1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ 2 /* 3 * This Source Code Form is subject to the terms of the Mozilla Public 4 * License, v. 2.0. If a copy of the MPL was not distributed with this 5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 7 #include "nss.h" 8 #include "pk11func.h" 9 #include "pk11hpke.h" 10 #include "ssl.h" 11 #include "sslproto.h" 12 #include "sslimpl.h" 13 #include "selfencrypt.h" 14 #include "ssl3exthandle.h" 15 #include "tls13ech.h" 16 #include "tls13exthandle.h" 17 #include "tls13hashstate.h" 18 #include "tls13hkdf.h" 19 20 extern SECStatus 21 ssl3_UpdateHandshakeHashesInt(sslSocket *ss, const unsigned char *b, 22 unsigned int l, sslBuffer *transcriptBuf); 23 extern SECStatus 24 ssl3_HandleClientHelloPreamble(sslSocket *ss, PRUint8 **b, PRUint32 *length, SECItem *sidBytes, 25 SECItem *cookieBytes, SECItem *suites, SECItem *comps); 26 extern SECStatus 27 tls13_DeriveSecret(sslSocket *ss, PK11SymKey *key, 28 const char *label, 29 unsigned int labelLen, 30 const SSL3Hashes *hashes, 31 PK11SymKey **dest, 32 SSLHashType hash); 33 34 void 35 tls13_DestroyEchConfig(sslEchConfig *config) 36 { 37 if (!config) { 38 return; 39 } 40 SECITEM_FreeItem(&config->contents.publicKey, PR_FALSE); 41 SECITEM_FreeItem(&config->contents.suites, PR_FALSE); 42 SECITEM_FreeItem(&config->raw, PR_FALSE); 43 PORT_Free(config->contents.publicName); 44 config->contents.publicName = NULL; 45 PORT_ZFree(config, sizeof(*config)); 46 } 47 48 void 49 tls13_DestroyEchConfigs(PRCList *list) 50 { 51 PRCList *cur_p; 52 while (!PR_CLIST_IS_EMPTY(list)) { 53 cur_p = PR_LIST_TAIL(list); 54 PR_REMOVE_LINK(cur_p); 55 tls13_DestroyEchConfig((sslEchConfig *)cur_p); 56 } 57 } 58 59 void 60 tls13_DestroyEchXtnState(sslEchXtnState *state) 61 { 62 if (!state) { 63 return; 64 } 65 SECITEM_FreeItem(&state->innerCh, PR_FALSE); 66 SECITEM_FreeItem(&state->senderPubKey, PR_FALSE); 67 SECITEM_FreeItem(&state->retryConfigs, PR_FALSE); 68 PORT_ZFree(state, sizeof(*state)); 69 } 70 71 SECStatus 72 tls13_CopyEchConfigs(PRCList *oConfigs, PRCList *configs) 73 { 74 SECStatus rv; 75 sslEchConfig *config; 76 sslEchConfig *newConfig = NULL; 77 78 for (PRCList *cur_p = PR_LIST_HEAD(oConfigs); 79 cur_p != oConfigs; 80 cur_p = PR_NEXT_LINK(cur_p)) { 81 config = (sslEchConfig *)PR_LIST_TAIL(oConfigs); 82 newConfig = PORT_ZNew(sslEchConfig); 83 if (!newConfig) { 84 goto loser; 85 } 86 87 rv = SECITEM_CopyItem(NULL, &newConfig->raw, &config->raw); 88 if (rv != SECSuccess) { 89 goto loser; 90 } 91 newConfig->contents.publicName = PORT_Strdup(config->contents.publicName); 92 if (!newConfig->contents.publicName) { 93 goto loser; 94 } 95 rv = SECITEM_CopyItem(NULL, &newConfig->contents.publicKey, 96 &config->contents.publicKey); 97 if (rv != SECSuccess) { 98 goto loser; 99 } 100 rv = SECITEM_CopyItem(NULL, &newConfig->contents.suites, 101 &config->contents.suites); 102 if (rv != SECSuccess) { 103 goto loser; 104 } 105 newConfig->contents.configId = config->contents.configId; 106 newConfig->contents.kemId = config->contents.kemId; 107 newConfig->contents.kdfId = config->contents.kdfId; 108 newConfig->contents.aeadId = config->contents.aeadId; 109 newConfig->contents.maxNameLen = config->contents.maxNameLen; 110 newConfig->version = config->version; 111 PR_APPEND_LINK(&newConfig->link, configs); 112 } 113 return SECSuccess; 114 115 loser: 116 tls13_DestroyEchConfig(newConfig); 117 tls13_DestroyEchConfigs(configs); 118 return SECFailure; 119 } 120 121 /* 122 * struct { 123 * HpkeKdfId kdf_id; 124 * HpkeAeadId aead_id; 125 * } HpkeSymmetricCipherSuite; 126 * 127 * struct { 128 * uint8 config_id; 129 * HpkeKemId kem_id; 130 * HpkePublicKey public_key; 131 * HpkeSymmetricCipherSuite cipher_suites<4..2^16-4>; 132 * } HpkeKeyConfig; 133 * 134 * struct { 135 * HpkeKeyConfig key_config; 136 * uint16 maximum_name_length; 137 * opaque public_name<1..2^16-1>; 138 * Extension extensions<0..2^16-1>; 139 * } ECHConfigContents; 140 * 141 * struct { 142 * uint16 version; 143 * uint16 length; 144 * select (ECHConfig.version) { 145 * case 0xfe0a: ECHConfigContents contents; 146 * } 147 * } ECHConfig; 148 */ 149 static SECStatus 150 tls13_DecodeEchConfigContents(const sslReadBuffer *rawConfig, 151 sslEchConfig **outConfig) 152 { 153 SECStatus rv; 154 sslEchConfigContents contents = { 0 }; 155 sslEchConfig *decodedConfig; 156 PRUint64 tmpn; 157 PRUint64 tmpn2; 158 sslReadBuffer tmpBuf; 159 PRUint16 *extensionTypes = NULL; 160 unsigned int extensionIndex = 0; 161 sslReader configReader = SSL_READER(rawConfig->buf, rawConfig->len); 162 sslReader suiteReader; 163 sslReader extensionReader; 164 PRBool hasValidSuite = PR_FALSE; 165 166 /* HpkeKeyConfig key_config */ 167 /* uint8 config_id */ 168 rv = sslRead_ReadNumber(&configReader, 1, &tmpn); 169 if (rv != SECSuccess) { 170 goto loser; 171 } 172 contents.configId = tmpn; 173 174 /* HpkeKemId kem_id */ 175 rv = sslRead_ReadNumber(&configReader, 2, &tmpn); 176 if (rv != SECSuccess) { 177 goto loser; 178 } 179 contents.kemId = tmpn; 180 181 /* HpkePublicKey public_key */ 182 rv = sslRead_ReadVariable(&configReader, 2, &tmpBuf); 183 if (rv != SECSuccess) { 184 goto loser; 185 } 186 rv = SECITEM_MakeItem(NULL, &contents.publicKey, (PRUint8 *)tmpBuf.buf, tmpBuf.len); 187 if (rv != SECSuccess) { 188 goto loser; 189 } 190 191 /* HpkeSymmetricCipherSuite cipher_suites<4..2^16-4> */ 192 rv = sslRead_ReadVariable(&configReader, 2, &tmpBuf); 193 if (rv != SECSuccess) { 194 goto loser; 195 } 196 if (tmpBuf.len & 1) { 197 PORT_SetError(SSL_ERROR_RX_MALFORMED_ECH_CONFIG); 198 goto loser; 199 } 200 suiteReader = (sslReader)SSL_READER(tmpBuf.buf, tmpBuf.len); 201 while (SSL_READER_REMAINING(&suiteReader)) { 202 /* HpkeKdfId kdf_id */ 203 rv = sslRead_ReadNumber(&suiteReader, 2, &tmpn); 204 if (rv != SECSuccess) { 205 goto loser; 206 } 207 /* HpkeAeadId aead_id */ 208 rv = sslRead_ReadNumber(&suiteReader, 2, &tmpn2); 209 if (rv != SECSuccess) { 210 goto loser; 211 } 212 if (!hasValidSuite) { 213 /* Use the first compatible ciphersuite. */ 214 rv = PK11_HPKE_ValidateParameters(contents.kemId, tmpn, tmpn2); 215 if (rv == SECSuccess) { 216 hasValidSuite = PR_TRUE; 217 contents.kdfId = tmpn; 218 contents.aeadId = tmpn2; 219 break; 220 } 221 } 222 } 223 224 rv = SECITEM_MakeItem(NULL, &contents.suites, (PRUint8 *)tmpBuf.buf, tmpBuf.len); 225 if (rv != SECSuccess) { 226 goto loser; 227 } 228 229 /* uint16 maximum_name_length */ 230 rv = sslRead_ReadNumber(&configReader, 2, &tmpn); 231 if (rv != SECSuccess) { 232 goto loser; 233 } 234 contents.maxNameLen = (PRUint16)tmpn; 235 236 /* opaque public_name<1..2^16-1> */ 237 rv = sslRead_ReadVariable(&configReader, 2, &tmpBuf); 238 if (rv != SECSuccess) { 239 goto loser; 240 } 241 242 if (tmpBuf.len == 0) { 243 PORT_SetError(SSL_ERROR_RX_MALFORMED_ECH_CONFIG); 244 goto loser; 245 } 246 if (!tls13_IsLDH(tmpBuf.buf, tmpBuf.len) || 247 tls13_IsIp(tmpBuf.buf, tmpBuf.len)) { 248 PORT_SetError(SSL_ERROR_RX_MALFORMED_ECH_CONFIG); 249 goto loser; 250 } 251 252 contents.publicName = PORT_ZAlloc(tmpBuf.len + 1); 253 if (!contents.publicName) { 254 goto loser; 255 } 256 PORT_Memcpy(contents.publicName, (PRUint8 *)tmpBuf.buf, tmpBuf.len); 257 258 /* Extensions. We don't support any, but must 259 * check for any that are marked critical. */ 260 rv = sslRead_ReadVariable(&configReader, 2, &tmpBuf); 261 if (rv != SECSuccess) { 262 goto loser; 263 } 264 265 extensionReader = (sslReader)SSL_READER(tmpBuf.buf, tmpBuf.len); 266 extensionTypes = PORT_NewArray(PRUint16, tmpBuf.len / 2 * sizeof(PRUint16)); 267 if (!extensionTypes) { 268 goto loser; 269 } 270 271 while (SSL_READER_REMAINING(&extensionReader)) { 272 /* Get the extension's type field */ 273 rv = sslRead_ReadNumber(&extensionReader, 2, &tmpn); 274 if (rv != SECSuccess) { 275 goto loser; 276 } 277 278 for (unsigned int i = 0; i < extensionIndex; i++) { 279 if (extensionTypes[i] == tmpn) { 280 PORT_SetError(SEC_ERROR_EXTENSION_VALUE_INVALID); 281 goto loser; 282 } 283 } 284 extensionTypes[extensionIndex++] = (PRUint16)tmpn; 285 286 /* If it's mandatory, fail. */ 287 if (tmpn & (1 << 15)) { 288 PORT_SetError(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION); 289 goto loser; 290 } 291 292 /* Skip. */ 293 rv = sslRead_ReadVariable(&extensionReader, 2, &tmpBuf); 294 if (rv != SECSuccess) { 295 goto loser; 296 } 297 } 298 299 /* Check that we consumed the entire ECHConfig */ 300 if (SSL_READER_REMAINING(&configReader)) { 301 PORT_SetError(SSL_ERROR_RX_MALFORMED_ECH_CONFIG); 302 goto loser; 303 } 304 305 /* If the ciphersuites weren't compatible, don't 306 * set the outparam. Return success to indicate 307 * the config was well-formed. */ 308 if (hasValidSuite) { 309 decodedConfig = PORT_ZNew(sslEchConfig); 310 if (!decodedConfig) { 311 goto loser; 312 } 313 decodedConfig->contents = contents; 314 *outConfig = decodedConfig; 