/src/nss/lib/ssl/tls13exthandle.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ |
2 | | /* |
3 | | * This Source Code Form is subject to the terms of the Mozilla Public |
4 | | * License, v. 2.0. If a copy of the MPL was not distributed with this |
5 | | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
6 | | |
7 | | #include "nssrenam.h" |
8 | | #include "nss.h" |
9 | | #include "ssl.h" |
10 | | #include "sslproto.h" |
11 | | #include "sslimpl.h" |
12 | | #include "pk11pub.h" |
13 | | #include "ssl3ext.h" |
14 | | #include "ssl3exthandle.h" |
15 | | #include "sslt.h" |
16 | | #include "tls13con.h" |
17 | | #include "tls13ech.h" |
18 | | #include "tls13exthandle.h" |
19 | | #include "tls13psk.h" |
20 | | #include "tls13subcerts.h" |
21 | | |
22 | | SECStatus |
23 | | tls13_ServerSendStatusRequestXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
24 | | sslBuffer *buf, PRBool *added) |
25 | 0 | { |
26 | 0 | const sslServerCert *serverCert = ss->sec.serverCert; |
27 | 0 | const SECItem *item; |
28 | 0 | SECStatus rv; |
29 | |
|
30 | 0 | if (!serverCert->certStatusArray || |
31 | 0 | !serverCert->certStatusArray->len) { |
32 | 0 | return SECSuccess; |
33 | 0 | } |
34 | | |
35 | 0 | item = &serverCert->certStatusArray->items[0]; |
36 | | |
37 | | /* Only send the first entry. */ |
38 | | /* status_type == ocsp */ |
39 | 0 | rv = sslBuffer_AppendNumber(buf, 1 /*ocsp*/, 1); |
40 | 0 | if (rv != SECSuccess) { |
41 | 0 | return SECFailure; |
42 | 0 | } |
43 | | /* opaque OCSPResponse<1..2^24-1> */ |
44 | 0 | rv = sslBuffer_AppendVariable(buf, item->data, item->len, 3); |
45 | 0 | if (rv != SECSuccess) { |
46 | 0 | return SECFailure; |
47 | 0 | } |
48 | | |
49 | 0 | *added = PR_TRUE; |
50 | 0 | return SECSuccess; |
51 | 0 | } |
52 | | |
53 | | /* |
54 | | * [RFC 8446] Section 4.2.8. |
55 | | * |
56 | | * struct { |
57 | | * NamedGroup group; |
58 | | * opaque key_exchange<1..2^16-1>; |
59 | | * } KeyShareEntry; |
60 | | * |
61 | | */ |
62 | | PRUint32 |
63 | | tls13_SizeOfKeyShareEntry(const sslEphemeralKeyPair *keyPair) |
64 | 0 | { |
65 | | /* Size = NamedGroup(2) + length(2) + opaque<?> share */ |
66 | 0 | PRUint32 size = 2 + 2; |
67 | |
|
68 | 0 | const SECKEYPublicKey *pubKey = keyPair->keys->pubKey; |
69 | 0 | switch (pubKey->keyType) { |
70 | 0 | case ecKey: |
71 | 0 | size += pubKey->u.ec.publicValue.len; |
72 | 0 | break; |
73 | 0 | case dhKey: |
74 | 0 | size += pubKey->u.dh.prime.len; |
75 | 0 | break; |
76 | 0 | default: |
77 | 0 | PORT_Assert(0); |
78 | 0 | return 0; |
79 | 0 | } |
80 | | |
81 | 0 | if (keyPair->kemKeys) { |
82 | 0 | PORT_Assert(!keyPair->kemCt); |
83 | 0 | PORT_Assert(keyPair->group->name == ssl_grp_kem_xyber768d00 || keyPair->group->name == ssl_grp_kem_mlkem768x25519); |
84 | 0 | pubKey = keyPair->kemKeys->pubKey; |
85 | 0 | size += pubKey->u.kyber.publicValue.len; |
86 | 0 | } |
87 | 0 | if (keyPair->kemCt) { |
88 | 0 | PORT_Assert(!keyPair->kemKeys); |
89 | 0 | PORT_Assert(keyPair->group->name == ssl_grp_kem_xyber768d00 || keyPair->group->name == ssl_grp_kem_mlkem768x25519); |
90 | 0 | size += keyPair->kemCt->len; |
91 | 0 | } |
92 | |
|
93 | 0 | return size; |
94 | 0 | } |
95 | | |
96 | | static SECStatus |
97 | | tls13_WriteXyber768D00KeyExchangeInfo(sslBuffer *buf, sslEphemeralKeyPair *keyPair) |
98 | 0 | { |
99 | 0 | PORT_Assert(keyPair->group->name == ssl_grp_kem_xyber768d00); |
100 | 0 | PORT_Assert(keyPair->keys->pubKey->keyType == ecKey); |
101 | | |
102 | | // Encode the X25519 share first, then the Kyber768 key or ciphertext. |
103 | 0 | SECStatus rv; |
104 | 0 | rv = sslBuffer_Append(buf, keyPair->keys->pubKey->u.ec.publicValue.data, |
105 | 0 | keyPair->keys->pubKey->u.ec.publicValue.len); |
106 | 0 | if (rv != SECSuccess) { |
107 | 0 | return rv; |
108 | 0 | } |
109 | | |
110 | 0 | if (keyPair->kemKeys) { |
111 | 0 | PORT_Assert(!keyPair->kemCt); |
112 | 0 | rv = sslBuffer_Append(buf, keyPair->kemKeys->pubKey->u.kyber.publicValue.data, keyPair->kemKeys->pubKey->u.kyber.publicValue.len); |
113 | 0 | } else if (keyPair->kemCt) { |
114 | 0 | rv = sslBuffer_Append(buf, keyPair->kemCt->data, keyPair->kemCt->len); |
115 | 0 | } else { |
116 | 0 | PORT_Assert(0); |
117 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
118 | 0 | rv = SECFailure; |
119 | 0 | } |
120 | 0 | return rv; |
121 | 0 | } |
122 | | |
123 | | static SECStatus |
124 | | tls13_WriteMLKEM768X25519KeyExchangeInfo(sslBuffer *buf, sslEphemeralKeyPair *keyPair) |
125 | 0 | { |
126 | 0 | PORT_Assert(keyPair->group->name == ssl_grp_kem_mlkem768x25519); |
127 | 0 | PORT_Assert(keyPair->keys->pubKey->keyType == ecKey); |
128 | | |
129 | | // Encode the ML-KEM-768 key or ciphertext first, then the X25519 share. |
130 | 0 | SECStatus rv; |
131 | 0 | if (keyPair->kemKeys) { |
132 | 0 | PORT_Assert(!keyPair->kemCt); |
133 | 0 | rv = sslBuffer_Append(buf, keyPair->kemKeys->pubKey->u.kyber.publicValue.data, keyPair->kemKeys->pubKey->u.kyber.publicValue.len); |
134 | 0 | } else if (keyPair->kemCt) { |
135 | 0 | rv = sslBuffer_Append(buf, keyPair->kemCt->data, keyPair->kemCt->len); |
136 | 0 | } else { |
137 | 0 | PORT_Assert(0); |
138 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
139 | 0 | rv = SECFailure; |
140 | 0 | } |
141 | 0 | if (rv != SECSuccess) { |
142 | 0 | return rv; |
143 | 0 | } |
144 | | |
145 | 0 | rv = sslBuffer_Append(buf, keyPair->keys->pubKey->u.ec.publicValue.data, |
146 | 0 | keyPair->keys->pubKey->u.ec.publicValue.len); |
147 | 0 | return rv; |
148 | 0 | } |
149 | | |
150 | | static SECStatus |
151 | | tls13_WriteKeyExchangeInfo(sslBuffer *buf, sslEphemeralKeyPair *keyPair) |
152 | 0 | { |
153 | 0 | SECStatus rv; |
154 | 0 | const SECKEYPublicKey *pubKey = keyPair->keys->pubKey; |
155 | 0 | switch (pubKey->keyType) { |
156 | 0 | case ecKey: |
157 | 0 | rv = sslBuffer_Append(buf, pubKey->u.ec.publicValue.data, |
158 | 0 | pubKey->u.ec.publicValue.len); |
159 | 0 | break; |
160 | 0 | case dhKey: |
161 | 0 | rv = ssl_AppendPaddedDHKeyShare(buf, pubKey, PR_FALSE); |
162 | 0 | break; |
163 | 0 | default: |
164 | 0 | PORT_Assert(0); |
165 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
166 | 0 | rv = SECFailure; |
167 | 0 | break; |
168 | 0 | } |
169 | | |
170 | 0 | return rv; |
171 | 0 | } |
172 | | |
173 | | SECStatus |
174 | | tls13_EncodeKeyShareEntry(sslBuffer *buf, sslEphemeralKeyPair *keyPair) |
175 | 0 | { |
176 | 0 | SECStatus rv; |
177 | 0 | unsigned int size = tls13_SizeOfKeyShareEntry(keyPair); |
178 | |
|
179 | 0 | rv = sslBuffer_AppendNumber(buf, keyPair->group->name, 2); |
180 | 0 | if (rv != SECSuccess) { |
181 | 0 | return rv; |
182 | 0 | } |
183 | | |
184 | 0 | rv = sslBuffer_AppendNumber(buf, size - 4, 2); |
185 | 0 | if (rv != SECSuccess) { |
186 | 0 | return rv; |
187 | 0 | } |
188 | | |
189 | 0 | switch (keyPair->group->name) { |
190 | 0 | case ssl_grp_kem_mlkem768x25519: |
191 | 0 | rv = tls13_WriteMLKEM768X25519KeyExchangeInfo(buf, keyPair); |
192 | 0 | break; |
193 | 0 | case ssl_grp_kem_xyber768d00: |
194 | 0 | rv = tls13_WriteXyber768D00KeyExchangeInfo(buf, keyPair); |
195 | 0 | break; |
196 | 0 | default: |
197 | 0 | rv = tls13_WriteKeyExchangeInfo(buf, keyPair); |
198 | 0 | break; |
199 | 0 | } |
200 | 0 | return rv; |
201 | 0 | } |
202 | | |
203 | | SECStatus |
204 | | tls13_ClientSendKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
205 | | sslBuffer *buf, PRBool *added) |
206 | 0 | { |
207 | 0 | SECStatus rv; |
208 | 0 | PRCList *cursor; |
209 | 0 | unsigned int lengthOffset; |
210 | |
|
211 | 0 | if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3) { |
212 | 0 | return SECSuccess; |
213 | 0 | } |
214 | | |
215 | | /* Optimistically try to send an ECDHE key using the |
216 | | * preexisting key (in future will be keys) */ |
217 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: send client key share xtn", |
218 | 0 | SSL_GETPID(), ss->fd)); |
219 | | |
220 | | /* Save the offset to the length. */ |
221 | 0 | rv = sslBuffer_Skip(buf, 2, &lengthOffset); |
222 | 0 | if (rv != SECSuccess) { |
223 | 0 | return SECFailure; |
224 | 0 | } |
225 | | |
226 | 0 | for (cursor = PR_NEXT_LINK(&ss->ephemeralKeyPairs); |
227 | 0 | cursor != &ss->ephemeralKeyPairs; |
228 | 0 | cursor = PR_NEXT_LINK(cursor)) { |
229 | 0 | sslEphemeralKeyPair *keyPair = (sslEphemeralKeyPair *)cursor; |
230 | 0 | rv = tls13_EncodeKeyShareEntry(buf, keyPair); |
231 | 0 | if (rv != SECSuccess) { |
232 | 0 | return SECFailure; |
233 | 0 | } |
234 | 0 | } |
235 | | |
236 | | /* GREASE KeyShareEntry: |
237 | | * [The client] MAY also send KeyShareEntry values for a subset of those |
238 | | * selected in the "key_share" extension. For each of these, the |
239 | | * "key_exchange" field MAY be any value [RFC8701, Section 3.1]. |
240 | | * |
241 | | * By default we do not send KeyShares for every NamedGroup so the |
242 | | * ServerKeyShare handshake message / additional round-trip is not |
243 | | * triggered by sending GREASE KeyShareEntries. */ |
244 | 0 | if (ss->opt.enableGrease) { |
245 | 0 | rv = sslBuffer_AppendNumber(buf, ss->ssl3.hs.grease->idx[grease_group], 2); |
246 | 0 | if (rv != SECSuccess) |
247 | 0 | return rv; |
248 | | /* Entry length */ |
249 | 0 | rv = sslBuffer_AppendNumber(buf, 2, 2); |
250 | 0 | if (rv != SECSuccess) |
251 | 0 | return rv; |
252 | | /* Entry value */ |
253 | 0 | rv = sslBuffer_AppendNumber(buf, 0xCD, 2); |
254 | 0 | if (rv != SECSuccess) |
255 | 0 | return rv; |
256 | 0 | } |
257 | | |
258 | 0 | rv = sslBuffer_InsertLength(buf, lengthOffset, 2); |
259 | 0 | if (rv != SECSuccess) { |
260 | 0 | return SECFailure; |
261 | 0 | } |
262 | | |
263 | 0 | *added = PR_TRUE; |
264 | 0 | return SECSuccess; |
265 | 0 | } |
266 | | |
267 | | SECStatus |
