_ExitMonitor(((ss)->ssl3HandshakeLock )); }; | |||
1007 | return rv; | |||
1008 | } | |||
1009 | ||||
1010 | SECStatus | |||
1011 | SSLExp_SetCertificateCompressionAlgorithm(PRFileDesc *fd, SSLCertificateCompressionAlgorithm alg) | |||
1012 | { | |||
1013 | sslSocket *ss = ssl_FindSocket(fd); | |||
1014 | if (!ss) { | |||
1015 | return SECFailure; /* Code already set. */ | |||
1016 | } | |||
1017 | ||||
1018 | ssl_GetSSL3HandshakeLock(ss){ if (!ss->opt.noLocks) { ((!((PR_GetMonitorEntryCount(((ss )->xmitBufLock)) > 0)))?((void)0):PR_Assert("!ssl_HaveXmitBufLock(ss)" ,"tls13con.c",1018)); PR_EnterMonitor(((ss)->ssl3HandshakeLock )); } }; | |||
1019 | if (ss->ssl3.supportedCertCompressionAlgorithmsCount == MAX_SUPPORTED_CERTIFICATE_COMPRESSION_ALGS32) { | |||
1020 | goto loser; | |||
1021 | } | |||
1022 | ||||
1023 | /* Reserved ID */ | |||
1024 | if (alg.id == 0) { | |||
1025 | goto loser; | |||
1026 | } | |||
1027 | ||||
1028 | if (alg.encode == NULL((void*)0) && alg.decode == NULL((void*)0)) { | |||
1029 | goto loser; | |||
1030 | } | |||
1031 | ||||
1032 | /* Checking that we have not yet registed an algorithm with the same ID. */ | |||
1033 | for (int i = 0; i < ss->ssl3.supportedCertCompressionAlgorithmsCount; i++) { | |||
1034 | if (ss->ssl3.supportedCertCompressionAlgorithms[i].id == alg.id) { | |||
1035 | goto loser; | |||
1036 | } | |||
1037 | } | |||
1038 | ||||
1039 | PORT_Memcpymemcpy(&ss->ssl3.supportedCertCompressionAlgorithms | |||
1040 | [ss->ssl3.supportedCertCompressionAlgorithmsCount], | |||
1041 | &alg, sizeof(alg)); | |||
1042 | ss->ssl3.supportedCertCompressionAlgorithmsCount += 1; | |||
1043 | ssl_ReleaseSSL3HandshakeLock(ss){ if (!ss->opt.noLocks) PR_ExitMonitor(((ss)->ssl3HandshakeLock )); }; | |||
1044 | return SECSuccess; | |||
1045 | ||||
1046 | loser: | |||
1047 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); | |||
1048 | ssl_ReleaseSSL3HandshakeLock(ss){ if (!ss->opt.noLocks) PR_ExitMonitor(((ss)->ssl3HandshakeLock )); }; | |||
1049 | return SECFailure; | |||
1050 | } | |||
1051 | ||||
1052 | /* | |||
1053 | * enum { | |||
1054 | * update_not_requested(0), update_requested(1), (255) | |||
1055 | * } KeyUpdateRequest; | |||
1056 | * | |||
1057 | * struct { | |||
1058 | * KeyUpdateRequest request_update; | |||
1059 | * } KeyUpdate; | |||
1060 | */ | |||
1061 | ||||
1062 | /* If we're handing the DTLS1.3 message, we silently fail if there is a parsing problem. */ | |||
1063 | static SECStatus | |||
1064 | tls13_HandleKeyUpdate(sslSocket *ss, PRUint8 *b, unsigned int length) | |||
1065 | { | |||
1066 | SECStatus rv; | |||
1067 | PRUint32 update; | |||
1068 | ||||
1069 | SSL_TRC(3, ("%d: TLS13[%d]: %s handle key update",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: %s handle key update" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" )) | |||
1070 | SSL_GETPID(), ss->fd, SSL_ROLE(ss)))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: %s handle key update" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" )); | |||
1071 | ||||
1072 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->recvBufLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveRecvBufLock(ss)" ,"tls13con.c",1072)); | |||
1073 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)" ,"tls13con.c",1073)); | |||
1074 | ||||
1075 | if (!tls13_IsPostHandshake(ss)) { | |||
1076 | FATAL_ERROR(ss, SSL_ERROR_RX_UNEXPECTED_KEY_UPDATE, unexpected_message)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_UNEXPECTED_KEY_UPDATE, __func__ , "tls13con.c", 1076); PORT_SetError_Util(SSL_ERROR_RX_UNEXPECTED_KEY_UPDATE ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_UNEXPECTED_KEY_UPDATE , unexpected_message); } while (0); | |||
1077 | return SECFailure; | |||
1078 | } | |||
1079 | ||||
1080 | rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_KEY_UPDATE,tls13_CheckHsState(ss, SSL_ERROR_RX_UNEXPECTED_KEY_UPDATE, "SSL_ERROR_RX_UNEXPECTED_KEY_UPDATE" , __func__, "tls13con.c", 1081, idle_handshake, wait_invalid) | |||
1081 | idle_handshake)tls13_CheckHsState(ss, SSL_ERROR_RX_UNEXPECTED_KEY_UPDATE, "SSL_ERROR_RX_UNEXPECTED_KEY_UPDATE" , __func__, "tls13con.c", 1081, idle_handshake, wait_invalid); | |||
1082 | if (rv != SECSuccess) { | |||
1083 | /* We should never be idle_handshake prior to firstHsDone. */ | |||
1084 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 1084); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); tls13_FatalError(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error ); } while (0); | |||
1085 | return SECFailure; | |||
1086 | } | |||
1087 | ||||
1088 | rv = ssl3_ConsumeHandshakeNumber(ss, &update, 1, &b, &length); | |||
1089 | if (rv != SECSuccess) { | |||
1090 | return SECFailure; /* Error code set already. */ | |||
1091 | } | |||
1092 | if (length != 0) { | |||
1093 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_KEY_UPDATE, decode_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_KEY_UPDATE, __func__ , "tls13con.c", 1093); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_KEY_UPDATE ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_KEY_UPDATE , decode_error); } while (0); | |||
1094 | return SECFailure; | |||
1095 | } | |||
1096 | if (!(update == update_requested || | |||
1097 | update == update_not_requested)) { | |||
1098 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_KEY_UPDATE, decode_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_KEY_UPDATE, __func__ , "tls13con.c", 1098); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_KEY_UPDATE ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_KEY_UPDATE , decode_error); } while (0); | |||
1099 | return SECFailure; | |||
1100 | } | |||
1101 | ||||
1102 | if (IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram)) { | |||
1103 | return dtls13_HandleKeyUpdate(ss, b, length, update); | |||
1104 | } | |||
1105 | ||||
1106 | rv = tls13_UpdateTrafficKeys(ss, ssl_secret_read); | |||
1107 | if (rv != SECSuccess) { | |||
1108 | return SECFailure; /* Error code set by tls13_UpdateTrafficKeys. */ | |||
1109 | } | |||
1110 | ||||
1111 | if (update == update_requested) { | |||
1112 | PRBool sendUpdate; | |||
1113 | if (ss->ssl3.clientCertRequested) { | |||
1114 | /* Post-handshake auth is in progress; defer sending a key update. */ | |||
1115 | ss->ssl3.hs.keyUpdateDeferred = PR_TRUE1; | |||
1116 | ss->ssl3.hs.deferredKeyUpdateRequest = update_not_requested; | |||
1117 | sendUpdate = PR_FALSE0; | |||
1118 | } else if (ss->ssl3.peerRequestedKeyUpdate) { | |||
1119 | /* Only send an update if we have sent with the current spec. This | |||
1120 | * prevents us from being forced to crank forward pointlessly. */ | |||
1121 | ssl_GetSpecReadLock(ss){ if (!ss->opt.noLocks) NSSRWLock_LockRead_Util((ss)->specLock ); }; | |||
1122 | sendUpdate = ss->ssl3.cwSpec->nextSeqNum > 0; | |||
1123 | ssl_ReleaseSpecReadLock(ss){ if (!ss->opt.noLocks) NSSRWLock_UnlockRead_Util((ss)-> specLock); }; | |||
1124 | } else { | |||
1125 | sendUpdate = PR_TRUE1; | |||
1126 | } | |||
1127 | if (sendUpdate) { | |||
1128 | /* Respond immediately (don't buffer). */ | |||
1129 | rv = tls13_SendKeyUpdate(ss, update_not_requested, PR_FALSE0); | |||
1130 | if (rv != SECSuccess) { | |||
1131 | return SECFailure; /* Error already set. */ | |||
1132 | } | |||
1133 | } | |||
1134 | ss->ssl3.peerRequestedKeyUpdate = PR_TRUE1; | |||
1135 | } | |||
1136 | ||||
1137 | return SECSuccess; | |||
1138 | } | |||
1139 | ||||
1140 | SECStatus | |||
1141 | SSLExp_SendCertificateRequest(PRFileDesc *fd) | |||
1142 | { | |||
1143 | SECStatus rv; | |||
1144 | sslSocket *ss = ssl_FindSocket(fd); | |||
1145 | if (!ss) { | |||
1146 | return SECFailure; | |||
1147 | } | |||
1148 | ||||
1149 | /* Not supported. */ | |||
1150 | if (IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram)) { | |||
1151 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_VERSION); | |||
1152 | return SECFailure; | |||
1153 | } | |||
1154 | ||||
1155 | if (!tls13_IsPostHandshake(ss)) { | |||
1156 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); | |||
1157 | return SECFailure; | |||
1158 | } | |||
1159 | ||||
1160 | if (ss->ssl3.clientCertRequested) { | |||
1161 | PORT_SetErrorPORT_SetError_Util(PR_WOULD_BLOCK_ERROR(-5998L)); | |||
1162 | return SECFailure; | |||
1163 | } | |||
1164 | ||||
1165 | /* Disallow a CertificateRequest if this connection uses an external PSK. */ | |||
1166 | if (ss->sec.authType == ssl_auth_psk) { | |||
1167 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_FEATURE_DISABLED); | |||
1168 | return SECFailure; | |||
1169 | } | |||
1170 | ||||
1171 | rv = TLS13_CHECK_HS_STATE(ss, SEC_ERROR_INVALID_ARGS,tls13_CheckHsState(ss, SEC_ERROR_INVALID_ARGS, "SEC_ERROR_INVALID_ARGS" , __func__, "tls13con.c", 1172, idle_handshake, wait_invalid) | |||
1172 | idle_handshake)tls13_CheckHsState(ss, SEC_ERROR_INVALID_ARGS, "SEC_ERROR_INVALID_ARGS" , __func__, "tls13con.c", 1172, idle_handshake, wait_invalid); | |||
1173 | if (rv != SECSuccess) { | |||
1174 | return SECFailure; | |||
1175 | } | |||
1176 | ||||
1177 | if (!ssl3_ExtensionNegotiated(ss, ssl_tls13_post_handshake_auth_xtn)) { | |||
1178 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_MISSING_POST_HANDSHAKE_AUTH_EXTENSION); | |||
1179 | return SECFailure; | |||
1180 | } | |||
1181 | ||||
1182 | ssl_GetSSL3HandshakeLock(ss){ if (!ss->opt.noLocks) { ((!((PR_GetMonitorEntryCount(((ss )->xmitBufLock)) > 0)))?((void)0):PR_Assert("!ssl_HaveXmitBufLock(ss)" ,"tls13con.c",1182)); PR_EnterMonitor(((ss)->ssl3HandshakeLock )); } }; | |||
1183 | ||||
1184 | rv = tls13_SendCertificateRequest(ss); | |||
1185 | if (rv == SECSuccess) { | |||
1186 | ssl_GetXmitBufLock(ss){ if (!ss->opt.noLocks) PR_EnterMonitor(((ss)->xmitBufLock )); }; | |||
1187 | rv = ssl3_FlushHandshake(ss, 0); | |||
1188 | ssl_ReleaseXmitBufLock(ss){ if (!ss->opt.noLocks) PR_ExitMonitor(((ss)->xmitBufLock )); }; | |||
1189 | ss->ssl3.clientCertRequested = PR_TRUE1; | |||
1190 | } | |||
1191 | ||||
1192 | ssl_ReleaseSSL3HandshakeLock(ss){ if (!ss->opt.noLocks) PR_ExitMonitor(((ss)->ssl3HandshakeLock )); }; | |||
1193 | return rv; | |||
1194 | } | |||
1195 | ||||
1196 | SECStatus | |||
1197 | tls13_HandlePostHelloHandshakeMessage(sslSocket *ss, PRUint8 *b, PRUint32 length) | |||
1198 | { | |||
1199 | if (ss->sec.isServer && ss->ssl3.hs.zeroRttIgnore != ssl_0rtt_ignore_none) { | |||
1200 | SSL_TRC(3, ("%d: TLS13[%d]: successfully decrypted handshake after "if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: successfully decrypted handshake after " "failed 0-RTT", getpid(), ss->fd) | |||
1201 | "failed 0-RTT",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: successfully decrypted handshake after " "failed 0-RTT", getpid(), ss->fd) | |||
1202 | SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: successfully decrypted handshake after " "failed 0-RTT", getpid(), ss->fd); | |||
1203 | ss->ssl3.hs.zeroRttIgnore = ssl_0rtt_ignore_none; | |||
1204 | } | |||
1205 | ||||
1206 | /* TODO(ekr@rtfm.com): Would it be better to check all the states here? */ | |||
1207 | switch (ss->ssl3.hs.msg_type) { | |||
1208 | case ssl_hs_certificate: | |||
1209 | return tls13_HandleCertificate(ss, b, length, PR_FALSE0); | |||
1210 | case ssl_hs_compressed_certificate: | |||
1211 | return tls13_HandleCertificateDecode(ss, b, length); | |||
1212 | case ssl_hs_certificate_request: | |||
1213 | return tls13_HandleCertificateRequest(ss, b, length); | |||
1214 | ||||
1215 | case ssl_hs_certificate_verify: | |||
1216 | return tls13_HandleCertificateVerify(ss, b, length); | |||
1217 | ||||
1218 | case ssl_hs_encrypted_extensions: | |||
1219 | return tls13_HandleEncryptedExtensions(ss, b, length); | |||
1220 | ||||
1221 | case ssl_hs_new_session_ticket: | |||
1222 | return tls13_HandleNewSessionTicket(ss, b, length); | |||
1223 | ||||
1224 | case ssl_hs_finished: | |||
1225 | if (ss->sec.isServer) { | |||
1226 | return tls13_ServerHandleFinished(ss, b, length); | |||
1227 | } else { | |||
1228 | return tls13_ClientHandleFinished(ss, b, length); | |||
1229 | } | |||
1230 | ||||
1231 | case ssl_hs_end_of_early_data: | |||
1232 | return tls13_HandleEndOfEarlyData(ss, b, length); | |||
1233 | ||||
1234 | case ssl_hs_key_update: | |||
1235 | return tls13_HandleKeyUpdate(ss, b, length); | |||
1236 | ||||
1237 | default: | |||
1238 | FATAL_ERROR(ss, SSL_ERROR_RX_UNKNOWN_HANDSHAKE, unexpected_message)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_UNKNOWN_HANDSHAKE, __func__ , "tls13con.c", 1238); PORT_SetError_Util(SSL_ERROR_RX_UNKNOWN_HANDSHAKE ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_UNKNOWN_HANDSHAKE , unexpected_message); } while (0); | |||
1239 | return SECFailure; | |||
1240 | } | |||
1241 | ||||
1242 | PORT_Assert(0)((0)?((void)0):PR_Assert("0","tls13con.c",1242)); /* Unreached */ | |||
1243 | return SECFailure; | |||
1244 | } | |||
1245 | ||||
1246 | static SECStatus | |||
1247 | tls13_RecoverWrappedSharedSecret(sslSocket *ss, sslSessionID *sid) | |||
1248 | { | |||
1249 | PK11SymKey *wrapKey; /* wrapping key */ | |||
1250 | SECItem wrappedMS = { siBuffer, NULL((void*)0), 0 }; | |||
1251 | SSLHashType hashType; | |||
1252 | ||||
1253 | SSL_TRC(3, ("%d: TLS13[%d]: recovering static secret (%s)",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: recovering static secret (%s)" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" )) | |||
1254 | SSL_GETPID(), ss->fd, SSL_ROLE(ss)))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: recovering static secret (%s)" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" )); | |||
1255 | ||||
1256 | /* Now find the hash used as the PRF for the previous handshake. */ | |||
1257 | hashType = tls13_GetHashForCipherSuite(sid->u.ssl3.cipherSuite); | |||
1258 | ||||
1259 | /* If we are the server, we compute the wrapping key, but if we | |||
1260 | * are the client, its coordinates are stored with the ticket. */ | |||
1261 | if (ss->sec.isServer) { | |||
1262 | wrapKey = ssl3_GetWrappingKey(ss, NULL((void*)0), | |||
1263 | sid->u.ssl3.masterWrapMech, | |||
1264 | ss->pkcs11PinArg); | |||
1265 | } else { | |||
1266 | PK11SlotInfo *slot = SECMOD_LookupSlot(sid->u.ssl3.masterModuleID, | |||
1267 | sid->u.ssl3.masterSlotID); | |||
1268 | if (!slot) | |||
1269 | return SECFailure; | |||
1270 | ||||
1271 | wrapKey = PK11_GetWrapKey(slot, | |||
1272 | sid->u.ssl3.masterWrapIndex, | |||
1273 | sid->u.ssl3.masterWrapMech, | |||
1274 | sid->u.ssl3.masterWrapSeries, | |||
1275 | ss->pkcs11PinArg); | |||
1276 | PK11_FreeSlot(slot); | |||
1277 | } | |||
1278 | if (!wrapKey) { | |||
1279 | return SECFailure; | |||
1280 | } | |||
1281 | ||||
1282 | wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret; | |||
1283 | wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len; | |||
1284 | ||||
1285 | PK11SymKey *unwrappedPsk = ssl_unwrapSymKey(wrapKey, sid->u.ssl3.masterWrapMech, | |||
1286 | NULL((void*)0), &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE0x00000371UL, | |||
1287 | CKA_DERIVE0x0000010CUL, tls13_GetHashSizeForHash(hashType), | |||
1288 | CKF_SIGN0x00000800UL | CKF_VERIFY0x00002000, ss->pkcs11PinArg); | |||
1289 | PK11_FreeSymKey(wrapKey); | |||
1290 | if (!unwrappedPsk) { | |||
1291 | return SECFailure; | |||
1292 | } | |||
1293 | sslPsk *rpsk = tls13_MakePsk(unwrappedPsk, ssl_psk_resume, hashType, NULL((void*)0)); | |||
1294 | if (!rpsk) { | |||
1295 | PK11_FreeSymKey(unwrappedPsk); | |||
1296 | return SECFailure; | |||
1297 | } | |||
1298 | if (sid->u.ssl3.locked.sessionTicket.flags & ticket_allow_early_data) { | |||
1299 | rpsk->maxEarlyData = sid->u.ssl3.locked.sessionTicket.max_early_data_size; | |||
1300 | rpsk->zeroRttSuite = sid->u.ssl3.cipherSuite; | |||
1301 | } | |||
1302 | PRINT_KEY(50, (ss, "Recovered RMS", rpsk->key))if (ssl_trace >= (50)) ssl_PrintKey (ss, "Recovered RMS", rpsk ->key); | |||
1303 | PORT_Assert(PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks) ||((((&ss->ssl3.hs.psks)->next == (&ss->ssl3.hs .psks)) || ((sslPsk *)(&ss->ssl3.hs.psks)->next)-> type != ssl_psk_resume)?((void)0):PR_Assert("PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks) || ((sslPsk *)PR_LIST_HEAD(&ss->ssl3.hs.psks))->type != ssl_psk_resume" ,"tls13con.c",1304)) | |||
1304 | ((sslPsk *)PR_LIST_HEAD(&ss->ssl3.hs.psks))->type != ssl_psk_resume)((((&ss->ssl3.hs.psks)->next == (&ss->ssl3.hs .psks)) || ((sslPsk *)(&ss->ssl3.hs.psks)->next)-> type != ssl_psk_resume)?((void)0):PR_Assert("PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks) || ((sslPsk *)PR_LIST_HEAD(&ss->ssl3.hs.psks))->type != ssl_psk_resume" ,"tls13con.c",1304)); | |||
1305 | ||||
1306 | if (ss->sec.isServer) { | |||
1307 | /* In server, we couldn't select the RPSK in the extension handler | |||
1308 | * since it was not unwrapped yet. We're committed now, so select | |||
1309 | * it and add it to the list (to ensure it is freed). */ | |||
1310 | ss->xtnData.selectedPsk = rpsk; | |||
1311 | } | |||
1312 | PR_APPEND_LINK(&rpsk->link, &ss->ssl3.hs.psks)do { (&rpsk->link)->next = (&ss->ssl3.hs.psks ); (&rpsk->link)->prev = (&ss->ssl3.hs.psks) ->prev; (&ss->ssl3.hs.psks)->prev->next = (& rpsk->link); (&ss->ssl3.hs.psks)->prev = (&rpsk ->link); } while (0); | |||
1313 | ||||
1314 | return SECSuccess; | |||
1315 | } | |||
1316 | ||||
1317 | /* Key Derivation Functions. | |||
1318 | * | |||
1319 | * 0 | |||
1320 | * | | |||
1321 | * v | |||
1322 | * PSK -> HKDF-Extract = Early Secret | |||
1323 | * | | |||
1324 | * +-----> Derive-Secret(., "ext binder" | "res binder", "") | |||
1325 | * | = binder_key | |||
1326 | * | | |||
1327 | * +-----> Derive-Secret(., "c e traffic", | |||
1328 | * | ClientHello) | |||
1329 | * | = client_early_traffic_secret | |||
1330 | * | | |||
1331 | * +-----> Derive-Secret(., "e exp master", | |||
1332 | * | ClientHello) | |||
1333 | * | = early_exporter_secret | |||
1334 | * v | |||
1335 | * Derive-Secret(., "derived", "") | |||
1336 | * | | |||
1337 | * v | |||
1338 | *(EC)DHE -> HKDF-Extract = Handshake Secret | |||
1339 | * | | |||
1340 | * +-----> Derive-Secret(., "c hs traffic", | |||
1341 | * | ClientHello...ServerHello) | |||
1342 | * | = client_handshake_traffic_secret | |||
1343 | * | | |||
1344 | * +-----> Derive-Secret(., "s hs traffic", | |||
1345 | * | ClientHello...ServerHello) | |||
1346 | * | = server_handshake_traffic_secret | |||
1347 | * v | |||
1348 | * Derive-Secret(., "derived", "") | |||
1349 | * | | |||
1350 | * v | |||
1351 | * 0 -> HKDF-Extract = Master Secret | |||
1352 | * | | |||
1353 | * +-----> Derive-Secret(., "c ap traffic", | |||
1354 | * | ClientHello...Server Finished) | |||
1355 | * | = client_traffic_secret_0 | |||
1356 | * | | |||
1357 | * +-----> Derive-Secret(., "s ap traffic", | |||
1358 | * | ClientHello...Server Finished) | |||
1359 | * | = server_traffic_secret_0 | |||
1360 | * | | |||
1361 | * +-----> Derive-Secret(., "exp master", | |||
1362 | * | ClientHello...Server Finished) | |||
1363 | * | = exporter_secret | |||
1364 | * | | |||
1365 | * +-----> Derive-Secret(., "res master", | |||
1366 | * ClientHello...Client Finished) | |||
1367 | * = resumption_master_secret | |||
1368 | * | |||
1369 | */ | |||
1370 | static SECStatus | |||
1371 | tls13_ComputeEarlySecretsWithPsk(sslSocket *ss) | |||
1372 | { | |||
1373 | SECStatus rv; | |||
1374 | ||||
1375 | SSL_TRC(5, ("%d: TLS13[%d]: compute early secrets (%s)",if (ssl_trace >= (5)) ssl_Trace ("%d: TLS13[%d]: compute early secrets (%s)" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" )) | |||
1376 | SSL_GETPID(), ss->fd, SSL_ROLE(ss)))if (ssl_trace >= (5)) ssl_Trace ("%d: TLS13[%d]: compute early secrets (%s)" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" )); | |||
1377 | ||||
1378 | PORT_Assert(!ss->ssl3.hs.currentSecret)((!ss->ssl3.hs.currentSecret)?((void)0):PR_Assert("!ss->ssl3.hs.currentSecret" ,"tls13con.c",1378)); | |||
1379 | sslPsk *psk = NULL((void*)0); | |||
1380 | ||||
1381 | if (ss->sec.isServer) { | |||
1382 | psk = ss->xtnData.selectedPsk; | |||
1383 | } else { | |||
1384 | /* Client to use the first PSK for early secrets. */ | |||
1385 | PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks))((!((&ss->ssl3.hs.psks)->next == (&ss->ssl3. hs.psks)))?((void)0):PR_Assert("!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks)" ,"tls13con.c",1385)); | |||
1386 | psk = (sslPsk *)PR_LIST_HEAD(&ss->ssl3.hs.psks)(&ss->ssl3.hs.psks)->next; | |||
1387 | } | |||
1388 | PORT_Assert(psk && psk->key)((psk && psk->key)?((void)0):PR_Assert("psk && psk->key" ,"tls13con.c",1388)); | |||
1389 | PORT_Assert(psk->hash != ssl_hash_none)((psk->hash != ssl_hash_none)?((void)0):PR_Assert("psk->hash != ssl_hash_none" ,"tls13con.c",1389)); | |||
1390 | ||||
1391 | PK11SymKey *earlySecret = NULL((void*)0); | |||
1392 | rv = tls13_HkdfExtract(NULL((void*)0), psk->key, psk->hash, &earlySecret); | |||
1393 | if (rv != SECSuccess) { | |||
1394 | return SECFailure; | |||
1395 | } | |||
1396 | ||||
1397 | /* No longer need the raw input key */ | |||
1398 | PK11_FreeSymKey(psk->key); | |||
1399 | psk->key = NULL((void*)0); | |||
1400 | const char *label = (psk->type == ssl_psk_resume) ? kHkdfLabelResPskBinderKey : kHkdfLabelExtPskBinderKey; | |||
1401 | rv = tls13_DeriveSecretNullHash(ss, earlySecret, | |||
1402 | label, strlen(label), | |||
1403 | &psk->binderKey, psk->hash); | |||
1404 | if (rv != SECSuccess) { | |||
1405 | PK11_FreeSymKey(earlySecret); | |||
1406 | return SECFailure; | |||
1407 | } | |||
1408 | ss->ssl3.hs.currentSecret = earlySecret; | |||
1409 | ||||
1410 | return SECSuccess; | |||
1411 | } | |||
1412 | ||||
1413 | /* This derives the early traffic and early exporter secrets. */ | |||
1414 | static SECStatus | |||
1415 | tls13_DeriveEarlySecrets(sslSocket *ss) | |||
1416 | { | |||
1417 | SECStatus rv; | |||
1418 | PORT_Assert(ss->ssl3.hs.currentSecret)((ss->ssl3.hs.currentSecret)?((void)0):PR_Assert("ss->ssl3.hs.currentSecret" ,"tls13con.c",1418)); | |||
1419 | rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret, | |||
1420 | kHkdfLabelClient, | |||
1421 | kHkdfLabelEarlyTrafficSecret, | |||
1422 | keylogLabelClientEarlyTrafficSecret, | |||
1423 | &ss->ssl3.hs.clientEarlyTrafficSecret); | |||
1424 | if (rv != SECSuccess) { | |||
1425 | return SECFailure; | |||
1426 | } | |||
1427 | ||||
1428 | if (ss->secretCallback) { | |||
1429 | ss->secretCallback(ss->fd, (PRUint16)TrafficKeyEarlyApplicationData, | |||
1430 | ss->sec.isServer ? ssl_secret_read : ssl_secret_write, | |||
1431 | ss->ssl3.hs.clientEarlyTrafficSecret, | |||
1432 | ss->secretCallbackArg); | |||
1433 | } | |||
1434 | ||||
1435 | rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret, | |||
1436 | NULL((void*)0), kHkdfLabelEarlyExporterSecret, | |||
1437 | keylogLabelEarlyExporterSecret, | |||
1438 | &ss->ssl3.hs.earlyExporterSecret); | |||
1439 | if (rv != SECSuccess) { | |||
1440 | return SECFailure; | |||
1441 | } | |||
1442 | ||||
1443 | return SECSuccess; | |||
1444 | } | |||
1445 | ||||
1446 | static SECStatus | |||
1447 | tls13_ComputeHandshakeSecret(sslSocket *ss) | |||
1448 | { | |||
1449 | SECStatus rv; | |||
1450 | PK11SymKey *derivedSecret = NULL((void*)0); | |||
1451 | PK11SymKey *newSecret = NULL((void*)0); | |||
1452 | SSL_TRC(5, ("%d: TLS13[%d]: compute handshake secret (%s)",if (ssl_trace >= (5)) ssl_Trace ("%d: TLS13[%d]: compute handshake secret (%s)" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" )) | |||
1453 | SSL_GETPID(), ss->fd, SSL_ROLE(ss)))if (ssl_trace >= (5)) ssl_Trace ("%d: TLS13[%d]: compute handshake secret (%s)" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" )); | |||
1454 | ||||
1455 | /* If no PSK, generate the default early secret. */ | |||
1456 | if (!ss->ssl3.hs.currentSecret) { | |||
1457 | PORT_Assert(!ss->xtnData.selectedPsk)((!ss->xtnData.selectedPsk)?((void)0):PR_Assert("!ss->xtnData.selectedPsk" ,"tls13con.c",1457)); | |||
1458 | rv = tls13_HkdfExtract(NULL((void*)0), NULL((void*)0), | |||
1459 | tls13_GetHash(ss), &ss->ssl3.hs.currentSecret); | |||
1460 | if (rv != SECSuccess) { | |||
1461 | return SECFailure; | |||
1462 | } | |||
1463 | } | |||
1464 | PORT_Assert(ss->ssl3.hs.currentSecret)((ss->ssl3.hs.currentSecret)?((void)0):PR_Assert("ss->ssl3.hs.currentSecret" ,"tls13con.c",1464)); | |||
1465 | PORT_Assert(ss->ssl3.hs.dheSecret)((ss->ssl3.hs.dheSecret)?((void)0):PR_Assert("ss->ssl3.hs.dheSecret" ,"tls13con.c",1465)); | |||
1466 | ||||
1467 | /* Derive-Secret(., "derived", "") */ | |||
1468 | rv = tls13_DeriveSecretNullHash(ss, ss->ssl3.hs.currentSecret, | |||
1469 | kHkdfLabelDerivedSecret, | |||
1470 | strlen(kHkdfLabelDerivedSecret), | |||
1471 | &derivedSecret, tls13_GetHash(ss)); | |||
1472 | if (rv != SECSuccess) { | |||
1473 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE)do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 1473); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); | |||
1474 | return rv; | |||
1475 | } | |||
1476 | ||||
1477 | /* HKDF-Extract(ECDHE, .) = Handshake Secret */ | |||
1478 | rv = tls13_HkdfExtract(derivedSecret, ss->ssl3.hs.dheSecret, | |||
1479 | tls13_GetHash(ss), &newSecret); | |||
1480 | PK11_FreeSymKey(derivedSecret); | |||
1481 | if (rv != SECSuccess) { | |||
1482 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE)do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 1482); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); | |||
1483 | return rv; | |||
1484 | } | |||
1485 | ||||
1486 | PK11_FreeSymKey(ss->ssl3.hs.currentSecret); | |||
1487 | ss->ssl3.hs.currentSecret = newSecret; | |||
1488 | return SECSuccess; | |||
1489 | } | |||
1490 | ||||
1491 | static SECStatus | |||
1492 | tls13_ComputeHandshakeSecrets(sslSocket *ss) | |||
1493 | { | |||
1494 | SECStatus rv; | |||
1495 | PK11SymKey *derivedSecret = NULL((void*)0); | |||
1496 | PK11SymKey *newSecret = NULL((void*)0); | |||
1497 | ||||
1498 | PK11_FreeSymKey(ss->ssl3.hs.dheSecret); | |||
1499 | ss->ssl3.hs.dheSecret = NULL((void*)0); | |||
1500 | ||||
1501 | SSL_TRC(5, ("%d: TLS13[%d]: compute handshake secrets (%s)",if (ssl_trace >= (5)) ssl_Trace ("%d: TLS13[%d]: compute handshake secrets (%s)" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" )) | |||
1502 | SSL_GETPID(), ss->fd, SSL_ROLE(ss)))if (ssl_trace >= (5)) ssl_Trace ("%d: TLS13[%d]: compute handshake secrets (%s)" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" )); | |||
1503 | ||||
1504 | /* Now compute |*HsTrafficSecret| */ | |||
1505 | rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret, | |||
1506 | kHkdfLabelClient, | |||
1507 | kHkdfLabelHandshakeTrafficSecret, | |||
1508 | keylogLabelClientHsTrafficSecret, | |||
1509 | &ss->ssl3.hs.clientHsTrafficSecret); | |||
1510 | if (rv != SECSuccess) { | |||
1511 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE)do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 1511); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); | |||
1512 | return rv; | |||
1513 | } | |||
1514 | rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret, | |||
1515 | kHkdfLabelServer, | |||
1516 | kHkdfLabelHandshakeTrafficSecret, | |||
1517 | keylogLabelServerHsTrafficSecret, | |||
1518 | &ss->ssl3.hs.serverHsTrafficSecret); | |||
1519 | if (rv != SECSuccess) { | |||
1520 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE)do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 1520); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); | |||
1521 | return rv; | |||
1522 | } | |||
1523 | ||||
1524 | if (ss->secretCallback) { | |||
1525 | SSLSecretDirection dir = | |||
1526 | ss->sec.isServer ? ssl_secret_read : ssl_secret_write; | |||
1527 | ss->secretCallback(ss->fd, (PRUint16)TrafficKeyHandshake, dir, | |||
1528 | ss->ssl3.hs.clientHsTrafficSecret, | |||
1529 | ss->secretCallbackArg); | |||
1530 | dir = ss->sec.isServer ? ssl_secret_write : ssl_secret_read; | |||
1531 | ss->secretCallback(ss->fd, (PRUint16)TrafficKeyHandshake, dir, | |||
1532 | ss->ssl3.hs.serverHsTrafficSecret, | |||
1533 | ss->secretCallbackArg); | |||
1534 | } | |||
1535 | ||||
1536 | SSL_TRC(5, ("%d: TLS13[%d]: compute master secret (%s)",if (ssl_trace >= (5)) ssl_Trace ("%d: TLS13[%d]: compute master secret (%s)" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" )) | |||
1537 | SSL_GETPID(), ss->fd, SSL_ROLE(ss)))if (ssl_trace >= (5)) ssl_Trace ("%d: TLS13[%d]: compute master secret (%s)" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" )); | |||
1538 | ||||
1539 | /* Crank HKDF forward to make master secret, which we | |||
1540 | * stuff in current secret. */ | |||
1541 | rv = tls13_DeriveSecretNullHash(ss, ss->ssl3.hs.currentSecret, | |||
1542 | kHkdfLabelDerivedSecret, | |||
1543 | strlen(kHkdfLabelDerivedSecret), | |||
1544 | &derivedSecret, tls13_GetHash(ss)); | |||
1545 | if (rv != SECSuccess) { | |||
1546 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE)do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 1546); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); | |||
1547 | return rv; | |||
1548 | } | |||
1549 | rv = tls13_HkdfExtract(derivedSecret, | |||
1550 | NULL((void*)0), | |||
1551 | tls13_GetHash(ss), | |||
1552 | &newSecret); | |||
1553 | PK11_FreeSymKey(derivedSecret); | |||
1554 | if (rv != SECSuccess) { | |||
1555 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE)do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 1555); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); | |||
1556 | return SECFailure; | |||
1557 | } | |||
1558 | PK11_FreeSymKey(ss->ssl3.hs.currentSecret); | |||
1559 | ss->ssl3.hs.currentSecret = newSecret; | |||
1560 | ||||
1561 | return SECSuccess; | |||
1562 | } | |||
1563 | ||||
1564 | static SECStatus | |||
1565 | tls13_ComputeApplicationSecrets(sslSocket *ss) | |||
1566 | { | |||
1567 | SECStatus rv; | |||
1568 | ||||
1569 | rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret, | |||
1570 | kHkdfLabelClient, | |||
1571 | kHkdfLabelApplicationTrafficSecret, | |||
1572 | keylogLabelClientTrafficSecret, | |||
1573 | &ss->ssl3.hs.clientTrafficSecret); | |||
1574 | if (rv != SECSuccess) { | |||
1575 | return SECFailure; | |||
1576 | } | |||
1577 | rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret, | |||
1578 | kHkdfLabelServer, | |||
1579 | kHkdfLabelApplicationTrafficSecret, | |||
1580 | keylogLabelServerTrafficSecret, | |||
1581 | &ss->ssl3.hs.serverTrafficSecret); | |||
1582 | if (rv != SECSuccess) { | |||
1583 | return SECFailure; | |||
1584 | } | |||
1585 | ||||
1586 | if (ss->secretCallback) { | |||
1587 | SSLSecretDirection dir = | |||
1588 | ss->sec.isServer ? ssl_secret_read : ssl_secret_write; | |||
1589 | ss->secretCallback(ss->fd, (PRUint16)TrafficKeyApplicationData, | |||
1590 | dir, ss->ssl3.hs.clientTrafficSecret, | |||
1591 | ss->secretCallbackArg); | |||
1592 | dir = ss->sec.isServer ? ssl_secret_write : ssl_secret_read; | |||
1593 | ss->secretCallback(ss->fd, (PRUint16)TrafficKeyApplicationData, | |||
1594 | dir, ss->ssl3.hs.serverTrafficSecret, | |||
1595 | ss->secretCallbackArg); | |||
1596 | } | |||
1597 | ||||
1598 | rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret, | |||
1599 | NULL((void*)0), kHkdfLabelExporterMasterSecret, | |||
1600 | keylogLabelExporterSecret, | |||
1601 | &ss->ssl3.hs.exporterSecret); | |||
1602 | if (rv != SECSuccess) { | |||
1603 | return SECFailure; | |||
1604 | } | |||
1605 | ||||
1606 | return SECSuccess; | |||
1607 | } | |||
1608 | ||||
1609 | static SECStatus | |||
1610 | tls13_ComputeFinalSecrets(sslSocket *ss) | |||
1611 | { | |||
1612 | SECStatus rv; | |||
1613 | ||||
1614 | PORT_Assert(!ss->ssl3.crSpec->masterSecret)((!ss->ssl3.crSpec->masterSecret)?((void)0):PR_Assert("!ss->ssl3.crSpec->masterSecret" ,"tls13con.c",1614)); | |||
1615 | PORT_Assert(!ss->ssl3.cwSpec->masterSecret)((!ss->ssl3.cwSpec->masterSecret)?((void)0):PR_Assert("!ss->ssl3.cwSpec->masterSecret" ,"tls13con.c",1615)); | |||
1616 | PORT_Assert(ss->ssl3.hs.currentSecret)((ss->ssl3.hs.currentSecret)?((void)0):PR_Assert("ss->ssl3.hs.currentSecret" ,"tls13con.c",1616)); | |||
1617 | rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret, | |||
1618 | NULL((void*)0), kHkdfLabelResumptionMasterSecret, | |||
1619 | NULL((void*)0), | |||
1620 | &ss->ssl3.hs.resumptionMasterSecret); | |||
1621 | PK11_FreeSymKey(ss->ssl3.hs.currentSecret); | |||
1622 | ss->ssl3.hs.currentSecret = NULL((void*)0); | |||
1623 | if (rv != SECSuccess) { | |||
1624 | return SECFailure; | |||
1625 | } | |||
1626 | ||||
1627 | return SECSuccess; | |||
1628 | } | |||
1629 | ||||
1630 | static void | |||
1631 | tls13_RestoreCipherInfo(sslSocket *ss, sslSessionID *sid) | |||
1632 | { | |||
1633 | /* Set these to match the cached value. | |||
1634 | * TODO(ekr@rtfm.com): Make a version with the "true" values. | |||
1635 | * Bug 1256137. | |||
1636 | */ | |||
1637 | ss->sec.authType = sid->authType; | |||
1638 | ss->sec.authKeyBits = sid->authKeyBits; | |||
1639 | ss->sec.originalKeaGroup = ssl_LookupNamedGroup(sid->keaGroup); | |||
1640 | ss->sec.signatureScheme = sid->sigScheme; | |||
1641 | } | |||
1642 | ||||
1643 | /* Check whether resumption-PSK is allowed. */ | |||
1644 | static PRBool | |||
1645 | tls13_CanResume(sslSocket *ss, const sslSessionID *sid) | |||
1646 | { | |||
1647 | const sslServerCert *sc; | |||
1648 | ||||
1649 | if (!sid) { | |||
1650 | return PR_FALSE0; | |||
1651 | } | |||
1652 | ||||
1653 | if (sid->version != ss->version) { | |||
1654 | return PR_FALSE0; | |||
1655 | } | |||
1656 | ||||
1657 | #ifdef UNSAFE_FUZZER_MODE | |||
1658 | /* When fuzzing, sid could contain garbage that will crash tls13_GetHashForCipherSuite. | |||
1659 | * Do a direct comparison of cipher suites. This makes us refuse to resume when the | |||
1660 | * protocol allows it, but resumption is discretionary anyway. */ | |||
1661 | if (sid->u.ssl3.cipherSuite != ss->ssl3.hs.cipher_suite) { | |||
1662 | #else | |||
1663 | if (tls13_GetHashForCipherSuite(sid->u.ssl3.cipherSuite) != tls13_GetHashForCipherSuite(ss->ssl3.hs.cipher_suite)) { | |||
1664 | #endif | |||
1665 | return PR_FALSE0; | |||
1666 | } | |||
1667 | ||||
1668 | /* Server sids don't remember the server cert we previously sent, but they | |||
1669 | * do remember the type of certificate we originally used, so we can locate | |||
1670 | * it again, provided that the current ssl socket has had its server certs | |||
1671 | * configured the same as the previous one. */ | |||
1672 | sc = ssl_FindServerCert(ss, sid->authType, sid->namedCurve); | |||
1673 | if (!sc || !sc->serverCert) { | |||
1674 | return PR_FALSE0; | |||
1675 | } | |||
1676 | ||||
1677 | return PR_TRUE1; | |||
1678 | } | |||
1679 | ||||
1680 | static PRBool | |||
1681 | tls13_CanNegotiateZeroRtt(sslSocket *ss, const sslSessionID *sid) | |||
1682 | { | |||
1683 | PORT_Assert(ss->ssl3.hs.zeroRttState == ssl_0rtt_sent)((ss->ssl3.hs.zeroRttState == ssl_0rtt_sent)?((void)0):PR_Assert ("ss->ssl3.hs.zeroRttState == ssl_0rtt_sent","tls13con.c", 1683)); | |||
1684 | sslPsk *psk = ss->xtnData.selectedPsk; | |||
1685 | ||||
1686 | if (!ss->opt.enable0RttData) { | |||
1687 | return PR_FALSE0; | |||
1688 | } | |||
1689 | if (!psk) { | |||
1690 | return PR_FALSE0; | |||
1691 | } | |||
1692 | if (psk->zeroRttSuite == TLS_NULL_WITH_NULL_NULL0x0000) { | |||
1693 | return PR_FALSE0; | |||
1694 | } | |||
1695 | if (!psk->maxEarlyData) { | |||
1696 | return PR_FALSE0; | |||
1697 | } | |||
1698 | if (ss->ssl3.hs.cipher_suite != psk->zeroRttSuite) { | |||
1699 | return PR_FALSE0; | |||
1700 | } | |||
1701 | if (psk->type == ssl_psk_resume) { | |||
1702 | if (!sid) { | |||
1703 | return PR_FALSE0; | |||
1704 | } | |||
1705 | PORT_Assert(sid->u.ssl3.locked.sessionTicket.flags & ticket_allow_early_data)((sid->u.ssl3.locked.sessionTicket.flags & ticket_allow_early_data )?((void)0):PR_Assert("sid->u.ssl3.locked.sessionTicket.flags & ticket_allow_early_data" ,"tls13con.c",1705)); | |||
1706 | PORT_Assert(ss->statelessResume)((ss->statelessResume)?((void)0):PR_Assert("ss->statelessResume" ,"tls13con.c",1706)); | |||
1707 | if (!ss->statelessResume) { | |||
1708 | return PR_FALSE0; | |||
1709 | } | |||
1710 | if (SECITEM_CompareItemSECITEM_CompareItem_Util(&ss->xtnData.nextProto, | |||
1711 | &sid->u.ssl3.alpnSelection) != 0) { | |||
1712 | return PR_FALSE0; | |||
1713 | } | |||
1714 | } else if (psk->type != ssl_psk_external) { | |||
1715 | PORT_Assert(0)((0)?((void)0):PR_Assert("0","tls13con.c",1715)); | |||
1716 | return PR_FALSE0; | |||
1717 | } | |||
1718 | ||||
1719 | if (tls13_IsReplay(ss, sid)) { | |||
1720 | return PR_FALSE0; | |||
1721 | } | |||
1722 | ||||
1723 | return PR_TRUE1; | |||
1724 | } | |||
1725 | ||||
1726 | /* Called from tls13_HandleClientHelloPart2 to update the state of 0-RTT handling. | |||
1727 | * | |||
1728 | * 0-RTT is only permitted if: | |||
1729 | * 1. The early data extension was present. | |||
1730 | * 2. We are resuming a session. | |||
1731 | * 3. The 0-RTT option is set. | |||
1732 | * 4. The ticket allowed 0-RTT. | |||
1733 | * 5. We negotiated the same ALPN value as in the ticket. | |||
1734 | */ | |||
1735 | static void | |||
1736 | tls13_NegotiateZeroRtt(sslSocket *ss, const sslSessionID *sid) | |||
1737 | { | |||
1738 | SSL_TRC(3, ("%d: TLS13[%d]: negotiate 0-RTT %p",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: negotiate 0-RTT %p" , getpid(), ss->fd, sid) | |||
1739 | SSL_GETPID(), ss->fd, sid))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: negotiate 0-RTT %p" , getpid(), ss->fd, sid); | |||
1740 | ||||
1741 | /* tls13_ServerHandleEarlyDataXtn sets this to ssl_0rtt_sent, so this will | |||
1742 | * be ssl_0rtt_none unless early_data is present. */ | |||
1743 | if (ss->ssl3.hs.zeroRttState == ssl_0rtt_none) { | |||
1744 | return; | |||
1745 | } | |||
1746 | ||||
1747 | if (ss->ssl3.hs.zeroRttState == ssl_0rtt_ignored) { | |||
1748 | /* HelloRetryRequest causes 0-RTT to be ignored. On the second | |||
1749 | * ClientHello, reset the ignore state so that decryption failure is | |||
1750 | * handled normally. */ | |||
1751 | if (ss->ssl3.hs.zeroRttIgnore == ssl_0rtt_ignore_hrr) { | |||
1752 | PORT_Assert(ss->ssl3.hs.helloRetry)((ss->ssl3.hs.helloRetry)?((void)0):PR_Assert("ss->ssl3.hs.helloRetry" ,"tls13con.c",1752)); | |||
1753 | ss->ssl3.hs.zeroRttState = ssl_0rtt_none; | |||
1754 | ss->ssl3.hs.zeroRttIgnore = ssl_0rtt_ignore_none; | |||
1755 | } else { | |||
1756 | SSL_TRC(3, ("%d: TLS13[%d]: application ignored 0-RTT",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: application ignored 0-RTT" , getpid(), ss->fd) | |||
1757 | SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: application ignored 0-RTT" , getpid(), ss->fd); | |||
1758 | } | |||
1759 | return; | |||
1760 | } | |||
1761 | ||||
1762 | if (!tls13_CanNegotiateZeroRtt(ss, sid)) { | |||
1763 | SSL_TRC(3, ("%d: TLS13[%d]: ignore 0-RTT", SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: ignore 0-RTT" , getpid(), ss->fd); | |||
1764 | ss->ssl3.hs.zeroRttState = ssl_0rtt_ignored; | |||
1765 | ss->ssl3.hs.zeroRttIgnore = ssl_0rtt_ignore_trial; | |||
1766 | return; | |||
1767 | } | |||
1768 | ||||
1769 | SSL_TRC(3, ("%d: TLS13[%d]: enable 0-RTT", SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: enable 0-RTT" , getpid(), ss->fd); | |||
1770 | PORT_Assert(ss->xtnData.selectedPsk)((ss->xtnData.selectedPsk)?((void)0):PR_Assert("ss->xtnData.selectedPsk" ,"tls13con.c",1770)); | |||
1771 | ss->ssl3.hs.zeroRttState = ssl_0rtt_accepted; | |||
1772 | ss->ssl3.hs.zeroRttIgnore = ssl_0rtt_ignore_none; | |||
1773 | ss->ssl3.hs.zeroRttSuite = ss->ssl3.hs.cipher_suite; | |||
1774 | ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_0rtt_cipher_suite(1U << 2); | |||
1775 | } | |||
1776 | ||||
1777 | /* Check if the offered group is acceptable. */ | |||
1778 | static PRBool | |||
1779 | tls13_isGroupAcceptable(const sslNamedGroupDef *offered, | |||
1780 | const sslNamedGroupDef *preferredGroup) | |||
1781 | { | |||
1782 | /* We accept epsilon (e) bits around the offered group size. */ | |||
1783 | const unsigned int e = 2; | |||
1784 | ||||
1785 | PORT_Assert(offered)((offered)?((void)0):PR_Assert("offered","tls13con.c",1785)); | |||
1786 | PORT_Assert(preferredGroup)((preferredGroup)?((void)0):PR_Assert("preferredGroup","tls13con.c" ,1786)); | |||
1787 | ||||
1788 | if (offered->bits >= preferredGroup->bits - e && | |||
1789 | offered->bits <= preferredGroup->bits + e) { | |||
1790 | return PR_TRUE1; | |||
1791 | } | |||
1792 | ||||
1793 | return PR_FALSE0; | |||
1794 | } | |||
1795 | ||||
1796 | /* Find remote key share for given group and return it. | |||
1797 | * Returns NULL if no key share is found. */ | |||
1798 | static TLS13KeyShareEntry * | |||
1799 | tls13_FindKeyShareEntry(sslSocket *ss, const sslNamedGroupDef *group) | |||
1800 | { | |||
1801 | PRCList *cur_p = PR_NEXT_LINK(&ss->xtnData.remoteKeyShares)((&ss->xtnData.remoteKeyShares)->next); | |||
1802 | while (cur_p != &ss->xtnData.remoteKeyShares) { | |||
1803 | TLS13KeyShareEntry *offer = (TLS13KeyShareEntry *)cur_p; | |||
1804 | if (offer->group == group) { | |||
1805 | return offer; | |||
1806 | } | |||
1807 | cur_p = PR_NEXT_LINK(cur_p)((cur_p)->next); | |||
1808 | } | |||
1809 | return NULL((void*)0); | |||
1810 | } | |||
1811 | ||||
1812 | static SECStatus | |||
1813 | tls13_NegotiateKeyExchange(sslSocket *ss, | |||
1814 | const sslNamedGroupDef **requestedGroup, | |||
1815 | TLS13KeyShareEntry **clientShare) | |||
1816 | { | |||
1817 | unsigned int index; | |||
1818 | TLS13KeyShareEntry *entry = NULL((void*)0); | |||
1819 | const sslNamedGroupDef *preferredGroup = NULL((void*)0); | |||
1820 | ||||
1821 | /* We insist on DHE. */ | |||
1822 | if (ssl3_ExtensionNegotiated(ss, ssl_tls13_pre_shared_key_xtn)) { | |||
1823 | if (!ssl3_ExtensionNegotiated(ss, ssl_tls13_psk_key_exchange_modes_xtn)) { | |||
1824 | FATAL_ERROR(ss, SSL_ERROR_MISSING_PSK_KEY_EXCHANGE_MODES,do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_MISSING_PSK_KEY_EXCHANGE_MODES , __func__, "tls13con.c", 1825); PORT_SetError_Util(SSL_ERROR_MISSING_PSK_KEY_EXCHANGE_MODES ); } while (0); tls13_FatalError(ss, SSL_ERROR_MISSING_PSK_KEY_EXCHANGE_MODES , missing_extension); } while (0) | |||
1825 | missing_extension)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_MISSING_PSK_KEY_EXCHANGE_MODES , __func__, "tls13con.c", 1825); PORT_SetError_Util(SSL_ERROR_MISSING_PSK_KEY_EXCHANGE_MODES ); } while (0); tls13_FatalError(ss, SSL_ERROR_MISSING_PSK_KEY_EXCHANGE_MODES , missing_extension); } while (0); | |||
1826 | return SECFailure; | |||
1827 | } | |||
1828 | /* Since the server insists on DHE to provide forward secracy, for | |||
1829 | * every other PskKem value but DHE stateless resumption is disabled, | |||
1830 | * this includes other specified and GREASE values. */ | |||
1831 | if (!memchr(ss->xtnData.psk_ke_modes.data, tls13_psk_dh_ke, | |||
1832 | ss->xtnData.psk_ke_modes.len)) { | |||
1833 | SSL_TRC(3, ("%d: TLS13[%d]: client offered PSK without DH",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: client offered PSK without DH" , getpid(), ss->fd) | |||
1834 | SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: client offered PSK without DH" , getpid(), ss->fd); | |||
1835 | ss->statelessResume = PR_FALSE0; | |||
1836 | } | |||
1837 | } | |||
1838 | ||||
1839 | /* Now figure out which key share we like the best out of the | |||
1840 | * mutually supported groups, regardless of what the client offered | |||
1841 | * for key shares. | |||
1842 | */ | |||
