1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
|
/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
/*
* Anti-replay measures for TLS 1.3.
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "nss.h" /* for NSS_RegisterShutdown */
#include "nssilock.h" /* for PZMonitor */
#include "pk11pub.h"
#include "prinit.h" /* for PR_CallOnce */
#include "prmon.h"
#include "prtime.h"
#include "secerr.h"
#include "ssl.h"
#include "sslbloom.h"
#include "sslimpl.h"
#include "tls13hkdf.h"
static struct {
/* Used to ensure that we only initialize the cleanup function once. */
PRCallOnceType init;
/* Used to serialize access to the filters. */
PZMonitor *lock;
/* The filters, use of which alternates. */
sslBloomFilter filters[2];
/* Which of the two filters is active (0 or 1). */
PRUint8 current;
/* The time that we will next update. */
PRTime nextUpdate;
/* The width of the window; i.e., the period of updates. */
PRTime window;
/* This key ensures that the bloom filter index is unpredictable. */
PK11SymKey *key;
} ssl_anti_replay;
/* Clear the current state and free any resources we allocated. The signature
* here is odd to allow this to be called during shutdown. */
static SECStatus
tls13_AntiReplayReset(void *appData, void *nssData)
{
if (ssl_anti_replay.key) {
PK11_FreeSymKey(ssl_anti_replay.key);
ssl_anti_replay.key = NULL;
}
if (ssl_anti_replay.lock) {
PZ_DestroyMonitor(ssl_anti_replay.lock);
ssl_anti_replay.lock = NULL;
}
sslBloom_Destroy(&ssl_anti_replay.filters[0]);
sslBloom_Destroy(&ssl_anti_replay.filters[1]);
return SECSuccess;
}
static PRStatus
tls13_AntiReplayInit(void)
{
SECStatus rv = NSS_RegisterShutdown(tls13_AntiReplayReset, NULL);
if (rv != SECSuccess) {
return PR_FAILURE;
}
return PR_SUCCESS;
}
static SECStatus
tls13_AntiReplayKeyGen()
{
PRUint8 buf[32];
SECItem keyItem = { siBuffer, buf, sizeof(buf) };
PK11SlotInfo *slot;
SECStatus rv;
slot = PK11_GetInternalSlot();
if (!slot) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
rv = PK11_GenerateRandomOnSlot(slot, buf, sizeof(buf));
if (rv != SECSuccess) {
goto loser;
}
ssl_anti_replay.key = PK11_ImportSymKey(slot, CKM_NSS_HKDF_SHA256,
PK11_OriginUnwrap, CKA_DERIVE,
&keyItem, NULL);
if (!ssl_anti_replay.key) {
goto loser;
}
PK11_FreeSlot(slot);
return SECSuccess;
loser:
PK11_FreeSlot(slot);
return SECFailure;
}
/* Set a limit on the combination of number of hashes and bits in each hash. */
#define SSL_MAX_BLOOM_FILTER_SIZE 64
/*
* The structures created by this function can be called concurrently on
* multiple threads if the server is multi-threaded. A monitor is used to
* ensure that only one thread can access the structures that change over time,
* but no such guarantee is provided for configuration data.
*
* Functions that read from static configuration data depend on there being a
* memory barrier between the setup and use of this function.