268 | | tls13_DecodeKeyShareEntry(sslReader *rdr, TLS13KeyShareEntry **ksp) |
269 | 0 | { |
270 | 0 | SECStatus rv; |
271 | 0 | PRUint64 group; |
272 | 0 | const sslNamedGroupDef *groupDef; |
273 | 0 | TLS13KeyShareEntry *ks = NULL; |
274 | 0 | sslReadBuffer share; |
275 | |
|
276 | 0 | rv = sslRead_ReadNumber(rdr, 2, &group); |
277 | 0 | if (rv != SECSuccess) { |
278 | 0 | goto loser; |
279 | 0 | } |
280 | 0 | groupDef = ssl_LookupNamedGroup(group); |
281 | 0 | rv = sslRead_ReadVariable(rdr, 2, &share); |
282 | 0 | if (rv != SECSuccess) { |
283 | 0 | goto loser; |
284 | 0 | } |
285 | | |
286 | | /* This has to happen here because we want to consume |
287 | | * the entire entry even if the group is unknown |
288 | | * or disabled. */ |
289 | | /* If the group is disabled, continue. */ |
290 | 0 | if (!groupDef) { |
291 | 0 | return SECSuccess; |
292 | 0 | } |
293 | | |
294 | 0 | ks = PORT_ZNew(TLS13KeyShareEntry); |
295 | 0 | if (!ks) { |
296 | 0 | goto loser; |
297 | 0 | } |
298 | 0 | ks->group = groupDef; |
299 | |
|
300 | 0 | rv = SECITEM_MakeItem(NULL, &ks->key_exchange, |
301 | 0 | share.buf, share.len); |
302 | 0 | if (rv != SECSuccess) { |
303 | 0 | goto loser; |
304 | 0 | } |
305 | | |
306 | 0 | *ksp = ks; |
307 | 0 | return SECSuccess; |
308 | | |
309 | 0 | loser: |
310 | 0 | tls13_DestroyKeyShareEntry(ks); |
311 | |
|
312 | 0 | return SECFailure; |
313 | 0 | } |
314 | | /* Handle an incoming KeyShare extension at the client and copy to |
315 | | * |xtnData->remoteKeyShares| for future use. The key |
316 | | * share is processed in tls13_HandleServerKeyShare(). */ |
317 | | SECStatus |
318 | | tls13_ClientHandleKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
319 | | SECItem *data) |
320 | 0 | { |
321 | 0 | SECStatus rv; |
322 | 0 | PORT_Assert(PR_CLIST_IS_EMPTY(&xtnData->remoteKeyShares)); |
323 | 0 | TLS13KeyShareEntry *ks = NULL; |
324 | |
|
325 | 0 | PORT_Assert(!ss->sec.isServer); |
326 | | |
327 | | /* The server must not send this extension when negotiating < TLS 1.3. */ |
328 | 0 | if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { |
329 | 0 | PORT_SetError(SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION); |
330 | 0 | return SECFailure; |
331 | 0 | } |
332 | | |
333 | 0 | SSL_TRC(3, ("%d: SSL3[%d]: handle key_share extension", |
334 | 0 | SSL_GETPID(), ss->fd)); |
335 | |
|
336 | 0 | sslReader rdr = SSL_READER(data->data, data->len); |
337 | 0 | rv = tls13_DecodeKeyShareEntry(&rdr, &ks); |
338 | 0 | if ((rv != SECSuccess) || !ks) { |
339 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); |
340 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE); |
341 | 0 | return SECFailure; |
342 | 0 | } |
343 | | |
344 | 0 | if (SSL_READER_REMAINING(&rdr)) { |
345 | 0 | tls13_DestroyKeyShareEntry(ks); |
346 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE); |
347 | 0 | return SECFailure; |
348 | 0 | } |
349 | 0 | PR_APPEND_LINK(&ks->link, &xtnData->remoteKeyShares); |
350 | |
|
351 | 0 | return SECSuccess; |
352 | 0 | } |
353 | | |
354 | | SECStatus |
355 | | tls13_ClientHandleKeyShareXtnHrr(const sslSocket *ss, TLSExtensionData *xtnData, |
356 | | SECItem *data) |
357 | 0 | { |
358 | 0 | SECStatus rv; |
359 | 0 | PRUint32 tmp; |
360 | 0 | const sslNamedGroupDef *group; |
361 | |
|
362 | 0 | PORT_Assert(!ss->sec.isServer); |
363 | 0 | PORT_Assert(ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3); |
364 | |
|
365 | 0 | SSL_TRC(3, ("%d: SSL3[%d]: handle key_share extension in HRR", |
366 | 0 | SSL_GETPID(), ss->fd)); |
367 | |
|
368 | 0 | rv = ssl3_ExtConsumeHandshakeNumber(ss, &tmp, 2, &data->data, &data->len); |
369 | 0 | if (rv != SECSuccess) { |
370 | 0 | return SECFailure; /* error code already set */ |
371 | 0 | } |
372 | 0 | if (data->len) { |
373 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, decode_error); |
374 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST); |
375 | 0 | return SECFailure; |
376 | 0 | } |
377 | | |
378 | 0 | group = ssl_LookupNamedGroup((SSLNamedGroup)tmp); |
379 | | /* If the group is not enabled, or we already have a share for the |
380 | | * requested group, abort. */ |
381 | 0 | if (!ssl_NamedGroupEnabled(ss, group) || |
382 | 0 | ssl_HaveEphemeralKeyPair(ss, group)) { |
383 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); |
384 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST); |
385 | 0 | return SECFailure; |
386 | 0 | } |
387 | | |
388 | | /* Now delete all the key shares per [draft-ietf-tls-tls13 S 4.1.2] */ |
389 | 0 | ssl_FreeEphemeralKeyPairs(CONST_CAST(sslSocket, ss)); |
390 | | |
391 | | /* And replace with our new share. */ |
392 | 0 | rv = tls13_AddKeyShare(CONST_CAST(sslSocket, ss), group); |
393 | 0 | if (rv != SECSuccess) { |
394 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, internal_error); |
395 | 0 | PORT_SetError(SEC_ERROR_KEYGEN_FAIL); |
396 | 0 | return SECFailure; |
397 | 0 | } |
398 | | |
399 | 0 | return SECSuccess; |
400 | 0 | } |
401 | | |
402 | | /* Handle an incoming KeyShare extension at the server and copy to |
403 | | * |xtnData->remoteKeyShares| for future use. The key |
404 | | * share is processed in tls13_HandleClientKeyShare(). */ |
405 | | SECStatus |
406 | | tls13_ServerHandleKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
407 | | SECItem *data) |
408 | 0 | { |
409 | 0 | SECStatus rv; |
410 | 0 | PRUint32 length; |
411 | |
|
412 | 0 | PORT_Assert(ss->sec.isServer); |
413 | 0 | PORT_Assert(PR_CLIST_IS_EMPTY(&xtnData->remoteKeyShares)); |
414 | |
|
415 | 0 | if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { |
416 | 0 | return SECSuccess; |
417 | 0 | } |
418 | | |
419 | 0 | SSL_TRC(3, ("%d: SSL3[%d]: handle key_share extension", |
420 | 0 | SSL_GETPID(), ss->fd)); |
421 | | |
422 | | /* Redundant length because of TLS encoding (this vector consumes |
423 | | * the entire extension.) */ |
424 | 0 | rv = ssl3_ExtConsumeHandshakeNumber(ss, &length, 2, &data->data, |
425 | 0 | &data->len); |
426 | 0 | if (rv != SECSuccess) |
427 | 0 | goto loser; |
428 | 0 | if (length != data->len) { |
429 | | /* Check for consistency */ |
430 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE); |
431 | 0 | goto loser; |
432 | 0 | } |
433 | | |
434 | 0 | sslReader rdr = SSL_READER(data->data, data->len); |
435 | 0 | while (SSL_READER_REMAINING(&rdr)) { |
436 | 0 | TLS13KeyShareEntry *ks = NULL; |
437 | 0 | rv = tls13_DecodeKeyShareEntry(&rdr, &ks); |
438 | 0 | if (rv != SECSuccess) { |
439 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE); |
440 | 0 | goto loser; |
441 | 0 | } |
442 | 0 | if (ks) { |
443 | | /* |ks| == NULL if this is an unknown group. */ |
444 | 0 | PR_APPEND_LINK(&ks->link, &xtnData->remoteKeyShares); |
445 | 0 | } |
446 | 0 | } |
447 | | |
448 | | /* Keep track of negotiated extensions. */ |
449 | 0 | xtnData->negotiated[xtnData->numNegotiated++] = |
450 | 0 | ssl_tls13_key_share_xtn; |
451 | |
|
452 | 0 | return SECSuccess; |
453 | | |
454 | 0 | loser: |
455 | 0 | tls13_DestroyKeyShares(&xtnData->remoteKeyShares); |
456 | 0 | return SECFailure; |
457 | 0 | } |
458 | | |
459 | | SECStatus |
460 | | tls13_ServerSendKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
461 | | sslBuffer *buf, PRBool *added) |
462 | 0 | { |
463 | 0 | SECStatus rv; |
464 | 0 | sslEphemeralKeyPair *keyPair; |
465 | | |
466 | | /* There should be exactly one key share. */ |
467 | 0 | PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ephemeralKeyPairs)); |
468 | 0 | PORT_Assert(PR_PREV_LINK(&ss->ephemeralKeyPairs) == |
469 | 0 | PR_NEXT_LINK(&ss->ephemeralKeyPairs)); |
470 | |
|
471 | 0 | keyPair = (sslEphemeralKeyPair *)PR_NEXT_LINK(&ss->ephemeralKeyPairs); |
472 | |
|
473 | 0 | rv = tls13_EncodeKeyShareEntry(buf, keyPair); |
474 | 0 | if (rv != SECSuccess) { |
475 | 0 | return SECFailure; |
476 | 0 | } |
477 | | |
478 | 0 | *added = PR_TRUE; |
479 | 0 | return SECSuccess; |
480 | 0 | } |
481 | | |
482 | | /* Called by clients. |
483 | | * |
484 | | * struct { |
485 | | * opaque identity<0..2^16-1>; |
486 | | * uint32 obfuscated_ticket_age; |
487 | | * } PskIdentity; |
488 | | * |
489 | | * opaque PskBinderEntry<32..255>; |
490 | | * |
491 | | * struct { |
492 | | * select (Handshake.msg_type) { |
493 | | * case client_hello: |
494 | | * PskIdentity identities<6..2^16-1>; |
495 | | * PskBinderEntry binders<33..2^16-1>; |
496 | | * |
497 | | * case server_hello: |
498 | | * uint16 selected_identity; |
499 | | * }; |
500 | | * |
501 | | * } PreSharedKeyExtension; |
502 | | */ |
503 | | SECStatus |
504 | | tls13_ClientSendPreSharedKeyXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
505 | | sslBuffer *buf, PRBool *added) |
506 | 0 | { |
507 | 0 | const static PRUint8 binder[TLS13_MAX_FINISHED_SIZE] = { 0 }; |
508 | 0 | unsigned int binderLen; |
509 | 0 | unsigned int identityLen = 0; |
510 | 0 | const PRUint8 *identity = NULL; |
511 | 0 | PRTime age; |
512 | 0 | SECStatus rv; |
513 | | |
514 | | /* Exit early if no PSKs or max version < 1.3. */ |
515 | 0 | if (PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks) || |
516 | 0 | ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3) { |
517 | 0 | return SECSuccess; |
518 | 0 | } |
519 | | |
520 | | /* ...or if PSK type is resumption, but we're not resuming. */ |
521 | 0 | sslPsk *psk = (sslPsk *)PR_LIST_HEAD(&ss->ssl3.hs.psks); |
522 | 0 | if (psk->type == ssl_psk_resume && !ss->statelessResume) { |
523 | 0 | return SECSuccess; |
524 | 0 | } |
525 | | |
526 | | /* ...or if PSKs are incompatible with negotiated ciphersuites |
527 | | * (different hash algorithms) on HRR. |
528 | | * |
529 | | * In addition, in its updated ClientHello, the client SHOULD NOT offer any |
530 | | * pre-shared keys associated with a hash other than that of the selected |
