File: | s/lib/ssl/tls13ech.c |
Warning: | line 938, column 5 Value stored to 'rv' is never read |
Press '?' to see keyboard shortcuts
Keyboard shortcuts:
1 | /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ |
2 | /* |
3 | * This Source Code Form is subject to the terms of the Mozilla Public |
4 | * License, v. 2.0. If a copy of the MPL was not distributed with this |
5 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
6 | |
7 | #include "nss.h" |
8 | #include "pk11func.h" |
9 | #include "pk11hpke.h" |
10 | #include "ssl.h" |
11 | #include "sslproto.h" |
12 | #include "sslimpl.h" |
13 | #include "selfencrypt.h" |
14 | #include "ssl3exthandle.h" |
15 | #include "tls13ech.h" |
16 | #include "tls13exthandle.h" |
17 | #include "tls13hashstate.h" |
18 | #include "tls13hkdf.h" |
19 | |
20 | extern SECStatus |
21 | ssl3_UpdateHandshakeHashesInt(sslSocket *ss, const unsigned char *b, |
22 | unsigned int l, sslBuffer *transcriptBuf); |
23 | extern SECStatus |
24 | ssl3_HandleClientHelloPreamble(sslSocket *ss, PRUint8 **b, PRUint32 *length, SECItem *sidBytes, |
25 | SECItem *cookieBytes, SECItem *suites, SECItem *comps); |
26 | extern SECStatus |
27 | tls13_DeriveSecret(sslSocket *ss, PK11SymKey *key, |
28 | const char *label, |
29 | unsigned int labelLen, |
30 | const SSL3Hashes *hashes, |
31 | PK11SymKey **dest, |
32 | SSLHashType hash); |
33 | |
34 | PRBool |
35 | tls13_Debug_CheckXtnBegins(const PRUint8 *start, const PRUint16 xtnType) |
36 | { |
37 | #ifdef DEBUG1 |
38 | SECStatus rv; |
39 | sslReader ext_reader = SSL_READER(start, 2){ { start, 2 }, 0 }; |
40 | PRUint64 extension_number; |
41 | rv = sslRead_ReadNumber(&ext_reader, 2, &extension_number); |
42 | return ((rv == SECSuccess) && (extension_number == xtnType)); |
43 | #else |
44 | return PR_TRUE1; |
45 | #endif |
46 | } |
47 | |
48 | void |
49 | tls13_DestroyEchConfig(sslEchConfig *config) |
50 | { |
51 | if (!config) { |
52 | return; |
53 | } |
54 | SECITEM_FreeItemSECITEM_FreeItem_Util(&config->contents.publicKey, PR_FALSE0); |
55 | SECITEM_FreeItemSECITEM_FreeItem_Util(&config->contents.suites, PR_FALSE0); |
56 | SECITEM_FreeItemSECITEM_FreeItem_Util(&config->raw, PR_FALSE0); |
57 | PORT_FreePORT_Free_Util(config->contents.publicName); |
58 | config->contents.publicName = NULL((void*)0); |
59 | PORT_ZFreePORT_ZFree_Util(config, sizeof(*config)); |
60 | } |
61 | |
62 | void |
63 | tls13_DestroyEchConfigs(PRCList *list) |
64 | { |
65 | PRCList *cur_p; |
66 | while (!PR_CLIST_IS_EMPTY(list)((list)->next == (list))) { |
67 | cur_p = PR_LIST_TAIL(list)(list)->prev; |
68 | PR_REMOVE_LINK(cur_p)do { (cur_p)->prev->next = (cur_p)->next; (cur_p)-> next->prev = (cur_p)->prev; } while (0); |
69 | tls13_DestroyEchConfig((sslEchConfig *)cur_p); |
70 | } |
71 | } |
72 | |
73 | void |
74 | tls13_DestroyEchXtnState(sslEchXtnState *state) |
75 | { |
76 | if (!state) { |
77 | return; |
78 | } |
79 | SECITEM_FreeItemSECITEM_FreeItem_Util(&state->innerCh, PR_FALSE0); |
80 | SECITEM_FreeItemSECITEM_FreeItem_Util(&state->senderPubKey, PR_FALSE0); |
81 | SECITEM_FreeItemSECITEM_FreeItem_Util(&state->retryConfigs, PR_FALSE0); |
82 | PORT_ZFreePORT_ZFree_Util(state, sizeof(*state)); |
83 | } |
84 | |
85 | SECStatus |
86 | tls13_CopyEchConfigs(PRCList *oConfigs, PRCList *configs) |
87 | { |
88 | SECStatus rv; |
89 | sslEchConfig *config; |
90 | sslEchConfig *newConfig = NULL((void*)0); |
91 | |
92 | for (PRCList *cur_p = PR_LIST_HEAD(oConfigs)(oConfigs)->next; |
93 | cur_p != oConfigs; |
94 | cur_p = PR_NEXT_LINK(cur_p)((cur_p)->next)) { |
95 | config = (sslEchConfig *)PR_LIST_TAIL(oConfigs)(oConfigs)->prev; |
96 | newConfig = PORT_ZNew(sslEchConfig)(sslEchConfig *)PORT_ZAlloc_Util(sizeof(sslEchConfig)); |
97 | if (!newConfig) { |
98 | goto loser; |
99 | } |
100 | |
101 | rv = SECITEM_CopyItemSECITEM_CopyItem_Util(NULL((void*)0), &newConfig->raw, &config->raw); |
102 | if (rv != SECSuccess) { |
103 | goto loser; |
104 | } |
105 | newConfig->contents.publicName = PORT_StrdupPORT_Strdup_Util(config->contents.publicName); |
106 | if (!newConfig->contents.publicName) { |
107 | goto loser; |
108 | } |
109 | rv = SECITEM_CopyItemSECITEM_CopyItem_Util(NULL((void*)0), &newConfig->contents.publicKey, |
110 | &config->contents.publicKey); |
111 | if (rv != SECSuccess) { |
112 | goto loser; |
113 | } |
114 | rv = SECITEM_CopyItemSECITEM_CopyItem_Util(NULL((void*)0), &newConfig->contents.suites, |
115 | &config->contents.suites); |
116 | if (rv != SECSuccess) { |
117 | goto loser; |
118 | } |
119 | newConfig->contents.configId = config->contents.configId; |
120 | newConfig->contents.kemId = config->contents.kemId; |
121 | newConfig->contents.kdfId = config->contents.kdfId; |
122 | newConfig->contents.aeadId = config->contents.aeadId; |
123 | newConfig->contents.maxNameLen = config->contents.maxNameLen; |
124 | newConfig->version = config->version; |
125 | PR_APPEND_LINK(&newConfig->link, configs)do { (&newConfig->link)->next = (configs); (&newConfig ->link)->prev = (configs)->prev; (configs)->prev-> next = (&newConfig->link); (configs)->prev = (& newConfig->link); } while (0); |
126 | } |
127 | return SECSuccess; |
128 | |
129 | loser: |
130 | tls13_DestroyEchConfig(newConfig); |
131 | tls13_DestroyEchConfigs(configs); |
132 | return SECFailure; |
133 | } |
134 | |
135 | /* |
136 | * struct { |
137 | * HpkeKdfId kdf_id; |
138 | * HpkeAeadId aead_id; |
139 | * } HpkeSymmetricCipherSuite; |
140 | * |
141 | * struct { |
142 | * uint8 config_id; |
143 | * HpkeKemId kem_id; |
144 | * HpkePublicKey public_key; |
145 | * HpkeSymmetricCipherSuite cipher_suites<4..2^16-4>; |
146 | * } HpkeKeyConfig; |
147 | * |
148 | * struct { |
149 | * HpkeKeyConfig key_config; |
150 | * uint16 maximum_name_length; |
151 | * opaque public_name<1..2^16-1>; |
152 | * Extension extensions<0..2^16-1>; |
153 | * } ECHConfigContents; |
154 | * |
155 | * struct { |
156 | * uint16 version; |
157 | * uint16 length; |
158 | * select (ECHConfig.version) { |
159 | * case 0xfe0d: ECHConfigContents contents; |
160 | * } |
161 | * } ECHConfig; |
162 | */ |
163 | static SECStatus |
164 | tls13_DecodeEchConfigContents(const sslReadBuffer *rawConfig, |
165 | sslEchConfig **outConfig) |
166 | { |
167 | SECStatus rv; |
168 | sslEchConfigContents contents = { 0 }; |
169 | sslEchConfig *decodedConfig; |
170 | PRUint64 tmpn; |
171 | PRUint64 tmpn2; |
172 | sslReadBuffer tmpBuf; |
173 | PRUint16 *extensionTypes = NULL((void*)0); |
174 | unsigned int extensionIndex = 0; |
175 | sslReader configReader = SSL_READER(rawConfig->buf, rawConfig->len){ { rawConfig->buf, rawConfig->len }, 0 }; |
176 | sslReader suiteReader; |
177 | sslReader extensionReader; |
178 | PRBool hasValidSuite = PR_FALSE0; |
179 | PRBool unsupportedMandatoryXtn = PR_FALSE0; |
180 | |
181 | /* HpkeKeyConfig key_config */ |
182 | /* uint8 config_id */ |
183 | rv = sslRead_ReadNumber(&configReader, 1, &tmpn); |
184 | if (rv != SECSuccess) { |
185 | goto loser; |
186 | } |
187 | contents.configId = tmpn; |
188 | |
189 | /* HpkeKemId kem_id */ |
190 | rv = sslRead_ReadNumber(&configReader, 2, &tmpn); |
191 | if (rv != SECSuccess) { |
192 | goto loser; |
193 | } |
194 | contents.kemId = tmpn; |
195 | |
196 | /* HpkePublicKey public_key */ |
197 | rv = sslRead_ReadVariable(&configReader, 2, &tmpBuf); |
198 | if (rv != SECSuccess) { |
199 | goto loser; |
200 | } |
201 | rv = SECITEM_MakeItem(NULL((void*)0), &contents.publicKey, (PRUint8 *)tmpBuf.buf, tmpBuf.len); |
202 | if (rv != SECSuccess) { |
203 | goto loser; |
204 | } |
205 | |
206 | /* HpkeSymmetricCipherSuite cipher_suites<4..2^16-4> */ |
207 | rv = sslRead_ReadVariable(&configReader, 2, &tmpBuf); |
208 | if (rv != SECSuccess) { |
209 | goto loser; |
210 | } |
211 | if (tmpBuf.len & 1) { |
212 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_RX_MALFORMED_ECH_CONFIGSSL_ERROR_RX_MALFORMED_ESNI_KEYS); |
213 | goto loser; |
214 | } |
215 | suiteReader = (sslReader)SSL_READER(tmpBuf.buf, tmpBuf.len){ { tmpBuf.buf, tmpBuf.len }, 0 }; |
216 | while (SSL_READER_REMAINING(&suiteReader)((&suiteReader)->buf.len - (&suiteReader)->offset )) { |
217 | /* HpkeKdfId kdf_id */ |
218 | rv = sslRead_ReadNumber(&suiteReader, 2, &tmpn); |
219 | if (rv != SECSuccess) { |
220 | goto loser; |
221 | } |
222 | /* HpkeAeadId aead_id */ |
223 | rv = sslRead_ReadNumber(&suiteReader, 2, &tmpn2); |
224 | if (rv != SECSuccess) { |
225 | goto loser; |
226 | } |
227 | if (!hasValidSuite) { |
228 | /* Use the first compatible ciphersuite. */ |
229 | rv = PK11_HPKE_ValidateParameters(contents.kemId, tmpn, tmpn2); |
230 | if (rv == SECSuccess) { |
231 | hasValidSuite = PR_TRUE1; |
232 | contents.kdfId = tmpn; |
233 | contents.aeadId = tmpn2; |
234 | break; |
235 | } |
236 | } |
237 | } |
238 | |
239 | rv = SECITEM_MakeItem(NULL((void*)0), &contents.suites, (PRUint8 *)tmpBuf.buf, tmpBuf.len); |
240 | if (rv != SECSuccess) { |
241 | goto loser; |
242 | } |
243 | |
244 | /* uint8 maximum_name_length */ |
245 | rv = sslRead_ReadNumber(&configReader, 1, &tmpn); |
246 | if (rv != SECSuccess) { |
247 | goto loser; |
248 | } |
249 | contents.maxNameLen = (PRUint8)tmpn; |
250 | |
251 | /* opaque public_name<1..2^16-1> */ |
252 | rv = sslRead_ReadVariable(&configReader, 1, &tmpBuf); |
253 | if (rv != SECSuccess) { |
254 | goto loser; |
255 | } |
256 | |
257 | if (tmpBuf.len == 0) { |
258 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_RX_MALFORMED_ECH_CONFIGSSL_ERROR_RX_MALFORMED_ESNI_KEYS); |
259 | goto loser; |
260 | } |
261 | if (!tls13_IsLDH(tmpBuf.buf, tmpBuf.len) || |
262 | tls13_IsIp(tmpBuf.buf, tmpBuf.len)) { |
263 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_RX_MALFORMED_ECH_CONFIGSSL_ERROR_RX_MALFORMED_ESNI_KEYS); |
264 | goto loser; |
265 | } |
266 | |
267 | contents.publicName = PORT_ZAllocPORT_ZAlloc_Util(tmpBuf.len + 1); |
268 | if (!contents.publicName) { |
269 | goto loser; |
270 | } |
271 | PORT_Memcpymemcpy(contents.publicName, (PRUint8 *)tmpBuf.buf, tmpBuf.len); |
272 | |
273 | /* Extensions. We don't support any, but must |
274 | * check for any that are marked critical. */ |
275 | rv = sslRead_ReadVariable(&configReader, 2, &tmpBuf); |
276 | if (rv != SECSuccess) { |
277 | goto loser; |
278 | } |
279 | |
280 | extensionReader = (sslReader)SSL_READER(tmpBuf.buf, tmpBuf.len){ { tmpBuf.buf, tmpBuf.len }, 0 }; |
281 | extensionTypes = PORT_NewArray(PRUint16, tmpBuf.len / 2 * sizeof(PRUint16))(PRUint16 *)PORT_Alloc_Util(sizeof(PRUint16) * (tmpBuf.len / 2 * sizeof(PRUint16))); |
282 | if (!extensionTypes) { |
283 | goto loser; |
284 | } |
285 | |
286 | while (SSL_READER_REMAINING(&extensionReader)((&extensionReader)->buf.len - (&extensionReader)-> offset)) { |
287 | /* Get the extension's type field */ |
288 | rv = sslRead_ReadNumber(&extensionReader, 2, &tmpn); |
289 | if (rv != SECSuccess) { |
290 | goto loser; |
291 | } |
292 | |
293 | for (unsigned int i = 0; i < extensionIndex; i++) { |
294 | if (extensionTypes[i] == tmpn) { |
295 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_EXTENSION_VALUE_INVALID); |
296 | goto loser; |
297 | } |
298 | } |
299 | extensionTypes[extensionIndex++] = (PRUint16)tmpn; |
300 | |
301 | /* Clients MUST parse the extension list and check for unsupported |
302 | * mandatory extensions. If an unsupported mandatory extension is |
303 | * present, clients MUST ignore the ECHConfig |
304 | * [draft-ietf-tls-esni, Section 4.2]. */ |
305 | if (tmpn & (1 << 15)) { |
306 | unsupportedMandatoryXtn = PR_TRUE1; |
307 | } |
308 | |
309 | /* Skip. */ |
310 | rv = sslRead_ReadVariable(&extensionReader, 2, &tmpBuf); |
311 | if (rv != SECSuccess) { |
312 | goto loser; |
313 | } |
314 | } |
315 | |
316 | /* Check that we consumed the entire ECHConfig */ |
317 | if (SSL_READER_REMAINING(&configReader)((&configReader)->buf.len - (&configReader)->offset )) { |
318 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_RX_MALFORMED_ECH_CONFIGSSL_ERROR_RX_MALFORMED_ESNI_KEYS); |
319 | goto loser; |
320 | } |
321 | |
322 | /* If the ciphersuites were compatible AND if NO unsupported mandatory |
323 | * extensions were found set the outparam. Return success either way if the |
324 | * config was well-formed. */ |
325 | if (hasValidSuite && !unsupportedMandatoryXtn) { |
326 | decodedConfig = PORT_ZNew(sslEchConfig)(sslEchConfig *)PORT_ZAlloc_Util(sizeof(sslEchConfig)); |
327 | if (!decodedConfig) { |
328 | goto loser; |
329 | } |
330 | decodedConfig->contents = contents; |
331 | *outConfig = decodedConfig; |
332 | } else { |
333 | PORT_FreePORT_Free_Util(contents.publicName); |
334 | SECITEM_FreeItemSECITEM_FreeItem_Util(&contents.publicKey, PR_FALSE0); |
335 | SECITEM_FreeItemSECITEM_FreeItem_Util(&contents.suites, PR_FALSE0); |
336 | } |
337 | PORT_FreePORT_Free_Util(extensionTypes); |
338 | return SECSuccess; |
339 | |
340 | loser: |
341 | PORT_FreePORT_Free_Util(extensionTypes); |
342 | PORT_FreePORT_Free_Util(contents.publicName); |
343 | SECITEM_FreeItemSECITEM_FreeItem_Util(&contents.publicKey, PR_FALSE0); |
344 | SECITEM_FreeItemSECITEM_FreeItem_Util(&contents.suites, PR_FALSE0); |
345 | return SECFailure; |
346 | } |
347 | |
348 | /* Decode an ECHConfigList struct and store each ECHConfig |
349 | * into |configs|. */ |
350 | SECStatus |
351 | tls13_DecodeEchConfigs(const SECItem *data, PRCList *configs) |
352 | { |
353 | SECStatus rv; |
354 | sslEchConfig *decodedConfig = NULL((void*)0); |
355 | sslReader rdr = SSL_READER(data->data, data->len){ { data->data, data->len }, 0 }; |
356 | sslReadBuffer tmp; |
357 | sslReadBuffer singleConfig; |
358 | PRUint64 version; |
359 | PRUint64 length; |
360 | PORT_Assert(PR_CLIST_IS_EMPTY(configs))((((configs)->next == (configs)))?((void)0):PR_Assert("PR_CLIST_IS_EMPTY(configs)" ,"tls13ech.c",360)); |
361 | |
362 | rv = sslRead_ReadVariable(&rdr, 2, &tmp); |
363 | if (rv != SECSuccess) { |
364 | return SECFailure; |
365 | } |
366 | SSL_TRC(100, ("Read EchConfig list of size %u", SSL_READER_REMAINING(&rdr)))if (ssl_trace >= (100)) ssl_Trace ("Read EchConfig list of size %u" , ((&rdr)->buf.len - (&rdr)->offset)); |
367 | if (SSL_READER_REMAINING(&rdr)((&rdr)->buf.len - (&rdr)->offset)) { |
368 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_BAD_DATA); |
369 | return SECFailure; |
370 | } |
371 | |
372 | sslReader configsReader = SSL_READER(tmp.buf, tmp.len){ { tmp.buf, tmp.len }, 0 }; |
373 | |
374 | if (!SSL_READER_REMAINING(&configsReader)((&configsReader)->buf.len - (&configsReader)-> offset)) { |
375 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_BAD_DATA); |
376 | return SECFailure; |
377 | } |
378 | |
379 | /* Handle each ECHConfig. */ |
380 | while (SSL_READER_REMAINING(&configsReader)((&configsReader)->buf.len - (&configsReader)-> offset)) { |
381 | singleConfig.buf = SSL_READER_CURRENT(&configsReader)((&configsReader)->buf.buf + (&configsReader)-> offset); |
382 | /* uint16 version */ |
383 | rv = sslRead_ReadNumber(&configsReader, 2, &version); |
384 | if (rv != SECSuccess) { |
385 | goto loser; |
386 | } |
387 | /* uint16 length */ |
388 | rv = sslRead_ReadNumber(&configsReader, 2, &length); |
389 | if (rv != SECSuccess) { |
390 | goto loser; |
391 | } |
392 | singleConfig.len = 4 + length; |
393 | |
394 | rv = sslRead_Read(&configsReader, length, &tmp); |
395 | if (rv != SECSuccess) { |
396 | goto loser; |
397 | } |
398 | |
399 | if (version == TLS13_ECH_VERSION0xfe0d) { |
400 | rv = tls13_DecodeEchConfigContents(&tmp, &decodedConfig); |
401 | if (rv != SECSuccess) { |
402 | goto loser; /* code set */ |
403 | } |
404 | |
405 | if (decodedConfig) { |
406 | decodedConfig->version = version; |
407 | rv = SECITEM_MakeItem(NULL((void*)0), &decodedConfig->raw, singleConfig.buf, |
408 | singleConfig.len); |
409 | if (rv != SECSuccess) { |
410 | goto loser; |
411 | } |
412 | |
413 | PR_APPEND_LINK(&decodedConfig->link, configs)do { (&decodedConfig->link)->next = (configs); (& decodedConfig->link)->prev = (configs)->prev; (configs )->prev->next = (&decodedConfig->link); (configs )->prev = (&decodedConfig->link); } while (0); |
