1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /*
3 * This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7 #include "nssrenam.h"
8 #include "nss.h"
9 #include "ssl.h"
10 #include "sslproto.h"
11 #include "sslimpl.h"
12 #include "pk11pub.h"
13 #include "ssl3ext.h"
14 #include "ssl3exthandle.h"
15 #include "tls13exthandle.h"
16
17 SECStatus
tls13_ServerSendStatusRequestXtn(const sslSocket * ss,TLSExtensionData * xtnData,sslBuffer * buf,PRBool * added)18 tls13_ServerSendStatusRequestXtn(const sslSocket *ss, TLSExtensionData *xtnData,
19 sslBuffer *buf, PRBool *added)
20 {
21 const sslServerCert *serverCert = ss->sec.serverCert;
22 const SECItem *item;
23 SECStatus rv;
24
25 if (!serverCert->certStatusArray ||
26 !serverCert->certStatusArray->len) {
27 return SECSuccess;
28 }
29
30 item = &serverCert->certStatusArray->items[0];
31
32 /* Only send the first entry. */
33 /* status_type == ocsp */
34 rv = sslBuffer_AppendNumber(buf, 1 /*ocsp*/, 1);
35 if (rv != SECSuccess) {
36 return SECFailure;
37 }
38 /* opaque OCSPResponse<1..2^24-1> */
39 rv = sslBuffer_AppendVariable(buf, item->data, item->len, 3);
40 if (rv != SECSuccess) {
41 return SECFailure;
42 }
43
44 *added = PR_TRUE;
45 return SECSuccess;
46 }
47
48 /*
49 * [draft-ietf-tls-tls13-11] Section 6.3.2.3.
50 *
51 * struct {
52 * NamedGroup group;
53 * opaque key_exchange<1..2^16-1>;
54 * } KeyShareEntry;
55 *
56 * struct {
57 * select (role) {
58 * case client:
59 * KeyShareEntry client_shares<4..2^16-1>;
60 *
61 * case server:
62 * KeyShareEntry server_share;
63 * }
64 * } KeyShare;
65 *
66 * DH is Section 6.3.2.3.1.
67 *
68 * opaque dh_Y<1..2^16-1>;
69 *
70 * ECDH is Section 6.3.2.3.2.
71 *
72 * opaque point <1..2^8-1>;
73 */
74 static PRUint32
tls13_SizeOfKeyShareEntry(const SECKEYPublicKey * pubKey)75 tls13_SizeOfKeyShareEntry(const SECKEYPublicKey *pubKey)
76 {
77 /* Size = NamedGroup(2) + length(2) + opaque<?> share */
78 switch (pubKey->keyType) {
79 case ecKey:
80 return 2 + 2 + pubKey->u.ec.publicValue.len;
81 case dhKey:
82 return 2 + 2 + pubKey->u.dh.prime.len;
83 default:
84 PORT_Assert(0);
85 }
86 return 0;
87 }
88
89 static SECStatus
tls13_EncodeKeyShareEntry(sslBuffer * buf,const sslEphemeralKeyPair * keyPair)90 tls13_EncodeKeyShareEntry(sslBuffer *buf, const sslEphemeralKeyPair *keyPair)
91 {
92 SECStatus rv;
93 SECKEYPublicKey *pubKey = keyPair->keys->pubKey;
94 unsigned int size = tls13_SizeOfKeyShareEntry(pubKey);
95
96 rv = sslBuffer_AppendNumber(buf, keyPair->group->name, 2);
97 if (rv != SECSuccess)
98 return rv;
99 rv = sslBuffer_AppendNumber(buf, size - 4, 2);
100 if (rv != SECSuccess)
101 return rv;
102
103 switch (pubKey->keyType) {
104 case ecKey:
105 rv = sslBuffer_Append(buf, pubKey->u.ec.publicValue.data,
106 pubKey->u.ec.publicValue.len);
107 break;
108 case dhKey:
109 rv = ssl_AppendPaddedDHKeyShare(buf, pubKey, PR_FALSE);
110 break;
111 default:
112 PORT_Assert(0);
113 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
114 break;
115 }
116
117 return rv;
118 }
119
120 SECStatus
tls13_ClientSendKeyShareXtn(const sslSocket * ss,TLSExtensionData * xtnData,sslBuffer * buf,PRBool * added)121 tls13_ClientSendKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData,
122 sslBuffer *buf, PRBool *added)
123 {
124 SECStatus rv;
125 PRCList *cursor;
126 unsigned int lengthOffset;
127
128 if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3) {
129 return SECSuccess;
130 }
131
132 /* Optimistically try to send an ECDHE key using the
133 * preexisting key (in future will be keys) */
134 SSL_TRC(3, ("%d: TLS13[%d]: send client key share xtn",
135 SSL_GETPID(), ss->fd));
136
137 /* Save the offset to the length. */
138 rv = sslBuffer_Skip(buf, 2, &lengthOffset);