531 | | * cipher suite. This allows the client to avoid having to compute partial |
532 | | * hash transcripts for multiple hashes in the second ClientHello |
533 | | * [RFC8446, Section 4.1.4]. */ |
534 | 0 | if (ss->ssl3.hs.helloRetry && |
535 | 0 | (psk->hash != ss->ssl3.hs.suite_def->prf_hash)) { |
536 | 0 | return SECSuccess; |
537 | 0 | } |
538 | | |
539 | | /* Save where this extension starts so that if we have to add padding, it |
540 | | * can be inserted before this extension. */ |
541 | 0 | PORT_Assert(buf->len >= 4); |
542 | 0 | xtnData->lastXtnOffset = buf->len - 4; |
543 | 0 | PORT_Assert(psk->type == ssl_psk_resume || psk->type == ssl_psk_external); |
544 | 0 | binderLen = tls13_GetHashSizeForHash(psk->hash); |
545 | 0 | if (psk->type == ssl_psk_resume) { |
546 | | /* Send a single ticket identity. */ |
547 | 0 | NewSessionTicket *session_ticket = &ss->sec.ci.sid->u.ssl3.locked.sessionTicket; |
548 | 0 | identityLen = session_ticket->ticket.len; |
549 | 0 | identity = session_ticket->ticket.data; |
550 | | |
551 | | /* Obfuscated age. */ |
552 | 0 | age = ssl_Time(ss) - session_ticket->received_timestamp; |
553 | 0 | age /= PR_USEC_PER_MSEC; |
554 | 0 | age += session_ticket->ticket_age_add; |
555 | 0 | PRINT_BUF(50, (ss, "Sending Resumption PSK with identity", identity, identityLen)); |
556 | 0 | } else if (psk->type == ssl_psk_external) { |
557 | 0 | identityLen = psk->label.len; |
558 | 0 | identity = psk->label.data; |
559 | 0 | age = 0; |
560 | 0 | PRINT_BUF(50, (ss, "Sending External PSK with label", identity, identityLen)); |
561 | 0 | } else { |
562 | 0 | PORT_Assert(0); |
563 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
564 | 0 | return SECFailure; |
565 | 0 | } |
566 | | |
567 | | /* Length is len(identityLen) + identityLen + len(age) */ |
568 | 0 | rv = sslBuffer_AppendNumber(buf, 2 + identityLen + 4, 2); |
569 | 0 | if (rv != SECSuccess) { |
570 | 0 | goto loser; |
571 | 0 | } |
572 | | |
573 | 0 | rv = sslBuffer_AppendVariable(buf, identity, |
574 | 0 | identityLen, 2); |
575 | 0 | if (rv != SECSuccess) { |
576 | 0 | goto loser; |
577 | 0 | } |
578 | | |
579 | 0 | rv = sslBuffer_AppendNumber(buf, age, 4); |
580 | 0 | if (rv != SECSuccess) { |
581 | 0 | goto loser; |
582 | 0 | } |
583 | | |
584 | | /* Write out the binder list length. */ |
585 | 0 | rv = sslBuffer_AppendNumber(buf, binderLen + 1, 2); |
586 | 0 | if (rv != SECSuccess) { |
587 | 0 | goto loser; |
588 | 0 | } |
589 | | |
590 | | /* Write zeroes for the binder for the moment. These |
591 | | * are overwritten in tls13_WriteExtensionsWithBinder. */ |
592 | 0 | rv = sslBuffer_AppendVariable(buf, binder, binderLen, 1); |
593 | 0 | if (rv != SECSuccess) { |
594 | 0 | goto loser; |
595 | 0 | } |
596 | | |
597 | 0 | if (psk->type == ssl_psk_resume) { |
598 | 0 | xtnData->sentSessionTicketInClientHello = PR_TRUE; |
599 | 0 | } |
600 | |
|
601 | 0 | *added = PR_TRUE; |
602 | 0 | return SECSuccess; |
603 | | |
604 | 0 | loser: |
605 | 0 | xtnData->ticketTimestampVerified = PR_FALSE; |
606 | 0 | return SECFailure; |
607 | 0 | } |
608 | | |
609 | | /* Handle a TLS 1.3 PreSharedKey Extension. */ |
610 | | SECStatus |
611 | | tls13_ServerHandlePreSharedKeyXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
612 | | SECItem *data) |
613 | 0 | { |
614 | 0 | SECItem inner; |
615 | 0 | SECStatus rv; |
616 | 0 | unsigned int numIdentities = 0; |
617 | 0 | unsigned int numBinders = 0; |
618 | 0 | SECItem *appToken; |
619 | |
|
620 | 0 | SSL_TRC(3, ("%d: SSL3[%d]: handle pre_shared_key extension", |
621 | 0 | SSL_GETPID(), ss->fd)); |
622 | | |
623 | | /* If we are doing < TLS 1.3, then ignore this. */ |
624 | 0 | if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { |
625 | 0 | return SECSuccess; |
626 | 0 | } |
627 | | |
628 | | /* The application token is set via the cookie extension if this is the |
629 | | * second ClientHello. Don't set it twice. The cookie extension handler |
630 | | * sets |helloRetry| and that will have been called already because this |
631 | | * extension always comes last. */ |
632 | 0 | if (!ss->ssl3.hs.helloRetry) { |
633 | 0 | appToken = &xtnData->applicationToken; |
634 | 0 | } else { |
635 | 0 | appToken = NULL; |
636 | 0 | } |
637 | | |
638 | | /* Parse the identities list. */ |
639 | 0 | rv = ssl3_ExtConsumeHandshakeVariable(ss, &inner, 2, |
640 | 0 | &data->data, &data->len); |
641 | 0 | if (rv != SECSuccess) { |
642 | 0 | return SECFailure; |
643 | 0 | } |
644 | | |
645 | 0 | while (inner.len) { |
646 | 0 | SECItem label; |
647 | 0 | PRUint32 obfuscatedAge; |
648 | |
|
649 | 0 | rv = ssl3_ExtConsumeHandshakeVariable(ss, &label, 2, |
650 | 0 | &inner.data, &inner.len); |
651 | 0 | if (rv != SECSuccess) |
652 | 0 | return rv; |
653 | 0 | if (!label.len) { |
654 | 0 | goto alert_loser; |
655 | 0 | } |
656 | | |
657 | 0 | rv = ssl3_ExtConsumeHandshakeNumber(ss, &obfuscatedAge, 4, |
658 | 0 | &inner.data, &inner.len); |
659 | 0 | if (rv != SECSuccess) |
660 | 0 | return rv; |
661 | | |
662 | 0 | if (!numIdentities) { |
663 | | /* Check any configured external PSK for a matching label. |
664 | | * If none exists, try to parse it as a ticket. */ |
665 | 0 | PORT_Assert(!xtnData->selectedPsk); |
666 | 0 | for (PRCList *cur_p = PR_LIST_HEAD(&ss->ssl3.hs.psks); |
667 | 0 | cur_p != &ss->ssl3.hs.psks; |
668 | 0 | cur_p = PR_NEXT_LINK(cur_p)) { |
669 | 0 | sslPsk *psk = (sslPsk *)cur_p; |
670 | 0 | if (psk->type != ssl_psk_external || |
671 | 0 | SECITEM_CompareItem(&psk->label, &label) != SECEqual) { |
672 | 0 | continue; |
673 | 0 | } |
674 | 0 | PRINT_BUF(50, (ss, "Using External PSK with label", |
675 | 0 | psk->label.data, psk->label.len)); |
676 | 0 | xtnData->selectedPsk = psk; |
677 | 0 | } |
678 | |
|
679 | 0 | if (!xtnData->selectedPsk) { |
680 | 0 | PRINT_BUF(50, (ss, "Handling PreSharedKey value", |
681 | 0 | label.data, label.len)); |
682 | 0 | rv = ssl3_ProcessSessionTicketCommon( |
683 | 0 | CONST_CAST(sslSocket, ss), &label, appToken); |
684 | | /* This only happens if we have an internal error, not |
685 | | * a malformed ticket. Bogus tickets just don't resume |
686 | | * and return SECSuccess. */ |
687 | 0 | if (rv != SECSuccess) { |
688 | 0 | return SECFailure; |
689 | 0 | } |
690 | | |
691 | 0 | if (ss->sec.ci.sid) { |
692 | | /* xtnData->ticketAge contains the baseline we use for |
693 | | * calculating the ticket age (i.e., our RTT estimate less the |
694 | | * value of ticket_age_add). |
695 | | * |
696 | | * Add that to the obfuscated ticket age to recover the client's |
697 | | * view of the ticket age plus the estimated RTT. |
698 | | * |
699 | | * See ssl3_EncodeSessionTicket() for details. */ |
700 | 0 | xtnData->ticketAge += obfuscatedAge; |
701 | | |
702 | | /* We are not committed to resumption until after unwrapping the |
703 | | * RMS in tls13_HandleClientHelloPart2. The RPSK will be stored |
704 | | * in ss->xtnData.selectedPsk at that point, so continue. */ |
705 | 0 | } |
706 | 0 | } |
707 | 0 | } |
708 | | |
709 | 0 | ++numIdentities; |
710 | 0 | } |
711 | | |
712 | 0 | xtnData->pskBindersLen = data->len; |
713 | | |
714 | | /* Parse the binders list. */ |
715 | 0 | rv = ssl3_ExtConsumeHandshakeVariable(ss, |
716 | 0 | &inner, 2, &data->data, &data->len); |
717 | 0 | if (rv != SECSuccess) |
718 | 0 | return SECFailure; |
719 | 0 | if (data->len) { |
720 | 0 | goto alert_loser; |
721 | 0 | } |
722 | | |
723 | 0 | while (inner.len) { |
724 | 0 | SECItem binder; |
725 | 0 | rv = ssl3_ExtConsumeHandshakeVariable(ss, &binder, 1, |
726 | 0 | &inner.data, &inner.len); |
727 | 0 | if (rv != SECSuccess) |
728 | 0 | return rv; |
729 | 0 | if (binder.len < 32) { |
730 | 0 | goto alert_loser; |
731 | 0 | } |
732 | | |
733 | 0 | if (!numBinders) { |
734 | 0 | xtnData->pskBinder = binder; |
735 | 0 | } |
736 | 0 | ++numBinders; |
737 | 0 | } |
738 | | |
739 | 0 | if (numBinders != numIdentities) |
740 | 0 | goto alert_loser; |
741 | | |
742 | 0 | if (ss->statelessResume) { |
743 | 0 | PORT_Assert(!ss->xtnData.selectedPsk); |
744 | 0 | } else if (!xtnData->selectedPsk) { |
745 | | /* No matching EPSK. */ |
746 | 0 | return SECSuccess; |
747 | 0 | } |
748 | | |
749 | 0 | xtnData->negotiated[xtnData->numNegotiated++] = ssl_tls13_pre_shared_key_xtn; |
750 | 0 | return SECSuccess; |
751 | | |
752 | 0 | alert_loser: |
753 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); |
754 | 0 | PORT_SetError(SSL_ERROR_MALFORMED_PRE_SHARED_KEY); |
755 | 0 | return SECFailure; |
756 | 0 | } |
757 | | |
758 | | SECStatus |
759 | | tls13_ServerSendPreSharedKeyXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
760 | | sslBuffer *buf, PRBool *added) |
761 | 0 | { |
762 | 0 | SECStatus rv; |
763 | | |
764 | | /* We only process the first session ticket the client sends, |
765 | | * so the index is always 0. */ |
766 | 0 | rv = sslBuffer_AppendNumber(buf, 0, 2); |
767 | 0 | if (rv != SECSuccess) { |
768 | 0 | return SECFailure; |
769 | 0 | } |
770 | | |
771 | 0 | *added = PR_TRUE; |
772 | 0 | return SECSuccess; |
773 | 0 | } |
774 | | |
775 | | /* Handle a TLS 1.3 PreSharedKey Extension. */ |
776 | | SECStatus |
777 | | tls13_ClientHandlePreSharedKeyXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
778 | | SECItem *data) |
779 | 0 | { |
780 | 0 | PRUint32 index; |
781 | 0 | SECStatus rv; |
782 | |
|
783 | 0 | SSL_TRC(3, ("%d: SSL3[%d]: handle pre_shared_key extension", |
784 | 0 | SSL_GETPID(), ss->fd)); |
785 | | |
786 | | /* The server must not send this extension when negotiating < TLS 1.3. */ |
787 | 0 | if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { |
788 | 0 | PORT_SetError(SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION); |
789 | 0 | return SECFailure; |
790 | 0 | } |
791 | | |