1843 | if (!ssl3_ExtensionNegotiated(ss, ssl_supported_groups_xtn)) { | |||
1844 | FATAL_ERROR(ss, SSL_ERROR_MISSING_SUPPORTED_GROUPS_EXTENSION,do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_MISSING_SUPPORTED_GROUPS_EXTENSION , __func__, "tls13con.c", 1845); PORT_SetError_Util(SSL_ERROR_MISSING_SUPPORTED_GROUPS_EXTENSION ); } while (0); tls13_FatalError(ss, SSL_ERROR_MISSING_SUPPORTED_GROUPS_EXTENSION , missing_extension); } while (0) | |||
1845 | missing_extension)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_MISSING_SUPPORTED_GROUPS_EXTENSION , __func__, "tls13con.c", 1845); PORT_SetError_Util(SSL_ERROR_MISSING_SUPPORTED_GROUPS_EXTENSION ); } while (0); tls13_FatalError(ss, SSL_ERROR_MISSING_SUPPORTED_GROUPS_EXTENSION , missing_extension); } while (0); | |||
1846 | return SECFailure; | |||
1847 | } | |||
1848 | ||||
1849 | SSL_TRC(3, ("%d: TLS13[%d]: selected KE = %s", SSL_GETPID(),if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: selected KE = %s" , getpid(), ss->fd, ss->statelessResume || ss->xtnData .selectedPsk ? "PSK + (EC)DHE" : "(EC)DHE") | |||
1850 | ss->fd, ss->statelessResume || ss->xtnData.selectedPsk ? "PSK + (EC)DHE" : "(EC)DHE"))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: selected KE = %s" , getpid(), ss->fd, ss->statelessResume || ss->xtnData .selectedPsk ? "PSK + (EC)DHE" : "(EC)DHE"); | |||
1851 | ||||
1852 | /* Find the preferred group and an according client key share available. */ | |||
1853 | for (index = 0; index < SSL_NAMED_GROUP_COUNT32; ++index) { | |||
1854 | /* Continue to the next group if this one is not enabled. */ | |||
1855 | if (!ss->namedGroupPreferences[index]) { | |||
1856 | /* There's a gap in the preferred groups list. Assume this is a group | |||
1857 | * that's not supported by the client but preferred by the server. */ | |||
1858 | if (preferredGroup) { | |||
1859 | entry = NULL((void*)0); | |||
1860 | break; | |||
1861 | } | |||
1862 | continue; | |||
1863 | } | |||
1864 | ||||
1865 | /* Check if the client sent a key share for this group. */ | |||
1866 | entry = tls13_FindKeyShareEntry(ss, ss->namedGroupPreferences[index]); | |||
1867 | ||||
1868 | if (preferredGroup) { | |||
1869 | /* We already found our preferred group but the group didn't have a share. */ | |||
1870 | if (entry) { | |||
1871 | /* The client sent a key share with group ss->namedGroupPreferences[index] */ | |||
1872 | if (tls13_isGroupAcceptable(ss->namedGroupPreferences[index], | |||
1873 | preferredGroup)) { | |||
1874 | /* This is not the preferred group, but it's acceptable */ | |||
1875 | preferredGroup = ss->namedGroupPreferences[index]; | |||
1876 | } else { | |||
1877 | /* The proposed group is not acceptable. */ | |||
1878 | entry = NULL((void*)0); | |||
1879 | } | |||
1880 | } | |||
1881 | break; | |||
1882 | } else { | |||
1883 | /* The first enabled group is the preferred group. */ | |||
1884 | preferredGroup = ss->namedGroupPreferences[index]; | |||
1885 | if (entry) { | |||
1886 | break; | |||
1887 | } | |||
1888 | } | |||
1889 | } | |||
1890 | ||||
1891 | if (!preferredGroup) { | |||
1892 | FATAL_ERROR(ss, SSL_ERROR_NO_CYPHER_OVERLAP, handshake_failure)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_NO_CYPHER_OVERLAP, __func__, "tls13con.c", 1892); PORT_SetError_Util(SSL_ERROR_NO_CYPHER_OVERLAP ); } while (0); tls13_FatalError(ss, SSL_ERROR_NO_CYPHER_OVERLAP , handshake_failure); } while (0); | |||
1893 | return SECFailure; | |||
1894 | } | |||
1895 | SSL_TRC(3, ("%d: TLS13[%d]: group = %d", SSL_GETPID(), ss->fd,if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: group = %d" , getpid(), ss->fd, preferredGroup->name) | |||
1896 | preferredGroup->name))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: group = %d" , getpid(), ss->fd, preferredGroup->name); | |||
1897 | ||||
1898 | /* Either provide a share, or provide a group that should be requested in a | |||
1899 | * HelloRetryRequest, but not both. */ | |||
1900 | if (entry) { | |||
1901 | PORT_Assert(preferredGroup == entry->group)((preferredGroup == entry->group)?((void)0):PR_Assert("preferredGroup == entry->group" ,"tls13con.c",1901)); | |||
1902 | *clientShare = entry; | |||
1903 | *requestedGroup = NULL((void*)0); | |||
1904 | } else { | |||
1905 | *clientShare = NULL((void*)0); | |||
1906 | *requestedGroup = preferredGroup; | |||
1907 | } | |||
1908 | return SECSuccess; | |||
1909 | } | |||
1910 | ||||
1911 | SECStatus | |||
1912 | tls13_SelectServerCert(sslSocket *ss) | |||
1913 | { | |||
1914 | PRCList *cursor; | |||
1915 | SECStatus rv; | |||
1916 | ||||
1917 | if (!ssl3_ExtensionNegotiated(ss, ssl_signature_algorithms_xtn)) { | |||
1918 | FATAL_ERROR(ss, SSL_ERROR_MISSING_SIGNATURE_ALGORITHMS_EXTENSION,do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_MISSING_SIGNATURE_ALGORITHMS_EXTENSION , __func__, "tls13con.c", 1919); PORT_SetError_Util(SSL_ERROR_MISSING_SIGNATURE_ALGORITHMS_EXTENSION ); } while (0); tls13_FatalError(ss, SSL_ERROR_MISSING_SIGNATURE_ALGORITHMS_EXTENSION , missing_extension); } while (0) | |||
1919 | missing_extension)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_MISSING_SIGNATURE_ALGORITHMS_EXTENSION , __func__, "tls13con.c", 1919); PORT_SetError_Util(SSL_ERROR_MISSING_SIGNATURE_ALGORITHMS_EXTENSION ); } while (0); tls13_FatalError(ss, SSL_ERROR_MISSING_SIGNATURE_ALGORITHMS_EXTENSION , missing_extension); } while (0); | |||
1920 | return SECFailure; | |||
1921 | } | |||
1922 | ||||
1923 | /* This picks the first certificate that has: | |||
1924 | * a) the right authentication method, and | |||
1925 | * b) the right named curve (EC only) | |||
1926 | * | |||
1927 | * We might want to do some sort of ranking here later. For now, it's all | |||
1928 | * based on what order they are configured in. */ | |||
1929 | for (cursor = PR_NEXT_LINK(&ss->serverCerts)((&ss->serverCerts)->next); | |||
1930 | cursor != &ss->serverCerts; | |||
1931 | cursor = PR_NEXT_LINK(cursor)((cursor)->next)) { | |||
1932 | sslServerCert *cert = (sslServerCert *)cursor; | |||
1933 | ||||
1934 | if (SSL_CERT_IS_ONLY(cert, ssl_auth_rsa_decrypt)((cert)->authTypes == (1 << (ssl_auth_rsa_decrypt)))) { | |||
1935 | continue; | |||
1936 | } | |||
1937 | ||||
1938 | rv = ssl_PickSignatureScheme(ss, | |||
1939 | cert->serverCert, | |||
1940 | cert->serverKeyPair->pubKey, | |||
1941 | cert->serverKeyPair->privKey, | |||
1942 | ss->xtnData.sigSchemes, | |||
1943 | ss->xtnData.numSigSchemes, | |||
1944 | PR_FALSE0, | |||
1945 | &ss->ssl3.hs.signatureScheme); | |||
1946 | if (rv == SECSuccess) { | |||
1947 | /* Found one. */ | |||
1948 | ss->sec.serverCert = cert; | |||
1949 | ||||
1950 | /* If we can use a delegated credential (DC) for authentication in | |||
1951 | * the current handshake, then commit to using it now. We'll send a | |||
1952 | * DC as an extension and use the DC private key to sign the | |||
1953 | * handshake. | |||
1954 | * | |||
1955 | * This sets the signature scheme to be the signature scheme | |||
1956 | * indicated by the DC. | |||
1957 | */ | |||
1958 | rv = tls13_MaybeSetDelegatedCredential(ss); | |||
1959 | if (rv != SECSuccess) { | |||
1960 | return SECFailure; /* Failure indicates an internal error. */ | |||
1961 | } | |||
1962 | ||||
1963 | ss->sec.authType = ss->ssl3.hs.kea_def_mutable.authKeyType = | |||
1964 | ssl_SignatureSchemeToAuthType(ss->ssl3.hs.signatureScheme); | |||
1965 | ss->sec.authKeyBits = cert->serverKeyBits; | |||
1966 | return SECSuccess; | |||
1967 | } | |||
1968 | } | |||
1969 | ||||
1970 | FATAL_ERROR(ss, SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM,do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM , __func__, "tls13con.c", 1971); PORT_SetError_Util(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM ); } while (0); tls13_FatalError(ss, SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM , handshake_failure); } while (0) | |||
1971 | handshake_failure)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM , __func__, "tls13con.c", 1971); PORT_SetError_Util(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM ); } while (0); tls13_FatalError(ss, SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM , handshake_failure); } while (0); | |||
1972 | return SECFailure; | |||
1973 | } | |||
1974 | ||||
1975 | /* Note: |requestedGroup| is non-NULL when we send a key_share extension. */ | |||
1976 | static SECStatus | |||
1977 | tls13_MaybeSendHelloRetry(sslSocket *ss, const sslNamedGroupDef *requestedGroup, | |||
1978 | PRBool *hrrSent) | |||
1979 | { | |||
1980 | SSLHelloRetryRequestAction action = ssl_hello_retry_accept; | |||
1981 | PRUint8 token[256] = { 0 }; | |||
1982 | unsigned int tokenLen = 0; | |||
1983 | SECStatus rv; | |||
1984 | ||||
1985 | if (ss->hrrCallback) { | |||
1986 | action = ss->hrrCallback(!ss->ssl3.hs.helloRetry, | |||
1987 | ss->xtnData.applicationToken.data, | |||
1988 | ss->xtnData.applicationToken.len, | |||
1989 | token, &tokenLen, sizeof(token), | |||
1990 | ss->hrrCallbackArg); | |||
1991 | } | |||
1992 | ||||
1993 | /* These use SSL3_SendAlert directly to avoid an assertion in | |||
1994 | * tls13_FatalError(), which is ordinarily OK. */ | |||
1995 | if (action == ssl_hello_retry_request && ss->ssl3.hs.helloRetry) { | |||
1996 | (void)SSL3_SendAlert(ss, alert_fatal, internal_error); | |||
1997 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_APP_CALLBACK_ERROR); | |||
1998 | return SECFailure; | |||
1999 | } | |||
2000 | ||||
2001 | if (action != ssl_hello_retry_request && tokenLen) { | |||
2002 | (void)SSL3_SendAlert(ss, alert_fatal, internal_error); | |||
2003 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_APP_CALLBACK_ERROR); | |||
2004 | return SECFailure; | |||
2005 | } | |||
2006 | ||||
2007 | if (tokenLen > sizeof(token)) { | |||
2008 | (void)SSL3_SendAlert(ss, alert_fatal, internal_error); | |||
2009 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_APP_CALLBACK_ERROR); | |||
2010 | return SECFailure; | |||
2011 | } | |||
2012 | ||||
2013 | if (action == ssl_hello_retry_fail) { | |||
2014 | FATAL_ERROR(ss, SSL_ERROR_APPLICATION_ABORT, handshake_failure)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_APPLICATION_ABORT, __func__, "tls13con.c", 2014); PORT_SetError_Util(SSL_ERROR_APPLICATION_ABORT ); } while (0); tls13_FatalError(ss, SSL_ERROR_APPLICATION_ABORT , handshake_failure); } while (0); | |||
2015 | return SECFailure; | |||
2016 | } | |||
2017 | ||||
2018 | if (action == ssl_hello_retry_reject_0rtt) { | |||
2019 | ss->ssl3.hs.zeroRttState = ssl_0rtt_ignored; | |||
2020 | ss->ssl3.hs.zeroRttIgnore = ssl_0rtt_ignore_trial; | |||
2021 | } | |||
2022 | ||||
2023 | if (!requestedGroup && action != ssl_hello_retry_request) { | |||
2024 | return SECSuccess; | |||
2025 | } | |||
2026 | ||||
2027 | rv = tls13_SendHelloRetryRequest(ss, requestedGroup, token, tokenLen); | |||
2028 | if (rv != SECSuccess) { | |||
2029 | return SECFailure; /* Code already set. */ | |||
2030 | } | |||
2031 | ||||
2032 | /* We may have received ECH, but have to start over with CH2. */ | |||
2033 | ss->ssl3.hs.echAccepted = PR_FALSE0; | |||
2034 | PK11_HPKE_DestroyContext(ss->ssl3.hs.echHpkeCtx, PR_TRUE1); | |||
2035 | ss->ssl3.hs.echHpkeCtx = NULL((void*)0); | |||
2036 | ||||
2037 | *hrrSent = PR_TRUE1; | |||
2038 | return SECSuccess; | |||
2039 | } | |||
2040 | ||||
2041 | static SECStatus | |||
2042 | tls13_NegotiateAuthentication(sslSocket *ss) | |||
2043 | { | |||
2044 | if (ss->statelessResume) { | |||
2045 | SSL_TRC(3, ("%d: TLS13[%d]: selected resumption PSK authentication",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: selected resumption PSK authentication" , getpid(), ss->fd) | |||
2046 | SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: selected resumption PSK authentication" , getpid(), ss->fd); | |||
2047 | ss->ssl3.hs.signatureScheme = ssl_sig_none; | |||
2048 | ss->ssl3.hs.kea_def_mutable.authKeyType = ssl_auth_psk; | |||
2049 | /* Overwritten by tls13_RestoreCipherInfo. */ | |||
2050 | ss->sec.authType = ssl_auth_psk; | |||
2051 | return SECSuccess; | |||
2052 | } else if (ss->xtnData.selectedPsk) { | |||
2053 | /* If the EPSK doesn't specify a suite, use what was negotiated. | |||
2054 | * Else, only use the EPSK if we negotiated that suite. */ | |||
2055 | if (ss->xtnData.selectedPsk->zeroRttSuite == TLS_NULL_WITH_NULL_NULL0x0000 || | |||
2056 | ss->ssl3.hs.cipher_suite == ss->xtnData.selectedPsk->zeroRttSuite) { | |||
2057 | SSL_TRC(3, ("%d: TLS13[%d]: selected external PSK authentication",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: selected external PSK authentication" , getpid(), ss->fd) | |||
2058 | SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: selected external PSK authentication" , getpid(), ss->fd); | |||
2059 | ss->ssl3.hs.signatureScheme = ssl_sig_none; | |||
2060 | ss->ssl3.hs.kea_def_mutable.authKeyType = ssl_auth_psk; | |||
2061 | ss->sec.authType = ssl_auth_psk; | |||
2062 | return SECSuccess; | |||
2063 | } | |||
2064 | } | |||
2065 | ||||
2066 | /* If there were PSKs, they are no longer needed. */ | |||
2067 | if (ss->xtnData.selectedPsk) { | |||
2068 | tls13_DestroyPskList(&ss->ssl3.hs.psks); | |||
2069 | ss->xtnData.selectedPsk = NULL((void*)0); | |||
2070 | } | |||
2071 | ||||
2072 | SSL_TRC(3, ("%d: TLS13[%d]: selected certificate authentication",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: selected certificate authentication" , getpid(), ss->fd) | |||
2073 | SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: selected certificate authentication" , getpid(), ss->fd); | |||
2074 | SECStatus rv = tls13_SelectServerCert(ss); | |||
2075 | if (rv != SECSuccess) { | |||
2076 | return SECFailure; | |||
2077 | } | |||
2078 | return SECSuccess; | |||
2079 | } | |||
2080 | /* Called from ssl3_HandleClientHello after we have parsed the | |||
2081 | * ClientHello and are sure that we are going to do TLS 1.3 | |||
2082 | * or fail. */ | |||
2083 | SECStatus | |||
2084 | tls13_HandleClientHelloPart2(sslSocket *ss, | |||
2085 | const SECItem *suites, | |||
2086 | sslSessionID *sid, | |||
2087 | const PRUint8 *msg, | |||
2088 | unsigned int len) | |||
2089 | { | |||
2090 | SECStatus rv; | |||
2091 | SSL3Statistics *ssl3stats = SSL_GetStatistics(); | |||
2092 | const sslNamedGroupDef *requestedGroup = NULL((void*)0); | |||
2093 | TLS13KeyShareEntry *clientShare = NULL((void*)0); | |||
2094 | ssl3CipherSuite previousCipherSuite = 0; | |||
2095 | const sslNamedGroupDef *previousGroup = NULL((void*)0); | |||
2096 | PRBool hrr = PR_FALSE0; | |||
2097 | PRBool previousOfferedEch; | |||
2098 | ||||
2099 | /* If the legacy_version field is set to 0x300 or smaller, | |||
2100 | * reject the connection with protocol_version alert. */ | |||
2101 | if (ss->clientHelloVersion <= SSL_LIBRARY_VERSION_3_00x0300) { | |||
2102 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CLIENT_HELLO, protocol_version)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_CLIENT_HELLO, __func__ , "tls13con.c", 2102); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_CLIENT_HELLO , protocol_version); } while (0); | |||
2103 | goto loser; | |||
2104 | } | |||
2105 | ||||
2106 | ss->ssl3.hs.endOfFlight = PR_TRUE1; | |||
2107 | ||||
2108 | if (ssl3_ExtensionNegotiated(ss, ssl_tls13_early_data_xtn)) { | |||
2109 | ss->ssl3.hs.zeroRttState = ssl_0rtt_sent; | |||
2110 | } | |||
2111 | ||||
2112 | /* Negotiate cipher suite. */ | |||
2113 | rv = ssl3_NegotiateCipherSuite(ss, suites, PR_FALSE0); | |||
2114 | if (rv != SECSuccess) { | |||
2115 | FATAL_ERROR(ss, PORT_GetError(), handshake_failure)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, PORT_GetError_Util(), __func__, "tls13con.c" , 2115); PORT_SetError_Util(PORT_GetError_Util()); } while (0 ); tls13_FatalError(ss, PORT_GetError_Util(), handshake_failure ); } while (0); | |||
2116 | goto loser; | |||
2117 | } | |||
2118 | ||||
2119 | /* If we are going around again, then we should make sure that the cipher | |||
2120 | * suite selection doesn't change. That's a sign of client shennanigans. */ | |||
2121 | if (ss->ssl3.hs.helloRetry) { | |||
2122 | ||||
2123 | /* Update sequence numbers before checking the cookie so that any alerts | |||
2124 | * we generate are sent with the right sequence numbers. */ | |||
2125 | if (IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram)) { | |||
2126 | /* Count the first ClientHello and the HelloRetryRequest. */ | |||
2127 | ss->ssl3.hs.sendMessageSeq = 1; | |||
2128 | ss->ssl3.hs.recvMessageSeq = 1; | |||
2129 | ssl_GetSpecWriteLock(ss){ if (!ss->opt.noLocks) NSSRWLock_LockWrite_Util((ss)-> specLock); }; | |||
2130 | /* Increase the write sequence number. The read sequence number | |||
2131 | * will be reset after this to early data or handshake. */ | |||
2132 | ss->ssl3.cwSpec->nextSeqNum = 1; | |||
2133 | ssl_ReleaseSpecWriteLock(ss){ if (!ss->opt.noLocks) NSSRWLock_UnlockWrite_Util((ss)-> specLock); }; | |||
2134 | } | |||
2135 | ||||
2136 | if (!ssl3_ExtensionNegotiated(ss, ssl_tls13_cookie_xtn) || | |||
2137 | !ss->xtnData.cookie.len) { | |||
2138 | FATAL_ERROR(ss, SSL_ERROR_MISSING_COOKIE_EXTENSION,do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_MISSING_COOKIE_EXTENSION, __func__ , "tls13con.c", 2139); PORT_SetError_Util(SSL_ERROR_MISSING_COOKIE_EXTENSION ); } while (0); tls13_FatalError(ss, SSL_ERROR_MISSING_COOKIE_EXTENSION , missing_extension); } while (0) | |||
2139 | missing_extension)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_MISSING_COOKIE_EXTENSION, __func__ , "tls13con.c", 2139); PORT_SetError_Util(SSL_ERROR_MISSING_COOKIE_EXTENSION ); } while (0); tls13_FatalError(ss, SSL_ERROR_MISSING_COOKIE_EXTENSION , missing_extension); } while (0); | |||
2140 | goto loser; | |||
2141 | } | |||
2142 | PRINT_BUF(50, (ss, "Client sent cookie",if (ssl_trace >= (50)) ssl_PrintBuf (ss, "Client sent cookie" , ss->xtnData.cookie.data, ss->xtnData.cookie.len) | |||
2143 | ss->xtnData.cookie.data, ss->xtnData.cookie.len))if (ssl_trace >= (50)) ssl_PrintBuf (ss, "Client sent cookie" , ss->xtnData.cookie.data, ss->xtnData.cookie.len); | |||
2144 | ||||
2145 | rv = tls13_HandleHrrCookie(ss, ss->xtnData.cookie.data, | |||
2146 | ss->xtnData.cookie.len, | |||
2147 | &previousCipherSuite, | |||
2148 | &previousGroup, | |||
2149 | &previousOfferedEch, NULL((void*)0), PR_TRUE1); | |||
2150 | ||||
2151 | if (rv != SECSuccess) { | |||
2152 | FATAL_ERROR(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO, illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_BAD_2ND_CLIENT_HELLO, __func__ , "tls13con.c", 2152); PORT_SetError_Util(SSL_ERROR_BAD_2ND_CLIENT_HELLO ); } while (0); tls13_FatalError(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO , illegal_parameter); } while (0); | |||
2153 | goto loser; | |||
2154 | } | |||
2155 | } | |||
2156 | ||||
2157 | /* Now merge the ClientHello into the hash state. */ | |||
2158 | rv = ssl_HashHandshakeMessage(ss, ssl_hs_client_hello, msg, len); | |||
2159 | if (rv != SECSuccess) { | |||
2160 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 2160); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); tls13_FatalError(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error ); } while (0); | |||
2161 | goto loser; | |||
2162 | } | |||
2163 | ||||
2164 | /* Now create a synthetic kea_def that we can tweak. */ | |||
2165 | ss->ssl3.hs.kea_def_mutable = *ss->ssl3.hs.kea_def; | |||
2166 | ss->ssl3.hs.kea_def = &ss->ssl3.hs.kea_def_mutable; | |||
2167 | ||||
2168 | /* Note: We call this quite a bit earlier than with TLS 1.2 and | |||
2169 | * before. */ | |||
2170 | rv = ssl3_ServerCallSNICallback(ss); | |||
2171 | if (rv != SECSuccess) { | |||
2172 | goto loser; /* An alert has already been sent. */ | |||
2173 | } | |||
2174 | ||||
2175 | /* Check if we could in principle resume. */ | |||
2176 | if (ss->statelessResume) { | |||
2177 | PORT_Assert(sid)((sid)?((void)0):PR_Assert("sid","tls13con.c",2177)); | |||
2178 | if (!sid) { | |||
2179 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 2179); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); tls13_FatalError(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error ); } while (0); | |||
2180 | return SECFailure; | |||
2181 | } | |||
2182 | if (!tls13_CanResume(ss, sid)) { | |||
2183 | ss->statelessResume = PR_FALSE0; | |||
2184 | } | |||
2185 | } | |||
2186 | ||||
2187 | /* Select key exchange. */ | |||
2188 | rv = tls13_NegotiateKeyExchange(ss, &requestedGroup, &clientShare); | |||
2189 | if (rv != SECSuccess) { | |||
2190 | goto loser; | |||
2191 | } | |||
2192 | /* We should get either one of these, but not both. */ | |||
2193 | PORT_Assert((requestedGroup && !clientShare) ||(((requestedGroup && !clientShare) || (!requestedGroup && clientShare))?((void)0):PR_Assert("(requestedGroup && !clientShare) || (!requestedGroup && clientShare)" ,"tls13con.c",2194)) | |||
2194 | (!requestedGroup && clientShare))(((requestedGroup && !clientShare) || (!requestedGroup && clientShare))?((void)0):PR_Assert("(requestedGroup && !clientShare) || (!requestedGroup && clientShare)" ,"tls13con.c",2194)); | |||
2195 | ||||
2196 | /* After HelloRetryRequest, check consistency of cipher and group. */ | |||
2197 | if (ss->ssl3.hs.helloRetry) { | |||
2198 | PORT_Assert(previousCipherSuite)((previousCipherSuite)?((void)0):PR_Assert("previousCipherSuite" ,"tls13con.c",2198)); | |||
2199 | if (ss->ssl3.hs.cipher_suite != previousCipherSuite) { | |||
2200 | FATAL_ERROR(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO,do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_BAD_2ND_CLIENT_HELLO, __func__ , "tls13con.c", 2201); PORT_SetError_Util(SSL_ERROR_BAD_2ND_CLIENT_HELLO ); } while (0); tls13_FatalError(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO , illegal_parameter); } while (0) | |||
2201 | illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_BAD_2ND_CLIENT_HELLO, __func__ , "tls13con.c", 2201); PORT_SetError_Util(SSL_ERROR_BAD_2ND_CLIENT_HELLO ); } while (0); tls13_FatalError(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO , illegal_parameter); } while (0); | |||
2202 | goto loser; | |||
2203 | } | |||
2204 | if (!clientShare) { | |||
2205 | FATAL_ERROR(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO,do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_BAD_2ND_CLIENT_HELLO, __func__ , "tls13con.c", 2206); PORT_SetError_Util(SSL_ERROR_BAD_2ND_CLIENT_HELLO ); } while (0); tls13_FatalError(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO , illegal_parameter); } while (0) | |||
2206 | illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_BAD_2ND_CLIENT_HELLO, __func__ , "tls13con.c", 2206); PORT_SetError_Util(SSL_ERROR_BAD_2ND_CLIENT_HELLO ); } while (0); tls13_FatalError(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO , illegal_parameter); } while (0); | |||
2207 | goto loser; | |||
2208 | } | |||
2209 | ||||
2210 | /* CH1/CH2 must either both include ECH, or both exclude it. */ | |||
2211 | if (previousOfferedEch != (ss->xtnData.ech != NULL((void*)0))) { | |||
2212 | FATAL_ERROR(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO,do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_BAD_2ND_CLIENT_HELLO, __func__ , "tls13con.c", 2213); PORT_SetError_Util(SSL_ERROR_BAD_2ND_CLIENT_HELLO ); } while (0); tls13_FatalError(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO , previousOfferedEch ? missing_extension : illegal_parameter) ; } while (0) | |||
2213 | previousOfferedEch ? missing_extension : illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_BAD_2ND_CLIENT_HELLO, __func__ , "tls13con.c", 2213); PORT_SetError_Util(SSL_ERROR_BAD_2ND_CLIENT_HELLO ); } while (0); tls13_FatalError(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO , previousOfferedEch ? missing_extension : illegal_parameter) ; } while (0); | |||
2214 | goto loser; | |||
2215 | } | |||
2216 | ||||
2217 | /* If we requested a new key share, check that the client provided just | |||
2218 | * one of the right type. */ | |||
2219 | if (previousGroup) { | |||
2220 | if (PR_PREV_LINK(&ss->xtnData.remoteKeyShares)((&ss->xtnData.remoteKeyShares)->prev) != | |||
2221 | PR_NEXT_LINK(&ss->xtnData.remoteKeyShares)((&ss->xtnData.remoteKeyShares)->next)) { | |||
2222 | FATAL_ERROR(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO,do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_BAD_2ND_CLIENT_HELLO, __func__ , "tls13con.c", 2223); PORT_SetError_Util(SSL_ERROR_BAD_2ND_CLIENT_HELLO ); } while (0); tls13_FatalError(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO , illegal_parameter); } while (0) | |||
2223 | illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_BAD_2ND_CLIENT_HELLO, __func__ , "tls13con.c", 2223); PORT_SetError_Util(SSL_ERROR_BAD_2ND_CLIENT_HELLO ); } while (0); tls13_FatalError(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO , illegal_parameter); } while (0); | |||
2224 | goto loser; | |||
2225 | } | |||
2226 | if (clientShare->group != previousGroup) { | |||
2227 | FATAL_ERROR(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO,do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_BAD_2ND_CLIENT_HELLO, __func__ , "tls13con.c", 2228); PORT_SetError_Util(SSL_ERROR_BAD_2ND_CLIENT_HELLO ); } while (0); tls13_FatalError(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO , illegal_parameter); } while (0) | |||
2228 | illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_BAD_2ND_CLIENT_HELLO, __func__ , "tls13con.c", 2228); PORT_SetError_Util(SSL_ERROR_BAD_2ND_CLIENT_HELLO ); } while (0); tls13_FatalError(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO , illegal_parameter); } while (0); | |||
2229 | goto loser; | |||
2230 | } | |||
2231 | } | |||
2232 | } | |||
2233 | ||||
2234 | rv = tls13_MaybeSendHelloRetry(ss, requestedGroup, &hrr); | |||
2235 | if (rv != SECSuccess) { | |||
2236 | goto loser; | |||
2237 | } | |||
2238 | if (hrr) { | |||
2239 | if (sid) { /* Free the sid. */ | |||
2240 | ssl_UncacheSessionID(ss); | |||
2241 | ssl_FreeSID(sid); | |||
2242 | } | |||
2243 | PORT_Assert(ss->ssl3.hs.helloRetry)((ss->ssl3.hs.helloRetry)?((void)0):PR_Assert("ss->ssl3.hs.helloRetry" ,"tls13con.c",2243)); | |||
2244 | return SECSuccess; | |||
2245 | } | |||
2246 | ||||
2247 | /* Select the authentication (this is also handshake shape). */ | |||
2248 | rv = tls13_NegotiateAuthentication(ss); | |||
2249 | if (rv != SECSuccess) { | |||
2250 | goto loser; | |||
2251 | } | |||
2252 | ||||
2253 | if (ss->sec.authType == ssl_auth_psk) { | |||
2254 | if (ss->statelessResume) { | |||
2255 | /* We are now committed to trying to resume. */ | |||
2256 | PORT_Assert(sid)((sid)?((void)0):PR_Assert("sid","tls13con.c",2256)); | |||
2257 | /* Check that the negotiated SNI and the cached SNI match. */ | |||
2258 | if (SECITEM_CompareItemSECITEM_CompareItem_Util(&sid->u.ssl3.srvName, | |||
2259 | &ss->ssl3.hs.srvVirtName) != SECEqual) { | |||
2260 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CLIENT_HELLO,do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_CLIENT_HELLO, __func__ , "tls13con.c", 2261); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_CLIENT_HELLO , handshake_failure); } while (0) | |||
2261 | handshake_failure)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_CLIENT_HELLO, __func__ , "tls13con.c", 2261); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_CLIENT_HELLO , handshake_failure); } while (0); | |||
2262 | goto loser; | |||
2263 | } | |||
2264 | ||||
2265 | ss->sec.serverCert = ssl_FindServerCert(ss, sid->authType, | |||
2266 | sid->namedCurve); | |||
2267 | PORT_Assert(ss->sec.serverCert)((ss->sec.serverCert)?((void)0):PR_Assert("ss->sec.serverCert" ,"tls13con.c",2267)); | |||
2268 | ||||
2269 | rv = tls13_RecoverWrappedSharedSecret(ss, sid); | |||
2270 | if (rv != SECSuccess) { | |||
2271 | SSL_AtomicIncrementLong(&ssl3stats->hch_sid_cache_not_ok); | |||
2272 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 2272); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); tls13_FatalError(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error ); } while (0); | |||
2273 | goto loser; | |||
2274 | } | |||
2275 | tls13_RestoreCipherInfo(ss, sid); | |||
2276 | ||||
2277 | ss->sec.localCert = CERT_DupCertificate(ss->sec.serverCert->serverCert); | |||
2278 | if (sid->peerCert != NULL((void*)0)) { | |||
2279 | ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); | |||
2280 | } | |||
2281 | } else if (sid) { | |||
2282 | /* We should never have a SID in the non-resumption case. */ | |||
2283 | PORT_Assert(0)((0)?((void)0):PR_Assert("0","tls13con.c",2283)); | |||
2284 | ssl_UncacheSessionID(ss); | |||
2285 | ssl_FreeSID(sid); | |||
2286 | sid = NULL((void*)0); | |||
2287 | } | |||
2288 | ssl3_RegisterExtensionSender( | |||
2289 | ss, &ss->xtnData, | |||
2290 | ssl_tls13_pre_shared_key_xtn, tls13_ServerSendPreSharedKeyXtn); | |||
2291 | tls13_NegotiateZeroRtt(ss, sid); | |||
2292 | ||||
2293 | rv = tls13_ComputeEarlySecretsWithPsk(ss); | |||
2294 | if (rv != SECSuccess) { | |||
2295 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 2295); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); tls13_FatalError(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error ); } while (0); | |||
2296 | return SECFailure; | |||
2297 | } | |||
2298 | } else { | |||
2299 | if (sid) { /* we had a sid, but it's no longer valid, free it */ | |||
2300 | SSL_AtomicIncrementLong(&ssl3stats->hch_sid_cache_not_ok); | |||
2301 | ssl_UncacheSessionID(ss); | |||
2302 | ssl_FreeSID(sid); | |||
2303 | sid = NULL((void*)0); | |||
2304 | } | |||
2305 | tls13_NegotiateZeroRtt(ss, NULL((void*)0)); | |||
2306 | } | |||
2307 | ||||
2308 | if (ss->statelessResume) { | |||
2309 | PORT_Assert(ss->xtnData.selectedPsk)((ss->xtnData.selectedPsk)?((void)0):PR_Assert("ss->xtnData.selectedPsk" ,"tls13con.c",2309)); | |||
2310 | PORT_Assert(ss->ssl3.hs.kea_def_mutable.authKeyType == ssl_auth_psk)((ss->ssl3.hs.kea_def_mutable.authKeyType == ssl_auth_psk) ?((void)0):PR_Assert("ss->ssl3.hs.kea_def_mutable.authKeyType == ssl_auth_psk" ,"tls13con.c",2310)); | |||
2311 | } | |||
2312 | ||||
2313 | /* Now that we have the binder key, check the binder. */ | |||
2314 | if (ss->xtnData.selectedPsk) { | |||
2315 | SSL3Hashes hashes; | |||
2316 | PORT_Assert(ss->ssl3.hs.messages.len > ss->xtnData.pskBindersLen)((ss->ssl3.hs.messages.len > ss->xtnData.pskBindersLen )?((void)0):PR_Assert("ss->ssl3.hs.messages.len > ss->xtnData.pskBindersLen" ,"tls13con.c",2316)); | |||
2317 | rv = tls13_ComputePskBinderHash( | |||
2318 | ss, | |||
2319 | ss->ssl3.hs.messages.buf, | |||
2320 | ss->ssl3.hs.messages.len - ss->xtnData.pskBindersLen, | |||
2321 | &hashes, tls13_GetHash(ss)); | |||
2322 | if (rv != SECSuccess) { | |||
2323 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 2323); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); tls13_FatalError(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error ); } while (0); | |||
2324 | goto loser; | |||
2325 | } | |||
2326 | ||||
2327 | PORT_Assert(ss->xtnData.selectedPsk->hash == tls13_GetHash(ss))((ss->xtnData.selectedPsk->hash == tls13_GetHash(ss))?( (void)0):PR_Assert("ss->xtnData.selectedPsk->hash == tls13_GetHash(ss)" ,"tls13con.c",2327)); | |||
2328 | PORT_Assert(ss->ssl3.hs.suite_def)((ss->ssl3.hs.suite_def)?((void)0):PR_Assert("ss->ssl3.hs.suite_def" ,"tls13con.c",2328)); | |||
2329 | rv = tls13_VerifyFinished(ss, ssl_hs_client_hello, | |||
2330 | ss->xtnData.selectedPsk->binderKey, | |||
2331 | ss->xtnData.pskBinder.data, | |||
2332 | ss->xtnData.pskBinder.len, | |||
2333 | &hashes); | |||
2334 | } | |||
2335 | if (rv != SECSuccess) { | |||
2336 | goto loser; | |||
2337 | } | |||
2338 | ||||
2339 | /* This needs to go after we verify the psk binder. */ | |||
2340 | rv = ssl3_InitHandshakeHashes(ss); | |||
2341 | if (rv != SECSuccess) { | |||
2342 | goto loser; | |||
2343 | } | |||
2344 | ||||
2345 | /* If this is TLS 1.3 we are expecting a ClientKeyShare | |||
2346 | * extension. Missing/absent extension cause failure | |||
2347 | * below. */ | |||
2348 | rv = tls13_HandleClientKeyShare(ss, clientShare); | |||
2349 | if (rv != SECSuccess) { | |||
2350 | goto loser; /* An alert was sent already. */ | |||
2351 | } | |||
2352 | ||||
2353 | /* From this point we are either committed to resumption, or not. */ | |||
2354 | if (ss->statelessResume) { | |||
2355 | SSL_AtomicIncrementLong(&ssl3stats->hch_sid_cache_hits); | |||
2356 | SSL_AtomicIncrementLong(&ssl3stats->hch_sid_stateless_resumes); | |||
2357 | } else { | |||
2358 | if (sid) { | |||
2359 | /* We had a sid, but it's no longer valid, free it. */ | |||
2360 | SSL_AtomicIncrementLong(&ssl3stats->hch_sid_cache_not_ok); | |||
2361 | ssl_UncacheSessionID(ss); | |||
2362 | ssl_FreeSID(sid); | |||
2363 | } else if (!ss->xtnData.selectedPsk) { | |||
2364 | SSL_AtomicIncrementLong(&ssl3stats->hch_sid_cache_misses); | |||
2365 | } | |||
2366 | ||||
2367 | sid = ssl3_NewSessionID(ss, PR_TRUE1); | |||
2368 | if (!sid) { | |||
2369 | FATAL_ERROR(ss, PORT_GetError(), internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, PORT_GetError_Util(), __func__, "tls13con.c" , 2369); PORT_SetError_Util(PORT_GetError_Util()); } while (0 ); tls13_FatalError(ss, PORT_GetError_Util(), internal_error) ; } while (0); | |||
2370 | return SECFailure; | |||
2371 | } | |||
2372 | } | |||
2373 | /* Take ownership of the session. */ | |||
2374 | ss->sec.ci.sid = sid; | |||
2375 | sid = NULL((void*)0); | |||
2376 | ||||
2377 | if (ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted) { | |||
2378 | rv = tls13_DeriveEarlySecrets(ss); | |||
2379 | if (rv != SECSuccess) { | |||
2380 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 2380); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); tls13_FatalError(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error ); } while (0); | |||
2381 | return SECFailure; | |||
2382 | } | |||
2383 | } | |||
2384 | ||||
2385 | ssl_GetXmitBufLock(ss){ if (!ss->opt.noLocks) PR_EnterMonitor(((ss)->xmitBufLock )); }; | |||
2386 | rv = tls13_SendServerHelloSequence(ss); | |||
2387 | ssl_ReleaseXmitBufLock(ss){ if (!ss->opt.noLocks) PR_ExitMonitor(((ss)->xmitBufLock )); }; | |||
2388 | if (rv != SECSuccess) { | |||
2389 | FATAL_ERROR(ss, PORT_GetError(), handshake_failure)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, PORT_GetError_Util(), __func__, "tls13con.c" , 2389); PORT_SetError_Util(PORT_GetError_Util()); } while (0 ); tls13_FatalError(ss, PORT_GetError_Util(), handshake_failure ); } while (0); | |||
2390 | return SECFailure; | |||
2391 | } | |||
2392 | ||||
2393 | /* We're done with PSKs */ | |||
2394 | tls13_DestroyPskList(&ss->ssl3.hs.psks); | |||
2395 | ss->xtnData.selectedPsk = NULL((void*)0); | |||
2396 | ||||
2397 | return SECSuccess; | |||
2398 | ||||
2399 | loser: | |||
2400 | if (sid) { | |||
2401 | ssl_UncacheSessionID(ss); | |||
2402 | ssl_FreeSID(sid); | |||
2403 | } | |||
2404 | return SECFailure; | |||
2405 | } | |||
2406 | ||||
2407 | SECStatus | |||
2408 | SSLExp_HelloRetryRequestCallback(PRFileDesc *fd, | |||
2409 | SSLHelloRetryRequestCallback cb, void *arg) | |||
2410 | { | |||
2411 | sslSocket *ss = ssl_FindSocket(fd); | |||
2412 | if (!ss) { | |||
2413 | return SECFailure; /* Code already set. */ | |||
2414 | } | |||
2415 | ||||
2416 | ss->hrrCallback = cb; | |||
2417 | ss->hrrCallbackArg = arg; | |||
2418 | return SECSuccess; | |||
2419 | } | |||
2420 | ||||
2421 | /* | |||
2422 | * struct { | |||
2423 | * ProtocolVersion server_version; | |||
2424 | * CipherSuite cipher_suite; | |||
2425 | * Extension extensions<2..2^16-1>; | |||
2426 | * } HelloRetryRequest; | |||
2427 | * | |||
2428 | * Note: this function takes an empty buffer and returns | |||
2429 | * a non-empty one on success, in which case the caller must | |||
2430 | * eventually clean up. | |||
2431 | */ | |||
2432 | SECStatus | |||
2433 | tls13_ConstructHelloRetryRequest(sslSocket *ss, | |||
2434 | ssl3CipherSuite cipherSuite, | |||
2435 | const sslNamedGroupDef *selectedGroup, | |||
2436 | PRUint8 *cookie, unsigned int cookieLen, | |||
2437 | const PRUint8 *cookieGreaseEchSignal, | |||
2438 | sslBuffer *buffer) | |||
2439 | { | |||
2440 | SECStatus rv; | |||
2441 | sslBuffer extensionsBuf = SSL_BUFFER_EMPTY{ ((void*)0), 0, 0, 0 }; | |||
2442 | PORT_Assert(buffer->len == 0)((buffer->len == 0)?((void)0):PR_Assert("buffer->len == 0" ,"tls13con.c",2442)); | |||
2443 | ||||
2444 | /* Note: cookie is pointing to a stack variable, so is only valid | |||
2445 | * now. */ | |||
2446 | ss->xtnData.selectedGroup = selectedGroup; | |||
2447 | ss->xtnData.cookie.data = cookie; | |||
2448 | ss->xtnData.cookie.len = cookieLen; | |||
2449 | ||||
2450 | /* Set restored ss->ssl3.hs.greaseEchBuf value for ECH HRR extension | |||
2451 | * reconstruction. */ | |||
2452 | if (cookieGreaseEchSignal) { | |||
2453 | PORT_Assert(!ss->ssl3.hs.greaseEchBuf.len)((!ss->ssl3.hs.greaseEchBuf.len)?((void)0):PR_Assert("!ss->ssl3.hs.greaseEchBuf.len" ,"tls13con.c",2453)); | |||
2454 | rv = sslBuffer_Append(&ss->ssl3.hs.greaseEchBuf, | |||
2455 | cookieGreaseEchSignal, | |||
2456 | TLS13_ECH_SIGNAL_LEN8); | |||
2457 | if (rv != SECSuccess) { | |||
2458 | goto loser; | |||
2459 | } | |||
2460 | } | |||
2461 | rv = ssl_ConstructExtensions(ss, &extensionsBuf, | |||
2462 | ssl_hs_hello_retry_request); | |||
2463 | /* Reset ss->ssl3.hs.greaseEchBuf if it was changed. */ | |||
2464 | if (cookieGreaseEchSignal) { | |||
2465 | sslBuffer_Clear(&ss->ssl3.hs.greaseEchBuf); | |||
2466 | } | |||
2467 | if (rv != SECSuccess) { | |||
2468 | goto loser; | |||
2469 | } | |||
2470 | /* These extensions can't be empty. */ | |||
2471 | PORT_Assert(SSL_BUFFER_LEN(&extensionsBuf) > 0)((((&extensionsBuf)->len) > 0)?((void)0):PR_Assert( "SSL_BUFFER_LEN(&extensionsBuf) > 0","tls13con.c",2471 )); | |||
2472 | ||||
2473 | /* Clean up cookie so we're not pointing at random memory. */ | |||
2474 | ss->xtnData.cookie.data = NULL((void*)0); | |||
2475 | ss->xtnData.cookie.len = 0; | |||
2476 | ||||
2477 | rv = ssl_ConstructServerHello(ss, PR_TRUE1, &extensionsBuf, buffer); | |||
2478 | if (rv != SECSuccess) { | |||
2479 | goto loser; | |||
2480 | } | |||
2481 | sslBuffer_Clear(&extensionsBuf); | |||
2482 | return SECSuccess; | |||
2483 | ||||
2484 | loser: | |||
2485 | sslBuffer_Clear(&extensionsBuf); | |||
2486 | sslBuffer_Clear(buffer); | |||
2487 | return SECFailure; | |||
2488 | } | |||
2489 | ||||
2490 | static SECStatus | |||
2491 | tls13_SendHelloRetryRequest(sslSocket *ss, | |||
2492 | const sslNamedGroupDef *requestedGroup, | |||
2493 | const PRUint8 *appToken, unsigned int appTokenLen) | |||
2494 | { | |||
2495 | SECStatus rv; | |||
2496 | unsigned int cookieLen; | |||
2497 | PRUint8 cookie[1024]; | |||
2498 | sslBuffer messageBuf = SSL_BUFFER_EMPTY{ ((void*)0), 0, 0, 0 }; | |||
2499 | ||||
2500 | SSL_TRC(3, ("%d: TLS13[%d]: send hello retry request handshake",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: send hello retry request handshake" , getpid(), ss->fd) | |||
2501 | SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: send hello retry request handshake" , getpid(), ss->fd); | |||
2502 | ||||
2503 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)" ,"tls13con.c",2503)); | |||
2504 | ||||
2505 | /* If an ECH backend or shared-mode server accepted ECH when offered, | |||
2506 | * the HRR extension's payload must be set to 8 zero bytes, these are | |||
2507 | * overwritten with the accept_confirmation value after the handshake | |||
2508 | * transcript calculation. | |||
2509 | * If a client-facing or shared-mode server did not accept ECH when offered | |||
2510 | * OR if ECH GREASE is enabled on the server and a ECH extension was | |||
2511 | * received, a 8 byte random value is set as the extension's payload | |||
2512 | * [draft-ietf-tls-esni-14, Section 7]. | |||
2513 | * | |||
2514 | * The (temporary) payload is written to the extension in tls13exthandle.c/ | |||
2515 | * tls13_ServerSendHrrEchXtn(). */ | |||
2516 | if (ss->xtnData.ech) { | |||
2517 | PRUint8 echGreaseRaw[TLS13_ECH_SIGNAL_LEN8] = { 0 }; | |||
2518 | if (!(ss->ssl3.hs.echAccepted || | |||
2519 | (ss->opt.enableTls13BackendEch && | |||
2520 | ss->xtnData.ech && | |||
2521 | ss->xtnData.ech->receivedInnerXtn))) { | |||
2522 | rv = PK11_GenerateRandom(echGreaseRaw, TLS13_ECH_SIGNAL_LEN8); | |||
2523 | if (rv != SECSuccess) { | |||
2524 | return SECFailure; | |||
2525 | } | |||
2526 | SSL_TRC(100, ("Generated random value for ECH HRR GREASE."))if (ssl_trace >= (100)) ssl_Trace ("Generated random value for ECH HRR GREASE." ); | |||
2527 | } | |||
2528 | sslBuffer echGreaseBuffer = SSL_BUFFER_EMPTY{ ((void*)0), 0, 0, 0 }; | |||
2529 | rv = sslBuffer_Append(&echGreaseBuffer, echGreaseRaw, sizeof(echGreaseRaw)); | |||
2530 | if (rv != SECSuccess) { | |||
2531 | return SECFailure; | |||
2532 | } | |||
2533 | /* HRR GREASE/accept_confirmation zero bytes placeholder buffer. */ | |||
2534 | ss->ssl3.hs.greaseEchBuf = echGreaseBuffer; | |||
2535 | } | |||
2536 | ||||
2537 | /* Compute the cookie we are going to need. */ | |||
2538 | rv = tls13_MakeHrrCookie(ss, requestedGroup, | |||
2539 | appToken, appTokenLen, | |||
2540 | cookie, &cookieLen, sizeof(cookie)); | |||
2541 | if (rv != SECSuccess) { | |||
2542 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 2542); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); tls13_FatalError(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error ); } while (0); | |||
2543 | return SECFailure; | |||
2544 | } | |||
2545 | ||||
2546 | /* Now build the body of the message. */ | |||
2547 | rv = tls13_ConstructHelloRetryRequest(ss, ss->ssl3.hs.cipher_suite, | |||
2548 | requestedGroup, | |||
2549 | cookie, cookieLen, | |||
2550 | NULL((void*)0), &messageBuf); | |||
2551 | if (rv != SECSuccess) { | |||
2552 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 2552); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); tls13_FatalError(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error ); } while (0); | |||
2553 | return SECFailure; | |||
2554 | } | |||
2555 | ||||
2556 | /* And send it. */ | |||
2557 | ssl_GetXmitBufLock(ss){ if (!ss->opt.noLocks) PR_EnterMonitor(((ss)->xmitBufLock )); }; | |||
2558 | rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_server_hello, | |||
2559 | SSL_BUFFER_LEN(&messageBuf)((&messageBuf)->len)); | |||
2560 | if (rv != SECSuccess) { | |||
2561 | goto loser; | |||
2562 | } | |||
2563 | rv = ssl3_AppendBufferToHandshake(ss, &messageBuf); | |||
2564 | if (rv != SECSuccess) { | |||
2565 | goto loser; | |||
2566 | } | |||
2567 | sslBuffer_Clear(&messageBuf); /* Done with messageBuf */ | |||
2568 | ||||
2569 | if (ss->ssl3.hs.fakeSid.len) { | |||
2570 | PRInt32 sent; | |||
2571 | ||||
2572 | PORT_Assert(!IS_DTLS(ss))((!(ss->protocolVariant == ssl_variant_datagram))?((void)0 ):PR_Assert("!IS_DTLS(ss)","tls13con.c",2572)); | |||
2573 | rv = ssl3_SendChangeCipherSpecsInt(ss); | |||
2574 | if (rv != SECSuccess) { | |||
2575 | goto loser; | |||
2576 | } | |||
2577 | /* ssl3_SendChangeCipherSpecsInt() only flushes to the output buffer, so we | |||
2578 | * have to force a send. */ | |||
2579 | sent = ssl_SendSavedWriteData(ss); | |||
2580 | if (sent < 0 && PORT_GetErrorPORT_GetError_Util() != PR_WOULD_BLOCK_ERROR(-5998L)) { | |||
2581 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_SOCKET_WRITE_FAILURE); | |||
2582 | goto loser; | |||
2583 | } | |||
2584 | } else { | |||
2585 | rv = ssl3_FlushHandshake(ss, 0); | |||
