1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /*
3 * This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7 #include "nssrenam.h"
8 #include "nss.h"
9 #include "ssl.h"
10 #include "sslproto.h"
11 #include "sslimpl.h"
12 #include "pk11pub.h"
13 #include "ssl3ext.h"
14 #include "ssl3exthandle.h"
15 #include "tls13exthandle.h"
16
17 PRInt32
tls13_ServerSendStatusRequestXtn(const sslSocket * ss,TLSExtensionData * xtnData,PRBool append,PRUint32 maxBytes)18 tls13_ServerSendStatusRequestXtn(
19 const sslSocket *ss,
20 TLSExtensionData *xtnData,
21 PRBool append,
22 PRUint32 maxBytes)
23 {
24 PRInt32 extension_length;
25 const sslServerCert *serverCert = ss->sec.serverCert;
26 const SECItem *item;
27 SECStatus rv;
28
29 if (!serverCert->certStatusArray ||
30 !serverCert->certStatusArray->len) {
31 return 0;
32 }
33
34 item = &serverCert->certStatusArray->items[0];
35
36 /* Only send the first entry. */
37 extension_length = 2 + 2 + 1 /* status_type */ + 3 + item->len;
38 if (maxBytes < (PRUint32)extension_length) {
39 return 0;
40 }
41 if (append) {
42 /* extension_type */
43 rv = ssl3_ExtAppendHandshakeNumber(ss, ssl_cert_status_xtn, 2);
44 if (rv != SECSuccess)
45 return -1;
46 /* length of extension_data */
47 rv = ssl3_ExtAppendHandshakeNumber(ss, extension_length - 4, 2);
48 if (rv != SECSuccess)
49 return -1;
50 /* status_type == ocsp */
51 rv = ssl3_ExtAppendHandshakeNumber(ss, 1 /*ocsp*/, 1);
52 if (rv != SECSuccess)
53 return rv; /* err set by AppendHandshake. */
54 /* opaque OCSPResponse<1..2^24-1> */
55 rv = ssl3_ExtAppendHandshakeVariable(ss, item->data, item->len, 3);
56 if (rv != SECSuccess)
57 return rv; /* err set by AppendHandshake. */
58 }
59
60 return extension_length;
61 }
62
63 /*
64 * [draft-ietf-tls-tls13-11] Section 6.3.2.3.
65 *
66 * struct {
67 * NamedGroup group;
68 * opaque key_exchange<1..2^16-1>;
69 * } KeyShareEntry;
70 *
71 * struct {
72 * select (role) {
73 * case client:
74 * KeyShareEntry client_shares<4..2^16-1>;
75 *
76 * case server:
77 * KeyShareEntry server_share;
78 * }
79 * } KeyShare;
80 *
81 * DH is Section 6.3.2.3.1.
82 *
83 * opaque dh_Y<1..2^16-1>;
84 *
85 * ECDH is Section 6.3.2.3.2.
86 *
87 * opaque point <1..2^8-1>;
88 */
89 static PRUint32
tls13_SizeOfKeyShareEntry(const SECKEYPublicKey * pubKey)90 tls13_SizeOfKeyShareEntry(const SECKEYPublicKey *pubKey)
91 {
92 /* Size = NamedGroup(2) + length(2) + opaque<?> share */
93 switch (pubKey->keyType) {
94 case ecKey:
95 return 2 + 2 + pubKey->u.ec.publicValue.len;
96 case dhKey:
97 return 2 + 2 + pubKey->u.dh.prime.len;
98 default:
99 PORT_Assert(0);
100 }
101 return 0;
102 }
103
104 static PRUint32
tls13_SizeOfClientKeyShareExtension(const sslSocket * ss)105 tls13_SizeOfClientKeyShareExtension(const sslSocket *ss)
106 {
107 PRCList *cursor;
108 /* Size is: extension(2) + extension_len(2) + client_shares(2) */
109 PRUint32 size = 2 + 2 + 2;
110 for (cursor = PR_NEXT_LINK(&ss->ephemeralKeyPairs);
111 cursor != &ss->ephemeralKeyPairs;
112 cursor = PR_NEXT_LINK(cursor)) {
113 sslEphemeralKeyPair *keyPair = (sslEphemeralKeyPair *)cursor;
114 size += tls13_SizeOfKeyShareEntry(keyPair->keys->pubKey);
115 }
116 return size;
117 }
118
119 static SECStatus
tls13_EncodeKeyShareEntry(const sslSocket * ss,const sslEphemeralKeyPair * keyPair)120 tls13_EncodeKeyShareEntry(const sslSocket *ss, const sslEphemeralKeyPair *keyPair)
121 {
122 SECStatus rv;
123 SECKEYPublicKey *pubKey = keyPair->keys->pubKey;
124 unsigned int size = tls13_SizeOfKeyShareEntry(pubKey);
125
126 rv = ssl3_ExtAppendHandshakeNumber(ss, keyPair->group->name, 2);
127 if (rv != SECSuccess)
128 return rv;
129 rv = ssl3_ExtAppendHandshakeNumber(ss, size - 4, 2);
130 if (rv != SECSuccess)
131 return rv;
132
133 switch (pubKey->keyType) {
134 case ecKey:
135 rv = tls13_EncodeECDHEKeyShareKEX(ss, pubKey);
136 break;
137 case dhKey:
138 rv = ssl_AppendPaddedDHKeyShare(ss, pubKey, PR_FALSE);
139 break;
140 default:
141 PORT_Assert(0);
142 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
143 break;
144 }
145
146 return rv;
147 }
148
149 PRInt32
tls13_ClientSendKeyShareXtn(const sslSocket * ss,TLSExtensionData * xtnData,PRBool append,PRUint32 maxBytes)150 tls13_ClientSendKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRBool append,
151 PRUint32 maxBytes)