139 if (rv != SECSuccess) {
140 return SECFailure;
141 }
142
143 for (cursor = PR_NEXT_LINK(&ss->ephemeralKeyPairs);
144 cursor != &ss->ephemeralKeyPairs;
145 cursor = PR_NEXT_LINK(cursor)) {
146 sslEphemeralKeyPair *keyPair = (sslEphemeralKeyPair *)cursor;
147 rv = tls13_EncodeKeyShareEntry(buf, keyPair);
148 if (rv != SECSuccess) {
149 return SECFailure;
150 }
151 }
152 rv = sslBuffer_InsertLength(buf, lengthOffset, 2);
153 if (rv != SECSuccess) {
154 return SECFailure;
155 }
156
157 *added = PR_TRUE;
158 return SECSuccess;
159 }
160
161 static SECStatus
tls13_HandleKeyShareEntry(const sslSocket * ss,TLSExtensionData * xtnData,SECItem * data)162 tls13_HandleKeyShareEntry(const sslSocket *ss, TLSExtensionData *xtnData, SECItem *data)
163 {
164 SECStatus rv;
165 PRUint32 group;
166 const sslNamedGroupDef *groupDef;
167 TLS13KeyShareEntry *ks = NULL;
168 SECItem share = { siBuffer, NULL, 0 };
169
170 rv = ssl3_ExtConsumeHandshakeNumber(ss, &group, 2, &data->data, &data->len);
171 if (rv != SECSuccess) {
172 PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE);
173 goto loser;
174 }
175 groupDef = ssl_LookupNamedGroup(group);
176 rv = ssl3_ExtConsumeHandshakeVariable(ss, &share, 2, &data->data,
177 &data->len);
178 if (rv != SECSuccess) {
179 goto loser;
180 }
181 /* If the group is disabled, continue. */
182 if (!groupDef) {
183 return SECSuccess;
184 }
185
186 ks = PORT_ZNew(TLS13KeyShareEntry);
187 if (!ks)
188 goto loser;
189 ks->group = groupDef;
190
191 rv = SECITEM_CopyItem(NULL, &ks->key_exchange, &share);
192 if (rv != SECSuccess)
193 goto loser;
194
195 PR_APPEND_LINK(&ks->link, &xtnData->remoteKeyShares);
196 return SECSuccess;
197
198 loser:
199 if (ks)
200 tls13_DestroyKeyShareEntry(ks);
201 return SECFailure;
202 }
203 /* Handle an incoming KeyShare extension at the client and copy to
204 * |xtnData->remoteKeyShares| for future use. The key
205 * share is processed in tls13_HandleServerKeyShare(). */
206 SECStatus
tls13_ClientHandleKeyShareXtn(const sslSocket * ss,TLSExtensionData * xtnData,SECItem * data)207 tls13_ClientHandleKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData,
208 SECItem *data)
209 {
210 SECStatus rv;
211 PORT_Assert(PR_CLIST_IS_EMPTY(&xtnData->remoteKeyShares));
212
213 PORT_Assert(!ss->sec.isServer);
214
215 /* The server must not send this extension when negotiating < TLS 1.3. */
216 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
217 PORT_SetError(SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION);
218 return SECFailure;
219 }
220
221 SSL_TRC(3, ("%d: SSL3[%d]: handle key_share extension",
222 SSL_GETPID(), ss->fd));
223
224 rv = tls13_HandleKeyShareEntry(ss, xtnData, data);
225 if (rv != SECSuccess) {
226 PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE);
227 return SECFailure;
228 }
229
230 if (data->len) {
231 PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE);
232 return SECFailure;
233 }
234
235 return SECSuccess;
236 }
237
238 SECStatus
tls13_ClientHandleKeyShareXtnHrr(const sslSocket * ss,TLSExtensionData * xtnData,SECItem * data)239 tls13_ClientHandleKeyShareXtnHrr(const sslSocket *ss, TLSExtensionData *xtnData,
240 SECItem *data)
241 {
242 SECStatus rv;
243 PRUint32 tmp;
244 const sslNamedGroupDef *group;
245
246 PORT_Assert(!ss->sec.isServer);
247 PORT_Assert(ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3);
248
249 SSL_TRC(3, ("%d: SSL3[%d]: handle key_share extension in HRR",
250 SSL_GETPID(), ss->fd));
251
252 rv = ssl3_ExtConsumeHandshakeNumber(ss, &tmp, 2, &data->data, &data->len);
253 if (rv != SECSuccess) {
254 return SECFailure; /* error code already set */
255 }
256 if (data->len) {
