summaryrefslogtreecommitdiffstats
path: root/security/nss/lib/ssl/tls13replay.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 19:33:14 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 19:33:14 +0000
commit36d22d82aa202bb199967e9512281e9a53db42c9 (patch)
tree105e8c98ddea1c1e4784a60a5a6410fa416be2de /security/nss/lib/ssl/tls13replay.c
parentInitial commit. (diff)
downloadfirefox-esr-upstream.tar.xz
firefox-esr-upstream.zip
Adding upstream version 115.7.0esr.upstream/115.7.0esrupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/nss/lib/ssl/tls13replay.c')
-rw-r--r--security/nss/lib/ssl/tls13replay.c285
1 files changed, 285 insertions, 0 deletions
diff --git a/security/nss/lib/ssl/tls13replay.c b/security/nss/lib/ssl/tls13replay.c
new file mode 100644
index 0000000000..7e00785e08
--- /dev/null
+++ b/security/nss/lib/ssl/tls13replay.c
@@ -0,0 +1,285 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * Anti-replay measures for TLS 1.3.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nss.h" /* for NSS_RegisterShutdown */
+#include "nssilock.h" /* for PZMonitor */
+#include "pk11pub.h"
+#include "prmon.h"
+#include "prtime.h"
+#include "secerr.h"
+#include "ssl.h"
+#include "sslbloom.h"
+#include "sslimpl.h"
+#include "tls13hkdf.h"
+#include "tls13psk.h"
+
+struct SSLAntiReplayContextStr {
+ /* The number of outstanding references to this context. */
+ PRInt32 refCount;
+ /* Used to serialize access. */
+ PZMonitor *lock;
+ /* The filters, use of which alternates. */
+ sslBloomFilter filters[2];
+ /* Which of the two filters is active (0 or 1). */
+ PRUint8 current;
+ /* The time that we will next update. */
+ PRTime nextUpdate;
+ /* The width of the window; i.e., the period of updates. */
+ PRTime window;
+ /* This key ensures that the bloom filter index is unpredictable. */
+ PK11SymKey *key;
+};
+
+void
+tls13_ReleaseAntiReplayContext(SSLAntiReplayContext *ctx)
+{
+ if (!ctx) {
+ return;
+ }
+ if (PR_ATOMIC_DECREMENT(&ctx->refCount) >= 1) {
+ return;
+ }
+
+ if (ctx->lock) {
+ PZ_DestroyMonitor(ctx->lock);
+ ctx->lock = NULL;
+ }
+ PK11_FreeSymKey(ctx->key);
+ ctx->key = NULL;
+ sslBloom_Destroy(&ctx->filters[0]);
+ sslBloom_Destroy(&ctx->filters[1]);
+ PORT_Free(ctx);
+}
+
+/* Clear the current state and free any resources we allocated. */
+SECStatus
+SSLExp_ReleaseAntiReplayContext(SSLAntiReplayContext *ctx)
+{
+ tls13_ReleaseAntiReplayContext(ctx);
+ return SECSuccess;
+}
+
+SSLAntiReplayContext *
+tls13_RefAntiReplayContext(SSLAntiReplayContext *ctx)
+{
+ PORT_Assert(ctx);
+ PR_ATOMIC_INCREMENT(&ctx->refCount);
+ return ctx;
+}
+
+static SECStatus
+tls13_AntiReplayKeyGen(SSLAntiReplayContext *ctx)
+{
+ PK11SlotInfo *slot;
+
+ PORT_Assert(ctx);
+
+ slot = PK11_GetBestSlot(CKM_HKDF_DERIVE, NULL);
+ if (!slot) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+
+ ctx->key = PK11_KeyGen(slot, CKM_HKDF_KEY_GEN, NULL, 32, NULL);
+ if (!ctx->key) {
+ goto loser;
+ }
+
+ PK11_FreeSlot(slot);
+ return SECSuccess;
+
+loser:
+ PK11_FreeSlot(slot);
+ return SECFailure;
+}
+
+/* Set a limit on the combination of number of hashes and bits in each hash. */
+#define SSL_MAX_BLOOM_FILTER_SIZE 64
+
+/*
+ * The context created by this function can be called concurrently on multiple
+ * threads if the server is multi-threaded. A monitor is used to ensure that
+ * only one thread can access the structures that change over time, but no such
+ * guarantee is provided for configuration data.