152 {
153 PRUint32 extension_length;
154
155 if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3) {
156 return 0;
157 }
158
159 /* Optimistically try to send an ECDHE key using the
160 * preexisting key (in future will be keys) */
161 SSL_TRC(3, ("%d: TLS13[%d]: send client key share xtn",
162 SSL_GETPID(), ss->fd));
163
164 extension_length = tls13_SizeOfClientKeyShareExtension(ss);
165 if (maxBytes < extension_length) {
166 PORT_Assert(0);
167 return 0;
168 }
169
170 if (append) {
171 SECStatus rv;
172 PRCList *cursor;
173
174 rv = ssl3_ExtAppendHandshakeNumber(ss, ssl_tls13_key_share_xtn, 2);
175 if (rv != SECSuccess)
176 goto loser;
177
178 /* The extension length */
179 rv = ssl3_ExtAppendHandshakeNumber(ss, extension_length - 4, 2);
180 if (rv != SECSuccess)
181 goto loser;
182
183 /* The length of KeyShares */
184 rv = ssl3_ExtAppendHandshakeNumber(ss, extension_length - 6, 2);
185 if (rv != SECSuccess)
186 goto loser;
187
188 for (cursor = PR_NEXT_LINK(&ss->ephemeralKeyPairs);
189 cursor != &ss->ephemeralKeyPairs;
190 cursor = PR_NEXT_LINK(cursor)) {
191 sslEphemeralKeyPair *keyPair = (sslEphemeralKeyPair *)cursor;
192 rv = tls13_EncodeKeyShareEntry(ss, keyPair);
193 if (rv != SECSuccess)
194 goto loser;
195 }
196
197 xtnData->advertised[xtnData->numAdvertised++] =
198 ssl_tls13_key_share_xtn;
199 }
200
201 return extension_length;
202
203 loser:
204 return -1;
205 }
206
207 static SECStatus
tls13_HandleKeyShareEntry(const sslSocket * ss,TLSExtensionData * xtnData,SECItem * data)208 tls13_HandleKeyShareEntry(const sslSocket *ss, TLSExtensionData *xtnData, SECItem *data)
209 {
210 SECStatus rv;
211 PRInt32 group;
212 const sslNamedGroupDef *groupDef;
213 TLS13KeyShareEntry *ks = NULL;
214 SECItem share = { siBuffer, NULL, 0 };
215
216 group = ssl3_ExtConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
217 if (group < 0) {
218 PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE);
219 goto loser;
220 }
221 groupDef = ssl_LookupNamedGroup(group);
222 rv = ssl3_ExtConsumeHandshakeVariable(ss, &share, 2, &data->data,
223 &data->len);
224 if (rv != SECSuccess) {
225 goto loser;
226 }
227 /* If the group is disabled, continue. */
228 if (!groupDef) {
229 return SECSuccess;
230 }
231
232 ks = PORT_ZNew(TLS13KeyShareEntry);
233 if (!ks)
234 goto loser;
235 ks->group = groupDef;
236
237 rv = SECITEM_CopyItem(NULL, &ks->key_exchange, &share);
238 if (rv != SECSuccess)
239 goto loser;
240
241 PR_APPEND_LINK(&ks->link, &xtnData->remoteKeyShares);
242 return SECSuccess;
243
244 loser:
245 if (ks)
246 tls13_DestroyKeyShareEntry(ks);
247 return SECFailure;
248 }
249 /* Handle an incoming KeyShare extension at the client and copy to
250 * |xtnData->remoteKeyShares| for future use. The key
251 * share is processed in tls13_HandleServerKeyShare(). */
252 SECStatus
tls13_ClientHandleKeyShareXtn(const sslSocket * ss,TLSExtensionData * xtnData,PRUint16 ex_type,SECItem * data)253 tls13_ClientHandleKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type, SECItem *data)
254 {
255 SECStatus rv;
256 PORT_Assert(PR_CLIST_IS_EMPTY(&xtnData->remoteKeyShares));
257
258 PORT_Assert(!ss->sec.isServer);
259 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
260 /* This can't happen because the extension processing
261 * code filters out TLS 1.3 extensions when not in
262 * TLS 1.3 mode. */
263 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
264 return SECFailure;
265 }
266
267 SSL_TRC(3, ("%d: SSL3[%d]: handle key_share extension",
268 SSL_GETPID(), ss->fd));
269
270 rv = tls13_HandleKeyShareEntry(ss, xtnData, data);
271 if (rv != SECSuccess) {
272 PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE);
273 return SECFailure;
274 }
275
276 if (data->len) {
277 PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE);
278 return SECFailure;
279 }
280
281 return SECSuccess;
282 }
283
284 SECStatus
tls13_ClientHandleKeyShareXtnHrr(const sslSocket * ss,TLSExtensionData * xtnData,PRUint16 ex_type,SECItem * data)285 tls13_ClientHandleKeyShareXtnHrr(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type, SECItem *data)
286 {
287 SECStatus rv;
288 PRInt32 tmp;
289 const sslNamedGroupDef *group;
290
291 PORT_Assert(!ss->sec.isServer);
292 PORT_Assert(ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3);
