ssl3exthandle.c (66617B)
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ 2 /* 3 * This Source Code Form is subject to the terms of the Mozilla Public 4 * License, v. 2.0. If a copy of the MPL was not distributed with this 5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 7 #include "nssrenam.h" 8 #include "nss.h" 9 #include "ssl.h" 10 #include "sslproto.h" 11 #include "sslimpl.h" 12 #include "pk11pub.h" 13 #include "blapit.h" 14 #include "prinit.h" 15 #include "selfencrypt.h" 16 #include "ssl3ext.h" 17 #include "ssl3exthandle.h" 18 #include "tls13ech.h" 19 #include "tls13exthandle.h" /* For tls13_ServerSendStatusRequestXtn. */ 20 21 PRBool 22 ssl_ShouldSendSNIExtension(const sslSocket *ss, const char *url) 23 { 24 PRNetAddr netAddr; 25 26 /* must have a hostname */ 27 if (!url || !url[0]) { 28 return PR_FALSE; 29 } 30 /* must not be an IPv4 or IPv6 address */ 31 if (PR_SUCCESS == PR_StringToNetAddr(url, &netAddr)) { 32 /* is an IP address (v4 or v6) */ 33 return PR_FALSE; 34 } 35 36 return PR_TRUE; 37 } 38 39 /* Format an SNI extension, using the name from the socket's URL, 40 * unless that name is a dotted decimal string. 41 * Used by client and server. 42 */ 43 SECStatus 44 ssl3_ClientFormatServerNameXtn(const sslSocket *ss, const char *url, 45 unsigned int len, TLSExtensionData *xtnData, 46 sslBuffer *buf) 47 { 48 SECStatus rv; 49 50 /* length of server_name_list */ 51 rv = sslBuffer_AppendNumber(buf, len + 3, 2); 52 if (rv != SECSuccess) { 53 return SECFailure; 54 } 55 /* Name Type (sni_host_name) */ 56 rv = sslBuffer_AppendNumber(buf, 0, 1); 57 if (rv != SECSuccess) { 58 return SECFailure; 59 } 60 /* HostName (length and value) */ 61 rv = sslBuffer_AppendVariable(buf, (const PRUint8 *)url, len, 2); 62 if (rv != SECSuccess) { 63 return SECFailure; 64 } 65 66 return SECSuccess; 67 } 68 69 SECStatus 70 ssl3_ClientSendServerNameXtn(const sslSocket *ss, TLSExtensionData *xtnData, 71 sslBuffer *buf, PRBool *added) 72 { 73 SECStatus rv; 74 75 const char *url = ss->url; 76 77 if (!ssl_ShouldSendSNIExtension(ss, url)) { 78 return SECSuccess; 79 } 80 81 /* If ECH, write the public name. The real server name 82 * is emplaced while constructing CHInner extensions. */ 83 const char *sniContents = ss->ssl3.hs.echHpkeCtx ? ss->ssl3.hs.echPublicName : url; 84 rv = ssl3_ClientFormatServerNameXtn(ss, sniContents, strlen(sniContents), xtnData, buf); 85 if (rv != SECSuccess) { 86 return SECFailure; 87 } 88 89 *added = PR_TRUE; 90 return SECSuccess; 91 } 92 93 SECStatus 94 ssl3_HandleServerNameXtn(const sslSocket *ss, TLSExtensionData *xtnData, 95 SECItem *data) 96 { 97 SECItem *names = NULL; 98 PRUint32 listLenBytes = 0; 99 SECStatus rv; 100 101 if (!ss->sec.isServer) { 102 return SECSuccess; /* ignore extension */ 103 } 104 105 /* Server side - consume client data and register server sender. */ 106 /* do not parse the data if don't have user extension handling function. */ 107 if (!ss->sniSocketConfig) { 108 return SECSuccess; 109 } 110 111 /* length of server_name_list */ 112 rv = ssl3_ExtConsumeHandshakeNumber(ss, &listLenBytes, 2, &data->data, &data->len); 113 if (rv != SECSuccess) { 114 goto loser; /* alert already sent */ 115 } 116 if (listLenBytes == 0 || listLenBytes != data->len) { 117 goto alert_loser; 118 } 119 120 /* Read ServerNameList. */ 121 while (data->len > 0) { 122 SECItem tmp; 123 PRUint32 type; 124 125 /* Read Name Type. */ 126 rv = ssl3_ExtConsumeHandshakeNumber(ss, &type, 1, &data->data, &data->len); 127 if (rv != SECSuccess) { 128 /* alert sent in ConsumeHandshakeNumber */ 129 goto loser; 130 } 131 132 /* Read ServerName (length and value). */ 133 rv = ssl3_ExtConsumeHandshakeVariable(ss, &tmp, 2, &data->data, &data->len); 134 if (rv != SECSuccess) { 135 goto loser; 136 } 137 138 /* Record the value for host_name(0). */ 139 if (type == sni_nametype_hostname) { 140 /* Fail if we encounter a second host_name entry. */ 141 if (names) { 142 goto alert_loser; 143 } 144 145 /* Create an array for the only supported NameType. */ 146 names = PORT_ZNewArray(SECItem, 1); 147 if (!names) { 148 goto loser; 149 } 150 151 /* Copy ServerName into the array. */ 152 if (SECITEM_CopyItem(NULL, &names[0], &tmp) != SECSuccess) { 153 goto loser; 154 } 155 } 156 157 /* Even if we don't support NameTypes other than host_name at the 158 * moment, we continue parsing the whole list to check its validity. 159 * We do not check for duplicate entries with NameType != host_name(0). 160 */ 161 } 162 if (names) { 163 /* Free old and set the new data. */ 164 ssl3_FreeSniNameArray(xtnData); 165 xtnData->sniNameArr = names; 166 xtnData->sniNameArrSize = 1; 167 xtnData->negotiated[xtnData->numNegotiated++] = ssl_server_name_xtn; 168 } 169 return SECSuccess; 170 171 alert_loser: 172 ssl3_ExtDecodeError(ss); 173 loser: 174 if (names) { 175 PORT_Free(names); 176 } 177 return SECFailure; 178 } 179 180 /* Frees a given xtnData->sniNameArr and its elements. */ 181 void 182 ssl3_FreeSniNameArray(TLSExtensionData *xtnData) 183 { 184 PRUint32 i; 185 186 if (!xtnData->sniNameArr) { 187 return; 188 } 189 190 for (i = 0; i < xtnData->sniNameArrSize; i++) { 191 SECITEM_FreeItem(&xtnData->sniNameArr[i], PR_FALSE); 192 } 193 194 PORT_Free(xtnData->sniNameArr); 195 xtnData->sniNameArr = NULL; 196 xtnData->sniNameArrSize = 0; 197 } 198 199 /* Called by both clients and servers. 200 * Clients sends a filled in session ticket if one is available, and otherwise 201 * sends an empty ticket. Servers always send empty tickets. 202 */ 203 SECStatus 204 ssl3_ClientSendSessionTicketXtn(const sslSocket *ss, TLSExtensionData *xtnData, 205 sslBuffer *buf, PRBool *added) 206 { 207 NewSessionTicket *session_ticket = NULL; 208 sslSessionID *sid = ss->sec.ci.sid; 209 SECStatus rv; 210 211 PORT_Assert(!ss->sec.isServer); 212 213 /* Never send an extension with a ticket for TLS 1.3, but 214 * OK to send the empty one in case the server does 1.2. */ 215 if ((sid->cached == in_client_cache || sid->cached == in_external_cache) && 216 sid->version >= SSL_LIBRARY_VERSION_TLS_1_3) { 217 return SECSuccess; 218 } 219 220 /* Ignore the SessionTicket extension if processing is disabled. */ 221 if (!ss->opt.enableSessionTickets) { 222 return SECSuccess; 223 } 224 225 /* Send a session ticket if one is available. 226 * 227 * The caller must be holding sid->u.ssl3.lock for reading. We cannot 228 * just acquire and release the lock within this function because the 229 * caller will call this function twice, and we need the inputs to be 230 * consistent between the two calls. Note that currently the caller 231 * will only be holding the lock when we are the client and when we're 232 * attempting to resume an existing session. 