OLD | NEW |
(Empty) | |
| 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ |
| 2 /* |
| 3 * TLS 1.3 Protocol |
| 4 * |
| 5 * This Source Code Form is subject to the terms of the Mozilla Public |
| 6 * License, v. 2.0. If a copy of the MPL was not distributed with this |
| 7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| 8 |
| 9 #include "stdarg.h" |
| 10 #include "cert.h" |
| 11 #include "ssl.h" |
| 12 #include "keyhi.h" |
| 13 #include "pk11func.h" |
| 14 #include "secitem.h" |
| 15 #include "sslimpl.h" |
| 16 #include "sslproto.h" |
| 17 #include "sslerr.h" |
| 18 #include "tls13hkdf.h" |
| 19 #include "tls13con.h" |
| 20 |
| 21 typedef enum { |
| 22 TrafficKeyEarlyData, |
| 23 TrafficKeyHandshake, |
| 24 TrafficKeyApplicationData |
| 25 } TrafficKeyType; |
| 26 |
| 27 typedef enum { |
| 28 InstallCipherSpecRead, |
| 29 InstallCipherSpecWrite, |
| 30 InstallCipherSpecBoth |
| 31 } InstallCipherSpecDirection; |
| 32 |
| 33 #define MAX_FINISHED_SIZE 64 |
| 34 |
| 35 static SECStatus tls13_InitializeHandshakeEncryption(sslSocket *ss); |
| 36 static SECStatus tls13_InstallCipherSpec( |
| 37 sslSocket *ss, InstallCipherSpecDirection direction); |
| 38 static SECStatus tls13_InitCipherSpec( |
| 39 sslSocket *ss, TrafficKeyType type, InstallCipherSpecDirection install); |
| 40 static SECStatus tls13_AESGCM( |
| 41 ssl3KeyMaterial *keys, |
| 42 PRBool doDecrypt, |
| 43 unsigned char *out, int *outlen, int maxout, |
| 44 const unsigned char *in, int inlen, |
| 45 const unsigned char *additionalData, int additionalDataLen); |
| 46 static SECStatus tls13_SendEncryptedExtensions(sslSocket *ss); |
| 47 static SECStatus tls13_HandleEncryptedExtensions(sslSocket *ss, SSL3Opaque *b, |
| 48 PRUint32 length); |
| 49 static SECStatus tls13_HandleCertificate( |
| 50 sslSocket *ss, SSL3Opaque *b, PRUint32 length); |
| 51 static SECStatus tls13_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, |
| 52 PRUint32 length); |
| 53 static SECStatus tls13_HandleCertificateStatus(sslSocket *ss, SSL3Opaque *b, |
| 54 PRUint32 length); |
| 55 static SECStatus tls13_HandleCertificateVerify( |
| 56 sslSocket *ss, SSL3Opaque *b, PRUint32 length, |
| 57 SSL3Hashes *hashes); |
| 58 static SECStatus tls13_HkdfExtractSharedKey(sslSocket *ss, PK11SymKey *key, |
| 59 SharedSecretType keyType); |
| 60 static SECStatus tls13_SendFinished(sslSocket *ss); |
| 61 static SECStatus tls13_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 len
gth, |
| 62 const SSL3Hashes *hashes); |
| 63 static SECStatus tls13_HandleNewSessionTicket(sslSocket *ss, SSL3Opaque *b, |
| 64 PRUint32 length); |
| 65 static SECStatus tls13_ComputeSecrets1(sslSocket *ss); |
| 66 static SECStatus tls13_ComputeFinished( |
| 67 sslSocket *ss, const SSL3Hashes *hashes, |
| 68 PRBool sending, |
| 69 PRUint8 *output, unsigned int *outputLen, |
| 70 unsigned int maxOutputLen); |
| 71 static SECStatus tls13_SendClientSecondRound(sslSocket *ss); |
| 72 static SECStatus tls13_FinishHandshake(sslSocket *ss); |
| 73 |
| 74 const char kHkdfLabelExpandedSs[] = "expanded static secret"; |
| 75 const char kHkdfLabelExpandedEs[] = "expanded ephemeral secret"; |
| 76 const char kHkdfLabelMasterSecret[] = "master secret"; |
| 77 const char kHkdfLabelTrafficSecret[] = "traffic secret"; |
| 78 const char kHkdfLabelClientFinishedSecret[] = "client finished"; |
| 79 const char kHkdfLabelServerFinishedSecret[] = "server finished"; |
| 80 const char kHkdfLabelResumptionMasterSecret[] = "resumption master secret"; |
| 81 const char kHkdfLabelExporterMasterSecret[] = "exporter master secret"; |
| 82 const char kHkdfPhaseEarlyHandshakeDataKeys[] = "early handshake key expansion"; |
| 83 const char kHkdfPhaseEarlyApplicationDataKeys[] = "early application data key ex
pansion"; |
| 84 const char kHkdfPhaseHandshakeKeys[] = "handshake key expansion"; |
| 85 const char kHkdfPhaseApplicationDataKeys[] = "application data key expansion"; |
| 86 const char kHkdfPurposeClientWriteKey[] = "client write key"; |
| 87 const char kHkdfPurposeServerWriteKey[] = "server write key"; |
| 88 const char kHkdfPurposeClientWriteIv[] = "client write iv"; |
| 89 const char kHkdfPurposeServerWriteIv[] = "server write iv"; |
| 90 const char kClientFinishedLabel[] = "client finished"; |
| 91 const char kServerFinishedLabel[] = "server finished"; |
| 92 |
| 93 const SSL3ProtocolVersion kRecordVersion = 0x0301U; |
| 94 |
| 95 #define FATAL_ERROR(ss, prError, desc)
\ |
| 96 do {
\ |
| 97 SSL_TRC(3, ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)",
\ |
| 98 SSL_GETPID(), ss->fd, prError, __func__, __FILE__, __LINE__)
); \ |
| 99 tls13_FatalError(ss, prError, desc);
\ |
| 100 } while (0) |
| 101 |
| 102 #define UNIMPLEMENTED() \ |
| 103 do { \ |
| 104 SSL_TRC(3, ("%d: TLS13[%d]: unimplemented feature in %s (%s:%d)", \ |
| 105 SSL_GETPID(), ss->fd, __func__, __FILE__, __LINE__)); \ |
| 106 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); \ |
| 107 PORT_Assert(0); \ |
| 108 return SECFailure; \ |
| 109 } while (0) |
| 110 |
| 111 void |
| 112 tls13_FatalError(sslSocket *ss, PRErrorCode prError, SSL3AlertDescription desc) |
| 113 { |
| 114 PORT_Assert(desc != internal_error); /* These should never happen */ |
| 115 (void)SSL3_SendAlert(ss, alert_fatal, desc); |
| 116 PORT_SetError(prError); |
| 117 } |
| 118 |
| 119 #ifdef TRACE |
| 120 #define STATE_CASE(a) \ |
| 121 case a: \ |
| 122 return #a |
| 123 static char * |
| 124 tls13_HandshakeState(SSL3WaitState st) |
| 125 { |
| 126 switch (st) { |
| 127 STATE_CASE(wait_client_hello); |
| 128 STATE_CASE(wait_client_cert); |
| 129 STATE_CASE(wait_cert_verify); |
| 130 STATE_CASE(wait_finished); |
| 131 STATE_CASE(wait_server_hello); |
| 132 STATE_CASE(wait_certificate_status); |
| 133 STATE_CASE(wait_server_cert); |
| 134 STATE_CASE(wait_cert_request); |
| 135 STATE_CASE(wait_encrypted_extensions); |
| 136 STATE_CASE(idle_handshake); |
| 137 default: |
| 138 break; |
| 139 } |
| 140 PORT_Assert(0); |
| 141 return "unknown"; |
| 142 } |
| 143 #endif |
| 144 |
| 145 #define TLS13_WAIT_STATE_MASK 0x80 |
| 146 |
| 147 #define TLS13_BASE_WAIT_STATE(ws) (ws & ~TLS13_WAIT_STATE_MASK) |
| 148 /* We don't mask idle_handshake because other parts of the code use it*/ |
| 149 #define TLS13_WAIT_STATE(ws) (ws == idle_handshake ? ws : ws | TLS13_WAIT_STATE_
MASK) |
| 150 #define TLS13_CHECK_HS_STATE(ss, err, ...) \ |
| 151 tls13_CheckHsState(ss, err, #err, __func__, __FILE__, __LINE__, \ |
| 152 __VA_ARGS__, \ |
| 153 wait_invalid) |
| 154 void |
| 155 tls13_SetHsState(sslSocket *ss, SSL3WaitState ws, |
| 156 const char *func, const char *file, int line) |
| 157 { |
| 158 #ifdef TRACE |
| 159 const char *new_state_name = |
| 160 tls13_HandshakeState(ws); |
| 161 |
| 162 SSL_TRC(3, ("%d: TLS13[%d]: state change from %s->%s in %s (%s:%d)", |
| 163 SSL_GETPID(), ss->fd, |
| 164 tls13_HandshakeState(TLS13_BASE_WAIT_STATE(ss->ssl3.hs.ws)), |
| 165 new_state_name, |
| 166 func, file, line)); |
| 167 #endif |
| 168 |
| 169 ss->ssl3.hs.ws = TLS13_WAIT_STATE(ws); |
| 170 } |
| 171 |
| 172 static PRBool |
| 173 tls13_InHsStateV(sslSocket *ss, va_list ap) |
| 174 { |
| 175 SSL3WaitState ws; |
| 176 |
| 177 while ((ws = va_arg(ap, SSL3WaitState)) != wait_invalid) { |
| 178 if (ws == TLS13_BASE_WAIT_STATE(ss->ssl3.hs.ws)) { |
| 179 return PR_TRUE; |
| 180 } |
| 181 } |
| 182 return PR_FALSE; |
| 183 } |
| 184 |
| 185 PRBool |
| 186 tls13_InHsState(sslSocket *ss, ...) |
| 187 { |
| 188 PRBool found; |
| 189 va_list ap; |
| 190 |
| 191 va_start(ap, ss); |
| 192 found = tls13_InHsStateV(ss, ap); |
| 193 va_end(ap); |
| 194 |
| 195 return found; |
| 196 } |
| 197 |
| 198 static SECStatus |
| 199 tls13_CheckHsState(sslSocket *ss, int err, const char *error_name, |
| 200 const char *func, const char *file, int line, |
| 201 ...) |
| 202 { |
| 203 va_list ap; |
| 204 va_start(ap, line); |
| 205 if (tls13_InHsStateV(ss, ap)) { |
| 206 va_end(ap); |
| 207 return SECSuccess; |
| 208 } |
| 209 va_end(ap); |
| 210 |
| 211 SSL_TRC(3, ("%d: TLS13[%d]: error %s state is (%s) at %s (%s:%d)", |
| 212 SSL_GETPID(), ss->fd, |
| 213 error_name, |
| 214 tls13_HandshakeState(TLS13_BASE_WAIT_STATE(ss->ssl3.hs.ws)), |
| 215 func, file, line)); |
| 216 tls13_FatalError(ss, err, unexpected_message); |
| 217 return SECFailure; |
| 218 } |
| 219 |
| 220 SSLHashType |
| 221 tls13_GetHash(sslSocket *ss) |
| 222 { |
| 223 /* TODO(ekr@rtfm.com): This needs to actually be looked up. */ |
| 224 return ssl_hash_sha256; |
| 225 } |
| 226 |
| 227 CK_MECHANISM_TYPE |
| 228 tls13_GetHkdfMechanism(sslSocket *ss) |
| 229 { |
| 230 /* TODO(ekr@rtfm.com): This needs to actually be looked up. */ |
| 231 return CKM_NSS_HKDF_SHA256; |
| 232 } |
| 233 |
| 234 static CK_MECHANISM_TYPE |
| 235 tls13_GetHmacMechanism(sslSocket *ss) |
| 236 { |
| 237 /* TODO(ekr@rtfm.com): This needs to actually be looked up. */ |
| 238 return CKM_SHA256_HMAC; |
| 239 } |
| 240 |
| 241 /* |
| 242 * Called from ssl3_SendClientHello |
| 243 */ |
