"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "nss/lib/ssl/tls13con.c" between
nss-3.61.tar.gz and nss-3.62.tar.gz

About: NSS is a set of libraries, APIs, utilities, and documentation designed to support cross-platform development of security-enabled client and server applications. It provides a complete implementation of the crypto libraries used by Mozilla and other companies.

tls13con.c  (nss-3.61):tls13con.c  (nss-3.62)
skipping to change at line 64 skipping to change at line 64
static SECStatus tls13_HandleCertificateVerify( static SECStatus tls13_HandleCertificateVerify(
sslSocket *ss, PRUint8 *b, PRUint32 length); sslSocket *ss, PRUint8 *b, PRUint32 length);
static SECStatus tls13_RecoverWrappedSharedSecret(sslSocket *ss, static SECStatus tls13_RecoverWrappedSharedSecret(sslSocket *ss,
sslSessionID *sid); sslSessionID *sid);
static SECStatus static SECStatus
tls13_DeriveSecretWrap(sslSocket *ss, PK11SymKey *key, tls13_DeriveSecretWrap(sslSocket *ss, PK11SymKey *key,
const char *prefix, const char *prefix,
const char *suffix, const char *suffix,
const char *keylogLabel, const char *keylogLabel,
PK11SymKey **dest); PK11SymKey **dest);
static SECStatus SECStatus
tls13_DeriveSecret(sslSocket *ss, PK11SymKey *key, tls13_DeriveSecret(sslSocket *ss, PK11SymKey *key,
const char *label, const char *label,
unsigned int labelLen, unsigned int labelLen,
const SSL3Hashes *hashes, const SSL3Hashes *hashes,
PK11SymKey **dest, PK11SymKey **dest,
SSLHashType hash); SSLHashType hash);
static SECStatus tls13_SendEndOfEarlyData(sslSocket *ss); static SECStatus tls13_SendEndOfEarlyData(sslSocket *ss);
static SECStatus tls13_HandleEndOfEarlyData(sslSocket *ss, const PRUint8 *b, static SECStatus tls13_HandleEndOfEarlyData(sslSocket *ss, const PRUint8 *b,
PRUint32 length); PRUint32 length);
static SECStatus tls13_MaybeHandleSuppressedEndOfEarlyData(sslSocket *ss); static SECStatus tls13_MaybeHandleSuppressedEndOfEarlyData(sslSocket *ss);
skipping to change at line 1187 skipping to change at line 1187
keylogLabelEarlyExporterSecret, keylogLabelEarlyExporterSecret,
&ss->ssl3.hs.earlyExporterSecret); &ss->ssl3.hs.earlyExporterSecret);
if (rv != SECSuccess) { if (rv != SECSuccess) {
return SECFailure; return SECFailure;
} }
return SECSuccess; return SECSuccess;
} }
static SECStatus static SECStatus
tls13_ComputeHandshakeSecrets(sslSocket *ss) tls13_ComputeHandshakeSecret(sslSocket *ss)
{ {
SECStatus rv; SECStatus rv;
PK11SymKey *derivedSecret = NULL; PK11SymKey *derivedSecret = NULL;
PK11SymKey *newSecret = NULL; PK11SymKey *newSecret = NULL;
SSL_TRC(5, ("%d: TLS13[%d]: compute handshake secret (%s)",
SSL_TRC(5, ("%d: TLS13[%d]: compute handshake secrets (%s)",
SSL_GETPID(), ss->fd, SSL_ROLE(ss))); SSL_GETPID(), ss->fd, SSL_ROLE(ss)));
/* If no PSK, generate the default early secret. */ /* If no PSK, generate the default early secret. */
if (!ss->ssl3.hs.currentSecret) { if (!ss->ssl3.hs.currentSecret) {
PORT_Assert(!ss->xtnData.selectedPsk); PORT_Assert(!ss->xtnData.selectedPsk);
rv = tls13_HkdfExtract(NULL, NULL, rv = tls13_HkdfExtract(NULL, NULL,
tls13_GetHash(ss), &ss->ssl3.hs.currentSecret); tls13_GetHash(ss), &ss->ssl3.hs.currentSecret);
if (rv != SECSuccess) { if (rv != SECSuccess) {
return SECFailure; return SECFailure;
} }
} }
PORT_Assert(ss->ssl3.hs.currentSecret); PORT_Assert(ss->ssl3.hs.currentSecret);
PORT_Assert(ss->ssl3.hs.dheSecret); PORT_Assert(ss->ssl3.hs.dheSecret);
