1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /*
3  * This file is PRIVATE to SSL.
4  *
5  * This Source Code Form is subject to the terms of the Mozilla Public
6  * License, v. 2.0. If a copy of the MPL was not distributed with this
7  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
8 
9 #ifndef __tls13ech_h_
10 #define __tls13ech_h_
11 
12 #include "pk11hpke.h"
13 
14 /* draft-09, supporting shared-mode and split-mode as a backend server only.
15  * Notes on the implementation status:
16  * - Padding (https://tools.ietf.org/html/draft-ietf-tls-esni-08#section-6.2),
17  *   is not implemented (see bug 1677181).
18  * - When multiple ECHConfigs are provided by the server, the first compatible
19  *   config is selected by the client. Ciphersuite choices are limited and only
20  *   the AEAD may vary (AES-128-GCM or ChaCha20Poly1305).
21  * - Some of the buffering (construction/compression/decompression) could likely
22  *   be optimized, but the spec is still evolving so that work is deferred.
23  */
24 #define TLS13_ECH_VERSION 0xfe0a
25 #define TLS13_ECH_SIGNAL_LEN 8
26 
27 static const char kHpkeInfoEch[] = "tls ech";
28 static const char hHkdfInfoEchConfigID[] = "tls ech config id";
29 static const char kHkdfInfoEchConfirm[] = "ech accept confirmation";
30 
31 struct sslEchConfigContentsStr {
32     PRUint8 configId;
33     HpkeKemId kemId;
34     SECItem publicKey; /* NULL on server. Use the keypair in sslEchConfig instead. */
35     HpkeKdfId kdfId;
36     HpkeAeadId aeadId;
37     SECItem suites; /* One or more HpkeCipherSuites. The selected s
38                      * suite is placed in kdfId and aeadId. */
39     PRUint16 maxNameLen;
40     char *publicName;
41     /* No supported extensions. */
42 };
43 
44 struct sslEchConfigStr {
45     PRCList link;
46     SECItem raw;
47     PRUint16 version;
48     sslEchConfigContents contents;
49 };
50 
51 struct sslEchXtnStateStr {
52     SECItem innerCh;          /* Server: ClientECH.payload */
53     SECItem senderPubKey;     /* Server: ClientECH.enc */
54     PRUint8 configId;         /* Server: ClientECH.config_id  */
55     HpkeKdfId kdfId;          /* Server: ClientECH.cipher_suite.kdf */
56     HpkeAeadId aeadId;        /* Server: ClientECH.cipher_suite.aead */
57     SECItem retryConfigs;     /* Client: ServerECH.retry_configs*/
58     PRBool retryConfigsValid; /* Client: Extraction of retry_configss is allowed.
59                                *  This is set once the handshake completes (having
60                                *  verified to the ECHConfig public name). */
61 };
62 
63 SECStatus SSLExp_EncodeEchConfigId(PRUint8 configId, const char *publicName, unsigned int maxNameLen,
64                                    HpkeKemId kemId, const SECKEYPublicKey *pubKey,
65                                    const HpkeSymmetricSuite *hpkeSuites, unsigned int hpkeSuiteCount,
66                                    PRUint8 *out, unsigned int *outlen, unsigned int maxlen);
67 SECStatus SSLExp_GetEchRetryConfigs(PRFileDesc *fd, SECItem *retryConfigs);
68 SECStatus SSLExp_SetClientEchConfigs(PRFileDesc *fd, const PRUint8 *echConfigs,
69                                      unsigned int echConfigsLen);
70 SECStatus SSLExp_SetServerEchConfigs(PRFileDesc *fd,
71                                      const SECKEYPublicKey *pubKey, const SECKEYPrivateKey *privKey,
72                                      const PRUint8 *echConfigs, unsigned int numEchConfigs);
73 SECStatus SSLExp_RemoveEchConfigs(PRFileDesc *fd);
74 
75 SECStatus tls13_ClientSetupEch(sslSocket *ss, sslClientHelloType type);
76 SECStatus tls13_ConstructClientHelloWithEch(sslSocket *ss, const sslSessionID *sid,
77                                             PRBool freshSid, sslBuffer *chOuterBuf,
78                                             sslBuffer *chInnerXtnsBuf);
79 SECStatus tls13_CopyEchConfigs(PRCList *oconfigs, PRCList *configs);
80 SECStatus tls13_DecodeEchConfigs(const SECItem *data, PRCList *configs);
81 void tls13_DestroyEchConfigs(PRCList *list);
82 void tls13_DestroyEchXtnState(sslEchXtnState *state);
83 SECStatus tls13_GetMatchingEchConfig(const sslSocket *ss, HpkeKdfId kdf, HpkeAeadId aead,
84                                      const SECItem *configId, sslEchConfig **cfg);
85 SECStatus tls13_MaybeHandleEch(sslSocket *ss, const PRUint8 *msg, PRUint32 msgLen, SECItem *sidBytes,
86                                SECItem *comps, SECItem *cookieBytes, SECItem *suites, SECItem **echInner);
87 SECStatus tls13_MaybeHandleEchSignal(sslSocket *ss, const PRUint8 *savedMsg, PRUint32 savedLength);
88 SECStatus tls13_MaybeAcceptEch(sslSocket *ss, const SECItem *sidBytes, const PRUint8 *chOuter,
89                                unsigned int chOuterLen, SECItem **chInner);
90 SECStatus tls13_MaybeGreaseEch(sslSocket *ss, unsigned int prefixLen, sslBuffer *buf);
91 SECStatus tls13_WriteServerEchSignal(sslSocket *ss, PRUint8 *sh, unsigned int shLen);
92 
93 PRBool tls13_IsIp(const PRUint8 *str, unsigned int len);
94 PRBool tls13_IsLDH(const PRUint8 *str, unsigned int len);
95 
96 #endif
97