| 244 SECStatus |
| 245 tls13_SetupClientHello(sslSocket *ss) |
| 246 { |
| 247 SECStatus rv; |
| 248 /* TODO(ekr@rtfm.com): Handle multiple curves here. */ |
| 249 ECName curves_to_try[] = { ec_secp256r1 }; |
| 250 |
| 251 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 252 PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
| 253 |
| 254 PORT_Assert(!ss->ephemeralECDHKeyPair); |
| 255 |
| 256 rv = ssl3_CreateECDHEphemeralKeyPair(curves_to_try[0], |
| 257 &ss->ephemeralECDHKeyPair); |
| 258 if (rv != SECSuccess) |
| 259 return rv; |
| 260 |
| 261 return SECSuccess; |
| 262 } |
| 263 |
| 264 static SECStatus |
| 265 tls13_HandleECDHEKeyShare(sslSocket *ss, |
| 266 TLS13KeyShareEntry *entry, |
| 267 SECKEYPrivateKey *privKey, |
| 268 SharedSecretType type) |
| 269 { |
| 270 SECStatus rv; |
| 271 SECKEYPublicKey *peerKey; |
| 272 PK11SymKey *shared; |
| 273 |
| 274 peerKey = tls13_ImportECDHKeyShare(ss, entry->key_exchange.data, |
| 275 entry->key_exchange.len, |
| 276 entry->group); |
| 277 if (!peerKey) |
| 278 return SECFailure; /* Error code set already. */ |
| 279 |
| 280 /* Compute shared key. */ |
| 281 shared = tls13_ComputeECDHSharedKey(ss, privKey, peerKey); |
| 282 SECKEY_DestroyPublicKey(peerKey); |
| 283 if (!shared) { |
| 284 return SECFailure; /* Error code set already. */ |
| 285 } |
| 286 |
| 287 /* Extract key. */ |
| 288 rv = tls13_HkdfExtractSharedKey(ss, shared, type); |
| 289 PK11_FreeSymKey(shared); |
| 290 |
| 291 return rv; |
| 292 } |
| 293 |
| 294 SECStatus |
| 295 tls13_HandlePostHelloHandshakeMessage(sslSocket *ss, SSL3Opaque *b, |
| 296 PRUint32 length, SSL3Hashes *hashesPtr) |
| 297 { |
| 298 /* TODO(ekr@rtfm.com): Would it be better to check all the states here? */ |
| 299 switch (ss->ssl3.hs.msg_type) { |
| 300 case certificate: |
| 301 return tls13_HandleCertificate(ss, b, length); |
| 302 |
| 303 case certificate_status: |
| 304 return tls13_HandleCertificateStatus(ss, b, length); |
| 305 |
| 306 case certificate_request: |
| 307 return tls13_HandleCertificateRequest(ss, b, length); |
| 308 |
| 309 case certificate_verify: |
| 310 return tls13_HandleCertificateVerify(ss, b, length, hashesPtr); |
| 311 |
| 312 case encrypted_extensions: |
| 313 return tls13_HandleEncryptedExtensions(ss, b, length); |
| 314 |
| 315 case new_session_ticket: |
| 316 return tls13_HandleNewSessionTicket(ss, b, length); |
| 317 |
| 318 case finished: |
| 319 return tls13_HandleFinished(ss, b, length, hashesPtr); |
| 320 |
| 321 default: |
| 322 FATAL_ERROR(ss, SSL_ERROR_RX_UNKNOWN_HANDSHAKE, unexpected_message); |
| 323 return SECFailure; |
| 324 } |
| 325 |
| 326 PORT_Assert(0); /* Unreached */ |
| 327 return SECFailure; |
| 328 } |
| 329 |
| 330 /* Called from ssl3_HandleClientHello. |
| 331 * |
| 332 * Caller must hold Handshake and RecvBuf locks. |
| 333 */ |
| 334 SECStatus |
| 335 tls13_HandleClientKeyShare(sslSocket *ss) |
| 336 { |
| 337 ECName expectedGroup; |
| 338 SECStatus rv; |
| 339 TLS13KeyShareEntry *found = NULL; |
| 340 PRCList *cur_p; |
| 341 |
| 342 SSL_TRC(3, ("%d: TLS13[%d]: handle client_key_share handshake", |
| 343 SSL_GETPID(), ss->fd)); |
| 344 |
| 345 PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
| 346 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 347 |
| 348 rv = ssl3_SetupPendingCipherSpec(ss); |
| 349 if (rv != SECSuccess) |
| 350 return SECFailure; /* Error code set below */ |
| 351 |
| 352 /* Figure out what group we expect */ |
| 353 switch (ss->ssl3.hs.kea_def->exchKeyType) { |
| 354 #ifndef NSS_DISABLE_ECC |
| 355 case ssl_kea_ecdh: |
| 356 expectedGroup = ssl3_GetCurveNameForServerSocket(ss); |
| 357 if (!expectedGroup) { |
| 358 FATAL_ERROR(ss, SSL_ERROR_NO_CYPHER_OVERLAP, |
| 359 handshake_failure); |
| 360 return SECFailure; |
| 361 } |
| 362 break; |
| 363 #endif |
| 364 default: |
| 365 /* Got an unknown or unsupported Key Exchange Algorithm. |
| 366 * Can't happen. */ |
| 367 FATAL_ERROR(ss, SEC_ERROR_UNSUPPORTED_KEYALG, |
| 368 internal_error); |
| 369 return SECFailure; |
| 370 } |
| 371 |
| 372 /* Now walk through the keys until we find one for our group */ |
| 373 cur_p = PR_NEXT_LINK(&ss->ssl3.hs.remoteKeyShares); |
| 374 while (cur_p != &ss->ssl3.hs.remoteKeyShares) { |
| 375 TLS13KeyShareEntry *offer = (TLS13KeyShareEntry *)cur_p; |
| 376 |
| 377 if (offer->group == expectedGroup) { |
| 378 found = offer; |
| 379 break; |
| 380 } |
| 381 cur_p = PR_NEXT_LINK(cur_p); |
| 382 } |
| 383 |
| 384 if (!found) { |
| 385 /* No acceptable group. In future, we will need to correct the client. |
| 386 * Currently just generate an error. |
| 387 * TODO(ekr@rtfm.com): Write code to correct client. |
| 388 */ |
| 389 FATAL_ERROR(ss, SSL_ERROR_NO_CYPHER_OVERLAP, handshake_failure); |
| 390 return SECFailure; |
| 391 } |
| 392 |
| 393 /* Generate our key */ |
| 394 rv = ssl3_CreateECDHEphemeralKeyPair(expectedGroup, &ss->ephemeralECDHKeyPai
r); |
| 395 if (rv != SECSuccess) |
| 396 return rv; |
| 397 |
| 398 ss->sec.keaType = ss->ssl3.hs.kea_def->exchKeyType; |
| 399 ss->sec.keaKeyBits = SECKEY_PublicKeyStrengthInBits( |
| 400 ss->ephemeralECDHKeyPair->pubKey); |
| 401 |
| 402 /* Register the sender */ |
| 403 rv = ssl3_RegisterServerHelloExtensionSender(ss, ssl_tls13_key_share_xtn, |
| 404 tls13_ServerSendKeyShareXtn); |
| 405 if (rv != SECSuccess) |
| 406 return SECFailure; /* Error code set below */ |
| 407 |
| 408 rv = tls13_HandleECDHEKeyShare(ss, found, |
| 409 ss->ephemeralECDHKeyPair->privKey, |
| 410 EphemeralSharedSecret); |
| 411 if (rv != SECSuccess) |
| 412 return SECFailure; /* Error code set below */ |
| 413 |
| 414 return SECSuccess; |
| 415 } |
| 416 |
| 417 /* |
| 418 * [draft-ietf-tls-tls13-11] Section 6.3.3.2 |
| 419 * |
| 420 * opaque DistinguishedName<1..2^16-1>; |
| 421 * |
| 422 * struct { |
| 423 * opaque certificate_extension_oid<1..2^8-1>; |
| 424 * opaque certificate_extension_values<0..2^16-1>; |
| 425 * } CertificateExtension; |
| 426 * |
| 427 * struct { |
| 428 * opaque certificate_request_context<0..2^8-1>; |
| 429 * SignatureAndHashAlgorithm |
| 430 * supported_signature_algorithms<2..2^16-2>; |
| 431 * DistinguishedName certificate_authorities<0..2^16-1>; |
| 432 * CertificateExtension certificate_extensions<0..2^16-1>; |
| 433 * } CertificateRequest; |
| 434 */ |
| 435 static SECStatus |
| 436 tls13_SendCertificateRequest(sslSocket *ss) |
| 437 { |
| 438 SECStatus rv; |
| 439 int calen; |
| 440 SECItem *names; |
| 441 int nnames; |
| 442 SECItem *name; |
| 443 int i; |
| 444 PRUint8 sigAlgs[MAX_SIGNATURE_ALGORITHMS * 2]; |
| 445 unsigned int sigAlgsLength = 0; |
| 446 int length; |
| 447 |
| 448 SSL_TRC(3, ("%d: TLS13[%d]: begin send certificate_request", |
| 449 SSL_GETPID(), ss->fd)); |
| 450 |
| 451 /* Fixed context value. */ |
| 452 ss->ssl3.hs.certReqContext[0] = 0; |
| 453 ss->ssl3.hs.certReqContextLen = 1; |
| 454 |
| 455 rv = ssl3_EncodeCertificateRequestSigAlgs(ss, sigAlgs, sizeof(sigAlgs), |
| 456 &sigAlgsLength); |
| 457 if (rv != SECSuccess) { |
| 458 return rv; |
| 459 } |
| 460 |
| 461 ssl3_GetCertificateRequestCAs(ss, &calen, &names, &nnames); |
| 462 length = 1 + ss->ssl3.hs.certReqContextLen + |
| 463 2 + sigAlgsLength + 2 + calen + 2; |
| 464 |
| 465 rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length); |
| 466 if (rv != SECSuccess) { |
| 467 return rv; /* err set by AppendHandshake. */ |
| 468 } |
| 469 rv = ssl3_AppendHandshakeVariable(ss, ss->ssl3.hs.certReqContext, |
| 470 ss->ssl3.hs.certReqContextLen, 1); |
| 471 if (rv != SECSuccess) { |
| 472 return rv; /* err set by AppendHandshake. */ |
| 473 } |
| 474 rv = ssl3_AppendHandshakeVariable(ss, sigAlgs, sigAlgsLength, 2); |
| 475 if (rv != SECSuccess) { |
| 476 return rv; /* err set by AppendHandshake. */ |
| 477 } |
| 478 rv = ssl3_AppendHandshakeNumber(ss, calen, 2); |
| 479 if (rv != SECSuccess) { |
| 480 return rv; /* err set by AppendHandshake. */ |
| 481 } |
| 482 for (i = 0, name = names; i < nnames; i++, name++) { |
| 483 rv = ssl3_AppendHandshakeVariable(ss, name->data, name->len, 2); |
| 484 if (rv != SECSuccess) { |
| 485 return rv; /* err set by AppendHandshake. */ |
| 486 } |
| 487 } |
| 488 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); |
| 489 if (rv != SECSuccess) { |
| 490 return rv; /* err set by AppendHandshake. */ |
| 491 } |
| 492 |
| 493 return SECSuccess; |
| 494 } |
| 495 |
| 496 static SECStatus |
| 497 tls13_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
| 498 { |
| 499 SECStatus rv; |
| 500 SECItem context = { siBuffer, NULL, 0 }; |
| 501 SECItem algorithms = { siBuffer, NULL, 0 }; |
| 502 PLArenaPool *arena; |
| 503 CERTDistNames ca_list; |
| 504 PRInt32 extensionsLength; |
| 505 |
| 506 SSL_TRC(3, ("%d: TLS13[%d]: handle certificate_request sequence", |
| 507 SSL_GETPID(), ss->fd)); |
| 508 |
| 509 PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
| 510 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 511 |
| 512 /* Client */ |
| 513 rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST, wait_cer