315 } else { 316 PORT_Free(contents.publicName); 317 SECITEM_FreeItem(&contents.publicKey, PR_FALSE); 318 SECITEM_FreeItem(&contents.suites, PR_FALSE); 319 } 320 PORT_Free(extensionTypes); 321 return SECSuccess; 322 323 loser: 324 PORT_Free(extensionTypes); 325 PORT_Free(contents.publicName); 326 SECITEM_FreeItem(&contents.publicKey, PR_FALSE); 327 SECITEM_FreeItem(&contents.suites, PR_FALSE); 328 return SECFailure; 329 } 330 331 /* Decode an ECHConfigList struct and store each ECHConfig 332 * into |configs|. */ 333 SECStatus 334 tls13_DecodeEchConfigs(const SECItem *data, PRCList *configs) 335 { 336 SECStatus rv; 337 sslEchConfig *decodedConfig = NULL; 338 sslReader rdr = SSL_READER(data->data, data->len); 339 sslReadBuffer tmp; 340 sslReadBuffer singleConfig; 341 PRUint64 version; 342 PRUint64 length; 343 PORT_Assert(PR_CLIST_IS_EMPTY(configs)); 344 345 rv = sslRead_ReadVariable(&rdr, 2, &tmp); 346 if (rv != SECSuccess) { 347 return SECFailure; 348 } 349 350 if (SSL_READER_REMAINING(&rdr)) { 351 PORT_SetError(SEC_ERROR_BAD_DATA); 352 return SECFailure; 353 } 354 355 sslReader configsReader = SSL_READER(tmp.buf, tmp.len); 356 357 if (!SSL_READER_REMAINING(&configsReader)) { 358 PORT_SetError(SEC_ERROR_BAD_DATA); 359 return SECFailure; 360 } 361 362 /* Handle each ECHConfig. */ 363 while (SSL_READER_REMAINING(&configsReader)) { 364 singleConfig.buf = SSL_READER_CURRENT(&configsReader); 365 /* uint16 version */ 366 rv = sslRead_ReadNumber(&configsReader, 2, &version); 367 if (rv != SECSuccess) { 368 goto loser; 369 } 370 /* uint16 length */ 371 rv = sslRead_ReadNumber(&configsReader, 2, &length); 372 if (rv != SECSuccess) { 373 goto loser; 374 } 375 singleConfig.len = 4 + length; 376 377 rv = sslRead_Read(&configsReader, length, &tmp); 378 if (rv != SECSuccess) { 379 goto loser; 380 } 381 382 if (version == TLS13_ECH_VERSION) { 383 rv = tls13_DecodeEchConfigContents(&tmp, &decodedConfig); 384 if (rv != SECSuccess) { 385 goto loser; /* code set */ 386 } 387 388 if (decodedConfig) { 389 decodedConfig->version = version; 390 rv = SECITEM_MakeItem(NULL, &decodedConfig->raw, singleConfig.buf, 391 singleConfig.len); 392 if (rv != SECSuccess) { 393 goto loser; 394 } 395 396 PR_APPEND_LINK(&decodedConfig->link, configs); 397 decodedConfig = NULL; 398 } 399 } 400 } 401 return SECSuccess; 402 403 loser: 404 tls13_DestroyEchConfigs(configs); 405 return SECFailure; 406 } 407 408 /* Encode an ECHConfigList structure. We only create one config, and as the 409 * primary use for this function is to generate test inputs, we don't 410 * validate against what HPKE and libssl can actually support. */ 411 SECStatus 412 SSLExp_EncodeEchConfigId(PRUint8 configId, const char *publicName, unsigned int maxNameLen, 413 HpkeKemId kemId, const SECKEYPublicKey *pubKey, 414 const HpkeSymmetricSuite *hpkeSuites, unsigned int hpkeSuiteCount, 415 PRUint8 *out, unsigned int *outlen, unsigned int maxlen) 416 { 417 SECStatus rv; 418 unsigned int savedOffset; 419 unsigned int len; 420 sslBuffer b = SSL_BUFFER_EMPTY; 421 PRUint8 tmpBuf[66]; // Large enough for an EC public key, currently only X25519. 422 unsigned int tmpLen; 423 424 if (!publicName || !hpkeSuites || hpkeSuiteCount == 0 || 425 !pubKey || maxNameLen == 0 || !out || !outlen) { 426 PORT_SetError(SEC_ERROR_INVALID_ARGS); 427 return SECFailure; 428 } 429 430 /* ECHConfig ECHConfigList<1..2^16-1>; */ 431 rv = sslBuffer_Skip(&b, 2, NULL); 432 if (rv != SECSuccess) { 433 goto loser; 434 } 435 436 /* 437 * struct { 438 * uint16 version; 439 * uint16 length; 440 * select (ECHConfig.version) { 441 * case 0xfe0a: ECHConfigContents contents; 442 * } 443 * } ECHConfig; 444 */ 445 rv = sslBuffer_AppendNumber(&b, TLS13_ECH_VERSION, 2); 446 if (rv != SECSuccess) { 447 goto loser; 448 } 449 450 rv = sslBuffer_Skip(&b, 2, &savedOffset); 451 if (rv != SECSuccess) { 452 goto loser; 453 } 454 455 /* 456 * struct { 457 * uint8 config_id; 458 * HpkeKemId kem_id; 459 * HpkePublicKey public_key; 460 * HpkeSymmetricCipherSuite cipher_suites<4..2^16-4>; 461 * } HpkeKeyConfig; 462 */ 463 rv = sslBuffer_AppendNumber(&b, configId, 1); 464 if (rv != SECSuccess) { 465 goto loser; 466 } 467 468 rv = sslBuffer_AppendNumber(&b, kemId, 2); 469 if (rv != SECSuccess) { 470 goto loser; 471 } 472 473 rv = PK11_HPKE_Serialize(pubKey, tmpBuf, &tmpLen, sizeof(tmpBuf)); 474 if (rv != SECSuccess) { 475 goto loser; 476 } 477 rv = sslBuffer_AppendVariable(&b, tmpBuf, tmpLen, 2); 478 if (rv != SECSuccess) { 479 goto loser; 480 } 481 482 rv = sslBuffer_AppendNumber(&b, hpkeSuiteCount * 4, 2); 483 if (rv != SECSuccess) { 484 goto loser; 485 } 486 for (unsigned int i = 0; i < hpkeSuiteCount; i++) { 487 rv = sslBuffer_AppendNumber(&b, hpkeSuites[i].kdfId, 2); 488 if (rv != SECSuccess) { 489 goto loser; 490 } 491 rv = sslBuffer_AppendNumber(&b, hpkeSuites[i].aeadId, 2); 492 if (rv != SECSuccess) { 493 goto loser; 494 } 495 } 496 497 /* 498 * struct { 499 * HpkeKeyConfig key_config; 500 * uint16 maximum_name_length; 501 * opaque public_name<1..2^16-1>; 502 * Extension extensions<0..2^16-1>; 503 * } ECHConfigContents; 504 */ 505 rv = sslBuffer_AppendNumber(&b, maxNameLen, 2); 506 if (rv != SECSuccess) { 507 goto loser; 508 } 509 510 len = PORT_Strlen(publicName); 511 if (len > 0xffff) { 512 PORT_SetError(SEC_ERROR_INVALID_ARGS); 513 goto loser; 514 } 515 rv = sslBuffer_AppendVariable(&b, (const PRUint8 *)publicName, len, 2); 516 if (rv != SECSuccess) { 517 goto loser; 518 } 519 520 /* extensions */ 521 rv = sslBuffer_AppendNumber(&b, 0, 2); 522 if (rv != SECSuccess) { 523 goto loser; 524 } 525 526 /* Write the length now that we know it. */ 527 rv = sslBuffer_InsertLength(&b, 0, 2); 528 if (rv != SECSuccess) { 529 goto loser; 530 } 531 rv = sslBuffer_InsertLength(&b, savedOffset, 2); 532 if (rv != SECSuccess) { 533 goto loser; 534 } 535 536 if (SSL_BUFFER_LEN(&b) > maxlen) { 537 PORT_SetError(SEC_ERROR_INVALID_ARGS); 538 goto loser; 539 } 540 PORT_Memcpy(out, SSL_BUFFER_BASE(&b), SSL_BUFFER_LEN(&b)); 541 *outlen = SSL_BUFFER_LEN(&b); 542 sslBuffer_Clear(&b); 543 return SECSuccess; 544 545 loser: 546 sslBuffer_Clear(&b); 547 return SECFailure; 548 } 549 550 SECStatus 551 SSLExp_GetEchRetryConfigs(PRFileDesc *fd, SECItem *retryConfigs) 552 { 553 SECStatus rv; 554 sslSocket *ss; 555 SECItem out = { siBuffer, NULL, 0 }; 556 557 if (!fd || !retryConfigs) { 558 PORT_SetError(SEC_ERROR_INVALID_ARGS); 559 return SECFailure; 560 } 561 ss = ssl_FindSocket(fd); 562 if (!ss) { 563 SSL_DBG(("%d: SSL[%d]: bad socket in %s", 564 SSL_GETPID(), fd, __FUNCTION__)); 565 PORT_SetError(SEC_ERROR_INVALID_ARGS); 566 return SECFailure; 567 } 568 569 /* We don't distinguish between "handshake completed 570 * without retry configs", and "handshake not completed". 571 * An application should only call this after receiving a 572 * RETRY_WITH_ECH error code, which implies retry_configs. */ 573 if (!ss->xtnData.ech || !ss->xtnData.ech->retryConfigsValid) { 574 PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED); 575 return SECFailure; 576 } 577 578 /* May be empty. */ 579 rv = SECITEM_CopyItem(NULL, &out, &ss->xtnData.ech->retryConfigs); 580 if (rv == SECFailure) { 581 return SECFailure; 582 } 583 *retryConfigs = out; 584 return SECSuccess; 585 } 586 587 SECStatus 588 SSLExp_RemoveEchConfigs(PRFileDesc *fd) 589 { 590 sslSocket *ss; 591 592 if (!fd) { 593 PORT_SetError(SEC_ERROR_INVALID_ARGS); 594 return SECFailure; 595 } 596 597 ss = ssl_FindSocket(fd); 598 if (!ss) { 599 SSL_DBG(("%d: SSL[%d]: bad socket in %s", 600 SSL_GETPID(), fd, __FUNCTION__)); 601 PORT_SetError(SEC_ERROR_INVALID_ARGS); 602 return SECFailure; 603 } 604 605 SECKEY_DestroyPrivateKey(ss->echPrivKey); 606 ss->echPrivKey = NULL; 607 SECKEY_DestroyPublicKey(ss->echPubKey); 608 ss->echPubKey = NULL; 609 tls13_DestroyEchConfigs(&ss->echConfigs); 610 611 /* Also remove any retry_configs and handshake context. */ 612 if (ss->xtnData.ech && ss->xtnData.ech->retryConfigs.len) { 613 SECITEM_FreeItem(&ss->xtnData.ech->retryConfigs, PR_FALSE); 614 } 615 616 if (ss->ssl3.hs.echHpkeCtx) { 617 PK11_HPKE_DestroyContext(ss->ssl3.hs.echHpkeCtx, PR_TRUE); 618 ss->ssl3.hs.echHpkeCtx = NULL; 619 } 620 PORT_Free(CONST_CAST(char, ss->ssl3.hs.echPublicName)); 621 ss->ssl3.hs.echPublicName = NULL; 622 623 return SECSuccess; 624 } 625 626 /* Import one or more ECHConfigs for the given keypair. The AEAD/KDF 627 * may differ , but only X25519 is supported for the KEM.