257 ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
258 PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST);
259 return SECFailure;
260 }
261
262 group = ssl_LookupNamedGroup((SSLNamedGroup)tmp);
263 /* If the group is not enabled, or we already have a share for the
264 * requested group, abort. */
265 if (!ssl_NamedGroupEnabled(ss, group) ||
266 ssl_HaveEphemeralKeyPair(ss, group)) {
267 ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
268 PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST);
269 return SECFailure;
270 }
271
272 /* Now delete all the key shares per [draft-ietf-tls-tls13 S 4.1.2] */
273 ssl_FreeEphemeralKeyPairs(CONST_CAST(sslSocket, ss));
274
275 /* And replace with our new share. */
276 rv = tls13_CreateKeyShare(CONST_CAST(sslSocket, ss), group);
277 if (rv != SECSuccess) {
278 ssl3_ExtSendAlert(ss, alert_fatal, internal_error);
279 PORT_SetError(SEC_ERROR_KEYGEN_FAIL);
280 return SECFailure;
281 }
282
283 return SECSuccess;
284 }
285
286 /* Handle an incoming KeyShare extension at the server and copy to
287 * |xtnData->remoteKeyShares| for future use. The key
288 * share is processed in tls13_HandleClientKeyShare(). */
289 SECStatus
tls13_ServerHandleKeyShareXtn(const sslSocket * ss,TLSExtensionData * xtnData,SECItem * data)290 tls13_ServerHandleKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData,
291 SECItem *data)
292 {
293 SECStatus rv;
294 PRUint32 length;
295
296 PORT_Assert(ss->sec.isServer);
297 PORT_Assert(PR_CLIST_IS_EMPTY(&xtnData->remoteKeyShares));
298
299 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
300 return SECSuccess;
301 }
302
303 SSL_TRC(3, ("%d: SSL3[%d]: handle key_share extension",
304 SSL_GETPID(), ss->fd));
305
306 /* Redundant length because of TLS encoding (this vector consumes
307 * the entire extension.) */
308 rv = ssl3_ExtConsumeHandshakeNumber(ss, &length, 2, &data->data,
309 &data->len);
310 if (rv != SECSuccess)
311 goto loser;
312 if (length != data->len) {
313 /* Check for consistency */
314 PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE);
315 goto loser;
316 }
317
318 while (data->len) {
319 rv = tls13_HandleKeyShareEntry(ss, xtnData, data);
320 if (rv != SECSuccess)
321 goto loser;
322 }
323
324 return SECSuccess;
325
326 loser:
327 tls13_DestroyKeyShares(&xtnData->remoteKeyShares);
328 return SECFailure;
329 }
330
331 SECStatus
tls13_ServerSendKeyShareXtn(const sslSocket * ss,TLSExtensionData * xtnData,sslBuffer * buf,PRBool * added)332 tls13_ServerSendKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData,
333 sslBuffer *buf, PRBool *added)
334 {
335 SECStatus rv;
336 sslEphemeralKeyPair *keyPair;
337
338 /* There should be exactly one key share. */
339 PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ephemeralKeyPairs));
340 PORT_Assert(PR_PREV_LINK(&ss->ephemeralKeyPairs) ==
341 PR_NEXT_LINK(&ss->ephemeralKeyPairs));
342
343 keyPair = (sslEphemeralKeyPair *)PR_NEXT_LINK(&ss->ephemeralKeyPairs);
344
345 rv = tls13_EncodeKeyShareEntry(buf, keyPair);
346 if (rv != SECSuccess) {
347 return SECFailure;
348 }
349
350 *added = PR_TRUE;
351 return SECSuccess;
352 }
353
354 /* Called by clients.
355 *
356 * struct {
357 * opaque identity<0..2^16-1>;
358 * uint32 obfuscated_ticket_age;
359 * } PskIdentity;
360 *
361 * opaque PskBinderEntry<32..255>;
362 *
363 * struct {
364 * select (Handshake.msg_type) {
365 * case client_hello:
366 * PskIdentity identities<6..2^16-1>;
367 * PskBinderEntry binders<33..2^16-1>;
368 *
369 * case server_hello:
370 * uint16 selected_identity;
371 * };
372 *
373 * } PreSharedKeyExtension;
374
375 * Presently the only way to get a PSK is by resumption, so this is
376 * really a ticket label and there will be at most one.
