OLD | NEW |
| (Empty) |
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ | |
2 /* | |
3 * TLS 1.3 Protocol | |
4 * | |
5 * This Source Code Form is subject to the terms of the Mozilla Public | |
6 * License, v. 2.0. If a copy of the MPL was not distributed with this | |
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | |
8 | |
9 #include "stdarg.h" | |
10 #include "cert.h" | |
11 #include "ssl.h" | |
12 #include "keyhi.h" | |
13 #include "pk11func.h" | |
14 #include "secitem.h" | |
15 #include "sslimpl.h" | |
16 #include "sslproto.h" | |
17 #include "sslerr.h" | |
18 #include "tls13hkdf.h" | |
19 #include "tls13con.h" | |
20 | |
21 typedef enum { | |
22 TrafficKeyEarlyData, | |
23 TrafficKeyHandshake, | |
24 TrafficKeyApplicationData | |
25 } TrafficKeyType; | |
26 | |
27 typedef enum { | |
28 InstallCipherSpecRead, | |
29 InstallCipherSpecWrite, | |
30 InstallCipherSpecBoth | |
31 } InstallCipherSpecDirection; | |
32 | |
33 #define MAX_FINISHED_SIZE 64 | |
34 | |
35 static SECStatus tls13_InitializeHandshakeEncryption(sslSocket *ss); | |
36 static SECStatus tls13_InstallCipherSpec( | |
37 sslSocket *ss, InstallCipherSpecDirection direction); | |
38 static SECStatus tls13_InitCipherSpec( | |
39 sslSocket *ss, TrafficKeyType type, InstallCipherSpecDirection install); | |
40 static SECStatus tls13_AESGCM( | |
41 ssl3KeyMaterial *keys, | |
42 PRBool doDecrypt, | |
43 unsigned char *out, int *outlen, int maxout, | |
44 const unsigned char *in, int inlen, | |
45 const unsigned char *additionalData, int additionalDataLen); | |
46 static SECStatus tls13_SendEncryptedExtensions(sslSocket *ss); | |
47 static SECStatus tls13_HandleEncryptedExtensions(sslSocket *ss, SSL3Opaque *b, | |
48 PRUint32 length); | |
49 static SECStatus tls13_HandleCertificate( | |
50 sslSocket *ss, SSL3Opaque *b, PRUint32 length); | |
51 static SECStatus tls13_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, | |
52 PRUint32 length); | |
53 static SECStatus tls13_HandleCertificateStatus(sslSocket *ss, SSL3Opaque *b, | |
54 PRUint32 length); | |
55 static SECStatus tls13_HandleCertificateVerify( | |
56 sslSocket *ss, SSL3Opaque *b, PRUint32 length, | |
57 SSL3Hashes *hashes); | |
58 static SECStatus tls13_HkdfExtractSharedKey(sslSocket *ss, PK11SymKey *key, | |
59 SharedSecretType keyType); | |
60 static SECStatus tls13_SendFinished(sslSocket *ss); | |
61 static SECStatus tls13_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 len
gth, | |
62 const SSL3Hashes *hashes); | |
63 static SECStatus tls13_HandleNewSessionTicket(sslSocket *ss, SSL3Opaque *b, | |
64 PRUint32 length); | |
65 static SECStatus tls13_ComputeSecrets1(sslSocket *ss); | |
66 static SECStatus tls13_ComputeFinished( | |
67 sslSocket *ss, const SSL3Hashes *hashes, | |
68 PRBool sending, | |
69 PRUint8 *output, unsigned int *outputLen, | |
70 unsigned int maxOutputLen); | |
71 static SECStatus tls13_SendClientSecondRound(sslSocket *ss); | |
72 static SECStatus tls13_FinishHandshake(sslSocket *ss); | |
73 | |
74 const char kHkdfLabelExpandedSs[] = "expanded static secret"; | |
75 const char kHkdfLabelExpandedEs[] = "expanded ephemeral secret"; | |
76 const char kHkdfLabelMasterSecret[] = "master secret"; | |
77 const char kHkdfLabelTrafficSecret[] = "traffic secret"; | |
78 const char kHkdfLabelClientFinishedSecret[] = "client finished"; | |
79 const char kHkdfLabelServerFinishedSecret[] = "server finished"; | |
80 const char kHkdfLabelResumptionMasterSecret[] = "resumption master secret"; | |
81 const char kHkdfLabelExporterMasterSecret[] = "exporter master secret"; | |
82 const char kHkdfPhaseEarlyHandshakeDataKeys[] = "early handshake key expansion"; | |
83 const char kHkdfPhaseEarlyApplicationDataKeys[] = "early application data key ex
pansion"; | |
84 const char kHkdfPhaseHandshakeKeys[] = "handshake key expansion"; | |
85 const char kHkdfPhaseApplicationDataKeys[] = "application data key expansion"; | |
86 const char kHkdfPurposeClientWriteKey[] = "client write key"; | |
87 const char kHkdfPurposeServerWriteKey[] = "server write key"; | |
88 const char kHkdfPurposeClientWriteIv[] = "client write iv"; | |
89 const char kHkdfPurposeServerWriteIv[] = "server write iv"; | |
90 const char kClientFinishedLabel[] = "client finished"; | |
91 const char kServerFinishedLabel[] = "server finished"; | |
92 | |
93 const SSL3ProtocolVersion kRecordVersion = 0x0301U; | |
94 | |
95 #define FATAL_ERROR(ss, prError, desc)
\ | |
96 do {
\ | |
97 SSL_TRC(3, ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)",
\ | |
98 SSL_GETPID(), ss->fd, prError, __func__, __FILE__, __LINE__)
); \ | |
99 tls13_FatalError(ss, prError, desc);
\ | |
100 } while (0) | |
101 | |
102 #define UNIMPLEMENTED() \ | |
103 do { \ | |
104 SSL_TRC(3, ("%d: TLS13[%d]: unimplemented feature in %s (%s:%d)", \ | |
105 SSL_GETPID(), ss->fd, __func__, __FILE__, __LINE__)); \ | |
106 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); \ | |
107 PORT_Assert(0); \ | |
108 return SECFailure; \ | |
109 } while (0) | |
110 | |
111 void | |
112 tls13_FatalError(sslSocket *ss, PRErrorCode prError, SSL3AlertDescription desc) | |
113 { | |
114 PORT_Assert(desc != internal_error); /* These should never happen */ | |
115 (void)SSL3_SendAlert(ss, alert_fatal, desc); | |
116 PORT_SetError(prError); | |
117 } | |
118 | |
119 #ifdef TRACE | |
120 #define STATE_CASE(a) \ | |
121 case a: \ | |
122 return #a | |
123 static char * | |
124 tls13_HandshakeState(SSL3WaitState st) | |
125 { | |
126 switch (st) { | |
127 STATE_CASE(wait_client_hello); | |
128 STATE_CASE(wait_client_cert); | |
129 STATE_CASE(wait_cert_verify); | |
130 STATE_CASE(wait_finished); | |
131 STATE_CASE(wait_server_hello); | |
132 STATE_CASE(wait_certificate_status); | |
133 STATE_CASE(wait_server_cert); | |
134 STATE_CASE(wait_cert_request); | |
135 STATE_CASE(wait_encrypted_extensions); | |
136 STATE_CASE(idle_handshake); | |
137 default: | |
138 break; | |
139 } | |
140 PORT_Assert(0); | |
141 return "unknown"; | |
142 } | |
143 #endif | |
144 | |
145 #define TLS13_WAIT_STATE_MASK 0x80 | |
146 | |
147 #define TLS13_BASE_WAIT_STATE(ws) (ws & ~TLS13_WAIT_STATE_MASK) | |
148 /* We don't mask idle_handshake because other parts of the code use it*/ | |
149 #define TLS13_WAIT_STATE(ws) (ws == idle_handshake ? ws : ws | TLS13_WAIT_STATE_
MASK) | |
150 #define TLS13_CHECK_HS_STATE(ss, err, ...) \ | |
151 tls13_CheckHsState(ss, err, #err, __func__, __FILE__, __LINE__, \ | |
152 __VA_ARGS__, \ | |
153 wait_invalid) | |
154 void | |
155 tls13_SetHsState(sslSocket *ss, SSL3WaitState ws, | |
156 const char *func, const char *file, int line) | |
157 { | |
158 #ifdef TRACE | |
159 const char *new_state_name = | |
160 tls13_HandshakeState(ws); | |
161 | |
162 SSL_TRC(3, ("%d: TLS13[%d]: state change from %s->%s in %s (%s:%d)", | |
163 SSL_GETPID(), ss->fd, | |
164 tls13_HandshakeState(TLS13_BASE_WAIT_STATE(ss->ssl3.hs.ws)), | |
165 new_state_name, | |
166 func, file, line)); | |
167 #endif | |
168 | |
169 ss->ssl3.hs.ws = TLS13_WAIT_STATE(ws); | |
170 } | |
171 | |
172 static PRBool | |
173 tls13_InHsStateV(sslSocket *ss, va_list ap) | |
174 { | |
175 SSL3WaitState ws; | |
176 | |
177 while ((ws = va_arg(ap, SSL3WaitState)) != wait_invalid) { | |
178 if (ws == TLS13_BASE_WAIT_STATE(ss->ssl3.hs.ws)) { | |
179 return PR_TRUE; | |
180 } | |
181 } | |
182 return PR_FALSE; | |
183 } | |
184 | |
185 PRBool | |
186 tls13_InHsState(sslSocket *ss, ...) | |
187 { | |
188 PRBool found; | |
189 va_list ap; | |
190 | |
191 va_start(ap, ss); | |
192 found = tls13_InHsStateV(ss, ap); | |
193 va_end(ap); | |
194 | |
195 return found; | |
196 } | |
197 | |
198 static SECStatus | |
199 tls13_CheckHsState(sslSocket *ss, int err, const char *error_name, | |
200 const char *func, const char *file, int line, | |
201 ...) | |
202 { | |
203 va_list ap; | |
204 va_start(ap, line); | |
205 if (tls13_InHsStateV(ss, ap)) { | |
206 va_end(ap); | |
207 return SECSuccess; | |
208 } | |
209 va_end(ap); | |
210 | |
211 SSL_TRC(3, ("%d: TLS13[%d]: error %s state is (%s) at %s (%s:%d)", | |
212 SSL_GETPID(), ss->fd, | |
213 error_name, | |
214 tls13_HandshakeState(TLS13_BASE_WAIT_STATE(ss->ssl3.hs.ws)), | |
215 func, file, line)); | |
216 tls13_FatalError(ss, err, unexpected_message); | |
217 return SECFailure; | |
218 } | |
219 | |
220 SSLHashType | |
221 tls13_GetHash(sslSocket *ss) | |
222 { | |
223 /* TODO(ekr@rtfm.com): This needs to actually be looked up. */ | |
224 return ssl_hash_sha256; | |
225 } | |
226 | |
227 CK_MECHANISM_TYPE | |
228 tls13_GetHkdfMechanism(sslSocket *ss) | |
229 { | |
230 /* TODO(ekr@rtfm.com): This needs to actually be looked up. */ | |
231 return CKM_NSS_HKDF_SHA256; | |
232 } | |
233 | |
234 static CK_MECHANISM_TYPE | |
235 tls13_GetHmacMechanism(sslSocket *ss) | |
236 { | |
237 /* TODO(ekr@rtfm.com): This needs to actually be looked up. */ | |
238 return CKM_SHA256_HMAC; | |
239 } | |
240 | |
241 /* | |
242 * Called from ssl3_SendClientHello | |
243 */ | |
244 SECStatus | |