*/ 628 SECStatus 629 SSLExp_SetServerEchConfigs(PRFileDesc *fd, 630 const SECKEYPublicKey *pubKey, const SECKEYPrivateKey *privKey, 631 const PRUint8 *echConfigs, unsigned int echConfigsLen) 632 { 633 sslSocket *ss; 634 SECStatus rv; 635 SECItem data = { siBuffer, CONST_CAST(PRUint8, echConfigs), echConfigsLen }; 636 637 if (!fd || !pubKey || !privKey || !echConfigs || echConfigsLen == 0) { 638 PORT_SetError(SEC_ERROR_INVALID_ARGS); 639 return SECFailure; 640 } 641 642 ss = ssl_FindSocket(fd); 643 if (!ss) { 644 SSL_DBG(("%d: SSL[%d]: bad socket in %s", 645 SSL_GETPID(), fd, __FUNCTION__)); 646 PORT_SetError(SEC_ERROR_INVALID_ARGS); 647 return SECFailure; 648 } 649 650 /* Overwrite if we're already configured. */ 651 rv = SSLExp_RemoveEchConfigs(fd); 652 if (rv != SECSuccess) { 653 return SECFailure; 654 } 655 656 rv = tls13_DecodeEchConfigs(&data, &ss->echConfigs); 657 if (rv != SECSuccess) { 658 goto loser; 659 } 660 if (PR_CLIST_IS_EMPTY(&ss->echConfigs)) { 661 PORT_SetError(SEC_ERROR_INVALID_ARGS); 662 goto loser; 663 } 664 665 ss->echPubKey = SECKEY_CopyPublicKey(pubKey); 666 if (!ss->echPubKey) { 667 goto loser; 668 } 669 ss->echPrivKey = SECKEY_CopyPrivateKey(privKey); 670 if (!ss->echPrivKey) { 671 goto loser; 672 } 673 return SECSuccess; 674 675 loser: 676 tls13_DestroyEchConfigs(&ss->echConfigs); 677 SECKEY_DestroyPrivateKey(ss->echPrivKey); 678 SECKEY_DestroyPublicKey(ss->echPubKey); 679 ss->echPubKey = NULL; 680 ss->echPrivKey = NULL; 681 return SECFailure; 682 } 683 684 /* Client enable. For now, we'll use the first 685 * compatible config (server preference). */ 686 SECStatus 687 SSLExp_SetClientEchConfigs(PRFileDesc *fd, 688 const PRUint8 *echConfigs, 689 unsigned int echConfigsLen) 690 { 691 SECStatus rv; 692 sslSocket *ss; 693 SECItem data = { siBuffer, CONST_CAST(PRUint8, echConfigs), echConfigsLen }; 694 695 if (!fd || !echConfigs || echConfigsLen == 0) { 696 PORT_SetError(SEC_ERROR_INVALID_ARGS); 697 return SECFailure; 698 } 699 700 ss = ssl_FindSocket(fd); 701 if (!ss) { 702 SSL_DBG(("%d: SSL[%d]: bad socket in %s", 703 SSL_GETPID(), fd, __FUNCTION__)); 704 PORT_SetError(SEC_ERROR_INVALID_ARGS); 705 return SECFailure; 706 } 707 708 /* Overwrite if we're already configured. */ 709 rv = SSLExp_RemoveEchConfigs(fd); 710 if (rv != SECSuccess) { 711 return SECFailure; 712 } 713 714 rv = tls13_DecodeEchConfigs(&data, &ss->echConfigs); 715 if (rv != SECSuccess) { 716 return SECFailure; 717 } 718 if (PR_CLIST_IS_EMPTY(&ss->echConfigs)) { 719 PORT_SetError(SEC_ERROR_INVALID_ARGS); 720 return SECFailure; 721 } 722 723 return SECSuccess; 724 } 725 726 /* Set up ECH. This generates an ephemeral sender 727 * keypair and the HPKE context */ 728 SECStatus 729 tls13_ClientSetupEch(sslSocket *ss, sslClientHelloType type) 730 { 731 SECStatus rv; 732 HpkeContext *cx = NULL; 733 SECKEYPublicKey *pkR = NULL; 734 SECItem hpkeInfo = { siBuffer, NULL, 0 }; 735 sslEchConfig *cfg = NULL; 736 737 if (PR_CLIST_IS_EMPTY(&ss->echConfigs) || 738 !ssl_ShouldSendSNIExtension(ss, ss->url) || 739 IS_DTLS(ss)) { 740 return SECSuccess; 741 } 742 743 /* Maybe apply our own priority if >1. For now, we only support 744 * one version and one KEM. Each ECHConfig can specify multiple 745 * KDF/AEADs, so just use the first. */ 746 cfg = (sslEchConfig *)PR_LIST_HEAD(&ss->echConfigs); 747 748 /* Skip ECH if the public name matches the private name. */ 749 if (0 == PORT_Strcmp(cfg->contents.publicName, ss->url)) { 750 return SECSuccess; 751 } 752 753 SSL_TRC(50, ("%d: TLS13[%d]: Setup client ECH", 754 SSL_GETPID(), ss->fd)); 755 756 switch (type) { 757 case client_hello_initial: 758 PORT_Assert(!ss->ssl3.hs.echHpkeCtx && !ss->ssl3.hs.echPublicName); 759 cx = PK11_HPKE_NewContext(cfg->contents.kemId, cfg->contents.kdfId, 760 cfg->contents.aeadId, NULL, NULL); 761 break; 762 case client_hello_retry: 763 if (!ss->ssl3.hs.echHpkeCtx || !ss->ssl3.hs.echPublicName) { 764 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); 765 return SECFailure; 766 } 767 /* Nothing else to do. */ 768 return SECSuccess; 769 default: 770 PORT_Assert(0); 771 goto loser; 772 } 773 if (!cx) { 774 goto loser; 775 } 776 777 rv = PK11_HPKE_Deserialize(cx, cfg->contents.publicKey.data, cfg->contents.publicKey.len, &pkR); 778 if (rv != SECSuccess) { 779 goto loser; 780 } 781 782 if (!SECITEM_AllocItem(NULL, &hpkeInfo, strlen(kHpkeInfoEch) + 1 + cfg->raw.len)) { 783 goto loser; 784 } 785 PORT_Memcpy(&hpkeInfo.data[0], kHpkeInfoEch, strlen(kHpkeInfoEch)); 786 PORT_Memset(&hpkeInfo.data[strlen(kHpkeInfoEch)], 0, 1); 787 PORT_Memcpy(&hpkeInfo.data[strlen(kHpkeInfoEch) + 1], cfg->raw.data, cfg->raw.len); 788 789 PRINT_BUF(50, (ss, "Info", hpkeInfo.data, hpkeInfo.len)); 790 791 /* Setup with an ephemeral sender keypair. */ 792 rv = PK11_HPKE_SetupS(cx, NULL, NULL, pkR, &hpkeInfo); 793 if (rv != SECSuccess) { 794 goto loser; 795 } 796 797 rv = ssl3_GetNewRandom(ss->ssl3.hs.client_inner_random); 798 if (rv != SECSuccess) { 799 goto loser; /* code set */ 800 } 801 802 /* If ECH is rejected, the application will use SSLChannelInfo 803 * to fetch this field and perform cert chain verification. */ 804 ss->ssl3.hs.echPublicName = PORT_Strdup(cfg->contents.publicName); 805 if (!ss->ssl3.hs.echPublicName) { 806 goto loser; 807 } 808 809 ss->ssl3.hs.echHpkeCtx = cx; 810 SECKEY_DestroyPublicKey(pkR); 811 SECITEM_FreeItem(&hpkeInfo, PR_FALSE); 812 return SECSuccess; 813 814 loser: 815 PK11_HPKE_DestroyContext(cx, PR_TRUE); 816 SECKEY_DestroyPublicKey(pkR); 817 SECITEM_FreeItem(&hpkeInfo, PR_FALSE); 818 PORT_Assert(PORT_GetError() != 0); 819 return SECFailure; 820 } 821 822 /* 823 * enum { 824 * encrypted_client_hello(0xfe0a), (65535) 825 * } ExtensionType; 826 * 827 * struct { 828 * HpkeKdfId kdf_id; 829 * HpkeAeadId aead_id; 830 * } HpkeSymmetricCipherSuite; 831 * struct { 832 * HpkeSymmetricCipherSuite cipher_suite; 833 * uint8 config_id; 834 * opaque enc<1..2^16-1>; 835 * opaque payload<1..2^16-1>; 836 * } ClientECH; 837 * 838 * Takes as input the constructed ClientHelloInner and 839 * returns a constructed encrypted_client_hello extension 840 * (replacing the contents of |chInner|). 841 */ 842 static SECStatus 843 tls13_EncryptClientHello(sslSocket *ss, sslBuffer *outerAAD, sslBuffer *chInner) 844 { 845 SECStatus rv; 846 SECItem chPt = { siBuffer, chInner->buf, chInner->len }; 847 SECItem *chCt = NULL; 848 SECItem aadItem = { siBuffer, outerAAD ? outerAAD->buf : NULL, outerAAD ? outerAAD->len : 0 }; 849 const SECItem *hpkeEnc = NULL; 850 const sslEchConfig *cfg = (sslEchConfig *)PR_LIST_HEAD(&ss->echConfigs); 851 PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->echConfigs)); 852 853 SSL_TRC(50, ("%d: TLS13[%d]: Encrypting Client Hello Inner", 854 SSL_GETPID(), ss->fd)); 855 PRINT_BUF(50, (ss, "aad", outerAAD->buf, outerAAD->len)); 856 PRINT_BUF(50, (ss, "inner", chInner->buf, chInner->len)); 857 858 hpkeEnc = PK11_HPKE_GetEncapPubKey(ss->ssl3.hs.echHpkeCtx); 859 if (!hpkeEnc) { 860 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); 861 goto loser; 862 } 863 864 #ifndef UNSAFE_FUZZER_MODE 865 rv = PK11_HPKE_Seal(ss->ssl3.hs.echHpkeCtx, &aadItem, &chPt, &chCt); 866 if (rv != SECSuccess) { 867 goto loser; 868 } 869 PRINT_BUF(50, (ss, "cipher", chCt->data, chCt->len)); 870 #else 871 /* Fake a tag. */ 872 SECITEM_AllocItem(NULL, chCt, chPt.len + 16); 873 if (!chCt) { 874 goto loser; 875 } 876 PORT_Memcpy(chCt->data, chPt.data, chPt.len); 877 #endif 878 879 /* Format the encrypted_client_hello extension. */ 880 sslBuffer_Clear(chInner); 881 rv = sslBuffer_AppendNumber(chInner, cfg->contents.kdfId, 2); 882 if (rv != SECSuccess) { 883 goto loser; 884 } 885 rv = sslBuffer_AppendNumber(chInner, cfg->contents.aeadId, 2); 886 if (rv != SECSuccess) { 887 goto loser; 888 } 889 890 rv = sslBuffer_AppendNumber(chInner, cfg->contents.configId, 1); 891 if (rv != SECSuccess) { 892 goto loser; 893 } 894 if (!ss->ssl3.hs.helloRetry) { 895 rv = sslBuffer_AppendVariable(chInner, hpkeEnc->data, hpkeEnc->len, 2); 896 if (rv != SECSuccess) { 897 goto loser; 898 } 899 } else { 900 /* |enc| is empty. */ 901 rv = sslBuffer_AppendNumber(chInner, 0, 2); 902 if (rv != SECSuccess) { 903 goto loser; 904 } 905 } 906 rv = sslBuffer_AppendVariable(chInner, chCt->data, chCt->len, 2); 907 if (rv != SECSuccess) { 908 goto loser; 909 } 910 SECITEM_FreeItem(chCt, PR_TRUE); 911 return SECSuccess; 912 913 loser: 914 SECITEM_FreeItem(chCt, PR_TRUE); 915 return SECFailure; 916 } 917 918 SECStatus 919 tls13_GetMatchingEchConfigs(const sslSocket *ss, HpkeKdfId kdf, HpkeAeadId aead, 920 const PRUint8 configId, const sslEchConfig *cur, sslEchConfig **next) 921 { 922 SSL_TRC(50, ("%d: TLS13[%d]: GetMatchingEchConfig %d", 923 SSL_GETPID(), ss->fd, configId)); 924 925 /* If |cur|, resume the search at that node, else the list head. */ 926 for (PRCList *cur_p = cur ? ((PRCList *)cur)->next : PR_LIST_HEAD(&ss->echConfigs); 927 cur_p != &ss->echConfigs; 928 cur_p = PR_NEXT_LINK(cur_p)) { 929 sslEchConfig *echConfig = (sslEchConfig *)cur_p; 930 if (echConfig->contents.configId == configId && 931 echConfig->contents.aeadId == aead && 932 echConfig->contents.kdfId == kdf) { 933 *next = echConfig; 934 return SECSuccess; 935 } 936 } 937 938 *next = NULL; 939 return SECSuccess; 940 } 941 942 /* Given a CH with extensions, copy from the start up to the extensions 943 * into |writer| and return the extensions themselves in |extensions|. 