414 | decodedConfig = NULL((void*)0); |
415 | } |
416 | } |
417 | } |
418 | return SECSuccess; |
419 | |
420 | loser: |
421 | tls13_DestroyEchConfigs(configs); |
422 | return SECFailure; |
423 | } |
424 | |
425 | /* Encode an ECHConfigList structure. We only create one config, and as the |
426 | * primary use for this function is to generate test inputs, we don't |
427 | * validate against what HPKE and libssl can actually support. */ |
428 | SECStatus |
429 | SSLExp_EncodeEchConfigId(PRUint8 configId, const char *publicName, unsigned int maxNameLen, |
430 | HpkeKemId kemId, const SECKEYPublicKey *pubKey, |
431 | const HpkeSymmetricSuite *hpkeSuites, unsigned int hpkeSuiteCount, |
432 | PRUint8 *out, unsigned int *outlen, unsigned int maxlen) |
433 | { |
434 | SECStatus rv; |
435 | unsigned int savedOffset; |
436 | unsigned int len; |
437 | sslBuffer b = SSL_BUFFER_EMPTY{ ((void*)0), 0, 0, 0 }; |
438 | PRUint8 tmpBuf[66]; // Large enough for an EC public key, currently only X25519. |
439 | unsigned int tmpLen; |
440 | |
441 | if (!publicName || !hpkeSuites || hpkeSuiteCount == 0 || |
442 | !pubKey || maxNameLen == 0 || !out || !outlen) { |
443 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
444 | return SECFailure; |
445 | } |
446 | |
447 | /* ECHConfig ECHConfigList<1..2^16-1>; */ |
448 | rv = sslBuffer_Skip(&b, 2, NULL((void*)0)); |
449 | if (rv != SECSuccess) { |
450 | goto loser; |
451 | } |
452 | |
453 | /* |
454 | * struct { |
455 | * uint16 version; |
456 | * uint16 length; |
457 | * select (ECHConfig.version) { |
458 | * case 0xfe0d: ECHConfigContents contents; |
459 | * } |
460 | * } ECHConfig; |
461 | */ |
462 | rv = sslBuffer_AppendNumber(&b, TLS13_ECH_VERSION0xfe0d, 2); |
463 | if (rv != SECSuccess) { |
464 | goto loser; |
465 | } |
466 | |
467 | rv = sslBuffer_Skip(&b, 2, &savedOffset); |
468 | if (rv != SECSuccess) { |
469 | goto loser; |
470 | } |
471 | |
472 | /* |
473 | * struct { |
474 | * uint8 config_id; |
475 | * HpkeKemId kem_id; |
476 | * HpkePublicKey public_key; |
477 | * HpkeSymmetricCipherSuite cipher_suites<4..2^16-4>; |
478 | * } HpkeKeyConfig; |
479 | */ |
480 | rv = sslBuffer_AppendNumber(&b, configId, 1); |
481 | if (rv != SECSuccess) { |
482 | goto loser; |
483 | } |
484 | |
485 | rv = sslBuffer_AppendNumber(&b, kemId, 2); |
486 | if (rv != SECSuccess) { |
487 | goto loser; |
488 | } |
489 | |
490 | rv = PK11_HPKE_Serialize(pubKey, tmpBuf, &tmpLen, sizeof(tmpBuf)); |
491 | if (rv != SECSuccess) { |
492 | goto loser; |
493 | } |
494 | rv = sslBuffer_AppendVariable(&b, tmpBuf, tmpLen, 2); |
495 | if (rv != SECSuccess) { |
496 | goto loser; |
497 | } |
498 | |
499 | rv = sslBuffer_AppendNumber(&b, hpkeSuiteCount * 4, 2); |
500 | if (rv != SECSuccess) { |
501 | goto loser; |
502 | } |
503 | for (unsigned int i = 0; i < hpkeSuiteCount; i++) { |
504 | rv = sslBuffer_AppendNumber(&b, hpkeSuites[i].kdfId, 2); |
505 | if (rv != SECSuccess) { |
506 | goto loser; |
507 | } |
508 | rv = sslBuffer_AppendNumber(&b, hpkeSuites[i].aeadId, 2); |
509 | if (rv != SECSuccess) { |
510 | goto loser; |
511 | } |
512 | } |
513 | |
514 | /* |
515 | * struct { |
516 | * HpkeKeyConfig key_config; |
517 | * uint8 maximum_name_length; |
518 | * opaque public_name<1..255>; |
519 | * Extension extensions<0..2^16-1>; |
520 | * } ECHConfigContents; |
521 | */ |
522 | rv = sslBuffer_AppendNumber(&b, maxNameLen, 1); |
523 | if (rv != SECSuccess) { |
524 | goto loser; |
525 | } |
526 | |
527 | len = PORT_Strlen(publicName)strlen(publicName); |
528 | if (len > 0xff) { |
529 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
530 | goto loser; |
531 | } |
532 | rv = sslBuffer_AppendVariable(&b, (const PRUint8 *)publicName, len, 1); |
533 | if (rv != SECSuccess) { |
534 | goto loser; |
535 | } |
536 | |
537 | /* extensions */ |
538 | rv = sslBuffer_AppendNumber(&b, 0, 2); |
539 | if (rv != SECSuccess) { |
540 | goto loser; |
541 | } |
542 | |
543 | /* Write the length now that we know it. */ |
544 | rv = sslBuffer_InsertLength(&b, 0, 2); |
545 | if (rv != SECSuccess) { |
546 | goto loser; |
547 | } |
548 | rv = sslBuffer_InsertLength(&b, savedOffset, 2); |
549 | if (rv != SECSuccess) { |
550 | goto loser; |
551 | } |
552 | |
553 | if (SSL_BUFFER_LEN(&b)((&b)->len) > maxlen) { |
554 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
555 | goto loser; |
556 | } |
557 | PORT_Memcpymemcpy(out, SSL_BUFFER_BASE(&b)((&b)->buf), SSL_BUFFER_LEN(&b)((&b)->len)); |
558 | *outlen = SSL_BUFFER_LEN(&b)((&b)->len); |
559 | sslBuffer_Clear(&b); |
560 | return SECSuccess; |
561 | |
562 | loser: |
563 | sslBuffer_Clear(&b); |
564 | return SECFailure; |
565 | } |
566 | |
567 | SECStatus |
568 | SSLExp_GetEchRetryConfigs(PRFileDesc *fd, SECItem *retryConfigs) |
569 | { |
570 | SECStatus rv; |
571 | sslSocket *ss; |
572 | SECItem out = { siBuffer, NULL((void*)0), 0 }; |
573 | |
574 | if (!fd || !retryConfigs) { |
575 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
576 | return SECFailure; |
577 | } |
578 | ss = ssl_FindSocket(fd); |
579 | if (!ss) { |
580 | SSL_DBG(("%d: SSL[%d]: bad socket in %s",if (ssl_debug) ssl_Trace ("%d: SSL[%d]: bad socket in %s", getpid (), fd, __FUNCTION__) |
581 | SSL_GETPID(), fd, __FUNCTION__))if (ssl_debug) ssl_Trace ("%d: SSL[%d]: bad socket in %s", getpid (), fd, __FUNCTION__); |
582 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
583 | return SECFailure; |
584 | } |
585 | |
586 | /* We don't distinguish between "handshake completed |
587 | * without retry configs", and "handshake not completed". |
588 | * An application should only call this after receiving a |
589 | * RETRY_WITH_ECH error code, which implies retry_configs. */ |
590 | if (!ss->xtnData.ech || !ss->xtnData.ech->retryConfigsValid) { |
591 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_HANDSHAKE_NOT_COMPLETED); |
592 | return SECFailure; |
593 | } |
594 | |
595 | /* May be empty. */ |
596 | rv = SECITEM_CopyItemSECITEM_CopyItem_Util(NULL((void*)0), &out, &ss->xtnData.ech->retryConfigs); |
597 | if (rv == SECFailure) { |
598 | return SECFailure; |
599 | } |
600 | *retryConfigs = out; |
601 | return SECSuccess; |
602 | } |
603 | |
604 | SECStatus |
605 | SSLExp_RemoveEchConfigs(PRFileDesc *fd) |
606 | { |
607 | sslSocket *ss; |
608 | |
609 | if (!fd) { |
610 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
611 | return SECFailure; |
612 | } |
613 | |
614 | ss = ssl_FindSocket(fd); |
615 | if (!ss) { |
616 | SSL_DBG(("%d: SSL[%d]: bad socket in %s",if (ssl_debug) ssl_Trace ("%d: SSL[%d]: bad socket in %s", getpid (), fd, __FUNCTION__) |
617 | SSL_GETPID(), fd, __FUNCTION__))if (ssl_debug) ssl_Trace ("%d: SSL[%d]: bad socket in %s", getpid (), fd, __FUNCTION__); |
618 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
619 | return SECFailure; |
620 | } |
621 | |
622 | SECKEY_DestroyPrivateKey(ss->echPrivKey); |
623 | ss->echPrivKey = NULL((void*)0); |
624 | SECKEY_DestroyPublicKey(ss->echPubKey); |
625 | ss->echPubKey = NULL((void*)0); |
626 | tls13_DestroyEchConfigs(&ss->echConfigs); |
627 | |
628 | /* Also remove any retry_configs and handshake context. */ |
629 | if (ss->xtnData.ech && ss->xtnData.ech->retryConfigs.len) { |
630 | SECITEM_FreeItemSECITEM_FreeItem_Util(&ss->xtnData.ech->retryConfigs, PR_FALSE0); |
631 | } |
632 | |
633 | if (ss->ssl3.hs.echHpkeCtx) { |
634 | PK11_HPKE_DestroyContext(ss->ssl3.hs.echHpkeCtx, PR_TRUE1); |
635 | ss->ssl3.hs.echHpkeCtx = NULL((void*)0); |
636 | } |
637 | PORT_FreePORT_Free_Util(CONST_CAST(char, ss->ssl3.hs.echPublicName)((char *)(ss->ssl3.hs.echPublicName))); |
638 | ss->ssl3.hs.echPublicName = NULL((void*)0); |
639 | |
640 | return SECSuccess; |
641 | } |
642 | |
643 | /* Import one or more ECHConfigs for the given keypair. The AEAD/KDF |
644 | * may differ , but only X25519 is supported for the KEM.*/ |
645 | SECStatus |
646 | SSLExp_SetServerEchConfigs(PRFileDesc *fd, |
647 | const SECKEYPublicKey *pubKey, const SECKEYPrivateKey *privKey, |
648 | const PRUint8 *echConfigs, unsigned int echConfigsLen) |
649 | { |
650 | sslSocket *ss; |
651 | SECStatus rv; |
652 | SECItem data = { siBuffer, CONST_CAST(PRUint8, echConfigs)((PRUint8 *)(echConfigs)), echConfigsLen }; |
653 | |
654 | if (!fd || !pubKey || !privKey || !echConfigs || echConfigsLen == 0) { |
655 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
656 | return SECFailure; |
657 | } |
658 | |
659 | ss = ssl_FindSocket(fd); |
660 | if (!ss) { |
661 | SSL_DBG(("%d: SSL[%d]: bad socket in %s",if (ssl_debug) ssl_Trace ("%d: SSL[%d]: bad socket in %s", getpid (), fd, __FUNCTION__) |
662 | SSL_GETPID(), fd, __FUNCTION__))if (ssl_debug) ssl_Trace ("%d: SSL[%d]: bad socket in %s", getpid (), fd, __FUNCTION__); |
663 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
664 | return SECFailure; |
665 | } |
666 | |
667 | if (IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram)) { |
668 | return SECFailure; |
669 | } |
670 | |
671 | /* Overwrite if we're already configured. */ |
672 | rv = SSLExp_RemoveEchConfigs(fd); |
673 | if (rv != SECSuccess) { |
674 | return SECFailure; |
675 | } |
676 | |
677 | rv = tls13_DecodeEchConfigs(&data, &ss->echConfigs); |
678 | if (rv != SECSuccess) { |
679 | goto loser; |
680 | } |
681 | if (PR_CLIST_IS_EMPTY(&ss->echConfigs)((&ss->echConfigs)->next == (&ss->echConfigs ))) { |
682 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
683 | goto loser; |
684 | } |
685 | |
686 | ss->echPubKey = SECKEY_CopyPublicKey(pubKey); |
687 | if (!ss->echPubKey) { |
688 | goto loser; |
689 | } |
690 | ss->echPrivKey = SECKEY_CopyPrivateKey(privKey); |
691 | if (!ss->echPrivKey) { |
692 | goto loser; |
693 | } |
694 | return SECSuccess; |
695 | |
696 | loser: |
697 | tls13_DestroyEchConfigs(&ss->echConfigs); |
698 | SECKEY_DestroyPrivateKey(ss->echPrivKey); |
699 | SECKEY_DestroyPublicKey(ss->echPubKey); |
700 | ss->echPubKey = NULL((void*)0); |
701 | ss->echPrivKey = NULL((void*)0); |
702 | return SECFailure; |
703 | } |
704 | |
705 | /* Client enable. For now, we'll use the first |
706 | * compatible config (server preference). */ |
707 | SECStatus |
708 | SSLExp_SetClientEchConfigs(PRFileDesc *fd, |
709 | const PRUint8 *echConfigs, |
710 | unsigned int echConfigsLen) |
711 | { |
712 | SECStatus rv; |
713 | sslSocket *ss; |
714 | SECItem data = { siBuffer, CONST_CAST(PRUint8, echConfigs)((PRUint8 *)(echConfigs)), echConfigsLen }; |
715 | |
716 | if (!fd || !echConfigs || echConfigsLen == 0) { |
717 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
718 | return SECFailure; |
719 | } |
720 | |
721 | ss = ssl_FindSocket(fd); |
722 | if (!ss) { |
723 | SSL_DBG(("%d: SSL[%d]: bad socket in %s",if (ssl_debug) ssl_Trace ("%d: SSL[%d]: bad socket in %s", getpid (), fd, __FUNCTION__) |
724 | SSL_GETPID(), fd, __FUNCTION__))if (ssl_debug) ssl_Trace ("%d: SSL[%d]: bad socket in %s", getpid (), fd, __FUNCTION__); |
725 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
726 | return SECFailure; |
727 | } |
728 | |
729 | if (IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram)) { |
730 | return SECFailure; |
731 | } |
732 | |
733 | /* Overwrite if we're already configured. */ |
734 | rv = SSLExp_RemoveEchConfigs(fd); |
735 | if (rv != SECSuccess) { |
736 | return SECFailure; |
737 | } |
738 | |
739 | rv = tls13_DecodeEchConfigs(&data, &ss->echConfigs); |
740 | if (rv != SECSuccess) { |
741 | return SECFailure; |
742 | } |
743 | if (PR_CLIST_IS_EMPTY(&ss->echConfigs)((&ss->echConfigs)->next == (&ss->echConfigs ))) { |
744 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
745 | return SECFailure; |
746 | } |
747 | |
748 | return SECSuccess; |
749 | } |
750 | |
751 | /* Set up ECH. This generates an ephemeral sender |
752 | * keypair and the HPKE context */ |
753 | SECStatus |
754 | tls13_ClientSetupEch(sslSocket *ss, sslClientHelloType type) |
755 | { |
756 | SECStatus rv; |
757 | HpkeContext *cx = NULL((void*)0); |
758 | SECKEYPublicKey *pkR = NULL((void*)0); |
759 | SECItem hpkeInfo = { siBuffer, NULL((void*)0), 0 }; |
760 | sslEchConfig *cfg = NULL((void*)0); |
761 | |
762 | if (PR_CLIST_IS_EMPTY(&ss->echConfigs)((&ss->echConfigs)->next == (&ss->echConfigs )) || |
763 | !ssl_ShouldSendSNIExtension(ss, ss->url) || |
764 | IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram)) { |
765 | return SECSuccess; |
766 | } |
767 | |
768 | /* Maybe apply our own priority if >1. For now, we only support |
769 | * one version and one KEM. Each ECHConfig can specify multiple |
770 | * KDF/AEADs, so just use the first. */ |
771 | cfg = (sslEchConfig *)PR_LIST_HEAD(&ss->echConfigs)(&ss->echConfigs)->next; |
772 | |
773 | SSL_TRC(50, ("%d: TLS13[%d]: Setup client ECH",if (ssl_trace >= (50)) ssl_Trace ("%d: TLS13[%d]: Setup client ECH" , getpid(), ss->fd) |
774 | SSL_GETPID(), ss->fd))if (ssl_trace >= (50)) ssl_Trace ("%d: TLS13[%d]: Setup client ECH" , getpid(), ss->fd); |
775 | |
776 | switch (type) { |
777 | case client_hello_initial: |
778 | PORT_Assert(!ss->ssl3.hs.echHpkeCtx && !ss->ssl3.hs.echPublicName)((!ss->ssl3.hs.echHpkeCtx && !ss->ssl3.hs.echPublicName )?((void)0):PR_Assert("!ss->ssl3.hs.echHpkeCtx && !ss->ssl3.hs.echPublicName" ,"tls13ech.c",778)); |
779 | cx = PK11_HPKE_NewContext(cfg->contents.kemId, cfg->contents.kdfId, |
780 | cfg->contents.aeadId, NULL((void*)0), NULL((void*)0)); |
781 | break; |
782 | case client_hello_retry: |
783 | if (!ss->ssl3.hs.echHpkeCtx || !ss->ssl3.hs.echPublicName) { |
784 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13ech.c" , 784); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); tls13_FatalError(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error ); } while (0); |
785 | return SECFailure; |
786 | } |
787 | /* Nothing else to do. */ |
788 | return SECSuccess; |
789 | default: |
790 | PORT_Assert(0)((0)?((void)0):PR_Assert("0","tls13ech.c",790)); |
791 | goto loser; |
792 | } |
793 | if (!cx) { |
794 | goto loser; |
795 | } |
796 | |
797 | rv = PK11_HPKE_Deserialize(cx, cfg->contents.publicKey.data, cfg->contents.publicKey.len, &pkR); |
798 | if (rv != SECSuccess) { |
799 | goto loser; |
800 | } |
801 | |
802 | if (!SECITEM_AllocItemSECITEM_AllocItem_Util(NULL((void*)0), &hpkeInfo, strlen(kHpkeInfoEch) + 1 + cfg->raw.len)) { |
803 | goto loser; |
804 | } |
805 | PORT_Memcpymemcpy(&hpkeInfo.data[0], kHpkeInfoEch, strlen(kHpkeInfoEch)); |
806 | PORT_Memsetmemset(&hpkeInfo.data[strlen(kHpkeInfoEch)], 0, 1); |
807 | PORT_Memcpymemcpy(&hpkeInfo.data[strlen(kHpkeInfoEch) + 1], cfg->raw.data, cfg->raw.len); |
808 | |
809 | PRINT_BUF(50, (ss, "Info", hpkeInfo.data, hpkeInfo.len))if (ssl_trace >= (50)) ssl_PrintBuf (ss, "Info", hpkeInfo. data, hpkeInfo.len); |
810 | |
811 | /* Setup with an ephemeral sender keypair. */ |
812 | rv = PK11_HPKE_SetupS(cx, NULL((void*)0), NULL((void*)0), pkR, &hpkeInfo); |
813 | if (rv != SECSuccess) { |
814 | goto loser; |
815 | } |
816 | |
817 | rv = ssl3_GetNewRandom(ss->ssl3.hs.client_inner_random); |
818 | if (rv != SECSuccess) { |
819 | goto loser; /* code set */ |
820 | } |
821 | |
822 | /* If ECH is rejected, the application will use SSLChannelInfo |
823 | * to fetch this field and perform cert chain verification. */ |
824 | ss->ssl3.hs.echPublicName = PORT_StrdupPORT_Strdup_Util(cfg->contents.publicName); |
825 | if (!ss->ssl3.hs.echPublicName) { |
826 | goto loser; |
827 | } |
828 | |
829 | ss->ssl3.hs.echHpkeCtx = cx; |
830 | SECKEY_DestroyPublicKey(pkR); |
831 | SECITEM_FreeItemSECITEM_FreeItem_Util(&hpkeInfo, PR_FALSE0); |
832 | return SECSuccess; |
833 | |
834 | loser: |
835 | PK11_HPKE_DestroyContext(cx, PR_TRUE1); |
836 | SECKEY_DestroyPublicKey(pkR); |
837 | SECITEM_FreeItemSECITEM_FreeItem_Util(&hpkeInfo, PR_FALSE0); |
838 | PORT_Assert(PORT_GetError() != 0)((PORT_GetError_Util() != 0)?((void)0):PR_Assert("PORT_GetError() != 0" ,"tls13ech.c",838)); |
839 | return SECFailure; |
840 | } |
841 | |
842 | /* |
843 | * outerAAD - The associated data for the AEAD (the entire client hello with the ECH payload zeroed) |
844 | * chInner - The plaintext which will be encrypted (the ClientHelloInner plus padding) |
