1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /*
3  * This file is PRIVATE to SSL.
4  *
5  * This Source Code Form is subject to the terms of the Mozilla Public
6  * License, v. 2.0. If a copy of the MPL was not distributed with this
7  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
8 
9 #ifndef __ssl3ext_h_
10 #define __ssl3ext_h_
11 
12 #include "pk11hpke.h"
13 #include "sslencode.h"
14 
15 typedef enum { /* Name types; NOTE(review): presumably those of the SNI (server_name) extension - confirm against the users of this enum. */
16     sni_nametype_hostname /* sole enumerator, so its value is 0 */
17 } SNINameType;
18 typedef struct TLSExtensionDataStr TLSExtensionData; /* forward declaration; the struct is defined later in this header */
19 
20 /* Registerable callback function that appends an extension to the buffer.
21  * NOTE(review): the signature returns SECStatus and has an |added| out-parameter, so the earlier "or returns length of data that it would have appended" wording looks stale; presumably |added| reports whether the extension was appended - confirm against the registered senders.
22  */
23 typedef SECStatus (*sslExtensionBuilderFunc)(const sslSocket *ss,
24                                              TLSExtensionData *xtnData,
25                                              sslBuffer *buf, PRBool *added);
26 
27 /* row in a table of hello extension senders: an extension type paired with the callback that builds it */
28 typedef struct {
29     PRInt32 ex_type; /* NOTE(review): signed 32-bit here, while ssl3_RegisterExtensionSender and TLSExtension carry the type as PRUint16; confirm the conversions between the two are intended. */
30     sslExtensionBuilderFunc ex_sender; /* builder callback for ex_type */
31 } sslExtensionBuilder;
32 
33 struct TLSExtensionDataStr { /* Extension bookkeeping: sender tables, advertised/negotiated lists and values taken from received extensions. Several members point into handshake buffers instead of owning copies; see the lifetime notes on each. */
34     /* registered callbacks that send extensions; one fixed-size table per field below (server hello, encrypted extensions, certificate) */
35     sslExtensionBuilder serverHelloSenders[SSL_MAX_EXTENSIONS];
36     sslExtensionBuilder encryptedExtensionsSenders[SSL_MAX_EXTENSIONS];
37     sslExtensionBuilder certificateSenders[SSL_MAX_EXTENSIONS];
38 
39     /* Keep track of the extensions that are advertised or negotiated. */
40     PRUint16 numAdvertised;
41     PRUint16 *advertised;      /* Allocated dynamically. */
42     PRUint16 echNumAdvertised; /* Tracks Xtns offered in ClientHelloInner. */
43     PRUint16 *echAdvertised; /* NOTE(review): presumably allocated like |advertised| - confirm. */
44     PRUint16 numNegotiated; /* NOTE(review): presumably the count of valid entries in |negotiated|; any code appending must keep it <= SSL_MAX_EXTENSIONS. */
45     PRUint16 negotiated[SSL_MAX_EXTENSIONS]; /* fixed-size array, unlike |advertised| */
46 
47     /* SessionTicket Extension related data. */
48     PRBool ticketTimestampVerified;
49     PRBool emptySessionTicket;
50     PRBool sentSessionTicketInClientHello;
51     SECItem psk_ke_modes;
52     PRUint32 max_early_data_size;
53 
54     /* SNI Extension related data
55      * Names data is not copied from the input buffer, so it must not be
56      * used outside the scope where the input buffer is defined, that is,
57      * beyond the ssl3_HandleClientHello function. */
58     SECItem *sniNameArr;
59     PRUint32 sniNameArrSize;
60 
61     /* Signed Certificate Timestamps extracted from the TLS extension.
62      * (client only).
63      * This container holds a temporary pointer to the extension data,
64      * until a session structure (the sec.ci.sid of an sslSocket) is set up
65      * that can hold a permanent copy of the data
66      * (in sec.ci.sid.u.ssl3.signedCertTimestamps).
67      * The data pointed to by this structure is neither explicitly allocated
68      * nor copied: the pointer points to the handshake message buffer and is
69      * only valid in the scope of ssl3_HandleServerHello.
70      */
71     SECItem signedCertTimestamps;
72 
73     PRBool peerSupportsFfdheGroups; /* if the peer supports named ffdhe groups */
74 
75     /* sigSchemes contains the contents of the signature_algorithms
76      * extension (if any) the other side supports. This is only valid for TLS
77      * 1.2 or later. In TLS 1.3, it is also used for CertificateRequest. (This comment used to call the field clientSigAndHash.) */
78     SSLSignatureScheme *sigSchemes;
79     unsigned int numSigSchemes;
80 
81     /* Keep track of signature schemes that the remote peer supports for
82      * Delegated Credentials signatures, as well as those we have
83      * advertised (for purposes of validating any received DC).
