Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1135)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/third_party/nss/ssl/tls13con.c

Issue 1844813002: Uprev NSS to 3.23 on iOS (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: One more GN fix Created 4 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/third_party/nss/ssl/tls13con.h ('k') | net/third_party/nss/ssl/tls13hkdf.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /*
3 * TLS 1.3 Protocol
4 *
5 * This Source Code Form is subject to the terms of the Mozilla Public
6 * License, v. 2.0. If a copy of the MPL was not distributed with this
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
8
9 #include "stdarg.h"
10 #include "cert.h"
11 #include "ssl.h"
12 #include "keyhi.h"
13 #include "pk11func.h"
14 #include "secitem.h"
15 #include "sslimpl.h"
16 #include "sslproto.h"
17 #include "sslerr.h"
18 #include "tls13hkdf.h"
19 #include "tls13con.h"
20
21 typedef enum {
22 TrafficKeyEarlyData,
23 TrafficKeyHandshake,
24 TrafficKeyApplicationData
25 } TrafficKeyType;
26
27 typedef enum {
28 InstallCipherSpecRead,
29 InstallCipherSpecWrite,
30 InstallCipherSpecBoth
31 } InstallCipherSpecDirection;
32
33 #define MAX_FINISHED_SIZE 64
34
35 static SECStatus tls13_InitializeHandshakeEncryption(sslSocket *ss);
36 static SECStatus tls13_InstallCipherSpec(
37 sslSocket *ss, InstallCipherSpecDirection direction);
38 static SECStatus tls13_InitCipherSpec(
39 sslSocket *ss, TrafficKeyType type, InstallCipherSpecDirection install);
40 static SECStatus tls13_AESGCM(
41 ssl3KeyMaterial *keys,
42 PRBool doDecrypt,
43 unsigned char *out, int *outlen, int maxout,
44 const unsigned char *in, int inlen,
45 const unsigned char *additionalData, int additionalDataLen);
46 static SECStatus tls13_SendEncryptedExtensions(sslSocket *ss);
47 static SECStatus tls13_HandleEncryptedExtensions(sslSocket *ss, SSL3Opaque *b,
48 PRUint32 length);
49 static SECStatus tls13_HandleCertificate(
50 sslSocket *ss, SSL3Opaque *b, PRUint32 length);
51 static SECStatus tls13_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b,
52 PRUint32 length);
53 static SECStatus tls13_HandleCertificateStatus(sslSocket *ss, SSL3Opaque *b,
54 PRUint32 length);
55 static SECStatus tls13_HandleCertificateVerify(
56 sslSocket *ss, SSL3Opaque *b, PRUint32 length,
57 SSL3Hashes *hashes);
58 static SECStatus tls13_HkdfExtractSharedKey(sslSocket *ss, PK11SymKey *key,
59 SharedSecretType keyType);
60 static SECStatus tls13_SendFinished(sslSocket *ss);
61 static SECStatus tls13_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 len gth,
62 const SSL3Hashes *hashes);
63 static SECStatus tls13_HandleNewSessionTicket(sslSocket *ss, SSL3Opaque *b,
64 PRUint32 length);
65 static SECStatus tls13_ComputeSecrets1(sslSocket *ss);
66 static SECStatus tls13_ComputeFinished(
67 sslSocket *ss, const SSL3Hashes *hashes,
68 PRBool sending,
69 PRUint8 *output, unsigned int *outputLen,
70 unsigned int maxOutputLen);
71 static SECStatus tls13_SendClientSecondRound(sslSocket *ss);
72 static SECStatus tls13_FinishHandshake(sslSocket *ss);
73
74 const char kHkdfLabelExpandedSs[] = "expanded static secret";
75 const char kHkdfLabelExpandedEs[] = "expanded ephemeral secret";
76 const char kHkdfLabelMasterSecret[] = "master secret";
77 const char kHkdfLabelTrafficSecret[] = "traffic secret";
78 const char kHkdfLabelClientFinishedSecret[] = "client finished";
79 const char kHkdfLabelServerFinishedSecret[] = "server finished";
80 const char kHkdfLabelResumptionMasterSecret[] = "resumption master secret";
81 const char kHkdfLabelExporterMasterSecret[] = "exporter master secret";
82 const char kHkdfPhaseEarlyHandshakeDataKeys[] = "early handshake key expansion";
83 const char kHkdfPhaseEarlyApplicationDataKeys[] = "early application data key ex pansion";
84 const char kHkdfPhaseHandshakeKeys[] = "handshake key expansion";
85 const char kHkdfPhaseApplicationDataKeys[] = "application data key expansion";
86 const char kHkdfPurposeClientWriteKey[] = "client write key";
87 const char kHkdfPurposeServerWriteKey[] = "server write key";
88 const char kHkdfPurposeClientWriteIv[] = "client write iv";
89 const char kHkdfPurposeServerWriteIv[] = "server write iv";
90 const char kClientFinishedLabel[] = "client finished";
91 const char kServerFinishedLabel[] = "server finished";
92
93 const SSL3ProtocolVersion kRecordVersion = 0x0301U;
94
95 #define FATAL_ERROR(ss, prError, desc) \
96 do { \
97 SSL_TRC(3, ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)", \
98 SSL_GETPID(), ss->fd, prError, __func__, __FILE__, __LINE__) ); \
99 tls13_FatalError(ss, prError, desc); \
100 } while (0)
101
102 #define UNIMPLEMENTED() \
103 do { \
104 SSL_TRC(3, ("%d: TLS13[%d]: unimplemented feature in %s (%s:%d)", \
105 SSL_GETPID(), ss->fd, __func__, __FILE__, __LINE__)); \
106 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); \
107 PORT_Assert(0); \
108 return SECFailure; \
109 } while (0)
110
111 void
112 tls13_FatalError(sslSocket *ss, PRErrorCode prError, SSL3AlertDescription desc)
113 {
114 PORT_Assert(desc != internal_error); /* These should never happen */
115 (void)SSL3_SendAlert(ss, alert_fatal, desc);
116 PORT_SetError(prError);
117 }
118
119 #ifdef TRACE
120 #define STATE_CASE(a) \
121 case a: \
122 return #a
123 static char *
124 tls13_HandshakeState(SSL3WaitState st)
125 {
126 switch (st) {
127 STATE_CASE(wait_client_hello);
128 STATE_CASE(wait_client_cert);
129 STATE_CASE(wait_cert_verify);
130 STATE_CASE(wait_finished);
131 STATE_CASE(wait_server_hello);
132 STATE_CASE(wait_certificate_status);
133 STATE_CASE(wait_server_cert);
134 STATE_CASE(wait_cert_request);
135 STATE_CASE(wait_encrypted_extensions);
136 STATE_CASE(idle_handshake);
137 default:
138 break;
139 }
140 PORT_Assert(0);
141 return "unknown";
142 }
143 #endif
144
145 #define TLS13_WAIT_STATE_MASK 0x80
146
147 #define TLS13_BASE_WAIT_STATE(ws) (ws & ~TLS13_WAIT_STATE_MASK)
148 /* We don't mask idle_handshake because other parts of the code use it*/
149 #define TLS13_WAIT_STATE(ws) (ws == idle_handshake ? ws : ws | TLS13_WAIT_STATE_ MASK)
150 #define TLS13_CHECK_HS_STATE(ss, err, ...) \
151 tls13_CheckHsState(ss, err, #err, __func__, __FILE__, __LINE__, \
152 __VA_ARGS__, \
153 wait_invalid)
154 void
155 tls13_SetHsState(sslSocket *ss, SSL3WaitState ws,
156 const char *func, const char *file, int line)
157 {
158 #ifdef TRACE
159 const char *new_state_name =
160 tls13_HandshakeState(ws);
161
162 SSL_TRC(3, ("%d: TLS13[%d]: state change from %s->%s in %s (%s:%d)",
163 SSL_GETPID(), ss->fd,
164 tls13_HandshakeState(TLS13_BASE_WAIT_STATE(ss->ssl3.hs.ws)),
165 new_state_name,
166 func, file, line));
167 #endif
168
169 ss->ssl3.hs.ws = TLS13_WAIT_STATE(ws);
170 }
171
172 static PRBool
173 tls13_InHsStateV(sslSocket *ss, va_list ap)
174 {
175 SSL3WaitState ws;
176
177 while ((ws = va_arg(ap, SSL3WaitState)) != wait_invalid) {
178 if (ws == TLS13_BASE_WAIT_STATE(ss->ssl3.hs.ws)) {
179 return PR_TRUE;
180 }
181 }
182 return PR_FALSE;
183 }
184
185 PRBool
186 tls13_InHsState(sslSocket *ss, ...)
187 {
188 PRBool found;
189 va_list ap;
190
191 va_start(ap, ss);
192 found = tls13_InHsStateV(ss, ap);
193 va_end(ap);
194
195 return found;
196 }
197
198 static SECStatus
199 tls13_CheckHsState(sslSocket *ss, int err, const char *error_name,
200 const char *func, const char *file, int line,
201 ...)