t_request); |
| 514 if (rv != SECSuccess) { |
| 515 return SECFailure; |
| 516 } |
| 517 |
| 518 PORT_Assert(ss->ssl3.clientCertChain == NULL); |
| 519 PORT_Assert(ss->ssl3.clientCertificate == NULL); |
| 520 PORT_Assert(ss->ssl3.clientPrivateKey == NULL); |
| 521 |
| 522 rv = ssl3_ConsumeHandshakeVariable(ss, &context, 1, &b, &length); |
| 523 if (rv != SECSuccess) |
| 524 return SECFailure; |
| 525 PORT_Assert(sizeof(ss->ssl3.hs.certReqContext) == 255); |
| 526 PORT_Memcpy(ss->ssl3.hs.certReqContext, context.data, context.len); |
| 527 ss->ssl3.hs.certReqContextLen = context.len; |
| 528 |
| 529 rv = ssl3_ConsumeHandshakeVariable(ss, &algorithms, 2, &b, &length); |
| 530 if (rv != SECSuccess) |
| 531 return SECFailure; |
| 532 |
| 533 if (algorithms.len == 0 || (algorithms.len & 1) != 0) { |
| 534 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERT_REQUEST, |
| 535 illegal_parameter); |
| 536 return SECFailure; |
| 537 } |
| 538 |
| 539 arena = ca_list.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
| 540 if (!arena) { |
| 541 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
| 542 return SECFailure; |
| 543 } |
| 544 |
| 545 rv = ssl3_ParseCertificateRequestCAs(ss, &b, &length, arena, &ca_list); |
| 546 if (rv != SECSuccess) |
| 547 goto loser; /* alert sent below */ |
| 548 |
| 549 /* Verify that the extensions length is correct. */ |
| 550 extensionsLength = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); |
| 551 if (extensionsLength < 0) { |
| 552 goto loser; /* alert sent below */ |
| 553 } |
| 554 if (extensionsLength != length) { |
| 555 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERT_REQUEST, |
| 556 illegal_parameter); |
| 557 goto loser; |
| 558 } |
| 559 |
| 560 TLS13_SET_HS_STATE(ss, wait_server_cert); |
| 561 |
| 562 rv = ssl3_CompleteHandleCertificateRequest(ss, &algorithms, &ca_list); |
| 563 if (rv != SECSuccess) { |
| 564 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
| 565 goto loser; |
| 566 } |
| 567 |
| 568 return SECSuccess; |
| 569 |
| 570 loser: |
| 571 PORT_FreeArena(arena, PR_FALSE); |
| 572 return SECFailure; |
| 573 } |
| 574 |
| 575 static SECStatus |
| 576 tls13_InitializeHandshakeEncryption(sslSocket *ss) |
| 577 { |
| 578 SECStatus rv; |
| 579 |
| 580 /* For all present cipher suites, SS = ES. |
| 581 * TODO(ekr@rtfm.com): Revisit for 0-RTT. */ |
| 582 ss->ssl3.hs.xSS = PK11_ReferenceSymKey(ss->ssl3.hs.xES); |
| 583 if (!ss->ssl3.hs.xSS) { |
| 584 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
| 585 return SECFailure; |
| 586 } |
| 587 |
| 588 rv = tls13_InitCipherSpec(ss, TrafficKeyHandshake, |
| 589 InstallCipherSpecBoth); |
| 590 if (rv != SECSuccess) { |
| 591 FATAL_ERROR(ss, SSL_ERROR_INIT_CIPHER_SUITE_FAILURE, internal_error); |
| 592 return SECFailure; |
| 593 } |
| 594 |
| 595 return rv; |
| 596 } |
| 597 |
| 598 /* Called from: ssl3_HandleClientHello */ |
| 599 SECStatus |
| 600 tls13_SendServerHelloSequence(sslSocket *ss) |
| 601 { |
| 602 SECStatus rv; |
| 603 SSL3KEAType certIndex; |
| 604 |
| 605 SSL_TRC(3, ("%d: TLS13[%d]: begin send server_hello sequence", |
| 606 SSL_GETPID(), ss->fd)); |
| 607 |
| 608 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 609 PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
| 610 |
| 611 rv = ssl3_SendServerHello(ss); |
| 612 if (rv != SECSuccess) { |
| 613 return rv; /* err code is set. */ |
| 614 } |
| 615 |
| 616 rv = tls13_InitializeHandshakeEncryption(ss); |
| 617 if (rv != SECSuccess) { |
| 618 return SECFailure; /* error code is set. */ |
| 619 } |
| 620 |
| 621 rv = tls13_SendEncryptedExtensions(ss); |
| 622 if (rv != SECSuccess) { |
| 623 return SECFailure; /* error code is set. */ |
| 624 } |
| 625 |
| 626 if (ss->opt.requestCertificate) { |
| 627 rv = tls13_SendCertificateRequest(ss); |
| 628 if (rv != SECSuccess) { |
| 629 return SECFailure; /* error code is set. */ |
| 630 } |
| 631 } |
| 632 rv = ssl3_SendCertificate(ss); |
| 633 if (rv != SECSuccess) { |
| 634 return SECFailure; /* error code is set. */ |
| 635 } |
| 636 rv = ssl3_SendCertificateStatus(ss); |
| 637 if (rv != SECSuccess) { |
| 638 return SECFailure; /* error code is set. */ |
| 639 } |
| 640 |
| 641 /* This was copied from: ssl3_SendCertificate. |
| 642 * TODO(ekr@rtfm.com): Verify that this selection logic is correct. |
| 643 * Bug 1237514. |
| 644 */ |
| 645 if ((ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) || |
| 646 (ss->ssl3.hs.kea_def->kea == kea_dhe_rsa)) { |
| 647 certIndex = kt_rsa; |
| 648 } else { |
| 649 certIndex = ss->ssl3.hs.kea_def->exchKeyType; |
| 650 } |
| 651 rv = ssl3_SendCertificateVerify(ss, ss->serverCerts[certIndex].SERVERKEY); |
| 652 if (rv != SECSuccess) { |
| 653 return rv; /* err code is set. */ |
| 654 } |
| 655 |
| 656 /* Compute the rest of the secrets except for the resumption |
| 657 * and exporter secret. */ |
| 658 rv = tls13_ComputeSecrets1(ss); |
| 659 if (rv != SECSuccess) { |
| 660 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
| 661 return SECFailure; |
| 662 } |
| 663 |
| 664 rv = tls13_SendFinished(ss); |
| 665 if (rv != SECSuccess) { |
| 666 return rv; /* error code is set. */ |
| 667 } |
| 668 |
| 669 TLS13_SET_HS_STATE(ss, ss->opt.requestCertificate ? wait_client_cert |
| 670 : wait_finished); |
| 671 |
| 672 return SECSuccess; |
| 673 } |
| 674 |
| 675 /* |
| 676 * Called from ssl3_HandleServerHello. |
| 677 * |
| 678 * Caller must hold Handshake and RecvBuf locks. |
| 679 */ |
| 680 SECStatus |
| 681 tls13_HandleServerKeyShare(sslSocket *ss) |
| 682 { |
| 683 SECStatus rv; |
| 684 ECName expectedGroup; |
| 685 PRCList *cur_p; |
| 686 TLS13KeyShareEntry *entry; |
| 687 |
| 688 SSL_TRC(3, ("%d: TLS13[%d]: handle server_key_share handshake", |
| 689 SSL_GETPID(), ss->fd)); |
| 690 PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
| 691 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 692 |
| 693 switch (ss->ssl3.hs.kea_def->exchKeyType) { |
| 694 #ifndef NSS_DISABLE_ECC |
| 695 case ssl_kea_ecdh: |
| 696 expectedGroup = ssl3_PubKey2ECName(ss->ephemeralECDHKeyPair->pubKey)
; |
| 697 break; |
| 698 #endif /* NSS_DISABLE_ECC */ |
| 699 default: |
| 700 FATAL_ERROR(ss, SEC_ERROR_UNSUPPORTED_KEYALG, handshake_failure); |
| 701 return SECFailure; |
| 702 } |
| 703 |
| 704 /* This list should have one entry. */ |
| 705 cur_p = PR_NEXT_LINK(&ss->ssl3.hs.remoteKeyShares); |
| 706 if (!cur_p) { |
| 707 FATAL_ERROR(ss, SSL_ERROR_MISSING_KEY_SHARE, missing_extension); |
| 708 return SECFailure; |
| 709 } |
| 710 PORT_Assert(PR_NEXT_LINK(cur_p) == &ss->ssl3.hs.remoteKeyShares); |
| 711 |
| 712 entry = (TLS13KeyShareEntry *)cur_p; |
| 713 if (entry->group != expectedGroup) { |
| 714 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_KEY_SHARE, illegal_parameter); |
| 715 return SECFailure; |
| 716 } |
| 717 |
| 718 rv = tls13_HandleECDHEKeyShare(ss, entry, |
| 719 ss->ephemeralECDHKeyPair->privKey, |
| 720 EphemeralSharedSecret); |
| 721 |
| 722 ss->sec.keaType = ss->ssl3.hs.kea_def->exchKeyType; |
| 723 ss->sec.keaKeyBits = SECKEY_PublicKeyStrengthInBits( |
| 724 ss->ephemeralECDHKeyPair->pubKey); |
| 725 |
| 726 if (rv != SECSuccess) |
| 727 return SECFailure; /* Error code set below */ |
| 728 |
| 729 return tls13_InitializeHandshakeEncryption(ss); |
| 730 } |
| 731 |
| 732 /* Called from tls13_CompleteHandleHandshakeMessage() when it has deciphered a c
omplete |
| 733 * tls13 Certificate message. |
| 734 * Caller must hold Handshake and RecvBuf locks. |
| 735 */ |
| 736 static SECStatus |
| 737 tls13_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
| 738 { |
| 739 SECStatus rv; |
| 740 SECItem context = { siBuffer, NULL, 0 }; |
| 741 |
| 742 SSL_TRC(3, ("%d: TLS13[%d]: handle certificate handshake", |
| 743 SSL_GETPID(), ss->fd)); |
| 744 PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
| 745 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 746 |
| 747 if (ss->sec.isServer) { |
| 748 rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERTIFICATE, |
| 749 wait_client_cert); |
| 750 } else { |
| 751 rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERTIFICATE, |
| 752 wait_cert_request, wait_server_cert); |
| 753 } |
| 754 if (rv != SECSuccess) |
| 755 return SECFailure; |
| 756 |
| 757 /* Process the context string */ |
| 758 rv = ssl3_ConsumeHandshakeVariable(ss, &context, 1, &b, &length); |
| 759 if (rv != SECSuccess) |
| 760 return SECFailure; |
| 761 if (!ss->sec.isServer) { |
| 762 if (context.len) { |
| 763 /* The server's context string MUST be empty */ |
| 764 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE, |
| 765 illegal_parameter); |
| 766 return SECFailure; |
| 767 } |
| 768 } else { |
| 769 if (!context.len || context.len != ss->ssl3.hs.certReqContextLen || |
| 770 (NSS_SecureMemcmp(ss->ssl3.hs.certReqContext, |
| 771 context.data, context.len) != 0)) { |
| 772 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE, |
| 773 illegal_parameter); |
