Source code
Revision control
Copy as Markdown
Other Tools
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
/*
* DTLS 1.3 Protocol
*/
#include "ssl.h"
#include "sslimpl.h"
#include "sslproto.h"
#include "keyhi.h"
#include "pk11func.h"
/*Figure 3: DTLS 1.3 Unified Header */
/*
* 0 1 2 3 4 5 6 7
* +-+-+-+-+-+-+-+-+
* |0|0|1|C|S|L|E E|
* +-+-+-+-+-+-+-+-+
* | Connection ID | Legend:
* | (if any, |
* / length as / C - CID present
* | negotiated) | S - Sequence number length
* +-+-+-+-+-+-+-+-+ L - Length present
* | 8 or 16 bit | E - Epoch
* |Sequence Number|
* +-+-+-+-+-+-+-+-+
* | 16 bit Length |
* | (if present) |
* +-+-+-+-+-+-+-+-+
*/
// E: The two low bits (0x03) include the low order two bits of the epoch.
#define MASK_TWO_LOW_BITS 0x3
// Fixed Bits: The three high bits of the first byte of the unified header are set to 001.
// The C bit is set if the Connection ID is present.
// The S bit (0x08) indicates the size of the sequence number, here 1 stands for 16 bits
// The L bit (0x04) is set if the length is present.
// The EE bits - mask of the epoch
// 0x2c = 0b001-0-1-1-00
// 001-C-S-L-EE
#define UNIFIED_HEADER_LONG 0x2c
// 0x20 = 0b001-0-0-1-00
// 001-C-S-L-EE
// The difference between the long and short header is in the S bit (1 for long, 0 for short).
// The S bit (0x08) indicates the size of the sequence number, here 0 stands for 8 bits
#define UNIFIED_HEADER_SHORT 0x20
// The masks to get the 8 (MASK_SEQUENCE_NUMBER_SHORT) or 16 bits (MASK_SEQUENCE_NUMBER_LONG) of the record sequence number.
#define MASK_SEQUENCE_NUMBER_SHORT 0xff
#define MASK_SEQUENCE_NUMBER_LONG 0xffff
/*The DTLS Record Layer - Figure 3 and further*/
SECStatus
dtls13_InsertCipherTextHeader(const sslSocket *ss, const ssl3CipherSpec *cwSpec,
sslBuffer *wrBuf, PRBool *needsLength)
{
/* Avoid using short records for the handshake. We pack multiple records
* into the one datagram for the handshake. */
/* The short header here means that the S bit is set to 0 (8-bit sequence number) */
if (ss->opt.enableDtlsShortHeader &&
cwSpec->epoch > TrafficKeyHandshake) {
*needsLength = PR_FALSE;
/* The short header is comprised of two octets in the form
* 0b001000eessssssss where 'e' is the low two bits of the
* epoch and 's' is the low 8 bits of the sequence number. */
PRUint8 ct = UNIFIED_HEADER_SHORT | ((uint64_t)cwSpec->epoch & MASK_TWO_LOW_BITS);
if (sslBuffer_AppendNumber(wrBuf, ct, sizeof(ct)) != SECSuccess) {
return SECFailure;
}
PRUint8 seq = cwSpec->nextSeqNum & MASK_SEQUENCE_NUMBER_SHORT;
return sslBuffer_AppendNumber(wrBuf, seq, sizeof(seq));
}
PRUint8 ct = UNIFIED_HEADER_LONG | ((PRUint8)cwSpec->epoch & MASK_TWO_LOW_BITS);
if (sslBuffer_AppendNumber(wrBuf, ct, sizeof(ct)) != SECSuccess) {
return SECFailure;
}
PRUint16 seq = cwSpec->nextSeqNum & MASK_SEQUENCE_NUMBER_LONG;
if (sslBuffer_AppendNumber(wrBuf, seq, sizeof(seq)) != SECSuccess) {
return SECFailure;
}
*needsLength = PR_TRUE;
return SECSuccess;
}
/* DTLS 1.3 Record map for ACK processing.