293
294 SSL_TRC(3, ("%d: SSL3[%d]: handle key_share extension in HRR",
295 SSL_GETPID(), ss->fd));
296
297 tmp = ssl3_ExtConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
298 if (tmp < 0) {
299 return SECFailure; /* error code already set */
300 }
301 if (data->len) {
302 ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
303 PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST);
304 return SECFailure;
305 }
306
307 group = ssl_LookupNamedGroup((SSLNamedGroup)tmp);
308 /* If the group is not enabled, or we already have a share for the
309 * requested group, abort. */
310 if (!ssl_NamedGroupEnabled(ss, group) ||
311 ssl_HaveEphemeralKeyPair(ss, group)) {
312 ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
313 PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST);
314 return SECFailure;
315 }
316
317 /* Now delete all the key shares per [draft-ietf-tls-tls13 S 4.1.2] */
318 ssl_FreeEphemeralKeyPairs(CONST_CAST(sslSocket, ss));
319
320 /* And replace with our new share. */
321 rv = tls13_CreateKeyShare(CONST_CAST(sslSocket, ss), group);
322 if (rv != SECSuccess) {
323 ssl3_ExtSendAlert(ss, alert_fatal, internal_error);
324 PORT_SetError(SEC_ERROR_KEYGEN_FAIL);
325 return SECFailure;
326 }
327
328 return SECSuccess;
329 }
330
331 /* Handle an incoming KeyShare extension at the server and copy to
332 * |xtnData->remoteKeyShares| for future use. The key
333 * share is processed in tls13_HandleClientKeyShare(). */
334 SECStatus
tls13_ServerHandleKeyShareXtn(const sslSocket * ss,TLSExtensionData * xtnData,PRUint16 ex_type,SECItem * data)335 tls13_ServerHandleKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type, SECItem *data)
336 {
337 SECStatus rv;
338 PRInt32 length;
339
340 PORT_Assert(ss->sec.isServer);
341 PORT_Assert(PR_CLIST_IS_EMPTY(&xtnData->remoteKeyShares));
342
343 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
344 return SECSuccess;
345 }
346
347 SSL_TRC(3, ("%d: SSL3[%d]: handle key_share extension",
348 SSL_GETPID(), ss->fd));
349
350 /* Redundant length because of TLS encoding (this vector consumes
351 * the entire extension.) */
352 length = ssl3_ExtConsumeHandshakeNumber(ss, 2, &data->data,
353 &data->len);
354 if (length < 0)
355 goto loser;
356 if (length != data->len) {
357 /* Check for consistency */
358 PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE);
359 goto loser;
360 }
361
362 while (data->len) {
363 rv = tls13_HandleKeyShareEntry(ss, xtnData, data);
364 if (rv != SECSuccess)
365 goto loser;
366 }
367
368 /* Check that the client only offered one share if this is
369 * after HRR. */
370 if (ss->ssl3.hs.helloRetry) {
371 if (PR_PREV_LINK(&xtnData->remoteKeyShares) !=
372 PR_NEXT_LINK(&xtnData->remoteKeyShares)) {
373 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
374 goto loser;
375 }
376 }
377
378 return SECSuccess;
379
380 loser:
381 tls13_DestroyKeyShares(&xtnData->remoteKeyShares);
382 return SECFailure;
383 }
384
385 PRInt32
tls13_ServerSendKeyShareXtn(const sslSocket * ss,TLSExtensionData * xtnData,PRBool append,PRUint32 maxBytes)386 tls13_ServerSendKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRBool append,
387 PRUint32 maxBytes)
388 {
389 PRUint32 extension_length;
390 PRUint32 entry_length;
391 SECStatus rv;
392 sslEphemeralKeyPair *keyPair;
393
394 /* There should be exactly one key share. */
395 PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ephemeralKeyPairs));
396 PORT_Assert(PR_PREV_LINK(&ss->ephemeralKeyPairs) ==
397 PR_NEXT_LINK(&ss->ephemeralKeyPairs));
398
399 keyPair = (sslEphemeralKeyPair *)PR_NEXT_LINK(&ss->ephemeralKeyPairs);
400
401 entry_length = tls13_SizeOfKeyShareEntry(keyPair->keys->pubKey);
402 extension_length = 2 + 2 + entry_length; /* Type + length + entry_length */
403 if (maxBytes < extension_length) {
404 PORT_Assert(0);
405 return 0;
406 }
407
408 if (append) {
409 rv = ssl3_ExtAppendHandshakeNumber(ss, ssl_tls13_key_share_xtn, 2);
410 if (rv != SECSuccess)
411 goto loser;
412
413 rv = ssl3_ExtAppendHandshakeNumber(ss, entry_length, 2);
414 if (rv != SECSuccess)
415 goto loser;
416
417 rv = tls13_EncodeKeyShareEntry(ss, keyPair);
418 if (rv != SECSuccess)
419 goto loser;
420 }
421
422 return extension_length;
423
424 loser:
425 return -1;
426 }
427
428 /* Called by clients.