245 tls13_SetupClientHello(sslSocket *ss) | |
246 { | |
247 SECStatus rv; | |
248 /* TODO(ekr@rtfm.com): Handle multiple curves here. */ | |
249 ECName curves_to_try[] = { ec_secp256r1 }; | |
250 | |
251 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | |
252 PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); | |
253 | |
254 PORT_Assert(!ss->ephemeralECDHKeyPair); | |
255 | |
256 rv = ssl3_CreateECDHEphemeralKeyPair(curves_to_try[0], | |
257 &ss->ephemeralECDHKeyPair); | |
258 if (rv != SECSuccess) | |
259 return rv; | |
260 | |
261 return SECSuccess; | |
262 } | |
263 | |
264 static SECStatus | |
265 tls13_HandleECDHEKeyShare(sslSocket *ss, | |
266 TLS13KeyShareEntry *entry, | |
267 SECKEYPrivateKey *privKey, | |
268 SharedSecretType type) | |
269 { | |
270 SECStatus rv; | |
271 SECKEYPublicKey *peerKey; | |
272 PK11SymKey *shared; | |
273 | |
274 peerKey = tls13_ImportECDHKeyShare(ss, entry->key_exchange.data, | |
275 entry->key_exchange.len, | |
276 entry->group); | |
277 if (!peerKey) | |
278 return SECFailure; /* Error code set already. */ | |
279 | |
280 /* Compute shared key. */ | |
281 shared = tls13_ComputeECDHSharedKey(ss, privKey, peerKey); | |
282 SECKEY_DestroyPublicKey(peerKey); | |
283 if (!shared) { | |
284 return SECFailure; /* Error code set already. */ | |
285 } | |
286 | |
287 /* Extract key. */ | |
288 rv = tls13_HkdfExtractSharedKey(ss, shared, type); | |
289 PK11_FreeSymKey(shared); | |
290 | |
291 return rv; | |
292 } | |
293 | |
294 SECStatus | |
295 tls13_HandlePostHelloHandshakeMessage(sslSocket *ss, SSL3Opaque *b, | |
296 PRUint32 length, SSL3Hashes *hashesPtr) | |
297 { | |
298 /* TODO(ekr@rtfm.com): Would it be better to check all the states here? */ | |
299 switch (ss->ssl3.hs.msg_type) { | |
300 case certificate: | |
301 return tls13_HandleCertificate(ss, b, length); | |
302 | |
303 case certificate_status: | |
304 return tls13_HandleCertificateStatus(ss, b, length); | |
305 | |
306 case certificate_request: | |
307 return tls13_HandleCertificateRequest(ss, b, length); | |
308 | |
309 case certificate_verify: | |
310 return tls13_HandleCertificateVerify(ss, b, length, hashesPtr); | |
311 | |
312 case encrypted_extensions: | |
313 return tls13_HandleEncryptedExtensions(ss, b, length); | |
314 | |
315 case new_session_ticket: | |
316 return tls13_HandleNewSessionTicket(ss, b, length); | |
317 | |
318 case finished: | |
319 return tls13_HandleFinished(ss, b, length, hashesPtr); | |
320 | |
321 default: | |
322 FATAL_ERROR(ss, SSL_ERROR_RX_UNKNOWN_HANDSHAKE, unexpected_message); | |
323 return SECFailure; | |
324 } | |
325 | |
326 PORT_Assert(0); /* Unreached */ | |
327 return SECFailure; | |
328 } | |
329 | |
330 /* Called from ssl3_HandleClientHello. | |
331 * | |
332 * Caller must hold Handshake and RecvBuf locks. | |
333 */ | |
334 SECStatus | |
335 tls13_HandleClientKeyShare(sslSocket *ss) | |
336 { | |
337 ECName expectedGroup; | |
338 SECStatus rv; | |
339 TLS13KeyShareEntry *found = NULL; | |
340 PRCList *cur_p; | |
341 | |
342 SSL_TRC(3, ("%d: TLS13[%d]: handle client_key_share handshake", | |
343 SSL_GETPID(), ss->fd)); | |
344 | |
345 PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); | |
346 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | |
347 | |
348 rv = ssl3_SetupPendingCipherSpec(ss); | |
349 if (rv != SECSuccess) | |
350 return SECFailure; /* Error code set below */ | |
351 | |
352 /* Figure out what group we expect */ | |
353 switch (ss->ssl3.hs.kea_def->exchKeyType) { | |
354 #ifndef NSS_DISABLE_ECC | |
355 case ssl_kea_ecdh: | |
356 expectedGroup = ssl3_GetCurveNameForServerSocket(ss); | |
357 if (!expectedGroup) { | |
358 FATAL_ERROR(ss, SSL_ERROR_NO_CYPHER_OVERLAP, | |
359 handshake_failure); | |
360 return SECFailure; | |
361 } | |
362 break; | |
363 #endif | |
364 default: | |
365 /* Got an unknown or unsupported Key Exchange Algorithm. | |
366 * Can't happen. */ | |
367 FATAL_ERROR(ss, SEC_ERROR_UNSUPPORTED_KEYALG, | |
368 internal_error); | |
369 return SECFailure; | |
370 } | |
371 | |
372 /* Now walk through the keys until we find one for our group */ | |
373 cur_p = PR_NEXT_LINK(&ss->ssl3.hs.remoteKeyShares); | |
374 while (cur_p != &ss->ssl3.hs.remoteKeyShares) { | |
375 TLS13KeyShareEntry *offer = (TLS13KeyShareEntry *)cur_p; | |
376 | |
377 if (offer->group == expectedGroup) { | |
378 found = offer; | |
379 break; | |
380 } | |
381 cur_p = PR_NEXT_LINK(cur_p); | |
382 } | |
383 | |
384 if (!found) { | |
385 /* No acceptable group. In future, we will need to correct the client. | |
386 * Currently just generate an error. | |
387 * TODO(ekr@rtfm.com): Write code to correct client. | |
388 */ | |
389 FATAL_ERROR(ss, SSL_ERROR_NO_CYPHER_OVERLAP, handshake_failure); | |
390 return SECFailure; | |
391 } | |
392 | |
393 /* Generate our key */ | |
394 rv = ssl3_CreateECDHEphemeralKeyPair(expectedGroup, &ss->ephemeralECDHKeyPai
r); | |
395 if (rv != SECSuccess) | |
396 return rv; | |
397 | |
398 ss->sec.keaType = ss->ssl3.hs.kea_def->exchKeyType; | |
399 ss->sec.keaKeyBits = SECKEY_PublicKeyStrengthInBits( | |
400 ss->ephemeralECDHKeyPair->pubKey); | |
401 | |
402 /* Register the sender */ | |
403 rv = ssl3_RegisterServerHelloExtensionSender(ss, ssl_tls13_key_share_xtn, | |
404 tls13_ServerSendKeyShareXtn); | |
405 if (rv != SECSuccess) | |
406 return SECFailure; /* Error code set below */ | |
407 | |
408 rv = tls13_HandleECDHEKeyShare(ss, found, | |
409 ss->ephemeralECDHKeyPair->privKey, | |
410 EphemeralSharedSecret); | |
411 if (rv != SECSuccess) | |
412 return SECFailure; /* Error code set below */ | |
413 | |
414 return SECSuccess; | |
415 } | |
416 | |
417 /* | |
418 * [draft-ietf-tls-tls13-11] Section 6.3.3.2 | |
419 * | |
420 * opaque DistinguishedName<1..2^16-1>; | |
421 * | |
422 * struct { | |
423 * opaque certificate_extension_oid<1..2^8-1>; | |
424 * opaque certificate_extension_values<0..2^16-1>; | |
425 * } CertificateExtension; | |
426 * | |
427 * struct { | |
428 * opaque certificate_request_context<0..2^8-1>; | |
429 * SignatureAndHashAlgorithm | |
430 * supported_signature_algorithms<2..2^16-2>; | |
431 * DistinguishedName certificate_authorities<0..2^16-1>; | |
432 * CertificateExtension certificate_extensions<0..2^16-1>; | |
433 * } CertificateRequest; | |
434 */ | |
435 static SECStatus | |
436 tls13_SendCertificateRequest(sslSocket *ss) | |
437 { | |
438 SECStatus rv; | |
439 int calen; | |
440 SECItem *names; | |
441 int nnames; | |
442 SECItem *name; | |
443 int i; | |
444 PRUint8 sigAlgs[MAX_SIGNATURE_ALGORITHMS * 2]; | |
445 unsigned int sigAlgsLength = 0; | |
446 int length; | |
447 | |
448 SSL_TRC(3, ("%d: TLS13[%d]: begin send certificate_request", | |
449 SSL_GETPID(), ss->fd)); | |
450 | |
451 /* Fixed context value. */ | |
452 ss->ssl3.hs.certReqContext[0] = 0; | |
453 ss->ssl3.hs.certReqContextLen = 1; | |
454 | |
455 rv = ssl3_EncodeCertificateRequestSigAlgs(ss, sigAlgs, sizeof(sigAlgs), | |
456 &sigAlgsLength); | |
457 if (rv != SECSuccess) { | |
458 return rv; | |
459 } | |
460 | |
461 ssl3_GetCertificateRequestCAs(ss, &calen, &names, &nnames); | |
462 length = 1 + ss->ssl3.hs.certReqContextLen + | |
463 2 + sigAlgsLength + 2 + calen + 2; | |
464 | |
465 rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length); | |
466 if (rv != SECSuccess) { | |
467 return rv; /* err set by AppendHandshake. */ | |
468 } | |
469 rv = ssl3_AppendHandshakeVariable(ss, ss->ssl3.hs.certReqContext, | |
470 ss->ssl3.hs.certReqContextLen, 1); | |
471 if (rv != SECSuccess) { | |
472 return rv; /* err set by AppendHandshake. */ | |
473 } | |
474 rv = ssl3_AppendHandshakeVariable(ss, sigAlgs, sigAlgsLength, 2); | |
475 if (rv != SECSuccess) { | |
476 return rv; /* err set by AppendHandshake. */ | |
477 } | |
478 rv = ssl3_AppendHandshakeNumber(ss, calen, 2); | |
479 if (rv != SECSuccess) { | |
480 return rv; /* err set by AppendHandshake. */ | |
481 } | |
482 for (i = 0, name = names; i < nnames; i++, name++) { | |
483 rv = ssl3_AppendHandshakeVariable(ss, name->data, name->len, 2); | |
484 if (rv != SECSuccess) { | |
485 return rv; /* err set by AppendHandshake. */ | |
486 } | |
487 } | |
488 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); | |
489 if (rv != SECSuccess) { | |
490 return rv; /* err set by AppendHandshake. */ | |
491 } | |
492 | |
493 return SECSuccess; | |
494 } | |
495 | |
496 static SECStatus | |
497 tls13_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length) | |
498 { | |
499 SECStatus rv; | |
500 SECItem context = { siBuffer, NULL, 0 }; | |
501 SECItem algorithms = { siBuffer, NULL, 0 }; | |
502 PLArenaPool *arena; | |
503 CERTDistNames ca_list; | |
504 PRInt32 extensionsLength; | |
505 | |
506 SSL_TRC(3, ("%d: TLS13[%d]: handle certificate_request sequence", | |
507 SSL_GETPID(), ss->fd)); | |
508 | |
509 PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); | |
510 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | |
511 | |
512 /* Client */ | |
513 rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST, wait_cer