845 | * echPayload - Output location. A buffer containing all-zeroes of at least chInner->len + TLS13_ECH_AEAD_TAG_LEN bytes. |
846 | * |
847 | * echPayload may point into outerAAD to avoid the need to duplicate the ClientHelloOuter buffer. |
848 | */ |
849 | static SECStatus |
850 | tls13_EncryptClientHello(sslSocket *ss, SECItem *aadItem, const sslBuffer *chInner, PRUint8 *echPayload) |
851 | { |
852 | SECStatus rv; |
853 | SECItem chPt = { siBuffer, chInner->buf, chInner->len }; |
854 | SECItem *chCt = NULL((void*)0); |
855 | |
856 | PRINT_BUF(50, (ss, "aad for ECH Encrypt", aadItem->data, aadItem->len))if (ssl_trace >= (50)) ssl_PrintBuf (ss, "aad for ECH Encrypt" , aadItem->data, aadItem->len); |
857 | PRINT_BUF(50, (ss, "plaintext for ECH Encrypt", chInner->buf, chInner->len))if (ssl_trace >= (50)) ssl_PrintBuf (ss, "plaintext for ECH Encrypt" , chInner->buf, chInner->len); |
858 | |
859 | #ifndef UNSAFE_FUZZER_MODE |
860 | rv = PK11_HPKE_Seal(ss->ssl3.hs.echHpkeCtx, aadItem, &chPt, &chCt); |
861 | if (rv != SECSuccess) { |
862 | goto loser; |
863 | } |
864 | PRINT_BUF(50, (ss, "ciphertext from ECH Encrypt", chCt->data, chCt->len))if (ssl_trace >= (50)) ssl_PrintBuf (ss, "ciphertext from ECH Encrypt" , chCt->data, chCt->len); |
865 | #else |
866 | /* Fake a tag. */ |
867 | SECITEM_AllocItemSECITEM_AllocItem_Util(NULL((void*)0), chCt, chPt.len + TLS13_ECH_AEAD_TAG_LEN16); |
868 | if (!chCt) { |
869 | goto loser; |
870 | } |
871 | PORT_Memcpymemcpy(chCt->data, chPt.data, chPt.len); |
872 | #endif |
873 | |
874 | #ifdef DEBUG1 |
875 | /* When encrypting in-place, the payload is part of the AAD and must be zeroed. */ |
876 | PRUint8 val = 0; |
877 | for (int i = 0; i < chCt->len; i++) { |
878 | val |= *(echPayload + i); |
879 | } |
880 | PRINT_BUF(100, (ss, "Empty Placeholder for output of ECH Encryption", echPayload, chCt->len))if (ssl_trace >= (100)) ssl_PrintBuf (ss, "Empty Placeholder for output of ECH Encryption" , echPayload, chCt->len); |
881 | PR_ASSERT(val == 0)((val == 0)?((void)0):PR_Assert("val == 0","tls13ech.c",881)); |
882 | #endif |
883 | |
884 | PORT_Memcpymemcpy(echPayload, chCt->data, chCt->len); |
885 | SECITEM_FreeItemSECITEM_FreeItem_Util(chCt, PR_TRUE1); |
886 | return SECSuccess; |
887 | |
888 | loser: |
889 | SECITEM_FreeItemSECITEM_FreeItem_Util(chCt, PR_TRUE1); |
890 | return SECFailure; |
891 | } |
892 | |
893 | SECStatus |
894 | tls13_GetMatchingEchConfigs(const sslSocket *ss, HpkeKdfId kdf, HpkeAeadId aead, |
895 | const PRUint8 configId, const sslEchConfig *cur, sslEchConfig **next) |
896 | { |
897 | SSL_TRC(50, ("%d: TLS13[%d]: GetMatchingEchConfig %d",if (ssl_trace >= (50)) ssl_Trace ("%d: TLS13[%d]: GetMatchingEchConfig %d" , getpid(), ss->fd, configId) |
898 | SSL_GETPID(), ss->fd, configId))if (ssl_trace >= (50)) ssl_Trace ("%d: TLS13[%d]: GetMatchingEchConfig %d" , getpid(), ss->fd, configId); |
899 | |
900 | /* If |cur|, resume the search at that node, else the list head. */ |
901 | for (PRCList *cur_p = cur ? ((PRCList *)cur)->next : PR_LIST_HEAD(&ss->echConfigs)(&ss->echConfigs)->next; |
902 | cur_p != &ss->echConfigs; |
903 | cur_p = PR_NEXT_LINK(cur_p)((cur_p)->next)) { |
904 | sslEchConfig *echConfig = (sslEchConfig *)cur_p; |
905 | if (echConfig->contents.configId == configId && |
906 | echConfig->contents.aeadId == aead && |
907 | echConfig->contents.kdfId == kdf) { |
908 | *next = echConfig; |
909 | return SECSuccess; |
910 | } |
911 | } |
912 | |
913 | *next = NULL((void*)0); |
914 | return SECSuccess; |
915 | } |
916 | |
917 | /* Given a CH with extensions, copy from the start up to the extensions |
918 | * into |writer| and return the extensions themselves in |extensions|. |
919 | * If |explicitSid|, place this value into |writer| as the SID. Else, |
920 | * the sid is copied from |reader| to |writer|. */ |
921 | static SECStatus |
922 | tls13_CopyChPreamble(sslSocket *ss, sslReader *reader, const SECItem *explicitSid, sslBuffer *writer, sslReadBuffer *extensions) |
923 | { |
924 | SECStatus rv; |
925 | sslReadBuffer tmpReadBuf; |
926 | |
927 | /* Locate the extensions. */ |
928 | rv = sslRead_Read(reader, 2 + SSL3_RANDOM_LENGTH32, &tmpReadBuf); |
929 | if (rv != SECSuccess) { |
930 | return SECFailure; |
931 | } |
932 | rv = sslBuffer_Append(writer, tmpReadBuf.buf, tmpReadBuf.len); |
933 | if (rv != SECSuccess) { |
934 | return SECFailure; |
935 | } |
936 | |
937 | /* legacy_session_id */ |
938 | rv = sslRead_ReadVariable(reader, 1, &tmpReadBuf); |
Value stored to 'rv' is never read | |
939 | if (explicitSid) { |
940 | /* Encoded SID should be empty when copying from CHOuter. */ |
941 | if (tmpReadBuf.len > 0) { |
942 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_RX_MALFORMED_ECH_EXTENSIONSSL_ERROR_RX_MALFORMED_ESNI_EXTENSION); |
943 | return SECFailure; |
944 | } |
945 | rv = sslBuffer_AppendVariable(writer, explicitSid->data, explicitSid->len, 1); |
946 | } else { |
947 | rv = sslBuffer_AppendVariable(writer, tmpReadBuf.buf, tmpReadBuf.len, 1); |
948 | } |
949 | if (rv != SECSuccess) { |
950 | return SECFailure; |
951 | } |
952 | |
953 | /* cipher suites */ |
954 | rv = sslRead_ReadVariable(reader, 2, &tmpReadBuf); |
955 | if (rv != SECSuccess) { |
956 | return SECFailure; |
957 | } |
958 | rv = sslBuffer_AppendVariable(writer, tmpReadBuf.buf, tmpReadBuf.len, 2); |
959 | if (rv != SECSuccess) { |
960 | return SECFailure; |
961 | } |
962 | |
963 | /* compression */ |
964 | rv = sslRead_ReadVariable(reader, 1, &tmpReadBuf); |
965 | if (rv != SECSuccess) { |
966 | return SECFailure; |
967 | } |
968 | rv = sslBuffer_AppendVariable(writer, tmpReadBuf.buf, tmpReadBuf.len, 1); |
969 | if (rv != SECSuccess) { |
970 | return SECFailure; |
971 | } |
972 | |
973 | /* extensions */ |
974 | rv = sslRead_ReadVariable(reader, 2, extensions); |
975 | if (rv != SECSuccess) { |
976 | return SECFailure; |
977 | } |
978 | |
979 | /* padding (optional) */ |
980 | sslReadBuffer padding; |
981 | rv = sslRead_Read(reader, SSL_READER_REMAINING(reader)((reader)->buf.len - (reader)->offset), &padding); |
982 | if (rv != SECSuccess) { |
983 | return SECFailure; |
984 | } |
985 | PRUint8 result = 0; |
986 | for (int i = 0; i < padding.len; i++) { |
987 | result |= padding.buf[i]; |
988 | } |
989 | if (result) { |
990 | SSL_TRC(50, ("%d: TLS13: Invalid ECH ClientHelloInner padding decoded", SSL_GETPID()))if (ssl_trace >= (50)) ssl_Trace ("%d: TLS13: Invalid ECH ClientHelloInner padding decoded" , getpid()); |
991 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_ECH_EXTENSION, illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_ESNI_EXTENSION, __func__, "tls13ech.c", 991); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_ESNI_EXTENSION ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_ESNI_EXTENSION , illegal_parameter); } while (0); |
992 | return SECFailure; |
993 | } |
994 | return SECSuccess; |
995 | } |
996 | |
997 | /* |
998 | * The ClientHelloOuterAAD is a serialized ClientHello structure, defined in |
999 | * Section 4.1.2 of [RFC8446], which matches the ClientHelloOuter except the |
1000 | * payload field of the "encrypted_client_hello" is replaced with a byte |
1001 | * string of the same length but whose contents are zeros. This value does |
1002 | * not include the four-byte header from the Handshake structure. |
1003 | */ |
1004 | static SECStatus |
1005 | tls13_ServerMakeChOuterAAD(sslSocket *ss, const PRUint8 *outerCh, unsigned int outerChLen, SECItem *outerAAD) |
1006 | { |
1007 | SECStatus rv; |
1008 | sslBuffer aad = SSL_BUFFER_EMPTY{ ((void*)0), 0, 0, 0 }; |
1009 | const unsigned int echPayloadLen = ss->xtnData.ech->innerCh.len; /* Length of incoming payload */ |
1010 | const unsigned int echPayloadOffset = ss->xtnData.ech->payloadStart - outerCh; /* Offset from start of CHO */ |
1011 | |
1012 | PORT_Assert(outerChLen > echPayloadLen)((outerChLen > echPayloadLen)?((void)0):PR_Assert("outerChLen > echPayloadLen" ,"tls13ech.c",1012)); |
1013 | PORT_Assert(echPayloadOffset + echPayloadLen <= outerChLen)((echPayloadOffset + echPayloadLen <= outerChLen)?((void)0 ):PR_Assert("echPayloadOffset + echPayloadLen <= outerChLen" ,"tls13ech.c",1013)); |
1014 | PORT_Assert(ss->sec.isServer)((ss->sec.isServer)?((void)0):PR_Assert("ss->sec.isServer" ,"tls13ech.c",1014)); |
1015 | PORT_Assert(ss->xtnData.ech)((ss->xtnData.ech)?((void)0):PR_Assert("ss->xtnData.ech" ,"tls13ech.c",1015)); |
1016 | |
1017 | #ifdef DEBUG1 |
1018 | /* Safety check that payload length pointed to by offset matches expected length */ |
1019 | sslReader echXtnReader = SSL_READER(outerCh + echPayloadOffset - 2, 2){ { outerCh + echPayloadOffset - 2, 2 }, 0 }; |
1020 | PRUint64 parsedXtnSize; |
1021 | rv = sslRead_ReadNumber(&echXtnReader, 2, &parsedXtnSize); |
1022 | PR_ASSERT(rv == SECSuccess)((rv == SECSuccess)?((void)0):PR_Assert("rv == SECSuccess","tls13ech.c" ,1022)); |
1023 | PR_ASSERT(parsedXtnSize == echPayloadLen)((parsedXtnSize == echPayloadLen)?((void)0):PR_Assert("parsedXtnSize == echPayloadLen" ,"tls13ech.c",1023)); |
1024 | #endif |
1025 | |
1026 | rv = sslBuffer_Append(&aad, outerCh, outerChLen); |
1027 | if (rv != SECSuccess) { |
1028 | goto loser; |
1029 | } |
1030 | PORT_Memsetmemset(aad.buf + echPayloadOffset, 0, echPayloadLen); |
1031 | |
1032 | PRINT_BUF(50, (ss, "AAD for ECH Decryption", aad.buf, aad.len))if (ssl_trace >= (50)) ssl_PrintBuf (ss, "AAD for ECH Decryption" , aad.buf, aad.len); |
1033 | |
1034 | outerAAD->data = aad.buf; |
1035 | outerAAD->len = aad.len; |
1036 | return SECSuccess; |
1037 | |
1038 | loser: |
1039 | sslBuffer_Clear(&aad); |
1040 | return SECFailure; |
1041 | } |
1042 | |
1043 | SECStatus |
1044 | tls13_OpenClientHelloInner(sslSocket *ss, const SECItem *outer, const SECItem *outerAAD, sslEchConfig *cfg, SECItem **chInner) |
1045 | { |
1046 | SECStatus rv; |
1047 | HpkeContext *cx = NULL((void*)0); |
1048 | SECItem *decryptedChInner = NULL((void*)0); |
1049 | SECItem hpkeInfo = { siBuffer, NULL((void*)0), 0 }; |
1050 | SSL_TRC(50, ("%d: TLS13[%d]: Server opening ECH Inner%s", SSL_GETPID(),if (ssl_trace >= (50)) ssl_Trace ("%d: TLS13[%d]: Server opening ECH Inner%s" , getpid(), ss->fd, ss->ssl3.hs.helloRetry ? " after HRR" : "") |
1051 | ss->fd, ss->ssl3.hs.helloRetry ? " after HRR" : ""))if (ssl_trace >= (50)) ssl_Trace ("%d: TLS13[%d]: Server opening ECH Inner%s" , getpid(), ss->fd, ss->ssl3.hs.helloRetry ? " after HRR" : ""); |
1052 | |
1053 | if (!ss->ssl3.hs.helloRetry) { |
1054 | PORT_Assert(!ss->ssl3.hs.echHpkeCtx)((!ss->ssl3.hs.echHpkeCtx)?((void)0):PR_Assert("!ss->ssl3.hs.echHpkeCtx" ,"tls13ech.c",1054)); |
1055 | cx = PK11_HPKE_NewContext(cfg->contents.kemId, cfg->contents.kdfId, |
1056 | cfg->contents.aeadId, NULL((void*)0), NULL((void*)0)); |
1057 | if (!cx) { |
1058 | goto loser; |
1059 | } |
1060 | |
1061 | if (!SECITEM_AllocItemSECITEM_AllocItem_Util(NULL((void*)0), &hpkeInfo, strlen(kHpkeInfoEch) + 1 + cfg->raw.len)) { |
1062 | goto loser; |
1063 | } |
1064 | PORT_Memcpymemcpy(&hpkeInfo.data[0], kHpkeInfoEch, strlen(kHpkeInfoEch)); |
1065 | PORT_Memsetmemset(&hpkeInfo.data[strlen(kHpkeInfoEch)], 0, 1); |
1066 | PORT_Memcpymemcpy(&hpkeInfo.data[strlen(kHpkeInfoEch) + 1], cfg->raw.data, cfg->raw.len); |
1067 | |
1068 | rv = PK11_HPKE_SetupR(cx, ss->echPubKey, ss->echPrivKey, |
1069 | &ss->xtnData.ech->senderPubKey, &hpkeInfo); |
1070 | if (rv != SECSuccess) { |
1071 | goto loser; /* code set */ |
1072 | } |
1073 | } else { |
1074 | PORT_Assert(ss->ssl3.hs.echHpkeCtx)((ss->ssl3.hs.echHpkeCtx)?((void)0):PR_Assert("ss->ssl3.hs.echHpkeCtx" ,"tls13ech.c",1074)); |
1075 | cx = ss->ssl3.hs.echHpkeCtx; |
1076 | } |
1077 | |
1078 | #ifndef UNSAFE_FUZZER_MODE |
1079 | rv = PK11_HPKE_Open(cx, outerAAD, &ss->xtnData.ech->innerCh, &decryptedChInner); |
1080 | if (rv != SECSuccess) { |
1081 | SSL_TRC(10, ("%d: SSL3[%d]: Failed to decrypt inner CH with this candidate",if (ssl_trace >= (10)) ssl_Trace ("%d: SSL3[%d]: Failed to decrypt inner CH with this candidate" , getpid(), ss->fd) |
1082 | SSL_GETPID(), ss->fd))if (ssl_trace >= (10)) ssl_Trace ("%d: SSL3[%d]: Failed to decrypt inner CH with this candidate" , getpid(), ss->fd); |
1083 | goto loser; /* code set */ |
1084 | } |
1085 | #else |
1086 | rv = SECITEM_CopyItemSECITEM_CopyItem_Util(NULL((void*)0), decryptedChInner, &ss->xtnData.ech->innerCh); |
1087 | if (rv != SECSuccess) { |
1088 | goto loser; |
1089 | } |
1090 | decryptedChInner->len -= TLS13_ECH_AEAD_TAG_LEN16; /* Fake tag */ |
1091 | #endif |
1092 | |
1093 | /* Stash the context, we may need it for HRR. */ |
1094 | ss->ssl3.hs.echHpkeCtx = cx; |
1095 | *chInner = decryptedChInner; |
1096 | PRINT_BUF(100, (ss, "Decrypted ECH Inner", decryptedChInner->data, decryptedChInner->len))if (ssl_trace >= (100)) ssl_PrintBuf (ss, "Decrypted ECH Inner" , decryptedChInner->data, decryptedChInner->len); |
1097 | SECITEM_FreeItemSECITEM_FreeItem_Util(&hpkeInfo, PR_FALSE0); |
1098 | return SECSuccess; |
1099 | |
1100 | loser: |
1101 | SECITEM_FreeItemSECITEM_FreeItem_Util(decryptedChInner, PR_TRUE1); |
1102 | SECITEM_FreeItemSECITEM_FreeItem_Util(&hpkeInfo, PR_FALSE0); |
1103 | if (cx != ss->ssl3.hs.echHpkeCtx) { |
1104 | /* Don't double-free if it's already global. */ |
1105 | PK11_HPKE_DestroyContext(cx, PR_TRUE1); |
1106 | } |
1107 | return SECFailure; |
1108 | } |
1109 | |
1110 | /* This is the maximum number of extension hooks that the following functions can handle. */ |
1111 | #define MAX_EXTENSION_WRITERS32 32 |
1112 | |
1113 | static SECStatus |
1114 | tls13_WriteDupXtnsToChInner(PRBool compressing, sslBuffer *dupXtns, sslBuffer *chInnerXtns) |
1115 | { |
1116 | SECStatus rv; |
1117 | if (compressing && SSL_BUFFER_LEN(dupXtns)((dupXtns)->len) > 0) { |
1118 | rv = sslBuffer_AppendNumber(chInnerXtns, ssl_tls13_outer_extensions_xtn, 2); |
1119 | if (rv != SECSuccess) { |
1120 | return SECFailure; |
1121 | } |
1122 | rv = sslBuffer_AppendNumber(chInnerXtns, dupXtns->len + 1, 2); |
1123 | if (rv != SECSuccess) { |
1124 | return SECFailure; |
1125 | } |
1126 | rv = sslBuffer_AppendBufferVariable(chInnerXtns, dupXtns, 1); |
1127 | if (rv != SECSuccess) { |
1128 | return SECFailure; |
1129 | } |
1130 | } else { |
1131 | /* dupXtns carries whole extensions with lengths on each. */ |
1132 | rv = sslBuffer_AppendBuffer(chInnerXtns, dupXtns); |
1133 | if (rv != SECSuccess) { |
1134 | return SECFailure; |
1135 | } |
1136 | } |
1137 | sslBuffer_Clear(dupXtns); |
1138 | return SECSuccess; |
1139 | } |
1140 | |
1141 | /* Add ordinary extensions to CHInner. |
1142 | * The value of the extension from CHOuter is in |extensionData|. |
1143 | * |
1144 | * If the value is to be compressed, it is written to |dupXtns|. |
1145 | * Otherwise, a full extension is written to |chInnerXtns|. |
1146 | * |
1147 | * This function is always called twice: |
1148 | * once without compression and once with compression if possible. |
1149 | * |
1150 | * Because we want to allow extensions that did not appear in CHOuter |
1151 | * to be included in CHInner, we also need to track which extensions |
1152 | * have been included. This is what |called| and |nCalled| track. |
1153 | */ |
1154 | static SECStatus |
1155 | tls13_ChInnerAppendExtension(sslSocket *ss, PRUint16 extensionType, |
1156 | const sslReadBuffer *extensionData, |
1157 | sslBuffer *dupXtns, sslBuffer *chInnerXtns, |
1158 | PRBool compressing, |
1159 | PRUint16 *called, unsigned int *nCalled) |
1160 | { |
1161 | PRUint8 buf[1024] = { 0 }; |
1162 | const PRUint8 *p; |
1163 | unsigned int len = 0; |
1164 | PRBool willCompress; |
1165 | |
1166 | PORT_Assert(extensionType != ssl_tls13_encrypted_client_hello_xtn)((extensionType != ssl_tls13_encrypted_client_hello_xtn)?((void )0):PR_Assert("extensionType != ssl_tls13_encrypted_client_hello_xtn" ,"tls13ech.c",1166)); |
1167 | sslCustomExtensionHooks *hook = ss->opt.callExtensionWriterOnEchInner |
1168 | ? ssl_FindCustomExtensionHooks(ss, extensionType) |
1169 | : NULL((void*)0); |
1170 | if (hook && hook->writer) { |