2586 | if (rv != SECSuccess) { | |||
2587 | goto loser; /* error code set by ssl3_FlushHandshake */ | |||
2588 | } | |||
2589 | } | |||
2590 | ||||
2591 | /* We depend on this being exactly one record and one message. */ | |||
2592 | PORT_Assert(!IS_DTLS(ss) || (ss->ssl3.hs.sendMessageSeq == 1 &&((!(ss->protocolVariant == ssl_variant_datagram) || (ss-> ssl3.hs.sendMessageSeq == 1 && ss->ssl3.cwSpec-> nextSeqNum == 1))?((void)0):PR_Assert("!IS_DTLS(ss) || (ss->ssl3.hs.sendMessageSeq == 1 && ss->ssl3.cwSpec->nextSeqNum == 1)" ,"tls13con.c",2593)) | |||
2593 | ss->ssl3.cwSpec->nextSeqNum == 1))((!(ss->protocolVariant == ssl_variant_datagram) || (ss-> ssl3.hs.sendMessageSeq == 1 && ss->ssl3.cwSpec-> nextSeqNum == 1))?((void)0):PR_Assert("!IS_DTLS(ss) || (ss->ssl3.hs.sendMessageSeq == 1 && ss->ssl3.cwSpec->nextSeqNum == 1)" ,"tls13con.c",2593)); | |||
2594 | ssl_ReleaseXmitBufLock(ss){ if (!ss->opt.noLocks) PR_ExitMonitor(((ss)->xmitBufLock )); }; | |||
2595 | ||||
2596 | ss->ssl3.hs.helloRetry = PR_TRUE1; | |||
2597 | ||||
2598 | /* We received early data but have to ignore it because we sent a retry. */ | |||
2599 | if (ss->ssl3.hs.zeroRttState == ssl_0rtt_sent) { | |||
2600 | ss->ssl3.hs.zeroRttState = ssl_0rtt_ignored; | |||
2601 | ss->ssl3.hs.zeroRttIgnore = ssl_0rtt_ignore_hrr; | |||
2602 | } | |||
2603 | ||||
2604 | return SECSuccess; | |||
2605 | ||||
2606 | loser: | |||
2607 | sslBuffer_Clear(&messageBuf); | |||
2608 | ssl_ReleaseXmitBufLock(ss){ if (!ss->opt.noLocks) PR_ExitMonitor(((ss)->xmitBufLock )); }; | |||
2609 | return SECFailure; | |||
2610 | } | |||
2611 | ||||
2612 | /* Called from tls13_HandleClientHello. | |||
2613 | * | |||
2614 | * Caller must hold Handshake and RecvBuf locks. | |||
2615 | */ | |||
2616 | ||||
2617 | static SECStatus | |||
2618 | tls13_HandleClientKeyShare(sslSocket *ss, TLS13KeyShareEntry *peerShare) | |||
2619 | { | |||
2620 | SECStatus rv; | |||
2621 | sslEphemeralKeyPair *keyPair; /* ours */ | |||
2622 | SECItem *ciphertext = NULL((void*)0); | |||
2623 | PK11SymKey *dheSecret = NULL((void*)0); | |||
2624 | PK11SymKey *kemSecret = NULL((void*)0); | |||
2625 | ||||
2626 | SSL_TRC(3, ("%d: TLS13[%d]: handle client_key_share handshake",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: handle client_key_share handshake" , getpid(), ss->fd) | |||
2627 | SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: handle client_key_share handshake" , getpid(), ss->fd); | |||
2628 | ||||
2629 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->recvBufLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveRecvBufLock(ss)" ,"tls13con.c",2629)); | |||
2630 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)" ,"tls13con.c",2630)); | |||
2631 | PORT_Assert(peerShare)((peerShare)?((void)0):PR_Assert("peerShare","tls13con.c",2631 )); | |||
2632 | ||||
2633 | tls13_SetKeyExchangeType(ss, peerShare->group); | |||
2634 | ||||
2635 | /* Generate our key */ | |||
2636 | rv = tls13_AddKeyShare(ss, peerShare->group); | |||
2637 | if (rv != SECSuccess) { | |||
2638 | return rv; | |||
2639 | } | |||
2640 | ||||
2641 | /* We should have exactly one key share. */ | |||
2642 | PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ephemeralKeyPairs))((!((&ss->ephemeralKeyPairs)->next == (&ss-> ephemeralKeyPairs)))?((void)0):PR_Assert("!PR_CLIST_IS_EMPTY(&ss->ephemeralKeyPairs)" ,"tls13con.c",2642)); | |||
2643 | PORT_Assert(PR_PREV_LINK(&ss->ephemeralKeyPairs) ==((((&ss->ephemeralKeyPairs)->prev) == ((&ss-> ephemeralKeyPairs)->next))?((void)0):PR_Assert("PR_PREV_LINK(&ss->ephemeralKeyPairs) == PR_NEXT_LINK(&ss->ephemeralKeyPairs)" ,"tls13con.c",2644)) | |||
2644 | PR_NEXT_LINK(&ss->ephemeralKeyPairs))((((&ss->ephemeralKeyPairs)->prev) == ((&ss-> ephemeralKeyPairs)->next))?((void)0):PR_Assert("PR_PREV_LINK(&ss->ephemeralKeyPairs) == PR_NEXT_LINK(&ss->ephemeralKeyPairs)" ,"tls13con.c",2644)); | |||
2645 | ||||
2646 | keyPair = ((sslEphemeralKeyPair *)PR_NEXT_LINK(&ss->ephemeralKeyPairs)((&ss->ephemeralKeyPairs)->next)); | |||
2647 | ss->sec.keaKeyBits = SECKEY_PublicKeyStrengthInBits(keyPair->keys->pubKey); | |||
2648 | ||||
2649 | /* Register the sender */ | |||
2650 | rv = ssl3_RegisterExtensionSender(ss, &ss->xtnData, ssl_tls13_key_share_xtn, | |||
2651 | tls13_ServerSendKeyShareXtn); | |||
2652 | if (rv != SECSuccess) { | |||
2653 | return SECFailure; /* Error code set already. */ | |||
2654 | } | |||
2655 | ||||
2656 | rv = tls13_HandleKeyShare(ss, peerShare, keyPair->keys, | |||
2657 | tls13_GetHash(ss), | |||
2658 | &dheSecret); | |||
2659 | if (rv != SECSuccess) { | |||
2660 | goto loser; /* Error code already set. */ | |||
2661 | } | |||
2662 | ||||
2663 | if (peerShare->group->keaType == ssl_kea_ecdh_hybrid) { | |||
2664 | rv = tls13_HandleKEMKey(ss, peerShare, &kemSecret, &ciphertext); | |||
2665 | if (rv != SECSuccess) { | |||
2666 | goto loser; /* Error set by tls13_HandleKEMKey */ | |||
2667 | } | |||
2668 | // We may need to handle different "combiners" here in the future. For | |||
2669 | // now this is specific to xyber768d00. | |||
2670 | PORT_Assert(peerShare->group->name == ssl_grp_kem_xyber768d00)((peerShare->group->name == ssl_grp_kem_xyber768d00)?(( void)0):PR_Assert("peerShare->group->name == ssl_grp_kem_xyber768d00" ,"tls13con.c",2670)); | |||
2671 | ss->ssl3.hs.dheSecret = PK11_ConcatSymKeys(dheSecret, kemSecret, CKM_HKDF_DERIVE0x0000402aUL, CKA_DERIVE0x0000010CUL); | |||
2672 | if (!ss->ssl3.hs.dheSecret) { | |||
2673 | goto loser; /* Error set by PK11_ConcatSymKeys */ | |||
2674 | } | |||
2675 | keyPair->kemCt = ciphertext; | |||
2676 | PK11_FreeSymKey(dheSecret); | |||
2677 | PK11_FreeSymKey(kemSecret); | |||
2678 | } else { | |||
2679 | ss->ssl3.hs.dheSecret = dheSecret; | |||
2680 | } | |||
2681 | ||||
2682 | return SECSuccess; | |||
2683 | ||||
2684 | loser: | |||
2685 | SECITEM_FreeItemSECITEM_FreeItem_Util(ciphertext, PR_TRUE1); | |||
2686 | PK11_FreeSymKey(dheSecret); | |||
2687 | PK11_FreeSymKey(kemSecret); | |||
2688 | FATAL_ERROR(ss, PORT_GetError(), illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, PORT_GetError_Util(), __func__, "tls13con.c" , 2688); PORT_SetError_Util(PORT_GetError_Util()); } while (0 ); tls13_FatalError(ss, PORT_GetError_Util(), illegal_parameter ); } while (0); | |||
2689 | return SECFailure; | |||
2690 | } | |||
2691 | ||||
2692 | /* | |||
2693 | * [draft-ietf-tls-tls13-11] Section 6.3.3.2 | |||
2694 | * | |||
2695 | * opaque DistinguishedName<1..2^16-1>; | |||
2696 | * | |||
2697 | * struct { | |||
2698 | * opaque certificate_extension_oid<1..2^8-1>; | |||
2699 | * opaque certificate_extension_values<0..2^16-1>; | |||
2700 | * } CertificateExtension; | |||
2701 | * | |||
2702 | * struct { | |||
2703 | * opaque certificate_request_context<0..2^8-1>; | |||
2704 | * SignatureAndHashAlgorithm | |||
2705 | * supported_signature_algorithms<2..2^16-2>; | |||
2706 | * DistinguishedName certificate_authorities<0..2^16-1>; | |||
2707 | * CertificateExtension certificate_extensions<0..2^16-1>; | |||
2708 | * } CertificateRequest; | |||
2709 | */ | |||
2710 | static SECStatus | |||
2711 | tls13_SendCertificateRequest(sslSocket *ss) | |||
2712 | { | |||
2713 | SECStatus rv; | |||
2714 | sslBuffer extensionBuf = SSL_BUFFER_EMPTY{ ((void*)0), 0, 0, 0 }; | |||
2715 | unsigned int offset = 0; | |||
2716 | ||||
2717 | SSL_TRC(3, ("%d: TLS13[%d]: begin send certificate_request",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: begin send certificate_request" , getpid(), ss->fd) | |||
2718 | SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: begin send certificate_request" , getpid(), ss->fd); | |||
2719 | ||||
2720 | if (ss->firstHsDone) { | |||
2721 | PORT_Assert(ss->ssl3.hs.shaPostHandshake == NULL)((ss->ssl3.hs.shaPostHandshake == ((void*)0))?((void)0):PR_Assert ("ss->ssl3.hs.shaPostHandshake == NULL","tls13con.c",2721) ); | |||
2722 | ss->ssl3.hs.shaPostHandshake = PK11_CloneContext(ss->ssl3.hs.sha); | |||
2723 | if (ss->ssl3.hs.shaPostHandshake == NULL((void*)0)) { | |||
2724 | ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | |||
2725 | return SECFailure; | |||
2726 | } | |||
2727 | } | |||
2728 | ||||
2729 | rv = ssl_ConstructExtensions(ss, &extensionBuf, ssl_hs_certificate_request); | |||
2730 | if (rv != SECSuccess) { | |||
2731 | return SECFailure; /* Code already set. */ | |||
2732 | } | |||
2733 | /* We should always have at least one of these. */ | |||
2734 | PORT_Assert(SSL_BUFFER_LEN(&extensionBuf) > 0)((((&extensionBuf)->len) > 0)?((void)0):PR_Assert("SSL_BUFFER_LEN(&extensionBuf) > 0" ,"tls13con.c",2734)); | |||
2735 | ||||
2736 | /* Create a new request context for post-handshake authentication */ | |||
2737 | if (ss->firstHsDone) { | |||
2738 | PRUint8 context[16]; | |||
2739 | SECItem contextItem = { siBuffer, context, sizeof(context) }; | |||
2740 | ||||
2741 | rv = PK11_GenerateRandom(context, sizeof(context)); | |||
2742 | if (rv != SECSuccess) { | |||
2743 | goto loser; | |||
2744 | } | |||
2745 | ||||
2746 | SECITEM_FreeItemSECITEM_FreeItem_Util(&ss->xtnData.certReqContext, PR_FALSE0); | |||
2747 | rv = SECITEM_CopyItemSECITEM_CopyItem_Util(NULL((void*)0), &ss->xtnData.certReqContext, &contextItem); | |||
2748 | if (rv != SECSuccess) { | |||
2749 | FATAL_ERROR(ss, SEC_ERROR_NO_MEMORY, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_NO_MEMORY, __func__, "tls13con.c" , 2749); PORT_SetError_Util(SEC_ERROR_NO_MEMORY); } while (0) ; tls13_FatalError(ss, SEC_ERROR_NO_MEMORY, internal_error); } while (0); | |||
2750 | goto loser; | |||
2751 | } | |||
2752 | ||||
2753 | offset = SSL_BUFFER_LEN(&ss->sec.ci.sendBuf)((&ss->sec.ci.sendBuf)->len); | |||
2754 | } | |||
2755 | ||||
2756 | rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_certificate_request, | |||
2757 | 1 + /* request context length */ | |||
2758 | ss->xtnData.certReqContext.len + | |||
2759 | 2 + /* extension length */ | |||
2760 | SSL_BUFFER_LEN(&extensionBuf)((&extensionBuf)->len)); | |||
2761 | if (rv != SECSuccess) { | |||
2762 | goto loser; /* err set by AppendHandshake. */ | |||
2763 | } | |||
2764 | ||||
2765 | /* Context. */ | |||
2766 | rv = ssl3_AppendHandshakeVariable(ss, ss->xtnData.certReqContext.data, | |||
2767 | ss->xtnData.certReqContext.len, 1); | |||
2768 | if (rv != SECSuccess) { | |||
2769 | goto loser; /* err set by AppendHandshake. */ | |||
2770 | } | |||
2771 | /* Extensions. */ | |||
2772 | rv = ssl3_AppendBufferToHandshakeVariable(ss, &extensionBuf, 2); | |||
2773 | if (rv != SECSuccess) { | |||
2774 | goto loser; /* err set by AppendHandshake. */ | |||
2775 | } | |||
2776 | ||||
2777 | if (ss->firstHsDone) { | |||
2778 | rv = ssl3_UpdatePostHandshakeHashes(ss, | |||
2779 | SSL_BUFFER_BASE(&ss->sec.ci.sendBuf)((&ss->sec.ci.sendBuf)->buf) + offset, | |||
2780 | SSL_BUFFER_LEN(&ss->sec.ci.sendBuf)((&ss->sec.ci.sendBuf)->len) - offset); | |||
2781 | if (rv != SECSuccess) { | |||
2782 | goto loser; | |||
2783 | } | |||
2784 | } | |||
2785 | ||||
2786 | sslBuffer_Clear(&extensionBuf); | |||
2787 | return SECSuccess; | |||
2788 | ||||
2789 | loser: | |||
2790 | sslBuffer_Clear(&extensionBuf); | |||
2791 | return SECFailure; | |||
2792 | } | |||
2793 | ||||
2794 | /* [draft-ietf-tls-tls13; S 4.4.1] says: | |||
2795 | * | |||
2796 | * Transcript-Hash(ClientHello1, HelloRetryRequest, ... MN) = | |||
2797 | * Hash(message_hash || // Handshake type | |||
2798 | * 00 00 Hash.length || // Handshake message length | |||
2799 | * Hash(ClientHello1) || // Hash of ClientHello1 | |||
2800 | * HelloRetryRequest ... MN) | |||
2801 | * | |||
2802 | * For an ECH handshake, the process occurs for the outer | |||
2803 | * transcript in |ss->ssl3.hs.messages| and the inner | |||
2804 | * transcript in |ss->ssl3.hs.echInnerMessages|. | |||
2805 | */ | |||
2806 | static SECStatus | |||
2807 | tls13_ReinjectHandshakeTranscript(sslSocket *ss) | |||
2808 | { | |||
2809 | SSL3Hashes hashes; | |||
2810 | SSL3Hashes echInnerHashes; | |||
2811 | SECStatus rv; | |||
2812 | ||||
2813 | /* First compute the hash. */ | |||
2814 | rv = tls13_ComputeHash(ss, &hashes, | |||
2815 | ss->ssl3.hs.messages.buf, | |||
2816 | ss->ssl3.hs.messages.len, | |||
2817 | tls13_GetHash(ss)); | |||
2818 | if (rv
| |||
2819 | return SECFailure; | |||
2820 | } | |||
2821 | ||||
2822 | if (ss->ssl3.hs.echHpkeCtx) { | |||
2823 | rv = tls13_ComputeHash(ss, &echInnerHashes, | |||
2824 | ss->ssl3.hs.echInnerMessages.buf, | |||
2825 | ss->ssl3.hs.echInnerMessages.len, | |||
2826 | tls13_GetHash(ss)); | |||
2827 | if (rv != SECSuccess) { | |||
2828 | return SECFailure; | |||
2829 | } | |||
2830 | } | |||
2831 | ||||
2832 | ssl3_RestartHandshakeHashes(ss); | |||
2833 | ||||
2834 | /* Reinject the message. The Default context variant updates | |||
2835 | * the default hash state. Use it for both non-ECH and ECH Outer. */ | |||
2836 | rv = ssl_HashHandshakeMessageDefault(ss, ssl_hs_message_hash, | |||
2837 | hashes.u.raw, hashes.len); | |||
2838 | if (rv != SECSuccess) { | |||
2839 | return SECFailure; | |||
2840 | } | |||
2841 | ||||
2842 | if (ss->ssl3.hs.echHpkeCtx) { | |||
2843 | rv = ssl_HashHandshakeMessageEchInner(ss, ssl_hs_message_hash, | |||
| ||||
2844 | echInnerHashes.u.raw, | |||
2845 | echInnerHashes.len); | |||
2846 | if (rv != SECSuccess) { | |||
2847 | return SECFailure; | |||
2848 | } | |||
2849 | } | |||
2850 | ||||
2851 | return SECSuccess; | |||
2852 | } | |||
2853 | static unsigned int | |||
2854 | ssl_ListCount(PRCList *list) | |||
2855 | { | |||
2856 | unsigned int c = 0; | |||
2857 | PRCList *cur; | |||
2858 | for (cur = PR_NEXT_LINK(list)((list)->next); cur != list; cur = PR_NEXT_LINK(cur)((cur)->next)) { | |||
2859 | ++c; | |||
2860 | } | |||
2861 | return c; | |||
2862 | } | |||
2863 | ||||
2864 | /* | |||
2865 | * savedMsg contains the HelloRetryRequest message. When its extensions are parsed | |||
2866 | * in ssl3_HandleParsedExtensions, the handler for ECH HRR extensions (tls13_ClientHandleHrrEchXtn) | |||
2867 | * will take a reference into the message buffer. | |||
2868 | * | |||
2869 | * This reference is then used in tls13_MaybeHandleEchSignal in order to compute | |||
2870 | * the transcript for the ECH signal calculation. This was felt to be preferable | |||
2871 | * to re-parsing the HelloRetryRequest message in order to create the transcript. | |||
2872 | * | |||
2873 | * Consequently, savedMsg should not be moved or mutated between these | |||
2874 | * function calls. | |||
2875 | */ | |||
2876 | SECStatus | |||
2877 | tls13_HandleHelloRetryRequest(sslSocket *ss, const PRUint8 *savedMsg, | |||
2878 | PRUint32 savedLength) | |||
2879 | { | |||
2880 | SECStatus rv; | |||
2881 | ||||
2882 | SSL_TRC(3, ("%d: TLS13[%d]: handle hello retry request",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: handle hello retry request" , getpid(), ss->fd) | |||
| ||||
2883 | SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: handle hello retry request" , getpid(), ss->fd); | |||
2884 | ||||
2885 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->recvBufLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveRecvBufLock(ss)" ,"tls13con.c",2885)); | |||
2886 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)" ,"tls13con.c",2886)); | |||
2887 | ||||
2888 | if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_30x0304) { | |||
2889 | FATAL_ERROR(ss, SSL_ERROR_RX_UNEXPECTED_HELLO_RETRY_REQUEST,do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_UNEXPECTED_HELLO_RETRY_REQUEST , __func__, "tls13con.c", 2890); PORT_SetError_Util(SSL_ERROR_RX_UNEXPECTED_HELLO_RETRY_REQUEST ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_UNEXPECTED_HELLO_RETRY_REQUEST , unexpected_message); } while (0) | |||
2890 | unexpected_message)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_UNEXPECTED_HELLO_RETRY_REQUEST , __func__, "tls13con.c", 2890); PORT_SetError_Util(SSL_ERROR_RX_UNEXPECTED_HELLO_RETRY_REQUEST ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_UNEXPECTED_HELLO_RETRY_REQUEST , unexpected_message); } while (0); | |||
2891 | return SECFailure; | |||
2892 | } | |||
2893 | PORT_Assert(ss->ssl3.hs.ws == wait_server_hello)((ss->ssl3.hs.ws == wait_server_hello)?((void)0):PR_Assert ("ss->ssl3.hs.ws == wait_server_hello","tls13con.c",2893)); | |||
2894 | ||||
2895 | if (ss->ssl3.hs.zeroRttState == ssl_0rtt_sent) { | |||
2896 | ss->ssl3.hs.zeroRttState = ssl_0rtt_ignored; | |||
2897 | /* Restore the null cipher spec for writing. */ | |||
2898 | ssl_GetSpecWriteLock(ss){ if (!ss->opt.noLocks) NSSRWLock_LockWrite_Util((ss)-> specLock); }; | |||
2899 | ssl_CipherSpecRelease(ss->ssl3.cwSpec); | |||
2900 | ss->ssl3.cwSpec = ssl_FindCipherSpecByEpoch(ss, ssl_secret_write, | |||
2901 | TrafficKeyClearText); | |||
2902 | PORT_Assert(ss->ssl3.cwSpec)((ss->ssl3.cwSpec)?((void)0):PR_Assert("ss->ssl3.cwSpec" ,"tls13con.c",2902)); | |||
2903 | ssl_ReleaseSpecWriteLock(ss){ if (!ss->opt.noLocks) NSSRWLock_UnlockWrite_Util((ss)-> specLock); }; | |||
2904 | } else { | |||
2905 | PORT_Assert(ss->ssl3.hs.zeroRttState == ssl_0rtt_none)((ss->ssl3.hs.zeroRttState == ssl_0rtt_none)?((void)0):PR_Assert ("ss->ssl3.hs.zeroRttState == ssl_0rtt_none","tls13con.c", 2905)); | |||
2906 | } | |||
2907 | /* Set the spec version, because we want to send CH now with 0303 */ | |||
2908 | tls13_SetSpecRecordVersion(ss, ss->ssl3.cwSpec); | |||
2909 | ||||
2910 | /* Extensions must contain more than just supported_versions. This will | |||
2911 | * ensure that a HelloRetryRequest isn't a no-op: we must have at least two | |||
2912 | * extensions, supported_versions plus one other. That other must be one | |||
2913 | * that we understand and recognize as being valid for HelloRetryRequest, | |||
2914 | * and should alter our next Client Hello. */ | |||
2915 | unsigned int requiredExtensions = 1; | |||
2916 | /* The ECH HRR extension is a no-op from the client's perspective. */ | |||
2917 | if (ss->xtnData.ech) { | |||
2918 | requiredExtensions++; | |||
2919 | } | |||
2920 | if (ssl_ListCount(&ss->ssl3.hs.remoteExtensions) <= requiredExtensions) { | |||
2921 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST,do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST , __func__, "tls13con.c", 2922); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST , decode_error); } while (0) | |||
2922 | decode_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST , __func__, "tls13con.c", 2922); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST , decode_error); } while (0); | |||
2923 | return SECFailure; | |||
2924 | } | |||
2925 | ||||
2926 | rv = ssl3_HandleParsedExtensions(ss, ssl_hs_hello_retry_request); | |||
2927 | ssl3_DestroyRemoteExtensions(&ss->ssl3.hs.remoteExtensions); | |||
2928 | if (rv != SECSuccess) { | |||
2929 | return SECFailure; /* Error code set below */ | |||
2930 | } | |||
2931 | rv = tls13_MaybeHandleEchSignal(ss, savedMsg, savedLength, PR_TRUE1); | |||
2932 | if (rv != SECSuccess) { | |||
2933 | return SECFailure; | |||
2934 | } | |||
2935 | ss->ssl3.hs.helloRetry = PR_TRUE1; | |||
2936 | rv = tls13_ReinjectHandshakeTranscript(ss); | |||
2937 | if (rv != SECSuccess) { | |||
2938 | return rv; | |||
2939 | } | |||
2940 | ||||
2941 | rv = ssl_HashHandshakeMessage(ss, ssl_hs_server_hello, | |||
2942 | savedMsg, savedLength); | |||
2943 | if (rv != SECSuccess) { | |||
2944 | return SECFailure; | |||
2945 | } | |||
2946 | ||||
2947 | ssl_GetXmitBufLock(ss){ if (!ss->opt.noLocks) PR_EnterMonitor(((ss)->xmitBufLock )); }; | |||
2948 | if (ss->opt.enableTls13CompatMode && !IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram) && | |||
2949 | ss->ssl3.hs.zeroRttState == ssl_0rtt_none) { | |||
2950 | rv = ssl3_SendChangeCipherSpecsInt(ss); | |||
2951 | if (rv != SECSuccess) { | |||
2952 | goto loser; | |||
2953 | } | |||
2954 | } | |||
2955 | ||||
2956 | rv = ssl3_SendClientHello(ss, client_hello_retry); | |||
2957 | if (rv != SECSuccess) { | |||
2958 | goto loser; | |||
2959 | } | |||
2960 | ||||
2961 | ssl_ReleaseXmitBufLock(ss){ if (!ss->opt.noLocks) PR_ExitMonitor(((ss)->xmitBufLock )); }; | |||
2962 | return SECSuccess; | |||
2963 | ||||
2964 | loser: | |||
2965 | ssl_ReleaseXmitBufLock(ss){ if (!ss->opt.noLocks) PR_ExitMonitor(((ss)->xmitBufLock )); }; | |||
2966 | return SECFailure; | |||
2967 | } | |||
2968 | ||||
2969 | static SECStatus | |||
2970 | tls13_SendPostHandshakeCertificate(sslSocket *ss) | |||
2971 | { | |||
2972 | SECStatus rv; | |||
2973 | if (ss->ssl3.hs.restartTarget) { | |||
2974 | PR_NOT_REACHED("unexpected ss->ssl3.hs.restartTarget")PR_Assert("unexpected ss->ssl3.hs.restartTarget","tls13con.c" ,2974); | |||
2975 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); | |||
2976 | return SECFailure; | |||
2977 | } | |||
2978 | ||||
2979 | if (ss->ssl3.hs.clientCertificatePending) { | |||
2980 | SSL_TRC(3, ("%d: TLS13[%d]: deferring tls13_SendClientSecondFlight because"if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: deferring tls13_SendClientSecondFlight because" " certificate authentication is still pending.", getpid(), ss ->fd) | |||
2981 | " certificate authentication is still pending.",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: deferring tls13_SendClientSecondFlight because" " certificate authentication is still pending.", getpid(), ss ->fd) | |||
2982 | SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: deferring tls13_SendClientSecondFlight because" " certificate authentication is still pending.", getpid(), ss ->fd); | |||
2983 | ss->ssl3.hs.restartTarget = tls13_SendPostHandshakeCertificate; | |||
2984 | PORT_SetErrorPORT_SetError_Util(PR_WOULD_BLOCK_ERROR(-5998L)); | |||
2985 | return SECFailure; | |||
2986 | } | |||
2987 | ||||
2988 | ssl_GetXmitBufLock(ss){ if (!ss->opt.noLocks) PR_EnterMonitor(((ss)->xmitBufLock )); }; | |||
2989 | rv = tls13_SendClientSecondFlight(ss); | |||
2990 | ssl_ReleaseXmitBufLock(ss){ if (!ss->opt.noLocks) PR_ExitMonitor(((ss)->xmitBufLock )); }; | |||
2991 | PORT_Assert(ss->ssl3.hs.ws == idle_handshake)((ss->ssl3.hs.ws == idle_handshake)?((void)0):PR_Assert("ss->ssl3.hs.ws == idle_handshake" ,"tls13con.c",2991)); | |||
2992 | PORT_Assert(ss->ssl3.hs.shaPostHandshake != NULL)((ss->ssl3.hs.shaPostHandshake != ((void*)0))?((void)0):PR_Assert ("ss->ssl3.hs.shaPostHandshake != NULL","tls13con.c",2992) ); | |||
2993 | PK11_DestroyContext(ss->ssl3.hs.shaPostHandshake, PR_TRUE1); | |||
2994 | ss->ssl3.hs.shaPostHandshake = NULL((void*)0); | |||
2995 | if (rv != SECSuccess) { | |||
2996 | return SECFailure; | |||
2997 | } | |||
2998 | return rv; | |||
2999 | } | |||
3000 | ||||
3001 | static SECStatus | |||
3002 | tls13_HandleCertificateRequest(sslSocket *ss, PRUint8 *b, PRUint32 length) | |||
3003 | { | |||
3004 | SECStatus rv; | |||
3005 | SECItem context = { siBuffer, NULL((void*)0), 0 }; | |||
3006 | SECItem extensionsData = { siBuffer, NULL((void*)0), 0 }; | |||
3007 | ||||
3008 | SSL_TRC(3, ("%d: TLS13[%d]: handle certificate_request sequence",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: handle certificate_request sequence" , getpid(), ss->fd) | |||
3009 | SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: handle certificate_request sequence" , getpid(), ss->fd); | |||
3010 | ||||
3011 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->recvBufLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveRecvBufLock(ss)" ,"tls13con.c",3011)); | |||
3012 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)" ,"tls13con.c",3012)); | |||
3013 | ||||
3014 | /* Client */ | |||
3015 | if (ss->opt.enablePostHandshakeAuth) { | |||
3016 | rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST,tls13_CheckHsState(ss, SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST, "SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST" , __func__, "tls13con.c", 3017, wait_cert_request, idle_handshake , wait_invalid) | |||
3017 | wait_cert_request, idle_handshake)tls13_CheckHsState(ss, SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST, "SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST" , __func__, "tls13con.c", 3017, wait_cert_request, idle_handshake , wait_invalid); | |||
3018 | } else { | |||
3019 | rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST,tls13_CheckHsState(ss, SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST, "SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST" , __func__, "tls13con.c", 3020, wait_cert_request, wait_invalid ) | |||
3020 | wait_cert_request)tls13_CheckHsState(ss, SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST, "SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST" , __func__, "tls13con.c", 3020, wait_cert_request, wait_invalid ); | |||
3021 | } | |||
3022 | if (rv != SECSuccess) { | |||
3023 | return SECFailure; | |||
3024 | } | |||
3025 | ||||
3026 | /* MUST NOT combine external PSKs with certificate authentication. */ | |||
3027 | if (ss->sec.authType == ssl_auth_psk) { | |||
3028 | FATAL_ERROR(ss, SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST, unexpected_message)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST, __func__ , "tls13con.c", 3028); PORT_SetError_Util(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST , unexpected_message); } while (0); | |||
3029 | return SECFailure; | |||
3030 | } | |||
3031 | ||||
3032 | if (tls13_IsPostHandshake(ss)) { | |||
3033 | PORT_Assert(ss->ssl3.hs.shaPostHandshake == NULL)((ss->ssl3.hs.shaPostHandshake == ((void*)0))?((void)0):PR_Assert ("ss->ssl3.hs.shaPostHandshake == NULL","tls13con.c",3033) ); | |||
3034 | ss->ssl3.hs.shaPostHandshake = PK11_CloneContext(ss->ssl3.hs.sha); | |||
3035 | if (ss->ssl3.hs.shaPostHandshake == NULL((void*)0)) { | |||
3036 | ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | |||
3037 | return SECFailure; | |||
3038 | } | |||
3039 | rv = ssl_HashPostHandshakeMessage(ss, ssl_hs_certificate_request, b, length); | |||
3040 | if (rv != SECSuccess) { | |||
3041 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 3041); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); tls13_FatalError(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error ); } while (0); | |||
3042 | return SECFailure; | |||
3043 | } | |||
3044 | ||||
3045 | /* clean up anything left from previous handshake. */ | |||
3046 | if (ss->ssl3.clientCertChain != NULL((void*)0)) { | |||
3047 | CERT_DestroyCertificateList(ss->ssl3.clientCertChain); | |||
3048 | ss->ssl3.clientCertChain = NULL((void*)0); | |||
3049 | } | |||
3050 | if (ss->ssl3.clientCertificate != NULL((void*)0)) { | |||
3051 | CERT_DestroyCertificate(ss->ssl3.clientCertificate); | |||
3052 | ss->ssl3.clientCertificate = NULL((void*)0); | |||
3053 | } | |||
3054 | if (ss->ssl3.clientPrivateKey != NULL((void*)0)) { | |||
3055 | SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | |||
3056 | ss->ssl3.clientPrivateKey = NULL((void*)0); | |||
3057 | } | |||
3058 | if (ss->ssl3.hs.clientAuthSignatureSchemes != NULL((void*)0)) { | |||
3059 | PORT_FreePORT_Free_Util(ss->ssl3.hs.clientAuthSignatureSchemes); | |||
3060 | ss->ssl3.hs.clientAuthSignatureSchemes = NULL((void*)0); | |||
3061 | ss->ssl3.hs.clientAuthSignatureSchemesLen = 0; | |||
3062 | } | |||
3063 | SECITEM_FreeItemSECITEM_FreeItem_Util(&ss->xtnData.certReqContext, PR_FALSE0); | |||
3064 | ss->xtnData.certReqContext.data = NULL((void*)0); | |||
3065 | } else { | |||
3066 | PORT_Assert(ss->ssl3.clientCertChain == NULL)((ss->ssl3.clientCertChain == ((void*)0))?((void)0):PR_Assert ("ss->ssl3.clientCertChain == NULL","tls13con.c",3066)); | |||
3067 | PORT_Assert(ss->ssl3.clientCertificate == NULL)((ss->ssl3.clientCertificate == ((void*)0))?((void)0):PR_Assert ("ss->ssl3.clientCertificate == NULL","tls13con.c",3067)); | |||
3068 | PORT_Assert(ss->ssl3.clientPrivateKey == NULL)((ss->ssl3.clientPrivateKey == ((void*)0))?((void)0):PR_Assert ("ss->ssl3.clientPrivateKey == NULL","tls13con.c",3068)); | |||
3069 | PORT_Assert(ss->ssl3.hs.clientAuthSignatureSchemes == NULL)((ss->ssl3.hs.clientAuthSignatureSchemes == ((void*)0))?(( void)0):PR_Assert("ss->ssl3.hs.clientAuthSignatureSchemes == NULL" ,"tls13con.c",3069)); | |||
3070 | PORT_Assert(ss->ssl3.hs.clientAuthSignatureSchemesLen == 0)((ss->ssl3.hs.clientAuthSignatureSchemesLen == 0)?((void)0 ):PR_Assert("ss->ssl3.hs.clientAuthSignatureSchemesLen == 0" ,"tls13con.c",3070)); | |||
3071 | PORT_Assert(!ss->ssl3.hs.clientCertRequested)((!ss->ssl3.hs.clientCertRequested)?((void)0):PR_Assert("!ss->ssl3.hs.clientCertRequested" ,"tls13con.c",3071)); | |||
3072 | PORT_Assert(ss->xtnData.certReqContext.data == NULL)((ss->xtnData.certReqContext.data == ((void*)0))?((void)0) :PR_Assert("ss->xtnData.certReqContext.data == NULL","tls13con.c" ,3072)); | |||
3073 | } | |||
3074 | ||||
3075 | rv = ssl3_ConsumeHandshakeVariable(ss, &context, 1, &b, &length); | |||
3076 | if (rv != SECSuccess) { | |||
3077 | return SECFailure; | |||
3078 | } | |||
3079 | ||||
3080 | /* Unless it is a post-handshake client auth, the certificate | |||
3081 | * request context must be empty. */ | |||
3082 | if (!tls13_IsPostHandshake(ss) && context.len > 0) { | |||
3083 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERT_REQUEST, illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_CERT_REQUEST, __func__ , "tls13con.c", 3083); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_CERT_REQUEST ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_CERT_REQUEST , illegal_parameter); } while (0); | |||
3084 | return SECFailure; | |||
3085 | } | |||
3086 | ||||
3087 | rv = ssl3_ConsumeHandshakeVariable(ss, &extensionsData, 2, &b, &length); | |||
3088 | if (rv != SECSuccess) { | |||
3089 | return SECFailure; | |||
3090 | } | |||
3091 | ||||
3092 | if (length) { | |||
3093 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERT_REQUEST, decode_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_CERT_REQUEST, __func__ , "tls13con.c", 3093); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_CERT_REQUEST ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_CERT_REQUEST , decode_error); } while (0); | |||
3094 | return SECFailure; | |||
3095 | } | |||
3096 | ||||
3097 | /* Process all the extensions. */ | |||
3098 | rv = ssl3_HandleExtensions(ss, &extensionsData.data, &extensionsData.len, | |||
3099 | ssl_hs_certificate_request); | |||
3100 | if (rv != SECSuccess) { | |||
3101 | return SECFailure; | |||
3102 | } | |||
3103 | ||||
3104 | if (!ss->xtnData.numSigSchemes) { | |||
3105 | FATAL_ERROR(ss, SSL_ERROR_MISSING_SIGNATURE_ALGORITHMS_EXTENSION,do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_MISSING_SIGNATURE_ALGORITHMS_EXTENSION , __func__, "tls13con.c", 3106); PORT_SetError_Util(SSL_ERROR_MISSING_SIGNATURE_ALGORITHMS_EXTENSION ); } while (0); tls13_FatalError(ss, SSL_ERROR_MISSING_SIGNATURE_ALGORITHMS_EXTENSION , missing_extension); } while (0) | |||
3106 | missing_extension)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_MISSING_SIGNATURE_ALGORITHMS_EXTENSION , __func__, "tls13con.c", 3106); PORT_SetError_Util(SSL_ERROR_MISSING_SIGNATURE_ALGORITHMS_EXTENSION ); } while (0); tls13_FatalError(ss, SSL_ERROR_MISSING_SIGNATURE_ALGORITHMS_EXTENSION , missing_extension); } while (0); | |||
3107 | return SECFailure; | |||
3108 | } | |||
3109 | ||||
3110 | rv = SECITEM_CopyItemSECITEM_CopyItem_Util(NULL((void*)0), &ss->xtnData.certReqContext, &context); | |||
3111 | if (rv != SECSuccess) { | |||
3112 | return SECFailure; | |||
3113 | } | |||
3114 | ||||
3115 | ss->ssl3.hs.clientCertRequested = PR_TRUE1; | |||
3116 | ||||
3117 | if (ss->firstHsDone) { | |||
3118 | ||||
3119 | /* Request a client certificate. */ | |||
3120 | rv = ssl3_BeginHandleCertificateRequest( | |||
3121 | ss, ss->xtnData.sigSchemes, ss->xtnData.numSigSchemes, | |||
3122 | &ss->xtnData.certReqAuthorities); | |||
3123 | if (rv != SECSuccess) { | |||
3124 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 3124); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); tls13_FatalError(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error ); } while (0); | |||
3125 | return rv; | |||
3126 | } | |||
3127 | rv = tls13_SendPostHandshakeCertificate(ss); | |||
3128 | } else { | |||
3129 | TLS13_SET_HS_STATE(ss, wait_server_cert)tls13_SetHsState(ss, wait_server_cert, __func__, "tls13con.c" , 3129); | |||
3130 | } | |||
3131 | return SECSuccess; | |||
3132 | } | |||
3133 | ||||
3134 | PRBool | |||
3135 | tls13_ShouldRequestClientAuth(sslSocket *ss) | |||
3136 | { | |||
3137 | /* Even if we are configured to request a certificate, we can't | |||
3138 | * if this handshake used a PSK, even when we are resuming. */ | |||
3139 | return ss->opt.requestCertificate && | |||
3140 | ss->ssl3.hs.kea_def->authKeyType != ssl_auth_psk; | |||
3141 | } | |||
3142 | ||||
3143 | static SECStatus | |||
3144 | tls13_SendEncryptedServerSequence(sslSocket *ss) | |||
3145 | { | |||
3146 | SECStatus rv; | |||
3147 | ||||
3148 | rv = tls13_ComputeHandshakeSecrets(ss); | |||
3149 | if (rv != SECSuccess) { | |||
3150 | return SECFailure; /* error code is set. */ | |||
3151 | } | |||
3152 | ||||
3153 | rv = tls13_SetCipherSpec(ss, TrafficKeyHandshake, | |||
3154 | ssl_secret_write, PR_FALSE0); | |||
3155 | if (rv != SECSuccess) { | |||
3156 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE)do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 3156); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); | |||
3157 | return SECFailure; | |||
3158 | } | |||
3159 | ||||
3160 | if (ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted) { | |||
3161 | rv = ssl3_RegisterExtensionSender(ss, &ss->xtnData, | |||
3162 | ssl_tls13_early_data_xtn, | |||
3163 | ssl_SendEmptyExtension); | |||
3164 | if (rv != SECSuccess) { | |||
3165 | return SECFailure; /* Error code set already. */ | |||
3166 | } | |||
3167 | } | |||
3168 | ||||
3169 | rv = tls13_SendEncryptedExtensions(ss); | |||
3170 | if (rv != SECSuccess) { | |||
3171 | return SECFailure; /* error code is set. */ | |||
3172 | } | |||
3173 | ||||
3174 | if (tls13_ShouldRequestClientAuth(ss)) { | |||
3175 | rv = tls13_SendCertificateRequest(ss); | |||
3176 | if (rv != SECSuccess) { | |||
3177 | return SECFailure; /* error code is set. */ | |||
3178 | } | |||
3179 | } | |||
3180 | if (ss->ssl3.hs.signatureScheme != ssl_sig_none) { | |||
3181 | SECKEYPrivateKey *svrPrivKey; | |||
3182 | ||||
3183 | rv = tls13_SendCertificate(ss); | |||
3184 | if (rv != SECSuccess) { | |||
3185 | return SECFailure; /* error code is set. */ | |||
3186 | } | |||
3187 | ||||
3188 | if (tls13_IsSigningWithDelegatedCredential(ss)) { | |||
3189 | SSL_TRC(3, ("%d: TLS13[%d]: Signing with delegated credential",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: Signing with delegated credential" , getpid(), ss->fd) | |||
3190 | SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: Signing with delegated credential" , getpid(), ss->fd); | |||
3191 | svrPrivKey = ss->sec.serverCert->delegCredKeyPair->privKey; | |||
3192 | } else { | |||
3193 | svrPrivKey = ss->sec.serverCert->serverKeyPair->privKey; | |||
3194 | } | |||
3195 | ||||
3196 | rv = tls13_SendCertificateVerify(ss, svrPrivKey); | |||
3197 | if (rv != SECSuccess) { | |||
3198 | return SECFailure; /* err code is set. */ | |||
3199 | } | |||
3200 | } | |||
3201 | ||||
3202 | rv = tls13_SendFinished(ss, ss->ssl3.hs.serverHsTrafficSecret); | |||
3203 | if (rv != SECSuccess) { | |||
3204 | return SECFailure; /* error code is set. */ | |||
3205 | } | |||
3206 | ||||
3207 | return SECSuccess; | |||
3208 | } | |||
3209 | ||||
3210 | /* Called from: ssl3_HandleClientHello */ | |||
3211 | static SECStatus | |||
3212 | tls13_SendServerHelloSequence(sslSocket *ss) | |||
3213 | { | |||
3214 | SECStatus rv; | |||
3215 | PRErrorCode err = 0; | |||
3216 | ||||
3217 | SSL_TRC(3, ("%d: TLS13[%d]: begin send server_hello sequence",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: begin send server_hello sequence" , getpid(), ss->fd) | |||
3218 | SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: begin send server_hello sequence" , getpid(), ss->fd); | |||
3219 | ||||
3220 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)" ,"tls13con.c",3220)); | |||
3221 | PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->xmitBufLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveXmitBufLock(ss)" ,"tls13con.c",3221)); | |||
3222 | ||||
3223 | rv = ssl3_RegisterExtensionSender(ss, &ss->xtnData, | |||
3224 | ssl_tls13_supported_versions_xtn, | |||
3225 | tls13_ServerSendSupportedVersionsXtn); | |||
3226 | if (rv != SECSuccess) { | |||
3227 | return SECFailure; | |||
3228 | } | |||
3229 | ||||
3230 | rv = tls13_ComputeHandshakeSecret(ss); | |||
3231 | if (rv != SECSuccess) { | |||
3232 | return SECFailure; /* error code is set. */ | |||
3233 | } | |||
3234 | ||||
3235 | rv = ssl3_SendServerHello(ss); | |||
3236 | if (rv != SECSuccess) { | |||
3237 | return rv; /* err code is set. */ | |||
3238 | } | |||
3239 | ||||
3240 | if (ss->ssl3.hs.fakeSid.len) { | |||
3241 | PORT_Assert(!IS_DTLS(ss))((!(ss->protocolVariant == ssl_variant_datagram))?((void)0 ):PR_Assert("!IS_DTLS(ss)","tls13con.c",3241)); | |||
3242 | SECITEM_FreeItemSECITEM_FreeItem_Util(&ss->ssl3.hs.fakeSid, PR_FALSE0); | |||
3243 | if (!ss->ssl3.hs.helloRetry) { | |||
3244 | rv = ssl3_SendChangeCipherSpecsInt(ss); | |||
3245 | if (rv != SECSuccess) { | |||
3246 | return rv; | |||
3247 | } | |||
3248 | } | |||
3249 | } | |||
3250 | ||||
3251 | rv = tls13_SendEncryptedServerSequence(ss); | |||
3252 | if (rv != SECSuccess) { | |||
3253 | err = PORT_GetErrorPORT_GetError_Util(); | |||
3254 | } | |||
3255 | /* Even if we get an error, since the ServerHello was successfully | |||
3256 | * serialized, we should give it a chance to reach the network. This gives | |||
3257 | * the client a chance to perform the key exchange and decrypt the alert | |||
3258 | * we're about to send. */ | |||
3259 | rv |= ssl3_FlushHandshake(ss, 0); | |||
3260 | if (rv != SECSuccess) { | |||
3261 | if (err) { | |||
3262 | PORT_SetErrorPORT_SetError_Util(err); | |||
3263 | } | |||
3264 | return SECFailure; | |||
3265 | } | |||
3266 | ||||
3267 | /* Compute the rest of the secrets except for the resumption | |||
3268 | * and exporter secret. */ | |||
3269 | rv = tls13_ComputeApplicationSecrets(ss); | |||
3270 | if (rv != SECSuccess) { | |||
3271 | LOG_ERROR(ss, PORT_GetError())do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, PORT_GetError_Util(), __func__, "tls13con.c" , 3271); PORT_SetError_Util(PORT_GetError_Util()); } while (0 ); | |||
3272 | return SECFailure; | |||
3273 | } | |||
3274 | ||||
3275 | rv = tls13_SetCipherSpec(ss, TrafficKeyApplicationData, | |||
3276 | ssl_secret_write, PR_FALSE0); | |||
3277 | if (rv != SECSuccess) { | |||
3278 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE)do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 3278); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); | |||
3279 | return SECFailure; | |||
3280 | } | |||
3281 | ||||
3282 | if (IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram)) { | |||
3283 | /* We need this for reading ACKs. */ | |||
3284 | ssl_CipherSpecAddRef(ss->ssl3.crSpec); | |||
3285 | } | |||
3286 | if (ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted) { | |||
3287 | rv = tls13_SetCipherSpec(ss, TrafficKeyEarlyApplicationData, | |||
3288 | ssl_secret_read, PR_TRUE1); | |||
3289 | if (rv != SECSuccess) { | |||
3290 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE)do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 3290); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); | |||
3291 | return SECFailure; | |||
3292 | } | |||
3293 | TLS13_SET_HS_STATE(ss, wait_end_of_early_data)tls13_SetHsState(ss, wait_end_of_early_data, __func__, "tls13con.c" , 3293); | |||
3294 | } else { | |||
3295 | PORT_Assert(ss->ssl3.hs.zeroRttState == ssl_0rtt_none ||((ss->ssl3.hs.zeroRttState == ssl_0rtt_none || ss->ssl3 .hs.zeroRttState == ssl_0rtt_ignored)?((void)0):PR_Assert("ss->ssl3.hs.zeroRttState == ssl_0rtt_none || ss->ssl3.hs.zeroRttState == ssl_0rtt_ignored" ,"tls13con.c",3296)) | |||
3296 | ss->ssl3.hs.zeroRttState == ssl_0rtt_ignored)((ss->ssl3.hs.zeroRttState == ssl_0rtt_none || ss->ssl3 .hs.zeroRttState == ssl_0rtt_ignored)?((void)0):PR_Assert("ss->ssl3.hs.zeroRttState == ssl_0rtt_none || ss->ssl3.hs.zeroRttState == ssl_0rtt_ignored" ,"tls13con.c",3296)); | |||
3297 | ||||
3298 | rv = tls13_SetCipherSpec(ss, | |||
3299 | TrafficKeyHandshake, | |||
3300 | ssl_secret_read, PR_FALSE0); | |||
3301 | if (rv != SECSuccess) { | |||
3302 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE)do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 3302); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); | |||
3303 | return SECFailure; | |||
3304 | } | |||
3305 | if (tls13_ShouldRequestClientAuth(ss)) { | |||
3306 | TLS13_SET_HS_STATE(ss, wait_client_cert)tls13_SetHsState(ss, wait_client_cert, __func__, "tls13con.c" , 3306); | |||
3307 | } else { | |||
3308 | TLS13_SET_HS_STATE(ss, wait_finished)tls13_SetHsState(ss, wait_finished, __func__, "tls13con.c", 3308 ); | |||
3309 | } | |||
3310 | } | |||
3311 | ||||
3312 | /* Here we set a baseline value for our RTT estimation. | |||
3313 | * This value is updated when we get a response from the client. */ | |||
3314 | ss->ssl3.hs.rttEstimate = ssl_Time(ss); | |||
3315 | return SECSuccess; | |||
3316 | } | |||
3317 | ||||
3318 | SECStatus | |||
3319 | tls13_HandleServerHelloPart2(sslSocket *ss, const PRUint8 *savedMsg, PRUint32 savedLength) | |||
3320 | { | |||
3321 | SECStatus rv; | |||
3322 | sslSessionID *sid = ss->sec.ci.sid; | |||
3323 | SSL3Statistics *ssl3stats = SSL_GetStatistics(); | |||
3324 | ||||
3325 | if (ssl3_ExtensionNegotiated(ss, ssl_tls13_pre_shared_key_xtn)) { | |||
3326 | PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks))((!((&ss->ssl3.hs.psks)->next == (&ss->ssl3. hs.psks)))?((void)0):PR_Assert("!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks)" ,"tls13con.c",3326)); | |||
3327 | PORT_Assert(ss->xtnData.selectedPsk)((ss->xtnData.selectedPsk)?((void)0):PR_Assert("ss->xtnData.selectedPsk" ,"tls13con.c",3327)); | |||
3328 | ||||
3329 | if (ss->xtnData.selectedPsk->type != ssl_psk_resume) { | |||
3330 | ss->statelessResume = PR_FALSE0; | |||
3331 | } | |||
3332 | } else { | |||
3333 | /* We may have offered a PSK. If the server didn't negotiate | |||
3334 | * it, clear this state to re-extract the Early Secret. */ | |||
3335 | if (ss->ssl3.hs.currentSecret) { | |||
3336 | /* We might have dropped incompatible PSKs on HRR | |||
3337 | * (see RFC8466, Section 4.1.4). */ | |||
3338 | PORT_Assert(ss->ssl3.hs.helloRetry ||((ss->ssl3.hs.helloRetry || ssl3_ExtensionAdvertised(ss, ssl_tls13_pre_shared_key_xtn ))?((void)0):PR_Assert("ss->ssl3.hs.helloRetry || ssl3_ExtensionAdvertised(ss, ssl_tls13_pre_shared_key_xtn)" ,"tls13con.c",3339)) | |||
3339 | ssl3_ExtensionAdvertised(ss, ssl_tls13_pre_shared_key_xtn))((ss->ssl3.hs.helloRetry || ssl3_ExtensionAdvertised(ss, ssl_tls13_pre_shared_key_xtn ))?((void)0):PR_Assert("ss->ssl3.hs.helloRetry || ssl3_ExtensionAdvertised(ss, ssl_tls13_pre_shared_key_xtn)" ,"tls13con.c",3339)); | |||
3340 | PK11_FreeSymKey(ss->ssl3.hs.currentSecret); | |||
3341 | ss->ssl3.hs.currentSecret = NULL((void*)0); | |||
3342 | } | |||
3343 | ss->statelessResume = PR_FALSE0; | |||
3344 | ss->xtnData.selectedPsk = NULL((void*)0); | |||
3345 | } | |||
3346 | ||||
3347 | if (ss->statelessResume) { | |||