792 | 0 | rv = ssl3_ExtConsumeHandshakeNumber(ss, &index, 2, &data->data, &data->len); |
793 | 0 | if (rv != SECSuccess) |
794 | 0 | return SECFailure; |
795 | | |
796 | | /* This should be the end of the extension. */ |
797 | 0 | if (data->len) { |
798 | 0 | PORT_SetError(SSL_ERROR_MALFORMED_PRE_SHARED_KEY); |
799 | 0 | return SECFailure; |
800 | 0 | } |
801 | | |
802 | | /* We only sent one PSK label so index must be equal to 0 */ |
803 | 0 | if (index) { |
804 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); |
805 | 0 | PORT_SetError(SSL_ERROR_MALFORMED_PRE_SHARED_KEY); |
806 | 0 | return SECFailure; |
807 | 0 | } |
808 | | |
809 | 0 | PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks)); |
810 | 0 | sslPsk *candidate = (sslPsk *)PR_LIST_HEAD(&ss->ssl3.hs.psks); |
811 | | |
812 | | /* Check that the server-selected ciphersuite hash and PSK hash match. */ |
813 | 0 | if (candidate->hash != tls13_GetHashForCipherSuite(ss->ssl3.hs.cipher_suite)) { |
814 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); |
815 | 0 | return SECFailure; |
816 | 0 | } |
817 | | |
818 | | /* Keep track of negotiated extensions. */ |
819 | 0 | xtnData->negotiated[xtnData->numNegotiated++] = ssl_tls13_pre_shared_key_xtn; |
820 | 0 | xtnData->selectedPsk = candidate; |
821 | |
|
822 | 0 | return SECSuccess; |
823 | 0 | } |
824 | | |
825 | | /* |
826 | | * struct { } EarlyDataIndication; |
827 | | */ |
828 | | SECStatus |
829 | | tls13_ClientSendEarlyDataXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
830 | | sslBuffer *buf, PRBool *added) |
831 | 0 | { |
832 | 0 | if (!tls13_ClientAllow0Rtt(ss, ss->sec.ci.sid)) { |
833 | 0 | return SECSuccess; |
834 | 0 | } |
835 | | |
836 | 0 | *added = PR_TRUE; |
837 | 0 | return SECSuccess; |
838 | 0 | } |
839 | | |
840 | | SECStatus |
841 | | tls13_ServerHandleEarlyDataXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
842 | | SECItem *data) |
843 | 0 | { |
844 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: handle early_data extension", |
845 | 0 | SSL_GETPID(), ss->fd)); |
846 | | |
847 | | /* If we are doing < TLS 1.3, then ignore this. */ |
848 | 0 | if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { |
849 | 0 | return SECSuccess; |
850 | 0 | } |
851 | | |
852 | 0 | if (ss->ssl3.hs.helloRetry) { |
853 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, unsupported_extension); |
854 | 0 | PORT_SetError(SSL_ERROR_RX_UNEXPECTED_EXTENSION); |
855 | 0 | return SECFailure; |
856 | 0 | } |
857 | | |
858 | 0 | if (data->len) { |
859 | 0 | PORT_SetError(SSL_ERROR_MALFORMED_EARLY_DATA); |
860 | 0 | return SECFailure; |
861 | 0 | } |
862 | | |
863 | 0 | xtnData->negotiated[xtnData->numNegotiated++] = ssl_tls13_early_data_xtn; |
864 | |
|
865 | 0 | return SECSuccess; |
866 | 0 | } |
867 | | |
868 | | /* This will only be called if we also offered the extension. */ |
869 | | SECStatus |
870 | | tls13_ClientHandleEarlyDataXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
871 | | SECItem *data) |
872 | 0 | { |
873 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: handle early_data extension", |
874 | 0 | SSL_GETPID(), ss->fd)); |
875 | | |
876 | | /* The server must not send this extension when negotiating < TLS 1.3. */ |
877 | 0 | if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { |
878 | 0 | PORT_SetError(SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION); |
879 | 0 | return SECFailure; |
880 | 0 | } |
881 | | |
882 | 0 | if (data->len) { |
883 | 0 | PORT_SetError(SSL_ERROR_MALFORMED_EARLY_DATA); |
884 | 0 | return SECFailure; |
885 | 0 | } |
886 | | |
887 | | /* Keep track of negotiated extensions. */ |
888 | 0 | xtnData->negotiated[xtnData->numNegotiated++] = ssl_tls13_early_data_xtn; |
889 | |
|
890 | 0 | return SECSuccess; |
891 | 0 | } |
892 | | |
893 | | SECStatus |
894 | | tls13_ClientHandleTicketEarlyDataXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
895 | | SECItem *data) |
896 | 0 | { |
897 | 0 | PRUint32 utmp; |
898 | 0 | SECStatus rv; |
899 | |
|
900 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: handle ticket early_data extension", |
901 | 0 | SSL_GETPID(), ss->fd)); |
902 | | |
903 | | /* The server must not send this extension when negotiating < TLS 1.3. */ |
904 | 0 | if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { |
905 | 0 | PORT_SetError(SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION); |
906 | 0 | return SECFailure; |
907 | 0 | } |
908 | | |
909 | 0 | rv = ssl3_ExtConsumeHandshake(ss, &utmp, sizeof(utmp), |
910 | 0 | &data->data, &data->len); |
911 | 0 | if (rv != SECSuccess) { |
912 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET); |
913 | 0 | return SECFailure; |
914 | 0 | } |
915 | 0 | if (data->len) { |
916 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET); |
917 | 0 | return SECFailure; |
918 | 0 | } |
919 | | |
920 | 0 | xtnData->max_early_data_size = PR_ntohl(utmp); |
921 | |
|
922 | 0 | return SECSuccess; |
923 | 0 | } |
924 | | |
925 | | /* |
926 | | * struct { |
927 | | * select (Handshake.msg_type) { |
928 | | * case client_hello: |
929 | | * ProtocolVersion versions<2..254>; |
930 | | * case server_hello: |
931 | | * ProtocolVersion version; |
932 | | * }; |
933 | | * } SupportedVersions; |
934 | | */ |
935 | | SECStatus |
936 | | tls13_ClientSendSupportedVersionsXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
937 | | sslBuffer *buf, PRBool *added) |
938 | 0 | { |
939 | 0 | PRUint16 version; |
940 | 0 | unsigned int lengthOffset; |
941 | 0 | SECStatus rv; |
942 | |
|
943 | 0 | if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3) { |
944 | 0 | return SECSuccess; |
945 | 0 | } |
946 | | |
947 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: client send supported_versions extension", |
948 | 0 | SSL_GETPID(), ss->fd)); |
949 | |
|
950 | 0 | rv = sslBuffer_Skip(buf, 1, &lengthOffset); |
951 | 0 | if (rv != SECSuccess) { |
952 | 0 | return SECFailure; |
953 | 0 | } |
954 | | |
955 | 0 | PORT_Assert(!ss->ssl3.hs.echHpkeCtx || ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3); |
956 | 0 | for (version = ss->vrange.max; version >= ss->vrange.min; --version) { |
957 | 0 | PRUint16 wire = tls13_EncodeVersion(version, |
958 | 0 | ss->protocolVariant); |
959 | 0 | rv = sslBuffer_AppendNumber(buf, wire, 2); |
960 | 0 | if (rv != SECSuccess) { |
961 | 0 | return SECFailure; |
962 | 0 | } |
963 | | |
964 | 0 | if (ss->opt.enableDtls13VersionCompat && |
965 | 0 | ss->protocolVariant == ssl_variant_datagram) { |
966 | 0 | switch (version) { |
967 | 0 | case SSL_LIBRARY_VERSION_TLS_1_2: |
968 | 0 | case SSL_LIBRARY_VERSION_TLS_1_1: |
969 | 0 | rv = sslBuffer_AppendNumber(buf, (PRUint16)version, 2); |
970 | 0 | break; |
971 | 0 | default: |
972 | 0 | continue; |
973 | 0 | } |
974 | 0 | if (rv != SECSuccess) { |
975 | 0 | return SECFailure; |
976 | 0 | } |
977 | 0 | } |
978 | 0 | } |
979 | | |
980 | | /* GREASE SupportedVersions: |
981 | | * A client MAY select one or more GREASE version values and advertise them |
982 | | * in the "supported_versions" extension, if sent [RFC8701, Section 3.1]. */ |
983 | 0 | if (ss->opt.enableGrease) { |
984 | 0 | rv = sslBuffer_AppendNumber(buf, ss->ssl3.hs.grease->idx[grease_version], 2); |
985 | 0 | if (rv != SECSuccess) { |
986 | 0 | return SECFailure; |
987 | 0 | } |
988 | 0 | } |
989 | | |
990 | 0 | rv = sslBuffer_InsertLength(buf, lengthOffset, 1); |
991 | 0 | if (rv != SECSuccess) { |
992 | 0 | return SECFailure; |
993 | 0 | } |
994 | | |
995 | 0 | *added = PR_TRUE; |
996 | 0 | return SECSuccess; |
997 | 0 | } |
998 | | |
999 | | SECStatus |
1000 | | tls13_ServerSendSupportedVersionsXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
1001 | | sslBuffer *buf, PRBool *added) |
1002 | 0 | { |
1003 | 0 | SECStatus rv; |
1004 | |
|
1005 | 0 | if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { |
1006 | 0 | return SECSuccess; |
1007 | 0 | } |
1008 | | |
1009 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: server send supported_versions extension", |
1010 | 0 | SSL_GETPID(), ss->fd)); |
1011 | |
|
1012 | 0 | PRUint16 ver = tls13_EncodeVersion(SSL_LIBRARY_VERSION_TLS_1_3, |
1013 | 0 | ss->protocolVariant); |
1014 | 0 | rv = sslBuffer_AppendNumber(buf, ver, 2); |
1015 | 0 | if (rv != SECSuccess) { |
1016 | 0 | return SECFailure; |
1017 | 0 | } |
1018 | | |
1019 | 0 | *added = PR_TRUE; |
1020 | 0 | return SECSuccess; |
1021 | 0 | } |
1022 | | |
1023 | | /* |
1024 | | * struct { |
1025 | | * opaque cookie<1..2^16-1>; |
1026 | | * } Cookie; |
1027 | | */ |
1028 | | SECStatus |
1029 | | tls13_ClientHandleHrrCookie(const sslSocket *ss, TLSExtensionData *xtnData, |
1030 | | SECItem *data) |
1031 | 0 | { |
1032 | 0 | SECStatus rv; |
1033 | |
|
1034 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: handle cookie extension", |
1035 | 0 | SSL_GETPID(), ss->fd)); |
1036 | |
|
1037 | 0 | PORT_Assert(ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3); |
1038 | | |
1039 | | /* IMPORTANT: this is only valid while the HelloRetryRequest is still valid. */ |
1040 | 0 | rv = ssl3_ExtConsumeHandshakeVariable( |
1041 | 0 | ss, &CONST_CAST(sslSocket, ss)->ssl3.hs.cookie, 2, |
1042 | 0 | &data->data, &data->len); |
1043 | 0 | if (rv != SECSuccess) { |
1044 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST); |
1045 | 0 | return SECFailure; |
1046 | 0 | } |
1047 | 0 | if (!ss->ssl3.hs.cookie.len || data->len) { |
1048 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, decode_error); |
1049 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST); |
1050 | 0 | return SECFailure; |
1051 | 0 | } |
1052 | | |
1053 | 0 | return SECSuccess; |
1054 | 0 | } |
1055 | | |
1056 | | SECStatus |
1057 | | tls13_ClientSendHrrCookieXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