1171 | if (*nCalled >= MAX_EXTENSION_WRITERS32) { |
1172 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); /* TODO new code? */ |
1173 | return SECFailure; |
1174 | } |
1175 | |
1176 | PRBool append = (*hook->writer)(ss->fd, ssl_hs_client_hello, |
1177 | buf, &len, sizeof(buf), hook->writerArg); |
1178 | called[(*nCalled)++] = extensionType; |
1179 | if (!append) { |
1180 | /* This extension is not going to appear in CHInner. */ |
1181 | /* TODO: consider removing this extension from ss->xtnData.advertised. |
1182 | * The consequence of not removing it is that we won't complain |
1183 | * if the server accepts ECH and then includes this extension. |
1184 | * The cost is a complete reworking of ss->xtnData.advertised. |
1185 | */ |
1186 | return SECSuccess; |
1187 | } |
1188 | /* It can be compressed if it is the same as the outer value. */ |
1189 | willCompress = (len == extensionData->len && |
1190 | NSS_SecureMemcmp(buf, extensionData->buf, len) == 0); |
1191 | p = buf; |
1192 | } else { |
1193 | /* Non-custom extensions are duplicated when compressing. */ |
1194 | willCompress = PR_TRUE1; |
1195 | p = extensionData->buf; |
1196 | len = extensionData->len; |
1197 | } |
1198 | |
1199 | /* Duplicated extensions all need to go together. */ |
1200 | sslBuffer *dst = willCompress ? dupXtns : chInnerXtns; |
1201 | SECStatus rv = sslBuffer_AppendNumber(dst, extensionType, 2); |
1202 | if (rv != SECSuccess) { |
1203 | return SECFailure; |
1204 | } |
1205 | if (!willCompress || !compressing) { |
1206 | rv = sslBuffer_AppendVariable(dst, p, len, 2); |
1207 | if (rv != SECSuccess) { |
1208 | return SECFailure; |
1209 | } |
1210 | } |
1211 | /* As this function is called twice, we only want to update our state the second time. */ |
1212 | if (compressing) { |
1213 | ss->xtnData.echAdvertised[ss->xtnData.echNumAdvertised++] = extensionType; |
1214 | SSL_TRC(50, ("Appending extension=%d to the Client Hello Inner. Compressed?=%d", extensionType, willCompress))if (ssl_trace >= (50)) ssl_Trace ("Appending extension=%d to the Client Hello Inner. Compressed?=%d" , extensionType, willCompress); |
1215 | } |
1216 | return SECSuccess; |
1217 | } |
1218 | |
1219 | /* Call any custom extension handlers that didn't want to be added to CHOuter. */ |
1220 | static SECStatus |
1221 | tls13_ChInnerAdditionalExtensionWriters(sslSocket *ss, const PRUint16 *called, |
1222 | unsigned int nCalled, sslBuffer *chInnerXtns) |
1223 | { |
1224 | if (!ss->opt.callExtensionWriterOnEchInner) { |
1225 | return SECSuccess; |
1226 | } |
1227 | |
1228 | for (PRCList *cursor = PR_NEXT_LINK(&ss->extensionHooks)((&ss->extensionHooks)->next); |
1229 | cursor != &ss->extensionHooks; |
1230 | cursor = PR_NEXT_LINK(cursor)((cursor)->next)) { |
1231 | sslCustomExtensionHooks *hook = (sslCustomExtensionHooks *)cursor; |
1232 | |
1233 | /* Skip if this hook was already called. */ |
1234 | PRBool hookCalled = PR_FALSE0; |
1235 | for (unsigned int i = 0; i < nCalled; ++i) { |
1236 | if (called[i] == hook->type) { |
1237 | hookCalled = PR_TRUE1; |
1238 | break; |
1239 | } |
1240 | } |
1241 | if (hookCalled) { |
1242 | continue; |
1243 | } |
1244 | |
1245 | /* This is a cut-down version of ssl_CallCustomExtensionSenders(). */ |
1246 | PRUint8 buf[1024]; |
1247 | unsigned int len = 0; |
1248 | PRBool append = (*hook->writer)(ss->fd, ssl_hs_client_hello, |
1249 | buf, &len, sizeof(buf), hook->writerArg); |
1250 | if (!append) { |
1251 | continue; |
1252 | } |
1253 | |
1254 | SECStatus rv = sslBuffer_AppendNumber(chInnerXtns, hook->type, 2); |
1255 | if (rv != SECSuccess) { |
1256 | return SECFailure; |
1257 | } |
1258 | rv = sslBuffer_AppendVariable(chInnerXtns, buf, len, 2); |
1259 | if (rv != SECSuccess) { |
1260 | return SECFailure; |
1261 | } |
1262 | ss->xtnData.echAdvertised[ss->xtnData.echNumAdvertised++] = hook->type; |
1263 | } |
1264 | return SECSuccess; |
1265 | } |
1266 | |
1267 | /* Take the PSK extension CHOuter and fill it with junk. */ |
1268 | static SECStatus |
1269 | tls13_RandomizePsk(PRUint8 *buf, unsigned int len) |
1270 | { |
1271 | sslReader rdr = SSL_READER(buf, len){ { buf, len }, 0 }; |
1272 | |
1273 | /* Read the length of identities. */ |
1274 | PRUint64 outerLen = 0; |
1275 | SECStatus rv = sslRead_ReadNumber(&rdr, 2, &outerLen); |
1276 | if (rv != SECSuccess) { |
1277 | return SECFailure; |
1278 | } |
1279 | PORT_Assert(outerLen < len + 2)((outerLen < len + 2)?((void)0):PR_Assert("outerLen < len + 2" ,"tls13ech.c",1279)); |
1280 | |
1281 | /* Read the length of PskIdentity.identity */ |
1282 | PRUint64 innerLen = 0; |
1283 | rv = sslRead_ReadNumber(&rdr, 2, &innerLen); |
1284 | if (rv != SECSuccess) { |
1285 | return SECFailure; |
1286 | } |
1287 | /* identities should contain just one identity. */ |
1288 | PORT_Assert(outerLen == innerLen + 6)((outerLen == innerLen + 6)?((void)0):PR_Assert("outerLen == innerLen + 6" ,"tls13ech.c",1288)); |
1289 | |
1290 | /* Randomize PskIdentity.{identity,obfuscated_ticket_age}. */ |
1291 | rv = PK11_GenerateRandom(buf + rdr.offset, innerLen + 4); |
1292 | if (rv != SECSuccess) { |
1293 | return SECFailure; |
1294 | } |
1295 | rdr.offset += innerLen + 4; |
1296 | |
1297 | /* Read the length of binders. */ |
1298 | rv = sslRead_ReadNumber(&rdr, 2, &outerLen); |
1299 | if (rv != SECSuccess) { |
1300 | return SECFailure; |
1301 | } |
1302 | PORT_Assert(outerLen + rdr.offset == len)((outerLen + rdr.offset == len)?((void)0):PR_Assert("outerLen + rdr.offset == len" ,"tls13ech.c",1302)); |
1303 | |
1304 | /* Read the length of the binder. */ |
1305 | rv = sslRead_ReadNumber(&rdr, 1, &innerLen); |
1306 | if (rv != SECSuccess) { |
1307 | return SECFailure; |
1308 | } |
1309 | /* binders should contain just one binder. */ |
1310 | PORT_Assert(outerLen == innerLen + 1)((outerLen == innerLen + 1)?((void)0):PR_Assert("outerLen == innerLen + 1" ,"tls13ech.c",1310)); |
1311 | |
1312 | /* Randomize the binder. */ |
1313 | rv = PK11_GenerateRandom(buf + rdr.offset, innerLen); |
1314 | if (rv != SECSuccess) { |
1315 | return SECFailure; |
1316 | } |
1317 | |
1318 | return SECSuccess; |
1319 | } |
1320 | |
1321 | /* Given a buffer of extensions prepared for CHOuter, translate those extensions to a |
1322 | * buffer suitable for CHInner. This is intended to be called twice: once without |
1323 | * compression for the transcript hash and binders, and once with compression for |
1324 | * encoding the actual CHInner value. |
1325 | * |
1326 | * Compressed extensions are moved in both runs. When compressing, they are moved |
1327 | * to a single outer_extensions extension, which lists extensions from CHOuter. |
1328 | * When not compressing, this produces the ClientHello that will be reconstructed |
1329 | * from the compressed ClientHello (that is, what goes into the handshake transcript), |
1330 | * so all the compressed extensions need to appear in the same place that the |
1331 | * outer_extensions extension appears. |
1332 | * |
1333 | * On the first run, if |inOutPskXtn| and OuterXtnsBuf contains a PSK extension, |
1334 | * remove it and return in the outparam.he caller will compute the binder value |
1335 | * based on the uncompressed output. Next, if |compress|, consolidate duplicated |
1336 | * extensions (that would otherwise be copied) into a single outer_extensions |
1337 | * extension. If |inOutPskXtn|, the extension contains a binder, it is appended |
1338 | * after the deduplicated outer_extensions. In the case of GREASE ECH, one call |
1339 | * is made to estimate size (wiith compression, null inOutPskXtn). |
1340 | */ |
1341 | SECStatus |
1342 | tls13_ConstructInnerExtensionsFromOuter(sslSocket *ss, sslBuffer *chOuterXtnsBuf, |
1343 | sslBuffer *chInnerXtns, sslBuffer *inOutPskXtn, |
1344 | PRBool shouldCompress) |
1345 | { |
1346 | SECStatus rv; |
1347 | PRUint64 extensionType; |
1348 | sslReadBuffer extensionData; |
1349 | sslBuffer pskXtn = SSL_BUFFER_EMPTY{ ((void*)0), 0, 0, 0 }; |
1350 | sslBuffer dupXtns = SSL_BUFFER_EMPTY{ ((void*)0), 0, 0, 0 }; /* Duplicated extensions, types-only if |compress|. */ |
1351 | unsigned int tmpOffset; |
1352 | unsigned int tmpLen; |
1353 | unsigned int srcXtnBase; /* To truncate CHOuter and remove the PSK extension. */ |
1354 | |
1355 | PRUint16 called[MAX_EXTENSION_WRITERS32] = { 0 }; /* For tracking which has been called. */ |
1356 | unsigned int nCalled = 0; |
1357 | |
1358 | SSL_TRC(50, ("%d: TLS13[%d]: Constructing ECH inner extensions %s compression",if (ssl_trace >= (50)) ssl_Trace ("%d: TLS13[%d]: Constructing ECH inner extensions %s compression" , getpid(), ss->fd, shouldCompress ? "with" : "without") |
1359 | SSL_GETPID(), ss->fd, shouldCompress ? "with" : "without"))if (ssl_trace >= (50)) ssl_Trace ("%d: TLS13[%d]: Constructing ECH inner extensions %s compression" , getpid(), ss->fd, shouldCompress ? "with" : "without"); |
1360 | |
1361 | /* When offering the "encrypted_client_hello" extension in its |
1362 | * ClientHelloOuter, the client MUST also offer an empty |
1363 | * "encrypted_client_hello" extension in its ClientHelloInner. */ |
1364 | rv = sslBuffer_AppendNumber(chInnerXtns, ssl_tls13_encrypted_client_hello_xtn, 2); |
1365 | if (rv != SECSuccess) { |
1366 | goto loser; |
1367 | } |
1368 | rv = sslBuffer_AppendNumber(chInnerXtns, 1, 2); |
1369 | if (rv != SECSuccess) { |
1370 | goto loser; |
1371 | } |
1372 | rv = sslBuffer_AppendNumber(chInnerXtns, ech_xtn_type_inner, 1); |
1373 | if (rv != SECSuccess) { |
1374 | goto loser; |
1375 | } |
1376 | |
1377 | sslReader rdr = SSL_READER(chOuterXtnsBuf->buf, chOuterXtnsBuf->len){ { chOuterXtnsBuf->buf, chOuterXtnsBuf->len }, 0 }; |
1378 | while (SSL_READER_REMAINING(&rdr)((&rdr)->buf.len - (&rdr)->offset)) { |
1379 | srcXtnBase = rdr.offset; |
1380 | rv = sslRead_ReadNumber(&rdr, 2, &extensionType); |
1381 | if (rv != SECSuccess) { |
1382 | goto loser; |
1383 | } |
1384 | |
1385 | /* Get the extension data. */ |
1386 | rv = sslRead_ReadVariable(&rdr, 2, &extensionData); |
1387 | if (rv != SECSuccess) { |
1388 | goto loser; |
1389 | } |
1390 | |
1391 | /* Skip extensions that are TLS < 1.3 only, since CHInner MUST |
1392 | * negotiate TLS 1.3 or above. |
1393 | * If the extension is supported by default (sslSupported) but unknown |
1394 | * to TLS 1.3 it must be a TLS < 1.3 only extension. */ |
1395 | SSLExtensionSupport sslSupported; |
1396 | (void)SSLExp_GetExtensionSupport(extensionType, &sslSupported); |
1397 | if (sslSupported != ssl_ext_none && |
1398 | tls13_ExtensionStatus(extensionType, ssl_hs_client_hello) == tls13_extension_unknown) { |
1399 | continue; |
1400 | } |
1401 | |
1402 | switch (extensionType) { |
1403 | case ssl_server_name_xtn: |
1404 | /* Write the real (private) SNI value. */ |
1405 | rv = sslBuffer_AppendNumber(chInnerXtns, extensionType, 2); |
1406 | if (rv != SECSuccess) { |
1407 | goto loser; |
1408 | } |
1409 | rv = sslBuffer_Skip(chInnerXtns, 2, &tmpOffset); |
1410 | if (rv != SECSuccess) { |
1411 | goto loser; |
1412 | } |
1413 | tmpLen = SSL_BUFFER_LEN(chInnerXtns)((chInnerXtns)->len); |
1414 | rv = ssl3_ClientFormatServerNameXtn(ss, ss->url, |
1415 | strlen(ss->url), |
1416 | NULL((void*)0), chInnerXtns); |
1417 | if (rv != SECSuccess) { |
1418 | goto loser; |
1419 | } |
1420 | tmpLen = SSL_BUFFER_LEN(chInnerXtns)((chInnerXtns)->len) - tmpLen; |
1421 | rv = sslBuffer_InsertNumber(chInnerXtns, tmpOffset, tmpLen, 2); |
1422 | if (rv != SECSuccess) { |
1423 | goto loser; |
1424 | } |
1425 | /* Only update state on second invocation of this function */ |
1426 | if (shouldCompress) { |
1427 | ss->xtnData.echAdvertised[ss->xtnData.echNumAdvertised++] = extensionType; |
1428 | } |
1429 | break; |
1430 | case ssl_tls13_supported_versions_xtn: |
1431 | /* Only TLS 1.3 and GREASE on CHInner. */ |
1432 | rv = sslBuffer_AppendNumber(chInnerXtns, extensionType, 2); |
1433 | if (rv != SECSuccess) { |
1434 | goto loser; |
1435 | } |
1436 | /* Extension length. */ |
1437 | tmpLen = (ss->opt.enableGrease) ? 5 : 3; |
1438 | rv = sslBuffer_AppendNumber(chInnerXtns, tmpLen, 2); |
1439 | if (rv != SECSuccess) { |
1440 | goto loser; |
1441 | } |
1442 | /* ProtocolVersion length */ |
1443 | rv = sslBuffer_AppendNumber(chInnerXtns, tmpLen - 1, 1); |
1444 | if (rv != SECSuccess) { |
1445 | goto loser; |
1446 | } |
1447 | /* ProtocolVersion TLS 1.3 */ |
1448 | rv = sslBuffer_AppendNumber(chInnerXtns, SSL_LIBRARY_VERSION_TLS_1_30x0304, 2); |
1449 | if (rv != SECSuccess) { |
1450 | goto loser; |
1451 | } |
1452 | /* ProtocolVersion GREASE */ |
1453 | if (ss->opt.enableGrease) { |
1454 | rv = sslBuffer_AppendNumber(chInnerXtns, ss->ssl3.hs.grease->idx[grease_version], 2); |
1455 | if (rv != SECSuccess) { |
1456 | goto loser; |
1457 | } |
1458 | } |
1459 | /* Only update state on second invocation of this function */ |
1460 | if (shouldCompress) { |
1461 | ss->xtnData.echAdvertised[ss->xtnData.echNumAdvertised++] = extensionType; |
1462 | } |
1463 | break; |
1464 | case ssl_tls13_pre_shared_key_xtn: |
1465 | if (inOutPskXtn && !shouldCompress) { |
1466 | rv = sslBuffer_AppendNumber(&pskXtn, extensionType, 2); |
1467 | if (rv != SECSuccess) { |
1468 | goto loser; |
1469 | } |
1470 | rv = sslBuffer_AppendVariable(&pskXtn, extensionData.buf, |
1471 | extensionData.len, 2); |
1472 | if (rv != SECSuccess) { |
1473 | goto loser; |
1474 | } |
1475 | /* This should be the last extension. */ |
1476 | PORT_Assert(srcXtnBase == ss->xtnData.lastXtnOffset)((srcXtnBase == ss->xtnData.lastXtnOffset)?((void)0):PR_Assert ("srcXtnBase == ss->xtnData.lastXtnOffset","tls13ech.c",1476 )); |
1477 | PORT_Assert(chOuterXtnsBuf->len - srcXtnBase == extensionData.len + 4)((chOuterXtnsBuf->len - srcXtnBase == extensionData.len + 4 )?((void)0):PR_Assert("chOuterXtnsBuf->len - srcXtnBase == extensionData.len + 4" ,"tls13ech.c",1477)); |
1478 | rv = tls13_RandomizePsk(chOuterXtnsBuf->buf + srcXtnBase + 4, |
1479 | chOuterXtnsBuf->len - srcXtnBase - 4); |
1480 | if (rv != SECSuccess) { |
1481 | goto loser; |
1482 | } |
1483 | } else if (!inOutPskXtn) { |
1484 | /* When GREASEing, only the length is used. |
1485 | * Order doesn't matter, so just copy the extension. */ |
1486 | rv = sslBuffer_AppendNumber(chInnerXtns, extensionType, 2); |
1487 | if (rv != SECSuccess) { |
1488 | goto loser; |
1489 | } |
1490 | rv = sslBuffer_AppendVariable(chInnerXtns, extensionData.buf, |
1491 | extensionData.len, 2); |
1492 | if (rv != SECSuccess) { |
1493 | goto loser; |
1494 | } |
1495 | } |
1496 | /* Only update state on second invocation of this function */ |
1497 | if (shouldCompress) { |
1498 | ss->xtnData.echAdvertised[ss->xtnData.echNumAdvertised++] = extensionType; |
1499 | } |
1500 | break; |
1501 | default: { |
1502 | /* This is a regular extension. We can maybe compress these. */ |
1503 | rv = tls13_ChInnerAppendExtension(ss, extensionType, |
1504 | &extensionData, |
1505 | &dupXtns, chInnerXtns, |
1506 | shouldCompress, |
1507 | called, &nCalled); |
1508 | if (rv != SECSuccess) { |
1509 | goto loser; |
1510 | } |
1511 | break; |
1512 | } |
1513 | } |
1514 | } |
1515 | |
1516 | rv = tls13_WriteDupXtnsToChInner(shouldCompress, &dupXtns, chInnerXtns); |
1517 | if (rv != SECSuccess) { |
1518 | goto loser; |
1519 | } |
1520 | |
1521 | /* Now call custom extension handlers that didn't choose to append anything to |
1522 | * the outer ClientHello. */ |
1523 | rv = tls13_ChInnerAdditionalExtensionWriters(ss, called, nCalled, chInnerXtns); |
1524 | if (rv != SECSuccess) { |
1525 | goto loser; |
1526 | } |
1527 | |
1528 | if (inOutPskXtn) { |
1529 | /* On the first, non-compress run, append the (bad) PSK binder. |
1530 | * On the second compression run, the caller is responsible for |
1531 | * providing an extension with a valid binder, so append that. */ |
1532 | if (shouldCompress) { |
1533 | rv = sslBuffer_AppendBuffer(chInnerXtns, inOutPskXtn); |
1534 | } else { |
1535 | rv = sslBuffer_AppendBuffer(chInnerXtns, &pskXtn); |
1536 | *inOutPskXtn = pskXtn; |
1537 | } |
1538 | if (rv != SECSuccess) { |