233 */ 234 session_ticket = &sid->u.ssl3.locked.sessionTicket; 235 if (session_ticket->ticket.data && 236 (xtnData->ticketTimestampVerified || 237 ssl_TicketTimeValid(ss, session_ticket))) { 238 239 xtnData->ticketTimestampVerified = PR_FALSE; 240 241 rv = sslBuffer_Append(buf, session_ticket->ticket.data, 242 session_ticket->ticket.len); 243 if (rv != SECSuccess) { 244 return SECFailure; 245 } 246 247 xtnData->sentSessionTicketInClientHello = PR_TRUE; 248 } 249 250 *added = PR_TRUE; 251 return SECSuccess; 252 } 253 254 PRBool 255 ssl_AlpnTagAllowed(const sslSocket *ss, const SECItem *tag) 256 { 257 const unsigned char *data = ss->opt.nextProtoNego.data; 258 unsigned int length = ss->opt.nextProtoNego.len; 259 unsigned int offset = 0; 260 261 if (!tag->len) 262 return PR_TRUE; 263 264 while (offset < length) { 265 unsigned int taglen = (unsigned int)data[offset]; 266 if ((taglen == tag->len) && 267 !PORT_Memcmp(data + offset + 1, tag->data, tag->len)) 268 return PR_TRUE; 269 offset += 1 + taglen; 270 } 271 272 return PR_FALSE; 273 } 274 275 /* ssl3_ValidateAppProtocol checks that the given block of data is valid: none 276 * of the lengths may be 0 and the sum of the lengths must equal the length of 277 * the block. */ 278 SECStatus 279 ssl3_ValidateAppProtocol(const unsigned char *data, unsigned int length) 280 { 281 unsigned int offset = 0; 282 283 while (offset < length) { 284 unsigned int newOffset = offset + 1 + (unsigned int)data[offset]; 285 /* Reject embedded nulls to protect against buggy applications that 286 * store protocol identifiers in null-terminated strings. 287 */ 288 if (newOffset > length || data[offset] == 0) { 289 return SECFailure; 290 } 291 offset = newOffset; 292 } 293 294 return SECSuccess; 295 } 296 297 /* Protocol selection handler for ALPN. */ 298 static SECStatus 299 ssl3_SelectAppProtocol(const sslSocket *ss, TLSExtensionData *xtnData, 300 PRUint16 extension, SECItem *data) 301 { 302 SECStatus rv; 303 unsigned char resultBuffer[255]; 304 SECItem result = { siBuffer, resultBuffer, 0 }; 305 306 rv = ssl3_ValidateAppProtocol(data->data, data->len); 307 if (rv != SECSuccess) { 308 ssl3_ExtSendAlert(ss, alert_fatal, decode_error); 309 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); 310 return SECFailure; 311 } 312 313 PORT_Assert(ss->nextProtoCallback); 314 /* Neither the cipher suite nor ECH are selected yet Note that extensions 315 * sometimes affect what cipher suite is selected, e.g., for ECC. */ 316 PORT_Assert((ss->ssl3.hs.preliminaryInfo & 317 ssl_preinfo_all & ~ssl_preinfo_cipher_suite & ~ssl_preinfo_ech) == 318 (ssl_preinfo_all & ~ssl_preinfo_cipher_suite & ~ssl_preinfo_ech)); 319 /* The callback has to make sure that either rv != SECSuccess or that result 320 * is not set if there is no common protocol. */ 321 rv = ss->nextProtoCallback(ss->nextProtoArg, ss->fd, data->data, data->len, 322 result.data, &result.len, sizeof(resultBuffer)); 323 if (rv != SECSuccess) { 324 /* Expect callback to call PORT_SetError() */ 325 ssl3_ExtSendAlert(ss, alert_fatal, internal_error); 326 return SECFailure; 327 } 328 329 /* If the callback wrote more than allowed to |result| it has corrupted our 330 * stack. */ 331 if (result.len > sizeof(resultBuffer)) { 332 PORT_SetError(SEC_ERROR_OUTPUT_LEN); 333 PORT_Assert(PR_FALSE); 334 return SECFailure; 335 } 336 337 SECITEM_FreeItem(&xtnData->nextProto, PR_FALSE); 338 339 if (result.len < 1 || !result.data) { 340 /* Check that we actually got a result. */ 341 ssl3_ExtSendAlert(ss, alert_fatal, no_application_protocol); 342 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL); 343 return SECFailure; 344 } 345 346 xtnData->nextProtoState = SSL_NEXT_PROTO_NEGOTIATED; 347 xtnData->negotiated[xtnData->numNegotiated++] = extension; 348 return SECITEM_CopyItem(NULL, &xtnData->nextProto, &result); 349 } 350 351 /* handle an incoming ALPN extension at the server */ 352 SECStatus 353 ssl3_ServerHandleAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData, 354 SECItem *data) 355 { 356 PRUint32 count; 357 SECStatus rv; 358 359 /* We expressly don't want to allow ALPN on renegotiation, 360 * despite it being permitted by the spec. */ 361 if (ss->firstHsDone || data->len == 0) { 362 /* Clients MUST send a non-empty ALPN extension. */ 363 ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); 364 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); 365 return SECFailure; 366 } 367 368 /* ALPN has extra redundant length information so that 369 * the extension is the same in both ClientHello and ServerHello. */ 370 rv = ssl3_ExtConsumeHandshakeNumber(ss, &count, 2, &data->data, &data->len); 371 if (rv != SECSuccess || count != data->len) { 372 ssl3_ExtDecodeError(ss); 373 return SECFailure; 374 } 375 376 if (!ss->nextProtoCallback) { 377 /* we're not configured for it */ 378 return SECSuccess; 379 } 380 381 rv = ssl3_SelectAppProtocol(ss, xtnData, ssl_app_layer_protocol_xtn, data); 382 if (rv != SECSuccess) { 383 return rv; 384 } 385 386 /* prepare to send back a response, if we negotiated */ 387 if (xtnData->nextProtoState == SSL_NEXT_PROTO_NEGOTIATED) { 388 rv = ssl3_RegisterExtensionSender(ss, xtnData, 389 ssl_app_layer_protocol_xtn, 390 ssl3_ServerSendAppProtoXtn); 391 if (rv != SECSuccess) { 392 ssl3_ExtSendAlert(ss, alert_fatal, internal_error); 393 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 394 return rv; 395 } 396 } 397 return SECSuccess; 398 } 399 400 SECStatus 401 ssl3_ClientHandleAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData, 402 SECItem *data) 403 { 404 SECStatus rv; 405 PRUint32 list_len; 406 SECItem protocol_name; 407 408 if (ssl3_ExtensionNegotiated(ss, ssl_next_proto_nego_xtn)) { 409 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 410 return SECFailure; 411 } 412 413 /* The extension data from the server has the following format: 414 * uint16 name_list_len; 415 * uint8 len; // where len >= 1 416 * uint8 protocol_name[len]; */ 417 if (data->len < 4 || data->len > 2 + 1 + 255) { 418 ssl3_ExtSendAlert(ss, alert_fatal, decode_error); 419 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); 420 return SECFailure; 421 } 422 423 rv = ssl3_ExtConsumeHandshakeNumber(ss, &list_len, 2, &data->data, 424 &data->len); 425 /* The list has to be the entire extension. */ 426 if (rv != SECSuccess || list_len != data->len) { 427 ssl3_ExtSendAlert(ss, alert_fatal, decode_error); 428 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); 429 return SECFailure; 430 } 431 432 rv = ssl3_ExtConsumeHandshakeVariable(ss, &protocol_name, 1, 433 &data->data, &data->len); 434 /* The list must have exactly one value. */ 435 if (rv != SECSuccess || data->len != 0) { 436 ssl3_ExtSendAlert(ss, alert_fatal, decode_error); 437 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); 438 return SECFailure; 439 } 440 441 if (!ssl_AlpnTagAllowed(ss, &protocol_name)) { 442 ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); 443 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); 444 return SECFailure; 445 } 446 447 SECITEM_FreeItem(&xtnData->nextProto, PR_FALSE); 448 xtnData->nextProtoState = SSL_NEXT_PROTO_SELECTED; 449 xtnData->negotiated[xtnData->numNegotiated++] = ssl_app_layer_protocol_xtn; 450 return SECITEM_CopyItem(NULL, &xtnData->nextProto, &protocol_name); 451 } 452 453 SECStatus 454 ssl3_ClientSendAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData, 455 sslBuffer *buf, PRBool *added) 456 { 457 SECStatus rv; 458 459 /* Renegotiations do not send this extension. */ 460 if (!ss->opt.enableALPN || !ss->opt.nextProtoNego.len || ss->firstHsDone) { 461 PR_ASSERT(!ss->opt.nextProtoNego.data); 462 return SECSuccess; 463 } 464 PRBool addGrease = ss->opt.enableGrease && ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3; 465 466 /* The list of protocol strings is prefixed with a 2-byte length */ 467 rv = sslBuffer_AppendNumber(buf, ss->opt.nextProtoNego.len + (addGrease ? 