377 */
378 SECStatus
tls13_ClientSendPreSharedKeyXtn(const sslSocket * ss,TLSExtensionData * xtnData,sslBuffer * buf,PRBool * added)379 tls13_ClientSendPreSharedKeyXtn(const sslSocket *ss, TLSExtensionData *xtnData,
380 sslBuffer *buf, PRBool *added)
381 {
382 NewSessionTicket *session_ticket;
383 PRTime age;
384 const static PRUint8 binder[TLS13_MAX_FINISHED_SIZE] = { 0 };
385 unsigned int binderLen;
386 SECStatus rv;
387
388 /* We only set statelessResume on the client in TLS 1.3 code. */
389 if (!ss->statelessResume) {
390 return SECSuccess;
391 }
392
393 /* Save where this extension starts so that if we have to add padding, it
394 * can be inserted before this extension. */
395 PORT_Assert(buf->len >= 4);
396 xtnData->lastXtnOffset = buf->len - 4;
397
398 PORT_Assert(ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3);
399
400 /* Send a single ticket identity. */
401 session_ticket = &ss->sec.ci.sid->u.ssl3.locked.sessionTicket;
402 rv = sslBuffer_AppendNumber(buf, 2 + /* identity length */
403 session_ticket->ticket.len + /* ticket */
404 4 /* obfuscated_ticket_age */,
405 2);
406 if (rv != SECSuccess)
407 goto loser;
408 rv = sslBuffer_AppendVariable(buf, session_ticket->ticket.data,
409 session_ticket->ticket.len, 2);
410 if (rv != SECSuccess)
411 goto loser;
412
413 /* Obfuscated age. */
414 age = ssl_TimeUsec() - session_ticket->received_timestamp;
415 age /= PR_USEC_PER_MSEC;
416 age += session_ticket->ticket_age_add;
417 rv = sslBuffer_AppendNumber(buf, age, 4);
418 if (rv != SECSuccess)
419 goto loser;
420
421 /* Write out the binder list length. */
422 binderLen = tls13_GetHashSize(ss);
423 rv = sslBuffer_AppendNumber(buf, binderLen + 1, 2);
424 if (rv != SECSuccess)
425 goto loser;
426 /* Write zeroes for the binder for the moment. */
427 rv = sslBuffer_AppendVariable(buf, binder, binderLen, 1);
428 if (rv != SECSuccess)
429 goto loser;
430
431 PRINT_BUF(50, (ss, "Sending PreSharedKey value",
432 session_ticket->ticket.data,
433 session_ticket->ticket.len));
434
435 xtnData->sentSessionTicketInClientHello = PR_TRUE;
436 *added = PR_TRUE;
437 return SECSuccess;
438
439 loser:
440 xtnData->ticketTimestampVerified = PR_FALSE;
441 return SECFailure;
442 }
443
444 /* Handle a TLS 1.3 PreSharedKey Extension. We only accept PSKs
445 * that contain session tickets. */
446 SECStatus
tls13_ServerHandlePreSharedKeyXtn(const sslSocket * ss,TLSExtensionData * xtnData,SECItem * data)447 tls13_ServerHandlePreSharedKeyXtn(const sslSocket *ss, TLSExtensionData *xtnData,
448 SECItem *data)
449 {
450 SECItem inner;
451 SECStatus rv;
452 unsigned int numIdentities = 0;
453 unsigned int numBinders = 0;
454 SECItem *appToken;
455
456 SSL_TRC(3, ("%d: SSL3[%d]: handle pre_shared_key extension",
457 SSL_GETPID(), ss->fd));
458
459 /* If we are doing < TLS 1.3, then ignore this. */
460 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
461 return SECSuccess;
462 }
463
464 /* The application token is set via the cookie extension if this is the
465 * second ClientHello. Don't set it twice. The cookie extension handler
466 * sets |helloRetry| and that will have been called already because this
467 * extension always comes last. */
468 if (!ss->ssl3.hs.helloRetry) {
469 appToken = &xtnData->applicationToken;
470 } else {
471 appToken = NULL;
472 }
473
474 /* Parse the identities list. */
475 rv = ssl3_ExtConsumeHandshakeVariable(ss, &inner, 2,
476 &data->data, &data->len);
477 if (rv != SECSuccess) {
478 return SECFailure;
479 }
480
481 while (inner.len) {
482 SECItem label;
483 PRUint32 obfuscatedAge;
484
485 rv = ssl3_ExtConsumeHandshakeVariable(ss, &label, 2,
486 &inner.data, &inner.len);
487 if (rv != SECSuccess)
488 return rv;
489 if (!label.len) {
490 goto alert_loser;
491 }
492
493 rv = ssl3_ExtConsumeHandshakeNumber(ss, &obfuscatedAge, 4,
494 &inner.data, &inner.len);
495 if (rv != SECSuccess)
496 return rv;
497
498 if (!numIdentities) {
499 PRINT_BUF(50, (ss, "Handling PreSharedKey value",
500 label.data, label.len));
501 rv = ssl3_ProcessSessionTicketCommon(
502 CONST_CAST(sslSocket, ss), &label, appToken);
503 /* This only happens if we have an internal error, not
504 * a malformed ticket. Bogus tickets just don't resume
505 * and return SECSuccess. */
506 if (rv != SECSuccess)
507 return SECFailure;
508
509 if (ss->sec.ci.sid) {
510 /* xtnData->ticketAge contains the baseline we use for
511 * calculating the ticket age (i.e., our RTT estimate less the
512 * value of ticket_age_add).
513 *
514 * Add that to the obfuscated ticket age to recover the client's
515 * view of the ticket age plus the estimated RTT.