944 * If |explicitSid|, place this value into |writer| as the SID. Else, 945 * the sid is copied from |reader| to |writer|. */ 946 static SECStatus 947 tls13_CopyChPreamble(sslReader *reader, const SECItem *explicitSid, sslBuffer *writer, sslReadBuffer *extensions) 948 { 949 SECStatus rv; 950 sslReadBuffer tmpReadBuf; 951 952 /* Locate the extensions. */ 953 rv = sslRead_Read(reader, 2 + SSL3_RANDOM_LENGTH, &tmpReadBuf); 954 if (rv != SECSuccess) { 955 return SECFailure; 956 } 957 rv = sslBuffer_Append(writer, tmpReadBuf.buf, tmpReadBuf.len); 958 if (rv != SECSuccess) { 959 return SECFailure; 960 } 961 962 /* legacy_session_id */ 963 rv = sslRead_ReadVariable(reader, 1, &tmpReadBuf); 964 if (explicitSid) { 965 /* Encoded SID should be empty when copying from CHOuter. */ 966 if (tmpReadBuf.len > 0) { 967 PORT_SetError(SSL_ERROR_RX_MALFORMED_ECH_EXTENSION); 968 return SECFailure; 969 } 970 rv = sslBuffer_AppendVariable(writer, explicitSid->data, explicitSid->len, 1); 971 } else { 972 rv = sslBuffer_AppendVariable(writer, tmpReadBuf.buf, tmpReadBuf.len, 1); 973 } 974 if (rv != SECSuccess) { 975 return SECFailure; 976 } 977 978 /* cipher suites */ 979 rv = sslRead_ReadVariable(reader, 2, &tmpReadBuf); 980 if (rv != SECSuccess) { 981 return SECFailure; 982 } 983 rv = sslBuffer_AppendVariable(writer, tmpReadBuf.buf, tmpReadBuf.len, 2); 984 if (rv != SECSuccess) { 985 return SECFailure; 986 } 987 988 /* compression */ 989 rv = sslRead_ReadVariable(reader, 1, &tmpReadBuf); 990 if (rv != SECSuccess) { 991 return SECFailure; 992 } 993 rv = sslBuffer_AppendVariable(writer, tmpReadBuf.buf, tmpReadBuf.len, 1); 994 if (rv != SECSuccess) { 995 return SECFailure; 996 } 997 998 /* extensions */ 999 rv = sslRead_ReadVariable(reader, 2, extensions); 1000 if (rv != SECSuccess) { 1001 return SECFailure; 1002 } 1003 1004 if (SSL_READER_REMAINING(reader) != 0) { 1005 PORT_SetError(SSL_ERROR_RX_MALFORMED_ECH_EXTENSION); 1006 return SECFailure; 1007 } 1008 1009 return SECSuccess; 1010 } 1011 1012 /* 1013 * struct { 1014 * HpkeSymmetricCipherSuite cipher_suite; // kdfid_, aead_id 1015 * uint8 config_id; 1016 * opaque enc<1..2^16-1>; 1017 * opaque outer_hello<1..2^24-1>; 1018 * } ClientHelloOuterAAD; 1019 */ 1020 static SECStatus 1021 tls13_MakeChOuterAAD(sslSocket *ss, const SECItem *outer, SECItem *outerAAD) 1022 { 1023 SECStatus rv; 1024 sslBuffer aad = SSL_BUFFER_EMPTY; 1025 sslReadBuffer aadXtns = { 0 }; 1026 sslReader chReader = SSL_READER(outer->data, outer->len); 1027 PRUint64 tmpn; 1028 sslReadBuffer tmpvar = { 0 }; 1029 unsigned int offset; 1030 unsigned int savedOffset; 1031 PORT_Assert(ss->xtnData.ech); 1032 1033 rv = sslBuffer_AppendNumber(&aad, ss->xtnData.ech->kdfId, 2); 1034 if (rv != SECSuccess) { 1035 goto loser; 1036 } 1037 rv = sslBuffer_AppendNumber(&aad, ss->xtnData.ech->aeadId, 2); 1038 if (rv != SECSuccess) { 1039 goto loser; 1040 } 1041 1042 rv = sslBuffer_AppendNumber(&aad, ss->xtnData.ech->configId, 1); 1043 if (rv != SECSuccess) { 1044 goto loser; 1045 } 1046 1047 if (!ss->ssl3.hs.helloRetry) { 1048 rv = sslBuffer_AppendVariable(&aad, ss->xtnData.ech->senderPubKey.data, 1049 ss->xtnData.ech->senderPubKey.len, 2); 1050 } else { 1051 /* |enc| is empty for HelloRetryRequest. */ 1052 rv = sslBuffer_AppendNumber(&aad, 0, 2); 1053 } 1054 if (rv != SECSuccess) { 1055 goto loser; 1056 } 1057 1058 /* Skip 3 bytes for the CHOuter length. */ 1059 rv = sslBuffer_Skip(&aad, 3, &savedOffset); 1060 if (rv != SECSuccess) { 1061 goto loser; 1062 } 1063 1064 /* aad := preamble, aadXtn := extensions */ 1065 rv = tls13_CopyChPreamble(&chReader, NULL, &aad, &aadXtns); 1066 if (rv != SECSuccess) { 1067 goto loser; 1068 } 1069 sslReader xtnsReader = SSL_READER(aadXtns.buf, aadXtns.len); 1070 1071 /* Save room for extensions length. */ 1072 rv = sslBuffer_Skip(&aad, 2, &offset); 1073 if (rv != SECSuccess) { 1074 goto loser; 1075 } 1076 1077 /* Append each extension, minus encrypted_client_hello_xtn. */ 1078 while (SSL_READER_REMAINING(&xtnsReader)) { 1079 rv = sslRead_ReadNumber(&xtnsReader, 2, &tmpn); 1080 if (rv != SECSuccess) { 1081 goto loser; 1082 } 1083 rv = sslRead_ReadVariable(&xtnsReader, 2, &tmpvar); 1084 if (rv != SECSuccess) { 1085 goto loser; 1086 } 1087 1088 if (tmpn != ssl_tls13_encrypted_client_hello_xtn) { 1089 rv = sslBuffer_AppendNumber(&aad, tmpn, 2); 1090 if (rv != SECSuccess) { 1091 goto loser; 1092 } 1093 rv = sslBuffer_AppendVariable(&aad, tmpvar.buf, tmpvar.len, 2); 1094 if (rv != SECSuccess) { 1095 goto loser; 1096 } 1097 } 1098 } 1099 1100 rv = sslBuffer_InsertLength(&aad, offset, 2); 1101 if (rv != SECSuccess) { 1102 goto loser; 1103 } 1104 1105 rv = sslBuffer_InsertLength(&aad, savedOffset, 3); 1106 if (rv != SECSuccess) { 1107 goto loser; 1108 } 1109 1110 outerAAD->data = aad.buf; 1111 outerAAD->len = aad.len; 1112 return SECSuccess; 1113 1114 loser: 1115 sslBuffer_Clear(&aad); 1116 return SECFailure; 1117 } 1118 1119 SECStatus 1120 tls13_OpenClientHelloInner(sslSocket *ss, const SECItem *outer, const SECItem *outerAAD, sslEchConfig *cfg, SECItem **chInner) 1121 { 1122 SECStatus rv; 1123 HpkeContext *cx = NULL; 1124 SECItem *decryptedChInner = NULL; 1125 SECItem hpkeInfo = { siBuffer, NULL, 0 }; 1126 SSL_TRC(50, ("%d: TLS13[%d]: Server opening ECH Inner%s", SSL_GETPID(), 1127 ss->fd, ss->ssl3.hs.helloRetry ? " after HRR" : "")); 1128 1129 if (!ss->ssl3.hs.helloRetry) { 1130 PORT_Assert(!ss->ssl3.hs.echHpkeCtx); 1131 cx = PK11_HPKE_NewContext(cfg->contents.kemId, cfg->contents.kdfId, 1132 cfg->contents.aeadId, NULL, NULL); 1133 if (!cx) { 1134 goto loser; 1135 } 1136 1137 if (!SECITEM_AllocItem(NULL, &hpkeInfo, strlen(kHpkeInfoEch) + 1 + cfg->raw.len)) { 1138 goto loser; 1139 } 1140 PORT_Memcpy(&hpkeInfo.data[0], kHpkeInfoEch, strlen(kHpkeInfoEch)); 1141 PORT_Memset(&hpkeInfo.data[strlen(kHpkeInfoEch)], 0, 1); 1142 PORT_Memcpy(&hpkeInfo.data[strlen(kHpkeInfoEch) + 1], cfg->raw.data, cfg->raw.len); 1143 1144 rv = PK11_HPKE_SetupR(cx, ss->echPubKey, ss->echPrivKey, 1145 &ss->xtnData.ech->senderPubKey, &hpkeInfo); 1146 if (rv != SECSuccess) { 1147 goto loser; /* code set */ 1148 } 1149 } else { 1150 PORT_Assert(ss->ssl3.hs.echHpkeCtx); 1151 cx = ss->ssl3.hs.echHpkeCtx; 1152 } 1153 1154 #ifndef UNSAFE_FUZZER_MODE 1155 rv = PK11_HPKE_Open(cx, outerAAD, &ss->xtnData.ech->innerCh, &decryptedChInner); 1156 if (rv != SECSuccess) { 1157 goto loser; /* code set */ 1158 } 1159 #else 1160 rv = SECITEM_CopyItem(NULL, decryptedChInner, &ss->xtnData.ech->innerCh); 1161 if (rv != SECSuccess) { 1162 goto loser; 1163 } 1164 decryptedChInner->len -= 16; /* Fake tag */ 1165 #endif 1166 1167 /* Stash the context, we may need it for HRR. */ 1168 ss->ssl3.hs.echHpkeCtx = cx; 1169 *chInner = decryptedChInner; 1170 SECITEM_FreeItem(&hpkeInfo, PR_FALSE); 1171 return SECSuccess; 1172 1173 loser: 1174 SECITEM_FreeItem(decryptedChInner, PR_TRUE); 1175 SECITEM_FreeItem(&hpkeInfo, PR_FALSE); 1176 if (cx != ss->ssl3.hs.echHpkeCtx) { 1177 /* Don't double-free if it's already global. */ 1178 PK11_HPKE_DestroyContext(cx, PR_TRUE); 1179 } 1180 return SECFailure; 1181 } 1182 1183 /* Given a buffer of extensions prepared for CHOuter, translate those extensions to a 1184 * buffer suitable for CHInner. This is intended to be called twice: once without 1185 * compression for the transcript hash and binders, and once with compression for 1186 * encoding the actual CHInner value. On the first run, if |inOutPskXtn| and 1187 * chOuterXtnsBuf contains a PSK extension, remove it and return in the outparam. 1188 * The caller will compute the binder value based on the uncompressed output. Next, 1189 * if |compress|, consolidate duplicated extensions (that would otherwise be copied) 1190 * into a single outer_extensions extension. If |inOutPskXtn|, the extension contains 1191 * a binder, it is appended after the deduplicated outer_extensions. In the case of 1192 * GREASE ECH, one call is made to estimate size (wiith compression, null inOutPskXtn). 