/* Expand before we extract. */ /* Derive-Secret(., "derived", "") */
rv = tls13_DeriveSecretNullHash(ss, ss->ssl3.hs.currentSecret, rv = tls13_DeriveSecretNullHash(ss, ss->ssl3.hs.currentSecret,
kHkdfLabelDerivedSecret, kHkdfLabelDerivedSecret,
strlen(kHkdfLabelDerivedSecret), strlen(kHkdfLabelDerivedSecret),
&derivedSecret, tls13_GetHash(ss)); &derivedSecret, tls13_GetHash(ss));
if (rv != SECSuccess) { if (rv != SECSuccess) {
LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE);
return rv; return rv;
} }
/* HKDF-Extract(ECDHE, .) = Handshake Secret */
rv = tls13_HkdfExtract(derivedSecret, ss->ssl3.hs.dheSecret, rv = tls13_HkdfExtract(derivedSecret, ss->ssl3.hs.dheSecret,
tls13_GetHash(ss), &newSecret); tls13_GetHash(ss), &newSecret);
PK11_FreeSymKey(derivedSecret); PK11_FreeSymKey(derivedSecret);
if (rv != SECSuccess) { if (rv != SECSuccess) {
LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE);
return rv; return rv;
} }
PK11_FreeSymKey(ss->ssl3.hs.dheSecret);
ss->ssl3.hs.dheSecret = NULL;
PK11_FreeSymKey(ss->ssl3.hs.currentSecret); PK11_FreeSymKey(ss->ssl3.hs.currentSecret);
ss->ssl3.hs.currentSecret = newSecret; ss->ssl3.hs.currentSecret = newSecret;
return SECSuccess;
}
static SECStatus
tls13_ComputeHandshakeSecrets(sslSocket *ss)
{
SECStatus rv;
PK11SymKey *derivedSecret = NULL;
PK11SymKey *newSecret = NULL;
PK11_FreeSymKey(ss->ssl3.hs.dheSecret);
ss->ssl3.hs.dheSecret = NULL;
SSL_TRC(5, ("%d: TLS13[%d]: compute handshake secrets (%s)",
SSL_GETPID(), ss->fd, SSL_ROLE(ss)));
/* Now compute |*HsTrafficSecret| */ /* Now compute |*HsTrafficSecret| */
rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret, rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret,
kHkdfLabelClient, kHkdfLabelClient,
kHkdfLabelHandshakeTrafficSecret, kHkdfLabelHandshakeTrafficSecret,
keylogLabelClientHsTrafficSecret, keylogLabelClientHsTrafficSecret,
&ss->ssl3.hs.clientHsTrafficSecret); &ss->ssl3.hs.clientHsTrafficSecret);
if (rv != SECSuccess) { if (rv != SECSuccess) {
LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE); LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE);
return rv; return rv;
skipping to change at line 1868 skipping to change at line 1881
if (!ssl3_ExtensionNegotiated(ss, ssl_tls13_cookie_xtn) || if (!ssl3_ExtensionNegotiated(ss, ssl_tls13_cookie_xtn) ||
!ss->xtnData.cookie.len) { !ss->xtnData.cookie.len) {
FATAL_ERROR(ss, SSL_ERROR_MISSING_COOKIE_EXTENSION, FATAL_ERROR(ss, SSL_ERROR_MISSING_COOKIE_EXTENSION,
missing_extension); missing_extension);
goto loser; goto loser;
} }
PRINT_BUF(50, (ss, "Client sent cookie", PRINT_BUF(50, (ss, "Client sent cookie",
ss->xtnData.cookie.data, ss->xtnData.cookie.len)); ss->xtnData.cookie.data, ss->xtnData.cookie.len));
rv = tls13_RecoverHashState(ss, ss->xtnData.cookie.data, rv = tls13_HandleHrrCookie(ss, ss->xtnData.cookie.data,
ss->xtnData.cookie.len, ss->xtnData.cookie.len,
&previousCipherSuite, &previousCipherSuite,
&previousGroup, &previousGroup,
&previousEchOffered); &previousEchOffered,
NULL, NULL, NULL, NULL, PR_TRUE);
if (rv != SECSuccess) { if (rv != SECSuccess) {
FATAL_ERROR(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO, illegal_parameter); FATAL_ERROR(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO, illegal_parameter);
goto loser; goto loser;
} }
/* CH1/CH2 must either both include ECH, or both exclude it. */
