/src/mozilla-central/security/nss/lib/ssl/tls13exthandle.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ |
2 | | /* |
3 | | * This Source Code Form is subject to the terms of the Mozilla Public |
4 | | * License, v. 2.0. If a copy of the MPL was not distributed with this |
5 | | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
6 | | |
7 | | #include "nssrenam.h" |
8 | | #include "nss.h" |
9 | | #include "ssl.h" |
10 | | #include "sslproto.h" |
11 | | #include "sslimpl.h" |
12 | | #include "pk11pub.h" |
13 | | #include "ssl3ext.h" |
14 | | #include "ssl3exthandle.h" |
15 | | #include "tls13exthandle.h" |
16 | | |
17 | | SECStatus |
18 | | tls13_ServerSendStatusRequestXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
19 | | sslBuffer *buf, PRBool *added) |
20 | 0 | { |
21 | 0 | const sslServerCert *serverCert = ss->sec.serverCert; |
22 | 0 | const SECItem *item; |
23 | 0 | SECStatus rv; |
24 | 0 |
|
25 | 0 | if (!serverCert->certStatusArray || |
26 | 0 | !serverCert->certStatusArray->len) { |
27 | 0 | return SECSuccess; |
28 | 0 | } |
29 | 0 | |
30 | 0 | item = &serverCert->certStatusArray->items[0]; |
31 | 0 |
|
32 | 0 | /* Only send the first entry. */ |
33 | 0 | /* status_type == ocsp */ |
34 | 0 | rv = sslBuffer_AppendNumber(buf, 1 /*ocsp*/, 1); |
35 | 0 | if (rv != SECSuccess) { |
36 | 0 | return SECFailure; |
37 | 0 | } |
38 | 0 | /* opaque OCSPResponse<1..2^24-1> */ |
39 | 0 | rv = sslBuffer_AppendVariable(buf, item->data, item->len, 3); |
40 | 0 | if (rv != SECSuccess) { |
41 | 0 | return SECFailure; |
42 | 0 | } |
43 | 0 | |
44 | 0 | *added = PR_TRUE; |
45 | 0 | return SECSuccess; |
46 | 0 | } |
47 | | |
48 | | /* |
49 | | * [draft-ietf-tls-tls13-11] Section 6.3.2.3. |
50 | | * |
51 | | * struct { |
52 | | * NamedGroup group; |
53 | | * opaque key_exchange<1..2^16-1>; |
54 | | * } KeyShareEntry; |
55 | | * |
56 | | * struct { |
57 | | * select (role) { |
58 | | * case client: |
59 | | * KeyShareEntry client_shares<4..2^16-1>; |
60 | | * |
61 | | * case server: |
62 | | * KeyShareEntry server_share; |
63 | | * } |
64 | | * } KeyShare; |
65 | | * |
66 | | * DH is Section 6.3.2.3.1. |
67 | | * |
68 | | * opaque dh_Y<1..2^16-1>; |
69 | | * |
70 | | * ECDH is Section 6.3.2.3.2. |
71 | | * |
72 | | * opaque point <1..2^8-1>; |
73 | | */ |
74 | | static PRUint32 |
75 | | tls13_SizeOfKeyShareEntry(const SECKEYPublicKey *pubKey) |
76 | 0 | { |
77 | 0 | /* Size = NamedGroup(2) + length(2) + opaque<?> share */ |
78 | 0 | switch (pubKey->keyType) { |
79 | 0 | case ecKey: |
80 | 0 | return 2 + 2 + pubKey->u.ec.publicValue.len; |
81 | 0 | case dhKey: |
82 | 0 | return 2 + 2 + pubKey->u.dh.prime.len; |
83 | 0 | default: |
84 | 0 | PORT_Assert(0); |
85 | 0 | } |
86 | 0 | return 0; |
87 | 0 | } |
88 | | |
89 | | static SECStatus |
90 | | tls13_EncodeKeyShareEntry(sslBuffer *buf, const sslEphemeralKeyPair *keyPair) |
91 | 0 | { |
92 | 0 | SECStatus rv; |
93 | 0 | SECKEYPublicKey *pubKey = keyPair->keys->pubKey; |
94 | 0 | unsigned int size = tls13_SizeOfKeyShareEntry(pubKey); |
95 | 0 |
|
96 | 0 | rv = sslBuffer_AppendNumber(buf, keyPair->group->name, 2); |
97 | 0 | if (rv != SECSuccess) |
98 | 0 | return rv; |
99 | 0 | rv = sslBuffer_AppendNumber(buf, size - 4, 2); |
100 | 0 | if (rv != SECSuccess) |
101 | 0 | return rv; |
102 | 0 | |
103 | 0 | switch (pubKey->keyType) { |
104 | 0 | case ecKey: |
105 | 0 | rv = sslBuffer_Append(buf, pubKey->u.ec.publicValue.data, |
106 | 0 | pubKey->u.ec.publicValue.len); |
107 | 0 | break; |
108 | 0 | case dhKey: |
109 | 0 | rv = ssl_AppendPaddedDHKeyShare(buf, pubKey, PR_FALSE); |
110 | 0 | break; |
111 | 0 | default: |
112 | 0 | PORT_Assert(0); |
113 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
114 | 0 | break; |
115 | 0 | } |
116 | 0 |
|
117 | 0 | return rv; |
118 | 0 | } |
119 | | |
120 | | SECStatus |
121 | | tls13_ClientSendKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
122 | | sslBuffer *buf, PRBool *added) |
123 | 0 | { |
124 | 0 | SECStatus rv; |
125 | 0 | PRCList *cursor; |
126 | 0 | unsigned int lengthOffset; |
127 | 0 |
|
128 | 0 | if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3) { |
129 | 0 | return SECSuccess; |
130 | 0 | } |
131 | 0 | |
132 | 0 | /* Optimistically try to send an ECDHE key using the |
133 | 0 | * preexisting key (in future will be keys) */ |
134 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: send client key share xtn", |
135 | 0 | SSL_GETPID(), ss->fd)); |
136 | 0 |
|
137 | 0 | /* Save the offset to the length. */ |
138 | 0 | rv = sslBuffer_Skip(buf, 2, &lengthOffset); |
139 | 0 | if (rv != SECSuccess) { |
140 | 0 | return SECFailure; |
141 | 0 | } |
142 | 0 | |
143 | 0 | for (cursor = PR_NEXT_LINK(&ss->ephemeralKeyPairs); |