429 *
430 * struct {
431 * opaque identity<0..2^16-1>;
432 * uint32 obfuscated_ticket_age;
433 * } PskIdentity;
434 *
435 * opaque PskBinderEntry<32..255>;
436 *
437 * struct {
438 * select (Handshake.msg_type) {
439 * case client_hello:
440 * PskIdentity identities<6..2^16-1>;
441 * PskBinderEntry binders<33..2^16-1>;
442 *
443 * case server_hello:
444 * uint16 selected_identity;
445 * };
446 *
447 * } PreSharedKeyExtension;
448
449 * Presently the only way to get a PSK is by resumption, so this is
450 * really a ticket label and there will be at most one.
451 */
452 PRInt32
tls13_ClientSendPreSharedKeyXtn(const sslSocket * ss,TLSExtensionData * xtnData,PRBool append,PRUint32 maxBytes)453 tls13_ClientSendPreSharedKeyXtn(const sslSocket *ss, TLSExtensionData *xtnData,
454 PRBool append,
455 PRUint32 maxBytes)
456 {
457 PRInt32 extension_length;
458 PRInt32 identities_length;
459 PRInt32 binders_length;
460 NewSessionTicket *session_ticket;
461
462 /* We only set statelessResume on the client in TLS 1.3 code. */
463 if (!ss->statelessResume)
464 return 0;
465
466 PORT_Assert(ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3);
467
468 /* The length computations are simplified by the fact that there
469 * is just one ticket at most. */
470 session_ticket = &ss->sec.ci.sid->u.ssl3.locked.sessionTicket;
471 identities_length =
472 2 + /* vector length */
473 2 + session_ticket->ticket.len + /* identity length + ticket len */
474 4; /* obfuscated_ticket_age */
475 binders_length =
476 2 + /* vector length */
477 1 + tls13_GetHashSizeForHash(
478 tls13_GetHashForCipherSuite(ss->sec.ci.sid->u.ssl3.cipherSuite));
479 extension_length =
480 2 + 2 + /* Type + length */
481 identities_length + binders_length;
482
483 if (maxBytes < (PRUint32)extension_length) {
484 PORT_Assert(0);
485 return 0;
486 }
487
488 if (append) {
489 SECStatus rv;
490 PRUint32 age;
491 unsigned int prefixLength;
492 PRUint8 binder[TLS13_MAX_FINISHED_SIZE];
493 unsigned int binderLen;
494
495 /* extension_type */
496 rv = ssl3_ExtAppendHandshakeNumber(ss, ssl_tls13_pre_shared_key_xtn, 2);
497 if (rv != SECSuccess)
498 goto loser;
499 rv = ssl3_ExtAppendHandshakeNumber(ss, extension_length - 4, 2);
500 if (rv != SECSuccess)
501 goto loser;
502 rv = ssl3_ExtAppendHandshakeNumber(ss, identities_length - 2, 2);
503 if (rv != SECSuccess)
504 goto loser;
505 rv = ssl3_ExtAppendHandshakeVariable(ss, session_ticket->ticket.data,
506 session_ticket->ticket.len, 2);
507 if (rv != SECSuccess)
508 goto loser;
509
510 /* Obfuscated age. */
511 age = ssl_Time() - session_ticket->received_timestamp;
512 age += session_ticket->ticket_age_add;
513 rv = ssl3_ExtAppendHandshakeNumber(ss, age, 4);
514 if (rv != SECSuccess)
515 goto loser;
516
517 /* Now the binders. */
518 prefixLength = ss->ssl3.hs.messages.len;
519 rv = tls13_ComputePskBinder(CONST_CAST(sslSocket, ss), PR_TRUE,
520 prefixLength, binder, &binderLen,
521 sizeof(binder));
522 if (rv != SECSuccess)
523 goto loser;
524 PORT_Assert(binderLen == tls13_GetHashSize(ss));
525 rv = ssl3_ExtAppendHandshakeNumber(ss, binders_length - 2, 2);
526 if (rv != SECSuccess)
527 goto loser;
528 rv = ssl3_ExtAppendHandshakeVariable(ss,
529 binder, binderLen, 1);
530 if (rv != SECSuccess)
531 goto loser;
532
533 PRINT_BUF(50, (ss, "Sending PreSharedKey value",
534 session_ticket->ticket.data,
535 session_ticket->ticket.len));
536
537 xtnData->sentSessionTicketInClientHello = PR_TRUE;
538 xtnData->advertised[xtnData->numAdvertised++] =
539 ssl_tls13_pre_shared_key_xtn;
540 }
541 return extension_length;
542
543 loser:
544 xtnData->ticketTimestampVerified = PR_FALSE;
545 return -1;
546 }
547
548 /* Handle a TLS 1.3 PreSharedKey Extension. We only accept PSKs
549 * that contain session tickets. */
550 SECStatus
tls13_ServerHandlePreSharedKeyXtn(const sslSocket * ss,TLSExtensionData * xtnData,PRUint16 ex_type,SECItem * data)551 tls13_ServerHandlePreSharedKeyXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type,
552 SECItem *data)
553 {
554 SECItem inner;
555 SECStatus rv;
556 unsigned int numIdentities = 0;
557 unsigned int numBinders = 0;
558
559 SSL_TRC(3, ("%d: SSL3[%d]: handle pre_shared_key extension",
560 SSL_GETPID(), ss->fd));
561
562 /* If we are doing < TLS 1.3, then ignore this. */
563 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
564 return SECSuccess;
565 }
566
567 /* Parse the identities list. */
568 rv = ssl3_ExtConsumeHandshakeVariable(ss,
569 &inner, 2, &data->data, &data->len);
570 if (rv != SECSuccess) {
571 return SECFailure;
572 }
573
574 while (inner.len) {
575 SECItem label;
576 PRUint32 utmp;
577
578 rv = ssl3_ExtConsumeHandshakeVariable(ss, &label, 2,
579 &inner.data, &inner.len);