516 *
517 * See ssl3_EncodeSessionTicket() for details. */
518 xtnData->ticketAge += obfuscatedAge;
519 }
520 }
521 ++numIdentities;
522 }
523
524 xtnData->pskBindersLen = data->len;
525
526 /* Parse the binders list. */
527 rv = ssl3_ExtConsumeHandshakeVariable(ss,
528 &inner, 2, &data->data, &data->len);
529 if (rv != SECSuccess)
530 return SECFailure;
531 if (data->len) {
532 goto alert_loser;
533 }
534
535 while (inner.len) {
536 SECItem binder;
537 rv = ssl3_ExtConsumeHandshakeVariable(ss, &binder, 1,
538 &inner.data, &inner.len);
539 if (rv != SECSuccess)
540 return rv;
541 if (binder.len < 32) {
542 goto alert_loser;
543 }
544
545 if (!numBinders) {
546 xtnData->pskBinder = binder;
547 }
548 ++numBinders;
549 }
550
551 if (numBinders != numIdentities)
552 goto alert_loser;
553
554 /* Keep track of negotiated extensions. Note that this does not
555 * mean we are resuming. */
556 xtnData->negotiated[xtnData->numNegotiated++] = ssl_tls13_pre_shared_key_xtn;
557
558 return SECSuccess;
559
560 alert_loser:
561 ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
562 PORT_SetError(SSL_ERROR_MALFORMED_PRE_SHARED_KEY);
563 return SECFailure;
564 }
565
566 SECStatus
tls13_ServerSendPreSharedKeyXtn(const sslSocket * ss,TLSExtensionData * xtnData,sslBuffer * buf,PRBool * added)567 tls13_ServerSendPreSharedKeyXtn(const sslSocket *ss, TLSExtensionData *xtnData,
568 sslBuffer *buf, PRBool *added)
569 {
570 SECStatus rv;
571
572 /* We only process the first session ticket the client sends,
573 * so the index is always 0. */
574 rv = sslBuffer_AppendNumber(buf, 0, 2);
575 if (rv != SECSuccess) {
576 return SECFailure;
577 }
578
579 *added = PR_TRUE;
580 return SECSuccess;
581 }
582
583 /* Handle a TLS 1.3 PreSharedKey Extension. We only accept PSKs
584 * that contain session tickets. */
585 SECStatus
tls13_ClientHandlePreSharedKeyXtn(const sslSocket * ss,TLSExtensionData * xtnData,SECItem * data)586 tls13_ClientHandlePreSharedKeyXtn(const sslSocket *ss, TLSExtensionData *xtnData,
587 SECItem *data)
588 {
589 PRUint32 index;
590 SECStatus rv;
591
592 SSL_TRC(3, ("%d: SSL3[%d]: handle pre_shared_key extension",
593 SSL_GETPID(), ss->fd));
594
595 /* The server must not send this extension when negotiating < TLS 1.3. */
596 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
597 PORT_SetError(SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION);
598 return SECFailure;
599 }
600
601 rv = ssl3_ExtConsumeHandshakeNumber(ss, &index, 2, &data->data, &data->len);
602 if (rv != SECSuccess)
603 return SECFailure;
604
605 /* This should be the end of the extension. */
606 if (data->len) {
607 PORT_SetError(SSL_ERROR_MALFORMED_PRE_SHARED_KEY);
608 return SECFailure;
609 }
610
611 /* We only sent one PSK label so index must be equal to 0 */
612 if (index) {
613 PORT_SetError(SSL_ERROR_MALFORMED_PRE_SHARED_KEY);
614 return SECFailure;
615 }
616
617 /* Keep track of negotiated extensions. */
618 xtnData->negotiated[xtnData->numNegotiated++] = ssl_tls13_pre_shared_key_xtn;
619
620 return SECSuccess;
621 }
622
623 /*
624 * struct { } EarlyDataIndication;
625 */
626 SECStatus
tls13_ClientSendEarlyDataXtn(const sslSocket * ss,TLSExtensionData * xtnData,sslBuffer * buf,PRBool * added)627 tls13_ClientSendEarlyDataXtn(const sslSocket *ss, TLSExtensionData *xtnData,
628 sslBuffer *buf, PRBool *added)
629 {
630 if (!tls13_ClientAllow0Rtt(ss, ss->sec.ci.sid)) {
631 return SECSuccess;
632 }
633
634 *added = PR_TRUE;
635 return SECSuccess;
636 }
637
638 SECStatus
tls13_ServerHandleEarlyDataXtn(const sslSocket * ss,TLSExtensionData * xtnData,SECItem * data)639 tls13_ServerHandleEarlyDataXtn(const sslSocket *ss, TLSExtensionData *xtnData,
640 SECItem *data)
641 {
642 SSL_TRC(3, ("%d: TLS13[%d]: handle early_data extension",
643 SSL_GETPID(), ss->fd));
644
645 /* If we are doing < TLS 1.3, then ignore this. */
646 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
647 return SECSuccess;
648 }
649
650 if (ss->ssl3.hs.helloRetry) {
651 ssl3_ExtSendAlert(ss, alert_fatal, unsupported_extension);
652 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_EXTENSION);