144 | 0 | cursor != &ss->ephemeralKeyPairs; |
145 | 0 | cursor = PR_NEXT_LINK(cursor)) { |
146 | 0 | sslEphemeralKeyPair *keyPair = (sslEphemeralKeyPair *)cursor; |
147 | 0 | rv = tls13_EncodeKeyShareEntry(buf, keyPair); |
148 | 0 | if (rv != SECSuccess) { |
149 | 0 | return SECFailure; |
150 | 0 | } |
151 | 0 | } |
152 | 0 | rv = sslBuffer_InsertLength(buf, lengthOffset, 2); |
153 | 0 | if (rv != SECSuccess) { |
154 | 0 | return SECFailure; |
155 | 0 | } |
156 | 0 | |
157 | 0 | *added = PR_TRUE; |
158 | 0 | return SECSuccess; |
159 | 0 | } |
160 | | |
161 | | static SECStatus |
162 | | tls13_HandleKeyShareEntry(const sslSocket *ss, TLSExtensionData *xtnData, SECItem *data) |
163 | 0 | { |
164 | 0 | SECStatus rv; |
165 | 0 | PRUint32 group; |
166 | 0 | const sslNamedGroupDef *groupDef; |
167 | 0 | TLS13KeyShareEntry *ks = NULL; |
168 | 0 | SECItem share = { siBuffer, NULL, 0 }; |
169 | 0 |
|
170 | 0 | rv = ssl3_ExtConsumeHandshakeNumber(ss, &group, 2, &data->data, &data->len); |
171 | 0 | if (rv != SECSuccess) { |
172 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE); |
173 | 0 | goto loser; |
174 | 0 | } |
175 | 0 | groupDef = ssl_LookupNamedGroup(group); |
176 | 0 | rv = ssl3_ExtConsumeHandshakeVariable(ss, &share, 2, &data->data, |
177 | 0 | &data->len); |
178 | 0 | if (rv != SECSuccess) { |
179 | 0 | goto loser; |
180 | 0 | } |
181 | 0 | /* If the group is disabled, continue. */ |
182 | 0 | if (!groupDef) { |
183 | 0 | return SECSuccess; |
184 | 0 | } |
185 | 0 | |
186 | 0 | ks = PORT_ZNew(TLS13KeyShareEntry); |
187 | 0 | if (!ks) |
188 | 0 | goto loser; |
189 | 0 | ks->group = groupDef; |
190 | 0 |
|
191 | 0 | rv = SECITEM_CopyItem(NULL, &ks->key_exchange, &share); |
192 | 0 | if (rv != SECSuccess) |
193 | 0 | goto loser; |
194 | 0 | |
195 | 0 | PR_APPEND_LINK(&ks->link, &xtnData->remoteKeyShares); |
196 | 0 | return SECSuccess; |
197 | 0 | |
198 | 0 | loser: |
199 | 0 | if (ks) |
200 | 0 | tls13_DestroyKeyShareEntry(ks); |
201 | 0 | return SECFailure; |
202 | 0 | } |
203 | | /* Handle an incoming KeyShare extension at the client and copy to |
204 | | * |xtnData->remoteKeyShares| for future use. The key |
205 | | * share is processed in tls13_HandleServerKeyShare(). */ |
206 | | SECStatus |
207 | | tls13_ClientHandleKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
208 | | SECItem *data) |
209 | 0 | { |
210 | 0 | SECStatus rv; |
211 | 0 | PORT_Assert(PR_CLIST_IS_EMPTY(&xtnData->remoteKeyShares)); |
212 | 0 |
|
213 | 0 | PORT_Assert(!ss->sec.isServer); |
214 | 0 |
|
215 | 0 | /* The server must not send this extension when negotiating < TLS 1.3. */ |
216 | 0 | if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { |
217 | 0 | PORT_SetError(SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION); |
218 | 0 | return SECFailure; |
219 | 0 | } |
220 | 0 |
|
221 | 0 | SSL_TRC(3, ("%d: SSL3[%d]: handle key_share extension", |
222 | 0 | SSL_GETPID(), ss->fd)); |
223 | 0 |
|
224 | 0 | rv = tls13_HandleKeyShareEntry(ss, xtnData, data); |
225 | 0 | if (rv != SECSuccess) { |
226 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE); |
227 | 0 | return SECFailure; |
228 | 0 | } |
229 | 0 |
|
230 | 0 | if (data->len) { |
231 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE); |
232 | 0 | return SECFailure; |
233 | 0 | } |
234 | 0 |
|
235 | 0 | return SECSuccess; |
236 | 0 | } |
237 | | |
238 | | SECStatus |
239 | | tls13_ClientHandleKeyShareXtnHrr(const sslSocket *ss, TLSExtensionData *xtnData, |
240 | | SECItem *data) |
241 | 0 | { |
242 | 0 | SECStatus rv; |
243 | 0 | PRUint32 tmp; |
244 | 0 | const sslNamedGroupDef *group; |
245 | 0 |
|
246 | 0 | PORT_Assert(!ss->sec.isServer); |
247 | 0 | PORT_Assert(ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3); |
248 | 0 |
|
249 | 0 | SSL_TRC(3, ("%d: SSL3[%d]: handle key_share extension in HRR", |
250 | 0 | SSL_GETPID(), ss->fd)); |
251 | 0 |
|
252 | 0 | rv = ssl3_ExtConsumeHandshakeNumber(ss, &tmp, 2, &data->data, &data->len); |
253 | 0 | if (rv != SECSuccess) { |
254 | 0 | return SECFailure; /* error code already set */ |
255 | 0 | } |
256 | 0 | if (data->len) { |
257 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, decode_error); |
258 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST); |
259 | 0 | return SECFailure; |
260 | 0 | } |
261 | 0 |
|
262 | 0 | group = ssl_LookupNamedGroup((SSLNamedGroup)tmp); |
263 | 0 | /* If the group is not enabled, or we already have a share for the |
264 | 0 | * requested group, abort. */ |
265 | 0 | if (!ssl_NamedGroupEnabled(ss, group) || |
266 | 0 | ssl_HaveEphemeralKeyPair(ss, group)) { |
267 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); |
268 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST); |