1058 | | sslBuffer *buf, PRBool *added) |
1059 | 0 | { |
1060 | 0 | SECStatus rv; |
1061 | |
|
1062 | 0 | if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3 || |
1063 | 0 | !ss->ssl3.hs.cookie.len) { |
1064 | 0 | return SECSuccess; |
1065 | 0 | } |
1066 | | |
1067 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: send cookie extension", SSL_GETPID(), ss->fd)); |
1068 | 0 | rv = sslBuffer_AppendVariable(buf, ss->ssl3.hs.cookie.data, |
1069 | 0 | ss->ssl3.hs.cookie.len, 2); |
1070 | 0 | if (rv != SECSuccess) { |
1071 | 0 | return SECFailure; |
1072 | 0 | } |
1073 | | |
1074 | 0 | *added = PR_TRUE; |
1075 | 0 | return SECSuccess; |
1076 | 0 | } |
1077 | | |
1078 | | SECStatus |
1079 | | tls13_ServerHandleCookieXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
1080 | | SECItem *data) |
1081 | 0 | { |
1082 | 0 | SECStatus rv; |
1083 | |
|
1084 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: handle cookie extension", |
1085 | 0 | SSL_GETPID(), ss->fd)); |
1086 | |
|
1087 | 0 | rv = ssl3_ExtConsumeHandshakeVariable(ss, &xtnData->cookie, 2, |
1088 | 0 | &data->data, &data->len); |
1089 | 0 | if (rv != SECSuccess) { |
1090 | 0 | return SECFailure; |
1091 | 0 | } |
1092 | | |
1093 | 0 | if (xtnData->cookie.len == 0) { |
1094 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); |
1095 | 0 | return SECFailure; |
1096 | 0 | } |
1097 | | |
1098 | 0 | if (data->len) { |
1099 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); |
1100 | 0 | return SECFailure; |
1101 | 0 | } |
1102 | | |
1103 | | /* Keep track of negotiated extensions. */ |
1104 | 0 | xtnData->negotiated[xtnData->numNegotiated++] = ssl_tls13_cookie_xtn; |
1105 | |
|
1106 | 0 | return SECSuccess; |
1107 | 0 | } |
1108 | | |
1109 | | SECStatus |
1110 | | tls13_ClientSendPostHandshakeAuthXtn(const sslSocket *ss, |
1111 | | TLSExtensionData *xtnData, |
1112 | | sslBuffer *buf, PRBool *added) |
1113 | 0 | { |
1114 | | /* Only one post-handshake message is supported: a single |
1115 | | * NST immediately following the client Finished. */ |
1116 | 0 | if (!IS_DTLS(ss)) { |
1117 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: send post_handshake_auth extension", |
1118 | 0 | SSL_GETPID(), ss->fd)); |
1119 | 0 | *added = ss->opt.enablePostHandshakeAuth; |
1120 | 0 | } |
1121 | 0 | return SECSuccess; |
1122 | 0 | } |
1123 | | |
1124 | | SECStatus |
1125 | | tls13_ServerHandlePostHandshakeAuthXtn(const sslSocket *ss, |
1126 | | TLSExtensionData *xtnData, |
1127 | | SECItem *data) |
1128 | 0 | { |
1129 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: handle post_handshake_auth extension", |
1130 | 0 | SSL_GETPID(), ss->fd)); |
1131 | |
|
1132 | 0 | if (data->len) { |
1133 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); |
1134 | 0 | return SECFailure; |
1135 | 0 | } |
1136 | | |
1137 | | /* Only one post-handshake message is supported: a single |
1138 | | * NST immediately following the client Finished. */ |
1139 | 0 | if (!IS_DTLS(ss)) { |
1140 | | /* Keep track of negotiated extensions. */ |
1141 | 0 | xtnData->negotiated[xtnData->numNegotiated++] = ssl_tls13_post_handshake_auth_xtn; |
1142 | 0 | } |
1143 | |
|
1144 | 0 | return SECSuccess; |
1145 | 0 | } |
1146 | | |
1147 | | /* |
1148 | | * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode; |
1149 | | * |
1150 | | * struct { |
1151 | | * PskKeyExchangeMode ke_modes<1..255>; |
1152 | | * } PskKeyExchangeModes; |
1153 | | */ |
1154 | | SECStatus |
1155 | | tls13_ClientSendPskModesXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
1156 | | sslBuffer *buf, PRBool *added) |
1157 | 0 | { |
1158 | 0 | SECStatus rv; |
1159 | |
|
1160 | 0 | if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3 || |
1161 | 0 | ss->opt.noCache) { |
1162 | 0 | return SECSuccess; |
1163 | 0 | } |
1164 | | |
1165 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: send psk key exchange modes extension", |
1166 | 0 | SSL_GETPID(), ss->fd)); |
1167 | | |
1168 | | /* GREASE PskKeyExchangeMode: |
1169 | | * A client MAY select one or more GREASE PskKeyExchangeMode values and |
1170 | | * advertise them in the "psk_key_exchange_modes" extension, if sent |
1171 | | * [RFC8701, Section 3.1]. */ |
1172 | 0 | if (ss->opt.enableGrease) { |
1173 | 0 | rv = sslBuffer_AppendVariable(buf, (PRUint8[]){ tls13_psk_dh_ke, ss->ssl3.hs.grease->pskKem }, 2, 1); |
1174 | 0 | } else { |
1175 | 0 | rv = sslBuffer_AppendVariable(buf, (PRUint8[]){ tls13_psk_dh_ke }, 1, 1); |
1176 | 0 | } |
1177 | 0 | if (rv != SECSuccess) { |
1178 | 0 | return SECFailure; |
1179 | 0 | } |
1180 | | |
1181 | 0 | *added = PR_TRUE; |
1182 | 0 | return SECSuccess; |
1183 | 0 | } |
1184 | | |
1185 | | SECStatus |
1186 | | tls13_ServerHandlePskModesXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
1187 | | SECItem *data) |
1188 | 0 | { |
1189 | 0 | SECStatus rv; |
1190 | | |
1191 | | /* If we are doing < TLS 1.3, then ignore this. */ |
1192 | 0 | if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { |
1193 | 0 | return SECSuccess; |
1194 | 0 | } |
1195 | | |
1196 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: handle PSK key exchange modes extension", |
1197 | 0 | SSL_GETPID(), ss->fd)); |
1198 | | |
1199 | | /* IMPORTANT: We aren't copying these values, just setting pointers. |
1200 | | * They will only be valid as long as the ClientHello is in memory. */ |
1201 | 0 | rv = ssl3_ExtConsumeHandshakeVariable(ss, |
1202 | 0 | &xtnData->psk_ke_modes, 1, |
1203 | 0 | &data->data, &data->len); |
1204 | 0 | if (rv != SECSuccess) |
1205 | 0 | return rv; |
1206 | 0 | if (!xtnData->psk_ke_modes.len || data->len) { |
1207 | 0 | PORT_SetError(SSL_ERROR_MALFORMED_PSK_KEY_EXCHANGE_MODES); |
1208 | 0 | return SECFailure; |
1209 | 0 | } |
1210 | | |
1211 | | /* Keep track of negotiated extensions. */ |
1212 | 0 | xtnData->negotiated[xtnData->numNegotiated++] = |
1213 | 0 | ssl_tls13_psk_key_exchange_modes_xtn; |
1214 | |
|
1215 | 0 | return SECSuccess; |
1216 | 0 | } |
1217 | | |
1218 | | SECStatus |
1219 | | tls13_SendCertAuthoritiesXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
1220 | | sslBuffer *buf, PRBool *added) |
1221 | 0 | { |
1222 | 0 | unsigned int calen; |
1223 | 0 | const SECItem *name; |
1224 | 0 | unsigned int nnames; |
1225 | 0 | SECStatus rv; |
1226 | |
|
1227 | 0 | PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); |
1228 | |
|
1229 | 0 | rv = ssl_GetCertificateRequestCAs(ss, &calen, &name, &nnames); |
1230 | 0 | if (rv != SECSuccess) { |
1231 | 0 | return SECFailure; |
1232 | 0 | } |
1233 | | |
1234 | 0 | if (!calen) { |
1235 | 0 | return SECSuccess; |
1236 | 0 | } |
1237 | | |
1238 | 0 | rv = sslBuffer_AppendNumber(buf, calen, 2); |
1239 | 0 | if (rv != SECSuccess) { |
1240 | 0 | return SECFailure; |
1241 | 0 | } |
1242 | | |
1243 | 0 | while (nnames) { |
1244 | 0 | rv = sslBuffer_AppendVariable(buf, name->data, name->len, 2); |
1245 | 0 | if (rv != SECSuccess) { |
1246 | 0 | return SECFailure; |
1247 | 0 | } |
1248 | 0 | ++name; |
1249 | 0 | --nnames; |
1250 | 0 | } |
1251 | | |
1252 | 0 | *added = PR_TRUE; |
1253 | 0 | return SECSuccess; |
1254 | 0 | } |
1255 | | |
1256 | | SECStatus |
1257 | | tls13_ClientHandleCertAuthoritiesXtn(const sslSocket *ss, |
1258 | | TLSExtensionData *xtnData, |
1259 | | SECItem *data) |
1260 | 0 | { |
1261 | 0 | SECStatus rv; |
1262 | 0 | PLArenaPool *arena; |
1263 | |
|
1264 | 0 | if (!data->len) { |
1265 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, decode_error); |
1266 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_CERT_REQUEST); |
1267 | 0 | return SECFailure; |
1268 | 0 | } |
1269 | | |
1270 | 0 | arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
1271 | 0 | if (!arena) { |
1272 | 0 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
1273 | 0 | return SECFailure; |
1274 | 0 | } |
1275 | | |
1276 | 0 | xtnData->certReqAuthorities.arena = arena; |
1277 | 0 | rv = ssl3_ParseCertificateRequestCAs((sslSocket *)ss, |
1278 | 0 | &data->data, &data->len, |
1279 | 0 | &xtnData->certReqAuthorities); |
1280 | 0 | if (rv != SECSuccess) { |
1281 | 0 | goto loser; |
1282 | 0 | } |
1283 | 0 | if (data->len) { |
1284 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, decode_error); |
1285 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_CERT_REQUEST); |
1286 | 0 | goto loser; |
1287 | 0 | } |
1288 | 0 | return SECSuccess; |
1289 | | |
1290 | 0 | loser: |
1291 | 0 | PORT_FreeArena(arena, PR_FALSE); |
1292 | 0 | xtnData->certReqAuthorities.arena = NULL; |
1293 | 0 | return SECFailure; |
1294 | 0 | } |
1295 | | |
1296 | | SECStatus |
1297 | | tls13_ServerHandleCertAuthoritiesXtn(const sslSocket *ss, TLSExtensionData *xtnData, SECItem *data) |
1298 | 0 | { |
1299 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: ignore certificate_authorities extension", |
1300 | 0 | SSL_GETPID(), ss->fd)); |
1301 | | /* NSS ignores certificate_authorities in the ClientHello */ |
1302 | 0 | return SECSuccess; |
1303 | 0 | } |
1304 | | |
1305 | | SECStatus |
1306 | | tls13_ServerSendHrrKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
1307 | | sslBuffer *buf, PRBool *added) |
1308 | 0 | { |
1309 | 0 | SECStatus rv; |
1310 | |
|
1311 | 0 | PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); |
1312 | |
|
1313 | 0 | if (!xtnData->selectedGroup) { |
1314 | 0 | return SECSuccess; |
1315 | 0 | } |
1316 | | |
1317 | 0 | rv = sslBuffer_AppendNumber(buf, xtnData->selectedGroup->name, 2); |
1318 | 0 | if (rv != SECSuccess) { |
1319 | 0 | return SECFailure; |
1320 | 0 | } |
1321 | | |
1322 | 0 | *added = PR_TRUE; |
1323 | 0 | return SECSuccess; |
1324 | 0 | } |
1325 | | |
1326 | | SECStatus |
1327 | | tls13_ServerSendHrrCookieXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
