1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ 2 /* 3 * SSL3 Protocol 4 * 5 * This Source Code Form is subject to the terms of the Mozilla Public 6 * License, v. 2.0. If a copy of the MPL was not distributed with this 7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 8 9 /* TLS extension code moved here from ssl3ecc.c */ 10 11 #include "nssrenam.h" 12 #include "nss.h" 13 #include "pk11pub.h" 14 #include "ssl.h" 15 #include "sslimpl.h" 16 #include "sslproto.h" 17 #include "ssl3exthandle.h" 18 #include "tls13ech.h" 19 #include "tls13err.h" 20 #include "tls13exthandle.h" 21 #include "tls13subcerts.h" 22 23 /* Callback function that handles a received extension. */ 24 typedef SECStatus (*ssl3ExtensionHandlerFunc)(const sslSocket *ss, 25 TLSExtensionData *xtnData, 26 SECItem *data); 27 28 /* Row in a table of hello extension handlers. */ 29 typedef struct { 30 SSLExtensionType ex_type; 31 ssl3ExtensionHandlerFunc ex_handler; 32 } ssl3ExtensionHandler; 33 34 /* Table of handlers for received TLS hello extensions, one per extension. 35 * In the second generation, this table will be dynamic, and functions 36 * will be registered here. 37 */ 38 /* This table is used by the server, to handle client hello extensions. */ 39 static const ssl3ExtensionHandler clientHelloHandlers[] = { 40 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, 41 { ssl_supported_groups_xtn, &ssl_HandleSupportedGroupsXtn }, 42 { ssl_ec_point_formats_xtn, &ssl3_HandleSupportedPointFormatsXtn }, 43 { ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn }, 44 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, 45 { ssl_app_layer_protocol_xtn, &ssl3_ServerHandleAppProtoXtn }, 46 { ssl_use_srtp_xtn, &ssl3_ServerHandleUseSRTPXtn }, 47 { ssl_cert_status_xtn, &ssl3_ServerHandleStatusRequestXtn }, 48 { ssl_signature_algorithms_xtn, &ssl3_HandleSigAlgsXtn }, 49 { ssl_extended_master_secret_xtn, &ssl3_HandleExtendedMasterSecretXtn }, 50 { ssl_signed_cert_timestamp_xtn, &ssl3_ServerHandleSignedCertTimestampXtn }, 51 { ssl_delegated_credentials_xtn, &tls13_ServerHandleDelegatedCredentialsXtn }, 52 { ssl_tls13_key_share_xtn, &tls13_ServerHandleKeyShareXtn }, 53 { ssl_tls13_pre_shared_key_xtn, &tls13_ServerHandlePreSharedKeyXtn }, 54 { ssl_tls13_early_data_xtn, &tls13_ServerHandleEarlyDataXtn }, 55 { ssl_tls13_psk_key_exchange_modes_xtn, &tls13_ServerHandlePskModesXtn }, 56 { ssl_tls13_cookie_xtn, &tls13_ServerHandleCookieXtn }, 57 { ssl_tls13_post_handshake_auth_xtn, &tls13_ServerHandlePostHandshakeAuthXtn }, 58 { ssl_tls13_ech_is_inner_xtn, &tls13_ServerHandleEchIsInnerXtn }, 59 { ssl_record_size_limit_xtn, &ssl_HandleRecordSizeLimitXtn }, 60 { 0, NULL } 61 }; 62 63 /* These two tables are used by the client, to handle server hello 64 * extensions. */ 65 static const ssl3ExtensionHandler serverHelloHandlersTLS[] = { 66 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, 67 /* TODO: add a handler for ssl_ec_point_formats_xtn */ 68 { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn }, 69 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, 70 { ssl_app_layer_protocol_xtn, &ssl3_ClientHandleAppProtoXtn }, 71 { ssl_use_srtp_xtn, &ssl3_ClientHandleUseSRTPXtn }, 72 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, 73 { ssl_extended_master_secret_xtn, &ssl3_HandleExtendedMasterSecretXtn }, 74 { ssl_signed_cert_timestamp_xtn, &ssl3_ClientHandleSignedCertTimestampXtn }, 75 { ssl_tls13_key_share_xtn, &tls13_ClientHandleKeyShareXtn }, 76 { ssl_tls13_pre_shared_key_xtn, &tls13_ClientHandlePreSharedKeyXtn }, 77 { ssl_tls13_early_data_xtn, &tls13_ClientHandleEarlyDataXtn }, 78 { ssl_tls13_encrypted_client_hello_xtn, &tls13_ClientHandleEchXtn }, 79 { ssl_record_size_limit_xtn, &ssl_HandleRecordSizeLimitXtn }, 80 { 0, NULL } 81 }; 82 83 static const ssl3ExtensionHandler helloRetryRequestHandlers[] = { 84 { ssl_tls13_key_share_xtn, tls13_ClientHandleKeyShareXtnHrr }, 85 { ssl_tls13_cookie_xtn, tls13_ClientHandleHrrCookie }, 86 { 0, NULL } 87 }; 88 89 static const ssl3ExtensionHandler serverHelloHandlersSSL3[] = { 90 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, 91 { 0, NULL } 92 }; 93 94 static const ssl3ExtensionHandler newSessionTicketHandlers[] = { 95 { ssl_tls13_early_data_xtn, 96 &tls13_ClientHandleTicketEarlyDataXtn }, 97 { 0, NULL } 98 }; 99 100 /* This table is used by the client to handle server certificates in TLS 1.3 */ 101 static const ssl3ExtensionHandler serverCertificateHandlers[] = { 102 { ssl_signed_cert_timestamp_xtn, &ssl3_ClientHandleSignedCertTimestampXtn }, 103 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, 104 { ssl_delegated_credentials_xtn, &tls13_ClientHandleDelegatedCredentialsXtn }, 105 { 0, NULL } 106 }; 107 108 static const ssl3ExtensionHandler certificateRequestHandlers[] = { 109 { ssl_signature_algorithms_xtn, &ssl3_HandleSigAlgsXtn }, 110 { ssl_tls13_certificate_authorities_xtn, 111 &tls13_ClientHandleCertAuthoritiesXtn }, 112 { 0, NULL } 113 }; 114 115 /* Tables of functions to format TLS hello extensions, one function per 116 * extension. 