580 if (rv != SECSuccess)
581 return rv;
582 if (!label.len) {
583 goto alert_loser;
584 }
585
586 /* Read and discard session ticket age. Bug 1295163 */
587 rv = ssl3_ExtConsumeHandshake(ss, &utmp, 4,
588 &inner.data, &inner.len);
589 if (rv != SECSuccess)
590 return rv;
591
592 if (!numIdentities) {
593 PRINT_BUF(50, (ss, "Handling PreSharedKey value",
594 label.data, label.len));
595 rv = ssl3_ProcessSessionTicketCommon(
596 CONST_CAST(sslSocket, ss), &label);
597 /* This only happens if we have an internal error, not
598 * a malformed ticket. Bogus tickets just don't resume
599 * and return SECSuccess. */
600 if (rv != SECSuccess)
601 return SECFailure;
602 }
603 ++numIdentities;
604 }
605
606 xtnData->pskBinderPrefixLen = ss->ssl3.hs.messages.len - data->len;
607
608 /* Parse the binders list. */
609 rv = ssl3_ExtConsumeHandshakeVariable(ss,
610 &inner, 2, &data->data, &data->len);
611 if (rv != SECSuccess)
612 return SECFailure;
613 if (data->len) {
614 goto alert_loser;
615 }
616
617 while (inner.len) {
618 SECItem binder;
619 rv = ssl3_ExtConsumeHandshakeVariable(ss, &binder, 1,
620 &inner.data, &inner.len);
621 if (rv != SECSuccess)
622 return rv;
623 if (binder.len < 32) {
624 goto alert_loser;
625 }
626
627 if (!numBinders) {
628 xtnData->pskBinder = binder;
629 }
630 ++numBinders;
631 }
632
633 if (numBinders != numIdentities)
634 goto alert_loser;
635
636 /* Keep track of negotiated extensions. Note that this does not
637 * mean we are resuming. */
638 xtnData->negotiated[xtnData->numNegotiated++] = ex_type;
639
640 return SECSuccess;
641
642 alert_loser:
643 ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
644 PORT_SetError(SSL_ERROR_MALFORMED_PRE_SHARED_KEY);
645 return SECFailure;
646 }
647
648 PRInt32
tls13_ServerSendPreSharedKeyXtn(const sslSocket * ss,TLSExtensionData * xtnData,PRBool append,PRUint32 maxBytes)649 tls13_ServerSendPreSharedKeyXtn(const sslSocket *ss, TLSExtensionData *xtnData,
650 PRBool append,
651 PRUint32 maxBytes)
652 {
653 PRInt32 extension_length =
654 2 + 2 + 2; /* type + len + index */
655 SECStatus rv;
656
657 if (maxBytes < (PRUint32)extension_length) {
658 PORT_Assert(0);
659 return 0;
660 }
661
662 if (append) {
663 rv = ssl3_ExtAppendHandshakeNumber(ss, ssl_tls13_pre_shared_key_xtn, 2);
664 if (rv != SECSuccess)
665 return -1;
666
667 rv = ssl3_ExtAppendHandshakeNumber(ss, 2, 2);
668 if (rv != SECSuccess)
669 return -1;
670
671 /* We only process the first session ticket the client sends,
672 * so the index is always 0. */
673 rv = ssl3_ExtAppendHandshakeNumber(ss, 0, 2);
674 if (rv != SECSuccess)
675 return -1;
676 }
677
678 return extension_length;
679 }
680
681 /* Handle a TLS 1.3 PreSharedKey Extension. We only accept PSKs
682 * that contain session tickets. */
683 SECStatus
tls13_ClientHandlePreSharedKeyXtn(const sslSocket * ss,TLSExtensionData * xtnData,PRUint16 ex_type,SECItem * data)684 tls13_ClientHandlePreSharedKeyXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type,
685 SECItem *data)
686 {
687 PRInt32 index;
688
689 SSL_TRC(3, ("%d: SSL3[%d]: handle pre_shared_key extension",
690 SSL_GETPID(), ss->fd));
691
692 /* If we are doing < TLS 1.3, then ignore this. */
693 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
694 return SECSuccess;
695 }
696
697 index = ssl3_ExtConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
698 if (index < 0)
699 return SECFailure;
700
701 /* This should be the end of the extension. */
702 if (data->len) {
703 PORT_SetError(SSL_ERROR_MALFORMED_PRE_SHARED_KEY);
704 return SECFailure;
705 }
706
707 /* We only sent one PSK label so index must be equal to 0 */
708 if (index) {
709 PORT_SetError(SSL_ERROR_MALFORMED_PRE_SHARED_KEY);
710 return SECFailure;
711 }
712
713 /* Keep track of negotiated extensions. */
714 xtnData->negotiated[xtnData->numNegotiated++] = ex_type;
715
716 return SECSuccess;
717 }
718
719 /*
720 * struct { } EarlyDataIndication;
721 */
722 PRInt32
tls13_ClientSendEarlyDataXtn(const sslSocket * ss,TLSExtensionData * xtnData,PRBool append,PRUint32 maxBytes)723 tls13_ClientSendEarlyDataXtn(const sslSocket *ss, TLSExtensionData *xtnData,
724 PRBool append,
725 PRUint32 maxBytes)
726 {
727 SECStatus rv;
728 PRInt32 extension_length;
729
730 if (!tls13_ClientAllow0Rtt(ss, ss->sec.ci.sid))
731 return 0;
732
733 /* type + length */
734 extension_length = 2 + 2;
735
736 if (maxBytes < (PRUint32)extension_length) {
737 PORT_Assert(0);
738 return 0;
739 }
740
741 if (append) {
742 rv = ssl3_ExtAppendHandshakeNumber(ss, ssl_tls13_early_data_xtn, 2);
743 if (rv != SECSuccess)
744 return -1;
745
746 rv = ssl3_ExtAppendHandshakeNumber(ss, 0, 2);
747 if (rv != SECSuccess)
748 return -1;
749 }