269 | 0 | return SECFailure; |
270 | 0 | } |
271 | 0 |
|
272 | 0 | /* Now delete all the key shares per [draft-ietf-tls-tls13 S 4.1.2] */ |
273 | 0 | ssl_FreeEphemeralKeyPairs(CONST_CAST(sslSocket, ss)); |
274 | 0 |
|
275 | 0 | /* And replace with our new share. */ |
276 | 0 | rv = tls13_CreateKeyShare(CONST_CAST(sslSocket, ss), group); |
277 | 0 | if (rv != SECSuccess) { |
278 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, internal_error); |
279 | 0 | PORT_SetError(SEC_ERROR_KEYGEN_FAIL); |
280 | 0 | return SECFailure; |
281 | 0 | } |
282 | 0 |
|
283 | 0 | return SECSuccess; |
284 | 0 | } |
285 | | |
286 | | /* Handle an incoming KeyShare extension at the server and copy to |
287 | | * |xtnData->remoteKeyShares| for future use. The key |
288 | | * share is processed in tls13_HandleClientKeyShare(). */ |
289 | | SECStatus |
290 | | tls13_ServerHandleKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
291 | | SECItem *data) |
292 | 0 | { |
293 | 0 | SECStatus rv; |
294 | 0 | PRUint32 length; |
295 | 0 |
|
296 | 0 | PORT_Assert(ss->sec.isServer); |
297 | 0 | PORT_Assert(PR_CLIST_IS_EMPTY(&xtnData->remoteKeyShares)); |
298 | 0 |
|
299 | 0 | if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { |
300 | 0 | return SECSuccess; |
301 | 0 | } |
302 | 0 | |
303 | 0 | SSL_TRC(3, ("%d: SSL3[%d]: handle key_share extension", |
304 | 0 | SSL_GETPID(), ss->fd)); |
305 | 0 |
|
306 | 0 | /* Redundant length because of TLS encoding (this vector consumes |
307 | 0 | * the entire extension.) */ |
308 | 0 | rv = ssl3_ExtConsumeHandshakeNumber(ss, &length, 2, &data->data, |
309 | 0 | &data->len); |
310 | 0 | if (rv != SECSuccess) |
311 | 0 | goto loser; |
312 | 0 | if (length != data->len) { |
313 | 0 | /* Check for consistency */ |
314 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE); |
315 | 0 | goto loser; |
316 | 0 | } |
317 | 0 |
|
318 | 0 | while (data->len) { |
319 | 0 | rv = tls13_HandleKeyShareEntry(ss, xtnData, data); |
320 | 0 | if (rv != SECSuccess) |
321 | 0 | goto loser; |
322 | 0 | } |
323 | 0 |
|
324 | 0 | return SECSuccess; |
325 | 0 | |
326 | 0 | loser: |
327 | 0 | tls13_DestroyKeyShares(&xtnData->remoteKeyShares); |
328 | 0 | return SECFailure; |
329 | 0 | } |
330 | | |
331 | | SECStatus |
332 | | tls13_ServerSendKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
333 | | sslBuffer *buf, PRBool *added) |
334 | 0 | { |
335 | 0 | SECStatus rv; |
336 | 0 | sslEphemeralKeyPair *keyPair; |
337 | 0 |
|
338 | 0 | /* There should be exactly one key share. */ |
339 | 0 | PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ephemeralKeyPairs)); |
340 | 0 | PORT_Assert(PR_PREV_LINK(&ss->ephemeralKeyPairs) == |
341 | 0 | PR_NEXT_LINK(&ss->ephemeralKeyPairs)); |
342 | 0 |
|
343 | 0 | keyPair = (sslEphemeralKeyPair *)PR_NEXT_LINK(&ss->ephemeralKeyPairs); |
344 | 0 |
|
345 | 0 | rv = tls13_EncodeKeyShareEntry(buf, keyPair); |
346 | 0 | if (rv != SECSuccess) { |
347 | 0 | return SECFailure; |
348 | 0 | } |
349 | 0 | |
350 | 0 | *added = PR_TRUE; |
351 | 0 | return SECSuccess; |
352 | 0 | } |
353 | | |
354 | | /* Called by clients. |
355 | | * |
356 | | * struct { |
357 | | * opaque identity<0..2^16-1>; |
358 | | * uint32 obfuscated_ticket_age; |
359 | | * } PskIdentity; |
360 | | * |
361 | | * opaque PskBinderEntry<32..255>; |
362 | | * |
363 | | * struct { |
364 | | * select (Handshake.msg_type) { |
365 | | * case client_hello: |
366 | | * PskIdentity identities<6..2^16-1>; |
367 | | * PskBinderEntry binders<33..2^16-1>; |
368 | | * |
369 | | * case server_hello: |
370 | | * uint16 selected_identity; |
371 | | * }; |
372 | | * |
373 | | * } PreSharedKeyExtension; |
374 | | |
375 | | * Presently the only way to get a PSK is by resumption, so this is |
376 | | * really a ticket label and there will be at most one. |
377 | | */ |
378 | | SECStatus |
379 | | tls13_ClientSendPreSharedKeyXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
380 | | sslBuffer *buf, PRBool *added) |
381 | 0 | { |
382 | 0 | NewSessionTicket *session_ticket; |
383 | 0 | PRTime age; |
384 | 0 | const static PRUint8 binder[TLS13_MAX_FINISHED_SIZE] = { 0 }; |
385 | 0 | unsigned int binderLen; |
386 | 0 | SECStatus rv; |
387 | 0 |
|
388 | 0 | /* We only set statelessResume on the client in TLS 1.3 code. */ |
389 | 0 | if (!ss->statelessResume) { |
390 | 0 | return SECSuccess; |
391 | 0 | } |
392 | 0 | |
393 | 0 | /* Save where this extension starts so that if we have to add padding, it |
394 | 0 | * can be inserted before this extension. */ |
395 | 0 | PORT_Assert(buf->len >= 4); |
396 | 0 | xtnData->lastXtnOffset = buf->len - 4; |
397 | 0 |
|
398 | 0 | PORT_Assert(ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3); |