3348 | PORT_Assert(sid->version >= SSL_LIBRARY_VERSION_TLS_1_3)((sid->version >= 0x0304)?((void)0):PR_Assert("sid->version >= SSL_LIBRARY_VERSION_TLS_1_3" ,"tls13con.c",3348)); | |||
3349 | if (tls13_GetHash(ss) != | |||
3350 | tls13_GetHashForCipherSuite(sid->u.ssl3.cipherSuite)) { | |||
3351 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_SERVER_HELLO,do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_SERVER_HELLO, __func__ , "tls13con.c", 3352); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_SERVER_HELLO ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_SERVER_HELLO , illegal_parameter); } while (0) | |||
3352 | illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_SERVER_HELLO, __func__ , "tls13con.c", 3352); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_SERVER_HELLO ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_SERVER_HELLO , illegal_parameter); } while (0); | |||
3353 | return SECFailure; | |||
3354 | } | |||
3355 | } | |||
3356 | ||||
3357 | /* Now create a synthetic kea_def that we can tweak. */ | |||
3358 | ss->ssl3.hs.kea_def_mutable = *ss->ssl3.hs.kea_def; | |||
3359 | ss->ssl3.hs.kea_def = &ss->ssl3.hs.kea_def_mutable; | |||
3360 | ||||
3361 | if (ss->xtnData.selectedPsk) { | |||
3362 | ss->ssl3.hs.kea_def_mutable.authKeyType = ssl_auth_psk; | |||
3363 | if (ss->statelessResume) { | |||
3364 | tls13_RestoreCipherInfo(ss, sid); | |||
3365 | if (sid->peerCert) { | |||
3366 | ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); | |||
3367 | } | |||
3368 | ||||
3369 | SSL_AtomicIncrementLong(&ssl3stats->hsh_sid_cache_hits); | |||
3370 | SSL_AtomicIncrementLong(&ssl3stats->hsh_sid_stateless_resumes); | |||
3371 | } else { | |||
3372 | ss->sec.authType = ssl_auth_psk; | |||
3373 | } | |||
3374 | } else { | |||
3375 | if (ss->statelessResume && | |||
3376 | ssl3_ExtensionAdvertised(ss, ssl_tls13_pre_shared_key_xtn)) { | |||
3377 | SSL_AtomicIncrementLong(&ssl3stats->hsh_sid_cache_misses); | |||
3378 | } | |||
3379 | if (sid->cached == in_client_cache) { | |||
3380 | /* If we tried to resume and failed, let's not try again. */ | |||
3381 | ssl_UncacheSessionID(ss); | |||
3382 | } | |||
3383 | } | |||
3384 | ||||
3385 | /* Discard current SID and make a new one, though it may eventually | |||
3386 | * end up looking a lot like the old one. | |||
3387 | */ | |||
3388 | ssl_FreeSID(sid); | |||
3389 | ss->sec.ci.sid = sid = ssl3_NewSessionID(ss, PR_FALSE0); | |||
3390 | if (sid == NULL((void*)0)) { | |||
3391 | FATAL_ERROR(ss, PORT_GetError(), internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, PORT_GetError_Util(), __func__, "tls13con.c" , 3391); PORT_SetError_Util(PORT_GetError_Util()); } while (0 ); tls13_FatalError(ss, PORT_GetError_Util(), internal_error) ; } while (0); | |||
3392 | return SECFailure; | |||
3393 | } | |||
3394 | if (ss->statelessResume) { | |||
3395 | PORT_Assert(ss->sec.peerCert)((ss->sec.peerCert)?((void)0):PR_Assert("ss->sec.peerCert" ,"tls13con.c",3395)); | |||
3396 | sid->peerCert = CERT_DupCertificate(ss->sec.peerCert); | |||
3397 | } | |||
3398 | sid->version = ss->version; | |||
3399 | ||||
3400 | rv = tls13_HandleServerKeyShare(ss); | |||
3401 | if (rv != SECSuccess) { | |||
3402 | return SECFailure; | |||
3403 | } | |||
3404 | ||||
3405 | rv = tls13_ComputeHandshakeSecret(ss); | |||
3406 | if (rv != SECSuccess) { | |||
3407 | return SECFailure; /* error code is set. */ | |||
3408 | } | |||
3409 | ||||
3410 | rv = tls13_MaybeHandleEchSignal(ss, savedMsg, savedLength, PR_FALSE0); | |||
3411 | if (rv != SECSuccess) { | |||
3412 | return SECFailure; /* error code is set. */ | |||
3413 | } | |||
3414 | ||||
3415 | rv = tls13_ComputeHandshakeSecrets(ss); | |||
3416 | if (rv != SECSuccess) { | |||
3417 | return SECFailure; /* error code is set. */ | |||
3418 | } | |||
3419 | ||||
3420 | if (ss->ssl3.hs.zeroRttState == ssl_0rtt_sent) { | |||
3421 | /* When we send 0-RTT, we saved the null spec in case we needed it to | |||
3422 | * send another ClientHello in response to a HelloRetryRequest. Now | |||
3423 | * that we won't be receiving a HelloRetryRequest, release the spec. */ | |||
3424 | ssl_CipherSpecReleaseByEpoch(ss, ssl_secret_write, TrafficKeyClearText); | |||
3425 | } | |||
3426 | ||||
3427 | rv = tls13_SetCipherSpec(ss, TrafficKeyHandshake, | |||
3428 | ssl_secret_read, PR_FALSE0); | |||
3429 | if (rv != SECSuccess) { | |||
3430 | FATAL_ERROR(ss, SSL_ERROR_INIT_CIPHER_SUITE_FAILURE, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_INIT_CIPHER_SUITE_FAILURE, __func__ , "tls13con.c", 3430); PORT_SetError_Util(SSL_ERROR_INIT_CIPHER_SUITE_FAILURE ); } while (0); tls13_FatalError(ss, SSL_ERROR_INIT_CIPHER_SUITE_FAILURE , internal_error); } while (0); | |||
3431 | return SECFailure; | |||
3432 | } | |||
3433 | TLS13_SET_HS_STATE(ss, wait_encrypted_extensions)tls13_SetHsState(ss, wait_encrypted_extensions, __func__, "tls13con.c" , 3433); | |||
3434 | ||||
3435 | return SECSuccess; | |||
3436 | } | |||
3437 | ||||
3438 | static void | |||
3439 | tls13_SetKeyExchangeType(sslSocket *ss, const sslNamedGroupDef *group) | |||
3440 | { | |||
3441 | ss->sec.keaGroup = group; | |||
3442 | switch (group->keaType) { | |||
3443 | /* Note: These overwrite on resumption.... so if you start with ECDH | |||
3444 | * and resume with DH, we report DH. That's fine, since no answer | |||
3445 | * is really right. */ | |||
3446 | case ssl_kea_ecdh: | |||
3447 | ss->ssl3.hs.kea_def_mutable.exchKeyType = | |||
3448 | ss->statelessResume ? ssl_kea_ecdh_psk : ssl_kea_ecdh; | |||
3449 | ss->sec.keaType = ssl_kea_ecdh; | |||
3450 | break; | |||
3451 | case ssl_kea_ecdh_hybrid: | |||
3452 | ss->ssl3.hs.kea_def_mutable.exchKeyType = | |||
3453 | ss->statelessResume ? ssl_kea_ecdh_hybrid_psk : ssl_kea_ecdh_hybrid; | |||
3454 | ss->sec.keaType = ssl_kea_ecdh_hybrid; | |||
3455 | break; | |||
3456 | case ssl_kea_dh: | |||
3457 | ss->ssl3.hs.kea_def_mutable.exchKeyType = | |||
3458 | ss->statelessResume ? ssl_kea_dh_psk : ssl_kea_dh; | |||
3459 | ss->sec.keaType = ssl_kea_dh; | |||
3460 | break; | |||
3461 | default: | |||
3462 | PORT_Assert(0)((0)?((void)0):PR_Assert("0","tls13con.c",3462)); | |||
3463 | } | |||
3464 | } | |||
3465 | ||||
3466 | /* | |||
3467 | * Called from ssl3_HandleServerHello. | |||
3468 | * | |||
3469 | * Caller must hold Handshake and RecvBuf locks. | |||
3470 | */ | |||
3471 | static SECStatus | |||
3472 | tls13_HandleServerKeyShare(sslSocket *ss) | |||
3473 | { | |||
3474 | SECStatus rv; | |||
3475 | TLS13KeyShareEntry *entry; | |||
3476 | sslEphemeralKeyPair *keyPair; | |||
3477 | PK11SymKey *dheSecret = NULL((void*)0); | |||
3478 | PK11SymKey *kemSecret = NULL((void*)0); | |||
3479 | ||||
3480 | SSL_TRC(3, ("%d: TLS13[%d]: handle server_key_share handshake",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: handle server_key_share handshake" , getpid(), ss->fd) | |||
3481 | SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: handle server_key_share handshake" , getpid(), ss->fd); | |||
3482 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->recvBufLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveRecvBufLock(ss)" ,"tls13con.c",3482)); | |||
3483 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)" ,"tls13con.c",3483)); | |||
3484 | ||||
3485 | /* This list should have one entry. */ | |||
3486 | if (PR_CLIST_IS_EMPTY(&ss->xtnData.remoteKeyShares)((&ss->xtnData.remoteKeyShares)->next == (&ss-> xtnData.remoteKeyShares))) { | |||
3487 | FATAL_ERROR(ss, SSL_ERROR_MISSING_KEY_SHARE, missing_extension)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_MISSING_KEY_SHARE, __func__, "tls13con.c", 3487); PORT_SetError_Util(SSL_ERROR_MISSING_KEY_SHARE ); } while (0); tls13_FatalError(ss, SSL_ERROR_MISSING_KEY_SHARE , missing_extension); } while (0); | |||
3488 | return SECFailure; | |||
3489 | } | |||
3490 | ||||
3491 | entry = (TLS13KeyShareEntry *)PR_NEXT_LINK(&ss->xtnData.remoteKeyShares)((&ss->xtnData.remoteKeyShares)->next); | |||
3492 | PORT_Assert(PR_NEXT_LINK(&entry->link) == &ss->xtnData.remoteKeyShares)((((&entry->link)->next) == &ss->xtnData.remoteKeyShares )?((void)0):PR_Assert("PR_NEXT_LINK(&entry->link) == &ss->xtnData.remoteKeyShares" ,"tls13con.c",3492)); | |||
3493 | ||||
3494 | /* Now get our matching key. */ | |||
3495 | keyPair = ssl_LookupEphemeralKeyPair(ss, entry->group); | |||
3496 | if (!keyPair) { | |||
3497 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_KEY_SHARE, illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_KEY_SHARE, __func__ , "tls13con.c", 3497); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_KEY_SHARE ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_KEY_SHARE , illegal_parameter); } while (0); | |||
3498 | return SECFailure; | |||
3499 | } | |||
3500 | ||||
3501 | PORT_Assert(ssl_NamedGroupEnabled(ss, entry->group))((ssl_NamedGroupEnabled(ss, entry->group))?((void)0):PR_Assert ("ssl_NamedGroupEnabled(ss, entry->group)","tls13con.c",3501 )); | |||
3502 | ||||
3503 | rv = tls13_HandleKeyShare(ss, entry, keyPair->keys, | |||
3504 | tls13_GetHash(ss), | |||
3505 | &dheSecret); | |||
3506 | if (rv != SECSuccess) { | |||
3507 | goto loser; /* Error code already set. */ | |||
3508 | } | |||
3509 | ||||
3510 | if (entry->group->keaType == ssl_kea_ecdh_hybrid) { | |||
3511 | rv = tls13_HandleKEMCiphertext(ss, entry, keyPair->kemKeys, &kemSecret); | |||
3512 | if (rv != SECSuccess) { | |||
3513 | goto loser; /* Error set by tls13_HandleKEMCiphertext */ | |||
3514 | } | |||
3515 | // We may need to handle different "combiners" here in the future. For | |||
3516 | // now this is specific to xyber768d00. | |||
3517 | PORT_Assert(entry->group->name == ssl_grp_kem_xyber768d00)((entry->group->name == ssl_grp_kem_xyber768d00)?((void )0):PR_Assert("entry->group->name == ssl_grp_kem_xyber768d00" ,"tls13con.c",3517)); | |||
3518 | ss->ssl3.hs.dheSecret = PK11_ConcatSymKeys(dheSecret, kemSecret, CKM_HKDF_DERIVE0x0000402aUL, CKA_DERIVE0x0000010CUL); | |||
3519 | if (!ss->ssl3.hs.dheSecret) { | |||
3520 | goto loser; /* Error set by PK11_ConcatSymKeys */ | |||
3521 | } | |||
3522 | PK11_FreeSymKey(dheSecret); | |||
3523 | PK11_FreeSymKey(kemSecret); | |||
3524 | } else { | |||
3525 | ss->ssl3.hs.dheSecret = dheSecret; | |||
3526 | } | |||
3527 | ||||
3528 | tls13_SetKeyExchangeType(ss, entry->group); | |||
3529 | ss->sec.keaKeyBits = SECKEY_PublicKeyStrengthInBits(keyPair->keys->pubKey); | |||
3530 | ||||
3531 | return SECSuccess; | |||
3532 | ||||
3533 | loser: | |||
3534 | PK11_FreeSymKey(dheSecret); | |||
3535 | PK11_FreeSymKey(kemSecret); | |||
3536 | FATAL_ERROR(ss, PORT_GetError(), illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, PORT_GetError_Util(), __func__, "tls13con.c" , 3536); PORT_SetError_Util(PORT_GetError_Util()); } while (0 ); tls13_FatalError(ss, PORT_GetError_Util(), illegal_parameter ); } while (0); | |||
3537 | return SECFailure; | |||
3538 | } | |||
3539 | ||||
3540 | static PRBool | |||
3541 | tls13_FindCompressionAlgAndCheckIfSupportsEncoding(sslSocket *ss) | |||
3542 | { | |||
3543 | PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->xmitBufLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveXmitBufLock(ss)" ,"tls13con.c",3543)); | |||
3544 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)" ,"tls13con.c",3544)); | |||
3545 | ||||
3546 | for (int j = 0; j < ss->ssl3.supportedCertCompressionAlgorithmsCount; j++) { | |||
3547 | if (ss->ssl3.supportedCertCompressionAlgorithms[j].id == ss->xtnData.compressionAlg) { | |||
3548 | if (ss->ssl3.supportedCertCompressionAlgorithms[j].encode != NULL((void*)0)) { | |||
3549 | return PR_TRUE1; | |||
3550 | } | |||
3551 | return PR_FALSE0; | |||
3552 | } | |||
3553 | } | |||
3554 | ||||
3555 | return PR_FALSE0; | |||
3556 | } | |||
3557 | ||||
3558 | static SECStatus | |||
3559 | tls13_FindCompressionAlgAndEncodeCertificate( | |||
3560 | sslSocket *ss, SECItem *certificateToEncode, SECItem *encodedCertificate) | |||
3561 | { | |||
3562 | PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->xmitBufLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveXmitBufLock(ss)" ,"tls13con.c",3562)); | |||
3563 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)" ,"tls13con.c",3563)); | |||
3564 | ||||
3565 | SECStatus rv = SECFailure; | |||
3566 | for (int j = 0; j < ss->ssl3.supportedCertCompressionAlgorithmsCount; j++) { | |||
3567 | if (ss->ssl3.supportedCertCompressionAlgorithms[j].id == ss->xtnData.compressionAlg && | |||
3568 | ss->ssl3.supportedCertCompressionAlgorithms[j].encode != NULL((void*)0)) { | |||
3569 | rv = ss->ssl3.supportedCertCompressionAlgorithms[j].encode( | |||
3570 | certificateToEncode, encodedCertificate); | |||
3571 | return rv; | |||
3572 | } | |||
3573 | } | |||
3574 | ||||
3575 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_CERTIFICATE_COMPRESSION_ALGORITHM_NOT_SUPPORTED); | |||
3576 | return SECFailure; | |||
3577 | } | |||
3578 | ||||
3579 | static SECStatus | |||
3580 | tls13_SendCompressedCertificate(sslSocket *ss, sslBuffer *bufferCertificate) | |||
3581 | { | |||
3582 | /* TLS Certificate Compression. RFC 8879 */ | |||
3583 | /* As the encoding function takes as input a SECItem, | |||
3584 | * we convert bufferCertificate to certificateToEncode. | |||
3585 | * | |||
3586 | * encodedCertificate is used to store the certificate | |||
3587 | * after encoding. | |||
3588 | */ | |||
3589 | SECItem encodedCertificate = { siBuffer, NULL((void*)0), 0 }; | |||
3590 | SECItem certificateToEncode = { siBuffer, NULL((void*)0), 0 }; | |||
3591 | SECStatus rv = SECFailure; | |||
3592 | ||||
3593 | PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->xmitBufLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveXmitBufLock(ss)" ,"tls13con.c",3593)); | |||
3594 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)" ,"tls13con.c",3594)); | |||
3595 | ||||
3596 | SSL_TRC(30, ("%d: TLS13[%d]: %s is encoding the certificate using the %s compression algorithm",if (ssl_trace >= (30)) ssl_Trace ("%d: TLS13[%d]: %s is encoding the certificate using the %s compression algorithm" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" ), ssl3_mapCertificateCompressionAlgorithmToName(ss, ss->xtnData .compressionAlg)) | |||
3597 | SSL_GETPID(), ss->fd, SSL_ROLE(ss),if (ssl_trace >= (30)) ssl_Trace ("%d: TLS13[%d]: %s is encoding the certificate using the %s compression algorithm" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" ), ssl3_mapCertificateCompressionAlgorithmToName(ss, ss->xtnData .compressionAlg)) | |||
3598 | ssl3_mapCertificateCompressionAlgorithmToName(ss, ss->xtnData.compressionAlg)))if (ssl_trace >= (30)) ssl_Trace ("%d: TLS13[%d]: %s is encoding the certificate using the %s compression algorithm" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" ), ssl3_mapCertificateCompressionAlgorithmToName(ss, ss->xtnData .compressionAlg)); | |||
3599 | ||||
3600 | PRINT_BUF(50, (NULL, "The certificate before encoding:",if (ssl_trace >= (50)) ssl_PrintBuf (((void*)0), "The certificate before encoding:" , bufferCertificate->buf, bufferCertificate->len) | |||
3601 | bufferCertificate->buf, bufferCertificate->len))if (ssl_trace >= (50)) ssl_PrintBuf (((void*)0), "The certificate before encoding:" , bufferCertificate->buf, bufferCertificate->len); | |||
3602 | ||||
3603 | PRUint32 lengthUnencodedMessage = bufferCertificate->len; | |||
3604 | rv = ssl3_CopyToSECItem(bufferCertificate, &certificateToEncode); | |||
3605 | if (rv != SECSuccess) { | |||
3606 | SSL_TRC(50, ("%d: TLS13[%d]: %s has failed encoding the certificate.",if (ssl_trace >= (50)) ssl_Trace ("%d: TLS13[%d]: %s has failed encoding the certificate." , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" )) | |||
3607 | SSL_GETPID(), ss->fd, SSL_ROLE(ss)))if (ssl_trace >= (50)) ssl_Trace ("%d: TLS13[%d]: %s has failed encoding the certificate." , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" )); | |||
3608 | goto loser; /* Code already set. */ | |||
3609 | } | |||
3610 | ||||
3611 | rv = tls13_FindCompressionAlgAndEncodeCertificate(ss, &certificateToEncode, | |||
3612 | &encodedCertificate); | |||
3613 | if (rv != SECSuccess) { | |||
3614 | SSL_TRC(50, ("%d: TLS13[%d]: %s has failed encoding the certificate.",if (ssl_trace >= (50)) ssl_Trace ("%d: TLS13[%d]: %s has failed encoding the certificate." , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" )) | |||
3615 | SSL_GETPID(), ss->fd, SSL_ROLE(ss)))if (ssl_trace >= (50)) ssl_Trace ("%d: TLS13[%d]: %s has failed encoding the certificate." , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" )); | |||
3616 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_NO_MEMORY); | |||
3617 | goto loser; /* Code already set. */ | |||
3618 | } | |||
3619 | ||||
3620 | /* The CompressedCertificate message is formed as follows: | |||
3621 | * struct { | |||
3622 | * CertificateCompressionAlgorithm algorithm; | |||
3623 | * uint24 uncompressed_length; | |||
3624 | * opaque compressed_certificate_message<1..2^24-1>; | |||
3625 | * } CompressedCertificate; | |||
3626 | */ | |||
3627 | ||||
3628 | if (encodedCertificate.len < 1) { | |||
3629 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); | |||
3630 | goto loser; | |||
3631 | } | |||
3632 | ||||
3633 | rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_compressed_certificate, | |||
3634 | encodedCertificate.len + 2 + 3 + 3); | |||
3635 | if (rv != SECSuccess) { | |||
3636 | goto loser; /* err set by AppendHandshake. */ | |||
3637 | } | |||
3638 | ||||
3639 | rv = ssl3_AppendHandshakeNumber(ss, ss->xtnData.compressionAlg, 2); | |||
3640 | if (rv != SECSuccess) { | |||
3641 | goto loser; /* err set by AppendHandshake. */ | |||
3642 | } | |||
3643 | ||||
3644 | rv = ssl3_AppendHandshakeNumber(ss, lengthUnencodedMessage, 3); | |||
3645 | if (rv != SECSuccess) { | |||
3646 | goto loser; /* err set by AppendHandshake. */ | |||
3647 | } | |||
3648 | ||||
3649 | PRINT_BUF(30, (NULL, "The encoded certificate: ",if (ssl_trace >= (30)) ssl_PrintBuf (((void*)0), "The encoded certificate: " , encodedCertificate.data, encodedCertificate.len) | |||
3650 | encodedCertificate.data, encodedCertificate.len))if (ssl_trace >= (30)) ssl_PrintBuf (((void*)0), "The encoded certificate: " , encodedCertificate.data, encodedCertificate.len); | |||
3651 | ||||
3652 | rv = ssl3_AppendHandshakeVariable(ss, encodedCertificate.data, encodedCertificate.len, 3); | |||
3653 | if (rv != SECSuccess) { | |||
3654 | goto loser; /* err set by AppendHandshake. */ | |||
3655 | } | |||
3656 | ||||
3657 | SECITEM_FreeItemSECITEM_FreeItem_Util(&certificateToEncode, PR_FALSE0); | |||
3658 | SECITEM_FreeItemSECITEM_FreeItem_Util(&encodedCertificate, PR_FALSE0); | |||
3659 | return SECSuccess; | |||
3660 | ||||
3661 | loser: | |||
3662 | SECITEM_FreeItemSECITEM_FreeItem_Util(&certificateToEncode, PR_FALSE0); | |||
3663 | SECITEM_FreeItemSECITEM_FreeItem_Util(&encodedCertificate, PR_FALSE0); | |||
3664 | return SECFailure; | |||
3665 | } | |||
3666 | ||||
3667 | /* | |||
3668 | * opaque ASN1Cert<1..2^24-1>; | |||
3669 | * | |||
3670 | * struct { | |||
3671 | * ASN1Cert cert_data; | |||
3672 | * Extension extensions<0..2^16-1>; | |||
3673 | * } CertificateEntry; | |||
3674 | * | |||
3675 | * struct { | |||
3676 | * opaque certificate_request_context<0..2^8-1>; | |||
3677 | * CertificateEntry certificate_list<0..2^24-1>; | |||
3678 | * } Certificate; | |||
3679 | */ | |||
3680 | static SECStatus | |||
3681 | tls13_SendCertificate(sslSocket *ss) | |||
3682 | { | |||
3683 | SECStatus rv; | |||
3684 | CERTCertificateList *certChain; | |||
3685 | int certChainLen = 0; | |||
3686 | int i; | |||
3687 | SECItem context = { siBuffer, NULL((void*)0), 0 }; | |||
3688 | sslBuffer extensionBuf = SSL_BUFFER_EMPTY{ ((void*)0), 0, 0, 0 }; | |||
3689 | sslBuffer bufferCertificate = SSL_BUFFER_EMPTY{ ((void*)0), 0, 0, 0 }; | |||
3690 | ||||
3691 | SSL_TRC(3, ("%d: TLS1.3[%d]: send certificate handshake",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS1.3[%d]: send certificate handshake" , getpid(), ss->fd) | |||
3692 | SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS1.3[%d]: send certificate handshake" , getpid(), ss->fd); | |||
3693 | ||||
3694 | PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->xmitBufLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveXmitBufLock(ss)" ,"tls13con.c",3694)); | |||
3695 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)" ,"tls13con.c",3695)); | |||
3696 | ||||
3697 | if (ss->sec.isServer) { | |||
3698 | PORT_Assert(!ss->sec.localCert)((!ss->sec.localCert)?((void)0):PR_Assert("!ss->sec.localCert" ,"tls13con.c",3698)); | |||
3699 | /* A server certificate is selected in tls13_SelectServerCert(). */ | |||
3700 | PORT_Assert(ss->sec.serverCert)((ss->sec.serverCert)?((void)0):PR_Assert("ss->sec.serverCert" ,"tls13con.c",3700)); | |||
3701 | ||||
3702 | certChain = ss->sec.serverCert->serverCertChain; | |||
3703 | ss->sec.localCert = CERT_DupCertificate(ss->sec.serverCert->serverCert); | |||
3704 | } else { | |||
3705 | if (ss->sec.localCert) | |||
3706 | CERT_DestroyCertificate(ss->sec.localCert); | |||
3707 | ||||
3708 | certChain = ss->ssl3.clientCertChain; | |||
3709 | ss->sec.localCert = CERT_DupCertificate(ss->ssl3.clientCertificate); | |||
3710 | } | |||
3711 | ||||
3712 | if (!ss->sec.isServer) { | |||
3713 | PORT_Assert(ss->ssl3.hs.clientCertRequested)((ss->ssl3.hs.clientCertRequested)?((void)0):PR_Assert("ss->ssl3.hs.clientCertRequested" ,"tls13con.c",3713)); | |||
3714 | context = ss->xtnData.certReqContext; | |||
3715 | } | |||
3716 | ||||
3717 | if (certChain) { | |||
3718 | for (i = 0; i < certChain->len; i++) { | |||
3719 | /* Each cert is 3 octet length, cert, and extensions */ | |||
3720 | certChainLen += 3 + certChain->certs[i].len + 2; | |||
3721 | } | |||
3722 | ||||
3723 | /* Build the extensions. This only applies to the leaf cert, because we | |||
3724 | * don't yet send extensions for non-leaf certs. */ | |||
3725 | rv = ssl_ConstructExtensions(ss, &extensionBuf, ssl_hs_certificate); | |||
3726 | if (rv != SECSuccess) { | |||
3727 | return SECFailure; /* code already set */ | |||
3728 | } | |||
3729 | /* extensionBuf.len is only added once, for the leaf cert. */ | |||
3730 | certChainLen += SSL_BUFFER_LEN(&extensionBuf)((&extensionBuf)->len); | |||
3731 | } | |||
3732 | ||||
3733 | rv = sslBuffer_AppendVariable(&bufferCertificate, context.data, context.len, 1); | |||
3734 | if (rv != SECSuccess) { | |||
3735 | goto loser; /* Code already set. */ | |||
3736 | } | |||
3737 | ||||
3738 | rv = sslBuffer_AppendNumber(&bufferCertificate, certChainLen, 3); | |||
3739 | if (rv != SECSuccess) { | |||
3740 | goto loser; /* Code already set. */ | |||
3741 | } | |||
3742 | ||||
3743 | if (certChain) { | |||
3744 | for (i = 0; i < certChain->len; i++) { | |||
3745 | rv = sslBuffer_AppendVariable(&bufferCertificate, certChain->certs[i].data, | |||
3746 | certChain->certs[i].len, 3); | |||
3747 | if (rv != SECSuccess) { | |||
3748 | goto loser; /* Code already set. */ | |||
3749 | } | |||
3750 | ||||
3751 | if (i) { | |||
3752 | /* Not end-entity. */ | |||
3753 | rv = sslBuffer_AppendNumber(&bufferCertificate, 0, 2); | |||
3754 | if (rv != SECSuccess) { | |||
3755 | goto loser; /* Code already set. */ | |||
3756 | } | |||
3757 | continue; | |||
3758 | } | |||
3759 | ||||
3760 | rv = sslBuffer_AppendBufferVariable(&bufferCertificate, &extensionBuf, 2); | |||
3761 | if (rv != SECSuccess) { | |||
3762 | goto loser; /* Code already set. */ | |||
3763 | } | |||
3764 | } | |||
3765 | } | |||
3766 | ||||
3767 | /* If no compression mechanism was established or | |||
3768 | * the compression mechanism supports only decoding, | |||
3769 | * we continue as before. */ | |||
3770 | if (ss->xtnData.compressionAlg == 0 || !tls13_FindCompressionAlgAndCheckIfSupportsEncoding(ss)) { | |||
3771 | rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_certificate, | |||
3772 | 1 + context.len + 3 + certChainLen); | |||
3773 | if (rv != SECSuccess) { | |||
3774 | goto loser; /* err set by AppendHandshake. */ | |||
3775 | } | |||
3776 | rv = ssl3_AppendBufferToHandshake(ss, &bufferCertificate); | |||
3777 | if (rv != SECSuccess) { | |||
3778 | goto loser; /* err set by AppendHandshake. */ | |||
3779 | } | |||
3780 | } else { | |||
3781 | rv = tls13_SendCompressedCertificate(ss, &bufferCertificate); | |||
3782 | if (rv != SECSuccess) { | |||
3783 | goto loser; /* err set by tls13_SendCompressedCertificate. */ | |||
3784 | } | |||
3785 | } | |||
3786 | ||||
3787 | sslBuffer_Clear(&bufferCertificate); | |||
3788 | sslBuffer_Clear(&extensionBuf); | |||
3789 | return SECSuccess; | |||
3790 | ||||
3791 | loser: | |||
3792 | sslBuffer_Clear(&bufferCertificate); | |||
3793 | sslBuffer_Clear(&extensionBuf); | |||
3794 | return SECFailure; | |||
3795 | } | |||
3796 | ||||
3797 | static SECStatus | |||
3798 | tls13_HandleCertificateEntry(sslSocket *ss, SECItem *data, PRBool first, | |||
3799 | CERTCertificate **certp) | |||
3800 | { | |||
3801 | SECStatus rv; | |||
3802 | SECItem certData; | |||
3803 | SECItem extensionsData; | |||
3804 | CERTCertificate *cert = NULL((void*)0); | |||
3805 | ||||
3806 | rv = ssl3_ConsumeHandshakeVariable(ss, &certData, | |||
3807 | 3, &data->data, &data->len); | |||
3808 | if (rv != SECSuccess) { | |||
3809 | return SECFailure; | |||
3810 | } | |||
3811 | ||||
3812 | rv = ssl3_ConsumeHandshakeVariable(ss, &extensionsData, | |||
3813 | 2, &data->data, &data->len); | |||
3814 | if (rv != SECSuccess) { | |||
3815 | return SECFailure; | |||
3816 | } | |||
3817 | ||||
3818 | /* Parse all the extensions. */ | |||
3819 | if (first && !ss->sec.isServer) { | |||
3820 | rv = ssl3_HandleExtensions(ss, &extensionsData.data, | |||
3821 | &extensionsData.len, | |||
3822 | ssl_hs_certificate); | |||
3823 | if (rv != SECSuccess) { | |||
3824 | return SECFailure; | |||
3825 | } | |||
3826 | /* TODO(ekr@rtfm.com): Copy out SCTs. Bug 1315727. */ | |||
3827 | } | |||
3828 | ||||
3829 | cert = CERT_NewTempCertificate(ss->dbHandle, &certData, NULL((void*)0), | |||
3830 | PR_FALSE0, PR_TRUE1); | |||
3831 | ||||
3832 | if (!cert) { | |||
3833 | PRErrorCode errCode = PORT_GetErrorPORT_GetError_Util(); | |||
3834 | switch (errCode) { | |||
3835 | case PR_OUT_OF_MEMORY_ERROR(-6000L): | |||
3836 | case SEC_ERROR_BAD_DATABASE: | |||
3837 | case SEC_ERROR_NO_MEMORY: | |||
3838 | FATAL_ERROR(ss, errCode, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, errCode, __func__, "tls13con.c", 3838) ; PORT_SetError_Util(errCode); } while (0); tls13_FatalError( ss, errCode, internal_error); } while (0); | |||
3839 | return SECFailure; | |||
3840 | default: | |||
3841 | ssl3_SendAlertForCertError(ss, errCode); | |||
3842 | return SECFailure; | |||
3843 | } | |||
3844 | } | |||
3845 | ||||
3846 | *certp = cert; | |||
3847 | ||||
3848 | return SECSuccess; | |||
3849 | } | |||
3850 | ||||
3851 | static SECStatus | |||
3852 | tls13_EnsureCerticateExpected(sslSocket *ss) | |||
3853 | { | |||
3854 | SECStatus rv = SECFailure; | |||
3855 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->recvBufLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveRecvBufLock(ss)" ,"tls13con.c",3855)); | |||
3856 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)" ,"tls13con.c",3856)); | |||
3857 | ||||
3858 | if (ss->sec.isServer) { | |||
3859 | /* Receiving this message might be the first sign we have that | |||
3860 | * early data is over, so pretend we received EOED. */ | |||
3861 | rv = tls13_MaybeHandleSuppressedEndOfEarlyData(ss); | |||
3862 | if (rv != SECSuccess) { | |||
3863 | return SECFailure; /* Code already set. */ | |||
3864 | } | |||
3865 | ||||
3866 | if (ss->ssl3.clientCertRequested) { | |||
3867 | rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERTIFICATE,tls13_CheckHsState(ss, SSL_ERROR_RX_UNEXPECTED_CERTIFICATE, "SSL_ERROR_RX_UNEXPECTED_CERTIFICATE" , __func__, "tls13con.c", 3868, idle_handshake, wait_invalid) | |||
3868 | idle_handshake)tls13_CheckHsState(ss, SSL_ERROR_RX_UNEXPECTED_CERTIFICATE, "SSL_ERROR_RX_UNEXPECTED_CERTIFICATE" , __func__, "tls13con.c", 3868, idle_handshake, wait_invalid); | |||
3869 | } else { | |||
3870 | rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERTIFICATE,tls13_CheckHsState(ss, SSL_ERROR_RX_UNEXPECTED_CERTIFICATE, "SSL_ERROR_RX_UNEXPECTED_CERTIFICATE" , __func__, "tls13con.c", 3871, wait_client_cert, wait_invalid ) | |||
3871 | wait_client_cert)tls13_CheckHsState(ss, SSL_ERROR_RX_UNEXPECTED_CERTIFICATE, "SSL_ERROR_RX_UNEXPECTED_CERTIFICATE" , __func__, "tls13con.c", 3871, wait_client_cert, wait_invalid ); | |||
3872 | } | |||
3873 | } else { | |||
3874 | rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERTIFICATE,tls13_CheckHsState(ss, SSL_ERROR_RX_UNEXPECTED_CERTIFICATE, "SSL_ERROR_RX_UNEXPECTED_CERTIFICATE" , __func__, "tls13con.c", 3875, wait_cert_request, wait_server_cert , wait_invalid) | |||
3875 | wait_cert_request, wait_server_cert)tls13_CheckHsState(ss, SSL_ERROR_RX_UNEXPECTED_CERTIFICATE, "SSL_ERROR_RX_UNEXPECTED_CERTIFICATE" , __func__, "tls13con.c", 3875, wait_cert_request, wait_server_cert , wait_invalid); | |||
3876 | } | |||
3877 | return rv; | |||
3878 | } | |||
3879 | ||||
3880 | /* RFC 8879 TLS Certificate Compression | |||
3881 | * struct { | |||
3882 | * CertificateCompressionAlgorithm algorithm; | |||
3883 | * uint24 uncompressed_length; | |||
3884 | * opaque compressed_certificate_message<1..2^24-1>; | |||
3885 | * } CompressedCertificate; | |||
3886 | */ | |||
3887 | static SECStatus | |||
3888 | tls13_HandleCertificateDecode(sslSocket *ss, PRUint8 *b, PRUint32 length) | |||
3889 | { | |||
3890 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->recvBufLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveRecvBufLock(ss)" ,"tls13con.c",3890)); | |||
3891 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)" ,"tls13con.c",3891)); | |||
3892 | ||||
3893 | SECStatus rv = SECFailure; | |||
3894 | ||||
3895 | if (!ss->xtnData.certificateCompressionAdvertised) { | |||
3896 | FATAL_ERROR(ss, SEC_ERROR_UNEXPECTED_COMPRESSED_CERTIFICATE, decode_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_UNEXPECTED_COMPRESSED_CERTIFICATE , __func__, "tls13con.c", 3896); PORT_SetError_Util(SEC_ERROR_UNEXPECTED_COMPRESSED_CERTIFICATE ); } while (0); tls13_FatalError(ss, SEC_ERROR_UNEXPECTED_COMPRESSED_CERTIFICATE , decode_error); } while (0); | |||
3897 | return SECFailure; | |||
3898 | } | |||
3899 | ||||
3900 | rv = tls13_EnsureCerticateExpected(ss); | |||
3901 | if (rv != SECSuccess) { | |||
3902 | return SECFailure; /* Code already set. */ | |||
3903 | } | |||
3904 | ||||
3905 | if (ss->firstHsDone) { | |||
3906 | rv = ssl_HashPostHandshakeMessage(ss, ssl_hs_compressed_certificate, b, length); | |||
3907 | if (rv != SECSuccess) { | |||
3908 | return rv; | |||
3909 | } | |||
3910 | } | |||
3911 | ||||
3912 | SSL_TRC(30, ("%d: TLS1.3[%d]: %s handles certificate compression handshake",if (ssl_trace >= (30)) ssl_Trace ("%d: TLS1.3[%d]: %s handles certificate compression handshake" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" )) | |||
3913 | SSL_GETPID(), ss->fd, SSL_ROLE(ss)))if (ssl_trace >= (30)) ssl_Trace ("%d: TLS1.3[%d]: %s handles certificate compression handshake" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" )); | |||
3914 | ||||
3915 | PRINT_BUF(50, (NULL, "The certificate before decoding:", b, length))if (ssl_trace >= (50)) ssl_PrintBuf (((void*)0), "The certificate before decoding:" , b, length); | |||
3916 | /* Reading CertificateCompressionAlgorithm. */ | |||
3917 | PRUint32 compressionAlg = 0; | |||
3918 | rv = ssl3_ConsumeHandshakeNumber(ss, &compressionAlg, 2, &b, &length); | |||
3919 | if (rv != SECSuccess) { | |||
3920 | return SECFailure; /* Alert already sent. */ | |||
3921 | } | |||
3922 | ||||
3923 | PRBool compressionAlgorithmIsSupported = PR_FALSE0; | |||
3924 | SECStatus (*certificateDecodingFunc)(const SECItem *, SECItem *, size_t) = NULL((void*)0); | |||
3925 | for (int i = 0; i < ss->ssl3.supportedCertCompressionAlgorithmsCount; i++) { | |||
3926 | if (ss->ssl3.supportedCertCompressionAlgorithms[i].id == compressionAlg) { | |||
3927 | compressionAlgorithmIsSupported = PR_TRUE1; | |||
3928 | certificateDecodingFunc = ss->ssl3.supportedCertCompressionAlgorithms[i].decode; | |||
3929 | } | |||
3930 | } | |||
3931 | ||||
3932 | /* Peer selected a compression algorithm we do not support (and did not advertise). */ | |||
3933 | if (!compressionAlgorithmIsSupported) { | |||
3934 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_CERTIFICATE_COMPRESSION_ALGORITHM_NOT_SUPPORTED); | |||
3935 | FATAL_ERROR(ss, PORT_GetError(), illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, PORT_GetError_Util(), __func__, "tls13con.c" , 3935); PORT_SetError_Util(PORT_GetError_Util()); } while (0 ); tls13_FatalError(ss, PORT_GetError_Util(), illegal_parameter ); } while (0); | |||
3936 | return SECFailure; | |||
3937 | } | |||
3938 | ||||
3939 | /* The algorithm does not support decoding. */ | |||
3940 | if (certificateDecodingFunc == NULL((void*)0)) { | |||
3941 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); | |||
3942 | FATAL_ERROR(ss, PORT_GetError(), illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, PORT_GetError_Util(), __func__, "tls13con.c" , 3942); PORT_SetError_Util(PORT_GetError_Util()); } while (0 ); tls13_FatalError(ss, PORT_GetError_Util(), illegal_parameter ); } while (0); | |||
3943 | return SECFailure; | |||
3944 | } | |||
3945 | ||||
3946 | SSL_TRC(30, ("%d: TLS13[%d]: %s is decoding the certificate using the %s compression algorithm",if (ssl_trace >= (30)) ssl_Trace ("%d: TLS13[%d]: %s is decoding the certificate using the %s compression algorithm" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" ), ssl3_mapCertificateCompressionAlgorithmToName(ss, compressionAlg )) | |||
3947 | SSL_GETPID(), ss->fd, SSL_ROLE(ss),if (ssl_trace >= (30)) ssl_Trace ("%d: TLS13[%d]: %s is decoding the certificate using the %s compression algorithm" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" ), ssl3_mapCertificateCompressionAlgorithmToName(ss, compressionAlg )) | |||
3948 | ssl3_mapCertificateCompressionAlgorithmToName(ss, compressionAlg)))if (ssl_trace >= (30)) ssl_Trace ("%d: TLS13[%d]: %s is decoding the certificate using the %s compression algorithm" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" ), ssl3_mapCertificateCompressionAlgorithmToName(ss, compressionAlg )); | |||
3949 | PRUint32 decodedCertificateLen = 0; | |||
3950 | rv = ssl3_ConsumeHandshakeNumber(ss, &decodedCertificateLen, 3, &b, &length); | |||
3951 | if (rv != SECSuccess) { | |||
3952 | return SECFailure; /* alert has been sent */ | |||
3953 | } | |||
3954 | ||||
3955 | /* If the received CompressedCertificate message cannot be decompressed, | |||
3956 | * he connection MUST be terminated with the "bad_certificate" alert. | |||
3957 | */ | |||
3958 | if (decodedCertificateLen == 0) { | |||
3959 | SSL_TRC(50, ("%d: TLS13[%d]: %s decoded certificate length is incorrect",if (ssl_trace >= (50)) ssl_Trace ("%d: TLS13[%d]: %s decoded certificate length is incorrect" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" ), ssl3_mapCertificateCompressionAlgorithmToName(ss, compressionAlg )) | |||
3960 | SSL_GETPID(), ss->fd, SSL_ROLE(ss),if (ssl_trace >= (50)) ssl_Trace ("%d: TLS13[%d]: %s decoded certificate length is incorrect" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" ), ssl3_mapCertificateCompressionAlgorithmToName(ss, compressionAlg )) | |||
3961 | ssl3_mapCertificateCompressionAlgorithmToName(ss, compressionAlg)))if (ssl_trace >= (50)) ssl_Trace ("%d: TLS13[%d]: %s decoded certificate length is incorrect" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" ), ssl3_mapCertificateCompressionAlgorithmToName(ss, compressionAlg )); | |||
3962 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE, bad_certificate)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_CERTIFICATE, __func__ , "tls13con.c", 3962); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_CERTIFICATE ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE , bad_certificate); } while (0); | |||
3963 | return SECFailure; | |||
3964 | } | |||
3965 | ||||
3966 | /* opaque compressed_certificate_message<1..2^24-1>; */ | |||
3967 | PRUint32 compressedCertificateMessageLen = 0; | |||
3968 | rv = ssl3_ConsumeHandshakeNumber(ss, &compressedCertificateMessageLen, 3, &b, &length); | |||
3969 | if (rv != SECSuccess) { | |||
3970 | return SECFailure; /* alert has been sent */ | |||
3971 | } | |||
3972 | ||||
3973 | if (compressedCertificateMessageLen == 0 || compressedCertificateMessageLen != length) { | |||
3974 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE, bad_certificate)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_CERTIFICATE, __func__ , "tls13con.c", 3974); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_CERTIFICATE ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE , bad_certificate); } while (0); | |||
3975 | return SECFailure; | |||
3976 | } | |||
3977 | ||||
3978 | /* Decoding received certificate. */ | |||
3979 | SECItem decodedCertificate = { siBuffer, NULL((void*)0), 0 }; | |||
3980 | if (!SECITEM_AllocItemSECITEM_AllocItem_Util(NULL((void*)0), &decodedCertificate, decodedCertificateLen)) { | |||
3981 | FATAL_ERROR(ss, SEC_ERROR_NO_MEMORY, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_NO_MEMORY, __func__, "tls13con.c" , 3981); PORT_SetError_Util(SEC_ERROR_NO_MEMORY); } while (0) ; tls13_FatalError(ss, SEC_ERROR_NO_MEMORY, internal_error); } while (0); | |||
3982 | return SECFailure; | |||
3983 | } | |||
3984 | ||||
3985 | SECItem encodedCertAsSecItem = { siBuffer, b, compressedCertificateMessageLen }; | |||
3986 | rv = certificateDecodingFunc(&encodedCertAsSecItem, &decodedCertificate, decodedCertificateLen); | |||
3987 | ||||
3988 | if (rv != SECSuccess) { | |||
3989 | SSL_TRC(50, ("%d: TLS13[%d]: %s decoding of the certificate has failed",if (ssl_trace >= (50)) ssl_Trace ("%d: TLS13[%d]: %s decoding of the certificate has failed" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" ), ssl3_mapCertificateCompressionAlgorithmToName(ss, compressionAlg )) | |||
3990 | SSL_GETPID(), ss->fd, SSL_ROLE(ss),if (ssl_trace >= (50)) ssl_Trace ("%d: TLS13[%d]: %s decoding of the certificate has failed" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" ), ssl3_mapCertificateCompressionAlgorithmToName(ss, compressionAlg )) | |||
3991 | ssl3_mapCertificateCompressionAlgorithmToName(ss, compressionAlg)))if (ssl_trace >= (50)) ssl_Trace ("%d: TLS13[%d]: %s decoding of the certificate has failed" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" ), ssl3_mapCertificateCompressionAlgorithmToName(ss, compressionAlg )); | |||
3992 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE, bad_certificate)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_CERTIFICATE, __func__ , "tls13con.c", 3992); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_CERTIFICATE ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE , bad_certificate); } while (0); | |||
3993 | goto loser; | |||
3994 | } | |||
3995 | PRINT_BUF(60, (ss, "consume bytes:", b, compressedCertificateMessageLen))if (ssl_trace >= (60)) ssl_PrintBuf (ss, "consume bytes:", b, compressedCertificateMessageLen); | |||
3996 | *b += compressedCertificateMessageLen; | |||
3997 | length -= compressedCertificateMessageLen; | |||
3998 | ||||
3999 | /* If, after decompression, the specified length does not match the actual length, | |||
4000 | * the party receiving the invalid message MUST abort the connection | |||
4001 | * with the "bad_certificate" alert. | |||
4002 | */ | |||
4003 | if (decodedCertificateLen != decodedCertificate.len) { | |||
4004 | SSL_TRC(50, ("%d: TLS13[%d]: %s certificate length does not correspond to extension length",if (ssl_trace >= (50)) ssl_Trace ("%d: TLS13[%d]: %s certificate length does not correspond to extension length" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" ), ssl3_mapCertificateCompressionAlgorithmToName(ss, compressionAlg )) | |||
4005 | SSL_GETPID(), ss->fd, SSL_ROLE(ss),if (ssl_trace >= (50)) ssl_Trace ("%d: TLS13[%d]: %s certificate length does not correspond to extension length" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" ), ssl3_mapCertificateCompressionAlgorithmToName(ss, compressionAlg )) | |||
4006 | ssl3_mapCertificateCompressionAlgorithmToName(ss, compressionAlg)))if (ssl_trace >= (50)) ssl_Trace ("%d: TLS13[%d]: %s certificate length does not correspond to extension length" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" ), ssl3_mapCertificateCompressionAlgorithmToName(ss, compressionAlg )); | |||
4007 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE, bad_certificate)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_CERTIFICATE, __func__ , "tls13con.c", 4007); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_CERTIFICATE ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE , bad_certificate); } while (0); | |||
4008 | goto loser; | |||
4009 | } | |||
4010 | ||||
4011 | PRINT_BUF(50, (NULL, "Decoded certificate",if (ssl_trace >= (50)) ssl_PrintBuf (((void*)0), "Decoded certificate" , decodedCertificate.data, decodedCertificate.len) | |||
4012 | decodedCertificate.data, decodedCertificate.len))if (ssl_trace >= (50)) ssl_PrintBuf (((void*)0), "Decoded certificate" , decodedCertificate.data, decodedCertificate.len); | |||
4013 | ||||
4014 | /* compressed_certificate_message: The result of applying the indicated | |||
4015 | * compression algorithm to the encoded Certificate message that | |||
4016 | * would have been sent if certificate compression was not in use. | |||
4017 | * | |||
4018 | * After decompression, the Certificate message MUST be processed as if | |||
4019 | * it were encoded without being compressed. This way, the parsing and | |||
4020 | * the verification have the same security properties as they would have | |||
4021 | * in TLS normally. | |||
4022 | */ | |||
4023 | rv = tls13_HandleCertificate(ss, decodedCertificate.data, decodedCertificate.len, PR_TRUE1); | |||
4024 | if (rv != SECSuccess) { | |||
4025 | goto loser; | |||
4026 | } | |||
4027 | /* We allow only one compressed certificate to be handled after each | |||
4028 | certificate compression advertisement. | |||
4029 | See test CertificateCompression_TwoEncodedCertificateRequests. */ | |||
4030 | ss->xtnData.certificateCompressionAdvertised = PR_FALSE0; | |||
4031 | SECITEM_FreeItemSECITEM_FreeItem_Util(&decodedCertificate, PR_FALSE0); | |||
4032 | return SECSuccess; | |||
4033 | ||||
4034 | loser: | |||
4035 | SECITEM_FreeItemSECITEM_FreeItem_Util(&decodedCertificate, PR_FALSE0); | |||
4036 | return SECFailure; | |||
4037 | } | |||
4038 | ||||
4039 | /* Called from tls13_CompleteHandleHandshakeMessage() when it has deciphered a complete | |||
4040 | * tls13 Certificate message. | |||
4041 | * Caller must hold Handshake and RecvBuf locks. | |||
4042 | */ | |||
4043 | static SECStatus | |||
4044 | tls13_HandleCertificate(sslSocket *ss, PRUint8 *b, PRUint32 length, PRBool alreadyHashed) | |||
4045 | { | |||
4046 | SECStatus rv; | |||
4047 | SECItem context = { siBuffer, NULL((void*)0), 0 }; | |||
4048 | SECItem certList; | |||
4049 | PRBool first = PR_TRUE1; | |||
4050 | ssl3CertNode *lastCert = NULL((void*)0); | |||
4051 | ||||
4052 | SSL_TRC(3, ("%d: TLS13[%d]: handle certificate handshake",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: handle certificate handshake" , getpid(), ss->fd) | |||