* This represents a single fragment, so a record which includes
* multiple fragments will have one entry for each fragment on the
* sender. We use the same structure on the receiver for convenience
* but the only value we actually use is |record|.
*/
typedef struct DTLSHandshakeRecordEntryStr {
PRCList link;
PRUint16 messageSeq; /* The handshake message sequence number. */
PRUint32 offset; /* The offset into the handshake message. */
PRUint32 length; /* The length of the fragment. */
/* DTLS adds an epoch and sequence number to the TLS record header. */
sslSequenceNumber record; /* The record (includes epoch). */
PRBool acked; /* Has this packet been acked. */
} DTLSHandshakeRecordEntry;
/*The sequence number is set to be the low order 48
bits of the 64 bit sequence number.*/
#define LENGTH_SEQ_NUMBER 48
/* Combine the epoch and sequence number into a single value. */
static inline sslSequenceNumber
dtls_CombineSequenceNumber(DTLSEpoch epoch, sslSequenceNumber seqNum)
{
PORT_Assert(seqNum <= RECORD_SEQ_MAX);
return ((sslSequenceNumber)epoch << LENGTH_SEQ_NUMBER) | seqNum;
}
SECStatus
dtls13_RememberFragment(sslSocket *ss,
PRCList *list,
PRUint32 sequence,
PRUint32 offset,
PRUint32 length,
DTLSEpoch epoch,
sslSequenceNumber record)
{
DTLSHandshakeRecordEntry *entry;
PORT_Assert(IS_DTLS(ss));
/* We should never send an empty fragment with offset > 0. */
PORT_Assert(length || !offset);
if (!tls13_MaybeTls13(ss)) {
return SECSuccess;
}
SSL_TRC(20, ("%d: SSL3[%d]: %s remembering %s record=%llx msg=%d offset=%d",
SSL_GETPID(), ss->fd,
SSL_ROLE(ss),
list == &ss->ssl3.hs.dtlsSentHandshake ? "sent" : "received",
dtls_CombineSequenceNumber(epoch, record), sequence, offset));
entry = PORT_ZAlloc(sizeof(DTLSHandshakeRecordEntry));
if (!entry) {
return SECFailure;
}
entry->messageSeq = sequence;
entry->offset = offset;
entry->length = length;
entry->record = dtls_CombineSequenceNumber(epoch, record);
entry->acked = PR_FALSE;
PR_APPEND_LINK(&entry->link, list);
return SECSuccess;
}
/* RFC9147; section 7.1 */
SECStatus
dtls13_SendAck(sslSocket *ss)
{
sslBuffer buf = SSL_BUFFER_EMPTY;
SECStatus rv = SECSuccess;
PRCList *cursor;
PRInt32 sent;
unsigned int offset = 0;
SSL_TRC(10, ("%d: SSL3[%d]: Sending ACK",
SSL_GETPID(), ss->fd));
/* RecordNumber record_numbers<0..2^16-1>;
2 length bytes for the list of ACKs*/
PRUint32 sizeOfListACK = 2;
rv = sslBuffer_Skip(&buf, sizeOfListACK, &offset);
if (rv != SECSuccess) {
goto loser;
}
for (cursor = PR_LIST_HEAD(&ss->ssl3.hs.dtlsRcvdHandshake);
cursor != &ss->ssl3.hs.dtlsRcvdHandshake;
cursor = PR_NEXT_LINK(cursor)) {
DTLSHandshakeRecordEntry *entry = (DTLSHandshakeRecordEntry *)cursor;
SSL_TRC(10, ("%d: SSL3[%d]: ACK for record=%llx",
SSL_GETPID(), ss->fd, entry->record));
/*See dtls_CombineSequenceNumber function */
PRUint64 epoch = entry->record >> 48;
PRUint64 seqNum = entry->record & 0xffffffffffff;
rv = sslBuffer_AppendNumber(&buf, epoch, 8);
if (rv != SECSuccess) {
goto loser;
}
rv = sslBuffer_AppendNumber(&buf, seqNum, 8);