1328 | | sslBuffer *buf, PRBool *added) |
1329 | 0 | { |
1330 | 0 | SECStatus rv; |
1331 | |
|
1332 | 0 | PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); |
1333 | 0 | PORT_Assert(xtnData->cookie.len > 0); |
1334 | |
|
1335 | 0 | rv = sslBuffer_AppendVariable(buf, |
1336 | 0 | xtnData->cookie.data, xtnData->cookie.len, 2); |
1337 | 0 | if (rv != SECSuccess) { |
1338 | 0 | return SECFailure; |
1339 | 0 | } |
1340 | | |
1341 | 0 | *added = PR_TRUE; |
1342 | 0 | return SECSuccess; |
1343 | 0 | } |
1344 | | |
1345 | | SECStatus |
1346 | | tls13_ClientHandleHrrEchXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
1347 | | SECItem *data) |
1348 | 0 | { |
1349 | 0 | if (data->len != TLS13_ECH_SIGNAL_LEN) { |
1350 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, decode_error); |
1351 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_ECH_EXTENSION); |
1352 | 0 | return SECFailure; |
1353 | 0 | } |
1354 | 0 | if (!ssl3_ExtensionAdvertised(ss, ssl_tls13_encrypted_client_hello_xtn)) { |
1355 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); |
1356 | 0 | PORT_SetError(SSL_ERROR_RX_UNEXPECTED_EXTENSION); |
1357 | 0 | return SECFailure; |
1358 | 0 | } |
1359 | 0 | if (!ss->ssl3.hs.echHpkeCtx) { |
1360 | 0 | SSL_TRC(50, ("%d: TLS13[%d]: client received GREASEd ECH confirmation", |
1361 | 0 | SSL_GETPID(), ss->fd)); |
1362 | 0 | return SECSuccess; |
1363 | 0 | } |
1364 | 0 | SSL_TRC(50, ("%d: TLS13[%d]: client received HRR ECH confirmation", |
1365 | 0 | SSL_GETPID(), ss->fd)); |
1366 | 0 | PORT_Assert(!xtnData->ech); |
1367 | 0 | xtnData->ech = PORT_ZNew(sslEchXtnState); |
1368 | 0 | if (!xtnData->ech) { |
1369 | 0 | return SECFailure; |
1370 | 0 | } |
1371 | 0 | xtnData->ech->hrrConfirmation = data->data; |
1372 | 0 | return SECSuccess; |
1373 | 0 | } |
1374 | | |
1375 | | SECStatus |
1376 | | tls13_ClientHandleEchXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
1377 | | SECItem *data) |
1378 | 0 | { |
1379 | 0 | SECStatus rv; |
1380 | 0 | PRCList parsedConfigs; |
1381 | 0 | PR_INIT_CLIST(&parsedConfigs); |
1382 | | |
1383 | | /* The [retry config] response is valid only when the server used the |
1384 | | * ClientHelloOuter. If the server sent this extension in response to the |
1385 | | * inner variant [ECH was accepted], then the client MUST abort with an |
1386 | | * "unsupported_extension" alert [draft-ietf-tls-esni-14, Section 5]. */ |
1387 | 0 | if (ss->ssl3.hs.echAccepted) { |
1388 | 0 | PORT_SetError(SSL_ERROR_RX_UNEXPECTED_EXTENSION); |
1389 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, unsupported_extension); |
1390 | 0 | return SECFailure; |
1391 | 0 | } |
1392 | | |
1393 | | /* If the server is configured with any ECHConfigs, it MUST include the |
1394 | | * "encrypted_client_hello" extension in its EncryptedExtensions with the |
1395 | | * "retry_configs" field set to one or more ECHConfig structures with |
1396 | | * up-to-date keys [draft-ietf-tls-esni-14, Section 7.1]. */ |
1397 | 0 | if (ss->ssl3.hs.msg_type != ssl_hs_encrypted_extensions) { |
1398 | 0 | PORT_SetError(SSL_ERROR_RX_UNEXPECTED_EXTENSION); |
1399 | 0 | if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { |
1400 | | /* For TLS < 1.3 the extension is unkown/unsupported. */ |
1401 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, unsupported_extension); |
1402 | 0 | } else { |
1403 | | /* For TLS 1.3 the extension is known but prohibited outside EE |
1404 | | * (see RFC8446, Section 4.2 for alert rationale). */ |
1405 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); |
1406 | 0 | } |
1407 | 0 | return SECFailure; |
1408 | 0 | } |
1409 | | |
1410 | 0 | PORT_Assert(!xtnData->ech); |
1411 | 0 | xtnData->ech = PORT_ZNew(sslEchXtnState); |
1412 | 0 | if (!xtnData->ech) { |
1413 | 0 | return SECFailure; |
1414 | 0 | } |
1415 | | |
1416 | | /* Parse the list to determine 1) That the configs are valid |
1417 | | * and properly encoded, and 2) If any are compatible. */ |
1418 | 0 | rv = tls13_DecodeEchConfigs(data, &parsedConfigs); |
1419 | 0 | if (rv == SECFailure) { |
1420 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, decode_error); |
1421 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_ECH_CONFIG); |
1422 | 0 | return SECFailure; |
1423 | 0 | } |
1424 | | /* Don't mark ECH negotiated on rejection with retry_config. |
1425 | | * Save the the raw configs so the application can retry. If |
1426 | | * we sent GREASE ECH (no echHpkeCtx), don't apply retry_configs. */ |
1427 | 0 | if (ss->ssl3.hs.echHpkeCtx && !PR_CLIST_IS_EMPTY(&parsedConfigs)) { |
1428 | 0 | rv = SECITEM_CopyItem(NULL, &xtnData->ech->retryConfigs, data); |
1429 | 0 | } |
1430 | 0 | tls13_DestroyEchConfigs(&parsedConfigs); |
1431 | |
|
1432 | 0 | return rv; |
1433 | 0 | } |
1434 | | |
1435 | | /* Indicates support for the delegated credentials extension. This should be |
1436 | | * hooked while processing the ClientHello. */ |
1437 | | SECStatus |
1438 | | tls13_ClientSendDelegatedCredentialsXtn(const sslSocket *ss, |
1439 | | TLSExtensionData *xtnData, |
1440 | | sslBuffer *buf, PRBool *added) |
1441 | 0 | { |
1442 | | /* Only send the extension if support is enabled and the client can |
1443 | | * negotiate TLS 1.3. */ |
1444 | 0 | if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3 || |
1445 | 0 | !ss->opt.enableDelegatedCredentials) { |
1446 | 0 | return SECSuccess; |
1447 | 0 | } |
1448 | | |
1449 | | /* Filter the schemes that are enabled and acceptable. Save these in |
1450 | | * the "advertised" list, then encode them to be sent. If we receive |
1451 | | * a DC in response, validate that it matches one of the advertised |
1452 | | * schemes. */ |
1453 | 0 | SSLSignatureScheme filtered[MAX_SIGNATURE_SCHEMES] = { 0 }; |
1454 | 0 | unsigned int filteredCount = 0; |
1455 | 0 | SECStatus rv = ssl3_FilterSigAlgs(ss, ss->vrange.max, |
1456 | 0 | PR_TRUE /* disableRsae */, |
1457 | 0 | PR_FALSE /* forCert */, |
1458 | 0 | MAX_SIGNATURE_SCHEMES, |
1459 | 0 | filtered, |
1460 | 0 | &filteredCount); |
1461 | 0 | if (rv != SECSuccess) { |
1462 | 0 | return SECFailure; |
1463 | 0 | } |
1464 | | |
1465 | | /* If no schemes available for the DC extension, don't send it. */ |
1466 | 0 | if (!filteredCount) { |
1467 | 0 | return SECSuccess; |
1468 | 0 | } |
1469 | | |
1470 | 0 | rv = ssl3_EncodeFilteredSigAlgs(ss, filtered, filteredCount, |
1471 | 0 | PR_FALSE /* GREASE */, buf); |
1472 | 0 | if (rv != SECSuccess) { |
1473 | 0 | return SECFailure; |
1474 | 0 | } |
1475 | | |
1476 | 0 | SSLSignatureScheme *dcSchemesAdvertised = PORT_ZNewArray(SSLSignatureScheme, |
1477 | 0 | filteredCount); |
1478 | 0 | if (!dcSchemesAdvertised) { |
1479 | 0 | return SECFailure; |
1480 | 0 | } |
1481 | 0 | for (unsigned int i = 0; i < filteredCount; i++) { |
1482 | 0 | dcSchemesAdvertised[i] = filtered[i]; |
1483 | 0 | } |
1484 | |
|
1485 | 0 | if (xtnData->delegCredSigSchemesAdvertised) { |
1486 | 0 | PORT_Free(xtnData->delegCredSigSchemesAdvertised); |
1487 | 0 | } |
1488 | 0 | xtnData->delegCredSigSchemesAdvertised = dcSchemesAdvertised; |
1489 | 0 | xtnData->numDelegCredSigSchemesAdvertised = filteredCount; |
1490 | 0 | *added = PR_TRUE; |
1491 | 0 | return SECSuccess; |
1492 | 0 | } |
1493 | | |
1494 | | /* Parses the delegated credential (DC) offered by the server. This should be |
1495 | | * hooked while processing the server's CertificateVerify. |
1496 | | * |
1497 | | * Only the DC sent with the end-entity certificate is to be parsed. This is |
1498 | | * ensured by |tls13_HandleCertificateEntry|, which only processes extensions |
1499 | | * for the first certificate in the chain. |
1500 | | */ |
1501 | | SECStatus |
1502 | | tls13_ClientHandleDelegatedCredentialsXtn(const sslSocket *ss, |
1503 | | TLSExtensionData *xtnData, |
1504 | | SECItem *data) |
1505 | 0 | { |
1506 | 0 | if (!ss->opt.enableDelegatedCredentials || |
1507 | 0 | ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { |
1508 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); |
1509 | 0 | PORT_SetError(SSL_ERROR_RX_UNEXPECTED_EXTENSION); |
1510 | 0 | return SECFailure; |
1511 | 0 | } |
1512 | | |
1513 | 0 | sslDelegatedCredential *dc = NULL; |
1514 | 0 | SECStatus rv = tls13_ReadDelegatedCredential(data->data, data->len, &dc); |
1515 | 0 | if (rv != SECSuccess) { |
1516 | 0 | goto loser; /* code already set */ |
1517 | 0 | } |
1518 | | |
1519 | | /* When using RSA, the public key MUST NOT use the rsaEncryption OID. */ |
1520 | 0 | if (dc->expectedCertVerifyAlg == ssl_sig_rsa_pss_rsae_sha256 || |
1521 | 0 | dc->expectedCertVerifyAlg == ssl_sig_rsa_pss_rsae_sha384 || |
1522 | 0 | dc->expectedCertVerifyAlg == ssl_sig_rsa_pss_rsae_sha512) { |
1523 | 0 | goto alert_loser; |
1524 | 0 | } |
1525 | | |
1526 | | /* The algorithm and expected_cert_verify_algorithm fields MUST be of a |
1527 | | * type advertised by the client in the SignatureSchemeList and are |
1528 | | * considered invalid otherwise. Clients that receive invalid delegated |
1529 | | * credentials MUST terminate the connection with an "illegal_parameter" |
1530 | | * alert. */ |
1531 | 0 | PRBool found = PR_FALSE; |
1532 | 0 | for (unsigned int i = 0; i < ss->xtnData.numDelegCredSigSchemesAdvertised; ++i) { |
1533 | 0 | if (dc->expectedCertVerifyAlg == ss->xtnData.delegCredSigSchemesAdvertised[i]) { |
1534 | 0 | found = PR_TRUE; |
1535 | 0 | break; |
1536 | 0 | } |
1537 | 0 | } |
1538 | 0 | if (found == PR_FALSE) { |
1539 | 0 | goto alert_loser; |
1540 | 0 | } |
1541 | | |
1542 | | // Check the dc->alg, if necessary. |
1543 | 0 | if (dc->alg != dc->expectedCertVerifyAlg) { |
1544 | 0 | found = PR_FALSE; |
1545 | 0 | for (unsigned int i = 0; i < ss->xtnData.numDelegCredSigSchemesAdvertised; ++i) { |