+ */
+SECStatus
+SSLExp_CreateAntiReplayContext(PRTime now, PRTime window, unsigned int k,
+ unsigned int bits, SSLAntiReplayContext **pctx)
+{
+ SECStatus rv;
+
+ if (window <= 0 || k == 0 || bits == 0 || pctx == NULL) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+ if ((k * (bits + 7) / 8) > SSL_MAX_BLOOM_FILTER_SIZE) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+
+ SSLAntiReplayContext *ctx = PORT_ZNew(SSLAntiReplayContext);
+ if (!ctx) {
+ return SECFailure; /* Code already set. */
+ }
+
+ ctx->refCount = 1;
+ ctx->lock = PZ_NewMonitor(nssILockSSL);
+ if (!ctx->lock) {
+ goto loser; /* Code already set. */
+ }
+
+ rv = tls13_AntiReplayKeyGen(ctx);
+ if (rv != SECSuccess) {
+ goto loser; /* Code already set. */
+ }
+
+ rv = sslBloom_Init(&ctx->filters[0], k, bits);
+ if (rv != SECSuccess) {
+ goto loser; /* Code already set. */
+ }
+ rv = sslBloom_Init(&ctx->filters[1], k, bits);
+ if (rv != SECSuccess) {
+ goto loser; /* Code already set. */
+ }
+ /* When starting out, ensure that 0-RTT is not accepted until the window is
+ * updated. A ClientHello might have been accepted prior to a restart. */
+ sslBloom_Fill(&ctx->filters[1]);
+
+ ctx->current = 0;
+ ctx->nextUpdate = now + window;
+ ctx->window = window;
+ *pctx = ctx;
+ return SECSuccess;
+
+loser:
+ tls13_ReleaseAntiReplayContext(ctx);
+ return SECFailure;
+}
+
+SECStatus
+SSLExp_SetAntiReplayContext(PRFileDesc *fd, SSLAntiReplayContext *ctx)
+{
+ sslSocket *ss = ssl_FindSocket(fd);
+ if (!ss) {
+ return SECFailure; /* Code already set. */
+ }
+ tls13_ReleaseAntiReplayContext(ss->antiReplay);
+ if (ctx != NULL) {
+ ss->antiReplay = tls13_RefAntiReplayContext(ctx);
+ } else {
+ ss->antiReplay = NULL;
+ }
+ return SECSuccess;
+}
+
+static void
+tls13_AntiReplayUpdate(SSLAntiReplayContext *ctx, PRTime now)
+{
+ PR_ASSERT_CURRENT_THREAD_IN_MONITOR(ctx->lock);
+ if (now >= ctx->nextUpdate) {
+ ctx->current ^= 1;
+ ctx->nextUpdate = now + ctx->window;
+ sslBloom_Zero(ctx->filters + ctx->current);
+ }
+}
+
+PRBool
+tls13_InWindow(const sslSocket *ss, const sslSessionID *sid)
+{
+ PRInt32 timeDelta;
+
+ /* Calculate the difference between the client's view of the age of the
+ * ticket (in |ss->xtnData.ticketAge|) and the server's view, which we now
+ * calculate. The result should be close to zero. timeDelta is signed to
+ * make the comparisons below easier. */
+ timeDelta = ss->xtnData.ticketAge -
+ ((ssl_Time(ss) - sid->creationTime) / PR_USEC_PER_MSEC);
+
+ /* Only allow the time delta to be at most half of our window. This is
+ * symmetrical, though it doesn't need to be; this assumes that clock errors
+ * on server and client will tend to cancel each other out.