84      * This list may not be the same as those supported for certificates.
85      * Only valid for TLS 1.3. */
86     SSLSignatureScheme *delegCredSigSchemes;
87     unsigned int numDelegCredSigSchemes;
88     SSLSignatureScheme *delegCredSigSchemesAdvertised;
89     unsigned int numDelegCredSigSchemesAdvertised;
90 
91     SECItem certReqContext;
92     CERTDistNames certReqAuthorities;
93 
94     /* In a client: if the server supports Next Protocol Negotiation, then
95      * this is the protocol that was negotiated.
96      */
97     SECItem nextProto;
98     SSLNextProtoState nextProtoState;
99 
100     PRUint16 dtlsSRTPCipherSuite; /* 0 if not selected */
101 
102     unsigned int echXtnOffset;  /* The start of the ECH Xtn (if any) */
103     unsigned int lastXtnOffset; /* Where to insert any other extensions.
104                                  * 0 = end, otherwise base of PSK xtn. */
105     PRCList remoteKeyShares;    /* The other side's public keys (TLS 1.3) */
106 
107     /* The following are used by a TLS 1.3 server. */
108     SECItem pskBinder;                     /* The binder for the first PSK. */
109     unsigned int pskBindersLen;            /* The length of the binders. */
110     PRUint32 ticketAge;                    /* Used to accept early data. */
111     SECItem cookie;                        /* HRR Cookie. */
112     const sslNamedGroupDef *selectedGroup; /* For HRR. */
113     /* The application token contains a value that was passed to the client via
114      * a session ticket, or the cookie in a HelloRetryRequest. */
115     SECItem applicationToken;
116 
117     /* The record size limit set by the peer. Our value is kept in ss->opt. */
118     PRUint16 recordSizeLimit;
119 
120     /* Delegated credentials.
121      *
122      * The delegated credential sent by the peer. Set by
123      * |tls13_ReadDelegatedCredential|.
124      */
125     sslDelegatedCredential *peerDelegCred;
126     /* Whether the peer requested a delegated credential. */
127     PRBool peerRequestedDelegCred;
128     /* Whether the host is committed to using a delegated credential. Set by
129      * |tls13_MaybeSetDelegatedCredential|.
130      */
131     PRBool sendingDelegCredToPeer;
132 
133     /* A non-owning reference to the selected PSKs. MUST NOT be freed directly,
134      * rather through tls13_DestroyPskList(). */
135     sslPsk *selectedPsk;
136 
137     /* ECH working state. Non-null when a valid Encrypted Client Hello extension
138      * was received. */
139     sslEchXtnState *ech;
140 };
141 
142 typedef struct TLSExtensionStr { /* One extension kept on a PRCList: its type plus a view of its body. */
143     PRCList link;  /* The linked list link */
144     PRUint16 type; /* Extension type */
145     SECItem data;  /* Pointers into the handshake data, not a copy. NOTE(review): presumably usable only while that handshake buffer is alive - confirm. */
146 } TLSExtension;
147 
148 typedef struct sslCustomExtensionHooks { /* Writer and handler hooks for one extension type; the members line up with the parameters of SSLExp_InstallExtensionHooks. */
149     PRCList link; /* list linkage */
150     PRUint16 type; /* extension type the hooks apply to (presumably the |extension| argument of SSLExp_InstallExtensionHooks) */
151     SSLExtensionWriter writer;
152     void *writerArg; /* opaque pointer kept alongside |writer|; NOTE(review): its ownership and lifetime are not visible here. */
153     SSLExtensionHandler handler;
154     void *handlerArg; /* opaque pointer kept alongside |handler|; same caveat as writerArg */
155 } sslCustomExtensionHooks;
156 
157 SECStatus ssl3_HandleExtensions(sslSocket *ss, /* Parsing and lifecycle entry points for extension state. */
158                                 PRUint8 **b, PRUint32 *length, /* NOTE(review): presumably the read position and bytes remaining in a received message, passed by pointer so the callee can update them - confirm. */
159                                 SSLHandshakeType handshakeMessage);
160 SECStatus ssl3_ParseExtensions(sslSocket *ss,
161                                PRUint8 **b, PRUint32 *length);