1539 | goto loser; |
1540 | } |
1541 | } |
1542 | |
1543 | return SECSuccess; |
1544 | |
1545 | loser: |
1546 | sslBuffer_Clear(&pskXtn); |
1547 | sslBuffer_Clear(&dupXtns); |
1548 | return SECFailure; |
1549 | } |
1550 | |
1551 | static SECStatus |
1552 | tls13_EncodeClientHelloInner(sslSocket *ss, const sslBuffer *chInner, const sslBuffer *chInnerXtns, sslBuffer *out) |
1553 | { |
1554 | PORT_Assert(ss && chInner && chInnerXtns && out)((ss && chInner && chInnerXtns && out )?((void)0):PR_Assert("ss && chInner && chInnerXtns && out" ,"tls13ech.c",1554)); |
1555 | SECStatus rv; |
1556 | sslReadBuffer tmpReadBuf; |
1557 | sslReader chReader = SSL_READER(chInner->buf, chInner->len){ { chInner->buf, chInner->len }, 0 }; |
1558 | |
1559 | rv = sslRead_Read(&chReader, 4, &tmpReadBuf); |
1560 | if (rv != SECSuccess) { |
1561 | goto loser; |
1562 | } |
1563 | |
1564 | rv = sslRead_Read(&chReader, 2 + SSL3_RANDOM_LENGTH32, &tmpReadBuf); |
1565 | if (rv != SECSuccess) { |
1566 | goto loser; |
1567 | } |
1568 | rv = sslBuffer_Append(out, tmpReadBuf.buf, tmpReadBuf.len); |
1569 | if (rv != SECSuccess) { |
1570 | goto loser; |
1571 | } |
1572 | |
1573 | /* Skip the legacy_session_id */ |
1574 | rv = sslRead_ReadVariable(&chReader, 1, &tmpReadBuf); |
1575 | if (rv != SECSuccess) { |
1576 | goto loser; |
1577 | } |
1578 | rv = sslBuffer_AppendNumber(out, 0, 1); |
1579 | if (rv != SECSuccess) { |
1580 | goto loser; |
1581 | } |
1582 | |
1583 | /* cipher suites */ |
1584 | rv = sslRead_ReadVariable(&chReader, 2, &tmpReadBuf); |
1585 | if (rv != SECSuccess) { |
1586 | goto loser; |
1587 | } |
1588 | rv = sslBuffer_AppendVariable(out, tmpReadBuf.buf, tmpReadBuf.len, 2); |
1589 | if (rv != SECSuccess) { |
1590 | goto loser; |
1591 | } |
1592 | |
1593 | /* compression methods */ |
1594 | rv = sslRead_ReadVariable(&chReader, 1, &tmpReadBuf); |
1595 | if (rv != SECSuccess) { |
1596 | goto loser; |
1597 | } |
1598 | rv = sslBuffer_AppendVariable(out, tmpReadBuf.buf, tmpReadBuf.len, 1); |
1599 | if (rv != SECSuccess) { |
1600 | goto loser; |
1601 | } |
1602 | |
1603 | /* Append the extensions. */ |
1604 | rv = sslBuffer_AppendBufferVariable(out, chInnerXtns, 2); |
1605 | if (rv != SECSuccess) { |
1606 | goto loser; |
1607 | } |
1608 | return SECSuccess; |
1609 | |
1610 | loser: |
1611 | sslBuffer_Clear(out); |
1612 | return SECFailure; |
1613 | } |
1614 | |
1615 | SECStatus |
1616 | tls13_PadChInner(sslBuffer *chInner, uint8_t maxNameLen, uint8_t serverNameLen) |
1617 | { |
1618 | SECStatus rv; |
1619 | PORT_Assert(chInner)((chInner)?((void)0):PR_Assert("chInner","tls13ech.c",1619)); |
1620 | PORT_Assert(serverNameLen > 0)((serverNameLen > 0)?((void)0):PR_Assert("serverNameLen > 0" ,"tls13ech.c",1620)); |
1621 | static unsigned char padding[256 + 32] = { 0 }; |
1622 | int16_t name_padding = (int16_t)maxNameLen - (int16_t)serverNameLen; |
1623 | if (name_padding < 0) { |
1624 | name_padding = 0; |
1625 | } |
1626 | unsigned int rounding_padding = 31 - ((SSL_BUFFER_LEN(chInner)((chInner)->len) + name_padding) % 32); |
1627 | unsigned int total_padding = name_padding + rounding_padding; |
1628 | PORT_Assert(total_padding < sizeof(padding))((total_padding < sizeof(padding))?((void)0):PR_Assert("total_padding < sizeof(padding)" ,"tls13ech.c",1628)); |
1629 | SSL_TRC(100, ("computed ECH Inner Client Hello padding of size %u", total_padding))if (ssl_trace >= (100)) ssl_Trace ("computed ECH Inner Client Hello padding of size %u" , total_padding); |
1630 | rv = sslBuffer_Append(chInner, padding, total_padding); |
1631 | if (rv != SECSuccess) { |
1632 | sslBuffer_Clear(chInner); |
1633 | return SECFailure; |
1634 | } |
1635 | return SECSuccess; |
1636 | } |
1637 | |
1638 | /* Build an ECH Xtn body with a zeroed payload for the client hello inner |
1639 | * |
1640 | * enum { outer(0), inner(1) } ECHClientHelloType; |
1641 | * |
1642 | * struct { |
1643 | * ECHClientHelloType type; |
1644 | * select (ECHClientHello.type) { |
1645 | * case outer: |
1646 | * HpkeSymmetricCipherSuite cipher_suite; |
1647 | * uint8 config_id; |
1648 | * opaque enc<0..2^16-1>; |
1649 | * opaque payload<1..2^16-1>; |
1650 | * case inner: |
1651 | * Empty; |
1652 | * }; |
1653 | * } ECHClientHello; |
1654 | * |
1655 | * payloadLen = Size of zeroed placeholder field for payload. |
1656 | * payloadOffset = Out parameter, start of payload field |
1657 | * echXtn = Out parameter, constructed ECH Xtn with zeroed placeholder field. |
1658 | */ |
1659 | SECStatus |
1660 | tls13_BuildEchXtn(sslEchConfig *cfg, const SECItem *hpkeEnc, unsigned int payloadLen, PRUint16 *payloadOffset, sslBuffer *echXtn) |
1661 | { |
1662 | SECStatus rv; |
1663 | /* Format the encrypted_client_hello extension. */ |
1664 | rv = sslBuffer_AppendNumber(echXtn, ech_xtn_type_outer, 1); |
1665 | if (rv != SECSuccess) { |
1666 | goto loser; |
1667 | } |
1668 | rv = sslBuffer_AppendNumber(echXtn, cfg->contents.kdfId, 2); |
1669 | if (rv != SECSuccess) { |
1670 | goto loser; |
1671 | } |
1672 | rv = sslBuffer_AppendNumber(echXtn, cfg->contents.aeadId, 2); |
1673 | if (rv != SECSuccess) { |
1674 | goto loser; |
1675 | } |
1676 | |
1677 | rv = sslBuffer_AppendNumber(echXtn, cfg->contents.configId, 1); |
1678 | if (rv != SECSuccess) { |
1679 | goto loser; |
1680 | } |
1681 | if (hpkeEnc) { |
1682 | /* Public Key */ |
1683 | rv = sslBuffer_AppendVariable(echXtn, hpkeEnc->data, hpkeEnc->len, 2); |
1684 | if (rv != SECSuccess) { |
1685 | goto loser; |
1686 | } |
1687 | } else { |
1688 | /* |enc| is empty. */ |
1689 | rv = sslBuffer_AppendNumber(echXtn, 0, 2); |
1690 | if (rv != SECSuccess) { |
1691 | goto loser; |
1692 | } |
1693 | } |
1694 | payloadLen += TLS13_ECH_AEAD_TAG_LEN16; |
1695 | rv = sslBuffer_AppendNumber(echXtn, payloadLen, 2); |
1696 | if (rv != SECSuccess) { |
1697 | goto loser; |
1698 | } |
1699 | *payloadOffset = echXtn->len; |
1700 | rv = sslBuffer_Fill(echXtn, 0, payloadLen); |
1701 | if (rv != SECSuccess) { |
1702 | goto loser; |
1703 | } |
1704 | PRINT_BUF(100, (NULL, "ECH Xtn with Placeholder:", echXtn->buf, echXtn->len))if (ssl_trace >= (100)) ssl_PrintBuf (((void*)0), "ECH Xtn with Placeholder:" , echXtn->buf, echXtn->len); |
1705 | return SECSuccess; |
1706 | loser: |
1707 | sslBuffer_Clear(echXtn); |
1708 | return SECFailure; |
1709 | } |
1710 | |
1711 | SECStatus |
1712 | tls13_ConstructClientHelloWithEch(sslSocket *ss, const sslSessionID *sid, PRBool freshSid, |
1713 | sslBuffer *chOuter, sslBuffer *chOuterXtnsBuf) |
1714 | { |
1715 | SECStatus rv; |
1716 | sslBuffer chInner = SSL_BUFFER_EMPTY{ ((void*)0), 0, 0, 0 }; |
1717 | sslBuffer encodedChInner = SSL_BUFFER_EMPTY{ ((void*)0), 0, 0, 0 }; |
1718 | sslBuffer paddingChInner = SSL_BUFFER_EMPTY{ ((void*)0), 0, 0, 0 }; |
1719 | sslBuffer chInnerXtns = SSL_BUFFER_EMPTY{ ((void*)0), 0, 0, 0 }; |
1720 | sslBuffer pskXtn = SSL_BUFFER_EMPTY{ ((void*)0), 0, 0, 0 }; |
1721 | unsigned int preambleLen; |
1722 | |
1723 | SSL_TRC(50, ("%d: TLS13[%d]: Constructing ECH inner", SSL_GETPID(), ss->fd))if (ssl_trace >= (50)) ssl_Trace ("%d: TLS13[%d]: Constructing ECH inner" , getpid(), ss->fd); |
1724 | |
1725 | /* Create the full (uncompressed) inner extensions and steal any PSK extension. |
1726 | * NB: Neither chOuterXtnsBuf nor chInnerXtns are length-prefixed. */ |
1727 | rv = tls13_ConstructInnerExtensionsFromOuter(ss, chOuterXtnsBuf, &chInnerXtns, |
1728 | &pskXtn, PR_FALSE0); |
1729 | if (rv != SECSuccess) { |
1730 | goto loser; /* code set */ |
1731 | } |
1732 | |
1733 | rv = ssl3_CreateClientHelloPreamble(ss, sid, PR_FALSE0, SSL_LIBRARY_VERSION_TLS_1_30x0304, |
1734 | PR_TRUE1, &chInnerXtns, &chInner); |
1735 | if (rv != SECSuccess) { |
1736 | goto loser; /* code set */ |
1737 | } |
1738 | preambleLen = SSL_BUFFER_LEN(&chInner)((&chInner)->len); |
1739 | |
1740 | /* Write handshake header length. tls13_EncryptClientHello will |
1741 | * remove this upon encoding, but the transcript needs it. This assumes |
1742 | * the 4B stream-variant header. */ |
1743 | PORT_Assert(!IS_DTLS(ss))((!(ss->protocolVariant == ssl_variant_datagram))?((void)0 ):PR_Assert("!IS_DTLS(ss)","tls13ech.c",1743)); |
1744 | rv = sslBuffer_InsertNumber(&chInner, 1, |
1745 | chInner.len + 2 + chInnerXtns.len - 4, 3); |
1746 | if (rv != SECSuccess) { |
1747 | goto loser; |
1748 | } |
1749 | |
1750 | if (pskXtn.len) { |
1751 | PORT_Assert(ssl3_ExtensionAdvertised(ss, ssl_tls13_pre_shared_key_xtn))((ssl3_ExtensionAdvertised(ss, ssl_tls13_pre_shared_key_xtn)) ?((void)0):PR_Assert("ssl3_ExtensionAdvertised(ss, ssl_tls13_pre_shared_key_xtn)" ,"tls13ech.c",1751)); |
1752 | rv = tls13_WriteExtensionsWithBinder(ss, &chInnerXtns, &chInner); |
1753 | /* Update the stolen PSK extension with the binder value. */ |
1754 | PORT_Memcpymemcpy(pskXtn.buf, &chInnerXtns.buf[chInnerXtns.len - pskXtn.len], pskXtn.len); |
1755 | } else { |
1756 | rv = sslBuffer_AppendBufferVariable(&chInner, &chInnerXtns, 2); |
1757 | } |
1758 | if (rv != SECSuccess) { |
1759 | goto loser; |
1760 | } |
1761 | |
1762 | PRINT_BUF(50, (ss, "Uncompressed CHInner", chInner.buf, chInner.len))if (ssl_trace >= (50)) ssl_PrintBuf (ss, "Uncompressed CHInner" , chInner.buf, chInner.len); |
1763 | rv = ssl3_UpdateHandshakeHashesInt(ss, chInner.buf, chInner.len, |
1764 | &ss->ssl3.hs.echInnerMessages); |
1765 | if (rv != SECSuccess) { |
1766 | goto loser; /* code set */ |
1767 | } |
1768 | |
1769 | /* Un-append the extensions, then append compressed via Encoded. */ |
1770 | SSL_BUFFER_LEN(&chInner)((&chInner)->len) = preambleLen; |
1771 | sslBuffer_Clear(&chInnerXtns); |
1772 | rv = tls13_ConstructInnerExtensionsFromOuter(ss, chOuterXtnsBuf, |
1773 | &chInnerXtns, &pskXtn, PR_TRUE1); |
1774 | if (rv != SECSuccess) { |
1775 | goto loser; |
1776 | } |
1777 | |
1778 | rv = tls13_EncodeClientHelloInner(ss, &chInner, &chInnerXtns, &encodedChInner); |
1779 | if (rv != SECSuccess) { |
1780 | goto loser; |
1781 | } |
1782 | PRINT_BUF(50, (ss, "Compressed CHInner", encodedChInner.buf, encodedChInner.len))if (ssl_trace >= (50)) ssl_PrintBuf (ss, "Compressed CHInner" , encodedChInner.buf, encodedChInner.len); |
1783 | |
1784 | PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->echConfigs))((!((&ss->echConfigs)->next == (&ss->echConfigs )))?((void)0):PR_Assert("!PR_CLIST_IS_EMPTY(&ss->echConfigs)" ,"tls13ech.c",1784)); |
1785 | sslEchConfig *cfg = (sslEchConfig *)PR_LIST_HEAD(&ss->echConfigs)(&ss->echConfigs)->next; |
1786 | |
1787 | /* We are using ECH so SNI must have been included */ |
1788 | rv = tls13_PadChInner(&encodedChInner, cfg->contents.maxNameLen, strlen(ss->url)); |
1789 | if (rv != SECSuccess) { |
1790 | goto loser; |
1791 | } |
1792 | |
1793 | /* Build the ECH Xtn with placeholder and put it in chOuterXtnsBuf */ |
1794 | sslBuffer echXtn = SSL_BUFFER_EMPTY{ ((void*)0), 0, 0, 0 }; |
1795 | const SECItem *hpkeEnc = NULL((void*)0); |
1796 | if (!ss->ssl3.hs.helloRetry) { |
1797 | hpkeEnc = PK11_HPKE_GetEncapPubKey(ss->ssl3.hs.echHpkeCtx); |
1798 | if (!hpkeEnc) { |
1799 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13ech.c" , 1799); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); tls13_FatalError(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error ); } while (0); |
1800 | goto loser; |
1801 | } |
1802 | } |
1803 | PRUint16 echXtnPayloadOffset; /* Offset from start of ECH Xtn to ECH Payload */ |
1804 | rv = tls13_BuildEchXtn(cfg, hpkeEnc, encodedChInner.len, &echXtnPayloadOffset, &echXtn); |
1805 | if (rv != SECSuccess) { |
1806 | goto loser; |
1807 | } |
1808 | ss->xtnData.echAdvertised[ss->xtnData.echNumAdvertised++] = ssl_tls13_encrypted_client_hello_xtn; |
1809 | rv = ssl3_EmplaceExtension(ss, chOuterXtnsBuf, ssl_tls13_encrypted_client_hello_xtn, |
1810 | echXtn.buf, echXtn.len, PR_TRUE1); |
1811 | if (rv != SECSuccess) { |
1812 | goto loser; |
1813 | } |
1814 | |
1815 | /* Add the padding */ |
1816 | rv = ssl_InsertPaddingExtension(ss, chOuter->len, chOuterXtnsBuf); |
1817 | if (rv != SECSuccess) { |
1818 | goto loser; |
1819 | } |
1820 | |
1821 | /* Finish the CHO with the ECH Xtn payload zeroed */ |
1822 | rv = ssl3_InsertChHeaderSize(ss, chOuter, chOuterXtnsBuf); |
1823 | if (rv != SECSuccess) { |
1824 | goto loser; |
1825 | } |
1826 | unsigned int chOuterXtnsOffset = chOuter->len + 2; /* From Start of CHO to Extensions list */ |
1827 | rv = sslBuffer_AppendBufferVariable(chOuter, chOuterXtnsBuf, 2); |
1828 | if (rv != SECSuccess) { |
1829 | goto loser; |
1830 | } |
1831 | |
1832 | /* AAD consists of entire CHO, minus the 4 byte handshake header */ |
1833 | SECItem aadItem = { siBuffer, chOuter->buf + 4, chOuter->len - 4 }; |
1834 | /* ECH Payload begins after CHO Header, after ECH Xtn start, after ECH Xtn header */ |
1835 | PRUint8 *echPayload = chOuter->buf + chOuterXtnsOffset + ss->xtnData.echXtnOffset + 4 + echXtnPayloadOffset; |
1836 | /* Insert the encrypted_client_hello xtn and coalesce. */ |
1837 | rv = tls13_EncryptClientHello(ss, &aadItem, &encodedChInner, echPayload); |
1838 | if (rv != SECSuccess) { |
1839 | goto loser; |
1840 | } |
1841 | |
1842 | sslBuffer_Clear(&echXtn); |
1843 | sslBuffer_Clear(&chInner); |
1844 | sslBuffer_Clear(&encodedChInner); |
1845 | sslBuffer_Clear(&paddingChInner); |
1846 | sslBuffer_Clear(&chInnerXtns); |
1847 | sslBuffer_Clear(&pskXtn); |
1848 | return SECSuccess; |
1849 | |
1850 | loser: |
1851 | sslBuffer_Clear(&chInner); |
1852 | sslBuffer_Clear(&encodedChInner); |
1853 | sslBuffer_Clear(&paddingChInner); |
1854 | sslBuffer_Clear(&chInnerXtns); |
1855 | sslBuffer_Clear(&pskXtn); |
1856 | PORT_Assert(PORT_GetError() != 0)((PORT_GetError_Util() != 0)?((void)0):PR_Assert("PORT_GetError() != 0" ,"tls13ech.c",1856)); |
1857 | return SECFailure; |
1858 | } |
1859 | |
1860 | static SECStatus |
1861 | tls13_ComputeEchHelloRetryTranscript(sslSocket *ss, const PRUint8 *sh, unsigned int shLen, sslBuffer *out) |
1862 | { |
1863 | SECStatus rv; |
1864 | PRUint8 zeroedEchSignal[TLS13_ECH_SIGNAL_LEN8] = { 0 }; |
1865 | sslBuffer *previousTranscript; |
1866 | |
1867 | if (ss->sec.isServer) { |
1868 | previousTranscript = &(ss->ssl3.hs.messages); |
1869 | } else { |
1870 | previousTranscript = &(ss->ssl3.hs.echInnerMessages); |
1871 | } |
1872 | /* |
1873 | * This segment calculates the hash of the Client Hello |
1874 | * TODO(djackson@mozilla.com) - Replace with existing function? |
1875 | * e.g. tls13_ReinjectHandshakeTranscript |
1876 | * TODO(djackson@mozilla.com) - Replace with streaming version |
1877 | */ |
1878 | if (!ss->ssl3.hs.helloRetry || !ss->sec.isServer) { |
1879 | /* |
1880 | * This function can be called in three situations: |
1881 | * - By the server, prior to sending the HRR, when ECH was accepted |
1882 | * - By the client, after receiving the HRR, but before it knows whether ECH was accepted |
1883 | * - By the server, after accepting ECH and receiving CH2 when it needs to reconstruct the HRR |
1884 | * In the first two situations, we need to include the message hash of inner ClientHello1 but don't |
1885 | * want to alter the buffer containing the current transcript. |
1886 | * In the last, the buffer already contains the message hash of inner ClientHello1. |
1887 | */ |
1888 | SSL3Hashes hashes; |
1889 | rv = tls13_ComputeHash(ss, &hashes, previousTranscript->buf, previousTranscript->len, tls13_GetHash(ss)); |
1890 | if (rv != SECSuccess) { |
1891 | goto loser; |
1892 | } |
1893 | rv = sslBuffer_AppendNumber(out, ssl_hs_message_hash, 1); |
1894 | if (rv != SECSuccess) { |
1895 | goto loser; |
1896 | } |
1897 | rv = sslBuffer_AppendNumber(out, hashes.len, 3); |
1898 | if (rv != SECSuccess) { |
1899 | goto loser; |
1900 | } |
1901 | rv = sslBuffer_Append(out, hashes.u.raw, hashes.len); |
1902 | if (rv != SECSuccess) { |
1903 | goto loser; |
1904 | } |
1905 | } else { |
1906 | rv = sslBuffer_AppendBuffer(out, previousTranscript); |
1907 | if (rv != SECSuccess) { |
1908 | goto loser; |
1909 | } |
1910 | } |
1911 | /* Ensure the first ClientHello has been hashed. */ |