if ((ss->xtnData.echConfigId.len > 0) != previousEchOffered) {
FATAL_ERROR(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO,
illegal_parameter);
goto loser;
}
} }
/* Now merge the ClientHello into the hash state. */ /* Now merge the ClientHello into the hash state. */
rv = ssl_HashHandshakeMessage(ss, ssl_hs_client_hello, msg, len); rv = ssl_HashHandshakeMessage(ss, ssl_hs_client_hello, msg, len);
if (rv != SECSuccess) { if (rv != SECSuccess) {
FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);
goto loser; goto loser;
} }
/* Now create a synthetic kea_def that we can tweak. */ /* Now create a synthetic kea_def that we can tweak. */
skipping to change at line 1939 skipping to change at line 1946
FATAL_ERROR(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO, FATAL_ERROR(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO,
illegal_parameter); illegal_parameter);
goto loser; goto loser;
} }
if (!clientShare) { if (!clientShare) {
FATAL_ERROR(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO, FATAL_ERROR(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO,
illegal_parameter); illegal_parameter);
goto loser; goto loser;
} }
/* CH1/CH2 must either both include ECH, or both exclude it. */
if (previousEchOffered != (ss->xtnData.ech != NULL)) {
FATAL_ERROR(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO,
previousEchOffered ? missing_extension : illegal_paramet
er);
goto loser;
}
/* If we requested a new key share, check that the client provided just /* If we requested a new key share, check that the client provided just
* one of the right type. */ * one of the right type. */
if (previousGroup) { if (previousGroup) {
if (PR_PREV_LINK(&ss->xtnData.remoteKeyShares) != if (PR_PREV_LINK(&ss->xtnData.remoteKeyShares) !=
PR_NEXT_LINK(&ss->xtnData.remoteKeyShares)) { PR_NEXT_LINK(&ss->xtnData.remoteKeyShares)) {
FATAL_ERROR(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO, FATAL_ERROR(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO,
illegal_parameter); illegal_parameter);
goto loser; goto loser;
} }
if (clientShare->group != previousGroup) { if (clientShare->group != previousGroup) {
skipping to change at line 2828 skipping to change at line 2842
PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
rv = ssl3_RegisterExtensionSender(ss, &ss->xtnData, rv = ssl3_RegisterExtensionSender(ss, &ss->xtnData,
ssl_tls13_supported_versions_xtn, ssl_tls13_supported_versions_xtn,
tls13_ServerSendSupportedVersionsXtn); tls13_ServerSendSupportedVersionsXtn);
if (rv != SECSuccess) { if (rv != SECSuccess) {
return SECFailure; return SECFailure;
} }
rv = tls13_ComputeHandshakeSecret(ss);
if (rv != SECSuccess) {
return SECFailure; /* error code is set. */
}
rv = ssl3_SendServerHello(ss); rv = ssl3_SendServerHello(ss);
if (rv != SECSuccess) { if (rv != SECSuccess) {
return rv; /* err code is set. */ return rv; /* err code is set. */
} }
if (ss->ssl3.hs.fakeSid.len) { if (ss->ssl3.hs.fakeSid.len) {
PORT_Assert(!IS_DTLS(ss)); PORT_Assert(!IS_DTLS(ss));
SECITEM_FreeItem(&ss->ssl3.hs.fakeSid, PR_FALSE); SECITEM_FreeItem(&ss->ssl3.hs.fakeSid, PR_FALSE);
if (!ss->ssl3.hs.helloRetry) { if (!ss->ssl3.hs.helloRetry) {
rv = ssl3_SendChangeCipherSpecsInt(ss); rv = ssl3_SendChangeCipherSpecsInt(ss);
skipping to change at line 2912 skipping to change at line 2931
} }
} }
/* Here we set a baseline value for our RTT estimation. /* Here we set a baseline value for our RTT estimation.