162 SECStatus ssl3_HandleParsedExtensions(sslSocket *ss, /* takes no buffer, so it presumably works on extensions already stored by ssl3_ParseExtensions - confirm */
163                                       SSLHandshakeType handshakeMessage);
164 TLSExtension *ssl3_FindExtension(sslSocket *ss, /* NOTE(review): the result for an absent extension is not visible here (presumably NULL); callers should check it before dereferencing. */
165                                  SSLExtensionType extension_type);
166 void ssl3_DestroyRemoteExtensions(PRCList *list);
167 void ssl3_MoveRemoteExtensions(PRCList *dst, PRCList *src);
168 void ssl3_InitExtensionData(TLSExtensionData *xtnData, const sslSocket *ss);
169 void ssl3_DestroyExtensionData(TLSExtensionData *xtnData);
170 void ssl3_ResetExtensionData(TLSExtensionData *xtnData, const sslSocket *ss);
171 
172 PRBool ssl3_ExtensionNegotiated(const sslSocket *ss, PRUint16 ex_type); /* Queries by 16-bit extension type; presumably backed by the negotiated/advertised lists in TLSExtensionData - confirm. */
173 PRBool ssl3_ExtensionAdvertised(const sslSocket *ss, PRUint16 ex_type);
174 
175 SECStatus ssl3_RegisterExtensionSender(const sslSocket *ss, /* NOTE(review): the sender tables in TLSExtensionData hold SSL_MAX_EXTENSIONS rows each; how a full table is reported is not visible here. */
176                                        TLSExtensionData *xtnData,
177                                        PRUint16 ex_type,
178                                        sslExtensionBuilderFunc cb);
179 SECStatus ssl_ConstructExtensions(sslSocket *ss, sslBuffer *buf,
180                                   SSLHandshakeType message);
181 SECStatus ssl_SendEmptyExtension(const sslSocket *ss, TLSExtensionData *xtnData, /* same parameter and return types as sslExtensionBuilderFunc */
182                                  sslBuffer *buf, PRBool *append);
183 SECStatus ssl3_EmplaceExtension(sslSocket *ss, sslBuffer *buf, PRUint16 exType,
184                                 const PRUint8 *data, unsigned int len, PRBool advertise);
185 SECStatus ssl_InsertPaddingExtension(sslSocket *ss, unsigned int prefixLen,
186                                      sslBuffer *buf);
187 
188 /* Thunks to let us operate on const sslSocket* objects. The three consume functions take a byte count plus the same |b|/|length| pair as ssl3_ParseExtensions. NOTE(review): presumably they fail instead of reading past |length| - confirm in the implementations. */
189 void ssl3_ExtSendAlert(const sslSocket *ss, SSL3AlertLevel level,
190                        SSL3AlertDescription desc);
191 void ssl3_ExtDecodeError(const sslSocket *ss);
192 SECStatus ssl3_ExtConsumeHandshake(const sslSocket *ss, void *v, PRUint32 bytes, /* NOTE(review): |v| is an untyped destination; presumably the caller must provide at least |bytes| of space - confirm. */
193                                    PRUint8 **b, PRUint32 *length);
194 SECStatus ssl3_ExtConsumeHandshakeNumber(const sslSocket *ss, PRUint32 *num,
195                                          PRUint32 bytes, PRUint8 **b,
196                                          PRUint32 *length);
197 SECStatus ssl3_ExtConsumeHandshakeVariable(const sslSocket *ss, SECItem *i,
198                                            PRUint32 bytes, PRUint8 **b,
199                                            PRUint32 *length);
200 
201 SECStatus SSLExp_GetExtensionSupport(PRUint16 type, /* Custom-extension functions: support query, hook installation, hook lookup and sender dispatch. */
202                                      SSLExtensionSupport *support);
203 SECStatus SSLExp_InstallExtensionHooks( /* parameters line up with the members of sslCustomExtensionHooks */
204     PRFileDesc *fd, PRUint16 extension, SSLExtensionWriter writer,
205     void *writerArg, SSLExtensionHandler handler, void *handlerArg);
206 sslCustomExtensionHooks *ssl_FindCustomExtensionHooks(sslSocket *ss, PRUint16 extension); /* NOTE(review): the result when no hooks exist for |extension| is not visible here (presumably NULL); callers should check it. */
207 SECStatus ssl_CallCustomExtensionSenders(sslSocket *ss, sslBuffer *buf,
208                                          SSLHandshakeType message);
209 
210 #endif
211