1912 | PR_ASSERT(out->len == tls13_GetHashSize(ss) + 4)((out->len == tls13_GetHashSize(ss) + 4)?((void)0):PR_Assert ("out->len == tls13_GetHashSize(ss) + 4","tls13ech.c",1912 )); |
1913 | PRINT_BUF(100, (ss, "ECH Client Hello Message Hash", out->buf, out->len))if (ssl_trace >= (100)) ssl_PrintBuf (ss, "ECH Client Hello Message Hash" , out->buf, out->len); |
1914 | /* Message Header */ |
1915 | rv = sslBuffer_AppendNumber(out, ssl_hs_server_hello, 1); |
1916 | if (rv != SECSuccess) { |
1917 | goto loser; |
1918 | } |
1919 | /* Message Size */ |
1920 | rv = sslBuffer_AppendNumber(out, shLen, 3); |
1921 | if (rv != SECSuccess) { |
1922 | goto loser; |
1923 | } |
1924 | /* Calculate where the HRR ECH Xtn Signal begins */ |
1925 | unsigned int absEchOffset; |
1926 | if (ss->sec.isServer) { |
1927 | /* We know the ECH HRR Xtn is last */ |
1928 | PORT_Assert(shLen >= TLS13_ECH_SIGNAL_LEN)((shLen >= 8)?((void)0):PR_Assert("shLen >= TLS13_ECH_SIGNAL_LEN" ,"tls13ech.c",1928)); |
1929 | absEchOffset = shLen - TLS13_ECH_SIGNAL_LEN8; |
1930 | } else { |
1931 | /* We parsed the offset earlier */ |
1932 | /* The result of pointer comparision is unspecified |
1933 | * (and pointer arithemtic is undefined) if the pointers |
1934 | * do not point to the same array or struct. That means these |
1935 | * asserts cannot be relied on for correctness in compiled code, |
1936 | * but may help the reader understand the requirements. |
1937 | */ |
1938 | PORT_Assert(ss->xtnData.ech->hrrConfirmation > sh)((ss->xtnData.ech->hrrConfirmation > sh)?((void)0):PR_Assert ("ss->xtnData.ech->hrrConfirmation > sh","tls13ech.c" ,1938)); |
1939 | PORT_Assert(ss->xtnData.ech->hrrConfirmation < sh + shLen)((ss->xtnData.ech->hrrConfirmation < sh + shLen)?((void )0):PR_Assert("ss->xtnData.ech->hrrConfirmation < sh + shLen" ,"tls13ech.c",1939)); |
1940 | absEchOffset = ss->xtnData.ech->hrrConfirmation - sh; |
1941 | } |
1942 | PR_ASSERT(tls13_Debug_CheckXtnBegins(sh + absEchOffset - 4, ssl_tls13_encrypted_client_hello_xtn))((tls13_Debug_CheckXtnBegins(sh + absEchOffset - 4, ssl_tls13_encrypted_client_hello_xtn ))?((void)0):PR_Assert("tls13_Debug_CheckXtnBegins(sh + absEchOffset - 4, ssl_tls13_encrypted_client_hello_xtn)" ,"tls13ech.c",1942)); |
1943 | /* The HRR up to the ECH Xtn signal */ |
1944 | rv = sslBuffer_Append(out, sh, absEchOffset); |
1945 | if (rv != SECSuccess) { |
1946 | goto loser; |
1947 | } |
1948 | rv = sslBuffer_Append(out, zeroedEchSignal, sizeof(zeroedEchSignal)); |
1949 | if (rv != SECSuccess) { |
1950 | goto loser; |
1951 | } |
1952 | PR_ASSERT(absEchOffset + TLS13_ECH_SIGNAL_LEN <= shLen)((absEchOffset + 8 <= shLen)?((void)0):PR_Assert("absEchOffset + TLS13_ECH_SIGNAL_LEN <= shLen" ,"tls13ech.c",1952)); |
1953 | /* The remainder of the HRR */ |
1954 | rv = sslBuffer_Append(out, sh + absEchOffset + TLS13_ECH_SIGNAL_LEN8, shLen - absEchOffset - TLS13_ECH_SIGNAL_LEN8); |
1955 | if (rv != SECSuccess) { |
1956 | goto loser; |
1957 | } |
1958 | PR_ASSERT(out->len == tls13_GetHashSize(ss) + 4 + shLen + 4)((out->len == tls13_GetHashSize(ss) + 4 + shLen + 4)?((void )0):PR_Assert("out->len == tls13_GetHashSize(ss) + 4 + shLen + 4" ,"tls13ech.c",1958)); |
1959 | return SECSuccess; |
1960 | loser: |
1961 | sslBuffer_Clear(out); |
1962 | return SECFailure; |
1963 | } |
1964 | |
1965 | static SECStatus |
1966 | tls13_ComputeEchServerHelloTranscript(sslSocket *ss, const PRUint8 *sh, unsigned int shLen, sslBuffer *out) |
1967 | { |
1968 | SECStatus rv; |
1969 | sslBuffer *chSource = ss->sec.isServer ? &ss->ssl3.hs.messages : &ss->ssl3.hs.echInnerMessages; |
1970 | unsigned int offset = sizeof(SSL3ProtocolVersion) + |
1971 | SSL3_RANDOM_LENGTH32 - TLS13_ECH_SIGNAL_LEN8; |
1972 | PORT_Assert(sh && shLen > offset)((sh && shLen > offset)?((void)0):PR_Assert("sh && shLen > offset" ,"tls13ech.c",1972)); |
1973 | PORT_Assert(TLS13_ECH_SIGNAL_LEN <= SSL3_RANDOM_LENGTH)((8 <= 32)?((void)0):PR_Assert("TLS13_ECH_SIGNAL_LEN <= SSL3_RANDOM_LENGTH" ,"tls13ech.c",1973)); |
1974 | |
1975 | /* TODO(djackson@mozilla.com) - Replace with streaming version */ |
1976 | |
1977 | rv = sslBuffer_AppendBuffer(out, chSource); |
1978 | if (rv != SECSuccess) { |
1979 | goto loser; |
1980 | } |
1981 | |
1982 | /* Re-create the message header. */ |
1983 | rv = sslBuffer_AppendNumber(out, ssl_hs_server_hello, 1); |
1984 | if (rv != SECSuccess) { |
1985 | goto loser; |
1986 | } |
1987 | |
1988 | rv = sslBuffer_AppendNumber(out, shLen, 3); |
1989 | if (rv != SECSuccess) { |
1990 | goto loser; |
1991 | } |
1992 | |
1993 | /* Copy the version and 24B of server_random. */ |
1994 | rv = sslBuffer_Append(out, sh, offset); |
1995 | if (rv != SECSuccess) { |
1996 | goto loser; |
1997 | } |
1998 | |
1999 | /* Zero the signal placeholder. */ |
2000 | rv = sslBuffer_AppendNumber(out, 0, TLS13_ECH_SIGNAL_LEN8); |
2001 | if (rv != SECSuccess) { |
2002 | goto loser; |
2003 | } |
2004 | offset += TLS13_ECH_SIGNAL_LEN8; |
2005 | |
2006 | /* Use the remainder of SH. */ |
2007 | rv = sslBuffer_Append(out, &sh[offset], shLen - offset); |
2008 | if (rv != SECSuccess) { |
2009 | goto loser; |
2010 | } |
2011 | sslBuffer_Clear(&ss->ssl3.hs.messages); |
2012 | sslBuffer_Clear(&ss->ssl3.hs.echInnerMessages); |
2013 | return SECSuccess; |
2014 | loser: |
2015 | sslBuffer_Clear(&ss->ssl3.hs.messages); |
2016 | sslBuffer_Clear(&ss->ssl3.hs.echInnerMessages); |
2017 | sslBuffer_Clear(out); |
2018 | return SECFailure; |
2019 | } |
2020 | |
2021 | /* Compute the ECH signal using the transcript (up to, including) |
2022 | * ServerHello. The server sources this transcript prefix from |
2023 | * ss->ssl3.hs.messages, as it never uses ss->ssl3.hs.echInnerMessages. |
2024 | * The client uses the inner transcript, echInnerMessages. */ |
2025 | SECStatus |
2026 | tls13_ComputeEchSignal(sslSocket *ss, PRBool isHrr, const PRUint8 *sh, unsigned int shLen, PRUint8 *out) |
2027 | { |
2028 | SECStatus rv; |
2029 | sslBuffer confMsgs = SSL_BUFFER_EMPTY{ ((void*)0), 0, 0, 0 }; |
2030 | SSL3Hashes hashes; |
2031 | PK11SymKey *echSecret = NULL((void*)0); |
2032 | |
2033 | const char *hkdfInfo = isHrr ? kHkdfInfoEchHrrConfirm : kHkdfInfoEchConfirm; |
2034 | const size_t hkdfInfoLen = strlen(hkdfInfo); |
2035 | |
2036 | PRINT_BUF(100, (ss, "ECH Server Hello", sh, shLen))if (ssl_trace >= (100)) ssl_PrintBuf (ss, "ECH Server Hello" , sh, shLen); |
2037 | |
2038 | if (isHrr) { |
2039 | rv = tls13_ComputeEchHelloRetryTranscript(ss, sh, shLen, &confMsgs); |
2040 | } else { |
2041 | rv = tls13_ComputeEchServerHelloTranscript(ss, sh, shLen, &confMsgs); |
2042 | } |
2043 | if (rv != SECSuccess) { |
2044 | goto loser; |
2045 | } |
2046 | PRINT_BUF(100, (ss, "ECH Transcript", confMsgs.buf, confMsgs.len))if (ssl_trace >= (100)) ssl_PrintBuf (ss, "ECH Transcript" , confMsgs.buf, confMsgs.len); |
2047 | rv = tls13_ComputeHash(ss, &hashes, confMsgs.buf, confMsgs.len, |
2048 | tls13_GetHash(ss)); |
2049 | if (rv != SECSuccess) { |
2050 | goto loser; |
2051 | } |
2052 | PRINT_BUF(100, (ss, "ECH Transcript Hash", &hashes.u, hashes.len))if (ssl_trace >= (100)) ssl_PrintBuf (ss, "ECH Transcript Hash" , &hashes.u, hashes.len); |
2053 | rv = tls13_DeriveEchSecret(ss, &echSecret); |
2054 | if (rv != SECSuccess) { |
2055 | return SECFailure; |
2056 | } |
2057 | rv = tls13_HkdfExpandLabelRaw(echSecret, tls13_GetHash(ss), hashes.u.raw, |
2058 | hashes.len, hkdfInfo, hkdfInfoLen, ss->protocolVariant, |
2059 | out, TLS13_ECH_SIGNAL_LEN8); |
2060 | if (rv != SECSuccess) { |
2061 | return SECFailure; |
2062 | } |
2063 | SSL_TRC(50, ("%d: TLS13[%d]: %s computed ECH signal", SSL_GETPID(), ss->fd, SSL_ROLE(ss)))if (ssl_trace >= (50)) ssl_Trace ("%d: TLS13[%d]: %s computed ECH signal" , getpid(), ss->fd, (ss->sec.isServer ? "server" : "client" )); |
2064 | PRINT_BUF(50, (ss, "Computed ECH Signal", out, TLS13_ECH_SIGNAL_LEN))if (ssl_trace >= (50)) ssl_PrintBuf (ss, "Computed ECH Signal" , out, 8); |
2065 | PK11_FreeSymKey(echSecret); |
2066 | sslBuffer_Clear(&confMsgs); |
2067 | return SECSuccess; |
2068 | |
2069 | loser: |
2070 | PK11_FreeSymKey(echSecret); |
2071 | sslBuffer_Clear(&confMsgs); |
2072 | return SECFailure; |
2073 | } |
2074 | |
2075 | /* Ech Secret is HKDF-Extract(0, ClientHelloInner.random) where |
2076 | "0" is a string of Hash.len bytes of value 0. */ |
2077 | SECStatus |
2078 | tls13_DeriveEchSecret(const sslSocket *ss, PK11SymKey **output) |
2079 | { |
2080 | SECStatus rv; |
2081 | PK11SlotInfo *slot = NULL((void*)0); |
2082 | PK11SymKey *crKey = NULL((void*)0); |
2083 | SECItem rawKey; |
2084 | const unsigned char *client_random = ss->sec.isServer ? ss->ssl3.hs.client_random : ss->ssl3.hs.client_inner_random; |
2085 | PRINT_BUF(50, (ss, "Client Random for ECH", client_random, SSL3_RANDOM_LENGTH))if (ssl_trace >= (50)) ssl_PrintBuf (ss, "Client Random for ECH" , client_random, 32); |
2086 | /* We need a SECItem */ |
2087 | rv = SECITEM_MakeItem(NULL((void*)0), &rawKey, client_random, SSL3_RANDOM_LENGTH32); |
2088 | if (rv != SECSuccess) { |
2089 | goto cleanup; |
2090 | } |
2091 | /* We need a slot*/ |
2092 | slot = PK11_GetBestSlot(CKM_HKDF_DERIVE0x0000402aUL, NULL((void*)0)); |
2093 | if (!slot) { |
2094 | rv = SECFailure; |
2095 | goto cleanup; |
2096 | } |
2097 | /* We import the key */ |
2098 | crKey = PK11_ImportDataKey(slot, CKM_HKDF_DERIVE0x0000402aUL, PK11_OriginUnwrap, |
2099 | CKA_DERIVE0x0000010CUL, &rawKey, NULL((void*)0)); |
2100 | if (crKey == NULL((void*)0)) { |
2101 | rv = SECFailure; |
2102 | goto cleanup; |
2103 | } |
2104 | /* NULL will be expanded to 0s of hash length */ |
2105 | rv = tls13_HkdfExtract(NULL((void*)0), crKey, tls13_GetHash(ss), output); |
2106 | if (rv != SECSuccess) { |
2107 | goto cleanup; |
2108 | } |
2109 | SSL_TRC(50, ("%d: TLS13[%d]: ECH Confirmation Key Derived.",if (ssl_trace >= (50)) ssl_Trace ("%d: TLS13[%d]: ECH Confirmation Key Derived." , getpid(), ss->fd) |
2110 | SSL_GETPID(), ss->fd))if (ssl_trace >= (50)) ssl_Trace ("%d: TLS13[%d]: ECH Confirmation Key Derived." , getpid(), ss->fd); |
2111 | PRINT_KEY(50, (NULL, "ECH Confirmation Key", *output))if (ssl_trace >= (50)) ssl_PrintKey (((void*)0), "ECH Confirmation Key" , *output); |
2112 | cleanup: |
2113 | SECITEM_ZfreeItemSECITEM_ZfreeItem_Util(&rawKey, PR_FALSE0); |
2114 | if (slot) { |
2115 | PK11_FreeSlot(slot); |
2116 | } |
2117 | if (crKey) { |
2118 | PK11_FreeSymKey(crKey); |
2119 | } |
2120 | if (rv != SECSuccess && *output) { |
2121 | PK11_FreeSymKey(*output); |
2122 | *output = NULL((void*)0); |
2123 | } |
2124 | return rv; |
2125 | } |
2126 | |
2127 | /* Called just prior to padding the CH. Use the size of the CH to estimate |
2128 | * the size of a corresponding ECH extension, then add it to the buffer. */ |
2129 | SECStatus |
2130 | tls13_MaybeGreaseEch(sslSocket *ss, const sslBuffer *preamble, sslBuffer *buf) |
2131 | { |
2132 | SECStatus rv; |
2133 | sslBuffer chInnerXtns = SSL_BUFFER_EMPTY{ ((void*)0), 0, 0, 0 }; |
2134 | sslBuffer encodedCh = SSL_BUFFER_EMPTY{ ((void*)0), 0, 0, 0 }; |
2135 | sslBuffer greaseBuf = SSL_BUFFER_EMPTY{ ((void*)0), 0, 0, 0 }; |
2136 | unsigned int payloadLen; |
2137 | HpkeAeadId aead; |
2138 | PK11SlotInfo *slot = NULL((void*)0); |
2139 | PK11SymKey *hmacPrk = NULL((void*)0); |
2140 | PK11SymKey *derivedData = NULL((void*)0); |
2141 | SECItem *rawData; |
2142 | CK_HKDF_PARAMS params; |
2143 | SECItem paramsi; |
2144 | /* 1B aead determinant (don't send), 1B config_id, 32B enc, payload */ |
2145 | PR_ASSERT(!ss->sec.isServer)((!ss->sec.isServer)?((void)0):PR_Assert("!ss->sec.isServer" ,"tls13ech.c",2145)); |
2146 | const int kNonPayloadLen = 34; |
2147 | |
2148 | if (!ss->opt.enableTls13GreaseEch || ss->ssl3.hs.echHpkeCtx) { |
2149 | return SECSuccess; |
2150 | } |
2151 | |
2152 | if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_30x0304 || |
2153 | IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram)) { |
2154 | return SECSuccess; |
2155 | } |
2156 | |
2157 | /* In draft-09, CH2 sends exactly the same GREASE ECH extension. */ |
2158 | if (ss->ssl3.hs.helloRetry) { |
2159 | return ssl3_EmplaceExtension(ss, buf, ssl_tls13_encrypted_client_hello_xtn, |
2160 | ss->ssl3.hs.greaseEchBuf.buf, |
2161 | ss->ssl3.hs.greaseEchBuf.len, PR_TRUE1); |
2162 | } |
2163 | |
2164 | /* Compress the extensions for payload length. */ |
2165 | rv = tls13_ConstructInnerExtensionsFromOuter(ss, buf, &chInnerXtns, |
2166 | NULL((void*)0), PR_TRUE1); |
2167 | if (rv != SECSuccess) { |
2168 | goto loser; /* Code set */ |
2169 | } |
2170 | rv = tls13_EncodeClientHelloInner(ss, preamble, &chInnerXtns, &encodedCh); |
2171 | if (rv != SECSuccess) { |
2172 | goto loser; /* Code set */ |
2173 | } |
2174 | rv = tls13_PadChInner(&encodedCh, ss->ssl3.hs.greaseEchSize, strlen(ss->url)); |
2175 | |
2176 | payloadLen = encodedCh.len; |
2177 | payloadLen += TLS13_ECH_AEAD_TAG_LEN16; /* Aead tag */ |
2178 | |
2179 | /* HMAC-Expand to get something that will pass for ciphertext. */ |
2180 | slot = PK11_GetBestSlot(CKM_HKDF_DERIVE0x0000402aUL, NULL((void*)0)); |
2181 | if (!slot) { |
2182 | goto loser; |
2183 | } |
2184 | |
2185 | hmacPrk = PK11_KeyGen(slot, CKM_HKDF_DATA0x0000402bUL, NULL((void*)0), SHA256_LENGTH32, NULL((void*)0)); |
2186 | if (!hmacPrk) { |
2187 | goto loser; |
2188 | } |
2189 | |
2190 | params.bExtract = CK_FALSE0; |
2191 | params.bExpand = CK_TRUE1; |
2192 | params.prfHashMechanism = CKM_SHA2560x00000250UL; |
2193 | params.pInfo = NULL((void*)0); |
2194 | params.ulInfoLen = 0; |
2195 | paramsi.data = (unsigned char *)¶ms; |
2196 | paramsi.len = sizeof(params); |
2197 | derivedData = PK11_DeriveWithFlags(hmacPrk, CKM_HKDF_DATA0x0000402bUL, |
2198 | ¶msi, CKM_HKDF_DATA0x0000402bUL, |
2199 | CKA_DERIVE0x0000010CUL, kNonPayloadLen + payloadLen, |
2200 | CKF_VERIFY0x00002000); |
2201 | if (!derivedData) { |
2202 | goto loser; |
2203 | } |
2204 | |
2205 | rv = PK11_ExtractKeyValue(derivedData); |
2206 | if (rv != SECSuccess) { |
2207 | goto loser; |
2208 | } |
2209 | |
2210 | rawData = PK11_GetKeyData(derivedData); |
2211 | if (!rawData) { |
2212 | goto loser; |
2213 | } |
2214 | PORT_Assert(rawData->len == kNonPayloadLen + payloadLen)((rawData->len == kNonPayloadLen + payloadLen)?((void)0):PR_Assert ("rawData->len == kNonPayloadLen + payloadLen","tls13ech.c" ,2214)); |
2215 | |
2216 | /* struct { |
2217 | HpkeSymmetricCipherSuite cipher_suite; // kdf_id, aead_id |
2218 | PRUint8 config_id; |
2219 | opaque enc<1..2^16-1>; |
2220 | opaque payload<1..2^16-1>; |
2221 | } ClientECH; */ |
2222 | |
2223 | rv = sslBuffer_AppendNumber(&greaseBuf, ech_xtn_type_outer, 1); |
2224 | if (rv != SECSuccess) { |
2225 | goto loser; |
2226 | } |
2227 | /* Only support SHA256. */ |
2228 | rv = sslBuffer_AppendNumber(&greaseBuf, HpkeKdfHkdfSha256, 2); |
2229 | if (rv != SECSuccess) { |
2230 | goto loser; |
2231 | } |
2232 | |
2233 | /* HpkeAeadAes128Gcm = 1, HpkeAeadChaCha20Poly1305 = 3, */ |
2234 | aead = (rawData->data[0] & 1) ? HpkeAeadAes128Gcm : HpkeAeadChaCha20Poly1305; |
2235 | rv = sslBuffer_AppendNumber(&greaseBuf, aead, 2); |
2236 | if (rv != SECSuccess) { |
2237 | goto loser; |
2238 | } |
2239 | |
2240 | /* config_id */ |
2241 | rv = sslBuffer_AppendNumber(&greaseBuf, rawData->data[1], 1); |
2242 | if (rv != SECSuccess) { |
2243 | goto loser; |
2244 | } |
2245 | |
2246 | /* enc len is fixed 32B for X25519. */ |
2247 | rv = sslBuffer_AppendVariable(&greaseBuf, &rawData->data[2], 32, 2); |
2248 | if (rv != SECSuccess) { |
2249 | goto loser; |
2250 | } |
2251 | |
2252 | rv = sslBuffer_AppendVariable(&greaseBuf, &rawData->data[kNonPayloadLen], payloadLen, 2); |
2253 | if (rv != SECSuccess) { |
2254 | goto loser; |
2255 | } |
2256 | |
2257 | /* Mark ECH as advertised so that we can validate any response. |
2258 | * We'll use echHpkeCtx to determine if we sent real or GREASE ECH. */ |
2259 | rv = ssl3_EmplaceExtension(ss, buf, ssl_tls13_encrypted_client_hello_xtn, |
2260 | greaseBuf.buf, greaseBuf.len, PR_TRUE1); |
2261 | if (rv != SECSuccess) { |
2262 | goto loser; |
2263 | } |
2264 | |
2265 | /* Stash the GREASE ECH extension - in the case of HRR, CH2 must echo it. */ |