399 | 0 | PORT_Assert(ss->sec.ci.sid->version >= SSL_LIBRARY_VERSION_TLS_1_3); |
400 | 0 |
|
401 | 0 | /* Send a single ticket identity. */ |
402 | 0 | session_ticket = &ss->sec.ci.sid->u.ssl3.locked.sessionTicket; |
403 | 0 | rv = sslBuffer_AppendNumber(buf, 2 + /* identity length */ |
404 | 0 | session_ticket->ticket.len + /* ticket */ |
405 | 0 | 4 /* obfuscated_ticket_age */, |
406 | 0 | 2); |
407 | 0 | if (rv != SECSuccess) |
408 | 0 | goto loser; |
409 | 0 | rv = sslBuffer_AppendVariable(buf, session_ticket->ticket.data, |
410 | 0 | session_ticket->ticket.len, 2); |
411 | 0 | if (rv != SECSuccess) |
412 | 0 | goto loser; |
413 | 0 | |
414 | 0 | /* Obfuscated age. */ |
415 | 0 | age = ssl_TimeUsec() - session_ticket->received_timestamp; |
416 | 0 | age /= PR_USEC_PER_MSEC; |
417 | 0 | age += session_ticket->ticket_age_add; |
418 | 0 | rv = sslBuffer_AppendNumber(buf, age, 4); |
419 | 0 | if (rv != SECSuccess) |
420 | 0 | goto loser; |
421 | 0 | |
422 | 0 | /* Write out the binder list length. */ |
423 | 0 | binderLen = tls13_GetHashSize(ss); |
424 | 0 | rv = sslBuffer_AppendNumber(buf, binderLen + 1, 2); |
425 | 0 | if (rv != SECSuccess) |
426 | 0 | goto loser; |
427 | 0 | /* Write zeroes for the binder for the moment. */ |
428 | 0 | rv = sslBuffer_AppendVariable(buf, binder, binderLen, 1); |
429 | 0 | if (rv != SECSuccess) |
430 | 0 | goto loser; |
431 | 0 | |
432 | 0 | PRINT_BUF(50, (ss, "Sending PreSharedKey value", |
433 | 0 | session_ticket->ticket.data, |
434 | 0 | session_ticket->ticket.len)); |
435 | 0 |
|
436 | 0 | xtnData->sentSessionTicketInClientHello = PR_TRUE; |
437 | 0 | *added = PR_TRUE; |
438 | 0 | return SECSuccess; |
439 | 0 |
|
440 | 0 | loser: |
441 | 0 | xtnData->ticketTimestampVerified = PR_FALSE; |
442 | 0 | return SECFailure; |
443 | 0 | } |
444 | | |
445 | | /* Handle a TLS 1.3 PreSharedKey Extension. We only accept PSKs |
446 | | * that contain session tickets. */ |
447 | | SECStatus |
448 | | tls13_ServerHandlePreSharedKeyXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
449 | | SECItem *data) |
450 | 0 | { |
451 | 0 | SECItem inner; |
452 | 0 | SECStatus rv; |
453 | 0 | unsigned int numIdentities = 0; |
454 | 0 | unsigned int numBinders = 0; |
455 | 0 | SECItem *appToken; |
456 | 0 |
|
457 | 0 | SSL_TRC(3, ("%d: SSL3[%d]: handle pre_shared_key extension", |
458 | 0 | SSL_GETPID(), ss->fd)); |
459 | 0 |
|
460 | 0 | /* If we are doing < TLS 1.3, then ignore this. */ |
461 | 0 | if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { |
462 | 0 | return SECSuccess; |
463 | 0 | } |
464 | 0 | |
465 | 0 | /* The application token is set via the cookie extension if this is the |
466 | 0 | * second ClientHello. Don't set it twice. The cookie extension handler |
467 | 0 | * sets |helloRetry| and that will have been called already because this |
468 | 0 | * extension always comes last. */ |
469 | 0 | if (!ss->ssl3.hs.helloRetry) { |
470 | 0 | appToken = &xtnData->applicationToken; |
471 | 0 | } else { |
472 | 0 | appToken = NULL; |
473 | 0 | } |
474 | 0 |
|
475 | 0 | /* Parse the identities list. */ |
476 | 0 | rv = ssl3_ExtConsumeHandshakeVariable(ss, &inner, 2, |
477 | 0 | &data->data, &data->len); |
478 | 0 | if (rv != SECSuccess) { |
479 | 0 | return SECFailure; |
480 | 0 | } |
481 | 0 | |
482 | 0 | while (inner.len) { |
483 | 0 | SECItem label; |
484 | 0 | PRUint32 obfuscatedAge; |
485 | 0 |
|
486 | 0 | rv = ssl3_ExtConsumeHandshakeVariable(ss, &label, 2, |
487 | 0 | &inner.data, &inner.len); |
488 | 0 | if (rv != SECSuccess) |
489 | 0 | return rv; |
490 | 0 | if (!label.len) { |
491 | 0 | goto alert_loser; |
492 | 0 | } |
493 | 0 | |
494 | 0 | rv = ssl3_ExtConsumeHandshakeNumber(ss, &obfuscatedAge, 4, |
495 | 0 | &inner.data, &inner.len); |
496 | 0 | if (rv != SECSuccess) |
497 | 0 | return rv; |
498 | 0 | |
499 | 0 | if (!numIdentities) { |
500 | 0 | PRINT_BUF(50, (ss, "Handling PreSharedKey value", |
501 | 0 | label.data, label.len)); |
502 | 0 | rv = ssl3_ProcessSessionTicketCommon( |
503 | 0 | CONST_CAST(sslSocket, ss), &label, appToken); |
504 | 0 | /* This only happens if we have an internal error, not |
505 | 0 | * a malformed ticket. Bogus tickets just don't resume |
506 | 0 | * and return SECSuccess. */ |
507 | 0 | if (rv != SECSuccess) |
508 | 0 | return SECFailure; |
509 | 0 | |
510 | 0 | if (ss->sec.ci.sid) { |
511 | 0 | /* xtnData->ticketAge contains the baseline we use for |
512 | 0 | * calculating the ticket age (i.e., our RTT estimate less the |
513 | 0 | * value of ticket_age_add). |
514 | 0 | * |
515 | 0 | * Add that to the obfuscated ticket age to recover the client's |
516 | 0 | * view of the ticket age plus the estimated RTT. |
517 | 0 | * |
518 | 0 | * See ssl3_EncodeSessionTicket() for details. */ |