750
751 xtnData->advertised[xtnData->numAdvertised++] =
752 ssl_tls13_early_data_xtn;
753
754 return extension_length;
755 }
756
757 SECStatus
tls13_ServerHandleEarlyDataXtn(const sslSocket * ss,TLSExtensionData * xtnData,PRUint16 ex_type,SECItem * data)758 tls13_ServerHandleEarlyDataXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type,
759 SECItem *data)
760 {
761 SSL_TRC(3, ("%d: TLS13[%d]: handle early_data extension",
762 SSL_GETPID(), ss->fd));
763
764 /* If we are doing < TLS 1.3, then ignore this. */
765 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
766 return SECSuccess;
767 }
768
769 if (data->len) {
770 PORT_SetError(SSL_ERROR_MALFORMED_EARLY_DATA);
771 return SECFailure;
772 }
773
774 xtnData->negotiated[xtnData->numNegotiated++] = ex_type;
775
776 return SECSuccess;
777 }
778
779 /* This is only registered if we are sending it. */
780 PRInt32
tls13_ServerSendEarlyDataXtn(const sslSocket * ss,TLSExtensionData * xtnData,PRBool append,PRUint32 maxBytes)781 tls13_ServerSendEarlyDataXtn(const sslSocket *ss, TLSExtensionData *xtnData,
782 PRBool append,
783 PRUint32 maxBytes)
784 {
785 SSL_TRC(3, ("%d: TLS13[%d]: send early_data extension",
786 SSL_GETPID(), ss->fd));
787
788 PORT_Assert(ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted);
789 if (maxBytes < 4) {
790 PORT_Assert(0);
791 return 0;
792 }
793
794 if (append) {
795 SECStatus rv;
796
797 rv = ssl3_ExtAppendHandshakeNumber(ss, ssl_tls13_early_data_xtn, 2);
798 if (rv != SECSuccess)
799 return -1;
800
801 rv = ssl3_ExtAppendHandshakeNumber(ss, 0, 2);
802 if (rv != SECSuccess)
803 return -1;
804 }
805
806 return 4;
807 }
808
809 /* This will only be called if we also offered the extension. */
810 SECStatus
tls13_ClientHandleEarlyDataXtn(const sslSocket * ss,TLSExtensionData * xtnData,PRUint16 ex_type,SECItem * data)811 tls13_ClientHandleEarlyDataXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type,
812 SECItem *data)
813 {
814 SSL_TRC(3, ("%d: TLS13[%d]: handle early_data extension",
815 SSL_GETPID(), ss->fd));
816
817 /* If we are doing < TLS 1.3, then ignore this. */
818 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
819 PORT_SetError(SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION);
820 return SECFailure;
821 }
822
823 if (data->len) {
824 PORT_SetError(SSL_ERROR_MALFORMED_EARLY_DATA);
825 return SECFailure;
826 }
827
828 /* Keep track of negotiated extensions. */
829 xtnData->negotiated[xtnData->numNegotiated++] = ex_type;
830
831 return SECSuccess;
832 }
833
834 SECStatus
tls13_ClientHandleTicketEarlyDataInfoXtn(const sslSocket * ss,TLSExtensionData * xtnData,PRUint16 ex_type,SECItem * data)835 tls13_ClientHandleTicketEarlyDataInfoXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type,
836 SECItem *data)
837 {
838 PRUint32 utmp;
839 SECStatus rv;
840
841 SSL_TRC(3, ("%d: TLS13[%d]: handle early_data_info extension",
842 SSL_GETPID(), ss->fd));
843
844 /* If we are doing < TLS 1.3, then ignore this. */
845 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
846 PORT_SetError(SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION);
847 return SECFailure;
848 }
849
850 rv = ssl3_ExtConsumeHandshake(ss, &utmp, sizeof(utmp),
851 &data->data, &data->len);
852 if (rv != SECSuccess) {
853 PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET);
854 return SECFailure;
855 }
856 if (data->len) {
857 PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET);
858 return SECFailure;
859 }
860
861 xtnData->max_early_data_size = PR_ntohl(utmp);
862
863 return SECSuccess;
864 }
865
866 /*
867 * struct {
868 * ProtocolVersion versions<2..254>;
869 * } SupportedVersions;
870 */
871 PRInt32
tls13_ClientSendSupportedVersionsXtn(const sslSocket * ss,TLSExtensionData * xtnData,PRBool append,PRUint32 maxBytes)872 tls13_ClientSendSupportedVersionsXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRBool append,
873 PRUint32 maxBytes)
874 {
875 PRInt32 extensions_len;
876 PRUint16 version;
877 SECStatus rv;
878
879 if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3) {
880 return 0;
881 }
882
883 SSL_TRC(3, ("%d: TLS13[%d]: send supported_versions extension",
884 SSL_GETPID(), ss->fd));
885
886 /* Extension type, extension len fiels, vector len field,
887 * length of the values. */
888 extensions_len = 2 + 2 + 1 +
889 2 * (ss->vrange.max - ss->vrange.min + 1);
890
891 if (maxBytes < (PRUint32)extensions_len) {
892 PORT_Assert(0);
893 return 0;
894 }
895
896 if (append) {
897 rv = ssl3_ExtAppendHandshakeNumber(ss, ssl_tls13_supported_versions_xtn, 2);
898 if (rv != SECSuccess)
899 return -1;
900
901 rv = ssl3_ExtAppendHandshakeNumber(ss, extensions_len - 4, 2);
902 if (rv != SECSuccess)
903 return -1;