202 {
203 va_list ap;
204 va_start(ap, line);
205 if (tls13_InHsStateV(ss, ap)) {
206 va_end(ap);
207 return SECSuccess;
208 }
209 va_end(ap);
210
211 SSL_TRC(3, ("%d: TLS13[%d]: error %s state is (%s) at %s (%s:%d)",
212 SSL_GETPID(), ss->fd,
213 error_name,
214 tls13_HandshakeState(TLS13_BASE_WAIT_STATE(ss->ssl3.hs.ws)),
215 func, file, line));
216 tls13_FatalError(ss, err, unexpected_message);
217 return SECFailure;
218 }
219
220 SSLHashType
221 tls13_GetHash(sslSocket *ss)
222 {
223 /* TODO(ekr@rtfm.com): This needs to actually be looked up. */
224 return ssl_hash_sha256;
225 }
226
227 CK_MECHANISM_TYPE
228 tls13_GetHkdfMechanism(sslSocket *ss)
229 {
230 /* TODO(ekr@rtfm.com): This needs to actually be looked up. */
231 return CKM_NSS_HKDF_SHA256;
232 }
233
234 static CK_MECHANISM_TYPE
235 tls13_GetHmacMechanism(sslSocket *ss)
236 {
237 /* TODO(ekr@rtfm.com): This needs to actually be looked up. */
238 return CKM_SHA256_HMAC;
239 }
240
241 /*
242 * Called from ssl3_SendClientHello
243 */
244 SECStatus
245 tls13_SetupClientHello(sslSocket *ss)
246 {
247 SECStatus rv;
248 /* TODO(ekr@rtfm.com): Handle multiple curves here. */
249 ECName curves_to_try[] = { ec_secp256r1 };
250
251 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
252 PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
253
254 PORT_Assert(!ss->ephemeralECDHKeyPair);
255
256 rv = ssl3_CreateECDHEphemeralKeyPair(curves_to_try[0],
257 &ss->ephemeralECDHKeyPair);
258 if (rv != SECSuccess)
259 return rv;
260
261 return SECSuccess;
262 }
263
264 static SECStatus
265 tls13_HandleECDHEKeyShare(sslSocket *ss,
266 TLS13KeyShareEntry *entry,
267 SECKEYPrivateKey *privKey,
268 SharedSecretType type)
269 {
270 SECStatus rv;
271 SECKEYPublicKey *peerKey;
272 PK11SymKey *shared;
273
274 peerKey = tls13_ImportECDHKeyShare(ss, entry->key_exchange.data,
275 entry->key_exchange.len,
276 entry->group);
277 if (!peerKey)
278 return SECFailure; /* Error code set already. */
279
280 /* Compute shared key. */
281 shared = tls13_ComputeECDHSharedKey(ss, privKey, peerKey);
282 SECKEY_DestroyPublicKey(peerKey);
283 if (!shared) {
284 return SECFailure; /* Error code set already. */
285 }
286
287 /* Extract key. */
288 rv = tls13_HkdfExtractSharedKey(ss, shared, type);
289 PK11_FreeSymKey(shared);
290
291 return rv;
292 }
293
294 SECStatus
295 tls13_HandlePostHelloHandshakeMessage(sslSocket *ss, SSL3Opaque *b,
296 PRUint32 length, SSL3Hashes *hashesPtr)
297 {
298 /* TODO(ekr@rtfm.com): Would it be better to check all the states here? */
299 switch (ss->ssl3.hs.msg_type) {
300 case certificate:
301 return tls13_HandleCertificate(ss, b, length);
302
303 case certificate_status:
304 return tls13_HandleCertificateStatus(ss, b, length);
305
306 case certificate_request:
307 return tls13_HandleCertificateRequest(ss, b, length);
308
309 case certificate_verify:
310 return tls13_HandleCertificateVerify(ss, b, length, hashesPtr);
311
312 case encrypted_extensions:
313 return tls13_HandleEncryptedExtensions(ss, b, length);
314
315 case new_session_ticket:
316 return tls13_HandleNewSessionTicket(ss, b, length);
317
318 case finished:
319 return tls13_HandleFinished(ss, b, length, hashesPtr);
320
321 default:
322 FATAL_ERROR(ss, SSL_ERROR_RX_UNKNOWN_HANDSHAKE, unexpected_message);
323 return SECFailure;
324 }
325
326 PORT_Assert(0); /* Unreached */
327 return SECFailure;
328 }
329
330 /* Called from ssl3_HandleClientHello.
331 *
332 * Caller must hold Handshake and RecvBuf locks.
333 */
334 SECStatus
335 tls13_HandleClientKeyShare(sslSocket *ss)
336 {
337 ECName expectedGroup;
338 SECStatus rv;
339 TLS13KeyShareEntry *found = NULL;
340 PRCList *cur_p;
341
342 SSL_TRC(3, ("%d: TLS13[%d]: handle client_key_share handshake",
343 SSL_GETPID(), ss->fd));
344
345 PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss));
346 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
347
348 rv = ssl3_SetupPendingCipherSpec(ss);
349 if (rv != SECSuccess)
350 return SECFailure; /* Error code set below */
351
352 /* Figure out what group we expect */
353 switch (ss->ssl3.hs.kea_def->exchKeyType) {
354 #ifndef NSS_DISABLE_ECC
355 case ssl_kea_ecdh:
356 expectedGroup = ssl3_GetCurveNameForServerSocket(ss);
357 if (!expectedGroup) {
358 FATAL_ERROR(ss, SSL_ERROR_NO_CYPHER_OVERLAP,
359 handshake_failure);
360 return SECFailure;
361 }
362 break;
363 #endif
364 default:
365 /* Got an unknown or unsupported Key Exchange Algorithm.
366 * Can't happen. */
367 FATAL_ERROR(ss, SEC_ERROR_UNSUPPORTED_KEYALG,
368 internal_error);
369 return SECFailure;
370 }
371
372 /* Now walk through the keys until we find one for our group */
373 cur_p = PR_NEXT_LINK(&ss->ssl3.hs.remoteKeyShares);
374 while (cur_p != &ss->ssl3.hs.remoteKeyShares) {
375 TLS13KeyShareEntry *offer = (TLS13KeyShareEntry *)cur_p;
376
377 if (offer->group == expectedGroup) {
378 found = offer;
379 break;
380 }
381 cur_p = PR_NEXT_LINK(cur_p);
382 }
383
384 if (!found) {
385 /* No acceptable group. In future, we will need to correct the client.
386 * Currently just generate an error.
387 * TODO(ekr@rtfm.com): Write code to correct client.
388 */
389 FATAL_ERROR(ss, SSL_ERROR_NO_CYPHER_OVERLAP, handshake_failure);
390 return SECFailure;
391 }
392
393 /* Generate our key */
394 rv = ssl3_CreateECDHEphemeralKeyPair(expectedGroup, &ss->ephemeralECDHKeyPai r);
395 if (rv != SECSuccess)
396 return rv;
397
398 ss->sec.keaType = ss->ssl3.hs.kea_def->exchKeyType;
399 ss->sec.keaKeyBits = SECKEY_PublicKeyStrengthInBits(
400 ss->ephemeralECDHKeyPair->pubKey);
401
402 /* Register the sender */
403 rv = ssl3_RegisterServerHelloExtensionSender(ss, ssl_tls13_key_share_xtn,
404 tls13_ServerSendKeyShareXtn);
405 if (rv != SECSuccess)
406 return SECFailure; /* Error code set below */
407
408 rv = tls13_HandleECDHEKeyShare(ss, found,
409 ss->ephemeralECDHKeyPair->privKey,
410 EphemeralSharedSecret);
411 if (rv != SECSuccess)
412 return SECFailure; /* Error code set below */
413
414 return SECSuccess;
415 }
416
417 /*
418 * [draft-ietf-tls-tls13-11] Section 6.3.3.2
419 *
420 * opaque DistinguishedName<1..2^16-1>;
421 *
422 * struct {
423 * opaque certificate_extension_oid<1..2^8-1>;
424 * opaque certificate_extension_values<0..2^16-1>;
425 * } CertificateExtension;
426 *
427 * struct {
428 * opaque certificate_request_context<0..2^8-1>;
429 * SignatureAndHashAlgorithm
430 * supported_signature_algorithms<2..2^16-2>;
431 * DistinguishedName certificate_authorities<0..2^16-1>;
432 * CertificateExtension certificate_extensions<0..2^16-1>;
433 * } CertificateRequest;
434 */
435 static SECStatus
436 tls13_SendCertificateRequest(sslSocket *ss)
437 {
438 SECStatus rv;
439 int calen;
440 SECItem *names;
441 int nnames;
442 SECItem *name;
443 int i;
444 PRUint8 sigAlgs[MAX_SIGNATURE_ALGORITHMS * 2];
445 unsigned int sigAlgsLength = 0;
446 int length;
447
448 SSL_TRC(3, ("%d: TLS13[%d]: begin send certificate_request",
449 SSL_GETPID(), ss->fd));
450
451 /* Fixed context value. */
452 ss->ssl3.hs.certReqContext[0] = 0;
453 ss->ssl3.hs.certReqContextLen = 1;
454
455 rv = ssl3_EncodeCertificateRequestSigAlgs(ss, sigAlgs, sizeof(sigAlgs),
456 &sigAlgsLength);
457 if (rv != SECSuccess) {
458 return rv;
459 }
460
461 ssl3_GetCertificateRequestCAs(ss, &calen, &names, &nnames);
462 length = 1 + ss->ssl3.hs.certReqContextLen +
463 2 + sigAlgsLength + 2 + calen + 2;
464
465 rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length);
466 if (rv != SECSuccess) {
467 return rv; /* err set by AppendHandshake. */
468 }
469 rv = ssl3_AppendHandshakeVariable(ss, ss->ssl3.hs.certReqContext,
470 ss->ssl3.hs.certReqContextLen, 1);
471 if (rv != SECSuccess) {
472 return rv; /* err set by AppendHandshake. */
473 }
474 rv = ssl3_AppendHandshakeVariable(ss, sigAlgs, sigAlgsLength, 2);
475 if (rv != SECSuccess) {
476 return rv; /* err set by AppendHandshake. */
477 }
478 rv = ssl3_AppendHandshakeNumber(ss, calen, 2);
479 if (rv != SECSuccess) {
480 return rv; /* err set by AppendHandshake. */
481 }
482 for (i = 0, name = names; i < nnames; i++, name++) {
483 rv = ssl3_AppendHandshakeVariable(ss, name->data, name->len, 2);
484 if (rv != SECSuccess) {
485 return rv; /* err set by AppendHandshake. */
486 }
487 }
488 rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
489 if (rv != SECSuccess) {
490 return rv; /* err set by AppendHandshake. */
491 }
492
493 return SECSuccess;
494 }
495
496 static SECStatus
497 tls13_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
498 {
499 SECStatus rv;
500 SECItem context = { siBuffer, NULL, 0 };
501 SECItem algorithms = { siBuffer, NULL, 0 };
502 PLArenaPool *arena;
503 CERTDistNames ca_list;