1193 */ 1194 SECStatus 1195 tls13_ConstructInnerExtensionsFromOuter(sslSocket *ss, sslBuffer *chOuterXtnsBuf, 1196 sslBuffer *chInnerXtns, sslBuffer *inOutPskXtn, 1197 PRBool compress) 1198 { 1199 SECStatus rv; 1200 PRUint64 extensionType; 1201 sslReadBuffer extensionData; 1202 sslBuffer pskXtn = SSL_BUFFER_EMPTY; 1203 sslBuffer dupXtns = SSL_BUFFER_EMPTY; /* Dupcliated extensions, types-only if |compress|. */ 1204 unsigned int tmpOffset; 1205 unsigned int tmpLen; 1206 unsigned int srcXtnBase; /* To truncate CHOuter and remove the PSK extension. */ 1207 SSL_TRC(50, ("%d: TLS13[%d]: Constructing ECH inner extensions %s compression", 1208 SSL_GETPID(), ss->fd, compress ? "with" : "without")); 1209 1210 /* When offering the "encrypted_client_hello" extension in its 1211 * ClientHelloOuter, the client MUST also offer an empty 1212 * "encrypted_client_hello" extension in its ClientHelloInner. */ 1213 rv = sslBuffer_AppendNumber(chInnerXtns, ssl_tls13_ech_is_inner_xtn, 2); 1214 if (rv != SECSuccess) { 1215 goto loser; 1216 } 1217 rv = sslBuffer_AppendNumber(chInnerXtns, 0, 2); 1218 if (rv != SECSuccess) { 1219 goto loser; 1220 } 1221 1222 sslReader rdr = SSL_READER(chOuterXtnsBuf->buf, chOuterXtnsBuf->len); 1223 while (SSL_READER_REMAINING(&rdr)) { 1224 srcXtnBase = rdr.offset; 1225 rv = sslRead_ReadNumber(&rdr, 2, &extensionType); 1226 if (rv != SECSuccess) { 1227 goto loser; 1228 } 1229 1230 /* Get the extension data. */ 1231 rv = sslRead_ReadVariable(&rdr, 2, &extensionData); 1232 if (rv != SECSuccess) { 1233 goto loser; 1234 } 1235 1236 switch (extensionType) { 1237 case ssl_server_name_xtn: 1238 /* Write the real (private) SNI value. */ 1239 rv = sslBuffer_AppendNumber(chInnerXtns, extensionType, 2); 1240 if (rv != SECSuccess) { 1241 goto loser; 1242 } 1243 rv = sslBuffer_Skip(chInnerXtns, 2, &tmpOffset); 1244 if (rv != SECSuccess) { 1245 goto loser; 1246 } 1247 tmpLen = SSL_BUFFER_LEN(chInnerXtns); 1248 rv = ssl3_ClientFormatServerNameXtn(ss, ss->url, 1249 strlen(ss->url), 1250 NULL, chInnerXtns); 1251 if (rv != SECSuccess) { 1252 goto loser; 1253 } 1254 tmpLen = SSL_BUFFER_LEN(chInnerXtns) - tmpLen; 1255 rv = sslBuffer_InsertNumber(chInnerXtns, tmpOffset, tmpLen, 2); 1256 if (rv != SECSuccess) { 1257 goto loser; 1258 } 1259 break; 1260 case ssl_tls13_supported_versions_xtn: 1261 /* Only TLS 1.3 on CHInner. */ 1262 rv = sslBuffer_AppendNumber(chInnerXtns, extensionType, 2); 1263 if (rv != SECSuccess) { 1264 goto loser; 1265 } 1266 rv = sslBuffer_AppendNumber(chInnerXtns, 3, 2); 1267 if (rv != SECSuccess) { 1268 goto loser; 1269 } 1270 rv = sslBuffer_AppendNumber(chInnerXtns, 2, 1); 1271 if (rv != SECSuccess) { 1272 goto loser; 1273 } 1274 rv = sslBuffer_AppendNumber(chInnerXtns, SSL_LIBRARY_VERSION_TLS_1_3, 2); 1275 if (rv != SECSuccess) { 1276 goto loser; 1277 } 1278 break; 1279 case ssl_tls13_pre_shared_key_xtn: 1280 /* If GREASEing, the estimated internal length 1281 * will be short. However, the presence of a PSK extension in 1282 * CHOuter is already a distinguisher. */ 1283 if (inOutPskXtn) { 1284 rv = sslBuffer_AppendNumber(&pskXtn, extensionType, 2); 1285 if (rv != SECSuccess) { 1286 goto loser; 1287 } 1288 rv = sslBuffer_AppendVariable(&pskXtn, extensionData.buf, 1289 extensionData.len, 2); 1290 if (rv != SECSuccess) { 1291 goto loser; 1292 } 1293 /* In terms of CHOuter, the PSK extension no longer exists. 1294 * 0 lastXtnOffset means insert padding at the end. */ 1295 SSL_BUFFER_LEN(chOuterXtnsBuf) = srcXtnBase; 1296 ss->xtnData.lastXtnOffset = 0; 1297 } 1298 break; 1299 default: 1300 PORT_Assert(extensionType != ssl_tls13_encrypted_client_hello_xtn); 1301 rv = sslBuffer_AppendNumber(&dupXtns, extensionType, 2); 1302 if (rv != SECSuccess) { 1303 goto loser; 1304 } 1305 if (!compress) { 1306 rv = sslBuffer_AppendVariable(&dupXtns, extensionData.buf, 1307 extensionData.len, 2); 1308 if (rv != SECSuccess) { 1309 goto loser; 1310 } 1311 } 1312 break; 1313 } 1314 } 1315 1316 /* Append duplicated extensions, compressing or not. */ 1317 if (SSL_BUFFER_LEN(&dupXtns) && compress) { 1318 rv = sslBuffer_AppendNumber(chInnerXtns, ssl_tls13_outer_extensions_xtn, 2); 1319 if (rv != SECSuccess) { 1320 goto loser; 1321 } 1322 rv = sslBuffer_AppendNumber(chInnerXtns, dupXtns.len + 1, 2); 1323 if (rv != SECSuccess) { 1324 goto loser; 1325 } 1326 rv = sslBuffer_AppendBufferVariable(chInnerXtns, &dupXtns, 1); 1327 } else if (SSL_BUFFER_LEN(&dupXtns)) { 1328 /* Each duplicated extension has its own length. */ 1329 rv = sslBuffer_AppendBuffer(chInnerXtns, &dupXtns); 1330 } 1331 if (rv != SECSuccess) { 1332 goto loser; 1333 } 1334 1335 /* On the compression run, append the completed PSK extension (if 1336 * provided). Else an incomplete (no binder) extension; the caller 1337 * will compute the binder and call again. */ 1338 if (compress && inOutPskXtn) { 1339 rv = sslBuffer_AppendBuffer(chInnerXtns, inOutPskXtn); 1340 } else if (pskXtn.len) { 1341 rv = sslBuffer_AppendBuffer(chInnerXtns, &pskXtn); 1342 if (inOutPskXtn) { 1343 *inOutPskXtn = pskXtn; 1344 } 1345 } 1346 if (rv != SECSuccess) { 1347 goto loser; 1348 } 1349 1350 sslBuffer_Clear(&dupXtns); 1351 return SECSuccess; 1352 1353 loser: 1354 sslBuffer_Clear(&pskXtn); 1355 sslBuffer_Clear(&dupXtns); 1356 return SECFailure; 1357 } 1358 1359 static SECStatus 1360 tls13_EncodeClientHelloInner(sslSocket *ss, sslBuffer *chInner, sslBuffer *chInnerXtns, sslBuffer *out) 1361 { 1362 PORT_Assert(ss && chInner && chInnerXtns && out); 1363 SECStatus rv; 1364 sslReadBuffer tmpReadBuf; 1365 sslReader chReader = SSL_READER(chInner->buf, chInner->len); 1366 1367 rv = sslRead_Read(&chReader, 4, &tmpReadBuf); 1368 if (rv != SECSuccess) { 1369 goto loser; 1370 } 1371 1372 rv = sslRead_Read(&chReader, 2 + SSL3_RANDOM_LENGTH, &tmpReadBuf); 1373 if (rv != SECSuccess) { 1374 goto loser; 1375 } 1376 rv = sslBuffer_Append(out, tmpReadBuf.buf, tmpReadBuf.len); 1377 if (rv != SECSuccess) { 1378 goto loser; 1379 } 1380 1381 /* Skip the legacy_session_id */ 1382 rv = sslRead_ReadVariable(&chReader, 1, &tmpReadBuf); 1383 if (rv != SECSuccess) { 1384 goto loser; 1385 } 1386 rv = sslBuffer_AppendNumber(out, 0, 1); 1387 if (rv != SECSuccess) { 1388 goto loser; 1389 } 1390 1391 /* cipher suites */ 1392 rv = sslRead_ReadVariable(&chReader, 2, &tmpReadBuf); 1393 if (rv != SECSuccess) { 1394 goto loser; 1395 } 1396 rv = sslBuffer_AppendVariable(out, tmpReadBuf.buf, tmpReadBuf.len, 2); 1397 if (rv != SECSuccess) { 1398 goto loser; 1399 } 1400 1401 /* compression methods */ 1402 rv = sslRead_ReadVariable(&chReader, 1, &tmpReadBuf); 1403 if (rv != SECSuccess) { 1404 goto loser; 1405 } 1406 rv = sslBuffer_AppendVariable(out, tmpReadBuf.buf, tmpReadBuf.len, 1); 1407 if (rv != SECSuccess) { 1408 goto loser; 1409 } 1410 1411 /* Append the extensions. */ 1412 rv = sslBuffer_AppendBufferVariable(out, chInnerXtns, 2); 1413 if (rv != SECSuccess) { 1414 goto loser; 1415 } 1416 return SECSuccess; 1417 1418 loser: 1419 sslBuffer_Clear(out); 1420 return SECFailure; 1421 } 1422 1423 SECStatus 1424 tls13_ConstructClientHelloWithEch(sslSocket *ss, const sslSessionID *sid, PRBool freshSid, 1425 sslBuffer *chOuter, sslBuffer *chOuterXtnsBuf) 1426 { 1427 SECStatus rv; 1428 sslBuffer chInner = SSL_BUFFER_EMPTY; 1429 sslBuffer encodedChInner = SSL_BUFFER_EMPTY; 1430 sslBuffer chInnerXtns = SSL_BUFFER_EMPTY; 1431 sslBuffer pskXtn = SSL_BUFFER_EMPTY; 1432 sslBuffer aad = SSL_BUFFER_EMPTY; 1433 unsigned int encodedChLen; 1434 unsigned int preambleLen; 1435 const SECItem *hpkeEnc = NULL; 1436 unsigned int savedOffset; 1437 1438 SSL_TRC(50, ("%d: TLS13[%d]: Constructing ECH inner", SSL_GETPID(), ss->fd)); 1439 1440 /* Create the full (uncompressed) inner extensions and steal any PSK extension. 1441 * NB: Neither chOuterXtnsBuf nor chInnerXtns are length-prefixed. */ 1442 rv = tls13_ConstructInnerExtensionsFromOuter(ss, chOuterXtnsBuf, &chInnerXtns, 1443 &pskXtn, PR_FALSE); 1444 if (rv != SECSuccess) { 1445 goto loser; /* code set */ 1446 } 1447 1448 rv = ssl3_CreateClientHelloPreamble(ss, sid, PR_FALSE, SSL_LIBRARY_VERSION_TLS_1_3, 1449 PR_TRUE, &chInnerXtns, &chInner); 1450 if (rv != SECSuccess) { 1451 goto loser; /* code set */ 1452 } 1453 preambleLen = SSL_BUFFER_LEN(&chInner); 1454 1455 /* Write handshake header length. tls13_EncryptClientHello will 1456 * remove this upon encoding, but the transcript needs it. This assumes 1457 * the 4B stream-variant header. */ 1458 PORT_Assert(!IS_DTLS(ss)); 1459 rv = sslBuffer_InsertNumber(&chInner, 1, 1460 chInner.len + 2 + chInnerXtns.len - 4, 3); 1461 if (rv != SECSuccess) { 1462 goto loser; 1463 } 1464 1465 if (pskXtn.len) { 1466 PORT_Assert(ssl3_ExtensionAdvertised(ss, ssl_tls13_pre_shared_key_xtn)); 1467 PORT_Assert(ss->xtnData.lastXtnOffset == 0); /* stolen from outer */ 1468 rv = tls13_WriteExtensionsWithBinder(ss, &chInnerXtns, &chInner); 1469 /* Update the stolen PSK extension with the binder value. */ 1470 PORT_Memcpy(pskXtn.buf, &chInnerXtns.buf[chInnerXtns.len - pskXtn.len], pskXtn.len); 1471 } else { 1472 rv = sslBuffer_AppendBufferVariable(&chInner, &chInnerXtns, 2); 1473 } 1474 if (rv != SECSuccess) { 1475 goto loser; 1476 } 1477 1478 rv = ssl3_UpdateHandshakeHashesInt(ss, chInner.buf, chInner.len, 1479 &ss->ssl3.hs.echInnerMessages); 1480 if (rv != SECSuccess) { 1481 goto loser; /* code set */ 1482 } 1483 1484 /* Un-append the extensions, then append compressed via Encoded. */ 1485 SSL_BUFFER_LEN(&chInner) = preambleLen; 1486 sslBuffer_Clear(&chInnerXtns); 1487 rv = tls13_ConstructInnerExtensionsFromOuter(ss, chOuterXtnsBuf, 1488 &chInnerXtns, &pskXtn, PR_TRUE); 1489 if (rv != SECSuccess) { 1490 goto loser; 1491 } 1492 1493 rv = tls13_EncodeClientHelloInner(ss, &chInner, &chInnerXtns, &encodedChInner); 1494 if (rv != SECSuccess) { 1495 goto loser; 1496 } 1497 1498 /* Pad the outer prior to appending ECH (for the AAD). 