| 774 return SECFailure; |
| 775 } |
| 776 context.len = 0; /* Belt and suspenders. Zero out the context. */ |
| 777 } |
| 778 |
| 779 return ssl3_CompleteHandleCertificate(ss, b, length); |
| 780 } |
| 781 |
| 782 /* Called from tls13_CompleteHandleHandshakeMessage() when it has deciphered a c
omplete |
| 783 * ssl3 CertificateStatus message. |
| 784 * Caller must hold Handshake and RecvBuf locks. |
| 785 */ |
| 786 static SECStatus |
| 787 tls13_HandleCertificateStatus(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
| 788 { |
| 789 SECStatus rv; |
| 790 |
| 791 rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERT_STATUS, |
| 792 wait_certificate_status); |
| 793 if (rv != SECSuccess) |
| 794 return rv; |
| 795 |
| 796 return ssl3_CompleteHandleCertificateStatus(ss, b, length); |
| 797 } |
| 798 |
| 799 /* |
| 800 * TODO(ekr@rtfm.com): This install logic needs renaming since it's |
| 801 * what happens at various stages of cipher spec setup. Legacy from ssl3con.c. |
| 802 */ |
| 803 int |
| 804 tls13_InstallCipherSpec(sslSocket *ss, InstallCipherSpecDirection direction) |
| 805 { |
| 806 SSL_TRC(3, ("%d: TLS13[%d]: Installing new cipher specs direction = %s", |
| 807 SSL_GETPID(), ss->fd, |
| 808 direction == InstallCipherSpecRead ? "read" : "write")); |
| 809 |
| 810 PORT_Assert(!IS_DTLS(ss)); /* TODO(ekr@rtfm.com): Update for DTLS */ |
| 811 /* TODO(ekr@rtfm.com): Holddown timer for DTLS. */ |
| 812 ssl_GetSpecWriteLock(ss); /**************************************/ |
| 813 |
| 814 /* Flush out any old stuff in the handshake buffers */ |
| 815 switch (direction) { |
| 816 case InstallCipherSpecWrite: { |
| 817 ssl3CipherSpec *pwSpec; |
| 818 pwSpec = ss->ssl3.pwSpec; |
| 819 |
| 820 ss->ssl3.pwSpec = ss->ssl3.cwSpec; |
| 821 ss->ssl3.cwSpec = pwSpec; |
| 822 break; |
| 823 } break; |
| 824 case InstallCipherSpecRead: { |
| 825 ssl3CipherSpec *prSpec; |
| 826 |
| 827 prSpec = ss->ssl3.prSpec; |
| 828 ss->ssl3.prSpec = ss->ssl3.crSpec; |
| 829 ss->ssl3.crSpec = prSpec; |
| 830 } break; |
| 831 default: |
| 832 PORT_Assert(0); |
| 833 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 834 ssl_ReleaseSpecWriteLock(ss); /*************************************
*/ |
| 835 return SECFailure; |
| 836 } |
| 837 |
| 838 /* If we are really through with the old cipher prSpec |
| 839 * (Both the read and write sides have changed) destroy it. |
| 840 */ |
| 841 if (ss->ssl3.prSpec == ss->ssl3.pwSpec) { |
| 842 ssl3_DestroyCipherSpec(ss->ssl3.prSpec, PR_FALSE /*freeSrvName*/); |
| 843 } |
| 844 ssl_ReleaseSpecWriteLock(ss); /**************************************/ |
| 845 |
| 846 return SECSuccess; |
| 847 } |
| 848 |
| 849 /* Add context to the hash functions as described in |
| 850 [draft-ietf-tls-tls13; Section 4.9.1] */ |
| 851 SECStatus |
| 852 tls13_AddContextToHashes(sslSocket *ss, SSL3Hashes *hashes /* IN/OUT */, |
| 853 SSLHashType algorithm, PRBool sending) |
| 854 { |
| 855 SECStatus rv = SECSuccess; |
| 856 PK11Context *ctx; |
| 857 const unsigned char context_padding[] = { |
| 858 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, |
| 859 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, |
| 860 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, |
| 861 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, |
| 862 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, |
| 863 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, |
| 864 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, |
| 865 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, |
| 866 }; |
| 867 const char *client_cert_verify_string = "TLS 1.3, client CertificateVerify"; |
| 868 const char *server_cert_verify_string = "TLS 1.3, server CertificateVerify"; |
| 869 const char *context_string = (sending ^ ss->sec.isServer) ? client_cert_veri
fy_string |
| 870 : server_cert_veri
fy_string; |
| 871 unsigned int hashlength; |
| 872 |
| 873 /* Double check that we are doing SHA-256 for the handshake hash.*/ |
| 874 PORT_Assert(hashes->hashAlg == ssl_hash_sha256); |
| 875 if (hashes->hashAlg != ssl_hash_sha256) { |
| 876 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 877 goto loser; |
| 878 } |
| 879 PORT_Assert(hashes->len == 32); |
| 880 |
| 881 ctx = PK11_CreateDigestContext(ssl3_TLSHashAlgorithmToOID(algorithm)); |
| 882 if (!ctx) { |
| 883 PORT_SetError(SEC_ERROR_NO_MEMORY); |
| 884 goto loser; |
| 885 } |
| 886 |
| 887 PORT_Assert(SECFailure); |
| 888 PORT_Assert(!SECSuccess); |
| 889 |
| 890 rv |= PK11_DigestBegin(ctx); |
| 891 rv |= PK11_DigestOp(ctx, context_padding, sizeof(context_padding)); |
| 892 rv |= PK11_DigestOp(ctx, (unsigned char *)context_string, |
| 893 strlen(context_string) + 1); /* +1 includes the terminat
ing 0 */ |
| 894 rv |= PK11_DigestOp(ctx, hashes->u.raw, hashes->len); |
| 895 /* Update the hash in-place */ |
| 896 rv |= PK11_DigestFinal(ctx, hashes->u.raw, &hashlength, sizeof(hashes->u.raw
)); |
| 897 PK11_DestroyContext(ctx, PR_TRUE); |
| 898 PRINT_BUF(90, (NULL, "TLS 1.3 hash with context", hashes->u.raw, hashlength)
); |
| 899 |
| 900 hashes->len = hashlength; |
| 901 hashes->hashAlg = algorithm; |
| 902 |
| 903 if (rv) { |
| 904 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
| 905 goto loser; |
| 906 } |
| 907 return SECSuccess; |
| 908 |
| 909 loser: |
| 910 return SECFailure; |
| 911 } |
| 912 |
| 913 static SECStatus |
| 914 tls13_HkdfExtractSharedKey(sslSocket *ss, PK11SymKey *key, |
| 915 SharedSecretType keyType) |
| 916 { |
| 917 PK11SymKey **destp; |
| 918 |
| 919 switch (keyType) { |
| 920 case EphemeralSharedSecret: |
| 921 destp = &ss->ssl3.hs.xES; |
| 922 break; |
| 923 case StaticSharedSecret: |
| 924 destp = &ss->ssl3.hs.xSS; |
| 925 break; |
| 926 default: |
| 927 PORT_Assert(0); |
| 928 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 929 return SECFailure; |
| 930 } |
| 931 |
| 932 PORT_Assert(!*destp); |
| 933 return tls13_HkdfExtract(NULL, key, tls13_GetHash(ss), destp); |
| 934 } |
| 935 |
| 936 static SECStatus |
| 937 tls13_DeriveTrafficKeys(sslSocket *ss, ssl3CipherSpec *pwSpec, |
| 938 TrafficKeyType type) |
| 939 { |
| 940 size_t keySize = pwSpec->cipher_def->key_size; |
| 941 size_t ivSize = pwSpec->cipher_def->iv_size + |
| 942 pwSpec->cipher_def->explicit_nonce_size; /* This isn't alway
s going to |
| 943 * work, but it doe
s for |
| 944 * AES-GCM */ |
| 945 CK_MECHANISM_TYPE bulkAlgorithm = ssl3_Alg2Mech(pwSpec->cipher_def->calg); |
| 946 SSL3Hashes hashes; |
| 947 PK11SymKey *prk = NULL; |
| 948 const char *phase; |
| 949 char label[256]; /* Arbitrary buffer large enough to hold the label */ |
| 950 SECStatus rv; |
| 951 |
| 952 #define FORMAT_LABEL(phase_, purpose_)
\ |
| 953 do {
\ |
| 954 PRUint32 n = PR_snprintf(label, sizeof(label), "%s, %s", phase_, purpose
_); \ |
| 955 /* Check for getting close. */
\ |
| 956 if ((n + 1) >= sizeof(label)) {
\ |
| 957 PORT_Assert(0);
\ |
| 958 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
\ |
| 959 goto loser;
\ |
| 960 }
\ |
| 961 } while (0) |
| 962 #define EXPAND_TRAFFIC_KEY(purpose_, target_) \ |
| 963 do { \ |
| 964 FORMAT_LABEL(phase, purpose_); \ |
| 965 rv = tls13_HkdfExpandLabel(prk, tls13_GetHash(ss), \ |
| 966 hashes.u.raw, hashes.len, \ |
| 967 label, strlen(label), \ |
| 968 bulkAlgorithm, keySize, &pwSpec->target_); \ |
| 969 if (rv != SECSuccess) { \ |
| 970 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); \ |
| 971 PORT_Assert(0); \ |
| 972 goto loser; \ |
| 973 } \ |
| 974 } while (0) |
| 975 |
| 976 #define EXPAND_TRAFFIC_IV(purpose_, target_) \ |
| 977 do { \ |
| 978 FORMAT_LABEL(phase, purpose_); \ |
| 979 rv = tls13_HkdfExpandLabelRaw(prk, tls13_GetHash(ss), \ |
| 980 hashes.u.raw, hashes.len, \ |
| 981 label, strlen(label), \ |
| 982 pwSpec->target_, ivSize); \ |
| 983 if (rv != SECSuccess) { \ |
| 984 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); \ |
| 985 PORT_Assert(0); \ |
| 986 goto loser; \ |
| 987 } \ |
| 988 } while (0) |
| 989 |
| 990 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 991 PORT_Assert(ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); |
| 992 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); |
| 993 |
| 994 rv = ssl3_ComputeHandshakeHashes(ss, pwSpec, &hashes, 0); |
| 995 if (rv != SECSuccess) { |
| 996 PORT_Assert(0); /* Should never fail */ |
| 997 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); |
| 998 return SECFailure; |
| 999 } |
| 1000 PRINT_BUF(60, (ss, "Deriving traffic keys. Session hash=", hashes.u.raw, |
| 1001 hashes.len)); |
| 1002 |
| 1003 switch (type) { |
| 1004 case TrafficKeyHandshake: |
| 1005 phase = kHkdfPhaseHandshakeKeys; |
| 1006 prk = ss->ssl3.hs.xES; |
| 1007 break; |
| 1008 case TrafficKeyApplicationData: |
| 1009 phase = kHkdfPhaseApplicationDataKeys; |
| 1010 prk = ss->ssl3.hs.trafficSecret; |
| 1011 break; |
| 1012 default: |
| 1013 PORT_Assert(0); |
| 1014 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 1015 return SECFailure; |
| 1016 } |
| 1017 PORT_Assert(prk != NULL); |