1546 | 0 | if (dc->alg == ss->xtnData.delegCredSigSchemesAdvertised[i]) { |
1547 | 0 | found = PR_TRUE; |
1548 | 0 | break; |
1549 | 0 | } |
1550 | 0 | } |
1551 | 0 | if (found == PR_FALSE) { |
1552 | 0 | goto alert_loser; |
1553 | 0 | } |
1554 | 0 | } |
1555 | | |
1556 | 0 | xtnData->peerDelegCred = dc; |
1557 | 0 | xtnData->negotiated[xtnData->numNegotiated++] = |
1558 | 0 | ssl_delegated_credentials_xtn; |
1559 | 0 | return SECSuccess; |
1560 | 0 | alert_loser: |
1561 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); |
1562 | 0 | PORT_SetError(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM); |
1563 | 0 | loser: |
1564 | 0 | tls13_DestroyDelegatedCredential(dc); |
1565 | 0 | return SECFailure; |
1566 | 0 | } |
1567 | | |
1568 | | /* Adds the DC extension if we're committed to authenticating with a DC. */ |
1569 | | static SECStatus |
1570 | | tls13_ServerSendDelegatedCredentialsXtn(const sslSocket *ss, |
1571 | | TLSExtensionData *xtnData, |
1572 | | sslBuffer *buf, PRBool *added) |
1573 | 0 | { |
1574 | 0 | if (tls13_IsSigningWithDelegatedCredential(ss)) { |
1575 | 0 | const SECItem *dc = &ss->sec.serverCert->delegCred; |
1576 | 0 | SECStatus rv; |
1577 | 0 | rv = sslBuffer_Append(buf, dc->data, dc->len); |
1578 | 0 | if (rv != SECSuccess) { |
1579 | 0 | return SECFailure; |
1580 | 0 | } |
1581 | 0 | *added = PR_TRUE; |
1582 | 0 | } |
1583 | 0 | return SECSuccess; |
1584 | 0 | } |
1585 | | |
1586 | | /* The client has indicated support of DCs. We can't act on this information |
1587 | | * until we've committed to signing with a DC, so just set a callback for |
1588 | | * sending the DC extension later. */ |
1589 | | SECStatus |
1590 | | tls13_ServerHandleDelegatedCredentialsXtn(const sslSocket *ss, |
1591 | | TLSExtensionData *xtnData, |
1592 | | SECItem *data) |
1593 | 0 | { |
1594 | 0 | if (xtnData->delegCredSigSchemes) { |
1595 | 0 | PORT_Free(xtnData->delegCredSigSchemes); |
1596 | 0 | xtnData->delegCredSigSchemes = NULL; |
1597 | 0 | xtnData->numDelegCredSigSchemes = 0; |
1598 | 0 | } |
1599 | 0 | SECStatus rv = ssl_ParseSignatureSchemes(ss, NULL, |
1600 | 0 | &xtnData->delegCredSigSchemes, |
1601 | 0 | &xtnData->numDelegCredSigSchemes, |
1602 | 0 | &data->data, &data->len); |
1603 | 0 | if (rv != SECSuccess) { |
1604 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, decode_error); |
1605 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); |
1606 | 0 | return SECFailure; |
1607 | 0 | } |
1608 | 0 | if (xtnData->numDelegCredSigSchemes == 0) { |
1609 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, handshake_failure); |
1610 | 0 | PORT_SetError(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM); |
1611 | 0 | return SECFailure; |
1612 | 0 | } |
1613 | | /* Check for trailing data. */ |
1614 | 0 | if (data->len != 0) { |
1615 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, decode_error); |
1616 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); |
1617 | 0 | return SECFailure; |
1618 | 0 | } |
1619 | | |
1620 | | /* Keep track of negotiated extensions. */ |
1621 | 0 | xtnData->peerRequestedDelegCred = PR_TRUE; |
1622 | 0 | xtnData->negotiated[xtnData->numNegotiated++] = |
1623 | 0 | ssl_delegated_credentials_xtn; |
1624 | |
|
1625 | 0 | return ssl3_RegisterExtensionSender( |
1626 | 0 | ss, xtnData, ssl_delegated_credentials_xtn, |
1627 | 0 | tls13_ServerSendDelegatedCredentialsXtn); |
1628 | 0 | } |
1629 | | |
1630 | | /* Adds the ECH extension containing server retry_configs */ |
1631 | | SECStatus |
1632 | | tls13_ServerSendEchXtn(const sslSocket *ss, |
1633 | | TLSExtensionData *xtnData, |
1634 | | sslBuffer *buf, PRBool *added) |
1635 | 0 | { |
1636 | 0 | SECStatus rv; |
1637 | 0 | PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); |
1638 | 0 | if (PR_CLIST_IS_EMPTY(&ss->echConfigs)) { |
1639 | 0 | return SECSuccess; |
1640 | 0 | } |
1641 | | |
1642 | 0 | const sslEchConfig *cfg = (sslEchConfig *)PR_LIST_HEAD(&ss->echConfigs); |
1643 | 0 | rv = sslBuffer_AppendVariable(buf, cfg->raw.data, cfg->raw.len, 2); |
1644 | 0 | if (rv != SECSuccess) { |
1645 | 0 | return SECFailure; |
1646 | 0 | } |
1647 | | |
1648 | 0 | *added = PR_TRUE; |
1649 | 0 | return SECSuccess; |
1650 | 0 | } |
1651 | | |
1652 | | /* If an ECH server sends the HRR ECH extension after it accepted ECH, the |
1653 | | * extension's payload must be set to 8 zero bytes, these are overwritten with |
1654 | | * the accept_confirmation value after the required transcript calculation. |
1655 | | * If a client-facing/shared-mode server did not accept ECH when offered in CH |
1656 | | * or if ECH GREASE is enabled on the server and a ECH extension was received, |
1657 | | * a 8 byte random value is set as the extension's payload |
1658 | | * [draft-ietf-tls-esni-14, Section 7]. |
1659 | | * |
1660 | | * Depending on the acceptance of ECH, zero or random bytes are written to |
1661 | | * ss->ssl3.hs.greaseEchBuf.buf in tls13con.c/tls13_SendHelloRetryRequest(). */ |
1662 | | SECStatus |
1663 | | tls13_ServerSendHrrEchXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
1664 | | sslBuffer *buf, PRBool *added) |
1665 | 0 | { |
1666 | 0 | SECStatus rv; |
1667 | | /* Do not send HRR ECH extension if TLS < 1.3 was negotiated OR no ECH |
1668 | | * extension was received OR the server is NOT in any ECH server mode AND |
1669 | | * ECH GREASE is NOT enabled. */ |
1670 | 0 | if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3 || |
1671 | 0 | !xtnData->ech || |
1672 | 0 | (!ss->echPubKey && !ss->opt.enableTls13BackendEch && !ss->opt.enableTls13GreaseEch)) { |
1673 | 0 | SSL_TRC(100, ("%d: TLS13[%d]: server not sending HRR ECH Xtn", |
1674 | 0 | SSL_GETPID(), ss->fd)); |
1675 | 0 | return SECSuccess; |
1676 | 0 | } |
1677 | 0 | SSL_TRC(100, ("%d: TLS13[%d]: server sending HRR ECH Xtn", |
1678 | 0 | SSL_GETPID(), ss->fd)); |
1679 | 0 | PR_ASSERT(SSL_BUFFER_LEN(&ss->ssl3.hs.greaseEchBuf) == TLS13_ECH_SIGNAL_LEN); |
1680 | 0 | PRINT_BUF(100, (ss, "grease_ech_confirmation", ss->ssl3.hs.greaseEchBuf.buf, TLS13_ECH_SIGNAL_LEN)); |
1681 | 0 | rv = sslBuffer_AppendBuffer(buf, &ss->ssl3.hs.greaseEchBuf); |
1682 | 0 | if (rv != SECSuccess) { |
1683 | 0 | return SECFailure; |
1684 | 0 | } |
1685 | 0 | *added = PR_TRUE; |
1686 | 0 | return SECSuccess; |
1687 | 0 | } |
1688 | | |
1689 | | SECStatus |
1690 | | tls13_ServerHandleInnerEchXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
1691 | | SECItem *data) |
1692 | 0 | { |
1693 | 0 | PRUint64 xtn_type; |
1694 | 0 | sslReader xtnReader = SSL_READER(data->data, data->len); |
1695 | |
|
1696 | 0 | PR_ASSERT(ss->ssl3.hs.echAccepted || ss->opt.enableTls13BackendEch); |
1697 | 0 | PR_ASSERT(!xtnData->ech->receivedInnerXtn); |
1698 | |
|
1699 | 0 | SECStatus rv = sslRead_ReadNumber(&xtnReader, 1, &xtn_type); |
1700 | 0 | if (rv != SECSuccess) { |
1701 | 0 | goto alert_loser; |
1702 | 0 | } |
1703 | 0 | if (xtn_type != ech_xtn_type_inner) { |
1704 | 0 | goto alert_loser; |
1705 | 0 | } |
1706 | 0 | if (SSL_READER_REMAINING(&xtnReader)) { |
1707 | | /* Inner ECH Extension must contain only type enum */ |
1708 | 0 | goto alert_loser; |
1709 | 0 | } |
1710 | | |
1711 | 0 | xtnData->ech->receivedInnerXtn = PR_TRUE; |
1712 | 0 | xtnData->negotiated[xtnData->numNegotiated++] = ssl_tls13_encrypted_client_hello_xtn; |
1713 | 0 | return SECSuccess; |
1714 | | |
1715 | 0 | alert_loser: |
1716 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, decode_error); |
1717 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_ECH_EXTENSION); |
1718 | 0 | return SECFailure; |
1719 | 0 | } |
1720 | | |
1721 | | SECStatus |
1722 | | tls13_ServerHandleOuterEchXtn(const sslSocket *ss, TLSExtensionData *xtnData, |
1723 | | SECItem *data) |
1724 | 0 | { |
1725 | 0 | SECStatus rv; |
1726 | 0 | HpkeKdfId kdf; |
1727 | 0 | HpkeAeadId aead; |
1728 | 0 | PRUint32 tmp; |
1729 | 0 | PRUint8 configId; |
1730 | 0 | SECItem senderPubKey; |
1731 | 0 | SECItem encryptedCh; |
1732 | |
|
1733 | 0 | PRUint32 xtn_type; |
1734 | 0 | rv = ssl3_ExtConsumeHandshakeNumber(ss, &xtn_type, 1, &data->data, &data->len); |
1735 | 0 | if (rv != SECSuccess) { |
1736 | 0 | goto alert_loser; |
1737 | 0 | } |
1738 | 0 | if (xtn_type != ech_xtn_type_outer && xtn_type != ech_xtn_type_inner) { |
1739 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: unexpected ECH extension type in client hello outer, alert", |
1740 | 0 | SSL_GETPID(), ss->fd)); |
1741 | 0 | goto alert_loser; |
1742 | 0 | } |
1743 | | /* If we are operating in shared mode, we can accept an inner xtn in the ClientHelloOuter */ |
1744 | 0 | if (xtn_type == ech_xtn_type_inner) { |
1745 | 0 | if (!ss->opt.enableTls13BackendEch) { |
1746 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); |
1747 | 0 | PORT_SetError(SSL_ERROR_RX_UNEXPECTED_EXTENSION); |
1748 | 0 | return SECFailure; |
1749 | 0 | } |
1750 | 0 | PORT_Assert(!xtnData->ech); |
1751 | 0 | xtnData->ech = PORT_ZNew(sslEchXtnState); |
1752 | 0 | if (!xtnData->ech) { |
1753 | 0 | return SECFailure; |
1754 | 0 | } |
1755 | | /* We have to rewind the buffer advanced by ssl3_ExtConsumeHandshakeNumber */ |
1756 | 0 | data->data--; |
1757 | 0 | data->len++; |
1758 | 0 | return tls13_ServerHandleInnerEchXtn(ss, xtnData, data); |
1759 | 0 | } |
1760 | 0 | if (ss->ssl3.hs.echAccepted) { |
1761 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); |
1762 | 0 | PORT_SetError(SSL_ERROR_RX_UNEXPECTED_EXTENSION); |
1763 | 0 | return SECFailure; |
1764 | 0 | } |
1765 | | |
1766 | 0 | SSL_TRC(3, ("%d: TLS13[%d]: handle outer ECH extension", |
1767 | 0 | SSL_GETPID(), ss->fd)); |
1768 | |
|
1769 | 0 | PORT_Assert(!xtnData->ech); |
1770 | 0 | xtnData->ech = PORT_ZNew(sslEchXtnState); |
1771 | 0 | if (!xtnData->ech) { |
1772 | 0 | return SECFailure; |
1773 | 0 | } |