904
905 rv = ssl3_ExtAppendHandshakeNumber(ss, extensions_len - 5, 1);
906 if (rv != SECSuccess)
907 return -1;
908
909 for (version = ss->vrange.max; version >= ss->vrange.min; --version) {
910 rv = ssl3_ExtAppendHandshakeNumber(
911 ss, tls13_EncodeDraftVersion(version), 2);
912 if (rv != SECSuccess)
913 return -1;
914 }
915 }
916
917 return extensions_len;
918 }
919
920 /*
921 * struct {
922 * opaque cookie<1..2^16-1>;
923 * } Cookie;
924 */
925 SECStatus
tls13_ClientHandleHrrCookie(const sslSocket * ss,TLSExtensionData * xtnData,PRUint16 ex_type,SECItem * data)926 tls13_ClientHandleHrrCookie(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type, SECItem *data)
927 {
928 SECStatus rv;
929
930 SSL_TRC(3, ("%d: TLS13[%d]: handle cookie extension",
931 SSL_GETPID(), ss->fd));
932
933 PORT_Assert(ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3);
934
935 /* IMPORTANT: this is only valid while the HelloRetryRequest is still valid. */
936 rv = ssl3_ExtConsumeHandshakeVariable(
937 ss, &CONST_CAST(sslSocket, ss)->ssl3.hs.cookie, 2,
938 &data->data, &data->len);
939 if (rv != SECSuccess) {
940 PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST);
941 return SECFailure;
942 }
943 if (!ss->ssl3.hs.cookie.len || data->len) {
944 ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
945 PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST);
946 return SECFailure;
947 }
948
949 return SECSuccess;
950 }
951
952 PRInt32
tls13_ClientSendHrrCookieXtn(const sslSocket * ss,TLSExtensionData * xtnData,PRBool append,PRUint32 maxBytes)953 tls13_ClientSendHrrCookieXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRBool append, PRUint32 maxBytes)
954 {
955 PRInt32 extension_len;
956
957 if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3 ||
958 !ss->ssl3.hs.cookie.len) {
959 return 0;
960 }
961
962 SSL_TRC(3, ("%d: TLS13[%d]: send cookie extension", SSL_GETPID(), ss->fd));
963
964 /* Extension type, length, cookie length, cookie value. */
965 extension_len = 2 + 2 + 2 + ss->ssl3.hs.cookie.len;
966
967 if (maxBytes < (PRUint32)extension_len) {
968 PORT_Assert(0);
969 return 0;
970 }
971
972 if (append) {
973 SECStatus rv = ssl3_ExtAppendHandshakeNumber(ss, ssl_tls13_cookie_xtn, 2);
974 if (rv != SECSuccess)
975 return -1;
976
977 rv = ssl3_ExtAppendHandshakeNumber(ss, extension_len - 4, 2);
978 if (rv != SECSuccess)
979 return -1;
980
981 rv = ssl3_ExtAppendHandshakeVariable(ss, ss->ssl3.hs.cookie.data,
982 ss->ssl3.hs.cookie.len, 2);
983 if (rv != SECSuccess)
984 return -1;
985 }
986 return extension_len;
987 }
988
989 /*
990 * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
991 *
992 * struct {
993 * PskKeyExchangeMode ke_modes<1..255>;
994 * } PskKeyExchangeModes;
995 */
996 PRInt32
tls13_ClientSendPskKeyExchangeModesXtn(const sslSocket * ss,TLSExtensionData * xtnData,PRBool append,PRUint32 maxBytes)997 tls13_ClientSendPskKeyExchangeModesXtn(const sslSocket *ss,
998 TLSExtensionData *xtnData,
999 PRBool append, PRUint32 maxBytes)
1000 {
1001 static const PRUint8 ke_modes[] = { tls13_psk_dh_ke };
1002 static const unsigned long ke_modes_len = sizeof(ke_modes);
1003 PRInt32 extension_len;
1004
1005 if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3 ||
1006 ss->opt.noCache) {
1007 return 0;
1008 }
1009
1010 extension_len =
1011 2 + 2 + /* Type + length */
1012 1 + ke_modes_len; /* key exchange modes vector */
1013
1014 SSL_TRC(3, ("%d: TLS13[%d]: send psk key exchange modes extension",
1015 SSL_GETPID(), ss->fd));
1016
1017 if (maxBytes < (PRUint32)extension_len) {
1018 PORT_Assert(0);
1019 return 0;
1020 }
1021
1022 if (append) {
1023 SECStatus rv = ssl3_ExtAppendHandshakeNumber(
1024 ss, ssl_tls13_psk_key_exchange_modes_xtn, 2);
1025 if (rv != SECSuccess)
1026 return -1;
1027
1028 rv = ssl3_ExtAppendHandshakeNumber(ss, extension_len - 4, 2);
1029 if (rv != SECSuccess)
1030 return -1;
1031
1032 rv = ssl3_ExtAppendHandshakeVariable(
1033 ss, ke_modes, ke_modes_len, 1);
1034 if (rv != SECSuccess)
1035 return -1;
1036 }
1037 return extension_len;
1038 }
1039
1040 SECStatus
tls13_ServerHandlePskKeyExchangeModesXtn(const sslSocket * ss,TLSExtensionData * xtnData,PRUint16 ex_type,SECItem * data)1041 tls13_ServerHandlePskKeyExchangeModesXtn(const sslSocket *ss,
1042 TLSExtensionData *xtnData,
1043 PRUint16 ex_type, SECItem *data)
1044 {
1045 SECStatus rv;
1046
1047 /* If we are doing < TLS 1.3, then ignore this. */
1048 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
1049 return SECSuccess;
1050 }
1051
1052 SSL_TRC(3, ("%d: TLS13[%d]: handle PSK key exchange modes extension",
1053 SSL_GETPID(), ss->fd));
1054
1055 /* IMPORTANT: We aren't copying these values, just setting pointers.