519 | 0 | xtnData->ticketAge += obfuscatedAge; |
520 | 0 | } |
521 | 0 | } |
522 | 0 | ++numIdentities; |
523 | 0 | } |
524 | 0 |
|
525 | 0 | xtnData->pskBindersLen = data->len; |
526 | 0 |
|
527 | 0 | /* Parse the binders list. */ |
528 | 0 | rv = ssl3_ExtConsumeHandshakeVariable(ss, |
529 | 0 | &inner, 2, &data->data, &data->len); |
530 | 0 | if (rv != SECSuccess) |
531 | 0 | return SECFailure; |
532 | 0 | if (data->len) { |
533 | 0 | goto alert_loser; |
534 | 0 | } |
535 | 0 | |
536 | 0 | while (inner.len) { |
537 | 0 | SECItem binder; |
538 | 0 | rv = ssl3_ExtConsumeHandshakeVariable(ss, &binder, 1, |
539 | 0 | &inner.data, &inner.len); |
540 | 0 | if (rv != SECSuccess) |
541 | 0 | return rv; |
542 | 0 | if (binder.len < 32) { |
543 | 0 | goto alert_loser; |
544 | 0 | } |
545 | 0 | |
546 | 0 | if (!numBinders) { |
547 | 0 | xtnData->pskBinder = binder; |
548 | 0 | } |
549 | 0 | ++numBinders; |
550 | 0 | } |
551 | 0 |
|
552 | 0 | if (numBinders != numIdentities) |
553 | 0 | goto alert_loser; |
554 | 0 | |
555 | 0 | /* Keep track of negotiated extensions. Note that this does not |
556 | 0 | * mean we are resuming. */ |
557 | 0 | xtnData->negotiated[xtnData->numNegotiated++] = ssl_tls13_pre_shared_key_xtn; |
558 | 0 |
|
559 | 0 | return SECSuccess; |
560 | 0 | |
561 | 0 | alert_loser: |
562 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); |
563 | 0 | PORT_SetError(SSL_ERROR_MALFORMED_PRE_SHARED_KEY); |
564 | 0 | return SECFailure; |
565 | 0 | } |
566 | | |
567 | | SECStatus |
568 | | tls13_ServerSendPreSharedKeyXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
569 | | sslBuffer *buf, PRBool *added) |
570 | 0 | { |
571 | 0 | SECStatus rv; |
572 | 0 |
|
573 | 0 | /* We only process the first session ticket the client sends, |
574 | 0 | * so the index is always 0. */ |
575 | 0 | rv = sslBuffer_AppendNumber(buf, 0, 2); |
576 | 0 | if (rv != SECSuccess) { |
577 | 0 | return SECFailure; |
578 | 0 | } |
579 | 0 | |
580 | 0 | *added = PR_TRUE; |
581 | 0 | return SECSuccess; |
582 | 0 | } |
583 | | |
584 | | /* Handle a TLS 1.3 PreSharedKey Extension. We only accept PSKs |
585 | | * that contain session tickets. */ |
586 | | SECStatus |
587 | | tls13_ClientHandlePreSharedKeyXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
588 | | SECItem *data) |
589 | 0 | { |
590 | 0 | PRUint32 index; |
591 | 0 | SECStatus rv; |
592 | 0 |
|
593 | 0 | SSL_TRC(3, ("%d: SSL3[%d]: handle pre_shared_key extension", |
594 | 0 | SSL_GETPID(), ss->fd)); |
595 | 0 |
|
596 | 0 | /* The server must not send this extension when negotiating < TLS 1.3. */ |
597 | 0 | if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { |
598 | 0 | PORT_SetError(SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION); |
599 | 0 | return SECFailure; |
600 | 0 | } |
601 | 0 |
|
602 | 0 | rv = ssl3_ExtConsumeHandshakeNumber(ss, &index, 2, &data->data, &data->len); |
603 | 0 | if (rv != SECSuccess) |
604 | 0 | return SECFailure; |
605 | 0 | |
606 | 0 | /* This should be the end of the extension. */ |
607 | 0 | if (data->len) { |
608 | 0 | PORT_SetError(SSL_ERROR_MALFORMED_PRE_SHARED_KEY); |
609 | 0 | return SECFailure; |
610 | 0 | } |
611 | 0 |
|
612 | 0 | /* We only sent one PSK label so index must be equal to 0 */ |
613 | 0 | if (index) { |
614 | 0 | PORT_SetError(SSL_ERROR_MALFORMED_PRE_SHARED_KEY); |
615 | 0 | return SECFailure; |
616 | 0 | } |
617 | 0 |
|
618 | 0 | /* Keep track of negotiated extensions. */ |
619 | 0 | xtnData->negotiated[xtnData->numNegotiated++] = ssl_tls13_pre_shared_key_xtn; |
620 | 0 |
|
621 | 0 | return SECSuccess; |
622 | 0 | } |
623 | | |
624 | | /* |
625 | | * struct { } EarlyDataIndication; |
626 | | */ |
627 | | SECStatus |
628 | | tls13_ClientSendEarlyDataXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
629 | | sslBuffer *buf, PRBool *added) |
630 | 0 | { |
631 | 0 | if (!tls13_ClientAllow0Rtt(ss, ss->sec.ci.sid)) { |
632 | 0 | return SECSuccess; |
633 | 0 | } |
634 | 0 | |
635 | 0 | *added = PR_TRUE; |
636 | 0 | return SECSuccess; |
637 | 0 | } |
638 | | |
639 | | SECStatus |
640 | | tls13_ServerHandleEarlyDataXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
641 | | SECItem *data) |
642 | 0 | { |
643 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: handle early_data extension", |
644 | 0 | SSL_GETPID(), ss->fd)); |
645 | 0 |
|
646 | 0 | /* If we are doing < TLS 1.3, then ignore this. */ |
647 | 0 | if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { |
648 | 0 | return SECSuccess; |
649 | 0 | } |
650 | 0 | |
651 | 0 | if (ss->ssl3.hs.helloRetry) { |
652 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, unsupported_extension); |
653 | 0 | PORT_SetError(SSL_ERROR_RX_UNEXPECTED_EXTENSION); |
