ssl3ext.c (43821B)
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ 2 /* 3 * SSL3 Protocol 4 * 5 * This Source Code Form is subject to the terms of the Mozilla Public 6 * License, v. 2.0. If a copy of the MPL was not distributed with this 7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 8 9 /* TLS extension code moved here from ssl3ecc.c */ 10 11 #include "nssrenam.h" 12 #include "nss.h" 13 #include "pk11pub.h" 14 #include "ssl.h" 15 #include "sslimpl.h" 16 #include "sslproto.h" 17 #include "ssl3exthandle.h" 18 #include "tls13ech.h" 19 #include "tls13err.h" 20 #include "tls13exthandle.h" 21 #include "tls13subcerts.h" 22 23 /* Callback function that handles a received extension. */ 24 typedef SECStatus (*ssl3ExtensionHandlerFunc)(const sslSocket *ss, 25 TLSExtensionData *xtnData, 26 SECItem *data); 27 28 /* Row in a table of hello extension handlers. */ 29 typedef struct { 30 SSLExtensionType ex_type; 31 ssl3ExtensionHandlerFunc ex_handler; 32 } ssl3ExtensionHandler; 33 34 /* Table of handlers for received TLS hello extensions, one per extension. 35 * In the second generation, this table will be dynamic, and functions 36 * will be registered here. 37 */ 38 /* This table is used by the server, to handle client hello extensions. */ 39 static const ssl3ExtensionHandler clientHelloHandlers[] = { 40 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, 41 { ssl_supported_groups_xtn, &ssl_HandleSupportedGroupsXtn }, 42 { ssl_ec_point_formats_xtn, &ssl3_HandleSupportedPointFormatsXtn }, 43 { ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn }, 44 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, 45 { ssl_app_layer_protocol_xtn, &ssl3_ServerHandleAppProtoXtn }, 46 { ssl_use_srtp_xtn, &ssl3_ServerHandleUseSRTPXtn }, 47 { ssl_cert_status_xtn, &ssl3_ServerHandleStatusRequestXtn }, 48 { ssl_tls13_certificate_authorities_xtn, &tls13_ServerHandleCertAuthoritiesXtn }, 49 { ssl_signature_algorithms_xtn, &ssl3_HandleSigAlgsXtn }, 50 { ssl_extended_master_secret_xtn, &ssl3_HandleExtendedMasterSecretXtn }, 51 { ssl_signed_cert_timestamp_xtn, &ssl3_ServerHandleSignedCertTimestampXtn }, 52 { ssl_delegated_credentials_xtn, &tls13_ServerHandleDelegatedCredentialsXtn }, 53 { ssl_tls13_key_share_xtn, &tls13_ServerHandleKeyShareXtn }, 54 { ssl_tls13_pre_shared_key_xtn, &tls13_ServerHandlePreSharedKeyXtn }, 55 { ssl_tls13_early_data_xtn, &tls13_ServerHandleEarlyDataXtn }, 56 { ssl_tls13_psk_key_exchange_modes_xtn, &tls13_ServerHandlePskModesXtn }, 57 { ssl_tls13_cookie_xtn, &tls13_ServerHandleCookieXtn }, 58 { ssl_tls13_post_handshake_auth_xtn, &tls13_ServerHandlePostHandshakeAuthXtn }, 59 { ssl_record_size_limit_xtn, &ssl_HandleRecordSizeLimitXtn }, 60 { ssl_certificate_compression_xtn, &ssl3_HandleCertificateCompressionXtn }, 61 { 0, NULL } 62 }; 63 64 /* These two tables are used by the client, to handle server hello 65 * extensions. */ 66 static const ssl3ExtensionHandler serverHelloHandlersTLS[] = { 67 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, 68 /* TODO: add a handler for ssl_ec_point_formats_xtn */ 69 { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn }, 70 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, 71 { ssl_app_layer_protocol_xtn, &ssl3_ClientHandleAppProtoXtn }, 72 { ssl_use_srtp_xtn, &ssl3_ClientHandleUseSRTPXtn }, 73 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, 74 { ssl_extended_master_secret_xtn, &ssl3_HandleExtendedMasterSecretXtn }, 75 { ssl_signed_cert_timestamp_xtn, &ssl3_ClientHandleSignedCertTimestampXtn }, 76 { ssl_tls13_key_share_xtn, &tls13_ClientHandleKeyShareXtn }, 77 { ssl_tls13_pre_shared_key_xtn, &tls13_ClientHandlePreSharedKeyXtn }, 78 { ssl_tls13_early_data_xtn, &tls13_ClientHandleEarlyDataXtn }, 79 { ssl_tls13_encrypted_client_hello_xtn, &tls13_ClientHandleEchXtn }, 80 { ssl_record_size_limit_xtn, &ssl_HandleRecordSizeLimitXtn }, 81 { 0, NULL } 82 }; 83 84 static const ssl3ExtensionHandler helloRetryRequestHandlers[] = { 85 { ssl_tls13_key_share_xtn, tls13_ClientHandleKeyShareXtnHrr }, 86 { ssl_tls13_cookie_xtn, tls13_ClientHandleHrrCookie }, 87 { ssl_tls13_encrypted_client_hello_xtn, tls13_ClientHandleHrrEchXtn }, 88 { 0, NULL } 89 }; 90 91 static const ssl3ExtensionHandler serverHelloHandlersSSL3[] = { 92 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, 93 { 0, NULL } 94 }; 95 96 static const ssl3ExtensionHandler newSessionTicketHandlers[] = { 97 { ssl_tls13_early_data_xtn, 98 &tls13_ClientHandleTicketEarlyDataXtn }, 99 { 0, NULL } 100 }; 101 102 /* This table is used by the client to handle server certificates in TLS 1.3 */ 103 static const ssl3ExtensionHandler serverCertificateHandlers[] = { 104 { ssl_signed_cert_timestamp_xtn, &ssl3_ClientHandleSignedCertTimestampXtn }, 105 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, 106 { ssl_delegated_credentials_xtn, &tls13_ClientHandleDelegatedCredentialsXtn }, 107 { 0, NULL } 108 }; 109 110 static const ssl3ExtensionHandler certificateRequestHandlers[] = { 111 { ssl_signature_algorithms_xtn, &ssl3_HandleSigAlgsXtn }, 112 { ssl_tls13_certificate_authorities_xtn, 113 &tls13_ClientHandleCertAuthoritiesXtn }, 114 { ssl_certificate_compression_xtn, &ssl3_HandleCertificateCompressionXtn }, 115 { 0, NULL } 116 }; 117 118 /* Tables of functions to format TLS hello extensions, one function per 119 * extension. 