117 * These static tables are for the formatting of client hello extensions. 118 * The server's table of hello senders is dynamic, in the socket struct, 119 * and sender functions are registered there. 120 * NB: the order of these extensions can have an impact on compatibility. Some 121 * servers (e.g. Tomcat) will terminate the connection if the last extension in 122 * the client hello is empty (for example, the extended master secret 123 * extension, if it were listed last). See bug 1243641. 124 */ 125 static const sslExtensionBuilder clientHelloSendersTLS[] = 126 { 127 { ssl_server_name_xtn, &ssl3_ClientSendServerNameXtn }, 128 { ssl_extended_master_secret_xtn, &ssl3_SendExtendedMasterSecretXtn }, 129 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn }, 130 { ssl_supported_groups_xtn, &ssl_SendSupportedGroupsXtn }, 131 { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn }, 132 { ssl_session_ticket_xtn, &ssl3_ClientSendSessionTicketXtn }, 133 { ssl_app_layer_protocol_xtn, &ssl3_ClientSendAppProtoXtn }, 134 { ssl_use_srtp_xtn, &ssl3_ClientSendUseSRTPXtn }, 135 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, 136 { ssl_delegated_credentials_xtn, &tls13_ClientSendDelegatedCredentialsXtn }, 137 { ssl_signed_cert_timestamp_xtn, &ssl3_ClientSendSignedCertTimestampXtn }, 138 { ssl_tls13_key_share_xtn, &tls13_ClientSendKeyShareXtn }, 139 { ssl_tls13_early_data_xtn, &tls13_ClientSendEarlyDataXtn }, 140 /* Some servers (e.g. WebSphere Application Server 7.0 and Tomcat) will 141 * time out or terminate the connection if the last extension in the 142 * client hello is empty. They are not intolerant of TLS 1.2, so list 143 * signature_algorithms at the end. See bug 1243641. */ 144 { ssl_tls13_supported_versions_xtn, &tls13_ClientSendSupportedVersionsXtn }, 145 { ssl_signature_algorithms_xtn, &ssl3_SendSigAlgsXtn }, 146 { ssl_tls13_cookie_xtn, &tls13_ClientSendHrrCookieXtn }, 147 { ssl_tls13_psk_key_exchange_modes_xtn, &tls13_ClientSendPskModesXtn }, 148 { ssl_tls13_post_handshake_auth_xtn, &tls13_ClientSendPostHandshakeAuthXtn }, 149 { ssl_record_size_limit_xtn, &ssl_SendRecordSizeLimitXtn }, 150 /* The pre_shared_key extension MUST be last. */ 151 { ssl_tls13_pre_shared_key_xtn, &tls13_ClientSendPreSharedKeyXtn }, 152 { 0, NULL } 153 }; 154 155 static const sslExtensionBuilder clientHelloSendersSSL3[] = { 156 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn }, 157 { 0, NULL } 158 }; 159 160 static const sslExtensionBuilder tls13_cert_req_senders[] = { 161 { ssl_signature_algorithms_xtn, &ssl3_SendSigAlgsXtn }, 162 { ssl_tls13_certificate_authorities_xtn, &tls13_SendCertAuthoritiesXtn }, 163 { 0, NULL } 164 }; 165 166 static const sslExtensionBuilder tls13_hrr_senders[] = { 167 { ssl_tls13_key_share_xtn, &tls13_ServerSendHrrKeyShareXtn }, 168 { ssl_tls13_cookie_xtn, &tls13_ServerSendHrrCookieXtn }, 169 { ssl_tls13_supported_versions_xtn, &tls13_ServerSendSupportedVersionsXtn }, 170 { 0, NULL } 171 }; 172 173 static const struct { 174 SSLExtensionType type; 175 SSLExtensionSupport support; 176 } ssl_supported_extensions[] = { 177 { ssl_server_name_xtn, ssl_ext_native_only }, 178 { ssl_cert_status_xtn, ssl_ext_native }, 179 { ssl_delegated_credentials_xtn, ssl_ext_native }, 180 { ssl_supported_groups_xtn, ssl_ext_native_only }, 181 { ssl_ec_point_formats_xtn, ssl_ext_native }, 182 { ssl_signature_algorithms_xtn, ssl_ext_native_only }, 183 { ssl_use_srtp_xtn, ssl_ext_native }, 184 { ssl_app_layer_protocol_xtn, ssl_ext_native_only }, 185 { ssl_signed_cert_timestamp_xtn, ssl_ext_native }, 186 { ssl_padding_xtn, ssl_ext_native }, 187 { ssl_extended_master_secret_xtn, ssl_ext_native_only }, 188 { ssl_session_ticket_xtn, ssl_ext_native_only }, 189 { ssl_tls13_key_share_xtn, ssl_ext_native_only }, 190 { ssl_tls13_pre_shared_key_xtn, ssl_ext_native_only }, 191 { ssl_tls13_early_data_xtn, ssl_ext_native_only }, 192 { ssl_tls13_supported_versions_xtn, ssl_ext_native_only }, 193 { ssl_tls13_cookie_xtn, ssl_ext_native_only }, 194 { ssl_tls13_psk_key_exchange_modes_xtn, ssl_ext_native_only }, 195 { ssl_tls13_ticket_early_data_info_xtn, ssl_ext_native_only }, 196 { ssl_tls13_certificate_authorities_xtn, ssl_ext_native }, 197 { ssl_renegotiation_info_xtn, ssl_ext_native }, 198 { ssl_tls13_encrypted_client_hello_xtn, ssl_ext_native_only }, 199 }; 200 201 static SSLExtensionSupport 202 ssl_GetExtensionSupport(PRUint16 type) 203 { 204 unsigned int i; 205 for (i = 0; i < PR_ARRAY_SIZE(ssl_supported_extensions); ++i) { 206 if (type == ssl_supported_extensions[i].type) { 207 return ssl_supported_extensions[i].support; 208 } 209 } 210 return ssl_ext_none; 211 } 212 213 SECStatus 214 SSLExp_GetExtensionSupport(PRUint16 type, SSLExtensionSupport *support) 215 { 216 *support = ssl_GetExtensionSupport(type); 217 return SECSuccess; 218 } 219 220 SECStatus 221 SSLExp_InstallExtensionHooks(PRFileDesc *fd, PRUint16 extension, 222 SSLExtensionWriter writer, void *writerArg, 223 SSLExtensionHandler handler, void *handlerArg) 224 { 225 sslSocket *ss = ssl_FindSocket(fd); 226 PRCList *cursor; 227 sslCustomExtensionHooks *hook; 228 229 if (!ss) { 230 return SECFailure; /* Code already set. */ 231 } 232 233 /* Need to specify both or neither, but not just one. */ 234 if ((writer && !handler) || (!writer && handler)) { 235 PORT_SetError(SEC_ERROR_INVALID_ARGS); 236 return SECFailure; 237 } 238 239 if (ssl_GetExtensionSupport(extension) == ssl_ext_native_only) { 240 PORT_SetError(SEC_ERROR_INVALID_ARGS); 241 return SECFailure; 242 } 243 244 if (ss->firstHsDone || ((ss->ssl3.hs.ws != idle_handshake) && 245 (ss->ssl3.hs.ws != wait_client_hello))) { 246 PORT_SetError(PR_INVALID_STATE_ERROR); 247 return SECFailure; 248 } 249 250 /* Remove any old handler. */ 251 for (cursor = PR_NEXT_LINK(&ss->extensionHooks); 252 cursor != &ss->extensionHooks; 253 cursor = PR_NEXT_LINK(cursor)) { 254 hook = (sslCustomExtensionHooks *)cursor; 255 if (hook->type == extension) { 256 PR_REMOVE_LINK(&hook->link); 257 PORT_Free(hook); 258 break; 259 } 260 } 261 262 if (!writer && !handler) { 263 return SECSuccess; 264 } 265 266 hook = PORT_ZNew(sslCustomExtensionHooks); 267 if (!hook) { 268 return SECFailure; /* This removed the old one, oh well. */ 269 } 270 271 hook->type = extension; 272 hook->writer = writer; 273 hook->writerArg = writerArg; 274 hook->handler = handler; 275 hook->handlerArg = handlerArg; 276 PR_APPEND_LINK(&hook->link, &ss->extensionHooks); 277 return SECSuccess; 278 } 279 280 static sslCustomExtensionHooks * 281 ssl_FindCustomExtensionHooks(sslSocket *ss, PRUint16 extension) 282 { 283 PRCList *cursor; 284 285 for (cursor = PR_NEXT_LINK(&ss->extensionHooks); 286 cursor != &ss->extensionHooks; 287 cursor = PR_NEXT_LINK(cursor)) { 288 sslCustomExtensionHooks *hook = (sslCustomExtensionHooks *)cursor; 289 if (hook->type == extension) { 290 return hook; 291 } 292 } 293 294 return NULL; 295 } 296 297 static PRBool 298 arrayContainsExtension(const PRUint16 *array, PRUint32 len, PRUint16 ex_type) 299 { 300 unsigned int i; 301 for (i = 0; i < len; i++) { 302 if (ex_type == array[i]) 303 return PR_TRUE; 304 } 305 return PR_FALSE; 306 } 307 308 PRBool 309 ssl3_ExtensionNegotiated(const sslSocket *ss, PRUint16 ex_type) 310 { 311 const TLSExtensionData *xtnData = &ss->xtnData; 312 return arrayContainsExtension(xtnData->negotiated, 313 xtnData->numNegotiated, ex_type); 314 } 315 316 /* This checks for whether an extension was advertised. On the client, this 317 * covers extensions that are sent in ClientHello; on the server, extensions 318 * sent in CertificateRequest (TLS 1.3 only). */ 319 PRBool 320 ssl3_ExtensionAdvertised(const sslSocket *ss, PRUint16 ex_type) 321 { 322 const TLSExtensionData *xtnData = &ss->xtnData; 323 return arrayContainsExtension(xtnData->advertised, 324 xtnData->numAdvertised, ex_type); 325 } 326 327 /* Go through hello extensions in |b| and deserialize 328 * them into the list in |ss->ssl3.hs.remoteExtensions|. 329 * The only checking we do in this point is for duplicates. 330 * 331 * IMPORTANT: This list just contains pointers to the incoming 332 * buffer so they can only be used during ClientHello processing. 