if (rv != SECSuccess) {
goto loser;
}
}
rv = sslBuffer_InsertLength(&buf, offset, sizeOfListACK);
if (rv != SECSuccess) {
goto loser;
}
ssl_GetXmitBufLock(ss);
sent = ssl3_SendRecord(ss, NULL, ssl_ct_ack,
buf.buf, buf.len, 0);
ssl_ReleaseXmitBufLock(ss);
if (sent != buf.len) {
rv = SECFailure;
if (sent != -1) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
}
}
loser:
sslBuffer_Clear(&buf);
return rv;
}
void
dtls13_SendAckCb(sslSocket *ss)
{
if (!IS_DTLS(ss)) {
return;
}
(void)dtls13_SendAck(ss);
}
/* Limits from RFC9147; section 4.5.3. */
PRBool
dtls13_AeadLimitReached(ssl3CipherSpec *spec)
{
if (spec->version >= SSL_LIBRARY_VERSION_TLS_1_3) {
switch (spec->cipherDef->calg) {
case ssl_calg_chacha20:
case ssl_calg_aes_gcm:
return spec->deprotectionFailures >= (1ULL << 36);
#ifdef UNSAFE_FUZZER_MODE
case ssl_calg_null:
return PR_FALSE;
#endif
default:
PORT_Assert(0);
break;
}
}
return PR_FALSE;
}
/* Zero length messages are very simple to check. */
static PRBool
dtls_IsEmptyMessageAcknowledged(sslSocket *ss, PRUint16 msgSeq, PRUint32 offset)
{
PRCList *cursor;
for (cursor = PR_LIST_HEAD(&ss->ssl3.hs.dtlsSentHandshake);
cursor != &ss->ssl3.hs.dtlsSentHandshake;
cursor = PR_NEXT_LINK(cursor)) {
DTLSHandshakeRecordEntry *entry = (DTLSHandshakeRecordEntry *)cursor;
if (!entry->acked || msgSeq != entry->messageSeq) {
continue;
}
/* Empty fragments are always offset 0. */
if (entry->length == 0) {
PORT_Assert(!entry->offset);
return PR_TRUE;
}
}
return PR_FALSE;
}
/* Take a range starting at |*start| and that start forwards based on the
* contents of the acknowedgement in |entry|. Only move if the acknowledged
* range overlaps |*start|. Return PR_TRUE if it moves. */
static PRBool
dtls_MoveUnackedStartForward(DTLSHandshakeRecordEntry *entry, PRUint32 *start)
{
/* This entry starts too late. */
if (*start < entry->offset) {
return PR_FALSE;
}
/* This entry ends too early. */
if (*start >= entry->offset + entry->length) {
return PR_FALSE;
}
*start = entry->offset + entry->length;
return PR_TRUE;
}
/* Take a range ending at |*end| and move that end backwards based on the
* contents of the acknowedgement in |entry|. Only move if the acknowledged
* range overlaps |*end|. Return PR_TRUE if it moves. */
static PRBool
dtls_MoveUnackedEndBackward(DTLSHandshakeRecordEntry *entry, PRUint32 *end)
{
/* This entry ends too early. */
if (*end > entry->offset + entry->length) {
return PR_FALSE;
}
/* This entry starts too late. */
if (*end <= entry->offset) {
return PR_FALSE;
}
*end = entry->offset;
return PR_TRUE;
}
/* Get the next contiguous range of unacknowledged bytes from the handshake
* message identified by |msgSeq|. The search starts at the offset in |offset|.
* |len| contains the full length of the message.
*
* Returns PR_TRUE if there is an unacknowledged range. In this case, values at
* |start| and |end| are modified to contain the range.
*
* Returns PR_FALSE if the message is entirely acknowledged from |offset|
* onwards.