120 * These static tables are for the formatting of client hello extensions. 121 * The server's table of hello senders is dynamic, in the socket struct, 122 * and sender functions are registered there. 123 * NB: the order of these extensions can have an impact on compatibility. Some 124 * servers (e.g. Tomcat) will terminate the connection if the last extension in 125 * the client hello is empty (for example, the extended master secret 126 * extension, if it were listed last). See bug 1243641. 127 */ 128 static const sslExtensionBuilder clientHelloSendersTLS[] = { 129 /* TLS 1.3 GREASE extensions - empty. */ 130 { ssl_tls13_grease_xtn, &tls13_SendEmptyGreaseXtn }, 131 { ssl_server_name_xtn, &ssl3_ClientSendServerNameXtn }, 132 { ssl_extended_master_secret_xtn, &ssl3_SendExtendedMasterSecretXtn }, 133 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn }, 134 { ssl_supported_groups_xtn, &ssl_SendSupportedGroupsXtn }, 135 { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn }, 136 { ssl_session_ticket_xtn, &ssl3_ClientSendSessionTicketXtn }, 137 { ssl_app_layer_protocol_xtn, &ssl3_ClientSendAppProtoXtn }, 138 { ssl_use_srtp_xtn, &ssl3_ClientSendUseSRTPXtn }, 139 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, 140 { ssl_delegated_credentials_xtn, &tls13_ClientSendDelegatedCredentialsXtn }, 141 { ssl_signed_cert_timestamp_xtn, &ssl3_ClientSendSignedCertTimestampXtn }, 142 { ssl_tls13_key_share_xtn, &tls13_ClientSendKeyShareXtn }, 143 { ssl_tls13_early_data_xtn, &tls13_ClientSendEarlyDataXtn }, 144 /* Some servers (e.g. WebSphere Application Server 7.0 and Tomcat) will 145 * time out or terminate the connection if the last extension in the 146 * client hello is empty. They are not intolerant of TLS 1.2, so list 147 * signature_algorithms at the end. See bug 1243641. */ 148 { ssl_tls13_supported_versions_xtn, &tls13_ClientSendSupportedVersionsXtn }, 149 { ssl_signature_algorithms_xtn, &ssl3_SendSigAlgsXtn }, 150 { ssl_tls13_cookie_xtn, &tls13_ClientSendHrrCookieXtn }, 151 { ssl_tls13_psk_key_exchange_modes_xtn, &tls13_ClientSendPskModesXtn }, 152 { ssl_tls13_post_handshake_auth_xtn, &tls13_ClientSendPostHandshakeAuthXtn }, 153 { ssl_record_size_limit_xtn, &ssl_SendRecordSizeLimitXtn }, 154 { ssl_certificate_compression_xtn, &ssl3_SendCertificateCompressionXtn }, 155 /* TLS 1.3 GREASE extensions - 1 zero byte. */ 156 { ssl_tls13_grease_xtn, &tls13_SendGreaseXtn }, 157 /* The pre_shared_key extension MUST be last. */ 158 { ssl_tls13_pre_shared_key_xtn, &tls13_ClientSendPreSharedKeyXtn }, 159 { 0, NULL } 160 }; 161 162 static const sslExtensionBuilder clientHelloSendersSSL3[] = { 163 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn }, 164 { 0, NULL } 165 }; 166 167 static const sslExtensionBuilder tls13_cert_req_senders[] = { 168 { ssl_signature_algorithms_xtn, &ssl3_SendSigAlgsXtn }, 169 { ssl_tls13_certificate_authorities_xtn, &tls13_SendCertAuthoritiesXtn }, 170 /* TLS 1.3 GREASE extension. */ 171 { ssl_tls13_grease_xtn, &tls13_SendEmptyGreaseXtn }, 172 { ssl_certificate_compression_xtn, &ssl3_SendCertificateCompressionXtn }, 173 { 0, NULL } 174 }; 175 176 static const sslExtensionBuilder tls13_hrr_senders[] = { 177 { ssl_tls13_key_share_xtn, &tls13_ServerSendHrrKeyShareXtn }, 178 { ssl_tls13_cookie_xtn, &tls13_ServerSendHrrCookieXtn }, 179 { ssl_tls13_supported_versions_xtn, &tls13_ServerSendSupportedVersionsXtn }, 180 { ssl_tls13_encrypted_client_hello_xtn, &tls13_ServerSendHrrEchXtn }, 181 { 0, NULL } 182 }; 183 184 static const struct { 185 SSLExtensionType type; 186 SSLExtensionSupport support; 187 } ssl_supported_extensions[] = { 188 { ssl_server_name_xtn, ssl_ext_native_only }, 189 { ssl_cert_status_xtn, ssl_ext_native }, 190 { ssl_delegated_credentials_xtn, ssl_ext_native }, 191 { ssl_supported_groups_xtn, ssl_ext_native_only }, 192 { ssl_ec_point_formats_xtn, ssl_ext_native }, 193 { ssl_signature_algorithms_xtn, ssl_ext_native_only }, 194 { ssl_use_srtp_xtn, ssl_ext_native }, 195 { ssl_app_layer_protocol_xtn, ssl_ext_native_only }, 196 { ssl_signed_cert_timestamp_xtn, ssl_ext_native }, 197 { ssl_padding_xtn, ssl_ext_native }, 198 { ssl_extended_master_secret_xtn, ssl_ext_native_only }, 199 { ssl_session_ticket_xtn, ssl_ext_native_only }, 200 { ssl_tls13_key_share_xtn, ssl_ext_native_only }, 201 { ssl_tls13_pre_shared_key_xtn, ssl_ext_native_only }, 202 { ssl_tls13_early_data_xtn, ssl_ext_native_only }, 203 { ssl_tls13_supported_versions_xtn, ssl_ext_native_only }, 204 { ssl_tls13_cookie_xtn, ssl_ext_native_only }, 205 { ssl_tls13_psk_key_exchange_modes_xtn, ssl_ext_native_only }, 206 { ssl_tls13_ticket_early_data_info_xtn, ssl_ext_native_only }, 207 { ssl_tls13_certificate_authorities_xtn, ssl_ext_native }, 208 { ssl_renegotiation_info_xtn, ssl_ext_native }, 209 { ssl_tls13_encrypted_client_hello_xtn, ssl_ext_native_only }, 210 { ssl_certificate_compression_xtn, ssl_ext_native }, 211 }; 212 213 static SSLExtensionSupport 214 ssl_GetExtensionSupport(PRUint16 type) 215 { 216 unsigned int i; 217 for (i = 0; i < PR_ARRAY_SIZE(ssl_supported_extensions); ++i) { 