654 | 0 | return SECFailure; |
655 | 0 | } |
656 | 0 |
|
657 | 0 | if (data->len) { |
658 | 0 | PORT_SetError(SSL_ERROR_MALFORMED_EARLY_DATA); |
659 | 0 | return SECFailure; |
660 | 0 | } |
661 | 0 |
|
662 | 0 | xtnData->negotiated[xtnData->numNegotiated++] = ssl_tls13_early_data_xtn; |
663 | 0 |
|
664 | 0 | return SECSuccess; |
665 | 0 | } |
666 | | |
667 | | /* This will only be called if we also offered the extension. */ |
668 | | SECStatus |
669 | | tls13_ClientHandleEarlyDataXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
670 | | SECItem *data) |
671 | 0 | { |
672 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: handle early_data extension", |
673 | 0 | SSL_GETPID(), ss->fd)); |
674 | 0 |
|
675 | 0 | /* The server must not send this extension when negotiating < TLS 1.3. */ |
676 | 0 | if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { |
677 | 0 | PORT_SetError(SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION); |
678 | 0 | return SECFailure; |
679 | 0 | } |
680 | 0 |
|
681 | 0 | if (data->len) { |
682 | 0 | PORT_SetError(SSL_ERROR_MALFORMED_EARLY_DATA); |
683 | 0 | return SECFailure; |
684 | 0 | } |
685 | 0 |
|
686 | 0 | /* Keep track of negotiated extensions. */ |
687 | 0 | xtnData->negotiated[xtnData->numNegotiated++] = ssl_tls13_early_data_xtn; |
688 | 0 |
|
689 | 0 | return SECSuccess; |
690 | 0 | } |
691 | | |
692 | | SECStatus |
693 | | tls13_ClientHandleTicketEarlyDataXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
694 | | SECItem *data) |
695 | 0 | { |
696 | 0 | PRUint32 utmp; |
697 | 0 | SECStatus rv; |
698 | 0 |
|
699 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: handle ticket early_data extension", |
700 | 0 | SSL_GETPID(), ss->fd)); |
701 | 0 |
|
702 | 0 | /* The server must not send this extension when negotiating < TLS 1.3. */ |
703 | 0 | if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { |
704 | 0 | PORT_SetError(SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION); |
705 | 0 | return SECFailure; |
706 | 0 | } |
707 | 0 |
|
708 | 0 | rv = ssl3_ExtConsumeHandshake(ss, &utmp, sizeof(utmp), |
709 | 0 | &data->data, &data->len); |
710 | 0 | if (rv != SECSuccess) { |
711 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET); |
712 | 0 | return SECFailure; |
713 | 0 | } |
714 | 0 | if (data->len) { |
715 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET); |
716 | 0 | return SECFailure; |
717 | 0 | } |
718 | 0 |
|
719 | 0 | xtnData->max_early_data_size = PR_ntohl(utmp); |
720 | 0 |
|
721 | 0 | return SECSuccess; |
722 | 0 | } |
723 | | |
724 | | /* |
725 | | * struct { |
726 | | * select (Handshake.msg_type) { |
727 | | * case client_hello: |
728 | | * ProtocolVersion versions<2..254>; |
729 | | * case server_hello: |
730 | | * ProtocolVersion version; |
731 | | * }; |
732 | | * } SupportedVersions; |
733 | | */ |
734 | | SECStatus |
735 | | tls13_ClientSendSupportedVersionsXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
736 | | sslBuffer *buf, PRBool *added) |
737 | 0 | { |
738 | 0 | PRUint16 version; |
739 | 0 | unsigned int lengthOffset; |
740 | 0 | SECStatus rv; |
741 | 0 |
|
742 | 0 | if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3) { |
743 | 0 | return SECSuccess; |
744 | 0 | } |
745 | 0 | |
746 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: client send supported_versions extension", |
747 | 0 | SSL_GETPID(), ss->fd)); |
748 | 0 |
|
749 | 0 | rv = sslBuffer_Skip(buf, 1, &lengthOffset); |
750 | 0 | if (rv != SECSuccess) { |
751 | 0 | return SECFailure; |
752 | 0 | } |
753 | 0 | |
754 | 0 | for (version = ss->vrange.max; version >= ss->vrange.min; --version) { |
755 | 0 | PRUint16 wire = tls13_EncodeDraftVersion(version, |
756 | 0 | ss->protocolVariant); |
757 | 0 | rv = sslBuffer_AppendNumber(buf, wire, 2); |
758 | 0 | if (rv != SECSuccess) { |
759 | 0 | return SECFailure; |
760 | 0 | } |
761 | 0 | } |
762 | 0 |
|
763 | 0 | rv = sslBuffer_InsertLength(buf, lengthOffset, 1); |
764 | 0 | if (rv != SECSuccess) { |
765 | 0 | return SECFailure; |
766 | 0 | } |
767 | 0 | |
768 | 0 | *added = PR_TRUE; |
769 | 0 | return SECSuccess; |
770 | 0 | } |
771 | | |
772 | | SECStatus |
773 | | tls13_ServerSendSupportedVersionsXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
774 | | sslBuffer *buf, PRBool *added) |
775 | 0 | { |
776 | 0 | SECStatus rv; |
777 | 0 |
|
778 | 0 | if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { |
779 | 0 | return SECSuccess; |
780 | 0 | } |
781 | 0 | |
782 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: server send supported_versions extension", |
783 | 0 | SSL_GETPID(), ss->fd)); |
784 | 0 |
|
785 | 0 | PRUint16 ver = tls13_EncodeDraftVersion(SSL_LIBRARY_VERSION_TLS_1_3, |