333 */ 334 SECStatus 335 ssl3_ParseExtensions(sslSocket *ss, PRUint8 **b, PRUint32 *length) 336 { 337 /* Clean out the extensions list. */ 338 ssl3_DestroyRemoteExtensions(&ss->ssl3.hs.remoteExtensions); 339 340 while (*length) { 341 SECStatus rv; 342 PRUint32 extension_type; 343 SECItem extension_data = { siBuffer, NULL, 0 }; 344 TLSExtension *extension; 345 PRCList *cursor; 346 347 /* Get the extension's type field */ 348 rv = ssl3_ConsumeHandshakeNumber(ss, &extension_type, 2, b, length); 349 if (rv != SECSuccess) { 350 return SECFailure; /* alert already sent */ 351 } 352 353 /* Check whether an extension has been sent multiple times. */ 354 for (cursor = PR_NEXT_LINK(&ss->ssl3.hs.remoteExtensions); 355 cursor != &ss->ssl3.hs.remoteExtensions; 356 cursor = PR_NEXT_LINK(cursor)) { 357 if (((TLSExtension *)cursor)->type == extension_type) { 358 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); 359 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_EXTENSION); 360 return SECFailure; 361 } 362 } 363 364 /* Get the data for this extension, so we can pass it or skip it. */ 365 rv = ssl3_ConsumeHandshakeVariable(ss, &extension_data, 2, b, length); 366 if (rv != SECSuccess) { 367 return rv; /* alert already sent */ 368 } 369 370 SSL_TRC(10, ("%d: SSL3[%d]: parsed extension %d len=%u", 371 SSL_GETPID(), ss->fd, extension_type, extension_data.len)); 372 373 extension = PORT_ZNew(TLSExtension); 374 if (!extension) { 375 return SECFailure; 376 } 377 378 extension->type = (PRUint16)extension_type; 379 extension->data = extension_data; 380 PR_APPEND_LINK(&extension->link, &ss->ssl3.hs.remoteExtensions); 381 } 382 383 return SECSuccess; 384 } 385 386 TLSExtension * 387 ssl3_FindExtension(sslSocket *ss, SSLExtensionType extension_type) 388 { 389 PRCList *cursor; 390 391 for (cursor = PR_NEXT_LINK(&ss->ssl3.hs.remoteExtensions); 392 cursor != &ss->ssl3.hs.remoteExtensions; 393 cursor = PR_NEXT_LINK(cursor)) { 394 TLSExtension *extension = (TLSExtension *)cursor; 395 396 if (extension->type == extension_type) { 397 return extension; 398 } 399 } 400 401 return NULL; 402 } 403 404 static SECStatus 405 ssl_CallExtensionHandler(sslSocket *ss, SSLHandshakeType handshakeMessage, 406 TLSExtension *extension, 407 const ssl3ExtensionHandler *handler) 408 { 409 SECStatus rv = SECSuccess; 410 SSLAlertDescription alert = handshake_failure; 411 sslCustomExtensionHooks *customHooks; 412 413 customHooks = ssl_FindCustomExtensionHooks(ss, extension->type); 414 if (customHooks) { 415 if (customHooks->handler) { 416 rv = customHooks->handler(ss->fd, handshakeMessage, 417 extension->data.data, 418 extension->data.len, 419 &alert, customHooks->handlerArg); 420 } 421 } else { 422 /* Find extension_type in table of Hello Extension Handlers. */ 423 for (; handler->ex_handler != NULL; ++handler) { 424 if (handler->ex_type == extension->type) { 425 SECItem tmp = extension->data; 426 427 rv = (*handler->ex_handler)(ss, &ss->xtnData, &tmp); 428 break; 429 } 430 } 431 } 432 433 if (rv != SECSuccess) { 434 if (!ss->ssl3.fatalAlertSent) { 435 /* Send an alert if the handler didn't already. */ 436 (void)SSL3_SendAlert(ss, alert_fatal, alert); 437 } 438 return SECFailure; 439 } 440 441 return SECSuccess; 442 } 443 444 /* Go through the hello extensions in |ss->ssl3.hs.remoteExtensions|. 445 * For each one, find the extension handler in the table, and 446 * if present, invoke that handler. 447 * Servers ignore any extensions with unknown extension types. 448 * Clients reject any extensions with unadvertised extension types 449 * 450 * In TLS >= 1.3, the client checks that extensions appear in the 451 * right phase. 452 */ 453 SECStatus 454 ssl3_HandleParsedExtensions(sslSocket *ss, SSLHandshakeType message) 455 { 456 const ssl3ExtensionHandler *handlers; 457 /* HelloRetryRequest doesn't set ss->version. It might be safe to 458 * do so, but we weren't entirely sure. TODO(ekr@rtfm.com). */ 459 PRBool isTLS13 = (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) || 460 (message == ssl_hs_hello_retry_request); 461 /* The following messages can include extensions that were not included in 462 * the original ClientHello. */ 463 PRBool allowNotOffered = (message == ssl_hs_client_hello) || 464 (message == ssl_hs_certificate_request) || 465 (message == ssl_hs_new_session_ticket); 466 PRCList *cursor; 467 468 switch (message) { 469 case ssl_hs_client_hello: 470 handlers = clientHelloHandlers; 471 break; 472 case ssl_hs_new_session_ticket: 473 PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); 474 handlers = newSessionTicketHandlers; 475 break; 476 case ssl_hs_hello_retry_request: 477 handlers = helloRetryRequestHandlers; 478 break; 479 case ssl_hs_encrypted_extensions: 480 PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); 481 /* fall through */ 482 case ssl_hs_server_hello: 483 if (ss->version > SSL_LIBRARY_VERSION_3_0) { 484 handlers = serverHelloHandlersTLS; 485 } else { 486 handlers = serverHelloHandlersSSL3; 487 } 488 break; 489 case ssl_hs_certificate: 490 PORT_Assert(!ss->sec.isServer); 491 handlers = serverCertificateHandlers; 492 break; 493 case ssl_hs_certificate_request: 494 PORT_Assert(!ss->sec.isServer); 495 handlers = certificateRequestHandlers; 496 break; 497 default: 498 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 499 PORT_Assert(0); 500 return SECFailure; 501 } 502 503 for (cursor = PR_NEXT_LINK(&ss->ssl3.hs.remoteExtensions); 504 cursor != &ss->ssl3.hs.remoteExtensions; 505 cursor = PR_NEXT_LINK(cursor)) { 506 TLSExtension *extension = (TLSExtension *)cursor; 507 SECStatus rv; 508 509 /* Check whether the server sent an extension which was not advertised 510 * in the ClientHello. 511 * 512 * Note that a TLS 1.3 server should check if CertificateRequest 513 * extensions were sent. But the extensions used for CertificateRequest 514 * do not have any response, so we rely on 515 * ssl3_ExtensionAdvertised to return false on the server. That 516 * results in the server only rejecting any extension. */ 517 if (!allowNotOffered && (extension->type != ssl_tls13_cookie_xtn) && 518 !ssl3_ExtensionAdvertised(ss, extension->type)) { 519 (void)SSL3_SendAlert(ss, alert_fatal, unsupported_extension); 520 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_EXTENSION); 521 return SECFailure; 522 } 523 524 /* Check that this is a legal extension in TLS 1.3 */ 525 if (isTLS13 && 526 !ssl_FindCustomExtensionHooks(ss, extension->type)) { 527 switch (tls13_ExtensionStatus(extension->type, message)) { 528 case tls13_extension_allowed: 529 break; 530 case tls13_extension_unknown: 531 if (allowNotOffered) { 532 continue; /* Skip over unknown extensions. */ 533 } 534 /* Fall through. */ 535 case tls13_extension_disallowed: 536 SSL_TRC(3, ("%d: TLS13: unexpected extension %d in message %d", 537 SSL_GETPID(), extension, message)); 538 tls13_FatalError(ss, SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION, 539 unsupported_extension); 540 return SECFailure; 541 } 542 } 543 544 /* Special check for this being the last extension if it's 545 * PreSharedKey */ 546 if (ss->sec.isServer && isTLS13 && 547 (extension->type == ssl_tls13_pre_shared_key_xtn) && 548 (PR_NEXT_LINK(cursor) != &ss->ssl3.hs.remoteExtensions)) { 549 tls13_FatalError(ss, 550 SSL_ERROR_RX_MALFORMED_CLIENT_HELLO, 551 illegal_parameter); 552 return SECFailure; 553 } 554 555 rv = ssl_CallExtensionHandler(ss, message, extension, handlers); 556 if (rv != SECSuccess) { 557 return SECFailure; 558 } 559 } 560 return SECSuccess; 561 } 562 563 /* Syntactic sugar around ssl3_ParseExtensions and 564 * ssl3_HandleParsedExtensions. */ 565 SECStatus 566 ssl3_HandleExtensions(sslSocket *ss, 567 PRUint8 **b, PRUint32 *length, 568 SSLHandshakeType handshakeMessage) 569 { 570 SECStatus rv; 571 572 rv = ssl3_ParseExtensions(ss, b, length); 573 if (rv != SECSuccess) 574 return rv; 575 576 rv = ssl3_HandleParsedExtensions(ss, handshakeMessage); 577 if (rv != SECSuccess) 578 return rv; 579 580 ssl3_DestroyRemoteExtensions(&ss->ssl3.hs.remoteExtensions); 581 return SECSuccess; 582 } 583 584 /* Add a callback function to the table of senders of server hello extensions. 585 */ 586 SECStatus 587 ssl3_RegisterExtensionSender(const sslSocket *ss, 588 TLSExtensionData *xtnData, 589 PRUint16 ex_type, 590 sslExtensionBuilderFunc cb) 591 { 592 int i; 593 sslExtensionBuilder *sender; 594 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { 595 sender = &xtnData->serverHelloSenders[0]; 596 } else { 597 if (tls13_ExtensionStatus(ex_type, ssl_hs_server_hello) == 598 tls13_extension_allowed) { 599 PORT_Assert(tls13_ExtensionStatus(ex_type, 600 ssl_hs_encrypted_extensions) == 601 tls13_extension_disallowed); 602 sender = &xtnData->serverHelloSenders[0]; 603 } else if (tls13_ExtensionStatus(ex_type, 604 ssl_hs_encrypted_extensions) == 605 tls13_extension_allowed) { 606 sender = &xtnData->encryptedExtensionsSenders[0]; 607 } else if (tls13_ExtensionStatus(ex_type, ssl_hs_certificate) == 608 tls13_extension_allowed) { 609 sender = &xtnData->certificateSenders[0]; 610 } else { 611 PORT_Assert(0); 612 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 613 return SECFailure; 614 } 615 } 616 for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) { 617 if (!sender->ex_sender) { 618 sender->ex_type = ex_type; 619 sender->ex_sender = cb; 620 return SECSuccess; 621 } 622 /* detect