2266 | ss->ssl3.hs.greaseEchBuf = greaseBuf; |
2267 | |
2268 | sslBuffer_Clear(&chInnerXtns); |
2269 | sslBuffer_Clear(&encodedCh); |
2270 | PK11_FreeSymKey(hmacPrk); |
2271 | PK11_FreeSymKey(derivedData); |
2272 | PK11_FreeSlot(slot); |
2273 | return SECSuccess; |
2274 | |
2275 | loser: |
2276 | sslBuffer_Clear(&chInnerXtns); |
2277 | sslBuffer_Clear(&encodedCh); |
2278 | PK11_FreeSymKey(hmacPrk); |
2279 | PK11_FreeSymKey(derivedData); |
2280 | if (slot) { |
2281 | PK11_FreeSlot(slot); |
2282 | } |
2283 | return SECFailure; |
2284 | } |
2285 | |
2286 | SECStatus |
2287 | tls13_MaybeHandleEch(sslSocket *ss, const PRUint8 *msg, PRUint32 msgLen, SECItem *sidBytes, |
2288 | SECItem *comps, SECItem *cookieBytes, SECItem *suites, SECItem **echInner) |
2289 | { |
2290 | SECStatus rv; |
2291 | SECItem *tmpEchInner = NULL((void*)0); |
2292 | PRUint8 *b; |
2293 | PRUint32 length; |
2294 | TLSExtension *echExtension; |
2295 | TLSExtension *versionExtension; |
2296 | PORT_Assert(!ss->ssl3.hs.echAccepted)((!ss->ssl3.hs.echAccepted)?((void)0):PR_Assert("!ss->ssl3.hs.echAccepted" ,"tls13ech.c",2296)); |
2297 | SECItem tmpSid = { siBuffer, NULL((void*)0), 0 }; |
2298 | SECItem tmpCookie = { siBuffer, NULL((void*)0), 0 }; |
2299 | SECItem tmpSuites = { siBuffer, NULL((void*)0), 0 }; |
2300 | SECItem tmpComps = { siBuffer, NULL((void*)0), 0 }; |
2301 | |
2302 | echExtension = ssl3_FindExtension(ss, ssl_tls13_encrypted_client_hello_xtn); |
2303 | if (echExtension) { |
2304 | rv = tls13_ServerHandleOuterEchXtn(ss, &ss->xtnData, &echExtension->data); |
2305 | if (rv != SECSuccess) { |
2306 | goto loser; /* code set, alert sent. */ |
2307 | } |
2308 | rv = tls13_MaybeAcceptEch(ss, sidBytes, msg, msgLen, &tmpEchInner); |
2309 | if (rv != SECSuccess) { |
2310 | goto loser; /* code set, alert sent. */ |
2311 | } |
2312 | } |
2313 | ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_ech(1U << 4); |
2314 | |
2315 | if (ss->ssl3.hs.echAccepted) { |
2316 | PORT_Assert(tmpEchInner)((tmpEchInner)?((void)0):PR_Assert("tmpEchInner","tls13ech.c" ,2316)); |
2317 | PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.remoteExtensions))((!((&ss->ssl3.hs.remoteExtensions)->next == (& ss->ssl3.hs.remoteExtensions)))?((void)0):PR_Assert("!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.remoteExtensions)" ,"tls13ech.c",2317)); |
2318 | |
2319 | /* Start over on ECHInner */ |
2320 | b = tmpEchInner->data; |
2321 | length = tmpEchInner->len; |
2322 | rv = ssl3_HandleClientHelloPreamble(ss, &b, &length, &tmpSid, |
2323 | &tmpCookie, &tmpSuites, &tmpComps); |
2324 | if (rv != SECSuccess) { |
2325 | goto loser; /* code set, alert sent. */ |
2326 | } |
2327 | |
2328 | versionExtension = ssl3_FindExtension(ss, ssl_tls13_supported_versions_xtn); |
2329 | if (!versionExtension) { |
2330 | FATAL_ERROR(ss, SSL_ERROR_UNSUPPORTED_VERSION, illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_UNSUPPORTED_VERSION, __func__ , "tls13ech.c", 2330); PORT_SetError_Util(SSL_ERROR_UNSUPPORTED_VERSION ); } while (0); tls13_FatalError(ss, SSL_ERROR_UNSUPPORTED_VERSION , illegal_parameter); } while (0); |
2331 | goto loser; |
2332 | } |
2333 | rv = tls13_NegotiateVersion(ss, versionExtension); |
2334 | if (rv != SECSuccess) { |
2335 | /* code and alert set by tls13_NegotiateVersion */ |
2336 | goto loser; |
2337 | } |
2338 | |
2339 | *comps = tmpComps; |
2340 | *cookieBytes = tmpCookie; |
2341 | *sidBytes = tmpSid; |
2342 | *suites = tmpSuites; |
2343 | *echInner = tmpEchInner; |
2344 | } |
2345 | return SECSuccess; |
2346 | |
2347 | loser: |
2348 | SECITEM_FreeItemSECITEM_FreeItem_Util(tmpEchInner, PR_TRUE1); |
2349 | PORT_Assert(PORT_GetError() != 0)((PORT_GetError_Util() != 0)?((void)0):PR_Assert("PORT_GetError() != 0" ,"tls13ech.c",2349)); |
2350 | return SECFailure; |
2351 | } |
2352 | |
2353 | SECStatus |
2354 | tls13_MaybeHandleEchSignal(sslSocket *ss, const PRUint8 *sh, PRUint32 shLen, PRBool isHrr) |
2355 | { |
2356 | SECStatus rv; |
2357 | PRUint8 computed[TLS13_ECH_SIGNAL_LEN8]; |
2358 | const PRUint8 *signal; |
2359 | PORT_Assert(!ss->sec.isServer)((!ss->sec.isServer)?((void)0):PR_Assert("!ss->sec.isServer" ,"tls13ech.c",2359)); |
2360 | |
2361 | /* If !echHpkeCtx, we either didn't advertise or sent GREASE ECH. */ |
2362 | if (!ss->ssl3.hs.echHpkeCtx) { |
2363 | SSL_TRC(50, ("%d: TLS13[%d]: client only sent GREASE ECH",if (ssl_trace >= (50)) ssl_Trace ("%d: TLS13[%d]: client only sent GREASE ECH" , getpid(), ss->fd) |
2364 | SSL_GETPID(), ss->fd))if (ssl_trace >= (50)) ssl_Trace ("%d: TLS13[%d]: client only sent GREASE ECH" , getpid(), ss->fd); |
2365 | ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_ech(1U << 4); |
2366 | return SECSuccess; |
2367 | } |
2368 | |
2369 | PORT_Assert(!IS_DTLS(ss))((!(ss->protocolVariant == ssl_variant_datagram))?((void)0 ):PR_Assert("!IS_DTLS(ss)","tls13ech.c",2369)); |
2370 | |
2371 | if (isHrr) { |
2372 | if (ss->xtnData.ech) { |
2373 | signal = ss->xtnData.ech->hrrConfirmation; |
2374 | } else { |
2375 | SSL_TRC(50, ("%d: TLS13[%d]: client did not receive ECH Xtn from Server HRR",if (ssl_trace >= (50)) ssl_Trace ("%d: TLS13[%d]: client did not receive ECH Xtn from Server HRR" , getpid(), ss->fd) |
2376 | SSL_GETPID(), ss->fd))if (ssl_trace >= (50)) ssl_Trace ("%d: TLS13[%d]: client did not receive ECH Xtn from Server HRR" , getpid(), ss->fd); |
2377 | signal = NULL((void*)0); |
2378 | ss->ssl3.hs.echAccepted = PR_FALSE0; |
2379 | ss->ssl3.hs.echDecided = PR_TRUE1; |
2380 | } |
2381 | } else { |
2382 | signal = &ss->ssl3.hs.server_random[SSL3_RANDOM_LENGTH32 - TLS13_ECH_SIGNAL_LEN8]; |
2383 | } |
2384 | |
2385 | PORT_Assert(ssl3_ExtensionAdvertised(ss, ssl_tls13_encrypted_client_hello_xtn))((ssl3_ExtensionAdvertised(ss, ssl_tls13_encrypted_client_hello_xtn ))?((void)0):PR_Assert("ssl3_ExtensionAdvertised(ss, ssl_tls13_encrypted_client_hello_xtn)" ,"tls13ech.c",2385)); |
2386 | |
2387 | /* Check ECH Confirmation for HRR ECH Xtn or ServerHello Random */ |
2388 | if (signal) { |
2389 | rv = tls13_ComputeEchSignal(ss, isHrr, sh, shLen, computed); |
2390 | if (rv != SECSuccess) { |
2391 | return SECFailure; |
2392 | } |
2393 | PRINT_BUF(100, (ss, "Server Signal", signal, TLS13_ECH_SIGNAL_LEN))if (ssl_trace >= (100)) ssl_PrintBuf (ss, "Server Signal", signal, 8); |
2394 | PRBool new_decision = !NSS_SecureMemcmp(computed, signal, TLS13_ECH_SIGNAL_LEN8); |
2395 | /* Server can't change its mind on whether to accept ECH */ |
2396 | if (ss->ssl3.hs.echDecided && new_decision != ss->ssl3.hs.echAccepted) { |
2397 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_SERVER_HELLO, illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_SERVER_HELLO, __func__ , "tls13ech.c", 2397); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_SERVER_HELLO ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_SERVER_HELLO , illegal_parameter); } while (0); |
2398 | return SECFailure; |
2399 | } |
2400 | ss->ssl3.hs.echAccepted = new_decision; |
2401 | ss->ssl3.hs.echDecided = PR_TRUE1; |
2402 | } |
2403 | |
2404 | ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_ech(1U << 4); |
2405 | if (ss->ssl3.hs.echAccepted) { |
2406 | if (ss->version < SSL_LIBRARY_VERSION_TLS_1_30x0304) { |
2407 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_SERVER_HELLO, illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_SERVER_HELLO, __func__ , "tls13ech.c", 2407); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_SERVER_HELLO ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_SERVER_HELLO , illegal_parameter); } while (0); |
2408 | return SECFailure; |
2409 | } |
2410 | /* Server accepted, but sent an extension which was only advertised in the ClientHelloOuter */ |
2411 | if (ss->ssl3.hs.echInvalidExtension) { |
2412 | (void)SSL3_SendAlert(ss, alert_fatal, unsupported_extension); |
2413 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_RX_UNEXPECTED_EXTENSION); |
2414 | return SECFailure; |
2415 | } |
2416 | |
2417 | /* Swap the advertised lists as we've accepted ECH. */ |
2418 | PRUint16 *tempArray = ss->xtnData.advertised; |
2419 | PRUint16 tempNum = ss->xtnData.numAdvertised; |
2420 | |
2421 | ss->xtnData.advertised = ss->xtnData.echAdvertised; |
2422 | ss->xtnData.numAdvertised = ss->xtnData.echNumAdvertised; |
2423 | |
2424 | ss->xtnData.echAdvertised = tempArray; |
2425 | ss->xtnData.echNumAdvertised = tempNum; |
2426 | |
2427 | /* |enc| must not be included in CH2.ClientECH. */ |
2428 | if (ss->ssl3.hs.helloRetry && ss->sec.isServer && |
2429 | ss->xtnData.ech->senderPubKey.len) { |
2430 | ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); |
2431 | PORT_SetErrorPORT_SetError_Util(SSL_ERROR_BAD_2ND_CLIENT_HELLO); |
2432 | return SECFailure; |
2433 | } |
2434 | ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_tls13_encrypted_client_hello_xtn; |
2435 | |
2436 | /* Only overwrite client_random with client_inner_random if CHInner was |
2437 | * succesfully used for handshake (NOT if HRR is received). */ |
2438 | if (!isHrr) { |
2439 | PORT_Memcpymemcpy(ss->ssl3.hs.client_random, ss->ssl3.hs.client_inner_random, SSL3_RANDOM_LENGTH32); |
2440 | } |
2441 | } |
2442 | /* If rejected, leave echHpkeCtx and echPublicName for rejection paths. */ |
2443 | ssl3_CoalesceEchHandshakeHashes(ss); |
2444 | SSL_TRC(3, ("%d: TLS13[%d]: ECH %s accepted by server",if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: ECH %s accepted by server" , getpid(), ss->fd, ss->ssl3.hs.echAccepted ? "is" : "is not" ) |
2445 | SSL_GETPID(), ss->fd, ss->ssl3.hs.echAccepted ? "is" : "is not"))if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: ECH %s accepted by server" , getpid(), ss->fd, ss->ssl3.hs.echAccepted ? "is" : "is not" ); |
2446 | return SECSuccess; |
2447 | } |
2448 | |
2449 | static SECStatus |
2450 | tls13_UnencodeChInner(sslSocket *ss, const SECItem *sidBytes, SECItem **echInner) |
2451 | { |
2452 | SECStatus rv; |
2453 | sslReadBuffer outerExtensionsList; |
2454 | sslReadBuffer tmpReadBuf; |
2455 | sslBuffer unencodedChInner = SSL_BUFFER_EMPTY{ ((void*)0), 0, 0, 0 }; |
2456 | PRCList *outerCursor; |
2457 | PRCList *innerCursor; |
2458 | PRBool outerFound; |
2459 | PRUint32 xtnsOffset; |
2460 | PRUint64 tmp; |
2461 | PRUint8 *tmpB; |
2462 | PRUint32 tmpLength; |
2463 | sslReader chReader = SSL_READER((*echInner)->data, (*echInner)->len){ { (*echInner)->data, (*echInner)->len }, 0 }; |
2464 | PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.echOuterExtensions))((!((&ss->ssl3.hs.echOuterExtensions)->next == (& ss->ssl3.hs.echOuterExtensions)))?((void)0):PR_Assert("!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.echOuterExtensions)" ,"tls13ech.c",2464)); |
2465 | PORT_Assert(PR_CLIST_IS_EMPTY(&ss->ssl3.hs.remoteExtensions))((((&ss->ssl3.hs.remoteExtensions)->next == (&ss ->ssl3.hs.remoteExtensions)))?((void)0):PR_Assert("PR_CLIST_IS_EMPTY(&ss->ssl3.hs.remoteExtensions)" ,"tls13ech.c",2465)); |
2466 | TLSExtension *echExtension; |
2467 | int error = SSL_ERROR_INTERNAL_ERROR_ALERT; |
2468 | int errDesc = internal_error; |
2469 | |
2470 | PRINT_BUF(100, (ss, "ECH Inner", chReader.buf.buf, chReader.buf.len))if (ssl_trace >= (100)) ssl_PrintBuf (ss, "ECH Inner", chReader .buf.buf, chReader.buf.len); |
2471 | |
2472 | /* unencodedChInner := preamble, tmpReadBuf := encoded extensions. */ |
2473 | rv = tls13_CopyChPreamble(ss, &chReader, sidBytes, &unencodedChInner, &tmpReadBuf); |
2474 | if (rv != SECSuccess) { |
2475 | goto loser; /* code set */ |
2476 | } |
2477 | |
2478 | /* Parse inner extensions into ss->ssl3.hs.remoteExtensions. */ |
2479 | tmpB = CONST_CAST(PRUint8, tmpReadBuf.buf)((PRUint8 *)(tmpReadBuf.buf)); |
2480 | rv = ssl3_ParseExtensions(ss, &tmpB, &tmpReadBuf.len); |
2481 | if (rv != SECSuccess) { |
2482 | goto loser; /* malformed, alert sent. */ |
2483 | } |
2484 | |
2485 | echExtension = ssl3_FindExtension(ss, ssl_tls13_encrypted_client_hello_xtn); |
2486 | if (!echExtension) { |
2487 | error = SSL_ERROR_MISSING_ECH_EXTENSIONSSL_ERROR_MISSING_ESNI_EXTENSION; |
2488 | errDesc = illegal_parameter; |
2489 | goto alert_loser; /* Must have an inner Extension */ |
2490 | } |
2491 | rv = tls13_ServerHandleInnerEchXtn(ss, &ss->xtnData, &echExtension->data); |
2492 | if (rv != SECSuccess) { |
2493 | goto loser; /* code set, alert sent. */ |
2494 | } |
2495 | |
2496 | /* Exit early if there are no outer_extensions to decompress. */ |
2497 | if (!ssl3_FindExtension(ss, ssl_tls13_outer_extensions_xtn)) { |
2498 | rv = sslBuffer_AppendVariable(&unencodedChInner, tmpReadBuf.buf, tmpReadBuf.len, 2); |
2499 | if (rv != SECSuccess) { |
2500 | goto loser; |
2501 | } |
2502 | sslBuffer_Clear(&unencodedChInner); |
2503 | return SECSuccess; |
2504 | } |
2505 | |
2506 | /* Save room for uncompressed length. */ |
2507 | rv = sslBuffer_Skip(&unencodedChInner, 2, &xtnsOffset); |
2508 | if (rv != SECSuccess) { |
2509 | goto loser; |
2510 | } |
2511 | |
2512 | /* For each inner extension: If not outer_extensions, copy it to the output. |
2513 | * Else if outer_extensions, iterate the compressed extension list and append |
2514 | * each full extension as contained in CHOuter. Compressed extensions must be |
2515 | * contiguous, so decompress at the point at which outer_extensions appears. */ |
2516 | for (innerCursor = PR_NEXT_LINK(&ss->ssl3.hs.remoteExtensions)((&ss->ssl3.hs.remoteExtensions)->next); |
2517 | innerCursor != &ss->ssl3.hs.remoteExtensions; |
2518 | innerCursor = PR_NEXT_LINK(innerCursor)((innerCursor)->next)) { |
2519 | TLSExtension *innerExtension = (TLSExtension *)innerCursor; |
2520 | if (innerExtension->type != ssl_tls13_outer_extensions_xtn) { |
2521 | SSL_TRC(10, ("%d: SSL3[%d]: copying inner extension of type %d and size %d directly", SSL_GETPID(),if (ssl_trace >= (10)) ssl_Trace ("%d: SSL3[%d]: copying inner extension of type %d and size %d directly" , getpid(), ss->fd, innerExtension->type, innerExtension ->data.len) |
2522 | ss->fd, innerExtension->type, innerExtension->data.len))if (ssl_trace >= (10)) ssl_Trace ("%d: SSL3[%d]: copying inner extension of type %d and size %d directly" , getpid(), ss->fd, innerExtension->type, innerExtension ->data.len); |
2523 | rv = sslBuffer_AppendNumber(&unencodedChInner, |
2524 | innerExtension->type, 2); |
2525 | if (rv != SECSuccess) { |
2526 | goto loser; |
2527 | } |
2528 | rv = sslBuffer_AppendVariable(&unencodedChInner, |
2529 | innerExtension->data.data, |
2530 | innerExtension->data.len, 2); |
2531 | if (rv != SECSuccess) { |
2532 | goto loser; |
2533 | } |
2534 | continue; |
2535 | } |
2536 | |
2537 | /* Decompress */ |
2538 | sslReader extensionRdr = SSL_READER(innerExtension->data.data,{ { innerExtension->data.data, innerExtension->data.len }, 0 } |
2539 | innerExtension->data.len){ { innerExtension->data.data, innerExtension->data.len }, 0 }; |
2540 | rv = sslRead_ReadVariable(&extensionRdr, 1, &outerExtensionsList); |
2541 | if (rv != SECSuccess) { |
2542 | SSL_TRC(10, ("%d: SSL3[%d]: ECH Outer Extensions has invalid size.",if (ssl_trace >= (10)) ssl_Trace ("%d: SSL3[%d]: ECH Outer Extensions has invalid size." , getpid(), ss->fd) |
2543 | SSL_GETPID(), ss->fd))if (ssl_trace >= (10)) ssl_Trace ("%d: SSL3[%d]: ECH Outer Extensions has invalid size." , getpid(), ss->fd); |
2544 | error = SSL_ERROR_RX_MALFORMED_ECH_EXTENSIONSSL_ERROR_RX_MALFORMED_ESNI_EXTENSION; |
2545 | errDesc = illegal_parameter; |
2546 | goto alert_loser; |
2547 | } |
2548 | if (SSL_READER_REMAINING(&extensionRdr)((&extensionRdr)->buf.len - (&extensionRdr)->offset ) || (outerExtensionsList.len % 2) != 0 || !outerExtensionsList.len) { |
2549 | SSL_TRC(10, ("%d: SSL3[%d]: ECH Outer Extensions has invalid size.",if (ssl_trace >= (10)) ssl_Trace ("%d: SSL3[%d]: ECH Outer Extensions has invalid size." , getpid(), ss->fd) |
2550 | SSL_GETPID(), ss->fd))if (ssl_trace >= (10)) ssl_Trace ("%d: SSL3[%d]: ECH Outer Extensions has invalid size." , getpid(), ss->fd); |
2551 | error = SSL_ERROR_RX_MALFORMED_ECH_EXTENSIONSSL_ERROR_RX_MALFORMED_ESNI_EXTENSION; |