| 1018 |
| 1019 SSL_TRC(3, ("%d: TLS13[%d]: deriving traffic keys phase='%s'", |
| 1020 SSL_GETPID(), ss->fd, phase)); |
| 1021 |
| 1022 EXPAND_TRAFFIC_KEY(kHkdfPurposeClientWriteKey, client.write_key); |
| 1023 EXPAND_TRAFFIC_KEY(kHkdfPurposeServerWriteKey, server.write_key); |
| 1024 EXPAND_TRAFFIC_IV(kHkdfPurposeClientWriteIv, client.write_iv); |
| 1025 EXPAND_TRAFFIC_IV(kHkdfPurposeServerWriteIv, server.write_iv); |
| 1026 |
| 1027 return SECSuccess; |
| 1028 |
| 1029 loser: |
| 1030 return SECFailure; |
| 1031 } |
| 1032 |
| 1033 /* Set up a cipher spec with keys. If install is nonzero, then also install |
| 1034 * it as the current cipher spec for each value in the mask. */ |
| 1035 SECStatus |
| 1036 tls13_InitCipherSpec(sslSocket *ss, TrafficKeyType type, InstallCipherSpecDirect
ion install) |
| 1037 { |
| 1038 ssl3CipherSpec *pwSpec; |
| 1039 ssl3CipherSpec *cwSpec; |
| 1040 SECStatus rv; |
| 1041 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 1042 |
| 1043 if (install == InstallCipherSpecWrite || |
| 1044 install == InstallCipherSpecBoth) { |
| 1045 ssl_GetXmitBufLock(ss); |
| 1046 |
| 1047 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER); |
| 1048 ssl_ReleaseXmitBufLock(ss); |
| 1049 if (rv != SECSuccess) { |
| 1050 goto loser; |
| 1051 } |
| 1052 } |
| 1053 |
| 1054 ssl_GetSpecWriteLock(ss); /**************************************/ |
| 1055 |
| 1056 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); |
| 1057 |
| 1058 pwSpec = ss->ssl3.pwSpec; |
| 1059 cwSpec = ss->ssl3.cwSpec; |
| 1060 |
| 1061 switch (pwSpec->cipher_def->calg) { |
| 1062 case calg_aes_gcm: |
| 1063 pwSpec->aead = tls13_AESGCM; |
| 1064 break; |
| 1065 default: |
| 1066 PORT_Assert(0); |
| 1067 goto loser; |
| 1068 break; |
| 1069 } |
| 1070 |
| 1071 /* Generic behaviors -- common to all crypto methods */ |
| 1072 if (!IS_DTLS(ss)) { |
| 1073 pwSpec->read_seq_num.high = pwSpec->write_seq_num.high = 0; |
| 1074 } else { |
| 1075 if (cwSpec->epoch == PR_UINT16_MAX) { |
| 1076 /* The problem here is that we have rehandshaked too many |
| 1077 * times (you are not allowed to wrap the epoch). The |
| 1078 * spec says you should be discarding the connection |
| 1079 * and start over, so not much we can do here. */ |
| 1080 rv = SECFailure; |
| 1081 goto loser; |
| 1082 } |
| 1083 /* The sequence number has the high 16 bits as the epoch. */ |
| 1084 pwSpec->epoch = cwSpec->epoch + 1; |
| 1085 pwSpec->read_seq_num.high = pwSpec->write_seq_num.high = |
| 1086 pwSpec->epoch << 16; |
| 1087 |
| 1088 dtls_InitRecvdRecords(&pwSpec->recvdRecords); |
| 1089 } |
| 1090 pwSpec->read_seq_num.low = pwSpec->write_seq_num.low = 0; |
| 1091 |
| 1092 rv = tls13_DeriveTrafficKeys(ss, pwSpec, type); |
| 1093 if (rv != SECSuccess) { |
| 1094 goto loser; |
| 1095 } |
| 1096 if (install == InstallCipherSpecWrite || |
| 1097 install == InstallCipherSpecBoth) { |
| 1098 rv = tls13_InstallCipherSpec(ss, InstallCipherSpecWrite); |
| 1099 if (rv != SECSuccess) { |
| 1100 goto loser; |
| 1101 } |
| 1102 } |
| 1103 if (install == InstallCipherSpecRead || |
| 1104 install == InstallCipherSpecBoth) { |
| 1105 rv = tls13_InstallCipherSpec(ss, InstallCipherSpecRead); |
| 1106 if (rv != SECSuccess) { |
| 1107 goto loser; |
| 1108 } |
| 1109 } |
| 1110 ssl_ReleaseSpecWriteLock(ss); /**************************************/ |
| 1111 |
| 1112 return SECSuccess; |
| 1113 |
| 1114 loser: |
| 1115 ssl_ReleaseSpecWriteLock(ss); /**************************************/ |
| 1116 PORT_SetError(SSL_ERROR_INIT_CIPHER_SUITE_FAILURE); |
| 1117 return SECFailure; |
| 1118 } |
| 1119 |
| 1120 static SECStatus |
| 1121 tls13_ComputeSecrets1(sslSocket *ss) |
| 1122 { |
| 1123 SECStatus rv; |
| 1124 PK11SymKey *mSS = NULL; |
| 1125 PK11SymKey *mES = NULL; |
| 1126 PK11SymKey *masterSecret = NULL; |
| 1127 SSL3Hashes hashes; |
| 1128 |
| 1129 rv = ssl3_SetupPendingCipherSpec(ss); |
| 1130 if (rv != SECSuccess) { |
| 1131 return rv; /* error code set below. */ |
| 1132 } |
| 1133 |
| 1134 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0); |
| 1135 if (rv != SECSuccess) { |
| 1136 PORT_Assert(0); /* Should never fail */ |
| 1137 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); |
| 1138 return SECFailure; |
| 1139 } |
| 1140 |
| 1141 PORT_Assert(ss->ssl3.hs.xSS); |
| 1142 PORT_Assert(ss->ssl3.hs.xES); |
| 1143 |
| 1144 rv = tls13_HkdfExpandLabel(ss->ssl3.hs.xSS, |
| 1145 tls13_GetHash(ss), |
| 1146 hashes.u.raw, hashes.len, |
| 1147 kHkdfLabelExpandedSs, |
| 1148 strlen(kHkdfLabelExpandedSs), |
| 1149 tls13_GetHkdfMechanism(ss), |
| 1150 hashes.len, &mSS); |
| 1151 if (rv != SECSuccess) { |
| 1152 goto loser; |
| 1153 } |
| 1154 |
| 1155 rv = tls13_HkdfExpandLabel(ss->ssl3.hs.xES, |
| 1156 tls13_GetHash(ss), |
| 1157 hashes.u.raw, hashes.len, |
| 1158 kHkdfLabelExpandedEs, |
| 1159 strlen(kHkdfLabelExpandedEs), |
| 1160 tls13_GetHkdfMechanism(ss), |
| 1161 hashes.len, &mES); |
| 1162 if (rv != SECSuccess) { |
| 1163 goto loser; |
| 1164 } |
| 1165 |
| 1166 rv = tls13_HkdfExtract(mSS, mES, |
| 1167 tls13_GetHash(ss), |
| 1168 &masterSecret); |
| 1169 |
| 1170 if (rv != SECSuccess) { |
| 1171 goto loser; |
| 1172 } |
| 1173 |
| 1174 rv = tls13_HkdfExpandLabel(masterSecret, |
| 1175 tls13_GetHash(ss), |
| 1176 hashes.u.raw, hashes.len, |
| 1177 kHkdfLabelTrafficSecret, |
| 1178 strlen(kHkdfLabelTrafficSecret), |
| 1179 tls13_GetHkdfMechanism(ss), |
| 1180 hashes.len, &ss->ssl3.hs.trafficSecret); |
| 1181 if (rv != SECSuccess) { |
| 1182 goto loser; |
| 1183 } |
| 1184 |
| 1185 rv = tls13_HkdfExpandLabel(masterSecret, |
| 1186 tls13_GetHash(ss), |
| 1187 NULL, 0, |
| 1188 kHkdfLabelClientFinishedSecret, |
| 1189 strlen(kHkdfLabelClientFinishedSecret), |
| 1190 tls13_GetHmacMechanism(ss), |
| 1191 hashes.len, &ss->ssl3.hs.clientFinishedSecret); |
| 1192 if (rv != SECSuccess) { |
| 1193 goto loser; |
| 1194 } |
| 1195 |
| 1196 rv = tls13_HkdfExpandLabel(masterSecret, |
| 1197 tls13_GetHash(ss), |
| 1198 NULL, 0, |
| 1199 kHkdfLabelServerFinishedSecret, |
| 1200 strlen(kHkdfLabelServerFinishedSecret), |
| 1201 tls13_GetHmacMechanism(ss), |
| 1202 hashes.len, &ss->ssl3.hs.serverFinishedSecret); |
| 1203 if (rv != SECSuccess) { |
| 1204 goto loser; |
| 1205 } |
| 1206 |
| 1207 loser: |
| 1208 PK11_FreeSymKey(ss->ssl3.hs.xSS); |
| 1209 ss->ssl3.hs.xSS = NULL; |
| 1210 PK11_FreeSymKey(ss->ssl3.hs.xES); |
| 1211 ss->ssl3.hs.xES = NULL; |
| 1212 |
| 1213 if (mSS) { |
| 1214 PK11_FreeSymKey(mSS); |
| 1215 } |
| 1216 if (mES) { |
| 1217 PK11_FreeSymKey(mES); |
| 1218 } |
| 1219 if (masterSecret) { |
| 1220 PK11_FreeSymKey(masterSecret); |
| 1221 } |
| 1222 |
| 1223 return rv; |
| 1224 } |
| 1225 |
| 1226 void |
| 1227 tls13_DestroyKeyShareEntry(TLS13KeyShareEntry *offer) |
| 1228 { |
| 1229 SECITEM_ZfreeItem(&offer->key_exchange, PR_FALSE); |
| 1230 PORT_ZFree(offer, sizeof(*offer)); |
| 1231 } |
| 1232 |
| 1233 void |
| 1234 tls13_DestroyKeyShares(PRCList *list) |
| 1235 { |
| 1236 PRCList *cur_p; |
| 1237 |
| 1238 while (!PR_CLIST_IS_EMPTY(list)) { |
| 1239 cur_p = PR_LIST_TAIL(list); |
| 1240 PR_REMOVE_LINK(cur_p); |
| 1241 tls13_DestroyKeyShareEntry((TLS13KeyShareEntry *)cur_p); |
| 1242 } |
| 1243 } |
| 1244 |
| 1245 /* Implement the SSLAEADCipher interface defined in sslimpl.h. |
| 1246 * |
| 1247 * That interface mixes the AD and the sequence number, but in |
| 1248 * TLS 1.3 there is no additional data so this value is just the |
| 1249 * encoded sequence number and we call it |seqNumBuf|. |
| 1250 */ |
| 1251 static SECStatus |
| 1252 tls13_AESGCM(ssl3KeyMaterial *keys, |
| 1253 PRBool doDecrypt, |
| 1254 unsigned char *out, |
| 1255 int *outlen, |
| 1256 int maxout, |
| 1257 const unsigned char *in, |
| 1258 int inlen, |
| 1259 const unsigned char *seqNumBuf, |
| 1260 int seqNumLen) |
| 1261 { |
| 1262 SECItem param; |
| 1263 SECStatus rv = SECFailure; |
| 1264 unsigned char nonce[12]; |
| 1265 size_t i; |
| 1266 unsigned int uOutLen; |
| 1267 CK_GCM_PARAMS gcmParams; |
| 1268 static const int tagSize = 16; |
| 1269 |
| 1270 PORT_Assert(seqNumLen == 8); |
| 1271 |
| 1272 /* draft-ietf-tls-tls13 Section 5.2.2 specifies the following |
| 1273 * nonce algorithm: |
| 1274 * |
| 1275 * The length of the per-record nonce (iv_length) is set to max(8 bytes, |
| 1276 * N_MIN) for the AEAD algorithm (see [RFC5116] Section 4). An AEAD |
| 1277 * algorithm where N_MAX is less than 8 bytes MUST NOT be used with TLS. |
| 1278 * The per-record nonce for the AEAD construction is formed as follows: |
| 1279 * |
| 1280 * 1. The 64-bit record sequence number is padded to the left with |
| 1281 * zeroes to iv_length. |
| 1282 * |
| 1283 * 2. The padded sequence number is XORed with the static |
| 1284 * client_write_iv or server_write_iv, depending on the role. |
| 1285 * |
| 1286 * The resulting quantity (of length iv_length) is used as the per- |
| 1287 * record nonce. |
| 1288 * |
| 1289 * Per RFC 5288: N_MIN = N_MAX = 12 bytes. |
| 1290 * |
| 1291 */ |