+ *
+ * There are two anti-replay filters that roll over each window. In the
+ * worst case, immediately after a rollover of the filters, we only have a
+ * single window worth of recorded 0-RTT attempts. Thus, the period in
+ * which we can accept 0-RTT is at most one window wide. This uses PR_ABS()
+ * and half the window so that the first attempt can be up to half a window
+ * early and then replays will be caught until the attempts are half a
+ * window late.
+ *
+ * For example, a 0-RTT attempt arrives early, but near the end of window 1.
+ * The attempt is then recorded in window 1. Rollover to window 2 could
+ * occur immediately afterwards. Window 1 is still checked for new 0-RTT
+ * attempts for the remainder of window 2. Therefore, attempts to replay
+ * are detected because the value is recorded in window 1. When rollover
+ * occurs again, window 1 is erased and window 3 instated. If we allowed an
+ * attempt to be late by more than half a window, then this check would not
+ * prevent the same 0-RTT attempt from being accepted during window 1 and
+ * later window 3.
+ */
+ PRInt32 allowance = ss->antiReplay->window / (PR_USEC_PER_MSEC * 2);
+ SSL_TRC(10, ("%d: TLS13[%d]: replay check time delta=%d, allow=%d",
+ SSL_GETPID(), ss->fd, timeDelta, allowance));
+ return PR_ABS(timeDelta) < allowance;
+}
+
+/* Checks for a duplicate in the two filters we have. Performs maintenance on
+ * the filters as a side-effect. This only detects a probable replay, it's
+ * possible that this will return true when the 0-RTT attempt is not genuinely a
+ * replay. In that case, we reject 0-RTT unnecessarily, but that's OK because
+ * no client expects 0-RTT to work every time. */
+PRBool
+tls13_IsReplay(const sslSocket *ss, const sslSessionID *sid)
+{
+ PRBool replay;
+ unsigned int size;
+ PRUint8 index;
+ SECStatus rv;
+ static const char *label = "anti-replay";
+ PRUint8 buf[SSL_MAX_BLOOM_FILTER_SIZE];
+ SSLAntiReplayContext *ctx = ss->antiReplay;
+
+ /* If SSL_SetAntiReplayContext hasn't been called with a valid context, then
+ * treat all attempts at 0-RTT as a replay. */
+ if (ctx == NULL) {
+ return PR_TRUE;
+ }
+
+ if (!sid) {
+ PORT_Assert(ss->xtnData.selectedPsk->type == ssl_psk_external);
+ } else if (!tls13_InWindow(ss, sid)) {
+ return PR_TRUE;
+ }
+
+ size = ctx->filters[0].k * (ctx->filters[0].bits + 7) / 8;
+ PORT_Assert(size <= SSL_MAX_BLOOM_FILTER_SIZE);
+ rv = tls13_HkdfExpandLabelRaw(ctx->key, ssl_hash_sha256,
+ ss->xtnData.pskBinder.data,
+ ss->xtnData.pskBinder.len,
+ label, strlen(label),
+ ss->protocolVariant, buf, size);
+ if (rv != SECSuccess) {
+ return PR_TRUE;
+ }
+
+ PZ_EnterMonitor(ctx->lock);
+ tls13_AntiReplayUpdate(ctx, ssl_Time(ss));
+
+ index = ctx->current;
+ replay = sslBloom_Add(&ctx->filters[index], buf);
+ SSL_TRC(10, ("%d: TLS13[%d]: replay check current window: %s",
+ SSL_GETPID(), ss->fd, replay ? "replay" : "ok"));
+ if (!replay) {
+ replay = sslBloom_Check(&ctx->filters[index ^ 1], buf);
+ SSL_TRC(10, ("%d: TLS13[%d]: replay check previous window: %s",
+ SSL_GETPID(), ss->fd, replay ? "replay" : "ok"));
+ }
+
+ PZ_ExitMonitor(ctx->lock);
+ return replay;
+}