t_request); | |
514 if (rv != SECSuccess) { | |
515 return SECFailure; | |
516 } | |
517 | |
518 PORT_Assert(ss->ssl3.clientCertChain == NULL); | |
519 PORT_Assert(ss->ssl3.clientCertificate == NULL); | |
520 PORT_Assert(ss->ssl3.clientPrivateKey == NULL); | |
521 | |
522 rv = ssl3_ConsumeHandshakeVariable(ss, &context, 1, &b, &length); | |
523 if (rv != SECSuccess) | |
524 return SECFailure; | |
525 PORT_Assert(sizeof(ss->ssl3.hs.certReqContext) == 255); | |
526 PORT_Memcpy(ss->ssl3.hs.certReqContext, context.data, context.len); | |
527 ss->ssl3.hs.certReqContextLen = context.len; | |
528 | |
529 rv = ssl3_ConsumeHandshakeVariable(ss, &algorithms, 2, &b, &length); | |
530 if (rv != SECSuccess) | |
531 return SECFailure; | |
532 | |
533 if (algorithms.len == 0 || (algorithms.len & 1) != 0) { | |
534 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERT_REQUEST, | |
535 illegal_parameter); | |
536 return SECFailure; | |
537 } | |
538 | |
539 arena = ca_list.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | |
540 if (!arena) { | |
541 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); | |
542 return SECFailure; | |
543 } | |
544 | |
545 rv = ssl3_ParseCertificateRequestCAs(ss, &b, &length, arena, &ca_list); | |
546 if (rv != SECSuccess) | |
547 goto loser; /* alert sent below */ | |
548 | |
549 /* Verify that the extensions length is correct. */ | |
550 extensionsLength = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); | |
551 if (extensionsLength < 0) { | |
552 goto loser; /* alert sent below */ | |
553 } | |
554 if (extensionsLength != length) { | |
555 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERT_REQUEST, | |
556 illegal_parameter); | |
557 goto loser; | |
558 } | |
559 | |
560 TLS13_SET_HS_STATE(ss, wait_server_cert); | |
561 | |
562 rv = ssl3_CompleteHandleCertificateRequest(ss, &algorithms, &ca_list); | |
563 if (rv != SECSuccess) { | |
564 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); | |
565 goto loser; | |
566 } | |
567 | |
568 return SECSuccess; | |
569 | |
570 loser: | |
571 PORT_FreeArena(arena, PR_FALSE); | |
572 return SECFailure; | |
573 } | |
574 | |
575 static SECStatus | |
576 tls13_InitializeHandshakeEncryption(sslSocket *ss) | |
577 { | |
578 SECStatus rv; | |
579 | |
580 /* For all present cipher suites, SS = ES. | |
581 * TODO(ekr@rtfm.com): Revisit for 0-RTT. */ | |
582 ss->ssl3.hs.xSS = PK11_ReferenceSymKey(ss->ssl3.hs.xES); | |
583 if (!ss->ssl3.hs.xSS) { | |
584 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); | |
585 return SECFailure; | |
586 } | |
587 | |
588 rv = tls13_InitCipherSpec(ss, TrafficKeyHandshake, | |
589 InstallCipherSpecBoth); | |
590 if (rv != SECSuccess) { | |
591 FATAL_ERROR(ss, SSL_ERROR_INIT_CIPHER_SUITE_FAILURE, internal_error); | |
592 return SECFailure; | |
593 } | |
594 | |
595 return rv; | |
596 } | |
597 | |
598 /* Called from: ssl3_HandleClientHello */ | |
599 SECStatus | |
600 tls13_SendServerHelloSequence(sslSocket *ss) | |
601 { | |
602 SECStatus rv; | |
603 SSL3KEAType certIndex; | |
604 | |
605 SSL_TRC(3, ("%d: TLS13[%d]: begin send server_hello sequence", | |
606 SSL_GETPID(), ss->fd)); | |
607 | |
608 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | |
609 PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); | |
610 | |
611 rv = ssl3_SendServerHello(ss); | |
612 if (rv != SECSuccess) { | |
613 return rv; /* err code is set. */ | |
614 } | |
615 | |
616 rv = tls13_InitializeHandshakeEncryption(ss); | |
617 if (rv != SECSuccess) { | |
618 return SECFailure; /* error code is set. */ | |
619 } | |
620 | |
621 rv = tls13_SendEncryptedExtensions(ss); | |
622 if (rv != SECSuccess) { | |
623 return SECFailure; /* error code is set. */ | |
624 } | |
625 | |
626 if (ss->opt.requestCertificate) { | |
627 rv = tls13_SendCertificateRequest(ss); | |
628 if (rv != SECSuccess) { | |
629 return SECFailure; /* error code is set. */ | |
630 } | |
631 } | |
632 rv = ssl3_SendCertificate(ss); | |
633 if (rv != SECSuccess) { | |
634 return SECFailure; /* error code is set. */ | |
635 } | |
636 rv = ssl3_SendCertificateStatus(ss); | |
637 if (rv != SECSuccess) { | |
638 return SECFailure; /* error code is set. */ | |
639 } | |
640 | |
641 /* This was copied from: ssl3_SendCertificate. | |
642 * TODO(ekr@rtfm.com): Verify that this selection logic is correct. | |
643 * Bug 1237514. | |
644 */ | |
645 if ((ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) || | |
646 (ss->ssl3.hs.kea_def->kea == kea_dhe_rsa)) { | |
647 certIndex = kt_rsa; | |
648 } else { | |
649 certIndex = ss->ssl3.hs.kea_def->exchKeyType; | |
650 } | |
651 rv = ssl3_SendCertificateVerify(ss, ss->serverCerts[certIndex].SERVERKEY); | |
652 if (rv != SECSuccess) { | |
653 return rv; /* err code is set. */ | |
654 } | |
655 | |
656 /* Compute the rest of the secrets except for the resumption | |
657 * and exporter secret. */ | |
658 rv = tls13_ComputeSecrets1(ss); | |
659 if (rv != SECSuccess) { | |
660 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); | |
661 return SECFailure; | |
662 } | |
663 | |
664 rv = tls13_SendFinished(ss); | |
665 if (rv != SECSuccess) { | |
666 return rv; /* error code is set. */ | |
667 } | |
668 | |
669 TLS13_SET_HS_STATE(ss, ss->opt.requestCertificate ? wait_client_cert | |
670 : wait_finished); | |
671 | |
672 return SECSuccess; | |
673 } | |
674 | |
675 /* | |
676 * Called from ssl3_HandleServerHello. | |
677 * | |
678 * Caller must hold Handshake and RecvBuf locks. | |
679 */ | |
680 SECStatus | |
681 tls13_HandleServerKeyShare(sslSocket *ss) | |
682 { | |
683 SECStatus rv; | |
684 ECName expectedGroup; | |
685 PRCList *cur_p; | |
686 TLS13KeyShareEntry *entry; | |
687 | |
688 SSL_TRC(3, ("%d: TLS13[%d]: handle server_key_share handshake", | |
689 SSL_GETPID(), ss->fd)); | |
690 PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); | |
691 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | |
692 | |
693 switch (ss->ssl3.hs.kea_def->exchKeyType) { | |
694 #ifndef NSS_DISABLE_ECC | |
695 case ssl_kea_ecdh: | |
696 expectedGroup = ssl3_PubKey2ECName(ss->ephemeralECDHKeyPair->pubKey)
; | |
697 break; | |
698 #endif /* NSS_DISABLE_ECC */ | |
699 default: | |
700 FATAL_ERROR(ss, SEC_ERROR_UNSUPPORTED_KEYALG, handshake_failure); | |
701 return SECFailure; | |
702 } | |
703 | |
704 /* This list should have one entry. */ | |
705 cur_p = PR_NEXT_LINK(&ss->ssl3.hs.remoteKeyShares); | |
706 if (!cur_p) { | |
707 FATAL_ERROR(ss, SSL_ERROR_MISSING_KEY_SHARE, missing_extension); | |
708 return SECFailure; | |
709 } | |
710 PORT_Assert(PR_NEXT_LINK(cur_p) == &ss->ssl3.hs.remoteKeyShares); | |
711 | |
712 entry = (TLS13KeyShareEntry *)cur_p; | |
713 if (entry->group != expectedGroup) { | |
714 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_KEY_SHARE, illegal_parameter); | |
715 return SECFailure; | |
716 } | |
717 | |
718 rv = tls13_HandleECDHEKeyShare(ss, entry, | |
719 ss->ephemeralECDHKeyPair->privKey, | |
720 EphemeralSharedSecret); | |
721 | |
722 ss->sec.keaType = ss->ssl3.hs.kea_def->exchKeyType; | |
723 ss->sec.keaKeyBits = SECKEY_PublicKeyStrengthInBits( | |
724 ss->ephemeralECDHKeyPair->pubKey); | |
725 | |
726 if (rv != SECSuccess) | |
727 return SECFailure; /* Error code set below */ | |
728 | |
729 return tls13_InitializeHandshakeEncryption(ss); | |
730 } | |
731 | |
732 /* Called from tls13_CompleteHandleHandshakeMessage() when it has deciphered a c
omplete | |
733 * tls13 Certificate message. | |
734 * Caller must hold Handshake and RecvBuf locks. | |
735 */ | |
736 static SECStatus | |
737 tls13_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) | |
738 { | |
739 SECStatus rv; | |
740 SECItem context = { siBuffer, NULL, 0 }; | |
741 | |
742 SSL_TRC(3, ("%d: TLS13[%d]: handle certificate handshake", | |
743 SSL_GETPID(), ss->fd)); | |
744 PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); | |
745 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | |
746 | |
747 if (ss->sec.isServer) { | |
748 rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERTIFICATE, | |
749 wait_client_cert); | |
750 } else { | |
751 rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERTIFICATE, | |
752 wait_cert_request, wait_server_cert); | |
753 } | |
754 if (rv != SECSuccess) | |
755 return SECFailure; | |
756 | |
757 /* Process the context string */ | |
758 rv = ssl3_ConsumeHandshakeVariable(ss, &context, 1, &b, &length); | |
759 if (rv != SECSuccess) | |
760 return SECFailure; | |
761 if (!ss->sec.isServer) { | |
762 if (context.len) { | |
763 /* The server's context string MUST be empty */ | |
764 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE, | |
765 illegal_parameter); | |
766 return SECFailure; | |
767 } | |
768 } else { | |
769 if (!context.len || context.len != ss->ssl3.hs.certReqContextLen || | |
770 (NSS_SecureMemcmp(ss->ssl3.hs.certReqContext, | |
771 context.data, context.len) != 0)) { | |
772 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE, | |
773 illegal_parameter); | |