504 PRInt32 extensionsLength;
505
506 SSL_TRC(3, ("%d: TLS13[%d]: handle certificate_request sequence",
507 SSL_GETPID(), ss->fd));
508
509 PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss));
510 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
511
512 /* Client */
513 rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST, wait_cer t_request);
514 if (rv != SECSuccess) {
515 return SECFailure;
516 }
517
518 PORT_Assert(ss->ssl3.clientCertChain == NULL);
519 PORT_Assert(ss->ssl3.clientCertificate == NULL);
520 PORT_Assert(ss->ssl3.clientPrivateKey == NULL);
521
522 rv = ssl3_ConsumeHandshakeVariable(ss, &context, 1, &b, &length);
523 if (rv != SECSuccess)
524 return SECFailure;
525 PORT_Assert(sizeof(ss->ssl3.hs.certReqContext) == 255);
526 PORT_Memcpy(ss->ssl3.hs.certReqContext, context.data, context.len);
527 ss->ssl3.hs.certReqContextLen = context.len;
528
529 rv = ssl3_ConsumeHandshakeVariable(ss, &algorithms, 2, &b, &length);
530 if (rv != SECSuccess)
531 return SECFailure;
532
533 if (algorithms.len == 0 || (algorithms.len & 1) != 0) {
534 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERT_REQUEST,
535 illegal_parameter);
536 return SECFailure;
537 }
538
539 arena = ca_list.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
540 if (!arena) {
541 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);
542 return SECFailure;
543 }
544
545 rv = ssl3_ParseCertificateRequestCAs(ss, &b, &length, arena, &ca_list);
546 if (rv != SECSuccess)
547 goto loser; /* alert sent below */
548
549 /* Verify that the extensions length is correct. */
550 extensionsLength = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
551 if (extensionsLength < 0) {
552 goto loser; /* alert sent below */
553 }
554 if (extensionsLength != length) {
555 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERT_REQUEST,
556 illegal_parameter);
557 goto loser;
558 }
559
560 TLS13_SET_HS_STATE(ss, wait_server_cert);
561
562 rv = ssl3_CompleteHandleCertificateRequest(ss, &algorithms, &ca_list);
563 if (rv != SECSuccess) {
564 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);
565 goto loser;
566 }
567
568 return SECSuccess;
569
570 loser:
571 PORT_FreeArena(arena, PR_FALSE);
572 return SECFailure;
573 }
574
575 static SECStatus
576 tls13_InitializeHandshakeEncryption(sslSocket *ss)
577 {
578 SECStatus rv;
579
580 /* For all present cipher suites, SS = ES.
581 * TODO(ekr@rtfm.com): Revisit for 0-RTT. */
582 ss->ssl3.hs.xSS = PK11_ReferenceSymKey(ss->ssl3.hs.xES);
583 if (!ss->ssl3.hs.xSS) {
584 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);
585 return SECFailure;
586 }
587
588 rv = tls13_InitCipherSpec(ss, TrafficKeyHandshake,
589 InstallCipherSpecBoth);
590 if (rv != SECSuccess) {
591 FATAL_ERROR(ss, SSL_ERROR_INIT_CIPHER_SUITE_FAILURE, internal_error);
592 return SECFailure;
593 }
594
595 return rv;
596 }
597
598 /* Called from: ssl3_HandleClientHello */
599 SECStatus
600 tls13_SendServerHelloSequence(sslSocket *ss)
601 {
602 SECStatus rv;
603 SSL3KEAType certIndex;
604
605 SSL_TRC(3, ("%d: TLS13[%d]: begin send server_hello sequence",
606 SSL_GETPID(), ss->fd));
607
608 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
609 PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
610
611 rv = ssl3_SendServerHello(ss);
612 if (rv != SECSuccess) {
613 return rv; /* err code is set. */
614 }
615
616 rv = tls13_InitializeHandshakeEncryption(ss);
617 if (rv != SECSuccess) {
618 return SECFailure; /* error code is set. */
619 }
620
621 rv = tls13_SendEncryptedExtensions(ss);
622 if (rv != SECSuccess) {
623 return SECFailure; /* error code is set. */
624 }
625
626 if (ss->opt.requestCertificate) {
627 rv = tls13_SendCertificateRequest(ss);
628 if (rv != SECSuccess) {
629 return SECFailure; /* error code is set. */
630 }
631 }
632 rv = ssl3_SendCertificate(ss);
633 if (rv != SECSuccess) {
634 return SECFailure; /* error code is set. */
635 }
636 rv = ssl3_SendCertificateStatus(ss);
637 if (rv != SECSuccess) {
638 return SECFailure; /* error code is set. */
639 }
640
641 /* This was copied from: ssl3_SendCertificate.
642 * TODO(ekr@rtfm.com): Verify that this selection logic is correct.
643 * Bug 1237514.
644 */
645 if ((ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) ||
646 (ss->ssl3.hs.kea_def->kea == kea_dhe_rsa)) {
647 certIndex = kt_rsa;
648 } else {
649 certIndex = ss->ssl3.hs.kea_def->exchKeyType;
650 }
651 rv = ssl3_SendCertificateVerify(ss, ss->serverCerts[certIndex].SERVERKEY);
652 if (rv != SECSuccess) {
653 return rv; /* err code is set. */
654 }
655
656 /* Compute the rest of the secrets except for the resumption
657 * and exporter secret. */
658 rv = tls13_ComputeSecrets1(ss);
659 if (rv != SECSuccess) {
660 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);
661 return SECFailure;
662 }
663
664 rv = tls13_SendFinished(ss);
665 if (rv != SECSuccess) {
666 return rv; /* error code is set. */
667 }
668
669 TLS13_SET_HS_STATE(ss, ss->opt.requestCertificate ? wait_client_cert
670 : wait_finished);
671
672 return SECSuccess;
673 }
674
675 /*
676 * Called from ssl3_HandleServerHello.
677 *
678 * Caller must hold Handshake and RecvBuf locks.
679 */
680 SECStatus
681 tls13_HandleServerKeyShare(sslSocket *ss)
682 {
683 SECStatus rv;
684 ECName expectedGroup;
685 PRCList *cur_p;
686 TLS13KeyShareEntry *entry;
687
688 SSL_TRC(3, ("%d: TLS13[%d]: handle server_key_share handshake",
689 SSL_GETPID(), ss->fd));
690 PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss));
691 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
692
693 switch (ss->ssl3.hs.kea_def->exchKeyType) {
694 #ifndef NSS_DISABLE_ECC
695 case ssl_kea_ecdh:
696 expectedGroup = ssl3_PubKey2ECName(ss->ephemeralECDHKeyPair->pubKey) ;
697 break;
698 #endif /* NSS_DISABLE_ECC */
699 default:
700 FATAL_ERROR(ss, SEC_ERROR_UNSUPPORTED_KEYALG, handshake_failure);
701 return SECFailure;
702 }
703
704 /* This list should have one entry. */
705 cur_p = PR_NEXT_LINK(&ss->ssl3.hs.remoteKeyShares);
706 if (!cur_p) {
707 FATAL_ERROR(ss, SSL_ERROR_MISSING_KEY_SHARE, missing_extension);
708 return SECFailure;
709 }
710 PORT_Assert(PR_NEXT_LINK(cur_p) == &ss->ssl3.hs.remoteKeyShares);
711
712 entry = (TLS13KeyShareEntry *)cur_p;
713 if (entry->group != expectedGroup) {
714 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_KEY_SHARE, illegal_parameter);
715 return SECFailure;
716 }
717
718 rv = tls13_HandleECDHEKeyShare(ss, entry,
719 ss->ephemeralECDHKeyPair->privKey,
720 EphemeralSharedSecret);
721
722 ss->sec.keaType = ss->ssl3.hs.kea_def->exchKeyType;
723 ss->sec.keaKeyBits = SECKEY_PublicKeyStrengthInBits(
724 ss->ephemeralECDHKeyPair->pubKey);
725
726 if (rv != SECSuccess)
727 return SECFailure; /* Error code set below */
728
729 return tls13_InitializeHandshakeEncryption(ss);
730 }
731
732 /* Called from tls13_CompleteHandleHandshakeMessage() when it has deciphered a c omplete
733 * tls13 Certificate message.
734 * Caller must hold Handshake and RecvBuf locks.
735 */
736 static SECStatus
737 tls13_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
738 {
739 SECStatus rv;
740 SECItem context = { siBuffer, NULL, 0 };
741
742 SSL_TRC(3, ("%d: TLS13[%d]: handle certificate handshake",
743 SSL_GETPID(), ss->fd));
744 PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss));
745 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
746
747 if (ss->sec.isServer) {
748 rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERTIFICATE,
749 wait_client_cert);
750 } else {
751 rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERTIFICATE,
752 wait_cert_request, wait_server_cert);
753 }
754 if (rv != SECSuccess)
755 return SECFailure;
756
757 /* Process the context string */
758 rv = ssl3_ConsumeHandshakeVariable(ss, &context, 1, &b, &length);
759 if (rv != SECSuccess)
760 return SECFailure;
761 if (!ss->sec.isServer) {
762 if (context.len) {
763 /* The server's context string MUST be empty */
764 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE,
765 illegal_parameter);
766 return SECFailure;
767 }
768 } else {
769 if (!context.len || context.len != ss->ssl3.hs.certReqContextLen ||
770 (NSS_SecureMemcmp(ss->ssl3.hs.certReqContext,
771 context.data, context.len) != 0)) {
772 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE,
773 illegal_parameter);
774 return SECFailure;
775 }
776 context.len = 0; /* Belt and suspenders. Zero out the context. */
777 }
778
779 return ssl3_CompleteHandleCertificate(ss, b, length);
780 }
781
782 /* Called from tls13_CompleteHandleHandshakeMessage() when it has deciphered a c omplete
783 * ssl3 CertificateStatus message.