218 if (type == ssl_supported_extensions[i].type) { 219 return ssl_supported_extensions[i].support; 220 } 221 } 222 return ssl_ext_none; 223 } 224 225 SECStatus 226 SSLExp_GetExtensionSupport(PRUint16 type, SSLExtensionSupport *support) 227 { 228 *support = ssl_GetExtensionSupport(type); 229 return SECSuccess; 230 } 231 232 SECStatus 233 SSLExp_InstallExtensionHooks(PRFileDesc *fd, PRUint16 extension, 234 SSLExtensionWriter writer, void *writerArg, 235 SSLExtensionHandler handler, void *handlerArg) 236 { 237 sslSocket *ss = ssl_FindSocket(fd); 238 PRCList *cursor; 239 sslCustomExtensionHooks *hook; 240 241 if (!ss) { 242 return SECFailure; /* Code already set. */ 243 } 244 245 /* Need to specify both or neither, but not just one. */ 246 if ((writer && !handler) || (!writer && handler)) { 247 PORT_SetError(SEC_ERROR_INVALID_ARGS); 248 return SECFailure; 249 } 250 251 if (ssl_GetExtensionSupport(extension) == ssl_ext_native_only) { 252 PORT_SetError(SEC_ERROR_INVALID_ARGS); 253 return SECFailure; 254 } 255 256 if (ss->firstHsDone || ((ss->ssl3.hs.ws != idle_handshake) && 257 (ss->ssl3.hs.ws != wait_client_hello))) { 258 PORT_SetError(PR_INVALID_STATE_ERROR); 259 return SECFailure; 260 } 261 262 /* Remove any old handler. */ 263 for (cursor = PR_NEXT_LINK(&ss->extensionHooks); 264 cursor != &ss->extensionHooks; 265 cursor = PR_NEXT_LINK(cursor)) { 266 hook = (sslCustomExtensionHooks *)cursor; 267 if (hook->type == extension) { 268 PR_REMOVE_LINK(&hook->link); 269 PORT_Free(hook); 270 break; 271 } 272 } 273 274 if (!writer && !handler) { 275 return SECSuccess; 276 } 277 278 hook = PORT_ZNew(sslCustomExtensionHooks); 279 if (!hook) { 280 return SECFailure; /* This removed the old one, oh well. */ 281 } 282 283 hook->type = extension; 284 hook->writer = writer; 285 hook->writerArg = writerArg; 286 hook->handler = handler; 287 hook->handlerArg = handlerArg; 288 PR_APPEND_LINK(&hook->link, &ss->extensionHooks); 289 return SECSuccess; 290 } 291 292 sslCustomExtensionHooks * 293 ssl_FindCustomExtensionHooks(sslSocket *ss, PRUint16 extension) 294 { 295 PRCList *cursor; 296 297 for (cursor = PR_NEXT_LINK(&ss->extensionHooks); 298 cursor != &ss->extensionHooks; 299 cursor = PR_NEXT_LINK(cursor)) { 300 sslCustomExtensionHooks *hook = (sslCustomExtensionHooks *)cursor; 301 if (hook->type == extension) { 302 return hook; 303 } 304 } 305 306 return NULL; 307 } 308 309 static PRBool 310 arrayContainsExtension(const PRUint16 *array, PRUint32 len, PRUint16 ex_type) 311 { 312 unsigned int i; 313 for (i = 0; i < len; i++) { 314 if (ex_type == array[i]) 315 return PR_TRUE; 316 } 317 return PR_FALSE; 318 } 319 320 PRBool 321 ssl3_ExtensionNegotiated(const sslSocket *ss, PRUint16 ex_type) 322 { 323 const TLSExtensionData *xtnData = &ss->xtnData; 324 return arrayContainsExtension(xtnData->negotiated, 325 xtnData->numNegotiated, ex_type); 326 } 327 328 /* This checks for whether an extension was advertised. On the client, this 329 * covers extensions that are sent in ClientHello; on the server, extensions 330 * sent in CertificateRequest (TLS 1.3 only). */ 331 PRBool 332 ssl3_ExtensionAdvertised(const sslSocket *ss, PRUint16 ex_type) 333 { 334 const TLSExtensionData *xtnData = &ss->xtnData; 335 return arrayContainsExtension(xtnData->advertised, 336 xtnData->numAdvertised, ex_type); 337 } 338 339 PRBool 340 ssl3_ExtensionAdvertisedClientHelloInner(const sslSocket *ss, PRUint16 ex_type) 341 { 342 const TLSExtensionData *xtnData = &ss->xtnData; 343 return arrayContainsExtension(xtnData->echAdvertised, 344 xtnData->echNumAdvertised, ex_type); 345 } 346 347 /* Go through hello extensions in |b| and deserialize 348 * them into the list in |ss->ssl3.hs.remoteExtensions|. 349 * The only checking we do in this point is for duplicates. 350 * 351 * IMPORTANT: This list just contains pointers to the incoming 352 * buffer so they can only be used during ClientHello processing. 353 */ 354 SECStatus 355 ssl3_ParseExtensions(sslSocket *ss, PRUint8 **b, PRUint32 *length) 356 { 357 /* Clean out the extensions list. */ 358 ssl3_DestroyRemoteExtensions(&ss->ssl3.hs.remoteExtensions); 359 360 while (*length) { 361 SECStatus rv; 362 PRUint32 extension_type; 363 SECItem extension_data = { siBuffer, NULL, 0 }; 364 TLSExtension *extension; 365 PRCList *cursor; 366 367 /* Get the extension's type field */ 368 rv = ssl3_ConsumeHandshakeNumber(ss, &extension_type, 2, b, length); 369 if (rv != SECSuccess) { 370 return SECFailure; /* alert already sent */ 371 } 372 373 /* Check whether an extension has been sent multiple times. */ 374 for (cursor = PR_NEXT_LINK(&ss->ssl3.hs.remoteExtensions); 375 cursor != &ss->ssl3.hs.remoteExtensions; 376 cursor = PR_NEXT_LINK(cursor)) { 377 if (((TLSExtension *)cursor)->type == extension_type) { 378 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); 379 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_EXTENSION); 380 return SECFailure; 381 } 382 } 383 384 /* Get the data for this extension, so we can pass it or skip it. */ 385 rv = ssl3_ConsumeHandshakeVariable(ss, &extension_data, 2, b, length); 386 if (rv != SECSuccess) { 387 return rv; /* alert already sent */ 388 } 389 390 