3 : 0), 2); 468 if (rv != SECSuccess) { 469 return SECFailure; 470 } 471 /* The list of protocol strings */ 472 rv = sslBuffer_Append(buf, ss->opt.nextProtoNego.data, ss->opt.nextProtoNego.len); 473 if (rv != SECSuccess) { 474 return SECFailure; 475 } 476 /* A client MAY select one or more GREASE ALPN identifiers and advertise 477 * them in the "application_layer_protocol_negotiation" extension, if sent 478 * [RFC8701, Section 3.1]. */ 479 if (addGrease) { 480 rv = sslBuffer_AppendNumber(buf, 2, 1); 481 if (rv != SECSuccess) { 482 return SECFailure; 483 } 484 rv = sslBuffer_AppendNumber(buf, ss->ssl3.hs.grease->idx[grease_alpn], 2); 485 if (rv != SECSuccess) { 486 return SECFailure; 487 } 488 } 489 490 *added = PR_TRUE; 491 return SECSuccess; 492 } 493 494 SECStatus 495 ssl3_ServerSendAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData, 496 sslBuffer *buf, PRBool *added) 497 { 498 SECStatus rv; 499 500 /* We're in over our heads if any of these fail */ 501 PORT_Assert(ss->opt.enableALPN); 502 PORT_Assert(xtnData->nextProto.data); 503 PORT_Assert(xtnData->nextProto.len > 0); 504 PORT_Assert(xtnData->nextProtoState == SSL_NEXT_PROTO_NEGOTIATED); 505 PORT_Assert(!ss->firstHsDone); 506 507 rv = sslBuffer_AppendNumber(buf, xtnData->nextProto.len + 1, 2); 508 if (rv != SECSuccess) { 509 return SECFailure; 510 } 511 rv = sslBuffer_AppendVariable(buf, xtnData->nextProto.data, 512 xtnData->nextProto.len, 1); 513 if (rv != SECSuccess) { 514 return SECFailure; 515 } 516 517 *added = PR_TRUE; 518 return SECSuccess; 519 } 520 521 SECStatus 522 ssl3_ServerHandleStatusRequestXtn(const sslSocket *ss, TLSExtensionData *xtnData, 523 SECItem *data) 524 { 525 sslExtensionBuilderFunc sender; 526 527 PORT_Assert(ss->sec.isServer); 528 529 /* remember that we got this extension. */ 530 xtnData->negotiated[xtnData->numNegotiated++] = ssl_cert_status_xtn; 531 532 if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) { 533 sender = tls13_ServerSendStatusRequestXtn; 534 } else { 535 sender = ssl3_ServerSendStatusRequestXtn; 536 } 537 return ssl3_RegisterExtensionSender(ss, xtnData, ssl_cert_status_xtn, sender); 538 } 539 540 SECStatus 541 ssl3_ServerSendStatusRequestXtn(const sslSocket *ss, TLSExtensionData *xtnData, 542 sslBuffer *buf, PRBool *added) 543 { 544 const sslServerCert *serverCert = ss->sec.serverCert; 545 546 if (!serverCert->certStatusArray || 547 !serverCert->certStatusArray->len) { 548 return SECSuccess; 549 } 550 551 *added = PR_TRUE; 552 return SECSuccess; 553 } 554 555 /* ssl3_ClientSendStatusRequestXtn builds the status_request extension on the 556 * client side. See RFC 6066 section 8. */ 557 SECStatus 558 ssl3_ClientSendStatusRequestXtn(const sslSocket *ss, TLSExtensionData *xtnData, 559 sslBuffer *buf, PRBool *added) 560 { 561 SECStatus rv; 562 563 if (!ss->opt.enableOCSPStapling) { 564 return SECSuccess; 565 } 566 567 rv = sslBuffer_AppendNumber(buf, 1 /* status_type ocsp */, 1); 568 if (rv != SECSuccess) { 569 return SECFailure; 570 } 571 /* A zero length responder_id_list means that the responders are 572 * implicitly known to the server. */ 573 rv = sslBuffer_AppendNumber(buf, 0, 2); 574 if (rv != SECSuccess) { 575 return SECFailure; 576 } 577 /* A zero length request_extensions means that there are no extensions. 578 * Specifically, we don't set the id-pkix-ocsp-nonce extension. This 579 * means that the server can replay a cached OCSP response to us. */ 580 rv = sslBuffer_AppendNumber(buf, 0, 2); 581 if (rv != SECSuccess) { 582 return SECFailure; 583 } 584 585 *added = PR_TRUE; 586 return SECSuccess; 587 } 588 589 SECStatus 590 ssl3_ClientHandleStatusRequestXtn(const sslSocket *ss, TLSExtensionData *xtnData, 591 SECItem *data) 592 { 593 /* In TLS 1.3, the extension carries the OCSP response. */ 594 if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) { 595 SECStatus rv; 596 rv = ssl_ReadCertificateStatus(CONST_CAST(sslSocket, ss), 597 data->data, data->len); 598 if (rv != SECSuccess) { 599 return SECFailure; /* code already set */ 600 } 601 } else if (data->len != 0) { 602 ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); 603 PORT_SetError(SSL_ERROR_RX_MALFORMED_SERVER_HELLO); 604 return SECFailure; 605 } 606 607 /* Keep track of negotiated extensions. */ 608 xtnData->negotiated[xtnData->numNegotiated++] = ssl_cert_status_xtn; 609 return SECSuccess; 610 } 611 612 #define TLS_EX_SESS_TICKET_VERSION (0x010a) 613 614 /* 615 * Called from ssl3_SendNewSessionTicket, tls13_SendNewSessionTicket 616 */ 617 SECStatus 618 ssl3_EncodeSessionTicket(sslSocket *ss, const NewSessionTicket *ticket, 619 const PRUint8 *appToken, unsigned int appTokenLen, 620 PK11SymKey *secret, SECItem *ticket_data) 621 { 622 SECStatus rv; 623 sslBuffer plaintext = SSL_BUFFER_EMPTY; 624 SECItem ticket_buf = { 0, NULL, 0 }; 625 sslSessionID sid; 626 unsigned char wrapped_ms[SSL3_MASTER_SECRET_LENGTH]; 627 SECItem ms_item = { 0, NULL, 0 }; 628 PRTime now; 629 SECItem *srvName = NULL; 630 CK_MECHANISM_TYPE msWrapMech; 631 SECItem *alpnSelection = NULL; 632 PRUint32 ticketAgeBaseline; 633 634 SSL_TRC(3, ("%d: SSL3[%d]: send session_ticket handshake", 635 SSL_GETPID(), ss->fd)); 636 637 PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 638 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 639 640 /* Extract the master secret wrapped. */ 641 642 PORT_Memset(&sid, 0, sizeof(sslSessionID)); 643 644 PORT_Assert(secret); 645 rv = ssl3_CacheWrappedSecret(ss, &sid, secret); 646 if (rv == SECSuccess) { 647 if (sid.u.ssl3.keys.wrapped_master_secret_len > sizeof(wrapped_ms)) 648 goto loser; 649 memcpy(wrapped_ms, sid.u.ssl3.keys.wrapped_master_secret, 650 sid.u.ssl3.keys.wrapped_master_secret_len); 651 ms_item.data = wrapped_ms; 652 ms_item.len = sid.u.ssl3.keys.wrapped_master_secret_len; 653 msWrapMech = sid.u.ssl3.masterWrapMech; 654 } else { 655 /* TODO: else send an empty ticket. */ 656 goto loser; 657 } 658 /* Prep to send negotiated name */ 