duplicate senders */ 623 PORT_Assert(sender->ex_type != ex_type); 624 if (sender->ex_type == ex_type) { 625 /* duplicate */ 626 break; 627 } 628 } 629 PORT_Assert(i < SSL_MAX_EXTENSIONS); /* table needs to grow */ 630 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 631 return SECFailure; 632 } 633 634 static SECStatus 635 ssl_CallCustomExtensionSenders(sslSocket *ss, sslBuffer *buf, 636 SSLHandshakeType message) 637 { 638 sslBuffer tail = SSL_BUFFER_EMPTY; 639 SECStatus rv; 640 PRCList *cursor; 641 642 /* Save any extensions that want to be last. */ 643 if (ss->xtnData.lastXtnOffset) { 644 rv = sslBuffer_Append(&tail, buf->buf + ss->xtnData.lastXtnOffset, 645 buf->len - ss->xtnData.lastXtnOffset); 646 if (rv != SECSuccess) { 647 return SECFailure; 648 } 649 buf->len = ss->xtnData.lastXtnOffset; 650 } 651 652 /* Reserve the maximum amount of space possible. */ 653 rv = sslBuffer_Grow(buf, 65535); 654 if (rv != SECSuccess) { 655 return SECFailure; 656 } 657 658 for (cursor = PR_NEXT_LINK(&ss->extensionHooks); 659 cursor != &ss->extensionHooks; 660 cursor = PR_NEXT_LINK(cursor)) { 661 sslCustomExtensionHooks *hook = 662 (sslCustomExtensionHooks *)cursor; 663 PRBool append = PR_FALSE; 664 unsigned int len = 0; 665 666 if (hook->writer) { 667 /* The writer writes directly into |buf|. Provide space that allows 668 * for the existing extensions, any tail, plus type and length. */ 669 unsigned int space = buf->space - (buf->len + tail.len + 4); 670 append = (*hook->writer)(ss->fd, message, 671 buf->buf + buf->len + 4, &len, space, 672 hook->writerArg); 673 if (len > space) { 674 PORT_SetError(SEC_ERROR_APPLICATION_CALLBACK_ERROR); 675 goto loser; 676 } 677 } 678 if (!append) { 679 continue; 680 } 681 682 rv = sslBuffer_AppendNumber(buf, hook->type, 2); 683 if (rv != SECSuccess) { 684 goto loser; /* Code already set. */ 685 } 686 rv = sslBuffer_AppendNumber(buf, len, 2); 687 if (rv != SECSuccess) { 688 goto loser; /* Code already set. */ 689 } 690 buf->len += len; 691 692 if (message == ssl_hs_client_hello || 693 message == ssl_hs_certificate_request) { 694 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = hook->type; 695 } 696 } 697 698 rv = sslBuffer_Append(buf, tail.buf, tail.len); 699 if (rv != SECSuccess) { 700 goto loser; /* Code already set. */ 701 } 702 703 sslBuffer_Clear(&tail); 704 return SECSuccess; 705 706 loser: 707 sslBuffer_Clear(&tail); 708 return SECFailure; 709 } 710 711 /* Call extension handlers for the given message. */ 712 SECStatus 713 ssl_ConstructExtensions(sslSocket *ss, sslBuffer *buf, SSLHandshakeType message) 714 { 715 const sslExtensionBuilder *sender; 716 SECStatus rv; 717 718 PORT_Assert(buf->len == 0); 719 720 /* Clear out any extensions previously advertised */ 721 ss->xtnData.numAdvertised = 0; 722 723 switch (message) { 724 case ssl_hs_client_hello: 725 if (ss->vrange.max > SSL_LIBRARY_VERSION_3_0) { 726 sender = clientHelloSendersTLS; 727 } else { 728 sender = clientHelloSendersSSL3; 729 } 730 break; 731 732 case ssl_hs_server_hello: 733 sender = ss->xtnData.serverHelloSenders; 734 break; 735 736 case ssl_hs_certificate_request: 737 PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); 738 sender = tls13_cert_req_senders; 739 break; 740 741 case ssl_hs_certificate: 742 PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); 743 sender = ss->xtnData.certificateSenders; 744 break; 745 746 case ssl_hs_encrypted_extensions: 747 PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); 748 sender = ss->xtnData.encryptedExtensionsSenders; 749 break; 750 751 case ssl_hs_hello_retry_request: 752 PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); 753 sender = tls13_hrr_senders; 754 break; 755 756 default: 757 PORT_Assert(0); 758 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 759 return SECFailure; 760 } 761 762 for (; sender->ex_sender != NULL; ++sender) { 763 PRBool append = PR_FALSE; 764 unsigned int start = buf->len; 765 unsigned int length; 766 767 if (ssl_FindCustomExtensionHooks(ss, sender->ex_type)) { 768 continue; 769 } 770 771 /* Save space for the extension type and length. Note that we don't grow 772 * the buffer now; rely on sslBuffer_Append* to do that. */ 773 buf->len += 4; 774 rv = (*sender->ex_sender)(ss, &ss->xtnData, buf, &append); 775 if (rv != SECSuccess) { 776 goto loser; 777 } 778 779 /* Save the length and go back to the start. */ 780 length = buf->len - start - 4; 781 buf->len = start; 782 if (!append) { 783 continue; 784 } 785 786 buf->len = start; 787 rv = sslBuffer_AppendNumber(buf, sender->ex_type, 2); 788 if (rv != SECSuccess) { 789 goto loser; /* Code already set. */ 790 } 791 rv = sslBuffer_AppendNumber(buf, length, 2); 792 if (rv != SECSuccess) { 793 goto loser; /* Code already set. */ 794 } 795 /* Skip over the extension body. */ 796 buf->len += length; 797 798 if (message == ssl_hs_client_hello || 799 message == ssl_hs_certificate_request) { 800 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = 801 sender->ex_type; 802 } 803 } 804 805 if (!PR_CLIST_IS_EMPTY(&ss->extensionHooks)) { 806 rv = ssl_CallCustomExtensionSenders(ss, buf, message); 807 if (rv != SECSuccess) { 808 goto loser; 809 } 810 } 811 812 if (buf->len > 0xffff) { 813 PORT_SetError(SSL_ERROR_TX_RECORD_TOO_LONG); 814 goto loser; 815 } 816 817 return SECSuccess; 818 819 loser: 820 sslBuffer_Clear(buf); 821 return SECFailure; 822 } 823 824 /* This extension sender can be used anywhere that an always empty extension is 825 * needed. Mostly that is for ServerHello where sender registration is dynamic; 826 * ClientHello senders are usually conditional in some way. */ 827 SECStatus 828 ssl_SendEmptyExtension(const sslSocket *ss, TLSExtensionData *xtnData, 829 sslBuffer *buf, PRBool *append) 830 { 831 *append = PR_TRUE; 832 return SECSuccess; 833 } 834 835 /* Takes the size of the ClientHello, less the record header, and determines how 836 * much padding is required. */ 837 static unsigned int 838 ssl_CalculatePaddingExtLen(const sslSocket *ss, unsigned int clientHelloLength) 839 { 840 unsigned int extensionLen; 841 842 /* Don't pad for DTLS, for SSLv3, or for renegotiation. */ 843 if (IS_DTLS(ss) || 844 ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_0 || 845 ss->firstHsDone) { 846 return 0; 847 } 848 849 /* A padding extension may be included to ensure that the record containing 850 * the ClientHello doesn't have a length between 256 and 511 bytes 851 * (inclusive). Initial ClientHello records with such lengths trigger bugs 852 * in F5 devices. */ 853 if (clientHelloLength < 256 || clientHelloLength >= 512) { 854 return 0; 855 } 856 857 extensionLen = 512 - clientHelloLength; 858 /* Extensions take at least four bytes to encode. Always include at least 859 * one byte of data if we are padding. Some servers will time out or 860 * terminate the connection if the last ClientHello extension is empty. */ 861 if (extensionLen < 5) { 862 extensionLen = 5; 863 } 864 865 return extensionLen - 4; 866 } 867 868 /* Manually insert an extension, retaining the position of the PSK 869 * extension, if present. */ 870 SECStatus 871 ssl3_EmplaceExtension(sslSocket *ss, sslBuffer *buf, PRUint16 exType, 872 const PRUint8 *data, unsigned int len, PRBool advertise) 873 { 874 SECStatus rv; 875 unsigned int tailLen; 876 877 /* Move the tail if there is one. This only happens if we are sending the 878 * TLS 1.3 PSK extension, which needs to be at the end. */ 879 if (ss->xtnData.lastXtnOffset) { 880 PORT_Assert(buf->len > ss->xtnData.lastXtnOffset); 881 tailLen = buf->len - ss->xtnData.lastXtnOffset; 882 rv = sslBuffer_Grow(buf, buf->len + 4 + len); 883 if (rv != SECSuccess) { 884 return SECFailure; 885 } 886 PORT_Memmove(buf->buf + ss->xtnData.lastXtnOffset + 4 + len, 887 buf->buf + ss->xtnData.lastXtnOffset, 888 tailLen); 889 buf->len = ss->xtnData.lastXtnOffset; 890 } else { 891 tailLen = 0; 892 } 893 894 rv = sslBuffer_AppendNumber(buf, exType, 2); 895 if (rv != SECSuccess) { 896 return SECFailure; /* Code already set. */ 897 } 898 rv = sslBuffer_AppendVariable(buf, data, len, 2); 899 if (rv != SECSuccess) { 900 return SECFailure; /* Code already set. */ 901 } 902 903 if (ss->xtnData.lastXtnOffset) { 904 ss->xtnData.lastXtnOffset += 4 + len; 905 } 906 907 buf->len += tailLen; 908 909 /* False only to retain behavior with padding_xtn. Maybe 910 * we can just mark that advertised as well? TODO */ 911 if (advertise) { 912 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = exType; 913 } 914 915 return SECSuccess; 916 } 917 918 /* ssl3_SendPaddingExtension possibly adds an extension which ensures that a 919 * ClientHello record is either < 256 bytes or is >= 512 bytes. This ensures 920 * that we don't trigger bugs in F5 products. 921 * 922 * This takes an existing extension buffer, |buf|, and the length of the 923 * remainder of the ClientHello, |prefixLen|. It modifies the extension buffer 924 * to insert padding at the right place. 