774 return SECFailure; | |
775 } | |
776 context.len = 0; /* Belt and suspenders. Zero out the context. */ | |
777 } | |
778 | |
779 return ssl3_CompleteHandleCertificate(ss, b, length); | |
780 } | |
781 | |
782 /* Called from tls13_CompleteHandleHandshakeMessage() when it has deciphered a c
omplete | |
783 * ssl3 CertificateStatus message. | |
784 * Caller must hold Handshake and RecvBuf locks. | |
785 */ | |
786 static SECStatus | |
787 tls13_HandleCertificateStatus(sslSocket *ss, SSL3Opaque *b, PRUint32 length) | |
788 { | |
789 SECStatus rv; | |
790 | |
791 rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERT_STATUS, | |
792 wait_certificate_status); | |
793 if (rv != SECSuccess) | |
794 return rv; | |
795 | |
796 return ssl3_CompleteHandleCertificateStatus(ss, b, length); | |
797 } | |
798 | |
799 /* | |
800 * TODO(ekr@rtfm.com): This install logic needs renaming since it's | |
801 * what happens at various stages of cipher spec setup. Legacy from ssl3con.c. | |
802 */ | |
803 int | |
804 tls13_InstallCipherSpec(sslSocket *ss, InstallCipherSpecDirection direction) | |
805 { | |
806 SSL_TRC(3, ("%d: TLS13[%d]: Installing new cipher specs direction = %s", | |
807 SSL_GETPID(), ss->fd, | |
808 direction == InstallCipherSpecRead ? "read" : "write")); | |
809 | |
810 PORT_Assert(!IS_DTLS(ss)); /* TODO(ekr@rtfm.com): Update for DTLS */ | |
811 /* TODO(ekr@rtfm.com): Holddown timer for DTLS. */ | |
812 ssl_GetSpecWriteLock(ss); /**************************************/ | |
813 | |
814 /* Flush out any old stuff in the handshake buffers */ | |
815 switch (direction) { | |
816 case InstallCipherSpecWrite: { | |
817 ssl3CipherSpec *pwSpec; | |
818 pwSpec = ss->ssl3.pwSpec; | |
819 | |
820 ss->ssl3.pwSpec = ss->ssl3.cwSpec; | |
821 ss->ssl3.cwSpec = pwSpec; | |
822 break; | |
823 } break; | |
824 case InstallCipherSpecRead: { | |
825 ssl3CipherSpec *prSpec; | |
826 | |
827 prSpec = ss->ssl3.prSpec; | |
828 ss->ssl3.prSpec = ss->ssl3.crSpec; | |
829 ss->ssl3.crSpec = prSpec; | |
830 } break; | |
831 default: | |
832 PORT_Assert(0); | |
833 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | |
834 ssl_ReleaseSpecWriteLock(ss); /*************************************
*/ | |
835 return SECFailure; | |
836 } | |
837 | |
838 /* If we are really through with the old cipher prSpec | |
839 * (Both the read and write sides have changed) destroy it. | |
840 */ | |
841 if (ss->ssl3.prSpec == ss->ssl3.pwSpec) { | |
842 ssl3_DestroyCipherSpec(ss->ssl3.prSpec, PR_FALSE /*freeSrvName*/); | |
843 } | |
844 ssl_ReleaseSpecWriteLock(ss); /**************************************/ | |
845 | |
846 return SECSuccess; | |
847 } | |
848 | |
849 /* Add context to the hash functions as described in | |
850 [draft-ietf-tls-tls13; Section 4.9.1] */ | |
851 SECStatus | |
852 tls13_AddContextToHashes(sslSocket *ss, SSL3Hashes *hashes /* IN/OUT */, | |
853 SSLHashType algorithm, PRBool sending) | |
854 { | |
855 SECStatus rv = SECSuccess; | |
856 PK11Context *ctx; | |
857 const unsigned char context_padding[] = { | |
858 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, | |
859 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, | |
860 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, | |
861 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, | |
862 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, | |
863 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, | |
864 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, | |
865 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, | |
866 }; | |
867 const char *client_cert_verify_string = "TLS 1.3, client CertificateVerify"; | |
868 const char *server_cert_verify_string = "TLS 1.3, server CertificateVerify"; | |
869 const char *context_string = (sending ^ ss->sec.isServer) ? client_cert_veri
fy_string | |
870 : server_cert_veri
fy_string; | |
871 unsigned int hashlength; | |
872 | |
873 /* Double check that we are doing SHA-256 for the handshake hash.*/ | |
874 PORT_Assert(hashes->hashAlg == ssl_hash_sha256); | |
875 if (hashes->hashAlg != ssl_hash_sha256) { | |
876 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
877 goto loser; | |
878 } | |
879 PORT_Assert(hashes->len == 32); | |
880 | |
881 ctx = PK11_CreateDigestContext(ssl3_TLSHashAlgorithmToOID(algorithm)); | |
882 if (!ctx) { | |
883 PORT_SetError(SEC_ERROR_NO_MEMORY); | |
884 goto loser; | |
885 } | |
886 | |
887 PORT_Assert(SECFailure); | |
888 PORT_Assert(!SECSuccess); | |
889 | |
890 rv |= PK11_DigestBegin(ctx); | |
891 rv |= PK11_DigestOp(ctx, context_padding, sizeof(context_padding)); | |
892 rv |= PK11_DigestOp(ctx, (unsigned char *)context_string, | |
893 strlen(context_string) + 1); /* +1 includes the terminat
ing 0 */ | |
894 rv |= PK11_DigestOp(ctx, hashes->u.raw, hashes->len); | |
895 /* Update the hash in-place */ | |
896 rv |= PK11_DigestFinal(ctx, hashes->u.raw, &hashlength, sizeof(hashes->u.raw
)); | |
897 PK11_DestroyContext(ctx, PR_TRUE); | |
898 PRINT_BUF(90, (NULL, "TLS 1.3 hash with context", hashes->u.raw, hashlength)
); | |
899 | |
900 hashes->len = hashlength; | |
901 hashes->hashAlg = algorithm; | |
902 | |
903 if (rv) { | |
904 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | |
905 goto loser; | |
906 } | |
907 return SECSuccess; | |
908 | |
909 loser: | |
910 return SECFailure; | |
911 } | |
912 | |
913 static SECStatus | |
914 tls13_HkdfExtractSharedKey(sslSocket *ss, PK11SymKey *key, | |
915 SharedSecretType keyType) | |
916 { | |
917 PK11SymKey **destp; | |
918 | |
919 switch (keyType) { | |
920 case EphemeralSharedSecret: | |
921 destp = &ss->ssl3.hs.xES; | |
922 break; | |
923 case StaticSharedSecret: | |
924 destp = &ss->ssl3.hs.xSS; | |
925 break; | |
926 default: | |
927 PORT_Assert(0); | |
928 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | |
929 return SECFailure; | |
930 } | |
931 | |
932 PORT_Assert(!*destp); | |
933 return tls13_HkdfExtract(NULL, key, tls13_GetHash(ss), destp); | |
934 } | |
935 | |
936 static SECStatus | |
937 tls13_DeriveTrafficKeys(sslSocket *ss, ssl3CipherSpec *pwSpec, | |
938 TrafficKeyType type) | |
939 { | |
940 size_t keySize = pwSpec->cipher_def->key_size; | |
941 size_t ivSize = pwSpec->cipher_def->iv_size + | |
942 pwSpec->cipher_def->explicit_nonce_size; /* This isn't alway
s going to | |
943 * work, but it doe
s for | |
944 * AES-GCM */ | |
945 CK_MECHANISM_TYPE bulkAlgorithm = ssl3_Alg2Mech(pwSpec->cipher_def->calg); | |
946 SSL3Hashes hashes; | |
947 PK11SymKey *prk = NULL; | |
948 const char *phase; | |
949 char label[256]; /* Arbitrary buffer large enough to hold the label */ | |
950 SECStatus rv; | |
951 | |
952 #define FORMAT_LABEL(phase_, purpose_)
\ | |
953 do {
\ | |
954 PRUint32 n = PR_snprintf(label, sizeof(label), "%s, %s", phase_, purpose
_); \ | |
955 /* Check for getting close. */
\ | |
956 if ((n + 1) >= sizeof(label)) {
\ | |
957 PORT_Assert(0);
\ | |
958 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
\ | |
959 goto loser;
\ | |
960 }
\ | |
961 } while (0) | |
962 #define EXPAND_TRAFFIC_KEY(purpose_, target_) \ | |
963 do { \ | |
964 FORMAT_LABEL(phase, purpose_); \ | |
965 rv = tls13_HkdfExpandLabel(prk, tls13_GetHash(ss), \ | |
966 hashes.u.raw, hashes.len, \ | |
967 label, strlen(label), \ | |
968 bulkAlgorithm, keySize, &pwSpec->target_); \ | |
969 if (rv != SECSuccess) { \ | |
970 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); \ | |
971 PORT_Assert(0); \ | |
972 goto loser; \ | |
973 } \ | |
974 } while (0) | |
975 | |
976 #define EXPAND_TRAFFIC_IV(purpose_, target_) \ | |
977 do { \ | |
978 FORMAT_LABEL(phase, purpose_); \ | |
979 rv = tls13_HkdfExpandLabelRaw(prk, tls13_GetHash(ss), \ | |
980 hashes.u.raw, hashes.len, \ | |
981 label, strlen(label), \ | |
982 pwSpec->target_, ivSize); \ | |
983 if (rv != SECSuccess) { \ | |
984 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); \ | |
985 PORT_Assert(0); \ | |
986 goto loser; \ | |
987 } \ | |
988 } while (0) | |
989 | |
990 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | |
991 PORT_Assert(ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); | |
992 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); | |
993 | |
994 rv = ssl3_ComputeHandshakeHashes(ss, pwSpec, &hashes, 0); | |
995 if (rv != SECSuccess) { | |
996 PORT_Assert(0); /* Should never fail */ | |
997 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); | |
998 return SECFailure; | |
999 } | |
1000 PRINT_BUF(60, (ss, "Deriving traffic keys. Session hash=", hashes.u.raw, | |
1001 hashes.len)); | |
1002 | |
1003 switch (type) { | |
1004 case TrafficKeyHandshake: | |
1005 phase = kHkdfPhaseHandshakeKeys; | |
1006 prk = ss->ssl3.hs.xES; | |
1007 break; | |
1008 case TrafficKeyApplicationData: | |
1009 phase = kHkdfPhaseApplicationDataKeys; | |
1010 prk = ss->ssl3.hs.trafficSecret; | |
1011 break; | |
1012 default: | |
1013 PORT_Assert(0); | |
1014 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | |
1015 return SECFailure; | |
1016 } | |
1017 PORT_Assert(prk != NULL); | |
1018 | |