659 srvName = &ss->sec.ci.sid->u.ssl3.srvName; 660 661 /* ticket version */ 662 rv = sslBuffer_AppendNumber(&plaintext, TLS_EX_SESS_TICKET_VERSION, 663 sizeof(PRUint16)); 664 if (rv != SECSuccess) 665 goto loser; 666 667 /* ssl_version */ 668 rv = sslBuffer_AppendNumber(&plaintext, ss->version, 669 sizeof(SSL3ProtocolVersion)); 670 if (rv != SECSuccess) 671 goto loser; 672 673 /* ciphersuite */ 674 rv = sslBuffer_AppendNumber(&plaintext, ss->ssl3.hs.cipher_suite, 675 sizeof(ssl3CipherSuite)); 676 if (rv != SECSuccess) 677 goto loser; 678 679 /* cipher spec parameters */ 680 rv = sslBuffer_AppendNumber(&plaintext, ss->sec.authType, 1); 681 if (rv != SECSuccess) 682 goto loser; 683 rv = sslBuffer_AppendNumber(&plaintext, ss->sec.authKeyBits, 4); 684 if (rv != SECSuccess) 685 goto loser; 686 rv = sslBuffer_AppendNumber(&plaintext, ss->sec.keaType, 1); 687 if (rv != SECSuccess) 688 goto loser; 689 rv = sslBuffer_AppendNumber(&plaintext, ss->sec.keaKeyBits, 4); 690 if (rv != SECSuccess) 691 goto loser; 692 if (ss->sec.keaGroup) { 693 rv = sslBuffer_AppendNumber(&plaintext, ss->sec.keaGroup->name, 4); 694 if (rv != SECSuccess) 695 goto loser; 696 } else { 697 /* No kea group. Write 0 as invalid value. */ 698 rv = sslBuffer_AppendNumber(&plaintext, 0, 4); 699 if (rv != SECSuccess) 700 goto loser; 701 } 702 rv = sslBuffer_AppendNumber(&plaintext, ss->sec.signatureScheme, 4); 703 if (rv != SECSuccess) 704 goto loser; 705 706 /* certificate type */ 707 PORT_Assert(SSL_CERT_IS(ss->sec.serverCert, ss->sec.authType)); 708 if (SSL_CERT_IS_EC(ss->sec.serverCert)) { 709 const sslServerCert *cert = ss->sec.serverCert; 710 PORT_Assert(cert->namedCurve); 711 /* EC curves only use the second of the two bytes. */ 712 PORT_Assert(cert->namedCurve->name < 256); 713 rv = sslBuffer_AppendNumber(&plaintext, cert->namedCurve->name, 1); 714 } else { 715 rv = sslBuffer_AppendNumber(&plaintext, 0, 1); 716 } 717 if (rv != SECSuccess) 718 goto loser; 719 720 /* master_secret */ 721 rv = sslBuffer_AppendNumber(&plaintext, msWrapMech, 4); 722 if (rv != SECSuccess) 723 goto loser; 724 rv = sslBuffer_AppendVariable(&plaintext, ms_item.data, ms_item.len, 2); 725 if (rv != SECSuccess) 726 goto loser; 727 728 /* client identity */ 729 if (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) { 730 rv = sslBuffer_AppendNumber(&plaintext, CLIENT_AUTH_CERTIFICATE, 1); 731 if (rv != SECSuccess) 732 goto loser; 733 rv = sslBuffer_AppendVariable(&plaintext, 734 ss->sec.ci.sid->peerCert->derCert.data, 735 ss->sec.ci.sid->peerCert->derCert.len, 2); 736 if (rv != SECSuccess) 737 goto loser; 738 } else { 739 rv = sslBuffer_AppendNumber(&plaintext, 0, 1); 740 if (rv != SECSuccess) 741 goto loser; 742 } 743 744 /* timestamp */ 745 now = ssl_Time(ss); 746 PORT_Assert(sizeof(now) == 8); 747 rv = sslBuffer_AppendNumber(&plaintext, now, 8); 748 if (rv != SECSuccess) 749 goto loser; 750 751 /* HostName (length and value) */ 752 rv = sslBuffer_AppendVariable(&plaintext, srvName->data, srvName->len, 2); 753 if (rv != SECSuccess) 754 goto loser; 755 756 /* extendedMasterSecretUsed */ 757 rv = sslBuffer_AppendNumber( 758 &plaintext, ss->sec.ci.sid->u.ssl3.keys.extendedMasterSecretUsed, 1); 759 if (rv != SECSuccess) 760 goto loser; 761 762 /* Flags */ 763 rv = sslBuffer_AppendNumber(&plaintext, ticket->flags, 764 sizeof(ticket->flags)); 765 if (rv != SECSuccess) 766 goto loser; 767 768 /* ALPN value. */ 769 PORT_Assert(ss->xtnData.nextProtoState == SSL_NEXT_PROTO_SELECTED || 770 ss->xtnData.nextProtoState == SSL_NEXT_PROTO_NEGOTIATED || 771 ss->xtnData.nextProto.len == 0); 772 alpnSelection = &ss->xtnData.nextProto; 773 PORT_Assert(alpnSelection->len < 256); 774 rv = sslBuffer_AppendVariable(&plaintext, alpnSelection->data, 775 alpnSelection->len, 1); 776 if (rv != SECSuccess) 777 goto loser; 778 779 rv = sslBuffer_AppendNumber(&plaintext, ss->opt.maxEarlyDataSize, 4); 780 if (rv != SECSuccess) 781 goto loser; 782 783 /* 784 * We store this in the ticket: 785 * ticket_age_baseline = 1rtt - ticket_age_add 786 * 787 * When the client resumes, it will provide: 788 * obfuscated_age = ticket_age_client + ticket_age_add 789 * 790 * We expect to receive the ticket at: 791 * ticket_create + 1rtt + ticket_age_server 792 * 793 * We calculate the client's estimate of this as: 794 * ticket_create + ticket_age_baseline + obfuscated_age 795 * = ticket_create + 1rtt + ticket_age_client 796 * 797 * This is compared to the expected time, which should differ only as a 798 * result of clock errors or errors in the RTT estimate. 799 */ 800 ticketAgeBaseline = ss->ssl3.hs.rttEstimate / PR_USEC_PER_MSEC; 801 ticketAgeBaseline -= ticket->ticket_age_add; 802 rv = sslBuffer_AppendNumber(&plaintext, ticketAgeBaseline, 4); 803 if (rv != SECSuccess) 804 goto loser; 805 806 /* Application token */ 807 rv = sslBuffer_AppendVariable(&plaintext, appToken, appTokenLen, 2); 808 if (rv != SECSuccess) 809 goto loser; 810 811 /* This really only happens if appTokenLen is too much, and that always 812 * comes from the using application. */ 813 if (SSL_BUFFER_LEN(&plaintext) > 0xffff) { 814 PORT_SetError(SEC_ERROR_INVALID_ARGS); 815 goto loser; 816 } 817 818 ticket_buf.len = ssl_SelfEncryptGetProtectedSize(SSL_BUFFER_LEN(&plaintext)); 819 PORT_Assert(ticket_buf.len > 0); 820 if (SECITEM_AllocItem(NULL, &ticket_buf, ticket_buf.len) == NULL) { 821 goto loser; 822 } 823 824 /* Finally, encrypt the ticket. */ 825 rv = ssl_SelfEncryptProtect(ss, SSL_BUFFER_BASE(&plaintext), 826 SSL_BUFFER_LEN(&plaintext), 827 ticket_buf.data, &ticket_buf.len, ticket_buf.len); 828 if (rv != SECSuccess) { 829 goto loser; 830 } 831 832 /* Give ownership of memory to caller. */ 833 *ticket_data = ticket_buf; 834 835 sslBuffer_Clear(&plaintext); 836 return SECSuccess; 837 838 loser: 839 sslBuffer_Clear(&plaintext); 840 if (ticket_buf.data) { 841 SECITEM_FreeItem(&ticket_buf, PR_FALSE); 842 } 843 844 return SECFailure; 845 } 846 847 /* When a client receives a SessionTicket extension a NewSessionTicket 848 * message is expected during the handshake. 