784 * Caller must hold Handshake and RecvBuf locks.
785 */
786 static SECStatus
787 tls13_HandleCertificateStatus(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
788 {
789 SECStatus rv;
790
791 rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERT_STATUS,
792 wait_certificate_status);
793 if (rv != SECSuccess)
794 return rv;
795
796 return ssl3_CompleteHandleCertificateStatus(ss, b, length);
797 }
798
799 /*
800 * TODO(ekr@rtfm.com): This install logic needs renaming since it's
801 * what happens at various stages of cipher spec setup. Legacy from ssl3con.c.
802 */
803 int
804 tls13_InstallCipherSpec(sslSocket *ss, InstallCipherSpecDirection direction)
805 {
806 SSL_TRC(3, ("%d: TLS13[%d]: Installing new cipher specs direction = %s",
807 SSL_GETPID(), ss->fd,
808 direction == InstallCipherSpecRead ? "read" : "write"));
809
810 PORT_Assert(!IS_DTLS(ss)); /* TODO(ekr@rtfm.com): Update for DTLS */
811 /* TODO(ekr@rtfm.com): Holddown timer for DTLS. */
812 ssl_GetSpecWriteLock(ss); /**************************************/
813
814 /* Flush out any old stuff in the handshake buffers */
815 switch (direction) {
816 case InstallCipherSpecWrite: {
817 ssl3CipherSpec *pwSpec;
818 pwSpec = ss->ssl3.pwSpec;
819
820 ss->ssl3.pwSpec = ss->ssl3.cwSpec;
821 ss->ssl3.cwSpec = pwSpec;
822 break;
823 } break;
824 case InstallCipherSpecRead: {
825 ssl3CipherSpec *prSpec;
826
827 prSpec = ss->ssl3.prSpec;
828 ss->ssl3.prSpec = ss->ssl3.crSpec;
829 ss->ssl3.crSpec = prSpec;
830 } break;
831 default:
832 PORT_Assert(0);
833 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
834 ssl_ReleaseSpecWriteLock(ss); /************************************* */
835 return SECFailure;
836 }
837
838 /* If we are really through with the old cipher prSpec
839 * (Both the read and write sides have changed) destroy it.
840 */
841 if (ss->ssl3.prSpec == ss->ssl3.pwSpec) {
842 ssl3_DestroyCipherSpec(ss->ssl3.prSpec, PR_FALSE /*freeSrvName*/);
843 }
844 ssl_ReleaseSpecWriteLock(ss); /**************************************/
845
846 return SECSuccess;
847 }
848
849 /* Add context to the hash functions as described in
850 [draft-ietf-tls-tls13; Section 4.9.1] */
851 SECStatus
852 tls13_AddContextToHashes(sslSocket *ss, SSL3Hashes *hashes /* IN/OUT */,
853 SSLHashType algorithm, PRBool sending)
854 {
855 SECStatus rv = SECSuccess;
856 PK11Context *ctx;
857 const unsigned char context_padding[] = {
858 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
859 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
860 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
861 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
862 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
863 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
864 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
865 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
866 };
867 const char *client_cert_verify_string = "TLS 1.3, client CertificateVerify";
868 const char *server_cert_verify_string = "TLS 1.3, server CertificateVerify";
869 const char *context_string = (sending ^ ss->sec.isServer) ? client_cert_veri fy_string
870 : server_cert_veri fy_string;
871 unsigned int hashlength;
872
873 /* Double check that we are doing SHA-256 for the handshake hash.*/
874 PORT_Assert(hashes->hashAlg == ssl_hash_sha256);
875 if (hashes->hashAlg != ssl_hash_sha256) {
876 PORT_SetError(SEC_ERROR_INVALID_ARGS);
877 goto loser;
878 }
879 PORT_Assert(hashes->len == 32);
880
881 ctx = PK11_CreateDigestContext(ssl3_TLSHashAlgorithmToOID(algorithm));
882 if (!ctx) {
883 PORT_SetError(SEC_ERROR_NO_MEMORY);
884 goto loser;
885 }
886
887 PORT_Assert(SECFailure);
888 PORT_Assert(!SECSuccess);
889
890 rv |= PK11_DigestBegin(ctx);
891 rv |= PK11_DigestOp(ctx, context_padding, sizeof(context_padding));
892 rv |= PK11_DigestOp(ctx, (unsigned char *)context_string,
893 strlen(context_string) + 1); /* +1 includes the terminat ing 0 */
894 rv |= PK11_DigestOp(ctx, hashes->u.raw, hashes->len);
895 /* Update the hash in-place */
896 rv |= PK11_DigestFinal(ctx, hashes->u.raw, &hashlength, sizeof(hashes->u.raw ));
897 PK11_DestroyContext(ctx, PR_TRUE);
898 PRINT_BUF(90, (NULL, "TLS 1.3 hash with context", hashes->u.raw, hashlength) );
899
900 hashes->len = hashlength;
901 hashes->hashAlg = algorithm;
902
903 if (rv) {
904 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
905 goto loser;
906 }
907 return SECSuccess;
908
909 loser:
910 return SECFailure;
911 }
912
913 static SECStatus
914 tls13_HkdfExtractSharedKey(sslSocket *ss, PK11SymKey *key,
915 SharedSecretType keyType)
916 {
917 PK11SymKey **destp;
918
919 switch (keyType) {
920 case EphemeralSharedSecret:
921 destp = &ss->ssl3.hs.xES;
922 break;
923 case StaticSharedSecret:
924 destp = &ss->ssl3.hs.xSS;
925 break;
926 default:
927 PORT_Assert(0);
928 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
929 return SECFailure;
930 }
931
932 PORT_Assert(!*destp);
933 return tls13_HkdfExtract(NULL, key, tls13_GetHash(ss), destp);
934 }
935
936 static SECStatus
937 tls13_DeriveTrafficKeys(sslSocket *ss, ssl3CipherSpec *pwSpec,
938 TrafficKeyType type)
939 {
940 size_t keySize = pwSpec->cipher_def->key_size;
941 size_t ivSize = pwSpec->cipher_def->iv_size +
942 pwSpec->cipher_def->explicit_nonce_size; /* This isn't alway s going to
943 * work, but it doe s for
944 * AES-GCM */
945 CK_MECHANISM_TYPE bulkAlgorithm = ssl3_Alg2Mech(pwSpec->cipher_def->calg);
946 SSL3Hashes hashes;
947 PK11SymKey *prk = NULL;
948 const char *phase;
949 char label[256]; /* Arbitrary buffer large enough to hold the label */
950 SECStatus rv;
951
952 #define FORMAT_LABEL(phase_, purpose_) \
953 do { \
954 PRUint32 n = PR_snprintf(label, sizeof(label), "%s, %s", phase_, purpose _); \
955 /* Check for getting close. */ \
956 if ((n + 1) >= sizeof(label)) { \
957 PORT_Assert(0); \
958 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); \
959 goto loser; \
960 } \
961 } while (0)
962 #define EXPAND_TRAFFIC_KEY(purpose_, target_) \
963 do { \
964 FORMAT_LABEL(phase, purpose_); \
965 rv = tls13_HkdfExpandLabel(prk, tls13_GetHash(ss), \
966 hashes.u.raw, hashes.len, \
967 label, strlen(label), \
968 bulkAlgorithm, keySize, &pwSpec->target_); \
969 if (rv != SECSuccess) { \
970 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); \
971 PORT_Assert(0); \
972 goto loser; \
973 } \
974 } while (0)
975
976 #define EXPAND_TRAFFIC_IV(purpose_, target_) \
977 do { \
978 FORMAT_LABEL(phase, purpose_); \
979 rv = tls13_HkdfExpandLabelRaw(prk, tls13_GetHash(ss), \
980 hashes.u.raw, hashes.len, \
981 label, strlen(label), \
982 pwSpec->target_, ivSize); \
983 if (rv != SECSuccess) { \
984 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); \
985 PORT_Assert(0); \
986 goto loser; \
987 } \
988 } while (0)
989
990 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
991 PORT_Assert(ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
992 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
993
994 rv = ssl3_ComputeHandshakeHashes(ss, pwSpec, &hashes, 0);
995 if (rv != SECSuccess) {
996 PORT_Assert(0); /* Should never fail */
997 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
998 return SECFailure;
999 }
1000 PRINT_BUF(60, (ss, "Deriving traffic keys. Session hash=", hashes.u.raw,
1001 hashes.len));
1002
1003 switch (type) {
1004 case TrafficKeyHandshake:
1005 phase = kHkdfPhaseHandshakeKeys;
1006 prk = ss->ssl3.hs.xES;
1007 break;
1008 case TrafficKeyApplicationData:
1009 phase = kHkdfPhaseApplicationDataKeys;
1010 prk = ss->ssl3.hs.trafficSecret;