653 return SECFailure;
654 }
655
656 if (data->len) {
657 PORT_SetError(SSL_ERROR_MALFORMED_EARLY_DATA);
658 return SECFailure;
659 }
660
661 xtnData->negotiated[xtnData->numNegotiated++] = ssl_tls13_early_data_xtn;
662
663 return SECSuccess;
664 }
665
666 /* This will only be called if we also offered the extension. */
667 SECStatus
tls13_ClientHandleEarlyDataXtn(const sslSocket * ss,TLSExtensionData * xtnData,SECItem * data)668 tls13_ClientHandleEarlyDataXtn(const sslSocket *ss, TLSExtensionData *xtnData,
669 SECItem *data)
670 {
671 SSL_TRC(3, ("%d: TLS13[%d]: handle early_data extension",
672 SSL_GETPID(), ss->fd));
673
674 /* The server must not send this extension when negotiating < TLS 1.3. */
675 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
676 PORT_SetError(SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION);
677 return SECFailure;
678 }
679
680 if (data->len) {
681 PORT_SetError(SSL_ERROR_MALFORMED_EARLY_DATA);
682 return SECFailure;
683 }
684
685 /* Keep track of negotiated extensions. */
686 xtnData->negotiated[xtnData->numNegotiated++] = ssl_tls13_early_data_xtn;
687
688 return SECSuccess;
689 }
690
691 SECStatus
tls13_ClientHandleTicketEarlyDataXtn(const sslSocket * ss,TLSExtensionData * xtnData,SECItem * data)692 tls13_ClientHandleTicketEarlyDataXtn(const sslSocket *ss, TLSExtensionData *xtnData,
693 SECItem *data)
694 {
695 PRUint32 utmp;
696 SECStatus rv;
697
698 SSL_TRC(3, ("%d: TLS13[%d]: handle ticket early_data extension",
699 SSL_GETPID(), ss->fd));
700
701 /* The server must not send this extension when negotiating < TLS 1.3. */
702 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
703 PORT_SetError(SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION);
704 return SECFailure;
705 }
706
707 rv = ssl3_ExtConsumeHandshake(ss, &utmp, sizeof(utmp),
708 &data->data, &data->len);
709 if (rv != SECSuccess) {
710 PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET);
711 return SECFailure;
712 }
713 if (data->len) {
714 PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET);
715 return SECFailure;
716 }
717
718 xtnData->max_early_data_size = PR_ntohl(utmp);
719
720 return SECSuccess;
721 }
722
723 /*
724 * struct {
725 * select (Handshake.msg_type) {
726 * case client_hello:
727 * ProtocolVersion versions<2..254>;
728 * case server_hello:
729 * ProtocolVersion version;
730 * };
731 * } SupportedVersions;
732 */
733 SECStatus
tls13_ClientSendSupportedVersionsXtn(const sslSocket * ss,TLSExtensionData * xtnData,sslBuffer * buf,PRBool * added)734 tls13_ClientSendSupportedVersionsXtn(const sslSocket *ss, TLSExtensionData *xtnData,
735 sslBuffer *buf, PRBool *added)
736 {
737 PRUint16 version;
738 unsigned int lengthOffset;
739 SECStatus rv;
740
741 if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3) {
742 return SECSuccess;
743 }
744
745 SSL_TRC(3, ("%d: TLS13[%d]: client send supported_versions extension",
746 SSL_GETPID(), ss->fd));
747
748 rv = sslBuffer_Skip(buf, 1, &lengthOffset);
749 if (rv != SECSuccess) {
750 return SECFailure;
751 }
752
753 for (version = ss->vrange.max; version >= ss->vrange.min; --version) {
754 rv = sslBuffer_AppendNumber(buf, tls13_EncodeDraftVersion(version), 2);
755 if (rv != SECSuccess) {
756 return SECFailure;
757 }
758 }
759
760 rv = sslBuffer_InsertLength(buf, lengthOffset, 1);
761 if (rv != SECSuccess) {
762 return SECFailure;
763 }
764
765 *added = PR_TRUE;
766 return SECSuccess;
767 }
768
769 SECStatus
tls13_ServerSendSupportedVersionsXtn(const sslSocket * ss,TLSExtensionData * xtnData,sslBuffer * buf,PRBool * added)770 tls13_ServerSendSupportedVersionsXtn(const sslSocket *ss, TLSExtensionData *xtnData,
771 sslBuffer *buf, PRBool *added)
772 {
773 SECStatus rv;
774
775 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
776 return SECSuccess;
777 }
778
779 SSL_TRC(3, ("%d: TLS13[%d]: server send supported_versions extension",
780 SSL_GETPID(), ss->fd));
781
782 rv = sslBuffer_AppendNumber(
783 buf, tls13_EncodeDraftVersion(SSL_LIBRARY_VERSION_TLS_1_3), 2);
784 if (rv != SECSuccess) {
785 return SECFailure;
786 }
787
788 *added = PR_TRUE;
789 return SECSuccess;