| 1292 memcpy(nonce, keys->write_iv, sizeof(nonce)); |
| 1293 for (i = 0; i < 8; ++i) { |
| 1294 nonce[4 + i] ^= seqNumBuf[i]; |
| 1295 } |
| 1296 |
| 1297 param.type = siBuffer; |
| 1298 param.data = (unsigned char *)&gcmParams; |
| 1299 param.len = sizeof(gcmParams); |
| 1300 gcmParams.pIv = nonce; |
| 1301 gcmParams.ulIvLen = sizeof(nonce); |
| 1302 gcmParams.pAAD = NULL; |
| 1303 gcmParams.ulAADLen = 0; |
| 1304 gcmParams.ulTagBits = tagSize * 8; |
| 1305 |
| 1306 if (doDecrypt) { |
| 1307 rv = PK11_Decrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen, |
| 1308 maxout, in, inlen); |
| 1309 } else { |
| 1310 rv = PK11_Encrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen, |
| 1311 maxout, in, inlen); |
| 1312 } |
| 1313 *outlen = (int)uOutLen; |
| 1314 |
| 1315 return rv; |
| 1316 } |
| 1317 |
| 1318 static SECStatus |
| 1319 tls13_HandleEncryptedExtensions(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
| 1320 { |
| 1321 SECStatus rv; |
| 1322 PRInt32 innerLength; |
| 1323 |
| 1324 PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
| 1325 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 1326 |
| 1327 SSL_TRC(3, ("%d: TLS13[%d]: handle encrypted extensions", |
| 1328 SSL_GETPID(), ss->fd)); |
| 1329 |
| 1330 rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_ENCRYPTED_EXTENSIONS, |
| 1331 wait_encrypted_extensions); |
| 1332 if (rv != SECSuccess) { |
| 1333 return SECFailure; |
| 1334 } |
| 1335 |
| 1336 innerLength = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); |
| 1337 if (innerLength < 0) { |
| 1338 return SECFailure; /* Alert already sent. */ |
| 1339 } |
| 1340 if (innerLength != length) { |
| 1341 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS, |
| 1342 illegal_parameter); |
| 1343 return SECFailure; |
| 1344 } |
| 1345 |
| 1346 rv = ssl3_HandleHelloExtensions(ss, &b, &length, encrypted_extensions); |
| 1347 if (rv != SECSuccess) { |
| 1348 return SECFailure; /* Error code set below */ |
| 1349 } |
| 1350 |
| 1351 TLS13_SET_HS_STATE(ss, wait_cert_request); |
| 1352 return SECSuccess; |
| 1353 } |
| 1354 |
| 1355 static SECStatus |
| 1356 tls13_SendEncryptedExtensions(sslSocket *ss) |
| 1357 { |
| 1358 SECStatus rv; |
| 1359 PRInt32 extensions_len = 0; |
| 1360 PRInt32 sent_len = 0; |
| 1361 PRUint32 maxBytes = 65535; |
| 1362 |
| 1363 SSL_TRC(3, ("%d: TLS13[%d]: send encrypted extensions handshake", |
| 1364 SSL_GETPID(), ss->fd)); |
| 1365 |
| 1366 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 1367 PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
| 1368 |
| 1369 extensions_len = ssl3_CallHelloExtensionSenders( |
| 1370 ss, PR_FALSE, maxBytes, &ss->xtnData.encryptedExtensionsSenders[0]); |
| 1371 |
| 1372 rv = ssl3_AppendHandshakeHeader(ss, encrypted_extensions, |
| 1373 extensions_len + 2); |
| 1374 if (rv != SECSuccess) { |
| 1375 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
| 1376 return SECFailure; |
| 1377 } |
| 1378 rv = ssl3_AppendHandshakeNumber(ss, extensions_len, 2); |
| 1379 if (rv != SECSuccess) { |
| 1380 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
| 1381 return SECFailure; |
| 1382 } |
| 1383 sent_len = ssl3_CallHelloExtensionSenders( |
| 1384 ss, PR_TRUE, extensions_len, |
| 1385 &ss->xtnData.encryptedExtensionsSenders[0]); |
| 1386 PORT_Assert(sent_len == extensions_len); |
| 1387 if (sent_len != extensions_len) { |
| 1388 PORT_Assert(sent_len == 0); |
| 1389 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
| 1390 return SECFailure; |
| 1391 } |
| 1392 |
| 1393 return SECSuccess; |
| 1394 } |
| 1395 |
| 1396 /* Called from tls13_CompleteHandleHandshakeMessage() when it has deciphered a c
omplete |
| 1397 * tls13 CertificateVerify message |
| 1398 * Caller must hold Handshake and RecvBuf locks. |
| 1399 */ |
| 1400 SECStatus |
| 1401 tls13_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length, |
| 1402 SSL3Hashes *hashes) |
| 1403 { |
| 1404 SECItem signed_hash = { siBuffer, NULL, 0 }; |
| 1405 SECStatus rv; |
| 1406 SSLSignatureAndHashAlg sigAndHash; |
| 1407 |
| 1408 SSL_TRC(3, ("%d: TLS13[%d]: handle certificate_verify handshake", |
| 1409 SSL_GETPID(), ss->fd)); |
| 1410 PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
| 1411 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 1412 |
| 1413 rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY, |
| 1414 wait_cert_verify); |
| 1415 if (rv != SECSuccess) { |
| 1416 return SECFailure; |
| 1417 } |
| 1418 |
| 1419 if (!hashes) { |
| 1420 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
| 1421 return SECFailure; |
| 1422 } |
| 1423 |
| 1424 /* We only support CertificateVerify messages that use the handshake |
| 1425 * hash. |
| 1426 * TODO(ekr@rtfm.com): This should be easy to relax in TLS 1.3 by |
| 1427 * reading the client's hash algorithm first, but there may |
| 1428 * be subtleties so retain the restriction for now. |
| 1429 */ |
| 1430 rv = tls13_AddContextToHashes(ss, hashes, hashes->hashAlg, PR_FALSE); |
| 1431 if (rv != SECSuccess) { |
| 1432 FATAL_ERROR(ss, SSL_ERROR_DIGEST_FAILURE, internal_error); |
| 1433 return SECFailure; |
| 1434 } |
| 1435 |
| 1436 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, |
| 1437 &sigAndHash); |
| 1438 if (rv != SECSuccess) { |
| 1439 PORT_SetError(SSL_ERROR_RX_MALFORMED_CERT_VERIFY); |
| 1440 return SECFailure; |
| 1441 } |
| 1442 |
| 1443 rv = ssl3_CheckSignatureAndHashAlgorithmConsistency( |
| 1444 ss, &sigAndHash, ss->sec.peerCert); |
| 1445 if (rv != SECSuccess) { |
| 1446 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERT_VERIFY, decrypt_error); |
| 1447 return SECFailure; |
| 1448 } |
| 1449 |
| 1450 /* We only support CertificateVerify messages that use the handshake |
| 1451 * hash. */ |
| 1452 if (sigAndHash.hashAlg != hashes->hashAlg) { |
| 1453 FATAL_ERROR(ss, SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM, decrypt_error); |
| 1454 return SECFailure; |
| 1455 } |
| 1456 |
| 1457 rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length); |
| 1458 if (rv != SECSuccess) { |
| 1459 PORT_SetError(SSL_ERROR_RX_MALFORMED_CERT_VERIFY); |
| 1460 return SECFailure; |
| 1461 } |
| 1462 |
| 1463 if (length != 0) { |
| 1464 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERT_VERIFY, decode_error); |
| 1465 return SECFailure; |
| 1466 } |
| 1467 |
| 1468 rv = ssl3_VerifySignedHashes(hashes, ss->sec.peerCert, &signed_hash, |
| 1469 PR_TRUE, ss->pkcs11PinArg); |
| 1470 if (rv != SECSuccess) { |
| 1471 FATAL_ERROR(ss, PORT_GetError(), decrypt_error); |
| 1472 return SECFailure; |
| 1473 } |
| 1474 |
| 1475 if (!ss->sec.isServer) { |
| 1476 /* Compute the rest of the secrets except for the resumption |
| 1477 * and exporter secret. */ |
| 1478 rv = tls13_ComputeSecrets1(ss); |
| 1479 if (rv != SECSuccess) { |
| 1480 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
| 1481 return SECFailure; |
| 1482 } |
| 1483 } |
| 1484 TLS13_SET_HS_STATE(ss, wait_finished); |
| 1485 |
| 1486 return SECSuccess; |
| 1487 } |
| 1488 |
| 1489 static SECStatus |
| 1490 tls13_ComputeFinished(sslSocket *ss, const SSL3Hashes *hashes, PRBool sending, |
| 1491 PRUint8 *output, unsigned int *outputLen, unsigned int max
OutputLen) |
| 1492 { |
| 1493 SECStatus rv; |
| 1494 PK11Context *hmacCtx = NULL; |
| 1495 CK_MECHANISM_TYPE macAlg = tls13_GetHmacMechanism(ss); |
| 1496 SECItem param = { siBuffer, NULL, 0 }; |
| 1497 unsigned int outputLenUint; |
| 1498 PK11SymKey *secret = (ss->sec.isServer ^ sending) ? ss->ssl3.hs.clientFinish
edSecret |
| 1499 : ss->ssl3.hs.serverFinish
edSecret; |
| 1500 |
| 1501 PORT_Assert(secret); |
| 1502 PRINT_BUF(90, (NULL, "Handshake hash", hashes->u.raw, hashes->len)); |
| 1503 |
| 1504 hmacCtx = PK11_CreateContextBySymKey(macAlg, CKA_SIGN, |
| 1505 secret, ¶m); |
| 1506 if (!hmacCtx) { |
| 1507 goto abort; |
| 1508 } |
| 1509 |
| 1510 rv = PK11_DigestBegin(hmacCtx); |
| 1511 if (rv != SECSuccess) |
| 1512 goto abort; |
| 1513 |
| 1514 rv = PK11_DigestOp(hmacCtx, hashes->u.raw, hashes->len); |
| 1515 if (rv != SECSuccess) |
| 1516 goto abort; |
| 1517 |
| 1518 PORT_Assert(maxOutputLen >= hashes->len); |
| 1519 rv = PK11_DigestFinal(hmacCtx, output, &outputLenUint, maxOutputLen); |
| 1520 if (rv != SECSuccess) |
| 1521 goto abort; |
| 1522 *outputLen = outputLenUint; |
| 1523 |
| 1524 PK11_DestroyContext(hmacCtx, PR_TRUE); |
| 1525 return SECSuccess; |
| 1526 |
| 1527 abort: |
| 1528 if (hmacCtx) { |
| 1529 PK11_DestroyContext(hmacCtx, PR_TRUE); |
| 1530 } |
| 1531 |
| 1532 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 1533 return SECFailure; |
| 1534 } |
| 1535 |
| 1536 static SECStatus |
| 1537 tls13_SendFinished(sslSocket *ss) |
| 1538 { |
| 1539 SECStatus rv; |
| 1540 PRUint8 finishedBuf[MAX_FINISHED_SIZE]; |
| 1541 unsigned int finishedLen; |
| 1542 SSL3Hashes hashes; |
| 1543 int errCode; |
| 1544 |
| 1545 SSL_TRC(3, ("%d: TLS13[%d]: send finished handshake", SSL_GETPID(), ss->fd))
; |
| 1546 |
| 1547 PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