4053 | SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: handle certificate handshake" , getpid(), ss->fd); | |||
4054 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->recvBufLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveRecvBufLock(ss)" ,"tls13con.c",4054)); | |||
4055 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)" ,"tls13con.c",4055)); | |||
4056 | ||||
4057 | rv = tls13_EnsureCerticateExpected(ss); | |||
4058 | if (rv != SECSuccess) { | |||
4059 | return SECFailure; /* Code already set. */ | |||
4060 | } | |||
4061 | ||||
4062 | /* We can ignore any other cleartext from the client. */ | |||
4063 | if (ss->sec.isServer && IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram)) { | |||
4064 | ssl_CipherSpecReleaseByEpoch(ss, ssl_secret_read, TrafficKeyClearText); | |||
4065 | dtls_ReceivedFirstMessageInFlight(ss); | |||
4066 | } | |||
4067 | ||||
4068 | /* AlreadyHashed is true only when Certificate Compression is used. */ | |||
4069 | if (ss->firstHsDone && !alreadyHashed) { | |||
4070 | rv = ssl_HashPostHandshakeMessage(ss, ssl_hs_certificate, b, length); | |||
4071 | if (rv != SECSuccess) { | |||
4072 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); | |||
4073 | return SECFailure; | |||
4074 | } | |||
4075 | } | |||
4076 | ||||
4077 | if (!ss->firstHsDone && ss->sec.isServer) { | |||
4078 | /* Our first shot an getting an RTT estimate. If the client took extra | |||
4079 | * time to fetch a certificate, this will be bad, but we can't do much | |||
4080 | * about that. */ | |||
4081 | ss->ssl3.hs.rttEstimate = ssl_Time(ss) - ss->ssl3.hs.rttEstimate; | |||
4082 | } | |||
4083 | ||||
4084 | /* Process the context string */ | |||
4085 | rv = ssl3_ConsumeHandshakeVariable(ss, &context, 1, &b, &length); | |||
4086 | if (rv != SECSuccess) | |||
4087 | return SECFailure; | |||
4088 | ||||
4089 | if (ss->ssl3.clientCertRequested) { | |||
4090 | PORT_Assert(ss->sec.isServer)((ss->sec.isServer)?((void)0):PR_Assert("ss->sec.isServer" ,"tls13con.c",4090)); | |||
4091 | if (SECITEM_CompareItemSECITEM_CompareItem_Util(&context, &ss->xtnData.certReqContext) != 0) { | |||
4092 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE, illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_CERTIFICATE, __func__ , "tls13con.c", 4092); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_CERTIFICATE ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE , illegal_parameter); } while (0); | |||
4093 | return SECFailure; | |||
4094 | } | |||
4095 | } | |||
4096 | rv = ssl3_ConsumeHandshakeVariable(ss, &certList, 3, &b, &length); | |||
4097 | if (rv != SECSuccess) { | |||
4098 | return SECFailure; | |||
4099 | } | |||
4100 | if (length) { | |||
4101 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE, illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_CERTIFICATE, __func__ , "tls13con.c", 4101); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_CERTIFICATE ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE , illegal_parameter); } while (0); | |||
4102 | return SECFailure; | |||
4103 | } | |||
4104 | ||||
4105 | if (!certList.len) { | |||
4106 | if (!ss->sec.isServer) { | |||
4107 | /* Servers always need to send some cert. */ | |||
4108 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE, bad_certificate)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_CERTIFICATE, __func__ , "tls13con.c", 4108); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_CERTIFICATE ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE , bad_certificate); } while (0); | |||
4109 | return SECFailure; | |||
4110 | } else { | |||
4111 | /* This is TLS's version of a no_certificate alert. */ | |||
4112 | /* I'm a server. I've requested a client cert. He hasn't got one. */ | |||
4113 | rv = ssl3_HandleNoCertificate(ss); | |||
4114 | if (rv != SECSuccess) { | |||
4115 | return SECFailure; | |||
4116 | } | |||
4117 | ||||
4118 | TLS13_SET_HS_STATE(ss, wait_finished)tls13_SetHsState(ss, wait_finished, __func__, "tls13con.c", 4118 ); | |||
4119 | return SECSuccess; | |||
4120 | } | |||
4121 | } | |||
4122 | ||||
4123 | /* Now clean up. */ | |||
4124 | ssl3_CleanupPeerCerts(ss); | |||
4125 | ss->ssl3.peerCertArena = PORT_NewArenaPORT_NewArena_Util(DER_DEFAULT_CHUNKSIZE(2048)); | |||
4126 | if (ss->ssl3.peerCertArena == NULL((void*)0)) { | |||
4127 | FATAL_ERROR(ss, SEC_ERROR_NO_MEMORY, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_NO_MEMORY, __func__, "tls13con.c" , 4127); PORT_SetError_Util(SEC_ERROR_NO_MEMORY); } while (0) ; tls13_FatalError(ss, SEC_ERROR_NO_MEMORY, internal_error); } while (0); | |||
4128 | return SECFailure; | |||
4129 | } | |||
4130 | ||||
4131 | while (certList.len) { | |||
4132 | CERTCertificate *cert; | |||
4133 | ||||
4134 | rv = tls13_HandleCertificateEntry(ss, &certList, first, | |||
4135 | &cert); | |||
4136 | if (rv != SECSuccess) { | |||
4137 | ss->xtnData.signedCertTimestamps.len = 0; | |||
4138 | return SECFailure; | |||
4139 | } | |||
4140 | ||||
4141 | if (first) { | |||
4142 | ss->sec.peerCert = cert; | |||
4143 | ||||
4144 | if (ss->xtnData.signedCertTimestamps.len) { | |||
4145 | sslSessionID *sid = ss->sec.ci.sid; | |||
4146 | rv = SECITEM_CopyItemSECITEM_CopyItem_Util(NULL((void*)0), &sid->u.ssl3.signedCertTimestamps, | |||
4147 | &ss->xtnData.signedCertTimestamps); | |||
4148 | ss->xtnData.signedCertTimestamps.len = 0; | |||
4149 | if (rv != SECSuccess) { | |||
4150 | FATAL_ERROR(ss, SEC_ERROR_NO_MEMORY, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_NO_MEMORY, __func__, "tls13con.c" , 4150); PORT_SetError_Util(SEC_ERROR_NO_MEMORY); } while (0) ; tls13_FatalError(ss, SEC_ERROR_NO_MEMORY, internal_error); } while (0); | |||
4151 | return SECFailure; | |||
4152 | } | |||
4153 | } | |||
4154 | } else { | |||
4155 | ssl3CertNode *c = PORT_ArenaNew(ss->ssl3.peerCertArena,(ssl3CertNode *)PORT_ArenaAlloc_Util(ss->ssl3.peerCertArena , sizeof(ssl3CertNode)) | |||
4156 | ssl3CertNode)(ssl3CertNode *)PORT_ArenaAlloc_Util(ss->ssl3.peerCertArena , sizeof(ssl3CertNode)); | |||
4157 | if (!c) { | |||
4158 | FATAL_ERROR(ss, SEC_ERROR_NO_MEMORY, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_NO_MEMORY, __func__, "tls13con.c" , 4158); PORT_SetError_Util(SEC_ERROR_NO_MEMORY); } while (0) ; tls13_FatalError(ss, SEC_ERROR_NO_MEMORY, internal_error); } while (0); | |||
4159 | return SECFailure; | |||
4160 | } | |||
4161 | c->cert = cert; | |||
4162 | c->next = NULL((void*)0); | |||
4163 | ||||
4164 | if (lastCert) { | |||
4165 | lastCert->next = c; | |||
4166 | } else { | |||
4167 | ss->ssl3.peerCertChain = c; | |||
4168 | } | |||
4169 | lastCert = c; | |||
4170 | } | |||
4171 | ||||
4172 | first = PR_FALSE0; | |||
4173 | } | |||
4174 | SECKEY_UpdateCertPQG(ss->sec.peerCert); | |||
4175 | ||||
4176 | return ssl3_AuthCertificate(ss); /* sets ss->ssl3.hs.ws */ | |||
4177 | } | |||
4178 | ||||
4179 | /* Add context to the hash functions as described in | |||
4180 | [draft-ietf-tls-tls13; Section 4.9.1] */ | |||
4181 | SECStatus | |||
4182 | tls13_AddContextToHashes(sslSocket *ss, const SSL3Hashes *hashes, | |||
4183 | SSLHashType algorithm, PRBool sending, | |||
4184 | SSL3Hashes *tbsHash) | |||
4185 | { | |||
4186 | SECStatus rv = SECSuccess; | |||
4187 | PK11Context *ctx; | |||
4188 | const unsigned char context_padding[] = { | |||
4189 | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, | |||
4190 | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, | |||
4191 | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, | |||
4192 | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, | |||
4193 | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, | |||
4194 | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, | |||
4195 | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, | |||
4196 | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20 | |||
4197 | }; | |||
4198 | ||||
4199 | const char *client_cert_verify_string = "TLS 1.3, client CertificateVerify"; | |||
4200 | const char *server_cert_verify_string = "TLS 1.3, server CertificateVerify"; | |||
4201 | const char *context_string = (sending ^ ss->sec.isServer) ? client_cert_verify_string | |||
4202 | : server_cert_verify_string; | |||
4203 | unsigned int hashlength; | |||
4204 | ||||
4205 | /* Double check that we are doing the same hash.*/ | |||
4206 | PORT_Assert(hashes->len == tls13_GetHashSize(ss))((hashes->len == tls13_GetHashSize(ss))?((void)0):PR_Assert ("hashes->len == tls13_GetHashSize(ss)","tls13con.c",4206) ); | |||
4207 | ||||
4208 | ctx = PK11_CreateDigestContext(ssl3_HashTypeToOID(algorithm)); | |||
4209 | if (!ctx) { | |||
4210 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_NO_MEMORY); | |||
4211 | goto loser; | |||
4212 | } | |||
4213 | ||||
4214 | PORT_Assert(SECFailure)((SECFailure)?((void)0):PR_Assert("SECFailure","tls13con.c",4214 )); | |||
4215 | PORT_Assert(!SECSuccess)((!SECSuccess)?((void)0):PR_Assert("!SECSuccess","tls13con.c" ,4215)); | |||
4216 | ||||
4217 | PRINT_BUF(50, (ss, "TLS 1.3 hash without context", hashes->u.raw, hashes->len))if (ssl_trace >= (50)) ssl_PrintBuf (ss, "TLS 1.3 hash without context" , hashes->u.raw, hashes->len); | |||
4218 | PRINT_BUF(50, (ss, "Context string", context_string, strlen(context_string)))if (ssl_trace >= (50)) ssl_PrintBuf (ss, "Context string", context_string, strlen(context_string)); | |||
4219 | rv |= PK11_DigestBegin(ctx); | |||
4220 | rv |= PK11_DigestOp(ctx, context_padding, sizeof(context_padding)); | |||
4221 | rv |= PK11_DigestOp(ctx, (unsigned char *)context_string, | |||
4222 | strlen(context_string) + 1); /* +1 includes the terminating 0 */ | |||
4223 | rv |= PK11_DigestOp(ctx, hashes->u.raw, hashes->len); | |||
4224 | /* Update the hash in-place */ | |||
4225 | rv |= PK11_DigestFinal(ctx, tbsHash->u.raw, &hashlength, sizeof(tbsHash->u.raw)); | |||
4226 | PK11_DestroyContext(ctx, PR_TRUE1); | |||
4227 | PRINT_BUF(50, (ss, "TLS 1.3 hash with context", tbsHash->u.raw, hashlength))if (ssl_trace >= (50)) ssl_PrintBuf (ss, "TLS 1.3 hash with context" , tbsHash->u.raw, hashlength); | |||
4228 | ||||
4229 | tbsHash->len = hashlength; | |||
4230 | tbsHash->hashAlg = algorithm; | |||
4231 | ||||
4232 | if (rv) { | |||
4233 | ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | |||
4234 | goto loser; | |||
4235 | } | |||
4236 | return SECSuccess; | |||
4237 | ||||
4238 | loser: | |||
4239 | return SECFailure; | |||
4240 | } | |||
4241 | ||||
4242 | /* | |||
4243 | * Derive-Secret(Secret, Label, Messages) = | |||
4244 | * HKDF-Expand-Label(Secret, Label, | |||
4245 | * Hash(Messages) + Hash(resumption_context), L)) | |||
4246 | */ | |||
4247 | SECStatus | |||
4248 | tls13_DeriveSecret(sslSocket *ss, PK11SymKey *key, | |||
4249 | const char *label, | |||
4250 | unsigned int labelLen, | |||
4251 | const SSL3Hashes *hashes, | |||
4252 | PK11SymKey **dest, | |||
4253 | SSLHashType hash) | |||
4254 | { | |||
4255 | SECStatus rv; | |||
4256 | ||||
4257 | rv = tls13_HkdfExpandLabel(key, hash, hashes->u.raw, hashes->len, | |||
4258 | label, labelLen, CKM_HKDF_DERIVE0x0000402aUL, | |||
4259 | tls13_GetHashSizeForHash(hash), | |||
4260 | ss->protocolVariant, dest); | |||
4261 | if (rv != SECSuccess) { | |||
4262 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE)do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 4262); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); | |||
4263 | return SECFailure; | |||
4264 | } | |||
4265 | return SECSuccess; | |||
4266 | } | |||
4267 | ||||
4268 | /* Convenience wrapper for the empty hash. */ | |||
4269 | SECStatus | |||
4270 | tls13_DeriveSecretNullHash(sslSocket *ss, PK11SymKey *key, | |||
4271 | const char *label, | |||
4272 | unsigned int labelLen, | |||
4273 | PK11SymKey **dest, | |||
4274 | SSLHashType hash) | |||
4275 | { | |||
4276 | SSL3Hashes hashes; | |||
4277 | SECStatus rv; | |||
4278 | PRUint8 buf[] = { 0 }; | |||
4279 | ||||
4280 | rv = tls13_ComputeHash(ss, &hashes, buf, 0, hash); | |||
4281 | if (rv != SECSuccess) { | |||
4282 | return SECFailure; | |||
4283 | } | |||
4284 | ||||
4285 | return tls13_DeriveSecret(ss, key, label, labelLen, &hashes, dest, hash); | |||
4286 | } | |||
4287 | ||||
4288 | /* Convenience wrapper that lets us supply a separate prefix and suffix. */ | |||
4289 | static SECStatus | |||
4290 | tls13_DeriveSecretWrap(sslSocket *ss, PK11SymKey *key, | |||
4291 | const char *prefix, | |||
4292 | const char *suffix, | |||
4293 | const char *keylogLabel, | |||
4294 | PK11SymKey **dest) | |||
4295 | { | |||
4296 | SECStatus rv; | |||
4297 | SSL3Hashes hashes; | |||
4298 | char buf[100]; | |||
4299 | const char *label; | |||
4300 | ||||
4301 | if (prefix) { | |||
4302 | if ((strlen(prefix) + strlen(suffix) + 2) > sizeof(buf)) { | |||
4303 | PORT_Assert(0)((0)?((void)0):PR_Assert("0","tls13con.c",4303)); | |||
4304 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); | |||
4305 | return SECFailure; | |||
4306 | } | |||
4307 | (void)PR_snprintf(buf, sizeof(buf), "%s %s", | |||
4308 | prefix, suffix); | |||
4309 | label = buf; | |||
4310 | } else { | |||
4311 | label = suffix; | |||
4312 | } | |||
4313 | ||||
4314 | SSL_TRC(3, ("%d: TLS13[%d]: deriving secret '%s'",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: deriving secret '%s'" , getpid(), ss->fd, label) | |||
4315 | SSL_GETPID(), ss->fd, label))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: deriving secret '%s'" , getpid(), ss->fd, label); | |||
4316 | rv = tls13_ComputeHandshakeHashes(ss, &hashes); | |||
4317 | if (rv != SECSuccess) { | |||
4318 | PORT_Assert(0)((0)?((void)0):PR_Assert("0","tls13con.c",4318)); /* Should never fail */ | |||
4319 | ssl_MapLowLevelError(SEC_ERROR_LIBRARY_FAILURE); | |||
4320 | return SECFailure; | |||
4321 | } | |||
4322 | ||||
4323 | rv = tls13_DeriveSecret(ss, key, label, strlen(label), | |||
4324 | &hashes, dest, tls13_GetHash(ss)); | |||
4325 | if (rv != SECSuccess) { | |||
4326 | return SECFailure; | |||
4327 | } | |||
4328 | ||||
4329 | if (keylogLabel) { | |||
4330 | ssl3_RecordKeyLog(ss, keylogLabel, *dest); | |||
4331 | } | |||
4332 | return SECSuccess; | |||
4333 | } | |||
4334 | ||||
4335 | SECStatus | |||
4336 | SSLExp_SecretCallback(PRFileDesc *fd, SSLSecretCallback cb, void *arg) | |||
4337 | { | |||
4338 | sslSocket *ss = ssl_FindSocket(fd); | |||
4339 | if (!ss) { | |||
4340 | SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SecretCallback",if (ssl_debug) ssl_Trace ("%d: SSL[%d]: bad socket in SSL_SecretCallback" , getpid(), fd) | |||
4341 | SSL_GETPID(), fd))if (ssl_debug) ssl_Trace ("%d: SSL[%d]: bad socket in SSL_SecretCallback" , getpid(), fd); | |||
4342 | return SECFailure; | |||
4343 | } | |||
4344 | ||||
4345 | ssl_Get1stHandshakeLock(ss){ if (!ss->opt.noLocks) { (((PR_GetMonitorEntryCount(((ss) ->firstHandshakeLock)) > 0) || !((PR_GetMonitorEntryCount (((ss)->recvBufLock)) > 0)))?((void)0):PR_Assert("PZ_InMonitor((ss)->firstHandshakeLock) || !ssl_HaveRecvBufLock(ss)" ,"tls13con.c",4345)); PR_EnterMonitor(((ss)->firstHandshakeLock )); } }; | |||
4346 | ssl_GetSSL3HandshakeLock(ss){ if (!ss->opt.noLocks) { ((!((PR_GetMonitorEntryCount(((ss )->xmitBufLock)) > 0)))?((void)0):PR_Assert("!ssl_HaveXmitBufLock(ss)" ,"tls13con.c",4346)); PR_EnterMonitor(((ss)->ssl3HandshakeLock )); } }; | |||
4347 | ss->secretCallback = cb; | |||
4348 | ss->secretCallbackArg = arg; | |||
4349 | ssl_ReleaseSSL3HandshakeLock(ss){ if (!ss->opt.noLocks) PR_ExitMonitor(((ss)->ssl3HandshakeLock )); }; | |||
4350 | ssl_Release1stHandshakeLock(ss){ if (!ss->opt.noLocks) PR_ExitMonitor(((ss)->firstHandshakeLock )); }; | |||
4351 | return SECSuccess; | |||
4352 | } | |||
4353 | ||||
4354 | /* Derive traffic keys for the next cipher spec in the queue. */ | |||
4355 | static SECStatus | |||
4356 | tls13_DeriveTrafficKeys(sslSocket *ss, ssl3CipherSpec *spec, | |||
4357 | TrafficKeyType type, | |||
4358 | PRBool deleteSecret) | |||
4359 | { | |||
4360 | size_t keySize = spec->cipherDef->key_size; | |||
4361 | size_t ivSize = spec->cipherDef->iv_size + | |||
4362 | spec->cipherDef->explicit_nonce_size; /* This isn't always going to | |||
4363 | * work, but it does for | |||
4364 | * AES-GCM */ | |||
4365 | CK_MECHANISM_TYPE bulkAlgorithm = ssl3_Alg2Mech(spec->cipherDef->calg); | |||
4366 | PK11SymKey **prkp = NULL((void*)0); | |||
4367 | PK11SymKey *prk = NULL((void*)0); | |||
4368 | PRBool clientSecret; | |||
4369 | SECStatus rv; | |||
4370 | /* These labels are just used for debugging. */ | |||
4371 | static const char kHkdfPhaseEarlyApplicationDataKeys[] = "early application data"; | |||
4372 | static const char kHkdfPhaseHandshakeKeys[] = "handshake data"; | |||
4373 | static const char kHkdfPhaseApplicationDataKeys[] = "application data"; | |||
4374 | ||||
4375 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)" ,"tls13con.c",4375)); | |||
4376 | ||||
4377 | clientSecret = !tls13_UseServerSecret(ss, spec->direction); | |||
4378 | switch (type) { | |||
4379 | case TrafficKeyEarlyApplicationData: | |||
4380 | PORT_Assert(clientSecret)((clientSecret)?((void)0):PR_Assert("clientSecret","tls13con.c" ,4380)); | |||
4381 | prkp = &ss->ssl3.hs.clientEarlyTrafficSecret; | |||
4382 | spec->phase = kHkdfPhaseEarlyApplicationDataKeys; | |||
4383 | break; | |||
4384 | case TrafficKeyHandshake: | |||
4385 | prkp = clientSecret ? &ss->ssl3.hs.clientHsTrafficSecret | |||
4386 | : &ss->ssl3.hs.serverHsTrafficSecret; | |||
4387 | spec->phase = kHkdfPhaseHandshakeKeys; | |||
4388 | break; | |||
4389 | case TrafficKeyApplicationData: | |||
4390 | prkp = clientSecret ? &ss->ssl3.hs.clientTrafficSecret | |||
4391 | : &ss->ssl3.hs.serverTrafficSecret; | |||
4392 | spec->phase = kHkdfPhaseApplicationDataKeys; | |||
4393 | break; | |||
4394 | default: | |||
4395 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE)do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 4395); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); | |||
4396 | PORT_Assert(0)((0)?((void)0):PR_Assert("0","tls13con.c",4396)); | |||
4397 | return SECFailure; | |||
4398 | } | |||
4399 | PORT_Assert(prkp != NULL)((prkp != ((void*)0))?((void)0):PR_Assert("prkp != NULL","tls13con.c" ,4399)); | |||
4400 | prk = *prkp; | |||
4401 | ||||
4402 | SSL_TRC(3, ("%d: TLS13[%d]: deriving %s traffic keys epoch=%d (%s)",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: deriving %s traffic keys epoch=%d (%s)" , getpid(), ss->fd, ((spec->direction == ssl_secret_read ) ? "read" : "write"), spec->epoch, spec->phase) | |||
4403 | SSL_GETPID(), ss->fd, SPEC_DIR(spec),if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: deriving %s traffic keys epoch=%d (%s)" , getpid(), ss->fd, ((spec->direction == ssl_secret_read ) ? "read" : "write"), spec->epoch, spec->phase) | |||
4404 | spec->epoch, spec->phase))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: deriving %s traffic keys epoch=%d (%s)" , getpid(), ss->fd, ((spec->direction == ssl_secret_read ) ? "read" : "write"), spec->epoch, spec->phase); | |||
4405 | ||||
4406 | rv = tls13_HkdfExpandLabel(prk, tls13_GetHash(ss), | |||
4407 | NULL((void*)0), 0, | |||
4408 | kHkdfPurposeKey, strlen(kHkdfPurposeKey), | |||
4409 | bulkAlgorithm, keySize, | |||
4410 | ss->protocolVariant, | |||
4411 | &spec->keyMaterial.key); | |||
4412 | if (rv != SECSuccess) { | |||
4413 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE)do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 4413); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); | |||
4414 | PORT_Assert(0)((0)?((void)0):PR_Assert("0","tls13con.c",4414)); | |||
4415 | goto loser; | |||
4416 | } | |||
4417 | ||||
4418 | if (IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram) && spec->epoch > 0) { | |||
4419 | rv = ssl_CreateMaskingContextInner(spec->version, ss->ssl3.hs.cipher_suite, | |||
4420 | ss->protocolVariant, prk, kHkdfPurposeSn, | |||
4421 | strlen(kHkdfPurposeSn), &spec->maskContext); | |||
4422 | if (rv != SECSuccess) { | |||
4423 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE)do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 4423); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); | |||
4424 | PORT_Assert(0)((0)?((void)0):PR_Assert("0","tls13con.c",4424)); | |||
4425 | goto loser; | |||
4426 | } | |||
4427 | } | |||
4428 | ||||
4429 | rv = tls13_HkdfExpandLabelRaw(prk, tls13_GetHash(ss), | |||
4430 | NULL((void*)0), 0, | |||
4431 | kHkdfPurposeIv, strlen(kHkdfPurposeIv), | |||
4432 | ss->protocolVariant, | |||
4433 | spec->keyMaterial.iv, ivSize); | |||
4434 | if (rv != SECSuccess) { | |||
4435 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE)do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 4435); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); | |||
4436 | PORT_Assert(0)((0)?((void)0):PR_Assert("0","tls13con.c",4436)); | |||
4437 | goto loser; | |||
4438 | } | |||
4439 | ||||
4440 | if (deleteSecret) { | |||
4441 | PK11_FreeSymKey(prk); | |||
4442 | *prkp = NULL((void*)0); | |||
4443 | } | |||
4444 | return SECSuccess; | |||
4445 | ||||
4446 | loser: | |||
4447 | return SECFailure; | |||
4448 | } | |||
4449 | ||||
4450 | void | |||
4451 | tls13_SetSpecRecordVersion(sslSocket *ss, ssl3CipherSpec *spec) | |||
4452 | { | |||
4453 | /* Set the record version to pretend to be (D)TLS 1.2. */ | |||
4454 | if (IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram)) { | |||
4455 | spec->recordVersion = SSL_LIBRARY_VERSION_DTLS_1_2_WIRE((~0x0102) & 0xffff); | |||
4456 | } else { | |||
4457 | spec->recordVersion = SSL_LIBRARY_VERSION_TLS_1_20x0303; | |||
4458 | } | |||
4459 | SSL_TRC(10, ("%d: TLS13[%d]: set spec=%d record version to 0x%04x",if (ssl_trace >= (10)) ssl_Trace ("%d: TLS13[%d]: set spec=%d record version to 0x%04x" , getpid(), ss->fd, spec, spec->recordVersion) | |||
4460 | SSL_GETPID(), ss->fd, spec, spec->recordVersion))if (ssl_trace >= (10)) ssl_Trace ("%d: TLS13[%d]: set spec=%d record version to 0x%04x" , getpid(), ss->fd, spec, spec->recordVersion); | |||
4461 | } | |||
4462 | ||||
4463 | static SECStatus | |||
4464 | tls13_SetupPendingCipherSpec(sslSocket *ss, ssl3CipherSpec *spec) | |||
4465 | { | |||
4466 | ssl3CipherSuite suite = ss->ssl3.hs.cipher_suite; | |||
4467 | ||||
4468 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)" ,"tls13con.c",4468)); | |||
4469 | PORT_Assert(spec->epoch)((spec->epoch)?((void)0):PR_Assert("spec->epoch","tls13con.c" ,4469)); | |||
4470 | ||||
4471 | /* Version isn't set when we send 0-RTT data. */ | |||
4472 | spec->version = PR_MAX(SSL_LIBRARY_VERSION_TLS_1_3, ss->version)((0x0304)>(ss->version)?(0x0304):(ss->version)); | |||
4473 | ||||
4474 | ssl_SaveCipherSpec(ss, spec); | |||
4475 | /* We want to keep read cipher specs around longer because | |||
4476 | * there are cases where we might get either epoch N or | |||
4477 | * epoch N+1. */ | |||
4478 | if (IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram) && spec->direction == ssl_secret_read) { | |||
4479 | ssl_CipherSpecAddRef(spec); | |||
4480 | } | |||
4481 | ||||
4482 | SSL_TRC(3, ("%d: TLS13[%d]: Set Pending Cipher Suite to 0x%04x",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: Set Pending Cipher Suite to 0x%04x" , getpid(), ss->fd, suite) | |||
4483 | SSL_GETPID(), ss->fd, suite))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: Set Pending Cipher Suite to 0x%04x" , getpid(), ss->fd, suite); | |||
4484 | ||||
4485 | spec->cipherDef = ssl_GetBulkCipherDef(ssl_LookupCipherSuiteDef(suite)); | |||
4486 | ||||
4487 | if (spec->epoch == TrafficKeyEarlyApplicationData) { | |||
4488 | if (ss->xtnData.selectedPsk && | |||
4489 | ss->xtnData.selectedPsk->zeroRttSuite != TLS_NULL_WITH_NULL_NULL0x0000) { | |||
4490 | spec->earlyDataRemaining = ss->xtnData.selectedPsk->maxEarlyData; | |||
4491 | } | |||
4492 | } | |||
4493 | ||||
4494 | tls13_SetSpecRecordVersion(ss, spec); | |||
4495 | ||||
4496 | /* The record size limit is reduced by one so that the remainder of the | |||
4497 | * record handling code can use the same checks for all versions. */ | |||
4498 | if (ssl3_ExtensionNegotiated(ss, ssl_record_size_limit_xtn)) { | |||
4499 | spec->recordSizeLimit = ((spec->direction == ssl_secret_read) | |||
4500 | ? ss->opt.recordSizeLimit | |||
4501 | : ss->xtnData.recordSizeLimit) - | |||
4502 | 1; | |||
4503 | } else { | |||
4504 | spec->recordSizeLimit = MAX_FRAGMENT_LENGTH16384; | |||
4505 | } | |||
4506 | return SECSuccess; | |||
4507 | } | |||
4508 | ||||
4509 | /* | |||
4510 | * Initialize the cipher context. All TLS 1.3 operations are AEAD, | |||
4511 | * so they are all message contexts. | |||
4512 | */ | |||
4513 | static SECStatus | |||
4514 | tls13_InitPendingContext(sslSocket *ss, ssl3CipherSpec *spec) | |||
4515 | { | |||
4516 | CK_MECHANISM_TYPE encMechanism; | |||
4517 | CK_ATTRIBUTE_TYPE encMode; | |||
4518 | SECItem iv; | |||
4519 | SSLCipherAlgorithm calg; | |||
4520 | ||||
4521 | calg = spec->cipherDef->calg; | |||
4522 | ||||
4523 | encMechanism = ssl3_Alg2Mech(calg); | |||
4524 | encMode = CKA_NSS_MESSAGE0x82000000L | ((spec->direction == ssl_secret_write) ? CKA_ENCRYPT0x00000104UL : CKA_DECRYPT0x00000105UL); | |||
4525 | iv.data = NULL((void*)0); | |||
4526 | iv.len = 0; | |||
4527 | ||||
4528 | /* | |||
4529 | * build the context | |||
4530 | */ | |||
4531 | spec->cipherContext = PK11_CreateContextBySymKey(encMechanism, encMode, | |||
4532 | spec->keyMaterial.key, | |||
4533 | &iv); | |||
4534 | if (!spec->cipherContext) { | |||
4535 | ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE); | |||
4536 | return SECFailure; | |||
4537 | } | |||
4538 | return SECSuccess; | |||
4539 | } | |||
4540 | ||||
4541 | /* | |||
4542 | * Called before sending alerts to set up the right key on the client. | |||
4543 | * We might encounter errors during the handshake where the current | |||
4544 | * key is ClearText or EarlyApplicationData. This | |||
4545 | * function switches to the Handshake key if possible. | |||
4546 | */ | |||
4547 | SECStatus | |||
4548 | tls13_SetAlertCipherSpec(sslSocket *ss) | |||
4549 | { | |||
4550 | SECStatus rv; | |||
4551 | ||||
4552 | if (ss->sec.isServer) { | |||
4553 | return SECSuccess; | |||
4554 | } | |||
4555 | if (ss->version < SSL_LIBRARY_VERSION_TLS_1_30x0304) { | |||
4556 | return SECSuccess; | |||
4557 | } | |||
4558 | if (TLS13_IN_HS_STATE(ss, wait_server_hello)tls13_InHsState(ss, wait_server_hello, wait_invalid)) { | |||
4559 | return SECSuccess; | |||
4560 | } | |||
4561 | if ((ss->ssl3.cwSpec->epoch != TrafficKeyClearText) && | |||
4562 | (ss->ssl3.cwSpec->epoch != TrafficKeyEarlyApplicationData)) { | |||
4563 | return SECSuccess; | |||
4564 | } | |||
4565 | ||||
4566 | rv = tls13_SetCipherSpec(ss, TrafficKeyHandshake, | |||
4567 | ssl_secret_write, PR_FALSE0); | |||
4568 | if (rv != SECSuccess) { | |||
4569 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); | |||
4570 | return SECFailure; | |||
4571 | } | |||
4572 | return SECSuccess; | |||
4573 | } | |||
4574 | ||||
4575 | /* Install a new cipher spec for this direction. | |||
4576 | * | |||
4577 | * During the handshake, the values for |epoch| take values from the | |||
4578 | * TrafficKeyType enum. Afterwards, key update increments them. | |||
4579 | */ | |||
4580 | static SECStatus | |||
4581 | tls13_SetCipherSpec(sslSocket *ss, PRUint16 epoch, | |||
4582 | SSLSecretDirection direction, PRBool deleteSecret) | |||
4583 | { | |||
4584 | TrafficKeyType type; | |||
4585 | SECStatus rv; | |||
4586 | ssl3CipherSpec *spec = NULL((void*)0); | |||
4587 | ssl3CipherSpec **specp; | |||
4588 | ||||
4589 | /* Flush out old handshake data. */ | |||
4590 | ssl_GetXmitBufLock(ss){ if (!ss->opt.noLocks) PR_EnterMonitor(((ss)->xmitBufLock )); }; | |||
4591 | rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER0x40000000); | |||
4592 | ssl_ReleaseXmitBufLock(ss){ if (!ss->opt.noLocks) PR_ExitMonitor(((ss)->xmitBufLock )); }; | |||
4593 | if (rv != SECSuccess) { | |||
4594 | return SECFailure; | |||
4595 | } | |||
4596 | ||||
4597 | /* Create the new spec. */ | |||
4598 | spec = ssl_CreateCipherSpec(ss, direction); | |||
4599 | if (!spec) { | |||
4600 | return SECFailure; | |||
4601 | } | |||
4602 | spec->epoch = epoch; | |||
4603 | spec->nextSeqNum = 0; | |||
4604 | if (IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram)) { | |||
4605 | dtls_InitRecvdRecords(&spec->recvdRecords); | |||
4606 | } | |||
4607 | ||||
4608 | /* This depends on spec having a valid direction and epoch. */ | |||
4609 | rv = tls13_SetupPendingCipherSpec(ss, spec); | |||
4610 | if (rv != SECSuccess) { | |||
4611 | goto loser; | |||
4612 | } | |||
4613 | ||||
4614 | type = (TrafficKeyType)PR_MIN(TrafficKeyApplicationData, epoch)((TrafficKeyApplicationData)<(epoch)?(TrafficKeyApplicationData ):(epoch)); | |||
4615 | rv = tls13_DeriveTrafficKeys(ss, spec, type, deleteSecret); | |||
4616 | if (rv != SECSuccess) { | |||
4617 | goto loser; | |||
4618 | } | |||
4619 | ||||
4620 | rv = tls13_InitPendingContext(ss, spec); | |||
4621 | if (rv != SECSuccess) { | |||
4622 | goto loser; | |||
4623 | } | |||
4624 | ||||
4625 | /* Now that we've set almost everything up, finally cut over. */ | |||
4626 | specp = (direction == ssl_secret_read) ? &ss->ssl3.crSpec : &ss->ssl3.cwSpec; | |||
4627 | ssl_GetSpecWriteLock(ss){ if (!ss->opt.noLocks) NSSRWLock_LockWrite_Util((ss)-> specLock); }; | |||
4628 | ssl_CipherSpecRelease(*specp); /* May delete old cipher. */ | |||
4629 | *specp = spec; /* Overwrite. */ | |||
4630 | ssl_ReleaseSpecWriteLock(ss){ if (!ss->opt.noLocks) NSSRWLock_UnlockWrite_Util((ss)-> specLock); }; | |||
4631 | ||||
4632 | SSL_TRC(3, ("%d: TLS13[%d]: %s installed key for epoch=%d (%s) dir=%s",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: %s installed key for epoch=%d (%s) dir=%s" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" ), spec->epoch, spec->phase, ((spec->direction == ssl_secret_read ) ? "read" : "write")) | |||
4633 | SSL_GETPID(), ss->fd, SSL_ROLE(ss), spec->epoch,if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: %s installed key for epoch=%d (%s) dir=%s" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" ), spec->epoch, spec->phase, ((spec->direction == ssl_secret_read ) ? "read" : "write")) | |||
4634 | spec->phase, SPEC_DIR(spec)))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: %s installed key for epoch=%d (%s) dir=%s" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" ), spec->epoch, spec->phase, ((spec->direction == ssl_secret_read ) ? "read" : "write")); | |||
4635 | return SECSuccess; | |||
4636 | ||||
4637 | loser: | |||
4638 | ssl_CipherSpecRelease(spec); | |||
4639 | return SECFailure; | |||
4640 | } | |||
4641 | ||||
4642 | SECStatus | |||
4643 | tls13_ComputeHandshakeHashes(sslSocket *ss, SSL3Hashes *hashes) | |||
4644 | { | |||
4645 | SECStatus rv; | |||
4646 | PK11Context *ctx = NULL((void*)0); | |||
4647 | PRBool useEchInner; | |||
4648 | sslBuffer *transcript; | |||
4649 | ||||
4650 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)" ,"tls13con.c",4650)); | |||
4651 | if (ss->ssl3.hs.hashType == handshake_hash_unknown) { | |||
4652 | /* Backup: if we haven't done any hashing, then hash now. | |||
4653 | * This happens when we are doing 0-RTT on the client. */ | |||
4654 | ctx = PK11_CreateDigestContext(ssl3_HashTypeToOID(tls13_GetHash(ss))); | |||
4655 | if (!ctx) { | |||
4656 | ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | |||
4657 | return SECFailure; | |||
4658 | } | |||
4659 | ||||
4660 | if (PK11_DigestBegin(ctx) != SECSuccess) { | |||
4661 | ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | |||
4662 | goto loser; | |||
4663 | } | |||
4664 | ||||
4665 | /* One might expect this to use ss->ssl3.hs.echAccepted, | |||
4666 | * but with 0-RTT we don't know that yet. */ | |||
4667 | useEchInner = ss->sec.isServer ? PR_FALSE0 : !!ss->ssl3.hs.echHpkeCtx; | |||
4668 | transcript = useEchInner ? &ss->ssl3.hs.echInnerMessages : &ss->ssl3.hs.messages; | |||
4669 | ||||
4670 | PRINT_BUF(10, (ss, "Handshake hash computed over saved messages",if (ssl_trace >= (10)) ssl_PrintBuf (ss, "Handshake hash computed over saved messages" , transcript->buf, transcript->len) | |||
4671 | transcript->buf,if (ssl_trace >= (10)) ssl_PrintBuf (ss, "Handshake hash computed over saved messages" , transcript->buf, transcript->len) | |||
4672 | transcript->len))if (ssl_trace >= (10)) ssl_PrintBuf (ss, "Handshake hash computed over saved messages" , transcript->buf, transcript->len); | |||
4673 | ||||
4674 | if (PK11_DigestOp(ctx, | |||
4675 | transcript->buf, | |||
4676 | transcript->len) != SECSuccess) { | |||
4677 | ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | |||
4678 | goto loser; | |||
4679 | } | |||
4680 | } else { | |||
4681 | if (ss->firstHsDone) { | |||
4682 | ctx = PK11_CloneContext(ss->ssl3.hs.shaPostHandshake); | |||
4683 | } else { | |||
4684 | ctx = PK11_CloneContext(ss->ssl3.hs.sha); | |||
4685 | } | |||
4686 | if (!ctx) { | |||
4687 | ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | |||
4688 | return SECFailure; | |||
4689 | } | |||
4690 | } | |||
4691 | ||||
4692 | rv = PK11_DigestFinal(ctx, hashes->u.raw, | |||
4693 | &hashes->len, | |||
4694 | sizeof(hashes->u.raw)); | |||
4695 | if (rv != SECSuccess) { | |||
4696 | ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); | |||
4697 | goto loser; | |||
4698 | } | |||
4699 | ||||
4700 | PRINT_BUF(10, (ss, "Handshake hash", hashes->u.raw, hashes->len))if (ssl_trace >= (10)) ssl_PrintBuf (ss, "Handshake hash", hashes->u.raw, hashes->len); | |||
4701 | PORT_Assert(hashes->len == tls13_GetHashSize(ss))((hashes->len == tls13_GetHashSize(ss))?((void)0):PR_Assert ("hashes->len == tls13_GetHashSize(ss)","tls13con.c",4701) ); | |||
4702 | PK11_DestroyContext(ctx, PR_TRUE1); | |||
4703 | ||||
4704 | return SECSuccess; | |||
4705 | ||||
4706 | loser: | |||
4707 | PK11_DestroyContext(ctx, PR_TRUE1); | |||
4708 | return SECFailure; | |||
4709 | } | |||
4710 | ||||
4711 | TLS13KeyShareEntry * | |||
4712 | tls13_CopyKeyShareEntry(TLS13KeyShareEntry *o) | |||
4713 | { | |||
4714 | TLS13KeyShareEntry *n; | |||
4715 | ||||
4716 | PORT_Assert(o)((o)?((void)0):PR_Assert("o","tls13con.c",4716)); | |||
4717 | n = PORT_ZNew(TLS13KeyShareEntry)(TLS13KeyShareEntry *)PORT_ZAlloc_Util(sizeof(TLS13KeyShareEntry )); | |||
4718 | if (!n) { | |||
4719 | return NULL((void*)0); | |||
4720 | } | |||
4721 | ||||
4722 | if (SECSuccess != SECITEM_CopyItemSECITEM_CopyItem_Util(NULL((void*)0), &n->key_exchange, &o->key_exchange)) { | |||
4723 | PORT_FreePORT_Free_Util(n); | |||
4724 | return NULL((void*)0); | |||
4725 | } | |||
4726 | n->group = o->group; | |||
4727 | return n; | |||
4728 | } | |||
4729 | ||||
4730 | void | |||
4731 | tls13_DestroyKeyShareEntry(TLS13KeyShareEntry *offer) | |||
4732 | { | |||
4733 | if (!offer) { | |||
4734 | return; | |||
4735 | } | |||
4736 | SECITEM_ZfreeItemSECITEM_ZfreeItem_Util(&offer->key_exchange, PR_FALSE0); | |||
4737 | PORT_ZFreePORT_ZFree_Util(offer, sizeof(*offer)); | |||
4738 | } | |||
4739 | ||||
4740 | void | |||
4741 | tls13_DestroyKeyShares(PRCList *list) | |||
4742 | { | |||
4743 | PRCList *cur_p; | |||
4744 | ||||
4745 | /* The list must be initialized. */ | |||
4746 | PORT_Assert(PR_LIST_HEAD(list))(((list)->next)?((void)0):PR_Assert("PR_LIST_HEAD(list)","tls13con.c" ,4746)); | |||
4747 | ||||
4748 | while (!PR_CLIST_IS_EMPTY(list)((list)->next == (list))) { | |||
4749 | cur_p = PR_LIST_TAIL(list)(list)->prev; | |||
4750 | PR_REMOVE_LINK(cur_p)do { (cur_p)->prev->next = (cur_p)->next; (cur_p)-> next->prev = (cur_p)->prev; } while (0); | |||
4751 | tls13_DestroyKeyShareEntry((TLS13KeyShareEntry *)cur_p); | |||
4752 | } | |||
4753 | } | |||
4754 | ||||
4755 | void | |||
4756 | tls13_DestroyEarlyData(PRCList *list) | |||
4757 | { | |||
4758 | PRCList *cur_p; | |||
4759 | ||||
4760 | while (!PR_CLIST_IS_EMPTY(list)((list)->next == (list))) { | |||
4761 | TLS13EarlyData *msg; | |||
4762 | ||||
4763 | cur_p = PR_LIST_TAIL(list)(list)->prev; | |||
4764 | msg = (TLS13EarlyData *)cur_p; | |||
4765 | ||||
4766 | PR_REMOVE_LINK(cur_p)do { (cur_p)->prev->next = (cur_p)->next; (cur_p)-> next->prev = (cur_p)->prev; } while (0); | |||
4767 | SECITEM_ZfreeItemSECITEM_ZfreeItem_Util(&msg->data, PR_FALSE0); | |||
4768 | PORT_ZFreePORT_ZFree_Util(msg, sizeof(*msg)); | |||
4769 | } | |||
4770 | } | |||
4771 | ||||
4772 | /* draft-ietf-tls-tls13 Section 5.2.2 specifies the following | |||
4773 | * nonce algorithm: | |||
4774 | * | |||
4775 | * The length of the per-record nonce (iv_length) is set to max(8 bytes, | |||
4776 | * N_MIN) for the AEAD algorithm (see [RFC5116] Section 4). An AEAD | |||
4777 | * algorithm where N_MAX is less than 8 bytes MUST NOT be used with TLS. | |||
4778 | * The per-record nonce for the AEAD construction is formed as follows: | |||
4779 | * | |||
4780 | * 1. The 64-bit record sequence number is padded to the left with | |||
4781 | * zeroes to iv_length. | |||
4782 | * | |||
4783 | * 2. The padded sequence number is XORed with the static | |||
4784 | * client_write_iv or server_write_iv, depending on the role. | |||
4785 | * | |||
4786 | * The resulting quantity (of length iv_length) is used as the per- | |||
4787 | * record nonce. | |||
4788 | * | |||
4789 | * Existing suites have the same nonce size: N_MIN = N_MAX = 12 bytes | |||
4790 | * | |||
4791 | * See RFC 5288 and https://tools.ietf.org/html/draft-ietf-tls-chacha20-poly1305-04#section-2 | |||
4792 | */ | |||
4793 | static void | |||
4794 | tls13_WriteNonce(const unsigned char *ivIn, unsigned int ivInLen, | |||
4795 | const unsigned char *nonce, unsigned int nonceLen, | |||
4796 | unsigned char *ivOut, unsigned int ivOutLen) | |||
4797 | { | |||
4798 | size_t i; | |||
4799 | unsigned int offset = ivOutLen - nonceLen; | |||
4800 | ||||
4801 | PORT_Assert(ivInLen <= ivOutLen)((ivInLen <= ivOutLen)?((void)0):PR_Assert("ivInLen <= ivOutLen" ,"tls13con.c",4801)); | |||
4802 | PORT_Assert(nonceLen <= ivOutLen)((nonceLen <= ivOutLen)?((void)0):PR_Assert("nonceLen <= ivOutLen" ,"tls13con.c",4802)); | |||
4803 | PORT_Memsetmemset(ivOut, 0, ivOutLen); | |||
4804 | PORT_Memcpymemcpy(ivOut, ivIn, ivInLen); | |||
4805 | ||||
4806 | /* XOR the last n bytes of the IV with the nonce (should be a counter). */ | |||
4807 | for (i = 0; i < nonceLen; ++i) { | |||
4808 | ivOut[offset + i] ^= nonce[i]; | |||
4809 | } | |||
4810 | PRINT_BUF(50, (NULL, "Nonce", ivOut, ivOutLen))if (ssl_trace >= (50)) ssl_PrintBuf (((void*)0), "Nonce", ivOut , ivOutLen); | |||
4811 | } | |||
4812 | ||||
4813 | /* Setup the IV for AEAD encrypt. The PKCS #11 module will add the | |||
4814 | * counter, but it doesn't know about the DTLS epic, so we add it here. | |||
4815 | */ | |||
4816 | unsigned int | |||
4817 | tls13_SetupAeadIv(PRBool isDTLS, SSL3ProtocolVersion v, unsigned char *ivOut, unsigned char *ivIn, | |||
4818 | unsigned int offset, unsigned int ivLen, DTLSEpoch epoch) | |||
4819 | { | |||
4820 | PORT_Memcpymemcpy(ivOut, ivIn, ivLen); | |||
4821 | if (isDTLS && v < SSL_LIBRARY_VERSION_TLS_1_30x0304) { | |||
4822 | /* handle the tls 1.2 counter mode case, the epoc is copied | |||
4823 | * instead of xored. We accomplish this by clearing ivOut | |||
4824 | * before running xor. */ | |||
4825 | if (offset >= ivLen) { | |||
4826 | ivOut[offset] = ivOut[offset + 1] = 0; | |||
4827 | } | |||
4828 | ivOut[offset] ^= (unsigned char)(epoch >> BPB8) & 0xff; | |||
4829 | ivOut[offset + 1] ^= (unsigned char)(epoch)&0xff; | |||
4830 | offset += 2; | |||
4831 | } | |||
4832 | ||||
4833 | return offset; | |||
4834 | } | |||
4835 | ||||
4836 | /* | |||
4837 | * Do a single AEAD for TLS. This differs from PK11_AEADOp in the following | |||
4838 | * ways. | |||
4839 | * 1) If context is not supplied, it treats the operation as a single shot | |||
4840 | * and creates a context from symKey and mech. | |||
4841 | * 2) It always assumes the tag will be at the end of the buffer | |||
4842 | * (in on decrypt, out on encrypt) just like the old single shot. | |||
4843 | * 3) If we aren't generating an IV, it uses tls13_WriteNonce to create the | |||
4844 | * nonce. | |||
4845 | * NOTE is context is supplied, symKey and mech are ignored | |||
4846 | */ | |||
4847 | SECStatus | |||
4848 | tls13_AEAD(PK11Context *context, PRBool decrypt, | |||
4849 | CK_GENERATOR_FUNCTION ivGen, unsigned int fixedbits, | |||
4850 | const unsigned char *ivIn, unsigned char *ivOut, unsigned int ivLen, | |||
4851 | const unsigned char *nonceIn, unsigned int nonceLen, | |||
4852 | const unsigned char *aad, unsigned int aadLen, | |||
4853 | unsigned char *out, unsigned int *outLen, unsigned int maxout, | |||
4854 | unsigned int tagLen, const unsigned char *in, unsigned int inLen) | |||
4855 | { | |||
4856 | unsigned char *tag; | |||
4857 | unsigned char iv[MAX_IV_LENGTH24]; | |||
4858 | unsigned char tagbuf[HASH_LENGTH_MAX64]; | |||
4859 | SECStatus rv; | |||
4860 | ||||
4861 | /* must have either context or the symKey set */ | |||
4862 | if (!context) { | |||
4863 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); | |||
4864 | return SECFailure; | |||
4865 | } | |||
4866 | ||||
4867 | PORT_Assert(ivLen <= MAX_IV_LENGTH)((ivLen <= 24)?((void)0):PR_Assert("ivLen <= MAX_IV_LENGTH" ,"tls13con.c",4867)); | |||
4868 | PORT_Assert(tagLen <= HASH_LENGTH_MAX)((tagLen <= 64)?((void)0):PR_Assert("tagLen <= HASH_LENGTH_MAX" ,"tls13con.c",4868)); | |||
4869 | if (!ivOut) { | |||
4870 | ivOut = iv; /* caller doesn't need a returned, iv */ | |||
4871 | } | |||
4872 | ||||
4873 | if (ivGen == CKG_NO_GENERATE0x00000000UL) { | |||
4874 | tls13_WriteNonce(ivIn, ivLen, nonceIn, nonceLen, ivOut, ivLen); | |||
4875 | } else if (ivIn != ivOut) { | |||
4876 | PORT_Memcpymemcpy(ivOut, ivIn, ivLen); | |||
4877 | } | |||
4878 | if (decrypt) { | |||
4879 | inLen = inLen - tagLen; | |||
4880 | tag = (unsigned char *)in + inLen; | |||
4881 | /* tag is const on decrypt, but returned on encrypt */ | |||
4882 | } else { | |||
4883 | /* tag is written to a separate buffer, then added to the end | |||
4884 | * of the actual output buffer. This allows output buffer to be larger | |||
4885 | * than the input buffer and everything still work */ | |||
4886 | tag = tagbuf; | |||
4887 | } | |||
4888 | rv = PK11_AEADOp(context, ivGen, fixedbits, ivOut, ivLen, aad, aadLen, | |||
4889 | out, (int *)outLen, maxout, tag, tagLen, in, inLen); | |||
4890 | /* on encrypt SSL always puts the tag at the end of the buffer */ | |||
4891 | if ((rv == SECSuccess) && !(decrypt)) { | |||
4892 | unsigned int len = *outLen; | |||
4893 | /* make sure there is still space */ | |||
4894 | if (len + tagLen > maxout) { | |||
4895 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_OUTPUT_LEN); | |||
4896 | return SECFailure; | |||
4897 | } | |||
4898 | PORT_Memcpymemcpy(out + len, tag, tagLen); | |||
4899 | *outLen += tagLen; | |||
4900 | } | |||
4901 | return rv; | |||
4902 | } | |||
4903 | ||||
4904 | static SECStatus | |||
4905 | tls13_HandleEncryptedExtensions(sslSocket *ss, PRUint8 *b, PRUint32 length) | |||
4906 | { | |||
4907 | SECStatus rv; | |||
4908 | PRUint32 innerLength; | |||
4909 | SECItem oldAlpn = { siBuffer, NULL((void*)0), 0 }; | |||
4910 | ||||
4911 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->recvBufLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveRecvBufLock(ss)" ,"tls13con.c",4911)); | |||
4912 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)" ,"tls13con.c",4912)); | |||
4913 | ||||