790 }
791
792 /*
793 * struct {
794 * opaque cookie<1..2^16-1>;
795 * } Cookie;
796 */
797 SECStatus
tls13_ClientHandleHrrCookie(const sslSocket * ss,TLSExtensionData * xtnData,SECItem * data)798 tls13_ClientHandleHrrCookie(const sslSocket *ss, TLSExtensionData *xtnData,
799 SECItem *data)
800 {
801 SECStatus rv;
802
803 SSL_TRC(3, ("%d: TLS13[%d]: handle cookie extension",
804 SSL_GETPID(), ss->fd));
805
806 PORT_Assert(ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3);
807
808 /* IMPORTANT: this is only valid while the HelloRetryRequest is still valid. */
809 rv = ssl3_ExtConsumeHandshakeVariable(
810 ss, &CONST_CAST(sslSocket, ss)->ssl3.hs.cookie, 2,
811 &data->data, &data->len);
812 if (rv != SECSuccess) {
813 PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST);
814 return SECFailure;
815 }
816 if (!ss->ssl3.hs.cookie.len || data->len) {
817 ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
818 PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST);
819 return SECFailure;
820 }
821
822 return SECSuccess;
823 }
824
825 SECStatus
tls13_ClientSendHrrCookieXtn(const sslSocket * ss,TLSExtensionData * xtnData,sslBuffer * buf,PRBool * added)826 tls13_ClientSendHrrCookieXtn(const sslSocket *ss, TLSExtensionData *xtnData,
827 sslBuffer *buf, PRBool *added)
828 {
829 SECStatus rv;
830
831 if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3 ||
832 !ss->ssl3.hs.cookie.len) {
833 return SECSuccess;
834 }
835
836 SSL_TRC(3, ("%d: TLS13[%d]: send cookie extension", SSL_GETPID(), ss->fd));
837 rv = sslBuffer_AppendVariable(buf, ss->ssl3.hs.cookie.data,
838 ss->ssl3.hs.cookie.len, 2);
839 if (rv != SECSuccess) {
840 return SECFailure;
841 }
842
843 *added = PR_TRUE;
844 return SECSuccess;
845 }
846
847 SECStatus
tls13_ServerHandleCookieXtn(const sslSocket * ss,TLSExtensionData * xtnData,SECItem * data)848 tls13_ServerHandleCookieXtn(const sslSocket *ss, TLSExtensionData *xtnData,
849 SECItem *data)
850 {
851 SECStatus rv;
852
853 SSL_TRC(3, ("%d: TLS13[%d]: handle cookie extension",
854 SSL_GETPID(), ss->fd));
855
856 rv = ssl3_ExtConsumeHandshakeVariable(ss, &xtnData->cookie, 2,
857 &data->data, &data->len);
858 if (rv != SECSuccess) {
859 return SECFailure;
860 }
861
862 if (xtnData->cookie.len == 0) {
863 PORT_SetError(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
864 return SECFailure;
865 }
866
867 if (data->len) {
868 PORT_SetError(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
869 return SECFailure;
870 }
871
872 /* Keep track of negotiated extensions. */
873 xtnData->negotiated[xtnData->numNegotiated++] = ssl_tls13_cookie_xtn;
874
875 return SECSuccess;
876 }
877
878 /*
879 * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
880 *
881 * struct {
882 * PskKeyExchangeMode ke_modes<1..255>;
883 * } PskKeyExchangeModes;
884 */
885 SECStatus
tls13_ClientSendPskModesXtn(const sslSocket * ss,TLSExtensionData * xtnData,sslBuffer * buf,PRBool * added)886 tls13_ClientSendPskModesXtn(const sslSocket *ss, TLSExtensionData *xtnData,
887 sslBuffer *buf, PRBool *added)
888 {
889 static const PRUint8 ke_modes[] = { tls13_psk_dh_ke };
890 SECStatus rv;
891
892 if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3 ||
893 ss->opt.noCache) {
894 return SECSuccess;
895 }
896
897 SSL_TRC(3, ("%d: TLS13[%d]: send psk key exchange modes extension",
898 SSL_GETPID(), ss->fd));
899
900 rv = sslBuffer_AppendVariable(buf, ke_modes, sizeof(ke_modes), 1);
901 if (rv != SECSuccess) {
902 return SECFailure;
903 }
904
905 *added = PR_TRUE;
906 return SECSuccess;
907 }
908
909 SECStatus
tls13_ServerHandlePskModesXtn(const sslSocket * ss,TLSExtensionData * xtnData,SECItem * data)910 tls13_ServerHandlePskModesXtn(const sslSocket *ss, TLSExtensionData *xtnData,
911 SECItem *data)
912 {
913 SECStatus rv;
914
915 /* If we are doing < TLS 1.3, then ignore this. */
916 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
917 return SECSuccess;
918 }
919
920 SSL_TRC(3, ("%d: TLS13[%d]: handle PSK key exchange modes extension",
921 SSL_GETPID(), ss->fd));
922
923 /* IMPORTANT: We aren't copying these values, just setting pointers.