1019 SSL_TRC(3, ("%d: TLS13[%d]: deriving traffic keys phase='%s'", | |
1020 SSL_GETPID(), ss->fd, phase)); | |
1021 | |
1022 EXPAND_TRAFFIC_KEY(kHkdfPurposeClientWriteKey, client.write_key); | |
1023 EXPAND_TRAFFIC_KEY(kHkdfPurposeServerWriteKey, server.write_key); | |
1024 EXPAND_TRAFFIC_IV(kHkdfPurposeClientWriteIv, client.write_iv); | |
1025 EXPAND_TRAFFIC_IV(kHkdfPurposeServerWriteIv, server.write_iv); | |
1026 | |
1027 return SECSuccess; | |
1028 | |
1029 loser: | |
1030 return SECFailure; | |
1031 } | |
1032 | |
1033 /* Set up a cipher spec with keys. If install is nonzero, then also install | |
1034 * it as the current cipher spec for each value in the mask. */ | |
1035 SECStatus | |
1036 tls13_InitCipherSpec(sslSocket *ss, TrafficKeyType type, InstallCipherSpecDirect
ion install) | |
1037 { | |
1038 ssl3CipherSpec *pwSpec; | |
1039 ssl3CipherSpec *cwSpec; | |
1040 SECStatus rv; | |
1041 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | |
1042 | |
1043 if (install == InstallCipherSpecWrite || | |
1044 install == InstallCipherSpecBoth) { | |
1045 ssl_GetXmitBufLock(ss); | |
1046 | |
1047 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER); | |
1048 ssl_ReleaseXmitBufLock(ss); | |
1049 if (rv != SECSuccess) { | |
1050 goto loser; | |
1051 } | |
1052 } | |
1053 | |
1054 ssl_GetSpecWriteLock(ss); /**************************************/ | |
1055 | |
1056 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); | |
1057 | |
1058 pwSpec = ss->ssl3.pwSpec; | |
1059 cwSpec = ss->ssl3.cwSpec; | |
1060 | |
1061 switch (pwSpec->cipher_def->calg) { | |
1062 case calg_aes_gcm: | |
1063 pwSpec->aead = tls13_AESGCM; | |
1064 break; | |
1065 default: | |
1066 PORT_Assert(0); | |
1067 goto loser; | |
1068 break; | |
1069 } | |
1070 | |
1071 /* Generic behaviors -- common to all crypto methods */ | |
1072 if (!IS_DTLS(ss)) { | |
1073 pwSpec->read_seq_num.high = pwSpec->write_seq_num.high = 0; | |
1074 } else { | |
1075 if (cwSpec->epoch == PR_UINT16_MAX) { | |
1076 /* The problem here is that we have rehandshaked too many | |
1077 * times (you are not allowed to wrap the epoch). The | |
1078 * spec says you should be discarding the connection | |
1079 * and start over, so not much we can do here. */ | |
1080 rv = SECFailure; | |
1081 goto loser; | |
1082 } | |
1083 /* The sequence number has the high 16 bits as the epoch. */ | |
1084 pwSpec->epoch = cwSpec->epoch + 1; | |
1085 pwSpec->read_seq_num.high = pwSpec->write_seq_num.high = | |
1086 pwSpec->epoch << 16; | |
1087 | |
1088 dtls_InitRecvdRecords(&pwSpec->recvdRecords); | |
1089 } | |
1090 pwSpec->read_seq_num.low = pwSpec->write_seq_num.low = 0; | |
1091 | |
1092 rv = tls13_DeriveTrafficKeys(ss, pwSpec, type); | |
1093 if (rv != SECSuccess) { | |
1094 goto loser; | |
1095 } | |
1096 if (install == InstallCipherSpecWrite || | |
1097 install == InstallCipherSpecBoth) { | |
1098 rv = tls13_InstallCipherSpec(ss, InstallCipherSpecWrite); | |
1099 if (rv != SECSuccess) { | |
1100 goto loser; | |
1101 } | |
1102 } | |
1103 if (install == InstallCipherSpecRead || | |
1104 install == InstallCipherSpecBoth) { | |
1105 rv = tls13_InstallCipherSpec(ss, InstallCipherSpecRead); | |
1106 if (rv != SECSuccess) { | |
1107 goto loser; | |
1108 } | |
1109 } | |
1110 ssl_ReleaseSpecWriteLock(ss); /**************************************/ | |
1111 | |
1112 return SECSuccess; | |
1113 | |
1114 loser: | |
1115 ssl_ReleaseSpecWriteLock(ss); /**************************************/ | |
1116 PORT_SetError(SSL_ERROR_INIT_CIPHER_SUITE_FAILURE); | |
1117 return SECFailure; | |
1118 } | |
1119 | |
1120 static SECStatus | |
1121 tls13_ComputeSecrets1(sslSocket *ss) | |
1122 { | |
1123 SECStatus rv; | |
1124 PK11SymKey *mSS = NULL; | |
1125 PK11SymKey *mES = NULL; | |
1126 PK11SymKey *masterSecret = NULL; | |
1127 SSL3Hashes hashes; | |
1128 | |
1129 rv = ssl3_SetupPendingCipherSpec(ss); | |
1130 if (rv != SECSuccess) { | |
1131 return rv; /* error code set below. */ | |
1132 } | |
1133 | |
1134 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0); | |
1135 if (rv != SECSuccess) { | |
1136 PORT_Assert(0); /* Should never fail */ | |
1137 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); | |
1138 return SECFailure; | |
1139 } | |
1140 | |
1141 PORT_Assert(ss->ssl3.hs.xSS); | |
1142 PORT_Assert(ss->ssl3.hs.xES); | |
1143 | |
1144 rv = tls13_HkdfExpandLabel(ss->ssl3.hs.xSS, | |
1145 tls13_GetHash(ss), | |
1146 hashes.u.raw, hashes.len, | |
1147 kHkdfLabelExpandedSs, | |
1148 strlen(kHkdfLabelExpandedSs), | |
1149 tls13_GetHkdfMechanism(ss), | |
1150 hashes.len, &mSS); | |
1151 if (rv != SECSuccess) { | |
1152 goto loser; | |
1153 } | |
1154 | |
1155 rv = tls13_HkdfExpandLabel(ss->ssl3.hs.xES, | |
1156 tls13_GetHash(ss), | |
1157 hashes.u.raw, hashes.len, | |
1158 kHkdfLabelExpandedEs, | |
1159 strlen(kHkdfLabelExpandedEs), | |
1160 tls13_GetHkdfMechanism(ss), | |
1161 hashes.len, &mES); | |
1162 if (rv != SECSuccess) { | |
1163 goto loser; | |
1164 } | |
1165 | |
1166 rv = tls13_HkdfExtract(mSS, mES, | |
1167 tls13_GetHash(ss), | |
1168 &masterSecret); | |
1169 | |
1170 if (rv != SECSuccess) { | |
1171 goto loser; | |
1172 } | |
1173 | |
1174 rv = tls13_HkdfExpandLabel(masterSecret, | |
1175 tls13_GetHash(ss), | |
1176 hashes.u.raw, hashes.len, | |
1177 kHkdfLabelTrafficSecret, | |
1178 strlen(kHkdfLabelTrafficSecret), | |
1179 tls13_GetHkdfMechanism(ss), | |
1180 hashes.len, &ss->ssl3.hs.trafficSecret); | |
1181 if (rv != SECSuccess) { | |
1182 goto loser; | |
1183 } | |
1184 | |
1185 rv = tls13_HkdfExpandLabel(masterSecret, | |
1186 tls13_GetHash(ss), | |
1187 NULL, 0, | |
1188 kHkdfLabelClientFinishedSecret, | |
1189 strlen(kHkdfLabelClientFinishedSecret), | |
1190 tls13_GetHmacMechanism(ss), | |
1191 hashes.len, &ss->ssl3.hs.clientFinishedSecret); | |
1192 if (rv != SECSuccess) { | |
1193 goto loser; | |
1194 } | |
1195 | |
1196 rv = tls13_HkdfExpandLabel(masterSecret, | |
1197 tls13_GetHash(ss), | |
1198 NULL, 0, | |
1199 kHkdfLabelServerFinishedSecret, | |
1200 strlen(kHkdfLabelServerFinishedSecret), | |
1201 tls13_GetHmacMechanism(ss), | |
1202 hashes.len, &ss->ssl3.hs.serverFinishedSecret); | |
1203 if (rv != SECSuccess) { | |
1204 goto loser; | |
1205 } | |
1206 | |
1207 loser: | |
1208 PK11_FreeSymKey(ss->ssl3.hs.xSS); | |
1209 ss->ssl3.hs.xSS = NULL; | |
1210 PK11_FreeSymKey(ss->ssl3.hs.xES); | |
1211 ss->ssl3.hs.xES = NULL; | |
1212 | |
1213 if (mSS) { | |
1214 PK11_FreeSymKey(mSS); | |
1215 } | |
1216 if (mES) { | |
1217 PK11_FreeSymKey(mES); | |
1218 } | |
1219 if (masterSecret) { | |
1220 PK11_FreeSymKey(masterSecret); | |
1221 } | |
1222 | |
1223 return rv; | |
1224 } | |
1225 | |
1226 void | |
1227 tls13_DestroyKeyShareEntry(TLS13KeyShareEntry *offer) | |
1228 { | |
1229 SECITEM_ZfreeItem(&offer->key_exchange, PR_FALSE); | |
1230 PORT_ZFree(offer, sizeof(*offer)); | |
1231 } | |
1232 | |
1233 void | |
1234 tls13_DestroyKeyShares(PRCList *list) | |
1235 { | |
1236 PRCList *cur_p; | |
1237 | |
1238 while (!PR_CLIST_IS_EMPTY(list)) { | |
1239 cur_p = PR_LIST_TAIL(list); | |
1240 PR_REMOVE_LINK(cur_p); | |
1241 tls13_DestroyKeyShareEntry((TLS13KeyShareEntry *)cur_p); | |
1242 } | |
1243 } | |
1244 | |
1245 /* Implement the SSLAEADCipher interface defined in sslimpl.h. | |
1246 * | |
1247 * That interface mixes the AD and the sequence number, but in | |
1248 * TLS 1.3 there is no additional data so this value is just the | |
1249 * encoded sequence number and we call it |seqNumBuf|. | |
1250 */ | |
1251 static SECStatus | |
1252 tls13_AESGCM(ssl3KeyMaterial *keys, | |
1253 PRBool doDecrypt, | |
1254 unsigned char *out, | |
1255 int *outlen, | |
1256 int maxout, | |
1257 const unsigned char *in, | |
1258 int inlen, | |
1259 const unsigned char *seqNumBuf, | |
1260 int seqNumLen) | |
1261 { | |
1262 SECItem param; | |
1263 SECStatus rv = SECFailure; | |
1264 unsigned char nonce[12]; | |
1265 size_t i; | |
1266 unsigned int uOutLen; | |
1267 CK_GCM_PARAMS gcmParams; | |
1268 static const int tagSize = 16; | |
1269 | |
1270 PORT_Assert(seqNumLen == 8); | |
1271 | |
1272 /* draft-ietf-tls-tls13 Section 5.2.2 specifies the following | |
1273 * nonce algorithm: | |
1274 * | |
1275 * The length of the per-record nonce (iv_length) is set to max(8 bytes, | |
1276 * N_MIN) for the AEAD algorithm (see [RFC5116] Section 4). An AEAD | |
1277 * algorithm where N_MAX is less than 8 bytes MUST NOT be used with TLS. | |
1278 * The per-record nonce for the AEAD construction is formed as follows: | |
1279 * | |
1280 * 1. The 64-bit record sequence number is padded to the left with | |
1281 * zeroes to iv_length. | |
1282 * | |
1283 * 2. The padded sequence number is XORed with the static | |
1284 * client_write_iv or server_write_iv, depending on the role. | |
1285 * | |
1286 * The resulting quantity (of length iv_length) is used as the per- | |
1287 * record nonce. | |
1288 * | |
1289 * Per RFC 5288: N_MIN = N_MAX = 12 bytes. | |
1290 * | |
1291 */ | |
1292 memcpy(nonce, keys->write_iv, sizeof(nonce)); | |