*/
PRBool
dtls_NextUnackedRange(sslSocket *ss, PRUint16 msgSeq, PRUint32 offset,
PRUint32 len, PRUint32 *startOut, PRUint32 *endOut)
{
PRCList *cur_p;
PRBool done = PR_FALSE;
DTLSHandshakeRecordEntry *entry;
PRUint32 start;
PRUint32 end;
PORT_Assert(IS_DTLS(ss));
*startOut = offset;
*endOut = len;
if (!tls13_MaybeTls13(ss)) {
return PR_TRUE;
}
/* The message is empty. Use a simple search. */
if (!len) {
PORT_Assert(!offset);
return !dtls_IsEmptyMessageAcknowledged(ss, msgSeq, offset);
}
/* This iterates multiple times over the acknowledgments and only terminates
* when an entire iteration happens without start or end moving. If that
* happens without start and end crossing each other, then there is a range
* of unacknowledged data. If they meet, then the message is fully
* acknowledged. */
start = offset;
end = len;
while (!done) {
done = PR_TRUE;
for (cur_p = PR_LIST_HEAD(&ss->ssl3.hs.dtlsSentHandshake);
cur_p != &ss->ssl3.hs.dtlsSentHandshake;
cur_p = PR_NEXT_LINK(cur_p)) {
entry = (DTLSHandshakeRecordEntry *)cur_p;
if (!entry->acked || msgSeq != entry->messageSeq) {
continue;
}
if (dtls_MoveUnackedStartForward(entry, &start) ||
dtls_MoveUnackedEndBackward(entry, &end)) {
if (start >= end) {
/* The message is all acknowledged. */
return PR_FALSE;
}
/* Start over again and keep going until we don't move either
* start or end. */
done = PR_FALSE;
break;
}
}
}
PORT_Assert(start < end);
*startOut = start;
*endOut = end;
return PR_TRUE;
}
SECStatus
dtls13_SetupAcks(sslSocket *ss)
{
if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
return SECSuccess;
}
if (ss->ssl3.hs.endOfFlight) {
dtls_CancelTimer(ss, ss->ssl3.hs.ackTimer);
if (ss->ssl3.hs.ws == idle_handshake && ss->sec.isServer) {
SSL_TRC(10, ("%d: SSL3[%d]: dtls_HandleHandshake, sending ACK",
SSL_GETPID(), ss->fd));
return dtls13_SendAck(ss);
}
return SECSuccess;
}
/* We need to send an ACK. */
if (!ss->ssl3.hs.ackTimer->cb) {
/* We're not armed, so arm. */
SSL_TRC(10, ("%d: SSL3[%d]: dtls_HandleHandshake, arming ack timer",
SSL_GETPID(), ss->fd));
return dtls_StartTimer(ss, ss->ssl3.hs.ackTimer,
DTLS_RETRANSMIT_INITIAL_MS / 4,
dtls13_SendAckCb);
}
/* The ack timer is already armed, so just return. */
return SECSuccess;
}
/*
* Special case processing for out-of-epoch records.
* This can only handle ACKs for now and everything else generates
* an error. In future, may also handle KeyUpdate.
*
* The error checking here is as follows:
*
* - If it's not encrypted, out of epoch stuff is just discarded.
* - If it's encrypted and the message is a piece of an application data, it's discarded.
* - Else out of epoch stuff causes an error.
*
*/
SECStatus
dtls13_HandleOutOfEpochRecord(sslSocket *ss, const ssl3CipherSpec *spec,
SSLContentType rType,
sslBuffer *databuf)
{
SECStatus rv;
sslBuffer buf = *databuf;
databuf->len = 0; /* Discard data whatever happens. */
PORT_Assert(IS_DTLS(ss));
PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3);
/* Can't happen, but double check. */
if (!IS_DTLS(ss) || (ss->version < SSL_LIBRARY_VERSION_TLS_1_3)) {
tls13_FatalError(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);
return SECFailure;
}
SSL_TRC(30, ("%d: DTLS13[%d]: %s handles out of epoch record: type=%d", SSL_GETPID(),
ss->fd, SSL_ROLE(ss), rType));
if (rType == ssl_ct_ack) {
ssl_GetSSL3HandshakeLock(ss);
rv = dtls13_HandleAck(ss, &buf);
ssl_ReleaseSSL3HandshakeLock(ss);
PORT_Assert(databuf->len == 0);
return rv;
}
switch (spec->epoch) {
case TrafficKeyClearText:
/* Drop. */
return SECSuccess;
case TrafficKeyHandshake:
/* Drop out of order handshake messages, but if we are the
* server, we might have processed the client's Finished and
* moved on to application data keys, but the client has
* retransmitted Finished (e.g., because our ACK got lost.)