1774 | | |
1775 | | /* Parse the KDF and AEAD. */ |
1776 | 0 | rv = ssl3_ExtConsumeHandshakeNumber(ss, &tmp, 2, |
1777 | 0 | &data->data, &data->len); |
1778 | 0 | if (rv != SECSuccess) { |
1779 | 0 | goto alert_loser; |
1780 | 0 | } |
1781 | 0 | kdf = (HpkeKdfId)tmp; |
1782 | 0 | rv = ssl3_ExtConsumeHandshakeNumber(ss, &tmp, 2, |
1783 | 0 | &data->data, &data->len); |
1784 | 0 | if (rv != SECSuccess) { |
1785 | 0 | goto alert_loser; |
1786 | 0 | } |
1787 | 0 | aead = (HpkeAeadId)tmp; |
1788 | | |
1789 | | /* config_id */ |
1790 | 0 | rv = ssl3_ExtConsumeHandshakeNumber(ss, &tmp, 1, |
1791 | 0 | &data->data, &data->len); |
1792 | 0 | if (rv != SECSuccess) { |
1793 | 0 | goto alert_loser; |
1794 | 0 | } |
1795 | 0 | configId = tmp; |
1796 | | |
1797 | | /* enc */ |
1798 | 0 | rv = ssl3_ExtConsumeHandshakeVariable(ss, &senderPubKey, 2, |
1799 | 0 | &data->data, &data->len); |
1800 | 0 | if (rv != SECSuccess) { |
1801 | 0 | goto alert_loser; |
1802 | 0 | } |
1803 | | |
1804 | | /* payload, which must be final and non-empty. */ |
1805 | 0 | xtnData->ech->payloadStart = data->data + 2; /* Move past length */ |
1806 | 0 | rv = ssl3_ExtConsumeHandshakeVariable(ss, &encryptedCh, 2, |
1807 | 0 | &data->data, &data->len); |
1808 | 0 | if (rv != SECSuccess) { |
1809 | 0 | goto alert_loser; |
1810 | 0 | } |
1811 | 0 | if (data->len || !encryptedCh.len) { |
1812 | 0 | goto alert_loser; |
1813 | 0 | } |
1814 | | |
1815 | 0 | if (!ss->ssl3.hs.helloRetry) { |
1816 | | /* In the real ECH HRR case, config_id and enc should be empty. This |
1817 | | * is checked after acceptance, because it might be GREASE ECH. */ |
1818 | 0 | if (!senderPubKey.len) { |
1819 | 0 | goto alert_loser; |
1820 | 0 | } |
1821 | | |
1822 | 0 | rv = SECITEM_CopyItem(NULL, &xtnData->ech->senderPubKey, &senderPubKey); |
1823 | 0 | if (rv == SECFailure) { |
1824 | 0 | return SECFailure; |
1825 | 0 | } |
1826 | 0 | } |
1827 | | |
1828 | 0 | rv = SECITEM_CopyItem(NULL, &xtnData->ech->innerCh, &encryptedCh); |
1829 | 0 | PRINT_BUF(100, (ss, "CT for ECH Decryption", encryptedCh.data, encryptedCh.len)); |
1830 | 0 | if (rv == SECFailure) { |
1831 | 0 | return SECFailure; |
1832 | 0 | } |
1833 | 0 | xtnData->ech->configId = configId; |
1834 | 0 | xtnData->ech->kdfId = kdf; |
1835 | 0 | xtnData->ech->aeadId = aead; |
1836 | | |
1837 | | /* Not negotiated until tls13_MaybeAcceptEch. */ |
1838 | 0 | return SECSuccess; |
1839 | | |
1840 | 0 | alert_loser: |
1841 | 0 | ssl3_ExtSendAlert(ss, alert_fatal, decode_error); |
1842 | 0 | PORT_SetError(SSL_ERROR_RX_MALFORMED_ECH_EXTENSION); |
1843 | 0 | return SECFailure; |
1844 | 0 | } |
1845 | | |
1846 | | SECStatus |
1847 | | tls13_SendEmptyGreaseXtn(const sslSocket *ss, |
1848 | | TLSExtensionData *xtnData, |
1849 | | sslBuffer *buf, PRBool *added) |
1850 | 0 | { |
1851 | 0 | if (!ss->opt.enableGrease || |
1852 | 0 | (!ss->sec.isServer && ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3) || |
1853 | 0 | (ss->sec.isServer && ss->version < SSL_LIBRARY_VERSION_TLS_1_3)) { |
1854 | 0 | return SECSuccess; |
1855 | 0 | } |
1856 | | |
1857 | 0 | *added = PR_TRUE; |
1858 | 0 | return SECSuccess; |
1859 | 0 | } |
1860 | | |
1861 | | SECStatus |
1862 | | tls13_SendGreaseXtn(const sslSocket *ss, |
1863 | | TLSExtensionData *xtnData, |
1864 | | sslBuffer *buf, PRBool *added) |
1865 | 0 | { |
1866 | 0 | if (!ss->opt.enableGrease || |
1867 | 0 | (!ss->sec.isServer && ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3) || |
1868 | 0 | (ss->sec.isServer && ss->version < SSL_LIBRARY_VERSION_TLS_1_3)) { |
1869 | 0 | return SECSuccess; |
1870 | 0 | } |
1871 | | |
1872 | 0 | SECStatus rv = sslBuffer_AppendVariable(buf, (PRUint8[]){ 0x00 }, 1, 2); |
1873 | 0 | if (rv != SECSuccess) { |
1874 | 0 | return SECFailure; |
1875 | 0 | } |
1876 | | |
1877 | 0 | *added = PR_TRUE; |
1878 | 0 | return SECSuccess; |
1879 | 0 | } |
1880 | | |
1881 | | SECStatus |
1882 | | ssl3_SendCertificateCompressionXtn(const sslSocket *ss, |
1883 | | TLSExtensionData *xtnData, |
1884 | | sslBuffer *buf, PRBool *added) |
1885 | 0 | { |
1886 | | /* enum { |
1887 | | * zlib(1), |
1888 | | * brotli(2), |
1889 | | * zstd(3), |
1890 | | * (65535) |
1891 | | * } CertificateCompressionAlgorithm; |
1892 | | * |
1893 | | * struct { |
1894 | | * CertificateCompressionAlgorithm algorithms<2..2^8-2>; |
1895 | | * } CertificateCompressionAlgorithms; |
1896 | | */ |
1897 | |
|
1898 | 0 | SECStatus rv = SECFailure; |
1899 | 0 | if (ss->ssl3.cwSpec->version < SSL_LIBRARY_VERSION_TLS_1_3) { |
1900 | 0 | SSL_TRC(50, ("%d: TLS13[%d]: certificate_compression_algorithm extension requires TLS1.3 and above", |
1901 | 0 | SSL_GETPID(), ss->fd)); |
1902 | 0 | return SECSuccess; |
1903 | 0 | } |
1904 | | |
1905 | 0 | size_t certificateCompressionAlgorithmsLen = ss->ssl3.supportedCertCompressionAlgorithmsCount; |
1906 | 0 | if (certificateCompressionAlgorithmsLen == 0) { |
1907 | 0 | SSL_TRC(30, ("%d: TLS13[%d]: %s does not support any certificate compression algorithm", |
1908 | 0 | SSL_GETPID(), ss->fd, SSL_ROLE(ss))); |
1909 | 0 | return SECSuccess; |
1910 | 0 | } |
1911 | | |
1912 | 0 | SSL_TRC(30, ("%d: TLS13[%d]: %s sends certificate_compression_algorithm extension", |
1913 | 0 | SSL_GETPID(), ss->fd, SSL_ROLE(ss))); |
1914 | 0 | PORT_Assert(certificateCompressionAlgorithmsLen < (0x1u << 8) - 1); |
1915 | |
|
1916 | 0 | rv = sslBuffer_AppendNumber(buf, certificateCompressionAlgorithmsLen << 1, 1); |
1917 | 0 | if (rv != SECSuccess) { |
1918 | 0 | return SECFailure; |
1919 | 0 | } |
1920 | | |
1921 | 0 | for (size_t i = 0; i < certificateCompressionAlgorithmsLen; i++) { |
1922 | 0 | rv = sslBuffer_AppendNumber(buf, ss->ssl3.supportedCertCompressionAlgorithms[i].id, 2); |
1923 | 0 | if (rv != SECSuccess) { |
1924 | 0 | return SECFailure; |
1925 | 0 | } |
1926 | 0 | } |
1927 | | |
1928 | 0 | xtnData->certificateCompressionAdvertised = PR_TRUE; |
1929 | 0 | *added = PR_TRUE; |
1930 | 0 | return SECSuccess; |
1931 | 0 | } |
1932 | | |
1933 | | const char * |
1934 | | ssl3_mapCertificateCompressionAlgorithmToName(const sslSocket *ss, SSLCertificateCompressionAlgorithmID alg) |
1935 | 0 | { |
1936 | 0 | for (int i = 0; i < ss->ssl3.supportedCertCompressionAlgorithmsCount; i++) { |
1937 | 0 | if (ss->ssl3.supportedCertCompressionAlgorithms[i].id == alg) { |
1938 | 0 | return ss->ssl3.supportedCertCompressionAlgorithms[i].name; |
1939 | 0 | } |
1940 | 0 | } |
1941 | 0 | return "unknown"; |
1942 | 0 | } |
1943 | | |
1944 | | SECStatus |
1945 | | ssl3_HandleCertificateCompressionXtn(const sslSocket *ss, |
1946 | | TLSExtensionData *xtnData, |
1947 | | SECItem *data) |
1948 | 0 | { |
1949 | | /* This extension is only supported with TLS 1.3 [RFC8446] and newer; |
1950 | | * if TLS 1.2 [RFC5246] or earlier is negotiated, the peers MUST ignore this extension. |
1951 | | */ |
1952 | 0 | if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { |
1953 | 0 | SSL_TRC(50, ("%d: TLS13[%d]: ignore certificate_compression extension", |
1954 | 0 | SSL_GETPID(), ss->fd)); |
1955 | 0 | return SECSuccess; |
1956 | 0 | } |
1957 | | |
1958 | 0 | SECStatus rv = SECFailure; |
1959 | 0 | PRUint32 lengthSupportedAlgorithms = 0; |
1960 | 0 | PRUint32 certComprAlgId = 0; |
1961 | |
|
1962 | 0 | SSL_TRC(30, ("%d: TLS13[%d]: %s handles certificate_compression_algorithm extension", |
1963 | 0 | SSL_GETPID(), ss->fd, SSL_ROLE(ss))); |
1964 | |
|
1965 | 0 | rv = ssl3_ExtConsumeHandshakeNumber(ss, &lengthSupportedAlgorithms, 1, &data->data, &data->len); |
1966 | 0 | if (rv != SECSuccess) { |
1967 | 0 | goto alert_loser; |
1968 | 0 | } |
1969 | | |
1970 | | /* Each of the algorithm is 2 bytes. */ |
1971 | 0 | if (lengthSupportedAlgorithms % 2 != 0) { |
1972 | 0 | goto alert_loser; |
1973 | 0 | } |
1974 | | |
1975 | 0 | if (data->len != lengthSupportedAlgorithms) { |
1976 | 0 | goto alert_loser; |
1977 | 0 | } |
1978 | | |
1979 | 0 | SECStatus algFound = SECFailure; |
1980 | | |
1981 | | /* We use the first common algorithm we found. */ |
1982 | 0 | for (int i = 0; i < lengthSupportedAlgorithms / 2; i++) { |
1983 | 0 | rv = ssl3_ExtConsumeHandshakeNumber(ss, &certComprAlgId, 2, &data->data, &data->len); |
1984 | 0 | if (rv != SECSuccess) { |
1985 | 0 | goto alert_loser; |
1986 | 0 | } |
1987 | | |
1988 | 0 | SSLCertificateCompressionAlgorithmID alg = (SSLCertificateCompressionAlgorithmID)certComprAlgId; |
1989 | 0 | if (alg == 0) { |
1990 | 0 | SSL_TRC(50, ("%d: TLS13[%d]: certificate compression ignores reserved algorithm %02x", |
1991 | 0 | SSL_GETPID(), ss->fd, alg)); |
1992 | 0 | continue; |
1993 | 0 | } |
1994 | | |
1995 | 0 | for (int j = 0; j < ss->ssl3.supportedCertCompressionAlgorithmsCount; j++) { |
1996 | 0 | if (ss->ssl3.supportedCertCompressionAlgorithms[j].id == alg) { |
1997 | 0 | xtnData->compressionAlg = alg; |
1998 | 0 | xtnData->negotiated[xtnData->numNegotiated++] = ssl_certificate_compression_xtn; |
1999 | 0 | algFound = SECSuccess; |
2000 | 0 | break; |
2001 | 0 | } |
2002 | 0 | } |
2003 | |
|
2004 | 0 | if (algFound == SECSuccess) { |
2005 | 0 | break; |
2006 | 0 | } |
2007 | 0 | } |
2008 | | |
2009 | 0 | if (algFound == SECSuccess) { |
2010 | 0 | SSL_TRC(30, ("%d: TLS13[%d]: %s established certificate compression algorithm %s", |
2011 | 0 | SSL_GETPID(), ss->fd, SSL_ROLE(ss), |
2012 | 0 | ssl3_mapCertificateCompressionAlgorithmToName(ss, xtnData->compressionAlg))); |
2013 | 0 | } else { |
2014 | 0 | SSL_TRC(30, ("%d: TLS13[%d]: no common certificate compression algorithms found on the %s side", |
2015 | 0 | SSL_GETPID(), ss->fd, SSL_ROLE(ss))); |
2016 | 0 | } |
2017 | |
|
2018 | 0 | return SECSuccess; |
2019 | | |
2020 | 0 | alert_loser: |
2021 | 0 | ssl3_ExtDecodeError(ss); |
2022 | 0 | return SECFailure; |
2023 | 0 | } |