| 1548 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 1549 |
| 1550 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.cwSpec, &hashes, 0); |
| 1551 if (rv != SECSuccess) { |
| 1552 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
| 1553 return SECFailure; |
| 1554 } |
| 1555 |
| 1556 ssl_GetSpecReadLock(ss); |
| 1557 rv = tls13_ComputeFinished(ss, &hashes, PR_TRUE, |
| 1558 finishedBuf, &finishedLen, sizeof(finishedBuf)); |
| 1559 ssl_ReleaseSpecReadLock(ss); |
| 1560 if (rv != SECSuccess) { |
| 1561 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
| 1562 return SECFailure; |
| 1563 } |
| 1564 |
| 1565 rv = ssl3_AppendHandshakeHeader(ss, finished, finishedLen); |
| 1566 if (rv != SECSuccess) { |
| 1567 errCode = PR_GetError(); |
| 1568 goto alert_loser; |
| 1569 } |
| 1570 |
| 1571 rv = ssl3_AppendHandshake(ss, finishedBuf, finishedLen); |
| 1572 if (rv != SECSuccess) { |
| 1573 errCode = PR_GetError(); |
| 1574 goto alert_loser; |
| 1575 } |
| 1576 |
| 1577 rv = ssl3_FlushHandshake(ss, 0); |
| 1578 if (rv != SECSuccess) { |
| 1579 errCode = PR_GetError(); |
| 1580 goto alert_loser; |
| 1581 } |
| 1582 |
| 1583 if (ss->sec.isServer) { |
| 1584 rv = tls13_InitCipherSpec(ss, TrafficKeyApplicationData, |
| 1585 InstallCipherSpecWrite); |
| 1586 } else { |
| 1587 rv = tls13_InstallCipherSpec(ss, InstallCipherSpecWrite); |
| 1588 } |
| 1589 if (rv != SECSuccess) { |
| 1590 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 1591 return SECFailure; |
| 1592 } |
| 1593 |
| 1594 /* TODO(ekr@rtfm.com): Record key log */ |
| 1595 return SECSuccess; |
| 1596 |
| 1597 alert_loser: |
| 1598 (void)SSL3_SendAlert(ss, alert_fatal, internal_error); |
| 1599 PORT_SetError(errCode); /* Restore error code */ |
| 1600 return rv; |
| 1601 } |
| 1602 |
| 1603 static SECStatus |
| 1604 tls13_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length, |
| 1605 const SSL3Hashes *hashes) |
| 1606 { |
| 1607 SECStatus rv; |
| 1608 PRUint8 finishedBuf[MAX_FINISHED_SIZE]; |
| 1609 unsigned int finishedLen; |
| 1610 |
| 1611 PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
| 1612 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 1613 |
| 1614 SSL_TRC(3, ("%d: TLS13[%d]: handle finished handshake", |
| 1615 SSL_GETPID(), ss->fd)); |
| 1616 |
| 1617 rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_FINISHED, wait_finishe
d); |
| 1618 if (rv != SECSuccess) { |
| 1619 return SECFailure; |
| 1620 } |
| 1621 if (!hashes) { |
| 1622 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
| 1623 return SECFailure; |
| 1624 } |
| 1625 |
| 1626 ssl_GetSpecReadLock(ss); |
| 1627 rv = tls13_ComputeFinished(ss, hashes, PR_FALSE, |
| 1628 finishedBuf, &finishedLen, sizeof(finishedBuf)); |
| 1629 ssl_ReleaseSpecReadLock(ss); |
| 1630 if (rv != SECSuccess) { |
| 1631 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
| 1632 return SECFailure; |
| 1633 } |
| 1634 |
| 1635 if (length != finishedLen) { |
| 1636 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_FINISHED, decode_error); |
| 1637 return SECFailure; |
| 1638 } |
| 1639 |
| 1640 if (NSS_SecureMemcmp(b, finishedBuf, finishedLen) != 0) { |
| 1641 FATAL_ERROR(ss, SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE, |
| 1642 decrypt_error); |
| 1643 return SECFailure; |
| 1644 } |
| 1645 |
| 1646 /* Server is now finished. |
| 1647 * Client sends second flight |
| 1648 */ |
| 1649 /* TODO(ekr@rtfm.com): Send NewSession Ticket if server. */ |
| 1650 if (ss->sec.isServer) { |
| 1651 rv = tls13_InstallCipherSpec(ss, InstallCipherSpecRead); |
| 1652 if (rv != SECSuccess) { |
| 1653 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
| 1654 return SECFailure; |
| 1655 } |
| 1656 |
| 1657 rv = tls13_FinishHandshake(ss); |
| 1658 } else { |
| 1659 if (ss->ssl3.hs.authCertificatePending) { |
| 1660 /* TODO(ekr@rtfm.com): Handle pending auth */ |
| 1661 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
| 1662 PORT_Assert(0); |
| 1663 return SECFailure; |
| 1664 } |
| 1665 rv = tls13_InitCipherSpec(ss, TrafficKeyApplicationData, |
| 1666 InstallCipherSpecRead); |
| 1667 if (rv != SECSuccess) { |
| 1668 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); |
| 1669 return SECFailure; |
| 1670 } |
| 1671 |
| 1672 rv = tls13_SendClientSecondRound(ss); |
| 1673 if (rv != SECSuccess) |
| 1674 return SECFailure; /* Error code and alerts handled below */ |
| 1675 } |
| 1676 |
| 1677 return rv; |
| 1678 } |
| 1679 |
| 1680 static SECStatus |
| 1681 tls13_FinishHandshake(sslSocket *ss) |
| 1682 { |
| 1683 PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
| 1684 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 1685 PORT_Assert(ss->ssl3.hs.restartTarget == NULL); |
| 1686 |
| 1687 /* The first handshake is now completed. */ |
| 1688 ss->handshake = NULL; |
| 1689 |
| 1690 TLS13_SET_HS_STATE(ss, idle_handshake); |
| 1691 |
| 1692 ssl_FinishHandshake(ss); |
| 1693 |
| 1694 return SECSuccess; |
| 1695 } |
| 1696 |
| 1697 static SECStatus |
| 1698 tls13_SendClientSecondRound(sslSocket *ss) |
| 1699 { |
| 1700 SECStatus rv; |
| 1701 PRBool sendClientCert; |
| 1702 |
| 1703 PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); |
| 1704 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 1705 |
| 1706 sendClientCert = !ss->ssl3.sendEmptyCert && |
| 1707 ss->ssl3.clientCertChain != NULL && |
| 1708 ss->ssl3.clientPrivateKey != NULL; |
| 1709 |
| 1710 /* Defer client authentication sending if we are still |
| 1711 * waiting for server authentication. See the long block |
| 1712 * comment in ssl3_SendClientSecondRound for more detail. |
| 1713 */ |
| 1714 if (ss->ssl3.hs.restartTarget) { |
| 1715 PR_NOT_REACHED("unexpected ss->ssl3.hs.restartTarget"); |
| 1716 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 1717 return SECFailure; |
| 1718 } |
| 1719 if (ss->ssl3.hs.authCertificatePending && (sendClientCert || |
| 1720 ss->ssl3.sendEmptyCert)) { |
| 1721 SSL_TRC(3, ("%d: TLS13[%p]: deferring ssl3_SendClientSecondRound because
" |
| 1722 " certificate authentication is still pending.", |
| 1723 SSL_GETPID(), ss->fd)); |
| 1724 ss->ssl3.hs.restartTarget = tls13_SendClientSecondRound; |
| 1725 return SECWouldBlock; |
| 1726 } |
| 1727 |
| 1728 ssl_GetXmitBufLock(ss); /*******************************/ |
| 1729 if (ss->ssl3.sendEmptyCert) { |
| 1730 ss->ssl3.sendEmptyCert = PR_FALSE; |
| 1731 rv = ssl3_SendEmptyCertificate(ss); |
| 1732 /* Don't send verify */ |
| 1733 if (rv != SECSuccess) { |
| 1734 goto loser; /* error code is set. */ |
| 1735 } |
| 1736 } else if (sendClientCert) { |
| 1737 rv = ssl3_SendCertificate(ss); |
| 1738 if (rv != SECSuccess) { |
| 1739 goto loser; /* error code is set. */ |
| 1740 } |
| 1741 } |
| 1742 |
| 1743 if (sendClientCert) { |
| 1744 rv = ssl3_SendCertificateVerify(ss, ss->ssl3.clientPrivateKey); |
| 1745 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
| 1746 ss->ssl3.clientPrivateKey = NULL; |
| 1747 if (rv != SECSuccess) { |
| 1748 goto loser; /* err is set. */ |
| 1749 } |
| 1750 } |
| 1751 |
| 1752 rv = tls13_SendFinished(ss); |
| 1753 if (rv != SECSuccess) { |
| 1754 goto loser; /* err code was set. */ |
| 1755 } |
| 1756 ssl_ReleaseXmitBufLock(ss); /*******************************/ |
| 1757 |
| 1758 /* The handshake is now finished */ |
| 1759 return tls13_FinishHandshake(ss); |
| 1760 |
| 1761 loser: |
| 1762 ssl_ReleaseXmitBufLock(ss); /*******************************/ |
| 1763 return SECFailure; |
| 1764 } |
| 1765 |
| 1766 static SECStatus |
| 1767 tls13_HandleNewSessionTicket(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
| 1768 { |
| 1769 SECStatus rv; |
| 1770 |
| 1771 rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET, |
| 1772 idle_handshake); |
| 1773 if (rv != SECSuccess) { |
| 1774 return SECFailure; |
| 1775 } |
| 1776 |
| 1777 UNIMPLEMENTED(); |
| 1778 |
| 1779 /* Ignore */ |
| 1780 return SECSuccess; |
| 1781 } |
| 1782 |
| 1783 typedef enum { |
| 1784 ExtensionNotUsed, |
| 1785 ExtensionClientOnly, |
| 1786 ExtensionSendClear, |
| 1787 ExtensionSendEncrypted, |
| 1788 } Tls13ExtensionStatus; |
| 1789 |
| 1790 static const struct { |
| 1791 SSLExtensionType ex_value; |
| 1792 Tls13ExtensionStatus status; |
| 1793 } KnownExtensions[] = { |
| 1794 { ssl_server_name_xtn, |
| 1795 ExtensionSendEncrypted }, |
| 1796 { |
| 1797 ssl_cert_status_xtn, |
| 1798 ExtensionNotUsed /* TODO(ekr@rtfm.com): Disabled because broken |
| 1799 in TLS 1.3. */ |
| 1800 /* ExtensionSendEncrypted */ |
| 1801 }, |
| 1802 { ssl_elliptic_curves_xtn, |
| 1803 ExtensionSendClear }, |
| 1804 { ssl_ec_point_formats_xtn, |
| 1805 ExtensionNotUsed }, |
| 1806 { ssl_signature_algorithms_xtn, |
| 1807 ExtensionClientOnly }, |
| 1808 { ssl_use_srtp_xtn, |
| 1809 ExtensionSendEncrypted }, |
| 1810 { ssl_app_layer_protocol_xtn, |
| 1811 ExtensionSendEncrypted }, |
| 1812 { ssl_padding_xtn, |
| 1813 ExtensionNotUsed }, |
| 1814 { ssl_extended_master_secret_xtn, |
| 1815 ExtensionNotUsed }, |