849 */ 850 SECStatus 851 ssl3_ClientHandleSessionTicketXtn(const sslSocket *ss, TLSExtensionData *xtnData, 852 SECItem *data) 853 { 854 PORT_Assert(ss->version < SSL_LIBRARY_VERSION_TLS_1_3); 855 856 if (data->len != 0) { 857 return SECSuccess; /* Ignore the extension. */ 858 } 859 860 /* Keep track of negotiated extensions. */ 861 xtnData->negotiated[xtnData->numNegotiated++] = ssl_session_ticket_xtn; 862 return SECSuccess; 863 } 864 865 PR_STATIC_ASSERT((TLS_EX_SESS_TICKET_VERSION >> 8) == 1); 866 867 static SECStatus 868 ssl_ParseSessionTicket(sslSocket *ss, const SECItem *decryptedTicket, 869 SessionTicket *parsedTicket) 870 { 871 PRUint32 temp; 872 SECStatus rv; 873 874 PRUint8 *buffer = decryptedTicket->data; 875 unsigned int len = decryptedTicket->len; 876 877 PORT_Memset(parsedTicket, 0, sizeof(*parsedTicket)); 878 parsedTicket->valid = PR_FALSE; 879 880 /* If the decrypted ticket is empty, then report success, but leave the 881 * ticket marked as invalid. */ 882 if (decryptedTicket->len == 0) { 883 return SECSuccess; 884 } 885 886 /* Read ticket version. */ 887 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 2, &buffer, &len); 888 if (rv != SECSuccess) { 889 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 890 return SECFailure; 891 } 892 893 /* All ticket versions start with 0x01, so check to see if this 894 * is a ticket or some other self-encrypted thing. */ 895 if ((temp >> 8) != 1) { 896 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); 897 return SECFailure; 898 } 899 /* Skip the ticket if the version is wrong. This won't result in a 900 * handshake failure, just a failure to resume. */ 901 if (temp != TLS_EX_SESS_TICKET_VERSION) { 902 return SECSuccess; 903 } 904 905 /* Read SSLVersion. */ 906 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 2, &buffer, &len); 907 if (rv != SECSuccess) { 908 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 909 return SECFailure; 910 } 911 parsedTicket->ssl_version = (SSL3ProtocolVersion)temp; 912 if (!ssl3_VersionIsSupported(ss->protocolVariant, 913 parsedTicket->ssl_version)) { 914 /* This socket doesn't support the version from the ticket. */ 915 return SECSuccess; 916 } 917 918 /* Read cipher_suite. */ 919 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 2, &buffer, &len); 920 if (rv != SECSuccess) { 921 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 922 return SECFailure; 923 } 924 parsedTicket->cipher_suite = (ssl3CipherSuite)temp; 925 926 /* Read cipher spec parameters. */ 927 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len); 928 if (rv != SECSuccess) { 929 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 930 return SECFailure; 931 } 932 933 #ifndef UNSAFE_FUZZER_MODE 934 PORT_Assert(temp < ssl_auth_size); 935 #else 936 temp %= (8 * sizeof(SSLAuthType)) - 1; 937 #endif 938 939 parsedTicket->authType = (SSLAuthType)temp; 940 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len); 941 if (rv != SECSuccess) { 942 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 943 return SECFailure; 944 } 945 parsedTicket->authKeyBits = temp; 946 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len); 947 if (rv != SECSuccess) { 948 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 949 return SECFailure; 950 } 951 parsedTicket->keaType = (SSLKEAType)temp; 952 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len); 953 if (rv != SECSuccess) { 954 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 955 return SECFailure; 956 } 957 parsedTicket->keaKeyBits = temp; 958 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len); 959 if (rv != SECSuccess) { 960 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 961 return SECFailure; 962 } 963 parsedTicket->originalKeaGroup = temp; 964 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len); 965 if (rv != SECSuccess) { 966 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 967 return SECFailure; 968 } 969 parsedTicket->signatureScheme = (SSLSignatureScheme)temp; 970 971 /* Read the optional named curve. */ 972 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len); 973 if (rv != SECSuccess) { 974 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 975 return SECFailure; 976 } 977 if (parsedTicket->authType == ssl_auth_ecdsa || 978 parsedTicket->authType == ssl_auth_ecdh_rsa || 979 parsedTicket->authType == ssl_auth_ecdh_ecdsa) { 980 const sslNamedGroupDef *group = 981 ssl_LookupNamedGroup((SSLNamedGroup)temp); 982 if (!group || group->keaType != ssl_kea_ecdh) { 983 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 984 return SECFailure; 985 } 986 parsedTicket->namedCurve = group; 987 } 988 989 /* Read the master secret (and how it is wrapped). */ 990 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len); 991 if (rv != SECSuccess) { 992 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 993 return SECFailure; 994 } 995 parsedTicket->msWrapMech = (CK_MECHANISM_TYPE)temp; 996 997 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 2, &buffer, &len); 998 if (rv != SECSuccess) { 999 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1000 return SECFailure; 1001 } 1002 if (temp == 0 || temp > sizeof(parsedTicket->master_secret)) { 1003 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1004 return SECFailure; 1005 } 1006 parsedTicket->ms_length = (PRUint16)temp; 1007 1008 /* Read the master secret. */ 1009 rv = ssl3_ExtConsumeHandshake(ss, parsedTicket->master_secret, 1010 parsedTicket->ms_length, &buffer, &len); 1011 if (rv != SECSuccess) { 1012 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1013 return SECFailure; 1014 } 1015 /* Read client identity */ 1016 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len); 1017 if (rv != SECSuccess) { 1018 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1019 return SECFailure; 1020 } 1021 parsedTicket->client_auth_type = (ClientAuthenticationType)temp; 1022 switch (parsedTicket->client_auth_type) { 1023 case CLIENT_AUTH_ANONYMOUS: 1024 break; 1025 case CLIENT_AUTH_CERTIFICATE: 1026 rv = ssl3_ExtConsumeHandshakeVariable(ss, &parsedTicket->peer_cert, 2, 1027 &buffer, &len); 1028 if (rv != SECSuccess) { 1029 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1030 return SECFailure; 1031 } 1032 break; 1033 default: 1034 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1035 return SECFailure; 1036 } 1037 1038 /* Read timestamp. This is a 64-bit value and 1039 * ssl3_ExtConsumeHandshakeNumber only reads 32-bits at a time. */ 1040 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len); 1041 if (rv != SECSuccess) { 1042 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1043 return SECFailure; 1044 } 1045 1046 /* Cast to avoid undefined behavior if the top bit is set. */ 1047 parsedTicket->timestamp = (PRTime)((PRUint64)temp << 32); 1048 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len); 1049 if (rv != SECSuccess) { 1050 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1051 return SECFailure; 1052 } 1053 parsedTicket->timestamp |= (PRTime)temp; 1054 1055 /* Read server name */ 1056 rv = ssl3_ExtConsumeHandshakeVariable(ss, &parsedTicket->srvName, 2, 1057 &buffer, &len); 1058 if (rv != SECSuccess) { 1059 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1060 return SECFailure; 1061 } 1062 1063 /* Read extendedMasterSecretUsed */ 1064 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len); 1065 if (rv != SECSuccess) { 1066 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1067 return SECFailure; 1068 } 1069 #ifndef UNSAFE_FUZZER_MODE 1070 /* A well-behaving server should only write 0 or 1. */ 1071 PORT_Assert(temp == PR_TRUE || temp == PR_FALSE); 1072 #endif 