1293 for (i = 0; i < 8; ++i) { | |
1294 nonce[4 + i] ^= seqNumBuf[i]; | |
1295 } | |
1296 | |
1297 param.type = siBuffer; | |
1298 param.data = (unsigned char *)&gcmParams; | |
1299 param.len = sizeof(gcmParams); | |
1300 gcmParams.pIv = nonce; | |
1301 gcmParams.ulIvLen = sizeof(nonce); | |
1302 gcmParams.pAAD = NULL; | |
1303 gcmParams.ulAADLen = 0; | |
1304 gcmParams.ulTagBits = tagSize * 8; | |
1305 | |
1306 if (doDecrypt) { | |
1307 rv = PK11_Decrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen, | |
1308 maxout, in, inlen); | |
1309 } else { | |
1310 rv = PK11_Encrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen, | |
1311 maxout, in, inlen); | |
1312 } | |
1313 *outlen = (int)uOutLen; | |
1314 | |
1315 return rv; | |
1316 } | |
1317 | |
1318 static SECStatus | |
1319 tls13_HandleEncryptedExtensions(sslSocket *ss, SSL3Opaque *b, PRUint32 length) | |
1320 { | |
1321 SECStatus rv; | |
1322 PRInt32 innerLength; | |
1323 | |
1324 PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); | |
1325 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | |
1326 | |
1327 SSL_TRC(3, ("%d: TLS13[%d]: handle encrypted extensions", | |
1328 SSL_GETPID(), ss->fd)); | |
1329 | |
1330 rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_ENCRYPTED_EXTENSIONS, | |
1331 wait_encrypted_extensions); | |
1332 if (rv != SECSuccess) { | |
1333 return SECFailure; | |
1334 } | |
1335 | |
1336 innerLength = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); | |
1337 if (innerLength < 0) { | |
1338 return SECFailure; /* Alert already sent. */ | |
1339 } | |
1340 if (innerLength != length) { | |
1341 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_ENCRYPTED_EXTENSIONS, | |
1342 illegal_parameter); | |
1343 return SECFailure; | |
1344 } | |
1345 | |
1346 rv = ssl3_HandleHelloExtensions(ss, &b, &length, encrypted_extensions); | |
1347 if (rv != SECSuccess) { | |
1348 return SECFailure; /* Error code set below */ | |
1349 } | |
1350 | |
1351 TLS13_SET_HS_STATE(ss, wait_cert_request); | |
1352 return SECSuccess; | |
1353 } | |
1354 | |
1355 static SECStatus | |
1356 tls13_SendEncryptedExtensions(sslSocket *ss) | |
1357 { | |
1358 SECStatus rv; | |
1359 PRInt32 extensions_len = 0; | |
1360 PRInt32 sent_len = 0; | |
1361 PRUint32 maxBytes = 65535; | |
1362 | |
1363 SSL_TRC(3, ("%d: TLS13[%d]: send encrypted extensions handshake", | |
1364 SSL_GETPID(), ss->fd)); | |
1365 | |
1366 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | |
1367 PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); | |
1368 | |
1369 extensions_len = ssl3_CallHelloExtensionSenders( | |
1370 ss, PR_FALSE, maxBytes, &ss->xtnData.encryptedExtensionsSenders[0]); | |
1371 | |
1372 rv = ssl3_AppendHandshakeHeader(ss, encrypted_extensions, | |
1373 extensions_len + 2); | |
1374 if (rv != SECSuccess) { | |
1375 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); | |
1376 return SECFailure; | |
1377 } | |
1378 rv = ssl3_AppendHandshakeNumber(ss, extensions_len, 2); | |
1379 if (rv != SECSuccess) { | |
1380 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); | |
1381 return SECFailure; | |
1382 } | |
1383 sent_len = ssl3_CallHelloExtensionSenders( | |
1384 ss, PR_TRUE, extensions_len, | |
1385 &ss->xtnData.encryptedExtensionsSenders[0]); | |
1386 PORT_Assert(sent_len == extensions_len); | |
1387 if (sent_len != extensions_len) { | |
1388 PORT_Assert(sent_len == 0); | |
1389 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); | |
1390 return SECFailure; | |
1391 } | |
1392 | |
1393 return SECSuccess; | |
1394 } | |
1395 | |
1396 /* Called from tls13_CompleteHandleHandshakeMessage() when it has deciphered a c
omplete | |
1397 * tls13 CertificateVerify message | |
1398 * Caller must hold Handshake and RecvBuf locks. | |
1399 */ | |
1400 SECStatus | |
1401 tls13_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length, | |
1402 SSL3Hashes *hashes) | |
1403 { | |
1404 SECItem signed_hash = { siBuffer, NULL, 0 }; | |
1405 SECStatus rv; | |
1406 SSLSignatureAndHashAlg sigAndHash; | |
1407 | |
1408 SSL_TRC(3, ("%d: TLS13[%d]: handle certificate_verify handshake", | |
1409 SSL_GETPID(), ss->fd)); | |
1410 PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); | |
1411 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | |
1412 | |
1413 rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY, | |
1414 wait_cert_verify); | |
1415 if (rv != SECSuccess) { | |
1416 return SECFailure; | |
1417 } | |
1418 | |
1419 if (!hashes) { | |
1420 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); | |
1421 return SECFailure; | |
1422 } | |
1423 | |
1424 /* We only support CertificateVerify messages that use the handshake | |
1425 * hash. | |
1426 * TODO(ekr@rtfm.com): This should be easy to relax in TLS 1.3 by | |
1427 * reading the client's hash algorithm first, but there may | |
1428 * be subtleties so retain the restriction for now. | |
1429 */ | |
1430 rv = tls13_AddContextToHashes(ss, hashes, hashes->hashAlg, PR_FALSE); | |
1431 if (rv != SECSuccess) { | |
1432 FATAL_ERROR(ss, SSL_ERROR_DIGEST_FAILURE, internal_error); | |
1433 return SECFailure; | |
1434 } | |
1435 | |
1436 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, | |
1437 &sigAndHash); | |
1438 if (rv != SECSuccess) { | |
1439 PORT_SetError(SSL_ERROR_RX_MALFORMED_CERT_VERIFY); | |
1440 return SECFailure; | |
1441 } | |
1442 | |
1443 rv = ssl3_CheckSignatureAndHashAlgorithmConsistency( | |
1444 ss, &sigAndHash, ss->sec.peerCert); | |
1445 if (rv != SECSuccess) { | |
1446 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERT_VERIFY, decrypt_error); | |
1447 return SECFailure; | |
1448 } | |
1449 | |
1450 /* We only support CertificateVerify messages that use the handshake | |
1451 * hash. */ | |
1452 if (sigAndHash.hashAlg != hashes->hashAlg) { | |
1453 FATAL_ERROR(ss, SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM, decrypt_error); | |
1454 return SECFailure; | |
1455 } | |
1456 | |
1457 rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length); | |
1458 if (rv != SECSuccess) { | |
1459 PORT_SetError(SSL_ERROR_RX_MALFORMED_CERT_VERIFY); | |
1460 return SECFailure; | |
1461 } | |
1462 | |
1463 if (length != 0) { | |
1464 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERT_VERIFY, decode_error); | |
1465 return SECFailure; | |
1466 } | |
1467 | |
1468 rv = ssl3_VerifySignedHashes(hashes, ss->sec.peerCert, &signed_hash, | |
1469 PR_TRUE, ss->pkcs11PinArg); | |
1470 if (rv != SECSuccess) { | |
1471 FATAL_ERROR(ss, PORT_GetError(), decrypt_error); | |
1472 return SECFailure; | |
1473 } | |
1474 | |
1475 if (!ss->sec.isServer) { | |
1476 /* Compute the rest of the secrets except for the resumption | |
1477 * and exporter secret. */ | |
1478 rv = tls13_ComputeSecrets1(ss); | |
1479 if (rv != SECSuccess) { | |
1480 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); | |
1481 return SECFailure; | |
1482 } | |
1483 } | |
1484 TLS13_SET_HS_STATE(ss, wait_finished); | |
1485 | |
1486 return SECSuccess; | |
1487 } | |
1488 | |
1489 static SECStatus | |
1490 tls13_ComputeFinished(sslSocket *ss, const SSL3Hashes *hashes, PRBool sending, | |
1491 PRUint8 *output, unsigned int *outputLen, unsigned int max
OutputLen) | |
1492 { | |
1493 SECStatus rv; | |
1494 PK11Context *hmacCtx = NULL; | |
1495 CK_MECHANISM_TYPE macAlg = tls13_GetHmacMechanism(ss); | |
1496 SECItem param = { siBuffer, NULL, 0 }; | |
1497 unsigned int outputLenUint; | |
1498 PK11SymKey *secret = (ss->sec.isServer ^ sending) ? ss->ssl3.hs.clientFinish
edSecret | |
1499 : ss->ssl3.hs.serverFinish
edSecret; | |
1500 | |
1501 PORT_Assert(secret); | |
1502 PRINT_BUF(90, (NULL, "Handshake hash", hashes->u.raw, hashes->len)); | |
1503 | |
1504 hmacCtx = PK11_CreateContextBySymKey(macAlg, CKA_SIGN, | |
1505 secret, ¶m); | |
1506 if (!hmacCtx) { | |
1507 goto abort; | |
1508 } | |
1509 | |
1510 rv = PK11_DigestBegin(hmacCtx); | |
1511 if (rv != SECSuccess) | |
1512 goto abort; | |
1513 | |
1514 rv = PK11_DigestOp(hmacCtx, hashes->u.raw, hashes->len); | |
1515 if (rv != SECSuccess) | |
1516 goto abort; | |
1517 | |
1518 PORT_Assert(maxOutputLen >= hashes->len); | |
1519 rv = PK11_DigestFinal(hmacCtx, output, &outputLenUint, maxOutputLen); | |
1520 if (rv != SECSuccess) | |
1521 goto abort; | |
1522 *outputLen = outputLenUint; | |
1523 | |
1524 PK11_DestroyContext(hmacCtx, PR_TRUE); | |
1525 return SECSuccess; | |
1526 | |
1527 abort: | |
1528 if (hmacCtx) { | |
1529 PK11_DestroyContext(hmacCtx, PR_TRUE); | |
1530 } | |
1531 | |
1532 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | |
1533 return SECFailure; | |
1534 } | |
1535 | |
1536 static SECStatus | |
1537 tls13_SendFinished(sslSocket *ss) | |
1538 { | |
1539 SECStatus rv; | |
1540 PRUint8 finishedBuf[MAX_FINISHED_SIZE]; | |
1541 unsigned int finishedLen; | |
1542 SSL3Hashes hashes; | |
1543 int errCode; | |
1544 | |
1545 SSL_TRC(3, ("%d: TLS13[%d]: send finished handshake", SSL_GETPID(), ss->fd))
; | |
1546 | |
1547 PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); | |