1499 * Encoded extension size is (echCipherSuite + enc + configId + payload + tag). 1500 * Post-encryption, we'll assert that this was correct. */ 1501 encodedChLen = 4 + 1 + 2 + 2 + encodedChInner.len + 16; 1502 if (!ss->ssl3.hs.helloRetry) { 1503 encodedChLen += 32; /* enc */ 1504 } 1505 rv = ssl_InsertPaddingExtension(ss, chOuter->len + encodedChLen, chOuterXtnsBuf); 1506 if (rv != SECSuccess) { 1507 goto loser; 1508 } 1509 1510 PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->echConfigs)); 1511 sslEchConfig *cfg = (sslEchConfig *)PR_LIST_HEAD(&ss->echConfigs); 1512 rv = sslBuffer_AppendNumber(&aad, cfg->contents.kdfId, 2); 1513 if (rv != SECSuccess) { 1514 goto loser; 1515 } 1516 rv = sslBuffer_AppendNumber(&aad, cfg->contents.aeadId, 2); 1517 if (rv != SECSuccess) { 1518 goto loser; 1519 } 1520 rv = sslBuffer_AppendNumber(&aad, cfg->contents.configId, 1); 1521 if (rv != SECSuccess) { 1522 goto loser; 1523 } 1524 1525 if (!ss->ssl3.hs.helloRetry) { 1526 hpkeEnc = PK11_HPKE_GetEncapPubKey(ss->ssl3.hs.echHpkeCtx); 1527 if (!hpkeEnc) { 1528 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); 1529 goto loser; 1530 } 1531 rv = sslBuffer_AppendVariable(&aad, hpkeEnc->data, hpkeEnc->len, 2); 1532 } else { 1533 /* 2B for empty enc length. */ 1534 rv = sslBuffer_AppendNumber(&aad, 0, 2); 1535 } 1536 if (rv != SECSuccess) { 1537 goto loser; 1538 } 1539 1540 rv = sslBuffer_Skip(&aad, 3, &savedOffset); 1541 if (rv != SECSuccess) { 1542 goto loser; 1543 } 1544 1545 /* Skip the handshake header. */ 1546 PORT_Assert(chOuter->len > 4); 1547 rv = sslBuffer_Append(&aad, &chOuter->buf[4], chOuter->len - 4); 1548 if (rv != SECSuccess) { 1549 goto loser; 1550 } 1551 rv = sslBuffer_AppendBufferVariable(&aad, chOuterXtnsBuf, 2); 1552 if (rv != SECSuccess) { 1553 goto loser; 1554 } 1555 rv = sslBuffer_InsertLength(&aad, savedOffset, 3); 1556 if (rv != SECSuccess) { 1557 goto loser; 1558 } 1559 1560 /* Insert the encrypted_client_hello xtn and coalesce. */ 1561 rv = tls13_EncryptClientHello(ss, &aad, &encodedChInner); 1562 if (rv != SECSuccess) { 1563 goto loser; 1564 } 1565 PORT_Assert(encodedChLen == encodedChInner.len); 1566 1567 rv = ssl3_EmplaceExtension(ss, chOuterXtnsBuf, ssl_tls13_encrypted_client_hello_xtn, 1568 encodedChInner.buf, encodedChInner.len, PR_TRUE); 1569 if (rv != SECSuccess) { 1570 goto loser; 1571 } 1572 1573 rv = ssl3_InsertChHeaderSize(ss, chOuter, chOuterXtnsBuf); 1574 if (rv != SECSuccess) { 1575 goto loser; 1576 } 1577 1578 rv = sslBuffer_AppendBufferVariable(chOuter, chOuterXtnsBuf, 2); 1579 if (rv != SECSuccess) { 1580 goto loser; 1581 } 1582 sslBuffer_Clear(&chInner); 1583 sslBuffer_Clear(&encodedChInner); 1584 sslBuffer_Clear(&chInnerXtns); 1585 sslBuffer_Clear(&pskXtn); 1586 sslBuffer_Clear(&aad); 1587 return SECSuccess; 1588 1589 loser: 1590 sslBuffer_Clear(&chInner); 1591 sslBuffer_Clear(&encodedChInner); 1592 sslBuffer_Clear(&chInnerXtns); 1593 sslBuffer_Clear(&pskXtn); 1594 sslBuffer_Clear(&aad); 1595 PORT_Assert(PORT_GetError() != 0); 1596 return SECFailure; 1597 } 1598 1599 /* Compute the ECH signal using the transcript (up to, excluding) Server Hello. 1600 * We'll append an artificial SH (ServerHelloECHConf). The server sources 1601 * this transcript prefix from ss->ssl3.hs.messages, as it never uses 1602 * ss->ssl3.hs.echInnerMessages. The client uses the inner transcript, echInnerMessages. */ 1603 static SECStatus 1604 tls13_ComputeEchSignal(sslSocket *ss, const PRUint8 *sh, unsigned int shLen, PRUint8 *out) 1605 { 1606 SECStatus rv; 1607 PK11SymKey *confirmationKey = NULL; 1608 sslBuffer confMsgs = SSL_BUFFER_EMPTY; 1609 sslBuffer *chSource = ss->sec.isServer ? &ss->ssl3.hs.messages : &ss->ssl3.hs.echInnerMessages; 1610 SSL3Hashes hashes; 1611 SECItem *confirmationBytes; 1612 unsigned int offset = sizeof(SSL3ProtocolVersion) + 1613 SSL3_RANDOM_LENGTH - TLS13_ECH_SIGNAL_LEN; 1614 PORT_Assert(sh && shLen > offset); 1615 PORT_Assert(TLS13_ECH_SIGNAL_LEN <= SSL3_RANDOM_LENGTH); 1616 1617 rv = sslBuffer_AppendBuffer(&confMsgs, chSource); 1618 if (rv != SECSuccess) { 1619 goto loser; 1620 } 1621 1622 /* Re-create the message header. */ 1623 rv = sslBuffer_AppendNumber(&confMsgs, ssl_hs_server_hello, 1); 1624 if (rv != SECSuccess) { 1625 goto loser; 1626 } 1627 1628 rv = sslBuffer_AppendNumber(&confMsgs, shLen, 3); 1629 if (rv != SECSuccess) { 1630 goto loser; 1631 } 1632 1633 /* Copy the version and 24B of server_random. */ 1634 rv = sslBuffer_Append(&confMsgs, sh, offset); 1635 if (rv != SECSuccess) { 1636 goto loser; 1637 } 1638 1639 /* Zero the signal placeholder. */ 1640 rv = sslBuffer_AppendNumber(&confMsgs, 0, TLS13_ECH_SIGNAL_LEN); 1641 if (rv != SECSuccess) { 1642 goto loser; 1643 } 1644 offset += TLS13_ECH_SIGNAL_LEN; 1645 1646 /* Use the remainder of SH. */ 1647 rv = sslBuffer_Append(&confMsgs, &sh[offset], shLen - offset); 1648 if (rv != SECSuccess) { 1649 goto loser; 1650 } 1651 1652 rv = tls13_ComputeHash(ss, &hashes, confMsgs.buf, confMsgs.len, 1653 tls13_GetHash(ss)); 1654 if (rv != SECSuccess) { 1655 goto loser; 1656 } 1657 1658 /* accept_confirmation = 1659 * Derive-Secret(Handshake Secret, 1660 * "ech accept confirmation", 1661 * ClientHelloInner...ServerHelloECHConf) 1662 */ 1663 rv = tls13_DeriveSecret(ss, ss->ssl3.hs.currentSecret, 1664 kHkdfInfoEchConfirm, strlen(kHkdfInfoEchConfirm), 1665 &hashes, &confirmationKey, tls13_GetHash(ss)); 1666 if (rv != SECSuccess) { 1667 return SECFailure; 1668 } 1669 1670 rv = PK11_ExtractKeyValue(confirmationKey); 1671 if (rv != SECSuccess) { 1672 goto loser; 1673 } 1674 confirmationBytes = PK11_GetKeyData(confirmationKey); 1675 if (!confirmationBytes) { 1676 rv = SECFailure; 1677 PORT_SetError(SSL_ERROR_ECH_FAILED); 1678 goto loser; 1679 } 1680 if (confirmationBytes->len < TLS13_ECH_SIGNAL_LEN) { 1681 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); 1682 goto loser; 1683 } 1684 SSL_TRC(50, ("%d: TLS13[%d]: %s computed ECH signal", SSL_GETPID(), ss->fd, SSL_ROLE(ss))); 1685 PRINT_BUF(50, (ss, "", out, TLS13_ECH_SIGNAL_LEN)); 1686 1687 PORT_Memcpy(out, confirmationBytes->data, TLS13_ECH_SIGNAL_LEN); 1688 PK11_FreeSymKey(confirmationKey); 1689 sslBuffer_Clear(&confMsgs); 1690 sslBuffer_Clear(&ss->ssl3.hs.messages); 1691 sslBuffer_Clear(&ss->ssl3.hs.echInnerMessages); 1692 return SECSuccess; 1693 1694 loser: 1695 PK11_FreeSymKey(confirmationKey); 1696 sslBuffer_Clear(&confMsgs); 1697 sslBuffer_Clear(&ss->ssl3.hs.messages); 1698 sslBuffer_Clear(&ss->ssl3.hs.echInnerMessages); 1699 return SECFailure; 1700 } 1701 1702 /* Called just prior to padding the CH. Use the size of the CH to estimate 1703 * the size of a corresponding ECH extension, then add it to the buffer. */ 1704 SECStatus 1705 tls13_MaybeGreaseEch(sslSocket *ss, unsigned int preambleLen, sslBuffer *buf) 1706 { 1707 SECStatus rv; 1708 sslBuffer chInnerXtns = SSL_BUFFER_EMPTY; 1709 sslBuffer greaseBuf = SSL_BUFFER_EMPTY; 1710 unsigned int payloadLen; 1711 HpkeAeadId aead; 1712 PK11SlotInfo *slot = NULL; 1713 PK11SymKey *hmacPrk = NULL; 1714 PK11SymKey *derivedData = NULL; 1715 SECItem *rawData; 1716 CK_HKDF_PARAMS params; 1717 SECItem paramsi; 1718 /* 1B aead determinant (don't send), 1B config_id, 32B enc, payload */ 1719 const int kNonPayloadLen = 34; 1720 1721 if (!ss->opt.enableTls13GreaseEch || ss->ssl3.hs.echHpkeCtx) { 1722 return SECSuccess; 1723 } 1724 1725 if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3 || 1726 IS_DTLS(ss)) { 1727 return SECSuccess; 1728 } 1729 1730 /* In draft-09, CH2 sends exactly the same GREASE ECH extension. */ 1731 if (ss->ssl3.hs.helloRetry) { 1732 return ssl3_EmplaceExtension(ss, buf, ssl_tls13_encrypted_client_hello_xtn, 1733 ss->ssl3.hs.greaseEchBuf.buf, 1734 ss->ssl3.hs.greaseEchBuf.len, PR_TRUE); 1735 } 1736 1737 /* Compress the extensions for payload length. */ 1738 rv = tls13_ConstructInnerExtensionsFromOuter(ss, buf, &chInnerXtns, 1739 NULL, PR_TRUE); 1740 if (rv != SECSuccess) { 1741 goto loser; /* Code set */ 1742 } 1743 payloadLen = preambleLen + 2 /* Xtns len */ + chInnerXtns.len - 4 /* msg header */; 1744 payloadLen += 16; /* Aead tag */ 1745 1746 /* HMAC-Expand to get something that will pass for ciphertext. */ 1747 slot = PK11_GetBestSlot(CKM_HKDF_DERIVE, NULL); 1748 if (!slot) { 1749 goto loser; 1750 } 1751 1752 hmacPrk = PK11_KeyGen(slot, CKM_HKDF_DATA, NULL, SHA256_LENGTH, NULL); 1753 if (!hmacPrk) { 1754 goto loser; 1755 } 1756 1757 params.bExtract = CK_FALSE; 1758 params.bExpand = CK_TRUE; 1759 params.prfHashMechanism = CKM_SHA256; 1760 params.pInfo = NULL; 1761 params.ulInfoLen = 0; 1762 paramsi.data = (unsigned char *)¶ms; 1763 paramsi.len = sizeof(params); 