* We just retransmit the ACK to let the client complete. */
if (rType == ssl_ct_handshake) {
if ((ss->sec.isServer) &&
(ss->ssl3.hs.ws == idle_handshake)) {
PORT_Assert(dtls_TimerActive(ss, ss->ssl3.hs.hdTimer));
return dtls13_SendAck(ss);
}
return SECSuccess;
}
/* This isn't a handshake record, so shouldn't be encrypted
* under the handshake key. */
break;
default:
if (rType == ssl_ct_application_data) {
return SECSuccess;
}
break;
}
SSL_TRC(10, ("%d: SSL3[%d]: unexpected out of epoch record type %d", SSL_GETPID(),
ss->fd, rType));
(void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
PORT_SetError(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE);
return SECFailure;
}
/* KeyUpdate in DTLS1.3 is required to be ACKed.
The dtls13_maybeProcessKeyUpdateAck function is called when we receive a message acknowledging KeyUpdate.
The function will then update the writing keys of the party started KeyUpdate.
*/
SECStatus
dtls13_maybeProcessKeyUpdateAck(sslSocket *ss, PRUint16 entrySeq)
{
/* RFC 9147. Section 8.
Due to the possibility of an ACK message for a KeyUpdate being lost
and thereby preventing the sender of KeyUpdate from updating its
keying material, receivers MUST retain the pre-update keying material
until receipt and successful decryption of a message using the new
keys.*/
if (ss->ssl3.hs.isKeyUpdateInProgress && entrySeq == ss->ssl3.hs.dtlsHandhakeKeyUpdateMessage) {
SSL_TRC(30, ("%d: DTLS13[%d]: %s key update is completed", SSL_GETPID(), ss->fd, SSL_ROLE(ss)));
PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
SECStatus rv = SECSuccess;
rv = tls13_UpdateTrafficKeys(ss, ssl_secret_write);
if (rv != SECSuccess) {
return SECFailure;
}
PORT_Assert(ss->ssl3.hs.isKeyUpdateInProgress);
ss->ssl3.hs.isKeyUpdateInProgress = PR_FALSE;
return rv;
}
else
return SECSuccess;
}
SECStatus
dtls13_HandleAck(sslSocket *ss, sslBuffer *databuf)
{
PRUint8 *b = databuf->buf;
PRUint32 l = databuf->len;
unsigned int length;
SECStatus rv;
PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
/* Ensure we don't loop. */
databuf->len = 0;
PORT_Assert(IS_DTLS(ss));
if (!tls13_MaybeTls13(ss)) {
tls13_FatalError(ss, SSL_ERROR_RX_UNKNOWN_RECORD_TYPE, illegal_parameter);
return SECFailure;
}
SSL_TRC(10, ("%d: SSL3[%d]: Handling ACK", SSL_GETPID(), ss->fd));
rv = ssl3_ConsumeHandshakeNumber(ss, &length, 2, &b, &l);
if (rv != SECSuccess) {
goto loser;
}
if (length != l) {
goto loser;
}
while (l > 0) {
PRUint64 seq;
PRUint64 epoch;
PRCList *cursor;
rv = ssl3_ConsumeHandshakeNumber64(ss, &epoch, 8, &b, &l);
if (rv != SECSuccess) {
goto loser;
}
rv = ssl3_ConsumeHandshakeNumber64(ss, &seq, 8, &b, &l);
if (rv != SECSuccess) {
goto loser;
}
if (epoch > RECORD_EPOCH_MAX) {
SSL_TRC(50, ("%d: SSL3[%d]: ACK message was rejected: the epoch exceeds the limit", SSL_GETPID(), ss->fd));
continue;
}
if (seq > RECORD_SEQ_MAX) {
SSL_TRC(50, ("%d: SSL3[%d]: ACK message was rejected: the sequence number exceeds the limit", SSL_GETPID(), ss->fd));
continue;
}
seq = dtls_CombineSequenceNumber(epoch, seq);
for (cursor = PR_LIST_HEAD(&ss->ssl3.hs.dtlsSentHandshake);
cursor != &ss->ssl3.hs.dtlsSentHandshake;
cursor = PR_NEXT_LINK(cursor)) {
DTLSHandshakeRecordEntry *entry = (DTLSHandshakeRecordEntry *)cursor;
if (entry->record == seq) {
SSL_TRC(30, (
"%d: DTLS13[%d]: Marking record=%llx message %d offset %d length=%d as ACKed",
SSL_GETPID(), ss->fd,
entry->record, entry->messageSeq, entry->offset, entry->length));
entry->acked = PR_TRUE;
/* When we sent a KeyUpdate message, we have recorded the identifier of the message.