1548 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | |
1549 | |
1550 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.cwSpec, &hashes, 0); | |
1551 if (rv != SECSuccess) { | |
1552 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); | |
1553 return SECFailure; | |
1554 } | |
1555 | |
1556 ssl_GetSpecReadLock(ss); | |
1557 rv = tls13_ComputeFinished(ss, &hashes, PR_TRUE, | |
1558 finishedBuf, &finishedLen, sizeof(finishedBuf)); | |
1559 ssl_ReleaseSpecReadLock(ss); | |
1560 if (rv != SECSuccess) { | |
1561 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); | |
1562 return SECFailure; | |
1563 } | |
1564 | |
1565 rv = ssl3_AppendHandshakeHeader(ss, finished, finishedLen); | |
1566 if (rv != SECSuccess) { | |
1567 errCode = PR_GetError(); | |
1568 goto alert_loser; | |
1569 } | |
1570 | |
1571 rv = ssl3_AppendHandshake(ss, finishedBuf, finishedLen); | |
1572 if (rv != SECSuccess) { | |
1573 errCode = PR_GetError(); | |
1574 goto alert_loser; | |
1575 } | |
1576 | |
1577 rv = ssl3_FlushHandshake(ss, 0); | |
1578 if (rv != SECSuccess) { | |
1579 errCode = PR_GetError(); | |
1580 goto alert_loser; | |
1581 } | |
1582 | |
1583 if (ss->sec.isServer) { | |
1584 rv = tls13_InitCipherSpec(ss, TrafficKeyApplicationData, | |
1585 InstallCipherSpecWrite); | |
1586 } else { | |
1587 rv = tls13_InstallCipherSpec(ss, InstallCipherSpecWrite); | |
1588 } | |
1589 if (rv != SECSuccess) { | |
1590 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | |
1591 return SECFailure; | |
1592 } | |
1593 | |
1594 /* TODO(ekr@rtfm.com): Record key log */ | |
1595 return SECSuccess; | |
1596 | |
1597 alert_loser: | |
1598 (void)SSL3_SendAlert(ss, alert_fatal, internal_error); | |
1599 PORT_SetError(errCode); /* Restore error code */ | |
1600 return rv; | |
1601 } | |
1602 | |
1603 static SECStatus | |
1604 tls13_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length, | |
1605 const SSL3Hashes *hashes) | |
1606 { | |
1607 SECStatus rv; | |
1608 PRUint8 finishedBuf[MAX_FINISHED_SIZE]; | |
1609 unsigned int finishedLen; | |
1610 | |
1611 PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); | |
1612 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | |
1613 | |
1614 SSL_TRC(3, ("%d: TLS13[%d]: handle finished handshake", | |
1615 SSL_GETPID(), ss->fd)); | |
1616 | |
1617 rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_FINISHED, wait_finishe
d); | |
1618 if (rv != SECSuccess) { | |
1619 return SECFailure; | |
1620 } | |
1621 if (!hashes) { | |
1622 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); | |
1623 return SECFailure; | |
1624 } | |
1625 | |
1626 ssl_GetSpecReadLock(ss); | |
1627 rv = tls13_ComputeFinished(ss, hashes, PR_FALSE, | |
1628 finishedBuf, &finishedLen, sizeof(finishedBuf)); | |
1629 ssl_ReleaseSpecReadLock(ss); | |
1630 if (rv != SECSuccess) { | |
1631 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); | |
1632 return SECFailure; | |
1633 } | |
1634 | |
1635 if (length != finishedLen) { | |
1636 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_FINISHED, decode_error); | |
1637 return SECFailure; | |
1638 } | |
1639 | |
1640 if (NSS_SecureMemcmp(b, finishedBuf, finishedLen) != 0) { | |
1641 FATAL_ERROR(ss, SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE, | |
1642 decrypt_error); | |
1643 return SECFailure; | |
1644 } | |
1645 | |
1646 /* Server is now finished. | |
1647 * Client sends second flight | |
1648 */ | |
1649 /* TODO(ekr@rtfm.com): Send NewSession Ticket if server. */ | |
1650 if (ss->sec.isServer) { | |
1651 rv = tls13_InstallCipherSpec(ss, InstallCipherSpecRead); | |
1652 if (rv != SECSuccess) { | |
1653 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); | |
1654 return SECFailure; | |
1655 } | |
1656 | |
1657 rv = tls13_FinishHandshake(ss); | |
1658 } else { | |
1659 if (ss->ssl3.hs.authCertificatePending) { | |
1660 /* TODO(ekr@rtfm.com): Handle pending auth */ | |
1661 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); | |
1662 PORT_Assert(0); | |
1663 return SECFailure; | |
1664 } | |
1665 rv = tls13_InitCipherSpec(ss, TrafficKeyApplicationData, | |
1666 InstallCipherSpecRead); | |
1667 if (rv != SECSuccess) { | |
1668 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); | |
1669 return SECFailure; | |
1670 } | |
1671 | |
1672 rv = tls13_SendClientSecondRound(ss); | |
1673 if (rv != SECSuccess) | |
1674 return SECFailure; /* Error code and alerts handled below */ | |
1675 } | |
1676 | |
1677 return rv; | |
1678 } | |
1679 | |
1680 static SECStatus | |
1681 tls13_FinishHandshake(sslSocket *ss) | |
1682 { | |
1683 PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); | |
1684 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | |
1685 PORT_Assert(ss->ssl3.hs.restartTarget == NULL); | |
1686 | |
1687 /* The first handshake is now completed. */ | |
1688 ss->handshake = NULL; | |
1689 | |
1690 TLS13_SET_HS_STATE(ss, idle_handshake); | |
1691 | |
1692 ssl_FinishHandshake(ss); | |
1693 | |
1694 return SECSuccess; | |
1695 } | |
1696 | |
1697 static SECStatus | |
1698 tls13_SendClientSecondRound(sslSocket *ss) | |
1699 { | |
1700 SECStatus rv; | |
1701 PRBool sendClientCert; | |
1702 | |
1703 PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); | |
1704 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | |
1705 | |
1706 sendClientCert = !ss->ssl3.sendEmptyCert && | |
1707 ss->ssl3.clientCertChain != NULL && | |
1708 ss->ssl3.clientPrivateKey != NULL; | |
1709 | |
1710 /* Defer client authentication sending if we are still | |
1711 * waiting for server authentication. See the long block | |
1712 * comment in ssl3_SendClientSecondRound for more detail. | |
1713 */ | |
1714 if (ss->ssl3.hs.restartTarget) { | |
1715 PR_NOT_REACHED("unexpected ss->ssl3.hs.restartTarget"); | |
1716 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | |
1717 return SECFailure; | |
1718 } | |
1719 if (ss->ssl3.hs.authCertificatePending && (sendClientCert || | |
1720 ss->ssl3.sendEmptyCert)) { | |
1721 SSL_TRC(3, ("%d: TLS13[%p]: deferring ssl3_SendClientSecondRound because
" | |
1722 " certificate authentication is still pending.", | |
1723 SSL_GETPID(), ss->fd)); | |
1724 ss->ssl3.hs.restartTarget = tls13_SendClientSecondRound; | |
1725 return SECWouldBlock; | |
1726 } | |
1727 | |
1728 ssl_GetXmitBufLock(ss); /*******************************/ | |
1729 if (ss->ssl3.sendEmptyCert) { | |
1730 ss->ssl3.sendEmptyCert = PR_FALSE; | |
1731 rv = ssl3_SendEmptyCertificate(ss); | |
1732 /* Don't send verify */ | |
1733 if (rv != SECSuccess) { | |
1734 goto loser; /* error code is set. */ | |
1735 } | |
1736 } else if (sendClientCert) { | |
1737 rv = ssl3_SendCertificate(ss); | |
1738 if (rv != SECSuccess) { | |
1739 goto loser; /* error code is set. */ | |
1740 } | |
1741 } | |
1742 | |
1743 if (sendClientCert) { | |
1744 rv = ssl3_SendCertificateVerify(ss, ss->ssl3.clientPrivateKey); | |
1745 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | |
1746 ss->ssl3.clientPrivateKey = NULL; | |
1747 if (rv != SECSuccess) { | |
1748 goto loser; /* err is set. */ | |
1749 } | |
1750 } | |
1751 | |
1752 rv = tls13_SendFinished(ss); | |
1753 if (rv != SECSuccess) { | |
1754 goto loser; /* err code was set. */ | |
1755 } | |
1756 ssl_ReleaseXmitBufLock(ss); /*******************************/ | |
1757 | |
1758 /* The handshake is now finished */ | |
1759 return tls13_FinishHandshake(ss); | |
1760 | |
1761 loser: | |
1762 ssl_ReleaseXmitBufLock(ss); /*******************************/ | |
1763 return SECFailure; | |
1764 } | |
1765 | |
1766 static SECStatus | |
1767 tls13_HandleNewSessionTicket(sslSocket *ss, SSL3Opaque *b, PRUint32 length) | |
1768 { | |
1769 SECStatus rv; | |
1770 | |
1771 rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET, | |
1772 idle_handshake); | |
1773 if (rv != SECSuccess) { | |
1774 return SECFailure; | |
1775 } | |
1776 | |
1777 UNIMPLEMENTED(); | |
1778 | |
1779 /* Ignore */ | |
1780 return SECSuccess; | |
1781 } | |
1782 | |
1783 typedef enum { | |
1784 ExtensionNotUsed, | |
1785 ExtensionClientOnly, | |
1786 ExtensionSendClear, | |
1787 ExtensionSendEncrypted, | |
1788 } Tls13ExtensionStatus; | |
1789 | |
1790 static const struct { | |
1791 SSLExtensionType ex_value; | |
1792 Tls13ExtensionStatus status; | |
1793 } KnownExtensions[] = { | |
1794 { ssl_server_name_xtn, | |
1795 ExtensionSendEncrypted }, | |
1796 { | |
1797 ssl_cert_status_xtn, | |
1798 ExtensionNotUsed /* TODO(ekr@rtfm.com): Disabled because broken | |
1799 in TLS 1.3. */ | |
1800 /* ExtensionSendEncrypted */ | |
1801 }, | |
1802 { ssl_elliptic_curves_xtn, | |
1803 ExtensionSendClear }, | |
1804 { ssl_ec_point_formats_xtn, | |
1805 ExtensionNotUsed }, | |
1806 { ssl_signature_algorithms_xtn, | |
1807 ExtensionClientOnly }, | |
1808 { ssl_use_srtp_xtn, | |
1809 ExtensionSendEncrypted }, | |
1810 { ssl_app_layer_protocol_xtn, | |
1811 ExtensionSendEncrypted }, | |
1812 { ssl_padding_xtn, | |
1813 ExtensionNotUsed }, | |
1814 { ssl_extended_master_secret_xtn, | |
1815 ExtensionNotUsed }, | |