1011 break;
1012 default:
1013 PORT_Assert(0);
1014 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1015 return SECFailure;
1016 }
1017 PORT_Assert(prk != NULL);
1018
1019 SSL_TRC(3, ("%d: TLS13[%d]: deriving traffic keys phase='%s'",
1020 SSL_GETPID(), ss->fd, phase));
1021
1022 EXPAND_TRAFFIC_KEY(kHkdfPurposeClientWriteKey, client.write_key);
1023 EXPAND_TRAFFIC_KEY(kHkdfPurposeServerWriteKey, server.write_key);
1024 EXPAND_TRAFFIC_IV(kHkdfPurposeClientWriteIv, client.write_iv);
1025 EXPAND_TRAFFIC_IV(kHkdfPurposeServerWriteIv, server.write_iv);
1026
1027 return SECSuccess;
1028
1029 loser:
1030 return SECFailure;
1031 }
1032
1033 /* Set up a cipher spec with keys. If install is nonzero, then also install
1034 * it as the current cipher spec for each value in the mask. */
1035 SECStatus
1036 tls13_InitCipherSpec(sslSocket *ss, TrafficKeyType type, InstallCipherSpecDirect ion install)
1037 {
1038 ssl3CipherSpec *pwSpec;
1039 ssl3CipherSpec *cwSpec;
1040 SECStatus rv;
1041 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
1042
1043 if (install == InstallCipherSpecWrite ||
1044 install == InstallCipherSpecBoth) {
1045 ssl_GetXmitBufLock(ss);
1046
1047 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
1048 ssl_ReleaseXmitBufLock(ss);
1049 if (rv != SECSuccess) {
1050 goto loser;
1051 }
1052 }
1053
1054 ssl_GetSpecWriteLock(ss); /**************************************/
1055
1056 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
1057
1058 pwSpec = ss->ssl3.pwSpec;
1059 cwSpec = ss->ssl3.cwSpec;
1060
1061 switch (pwSpec->cipher_def->calg) {
1062 case calg_aes_gcm:
1063 pwSpec->aead = tls13_AESGCM;
1064 break;
1065 default:
1066 PORT_Assert(0);
1067 goto loser;
1068 break;
1069 }
1070
1071 /* Generic behaviors -- common to all crypto methods */
1072 if (!IS_DTLS(ss)) {
1073 pwSpec->read_seq_num.high = pwSpec->write_seq_num.high = 0;
1074 } else {
1075 if (cwSpec->epoch == PR_UINT16_MAX) {
1076 /* The problem here is that we have rehandshaked too many
1077 * times (you are not allowed to wrap the epoch). The
1078 * spec says you should be discarding the connection
1079 * and start over, so not much we can do here. */
1080 rv = SECFailure;
1081 goto loser;
1082 }
1083 /* The sequence number has the high 16 bits as the epoch. */
1084 pwSpec->epoch = cwSpec->epoch + 1;
1085 pwSpec->read_seq_num.high = pwSpec->write_seq_num.high =
1086 pwSpec->epoch << 16;
1087
1088 dtls_InitRecvdRecords(&pwSpec->recvdRecords);
1089 }
1090 pwSpec->read_seq_num.low = pwSpec->write_seq_num.low = 0;
1091
1092 rv = tls13_DeriveTrafficKeys(ss, pwSpec, type);
1093 if (rv != SECSuccess) {
1094 goto loser;
1095 }
1096 if (install == InstallCipherSpecWrite ||
1097 install == InstallCipherSpecBoth) {
1098 rv = tls13_InstallCipherSpec(ss, InstallCipherSpecWrite);
1099 if (rv != SECSuccess) {
1100 goto loser;
1101 }
1102 }
1103 if (install == InstallCipherSpecRead ||
1104 install == InstallCipherSpecBoth) {
1105 rv = tls13_InstallCipherSpec(ss, InstallCipherSpecRead);
1106 if (rv != SECSuccess) {
1107 goto loser;
1108 }
1109 }
1110 ssl_ReleaseSpecWriteLock(ss); /**************************************/
1111
1112 return SECSuccess;
1113
1114 loser:
1115 ssl_ReleaseSpecWriteLock(ss); /**************************************/
1116 PORT_SetError(SSL_ERROR_INIT_CIPHER_SUITE_FAILURE);
1117 return SECFailure;
1118 }
1119
1120 static SECStatus
1121 tls13_ComputeSecrets1(sslSocket *ss)
1122 {
1123 SECStatus rv;
1124 PK11SymKey *mSS = NULL;
1125 PK11SymKey *mES = NULL;
1126 PK11SymKey *masterSecret = NULL;
1127 SSL3Hashes hashes;
1128
1129 rv = ssl3_SetupPendingCipherSpec(ss);
1130 if (rv != SECSuccess) {
1131 return rv; /* error code set below. */
1132 }
1133
1134 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0);
1135 if (rv != SECSuccess) {
1136 PORT_Assert(0); /* Should never fail */
1137 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
1138 return SECFailure;
1139 }
1140
1141 PORT_Assert(ss->ssl3.hs.xSS);
1142 PORT_Assert(ss->ssl3.hs.xES);
1143
1144 rv = tls13_HkdfExpandLabel(ss->ssl3.hs.xSS,
1145 tls13_GetHash(ss),
1146 hashes.u.raw, hashes.len,
1147 kHkdfLabelExpandedSs,
1148 strlen(kHkdfLabelExpandedSs),
1149 tls13_GetHkdfMechanism(ss),
1150 hashes.len, &mSS);
1151 if (rv != SECSuccess) {
1152 goto loser;
1153 }
1154
1155 rv = tls13_HkdfExpandLabel(ss->ssl3.hs.xES,
1156 tls13_GetHash(ss),
1157 hashes.u.raw, hashes.len,
1158 kHkdfLabelExpandedEs,
1159 strlen(kHkdfLabelExpandedEs),
1160 tls13_GetHkdfMechanism(ss),
1161 hashes.len, &mES);
1162 if (rv != SECSuccess) {
1163 goto loser;
1164 }
1165
1166 rv = tls13_HkdfExtract(mSS, mES,
1167 tls13_GetHash(ss),
1168 &masterSecret);
1169
1170 if (rv != SECSuccess) {
1171 goto loser;
1172 }
1173
1174 rv = tls13_HkdfExpandLabel(masterSecret,
1175 tls13_GetHash(ss),
1176 hashes.u.raw, hashes.len,
1177 kHkdfLabelTrafficSecret,
1178 strlen(kHkdfLabelTrafficSecret),
1179 tls13_GetHkdfMechanism(ss),
1180 hashes.len, &ss->ssl3.hs.trafficSecret);
1181 if (rv != SECSuccess) {
1182 goto loser;
1183 }
1184
1185 rv = tls13_HkdfExpandLabel(masterSecret,
1186 tls13_GetHash(ss),
1187 NULL, 0,
1188 kHkdfLabelClientFinishedSecret,
1189 strlen(kHkdfLabelClientFinishedSecret),
1190 tls13_GetHmacMechanism(ss),
1191 hashes.len, &ss->ssl3.hs.clientFinishedSecret);
1192 if (rv != SECSuccess) {
1193 goto loser;
1194 }
1195
1196 rv = tls13_HkdfExpandLabel(masterSecret,
1197 tls13_GetHash(ss),
1198 NULL, 0,
1199 kHkdfLabelServerFinishedSecret,
1200 strlen(kHkdfLabelServerFinishedSecret),
1201 tls13_GetHmacMechanism(ss),
1202 hashes.len, &ss->ssl3.hs.serverFinishedSecret);
1203 if (rv != SECSuccess) {
1204 goto loser;
1205 }
1206
1207 loser:
1208 PK11_FreeSymKey(ss->ssl3.hs.xSS);
1209 ss->ssl3.hs.xSS = NULL;
1210 PK11_FreeSymKey(ss->ssl3.hs.xES);
1211 ss->ssl3.hs.xES = NULL;
1212
1213 if (mSS) {
1214 PK11_FreeSymKey(mSS);
1215 }
1216 if (mES) {
1217 PK11_FreeSymKey(mES);
1218 }
1219 if (masterSecret) {
1220 PK11_FreeSymKey(masterSecret);
1221 }
1222
1223 return rv;
1224 }
1225
1226 void
1227 tls13_DestroyKeyShareEntry(TLS13KeyShareEntry *offer)
1228 {
1229 SECITEM_ZfreeItem(&offer->key_exchange, PR_FALSE);
1230 PORT_ZFree(offer, sizeof(*offer));
1231 }
1232
1233 void
1234 tls13_DestroyKeyShares(PRCList *list)
1235 {
1236 PRCList *cur_p;
1237
1238 while (!PR_CLIST_IS_EMPTY(list)) {
1239 cur_p = PR_LIST_TAIL(list);
1240 PR_REMOVE_LINK(cur_p);
1241 tls13_DestroyKeyShareEntry((TLS13KeyShareEntry *)cur_p);
1242 }
1243 }
1244
1245 /* Implement the SSLAEADCipher interface defined in sslimpl.h.
1246 *
1247 * That interface mixes the AD and the sequence number, but in
1248 * TLS 1.3 there is no additional data so this value is just the
1249 * encoded sequence number and we call it |seqNumBuf|.
1250 */
1251 static SECStatus
1252 tls13_AESGCM(ssl3KeyMaterial *keys,
1253 PRBool doDecrypt,
1254 unsigned char *out,
1255 int *outlen,
1256 int maxout,
1257 const unsigned char *in,
1258 int inlen,
1259 const unsigned char *seqNumBuf,
1260 int seqNumLen)
1261 {
1262 SECItem param;
1263 SECStatus rv = SECFailure;
1264 unsigned char nonce[12];
1265 size_t i;
1266 unsigned int uOutLen;
1267 CK_GCM_PARAMS gcmParams;
1268 static const int tagSize = 16;
1269
1270 PORT_Assert(seqNumLen == 8);
1271
1272 /* draft-ietf-tls-tls13 Section 5.2.2 specifies the following
1273 * nonce algorithm:
1274 *
1275 * The length of the per-record nonce (iv_length) is set to max(8 bytes,
1276 * N_MIN) for the AEAD algorithm (see [RFC5116] Section 4). An AEAD
1277 * algorithm where N_MAX is less than 8 bytes MUST NOT be used with TLS.