1764 derivedData = PK11_DeriveWithFlags(hmacPrk, CKM_HKDF_DATA, 1765 ¶msi, CKM_HKDF_DATA, 1766 CKA_DERIVE, kNonPayloadLen + payloadLen, 1767 CKF_VERIFY); 1768 if (!derivedData) { 1769 goto loser; 1770 } 1771 1772 rv = PK11_ExtractKeyValue(derivedData); 1773 if (rv != SECSuccess) { 1774 goto loser; 1775 } 1776 1777 rawData = PK11_GetKeyData(derivedData); 1778 if (!rawData) { 1779 goto loser; 1780 } 1781 PORT_Assert(rawData->len == kNonPayloadLen + payloadLen); 1782 1783 /* struct { 1784 HpkeSymmetricCipherSuite cipher_suite; // kdf_id, aead_id 1785 PRUint8 config_id; 1786 opaque enc<1..2^16-1>; 1787 opaque payload<1..2^16-1>; 1788 } ClientECH; */ 1789 1790 /* Only support SHA256. */ 1791 rv = sslBuffer_AppendNumber(&greaseBuf, HpkeKdfHkdfSha256, 2); 1792 if (rv != SECSuccess) { 1793 goto loser; 1794 } 1795 1796 /* HpkeAeadAes128Gcm = 1, HpkeAeadChaCha20Poly1305 = 3, */ 1797 aead = (rawData->data[0] & 1) ? HpkeAeadAes128Gcm : HpkeAeadChaCha20Poly1305; 1798 rv = sslBuffer_AppendNumber(&greaseBuf, aead, 2); 1799 if (rv != SECSuccess) { 1800 goto loser; 1801 } 1802 1803 /* config_id */ 1804 rv = sslBuffer_AppendNumber(&greaseBuf, rawData->data[1], 1); 1805 if (rv != SECSuccess) { 1806 goto loser; 1807 } 1808 1809 /* enc len is fixed 32B for X25519. */ 1810 rv = sslBuffer_AppendVariable(&greaseBuf, &rawData->data[2], 32, 2); 1811 if (rv != SECSuccess) { 1812 goto loser; 1813 } 1814 1815 rv = sslBuffer_AppendVariable(&greaseBuf, &rawData->data[kNonPayloadLen], payloadLen, 2); 1816 if (rv != SECSuccess) { 1817 goto loser; 1818 } 1819 1820 /* Mark ECH as advertised so that we can validate any response. 1821 * We'll use echHpkeCtx to determine if we sent real or GREASE ECH. */ 1822 rv = ssl3_EmplaceExtension(ss, buf, ssl_tls13_encrypted_client_hello_xtn, 1823 greaseBuf.buf, greaseBuf.len, PR_TRUE); 1824 if (rv != SECSuccess) { 1825 goto loser; 1826 } 1827 1828 /* Stash the GREASE ECH extension - in the case of HRR, CH2 must echo it. */ 1829 ss->ssl3.hs.greaseEchBuf = greaseBuf; 1830 1831 sslBuffer_Clear(&chInnerXtns); 1832 PK11_FreeSymKey(hmacPrk); 1833 PK11_FreeSymKey(derivedData); 1834 PK11_FreeSlot(slot); 1835 return SECSuccess; 1836 1837 loser: 1838 sslBuffer_Clear(&chInnerXtns); 1839 PK11_FreeSymKey(hmacPrk); 1840 PK11_FreeSymKey(derivedData); 1841 if (slot) { 1842 PK11_FreeSlot(slot); 1843 } 1844 return SECFailure; 1845 } 1846 1847 SECStatus 1848 tls13_MaybeHandleEch(sslSocket *ss, const PRUint8 *msg, PRUint32 msgLen, SECItem *sidBytes, 1849 SECItem *comps, SECItem *cookieBytes, SECItem *suites, SECItem **echInner) 1850 { 1851 SECStatus rv; 1852 int error; 1853 SSL3AlertDescription desc; 1854 SECItem *tmpEchInner = NULL; 1855 PRUint8 *b; 1856 PRUint32 length; 1857 TLSExtension *echExtension; 1858 TLSExtension *versionExtension; 1859 PORT_Assert(!ss->ssl3.hs.echAccepted); 1860 SECItem tmpSid = { siBuffer, NULL, 0 }; 1861 SECItem tmpCookie = { siBuffer, NULL, 0 }; 1862 SECItem tmpSuites = { siBuffer, NULL, 0 }; 1863 SECItem tmpComps = { siBuffer, NULL, 0 }; 1864 1865 echExtension = ssl3_FindExtension(ss, ssl_tls13_encrypted_client_hello_xtn); 1866 if (echExtension) { 1867 rv = tls13_ServerHandleEchXtn(ss, &ss->xtnData, &echExtension->data); 1868 if (rv != SECSuccess) { 1869 goto loser; /* code set, alert sent. */ 1870 } 1871 rv = tls13_MaybeAcceptEch(ss, sidBytes, msg, msgLen, &tmpEchInner); 1872 if (rv != SECSuccess) { 1873 goto loser; /* code set, alert sent. */ 1874 } 1875 } 1876 ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_ech; 1877 1878 if (ss->ssl3.hs.echAccepted) { 1879 PORT_Assert(tmpEchInner); 1880 PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.remoteExtensions)); 1881 1882 /* Start over on ECHInner */ 1883 b = tmpEchInner->data; 1884 length = tmpEchInner->len; 1885 rv = ssl3_HandleClientHelloPreamble(ss, &b, &length, &tmpSid, 1886 &tmpCookie, &tmpSuites, &tmpComps); 1887 if (rv != SECSuccess) { 1888 goto loser; /* code set, alert sent. */ 1889 } 1890 1891 /* Since in Outer we explicitly call the ECH handler, do the same on Inner. 1892 * Extensions are already parsed in tls13_MaybeAcceptEch. */ 1893 echExtension = ssl3_FindExtension(ss, ssl_tls13_ech_is_inner_xtn); 1894 if (!echExtension) { 1895 FATAL_ERROR(ss, SSL_ERROR_MISSING_ECH_EXTENSION, illegal_parameter); 1896 goto loser; 1897 } 1898 1899 versionExtension = ssl3_FindExtension(ss, ssl_tls13_supported_versions_xtn); 1900 if (!versionExtension) { 1901 FATAL_ERROR(ss, SSL_ERROR_UNSUPPORTED_VERSION, protocol_version); 1902 goto loser; 1903 } 1904 rv = tls13_NegotiateVersion(ss, versionExtension); 1905 if (rv != SECSuccess) { 1906 /* Could be malformed or not allowed in ECH. */ 1907 error = PORT_GetError(); 1908 desc = (error == SSL_ERROR_UNSUPPORTED_VERSION) ? protocol_version : illegal_parameter; 1909 FATAL_ERROR(ss, error, desc); 1910 goto loser; 1911 } 1912 1913 *comps = tmpComps; 1914 *cookieBytes = tmpCookie; 1915 *sidBytes = tmpSid; 1916 *suites = tmpSuites; 1917 *echInner = tmpEchInner; 1918 } 1919 return SECSuccess; 1920 1921 loser: 1922 SECITEM_FreeItem(tmpEchInner, PR_TRUE); 1923 PORT_Assert(PORT_GetError() != 0); 1924 return SECFailure; 1925 } 1926 1927 SECStatus 1928 tls13_MaybeHandleEchSignal(sslSocket *ss, const PRUint8 *sh, PRUint32 shLen) 1929 { 1930 SECStatus rv; 1931 PRUint8 computed[TLS13_ECH_SIGNAL_LEN]; 1932 const PRUint8 *signal = &ss->ssl3.hs.server_random[SSL3_RANDOM_LENGTH - TLS13_ECH_SIGNAL_LEN]; 1933 PORT_Assert(!ss->sec.isServer); 1934 1935 /* If !echHpkeCtx, we either didn't advertise or sent GREASE ECH. */ 1936 if (!ss->ssl3.hs.echHpkeCtx) { 1937 ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_ech; 1938 return SECSuccess; 1939 } 1940 1941 PORT_Assert(ssl3_ExtensionAdvertised(ss, ssl_tls13_encrypted_client_hello_xtn)); 1942 rv = tls13_ComputeEchSignal(ss, sh, shLen, computed); 1943 if (rv != SECSuccess) { 1944 return SECFailure; 1945 } 1946 1947 ss->ssl3.hs.echAccepted = !PORT_Memcmp(computed, signal, TLS13_ECH_SIGNAL_LEN); 1948 ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_ech; 1949 if (ss->ssl3.hs.echAccepted) { 1950 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { 1951 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_SERVER_HELLO, illegal_parameter); 1952 return SECFailure; 1953 } 1954 /* |enc| must not be included in CH2.ClientECH. */ 1955 if (ss->ssl3.hs.helloRetry && ss->sec.isServer && 1956 ss->xtnData.ech->senderPubKey.len) { 1957 ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); 1958 PORT_SetError(SSL_ERROR_BAD_2ND_CLIENT_HELLO); 1959 return SECFailure; 1960 } 1961 1962 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_tls13_encrypted_client_hello_xtn; 1963 PORT_Memcpy(ss->ssl3.hs.client_random, ss->ssl3.hs.client_inner_random, SSL3_RANDOM_LENGTH); 1964 } 1965 /* If rejected, leave echHpkeCtx and echPublicName for rejection paths. */ 1966 ssl3_CoalesceEchHandshakeHashes(ss); 1967 SSL_TRC(50, ("%d: TLS13[%d]: ECH %s accepted by server", 1968 SSL_GETPID(), ss->fd, ss->ssl3.hs.echAccepted ? "is" : "is not")); 1969 return SECSuccess; 1970 } 1971 1972 static SECStatus 1973 tls13_UnencodeChInner(sslSocket *ss, const SECItem *sidBytes, SECItem **echInner) 1974 { 1975 SECStatus rv; 1976 sslReadBuffer outerExtensionsList; 1977 sslReadBuffer tmpReadBuf; 1978 sslBuffer unencodedChInner = SSL_BUFFER_EMPTY; 1979 PRCList *outerCursor; 1980 PRCList *innerCursor; 1981 PRBool outerFound; 1982 PRUint32 xtnsOffset; 1983 PRUint64 tmp; 1984 PRUint8 *tmpB; 1985 PRUint32 tmpLength; 1986 sslReader chReader = SSL_READER((*echInner)->data, (*echInner)->len); 1987 PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.echOuterExtensions)); 1988 PORT_Assert(PR_CLIST_IS_EMPTY(&ss->ssl3.hs.remoteExtensions)); 1989 1990 /* unencodedChInner := preamble, tmpReadBuf := encoded extensions. */ 1991 rv = tls13_CopyChPreamble(&chReader, sidBytes, &unencodedChInner, &tmpReadBuf); 1992 if (rv != SECSuccess) { 1993 goto loser; /* code set */ 1994 } 1995 1996 /* Parse inner extensions into ss->ssl3.hs.remoteExtensions. */ 1997 tmpB = CONST_CAST(PRUint8, tmpReadBuf.buf); 1998 rv = ssl3_ParseExtensions(ss, &tmpB, &tmpReadBuf.len); 1999 if (rv != SECSuccess) { 2000 goto loser; /* malformed, alert sent. */ 2001 } 2002 2003 /* Exit early if there are no outer_extensions to decompress. */ 2004 if (!ssl3_FindExtension(ss, ssl_tls13_outer_extensions_xtn)) { 2005 rv = sslBuffer_AppendVariable(&unencodedChInner, tmpReadBuf.buf, tmpReadBuf.len, 2); 2006 if (rv != SECSuccess) { 2007 goto loser; 2008 } 2009 sslBuffer_Clear(&unencodedChInner); 2010 return SECSuccess; 2011 } 2012 2013 /* Save room for uncompressed length. */ 2014 rv = sslBuffer_Skip(&unencodedChInner, 2, &xtnsOffset); 2015 if (rv != SECSuccess) { 2016 goto loser; 2017 } 2018 2019 /* For each inner extension: If not outer_extensions, copy it to the output. 