1056 * They will only be valid as long as the ClientHello is in memory. */
1057 rv = ssl3_ExtConsumeHandshakeVariable(ss,
1058 &xtnData->psk_ke_modes, 1,
1059 &data->data, &data->len);
1060 if (rv != SECSuccess)
1061 return rv;
1062 if (!xtnData->psk_ke_modes.len || data->len) {
1063 PORT_SetError(SSL_ERROR_MALFORMED_PSK_KEY_EXCHANGE_MODES);
1064 return SECFailure;
1065 }
1066
1067 /* Keep track of negotiated extensions. */
1068 xtnData->negotiated[xtnData->numNegotiated++] = ex_type;
1069
1070 return SECSuccess;
1071 }
1072
1073 PRInt32
tls13_SendShortHeaderXtn(const sslSocket * ss,TLSExtensionData * xtnData,PRBool append,PRUint32 maxBytes)1074 tls13_SendShortHeaderXtn(const sslSocket *ss,
1075 TLSExtensionData *xtnData,
1076 PRBool append, PRUint32 maxBytes)
1077 {
1078 PRUint32 extension_len = 2 + 2; /* Type + length (0). */
1079
1080 if (!ss->opt.enableShortHeaders) {
1081 return 0;
1082 }
1083
1084 /* Presently this is incompatible with 0-RTT. We will fix if
1085 * it becomes more than an experiment. */
1086 if (ss->opt.enable0RttData) {
1087 return 0;
1088 }
1089
1090 if (IS_DTLS(ss)) {
1091 return 0;
1092 }
1093
1094 SSL_TRC(3, ("%d: TLS13[%d]: send short_header extension",
1095 SSL_GETPID(), ss->fd));
1096
1097 if (maxBytes < extension_len) {
1098 PORT_Assert(0);
1099 return 0;
1100 }
1101
1102 if (append) {
1103 SECStatus rv;
1104
1105 rv = ssl3_ExtAppendHandshakeNumber(ss, ssl_tls13_short_header_xtn, 2);
1106 if (rv != SECSuccess)
1107 return -1;
1108
1109 rv = ssl3_ExtAppendHandshakeNumber(ss, 0, 2);
1110 if (rv != SECSuccess)
1111 return -1;
1112
1113 xtnData->advertised[xtnData->numAdvertised++] =
1114 ssl_tls13_short_header_xtn;
1115 }
1116
1117 return extension_len;
1118 }
1119
1120 SECStatus
tls13_HandleShortHeaderXtn(const sslSocket * ss,TLSExtensionData * xtnData,PRUint16 ex_type,SECItem * data)1121 tls13_HandleShortHeaderXtn(
1122 const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type,
1123 SECItem *data)
1124 {
1125 SSL_TRC(3, ("%d: TLS13[%d]: handle early_data extension",
1126 SSL_GETPID(), ss->fd));
1127
1128 /* If we are doing < TLS 1.3, then ignore this. */
1129 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
1130 return SECSuccess;
1131 }
1132
1133 /* Presently this is incompatible with 0-RTT. We will fix if
1134 * it becomes more than an experiment. */
1135 if (ss->opt.enable0RttData) {
1136 return SECSuccess;
1137 }
1138
1139 if (IS_DTLS(ss)) {
1140 PORT_SetError(SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION);
1141 return SECFailure;
1142 }
1143
1144 if (data->len) {
1145 PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE);
1146 return SECFailure;
1147 }
1148
1149 if (!ss->opt.enableShortHeaders) {
1150 /* Ignore. */
1151 return SECSuccess;
1152 }
1153
1154 /* Keep track of negotiated extensions. */
1155 xtnData->negotiated[xtnData->numNegotiated++] = ex_type;
1156
1157 if (ss->sec.isServer) {
1158 SECStatus rv;
1159
1160 rv = ssl3_RegisterExtensionSender(ss, xtnData,
1161 ssl_tls13_short_header_xtn,
1162 tls13_SendShortHeaderXtn);
1163 if (rv != SECSuccess) {
1164 return SECFailure;
1165 }
1166 }
1167
1168 return SECSuccess;
1169 }
1170