4914 | SSL_TRC(3, ("%d: TLS13[%d]: handle encrypted extensions",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: handle encrypted extensions" , getpid(), ss->fd) | |||
4915 | SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: handle encrypted extensions" , getpid(), ss->fd); | |||
4916 | ||||
4917 | rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_ENCRYPTED_EXTENSIONS,tls13_CheckHsState(ss, SSL_ERROR_RX_UNEXPECTED_ENCRYPTED_EXTENSIONS , "SSL_ERROR_RX_UNEXPECTED_ENCRYPTED_EXTENSIONS", __func__, "tls13con.c" , 4918, wait_encrypted_extensions, wait_invalid) | |||
4918 | wait_encrypted_extensions)tls13_CheckHsState(ss, SSL_ERROR_RX_UNEXPECTED_ENCRYPTED_EXTENSIONS , "SSL_ERROR_RX_UNEXPECTED_ENCRYPTED_EXTENSIONS", __func__, "tls13con.c" , 4918, wait_encrypted_extensions, wait_invalid); | |||
4919 | if (rv != SECSuccess) { | |||
4920 | return SECFailure; | |||
4921 | } | |||
4922 | ||||
4923 | rv = ssl3_ConsumeHandshakeNumber(ss, &innerLength, 2, &b, &length); | |||
4924 | if (rv != SECSuccess) { | |||
4925 | return SECFailure; /* Alert already sent. */ | |||
4926 | } | |||
4927 | if (innerLength != length) { | |||
4928 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS,do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS , __func__, "tls13con.c", 4929); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS , illegal_parameter); } while (0) | |||
4929 | illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS , __func__, "tls13con.c", 4929); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS , illegal_parameter); } while (0); | |||
4930 | return SECFailure; | |||
4931 | } | |||
4932 | ||||
4933 | /* If we are doing 0-RTT, then we already have an ALPN value. Stash | |||
4934 | * it for comparison. */ | |||
4935 | if (ss->ssl3.hs.zeroRttState == ssl_0rtt_sent && | |||
4936 | ss->xtnData.nextProtoState == SSL_NEXT_PROTO_EARLY_VALUE) { | |||
4937 | oldAlpn = ss->xtnData.nextProto; | |||
4938 | ss->xtnData.nextProto.data = NULL((void*)0); | |||
4939 | ss->xtnData.nextProtoState = SSL_NEXT_PROTO_NO_SUPPORT; | |||
4940 | } | |||
4941 | ||||
4942 | rv = ssl3_ParseExtensions(ss, &b, &length); | |||
4943 | if (rv != SECSuccess) { | |||
4944 | return SECFailure; /* Error code set below */ | |||
4945 | } | |||
4946 | ||||
4947 | /* Handle the rest of the extensions. */ | |||
4948 | rv = ssl3_HandleParsedExtensions(ss, ssl_hs_encrypted_extensions); | |||
4949 | if (rv != SECSuccess) { | |||
4950 | return SECFailure; /* Error code set below */ | |||
4951 | } | |||
4952 | ||||
4953 | /* We can only get here if we offered 0-RTT. */ | |||
4954 | if (ssl3_ExtensionNegotiated(ss, ssl_tls13_early_data_xtn)) { | |||
4955 | PORT_Assert(ss->ssl3.hs.zeroRttState == ssl_0rtt_sent)((ss->ssl3.hs.zeroRttState == ssl_0rtt_sent)?((void)0):PR_Assert ("ss->ssl3.hs.zeroRttState == ssl_0rtt_sent","tls13con.c", 4955)); | |||
4956 | if (!ss->xtnData.selectedPsk) { | |||
4957 | /* Illegal to accept 0-RTT without also accepting PSK. */ | |||
4958 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS,do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS , __func__, "tls13con.c", 4959); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS , illegal_parameter); } while (0) | |||
4959 | illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS , __func__, "tls13con.c", 4959); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS , illegal_parameter); } while (0); | |||
4960 | } | |||
4961 | ss->ssl3.hs.zeroRttState = ssl_0rtt_accepted; | |||
4962 | ||||
4963 | /* Check that the server negotiated the same ALPN (if any). */ | |||
4964 | if (SECITEM_CompareItemSECITEM_CompareItem_Util(&oldAlpn, &ss->xtnData.nextProto)) { | |||
4965 | SECITEM_FreeItemSECITEM_FreeItem_Util(&oldAlpn, PR_FALSE0); | |||
4966 | FATAL_ERROR(ss, SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID,do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID, __func__ , "tls13con.c", 4967); PORT_SetError_Util(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID ); } while (0); tls13_FatalError(ss, SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID , illegal_parameter); } while (0) | |||
4967 | illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID, __func__ , "tls13con.c", 4967); PORT_SetError_Util(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID ); } while (0); tls13_FatalError(ss, SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID , illegal_parameter); } while (0); | |||
4968 | return SECFailure; | |||
4969 | } | |||
4970 | /* Check that the server negotiated the same cipher suite. */ | |||
4971 | if (ss->ssl3.hs.cipher_suite != ss->ssl3.hs.zeroRttSuite) { | |||
4972 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS,do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS , __func__, "tls13con.c", 4973); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS , illegal_parameter); } while (0) | |||
4973 | illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS , __func__, "tls13con.c", 4973); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS , illegal_parameter); } while (0); | |||
4974 | return SECFailure; | |||
4975 | } | |||
4976 | } else if (ss->ssl3.hs.zeroRttState == ssl_0rtt_sent) { | |||
4977 | /* Though we sent 0-RTT, the early_data extension wasn't present so the | |||
4978 | * state is unmodified; the server must have rejected 0-RTT. */ | |||
4979 | ss->ssl3.hs.zeroRttState = ssl_0rtt_ignored; | |||
4980 | ss->ssl3.hs.zeroRttIgnore = ssl_0rtt_ignore_trial; | |||
4981 | } else { | |||
4982 | PORT_Assert(ss->ssl3.hs.zeroRttState == ssl_0rtt_none ||((ss->ssl3.hs.zeroRttState == ssl_0rtt_none || (ss->ssl3 .hs.helloRetry && ss->ssl3.hs.zeroRttState == ssl_0rtt_ignored ))?((void)0):PR_Assert("ss->ssl3.hs.zeroRttState == ssl_0rtt_none || (ss->ssl3.hs.helloRetry && ss->ssl3.hs.zeroRttState == ssl_0rtt_ignored)" ,"tls13con.c",4984)) | |||
4983 | (ss->ssl3.hs.helloRetry &&((ss->ssl3.hs.zeroRttState == ssl_0rtt_none || (ss->ssl3 .hs.helloRetry && ss->ssl3.hs.zeroRttState == ssl_0rtt_ignored ))?((void)0):PR_Assert("ss->ssl3.hs.zeroRttState == ssl_0rtt_none || (ss->ssl3.hs.helloRetry && ss->ssl3.hs.zeroRttState == ssl_0rtt_ignored)" ,"tls13con.c",4984)) | |||
4984 | ss->ssl3.hs.zeroRttState == ssl_0rtt_ignored))((ss->ssl3.hs.zeroRttState == ssl_0rtt_none || (ss->ssl3 .hs.helloRetry && ss->ssl3.hs.zeroRttState == ssl_0rtt_ignored ))?((void)0):PR_Assert("ss->ssl3.hs.zeroRttState == ssl_0rtt_none || (ss->ssl3.hs.helloRetry && ss->ssl3.hs.zeroRttState == ssl_0rtt_ignored)" ,"tls13con.c",4984)); | |||
4985 | } | |||
4986 | ||||
4987 | SECITEM_FreeItemSECITEM_FreeItem_Util(&oldAlpn, PR_FALSE0); | |||
4988 | if (ss->ssl3.hs.kea_def->authKeyType == ssl_auth_psk) { | |||
4989 | TLS13_SET_HS_STATE(ss, wait_finished)tls13_SetHsState(ss, wait_finished, __func__, "tls13con.c", 4989 ); | |||
4990 | } else { | |||
4991 | TLS13_SET_HS_STATE(ss, wait_cert_request)tls13_SetHsState(ss, wait_cert_request, __func__, "tls13con.c" , 4991); | |||
4992 | } | |||
4993 | ||||
4994 | /* Client is done with any PSKs */ | |||
4995 | tls13_DestroyPskList(&ss->ssl3.hs.psks); | |||
4996 | ss->xtnData.selectedPsk = NULL((void*)0); | |||
4997 | ||||
4998 | return SECSuccess; | |||
4999 | } | |||
5000 | ||||
5001 | static SECStatus | |||
5002 | tls13_SendEncryptedExtensions(sslSocket *ss) | |||
5003 | { | |||
5004 | sslBuffer extensions = SSL_BUFFER_EMPTY{ ((void*)0), 0, 0, 0 }; | |||
5005 | SECStatus rv; | |||
5006 | ||||
5007 | SSL_TRC(3, ("%d: TLS13[%d]: send encrypted extensions handshake",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: send encrypted extensions handshake" , getpid(), ss->fd) | |||
5008 | SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: send encrypted extensions handshake" , getpid(), ss->fd); | |||
5009 | ||||
5010 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)" ,"tls13con.c",5010)); | |||
5011 | PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->xmitBufLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveXmitBufLock(ss)" ,"tls13con.c",5011)); | |||
5012 | ||||
5013 | rv = ssl_ConstructExtensions(ss, &extensions, ssl_hs_encrypted_extensions); | |||
5014 | if (rv != SECSuccess) { | |||
5015 | return SECFailure; | |||
5016 | } | |||
5017 | ||||
5018 | rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_encrypted_extensions, | |||
5019 | SSL_BUFFER_LEN(&extensions)((&extensions)->len) + 2); | |||
5020 | if (rv != SECSuccess) { | |||
5021 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE)do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 5021); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); | |||
5022 | goto loser; | |||
5023 | } | |||
5024 | rv = ssl3_AppendBufferToHandshakeVariable(ss, &extensions, 2); | |||
5025 | if (rv != SECSuccess) { | |||
5026 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE)do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 5026); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); | |||
5027 | goto loser; | |||
5028 | } | |||
5029 | sslBuffer_Clear(&extensions); | |||
5030 | return SECSuccess; | |||
5031 | ||||
5032 | loser: | |||
5033 | sslBuffer_Clear(&extensions); | |||
5034 | return SECFailure; | |||
5035 | } | |||
5036 | ||||
5037 | SECStatus | |||
5038 | tls13_SendCertificateVerify(sslSocket *ss, SECKEYPrivateKey *privKey) | |||
5039 | { | |||
5040 | SECStatus rv = SECFailure; | |||
5041 | SECItem buf = { siBuffer, NULL((void*)0), 0 }; | |||
5042 | unsigned int len; | |||
5043 | SSLHashType hashAlg; | |||
5044 | SSL3Hashes hash; | |||
5045 | SSL3Hashes tbsHash; /* The hash "to be signed". */ | |||
5046 | ||||
5047 | PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->xmitBufLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveXmitBufLock(ss)" ,"tls13con.c",5047)); | |||
5048 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)" ,"tls13con.c",5048)); | |||
5049 | ||||
5050 | SSL_TRC(3, ("%d: TLS13[%d]: send certificate_verify handshake",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: send certificate_verify handshake" , getpid(), ss->fd) | |||
5051 | SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: send certificate_verify handshake" , getpid(), ss->fd); | |||
5052 | ||||
5053 | PORT_Assert(ss->ssl3.hs.hashType == handshake_hash_single)((ss->ssl3.hs.hashType == handshake_hash_single)?((void)0) :PR_Assert("ss->ssl3.hs.hashType == handshake_hash_single" ,"tls13con.c",5053)); | |||
5054 | rv = tls13_ComputeHandshakeHashes(ss, &hash); | |||
5055 | if (rv != SECSuccess) { | |||
5056 | return SECFailure; | |||
5057 | } | |||
5058 | ||||
5059 | /* We should have picked a signature scheme when we received a | |||
5060 | * CertificateRequest, or when we picked a server certificate. */ | |||
5061 | PORT_Assert(ss->ssl3.hs.signatureScheme != ssl_sig_none)((ss->ssl3.hs.signatureScheme != ssl_sig_none)?((void)0):PR_Assert ("ss->ssl3.hs.signatureScheme != ssl_sig_none","tls13con.c" ,5061)); | |||
5062 | if (ss->ssl3.hs.signatureScheme == ssl_sig_none) { | |||
5063 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); | |||
5064 | return SECFailure; | |||
5065 | } | |||
5066 | hashAlg = ssl_SignatureSchemeToHashType(ss->ssl3.hs.signatureScheme); | |||
5067 | rv = tls13_AddContextToHashes(ss, &hash, hashAlg, | |||
5068 | PR_TRUE1, &tbsHash); | |||
5069 | if (rv != SECSuccess) { | |||
5070 | return SECFailure; | |||
5071 | } | |||
5072 | ||||
5073 | rv = ssl3_SignHashes(ss, &tbsHash, privKey, &buf); | |||
5074 | if (rv == SECSuccess && !ss->sec.isServer) { | |||
5075 | /* Remember the info about the slot that did the signing. | |||
5076 | * Later, when doing an SSL restart handshake, verify this. | |||
5077 | * These calls are mere accessors, and can't fail. | |||
5078 | */ | |||
5079 | PK11SlotInfo *slot; | |||
5080 | sslSessionID *sid = ss->sec.ci.sid; | |||
5081 | ||||
5082 | slot = PK11_GetSlotFromPrivateKey(privKey); | |||
5083 | sid->u.ssl3.clAuthSeries = PK11_GetSlotSeries(slot); | |||
5084 | sid->u.ssl3.clAuthSlotID = PK11_GetSlotID(slot); | |||
5085 | sid->u.ssl3.clAuthModuleID = PK11_GetModuleID(slot); | |||
5086 | sid->u.ssl3.clAuthValid = PR_TRUE1; | |||
5087 | PK11_FreeSlot(slot); | |||
5088 | } | |||
5089 | if (rv != SECSuccess) { | |||
5090 | goto done; /* err code was set by ssl3_SignHashes */ | |||
5091 | } | |||
5092 | ||||
5093 | len = buf.len + 2 + 2; | |||
5094 | ||||
5095 | rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_certificate_verify, len); | |||
5096 | if (rv != SECSuccess) { | |||
5097 | goto done; /* error code set by AppendHandshake */ | |||
5098 | } | |||
5099 | ||||
5100 | rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.signatureScheme, 2); | |||
5101 | if (rv != SECSuccess) { | |||
5102 | goto done; /* err set by AppendHandshakeNumber */ | |||
5103 | } | |||
5104 | ||||
5105 | rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2); | |||
5106 | if (rv != SECSuccess) { | |||
5107 | goto done; /* error code set by AppendHandshake */ | |||
5108 | } | |||
5109 | ||||
5110 | done: | |||
5111 | /* For parity with the allocation functions, which don't use | |||
5112 | * SECITEM_AllocItem(). */ | |||
5113 | if (buf.data) | |||
5114 | PORT_FreePORT_Free_Util(buf.data); | |||
5115 | return rv; | |||
5116 | } | |||
5117 | ||||
5118 | /* Called from tls13_CompleteHandleHandshakeMessage() when it has deciphered a complete | |||
5119 | * tls13 CertificateVerify message | |||
5120 | * Caller must hold Handshake and RecvBuf locks. | |||
5121 | */ | |||
5122 | SECStatus | |||
5123 | tls13_HandleCertificateVerify(sslSocket *ss, PRUint8 *b, PRUint32 length) | |||
5124 | { | |||
5125 | sslDelegatedCredential *dc = ss->xtnData.peerDelegCred; | |||
5126 | CERTSubjectPublicKeyInfo *spki; | |||
5127 | SECKEYPublicKey *pubKey = NULL((void*)0); | |||
5128 | SECItem signed_hash = { siBuffer, NULL((void*)0), 0 }; | |||
5129 | SECStatus rv; | |||
5130 | SSLSignatureScheme sigScheme; | |||
5131 | SSLHashType hashAlg; | |||
5132 | SSL3Hashes tbsHash; | |||
5133 | SSL3Hashes hashes; | |||
5134 | ||||
5135 | SSL_TRC(3, ("%d: TLS13[%d]: handle certificate_verify handshake",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: handle certificate_verify handshake" , getpid(), ss->fd) | |||
5136 | SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: handle certificate_verify handshake" , getpid(), ss->fd); | |||
5137 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->recvBufLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveRecvBufLock(ss)" ,"tls13con.c",5137)); | |||
5138 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)" ,"tls13con.c",5138)); | |||
5139 | ||||
5140 | rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY,tls13_CheckHsState(ss, SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY, "SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY" , __func__, "tls13con.c", 5141, wait_cert_verify, wait_invalid ) | |||
5141 | wait_cert_verify)tls13_CheckHsState(ss, SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY, "SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY" , __func__, "tls13con.c", 5141, wait_cert_verify, wait_invalid ); | |||
5142 | if (rv != SECSuccess) { | |||
5143 | return SECFailure; | |||
5144 | } | |||
5145 | ||||
5146 | rv = tls13_ComputeHandshakeHashes(ss, &hashes); | |||
5147 | if (rv != SECSuccess) { | |||
5148 | return SECFailure; | |||
5149 | } | |||
5150 | ||||
5151 | if (ss->firstHsDone) { | |||
5152 | rv = ssl_HashPostHandshakeMessage(ss, ssl_hs_certificate_verify, b, length); | |||
5153 | } else { | |||
5154 | rv = ssl_HashHandshakeMessage(ss, ssl_hs_certificate_verify, b, length); | |||
5155 | } | |||
5156 | if (rv != SECSuccess) { | |||
5157 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); | |||
5158 | return SECFailure; | |||
5159 | } | |||
5160 | ||||
5161 | rv = ssl_ConsumeSignatureScheme(ss, &b, &length, &sigScheme); | |||
5162 | if (rv != SECSuccess) { | |||
5163 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERT_VERIFY, illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_CERT_VERIFY, __func__ , "tls13con.c", 5163); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_CERT_VERIFY ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_CERT_VERIFY , illegal_parameter); } while (0); | |||
5164 | return SECFailure; | |||
5165 | } | |||
5166 | ||||
5167 | /* Set the |spki| used to verify the handshake. When verifying with a | |||
5168 | * delegated credential (DC), this corresponds to the DC public key; | |||
5169 | * otherwise it correspond to the public key of the peer's end-entity | |||
5170 | * certificate. | |||
5171 | */ | |||
5172 | if (tls13_IsVerifyingWithDelegatedCredential(ss)) { | |||
5173 | /* DelegatedCredential.cred.expected_cert_verify_algorithm is expected | |||
5174 | * to match CertificateVerify.scheme. | |||
5175 | * DelegatedCredential.cred.expected_cert_verify_algorithm must also be | |||
5176 | * the same as was reported in ssl3_AuthCertificate. | |||
5177 | */ | |||
5178 | if (sigScheme != dc->expectedCertVerifyAlg || sigScheme != ss->sec.signatureScheme) { | |||
5179 | FATAL_ERROR(ss, SSL_ERROR_DC_CERT_VERIFY_ALG_MISMATCH, illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_DC_CERT_VERIFY_ALG_MISMATCH, __func__, "tls13con.c", 5179); PORT_SetError_Util(SSL_ERROR_DC_CERT_VERIFY_ALG_MISMATCH ); } while (0); tls13_FatalError(ss, SSL_ERROR_DC_CERT_VERIFY_ALG_MISMATCH , illegal_parameter); } while (0); | |||
5180 | return SECFailure; | |||
5181 | } | |||
5182 | ||||
5183 | /* Verify the DC has three steps: (1) use the peer's end-entity | |||
5184 | * certificate to verify DelegatedCredential.signature, (2) check that | |||
5185 | * the certificate has the correct key usage, and (3) check that the DC | |||
5186 | * hasn't expired. | |||
5187 | */ | |||
5188 | rv = tls13_VerifyDelegatedCredential(ss, dc); | |||
5189 | if (rv != SECSuccess) { /* Calls FATAL_ERROR() */ | |||
5190 | return SECFailure; | |||
5191 | } | |||
5192 | ||||
5193 | SSL_TRC(3, ("%d: TLS13[%d]: Verifying with delegated credential",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: Verifying with delegated credential" , getpid(), ss->fd) | |||
5194 | SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: Verifying with delegated credential" , getpid(), ss->fd); | |||
5195 | spki = dc->spki; | |||
5196 | } else { | |||
5197 | spki = &ss->sec.peerCert->subjectPublicKeyInfo; | |||
5198 | } | |||
5199 | ||||
5200 | rv = ssl_CheckSignatureSchemeConsistency(ss, sigScheme, spki); | |||
5201 | if (rv != SECSuccess) { | |||
5202 | /* Error set already */ | |||
5203 | FATAL_ERROR(ss, PORT_GetError(), illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, PORT_GetError_Util(), __func__, "tls13con.c" , 5203); PORT_SetError_Util(PORT_GetError_Util()); } while (0 ); tls13_FatalError(ss, PORT_GetError_Util(), illegal_parameter ); } while (0); | |||
5204 | return SECFailure; | |||
5205 | } | |||
5206 | hashAlg = ssl_SignatureSchemeToHashType(sigScheme); | |||
5207 | ||||
5208 | rv = tls13_AddContextToHashes(ss, &hashes, hashAlg, PR_FALSE0, &tbsHash); | |||
5209 | if (rv != SECSuccess) { | |||
5210 | FATAL_ERROR(ss, SSL_ERROR_DIGEST_FAILURE, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_DIGEST_FAILURE, __func__, "tls13con.c" , 5210); PORT_SetError_Util(SSL_ERROR_DIGEST_FAILURE); } while (0); tls13_FatalError(ss, SSL_ERROR_DIGEST_FAILURE, internal_error ); } while (0); | |||
5211 | return SECFailure; | |||
5212 | } | |||
5213 | ||||
5214 | rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length); | |||
5215 | if (rv != SECSuccess) { | |||
5216 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_RX_MALFORMED_CERT_VERIFY); | |||
5217 | return SECFailure; | |||
5218 | } | |||
5219 | ||||
5220 | if (length != 0) { | |||
5221 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERT_VERIFY, decode_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_CERT_VERIFY, __func__ , "tls13con.c", 5221); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_CERT_VERIFY ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_CERT_VERIFY , decode_error); } while (0); | |||
5222 | return SECFailure; | |||
5223 | } | |||
5224 | ||||
5225 | pubKey = SECKEY_ExtractPublicKey(spki); | |||
5226 | if (pubKey == NULL((void*)0)) { | |||
5227 | ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); | |||
5228 | return SECFailure; | |||
5229 | } | |||
5230 | ||||
5231 | rv = ssl_VerifySignedHashesWithPubKey(ss, pubKey, sigScheme, | |||
5232 | &tbsHash, &signed_hash); | |||
5233 | if (rv != SECSuccess) { | |||
5234 | FATAL_ERROR(ss, PORT_GetError(), decrypt_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, PORT_GetError_Util(), __func__, "tls13con.c" , 5234); PORT_SetError_Util(PORT_GetError_Util()); } while (0 ); tls13_FatalError(ss, PORT_GetError_Util(), decrypt_error); } while (0); | |||
5235 | goto loser; | |||
5236 | } | |||
5237 | ||||
5238 | /* Set the auth type and verify it is what we captured in ssl3_AuthCertificate */ | |||
5239 | if (!ss->sec.isServer) { | |||
5240 | ss->sec.authType = ssl_SignatureSchemeToAuthType(sigScheme); | |||
5241 | ||||
5242 | uint32_t prelimAuthKeyBits = ss->sec.authKeyBits; | |||
5243 | rv = ssl_SetAuthKeyBits(ss, pubKey); | |||
5244 | if (rv != SECSuccess) { | |||
5245 | goto loser; /* Alert sent and code set. */ | |||
5246 | } | |||
5247 | ||||
5248 | if (prelimAuthKeyBits != ss->sec.authKeyBits) { | |||
5249 | FATAL_ERROR(ss, SSL_ERROR_DC_CERT_VERIFY_ALG_MISMATCH, illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_DC_CERT_VERIFY_ALG_MISMATCH, __func__, "tls13con.c", 5249); PORT_SetError_Util(SSL_ERROR_DC_CERT_VERIFY_ALG_MISMATCH ); } while (0); tls13_FatalError(ss, SSL_ERROR_DC_CERT_VERIFY_ALG_MISMATCH , illegal_parameter); } while (0); | |||
5250 | goto loser; | |||
5251 | } | |||
5252 | } | |||
5253 | ||||
5254 | /* Request a client certificate now if one was requested. */ | |||
5255 | if (ss->ssl3.hs.clientCertRequested) { | |||
5256 | PORT_Assert(!ss->sec.isServer)((!ss->sec.isServer)?((void)0):PR_Assert("!ss->sec.isServer" ,"tls13con.c",5256)); | |||
5257 | rv = ssl3_BeginHandleCertificateRequest( | |||
5258 | ss, ss->xtnData.sigSchemes, ss->xtnData.numSigSchemes, | |||
5259 | &ss->xtnData.certReqAuthorities); | |||
5260 | if (rv != SECSuccess) { | |||
5261 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 5261); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); tls13_FatalError(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error ); } while (0); | |||
5262 | goto loser; | |||
5263 | } | |||
5264 | } | |||
5265 | ||||
5266 | SECKEY_DestroyPublicKey(pubKey); | |||
5267 | TLS13_SET_HS_STATE(ss, wait_finished)tls13_SetHsState(ss, wait_finished, __func__, "tls13con.c", 5267 ); | |||
5268 | return SECSuccess; | |||
5269 | ||||
5270 | loser: | |||
5271 | SECKEY_DestroyPublicKey(pubKey); | |||
5272 | return SECFailure; | |||
5273 | } | |||
5274 | ||||
5275 | /* Compute the PSK binder hash over: | |||
5276 | * Client HRR prefix, if present in ss->ssl3.hs.messages or ss->ssl3.hs.echInnerMessages, | |||
5277 | * |len| bytes of |buf| */ | |||
5278 | static SECStatus | |||
5279 | tls13_ComputePskBinderHash(sslSocket *ss, PRUint8 *b, size_t length, | |||
5280 | SSL3Hashes *hashes, SSLHashType hashType) | |||
5281 | { | |||
5282 | SECStatus rv; | |||
5283 | PK11Context *ctx = NULL((void*)0); | |||
5284 | sslBuffer *clientResidual = NULL((void*)0); | |||
5285 | if (!ss->sec.isServer) { | |||
5286 | /* On the server, HRR residual is already buffered. */ | |||
5287 | clientResidual = ss->ssl3.hs.echHpkeCtx ? &ss->ssl3.hs.echInnerMessages : &ss->ssl3.hs.messages; | |||
5288 | } | |||
5289 | PORT_Assert(ss->ssl3.hs.hashType == handshake_hash_unknown)((ss->ssl3.hs.hashType == handshake_hash_unknown)?((void)0 ):PR_Assert("ss->ssl3.hs.hashType == handshake_hash_unknown" ,"tls13con.c",5289)); | |||
5290 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)" ,"tls13con.c",5290)); | |||
5291 | ||||
5292 | PRINT_BUF(10, (NULL, "Binder computed over ClientHello",if (ssl_trace >= (10)) ssl_PrintBuf (((void*)0), "Binder computed over ClientHello" , b, length) | |||
5293 | b, length))if (ssl_trace >= (10)) ssl_PrintBuf (((void*)0), "Binder computed over ClientHello" , b, length); | |||
5294 | ||||
5295 | ctx = PK11_CreateDigestContext(ssl3_HashTypeToOID(hashType)); | |||
5296 | if (!ctx) { | |||
5297 | goto loser; | |||
5298 | } | |||
5299 | rv = PK11_DigestBegin(ctx); | |||
5300 | if (rv != SECSuccess) { | |||
5301 | ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | |||
5302 | goto loser; | |||
5303 | } | |||
5304 | ||||
5305 | if (clientResidual && clientResidual->len) { | |||
5306 | PRINT_BUF(10, (NULL, " with HRR prefix", clientResidual->buf,if (ssl_trace >= (10)) ssl_PrintBuf (((void*)0), " with HRR prefix" , clientResidual->buf, clientResidual->len) | |||
5307 | clientResidual->len))if (ssl_trace >= (10)) ssl_PrintBuf (((void*)0), " with HRR prefix" , clientResidual->buf, clientResidual->len); | |||
5308 | rv = PK11_DigestOp(ctx, clientResidual->buf, clientResidual->len); | |||
5309 | if (rv != SECSuccess) { | |||
5310 | ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | |||
5311 | goto loser; | |||
5312 | } | |||
5313 | } | |||
5314 | ||||
5315 | if (IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram) && !ss->sec.isServer) { | |||
5316 | /* Removing the unnecessary header fields. | |||
5317 | * See ssl3_AppendHandshakeHeader.*/ | |||
5318 | PORT_Assert(length >= 12)((length >= 12)?((void)0):PR_Assert("length >= 12","tls13con.c" ,5318)); | |||
5319 | rv = PK11_DigestOp(ctx, b, 4); | |||
5320 | if (rv != SECSuccess) { | |||
5321 | ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | |||
5322 | goto loser; | |||
5323 | } | |||
5324 | rv = PK11_DigestOp(ctx, b + 12, length - 12); | |||
5325 | } else { | |||
5326 | rv = PK11_DigestOp(ctx, b, length); | |||
5327 | } | |||
5328 | if (rv != SECSuccess) { | |||
5329 | ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | |||
5330 | goto loser; | |||
5331 | } | |||
5332 | rv = PK11_DigestFinal(ctx, hashes->u.raw, &hashes->len, sizeof(hashes->u.raw)); | |||
5333 | if (rv != SECSuccess) { | |||
5334 | ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | |||
5335 | goto loser; | |||
5336 | } | |||
5337 | ||||
5338 | PK11_DestroyContext(ctx, PR_TRUE1); | |||
5339 | PRINT_BUF(10, (NULL, "PSK Binder hash", hashes->u.raw, hashes->len))if (ssl_trace >= (10)) ssl_PrintBuf (((void*)0), "PSK Binder hash" , hashes->u.raw, hashes->len); | |||
5340 | return SECSuccess; | |||
5341 | ||||
5342 | loser: | |||
5343 | if (ctx) { | |||
5344 | PK11_DestroyContext(ctx, PR_TRUE1); | |||
5345 | } | |||
5346 | return SECFailure; | |||
5347 | } | |||
5348 | ||||
5349 | /* Compute and inject the PSK Binder for sending. | |||
5350 | * | |||
5351 | * When sending a ClientHello, we construct all the extensions with a dummy | |||
5352 | * value for the binder. To construct the binder, we commit the entire message | |||
5353 | * up to the point where the binders start. Then we calculate the hash using | |||
5354 | * the saved message (in ss->ssl3.hs.messages). This is written over the dummy | |||
5355 | * binder, after which we write the remainder of the binder extension. */ | |||
5356 | SECStatus | |||
5357 | tls13_WriteExtensionsWithBinder(sslSocket *ss, sslBuffer *extensions, sslBuffer *chBuf) | |||
5358 | { | |||
5359 | SSL3Hashes hashes; | |||
5360 | SECStatus rv; | |||
5361 | ||||
5362 | PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks))((!((&ss->ssl3.hs.psks)->next == (&ss->ssl3. hs.psks)))?((void)0):PR_Assert("!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks)" ,"tls13con.c",5362)); | |||
5363 | sslPsk *psk = (sslPsk *)PR_LIST_HEAD(&ss->ssl3.hs.psks)(&ss->ssl3.hs.psks)->next; | |||
5364 | unsigned int size = tls13_GetHashSizeForHash(psk->hash); | |||
5365 | unsigned int prefixLen = extensions->len - size - 3; | |||
5366 | unsigned int finishedLen; | |||
5367 | ||||
5368 | PORT_Assert(extensions->len >= size + 3)((extensions->len >= size + 3)?((void)0):PR_Assert("extensions->len >= size + 3" ,"tls13con.c",5368)); | |||
5369 | ||||
5370 | rv = sslBuffer_AppendNumber(chBuf, extensions->len, 2); | |||
5371 | if (rv != SECSuccess) { | |||
5372 | return SECFailure; | |||
5373 | } | |||
5374 | ||||
5375 | /* Only write the extension up to the point before the binders. Assume that | |||
5376 | * the pre_shared_key extension is at the end of the buffer. Don't write | |||
5377 | * the binder, or the lengths that precede it (a 2 octet length for the list | |||
5378 | * of all binders, plus a 1 octet length for the binder length). */ | |||
5379 | rv = sslBuffer_Append(chBuf, extensions->buf, prefixLen); | |||
5380 | if (rv != SECSuccess) { | |||
5381 | return SECFailure; | |||
5382 | } | |||
5383 | ||||
5384 | /* Calculate the binder based on what has been written out. */ | |||
5385 | rv = tls13_ComputePskBinderHash(ss, chBuf->buf, chBuf->len, &hashes, psk->hash); | |||
5386 | if (rv != SECSuccess) { | |||
5387 | return SECFailure; | |||
5388 | } | |||
5389 | ||||
5390 | /* Write the binder into the extensions buffer, over the zeros we reserved | |||
5391 | * previously. This avoids an allocation and means that we don't need a | |||
5392 | * separate write for the extra bits that precede the binder. */ | |||
5393 | PORT_Assert(psk->binderKey)((psk->binderKey)?((void)0):PR_Assert("psk->binderKey", "tls13con.c",5393)); | |||
5394 | rv = tls13_ComputeFinished(ss, psk->binderKey, | |||
5395 | psk->hash, &hashes, PR_TRUE1, | |||
5396 | extensions->buf + extensions->len - size, | |||
5397 | &finishedLen, size); | |||
5398 | if (rv != SECSuccess) { | |||
5399 | return SECFailure; | |||
5400 | } | |||
5401 | PORT_Assert(finishedLen == size)((finishedLen == size)?((void)0):PR_Assert("finishedLen == size" ,"tls13con.c",5401)); | |||
5402 | ||||
5403 | /* Write out the remainder of the extension. */ | |||
5404 | rv = sslBuffer_Append(chBuf, extensions->buf + prefixLen, | |||
5405 | extensions->len - prefixLen); | |||
5406 | if (rv != SECSuccess) { | |||
5407 | return SECFailure; | |||
5408 | } | |||
5409 | ||||
5410 | return SECSuccess; | |||
5411 | } | |||
5412 | ||||
5413 | static SECStatus | |||
5414 | tls13_ComputeFinished(sslSocket *ss, PK11SymKey *baseKey, | |||
5415 | SSLHashType hashType, const SSL3Hashes *hashes, | |||
5416 | PRBool sending, PRUint8 *output, unsigned int *outputLen, | |||
5417 | unsigned int maxOutputLen) | |||
5418 | { | |||
5419 | SECStatus rv; | |||
5420 | PK11Context *hmacCtx = NULL((void*)0); | |||
5421 | CK_MECHANISM_TYPE macAlg = tls13_GetHmacMechanismFromHash(hashType); | |||
5422 | SECItem param = { siBuffer, NULL((void*)0), 0 }; | |||
5423 | unsigned int outputLenUint; | |||
5424 | const char *label = kHkdfLabelFinishedSecret; | |||
5425 | PK11SymKey *secret = NULL((void*)0); | |||
5426 | ||||
5427 | PORT_Assert(baseKey)((baseKey)?((void)0):PR_Assert("baseKey","tls13con.c",5427)); | |||
5428 | SSL_TRC(3, ("%d: TLS13[%d]: %s calculate finished",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: %s calculate finished" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" )) | |||
5429 | SSL_GETPID(), ss->fd, SSL_ROLE(ss)))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: %s calculate finished" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" )); | |||
5430 | PRINT_BUF(50, (ss, "Handshake hash", hashes->u.raw, hashes->len))if (ssl_trace >= (50)) ssl_PrintBuf (ss, "Handshake hash", hashes->u.raw, hashes->len); | |||
5431 | ||||
5432 | /* Now derive the appropriate finished secret from the base secret. */ | |||
5433 | rv = tls13_HkdfExpandLabel(baseKey, hashType, | |||
5434 | NULL((void*)0), 0, label, strlen(label), | |||
5435 | tls13_GetHmacMechanismFromHash(hashType), | |||
5436 | tls13_GetHashSizeForHash(hashType), | |||
5437 | ss->protocolVariant, &secret); | |||
5438 | if (rv != SECSuccess) { | |||
5439 | goto abort; | |||
5440 | } | |||
5441 | ||||
5442 | PORT_Assert(hashes->len == tls13_GetHashSizeForHash(hashType))((hashes->len == tls13_GetHashSizeForHash(hashType))?((void )0):PR_Assert("hashes->len == tls13_GetHashSizeForHash(hashType)" ,"tls13con.c",5442)); | |||
5443 | hmacCtx = PK11_CreateContextBySymKey(macAlg, CKA_SIGN0x00000108UL, | |||
5444 | secret, ¶m); | |||
5445 | if (!hmacCtx) { | |||
5446 | goto abort; | |||
5447 | } | |||
5448 | ||||
5449 | rv = PK11_DigestBegin(hmacCtx); | |||
5450 | if (rv != SECSuccess) | |||
5451 | goto abort; | |||
5452 | ||||
5453 | rv = PK11_DigestOp(hmacCtx, hashes->u.raw, hashes->len); | |||
5454 | if (rv != SECSuccess) | |||
5455 | goto abort; | |||
5456 | ||||
5457 | PORT_Assert(maxOutputLen >= tls13_GetHashSizeForHash(hashType))((maxOutputLen >= tls13_GetHashSizeForHash(hashType))?((void )0):PR_Assert("maxOutputLen >= tls13_GetHashSizeForHash(hashType)" ,"tls13con.c",5457)); | |||
5458 | rv = PK11_DigestFinal(hmacCtx, output, &outputLenUint, maxOutputLen); | |||
5459 | if (rv != SECSuccess) | |||
5460 | goto abort; | |||
5461 | *outputLen = outputLenUint; | |||
5462 | ||||
5463 | PK11_FreeSymKey(secret); | |||
5464 | PK11_DestroyContext(hmacCtx, PR_TRUE1); | |||
5465 | PRINT_BUF(50, (ss, "finished value", output, outputLenUint))if (ssl_trace >= (50)) ssl_PrintBuf (ss, "finished value", output, outputLenUint); | |||
5466 | return SECSuccess; | |||
5467 | ||||
5468 | abort: | |||
5469 | if (secret) { | |||
5470 | PK11_FreeSymKey(secret); | |||
5471 | } | |||
5472 | ||||
5473 | if (hmacCtx) { | |||
5474 | PK11_DestroyContext(hmacCtx, PR_TRUE1); | |||
5475 | } | |||
5476 | ||||
5477 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); | |||
5478 | return SECFailure; | |||
5479 | } | |||
5480 | ||||
5481 | static SECStatus | |||
5482 | tls13_SendFinished(sslSocket *ss, PK11SymKey *baseKey) | |||
5483 | { | |||
5484 | SECStatus rv; | |||
5485 | PRUint8 finishedBuf[TLS13_MAX_FINISHED_SIZE64]; | |||
5486 | unsigned int finishedLen; | |||
5487 | SSL3Hashes hashes; | |||
5488 | ||||
5489 | SSL_TRC(3, ("%d: TLS13[%d]: send finished handshake", SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: send finished handshake" , getpid(), ss->fd); | |||
5490 | ||||
5491 | PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->xmitBufLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveXmitBufLock(ss)" ,"tls13con.c",5491)); | |||
5492 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)" ,"tls13con.c",5492)); | |||
5493 | ||||
5494 | rv = tls13_ComputeHandshakeHashes(ss, &hashes); | |||
5495 | if (rv != SECSuccess) { | |||
5496 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE)do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 5496); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); | |||
5497 | return SECFailure; | |||
5498 | } | |||
5499 | ||||
5500 | ssl_GetSpecReadLock(ss){ if (!ss->opt.noLocks) NSSRWLock_LockRead_Util((ss)->specLock ); }; | |||
5501 | rv = tls13_ComputeFinished(ss, baseKey, tls13_GetHash(ss), &hashes, PR_TRUE1, | |||
5502 | finishedBuf, &finishedLen, sizeof(finishedBuf)); | |||
5503 | ssl_ReleaseSpecReadLock(ss){ if (!ss->opt.noLocks) NSSRWLock_UnlockRead_Util((ss)-> specLock); }; | |||
5504 | if (rv != SECSuccess) { | |||
5505 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE)do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 5505); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); | |||
5506 | return SECFailure; | |||
5507 | } | |||
5508 | ||||
5509 | rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_finished, finishedLen); | |||
5510 | if (rv != SECSuccess) { | |||
5511 | return SECFailure; /* Error code already set. */ | |||
5512 | } | |||
5513 | ||||
5514 | rv = ssl3_AppendHandshake(ss, finishedBuf, finishedLen); | |||
5515 | if (rv != SECSuccess) { | |||
5516 | return SECFailure; /* Error code already set. */ | |||
5517 | } | |||
5518 | ||||
5519 | /* TODO(ekr@rtfm.com): Record key log */ | |||
5520 | return SECSuccess; | |||
5521 | } | |||
5522 | ||||
5523 | static SECStatus | |||
5524 | tls13_VerifyFinished(sslSocket *ss, SSLHandshakeType message, | |||
5525 | PK11SymKey *secret, | |||
5526 | PRUint8 *b, PRUint32 length, | |||
5527 | const SSL3Hashes *hashes) | |||
5528 | { | |||
5529 | SECStatus rv; | |||
5530 | PRUint8 finishedBuf[TLS13_MAX_FINISHED_SIZE64]; | |||
5531 | unsigned int finishedLen; | |||
5532 | ||||
5533 | if (!hashes) { | |||
5534 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 5534); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); tls13_FatalError(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error ); } while (0); | |||
5535 | return SECFailure; | |||
5536 | } | |||
5537 | ||||
5538 | rv = tls13_ComputeFinished(ss, secret, tls13_GetHash(ss), hashes, PR_FALSE0, | |||
5539 | finishedBuf, &finishedLen, sizeof(finishedBuf)); | |||
5540 | if (rv != SECSuccess) { | |||
5541 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 5541); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); tls13_FatalError(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error ); } while (0); | |||
5542 | return SECFailure; | |||
5543 | } | |||
5544 | ||||
5545 | if (length != finishedLen) { | |||
5546 | #ifndef UNSAFE_FUZZER_MODE | |||
5547 | FATAL_ERROR(ss, message == ssl_hs_finished ? SSL_ERROR_RX_MALFORMED_FINISHED : SSL_ERROR_RX_MALFORMED_CLIENT_HELLO, illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, message == ssl_hs_finished ? SSL_ERROR_RX_MALFORMED_FINISHED : SSL_ERROR_RX_MALFORMED_CLIENT_HELLO, __func__, "tls13con.c" , 5547); PORT_SetError_Util(message == ssl_hs_finished ? SSL_ERROR_RX_MALFORMED_FINISHED : SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); } while (0); tls13_FatalError (ss, message == ssl_hs_finished ? SSL_ERROR_RX_MALFORMED_FINISHED : SSL_ERROR_RX_MALFORMED_CLIENT_HELLO, illegal_parameter); } while (0); | |||
5548 | return SECFailure; | |||
5549 | #endif | |||
5550 | } | |||
5551 | ||||
5552 | if (NSS_SecureMemcmp(b, finishedBuf, finishedLen) != 0) { | |||
5553 | #ifndef UNSAFE_FUZZER_MODE | |||
5554 | FATAL_ERROR(ss, SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE,do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE, __func__ , "tls13con.c", 5555); PORT_SetError_Util(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE ); } while (0); tls13_FatalError(ss, SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE , decrypt_error); } while (0) | |||
5555 | decrypt_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE, __func__ , "tls13con.c", 5555); PORT_SetError_Util(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE ); } while (0); tls13_FatalError(ss, SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE , decrypt_error); } while (0); | |||
5556 | return SECFailure; | |||
5557 | #endif | |||
5558 | } | |||
5559 | ||||
5560 | return SECSuccess; | |||
5561 | } | |||
5562 | ||||
5563 | static SECStatus | |||
5564 | tls13_CommonHandleFinished(sslSocket *ss, PK11SymKey *key, | |||
5565 | PRUint8 *b, PRUint32 length) | |||
5566 | { | |||
5567 | SECStatus rv; | |||
5568 | SSL3Hashes hashes; | |||
5569 | ||||
5570 | rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_FINISHED,tls13_CheckHsState(ss, SSL_ERROR_RX_UNEXPECTED_FINISHED, "SSL_ERROR_RX_UNEXPECTED_FINISHED" , __func__, "tls13con.c", 5571, wait_finished, wait_invalid) | |||
5571 | wait_finished)tls13_CheckHsState(ss, SSL_ERROR_RX_UNEXPECTED_FINISHED, "SSL_ERROR_RX_UNEXPECTED_FINISHED" , __func__, "tls13con.c", 5571, wait_finished, wait_invalid); | |||
5572 | if (rv != SECSuccess) { | |||
5573 | return SECFailure; | |||
5574 | } | |||
5575 | ss->ssl3.hs.endOfFlight = PR_TRUE1; | |||
5576 | ||||
5577 | rv = tls13_ComputeHandshakeHashes(ss, &hashes); | |||
5578 | if (rv != SECSuccess) { | |||
5579 | LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE)do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 5579); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); | |||
5580 | return SECFailure; | |||
5581 | } | |||
5582 | ||||
5583 | if (ss->firstHsDone) { | |||
5584 | rv = ssl_HashPostHandshakeMessage(ss, ssl_hs_finished, b, length); | |||
5585 | } else { | |||
5586 | rv = ssl_HashHandshakeMessage(ss, ssl_hs_finished, b, length); | |||
5587 | } | |||
5588 | if (rv != SECSuccess) { | |||
5589 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); | |||
5590 | return SECFailure; | |||
5591 | } | |||
5592 | ||||
5593 | return tls13_VerifyFinished(ss, ssl_hs_finished, | |||
5594 | key, b, length, &hashes); | |||
5595 | } | |||
5596 | ||||
5597 | static SECStatus | |||
5598 | tls13_ClientHandleFinished(sslSocket *ss, PRUint8 *b, PRUint32 length) | |||
5599 | { | |||
5600 | SECStatus rv; | |||
5601 | ||||
5602 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->recvBufLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveRecvBufLock(ss)" ,"tls13con.c",5602)); | |||
5603 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)" ,"tls13con.c",5603)); | |||
5604 | ||||
5605 | SSL_TRC(3, ("%d: TLS13[%d]: client handle finished handshake",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: client handle finished handshake" , getpid(), ss->fd) | |||
5606 | SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: client handle finished handshake" , getpid(), ss->fd); | |||
5607 | ||||
5608 | rv = tls13_CommonHandleFinished(ss, ss->ssl3.hs.serverHsTrafficSecret, | |||
5609 | b, length); | |||
5610 | if (rv != SECSuccess) { | |||
5611 | return SECFailure; | |||
5612 | } | |||
5613 | ||||
5614 | return tls13_SendClientSecondRound(ss); | |||
5615 | } | |||
5616 | ||||
5617 | static SECStatus | |||
5618 | tls13_ServerHandleFinished(sslSocket *ss, PRUint8 *b, PRUint32 length) | |||
5619 | { | |||
5620 | SECStatus rv; | |||
5621 | ||||
5622 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->recvBufLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveRecvBufLock(ss)" ,"tls13con.c",5622)); | |||
5623 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)" ,"tls13con.c",5623)); | |||
5624 | ||||
5625 | SSL_TRC(3, ("%d: TLS13[%d]: server handle finished handshake",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: server handle finished handshake" , getpid(), ss->fd) | |||
5626 | SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: server handle finished handshake" , getpid(), ss->fd); | |||
5627 | ||||
5628 | if (!tls13_ShouldRequestClientAuth(ss)) { | |||
5629 | /* Receiving this message might be the first sign we have that | |||
5630 | * early data is over, so pretend we received EOED. */ | |||
5631 | rv = tls13_MaybeHandleSuppressedEndOfEarlyData(ss); | |||
5632 | if (rv != SECSuccess) { | |||
5633 | return SECFailure; /* Code already set. */ | |||
5634 | } | |||
5635 | ||||
5636 | if (!tls13_IsPostHandshake(ss)) { | |||
5637 | /* Finalize the RTT estimate. */ | |||
5638 | ss->ssl3.hs.rttEstimate = ssl_Time(ss) - ss->ssl3.hs.rttEstimate; | |||
5639 | } | |||
5640 | } | |||
5641 | ||||
5642 | rv = tls13_CommonHandleFinished(ss, | |||
5643 | ss->firstHsDone ? ss->ssl3.hs.clientTrafficSecret : ss->ssl3.hs.clientHsTrafficSecret, | |||
5644 | b, length); | |||
5645 | if (rv != SECSuccess) { | |||
5646 | return SECFailure; | |||
5647 | } | |||
5648 | ||||
5649 | if (ss->firstHsDone) { | |||
5650 | TLS13_SET_HS_STATE(ss, idle_handshake)tls13_SetHsState(ss, idle_handshake, __func__, "tls13con.c", 5650 ); | |||
5651 | ||||
5652 | PORT_Assert(ss->ssl3.hs.shaPostHandshake != NULL)((ss->ssl3.hs.shaPostHandshake != ((void*)0))?((void)0):PR_Assert ("ss->ssl3.hs.shaPostHandshake != NULL","tls13con.c",5652) ); | |||
5653 | PK11_DestroyContext(ss->ssl3.hs.shaPostHandshake, PR_TRUE1); | |||
5654 | ss->ssl3.hs.shaPostHandshake = NULL((void*)0); | |||
5655 | ||||
5656 | ss->ssl3.clientCertRequested = PR_FALSE0; | |||
