Bug 1822876: Add H3 ECH Telemetry. r=kershaw,necko-reviewers
This patch adds telemetry which records when H3 connections succeed / fail
and what kind of ECH they used. Our H3 ECH tests are extended to test these
different modes and that the telemetry is recorded correctly.
Differential Revision:
https://phabricator.services.mozilla.com/D172813
/*
* Basic SSL handshake functions.
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "nssrenam.h"
#include "cert.h"
#include "secitem.h"
#include "sechash.h"
#include "cryptohi.h" /* for SGN_ funcs */
#include "keyhi.h" /* for SECKEY_ high level functions. */
#include "ssl.h"
#include "sslimpl.h"
#include "sslproto.h"
#include "ssl3prot.h"
#include "sslerr.h"
#include "pk11func.h"
#include "prinit.h"
/*
** Put a string tag in the library so that we can examine an executable
** and see what kind of security it supports.
*/
const char *ssl_version = "SECURITY_VERSION:"
" +us"
" +export"
#ifdef TRACE
" +trace"
#endif
#ifdef DEBUG
" +debug"
#endif
;
/***********************************************************************
* Gathers in and handles records/messages until either the handshake is
* complete or application data is available.
*
* Called from ssl_Do1stHandshake() via function pointer ss->handshake.
* Caller must hold handshake lock.
* This function acquires and releases the RecvBufLock.
*
* returns SECSuccess for success.
* returns SECFailure on error, setting PR_WOULD_BLOCK_ERROR if only blocked.
*
* The gather functions called by ssl_GatherRecord1stHandshake are expected
* to return values interpreted as follows:
* 1 : the function completed without error.
* 0 : the function read EOF.
* -1 : read error, or PR_WOULD_BLOCK_ERROR, or handleRecord error.
*
* This code is similar to, and easily confused with, DoRecv() in sslsecur.c
*
* This function is called from ssl_Do1stHandshake().
* The following functions put ssl_GatherRecord1stHandshake into ss->handshake:
* ssl_BeginClientHandshake
* ssl3_RestartHandshakeAfterCertReq
* ssl3_RestartHandshakeAfterServerCert
* ssl_BeginServerHandshake
*/
SECStatus
ssl_GatherRecord1stHandshake(sslSocket *ss)
{
int rv;
PORT_Assert(ss->opt.noLocks || ssl_Have1stHandshakeLock(ss));
ssl_GetRecvBufLock(ss);
/* Wait for handshake to complete, or application data to arrive. */
rv = ssl3_GatherCompleteHandshake(ss, 0);
SSL_TRC(10, ("%d: SSL[%d]: handshake gathering, rv=%d",
SSL_GETPID(), ss->fd, rv));
ssl_ReleaseRecvBufLock(ss);
if (rv <= 0) {
if (rv == 0) {
/* EOF. Loser */
PORT_SetError(PR_END_OF_FILE_ERROR);
}
if (PORT_GetError() == PR_WOULD_BLOCK_ERROR) {
SSL_TRC(10, ("%d: SSL[%d]: handshake blocked (need %d)",
SSL_GETPID(), ss->fd, ss->gs.remainder));
}
return SECFailure; /* rv is < 0 here. */
}
ss->handshake = NULL;
return SECSuccess;
}
/* This function is called at the beginning of a handshake to ensure that at
* least one SSL/TLS version is enabled. */
static SECStatus
ssl_CheckConfigSanity(sslSocket *ss)
{
if (SSL_ALL_VERSIONS_DISABLED(&ss->vrange)) {
SSL_DBG(("%d: SSL[%d]: Can't handshake! all versions disabled.",
SSL_GETPID(), ss->fd));
PORT_SetError(SSL_ERROR_SSL_DISABLED);
return SECFailure;
}
return SECSuccess;
}
/* Sends out the initial client Hello message on the connection.
* Acquires and releases the socket's xmitBufLock.