SSL_TRC(10, ("%d: SSL3[%d]: parsed extension %d len=%u", 391 SSL_GETPID(), ss->fd, extension_type, extension_data.len)); 392 393 extension = PORT_ZNew(TLSExtension); 394 if (!extension) { 395 return SECFailure; 396 } 397 398 extension->type = (PRUint16)extension_type; 399 extension->data = extension_data; 400 PR_APPEND_LINK(&extension->link, &ss->ssl3.hs.remoteExtensions); 401 } 402 403 return SECSuccess; 404 } 405 406 TLSExtension * 407 ssl3_FindExtension(sslSocket *ss, SSLExtensionType extension_type) 408 { 409 PRCList *cursor; 410 411 for (cursor = PR_NEXT_LINK(&ss->ssl3.hs.remoteExtensions); 412 cursor != &ss->ssl3.hs.remoteExtensions; 413 cursor = PR_NEXT_LINK(cursor)) { 414 TLSExtension *extension = (TLSExtension *)cursor; 415 416 if (extension->type == extension_type) { 417 return extension; 418 } 419 } 420 421 return NULL; 422 } 423 424 static SECStatus 425 ssl_CallExtensionHandler(sslSocket *ss, SSLHandshakeType handshakeMessage, 426 TLSExtension *extension, 427 const ssl3ExtensionHandler *handler) 428 { 429 SECStatus rv = SECSuccess; 430 SSLAlertDescription alert = handshake_failure; 431 sslCustomExtensionHooks *customHooks; 432 433 customHooks = ssl_FindCustomExtensionHooks(ss, extension->type); 434 if (customHooks) { 435 if (customHooks->handler) { 436 rv = customHooks->handler(ss->fd, handshakeMessage, 437 extension->data.data, 438 extension->data.len, 439 &alert, customHooks->handlerArg); 440 } 441 } else { 442 /* Find extension_type in table of Hello Extension Handlers. */ 443 for (; handler->ex_handler != NULL; ++handler) { 444 if (handler->ex_type == extension->type) { 445 SECItem tmp = extension->data; 446 447 rv = (*handler->ex_handler)(ss, &ss->xtnData, &tmp); 448 break; 449 } 450 } 451 } 452 453 if (rv != SECSuccess) { 454 if (!ss->ssl3.fatalAlertSent) { 455 /* Send an alert if the handler didn't already. */ 456 (void)SSL3_SendAlert(ss, alert_fatal, alert); 457 } 458 return SECFailure; 459 } 460 461 return SECSuccess; 462 } 463 464 /* Go through the hello extensions in |ss->ssl3.hs.remoteExtensions|. 465 * For each one, find the extension handler in the table, and 466 * if present, invoke that handler. 467 * Servers ignore any extensions with unknown extension types. 468 * Clients reject any extensions with unadvertised extension types 469 * 470 * In TLS >= 1.3, the client checks that extensions appear in the 471 * right phase. 472 */ 473 SECStatus 474 ssl3_HandleParsedExtensions(sslSocket *ss, SSLHandshakeType message) 475 { 476 const ssl3ExtensionHandler *handlers; 477 /* HelloRetryRequest doesn't set ss->version. It might be safe to 478 * do so, but we weren't entirely sure. TODO(ekr@rtfm.com). */ 479 PRBool isTLS13 = (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) || 480 (message == ssl_hs_hello_retry_request); 481 /* The following messages can include extensions that were not included in 482 * the original ClientHello. */ 483 PRBool allowNotOffered = (message == ssl_hs_client_hello) || 484 (message == ssl_hs_certificate_request) || 485 (message == ssl_hs_new_session_ticket); 486 PRCList *cursor; 487 488 switch (message) { 489 case ssl_hs_client_hello: 490 handlers = clientHelloHandlers; 491 break; 492 case ssl_hs_new_session_ticket: 493 PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); 494 handlers = newSessionTicketHandlers; 495 break; 496 case ssl_hs_hello_retry_request: 497 handlers = helloRetryRequestHandlers; 498 break; 499 case ssl_hs_encrypted_extensions: 500 PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); 501 /* fall through */ 502 case ssl_hs_server_hello: 503 if (ss->version > SSL_LIBRARY_VERSION_3_0) { 504 handlers = serverHelloHandlersTLS; 505 } else { 506 handlers = serverHelloHandlersSSL3; 507 } 508 break; 509 case ssl_hs_certificate: 510 PORT_Assert(!ss->sec.isServer); 511 handlers = serverCertificateHandlers; 512 break; 513 case ssl_hs_certificate_request: 514 PORT_Assert(!ss->sec.isServer); 515 handlers = certificateRequestHandlers; 516 break; 517 default: 518 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 519 PORT_Assert(0); 520 return SECFailure; 521 } 522 523 for (cursor = PR_NEXT_LINK(&ss->ssl3.hs.remoteExtensions); 524 cursor != &ss->ssl3.hs.remoteExtensions; 525 cursor = PR_NEXT_LINK(cursor)) { 526 TLSExtension *extension = (TLSExtension *)cursor; 527 SECStatus rv; 528 529 /* Check whether the server sent an extension which was not advertised 530 * in the ClientHello. 