1816 { ssl_session_ticket_xtn, | |
1817 ExtensionClientOnly }, | |
1818 { ssl_tls13_key_share_xtn, | |
1819 ExtensionSendClear }, | |
1820 { ssl_next_proto_nego_xtn, | |
1821 ExtensionNotUsed }, | |
1822 { ssl_renegotiation_info_xtn, | |
1823 ExtensionNotUsed }, | |
1824 { ssl_tls13_draft_version_xtn, | |
1825 ExtensionClientOnly } | |
1826 }; | |
1827 | |
1828 PRBool | |
1829 tls13_ExtensionAllowed(PRUint16 extension, SSL3HandshakeType message) | |
1830 { | |
1831 unsigned int i; | |
1832 | |
1833 PORT_Assert((message == client_hello) || | |
1834 (message == server_hello) || | |
1835 (message == encrypted_extensions)); | |
1836 | |
1837 for (i = 0; i < PR_ARRAY_SIZE(KnownExtensions); i++) { | |
1838 if (KnownExtensions[i].ex_value == extension) | |
1839 break; | |
1840 } | |
1841 if (i == PR_ARRAY_SIZE(KnownExtensions)) { | |
1842 /* We have never heard of this extension which is OK on | |
1843 * the server but not the client. */ | |
1844 return message == client_hello; | |
1845 } | |
1846 | |
1847 switch (KnownExtensions[i].status) { | |
1848 case ExtensionNotUsed: | |
1849 return PR_FALSE; | |
1850 case ExtensionClientOnly: | |
1851 return message == client_hello; | |
1852 case ExtensionSendClear: | |
1853 return message == client_hello || | |
1854 message == server_hello; | |
1855 case ExtensionSendEncrypted: | |
1856 return message == client_hello || | |
1857 message == encrypted_extensions; | |
1858 } | |
1859 | |
1860 PORT_Assert(0); | |
1861 | |
1862 /* Not reached */ | |
1863 return PR_TRUE; | |
1864 } | |
1865 | |
1866 /* Helper function to encode a uint32 into a buffer */ | |
1867 unsigned char * | |
1868 tls13_EncodeUintX(PRUint32 value, unsigned int bytes, unsigned char *to) | |
1869 { | |
1870 PRUint32 encoded; | |
1871 | |
1872 PORT_Assert(bytes > 0 && bytes <= 4); | |
1873 | |
1874 encoded = PR_htonl(value); | |
1875 memcpy(to, ((unsigned char *)(&encoded)) + (4 - bytes), bytes); | |
1876 return to + bytes; | |
1877 } | |
1878 | |
1879 /* TLS 1.3 doesn't actually have additional data but the aead function | |
1880 * signature overloads additional data to carry the record sequence | |
1881 * number and that's what we put here. The TLS 1.3 AEAD functions | |
1882 * just use this input as the sequence number and not as additional | |
1883 * data. */ | |
1884 static void | |
1885 tls13_FormatAdditionalData(unsigned char *aad, unsigned int length, | |
1886 SSL3SequenceNumber seqNum) | |
1887 { | |
1888 unsigned char *ptr = aad; | |
1889 | |
1890 PORT_Assert(length == 8); | |
1891 ptr = tls13_EncodeUintX(seqNum.high, 4, ptr); | |
1892 ptr = tls13_EncodeUintX(seqNum.low, 4, ptr); | |
1893 PORT_Assert((ptr - aad) == length); | |
1894 } | |
1895 | |
1896 SECStatus | |
1897 tls13_ProtectRecord(sslSocket *ss, | |
1898 SSL3ContentType type, | |
1899 const SSL3Opaque *pIn, | |
1900 PRUint32 contentLen, | |
1901 sslBuffer *wrBuf) | |
1902 { | |
1903 ssl3CipherSpec *cwSpec = ss->ssl3.cwSpec; | |
1904 const ssl3BulkCipherDef *cipher_def = cwSpec->cipher_def; | |
1905 SECStatus rv; | |
1906 PRUint16 headerLen; | |
1907 int cipherBytes = 0; | |
1908 const int tagLen = cipher_def->tag_size; | |
1909 | |
1910 SSL_TRC(3, ("%d: TLS13[%d]: protect record of length %u, seq=0x%0x%0x", | |
1911 SSL_GETPID(), ss->fd, contentLen, | |
1912 cwSpec->write_seq_num.high, | |
1913 cwSpec->write_seq_num.low)); | |
1914 | |
1915 headerLen = IS_DTLS(ss) ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LEN
GTH; | |
1916 | |
1917 if (headerLen + contentLen + 1 + tagLen > wrBuf->space) { | |
1918 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | |
1919 return SECFailure; | |
1920 } | |
1921 | |
1922 /* Copy the data into the wrBuf. We're going to encrypt in-place | |
1923 * in the AEAD branch anyway */ | |
1924 PORT_Memcpy(wrBuf->buf + headerLen, pIn, contentLen); | |
1925 | |
1926 if (cipher_def->calg == ssl_calg_null) { | |
1927 /* Shortcut for plaintext */ | |
1928 cipherBytes = contentLen; | |
1929 } else { | |
1930 unsigned char aad[8]; | |
1931 PORT_Assert(cipher_def->type == type_aead); | |
1932 | |
1933 /* Add the content type at the end. */ | |
1934 wrBuf->buf[headerLen + contentLen] = type; | |
1935 | |
1936 /* Stomp the content type to be application_data */ | |
1937 type = content_application_data; | |
1938 | |
1939 tls13_FormatAdditionalData(aad, sizeof(aad), | |
1940 cwSpec->write_seq_num); | |
1941 cipherBytes = contentLen + 1; /* Room for the content type on the end. *
/ | |
1942 rv = cwSpec->aead( | |
1943 ss->sec.isServer ? &cwSpec->server : &cwSpec->client, | |
1944 PR_FALSE, /* do encrypt */ | |
1945 wrBuf->buf + headerLen, /* output */ | |
1946 &cipherBytes, /* out len */ | |
1947 wrBuf->space - headerLen, /* max out */ | |
1948 wrBuf->buf + headerLen, contentLen + 1, /* input */ | |
1949 aad, sizeof(aad)); | |
1950 if (rv != SECSuccess) { | |
1951 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); | |
1952 return SECFailure; | |
1953 } | |
1954 } | |
1955 | |
1956 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 256); | |
1957 | |
1958 wrBuf->len = cipherBytes + headerLen; | |
1959 wrBuf->buf[0] = type; | |
1960 | |
1961 if (IS_DTLS(ss)) { | |
1962 (void)tls13_EncodeUintX(2, dtls_TLSVersionToDTLSVersion(kRecordVersion), | |
1963 &wrBuf->buf[1]); | |
1964 (void)tls13_EncodeUintX(cwSpec->write_seq_num.high, 4, &wrBuf->buf[3]); | |
1965 (void)tls13_EncodeUintX(cwSpec->write_seq_num.low, 4, &wrBuf->buf[7]); | |
1966 (void)tls13_EncodeUintX(cipherBytes, 2, &wrBuf->buf[11]); | |
1967 } else { | |
1968 (void)tls13_EncodeUintX(kRecordVersion, 2, &wrBuf->buf[1]); | |
1969 (void)tls13_EncodeUintX(cipherBytes, 2, &wrBuf->buf[3]); | |
1970 } | |
1971 ssl3_BumpSequenceNumber(&cwSpec->write_seq_num); | |
1972 | |
1973 return SECSuccess; | |
1974 } | |
1975 | |
1976 /* Unprotect a TLS 1.3 record and leave the result in plaintext. | |
1977 * | |
1978 * Called by ssl3_HandleRecord. Caller must hold the spec read lock. | |
1979 * Therefore, we MUST not call SSL3_SendAlert(). | |
1980 * | |
1981 * If SECFailure is returned, we: | |
1982 * 1. Set |*alert| to the alert to be sent. | |
1983 * 2. Call PORT_SetError() witn an appropriate code. | |
1984 */ | |
1985 SECStatus | |
1986 tls13_UnprotectRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *plaintext
, | |
1987 SSL3AlertDescription *alert) | |
1988 { | |
1989 ssl3CipherSpec *crSpec = ss->ssl3.crSpec; | |
1990 const ssl3BulkCipherDef *cipher_def = crSpec->cipher_def; | |
1991 unsigned char aad[8]; | |
1992 SECStatus rv; | |
1993 | |
1994 *alert = bad_record_mac; /* Default alert for most issues. */ | |
1995 | |
1996 SSL_TRC(3, ("%d: TLS13[%d]: unprotect record of length %u", | |
1997 SSL_GETPID(), ss->fd, cText->buf->len)); | |
1998 | |
1999 /* We can perform this test in variable time because the record's total | |
2000 * length and the ciphersuite are both public knowledge. */ | |
2001 if (cText->buf->len < cipher_def->tag_size) { | |
2002 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); | |
2003 return SECFailure; | |
2004 } | |
2005 | |
2006 /* Verify that the content type is right, even though we overwrite it. */ | |
2007 if (cText->type != content_application_data) { | |
2008 /* Do we need a better error here? */ | |
2009 PORT_SetError(SSL_ERROR_BAD_MAC_READ); | |
2010 return SECFailure; | |
2011 } | |
2012 | |
2013 /* Check the version number in the record */ | |
2014 if (cText->version != kRecordVersion) { | |
2015 /* Do we need a better error here? */ | |
2016 PORT_SetError(SSL_ERROR_BAD_MAC_READ); | |
2017 return SECFailure; | |
2018 } | |
2019 | |
2020 /* Decrypt */ | |
2021 PORT_Assert(cipher_def->type == type_aead); | |
2022 tls13_FormatAdditionalData(aad, sizeof(aad), | |
2023 IS_DTLS(ss) ? cText->seq_num | |
2024 : crSpec->read_seq_num); | |
2025 rv = crSpec->aead( | |
2026 ss->sec.isServer ? &crSpec->client : &crSpec->server, | |
2027 PR_TRUE, /* do decrypt */ | |
2028 plaintext->buf, /* out */ | |
2029 (int *)&plaintext->len, /* outlen */ | |
2030 plaintext->space, /* maxout */ | |
2031 cText->buf->buf, /* in */ | |
2032 cText->buf->len, /* inlen */ | |
2033 aad, sizeof(aad)); | |
2034 if (rv != SECSuccess) { | |
2035 PORT_SetError(SSL_ERROR_BAD_MAC_READ); | |
2036 return SECFailure; | |
2037 } | |
2038 | |
2039 /* The record is right-padded with 0s, followed by the true | |
2040 * content type, so read from the right until we receive a | |
2041 * nonzero byte. */ | |
2042 while (plaintext->len > 0 && !(plaintext->buf[plaintext->len - 1])) { | |
2043 --plaintext->len; | |
2044 } | |
2045 | |
2046 /* Bogus padding. */ | |
2047 if (plaintext->len < 1) { | |
2048 /* It's safe to report this specifically because it happened | |
2049 * after the MAC has been verified. */ | |
2050 PORT_SetError(SSL_ERROR_BAD_BLOCK_PADDING); | |
2051 return SECFailure; | |
2052 } | |
2053 | |
2054 /* Record the type. */ | |
2055 cText->type = plaintext->buf[plaintext->len - 1]; | |
2056 --plaintext->len; | |
2057 | |
2058 return SECSuccess; | |
2059 } | |
OLD | NEW |