*/
SECStatus
ssl_BeginClientHandshake(sslSocket *ss)
{
sslSessionID *sid = NULL;
SECStatus rv;
PORT_Assert(ss->opt.noLocks || ssl_Have1stHandshakeLock(ss));
ss->sec.isServer = PR_FALSE;
rv = ssl_CheckConfigSanity(ss);
if (rv != SECSuccess)
goto loser;
/* Get peer name of server */
rv = ssl_GetPeerInfo(ss);
if (rv < 0) {
#ifdef HPUX11
/*
* On some HP-UX B.11.00 systems, getpeername() occasionally
* fails with ENOTCONN after a successful completion of
* non-blocking connect. I found that if we do a write()
* and then retry getpeername(), it will work.
*/
if (PR_GetError() == PR_NOT_CONNECTED_ERROR) {
char dummy;
(void)PR_Write(ss->fd->lower, &dummy, 0);
rv = ssl_GetPeerInfo(ss);
if (rv < 0) {
goto loser;
}
}
#else
goto loser;
#endif
}
SSL_TRC(3, ("%d: SSL[%d]: sending client-hello", SSL_GETPID(), ss->fd));
/* If there's an sid set from an external cache, use it. */
if (ss->sec.ci.sid && ss->sec.ci.sid->cached == in_external_cache) {
sid = ss->sec.ci.sid;
SSL_TRC(3, ("%d: SSL[%d]: using external token", SSL_GETPID(), ss->fd));
} else if (!ss->opt.noCache) {
/* Try to find server in our session-id cache */
sid = ssl_LookupSID(ssl_Time(ss), &ss->sec.ci.peer,
ss->sec.ci.port, ss->peerID, ss->url);
}
if (sid) {
if (sid->version >= ss->vrange.min && sid->version <= ss->vrange.max) {
PORT_Assert(!ss->sec.localCert);
ss->sec.localCert = CERT_DupCertificate(sid->localCert);
} else {
ssl_UncacheSessionID(ss);
ssl_FreeSID(sid);
sid = NULL;
}
}
if (!sid) {
sid = ssl3_NewSessionID(ss, PR_FALSE);
if (!sid) {
goto loser;
}
/* This session is a dummy, which we don't want to resume. */
sid->u.ssl3.keys.resumable = PR_FALSE;
}
ss->sec.ci.sid = sid;
ss->gs.state = GS_INIT;
ss->handshake = ssl_GatherRecord1stHandshake;
/* ssl3_SendClientHello will override this if it succeeds. */
ss->version = SSL_LIBRARY_VERSION_3_0;
ssl_GetSSL3HandshakeLock(ss);
ssl_GetXmitBufLock(ss);
rv = ssl3_SendClientHello(ss, client_hello_initial);
ssl_ReleaseXmitBufLock(ss);
ssl_ReleaseSSL3HandshakeLock(ss);
return rv;
loser:
return SECFailure;
}
SECStatus
ssl_BeginServerHandshake(sslSocket *ss)
{
SECStatus rv;
ss->sec.isServer = PR_TRUE;
ss->ssl3.hs.ws = wait_client_hello;
rv = ssl_CheckConfigSanity(ss);
if (rv != SECSuccess)
goto loser;
ss->handshake = ssl_GatherRecord1stHandshake;
return SECSuccess;
loser:
return SECFailure;
}
/* This function doesn't really belong in this file.
** It's here to keep AIX compilers from optimizing it away,
** and not including it in the DSO.
*/
#include "nss.h"
extern const char __nss_ssl_version[];
PRBool
NSSSSL_VersionCheck(const char *importedVersion)
{
#define NSS_VERSION_VARIABLE __nss_ssl_version
#include "verref.h"
/*
* This is the secret handshake algorithm.
*
* This release has a simple version compatibility
* check algorithm. This release is not backward
* compatible with previous major releases. It is
* not compatible with future major, minor, or
* patch releases.
*/
return NSS_VersionCheck(importedVersion);
}
const char *
NSSSSL_GetVersion(void)
{
return NSS_VERSION;
}