| 1816 { ssl_session_ticket_xtn, |
| 1817 ExtensionClientOnly }, |
| 1818 { ssl_tls13_key_share_xtn, |
| 1819 ExtensionSendClear }, |
| 1820 { ssl_next_proto_nego_xtn, |
| 1821 ExtensionNotUsed }, |
| 1822 { ssl_renegotiation_info_xtn, |
| 1823 ExtensionNotUsed }, |
| 1824 { ssl_tls13_draft_version_xtn, |
| 1825 ExtensionClientOnly } |
| 1826 }; |
| 1827 |
| 1828 PRBool |
| 1829 tls13_ExtensionAllowed(PRUint16 extension, SSL3HandshakeType message) |
| 1830 { |
| 1831 unsigned int i; |
| 1832 |
| 1833 PORT_Assert((message == client_hello) || |
| 1834 (message == server_hello) || |
| 1835 (message == encrypted_extensions)); |
| 1836 |
| 1837 for (i = 0; i < PR_ARRAY_SIZE(KnownExtensions); i++) { |
| 1838 if (KnownExtensions[i].ex_value == extension) |
| 1839 break; |
| 1840 } |
| 1841 if (i == PR_ARRAY_SIZE(KnownExtensions)) { |
| 1842 /* We have never heard of this extension which is OK on |
| 1843 * the server but not the client. */ |
| 1844 return message == client_hello; |
| 1845 } |
| 1846 |
| 1847 switch (KnownExtensions[i].status) { |
| 1848 case ExtensionNotUsed: |
| 1849 return PR_FALSE; |
| 1850 case ExtensionClientOnly: |
| 1851 return message == client_hello; |
| 1852 case ExtensionSendClear: |
| 1853 return message == client_hello || |
| 1854 message == server_hello; |
| 1855 case ExtensionSendEncrypted: |
| 1856 return message == client_hello || |
| 1857 message == encrypted_extensions; |
| 1858 } |
| 1859 |
| 1860 PORT_Assert(0); |
| 1861 |
| 1862 /* Not reached */ |
| 1863 return PR_TRUE; |
| 1864 } |
| 1865 |
| 1866 /* Helper function to encode a uint32 into a buffer */ |
| 1867 unsigned char * |
| 1868 tls13_EncodeUintX(PRUint32 value, unsigned int bytes, unsigned char *to) |
| 1869 { |
| 1870 PRUint32 encoded; |
| 1871 |
| 1872 PORT_Assert(bytes > 0 && bytes <= 4); |
| 1873 |
| 1874 encoded = PR_htonl(value); |
| 1875 memcpy(to, ((unsigned char *)(&encoded)) + (4 - bytes), bytes); |
| 1876 return to + bytes; |
| 1877 } |
| 1878 |
| 1879 /* TLS 1.3 doesn't actually have additional data but the aead function |
| 1880 * signature overloads additional data to carry the record sequence |
| 1881 * number and that's what we put here. The TLS 1.3 AEAD functions |
| 1882 * just use this input as the sequence number and not as additional |
| 1883 * data. */ |
| 1884 static void |
| 1885 tls13_FormatAdditionalData(unsigned char *aad, unsigned int length, |
| 1886 SSL3SequenceNumber seqNum) |
| 1887 { |
| 1888 unsigned char *ptr = aad; |
| 1889 |
| 1890 PORT_Assert(length == 8); |
| 1891 ptr = tls13_EncodeUintX(seqNum.high, 4, ptr); |
| 1892 ptr = tls13_EncodeUintX(seqNum.low, 4, ptr); |
| 1893 PORT_Assert((ptr - aad) == length); |
| 1894 } |
| 1895 |
| 1896 SECStatus |
| 1897 tls13_ProtectRecord(sslSocket *ss, |
| 1898 SSL3ContentType type, |
| 1899 const SSL3Opaque *pIn, |
| 1900 PRUint32 contentLen, |
| 1901 sslBuffer *wrBuf) |
| 1902 { |
| 1903 ssl3CipherSpec *cwSpec = ss->ssl3.cwSpec; |
| 1904 const ssl3BulkCipherDef *cipher_def = cwSpec->cipher_def; |
| 1905 SECStatus rv; |
| 1906 PRUint16 headerLen; |
| 1907 int cipherBytes = 0; |
| 1908 const int tagLen = cipher_def->tag_size; |
| 1909 |
| 1910 SSL_TRC(3, ("%d: TLS13[%d]: protect record of length %u, seq=0x%0x%0x", |
| 1911 SSL_GETPID(), ss->fd, contentLen, |
| 1912 cwSpec->write_seq_num.high, |
| 1913 cwSpec->write_seq_num.low)); |
| 1914 |
| 1915 headerLen = IS_DTLS(ss) ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LEN
GTH; |
| 1916 |
| 1917 if (headerLen + contentLen + 1 + tagLen > wrBuf->space) { |
| 1918 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 1919 return SECFailure; |
| 1920 } |
| 1921 |
| 1922 /* Copy the data into the wrBuf. We're going to encrypt in-place |
| 1923 * in the AEAD branch anyway */ |
| 1924 PORT_Memcpy(wrBuf->buf + headerLen, pIn, contentLen); |
| 1925 |
| 1926 if (cipher_def->calg == ssl_calg_null) { |
| 1927 /* Shortcut for plaintext */ |
| 1928 cipherBytes = contentLen; |
| 1929 } else { |
| 1930 unsigned char aad[8]; |
| 1931 PORT_Assert(cipher_def->type == type_aead); |
| 1932 |
| 1933 /* Add the content type at the end. */ |
| 1934 wrBuf->buf[headerLen + contentLen] = type; |
| 1935 |
| 1936 /* Stomp the content type to be application_data */ |
| 1937 type = content_application_data; |
| 1938 |
| 1939 tls13_FormatAdditionalData(aad, sizeof(aad), |
| 1940 cwSpec->write_seq_num); |
| 1941 cipherBytes = contentLen + 1; /* Room for the content type on the end. *
/ |
| 1942 rv = cwSpec->aead( |
| 1943 ss->sec.isServer ? &cwSpec->server : &cwSpec->client, |
| 1944 PR_FALSE, /* do encrypt */ |
| 1945 wrBuf->buf + headerLen, /* output */ |
| 1946 &cipherBytes, /* out len */ |
| 1947 wrBuf->space - headerLen, /* max out */ |
| 1948 wrBuf->buf + headerLen, contentLen + 1, /* input */ |
| 1949 aad, sizeof(aad)); |
| 1950 if (rv != SECSuccess) { |
| 1951 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
| 1952 return SECFailure; |
| 1953 } |
| 1954 } |
| 1955 |
| 1956 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 256); |
| 1957 |
| 1958 wrBuf->len = cipherBytes + headerLen; |
| 1959 wrBuf->buf[0] = type; |
| 1960 |
| 1961 if (IS_DTLS(ss)) { |
| 1962 (void)tls13_EncodeUintX(2, dtls_TLSVersionToDTLSVersion(kRecordVersion), |
| 1963 &wrBuf->buf[1]); |
| 1964 (void)tls13_EncodeUintX(cwSpec->write_seq_num.high, 4, &wrBuf->buf[3]); |
| 1965 (void)tls13_EncodeUintX(cwSpec->write_seq_num.low, 4, &wrBuf->buf[7]); |
| 1966 (void)tls13_EncodeUintX(cipherBytes, 2, &wrBuf->buf[11]); |
| 1967 } else { |
| 1968 (void)tls13_EncodeUintX(kRecordVersion, 2, &wrBuf->buf[1]); |
| 1969 (void)tls13_EncodeUintX(cipherBytes, 2, &wrBuf->buf[3]); |
| 1970 } |
| 1971 ssl3_BumpSequenceNumber(&cwSpec->write_seq_num); |
| 1972 |
| 1973 return SECSuccess; |
| 1974 } |
| 1975 |
| 1976 /* Unprotect a TLS 1.3 record and leave the result in plaintext. |
| 1977 * |
| 1978 * Called by ssl3_HandleRecord. Caller must hold the spec read lock. |
| 1979 * Therefore, we MUST not call SSL3_SendAlert(). |
| 1980 * |
| 1981 * If SECFailure is returned, we: |
| 1982 * 1. Set |*alert| to the alert to be sent. |
| 1983 * 2. Call PORT_SetError() witn an appropriate code. |
| 1984 */ |
| 1985 SECStatus |
| 1986 tls13_UnprotectRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *plaintext
, |
| 1987 SSL3AlertDescription *alert) |
| 1988 { |
| 1989 ssl3CipherSpec *crSpec = ss->ssl3.crSpec; |
| 1990 const ssl3BulkCipherDef *cipher_def = crSpec->cipher_def; |
| 1991 unsigned char aad[8]; |
| 1992 SECStatus rv; |
| 1993 |
| 1994 *alert = bad_record_mac; /* Default alert for most issues. */ |
| 1995 |
| 1996 SSL_TRC(3, ("%d: TLS13[%d]: unprotect record of length %u", |
| 1997 SSL_GETPID(), ss->fd, cText->buf->len)); |
| 1998 |
| 1999 /* We can perform this test in variable time because the record's total |
| 2000 * length and the ciphersuite are both public knowledge. */ |
| 2001 if (cText->buf->len < cipher_def->tag_size) { |
| 2002 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); |
| 2003 return SECFailure; |
| 2004 } |
| 2005 |
| 2006 /* Verify that the content type is right, even though we overwrite it. */ |
| 2007 if (cText->type != content_application_data) { |
| 2008 /* Do we need a better error here? */ |
| 2009 PORT_SetError(SSL_ERROR_BAD_MAC_READ); |
| 2010 return SECFailure; |
| 2011 } |
| 2012 |
| 2013 /* Check the version number in the record */ |
| 2014 if (cText->version != kRecordVersion) { |
| 2015 /* Do we need a better error here? */ |
| 2016 PORT_SetError(SSL_ERROR_BAD_MAC_READ); |
| 2017 return SECFailure; |
| 2018 } |
| 2019 |
| 2020 /* Decrypt */ |
| 2021 PORT_Assert(cipher_def->type == type_aead); |
| 2022 tls13_FormatAdditionalData(aad, sizeof(aad), |
| 2023 IS_DTLS(ss) ? cText->seq_num |
| 2024 : crSpec->read_seq_num); |
| 2025 rv = crSpec->aead( |
| 2026 ss->sec.isServer ? &crSpec->client : &crSpec->server, |
| 2027 PR_TRUE, /* do decrypt */ |
| 2028 plaintext->buf, /* out */ |
| 2029 (int *)&plaintext->len, /* outlen */ |
| 2030 plaintext->space, /* maxout */ |
| 2031 cText->buf->buf, /* in */ |
| 2032 cText->buf->len, /* inlen */ |
| 2033 aad, sizeof(aad)); |
| 2034 if (rv != SECSuccess) { |
| 2035 PORT_SetError(SSL_ERROR_BAD_MAC_READ); |
| 2036 return SECFailure; |
| 2037 } |
| 2038 |
| 2039 /* The record is right-padded with 0s, followed by the true |
| 2040 * content type, so read from the right until we receive a |
| 2041 * nonzero byte. */ |
| 2042 while (plaintext->len > 0 && !(plaintext->buf[plaintext->len - 1])) { |
| 2043 --plaintext->len; |
| 2044 } |
| 2045 |
| 2046 /* Bogus padding. */ |
| 2047 if (plaintext->len < 1) { |
| 2048 /* It's safe to report this specifically because it happened |
| 2049 * after the MAC has been verified. */ |
| 2050 PORT_SetError(SSL_ERROR_BAD_BLOCK_PADDING); |
| 2051 return SECFailure; |
| 2052 } |
| 2053 |
| 2054 /* Record the type. */ |
| 2055 cText->type = plaintext->buf[plaintext->len - 1]; |
| 2056 --plaintext->len; |
| 2057 |
| 2058 return SECSuccess; |
| 2059 } |
OLD | NEW |