531 * 532 * Note that a TLS 1.3 server should check if CertificateRequest 533 * extensions were sent. But the extensions used for CertificateRequest 534 * do not have any response, so we rely on 535 * ssl3_ExtensionAdvertised to return false on the server. That 536 * results in the server only rejecting any extension. */ 537 if (!allowNotOffered && (extension->type != ssl_tls13_cookie_xtn)) { 538 if (!ssl3_ExtensionAdvertised(ss, extension->type)) { 539 SSL_TRC(10, ("Server sent xtn type=%d which is invalid for the CHO", extension->type)); 540 (void)SSL3_SendAlert(ss, alert_fatal, unsupported_extension); 541 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_EXTENSION); 542 return SECFailure; 543 } 544 /* If we offered ECH, we also check whether the extension is compatible with 545 * the Client Hello Inner. We don't yet know whether the server accepted ECH, 546 * so we only store this for now. If we later accept, we check this boolean 547 * and reject with an unsupported_extension alert if it is set. */ 548 if (ss->ssl3.hs.echHpkeCtx && !ssl3_ExtensionAdvertisedClientHelloInner(ss, extension->type)) { 549 SSL_TRC(10, ("Server sent xtn type=%d which is invalid for the CHI", extension->type)); 550 ss->ssl3.hs.echInvalidExtension = PR_TRUE; 551 } 552 } 553 554 /* Check that this is a legal extension in TLS 1.3 */ 555 if (isTLS13 && 556 !ssl_FindCustomExtensionHooks(ss, extension->type)) { 557 switch (tls13_ExtensionStatus(extension->type, message)) { 558 case tls13_extension_allowed: 559 break; 560 case tls13_extension_unknown: 561 if (allowNotOffered) { 562 continue; /* Skip over unknown extensions. */ 563 } 564 /* RFC8446 Section 4.2 - Implementations MUST NOT send extension responses if 565 * the remote endpoint did not send the corresponding extension request ... 566 * Upon receiving such an extension, an endpoint MUST abort the handshake with 567 * an "unsupported_extension" alert. */ 568 SSL_TRC(3, ("%d: TLS13: unknown extension %d in message %d", 569 SSL_GETPID(), extension, message)); 570 tls13_FatalError(ss, SSL_ERROR_RX_UNEXPECTED_EXTENSION, 571 unsupported_extension); 572 return SECFailure; 573 case tls13_extension_disallowed: 574 /* RFC8446 Section 4.2 - If an implementation receives an extension which it 575 * recognizes and which is not specified for the message in which it appears, 576 * it MUST abort the handshake with an "illegal_parameter" alert. */ 577 SSL_TRC(3, ("%d: TLS13: disallowed extension %d in message %d", 578 SSL_GETPID(), extension, message)); 579 tls13_FatalError(ss, SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION, 580 illegal_parameter); 581 return SECFailure; 582 } 583 } 584 585 /* Special check for this being the last extension if it's 586 * PreSharedKey */ 587 if (ss->sec.isServer && isTLS13 && 588 (extension->type == ssl_tls13_pre_shared_key_xtn) && 589 (PR_NEXT_LINK(cursor) != &ss->ssl3.hs.remoteExtensions)) { 590 tls13_FatalError(ss, 591 SSL_ERROR_RX_MALFORMED_CLIENT_HELLO, 592 illegal_parameter); 593 return SECFailure; 594 } 595 596 rv = ssl_CallExtensionHandler(ss, message, extension, handlers); 597 if (rv != SECSuccess) { 598 return SECFailure; 599 } 600 } 601 return SECSuccess; 602 } 603 604 /* Syntactic sugar around ssl3_ParseExtensions and 605 * ssl3_HandleParsedExtensions. */ 606 SECStatus 607 ssl3_HandleExtensions(sslSocket *ss, 608 PRUint8 **b, PRUint32 *length, 609 SSLHandshakeType handshakeMessage) 610 { 611 SECStatus rv; 612 613 rv = ssl3_ParseExtensions(ss, b, length); 614 if (rv != SECSuccess) 615 return rv; 616 617 rv = ssl3_HandleParsedExtensions(ss, handshakeMessage); 618 if (rv != SECSuccess) 619 return rv; 620 621 ssl3_DestroyRemoteExtensions(&ss->ssl3.hs.remoteExtensions); 622 return SECSuccess; 623 } 624 625 /* Add a callback function to the table of senders of server hello extensions. 626 */ 627 SECStatus 628 ssl3_RegisterExtensionSender(const sslSocket *ss, 629 TLSExtensionData *xtnData, 630 PRUint16 ex_type, 631 sslExtensionBuilderFunc cb) 632 { 633 int i; 634 sslExtensionBuilder *sender; 635 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { 636 sender = &xtnData->serverHelloSenders[0]; 637 } else { 638 if (tls13_ExtensionStatus(ex_type, ssl_hs_server_hello) == 639 tls13_extension_allowed) { 640 PORT_Assert(tls13_ExtensionStatus(ex_type, 641 ssl_hs_encrypted_extensions) == 642 tls13_extension_disallowed); 643 sender = &xtnData->serverHelloSenders[0]; 644 } else if (tls13_ExtensionStatus(ex_type, 645 ssl_hs_encrypted_extensions) == 646 tls13_extension_allowed) { 647 sender = &xtnData->encryptedExtensionsSenders[0]; 648 } else if (tls13_ExtensionStatus(ex_type, ssl_hs_certificate) == 649 tls13_extension_allowed) { 650 sender = &xtnData->certificateSenders[0]; 651 } else { 652 PORT_Assert(0); 653 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 654 return SECFailure; 655 } 656 } 657 for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) { 658 if (!sender->ex_sender) { 659 sender->ex_type = ex_type; 660 sender->ex_sender = cb; 661 return SECSuccess; 662 } 663 /* detect duplicate senders */ 664 PORT_Assert(sender->ex_type != ex_type); 665 if (sender->ex_type == ex_type) { 666 /* duplicate */ 667 break; 668 } 669 } 670 PORT_Assert(i < SSL_MAX_EXTENSIONS); /* table needs to grow */ 671 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 672 return SECFailure; 673 } 674 675 SECStatus 676 ssl_CallCustomExtensionSenders(sslSocket *ss, sslBuffer *buf, 677 SSLHandshakeType message) 678 { 679 sslBuffer tail = SSL_BUFFER_EMPTY; 680 SECStatus rv; 681 PRCList *cursor; 682 683 /* Save any extensions that want to be last. */ 684 if (ss->xtnData.lastXtnOffset) { 685 rv = sslBuffer_Append(&tail, buf->buf + ss->xtnData.lastXtnOffset, 686 buf->len - ss->xtnData.lastXtnOffset); 687 if (rv != SECSuccess) { 688 return SECFailure; 689 } 690 buf->len = ss->xtnData.lastXtnOffset; 691 } 692 693 /* Reserve the maximum amount of space possible. */ 694 rv = sslBuffer_Grow(buf, 65535); 695 if (rv != SECSuccess) { 696 return SECFailure; 697 } 698 699 for (cursor = PR_NEXT_LINK(&ss->extensionHooks); 700 cursor != &ss->extensionHooks; 701 cursor = PR_NEXT_LINK(cursor)) { 702 sslCustomExtensionHooks *hook = 703 (sslCustomExtensionHooks *)cursor; 704 PRBool append = PR_FALSE; 705 unsigned int len = 0; 706 707 if (hook->writer) { 708 /* The writer writes directly into |buf|. Provide space that allows 709 * for the existing extensions, any tail, plus type and length. */ 710 unsigned int space = buf->space - (buf->len + tail.len + 4); 711 append = (*hook->writer)(ss->fd, message, 712 buf->buf + buf->len + 4, &len, space, 713 hook->writerArg); 714 if (len > space) { 715 PORT_SetError(SEC_ERROR_APPLICATION_CALLBACK_ERROR); 716 goto loser; 717 } 718 } 719 if (!append) { 720 continue; 721 } 722 723 rv = sslBuffer_AppendNumber(buf, hook->type, 2); 724 if (rv != SECSuccess) { 725 goto loser; /* Code already set. */ 726 } 727 rv = sslBuffer_AppendNumber(buf, len, 2); 728 if (rv != SECSuccess) { 729 goto loser; /* Code already set. */ 730 } 731 buf->len += len; 732 733 if (message == ssl_hs_client_hello || 734 message == ssl_hs_ech_outer_client_hello || 735 message == ssl_hs_certificate_request) { 736 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = hook->type; 737 } 738 } 739 740 /* Restore saved extension and move the marker. */ 741 if (ss->xtnData.lastXtnOffset) { 742 ss->xtnData.lastXtnOffset = buf->len; 743 rv = sslBuffer_Append(buf, tail.buf, tail.len); 744 if (rv != SECSuccess) { 745 goto loser; /* Code already set. */ 746 } 747 } 748 749 sslBuffer_Clear(&tail); 750 return SECSuccess; 751 752 loser: 753 sslBuffer_Clear(&tail); 754 return SECFailure; 755 } 756 757 /* Call extension handlers for the given message. */ 758 SECStatus 759 ssl_ConstructExtensions(sslSocket *ss, sslBuffer *buf, SSLHandshakeType message) 760 { 761 const sslExtensionBuilder *sender; 762 SECStatus rv; 763 764 PORT_Assert(buf->len == 0); 765 766 /* Clear out any extensions previously advertised */ 767 ss->xtnData.numAdvertised = 0; 768 ss->xtnData.echNumAdvertised = 0; 769 770 switch (message) { 771 case ssl_hs_client_hello: 772 if (ss->vrange.max > SSL_LIBRARY_VERSION_3_0) { 773 /* Use TLS ClientHello Extension Permutation? */ 774 if (ss->opt.enableChXtnPermutation) { 775 sender = ss->ssl3.hs.chExtensionPermutation; 776 } else { 777 sender = clientHelloSendersTLS; 778 } 779 } else { 780 sender = clientHelloSendersSSL3; 781 } 782 break; 783 784 case ssl_hs_server_hello: 785 sender = ss->xtnData.serverHelloSenders; 786 break; 787 788 case ssl_hs_certificate_request: 789 PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); 790 sender = tls13_cert_req_senders; 791 break; 792 793 case ssl_hs_certificate: 794 PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); 795 sender = ss->xtnData.certificateSenders; 796 break; 797 798 case ssl_hs_encrypted_extensions: 799 PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); 800 sender = ss->xtnData.encryptedExtensionsSenders; 801 break; 802 803 case ssl_hs_hello_retry_request: 804 PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); 805 sender = tls13_hrr_senders; 806 break; 807 808 default: 809 PORT_Assert(0); 810 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 811 return SECFailure; 812 } 813 814 for (; sender->ex_sender != NULL; ++sender) { 815 PRUint16 ex_type = sender->ex_type; 816 PRBool append = PR_FALSE; 817 unsigned int start = buf->len; 818 unsigned int length; 819 820 if (ssl_FindCustomExtensionHooks(ss, sender->ex_type)) { 821 continue; 822 } 823 824 /* Save space for the extension type and length. Note that we don't grow 825 * the buffer now; rely on sslBuffer_Append* to do that. */ 826 buf->len += 4; 827 rv = (*sender->ex_sender)(ss, &ss->xtnData, buf, &append); 828 if (rv != SECSuccess) { 829 goto loser; 830 } 831 832 /* Save the length and go back to the start. */ 833 length = buf->len - start - 4; 834 buf->len = start; 835 if (!append) { 836 continue; 837 } 838 839 /* If TLS 1.3 GREASE is enabled, replace ssl_tls13_grease_xtn dummy 840 * GREASE extension types with randomly generated GREASE value. */ 841 rv = tls13_MaybeGreaseExtensionType(ss, message, &ex_type); 842 if (rv != SECSuccess) { 843 goto loser; /* Code already set. */ 844 } 845 846 rv = sslBuffer_AppendNumber(buf, ex_type, 2); 847 if (rv != SECSuccess) { 848 goto loser; /* Code already set. */ 849 } 850 rv = sslBuffer_AppendNumber(buf, length, 2); 851 if (rv != SECSuccess) { 852 goto loser; /* Code already set. */ 853 } 854 /* Skip over the extension body. */ 855 buf->len += length; 856 857 if (message == ssl_hs_client_hello || 858 message == ssl_hs_certificate_request) { 859 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = 860 ex_type; 861 } 862 } 863 864 if (!PR_CLIST_IS_EMPTY(&ss->extensionHooks)) { 865 if (message == ssl_hs_client_hello && ss->opt.callExtensionWriterOnEchInner) { 866 message = ssl_hs_ech_outer_client_hello; 867 } 868 rv = ssl_CallCustomExtensionSenders(ss, buf, message); 869 if (rv != SECSuccess) { 870 goto loser; 871 } 872 } 873 874 if (buf->len > 0xffff) { 875 PORT_SetError(SSL_ERROR_TX_RECORD_TOO_LONG); 876 goto loser; 877 } 878 879 return SECSuccess; 