1278 * The per-record nonce for the AEAD construction is formed as follows:
1279 *
1280 * 1. The 64-bit record sequence number is padded to the left with
1281 * zeroes to iv_length.
1282 *
1283 * 2. The padded sequence number is XORed with the static
1284 * client_write_iv or server_write_iv, depending on the role.
1285 *
1286 * The resulting quantity (of length iv_length) is used as the per-
1287 * record nonce.
1288 *
1289 * Per RFC 5288: N_MIN = N_MAX = 12 bytes.
1290 *
1291 */
1292 memcpy(nonce, keys->write_iv, sizeof(nonce));
1293 for (i = 0; i < 8; ++i) {
1294 nonce[4 + i] ^= seqNumBuf[i];
1295 }
1296
1297 param.type = siBuffer;
1298 param.data = (unsigned char *)&gcmParams;
1299 param.len = sizeof(gcmParams);
1300 gcmParams.pIv = nonce;
1301 gcmParams.ulIvLen = sizeof(nonce);
1302 gcmParams.pAAD = NULL;
1303 gcmParams.ulAADLen = 0;
1304 gcmParams.ulTagBits = tagSize * 8;
1305
1306 if (doDecrypt) {
1307 rv = PK11_Decrypt(keys->write_key, CKM_AES_GCM, &param, out, &uOutLen,
1308 maxout, in, inlen);
1309 } else {
1310 rv = PK11_Encrypt(keys->write_key, CKM_AES_GCM, &param, out, &uOutLen,
1311 maxout, in, inlen);
1312 }
1313 *outlen = (int)uOutLen;
1314
1315 return rv;
1316 }
1317
1318 static SECStatus
1319 tls13_HandleEncryptedExtensions(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
1320 {
1321 SECStatus rv;
1322 PRInt32 innerLength;
1323
1324 PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss));
1325 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
1326
1327 SSL_TRC(3, ("%d: TLS13[%d]: handle encrypted extensions",
1328 SSL_GETPID(), ss->fd));
1329
1330 rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_ENCRYPTED_EXTENSIONS,
1331 wait_encrypted_extensions);
1332 if (rv != SECSuccess) {
1333 return SECFailure;
1334 }
1335
1336 innerLength = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
1337 if (innerLength < 0) {
1338 return SECFailure; /* Alert already sent. */
1339 }
1340 if (innerLength != length) {
1341 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS,
1342 illegal_parameter);
1343 return SECFailure;
1344 }
1345
1346 rv = ssl3_HandleHelloExtensions(ss, &b, &length, encrypted_extensions);
1347 if (rv != SECSuccess) {
1348 return SECFailure; /* Error code set below */
1349 }
1350
1351 TLS13_SET_HS_STATE(ss, wait_cert_request);
1352 return SECSuccess;
1353 }
1354
1355 static SECStatus
1356 tls13_SendEncryptedExtensions(sslSocket *ss)
1357 {
1358 SECStatus rv;
1359 PRInt32 extensions_len = 0;
1360 PRInt32 sent_len = 0;
1361 PRUint32 maxBytes = 65535;
1362
1363 SSL_TRC(3, ("%d: TLS13[%d]: send encrypted extensions handshake",
1364 SSL_GETPID(), ss->fd));
1365
1366 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
1367 PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
1368
1369 extensions_len = ssl3_CallHelloExtensionSenders(
1370 ss, PR_FALSE, maxBytes, &ss->xtnData.encryptedExtensionsSenders[0]);
1371
1372 rv = ssl3_AppendHandshakeHeader(ss, encrypted_extensions,
1373 extensions_len + 2);
1374 if (rv != SECSuccess) {
1375 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);
1376 return SECFailure;
1377 }
1378 rv = ssl3_AppendHandshakeNumber(ss, extensions_len, 2);
1379 if (rv != SECSuccess) {
1380 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);
1381 return SECFailure;
1382 }
1383 sent_len = ssl3_CallHelloExtensionSenders(
1384 ss, PR_TRUE, extensions_len,
1385 &ss->xtnData.encryptedExtensionsSenders[0]);
1386 PORT_Assert(sent_len == extensions_len);
1387 if (sent_len != extensions_len) {
1388 PORT_Assert(sent_len == 0);
1389 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);
1390 return SECFailure;
1391 }
1392
1393 return SECSuccess;
1394 }
1395
1396 /* Called from tls13_CompleteHandleHandshakeMessage() when it has deciphered a c omplete
1397 * tls13 CertificateVerify message
1398 * Caller must hold Handshake and RecvBuf locks.
1399 */
1400 SECStatus
1401 tls13_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
1402 SSL3Hashes *hashes)
1403 {
1404 SECItem signed_hash = { siBuffer, NULL, 0 };
1405 SECStatus rv;
1406 SSLSignatureAndHashAlg sigAndHash;
1407
1408 SSL_TRC(3, ("%d: TLS13[%d]: handle certificate_verify handshake",
1409 SSL_GETPID(), ss->fd));
1410 PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss));
1411 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
1412
1413 rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY,
1414 wait_cert_verify);
1415 if (rv != SECSuccess) {
1416 return SECFailure;
1417 }
1418
1419 if (!hashes) {
1420 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);
1421 return SECFailure;
1422 }
1423
1424 /* We only support CertificateVerify messages that use the handshake
1425 * hash.
1426 * TODO(ekr@rtfm.com): This should be easy to relax in TLS 1.3 by
1427 * reading the client's hash algorithm first, but there may
1428 * be subtleties so retain the restriction for now.
1429 */
1430 rv = tls13_AddContextToHashes(ss, hashes, hashes->hashAlg, PR_FALSE);
1431 if (rv != SECSuccess) {
1432 FATAL_ERROR(ss, SSL_ERROR_DIGEST_FAILURE, internal_error);
1433 return SECFailure;
1434 }
1435
1436 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length,
1437 &sigAndHash);
1438 if (rv != SECSuccess) {
1439 PORT_SetError(SSL_ERROR_RX_MALFORMED_CERT_VERIFY);
1440 return SECFailure;
1441 }
1442
1443 rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(
1444 ss, &sigAndHash, ss->sec.peerCert);
1445 if (rv != SECSuccess) {
1446 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERT_VERIFY, decrypt_error);
1447 return SECFailure;
1448 }
1449
1450 /* We only support CertificateVerify messages that use the handshake
1451 * hash. */
1452 if (sigAndHash.hashAlg != hashes->hashAlg) {
1453 FATAL_ERROR(ss, SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM, decrypt_error);
1454 return SECFailure;
1455 }
1456
1457 rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length);
1458 if (rv != SECSuccess) {
1459 PORT_SetError(SSL_ERROR_RX_MALFORMED_CERT_VERIFY);
1460 return SECFailure;
1461 }
1462
1463 if (length != 0) {
1464 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERT_VERIFY, decode_error);
1465 return SECFailure;
1466 }
1467
1468 rv = ssl3_VerifySignedHashes(hashes, ss->sec.peerCert, &signed_hash,
1469 PR_TRUE, ss->pkcs11PinArg);
1470 if (rv != SECSuccess) {
1471 FATAL_ERROR(ss, PORT_GetError(), decrypt_error);
1472 return SECFailure;
1473 }
1474
1475 if (!ss->sec.isServer) {
1476 /* Compute the rest of the secrets except for the resumption
1477 * and exporter secret. */
1478 rv = tls13_ComputeSecrets1(ss);
1479 if (rv != SECSuccess) {
1480 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);
1481 return SECFailure;
1482 }
1483 }
1484 TLS13_SET_HS_STATE(ss, wait_finished);
1485
1486 return SECSuccess;
1487 }
1488
1489 static SECStatus
1490 tls13_ComputeFinished(sslSocket *ss, const SSL3Hashes *hashes, PRBool sending,
1491 PRUint8 *output, unsigned int *outputLen, unsigned int max OutputLen)
1492 {
1493 SECStatus rv;
1494 PK11Context *hmacCtx = NULL;
1495 CK_MECHANISM_TYPE macAlg = tls13_GetHmacMechanism(ss);
1496 SECItem param = { siBuffer, NULL, 0 };
1497 unsigned int outputLenUint;
1498 PK11SymKey *secret = (ss->sec.isServer ^ sending) ? ss->ssl3.hs.clientFinish edSecret
1499 : ss->ssl3.hs.serverFinish edSecret;
1500
1501 PORT_Assert(secret);
1502 PRINT_BUF(90, (NULL, "Handshake hash", hashes->u.raw, hashes->len));
1503
1504 hmacCtx = PK11_CreateContextBySymKey(macAlg, CKA_SIGN,
1505 secret, &param);
1506 if (!hmacCtx) {
1507 goto abort;
1508 }
1509
1510 rv = PK11_DigestBegin(hmacCtx);
1511 if (rv != SECSuccess)
1512 goto abort;
1513
1514 rv = PK11_DigestOp(hmacCtx, hashes->u.raw, hashes->len);
1515 if (rv != SECSuccess)
1516 goto abort;
1517
1518 PORT_Assert(maxOutputLen >= hashes->len);
1519 rv = PK11_DigestFinal(hmacCtx, output, &outputLenUint, maxOutputLen);
1520 if (rv != SECSuccess)
1521 goto abort;
1522 *outputLen = outputLenUint;
1523
1524 PK11_DestroyContext(hmacCtx, PR_TRUE);
1525 return SECSuccess;
1526
1527 abort:
1528 if (hmacCtx) {
1529 PK11_DestroyContext(hmacCtx, PR_TRUE);
1530 }
1531
1532 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1533 return SECFailure;
1534 }
1535
1536 static SECStatus
1537 tls13_SendFinished(sslSocket *ss)