2552 | errDesc = illegal_parameter; |
2553 | goto alert_loser; |
2554 | } |
2555 | |
2556 | outerCursor = &ss->ssl3.hs.echOuterExtensions; |
2557 | sslReader compressedTypes = SSL_READER(outerExtensionsList.buf, outerExtensionsList.len){ { outerExtensionsList.buf, outerExtensionsList.len }, 0 }; |
2558 | while (SSL_READER_REMAINING(&compressedTypes)((&compressedTypes)->buf.len - (&compressedTypes)-> offset)) { |
2559 | outerFound = PR_FALSE0; |
2560 | rv = sslRead_ReadNumber(&compressedTypes, 2, &tmp); |
2561 | if (rv != SECSuccess) { |
2562 | SSL_TRC(10, ("%d: SSL3[%d]: ECH Outer Extensions has invalid contents.",if (ssl_trace >= (10)) ssl_Trace ("%d: SSL3[%d]: ECH Outer Extensions has invalid contents." , getpid(), ss->fd) |
2563 | SSL_GETPID(), ss->fd))if (ssl_trace >= (10)) ssl_Trace ("%d: SSL3[%d]: ECH Outer Extensions has invalid contents." , getpid(), ss->fd); |
2564 | error = SSL_ERROR_RX_MALFORMED_ECH_EXTENSIONSSL_ERROR_RX_MALFORMED_ESNI_EXTENSION; |
2565 | errDesc = illegal_parameter; |
2566 | goto alert_loser; |
2567 | } |
2568 | if (tmp == ssl_tls13_encrypted_client_hello_xtn || |
2569 | tmp == ssl_tls13_outer_extensions_xtn) { |
2570 | SSL_TRC(10, ("%d: SSL3[%d]: ECH Outer Extensions contains an invalid reference.",if (ssl_trace >= (10)) ssl_Trace ("%d: SSL3[%d]: ECH Outer Extensions contains an invalid reference." , getpid(), ss->fd) |
2571 | SSL_GETPID(), ss->fd))if (ssl_trace >= (10)) ssl_Trace ("%d: SSL3[%d]: ECH Outer Extensions contains an invalid reference." , getpid(), ss->fd); |
2572 | error = SSL_ERROR_RX_MALFORMED_ECH_EXTENSIONSSL_ERROR_RX_MALFORMED_ESNI_EXTENSION; |
2573 | errDesc = illegal_parameter; |
2574 | goto alert_loser; |
2575 | } |
2576 | do { |
2577 | const TLSExtension *candidate = (TLSExtension *)outerCursor; |
2578 | /* Advance the outerCursor, we never consider the same xtn twice. */ |
2579 | outerCursor = PR_NEXT_LINK(outerCursor)((outerCursor)->next); |
2580 | if (candidate->type == tmp) { |
2581 | outerFound = PR_TRUE1; |
2582 | SSL_TRC(100, ("%d: SSL3[%d]: Decompressing ECH Inner Extension of type %d",if (ssl_trace >= (100)) ssl_Trace ("%d: SSL3[%d]: Decompressing ECH Inner Extension of type %d" , getpid(), ss->fd, tmp) |
2583 | SSL_GETPID(), ss->fd, tmp))if (ssl_trace >= (100)) ssl_Trace ("%d: SSL3[%d]: Decompressing ECH Inner Extension of type %d" , getpid(), ss->fd, tmp); |
2584 | rv = sslBuffer_AppendNumber(&unencodedChInner, |
2585 | candidate->type, 2); |
2586 | if (rv != SECSuccess) { |
2587 | goto loser; |
2588 | } |
2589 | rv = sslBuffer_AppendVariable(&unencodedChInner, |
2590 | candidate->data.data, |
2591 | candidate->data.len, 2); |
2592 | if (rv != SECSuccess) { |
2593 | goto loser; |
2594 | } |
2595 | break; |
2596 | } |
2597 | } while (outerCursor != &ss->ssl3.hs.echOuterExtensions); |
2598 | if (!outerFound) { |
2599 | SSL_TRC(10, ("%d: SSL3[%d]: ECH Outer Extensions has missing,"if (ssl_trace >= (10)) ssl_Trace ("%d: SSL3[%d]: ECH Outer Extensions has missing," " out of order or duplicate references.", getpid(), ss->fd ) |
2600 | " out of order or duplicate references.",if (ssl_trace >= (10)) ssl_Trace ("%d: SSL3[%d]: ECH Outer Extensions has missing," " out of order or duplicate references.", getpid(), ss->fd ) |
2601 | SSL_GETPID(), ss->fd))if (ssl_trace >= (10)) ssl_Trace ("%d: SSL3[%d]: ECH Outer Extensions has missing," " out of order or duplicate references.", getpid(), ss->fd ); |
2602 | error = SSL_ERROR_RX_MALFORMED_ECH_EXTENSIONSSL_ERROR_RX_MALFORMED_ESNI_EXTENSION; |
2603 | errDesc = illegal_parameter; |
2604 | goto alert_loser; |
2605 | } |
2606 | } |
2607 | } |
2608 | ssl3_DestroyRemoteExtensions(&ss->ssl3.hs.echOuterExtensions); |
2609 | ssl3_DestroyRemoteExtensions(&ss->ssl3.hs.remoteExtensions); |
2610 | |
2611 | /* Correct the message and extensions sizes. */ |
2612 | rv = sslBuffer_InsertNumber(&unencodedChInner, xtnsOffset, |
2613 | unencodedChInner.len - xtnsOffset - 2, 2); |
2614 | if (rv != SECSuccess) { |
2615 | goto loser; |
2616 | } |
2617 | |
2618 | tmpB = &unencodedChInner.buf[xtnsOffset]; |
2619 | tmpLength = unencodedChInner.len - xtnsOffset; |
2620 | rv = ssl3_ConsumeHandshakeNumber64(ss, &tmp, 2, &tmpB, &tmpLength); |
2621 | if (rv != SECSuccess || tmpLength != tmp) { |
2622 | error = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO; |
2623 | errDesc = internal_error; |
2624 | goto alert_loser; |
2625 | } |
2626 | |
2627 | rv = ssl3_ParseExtensions(ss, &tmpB, &tmpLength); |
2628 | if (rv != SECSuccess) { |
2629 | goto loser; /* Error set and alert already sent */ |
2630 | } |
2631 | |
2632 | SECITEM_FreeItemSECITEM_FreeItem_Util(*echInner, PR_FALSE0); |
2633 | (*echInner)->data = unencodedChInner.buf; |
2634 | (*echInner)->len = unencodedChInner.len; |
2635 | return SECSuccess; |
2636 | alert_loser: |
2637 | FATAL_ERROR(ss, error, errDesc)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, error, __func__, "tls13ech.c", 2637); PORT_SetError_Util (error); } while (0); tls13_FatalError(ss, error, errDesc); } while (0); |
2638 | loser: |
2639 | sslBuffer_Clear(&unencodedChInner); |
2640 | return SECFailure; |
2641 | } |
2642 | |
2643 | SECStatus |
2644 | tls13_MaybeAcceptEch(sslSocket *ss, const SECItem *sidBytes, const PRUint8 *chOuter, |
2645 | unsigned int chOuterLen, SECItem **chInner) |
2646 | { |
2647 | SECStatus rv; |
2648 | SECItem outer = { siBuffer, CONST_CAST(PRUint8, chOuter)((PRUint8 *)(chOuter)), chOuterLen }; |
2649 | SECItem *decryptedChInner = NULL((void*)0); |
2650 | SECItem outerAAD = { siBuffer, NULL((void*)0), 0 }; |
2651 | SECItem cookieData = { siBuffer, NULL((void*)0), 0 }; |
2652 | sslEchCookieData echData; |
2653 | sslEchConfig *candidate = NULL((void*)0); /* non-owning */ |
2654 | TLSExtension *hrrXtn; |
2655 | PRBool previouslyOfferedEch; |
2656 | |
2657 | if (!ss->xtnData.ech || ss->xtnData.ech->receivedInnerXtn || IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram)) { |
2658 | ss->ssl3.hs.echDecided = PR_TRUE1; |
2659 | return SECSuccess; |
2660 | } |
2661 | |
2662 | PORT_Assert(ss->xtnData.ech->innerCh.data)((ss->xtnData.ech->innerCh.data)?((void)0):PR_Assert("ss->xtnData.ech->innerCh.data" ,"tls13ech.c",2662)); |
2663 | |
2664 | if (ss->ssl3.hs.helloRetry) { |
2665 | ss->ssl3.hs.echDecided = PR_TRUE1; |
2666 | PORT_Assert(!ss->ssl3.hs.echHpkeCtx)((!ss->ssl3.hs.echHpkeCtx)?((void)0):PR_Assert("!ss->ssl3.hs.echHpkeCtx" ,"tls13ech.c",2666)); |
2667 | hrrXtn = ssl3_FindExtension(ss, ssl_tls13_cookie_xtn); |
2668 | if (!hrrXtn) { |
2669 | /* If the client doesn't echo cookie, we can't decrypt. */ |
2670 | return SECSuccess; |
2671 | } |
2672 | |
2673 | PORT_Assert(!ss->ssl3.hs.echHpkeCtx)((!ss->ssl3.hs.echHpkeCtx)?((void)0):PR_Assert("!ss->ssl3.hs.echHpkeCtx" ,"tls13ech.c",2673)); |
2674 | |
2675 | PRUint8 *tmp = hrrXtn->data.data; |
2676 | PRUint32 len = hrrXtn->data.len; |
2677 | rv = ssl3_ExtConsumeHandshakeVariable(ss, &cookieData, 2, |
2678 | &tmp, &len); |
2679 | if (rv != SECSuccess) { |
2680 | return SECFailure; |
2681 | } |
2682 | |
2683 | /* Extract ECH info without restoring hash state. If there's |
2684 | * something wrong with the cookie, continue without ECH |
2685 | * and let HRR code handle the problem. */ |
2686 | rv = tls13_HandleHrrCookie(ss, cookieData.data, cookieData.len, |
2687 | NULL((void*)0), NULL((void*)0), &previouslyOfferedEch, &echData, PR_FALSE0); |
2688 | if (rv != SECSuccess) { |
2689 | return SECSuccess; |
2690 | } |
2691 | |
2692 | ss->ssl3.hs.echHpkeCtx = echData.hpkeCtx; |
2693 | |
2694 | const PRUint8 greaseConstant[TLS13_ECH_SIGNAL_LEN8] = { 0 }; |
2695 | ss->ssl3.hs.echAccepted = previouslyOfferedEch && |
2696 | !NSS_SecureMemcmp(greaseConstant, echData.signal, TLS13_ECH_SIGNAL_LEN8); |
2697 | |
2698 | if (echData.configId != ss->xtnData.ech->configId || |
2699 | echData.kdfId != ss->xtnData.ech->kdfId || |
2700 | echData.aeadId != ss->xtnData.ech->aeadId) { |
2701 | FATAL_ERROR(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO,do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_BAD_2ND_CLIENT_HELLO, __func__ , "tls13ech.c", 2702); PORT_SetError_Util(SSL_ERROR_BAD_2ND_CLIENT_HELLO ); } while (0); tls13_FatalError(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO , illegal_parameter); } while (0) |
2702 | illegal_parameter)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_BAD_2ND_CLIENT_HELLO, __func__ , "tls13ech.c", 2702); PORT_SetError_Util(SSL_ERROR_BAD_2ND_CLIENT_HELLO ); } while (0); tls13_FatalError(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO , illegal_parameter); } while (0); |
2703 | return SECFailure; |
2704 | } |
2705 | |
2706 | if (!ss->ssl3.hs.echHpkeCtx) { |
2707 | return SECSuccess; |
2708 | } |
2709 | } |
2710 | |
2711 | if (ss->ssl3.hs.echDecided && !ss->ssl3.hs.echAccepted) { |
2712 | /* We don't change our mind */ |
2713 | return SECSuccess; |
2714 | } |
2715 | /* Regardless of where we return, the outcome is decided */ |
2716 | ss->ssl3.hs.echDecided = PR_TRUE1; |
2717 | |
2718 | /* Cookie data was good, proceed with ECH. */ |
2719 | rv = tls13_GetMatchingEchConfigs(ss, ss->xtnData.ech->kdfId, ss->xtnData.ech->aeadId, |
2720 | ss->xtnData.ech->configId, candidate, &candidate); |
2721 | if (rv != SECSuccess) { |
2722 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13ech.c" , 2722); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); tls13_FatalError(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error ); } while (0); |
2723 | return SECFailure; |
2724 | } |
2725 | |
2726 | if (candidate) { |
2727 | rv = tls13_ServerMakeChOuterAAD(ss, chOuter, chOuterLen, &outerAAD); |
2728 | if (rv != SECSuccess) { |
2729 | return SECFailure; |
2730 | } |
2731 | } |
2732 | |
2733 | while (candidate) { |
2734 | rv = tls13_OpenClientHelloInner(ss, &outer, &outerAAD, candidate, &decryptedChInner); |
2735 | if (rv != SECSuccess) { |
2736 | /* Get the next matching config */ |
2737 | rv = tls13_GetMatchingEchConfigs(ss, ss->xtnData.ech->kdfId, ss->xtnData.ech->aeadId, |
2738 | ss->xtnData.ech->configId, candidate, &candidate); |
2739 | if (rv != SECSuccess) { |
2740 | FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SEC_ERROR_LIBRARY_FAILURE, __func__, "tls13ech.c" , 2740); PORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE); } while (0); tls13_FatalError(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error ); } while (0); |
2741 | SECITEM_FreeItemSECITEM_FreeItem_Util(&outerAAD, PR_FALSE0); |
2742 | return SECFailure; |
2743 | } |
2744 | continue; |
2745 | } |
2746 | break; |
2747 | } |
2748 | SECITEM_FreeItemSECITEM_FreeItem_Util(&outerAAD, PR_FALSE0); |
2749 | |
2750 | if (rv != SECSuccess || !decryptedChInner) { |
2751 | if (ss->ssl3.hs.helloRetry) { |
2752 | FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_ECH_EXTENSION, decrypt_error)do { do { if (ssl_trace >= (3)) ssl_Trace ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)" , getpid(), ss->fd, SSL_ERROR_RX_MALFORMED_ESNI_EXTENSION, __func__, "tls13ech.c", 2752); PORT_SetError_Util(SSL_ERROR_RX_MALFORMED_ESNI_EXTENSION ); } while (0); tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_ESNI_EXTENSION , decrypt_error); } while (0); |
2753 | return SECFailure; |
2754 | } else { |
2755 | /* Send retry_configs (if we have any) when we fail to decrypt or |
2756 | * found no candidates. This does *not* count as negotiating ECH. */ |
2757 | return ssl3_RegisterExtensionSender(ss, &ss->xtnData, |
2758 | ssl_tls13_encrypted_client_hello_xtn, |
2759 | tls13_ServerSendEchXtn); |
2760 | } |
2761 | } |
2762 | |
2763 | SSL_TRC(20, ("%d: TLS13[%d]: Successfully opened ECH inner CH",if (ssl_trace >= (20)) ssl_Trace ("%d: TLS13[%d]: Successfully opened ECH inner CH" , getpid(), ss->fd) |
2764 | SSL_GETPID(), ss->fd))if (ssl_trace >= (20)) ssl_Trace ("%d: TLS13[%d]: Successfully opened ECH inner CH" , getpid(), ss->fd); |
2765 | PRINT_BUF(50, (ss, "Compressed CHInner", decryptedChInner->data,if (ssl_trace >= (50)) ssl_PrintBuf (ss, "Compressed CHInner" , decryptedChInner->data, decryptedChInner->len) |
2766 | decryptedChInner->len))if (ssl_trace >= (50)) ssl_PrintBuf (ss, "Compressed CHInner" , decryptedChInner->data, decryptedChInner->len); |
2767 | |
2768 | ss->ssl3.hs.echAccepted = PR_TRUE1; |
2769 | |
2770 | /* Stash the CHOuter extensions. They're not yet handled (only parsed). If |
2771 | * the CHInner contains outer_extensions_xtn, we'll need to reference them. */ |
2772 | ssl3_MoveRemoteExtensions(&ss->ssl3.hs.echOuterExtensions, &ss->ssl3.hs.remoteExtensions); |
2773 | |
2774 | rv = tls13_UnencodeChInner(ss, sidBytes, &decryptedChInner); |
2775 | if (rv != SECSuccess) { |
2776 | SECITEM_FreeItemSECITEM_FreeItem_Util(decryptedChInner, PR_TRUE1); |
2777 | return SECFailure; /* code set */ |
2778 | } |
2779 | PRINT_BUF(50, (ss, "Uncompressed CHInner", decryptedChInner->data,if (ssl_trace >= (50)) ssl_PrintBuf (ss, "Uncompressed CHInner" , decryptedChInner->data, decryptedChInner->len) |
2780 | decryptedChInner->len))if (ssl_trace >= (50)) ssl_PrintBuf (ss, "Uncompressed CHInner" , decryptedChInner->data, decryptedChInner->len); |
2781 | *chInner = decryptedChInner; |
2782 | return SECSuccess; |
2783 | } |
2784 | |
2785 | SECStatus |
2786 | tls13_WriteServerEchSignal(sslSocket *ss, PRUint8 *sh, unsigned int shLen) |
2787 | { |
2788 | SECStatus rv; |
2789 | PRUint8 signal[TLS13_ECH_SIGNAL_LEN8]; |
2790 | PRUint8 *msg_random = &sh[sizeof(SSL3ProtocolVersion)]; |
2791 | |
2792 | PORT_Assert(shLen > sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH)((shLen > sizeof(SSL3ProtocolVersion) + 32)?((void)0):PR_Assert ("shLen > sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH" ,"tls13ech.c",2792)); |
2793 | PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3)((ss->version >= 0x0304)?((void)0):PR_Assert("ss->version >= SSL_LIBRARY_VERSION_TLS_1_3" ,"tls13ech.c",2793)); |
2794 | |
2795 | rv = tls13_ComputeEchSignal(ss, PR_FALSE0, sh, shLen, signal); |
2796 | if (rv != SECSuccess) { |
2797 | return SECFailure; |
2798 | } |
2799 | PRUint8 *dest = &msg_random[SSL3_RANDOM_LENGTH32 - TLS13_ECH_SIGNAL_LEN8]; |
2800 | PORT_Memcpymemcpy(dest, signal, TLS13_ECH_SIGNAL_LEN8); |
2801 | |
2802 | /* Keep the socket copy consistent. */ |
2803 | PORT_Assert(0 == memcmp(msg_random, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH - TLS13_ECH_SIGNAL_LEN))((0 == memcmp(msg_random, &ss->ssl3.hs.server_random, 32 - 8))?((void)0):PR_Assert("0 == memcmp(msg_random, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH - TLS13_ECH_SIGNAL_LEN)" ,"tls13ech.c",2803)); |
2804 | dest = &ss->ssl3.hs.server_random[SSL3_RANDOM_LENGTH32 - TLS13_ECH_SIGNAL_LEN8]; |
2805 | PORT_Memcpymemcpy(dest, signal, TLS13_ECH_SIGNAL_LEN8); |
2806 | |
2807 | return SECSuccess; |
2808 | } |
2809 | |
2810 | SECStatus |
2811 | tls13_WriteServerEchHrrSignal(sslSocket *ss, PRUint8 *sh, unsigned int shLen) |
2812 | { |
2813 | SECStatus rv; |
2814 | PR_ASSERT(shLen >= 4 + TLS13_ECH_SIGNAL_LEN)((shLen >= 4 + 8)?((void)0):PR_Assert("shLen >= 4 + TLS13_ECH_SIGNAL_LEN" ,"tls13ech.c",2814)); |
2815 | /* We put the HRR ECH extension last. */ |
2816 | PRUint8 *placeholder_location = sh + shLen - TLS13_ECH_SIGNAL_LEN8; |
2817 | /* Defensive check that we are overwriting the contents of the right extension */ |
2818 | PR_ASSERT(tls13_Debug_CheckXtnBegins(placeholder_location - 4, ssl_tls13_encrypted_client_hello_xtn))((tls13_Debug_CheckXtnBegins(placeholder_location - 4, ssl_tls13_encrypted_client_hello_xtn ))?((void)0):PR_Assert("tls13_Debug_CheckXtnBegins(placeholder_location - 4, ssl_tls13_encrypted_client_hello_xtn)" ,"tls13ech.c",2818)); |
2819 | /* Calculate signal and overwrite */ |
2820 | rv = tls13_ComputeEchSignal(ss, PR_TRUE1, sh, shLen, placeholder_location); |
2821 | if (rv != SECSuccess) { |
2822 | return SECFailure; |
2823 | } |
2824 | /* Free HRR GREASE/accept_confirmation value, it MUST be restored from |
2825 | * cookie when handling CH2 after HRR. */ |
2826 | sslBuffer_Clear(&ss->ssl3.hs.greaseEchBuf); |
2827 | return SECSuccess; |
2828 | } |