During the HandleACK we check if we received an ack for the KeyUpdate message we sent.*/
rv = dtls13_maybeProcessKeyUpdateAck(ss, entry->messageSeq);
if (rv != SECSuccess) {
return SECFailure;
}
}
}
}
/* Try to flush. */
rv = dtls_TransmitMessageFlight(ss);
if (rv != SECSuccess) {
return SECFailure;
}
/* Reset the retransmit timer. */
if (ss->ssl3.hs.rtTimer->cb) {
(void)dtls_RestartTimer(ss, ss->ssl3.hs.rtTimer);
}
/* If there are no more messages to send, cleanup. */
if (PR_CLIST_IS_EMPTY(&ss->ssl3.hs.lastMessageFlight)) {
SSL_TRC(10, ("%d: SSL3[%d]: No more unacked handshake messages",
SSL_GETPID(), ss->fd));
dtls_CancelTimer(ss, ss->ssl3.hs.rtTimer);
ssl_ClearPRCList(&ss->ssl3.hs.dtlsSentHandshake, NULL);
/* If the handshake is finished, and we're the client then
* also clean up the handshake read cipher spec. Any ACKs
* we receive will be with the application data cipher spec.
* The server needs to keep the handshake cipher spec around
* for the holddown period to process retransmitted Finisheds.
*/
if (!ss->sec.isServer && (ss->ssl3.hs.ws == idle_handshake)) {
ssl_CipherSpecReleaseByEpoch(ss, ssl_secret_read,
TrafficKeyHandshake);
}
}
return SECSuccess;
loser:
* ignore an invalid record here. */
SSL_TRC(11, ("%d: SSL3[%d]: Error processing DTLS1.3 ACK.",
SSL_GETPID(), ss->fd));
PORT_SetError(SSL_ERROR_RX_MALFORMED_DTLS_ACK);
return SECFailure;
}
/* Clean up the read timer for the handshake cipher suites on the
* server.
*
* In DTLS 1.3, the client speaks last (Finished), and will retransmit
* until the server ACKs that message (using application data cipher
* suites). I.e.,
*
* - The client uses the retransmit timer and retransmits using the
* saved write handshake cipher suite.
* - The server keeps the saved read handshake cipher suite around
* for the holddown period in case it needs to read the Finished.
*
* After the holddown period, the server assumes the client is happy
* and discards the handshake read cipher suite.
*/
void
dtls13_HolddownTimerCb(sslSocket *ss)
{
SSL_TRC(10, ("%d: SSL3[%d]: holddown timer fired",
SSL_GETPID(), ss->fd));
ssl_CipherSpecReleaseByEpoch(ss, ssl_secret_read, TrafficKeyHandshake);
ssl_ClearPRCList(&ss->ssl3.hs.dtlsRcvdHandshake, NULL);
}
/*RFC 9147. 4.2.3. Record Number Encryption*/
SECStatus
dtls13_MaskSequenceNumber(sslSocket *ss, ssl3CipherSpec *spec,
PRUint8 *hdr, PRUint8 *cipherText, PRUint32 cipherTextLen)
{
PORT_Assert(IS_DTLS(ss));
if (spec->version < SSL_LIBRARY_VERSION_TLS_1_3) {
return SECSuccess;
}
if (spec->maskContext) {
#ifdef UNSAFE_FUZZER_MODE
/* Use a null mask. */
PRUint8 mask[2] = { 0 };
#else
/* "This procedure requires the ciphertext length be at least 16 bytes.