2020 * Else if outer_extensions, iterate the compressed extension list and append 2021 * each full extension as contained in CHOuter. Compressed extensions must be 2022 * contiguous, so decompress at the point at which outer_extensions appears. */ 2023 for (innerCursor = PR_NEXT_LINK(&ss->ssl3.hs.remoteExtensions); 2024 innerCursor != &ss->ssl3.hs.remoteExtensions; 2025 innerCursor = PR_NEXT_LINK(innerCursor)) { 2026 TLSExtension *innerExtension = (TLSExtension *)innerCursor; 2027 if (innerExtension->type != ssl_tls13_outer_extensions_xtn) { 2028 rv = sslBuffer_AppendNumber(&unencodedChInner, 2029 innerExtension->type, 2); 2030 if (rv != SECSuccess) { 2031 goto loser; 2032 } 2033 rv = sslBuffer_AppendVariable(&unencodedChInner, 2034 innerExtension->data.data, 2035 innerExtension->data.len, 2); 2036 if (rv != SECSuccess) { 2037 goto loser; 2038 } 2039 continue; 2040 } 2041 2042 /* Decompress */ 2043 sslReader extensionRdr = SSL_READER(innerExtension->data.data, 2044 innerExtension->data.len); 2045 rv = sslRead_ReadVariable(&extensionRdr, 1, &outerExtensionsList); 2046 if (rv != SECSuccess) { 2047 goto loser; 2048 } 2049 if (SSL_READER_REMAINING(&extensionRdr) || (outerExtensionsList.len % 2) != 0) { 2050 PORT_SetError(SSL_ERROR_RX_MALFORMED_ECH_EXTENSION); 2051 goto loser; 2052 } 2053 2054 sslReader compressedTypes = SSL_READER(outerExtensionsList.buf, outerExtensionsList.len); 2055 while (SSL_READER_REMAINING(&compressedTypes)) { 2056 outerFound = PR_FALSE; 2057 rv = sslRead_ReadNumber(&compressedTypes, 2, &tmp); 2058 if (rv != SECSuccess) { 2059 goto loser; 2060 } 2061 if (tmp == ssl_tls13_encrypted_client_hello_xtn || 2062 tmp == ssl_tls13_outer_extensions_xtn) { 2063 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_ECH_EXTENSION, illegal_parameter); 2064 goto loser; 2065 } 2066 for (outerCursor = PR_NEXT_LINK(&ss->ssl3.hs.echOuterExtensions); 2067 outerCursor != &ss->ssl3.hs.echOuterExtensions; 2068 outerCursor = PR_NEXT_LINK(outerCursor)) { 2069 if (((TLSExtension *)outerCursor)->type == tmp) { 2070 outerFound = PR_TRUE; 2071 rv = sslBuffer_AppendNumber(&unencodedChInner, 2072 ((TLSExtension *)outerCursor)->type, 2); 2073 if (rv != SECSuccess) { 2074 goto loser; 2075 } 2076 rv = sslBuffer_AppendVariable(&unencodedChInner, 2077 ((TLSExtension *)outerCursor)->data.data, 2078 ((TLSExtension *)outerCursor)->data.len, 2); 2079 if (rv != SECSuccess) { 2080 goto loser; 2081 } 2082 break; 2083 } 2084 } 2085 if (!outerFound) { 2086 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_ECH_EXTENSION, illegal_parameter); 2087 goto loser; 2088 } 2089 } 2090 } 2091 ssl3_DestroyRemoteExtensions(&ss->ssl3.hs.echOuterExtensions); 2092 ssl3_DestroyRemoteExtensions(&ss->ssl3.hs.remoteExtensions); 2093 2094 /* Correct the message and extensions sizes. */ 2095 rv = sslBuffer_InsertNumber(&unencodedChInner, xtnsOffset, 2096 unencodedChInner.len - xtnsOffset - 2, 2); 2097 if (rv != SECSuccess) { 2098 goto loser; 2099 } 2100 2101 tmpB = &unencodedChInner.buf[xtnsOffset]; 2102 tmpLength = unencodedChInner.len - xtnsOffset; 2103 rv = ssl3_ConsumeHandshakeNumber64(ss, &tmp, 2, &tmpB, &tmpLength); 2104 if (rv != SECSuccess || tmpLength != tmp) { 2105 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CLIENT_HELLO, internal_error); 2106 goto loser; 2107 } 2108 2109 rv = ssl3_ParseExtensions(ss, &tmpB, &tmpLength); 2110 if (rv != SECSuccess) { 2111 goto loser; 2112 } 2113 2114 SECITEM_FreeItem(*echInner, PR_FALSE); 2115 (*echInner)->data = unencodedChInner.buf; 2116 (*echInner)->len = unencodedChInner.len; 2117 return SECSuccess; 2118 2119 loser: 2120 sslBuffer_Clear(&unencodedChInner); 2121 return SECFailure; 2122 } 2123 2124 SECStatus 2125 tls13_MaybeAcceptEch(sslSocket *ss, const SECItem *sidBytes, const PRUint8 *chOuter, 2126 unsigned int chOuterLen, SECItem **chInner) 2127 { 2128 SECStatus rv; 2129 SECItem outer = { siBuffer, CONST_CAST(PRUint8, chOuter), chOuterLen }; 2130 SECItem *decryptedChInner = NULL; 2131 SECItem outerAAD = { siBuffer, NULL, 0 }; 2132 SECItem cookieData = { siBuffer, NULL, 0 }; 2133 sslEchConfig *candidate = NULL; /* non-owning */ 2134 TLSExtension *hrrXtn; 2135 2136 if (!ss->xtnData.ech) { 2137 return SECSuccess; 2138 } 2139 2140 PORT_Assert(ss->xtnData.ech->innerCh.data); 2141 2142 if (ss->ssl3.hs.helloRetry) { 2143 PORT_Assert(!ss->ssl3.hs.echHpkeCtx); 2144 hrrXtn = ssl3_FindExtension(ss, ssl_tls13_cookie_xtn); 2145 if (!hrrXtn) { 2146 /* If the client doesn't echo cookie, we can't decrypt. */ 2147 return SECSuccess; 2148 } 2149 2150 PORT_Assert(!ss->ssl3.hs.echHpkeCtx); 2151 2152 PRUint8 *tmp = hrrXtn->data.data; 2153 PRUint32 len = hrrXtn->data.len; 2154 rv = ssl3_ExtConsumeHandshakeVariable(ss, &cookieData, 2, 2155 &tmp, &len); 2156 if (rv != SECSuccess) { 2157 return SECFailure; 2158 } 2159 2160 /* Extract ECH info without restoring hash state. If there's 2161 * something wrong with the cookie, continue without ECH 2162 * and let HRR code handle the problem. */ 2163 HpkeContext *ch1EchHpkeCtx = NULL; 2164 PRUint8 echConfigId; 2165 HpkeKdfId echKdfId; 2166 HpkeAeadId echAeadId; 2167 rv = tls13_HandleHrrCookie(ss, cookieData.data, cookieData.len, 2168 NULL, NULL, NULL, &echKdfId, &echAeadId, 2169 &echConfigId, &ch1EchHpkeCtx, PR_FALSE); 2170 if (rv != SECSuccess) { 2171 return SECSuccess; 2172 } 2173 2174 ss->ssl3.hs.echHpkeCtx = ch1EchHpkeCtx; 2175 2176 if (echConfigId != ss->xtnData.ech->configId || 2177 echKdfId != ss->xtnData.ech->kdfId || 2178 echAeadId != ss->xtnData.ech->aeadId) { 2179 FATAL_ERROR(ss, SSL_ERROR_BAD_2ND_CLIENT_HELLO, 2180 illegal_parameter); 2181 return SECFailure; 2182 } 2183 2184 if (!ss->ssl3.hs.echHpkeCtx) { 2185 return SECSuccess; 2186 } 2187 } 2188 2189 /* Cookie data was good, proceed with ECH. */ 2190 rv = tls13_GetMatchingEchConfigs(ss, ss->xtnData.ech->kdfId, ss->xtnData.ech->aeadId, 2191 ss->xtnData.ech->configId, candidate, &candidate); 2192 if (rv != SECSuccess) { 2193 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); 2194 return SECFailure; 2195 } 2196 2197 if (candidate) { 2198 rv = tls13_MakeChOuterAAD(ss, &outer, &outerAAD); 2199 if (rv != SECSuccess) { 2200 return SECFailure; 2201 } 2202 } 2203 2204 while (candidate) { 2205 rv = tls13_OpenClientHelloInner(ss, &outer, &outerAAD, candidate, &decryptedChInner); 2206 if (rv != SECSuccess) { 2207 /* Get the next matching config */ 2208 rv = tls13_GetMatchingEchConfigs(ss, ss->xtnData.ech->kdfId, ss->xtnData.ech->aeadId, 2209 ss->xtnData.ech->configId, candidate, &candidate); 2210 if (rv != SECSuccess) { 2211 FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); 2212 SECITEM_FreeItem(&outerAAD, PR_FALSE); 2213 return SECFailure; 2214 } 2215 continue; 2216 } 2217 break; 2218 } 2219 SECITEM_FreeItem(&outerAAD, PR_FALSE); 2220 2221 if (rv != SECSuccess || !decryptedChInner) { 2222 if (ss->ssl3.hs.helloRetry) { 2223 FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_ECH_EXTENSION, decrypt_error); 2224 return SECFailure; 2225 } else { 2226 /* Send retry_configs (if we have any) when we fail to decrypt or 2227 * found no candidates. This does *not* count as negotiating ECH. */ 2228 return ssl3_RegisterExtensionSender(ss, &ss->xtnData, 2229 ssl_tls13_encrypted_client_hello_xtn, 2230 tls13_ServerSendEchXtn); 2231 } 2232 } 2233 2234 SSL_TRC(20, ("%d: TLS13[%d]: Successfully opened ECH inner CH", 2235 SSL_GETPID(), ss->fd)); 2236 ss->ssl3.hs.echAccepted = PR_TRUE; 2237 2238 /* Stash the CHOuter extensions. They're not yet handled (only parsed). If 2239 * the CHInner contains outer_extensions_xtn, we'll need to reference them. */ 2240 ssl3_MoveRemoteExtensions(&ss->ssl3.hs.echOuterExtensions, &ss->ssl3.hs.remoteExtensions); 2241 2242 rv = tls13_UnencodeChInner(ss, sidBytes, &decryptedChInner); 2243 if (rv != SECSuccess) { 2244 SECITEM_FreeItem(decryptedChInner, PR_TRUE); 2245 return SECFailure; /* code set */ 2246 } 2247 *chInner = decryptedChInner; 2248 return SECSuccess; 2249 } 2250 2251 SECStatus 2252 tls13_WriteServerEchSignal(sslSocket *ss, PRUint8 *sh, unsigned int shLen) 2253 { 2254 SECStatus rv; 2255 PRUint8 signal[TLS13_ECH_SIGNAL_LEN]; 2256 PRUint8 *msg_random = &sh[sizeof(SSL3ProtocolVersion)]; 2257 2258 PORT_Assert(shLen > sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH); 2259 PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); 2260 2261 rv = tls13_ComputeEchSignal(ss, sh, shLen, signal); 2262 if (rv != SECSuccess) { 2263 return SECFailure; 2264 } 2265 PRUint8 *dest = &msg_random[SSL3_RANDOM_LENGTH - TLS13_ECH_SIGNAL_LEN]; 2266 PORT_Memcpy(dest, signal, TLS13_ECH_SIGNAL_LEN); 2267 2268 /* Keep the socket copy consistent. */ 2269 PORT_Assert(0 == memcmp(msg_random, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH - TLS13_ECH_SIGNAL_LEN)); 2270 dest = &ss->ssl3.hs.server_random[SSL3_RANDOM_LENGTH - TLS13_ECH_SIGNAL_LEN]; 2271 PORT_Memcpy(dest, signal, TLS13_ECH_SIGNAL_LEN); 2272 2273 return SECSuccess; 2274 } 2275