880 881 loser: 882 sslBuffer_Clear(buf); 883 return SECFailure; 884 } 885 886 /* This extension sender can be used anywhere that an always empty extension is 887 * needed. Mostly that is for ServerHello where sender registration is dynamic; 888 * ClientHello senders are usually conditional in some way. */ 889 SECStatus 890 ssl_SendEmptyExtension(const sslSocket *ss, TLSExtensionData *xtnData, 891 sslBuffer *buf, PRBool *append) 892 { 893 *append = PR_TRUE; 894 return SECSuccess; 895 } 896 897 /* Takes the size of the ClientHello, less the record header, and determines how 898 * much padding is required. */ 899 static unsigned int 900 ssl_CalculatePaddingExtLen(const sslSocket *ss, unsigned int clientHelloLength) 901 { 902 unsigned int extensionLen; 903 904 /* Don't pad for DTLS, for SSLv3, or for renegotiation. */ 905 if (IS_DTLS(ss) || 906 ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_0 || 907 ss->firstHsDone) { 908 return 0; 909 } 910 911 /* A padding extension may be included to ensure that the record containing 912 * the ClientHello doesn't have a length between 256 and 511 bytes 913 * (inclusive). Initial ClientHello records with such lengths trigger bugs 914 * in F5 devices. */ 915 if (clientHelloLength < 256 || clientHelloLength >= 512) { 916 return 0; 917 } 918 919 extensionLen = 512 - clientHelloLength; 920 /* Extensions take at least four bytes to encode. Always include at least 921 * one byte of data if we are padding. Some servers will time out or 922 * terminate the connection if the last ClientHello extension is empty. */ 923 if (extensionLen < 5) { 924 extensionLen = 5; 925 } 926 927 return extensionLen - 4; 928 } 929 930 /* Manually insert an extension, retaining the position of the PSK 931 * extension, if present. */ 932 SECStatus 933 ssl3_EmplaceExtension(sslSocket *ss, sslBuffer *buf, PRUint16 exType, 934 const PRUint8 *data, unsigned int len, PRBool advertise) 935 { 936 SECStatus rv; 937 unsigned int tailLen; 938 939 /* Move the tail if there is one. This only happens if we are sending the 940 * TLS 1.3 PSK extension, which needs to be at the end. */ 941 if (ss->xtnData.lastXtnOffset) { 942 PORT_Assert(buf->len > ss->xtnData.lastXtnOffset); 943 tailLen = buf->len - ss->xtnData.lastXtnOffset; 944 rv = sslBuffer_Grow(buf, buf->len + 4 + len); 945 if (rv != SECSuccess) { 946 return SECFailure; 947 } 948 PORT_Memmove(buf->buf + ss->xtnData.lastXtnOffset + 4 + len, 949 buf->buf + ss->xtnData.lastXtnOffset, 950 tailLen); 951 buf->len = ss->xtnData.lastXtnOffset; 952 } else { 953 tailLen = 0; 954 } 955 if (exType == ssl_tls13_encrypted_client_hello_xtn) { 956 ss->xtnData.echXtnOffset = buf->len; 957 } 958 rv = sslBuffer_AppendNumber(buf, exType, 2); 959 if (rv != SECSuccess) { 960 return SECFailure; /* Code already set. */ 961 } 962 rv = sslBuffer_AppendVariable(buf, data, len, 2); 963 if (rv != SECSuccess) { 964 return SECFailure; /* Code already set. */ 965 } 966 967 if (ss->xtnData.lastXtnOffset) { 968 ss->xtnData.lastXtnOffset += 4 + len; 969 } 970 971 buf->len += tailLen; 972 973 /* False only to retain behavior with padding_xtn. Maybe 974 * we can just mark that advertised as well? TODO */ 975 if (advertise) { 976 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = exType; 977 } 978 979 return SECSuccess; 980 } 981 982 /* ssl3_SendPaddingExtension possibly adds an extension which ensures that a 983 * ClientHello record is either < 256 bytes or is >= 512 bytes. This ensures 984 * that we don't trigger bugs in F5 products. 985 * 986 * This takes an existing extension buffer, |buf|, and the length of the 987 * remainder of the ClientHello, |prefixLen|. It modifies the extension buffer 988 * to insert padding at the right place. 989 */ 990 SECStatus 991 ssl_InsertPaddingExtension(sslSocket *ss, unsigned int prefixLen, 992 sslBuffer *buf) 993 { 994 static unsigned char padding[252] = { 0 }; 995 unsigned int paddingLen; 996 /* Exit early if an application-provided extension hook 997 * already added padding. */ 998 if (ssl3_ExtensionAdvertised(ss, ssl_padding_xtn)) { 999 return SECSuccess; 1000 } 1001 1002 /* Account for the size of the header, the length field of the extensions 1003 * block and the size of the existing extensions. */ 1004 paddingLen = ssl_CalculatePaddingExtLen(ss, prefixLen + 2 + buf->len); 1005 if (!paddingLen) { 1006 return SECSuccess; 1007 } 1008 1009 return ssl3_EmplaceExtension(ss, buf, ssl_padding_xtn, padding, paddingLen, PR_FALSE); 1010 } 1011 1012 void 1013 ssl3_MoveRemoteExtensions(PRCList *dst, PRCList *src) 1014 { 1015 PRCList *cur_p; 1016 while (!PR_CLIST_IS_EMPTY(src)) { 1017 cur_p = PR_LIST_TAIL(src); 1018 PR_REMOVE_LINK(cur_p); 1019 PR_INSERT_LINK(cur_p, dst); 1020 } 1021 } 1022 1023 void 1024 ssl3_DestroyRemoteExtensions(PRCList *list) 1025 { 1026 PRCList *cur_p; 1027 1028 while (!PR_CLIST_IS_EMPTY(list)) { 1029 cur_p = PR_LIST_TAIL(list); 1030 PR_REMOVE_LINK(cur_p); 1031 PORT_Free(cur_p); 1032 } 1033 } 1034 1035 /* Initialize the extension data block. */ 1036 void 1037 ssl3_InitExtensionData(TLSExtensionData *xtnData, const sslSocket *ss) 1038 { 1039 unsigned int advertisedMax; 1040 PRCList *cursor; 1041 1042 /* Set things up to