5657 | ||||
5658 | if (ss->ssl3.hs.keyUpdateDeferred) { | |||
5659 | rv = tls13_SendKeyUpdate(ss, ss->ssl3.hs.deferredKeyUpdateRequest, | |||
5660 | PR_FALSE0); | |||
5661 | if (rv != SECSuccess) { | |||
5662 | return SECFailure; /* error is set. */ | |||
5663 | } | |||
5664 | ss->ssl3.hs.keyUpdateDeferred = PR_FALSE0; | |||
5665 | } | |||
5666 | ||||
5667 | return SECSuccess; | |||
5668 | } | |||
5669 | ||||
5670 | if (!tls13_ShouldRequestClientAuth(ss) && | |||
5671 | (ss->ssl3.hs.zeroRttState != ssl_0rtt_done)) { | |||
5672 | dtls_ReceivedFirstMessageInFlight(ss); | |||
5673 | } | |||
5674 | ||||
5675 | rv = tls13_SetCipherSpec(ss, TrafficKeyApplicationData, | |||
5676 | ssl_secret_read, PR_FALSE0); | |||
5677 | if (rv != SECSuccess) { | |||
5678 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 5678); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); tls13_FatalError(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error ); } while (0); | |||
5679 | return SECFailure; | |||
5680 | } | |||
5681 | ||||
5682 | if (IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram)) { | |||
5683 | ssl_CipherSpecReleaseByEpoch(ss, ssl_secret_read, TrafficKeyClearText); | |||
5684 | /* We need to keep the handshake cipher spec so we can | |||
5685 | * read re-transmitted client Finished. */ | |||
5686 | rv = dtls_StartTimer(ss, ss->ssl3.hs.hdTimer, | |||
5687 | DTLS_RETRANSMIT_FINISHED_MS30000, | |||
5688 | dtls13_HolddownTimerCb); | |||
5689 | if (rv != SECSuccess) { | |||
5690 | return SECFailure; | |||
5691 | } | |||
5692 | } | |||
5693 | ||||
5694 | rv = tls13_ComputeFinalSecrets(ss); | |||
5695 | if (rv != SECSuccess) { | |||
5696 | return SECFailure; | |||
5697 | } | |||
5698 | ||||
5699 | rv = tls13_FinishHandshake(ss); | |||
5700 | if (rv != SECSuccess) { | |||
5701 | return SECFailure; | |||
5702 | } | |||
5703 | ||||
5704 | ssl_GetXmitBufLock(ss){ if (!ss->opt.noLocks) PR_EnterMonitor(((ss)->xmitBufLock )); }; | |||
5705 | /* If resumption, authType is the original value and not ssl_auth_psk. */ | |||
5706 | if (ss->opt.enableSessionTickets && ss->sec.authType != ssl_auth_psk) { | |||
5707 | rv = tls13_SendNewSessionTicket(ss, NULL((void*)0), 0); | |||
5708 | if (rv != SECSuccess) { | |||
5709 | goto loser; | |||
5710 | } | |||
5711 | rv = ssl3_FlushHandshake(ss, 0); | |||
5712 | if (rv != SECSuccess) { | |||
5713 | goto loser; | |||
5714 | } | |||
5715 | } | |||
5716 | ssl_ReleaseXmitBufLock(ss){ if (!ss->opt.noLocks) PR_ExitMonitor(((ss)->xmitBufLock )); }; | |||
5717 | return SECSuccess; | |||
5718 | ||||
5719 | loser: | |||
5720 | ssl_ReleaseXmitBufLock(ss){ if (!ss->opt.noLocks) PR_ExitMonitor(((ss)->xmitBufLock )); }; | |||
5721 | return SECFailure; | |||
5722 | } | |||
5723 | ||||
5724 | static SECStatus | |||
5725 | tls13_FinishHandshake(sslSocket *ss) | |||
5726 | { | |||
5727 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->recvBufLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveRecvBufLock(ss)" ,"tls13con.c",5727)); | |||
5728 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)" ,"tls13con.c",5728)); | |||
5729 | PORT_Assert(ss->ssl3.hs.restartTarget == NULL)((ss->ssl3.hs.restartTarget == ((void*)0))?((void)0):PR_Assert ("ss->ssl3.hs.restartTarget == NULL","tls13con.c",5729)); | |||
5730 | ||||
5731 | /* The first handshake is now completed. */ | |||
5732 | ss->handshake = NULL((void*)0); | |||
5733 | ||||
5734 | /* Don't need this. */ | |||
5735 | PK11_FreeSymKey(ss->ssl3.hs.clientHsTrafficSecret); | |||
5736 | ss->ssl3.hs.clientHsTrafficSecret = NULL((void*)0); | |||
5737 | PK11_FreeSymKey(ss->ssl3.hs.serverHsTrafficSecret); | |||
5738 | ss->ssl3.hs.serverHsTrafficSecret = NULL((void*)0); | |||
5739 | ||||
5740 | TLS13_SET_HS_STATE(ss, idle_handshake)tls13_SetHsState(ss, idle_handshake, __func__, "tls13con.c", 5740 ); | |||
5741 | ||||
5742 | return ssl_FinishHandshake(ss); | |||
5743 | } | |||
5744 | ||||
5745 | /* Do the parts of sending the client's second round that require | |||
5746 | * the XmitBuf lock. */ | |||
5747 | static SECStatus | |||
5748 | tls13_SendClientSecondFlight(sslSocket *ss) | |||
5749 | { | |||
5750 | SECStatus rv; | |||
5751 | unsigned int offset = 0; | |||
5752 | ||||
5753 | PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->xmitBufLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveXmitBufLock(ss)" ,"tls13con.c",5753)); | |||
5754 | PORT_Assert(!ss->ssl3.hs.clientCertificatePending)((!ss->ssl3.hs.clientCertificatePending)?((void)0):PR_Assert ("!ss->ssl3.hs.clientCertificatePending","tls13con.c",5754 )); | |||
5755 | ||||
5756 | PRBool sendClientCert = !ss->ssl3.sendEmptyCert && | |||
5757 | ss->ssl3.clientCertChain != NULL((void*)0) && | |||
5758 | ss->ssl3.clientPrivateKey != NULL((void*)0); | |||
5759 | ||||
5760 | if (ss->firstHsDone) { | |||
5761 | offset = SSL_BUFFER_LEN(&ss->sec.ci.sendBuf)((&ss->sec.ci.sendBuf)->len); | |||
5762 | } | |||
5763 | ||||
5764 | if (ss->ssl3.sendEmptyCert) { | |||
5765 | ss->ssl3.sendEmptyCert = PR_FALSE0; | |||
5766 | rv = ssl3_SendEmptyCertificate(ss); | |||
5767 | /* Don't send verify */ | |||
5768 | if (rv != SECSuccess) { | |||
5769 | goto alert_error; /* error code is set. */ | |||
5770 | } | |||
5771 | } else if (sendClientCert) { | |||
5772 | rv = tls13_SendCertificate(ss); | |||
5773 | if (rv != SECSuccess) { | |||
5774 | goto alert_error; /* err code was set. */ | |||
5775 | } | |||
5776 | } | |||
5777 | ||||
5778 | if (ss->firstHsDone) { | |||
5779 | rv = ssl3_UpdatePostHandshakeHashes(ss, | |||
5780 | SSL_BUFFER_BASE(&ss->sec.ci.sendBuf)((&ss->sec.ci.sendBuf)->buf) + offset, | |||
5781 | SSL_BUFFER_LEN(&ss->sec.ci.sendBuf)((&ss->sec.ci.sendBuf)->len) - offset); | |||
5782 | if (rv != SECSuccess) { | |||
5783 | goto alert_error; /* err code was set. */ | |||
5784 | } | |||
5785 | } | |||
5786 | ||||
5787 | if (ss->ssl3.hs.clientCertRequested) { | |||
5788 | SECITEM_FreeItemSECITEM_FreeItem_Util(&ss->xtnData.certReqContext, PR_FALSE0); | |||
5789 | if (ss->xtnData.certReqAuthorities.arena) { | |||
5790 | PORT_FreeArenaPORT_FreeArena_Util(ss->xtnData.certReqAuthorities.arena, PR_FALSE0); | |||
5791 | ss->xtnData.certReqAuthorities.arena = NULL((void*)0); | |||
5792 | } | |||
5793 | PORT_Memsetmemset(&ss->xtnData.certReqAuthorities, 0, | |||
5794 | sizeof(ss->xtnData.certReqAuthorities)); | |||
5795 | ss->ssl3.hs.clientCertRequested = PR_FALSE0; | |||
5796 | } | |||
5797 | ||||
5798 | if (sendClientCert) { | |||
5799 | if (ss->firstHsDone) { | |||
5800 | offset = SSL_BUFFER_LEN(&ss->sec.ci.sendBuf)((&ss->sec.ci.sendBuf)->len); | |||
5801 | } | |||
5802 | ||||
5803 | rv = tls13_SendCertificateVerify(ss, ss->ssl3.clientPrivateKey); | |||
5804 | SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | |||
5805 | ss->ssl3.clientPrivateKey = NULL((void*)0); | |||
5806 | if (rv != SECSuccess) { | |||
5807 | goto alert_error; /* err code was set. */ | |||
5808 | } | |||
5809 | ||||
5810 | if (ss->firstHsDone) { | |||
5811 | rv = ssl3_UpdatePostHandshakeHashes(ss, | |||
5812 | SSL_BUFFER_BASE(&ss->sec.ci.sendBuf)((&ss->sec.ci.sendBuf)->buf) + offset, | |||
5813 | SSL_BUFFER_LEN(&ss->sec.ci.sendBuf)((&ss->sec.ci.sendBuf)->len) - offset); | |||
5814 | if (rv != SECSuccess) { | |||
5815 | goto alert_error; /* err code was set. */ | |||
5816 | } | |||
5817 | } | |||
5818 | } | |||
5819 | ||||
5820 | rv = tls13_SendFinished(ss, ss->firstHsDone ? ss->ssl3.hs.clientTrafficSecret : ss->ssl3.hs.clientHsTrafficSecret); | |||
5821 | if (rv != SECSuccess) { | |||
5822 | goto alert_error; /* err code was set. */ | |||
5823 | } | |||
5824 | rv = ssl3_FlushHandshake(ss, 0); | |||
5825 | if (rv != SECSuccess) { | |||
5826 | /* No point in sending an alert here because we're not going to | |||
5827 | * be able to send it if we couldn't flush the handshake. */ | |||
5828 | goto error; | |||
5829 | } | |||
5830 | ||||
5831 | return SECSuccess; | |||
5832 | ||||
5833 | alert_error: | |||
5834 | FATAL_ERROR(ss, PORT_GetError(), internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, PORT_GetError_Util(), __func__, "tls13con.c" , 5834); PORT_SetError_Util(PORT_GetError_Util()); } while (0 ); tls13_FatalError(ss, PORT_GetError_Util(), internal_error) ; } while (0); | |||
5835 | return SECFailure; | |||
5836 | error: | |||
5837 | LOG_ERROR(ss, PORT_GetError())do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, PORT_GetError_Util(), __func__, "tls13con.c" , 5837); PORT_SetError_Util(PORT_GetError_Util()); } while (0 ); | |||
5838 | return SECFailure; | |||
5839 | } | |||
5840 | ||||
5841 | static SECStatus | |||
5842 | tls13_SendClientSecondRound(sslSocket *ss) | |||
5843 | { | |||
5844 | SECStatus rv; | |||
5845 | ||||
5846 | PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->recvBufLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveRecvBufLock(ss)" ,"tls13con.c",5846)); | |||
5847 | PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)" ,"tls13con.c",5847)); | |||
5848 | ||||
5849 | /* Defer client authentication sending if we are still waiting for server | |||
5850 | * authentication. This avoids unnecessary disclosure of client credentials | |||
5851 | * to an unauthenticated server. | |||
5852 | */ | |||
5853 | if (ss->ssl3.hs.restartTarget) { | |||
5854 | PR_NOT_REACHED("unexpected ss->ssl3.hs.restartTarget")PR_Assert("unexpected ss->ssl3.hs.restartTarget","tls13con.c" ,5854); | |||
5855 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); | |||
5856 | return SECFailure; | |||
5857 | } | |||
5858 | if (ss->ssl3.hs.authCertificatePending || ss->ssl3.hs.clientCertificatePending) { | |||
5859 | SSL_TRC(3, ("%d: TLS13[%d]: deferring tls13_SendClientSecondRound because"if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: deferring tls13_SendClientSecondRound because" " certificate authentication is still pending.", getpid(), ss ->fd) | |||
5860 | " certificate authentication is still pending.",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: deferring tls13_SendClientSecondRound because" " certificate authentication is still pending.", getpid(), ss ->fd) | |||
5861 | SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: deferring tls13_SendClientSecondRound because" " certificate authentication is still pending.", getpid(), ss ->fd); | |||
5862 | ss->ssl3.hs.restartTarget = tls13_SendClientSecondRound; | |||
5863 | PORT_SetErrorPORT_SetError_Util(PR_WOULD_BLOCK_ERROR(-5998L)); | |||
5864 | return SECFailure; | |||
5865 | } | |||
5866 | ||||
5867 | rv = tls13_ComputeApplicationSecrets(ss); | |||
5868 | if (rv != SECSuccess) { | |||
5869 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 5869); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); tls13_FatalError(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error ); } while (0); | |||
5870 | return SECFailure; | |||
5871 | } | |||
5872 | ||||
5873 | if (ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted) { | |||
5874 | ssl_GetXmitBufLock(ss){ if (!ss->opt.noLocks) PR_EnterMonitor(((ss)->xmitBufLock )); }; /*******************************/ | |||
5875 | rv = tls13_SendEndOfEarlyData(ss); | |||
5876 | ssl_ReleaseXmitBufLock(ss){ if (!ss->opt.noLocks) PR_ExitMonitor(((ss)->xmitBufLock )); }; /*******************************/ | |||
5877 | if (rv != SECSuccess) { | |||
5878 | return SECFailure; /* Error code already set. */ | |||
5879 | } | |||
5880 | } else if (ss->opt.enableTls13CompatMode && !IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram) && | |||
5881 | ss->ssl3.hs.zeroRttState == ssl_0rtt_none && | |||
5882 | !ss->ssl3.hs.helloRetry) { | |||
5883 | ssl_GetXmitBufLock(ss){ if (!ss->opt.noLocks) PR_EnterMonitor(((ss)->xmitBufLock )); }; /*******************************/ | |||
5884 | rv = ssl3_SendChangeCipherSpecsInt(ss); | |||
5885 | ssl_ReleaseXmitBufLock(ss){ if (!ss->opt.noLocks) PR_ExitMonitor(((ss)->xmitBufLock )); }; /*******************************/ | |||
5886 | if (rv != SECSuccess) { | |||
5887 | return rv; | |||
5888 | } | |||
5889 | } | |||
5890 | ||||
5891 | rv = tls13_SetCipherSpec(ss, TrafficKeyHandshake, | |||
5892 | ssl_secret_write, PR_FALSE0); | |||
5893 | if (rv != SECSuccess) { | |||
5894 | FATAL_ERROR(ss, SSL_ERROR_INIT_CIPHER_SUITE_FAILURE, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_INIT_CIPHER_SUITE_FAILURE, __func__ , "tls13con.c", 5894); PORT_SetError_Util(SSL_ERROR_INIT_CIPHER_SUITE_FAILURE ); } while (0); tls13_FatalError(ss, SSL_ERROR_INIT_CIPHER_SUITE_FAILURE , internal_error); } while (0); | |||
5895 | return SECFailure; | |||
5896 | } | |||
5897 | ||||
5898 | rv = tls13_SetCipherSpec(ss, TrafficKeyApplicationData, | |||
5899 | ssl_secret_read, PR_FALSE0); | |||
5900 | if (rv != SECSuccess) { | |||
5901 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 5901); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); tls13_FatalError(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error ); } while (0); | |||
5902 | return SECFailure; | |||
5903 | } | |||
5904 | ||||
5905 | ssl_GetXmitBufLock(ss){ if (!ss->opt.noLocks) PR_EnterMonitor(((ss)->xmitBufLock )); }; /*******************************/ | |||
5906 | /* This call can't block, as clientAuthCertificatePending is checked above */ | |||
5907 | rv = tls13_SendClientSecondFlight(ss); | |||
5908 | ssl_ReleaseXmitBufLock(ss){ if (!ss->opt.noLocks) PR_ExitMonitor(((ss)->xmitBufLock )); }; /*******************************/ | |||
5909 | if (rv != SECSuccess) { | |||
5910 | return SECFailure; | |||
5911 | } | |||
5912 | rv = tls13_SetCipherSpec(ss, TrafficKeyApplicationData, | |||
5913 | ssl_secret_write, PR_FALSE0); | |||
5914 | if (rv != SECSuccess) { | |||
5915 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); | |||
5916 | return SECFailure; | |||
5917 | } | |||
5918 | ||||
5919 | rv = tls13_ComputeFinalSecrets(ss); | |||
5920 | if (rv != SECSuccess) { | |||
5921 | return SECFailure; | |||
5922 | } | |||
5923 | ||||
5924 | /* The handshake is now finished */ | |||
5925 | return tls13_FinishHandshake(ss); | |||
5926 | } | |||
5927 | ||||
5928 | /* | |||
5929 | * enum { (65535) } TicketExtensionType; | |||
5930 | * | |||
5931 | * struct { | |||
5932 | * TicketExtensionType extension_type; | |||
5933 | * opaque extension_data<0..2^16-1>; | |||
5934 | * } TicketExtension; | |||
5935 | * | |||
5936 | * struct { | |||
5937 | * uint32 ticket_lifetime; | |||
5938 | * uint32 ticket_age_add; | |||
5939 | * opaque ticket_nonce<1..255>; | |||
5940 | * opaque ticket<1..2^16-1>; | |||
5941 | * TicketExtension extensions<0..2^16-2>; | |||
5942 | * } NewSessionTicket; | |||
5943 | */ | |||
5944 | ||||
5945 | static SECStatus | |||
5946 | tls13_SendNewSessionTicket(sslSocket *ss, const PRUint8 *appToken, | |||
5947 | unsigned int appTokenLen) | |||
5948 | { | |||
5949 | PRUint16 message_length; | |||
5950 | PK11SymKey *secret; | |||
5951 | SECItem ticket_data = { 0, NULL((void*)0), 0 }; | |||
5952 | SECStatus rv; | |||
5953 | NewSessionTicket ticket = { 0 }; | |||
5954 | PRUint32 max_early_data_size_len = 0; | |||
5955 | PRUint32 greaseLen = 0; | |||
5956 | PRUint8 ticketNonce[sizeof(ss->ssl3.hs.ticketNonce)]; | |||
5957 | sslBuffer ticketNonceBuf = SSL_BUFFER(ticketNonce){ ticketNonce, 0, sizeof(ticketNonce), 1 }; | |||
5958 | ||||
5959 | SSL_TRC(3, ("%d: TLS13[%d]: send new session ticket message %d",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: send new session ticket message %d" , getpid(), ss->fd, ss->ssl3.hs.ticketNonce) | |||
5960 | SSL_GETPID(), ss->fd, ss->ssl3.hs.ticketNonce))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: send new session ticket message %d" , getpid(), ss->fd, ss->ssl3.hs.ticketNonce); | |||
5961 | ||||
5962 | ticket.flags = 0; | |||
5963 | if (ss->opt.enable0RttData) { | |||
5964 | ticket.flags |= ticket_allow_early_data; | |||
5965 | max_early_data_size_len = 8; /* type + len + value. */ | |||
5966 | } | |||
5967 | ticket.ticket_lifetime_hint = ssl_ticket_lifetime; | |||
5968 | ||||
5969 | if (ss->opt.enableGrease) { | |||
5970 | greaseLen = 4; /* type + len + 0 (empty) */ | |||
5971 | } | |||
5972 | ||||
5973 | /* The ticket age obfuscator. */ | |||
5974 | rv = PK11_GenerateRandom((PRUint8 *)&ticket.ticket_age_add, | |||
5975 | sizeof(ticket.ticket_age_add)); | |||
5976 | if (rv != SECSuccess) | |||
5977 | goto loser; | |||
5978 | ||||
5979 | rv = sslBuffer_AppendNumber(&ticketNonceBuf, ss->ssl3.hs.ticketNonce, | |||
5980 | sizeof(ticketNonce)); | |||
5981 | if (rv != SECSuccess) { | |||
5982 | goto loser; | |||
5983 | } | |||
5984 | ++ss->ssl3.hs.ticketNonce; | |||
5985 | rv = tls13_HkdfExpandLabel(ss->ssl3.hs.resumptionMasterSecret, | |||
5986 | tls13_GetHash(ss), | |||
5987 | ticketNonce, sizeof(ticketNonce), | |||
5988 | kHkdfLabelResumption, | |||
5989 | strlen(kHkdfLabelResumption), | |||
5990 | CKM_HKDF_DERIVE0x0000402aUL, | |||
5991 | tls13_GetHashSize(ss), | |||
5992 | ss->protocolVariant, &secret); | |||
5993 | if (rv != SECSuccess) { | |||
5994 | goto loser; | |||
5995 | } | |||
5996 | ||||
5997 | rv = ssl3_EncodeSessionTicket(ss, &ticket, appToken, appTokenLen, | |||
5998 | secret, &ticket_data); | |||
5999 | PK11_FreeSymKey(secret); | |||
6000 | if (rv != SECSuccess) | |||
6001 | goto loser; | |||
6002 | ||||
6003 | message_length = | |||
6004 | 4 + /* lifetime */ | |||
6005 | 4 + /* ticket_age_add */ | |||
6006 | 1 + sizeof(ticketNonce) + /* ticket_nonce */ | |||
6007 | 2 + /* extensions lentgh */ | |||
6008 | max_early_data_size_len + /* max_early_data_size extension length */ | |||
6009 | greaseLen + /* GREASE extension length */ | |||
6010 | 2 + /* ticket length */ | |||
6011 | ticket_data.len; | |||
6012 | ||||
6013 | rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_new_session_ticket, | |||
6014 | message_length); | |||
6015 | if (rv != SECSuccess) | |||
6016 | goto loser; | |||
6017 | ||||
6018 | /* This is a fixed value. */ | |||
6019 | rv = ssl3_AppendHandshakeNumber(ss, ssl_ticket_lifetime, 4); | |||
6020 | if (rv != SECSuccess) | |||
6021 | goto loser; | |||
6022 | ||||
6023 | rv = ssl3_AppendHandshakeNumber(ss, ticket.ticket_age_add, 4); | |||
6024 | if (rv != SECSuccess) | |||
6025 | goto loser; | |||
6026 | ||||
6027 | /* The ticket nonce. */ | |||
6028 | rv = ssl3_AppendHandshakeVariable(ss, ticketNonce, sizeof(ticketNonce), 1); | |||
6029 | if (rv != SECSuccess) | |||
6030 | goto loser; | |||
6031 | ||||
6032 | /* Encode the ticket. */ | |||
6033 | rv = ssl3_AppendHandshakeVariable( | |||
6034 | ss, ticket_data.data, ticket_data.len, 2); | |||
6035 | if (rv != SECSuccess) | |||
6036 | goto loser; | |||
6037 | ||||
6038 | /* Extensions */ | |||
6039 | rv = ssl3_AppendHandshakeNumber(ss, max_early_data_size_len + greaseLen, 2); | |||
6040 | if (rv != SECSuccess) | |||
6041 | goto loser; | |||
6042 | ||||
6043 | /* GREASE NewSessionTicket: | |||
6044 | * When sending a NewSessionTicket message in TLS 1.3, a server MAY select | |||
6045 | * one or more GREASE extension values and advertise them as extensions | |||
6046 | * with varying length and contents [RFC8701, SEction 4.1]. */ | |||
6047 | if (ss->opt.enableGrease) { | |||
6048 | PR_ASSERT(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3)((ss->version >= 0x0304)?((void)0):PR_Assert("ss->version >= SSL_LIBRARY_VERSION_TLS_1_3" ,"tls13con.c",6048)); | |||
6049 | ||||
6050 | PRUint16 grease; | |||
6051 | rv = tls13_RandomGreaseValue(&grease); | |||
6052 | if (rv != SECSuccess) | |||
6053 | goto loser; | |||
6054 | /* Extension type */ | |||
6055 | rv = ssl3_AppendHandshakeNumber(ss, grease, 2); | |||
6056 | if (rv != SECSuccess) | |||
6057 | goto loser; | |||
6058 | /* Extension length */ | |||
6059 | rv = ssl3_AppendHandshakeNumber(ss, 0, 2); | |||
6060 | if (rv != SECSuccess) | |||
6061 | goto loser; | |||
6062 | } | |||
6063 | ||||
6064 | /* Max early data size extension. */ | |||
6065 | if (max_early_data_size_len) { | |||
6066 | rv = ssl3_AppendHandshakeNumber( | |||
6067 | ss, ssl_tls13_early_data_xtn, 2); | |||
6068 | if (rv != SECSuccess) | |||
6069 | goto loser; | |||
6070 | ||||
6071 | /* Length */ | |||
6072 | rv = ssl3_AppendHandshakeNumber(ss, 4, 2); | |||
6073 | if (rv != SECSuccess) | |||
6074 | goto loser; | |||
6075 | ||||
6076 | rv = ssl3_AppendHandshakeNumber(ss, ss->opt.maxEarlyDataSize, 4); | |||
6077 | if (rv != SECSuccess) | |||
6078 | goto loser; | |||
6079 | } | |||
6080 | ||||
6081 | SECITEM_FreeItemSECITEM_FreeItem_Util(&ticket_data, PR_FALSE0); | |||
6082 | return SECSuccess; | |||
6083 | ||||
6084 | loser: | |||
6085 | if (ticket_data.data) { | |||
6086 | SECITEM_FreeItemSECITEM_FreeItem_Util(&ticket_data, PR_FALSE0); | |||
6087 | } | |||
6088 | return SECFailure; | |||
6089 | } | |||
6090 | ||||
6091 | SECStatus | |||
6092 | SSLExp_SendSessionTicket(PRFileDesc *fd, const PRUint8 *token, | |||
6093 | unsigned int tokenLen) | |||
6094 | { | |||
6095 | sslSocket *ss; | |||
6096 | SECStatus rv; | |||
6097 | ||||
6098 | ss = ssl_FindSocket(fd); | |||
6099 | if (!ss) { | |||
6100 | return SECFailure; | |||
6101 | } | |||
6102 | ||||
6103 | if (IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram)) { | |||
6104 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_VERSION); | |||
6105 | return SECFailure; | |||
6106 | } | |||
6107 | ||||
6108 | if (!ss->sec.isServer || !tls13_IsPostHandshake(ss) || | |||
6109 | tokenLen > 0xffff) { | |||
6110 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); | |||
6111 | return SECFailure; | |||
6112 | } | |||
6113 | ||||
6114 | /* Disable tickets if we can trace this connection back to a PSK. | |||
6115 | * We aren't able to issue tickets (currently) without a certificate. | |||
6116 | * As PSK =~ resumption, there is no reason to do this. */ | |||
6117 | if (ss->sec.authType == ssl_auth_psk) { | |||
6118 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_FEATURE_DISABLED); | |||
6119 | return SECFailure; | |||
6120 | } | |||
6121 | ||||
6122 | ssl_GetSSL3HandshakeLock(ss){ if (!ss->opt.noLocks) { ((!((PR_GetMonitorEntryCount(((ss )->xmitBufLock)) > 0)))?((void)0):PR_Assert("!ssl_HaveXmitBufLock(ss)" ,"tls13con.c",6122)); PR_EnterMonitor(((ss)->ssl3HandshakeLock )); } }; | |||
6123 | ssl_GetXmitBufLock(ss){ if (!ss->opt.noLocks) PR_EnterMonitor(((ss)->xmitBufLock )); }; | |||
6124 | rv = tls13_SendNewSessionTicket(ss, token, tokenLen); | |||
6125 | if (rv == SECSuccess) { | |||
6126 | rv = ssl3_FlushHandshake(ss, 0); | |||
6127 | } | |||
6128 | ssl_ReleaseXmitBufLock(ss){ if (!ss->opt.noLocks) PR_ExitMonitor(((ss)->xmitBufLock )); }; | |||
6129 | ssl_ReleaseSSL3HandshakeLock(ss){ if (!ss->opt.noLocks) PR_ExitMonitor(((ss)->ssl3HandshakeLock )); }; | |||
6130 | ||||
6131 | return rv; | |||
6132 | } | |||
6133 | ||||
6134 | static SECStatus | |||
6135 | tls13_HandleNewSessionTicket(sslSocket *ss, PRUint8 *b, PRUint32 length) | |||
6136 | { | |||
6137 | SECStatus rv; | |||
6138 | PRUint32 utmp; | |||
6139 | NewSessionTicket ticket = { 0 }; | |||
6140 | SECItem data; | |||
6141 | SECItem ticket_nonce; | |||
6142 | SECItem ticket_data; | |||
6143 | ||||
6144 | SSL_TRC(3, ("%d: TLS13[%d]: handle new session ticket message",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: handle new session ticket message" , getpid(), ss->fd) | |||
6145 | SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: handle new session ticket message" , getpid(), ss->fd); | |||
6146 | ||||
6147 | rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET,tls13_CheckHsState(ss, SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET , "SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET", __func__, "tls13con.c" , 6148, idle_handshake, wait_invalid) | |||
6148 | idle_handshake)tls13_CheckHsState(ss, SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET , "SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET", __func__, "tls13con.c" , 6148, idle_handshake, wait_invalid); | |||
6149 | if (rv != SECSuccess) { | |||
6150 | return SECFailure; | |||
6151 | } | |||
6152 | if (!tls13_IsPostHandshake(ss) || ss->sec.isServer) { | |||
6153 | FATAL_ERROR(ss, SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET,do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET , __func__, "tls13con.c", 6154); PORT_SetError_Util(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET , unexpected_message); } while (0) | |||
6154 | unexpected_message)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET , __func__, "tls13con.c", 6154); PORT_SetError_Util(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET , unexpected_message); } while (0); | |||
6155 | return SECFailure; | |||
6156 | } | |||
6157 | ||||
6158 | ticket.received_timestamp = ssl_Time(ss); | |||
6159 | rv = ssl3_ConsumeHandshakeNumber(ss, &ticket.ticket_lifetime_hint, 4, &b, | |||
6160 | &length); | |||
6161 | if (rv != SECSuccess) { | |||
6162 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET,do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET , __func__, "tls13con.c", 6163); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET , decode_error); } while (0) | |||
6163 | decode_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET , __func__, "tls13con.c", 6163); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET , decode_error); } while (0); | |||
6164 | return SECFailure; | |||
6165 | } | |||
6166 | ticket.ticket.type = siBuffer; | |||
6167 | ||||
6168 | rv = ssl3_ConsumeHandshake(ss, &utmp, sizeof(utmp), | |||
6169 | &b, &length); | |||
6170 | if (rv != SECSuccess) { | |||
6171 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET); | |||
6172 | return SECFailure; | |||
6173 | } | |||
6174 | ticket.ticket_age_add = PR_ntohl(utmp); | |||
6175 | ||||
6176 | /* The nonce. */ | |||
6177 | rv = ssl3_ConsumeHandshakeVariable(ss, &ticket_nonce, 1, &b, &length); | |||
6178 | if (rv != SECSuccess) { | |||
6179 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET,do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET , __func__, "tls13con.c", 6180); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET , decode_error); } while (0) | |||
6180 | decode_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET , __func__, "tls13con.c", 6180); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET , decode_error); } while (0); | |||
6181 | return SECFailure; | |||
6182 | } | |||
6183 | ||||
6184 | /* Get the ticket value. */ | |||
6185 | rv = ssl3_ConsumeHandshakeVariable(ss, &ticket_data, 2, &b, &length); | |||
6186 | if (rv != SECSuccess || !ticket_data.len) { | |||
6187 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET,do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET , __func__, "tls13con.c", 6188); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET , decode_error); } while (0) | |||
6188 | decode_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET , __func__, "tls13con.c", 6188); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET , decode_error); } while (0); | |||
6189 | return SECFailure; | |||
6190 | } | |||
6191 | ||||
6192 | /* Parse extensions. */ | |||
6193 | rv = ssl3_ConsumeHandshakeVariable(ss, &data, 2, &b, &length); | |||
6194 | if (rv != SECSuccess || length) { | |||
6195 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET,do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET , __func__, "tls13con.c", 6196); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET , decode_error); } while (0) | |||
6196 | decode_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET , __func__, "tls13con.c", 6196); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET , decode_error); } while (0); | |||
6197 | return SECFailure; | |||
6198 | } | |||
6199 | ||||
6200 | rv = ssl3_HandleExtensions(ss, &data.data, | |||
6201 | &data.len, ssl_hs_new_session_ticket); | |||
6202 | if (rv != SECSuccess) { | |||
6203 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET,do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET , __func__, "tls13con.c", 6204); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET , decode_error); } while (0) | |||
6204 | decode_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET , __func__, "tls13con.c", 6204); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET , decode_error); } while (0); | |||
6205 | return SECFailure; | |||
6206 | } | |||
6207 | if (ss->xtnData.max_early_data_size) { | |||
6208 | ticket.flags |= ticket_allow_early_data; | |||
6209 | ticket.max_early_data_size = ss->xtnData.max_early_data_size; | |||
6210 | } | |||
6211 | ||||
6212 | if (!ss->opt.noCache) { | |||
6213 | PK11SymKey *secret; | |||
6214 | ||||
6215 | PORT_Assert(ss->sec.ci.sid)((ss->sec.ci.sid)?((void)0):PR_Assert("ss->sec.ci.sid", "tls13con.c",6215)); | |||
6216 | rv = SECITEM_CopyItemSECITEM_CopyItem_Util(NULL((void*)0), &ticket.ticket, &ticket_data); | |||
6217 | if (rv != SECSuccess) { | |||
6218 | FATAL_ERROR(ss, SEC_ERROR_NO_MEMORY, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_NO_MEMORY, __func__, "tls13con.c" , 6218); PORT_SetError_Util(SEC_ERROR_NO_MEMORY); } while (0) ; tls13_FatalError(ss, SEC_ERROR_NO_MEMORY, internal_error); } while (0); | |||
6219 | return SECFailure; | |||
6220 | } | |||
6221 | PRINT_BUF(50, (ss, "Caching session ticket",if (ssl_trace >= (50)) ssl_PrintBuf (ss, "Caching session ticket" , ticket.ticket.data, ticket.ticket.len) | |||
6222 | ticket.ticket.data,if (ssl_trace >= (50)) ssl_PrintBuf (ss, "Caching session ticket" , ticket.ticket.data, ticket.ticket.len) | |||
6223 | ticket.ticket.len))if (ssl_trace >= (50)) ssl_PrintBuf (ss, "Caching session ticket" , ticket.ticket.data, ticket.ticket.len); | |||
6224 | ||||
6225 | /* Replace a previous session ticket when | |||
6226 | * we receive a second NewSessionTicket message. */ | |||
6227 | if (ss->sec.ci.sid->cached == in_client_cache || | |||
6228 | ss->sec.ci.sid->cached == in_external_cache) { | |||
6229 | /* Create a new session ID. */ | |||
6230 | sslSessionID *sid = ssl3_NewSessionID(ss, PR_FALSE0); | |||
6231 | if (!sid) { | |||
6232 | return SECFailure; | |||
6233 | } | |||
6234 | ||||
6235 | /* Copy over the peerCert. */ | |||
6236 | PORT_Assert(ss->sec.ci.sid->peerCert)((ss->sec.ci.sid->peerCert)?((void)0):PR_Assert("ss->sec.ci.sid->peerCert" ,"tls13con.c",6236)); | |||
6237 | sid->peerCert = CERT_DupCertificate(ss->sec.ci.sid->peerCert); | |||
6238 | if (!sid->peerCert) { | |||
6239 | ssl_FreeSID(sid); | |||
6240 | return SECFailure; | |||
6241 | } | |||
6242 | ||||
6243 | /* Destroy the old SID. */ | |||
6244 | ssl_UncacheSessionID(ss); | |||
6245 | ssl_FreeSID(ss->sec.ci.sid); | |||
6246 | ss->sec.ci.sid = sid; | |||
6247 | } | |||
6248 | ||||
6249 | ssl3_SetSIDSessionTicket(ss->sec.ci.sid, &ticket); | |||
6250 | PORT_Assert(!ticket.ticket.data)((!ticket.ticket.data)?((void)0):PR_Assert("!ticket.ticket.data" ,"tls13con.c",6250)); | |||
6251 | ||||
6252 | rv = tls13_HkdfExpandLabel(ss->ssl3.hs.resumptionMasterSecret, | |||
6253 | tls13_GetHash(ss), | |||
6254 | ticket_nonce.data, ticket_nonce.len, | |||
6255 | kHkdfLabelResumption, | |||
6256 | strlen(kHkdfLabelResumption), | |||
6257 | CKM_HKDF_DERIVE0x0000402aUL, | |||
6258 | tls13_GetHashSize(ss), | |||
6259 | ss->protocolVariant, &secret); | |||
6260 | if (rv != SECSuccess) { | |||
6261 | return SECFailure; | |||
6262 | } | |||
6263 | ||||
6264 | rv = ssl3_FillInCachedSID(ss, ss->sec.ci.sid, secret); | |||
6265 | PK11_FreeSymKey(secret); | |||
6266 | if (rv != SECSuccess) { | |||
6267 | return SECFailure; | |||
6268 | } | |||
6269 | ||||
6270 | /* Cache the session. */ | |||
6271 | ssl_CacheSessionID(ss); | |||
6272 | } | |||
6273 | ||||
6274 | return SECSuccess; | |||
6275 | } | |||
6276 | ||||
6277 | #define _M_NONE0 0 | |||
6278 | #define _M(a) (1 << PR_MIN(a, 31)((a)<(31)?(a):(31))) | |||
6279 | #define _M1(a) (_M(ssl_hs_##a)) | |||
6280 | #define _M2(a, b) (_M1(a) | _M1(b)) | |||
6281 | #define _M3(a, b, c) (_M1(a) | _M2(b, c)) | |||
6282 | ||||
6283 | static const struct { | |||
6284 | PRUint16 ex_value; | |||
6285 | PRUint32 messages; | |||
6286 | } KnownExtensions[] = { | |||
6287 | { ssl_server_name_xtn, _M2(client_hello, encrypted_extensions) }, | |||
6288 | { ssl_supported_groups_xtn, _M2(client_hello, encrypted_extensions) }, | |||
6289 | { ssl_signature_algorithms_xtn, _M2(client_hello, certificate_request) }, | |||
6290 | { ssl_signature_algorithms_cert_xtn, _M2(client_hello, | |||
6291 | certificate_request) }, | |||
6292 | { ssl_use_srtp_xtn, _M2(client_hello, encrypted_extensions) }, | |||
6293 | { ssl_app_layer_protocol_xtn, _M2(client_hello, encrypted_extensions) }, | |||
6294 | { ssl_padding_xtn, _M1(client_hello) }, | |||
6295 | { ssl_tls13_key_share_xtn, _M3(client_hello, server_hello, | |||
6296 | hello_retry_request) }, | |||
6297 | { ssl_tls13_pre_shared_key_xtn, _M2(client_hello, server_hello) }, | |||
6298 | { ssl_tls13_psk_key_exchange_modes_xtn, _M1(client_hello) }, | |||
6299 | { ssl_tls13_early_data_xtn, _M3(client_hello, encrypted_extensions, | |||
6300 | new_session_ticket) }, | |||
6301 | { ssl_signed_cert_timestamp_xtn, _M3(client_hello, certificate_request, | |||
6302 | certificate) }, | |||
6303 | { ssl_cert_status_xtn, _M3(client_hello, certificate_request, | |||
6304 | certificate) }, | |||
6305 | { ssl_delegated_credentials_xtn, _M2(client_hello, certificate) }, | |||
6306 | { ssl_tls13_cookie_xtn, _M2(client_hello, hello_retry_request) }, | |||
6307 | { ssl_tls13_certificate_authorities_xtn, _M2(client_hello, certificate_request) }, | |||
6308 | { ssl_tls13_supported_versions_xtn, _M3(client_hello, server_hello, | |||
6309 | hello_retry_request) }, | |||
6310 | { ssl_record_size_limit_xtn, _M2(client_hello, encrypted_extensions) }, | |||
6311 | { ssl_tls13_encrypted_client_hello_xtn, _M3(client_hello, encrypted_extensions, hello_retry_request) }, | |||
6312 | { ssl_tls13_outer_extensions_xtn, _M_NONE0 /* Encoding/decoding only */ }, | |||
6313 | { ssl_tls13_post_handshake_auth_xtn, _M1(client_hello) }, | |||
6314 | { ssl_certificate_compression_xtn, _M2(client_hello, certificate_request) } | |||
6315 | }; | |||
6316 | ||||
6317 | tls13ExtensionStatus | |||
6318 | tls13_ExtensionStatus(PRUint16 extension, SSLHandshakeType message) | |||
6319 | { | |||
6320 | unsigned int i; | |||
6321 | ||||
6322 | PORT_Assert((message == ssl_hs_client_hello) ||(((message == ssl_hs_client_hello) || (message == ssl_hs_server_hello ) || (message == ssl_hs_hello_retry_request) || (message == ssl_hs_encrypted_extensions ) || (message == ssl_hs_new_session_ticket) || (message == ssl_hs_certificate ) || (message == ssl_hs_certificate_request))?((void)0):PR_Assert ("(message == ssl_hs_client_hello) || (message == ssl_hs_server_hello) || (message == ssl_hs_hello_retry_request) || (message == ssl_hs_encrypted_extensions) || (message == ssl_hs_new_session_ticket) || (message == ssl_hs_certificate) || (message == ssl_hs_certificate_request)" ,"tls13con.c",6328)) | |||
6323 | (message == ssl_hs_server_hello) ||(((message == ssl_hs_client_hello) || (message == ssl_hs_server_hello ) || (message == ssl_hs_hello_retry_request) || (message == ssl_hs_encrypted_extensions ) || (message == ssl_hs_new_session_ticket) || (message == ssl_hs_certificate ) || (message == ssl_hs_certificate_request))?((void)0):PR_Assert ("(message == ssl_hs_client_hello) || (message == ssl_hs_server_hello) || (message == ssl_hs_hello_retry_request) || (message == ssl_hs_encrypted_extensions) || (message == ssl_hs_new_session_ticket) || (message == ssl_hs_certificate) || (message == ssl_hs_certificate_request)" ,"tls13con.c",6328)) | |||
6324 | (message == ssl_hs_hello_retry_request) ||(((message == ssl_hs_client_hello) || (message == ssl_hs_server_hello ) || (message == ssl_hs_hello_retry_request) || (message == ssl_hs_encrypted_extensions ) || (message == ssl_hs_new_session_ticket) || (message == ssl_hs_certificate ) || (message == ssl_hs_certificate_request))?((void)0):PR_Assert ("(message == ssl_hs_client_hello) || (message == ssl_hs_server_hello) || (message == ssl_hs_hello_retry_request) || (message == ssl_hs_encrypted_extensions) || (message == ssl_hs_new_session_ticket) || (message == ssl_hs_certificate) || (message == ssl_hs_certificate_request)" ,"tls13con.c",6328)) | |||
6325 | (message == ssl_hs_encrypted_extensions) ||(((message == ssl_hs_client_hello) || (message == ssl_hs_server_hello ) || (message == ssl_hs_hello_retry_request) || (message == ssl_hs_encrypted_extensions ) || (message == ssl_hs_new_session_ticket) || (message == ssl_hs_certificate ) || (message == ssl_hs_certificate_request))?((void)0):PR_Assert ("(message == ssl_hs_client_hello) || (message == ssl_hs_server_hello) || (message == ssl_hs_hello_retry_request) || (message == ssl_hs_encrypted_extensions) || (message == ssl_hs_new_session_ticket) || (message == ssl_hs_certificate) || (message == ssl_hs_certificate_request)" ,"tls13con.c",6328)) | |||
6326 | (message == ssl_hs_new_session_ticket) ||(((message == ssl_hs_client_hello) || (message == ssl_hs_server_hello ) || (message == ssl_hs_hello_retry_request) || (message == ssl_hs_encrypted_extensions ) || (message == ssl_hs_new_session_ticket) || (message == ssl_hs_certificate ) || (message == ssl_hs_certificate_request))?((void)0):PR_Assert ("(message == ssl_hs_client_hello) || (message == ssl_hs_server_hello) || (message == ssl_hs_hello_retry_request) || (message == ssl_hs_encrypted_extensions) || (message == ssl_hs_new_session_ticket) || (message == ssl_hs_certificate) || (message == ssl_hs_certificate_request)" ,"tls13con.c",6328)) | |||
6327 | (message == ssl_hs_certificate) ||(((message == ssl_hs_client_hello) || (message == ssl_hs_server_hello ) || (message == ssl_hs_hello_retry_request) || (message == ssl_hs_encrypted_extensions ) || (message == ssl_hs_new_session_ticket) || (message == ssl_hs_certificate ) || (message == ssl_hs_certificate_request))?((void)0):PR_Assert ("(message == ssl_hs_client_hello) || (message == ssl_hs_server_hello) || (message == ssl_hs_hello_retry_request) || (message == ssl_hs_encrypted_extensions) || (message == ssl_hs_new_session_ticket) || (message == ssl_hs_certificate) || (message == ssl_hs_certificate_request)" ,"tls13con.c",6328)) | |||
6328 | (message == ssl_hs_certificate_request))(((message == ssl_hs_client_hello) || (message == ssl_hs_server_hello ) || (message == ssl_hs_hello_retry_request) || (message == ssl_hs_encrypted_extensions ) || (message == ssl_hs_new_session_ticket) || (message == ssl_hs_certificate ) || (message == ssl_hs_certificate_request))?((void)0):PR_Assert ("(message == ssl_hs_client_hello) || (message == ssl_hs_server_hello) || (message == ssl_hs_hello_retry_request) || (message == ssl_hs_encrypted_extensions) || (message == ssl_hs_new_session_ticket) || (message == ssl_hs_certificate) || (message == ssl_hs_certificate_request)" ,"tls13con.c",6328)); | |||
6329 | ||||
6330 | for (i = 0; i < PR_ARRAY_SIZE(KnownExtensions)(sizeof(KnownExtensions)/sizeof((KnownExtensions)[0])); i++) { | |||
6331 | /* Hacky check for message numbers > 30. */ | |||
6332 | PORT_Assert(!(KnownExtensions[i].messages & (1U << 31)))((!(KnownExtensions[i].messages & (1U << 31)))?((void )0):PR_Assert("!(KnownExtensions[i].messages & (1U << 31))" ,"tls13con.c",6332)); | |||
6333 | if (KnownExtensions[i].ex_value == extension) { | |||
6334 | break; | |||
6335 | } | |||
6336 | } | |||
6337 | if (i >= PR_ARRAY_SIZE(KnownExtensions)(sizeof(KnownExtensions)/sizeof((KnownExtensions)[0]))) { | |||
6338 | return tls13_extension_unknown; | |||
6339 | } | |||
6340 | ||||
6341 | /* Return "disallowed" if the message mask bit isn't set. */ | |||
6342 | if (!(_M(message) & KnownExtensions[i].messages)) { | |||
6343 | return tls13_extension_disallowed; | |||
6344 | } | |||
6345 | ||||
6346 | return tls13_extension_allowed; | |||
6347 | } | |||
6348 | ||||
6349 | #undef _M | |||
6350 | #undef _M1 | |||
6351 | #undef _M2 | |||
6352 | #undef _M3 | |||
6353 | ||||
6354 | /* We cheat a bit on additional data because the AEAD interface | |||
6355 | * which doesn't have room for the record number. The AAD we | |||
6356 | * format is serialized record number followed by the true AD | |||
6357 | * (i.e., the record header) plus the serialized record number. */ | |||
6358 | static SECStatus | |||
6359 | tls13_FormatAdditionalData( | |||
6360 | sslSocket *ss, | |||
6361 | const PRUint8 *header, unsigned int headerLen, | |||
6362 | DTLSEpoch epoch, sslSequenceNumber seqNum, | |||
6363 | PRUint8 *aad, unsigned int *aadLength, unsigned int maxLength) | |||
6364 | { | |||
6365 | SECStatus rv; | |||
6366 | sslBuffer buf = SSL_BUFFER_FIXED(aad, maxLength){ aad, 0, maxLength, 1 }; | |||
6367 | ||||
6368 | if (IS_DTLS_1_OR_12(ss)((ss->protocolVariant == ssl_variant_datagram) && ss ->version < 0x0304)) { | |||
6369 | rv = sslBuffer_AppendNumber(&buf, epoch, 2); | |||
6370 | if (rv != SECSuccess) { | |||
6371 | return SECFailure; | |||
6372 | } | |||
6373 | } | |||
6374 | rv = sslBuffer_AppendNumber(&buf, seqNum, IS_DTLS_1_OR_12(ss)((ss->protocolVariant == ssl_variant_datagram) && ss ->version < 0x0304) ? 6 : 8); | |||
6375 | if (rv != SECSuccess) { | |||
6376 | return SECFailure; | |||
6377 | } | |||
6378 | ||||
6379 | rv = sslBuffer_Append(&buf, header, headerLen); | |||
6380 | if (rv != SECSuccess) { | |||
6381 | return SECFailure; | |||
6382 | } | |||
6383 | ||||
6384 | *aadLength = buf.len; | |||
6385 | ||||
6386 | return SECSuccess; | |||
6387 | } | |||
6388 | ||||
6389 | PRInt32 | |||
6390 | tls13_LimitEarlyData(sslSocket *ss, SSLContentType type, PRInt32 toSend) | |||
6391 | { | |||
6392 | PRInt32 reduced; | |||
6393 | ||||
6394 | PORT_Assert(type == ssl_ct_application_data)((type == ssl_ct_application_data)?((void)0):PR_Assert("type == ssl_ct_application_data" ,"tls13con.c",6394)); | |||
6395 | PORT_Assert(ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3)((ss->vrange.max >= 0x0304)?((void)0):PR_Assert("ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3" ,"tls13con.c",6395)); | |||
6396 | PORT_Assert(!ss->firstHsDone)((!ss->firstHsDone)?((void)0):PR_Assert("!ss->firstHsDone" ,"tls13con.c",6396)); | |||
6397 | if (ss->ssl3.cwSpec->epoch != TrafficKeyEarlyApplicationData) { | |||
6398 | return toSend; | |||
6399 | } | |||
6400 | ||||
6401 | if (IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram) && toSend > ss->ssl3.cwSpec->earlyDataRemaining) { | |||
6402 | /* Don't split application data records in DTLS. */ | |||
6403 | return 0; | |||
6404 | } | |||
6405 | ||||
6406 | reduced = PR_MIN(toSend, ss->ssl3.cwSpec->earlyDataRemaining)((toSend)<(ss->ssl3.cwSpec->earlyDataRemaining)?(toSend ):(ss->ssl3.cwSpec->earlyDataRemaining)); | |||
6407 | ss->ssl3.cwSpec->earlyDataRemaining -= reduced; | |||
6408 | return reduced; | |||
6409 | } | |||
6410 | ||||
6411 | SECStatus | |||
6412 | tls13_ProtectRecord(sslSocket *ss, | |||
6413 | ssl3CipherSpec *cwSpec, | |||
6414 | SSLContentType type, | |||
6415 | const PRUint8 *pIn, | |||
6416 | PRUint32 contentLen, | |||
6417 | sslBuffer *wrBuf) | |||
6418 | { | |||
6419 | const ssl3BulkCipherDef *cipher_def = cwSpec->cipherDef; | |||
6420 | const int tagLen = cipher_def->tag_size; | |||
6421 | SECStatus rv; | |||
6422 | ||||
6423 | PORT_Assert(cwSpec->direction == ssl_secret_write)((cwSpec->direction == ssl_secret_write)?((void)0):PR_Assert ("cwSpec->direction == ssl_secret_write","tls13con.c",6423 )); | |||
6424 | SSL_TRC(3, ("%d: TLS13[%d]: spec=%d epoch=%d (%s) protect 0x%0llx len=%u",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: spec=%d epoch=%d (%s) protect 0x%0llx len=%u" , getpid(), ss->fd, cwSpec, cwSpec->epoch, cwSpec->phase , cwSpec->nextSeqNum, contentLen) | |||