* Receivers MUST reject shorter records as if they had failed
* deprotection, as described in Section 4.5.2." */
if (cipherTextLen < 16) {
PORT_SetError(SSL_ERROR_BAD_MAC_READ);
return SECFailure;
}
PRUint8 mask[2];
SECStatus rv = ssl_CreateMaskInner(spec->maskContext, cipherText, cipherTextLen, mask, sizeof(mask));
if (rv != SECSuccess) {
PORT_SetError(SSL_ERROR_BAD_MAC_READ);
return SECFailure;
}
#endif
/*
The encrypted sequence number is computed by XORing the leading bytes
of the mask with the on-the-wire representation of the sequence
number. Decryption is accomplished by the same process.
*/
PRUint32 maskSBitIsSet = 0x08;
hdr[1] ^= mask[0];
if (hdr[0] & maskSBitIsSet) {
hdr[2] ^= mask[1];
}
}
return SECSuccess;
}
CK_MECHANISM_TYPE
tls13_SequenceNumberEncryptionMechanism(SSLCipherAlgorithm bulkAlgorithm)
{
/*
When the AEAD is based on AES, then the mask is generated by
computing AES-ECB on the first 16 bytes of the ciphertext:
When the AEAD is based on ChaCha20, then the mask is generated by
treating the first 4 bytes of the ciphertext as the block counter and
the next 12 bytes as the nonce, passing them to the ChaCha20 block
function.
*/
switch (bulkAlgorithm) {
case ssl_calg_aes_gcm:
return CKM_AES_ECB;
case ssl_calg_chacha20:
return CKM_NSS_CHACHA20_CTR;
default:
PORT_Assert(PR_FALSE);
}
return CKM_INVALID_MECHANISM;
}
/* The function constucts the KeyUpdate Message.
The structure is presented in RFC 9147 Section 5.2. */
SECStatus
dtls13_EnqueueKeyUpdateMessage(sslSocket *ss, tls13KeyUpdateRequest request)
{
SECStatus rv = SECFailure;
/*
The epoch number is initially zero and is incremented each time
keying material changes and a sender aims to rekey.
More details are provided in RFC 9147 Section 6.1.*/
rv = ssl3_AppendHandshakeHeaderAndStashSeqNum(ss, ssl_hs_key_update, 1, &ss->ssl3.hs.dtlsHandhakeKeyUpdateMessage);
if (rv != SECSuccess) {
return rv; /* error code set by ssl3_AppendHandshakeHeader, if applicable. */
}
rv = ssl3_AppendHandshakeNumber(ss, request, 1);
if (rv != SECSuccess) {
return rv; /* error code set by ssl3_AppendHandshakeNumber, if applicable. */
}
return SECSuccess;
}
/* The ssl3CipherSpecStr (sslspec.h) structure describes a spec for r/w records.
For the specification, the epoch is defined as uint16 value,
So the maximum epoch is 2 ^ 16 - 1*/
#define DTLS13_MAX_EPOCH_TYPE PR_UINT16_MAX
/*RFC 9147. Section 8.