1538 {
1539 SECStatus rv;
1540 PRUint8 finishedBuf[MAX_FINISHED_SIZE];
1541 unsigned int finishedLen;
1542 SSL3Hashes hashes;
1543 int errCode;
1544
1545 SSL_TRC(3, ("%d: TLS13[%d]: send finished handshake", SSL_GETPID(), ss->fd)) ;
1546
1547 PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
1548 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
1549
1550 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.cwSpec, &hashes, 0);
1551 if (rv != SECSuccess) {
1552 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);
1553 return SECFailure;
1554 }
1555
1556 ssl_GetSpecReadLock(ss);
1557 rv = tls13_ComputeFinished(ss, &hashes, PR_TRUE,
1558 finishedBuf, &finishedLen, sizeof(finishedBuf));
1559 ssl_ReleaseSpecReadLock(ss);
1560 if (rv != SECSuccess) {
1561 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);
1562 return SECFailure;
1563 }
1564
1565 rv = ssl3_AppendHandshakeHeader(ss, finished, finishedLen);
1566 if (rv != SECSuccess) {
1567 errCode = PR_GetError();
1568 goto alert_loser;
1569 }
1570
1571 rv = ssl3_AppendHandshake(ss, finishedBuf, finishedLen);
1572 if (rv != SECSuccess) {
1573 errCode = PR_GetError();
1574 goto alert_loser;
1575 }
1576
1577 rv = ssl3_FlushHandshake(ss, 0);
1578 if (rv != SECSuccess) {
1579 errCode = PR_GetError();
1580 goto alert_loser;
1581 }
1582
1583 if (ss->sec.isServer) {
1584 rv = tls13_InitCipherSpec(ss, TrafficKeyApplicationData,
1585 InstallCipherSpecWrite);
1586 } else {
1587 rv = tls13_InstallCipherSpec(ss, InstallCipherSpecWrite);
1588 }
1589 if (rv != SECSuccess) {
1590 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1591 return SECFailure;
1592 }
1593
1594 /* TODO(ekr@rtfm.com): Record key log */
1595 return SECSuccess;
1596
1597 alert_loser:
1598 (void)SSL3_SendAlert(ss, alert_fatal, internal_error);
1599 PORT_SetError(errCode); /* Restore error code */
1600 return rv;
1601 }
1602
1603 static SECStatus
1604 tls13_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
1605 const SSL3Hashes *hashes)
1606 {
1607 SECStatus rv;
1608 PRUint8 finishedBuf[MAX_FINISHED_SIZE];
1609 unsigned int finishedLen;
1610
1611 PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss));
1612 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
1613
1614 SSL_TRC(3, ("%d: TLS13[%d]: handle finished handshake",
1615 SSL_GETPID(), ss->fd));
1616
1617 rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_FINISHED, wait_finishe d);
1618 if (rv != SECSuccess) {
1619 return SECFailure;
1620 }
1621 if (!hashes) {
1622 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);
1623 return SECFailure;
1624 }
1625
1626 ssl_GetSpecReadLock(ss);
1627 rv = tls13_ComputeFinished(ss, hashes, PR_FALSE,
1628 finishedBuf, &finishedLen, sizeof(finishedBuf));
1629 ssl_ReleaseSpecReadLock(ss);
1630 if (rv != SECSuccess) {
1631 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);
1632 return SECFailure;
1633 }
1634
1635 if (length != finishedLen) {
1636 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_FINISHED, decode_error);
1637 return SECFailure;
1638 }
1639
1640 if (NSS_SecureMemcmp(b, finishedBuf, finishedLen) != 0) {
1641 FATAL_ERROR(ss, SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE,
1642 decrypt_error);
1643 return SECFailure;
1644 }
1645
1646 /* Server is now finished.
1647 * Client sends second flight
1648 */
1649 /* TODO(ekr@rtfm.com): Send NewSession Ticket if server. */
1650 if (ss->sec.isServer) {
1651 rv = tls13_InstallCipherSpec(ss, InstallCipherSpecRead);
1652 if (rv != SECSuccess) {
1653 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);
1654 return SECFailure;
1655 }
1656
1657 rv = tls13_FinishHandshake(ss);
1658 } else {
1659 if (ss->ssl3.hs.authCertificatePending) {
1660 /* TODO(ekr@rtfm.com): Handle pending auth */
1661 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);
1662 PORT_Assert(0);
1663 return SECFailure;
1664 }
1665 rv = tls13_InitCipherSpec(ss, TrafficKeyApplicationData,
1666 InstallCipherSpecRead);
1667 if (rv != SECSuccess) {
1668 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);
1669 return SECFailure;
1670 }
1671
1672 rv = tls13_SendClientSecondRound(ss);
1673 if (rv != SECSuccess)
1674 return SECFailure; /* Error code and alerts handled below */
1675 }
1676
1677 return rv;
1678 }
1679
1680 static SECStatus
1681 tls13_FinishHandshake(sslSocket *ss)
1682 {
1683 PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss));
1684 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
1685 PORT_Assert(ss->ssl3.hs.restartTarget == NULL);
1686
1687 /* The first handshake is now completed. */
1688 ss->handshake = NULL;
1689
1690 TLS13_SET_HS_STATE(ss, idle_handshake);
1691
1692 ssl_FinishHandshake(ss);
1693
1694 return SECSuccess;
1695 }
1696
1697 static SECStatus
1698 tls13_SendClientSecondRound(sslSocket *ss)
1699 {
1700 SECStatus rv;
1701 PRBool sendClientCert;
1702
1703 PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss));
1704 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
1705
1706 sendClientCert = !ss->ssl3.sendEmptyCert &&
1707 ss->ssl3.clientCertChain != NULL &&
1708 ss->ssl3.clientPrivateKey != NULL;
1709
1710 /* Defer client authentication sending if we are still
1711 * waiting for server authentication. See the long block
1712 * comment in ssl3_SendClientSecondRound for more detail.
1713 */
1714 if (ss->ssl3.hs.restartTarget) {
1715 PR_NOT_REACHED("unexpected ss->ssl3.hs.restartTarget");
1716 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1717 return SECFailure;
1718 }
1719 if (ss->ssl3.hs.authCertificatePending && (sendClientCert ||
1720 ss->ssl3.sendEmptyCert)) {
1721 SSL_TRC(3, ("%d: TLS13[%p]: deferring ssl3_SendClientSecondRound because "
1722 " certificate authentication is still pending.",
1723 SSL_GETPID(), ss->fd));
1724 ss->ssl3.hs.restartTarget = tls13_SendClientSecondRound;
1725 return SECWouldBlock;
1726 }
1727
1728 ssl_GetXmitBufLock(ss); /*******************************/
1729 if (ss->ssl3.sendEmptyCert) {
1730 ss->ssl3.sendEmptyCert = PR_FALSE;
1731 rv = ssl3_SendEmptyCertificate(ss);
1732 /* Don't send verify */
1733 if (rv != SECSuccess) {
1734 goto loser; /* error code is set. */
1735 }
1736 } else if (sendClientCert) {
1737 rv = ssl3_SendCertificate(ss);
1738 if (rv != SECSuccess) {
1739 goto loser; /* error code is set. */
1740 }
1741 }
1742
1743 if (sendClientCert) {
1744 rv = ssl3_SendCertificateVerify(ss, ss->ssl3.clientPrivateKey);
1745 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
1746 ss->ssl3.clientPrivateKey = NULL;
1747 if (rv != SECSuccess) {
1748 goto loser; /* err is set. */
1749 }
1750 }
1751
1752 rv = tls13_SendFinished(ss);
1753 if (rv != SECSuccess) {
1754 goto loser; /* err code was set. */
1755 }
1756 ssl_ReleaseXmitBufLock(ss); /*******************************/
1757
1758 /* The handshake is now finished */
1759 return tls13_FinishHandshake(ss);
1760
1761 loser:
1762 ssl_ReleaseXmitBufLock(ss); /*******************************/
1763 return SECFailure;
1764 }
1765
1766 static SECStatus
1767 tls13_HandleNewSessionTicket(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
1768 {
1769 SECStatus rv;
1770
1771 rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET,
1772 idle_handshake);
1773 if (rv != SECSuccess) {
1774 return SECFailure;
1775 }
1776
1777 UNIMPLEMENTED();
1778
1779 /* Ignore */
1780 return SECSuccess;
1781 }
1782
1783 typedef enum {
1784 ExtensionNotUsed,
1785 ExtensionClientOnly,
1786 ExtensionSendClear,
1787 ExtensionSendEncrypted,
1788 } Tls13ExtensionStatus;
1789
1790 static const struct {
1791 SSLExtensionType ex_value;
1792 Tls13ExtensionStatus status;
1793 } KnownExtensions[] = {
1794 { ssl_server_name_xtn,
1795 ExtensionSendEncrypted },
1796 {
1797 ssl_cert_status_xtn,
1798 ExtensionNotUsed /* TODO(ekr@rtfm.com): Disabled because broken
1799 in TLS 1.3. */
1800 /* ExtensionSendEncrypted */
1801 },
1802 { ssl_elliptic_curves_xtn,
1803 ExtensionSendClear },
1804 { ssl_ec_point_formats_xtn,
1805 ExtensionNotUsed },
1806 { ssl_signature_algorithms_xtn,
1807 ExtensionClientOnly },
1808 { ssl_use_srtp_xtn,
1809 ExtensionSendEncrypted },
1810 { ssl_app_layer_protocol_xtn,
1811 ExtensionSendEncrypted },
1812 { ssl_padding_xtn,
1813 ExtensionNotUsed },
1814 { ssl_extended_master_secret_xtn,