6425 | SSL_GETPID(), ss->fd, cwSpec, cwSpec->epoch, cwSpec->phase,if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: spec=%d epoch=%d (%s) protect 0x%0llx len=%u" , getpid(), ss->fd, cwSpec, cwSpec->epoch, cwSpec->phase , cwSpec->nextSeqNum, contentLen) | |||
6426 | cwSpec->nextSeqNum, contentLen))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: spec=%d epoch=%d (%s) protect 0x%0llx len=%u" , getpid(), ss->fd, cwSpec, cwSpec->epoch, cwSpec->phase , cwSpec->nextSeqNum, contentLen); | |||
6427 | ||||
6428 | if (contentLen + 1 + tagLen > SSL_BUFFER_SPACE(wrBuf)((wrBuf)->space - (wrBuf)->len)) { | |||
6429 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); | |||
6430 | return SECFailure; | |||
6431 | } | |||
6432 | ||||
6433 | /* Copy the data into the wrBuf. We're going to encrypt in-place | |||
6434 | * in the AEAD branch anyway */ | |||
6435 | PORT_Memcpymemcpy(SSL_BUFFER_NEXT(wrBuf)((wrBuf)->buf + (wrBuf)->len), pIn, contentLen); | |||
6436 | ||||
6437 | if (cipher_def->calg == ssl_calg_null) { | |||
6438 | /* Shortcut for plaintext */ | |||
6439 | rv = sslBuffer_Skip(wrBuf, contentLen, NULL((void*)0)); | |||
6440 | PORT_Assert(rv == SECSuccess)((rv == SECSuccess)?((void)0):PR_Assert("rv == SECSuccess","tls13con.c" ,6440)); | |||
6441 | } else { | |||
6442 | PRUint8 hdr[13]; | |||
6443 | sslBuffer buf = SSL_BUFFER_FIXED(hdr, sizeof(hdr)){ hdr, 0, sizeof(hdr), 1 }; | |||
6444 | PRBool needsLength; | |||
6445 | PRUint8 aad[21]; | |||
6446 | const int ivLen = cipher_def->iv_size + cipher_def->explicit_nonce_size; | |||
6447 | unsigned int ivOffset = ivLen - sizeof(sslSequenceNumber); | |||
6448 | unsigned char ivOut[MAX_IV_LENGTH24]; | |||
6449 | ||||
6450 | unsigned int aadLen; | |||
6451 | unsigned int len; | |||
6452 | ||||
6453 | PORT_Assert(cipher_def->type == type_aead)((cipher_def->type == type_aead)?((void)0):PR_Assert("cipher_def->type == type_aead" ,"tls13con.c",6453)); | |||
6454 | ||||
6455 | /* If the following condition holds, we can skip the padding logic for | |||
6456 | * DTLS 1.3 (4.2.3). This will be the case until we support a cipher | |||
6457 | * with tag length < 15B. */ | |||
6458 | PORT_Assert(tagLen + 1 /* cType */ >= 16)((tagLen + 1 >= 16)?((void)0):PR_Assert("tagLen + 1 >= 16" ,"tls13con.c",6458)); | |||
6459 | ||||
6460 | /* Add the content type at the end. */ | |||
6461 | *(SSL_BUFFER_NEXT(wrBuf)((wrBuf)->buf + (wrBuf)->len) + contentLen) = type; | |||
6462 | ||||
6463 | /* Create the header (ugly that we have to do it twice). */ | |||
6464 | rv = ssl_InsertRecordHeader(ss, cwSpec, ssl_ct_application_data, | |||
6465 | &buf, &needsLength); | |||
6466 | if (rv != SECSuccess) { | |||
6467 | return SECFailure; | |||
6468 | } | |||
6469 | if (needsLength) { | |||
6470 | rv = sslBuffer_AppendNumber(&buf, contentLen + 1 + tagLen, 2); | |||
6471 | if (rv != SECSuccess) { | |||
6472 | return SECFailure; | |||
6473 | } | |||
6474 | } | |||
6475 | rv = tls13_FormatAdditionalData(ss, SSL_BUFFER_BASE(&buf)((&buf)->buf), SSL_BUFFER_LEN(&buf)((&buf)->len), | |||
6476 | cwSpec->epoch, cwSpec->nextSeqNum, | |||
6477 | aad, &aadLen, sizeof(aad)); | |||
6478 | if (rv != SECSuccess) { | |||
6479 | return SECFailure; | |||
6480 | } | |||
6481 | /* set up initial IV value */ | |||
6482 | ivOffset = tls13_SetupAeadIv(IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram), cwSpec->version, ivOut, cwSpec->keyMaterial.iv, | |||
6483 | ivOffset, ivLen, cwSpec->epoch); | |||
6484 | rv = tls13_AEAD(cwSpec->cipherContext, PR_FALSE0, | |||
6485 | CKG_GENERATE_COUNTER_XOR0x00000004UL, ivOffset * BPB8, | |||
6486 | ivOut, ivOut, ivLen, /* iv */ | |||
6487 | NULL((void*)0), 0, /* nonce */ | |||
6488 | aad + sizeof(sslSequenceNumber), /* aad */ | |||
6489 | aadLen - sizeof(sslSequenceNumber), | |||
6490 | SSL_BUFFER_NEXT(wrBuf)((wrBuf)->buf + (wrBuf)->len), /* output */ | |||
6491 | &len, /* out len */ | |||
6492 | SSL_BUFFER_SPACE(wrBuf)((wrBuf)->space - (wrBuf)->len), /* max out */ | |||
6493 | tagLen, | |||
6494 | SSL_BUFFER_NEXT(wrBuf)((wrBuf)->buf + (wrBuf)->len), /* input */ | |||
6495 | contentLen + 1); /* input len */ | |||
6496 | if (rv != SECSuccess) { | |||
6497 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_ENCRYPTION_FAILURE); | |||
6498 | return SECFailure; | |||
6499 | } | |||
6500 | rv = sslBuffer_Skip(wrBuf, len, NULL((void*)0)); | |||
6501 | PORT_Assert(rv == SECSuccess)((rv == SECSuccess)?((void)0):PR_Assert("rv == SECSuccess","tls13con.c" ,6501)); | |||
6502 | } | |||
6503 | ||||
6504 | return SECSuccess; | |||
6505 | } | |||
6506 | ||||
6507 | /* Unprotect a TLS 1.3 record and leave the result in plaintext. | |||
6508 | * | |||
6509 | * Called by ssl3_HandleRecord. Caller must hold the spec read lock. | |||
6510 | * Therefore, we MUST not call SSL3_SendAlert(). | |||
6511 | * | |||
6512 | * If SECFailure is returned, we: | |||
6513 | * 1. Set |*alert| to the alert to be sent. | |||
6514 | * 2. Call PORT_SetError() with an appropriate code. | |||
6515 | */ | |||
6516 | SECStatus | |||
6517 | tls13_UnprotectRecord(sslSocket *ss, | |||
6518 | ssl3CipherSpec *spec, | |||
6519 | SSL3Ciphertext *cText, | |||
6520 | sslBuffer *plaintext, | |||
6521 | SSLContentType *innerType, | |||
6522 | SSL3AlertDescription *alert) | |||
6523 | { | |||
6524 | const ssl3BulkCipherDef *cipher_def = spec->cipherDef; | |||
6525 | const int ivLen = cipher_def->iv_size + cipher_def->explicit_nonce_size; | |||
6526 | const int tagLen = cipher_def->tag_size; | |||
6527 | const int innerTypeLen = 1; | |||
6528 | ||||
6529 | PRUint8 aad[21]; | |||
6530 | unsigned int aadLen; | |||
6531 | SECStatus rv; | |||
6532 | ||||
6533 | *alert = bad_record_mac; /* Default alert for most issues. */ | |||
6534 | ||||
6535 | PORT_Assert(spec->direction == ssl_secret_read)((spec->direction == ssl_secret_read)?((void)0):PR_Assert( "spec->direction == ssl_secret_read","tls13con.c",6535)); | |||
6536 | SSL_TRC(3, ("%d: TLS13[%d]: spec=%d epoch=%d (%s) unprotect 0x%0llx len=%u",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: spec=%d epoch=%d (%s) unprotect 0x%0llx len=%u" , getpid(), ss->fd, spec, spec->epoch, spec->phase, cText ->seqNum, cText->buf->len) | |||
6537 | SSL_GETPID(), ss->fd, spec, spec->epoch, spec->phase,if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: spec=%d epoch=%d (%s) unprotect 0x%0llx len=%u" , getpid(), ss->fd, spec, spec->epoch, spec->phase, cText ->seqNum, cText->buf->len) | |||
6538 | cText->seqNum, cText->buf->len))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: spec=%d epoch=%d (%s) unprotect 0x%0llx len=%u" , getpid(), ss->fd, spec, spec->epoch, spec->phase, cText ->seqNum, cText->buf->len); | |||
6539 | ||||
6540 | /* Verify that the outer content type is right. | |||
6541 | * | |||
6542 | * For the inner content type as well as lower TLS versions this is checked | |||
6543 | * in ssl3con.c/ssl3_HandleNonApllicationData(). | |||
6544 | * | |||
6545 | * For DTLS 1.3 this is checked in ssl3gthr.c/dtls_GatherData(). DTLS drops | |||
6546 | * invalid records silently [RFC6347, Section 4.1.2.7]. | |||
6547 | * | |||
6548 | * Also allow the DTLS short header in TLS 1.3. */ | |||
6549 | if (!(cText->hdr[0] == ssl_ct_application_data || | |||
6550 | (IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram) && | |||
6551 | ss->version >= SSL_LIBRARY_VERSION_TLS_1_30x0304 && | |||
6552 | (cText->hdr[0] & 0xe0) == 0x20))) { | |||
6553 | SSL_TRC(3,if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: record has invalid exterior type=%2.2x" , getpid(), ss->fd, cText->hdr[0]) | |||
6554 | ("%d: TLS13[%d]: record has invalid exterior type=%2.2x",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: record has invalid exterior type=%2.2x" , getpid(), ss->fd, cText->hdr[0]) | |||
6555 | SSL_GETPID(), ss->fd, cText->hdr[0]))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: record has invalid exterior type=%2.2x" , getpid(), ss->fd, cText->hdr[0]); | |||
6556 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE); | |||
6557 | *alert = unexpected_message; | |||
6558 | return SECFailure; | |||
6559 | } | |||
6560 | ||||
6561 | /* We can perform this test in variable time because the record's total | |||
6562 | * length and the ciphersuite are both public knowledge. */ | |||
6563 | if (cText->buf->len < tagLen) { | |||
6564 | SSL_TRC(3,if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: record too short to contain valid AEAD data" , getpid(), ss->fd) | |||
6565 | ("%d: TLS13[%d]: record too short to contain valid AEAD data",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: record too short to contain valid AEAD data" , getpid(), ss->fd) | |||
6566 | SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: record too short to contain valid AEAD data" , getpid(), ss->fd); | |||
6567 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_BAD_MAC_READ); | |||
6568 | return SECFailure; | |||
6569 | } | |||
6570 | ||||
6571 | /* Check if the ciphertext can be valid if we assume maximum plaintext and | |||
6572 | * add the specific ciphersuite expansion. | |||
6573 | * This way we detect overlong plaintexts/padding before decryption. | |||
6574 | * This check enforces size limitations more strict than the RFC. | |||
6575 | * (see RFC8446, Section 5.2) */ | |||
6576 | if (cText->buf->len > (spec->recordSizeLimit + innerTypeLen + tagLen)) { | |||
6577 | *alert = record_overflow; | |||
6578 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_RX_RECORD_TOO_LONG); | |||
6579 | return SECFailure; | |||
6580 | } | |||
6581 | ||||
6582 | /* Check the version number in the record. Stream only. */ | |||
6583 | if (!IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram)) { | |||
6584 | SSL3ProtocolVersion version = | |||
6585 | ((SSL3ProtocolVersion)cText->hdr[1] << 8) | | |||
6586 | (SSL3ProtocolVersion)cText->hdr[2]; | |||
6587 | if (version != spec->recordVersion) { | |||
6588 | /* Do we need a better error here? */ | |||
6589 | SSL_TRC(3, ("%d: TLS13[%d]: record has bogus version",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: record has bogus version" , getpid(), ss->fd) | |||
6590 | SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: record has bogus version" , getpid(), ss->fd); | |||
6591 | return SECFailure; | |||
6592 | } | |||
6593 | } | |||
6594 | ||||
6595 | /* Decrypt */ | |||
6596 | PORT_Assert(cipher_def->type == type_aead)((cipher_def->type == type_aead)?((void)0):PR_Assert("cipher_def->type == type_aead" ,"tls13con.c",6596)); | |||
6597 | rv = tls13_FormatAdditionalData(ss, cText->hdr, cText->hdrLen, | |||
6598 | spec->epoch, cText->seqNum, | |||
6599 | aad, &aadLen, sizeof(aad)); | |||
6600 | if (rv != SECSuccess) { | |||
6601 | ||||
6602 | return SECFailure; | |||
6603 | } | |||
6604 | rv = tls13_AEAD(spec->cipherContext, PR_TRUE1, | |||
6605 | CKG_NO_GENERATE0x00000000UL, 0, /* ignored for decrypt */ | |||
6606 | spec->keyMaterial.iv, NULL((void*)0), ivLen, /* iv */ | |||
6607 | aad, sizeof(sslSequenceNumber), /* nonce */ | |||
6608 | aad + sizeof(sslSequenceNumber), /* aad */ | |||
6609 | aadLen - sizeof(sslSequenceNumber), | |||
6610 | plaintext->buf, /* output */ | |||
6611 | &plaintext->len, /* outlen */ | |||
6612 | plaintext->space, /* maxout */ | |||
6613 | tagLen, | |||
6614 | cText->buf->buf, /* in */ | |||
6615 | cText->buf->len); /* inlen */ | |||
6616 | if (rv != SECSuccess) { | |||
6617 | if (IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram)) { | |||
6618 | spec->deprotectionFailures++; | |||
6619 | } | |||
6620 | ||||
6621 | SSL_TRC(3,if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: record has bogus MAC" , getpid(), ss->fd) | |||
6622 | ("%d: TLS13[%d]: record has bogus MAC",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: record has bogus MAC" , getpid(), ss->fd) | |||
6623 | SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: record has bogus MAC" , getpid(), ss->fd); | |||
6624 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_BAD_MAC_READ); | |||
6625 | return SECFailure; | |||
6626 | } | |||
6627 | ||||
6628 | /* There is a similar test in ssl3_HandleRecord, but this test is needed to | |||
6629 | * account for padding. */ | |||
6630 | if (plaintext->len > spec->recordSizeLimit + innerTypeLen) { | |||
6631 | *alert = record_overflow; | |||
6632 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_RX_RECORD_TOO_LONG); | |||
6633 | return SECFailure; | |||
6634 | } | |||
6635 | ||||
6636 | /* The record is right-padded with 0s, followed by the true | |||
6637 | * content type, so read from the right until we receive a | |||
6638 | * nonzero byte. */ | |||
6639 | while (plaintext->len > 0 && !(plaintext->buf[plaintext->len - 1])) { | |||
6640 | --plaintext->len; | |||
6641 | } | |||
6642 | ||||
6643 | /* Bogus padding. */ | |||
6644 | if (plaintext->len < 1) { | |||
6645 | SSL_TRC(3, ("%d: TLS13[%d]: empty record", SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: empty record" , getpid(), ss->fd); | |||
6646 | /* It's safe to report this specifically because it happened | |||
6647 | * after the MAC has been verified. */ | |||
6648 | *alert = unexpected_message; | |||
6649 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_BAD_BLOCK_PADDING); | |||
6650 | return SECFailure; | |||
6651 | } | |||
6652 | ||||
6653 | /* Record the type. */ | |||
6654 | *innerType = (SSLContentType)plaintext->buf[plaintext->len - 1]; | |||
6655 | --plaintext->len; | |||
6656 | ||||
6657 | /* Check for zero-length encrypted Alert and Handshake fragments | |||
6658 | * (zero-length + inner content type byte). | |||
6659 | * | |||
6660 | * Implementations MUST NOT send Handshake and Alert records that have a | |||
6661 | * zero-length TLSInnerPlaintext.content; if such a message is received, | |||
6662 | * the receiving implementation MUST terminate the connection with an | |||
6663 | * "unexpected_message" alert [RFC8446, Section 5.4]. */ | |||
6664 | if (!plaintext->len && ((!IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram) && cText->hdr[0] == ssl_ct_application_data) || | |||
6665 | (IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram) && dtls_IsDtls13Ciphertext(spec->version, cText->hdr[0])))) { | |||
6666 | switch (*innerType) { | |||
6667 | case ssl_ct_alert: | |||
6668 | *alert = unexpected_message; | |||
6669 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_RX_MALFORMED_ALERT); | |||
6670 | return SECFailure; | |||
6671 | case ssl_ct_handshake: | |||
6672 | *alert = unexpected_message; | |||
6673 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_RX_MALFORMED_HANDSHAKE); | |||
6674 | return SECFailure; | |||
6675 | default: | |||
6676 | break; | |||
6677 | } | |||
6678 | } | |||
6679 | ||||
6680 | /* Check that we haven't received too much 0-RTT data. */ | |||
6681 | if (spec->epoch == TrafficKeyEarlyApplicationData && | |||
6682 | *innerType == ssl_ct_application_data) { | |||
6683 | if (plaintext->len > spec->earlyDataRemaining) { | |||
6684 | *alert = unexpected_message; | |||
6685 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_TOO_MUCH_EARLY_DATA); | |||
6686 | return SECFailure; | |||
6687 | } | |||
6688 | spec->earlyDataRemaining -= plaintext->len; | |||
6689 | } | |||
6690 | ||||
6691 | SSL_TRC(10,if (ssl_trace >= (10)) ssl_Trace ("%d: TLS13[%d]: %s received record of length=%d, type=%d" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" ), plaintext->len, *innerType) | |||
6692 | ("%d: TLS13[%d]: %s received record of length=%d, type=%d",if (ssl_trace >= (10)) ssl_Trace ("%d: TLS13[%d]: %s received record of length=%d, type=%d" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" ), plaintext->len, *innerType) | |||
6693 | SSL_GETPID(), ss->fd, SSL_ROLE(ss), plaintext->len, *innerType))if (ssl_trace >= (10)) ssl_Trace ("%d: TLS13[%d]: %s received record of length=%d, type=%d" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" ), plaintext->len, *innerType); | |||
6694 | ||||
6695 | return SECSuccess; | |||
6696 | } | |||
6697 | ||||
6698 | /* 0-RTT is only permitted if: | |||
6699 | * | |||
6700 | * 1. We are doing TLS 1.3 | |||
6701 | * 2. This isn't a second ClientHello (in response to HelloRetryRequest) | |||
6702 | * 3. The 0-RTT option is set. | |||
6703 | * 4. We have a valid ticket or an External PSK. | |||
6704 | * 5. If resuming: | |||
6705 | * 5a. The server is willing to accept 0-RTT. | |||
6706 | * 5b. We have not changed our ALPN settings to disallow the ALPN tag | |||
6707 | * in the ticket. | |||
6708 | * | |||
6709 | * Called from tls13_ClientSendEarlyDataXtn(). | |||
6710 | */ | |||
6711 | PRBool | |||
6712 | tls13_ClientAllow0Rtt(const sslSocket *ss, const sslSessionID *sid) | |||
6713 | { | |||
6714 | /* We checked that the cipher suite was still allowed back in | |||
6715 | * ssl3_SendClientHello. */ | |||
6716 | if (sid->version < SSL_LIBRARY_VERSION_TLS_1_30x0304) { | |||
6717 | return PR_FALSE0; | |||
6718 | } | |||
6719 | if (ss->ssl3.hs.helloRetry) { | |||
6720 | return PR_FALSE0; | |||
6721 | } | |||
6722 | if (!ss->opt.enable0RttData) { | |||
6723 | return PR_FALSE0; | |||
6724 | } | |||
6725 | if (PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks)((&ss->ssl3.hs.psks)->next == (&ss->ssl3.hs. psks))) { | |||
6726 | return PR_FALSE0; | |||
6727 | } | |||
6728 | sslPsk *psk = (sslPsk *)PR_LIST_HEAD(&ss->ssl3.hs.psks)(&ss->ssl3.hs.psks)->next; | |||
6729 | ||||
6730 | if (psk->zeroRttSuite == TLS_NULL_WITH_NULL_NULL0x0000) { | |||
6731 | return PR_FALSE0; | |||
6732 | } | |||
6733 | if (!psk->maxEarlyData) { | |||
6734 | return PR_FALSE0; | |||
6735 | } | |||
6736 | ||||
6737 | if (psk->type == ssl_psk_external) { | |||
6738 | return psk->hash == tls13_GetHashForCipherSuite(psk->zeroRttSuite); | |||
6739 | } | |||
6740 | if (psk->type == ssl_psk_resume) { | |||
6741 | if (!ss->statelessResume) | |||
6742 | return PR_FALSE0; | |||
6743 | if ((sid->u.ssl3.locked.sessionTicket.flags & ticket_allow_early_data) == 0) | |||
6744 | return PR_FALSE0; | |||
6745 | return ssl_AlpnTagAllowed(ss, &sid->u.ssl3.alpnSelection); | |||
6746 | } | |||
6747 | PORT_Assert(0)((0)?((void)0):PR_Assert("0","tls13con.c",6747)); | |||
6748 | return PR_FALSE0; | |||
6749 | } | |||
6750 | ||||
6751 | SECStatus | |||
6752 | tls13_MaybeDo0RTTHandshake(sslSocket *ss) | |||
6753 | { | |||
6754 | SECStatus rv; | |||
6755 | ||||
6756 | /* Don't do anything if there is no early_data xtn, which means we're | |||
6757 | * not doing early data. */ | |||
6758 | if (!ssl3_ExtensionAdvertised(ss, ssl_tls13_early_data_xtn)) { | |||
6759 | return SECSuccess; | |||
6760 | } | |||
6761 | ||||
6762 | ss->ssl3.hs.zeroRttState = ssl_0rtt_sent; | |||
6763 | ss->ssl3.hs.zeroRttSuite = ss->ssl3.hs.cipher_suite; | |||
6764 | /* Note: Reset the preliminary info here rather than just add 0-RTT. We are | |||
6765 | * only guessing what might happen at this point.*/ | |||
6766 | ss->ssl3.hs.preliminaryInfo = ssl_preinfo_0rtt_cipher_suite(1U << 2); | |||
6767 | ||||
6768 | SSL_TRC(3, ("%d: TLS13[%d]: in 0-RTT mode", SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: in 0-RTT mode" , getpid(), ss->fd); | |||
6769 | ||||
6770 | /* Set the ALPN data as if it was negotiated. We check in the ServerHello | |||
6771 | * handler that the server negotiates the same value. */ | |||
6772 | if (ss->sec.ci.sid->u.ssl3.alpnSelection.len) { | |||
6773 | ss->xtnData.nextProtoState = SSL_NEXT_PROTO_EARLY_VALUE; | |||
6774 | rv = SECITEM_CopyItemSECITEM_CopyItem_Util(NULL((void*)0), &ss->xtnData.nextProto, | |||
6775 | &ss->sec.ci.sid->u.ssl3.alpnSelection); | |||
6776 | if (rv != SECSuccess) { | |||
6777 | return SECFailure; | |||
6778 | } | |||
6779 | } | |||
6780 | ||||
6781 | if (ss->opt.enableTls13CompatMode && !IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram)) { | |||
6782 | /* Pretend that this is a proper ChangeCipherSpec even though it is sent | |||
6783 | * before receiving the ServerHello. */ | |||
6784 | ssl_GetSpecWriteLock(ss){ if (!ss->opt.noLocks) NSSRWLock_LockWrite_Util((ss)-> specLock); }; | |||
6785 | tls13_SetSpecRecordVersion(ss, ss->ssl3.cwSpec); | |||
6786 | ssl_ReleaseSpecWriteLock(ss){ if (!ss->opt.noLocks) NSSRWLock_UnlockWrite_Util((ss)-> specLock); }; | |||
6787 | ssl_GetXmitBufLock(ss){ if (!ss->opt.noLocks) PR_EnterMonitor(((ss)->xmitBufLock )); }; | |||
6788 | rv = ssl3_SendChangeCipherSpecsInt(ss); | |||
6789 | ssl_ReleaseXmitBufLock(ss){ if (!ss->opt.noLocks) PR_ExitMonitor(((ss)->xmitBufLock )); }; | |||
6790 | if (rv != SECSuccess) { | |||
6791 | return SECFailure; | |||
6792 | } | |||
6793 | } | |||
6794 | ||||
6795 | /* If we have any message that was saved for later hashing. | |||
6796 | * The updated hash is then used in tls13_DeriveEarlySecrets. */ | |||
6797 | rv = ssl3_MaybeUpdateHashWithSavedRecord(ss); | |||
6798 | if (rv != SECSuccess) { | |||
6799 | return SECFailure; | |||
6800 | } | |||
6801 | ||||
6802 | /* If we're trying 0-RTT, derive from the first PSK */ | |||
6803 | PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks) && !ss->xtnData.selectedPsk)((!((&ss->ssl3.hs.psks)->next == (&ss->ssl3. hs.psks)) && !ss->xtnData.selectedPsk)?((void)0):PR_Assert ("!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks) && !ss->xtnData.selectedPsk" ,"tls13con.c",6803)); | |||
6804 | ss->xtnData.selectedPsk = (sslPsk *)PR_LIST_HEAD(&ss->ssl3.hs.psks)(&ss->ssl3.hs.psks)->next; | |||
6805 | rv = tls13_DeriveEarlySecrets(ss); | |||
6806 | if (rv != SECSuccess) { | |||
6807 | return SECFailure; | |||
6808 | } | |||
6809 | ||||
6810 | /* Save cwSpec in case we get a HelloRetryRequest and have to send another | |||
6811 | * ClientHello. */ | |||
6812 | ssl_CipherSpecAddRef(ss->ssl3.cwSpec); | |||
6813 | ||||
6814 | rv = tls13_SetCipherSpec(ss, TrafficKeyEarlyApplicationData, | |||
6815 | ssl_secret_write, PR_TRUE1); | |||
6816 | ss->xtnData.selectedPsk = NULL((void*)0); | |||
6817 | if (rv != SECSuccess) { | |||
6818 | return SECFailure; | |||
6819 | } | |||
6820 | ||||
6821 | return SECSuccess; | |||
6822 | } | |||
6823 | ||||
6824 | PRInt32 | |||
6825 | tls13_Read0RttData(sslSocket *ss, PRUint8 *buf, PRInt32 len) | |||
6826 | { | |||
6827 | PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.bufferedEarlyData))((!((&ss->ssl3.hs.bufferedEarlyData)->next == (& ss->ssl3.hs.bufferedEarlyData)))?((void)0):PR_Assert("!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.bufferedEarlyData)" ,"tls13con.c",6827)); | |||
6828 | PRInt32 offset = 0; | |||
6829 | while (!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.bufferedEarlyData)((&ss->ssl3.hs.bufferedEarlyData)->next == (&ss ->ssl3.hs.bufferedEarlyData))) { | |||
6830 | TLS13EarlyData *msg = | |||
6831 | (TLS13EarlyData *)PR_NEXT_LINK(&ss->ssl3.hs.bufferedEarlyData)((&ss->ssl3.hs.bufferedEarlyData)->next); | |||
6832 | unsigned int tocpy = msg->data.len - msg->consumed; | |||
6833 | ||||
6834 | if (tocpy > (len - offset)) { | |||
6835 | if (IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram)) { | |||
6836 | /* In DTLS, we only return entire records. | |||
6837 | * So offset and consumed are always zero. */ | |||
6838 | PORT_Assert(offset == 0)((offset == 0)?((void)0):PR_Assert("offset == 0","tls13con.c" ,6838)); | |||
6839 | PORT_Assert(msg->consumed == 0)((msg->consumed == 0)?((void)0):PR_Assert("msg->consumed == 0" ,"tls13con.c",6839)); | |||
6840 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_RX_SHORT_DTLS_READ); | |||
6841 | return -1; | |||
6842 | } | |||
6843 | ||||
6844 | tocpy = len - offset; | |||
6845 | } | |||
6846 | ||||
6847 | PORT_Memcpymemcpy(buf + offset, msg->data.data + msg->consumed, tocpy); | |||
6848 | offset += tocpy; | |||
6849 | msg->consumed += tocpy; | |||
6850 | ||||
6851 | if (msg->consumed == msg->data.len) { | |||
6852 | PR_REMOVE_LINK(&msg->link)do { (&msg->link)->prev->next = (&msg->link )->next; (&msg->link)->next->prev = (&msg ->link)->prev; } while (0); | |||
6853 | SECITEM_ZfreeItemSECITEM_ZfreeItem_Util(&msg->data, PR_FALSE0); | |||
6854 | PORT_ZFreePORT_ZFree_Util(msg, sizeof(*msg)); | |||
6855 | } | |||
6856 | ||||
6857 | /* We are done after one record for DTLS; otherwise, when the buffer fills up. */ | |||
6858 | if (IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram) || offset == len) { | |||
6859 | break; | |||
6860 | } | |||
6861 | } | |||
6862 | ||||
6863 | return offset; | |||
6864 | } | |||
6865 | ||||
6866 | static SECStatus | |||
6867 | tls13_SendEndOfEarlyData(sslSocket *ss) | |||
6868 | { | |||
6869 | SECStatus rv; | |||
6870 | ||||
6871 | PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss))((ss->opt.noLocks || ((PR_GetMonitorEntryCount(((ss)->xmitBufLock )) > 0)))?((void)0):PR_Assert("ss->opt.noLocks || ssl_HaveXmitBufLock(ss)" ,"tls13con.c",6871)); | |||
6872 | ||||
6873 | if (!ss->opt.suppressEndOfEarlyData) { | |||
6874 | SSL_TRC(3, ("%d: TLS13[%d]: send EndOfEarlyData", SSL_GETPID(), ss->fd))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: send EndOfEarlyData" , getpid(), ss->fd); | |||
6875 | rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_end_of_early_data, 0); | |||
6876 | if (rv != SECSuccess) { | |||
6877 | return rv; /* err set by AppendHandshake. */ | |||
6878 | } | |||
6879 | } | |||
6880 | ||||
6881 | ss->ssl3.hs.zeroRttState = ssl_0rtt_done; | |||
6882 | return SECSuccess; | |||
6883 | } | |||
6884 | ||||
6885 | static SECStatus | |||
6886 | tls13_HandleEndOfEarlyData(sslSocket *ss, const PRUint8 *b, PRUint32 length) | |||
6887 | { | |||
6888 | SECStatus rv; | |||
6889 | ||||
6890 | PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3)((ss->version >= 0x0304)?((void)0):PR_Assert("ss->version >= SSL_LIBRARY_VERSION_TLS_1_3" ,"tls13con.c",6890)); | |||
6891 | ||||
6892 | rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_END_OF_EARLY_DATA,tls13_CheckHsState(ss, SSL_ERROR_RX_UNEXPECTED_END_OF_EARLY_DATA , "SSL_ERROR_RX_UNEXPECTED_END_OF_EARLY_DATA", __func__, "tls13con.c" , 6893, wait_end_of_early_data, wait_invalid) | |||
6893 | wait_end_of_early_data)tls13_CheckHsState(ss, SSL_ERROR_RX_UNEXPECTED_END_OF_EARLY_DATA , "SSL_ERROR_RX_UNEXPECTED_END_OF_EARLY_DATA", __func__, "tls13con.c" , 6893, wait_end_of_early_data, wait_invalid); | |||
6894 | if (rv != SECSuccess) { | |||
6895 | return SECFailure; | |||
6896 | } | |||
6897 | ||||
6898 | /* We shouldn't be getting any more early data, and if we do, | |||
6899 | * it is because of reordering and we drop it. */ | |||
6900 | if (IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram)) { | |||
6901 | ssl_CipherSpecReleaseByEpoch(ss, ssl_secret_read, | |||
6902 | TrafficKeyEarlyApplicationData); | |||
6903 | dtls_ReceivedFirstMessageInFlight(ss); | |||
6904 | } | |||
6905 | ||||
6906 | PORT_Assert(ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted)((ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted)?((void)0) :PR_Assert("ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted" ,"tls13con.c",6906)); | |||
6907 | ||||
6908 | if (length) { | |||
6909 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_END_OF_EARLY_DATA, decode_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_END_OF_EARLY_DATA , __func__, "tls13con.c", 6909); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_END_OF_EARLY_DATA ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_END_OF_EARLY_DATA , decode_error); } while (0); | |||
6910 | return SECFailure; | |||
6911 | } | |||
6912 | ||||
6913 | rv = tls13_SetCipherSpec(ss, TrafficKeyHandshake, | |||
6914 | ssl_secret_read, PR_FALSE0); | |||
6915 | if (rv != SECSuccess) { | |||
6916 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); | |||
6917 | return SECFailure; | |||
6918 | } | |||
6919 | ||||
6920 | ss->ssl3.hs.zeroRttState = ssl_0rtt_done; | |||
6921 | if (tls13_ShouldRequestClientAuth(ss)) { | |||
6922 | TLS13_SET_HS_STATE(ss, wait_client_cert)tls13_SetHsState(ss, wait_client_cert, __func__, "tls13con.c" , 6922); | |||
6923 | } else { | |||
6924 | TLS13_SET_HS_STATE(ss, wait_finished)tls13_SetHsState(ss, wait_finished, __func__, "tls13con.c", 6924 ); | |||
6925 | } | |||
6926 | return SECSuccess; | |||
6927 | } | |||
6928 | ||||
6929 | static SECStatus | |||
6930 | tls13_MaybeHandleSuppressedEndOfEarlyData(sslSocket *ss) | |||
6931 | { | |||
6932 | PORT_Assert(ss->sec.isServer)((ss->sec.isServer)?((void)0):PR_Assert("ss->sec.isServer" ,"tls13con.c",6932)); | |||
6933 | if (!ss->opt.suppressEndOfEarlyData || | |||
6934 | ss->ssl3.hs.zeroRttState != ssl_0rtt_accepted) { | |||
6935 | return SECSuccess; | |||
6936 | } | |||
6937 | ||||
6938 | return tls13_HandleEndOfEarlyData(ss, NULL((void*)0), 0); | |||
6939 | } | |||
6940 | ||||
6941 | SECStatus | |||
6942 | tls13_HandleEarlyApplicationData(sslSocket *ss, sslBuffer *origBuf) | |||
6943 | { | |||
6944 | TLS13EarlyData *ed; | |||
6945 | SECItem it = { siBuffer, NULL((void*)0), 0 }; | |||
6946 | ||||
6947 | PORT_Assert(ss->sec.isServer)((ss->sec.isServer)?((void)0):PR_Assert("ss->sec.isServer" ,"tls13con.c",6947)); | |||
6948 | PORT_Assert(ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted)((ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted)?((void)0) :PR_Assert("ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted" ,"tls13con.c",6948)); | |||
6949 | if (ss->ssl3.hs.zeroRttState != ssl_0rtt_accepted) { | |||
6950 | /* Belt and suspenders. */ | |||
6951 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13con.c" , 6951); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); tls13_FatalError(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error ); } while (0); | |||
6952 | return SECFailure; | |||
6953 | } | |||
6954 | ||||
6955 | PRINT_BUF(3, (NULL, "Received early application data",if (ssl_trace >= (3)) ssl_PrintBuf (((void*)0), "Received early application data" , origBuf->buf, origBuf->len) | |||
6956 | origBuf->buf, origBuf->len))if (ssl_trace >= (3)) ssl_PrintBuf (((void*)0), "Received early application data" , origBuf->buf, origBuf->len); | |||
6957 | ed = PORT_ZNew(TLS13EarlyData)(TLS13EarlyData *)PORT_ZAlloc_Util(sizeof(TLS13EarlyData)); | |||
6958 | if (!ed) { | |||
6959 | FATAL_ERROR(ss, SEC_ERROR_NO_MEMORY, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_NO_MEMORY, __func__, "tls13con.c" , 6959); PORT_SetError_Util(SEC_ERROR_NO_MEMORY); } while (0) ; tls13_FatalError(ss, SEC_ERROR_NO_MEMORY, internal_error); } while (0); | |||
6960 | return SECFailure; | |||
6961 | } | |||
6962 | it.data = origBuf->buf; | |||
6963 | it.len = origBuf->len; | |||
6964 | if (SECITEM_CopyItemSECITEM_CopyItem_Util(NULL((void*)0), &ed->data, &it) != SECSuccess) { | |||
6965 | FATAL_ERROR(ss, SEC_ERROR_NO_MEMORY, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_NO_MEMORY, __func__, "tls13con.c" , 6965); PORT_SetError_Util(SEC_ERROR_NO_MEMORY); } while (0) ; tls13_FatalError(ss, SEC_ERROR_NO_MEMORY, internal_error); } while (0); | |||
6966 | return SECFailure; | |||
6967 | } | |||
6968 | PR_APPEND_LINK(&ed->link, &ss->ssl3.hs.bufferedEarlyData)do { (&ed->link)->next = (&ss->ssl3.hs.bufferedEarlyData ); (&ed->link)->prev = (&ss->ssl3.hs.bufferedEarlyData )->prev; (&ss->ssl3.hs.bufferedEarlyData)->prev-> next = (&ed->link); (&ss->ssl3.hs.bufferedEarlyData )->prev = (&ed->link); } while (0); | |||
6969 | ||||
6970 | origBuf->len = 0; /* So ssl3_GatherAppDataRecord will keep looping. */ | |||
6971 | ||||
6972 | return SECSuccess; | |||
6973 | } | |||
6974 | ||||
6975 | PRUint16 | |||
6976 | tls13_EncodeVersion(SSL3ProtocolVersion version, SSLProtocolVariant variant) | |||
6977 | { | |||
6978 | if (variant == ssl_variant_datagram) { | |||
6979 | return dtls_TLSVersionToDTLSVersion(version); | |||
6980 | } | |||
6981 | /* Stream-variant encodings do not change. */ | |||
6982 | return (PRUint16)version; | |||
6983 | } | |||
6984 | ||||
6985 | SECStatus | |||
6986 | tls13_ClientReadSupportedVersion(sslSocket *ss) | |||
6987 | { | |||
6988 | PRUint32 temp; | |||
6989 | TLSExtension *versionExtension; | |||
6990 | SECItem it; | |||
6991 | SECStatus rv; | |||
6992 | ||||
6993 | /* Update the version based on the extension, as necessary. */ | |||
6994 | versionExtension = ssl3_FindExtension(ss, ssl_tls13_supported_versions_xtn); | |||
6995 | if (!versionExtension) { | |||
6996 | return SECSuccess; | |||
6997 | } | |||
6998 | ||||
6999 | /* Struct copy so we don't damage the extension. */ | |||
7000 | it = versionExtension->data; | |||
7001 | ||||
7002 | rv = ssl3_ConsumeHandshakeNumber(ss, &temp, 2, &it.data, &it.len); | |||
7003 | if (rv != SECSuccess) { | |||
7004 | return SECFailure; | |||
7005 | } | |||
7006 | if (it.len) { | |||
7007 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_SERVER_HELLO, illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_SERVER_HELLO, __func__ , "tls13con.c", 7007); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_SERVER_HELLO ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_SERVER_HELLO , illegal_parameter); } while (0); | |||
7008 | return SECFailure; | |||
7009 | } | |||
7010 | ||||
7011 | if (temp != tls13_EncodeVersion(SSL_LIBRARY_VERSION_TLS_1_30x0304, | |||
7012 | ss->protocolVariant)) { | |||
7013 | /* You cannot negotiate < TLS 1.3 with supported_versions. */ | |||
7014 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_SERVER_HELLO, illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_SERVER_HELLO, __func__ , "tls13con.c", 7014); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_SERVER_HELLO ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_SERVER_HELLO , illegal_parameter); } while (0); | |||
7015 | return SECFailure; | |||
7016 | } | |||
7017 | ||||
7018 | /* Any endpoint receiving a Hello message with...ServerHello.legacy_version | |||
7019 | * set to 0x0300 (SSL3) MUST abort the handshake with a "protocol_version" | |||
7020 | * alert. [RFC8446, Section D.5] | |||
7021 | * | |||
7022 | * The ServerHello.legacy_version is read into the ss->version field by | |||
7023 | * ssl_ClientReadVersion(). */ | |||
7024 | if (ss->version == SSL_LIBRARY_VERSION_3_00x0300) { | |||
7025 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_SERVER_HELLO, protocol_version)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_SERVER_HELLO, __func__ , "tls13con.c", 7025); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_SERVER_HELLO ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_SERVER_HELLO , protocol_version); } while (0); | |||
7026 | return SECFailure; | |||
7027 | } | |||
7028 | ||||
7029 | ss->version = SSL_LIBRARY_VERSION_TLS_1_30x0304; | |||
7030 | return SECSuccess; | |||
7031 | } | |||
7032 | ||||
7033 | /* Pick the highest version we support that is also advertised. */ | |||
7034 | SECStatus | |||
7035 | tls13_NegotiateVersion(sslSocket *ss, const TLSExtension *supportedVersions) | |||
7036 | { | |||
7037 | PRUint16 version; | |||
7038 | /* Make a copy so we're nondestructive. */ | |||
7039 | SECItem data = supportedVersions->data; | |||
7040 | SECItem versions; | |||
7041 | SECStatus rv; | |||
7042 | ||||
7043 | rv = ssl3_ConsumeHandshakeVariable(ss, &versions, 1, | |||
7044 | &data.data, &data.len); | |||
7045 | if (rv != SECSuccess) { | |||
7046 | return SECFailure; | |||
7047 | } | |||
7048 | if (data.len || !versions.len || (versions.len & 1)) { | |||
7049 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CLIENT_HELLO, illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_CLIENT_HELLO, __func__ , "tls13con.c", 7049); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_CLIENT_HELLO , illegal_parameter); } while (0); | |||
7050 | return SECFailure; | |||
7051 | } | |||
7052 | for (version = ss->vrange.max; version >= ss->vrange.min; --version) { | |||
7053 | if (version < SSL_LIBRARY_VERSION_TLS_1_30x0304 && | |||
7054 | (ss->ssl3.hs.helloRetry || ss->ssl3.hs.echAccepted)) { | |||
7055 | /* Prevent negotiating to a lower version after 1.3 HRR or ECH | |||
7056 | * When accepting ECH, a different alert is generated. | |||
7057 | */ | |||
7058 | SSL3AlertDescription alert = ss->ssl3.hs.echAccepted ? illegal_parameter : protocol_version; | |||
7059 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_UNSUPPORTED_VERSION); | |||
7060 | FATAL_ERROR(ss, SSL_ERROR_UNSUPPORTED_VERSION, alert)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_UNSUPPORTED_VERSION, __func__ , "tls13con.c", 7060); PORT_SetError_Util(SSL_ERROR_UNSUPPORTED_VERSION ); } while (0); tls13_FatalError(ss, SSL_ERROR_UNSUPPORTED_VERSION , alert); } while (0); | |||
7061 | return SECFailure; | |||
7062 | } | |||
7063 | ||||
7064 | PRUint16 wire = tls13_EncodeVersion(version, ss->protocolVariant); | |||
7065 | unsigned long offset; | |||
7066 | ||||
7067 | for (offset = 0; offset < versions.len; offset += 2) { | |||
7068 | PRUint16 supported = | |||
7069 | (versions.data[offset] << 8) | versions.data[offset + 1]; | |||
7070 | if (supported == wire) { | |||
7071 | ss->version = version; | |||
7072 | return SECSuccess; | |||
7073 | } | |||
7074 | } | |||
7075 | } | |||
7076 | ||||
7077 | FATAL_ERROR(ss, SSL_ERROR_UNSUPPORTED_VERSION, protocol_version)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_UNSUPPORTED_VERSION, __func__ , "tls13con.c", 7077); PORT_SetError_Util(SSL_ERROR_UNSUPPORTED_VERSION ); } while (0); tls13_FatalError(ss, SSL_ERROR_UNSUPPORTED_VERSION , protocol_version); } while (0); | |||
7078 | return SECFailure; | |||
7079 | } | |||
7080 | ||||
7081 | /* This is TLS 1.3 or might negotiate to it. */ | |||
7082 | PRBool | |||
7083 | tls13_MaybeTls13(sslSocket *ss) | |||
7084 | { | |||
7085 | if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_30x0304) { | |||
7086 | return PR_TRUE1; | |||
7087 | } | |||
7088 | ||||
7089 | if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_30x0304) { | |||
7090 | return PR_FALSE0; | |||
7091 | } | |||
7092 | ||||
7093 | if (!(ss->ssl3.hs.preliminaryInfo & ssl_preinfo_version(1U << 0))) { | |||
7094 | return PR_TRUE1; | |||
7095 | } | |||
7096 | ||||
7097 | return PR_FALSE0; | |||
7098 | } | |||
7099 | ||||
7100 | /* Setup random client GREASE values according to RFC8701. State must be kept | |||
7101 | * so an equal ClientHello might be send on HelloRetryRequest. */ | |||
7102 | SECStatus | |||
7103 | tls13_ClientGreaseSetup(sslSocket *ss) | |||
7104 | { | |||
7105 | if (!ss->opt.enableGrease) { | |||
7106 | return SECSuccess; | |||
7107 | } | |||
7108 | ||||
7109 | PORT_Assert(ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3)((ss->vrange.max >= 0x0304)?((void)0):PR_Assert("ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3" ,"tls13con.c",7109)); | |||
7110 | ||||
7111 | if (ss->ssl3.hs.grease) { | |||
7112 | return SECFailure; | |||
7113 | } | |||
7114 | ss->ssl3.hs.grease = PORT_AllocPORT_Alloc_Util(sizeof(tls13ClientGrease)); | |||
7115 | if (!ss->ssl3.hs.grease) { | |||
7116 | return SECFailure; | |||
7117 | } | |||
7118 | ||||
7119 | tls13ClientGrease *grease = ss->ssl3.hs.grease; | |||
7120 | /* We require eight GREASE values and randoms. */ | |||
7121 | PRUint8 random[8]; | |||
7122 | ||||
7123 | /* Generate random GREASE values. */ | |||
7124 | if (PK11_GenerateRandom(random, sizeof(random)) != SECSuccess) { | |||
7125 | return SECFailure; | |||
7126 | } | |||
7127 | for (size_t i = 0; i < PR_ARRAY_SIZE(grease->idx)(sizeof(grease->idx)/sizeof((grease->idx)[0])); i++) { | |||
7128 | random[i] = ((random[i] & 0xf0) | 0x0a); | |||
7129 | grease->idx[i] = ((random[i] << 8) | random[i]); | |||
7130 | } | |||
7131 | /* Specific PskKeyExchangeMode GREASE value. */ | |||
7132 | grease->pskKem = 0x0b + ((random[8 - 1] >> 5) * 0x1f); | |||
7133 | ||||
7134 | /* Duplicate extensions are not allowed. */ | |||
7135 | if (grease->idx[grease_extension1] == grease->idx[grease_extension2]) { | |||
7136 | grease->idx[grease_extension2] ^= 0x1010; | |||
7137 | } | |||
7138 | ||||
7139 | return SECSuccess; | |||
7140 | } | |||
7141 | ||||
7142 | /* Destroy client GREASE state. */ | |||
7143 | void | |||
7144 | tls13_ClientGreaseDestroy(sslSocket *ss) | |||
7145 | { | |||
7146 | if (ss->ssl3.hs.grease) { | |||
7147 | PORT_FreePORT_Free_Util(ss->ssl3.hs.grease); | |||
7148 | ss->ssl3.hs.grease = NULL((void*)0); | |||
7149 | } | |||
7150 | } | |||
7151 | ||||
7152 | /* Generate a random GREASE value according to RFC8701. | |||
7153 | * This function does not provide valid PskKeyExchangeMode GREASE values! */ | |||
7154 | SECStatus | |||
7155 | tls13_RandomGreaseValue(PRUint16 *out) | |||
7156 | { | |||
7157 | PRUint8 random; | |||
7158 | ||||
7159 | if (PK11_GenerateRandom(&random, sizeof(random)) != SECSuccess) { | |||
7160 | return SECFailure; | |||
7161 | } | |||
7162 | ||||
7163 | random = ((random & 0xf0) | 0x0a); | |||
7164 | *out = ((random << 8) | random); | |||
7165 | ||||
7166 | return SECSuccess; | |||
7167 | } | |||
7168 | ||||
7169 | /* Set TLS 1.3 GREASE Extension random GREASE type. */ | |||
7170 | SECStatus | |||
7171 | tls13_MaybeGreaseExtensionType(const sslSocket *ss, | |||
7172 | const SSLHandshakeType message, | |||
7173 | PRUint16 *exType) | |||
7174 | { | |||
7175 | if (*exType != ssl_tls13_grease_xtn) { | |||
7176 | return SECSuccess; | |||
7177 | } | |||
7178 | ||||
7179 | PR_ASSERT(ss->opt.enableGrease)((ss->opt.enableGrease)?((void)0):PR_Assert("ss->opt.enableGrease" ,"tls13con.c",7179)); | |||
7180 | PR_ASSERT(message == ssl_hs_client_hello ||((message == ssl_hs_client_hello || message == ssl_hs_certificate_request )?((void)0):PR_Assert("message == ssl_hs_client_hello || message == ssl_hs_certificate_request" ,"tls13con.c",7181)) | |||
7181 | message == ssl_hs_certificate_request)((message == ssl_hs_client_hello || message == ssl_hs_certificate_request )?((void)0):PR_Assert("message == ssl_hs_client_hello || message == ssl_hs_certificate_request" ,"tls13con.c",7181)); | |||
7182 | ||||
7183 | /* GREASE ClientHello: | |||
7184 | * A client MAY select one or more GREASE extension values and | |||
7185 | * advertise them as extensions with varying length and contents | |||
7186 | * [RFC8701, Section 3.1]. */ | |||
7187 | if (message == ssl_hs_client_hello) { | |||
7188 | PR_ASSERT(ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3)((ss->vrange.max >= 0x0304)?((void)0):PR_Assert("ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3" ,"tls13con.c",7188)); | |||
7189 | /* Check if the first GREASE extension was already added. */ | |||
7190 | if (!ssl3_ExtensionAdvertised(ss, ss->ssl3.hs.grease->idx[grease_extension1])) { | |||
7191 | *exType = ss->ssl3.hs.grease->idx[grease_extension1]; | |||
7192 | } else { | |||
7193 | *exType = ss->ssl3.hs.grease->idx[grease_extension2]; | |||
7194 | } | |||
7195 | } | |||
7196 | /* GREASE CertificateRequest: | |||
7197 | * When sending a CertificateRequest in TLS 1.3, a server MAY behave as | |||
7198 | * follows: A server MAY select one or more GREASE extension values and | |||
7199 | * advertise them as extensions with varying length and contents | |||
7200 | * [RFC8701, Section 4.1]. */ | |||
7201 | else if (message == ssl_hs_certificate_request) { | |||
7202 | PR_ASSERT(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3)((ss->version >= 0x0304)?((void)0):PR_Assert("ss->version >= SSL_LIBRARY_VERSION_TLS_1_3" ,"tls13con.c",7202)); | |||
7203 | /* Get random grease extension type. */ | |||
7204 | SECStatus rv = tls13_RandomGreaseValue(exType); | |||
7205 | if (rv != SECSuccess) { | |||
7206 | return SECFailure; | |||
7207 | } | |||
7208 | } | |||
7209 | ||||
7210 | return SECSuccess; | |||
7211 | } |