786 | 0 | ss->protocolVariant); |
787 | 0 | rv = sslBuffer_AppendNumber(buf, ver, 2); |
788 | 0 | if (rv != SECSuccess) { |
789 | 0 | return SECFailure; |
790 | 0 | } |
791 | 0 | |
792 | 0 | *added = PR_TRUE; |
793 | 0 | return SECSuccess; |
794 | 0 | } |
795 | | |
796 | | /* |
797 | | * struct { |
798 | | * opaque cookie<1..2^16-1>; |
799 | | * } Cookie; |
800 | | */ |
801 | | SECStatus |
802 | | tls13_ClientHandleHrrCookie(const sslSocket *ss, TLSExtensionData *xtnData, |
803 | | SECItem *data) |
804 | 0 | { |
805 | 0 | SECStatus rv; |
806 | 0 |
|
807 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: handle cookie extension", |
808 | 0 | SSL_GETPID(), ss->fd)); |
809 | 0 |
|
810 | 0 | PORT_Assert(ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3); |
811 | 0 |
|
812 | 0 | /* IMPORTANT: this is only valid while the HelloRetryRequest is still valid. */ |
813 | 0 | rv = ssl3_ExtConsumeHandshakeVariable( |
814 | 0 | ss, &CONST_CAST(sslSocket, ss)->ssl3.hs.cookie, 2, |
815 | 0 | &data->data, &data->len); |
816 | 0 | if (rv != SECSuccess) { |
817 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST); |
818 | 0 | return SECFailure; |
819 | 0 | } |
820 | 0 | if (!ss->ssl3.hs.cookie.len || data->len) { |
821 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, decode_error); |
822 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST); |
823 | 0 | return SECFailure; |
824 | 0 | } |
825 | 0 |
|
826 | 0 | return SECSuccess; |
827 | 0 | } |
828 | | |
829 | | SECStatus |
830 | | tls13_ClientSendHrrCookieXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
831 | | sslBuffer *buf, PRBool *added) |
832 | 0 | { |
833 | 0 | SECStatus rv; |
834 | 0 |
|
835 | 0 | if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3 || |
836 | 0 | !ss->ssl3.hs.cookie.len) { |
837 | 0 | return SECSuccess; |
838 | 0 | } |
839 | 0 | |
840 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: send cookie extension", SSL_GETPID(), ss->fd)); |
841 | 0 | rv = sslBuffer_AppendVariable(buf, ss->ssl3.hs.cookie.data, |
842 | 0 | ss->ssl3.hs.cookie.len, 2); |
843 | 0 | if (rv != SECSuccess) { |
844 | 0 | return SECFailure; |
845 | 0 | } |
846 | 0 | |
847 | 0 | *added = PR_TRUE; |
848 | 0 | return SECSuccess; |
849 | 0 | } |
850 | | |
851 | | SECStatus |
852 | | tls13_ServerHandleCookieXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
853 | | SECItem *data) |
854 | 0 | { |
855 | 0 | SECStatus rv; |
856 | 0 |
|
857 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: handle cookie extension", |
858 | 0 | SSL_GETPID(), ss->fd)); |
859 | 0 |
|
860 | 0 | rv = ssl3_ExtConsumeHandshakeVariable(ss, &xtnData->cookie, 2, |
861 | 0 | &data->data, &data->len); |
862 | 0 | if (rv != SECSuccess) { |
863 | 0 | return SECFailure; |
864 | 0 | } |
865 | 0 | |
866 | 0 | if (xtnData->cookie.len == 0) { |
867 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); |
868 | 0 | return SECFailure; |
869 | 0 | } |
870 | 0 |
|
871 | 0 | if (data->len) { |
872 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); |
873 | 0 | return SECFailure; |
874 | 0 | } |
875 | 0 |
|
876 | 0 | /* Keep track of negotiated extensions. */ |
877 | 0 | xtnData->negotiated[xtnData->numNegotiated++] = ssl_tls13_cookie_xtn; |
878 | 0 |
|
879 | 0 | return SECSuccess; |
880 | 0 | } |
881 | | |
882 | | /* |
883 | | * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode; |
884 | | * |
885 | | * struct { |
886 | | * PskKeyExchangeMode ke_modes<1..255>; |
887 | | * } PskKeyExchangeModes; |
888 | | */ |
889 | | SECStatus |
890 | | tls13_ClientSendPskModesXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
891 | | sslBuffer *buf, PRBool *added) |
892 | 0 | { |
893 | 0 | static const PRUint8 ke_modes[] = { tls13_psk_dh_ke }; |
894 | 0 | SECStatus rv; |
895 | 0 |
|
896 | 0 | if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3 || |
897 | 0 | ss->opt.noCache) { |
898 | 0 | return SECSuccess; |
899 | 0 | } |
900 | 0 | |
901 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: send psk key exchange modes extension", |
902 | 0 | SSL_GETPID(), ss->fd)); |
903 | 0 |
|
904 | 0 | rv = sslBuffer_AppendVariable(buf, ke_modes, sizeof(ke_modes), 1); |
905 | 0 | if (rv != SECSuccess) { |
906 | 0 | return SECFailure; |
907 | 0 | } |
908 | 0 | |
909 | 0 | *added = PR_TRUE; |
910 | 0 | return SECSuccess; |
911 | 0 | } |
912 | | |
913 | | SECStatus |
914 | | tls13_ServerHandlePskModesXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
915 | | SECItem *data) |
916 | 0 | { |
917 | 0 | SECStatus rv; |
918 | 0 |
|
919 | 0 | /* If we are doing < TLS 1.3, then ignore this. */ |
920 | 0 | if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { |
921 | 0 | return SECSuccess; |
922 | 0 | } |
923 | 0 | |