1815 ExtensionNotUsed },
1816 { ssl_session_ticket_xtn,
1817 ExtensionClientOnly },
1818 { ssl_tls13_key_share_xtn,
1819 ExtensionSendClear },
1820 { ssl_next_proto_nego_xtn,
1821 ExtensionNotUsed },
1822 { ssl_renegotiation_info_xtn,
1823 ExtensionNotUsed },
1824 { ssl_tls13_draft_version_xtn,
1825 ExtensionClientOnly }
1826 };
1827
1828 PRBool
1829 tls13_ExtensionAllowed(PRUint16 extension, SSL3HandshakeType message)
1830 {
1831 unsigned int i;
1832
1833 PORT_Assert((message == client_hello) ||
1834 (message == server_hello) ||
1835 (message == encrypted_extensions));
1836
1837 for (i = 0; i < PR_ARRAY_SIZE(KnownExtensions); i++) {
1838 if (KnownExtensions[i].ex_value == extension)
1839 break;
1840 }
1841 if (i == PR_ARRAY_SIZE(KnownExtensions)) {
1842 /* We have never heard of this extension which is OK on
1843 * the server but not the client. */
1844 return message == client_hello;
1845 }
1846
1847 switch (KnownExtensions[i].status) {
1848 case ExtensionNotUsed:
1849 return PR_FALSE;
1850 case ExtensionClientOnly:
1851 return message == client_hello;
1852 case ExtensionSendClear:
1853 return message == client_hello ||
1854 message == server_hello;
1855 case ExtensionSendEncrypted:
1856 return message == client_hello ||
1857 message == encrypted_extensions;
1858 }
1859
1860 PORT_Assert(0);
1861
1862 /* Not reached */
1863 return PR_TRUE;
1864 }
1865
1866 /* Helper function to encode a uint32 into a buffer */
1867 unsigned char *
1868 tls13_EncodeUintX(PRUint32 value, unsigned int bytes, unsigned char *to)
1869 {
1870 PRUint32 encoded;
1871
1872 PORT_Assert(bytes > 0 && bytes <= 4);
1873
1874 encoded = PR_htonl(value);
1875 memcpy(to, ((unsigned char *)(&encoded)) + (4 - bytes), bytes);
1876 return to + bytes;
1877 }
1878
1879 /* TLS 1.3 doesn't actually have additional data but the aead function
1880 * signature overloads additional data to carry the record sequence
1881 * number and that's what we put here. The TLS 1.3 AEAD functions
1882 * just use this input as the sequence number and not as additional
1883 * data. */
1884 static void
1885 tls13_FormatAdditionalData(unsigned char *aad, unsigned int length,
1886 SSL3SequenceNumber seqNum)
1887 {
1888 unsigned char *ptr = aad;
1889
1890 PORT_Assert(length == 8);
1891 ptr = tls13_EncodeUintX(seqNum.high, 4, ptr);
1892 ptr = tls13_EncodeUintX(seqNum.low, 4, ptr);
1893 PORT_Assert((ptr - aad) == length);
1894 }
1895
1896 SECStatus
1897 tls13_ProtectRecord(sslSocket *ss,
1898 SSL3ContentType type,
1899 const SSL3Opaque *pIn,
1900 PRUint32 contentLen,
1901 sslBuffer *wrBuf)
1902 {
1903 ssl3CipherSpec *cwSpec = ss->ssl3.cwSpec;
1904 const ssl3BulkCipherDef *cipher_def = cwSpec->cipher_def;
1905 SECStatus rv;
1906 PRUint16 headerLen;
1907 int cipherBytes = 0;
1908 const int tagLen = cipher_def->tag_size;
1909
1910 SSL_TRC(3, ("%d: TLS13[%d]: protect record of length %u, seq=0x%0x%0x",
1911 SSL_GETPID(), ss->fd, contentLen,
1912 cwSpec->write_seq_num.high,
1913 cwSpec->write_seq_num.low));
1914
1915 headerLen = IS_DTLS(ss) ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LEN GTH;
1916
1917 if (headerLen + contentLen + 1 + tagLen > wrBuf->space) {
1918 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1919 return SECFailure;
1920 }
1921
1922 /* Copy the data into the wrBuf. We're going to encrypt in-place
1923 * in the AEAD branch anyway */
1924 PORT_Memcpy(wrBuf->buf + headerLen, pIn, contentLen);
1925
1926 if (cipher_def->calg == ssl_calg_null) {
1927 /* Shortcut for plaintext */
1928 cipherBytes = contentLen;
1929 } else {
1930 unsigned char aad[8];
1931 PORT_Assert(cipher_def->type == type_aead);
1932
1933 /* Add the content type at the end. */
1934 wrBuf->buf[headerLen + contentLen] = type;
1935
1936 /* Stomp the content type to be application_data */
1937 type = content_application_data;
1938
1939 tls13_FormatAdditionalData(aad, sizeof(aad),
1940 cwSpec->write_seq_num);
1941 cipherBytes = contentLen + 1; /* Room for the content type on the end. * /
1942 rv = cwSpec->aead(
1943 ss->sec.isServer ? &cwSpec->server : &cwSpec->client,
1944 PR_FALSE, /* do encrypt */
1945 wrBuf->buf + headerLen, /* output */
1946 &cipherBytes, /* out len */
1947 wrBuf->space - headerLen, /* max out */
1948 wrBuf->buf + headerLen, contentLen + 1, /* input */
1949 aad, sizeof(aad));
1950 if (rv != SECSuccess) {
1951 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
1952 return SECFailure;
1953 }
1954 }
1955
1956 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 256);
1957
1958 wrBuf->len = cipherBytes + headerLen;
1959 wrBuf->buf[0] = type;
1960
1961 if (IS_DTLS(ss)) {
1962 (void)tls13_EncodeUintX(2, dtls_TLSVersionToDTLSVersion(kRecordVersion),
1963 &wrBuf->buf[1]);
1964 (void)tls13_EncodeUintX(cwSpec->write_seq_num.high, 4, &wrBuf->buf[3]);
1965 (void)tls13_EncodeUintX(cwSpec->write_seq_num.low, 4, &wrBuf->buf[7]);
1966 (void)tls13_EncodeUintX(cipherBytes, 2, &wrBuf->buf[11]);
1967 } else {
1968 (void)tls13_EncodeUintX(kRecordVersion, 2, &wrBuf->buf[1]);
1969 (void)tls13_EncodeUintX(cipherBytes, 2, &wrBuf->buf[3]);
1970 }
1971 ssl3_BumpSequenceNumber(&cwSpec->write_seq_num);
1972
1973 return SECSuccess;
1974 }
1975
1976 /* Unprotect a TLS 1.3 record and leave the result in plaintext.
1977 *
1978 * Called by ssl3_HandleRecord. Caller must hold the spec read lock.
1979 * Therefore, we MUST not call SSL3_SendAlert().
1980 *
1981 * If SECFailure is returned, we:
1982 * 1. Set |*alert| to the alert to be sent.
1983 * 2. Call PORT_SetError() witn an appropriate code.
1984 */
1985 SECStatus
1986 tls13_UnprotectRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *plaintext ,
1987 SSL3AlertDescription *alert)
1988 {
1989 ssl3CipherSpec *crSpec = ss->ssl3.crSpec;
1990 const ssl3BulkCipherDef *cipher_def = crSpec->cipher_def;
1991 unsigned char aad[8];
1992 SECStatus rv;
1993
1994 *alert = bad_record_mac; /* Default alert for most issues. */
1995
1996 SSL_TRC(3, ("%d: TLS13[%d]: unprotect record of length %u",
1997 SSL_GETPID(), ss->fd, cText->buf->len));
1998
1999 /* We can perform this test in variable time because the record's total
2000 * length and the ciphersuite are both public knowledge. */
2001 if (cText->buf->len < cipher_def->tag_size) {
2002 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
2003 return SECFailure;
2004 }
2005
2006 /* Verify that the content type is right, even though we overwrite it. */
2007 if (cText->type != content_application_data) {
2008 /* Do we need a better error here? */
2009 PORT_SetError(SSL_ERROR_BAD_MAC_READ);
2010 return SECFailure;
2011 }
2012
2013 /* Check the version number in the record */
2014 if (cText->version != kRecordVersion) {
2015 /* Do we need a better error here? */
2016 PORT_SetError(SSL_ERROR_BAD_MAC_READ);
2017 return SECFailure;
2018 }
2019
2020 /* Decrypt */
2021 PORT_Assert(cipher_def->type == type_aead);
2022 tls13_FormatAdditionalData(aad, sizeof(aad),
2023 IS_DTLS(ss) ? cText->seq_num
2024 : crSpec->read_seq_num);
2025 rv = crSpec->aead(
2026 ss->sec.isServer ? &crSpec->client : &crSpec->server,
2027 PR_TRUE, /* do decrypt */
2028 plaintext->buf, /* out */
2029 (int *)&plaintext->len, /* outlen */
2030 plaintext->space, /* maxout */
2031 cText->buf->buf, /* in */
2032 cText->buf->len, /* inlen */
2033 aad, sizeof(aad));
2034 if (rv != SECSuccess) {
2035 PORT_SetError(SSL_ERROR_BAD_MAC_READ);
2036 return SECFailure;
2037 }
2038
2039 /* The record is right-padded with 0s, followed by the true
2040 * content type, so read from the right until we receive a
2041 * nonzero byte. */
2042 while (plaintext->len > 0 && !(plaintext->buf[plaintext->len - 1])) {
2043 --plaintext->len;
2044 }
2045
2046 /* Bogus padding. */
2047 if (plaintext->len < 1) {
2048 /* It's safe to report this specifically because it happened
2049 * after the MAC has been verified. */
2050 PORT_SetError(SSL_ERROR_BAD_BLOCK_PADDING);
2051 return SECFailure;
2052 }
2053
2054 /* Record the type. */
2055 cText->type = plaintext->buf[plaintext->len - 1];
2056 --plaintext->len;
2057
2058 return SECSuccess;
2059 }
OLDNEW
« no previous file with comments | « net/third_party/nss/ssl/tls13con.h ('k') | net/third_party/nss/ssl/tls13hkdf.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698