* This value is updated when we get a response from the client. */ * This value is updated when we get a response from the client. */
ss->ssl3.hs.rttEstimate = ssl_Time(ss); ss->ssl3.hs.rttEstimate = ssl_Time(ss);
return SECSuccess; return SECSuccess;
} }
SECStatus SECStatus
tls13_HandleServerHelloPart2(sslSocket *ss) tls13_HandleServerHelloPart2(sslSocket *ss, const PRUint8 *savedMsg, PRUint32 sa vedLength)
{ {
SECStatus rv; SECStatus rv;
sslSessionID *sid = ss->sec.ci.sid; sslSessionID *sid = ss->sec.ci.sid;
SSL3Statistics *ssl3stats = SSL_GetStatistics(); SSL3Statistics *ssl3stats = SSL_GetStatistics();
if (ssl3_ExtensionNegotiated(ss, ssl_tls13_pre_shared_key_xtn)) { if (ssl3_ExtensionNegotiated(ss, ssl_tls13_pre_shared_key_xtn)) {
PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks)); PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks));
PORT_Assert(ss->xtnData.selectedPsk); PORT_Assert(ss->xtnData.selectedPsk);
if (ss->xtnData.selectedPsk->type != ssl_psk_resume) { if (ss->xtnData.selectedPsk->type != ssl_psk_resume) {
skipping to change at line 2994 skipping to change at line 3013
if (ss->statelessResume) { if (ss->statelessResume) {
PORT_Assert(ss->sec.peerCert); PORT_Assert(ss->sec.peerCert);
sid->peerCert = CERT_DupCertificate(ss->sec.peerCert); sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
} }
sid->version = ss->version; sid->version = ss->version;
rv = tls13_HandleServerKeyShare(ss); rv = tls13_HandleServerKeyShare(ss);
if (rv != SECSuccess) { if (rv != SECSuccess) {
return SECFailure; return SECFailure;
} }
rv = tls13_ComputeHandshakeSecret(ss);
if (rv != SECSuccess) {
return SECFailure; /* error code is set. */
}
rv = tls13_MaybeHandleEchSignal(ss, savedMsg, savedLength);
if (rv != SECSuccess) {
return SECFailure; /* error code is set. */
}
rv = tls13_ComputeHandshakeSecrets(ss); rv = tls13_ComputeHandshakeSecrets(ss);
if (rv != SECSuccess) { if (rv != SECSuccess) {
return SECFailure; /* error code is set. */ return SECFailure; /* error code is set. */
} }
if (ss->ssl3.hs.zeroRttState == ssl_0rtt_sent) { if (ss->ssl3.hs.zeroRttState == ssl_0rtt_sent) {
/* When we send 0-RTT, we saved the null spec in case we needed it to /* When we send 0-RTT, we saved the null spec in case we needed it to
* send another ClientHello in response to a HelloRetryRequest. Now * send another ClientHello in response to a HelloRetryRequest. Now
* that we won't be receiving a HelloRetryRequest, release the spec. */ * that we won't be receiving a HelloRetryRequest, release the spec. */
ssl_CipherSpecReleaseByEpoch(ss, ssl_secret_write, TrafficKeyClearText); ssl_CipherSpecReleaseByEpoch(ss, ssl_secret_write, TrafficKeyClearText);
skipping to change at line 4963 skipping to change at line 4993
ss->handshake = NULL; ss->handshake = NULL;
/* Don't need this. */ /* Don't need this. */
PK11_FreeSymKey(ss->ssl3.hs.clientHsTrafficSecret); PK11_FreeSymKey(ss->ssl3.hs.clientHsTrafficSecret);
ss->ssl3.hs.clientHsTrafficSecret = NULL; ss->ssl3.hs.clientHsTrafficSecret = NULL;
PK11_FreeSymKey(ss->ssl3.hs.serverHsTrafficSecret); PK11_FreeSymKey(ss->ssl3.hs.serverHsTrafficSecret);
ss->ssl3.hs.serverHsTrafficSecret = NULL; ss->ssl3.hs.serverHsTrafficSecret = NULL;