1073 parsedTicket->extendedMasterSecretUsed = temp ? PR_TRUE : PR_FALSE; 1074 1075 rv = ssl3_ExtConsumeHandshake(ss, &temp, 4, &buffer, &len); 1076 if (rv != SECSuccess) { 1077 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1078 return SECFailure; 1079 } 1080 parsedTicket->flags = PR_ntohl(temp); 1081 1082 rv = ssl3_ExtConsumeHandshakeVariable(ss, &parsedTicket->alpnSelection, 1, 1083 &buffer, &len); 1084 PORT_Assert(parsedTicket->alpnSelection.len < 256); 1085 if (rv != SECSuccess) { 1086 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1087 return SECFailure; 1088 } 1089 1090 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len); 1091 if (rv != SECSuccess) { 1092 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1093 return SECFailure; 1094 } 1095 parsedTicket->maxEarlyData = temp; 1096 1097 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len); 1098 if (rv != SECSuccess) { 1099 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1100 return SECFailure; 1101 } 1102 parsedTicket->ticketAgeBaseline = temp; 1103 1104 rv = ssl3_ExtConsumeHandshakeVariable(ss, &parsedTicket->applicationToken, 1105 2, &buffer, &len); 1106 if (rv != SECSuccess) { 1107 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1108 return SECFailure; 1109 } 1110 1111 #ifndef UNSAFE_FUZZER_MODE 1112 /* Done parsing. Check that all bytes have been consumed. */ 1113 if (len != 0) { 1114 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1115 return SECFailure; 1116 } 1117 #endif 1118 1119 parsedTicket->valid = PR_TRUE; 1120 return SECSuccess; 1121 } 1122 1123 static SECStatus 1124 ssl_CreateSIDFromTicket(sslSocket *ss, const SECItem *rawTicket, 1125 SessionTicket *parsedTicket, sslSessionID **out) 1126 { 1127 sslSessionID *sid; 1128 SECStatus rv; 1129 1130 sid = ssl3_NewSessionID(ss, PR_TRUE); 1131 if (sid == NULL) { 1132 return SECFailure; 1133 } 1134 1135 /* Copy over parameters. */ 1136 sid->version = parsedTicket->ssl_version; 1137 sid->creationTime = parsedTicket->timestamp; 1138 sid->u.ssl3.cipherSuite = parsedTicket->cipher_suite; 1139 sid->authType = parsedTicket->authType; 1140 sid->authKeyBits = parsedTicket->authKeyBits; 1141 sid->keaType = parsedTicket->keaType; 1142 sid->keaKeyBits = parsedTicket->keaKeyBits; 1143 sid->keaGroup = parsedTicket->originalKeaGroup; 1144 sid->namedCurve = parsedTicket->namedCurve; 1145 sid->sigScheme = parsedTicket->signatureScheme; 1146 1147 rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.locked.sessionTicket.ticket, 1148 rawTicket); 1149 if (rv != SECSuccess) { 1150 goto loser; 1151 } 1152 sid->u.ssl3.locked.sessionTicket.flags = parsedTicket->flags; 1153 sid->u.ssl3.locked.sessionTicket.max_early_data_size = 1154 parsedTicket->maxEarlyData; 1155 1156 if (parsedTicket->ms_length > 1157 sizeof(sid->u.ssl3.keys.wrapped_master_secret)) { 1158 goto loser; 1159 } 1160 PORT_Memcpy(sid->u.ssl3.keys.wrapped_master_secret, 1161 parsedTicket->master_secret, parsedTicket->ms_length); 1162 sid->u.ssl3.keys.wrapped_master_secret_len = parsedTicket->ms_length; 1163 sid->u.ssl3.masterWrapMech = parsedTicket->msWrapMech; 1164 sid->u.ssl3.masterValid = PR_TRUE; 1165 sid->u.ssl3.keys.resumable = PR_TRUE; 1166 sid->u.ssl3.keys.extendedMasterSecretUsed = parsedTicket->extendedMasterSecretUsed; 1167 1168 /* Copy over client cert from session ticket if there is one. */ 1169 if (parsedTicket->peer_cert.data != NULL) { 1170 PORT_Assert(!sid->peerCert); 1171 sid->peerCert = CERT_NewTempCertificate(ss->dbHandle, 1172 &parsedTicket->peer_cert, 1173 NULL, PR_FALSE, PR_TRUE); 1174 if (!sid->peerCert) { 1175 goto loser; 1176 } 1177 } 1178 1179 /* Transfer ownership of the remaining items. */ 1180 if (parsedTicket->srvName.data != NULL) { 1181 SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE); 1182 rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.srvName, 1183 &parsedTicket->srvName); 1184 if (rv != SECSuccess) { 1185 goto loser; 1186 } 1187 } 1188 if (parsedTicket->alpnSelection.data != NULL) { 1189 SECITEM_FreeItem(&sid->u.ssl3.alpnSelection, PR_FALSE); 1190 rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.alpnSelection, 1191 &parsedTicket->alpnSelection); 1192 if (rv != SECSuccess) { 1193 goto loser; 1194 } 1195 } 1196 1197 *out = sid; 1198 return SECSuccess; 1199 1200 loser: 1201 ssl_FreeSID(sid); 1202 return SECFailure; 1203 } 1204 1205 /* Generic ticket processing code, common to all TLS versions. */ 1206 SECStatus 1207 ssl3_ProcessSessionTicketCommon(sslSocket *ss, const SECItem *ticket, 1208 SECItem *appToken) 1209 { 1210 SECItem decryptedTicket = { siBuffer, NULL, 0 }; 1211 SessionTicket parsedTicket; 1212 sslSessionID *sid = NULL; 1213 SECStatus rv; 1214 1215 if (ss->sec.ci.sid != NULL) { 1216 ssl_UncacheSessionID(ss); 1217 ssl_FreeSID(ss->sec.ci.sid); 1218 ss->sec.ci.sid = NULL; 1219 } 1220 1221 if (!SECITEM_AllocItem(NULL, &decryptedTicket, ticket->len)) { 1222 return SECFailure; 1223 } 1224 1225 /* Decrypt the ticket. */ 1226 rv = ssl_SelfEncryptUnprotect(ss, ticket->data, ticket->len, 1227 decryptedTicket.data, 1228 &decryptedTicket.len, 1229 decryptedTicket.len); 1230 if (rv != SECSuccess) { 1231 /* Ignore decryption failure if we are doing TLS 1.3; that 1232 * means the server rejects the client's resumption 1233 * attempt. In TLS 1.2, however, it's a hard failure, unless 1234 * it's just because we're not the recipient of the ticket. */ 1235 if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3 || 1236 PORT_GetError() == SEC_ERROR_NOT_A_RECIPIENT) { 1237 SECITEM_ZfreeItem(&decryptedTicket, PR_FALSE); 1238 return SECSuccess; 1239 } 1240 1241 SSL3_SendAlert(ss, alert_fatal, illegal_parameter); 1242 goto loser; 1243 } 1244 1245 rv = ssl_ParseSessionTicket(ss, &decryptedTicket, &parsedTicket); 1246 if (rv != SECSuccess) { 1247 SSL3Statistics *ssl3stats; 1248 1249 SSL_DBG(("%d: SSL[%d]: Session ticket parsing failed.", 1250 SSL_GETPID(), ss->fd)); 1251 ssl3stats = SSL_GetStatistics(); 1252 SSL_AtomicIncrementLong(&ssl3stats->hch_sid_ticket_parse_failures); 1253 goto loser; /* code already set */ 1254 } 1255 1256 /* Use the ticket if it is valid and unexpired. */ 1257 PRTime end = parsedTicket.timestamp + (ssl_ticket_lifetime * PR_USEC_PER_SEC); 1258 if (end > ssl_Time(ss)) { 1259 1260 rv = ssl_CreateSIDFromTicket(ss, ticket, &parsedTicket, &sid); 1261 if (rv != SECSuccess) { 1262 goto loser; /* code already set */ 1263 } 1264 if (appToken && parsedTicket.applicationToken.len) { 1265 rv = SECITEM_CopyItem(NULL, appToken, 1266 &parsedTicket.applicationToken); 1267 if (rv != SECSuccess) { 1268 goto loser; /* code already set */ 1269 } 1270 } 1271 1272 ss->statelessResume = PR_TRUE; 1273 ss->sec.ci.sid = sid; 1274 1275 /* We have the baseline value for the obfuscated ticket age here. Save 1276 * that in xtnData temporarily. This value is updated in 1277 * tls13_ServerHandlePreSharedKeyXtn