the right starting state. */ 1043 PORT_Memset(xtnData, 0, sizeof(*xtnData)); 1044 xtnData->peerSupportsFfdheGroups = PR_FALSE; 1045 PR_INIT_CLIST(&xtnData->remoteKeyShares); 1046 1047 /* Allocate enough to allow for native extensions, plus any custom ones. */ 1048 if (ss->sec.isServer) { 1049 advertisedMax = PR_MAX(PR_ARRAY_SIZE(certificateRequestHandlers), 1050 PR_ARRAY_SIZE(tls13_cert_req_senders)); 1051 } else { 1052 advertisedMax = PR_MAX(PR_ARRAY_SIZE(clientHelloHandlers), 1053 PR_ARRAY_SIZE(clientHelloSendersTLS)); 1054 ++advertisedMax; /* For the RI SCSV, which we also track. */ 1055 } 1056 for (cursor = PR_NEXT_LINK(&ss->extensionHooks); 1057 cursor != &ss->extensionHooks; 1058 cursor = PR_NEXT_LINK(cursor)) { 1059 ++advertisedMax; 1060 } 1061 xtnData->advertised = PORT_ZNewArray(PRUint16, advertisedMax); 1062 xtnData->echAdvertised = PORT_ZNewArray(PRUint16, advertisedMax); 1063 1064 xtnData->peerDelegCred = NULL; 1065 xtnData->peerRequestedDelegCred = PR_FALSE; 1066 xtnData->sendingDelegCredToPeer = PR_FALSE; 1067 xtnData->selectedPsk = NULL; 1068 } 1069 1070 void 1071 ssl3_DestroyExtensionData(TLSExtensionData *xtnData) 1072 { 1073 ssl3_FreeSniNameArray(xtnData); 1074 PORT_Free(xtnData->sigSchemes); 1075 PORT_Free(xtnData->delegCredSigSchemes); 1076 PORT_Free(xtnData->delegCredSigSchemesAdvertised); 1077 SECITEM_FreeItem(&xtnData->nextProto, PR_FALSE); 1078 tls13_DestroyKeyShares(&xtnData->remoteKeyShares); 1079 SECITEM_FreeItem(&xtnData->certReqContext, PR_FALSE); 1080 SECITEM_FreeItem(&xtnData->applicationToken, PR_FALSE); 1081 if (xtnData->certReqAuthorities.arena) { 1082 PORT_FreeArena(xtnData->certReqAuthorities.arena, PR_FALSE); 1083 xtnData->certReqAuthorities.arena = NULL; 1084 } 1085 PORT_Free(xtnData->advertised); 1086 PORT_Free(xtnData->echAdvertised); 1087 tls13_DestroyDelegatedCredential(xtnData->peerDelegCred); 1088 1089 tls13_DestroyEchXtnState(xtnData->ech); 1090 xtnData->ech = NULL; 1091 } 1092 1093 /* Free everything that has been allocated and then reset back to 1094 * the starting state. */ 1095 void 1096 ssl3_ResetExtensionData(TLSExtensionData *xtnData, const sslSocket *ss) 1097 { 1098 ssl3_DestroyExtensionData(xtnData); 1099 ssl3_InitExtensionData(xtnData, ss); 1100 } 1101 1102 /* Thunks to let extension handlers operate on const sslSocket* objects. */ 1103 void 1104 ssl3_ExtSendAlert(const sslSocket *ss, SSL3AlertLevel level, 1105 SSL3AlertDescription desc) 1106 { 1107 (void)SSL3_SendAlert((sslSocket *)ss, level, desc); 1108 } 1109 1110 void 1111 ssl3_ExtDecodeError(const sslSocket *ss) 1112 { 1113 (void)ssl3_DecodeError((sslSocket *)ss); 1114 } 1115 1116 SECStatus 1117 ssl3_ExtConsumeHandshake(const sslSocket *ss, void *v, PRUint32 bytes, 1118 PRUint8 **b, PRUint32 *length) 1119 { 1120 return ssl3_ConsumeHandshake((sslSocket *)ss, v, bytes, b, length); 1121 } 1122 1123 SECStatus 1124 ssl3_ExtConsumeHandshakeNumber(const sslSocket *ss, PRUint32 *num, 1125 PRUint32 bytes, PRUint8 **b, PRUint32 *length) 1126 { 1127 return ssl3_ConsumeHandshakeNumber((sslSocket *)ss, num, bytes, b, length); 1128 } 1129 1130 SECStatus 1131 ssl3_ExtConsumeHandshakeVariable(const sslSocket *ss, SECItem *i, 1132 PRUint32 bytes, PRUint8 **b, 1133 PRUint32 *length) 1134 { 1135 return ssl3_ConsumeHandshakeVariable((sslSocket *)ss, i, bytes, b, length); 1136 } 1137 1138 SECStatus 1139 tls_ClientHelloExtensionPermutationSetup(sslSocket *ss) 1140 { 1141 size_t buildersLen = PR_ARRAY_SIZE(clientHelloSendersTLS); 1142 const size_t buildersSize = (sizeof(sslExtensionBuilder) * buildersLen); 1143 /* Psk Extension and then NULL entry MUST be last. */ 1144 const size_t permutationLen = buildersLen - 2; 1145 1146 /* There shouldn't already be a stored permutation. */ 1147 PR_ASSERT(!ss->ssl3.hs.chExtensionPermutation); 1148 1149 /* This shuffle handles up to 256 extensions. */ 1150 PR_ASSERT(buildersLen < 256); 1151 uint8_t permutation[256] = { 0 }; 1152 1153 sslExtensionBuilder *builders = PORT_ZAlloc(buildersSize); 1154 if (!builders) { 1155 return SECFailure; 1156 } 1157 1158 /* Get a working copy of default builders. */ 1159 PORT_Memcpy(builders, clientHelloSendersTLS, buildersSize); 1160 1161 /* Get permutation randoms. */ 1162 if (PK11_GenerateRandom(permutation, permutationLen) != SECSuccess) { 1163 PORT_Free(builders); 1164 return SECFailure; 1165 } 1166 1167 /* Fisher-Yates Shuffle */ 1168 for (size_t i = permutationLen - 1; i > 0; i--) { 1169 size_t idx = permutation[i - 1] % (i + 1); 1170 sslExtensionBuilder tmp = builders[i]; 1171 builders[i] = builders[idx]; 1172 builders[idx] = tmp; 1173 } 1174 1175 /* Make sure that Psk extension is penultimate (before NULL entry). */ 1176 PR_ASSERT(builders[buildersLen - 2].ex_type == ssl_tls13_pre_shared_key_xtn); 1177 PR_ASSERT(builders[buildersLen - 2].ex_sender == clientHelloSendersTLS[buildersLen - 2].ex_sender); 1178 1179 ss->ssl3.hs.chExtensionPermutation = builders; 1180 return SECSuccess; 1181 } 1182 1183 void 1184 tls_ClientHelloExtensionPermutationDestroy(sslSocket *ss) 1185 { 1186 if (ss->ssl3.hs.chExtensionPermutation) { 1187 PORT_Free(ss->ssl3.hs.chExtensionPermutation); 1188 ss->ssl3.hs.chExtensionPermutation = NULL; 1189 } 1190 }