TLS13_SET_HS_STATE(ss, idle_handshake); TLS13_SET_HS_STATE(ss, idle_handshake);
if (offeredEch && PORT_Assert(ss->ssl3.hs.echAccepted ==
!ssl3_ExtensionNegotiated(ss, ssl_tls13_encrypted_client_hello_xtn)) { ssl3_ExtensionNegotiated(ss, ssl_tls13_encrypted_client_hello_xt
n));
if (offeredEch && !ss->ssl3.hs.echAccepted) {
SSL3_SendAlert(ss, alert_fatal, ech_required); SSL3_SendAlert(ss, alert_fatal, ech_required);
/* "If [one, none] of the values contains a supported version, the clien t can /* "If [one, none] of the retry_configs contains a supported version, th e client can
* regard ECH as securely [replaced, disabled] by the server." */ * regard ECH as securely [replaced, disabled] by the server." */
if (ss->xtnData.echRetryConfigs.len) { if (ss->xtnData.ech && ss->xtnData.ech->retryConfigs.len) {
PORT_SetError(SSL_ERROR_ECH_RETRY_WITH_ECH); PORT_SetError(SSL_ERROR_ECH_RETRY_WITH_ECH);
ss->xtnData.echRetryConfigsValid = PR_TRUE; ss->xtnData.ech->retryConfigsValid = PR_TRUE;
} else { } else {
PORT_SetError(SSL_ERROR_ECH_RETRY_WITHOUT_ECH); PORT_SetError(SSL_ERROR_ECH_RETRY_WITHOUT_ECH);
} }
return SECFailure; return SECFailure;
} }
ssl_FinishHandshake(ss); ssl_FinishHandshake(ss);
return SECSuccess; return SECSuccess;
} }
skipping to change at line 5523 skipping to change at line 5554
certificate) }, certificate) },
{ ssl_cert_status_xtn, _M3(client_hello, certificate_request, { ssl_cert_status_xtn, _M3(client_hello, certificate_request,
certificate) }, certificate) },
{ ssl_delegated_credentials_xtn, _M2(client_hello, certificate) }, { ssl_delegated_credentials_xtn, _M2(client_hello, certificate) },
{ ssl_tls13_cookie_xtn, _M2(client_hello, hello_retry_request) }, { ssl_tls13_cookie_xtn, _M2(client_hello, hello_retry_request) },
{ ssl_tls13_certificate_authorities_xtn, _M1(certificate_request) }, { ssl_tls13_certificate_authorities_xtn, _M1(certificate_request) },
{ ssl_tls13_supported_versions_xtn, _M3(client_hello, server_hello, { ssl_tls13_supported_versions_xtn, _M3(client_hello, server_hello,
hello_retry_request) }, hello_retry_request) },
{ ssl_record_size_limit_xtn, _M2(client_hello, encrypted_extensions) }, { ssl_record_size_limit_xtn, _M2(client_hello, encrypted_extensions) },
{ ssl_tls13_encrypted_client_hello_xtn, _M2(client_hello, encrypted_extensio ns) }, { ssl_tls13_encrypted_client_hello_xtn, _M2(client_hello, encrypted_extensio ns) },
{ ssl_tls13_ech_is_inner_xtn, _M1(client_hello) },
{ ssl_tls13_outer_extensions_xtn, _M_NONE /* Encoding/decoding only */ }, { ssl_tls13_outer_extensions_xtn, _M_NONE /* Encoding/decoding only */ },
{ ssl_tls13_post_handshake_auth_xtn, _M1(client_hello) } { ssl_tls13_post_handshake_auth_xtn, _M1(client_hello) }
}; };
tls13ExtensionStatus tls13ExtensionStatus
tls13_ExtensionStatus(PRUint16 extension, SSLHandshakeType message) tls13_ExtensionStatus(PRUint16 extension, SSLHandshakeType message)
{ {
unsigned int i; unsigned int i;
PORT_Assert((message == ssl_hs_client_hello) || PORT_Assert((message == ssl_hs_client_hello) ||
 End of changes. 19 change blocks. 
26 lines changed or deleted 60 lines changed or added

Home  |  About  |  Features  |  All  |  Newest  |  Dox  |  Diffs  |  RSS Feeds  |  Screenshots  |  Comments  |  Imprint  |  Privacy  |  HTTP(S)