with the final estimate. */ 1278 ss->xtnData.ticketAge = parsedTicket.ticketAgeBaseline; 1279 } 1280 1281 SECITEM_ZfreeItem(&decryptedTicket, PR_FALSE); 1282 PORT_Memset(&parsedTicket, 0, sizeof(parsedTicket)); 1283 return SECSuccess; 1284 1285 loser: 1286 if (sid) { 1287 ssl_FreeSID(sid); 1288 } 1289 SECITEM_ZfreeItem(&decryptedTicket, PR_FALSE); 1290 PORT_Memset(&parsedTicket, 0, sizeof(parsedTicket)); 1291 return SECFailure; 1292 } 1293 1294 SECStatus 1295 ssl3_ServerHandleSessionTicketXtn(const sslSocket *ss, TLSExtensionData *xtnData, 1296 SECItem *data) 1297 { 1298 PORT_Assert(ss->version < SSL_LIBRARY_VERSION_TLS_1_3); 1299 1300 /* Ignore the SessionTicket extension if processing is disabled. */ 1301 if (!ss->opt.enableSessionTickets) { 1302 return SECSuccess; 1303 } 1304 1305 /* If we are doing TLS 1.3, then ignore this. */ 1306 if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) { 1307 return SECSuccess; 1308 } 1309 1310 /* Keep track of negotiated extensions. */ 1311 xtnData->negotiated[xtnData->numNegotiated++] = ssl_session_ticket_xtn; 1312 1313 /* Parse the received ticket sent in by the client. We are 1314 * lenient about some parse errors, falling back to a fullshake 1315 * instead of terminating the current connection. 1316 */ 1317 if (data->len == 0) { 1318 xtnData->emptySessionTicket = PR_TRUE; 1319 return SECSuccess; 1320 } 1321 1322 return ssl3_ProcessSessionTicketCommon(CONST_CAST(sslSocket, ss), data, 1323 NULL); 1324 } 1325 1326 /* Extension format: 1327 * Extension number: 2 bytes 1328 * Extension length: 2 bytes 1329 * Verify Data Length: 1 byte 1330 * Verify Data (TLS): 12 bytes (client) or 24 bytes (server) 1331 * Verify Data (SSL): 36 bytes (client) or 72 bytes (server) 1332 */ 1333 SECStatus 1334 ssl3_SendRenegotiationInfoXtn(const sslSocket *ss, TLSExtensionData *xtnData, 1335 sslBuffer *buf, PRBool *added) 1336 { 1337 PRInt32 len = 0; 1338 SECStatus rv; 1339 1340 /* In RFC 5746, it is NOT RECOMMENDED to send both the SCSV and the empty 1341 * RI, so when we send SCSV in the initial handshake, we don't also send RI. 1342 */ 1343 if (ss->ssl3.hs.sendingSCSV) { 1344 return 0; 1345 } 1346 if (ss->firstHsDone) { 1347 len = ss->sec.isServer ? ss->ssl3.hs.finishedBytes * 2 1348 : ss->ssl3.hs.finishedBytes; 1349 } 1350 1351 /* verify_Data from previous Finished message(s) */ 1352 rv = sslBuffer_AppendVariable(buf, 1353 ss->ssl3.hs.finishedMsgs.data, len, 1); 1354 if (rv != SECSuccess) { 1355 return SECFailure; 1356 } 1357 1358 *added = PR_TRUE; 1359 return SECSuccess; 1360 } 1361 1362 /* This function runs in both the client and server. */ 1363 SECStatus 1364 ssl3_HandleRenegotiationInfoXtn(const sslSocket *ss, TLSExtensionData *xtnData, 1365 SECItem *data) 1366 { 1367 SECStatus rv = SECSuccess; 1368 PRUint32 len = 0; 1369 1370 PORT_Assert(ss->version < SSL_LIBRARY_VERSION_TLS_1_3); 1371 1372 if (ss->firstHsDone) { 1373 len = ss->sec.isServer ? ss->ssl3.hs.finishedBytes 1374 : ss->ssl3.hs.finishedBytes * 2; 1375 } 1376 if (data->len != 1 + len || data->data[0] != len) { 1377 ssl3_ExtDecodeError(ss); 1378 return SECFailure; 1379 } 1380 if (len && NSS_SecureMemcmp(ss->ssl3.hs.finishedMsgs.data, 1381 data->data + 1, len)) { 1382 ssl3_ExtSendAlert(ss, alert_fatal, handshake_failure); 1383 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); 1384 return SECFailure; 1385 } 1386 /* remember that we got this extension and it was correct. */ 1387 CONST_CAST(sslSocket, ss) 1388 ->peerRequestedProtection = 1; 1389 xtnData->negotiated[xtnData->numNegotiated++] = ssl_renegotiation_info_xtn; 1390 if (ss->sec.isServer) { 1391 /* prepare to send back the appropriate response */ 1392 rv = ssl3_RegisterExtensionSender(ss, xtnData, 1393 ssl_renegotiation_info_xtn, 1394 ssl3_SendRenegotiationInfoXtn); 1395 } 1396 return rv; 1397 } 1398 1399 SECStatus 1400 ssl3_ClientSendUseSRTPXtn(const sslSocket *ss, TLSExtensionData *xtnData, 1401 sslBuffer *buf, PRBool *added) 1402 { 1403 unsigned int i; 1404 SECStatus rv; 1405 1406 if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) { 1407 return SECSuccess; /* Not relevant */ 1408 } 1409 1410 /* Length of the SRTP cipher list */ 1411 rv = sslBuffer_AppendNumber(buf, 2 * ss->ssl3.dtlsSRTPCipherCount, 2); 1412 if (rv != SECSuccess) { 1413 return SECFailure; 1414 } 1415 /* The SRTP ciphers */ 1416 for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) { 1417 rv = sslBuffer_AppendNumber(buf, ss->ssl3.dtlsSRTPCiphers[i], 2); 1418 if (rv != SECSuccess) { 1419 return SECFailure; 1420 } 1421 } 1422 /* Empty MKI value */ 1423 rv = sslBuffer_AppendNumber(buf, 0, 1); 1424 if (rv != SECSuccess) { 1425 return SECFailure; 1426 } 1427 1428 *added = PR_TRUE; 1429 return SECSuccess; 1430 } 1431 1432 SECStatus 1433 ssl3_ServerSendUseSRTPXtn(const sslSocket *ss, TLSExtensionData *xtnData, 1434 sslBuffer *buf, PRBool *added) 1435 { 1436 SECStatus rv; 1437 1438 /* Length of the SRTP cipher list */ 1439 rv = sslBuffer_AppendNumber(buf, 2, 2); 1440 if (rv != SECSuccess) { 1441 return SECFailure; 1442 } 1443 /* The selected cipher */ 1444 rv = sslBuffer_AppendNumber(buf, xtnData->dtlsSRTPCipherSuite, 2); 1445 if (rv != SECSuccess) { 1446 return SECFailure; 1447 } 1448 /* Empty MKI value */ 1449 rv = sslBuffer_AppendNumber(buf, 0, 1); 1450 if (rv != SECSuccess) { 1451 return SECFailure; 1452 } 1453 1454 *added = PR_TRUE; 1455 return SECSuccess; 1456 } 1457 1458 SECStatus 1459 ssl3_ClientHandleUseSRTPXtn(const sslSocket *ss, TLSExtensionData *xtnData, 1460 SECItem *data) 1461 { 1462 SECStatus rv; 1463 SECItem ciphers = { siBuffer, NULL, 0 }; 1464 PRUint16 i; 1465 PRUint16 cipher = 0; 1466 PRBool found = PR_FALSE; 1467 SECItem litem; 1468 1469 if (!data->data || !data->len) { 1470 ssl3_ExtDecodeError(ss); 1471 return SECFailure; 1472 } 1473 1474 /* Get the cipher list */ 1475 rv = ssl3_ExtConsumeHandshakeVariable(ss, &ciphers, 2, 1476 &data->data, &data->len); 1477 if (rv != SECSuccess) { 1478 return SECFailure; /* fatal alert already sent */ 1479 } 1480 /* Now check that the server has picked just 1 (i.e., len = 2) */ 1481 if (ciphers.len != 2) { 1482 ssl3_ExtDecodeError(ss); 1483 return SECFailure; 1484 } 1485 1486 /* Get the selected cipher */ 1487 cipher = (ciphers.data[0] << 8) | ciphers.data[1]; 1488 1489 /* Now check that this is one of the ciphers we offered */ 1490 for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) { 1491 if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) { 1492 found = PR_TRUE; 1493 break; 1494 } 1495 } 1496 1497 if (!found) { 1498 ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); 1499 PORT_SetError(SSL_ERROR_RX_MALFORMED_SERVER_HELLO); 1500 return SECFailure; 1501 } 1502 1503 /* Get the srtp_mki value */ 1504 rv = ssl3_ExtConsumeHandshakeVariable(ss, &litem, 1, 1505 &data->data, &data->len); 1506 if (rv != SECSuccess) { 1507 