In order to provide an extra margin of security,
sending implementations MUST NOT allow the epoch to exceed 2^48-1.*/
#define DTLS13_MAX_EPOCH ((0x1ULL << 48) - 1)
SECStatus
dtls13_MaybeSendKeyUpdate(sslSocket *ss, tls13KeyUpdateRequest request, PRBool buffer)
{
SSL_TRC(30, ("%d: DTLS13[%d]: %s sends key update, response %s",
SSL_GETPID(), ss->fd, SSL_ROLE(ss),
(request == update_requested) ? "requested"
: "not requested"));
PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
SECStatus rv = SECFailure;
/*
and the sendKeyUpdate will update the writing keys
so, if the epoch is already maximum, KeyUpdate will be cancelled.*/
ssl_GetSpecWriteLock(ss);
/* This check is done as well in the updateTrafficKey function */
if (ss->ssl3.cwSpec->epoch >= DTLS13_MAX_EPOCH_TYPE) {
ssl_ReleaseSpecWriteLock(ss);
SSL_TRC(30, ("%d: DTLS13[%d]: %s keyUpdate request was cancelled, as the writing epoch arrived to the maximum possible",
SSL_GETPID(), ss->fd, SSL_ROLE(ss)));
PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
return SECFailure;
} else {
ssl_ReleaseSpecWriteLock(ss);
}
PORT_Assert(DTLS13_MAX_EPOCH_TYPE <= DTLS13_MAX_EPOCH);
ssl_GetSpecReadLock(ss);
if (request == update_requested && ss->ssl3.crSpec->epoch >= DTLS13_MAX_EPOCH_TYPE) {
SSL_TRC(30, ("%d: DTLS13[%d]: %s keyUpdate request update_requested was cancelled, as the reading epoch arrived to the maximum possible",
SSL_GETPID(), ss->fd, SSL_ROLE(ss)));
request = update_not_requested;
}
ssl_ReleaseSpecReadLock(ss);
/* RFC 9147. Section 5.8.4.
In contrast, implementations MUST NOT send KeyUpdate, NewConnectionId, or
RequestConnectionId messages if an earlier message of the same type
has not yet been acknowledged.*/
if (ss->ssl3.hs.isKeyUpdateInProgress) {
SSL_TRC(30, ("%d: DTLS13[%d]: the previous %s KeyUpdate message was not yet ack-ed, dropping",
SSL_GETPID(), ss->fd, SSL_ROLE(ss), ss->ssl3.hs.sendMessageSeq));
return SECSuccess;
}
ssl_GetXmitBufLock(ss);
rv = dtls13_EnqueueKeyUpdateMessage(ss, request);
if (rv != SECSuccess) {
return rv; /* error code already set */
}
/* Trying to send the message - without buffering. */
/* TODO[AW]: As I just emulated the API, I am not sure that it's necessary to buffer. */
rv = ssl3_FlushHandshake(ss, 0);
if (rv != SECSuccess) {
return SECFailure; /* error code set by ssl3_FlushHandshake */
}
ssl_ReleaseXmitBufLock(ss);
/* The keyUpdate is started. */
PORT_Assert(ss->ssl3.hs.isKeyUpdateInProgress == PR_FALSE);
ss->ssl3.hs.isKeyUpdateInProgress = PR_TRUE;
SSL_TRC(30, ("%d: DTLS13[%d]: %s has just sent keyUpdate request #%d and is waiting for ack",
SSL_GETPID(), ss->fd, SSL_ROLE(ss), ss->ssl3.hs.dtlsHandhakeKeyUpdateMessage));
return SECSuccess;
}
SECStatus
dtls13_HandleKeyUpdate(sslSocket *ss, PRUint8 *b, unsigned int length, PRBool update)
{
SSL_TRC(10, ("%d: DTLS13[%d]: %s handles Key Update",
SSL_GETPID(), ss->fd, SSL_ROLE(ss)));
PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
SECStatus rv = SECSuccess;
if (update == update_requested) {
/* Respond immediately (don't buffer). */
rv = tls13_SendKeyUpdate(ss, update_not_requested, PR_FALSE);
if (rv != SECSuccess) {
return SECFailure; /* Error already set. */
}
}
SSL_TRC(30, ("%d: DTLS13[%d]: now %s is allowing the messages from the previous epoch",
SSL_GETPID(), ss->fd, SSL_ROLE(ss)));
ss->ssl3.hs.allowPreviousEpoch = PR_TRUE;
/* Updating the reading key. */
rv = tls13_UpdateTrafficKeys(ss, ssl_secret_read);
if (rv != SECSuccess) {
return SECFailure; /* Error code set by tls13_UpdateTrafficKeys. */
}
return SECSuccess;
}