924 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: handle PSK key exchange modes extension", |
925 | 0 | SSL_GETPID(), ss->fd)); |
926 | 0 |
|
927 | 0 | /* IMPORTANT: We aren't copying these values, just setting pointers. |
928 | 0 | * They will only be valid as long as the ClientHello is in memory. */ |
929 | 0 | rv = ssl3_ExtConsumeHandshakeVariable(ss, |
930 | 0 | &xtnData->psk_ke_modes, 1, |
931 | 0 | &data->data, &data->len); |
932 | 0 | if (rv != SECSuccess) |
933 | 0 | return rv; |
934 | 0 | if (!xtnData->psk_ke_modes.len || data->len) { |
935 | 0 | PORT_SetError(SSL_ERROR_MALFORMED_PSK_KEY_EXCHANGE_MODES); |
936 | 0 | return SECFailure; |
937 | 0 | } |
938 | 0 |
|
939 | 0 | /* Keep track of negotiated extensions. */ |
940 | 0 | xtnData->negotiated[xtnData->numNegotiated++] = |
941 | 0 | ssl_tls13_psk_key_exchange_modes_xtn; |
942 | 0 |
|
943 | 0 | return SECSuccess; |
944 | 0 | } |
945 | | |
946 | | SECStatus |
947 | | tls13_SendCertAuthoritiesXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
948 | | sslBuffer *buf, PRBool *added) |
949 | 0 | { |
950 | 0 | unsigned int calen; |
951 | 0 | const SECItem *name; |
952 | 0 | unsigned int nnames; |
953 | 0 | SECStatus rv; |
954 | 0 |
|
955 | 0 | PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); |
956 | 0 |
|
957 | 0 | rv = ssl_GetCertificateRequestCAs(ss, &calen, &name, &nnames); |
958 | 0 | if (rv != SECSuccess) { |
959 | 0 | return SECFailure; |
960 | 0 | } |
961 | 0 | |
962 | 0 | if (!calen) { |
963 | 0 | return SECSuccess; |
964 | 0 | } |
965 | 0 | |
966 | 0 | rv = sslBuffer_AppendNumber(buf, calen, 2); |
967 | 0 | if (rv != SECSuccess) { |
968 | 0 | return SECFailure; |
969 | 0 | } |
970 | 0 | |
971 | 0 | while (nnames) { |
972 | 0 | rv = sslBuffer_AppendVariable(buf, name->data, name->len, 2); |
973 | 0 | if (rv != SECSuccess) { |
974 | 0 | return SECFailure; |
975 | 0 | } |
976 | 0 | ++name; |
977 | 0 | --nnames; |
978 | 0 | } |
979 | 0 |
|
980 | 0 | *added = PR_TRUE; |
981 | 0 | return SECSuccess; |
982 | 0 | } |
983 | | |
984 | | SECStatus |
985 | | tls13_ClientHandleCertAuthoritiesXtn(const sslSocket *ss, |
986 | | TLSExtensionData *xtnData, |
987 | | SECItem *data) |
988 | 0 | { |
989 | 0 | SECStatus rv; |
990 | 0 | PLArenaPool *arena; |
991 | 0 |
|
992 | 0 | if (!data->len) { |
993 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, decode_error); |
994 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_CERT_REQUEST); |
995 | 0 | return SECFailure; |
996 | 0 | } |
997 | 0 |
|
998 | 0 | arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
999 | 0 | if (!arena) { |
1000 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
1001 | 0 | return SECFailure; |
1002 | 0 | } |
1003 | 0 |
|
1004 | 0 | xtnData->certReqAuthorities.arena = arena; |
1005 | 0 | rv = ssl3_ParseCertificateRequestCAs((sslSocket *)ss, |
1006 | 0 | &data->data, &data->len, |
1007 | 0 | &xtnData->certReqAuthorities); |
1008 | 0 | if (rv != SECSuccess) { |
1009 | 0 | goto loser; |
1010 | 0 | } |
1011 | 0 | if (data->len) { |
1012 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, decode_error); |
1013 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_CERT_REQUEST); |
1014 | 0 | goto loser; |
1015 | 0 | } |
1016 | 0 | return SECSuccess; |
1017 | 0 | |
1018 | 0 | loser: |
1019 | 0 | PORT_FreeArena(arena, PR_FALSE); |
1020 | 0 | xtnData->certReqAuthorities.arena = NULL; |
1021 | 0 | return SECFailure; |
1022 | 0 | } |
1023 | | |
1024 | | SECStatus |
1025 | | tls13_ServerSendHrrKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
1026 | | sslBuffer *buf, PRBool *added) |
1027 | 0 | { |
1028 | 0 | SECStatus rv; |
1029 | 0 |
|
1030 | 0 | PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); |
1031 | 0 |
|
1032 | 0 | if (!xtnData->selectedGroup) { |
1033 | 0 | return SECSuccess; |
1034 | 0 | } |
1035 | 0 | |
1036 | 0 | rv = sslBuffer_AppendNumber(buf, xtnData->selectedGroup->name, 2); |
1037 | 0 | if (rv != SECSuccess) { |
1038 | 0 | return SECFailure; |
1039 | 0 | } |
1040 | 0 | |
1041 | 0 | *added = PR_TRUE; |
1042 | 0 | return SECSuccess; |
1043 | 0 | } |
1044 | | |
1045 | | SECStatus |
1046 | | tls13_ServerSendHrrCookieXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
1047 | | sslBuffer *buf, PRBool *added) |
1048 | 0 | { |
1049 | 0 | SECStatus rv; |
1050 | 0 |
|
1051 | 0 | PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); |
1052 | 0 | PORT_Assert(xtnData->cookie.len > 0); |
1053 | 0 |
|
1054 | 0 | rv = sslBuffer_AppendVariable(buf, |
1055 | 0 | xtnData->cookie.data, xtnData->cookie.len, 2); |
1056 | 0 | if (rv != SECSuccess) { |
1057 | 0 | return SECFailure; |
1058 | 0 | } |
1059 | 0 | |
1060 | 0 | *added = PR_TRUE; |
1061 | 0 | return SECSuccess; |
1062 | 0 | } |