*/
SECStatus
SSLExp_SetupAntiReplay(PRTime window, unsigned int k, unsigned int bits)
{
SECStatus rv;
if (k == 0 || bits == 0) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
if ((k * (bits + 7) / 8) > SSL_MAX_BLOOM_FILTER_SIZE) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
if (PR_SUCCESS != PR_CallOnce(&ssl_anti_replay.init,
tls13_AntiReplayInit)) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
(void)tls13_AntiReplayReset(NULL, NULL);
ssl_anti_replay.lock = PZ_NewMonitor(nssILockSSL);
if (!ssl_anti_replay.lock) {
goto loser; /* Code already set. */
}
rv = tls13_AntiReplayKeyGen();
if (rv != SECSuccess) {
goto loser; /* Code already set. */
}
rv = sslBloom_Init(&ssl_anti_replay.filters[0], k, bits);
if (rv != SECSuccess) {
goto loser; /* Code already set. */
}
rv = sslBloom_Init(&ssl_anti_replay.filters[1], k, bits);
if (rv != SECSuccess) {
goto loser; /* Code already set. */
}
/* When starting out, ensure that 0-RTT is not accepted until the window is
* updated. A ClientHello might have been accepted prior to a restart. */
sslBloom_Fill(&ssl_anti_replay.filters[1]);
ssl_anti_replay.current = 0;
ssl_anti_replay.nextUpdate = ssl_TimeUsec() + window;
ssl_anti_replay.window = window;
return SECSuccess;
loser:
(void)tls13_AntiReplayReset(NULL, NULL);
return SECFailure;
}
/* This is exposed to tests. Though it could, this doesn't take the lock on the
* basis that those tests use thread confinement. */
void
tls13_AntiReplayRollover(PRTime now)
{
ssl_anti_replay.current ^= 1;
ssl_anti_replay.nextUpdate = now + ssl_anti_replay.window;
sslBloom_Zero(ssl_anti_replay.filters + ssl_anti_replay.current);
}
static void
tls13_AntiReplayUpdate()
{
PRTime now;
PR_ASSERT_CURRENT_THREAD_IN_MONITOR(ssl_anti_replay.lock);
now = ssl_TimeUsec();
if (now < ssl_anti_replay.nextUpdate) {
return;
}
tls13_AntiReplayRollover(now);
}
PRBool
tls13_InWindow(const sslSocket *ss, const sslSessionID *sid)
{
PRInt32 timeDelta;
/* Calculate the difference between the client's view of the age of the
* ticket (in |ss->xtnData.ticketAge|) and the server's view, which we now
* calculate. The result should be close to zero. timeDelta is signed to
* make the comparisons below easier. */
timeDelta = ss->xtnData.ticketAge -
((ssl_TimeUsec() - sid->creationTime) / PR_USEC_PER_MSEC);
/* Only allow the time delta to be at most half of our window. This is
* symmetrical, though it doesn't need to be; this assumes that clock errors
* on server and client will tend to cancel each other out.
*
* There are two anti-replay filters that roll over each window. In the
* worst case, immediately after a rollover of the filters, we only have a
* single window worth of recorded 0-RTT attempts. Thus, the period in
* which we can accept 0-RTT is at most one window wide. This uses PR_ABS()
* and half the window so that the first attempt can be up to half a window
* early and then replays will be caught until the attempts are half a
* window late.
*
* For example, a 0-RTT attempt arrives early, but near the end of window 1.
* The attempt is then recorded in window 1. Rollover to window 2 could
* occur immediately afterwards. Window 1 is still checked for new 0-RTT
* attempts for the remainder of window 2. Therefore, attempts to replay
* are detected because the value is recorded in window 1. When rollover
* occurs again, window 1 is erased and window 3 instated. If we allowed an
* attempt to be late by more than half a window, then this check would not
* prevent the same 0-RTT attempt from being accepted during window 1 and
* later window 3.
*/
return PR_ABS(timeDelta) < (ssl_anti_replay.window / 2);
}
/* Checks for a duplicate in the two filters we have. Performs maintenance on
* the filters as a side-effect. This only detects a probable replay, it's
* possible that this will return true when the 0-RTT attempt is not genuinely a
* replay. In that case, we reject 0-RTT unnecessarily, but that's OK because
* no client expects 0-RTT to work every time. */
PRBool
tls13_IsReplay(const sslSocket *ss, const sslSessionID *sid)
{
PRBool replay;
unsigned int size;
PRUint8 index;
SECStatus rv;
static const char *label = "tls13 anti-replay";
PRUint8 buf[SSL_MAX_BLOOM_FILTER_SIZE];
/* If SSL_SetupAntiReplay hasn't been called, then treat all attempts at
* 0-RTT as a replay. */
if (!ssl_anti_replay.init.initialized) {
return PR_TRUE;
}
if (!tls13_InWindow(ss, sid)) {
return PR_TRUE;
}
size = ssl_anti_replay.filters[0].k *
(ssl_anti_replay.filters[0].bits + 7) / 8;
PORT_Assert(size <= SSL_MAX_BLOOM_FILTER_SIZE);
rv = tls13_HkdfExpandLabelRaw(ssl_anti_replay.key, ssl_hash_sha256,
ss->xtnData.pskBinder.data,
ss->xtnData.pskBinder.len,
label, strlen(label),
buf, size);
if (rv != SECSuccess) {
return PR_TRUE;
}
PZ_EnterMonitor(ssl_anti_replay.lock);
tls13_AntiReplayUpdate();
index = ssl_anti_replay.current;
replay = sslBloom_Add(&ssl_anti_replay.filters[index], buf);
if (!replay) {
replay = sslBloom_Check(&ssl_anti_replay.filters[index ^ 1],
buf);
}
PZ_ExitMonitor(ssl_anti_replay.lock);
return replay;
}
|