925 */ 926 SECStatus 927 ssl_InsertPaddingExtension(sslSocket *ss, unsigned int prefixLen, 928 sslBuffer *buf) 929 { 930 static unsigned char padding[252] = { 0 }; 931 unsigned int paddingLen; 932 /* Exit early if an application-provided extension hook 933 * already added padding. */ 934 if (ssl3_ExtensionAdvertised(ss, ssl_padding_xtn)) { 935 return SECSuccess; 936 } 937 938 /* Account for the size of the header, the length field of the extensions 939 * block and the size of the existing extensions. */ 940 paddingLen = ssl_CalculatePaddingExtLen(ss, prefixLen + 2 + buf->len); 941 if (!paddingLen) { 942 return SECSuccess; 943 } 944 945 return ssl3_EmplaceExtension(ss, buf, ssl_padding_xtn, padding, paddingLen, PR_FALSE); 946 } 947 948 void 949 ssl3_MoveRemoteExtensions(PRCList *dst, PRCList *src) 950 { 951 PRCList *cur_p; 952 while (!PR_CLIST_IS_EMPTY(src)) { 953 cur_p = PR_LIST_TAIL(src); 954 PR_REMOVE_LINK(cur_p); 955 PR_APPEND_LINK(cur_p, dst); 956 } 957 } 958 959 void 960 ssl3_DestroyRemoteExtensions(PRCList *list) 961 { 962 PRCList *cur_p; 963 964 while (!PR_CLIST_IS_EMPTY(list)) { 965 cur_p = PR_LIST_TAIL(list); 966 PR_REMOVE_LINK(cur_p); 967 PORT_Free(cur_p); 968 } 969 } 970 971 /* Initialize the extension data block. */ 972 void 973 ssl3_InitExtensionData(TLSExtensionData *xtnData, const sslSocket *ss) 974 { 975 unsigned int advertisedMax; 976 PRCList *cursor; 977 978 /* Set things up to the right starting state. */ 979 PORT_Memset(xtnData, 0, sizeof(*xtnData)); 980 xtnData->peerSupportsFfdheGroups = PR_FALSE; 981 PR_INIT_CLIST(&xtnData->remoteKeyShares); 982 983 /* Allocate enough to allow for native extensions, plus any custom ones. */ 984 if (ss->sec.isServer) { 985 advertisedMax = PR_MAX(PR_ARRAY_SIZE(certificateRequestHandlers), 986 PR_ARRAY_SIZE(tls13_cert_req_senders)); 987 } else { 988 advertisedMax = PR_MAX(PR_ARRAY_SIZE(clientHelloHandlers), 989 PR_ARRAY_SIZE(clientHelloSendersTLS)); 990 ++advertisedMax; /* For the RI SCSV, which we also track. */ 991 } 992 for (cursor = PR_NEXT_LINK(&ss->extensionHooks); 993 cursor != &ss->extensionHooks; 994 cursor = PR_NEXT_LINK(cursor)) { 995 ++advertisedMax; 996 } 997 xtnData->advertised = PORT_ZNewArray(PRUint16, advertisedMax); 998 xtnData->peerDelegCred = NULL; 999 xtnData->peerRequestedDelegCred = PR_FALSE; 1000 xtnData->sendingDelegCredToPeer = PR_FALSE; 1001 xtnData->selectedPsk = NULL; 1002 } 1003 1004 void 1005 ssl3_DestroyExtensionData(TLSExtensionData *xtnData) 1006 { 1007 ssl3_FreeSniNameArray(xtnData); 1008 PORT_Free(xtnData->sigSchemes); 1009 PORT_Free(xtnData->delegCredSigSchemes); 1010 PORT_Free(xtnData->delegCredSigSchemesAdvertised); 1011 SECITEM_FreeItem(&xtnData->nextProto, PR_FALSE); 1012 tls13_DestroyKeyShares(&xtnData->remoteKeyShares); 1013 SECITEM_FreeItem(&xtnData->certReqContext, PR_FALSE); 1014 SECITEM_FreeItem(&xtnData->applicationToken, PR_FALSE); 1015 if (xtnData->certReqAuthorities.arena) { 1016 PORT_FreeArena(xtnData->certReqAuthorities.arena, PR_FALSE); 1017 xtnData->certReqAuthorities.arena = NULL; 1018 } 1019 PORT_Free(xtnData->advertised); 1020 tls13_DestroyDelegatedCredential(xtnData->peerDelegCred); 1021 1022 tls13_DestroyEchXtnState(xtnData->ech); 1023 xtnData->ech = NULL; 1024 } 1025 1026 /* Free everything that has been allocated and then reset back to 1027 * the starting state. */ 1028 void 1029 ssl3_ResetExtensionData(TLSExtensionData *xtnData, const sslSocket *ss) 1030 { 1031 ssl3_DestroyExtensionData(xtnData); 1032 ssl3_InitExtensionData(xtnData, ss); 1033 } 1034 1035 /* Thunks to let extension handlers operate on const sslSocket* objects. */ 1036 void 1037 ssl3_ExtSendAlert(const sslSocket *ss, SSL3AlertLevel level, 1038 SSL3AlertDescription desc) 1039 { 1040 (void)SSL3_SendAlert((sslSocket *)ss, level, desc); 1041 } 1042 1043 void 1044 ssl3_ExtDecodeError(const sslSocket *ss) 1045 { 1046 (void)ssl3_DecodeError((sslSocket *)ss); 1047 } 1048 1049 SECStatus 1050 ssl3_ExtConsumeHandshake(const sslSocket *ss, void *v, PRUint32 bytes, 1051 PRUint8 **b, PRUint32 *length) 1052 { 1053 return ssl3_ConsumeHandshake((sslSocket *)ss, v, bytes, b, length); 1054 } 1055 1056 SECStatus 1057 ssl3_ExtConsumeHandshakeNumber(const sslSocket *ss, PRUint32 *num, 1058 PRUint32 bytes, PRUint8 **b, PRUint32 *length) 1059 { 1060 return ssl3_ConsumeHandshakeNumber((sslSocket *)ss, num, bytes, b, length); 1061 } 1062 1063 SECStatus 1064 ssl3_ExtConsumeHandshakeVariable(const sslSocket *ss, SECItem *i, 1065 PRUint32 bytes, PRUint8 **b, 1066 PRUint32 *length) 1067 { 1068 return ssl3_ConsumeHandshakeVariable((sslSocket *)ss, i, bytes, b, length); 1069 } 1070