924 * They will only be valid as long as the ClientHello is in memory. */
925 rv = ssl3_ExtConsumeHandshakeVariable(ss,
926 &xtnData->psk_ke_modes, 1,
927 &data->data, &data->len);
928 if (rv != SECSuccess)
929 return rv;
930 if (!xtnData->psk_ke_modes.len || data->len) {
931 PORT_SetError(SSL_ERROR_MALFORMED_PSK_KEY_EXCHANGE_MODES);
932 return SECFailure;
933 }
934
935 /* Keep track of negotiated extensions. */
936 xtnData->negotiated[xtnData->numNegotiated++] =
937 ssl_tls13_psk_key_exchange_modes_xtn;
938
939 return SECSuccess;
940 }
941
942 SECStatus
tls13_SendCertAuthoritiesXtn(const sslSocket * ss,TLSExtensionData * xtnData,sslBuffer * buf,PRBool * added)943 tls13_SendCertAuthoritiesXtn(const sslSocket *ss, TLSExtensionData *xtnData,
944 sslBuffer *buf, PRBool *added)
945 {
946 unsigned int calen;
947 const SECItem *name;
948 unsigned int nnames;
949 SECStatus rv;
950
951 PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3);
952
953 rv = ssl_GetCertificateRequestCAs(ss, &calen, &name, &nnames);
954 if (rv != SECSuccess) {
955 return SECFailure;
956 }
957
958 if (!calen) {
959 return SECSuccess;
960 }
961
962 rv = sslBuffer_AppendNumber(buf, calen, 2);
963 if (rv != SECSuccess) {
964 return SECFailure;
965 }
966
967 while (nnames) {
968 rv = sslBuffer_AppendVariable(buf, name->data, name->len, 2);
969 if (rv != SECSuccess) {
970 return SECFailure;
971 }
972 ++name;
973 --nnames;
974 }
975
976 *added = PR_TRUE;
977 return SECSuccess;
978 }
979
980 SECStatus
tls13_ClientHandleCertAuthoritiesXtn(const sslSocket * ss,TLSExtensionData * xtnData,SECItem * data)981 tls13_ClientHandleCertAuthoritiesXtn(const sslSocket *ss,
982 TLSExtensionData *xtnData,
983 SECItem *data)
984 {
985 SECStatus rv;
986 PLArenaPool *arena;
987
988 if (!data->len) {
989 ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
990 PORT_SetError(SSL_ERROR_RX_MALFORMED_CERT_REQUEST);
991 return SECFailure;
992 }
993
994 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
995 if (!arena) {
996 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
997 return SECFailure;
998 }
999
1000 xtnData->certReqAuthorities.arena = arena;
1001 rv = ssl3_ParseCertificateRequestCAs((sslSocket *)ss,
1002 &data->data, &data->len,
1003 &xtnData->certReqAuthorities);
1004 if (rv != SECSuccess) {
1005 goto loser;
1006 }
1007 if (data->len) {
1008 ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
1009 PORT_SetError(SSL_ERROR_RX_MALFORMED_CERT_REQUEST);
1010 goto loser;
1011 }
1012 return SECSuccess;
1013
1014 loser:
1015 PORT_FreeArena(arena, PR_FALSE);
1016 xtnData->certReqAuthorities.arena = NULL;
1017 return SECFailure;
1018 }
1019
1020 SECStatus
tls13_ServerSendHrrKeyShareXtn(const sslSocket * ss,TLSExtensionData * xtnData,sslBuffer * buf,PRBool * added)1021 tls13_ServerSendHrrKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData,
1022 sslBuffer *buf, PRBool *added)
1023 {
1024 SECStatus rv;
1025
1026 PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3);
1027
1028 if (!xtnData->selectedGroup) {
1029 return SECSuccess;
1030 }
1031
1032 rv = sslBuffer_AppendNumber(buf, xtnData->selectedGroup->name, 2);
1033 if (rv != SECSuccess) {
1034 return SECFailure;
1035 }
1036
1037 *added = PR_TRUE;
1038 return SECSuccess;
1039 }
1040
1041 SECStatus
tls13_ServerSendHrrCookieXtn(const sslSocket * ss,TLSExtensionData * xtnData,sslBuffer * buf,PRBool * added)1042 tls13_ServerSendHrrCookieXtn(const sslSocket *ss, TLSExtensionData *xtnData,
1043 sslBuffer *buf, PRBool *added)
1044 {
1045 SECStatus rv;
1046
1047 PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3);
1048 PORT_Assert(xtnData->cookie.len > 0);
1049
1050 rv = sslBuffer_AppendVariable(buf,
1051 xtnData->cookie.data, xtnData->cookie.len, 2);
1052 if (rv != SECSuccess) {
1053 return SECFailure;
1054 }
1055
1056 *added = PR_TRUE;
1057 return SECSuccess;
1058 }
1059