return SECFailure; /* alert already sent */ 1508 } 1509 1510 /* We didn't offer an MKI, so this must be 0 length */ 1511 if (litem.len != 0) { 1512 ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); 1513 PORT_SetError(SSL_ERROR_RX_MALFORMED_SERVER_HELLO); 1514 return SECFailure; 1515 } 1516 1517 /* extra trailing bytes */ 1518 if (data->len != 0) { 1519 ssl3_ExtDecodeError(ss); 1520 return SECFailure; 1521 } 1522 1523 /* OK, this looks fine. */ 1524 xtnData->negotiated[xtnData->numNegotiated++] = ssl_use_srtp_xtn; 1525 xtnData->dtlsSRTPCipherSuite = cipher; 1526 return SECSuccess; 1527 } 1528 1529 SECStatus 1530 ssl3_ServerHandleUseSRTPXtn(const sslSocket *ss, TLSExtensionData *xtnData, 1531 SECItem *data) 1532 { 1533 SECStatus rv; 1534 SECItem ciphers = { siBuffer, NULL, 0 }; 1535 PRUint16 i; 1536 unsigned int j; 1537 PRUint16 cipher = 0; 1538 PRBool found = PR_FALSE; 1539 SECItem litem; 1540 1541 if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) { 1542 /* Ignore the extension if we aren't doing DTLS or no DTLS-SRTP 1543 * preferences have been set. */ 1544 return SECSuccess; 1545 } 1546 1547 if (!data->data || data->len < 5) { 1548 ssl3_ExtDecodeError(ss); 1549 return SECFailure; 1550 } 1551 1552 /* Get the cipher list */ 1553 rv = ssl3_ExtConsumeHandshakeVariable(ss, &ciphers, 2, 1554 &data->data, &data->len); 1555 if (rv != SECSuccess) { 1556 return SECFailure; /* alert already sent */ 1557 } 1558 /* Check that the list is even length */ 1559 if (ciphers.len % 2) { 1560 ssl3_ExtDecodeError(ss); 1561 return SECFailure; 1562 } 1563 1564 /* Walk through the offered list and pick the most preferred of our 1565 * ciphers, if any */ 1566 for (i = 0; !found && i < ss->ssl3.dtlsSRTPCipherCount; i++) { 1567 for (j = 0; j + 1 < ciphers.len; j += 2) { 1568 cipher = (ciphers.data[j] << 8) | ciphers.data[j + 1]; 1569 if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) { 1570 found = PR_TRUE; 1571 break; 1572 } 1573 } 1574 } 1575 1576 /* Get the srtp_mki value */ 1577 rv = ssl3_ExtConsumeHandshakeVariable(ss, &litem, 1, &data->data, &data->len); 1578 if (rv != SECSuccess) { 1579 return SECFailure; 1580 } 1581 1582 if (data->len != 0) { 1583 ssl3_ExtDecodeError(ss); /* trailing bytes */ 1584 return SECFailure; 1585 } 1586 1587 /* Now figure out what to do */ 1588 if (!found) { 1589 /* No matching ciphers, pretend we don't support use_srtp */ 1590 return SECSuccess; 1591 } 1592 1593 /* OK, we have a valid cipher and we've selected it */ 1594 xtnData->dtlsSRTPCipherSuite = cipher; 1595 xtnData->negotiated[xtnData->numNegotiated++] = ssl_use_srtp_xtn; 1596 1597 return ssl3_RegisterExtensionSender(ss, xtnData, 1598 ssl_use_srtp_xtn, 1599 ssl3_ServerSendUseSRTPXtn); 1600 } 1601 1602 /* ssl3_HandleSigAlgsXtn handles the signature_algorithms extension from a 1603 * client. In TLS 1.3, the client uses this to parse CertificateRequest 1604 * extensions. See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ 1605 SECStatus 1606 ssl3_HandleSigAlgsXtn(const sslSocket *ss, TLSExtensionData *xtnData, 1607 SECItem *data) 1608 { 1609 SECStatus rv; 1610 1611 /* Ignore this extension if we aren't doing TLS 1.2 or greater. */ 1612 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) { 1613 return SECSuccess; 1614 } 1615 1616 if (xtnData->sigSchemes) { 1617 PORT_Free(xtnData->sigSchemes); 1618 xtnData->sigSchemes = NULL; 1619 } 1620 rv = ssl_ParseSignatureSchemes(ss, NULL, 1621 &xtnData->sigSchemes, 1622 &xtnData->numSigSchemes, 1623 &data->data, &data->len); 1624 if (rv != SECSuccess) { 1625 ssl3_ExtSendAlert(ss, alert_fatal, decode_error); 1626 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); 1627 return SECFailure; 1628 } 1629 if (xtnData->numSigSchemes == 0) { 1630 ssl3_ExtSendAlert(ss, alert_fatal, handshake_failure); 1631 PORT_SetError(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM); 1632 return SECFailure; 1633 } 1634 /* Check for trailing data. */ 1635 if (data->len != 0) { 1636 ssl3_ExtSendAlert(ss, alert_fatal, decode_error); 1637 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); 1638 return SECFailure; 1639 } 1640 1641 /* Keep track of negotiated extensions. */ 1642 xtnData->negotiated[xtnData->numNegotiated++] = ssl_signature_algorithms_xtn; 1643 return SECSuccess; 1644 } 1645 1646 /* ssl3_ClientSendSigAlgsXtn sends the signature_algorithm extension for TLS 1647 * 1.2 ClientHellos. */ 1648 SECStatus 1649 ssl3_SendSigAlgsXtn(const sslSocket *ss, TLSExtensionData *xtnData, 1650 sslBuffer *buf, PRBool *added) 1651 { 1652 if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_2) { 1653 return SECSuccess; 1654 } 1655 1656 PRUint16 minVersion; 1657 if (ss->sec.isServer) { 1658 minVersion = ss->version; /* CertificateRequest */ 1659 } else { 1660 minVersion = ss->vrange.min; /* ClientHello */ 1661 } 1662 1663 SECStatus rv = ssl3_EncodeSigAlgs(ss, minVersion, PR_TRUE /* forCert */, 1664 ss->opt.enableGrease, buf); 1665 if (rv != SECSuccess) { 1666 return SECFailure; 1667 } 1668 1669 *added = PR_TRUE; 1670 return SECSuccess; 1671 } 1672 1673 SECStatus 1674 ssl3_SendExtendedMasterSecretXtn(const sslSocket *ss, TLSExtensionData *xtnData, 1675 sslBuffer *buf, PRBool *added) 1676 { 1677 if (!ss->opt.enableExtendedMS) { 1678 return SECSuccess; 1679 } 1680 1681 /* Always send the extension in this function, since the 1682 * client always sends it and this function is only called on 1683 * the server if we negotiated the extension. */ 1684 *added = PR_TRUE; 1685 return SECSuccess; 1686 } 1687 1688 SECStatus 1689 ssl3_HandleExtendedMasterSecretXtn(const sslSocket *ss, TLSExtensionData *xtnData, 1690 SECItem *data) 1691 { 1692 PORT_Assert(ss->version < SSL_LIBRARY_VERSION_TLS_1_3); 1693 1694 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_0) { 1695 return SECSuccess; 1696 } 1697 1698 if (!ss->opt.enableExtendedMS) { 1699 return SECSuccess; 1700 } 1701 1702 if (data->len != 0) { 1703 SSL_TRC(30, ("%d: SSL3[%d]: Bogus extended master secret extension", 1704 SSL_GETPID(), ss->fd)); 1705 ssl3_ExtSendAlert(ss, alert_fatal, decode_error); 1706 return SECFailure; 1707 } 1708 1709 SSL_DBG(("%d: SSL[%d]: Negotiated extended master secret extension.", 1710 SSL_GETPID(), ss->fd)); 1711 1712 /* Keep track of negotiated extensions. */ 1713 xtnData->negotiated[xtnData->numNegotiated++] = ssl_extended_master_secret_xtn; 1714 1715 if (ss->sec.isServer) { 1716 return ssl3_RegisterExtensionSender(ss, xtnData, 1717 ssl_extended_master_secret_xtn, 1718 ssl_SendEmptyExtension); 1719 } 1720 return SECSuccess; 1721 } 1722 1723 /* ssl3_ClientSendSignedCertTimestampXtn sends the signed_certificate_timestamp 1724 * extension for TLS ClientHellos. */ 1725 SECStatus 1726 ssl3_ClientSendSignedCertTimestampXtn(const sslSocket *ss, 1727 TLSExtensionData *xtnData, 1728 sslBuffer *buf, PRBool *added) 1729 { 1730 /* Only send the extension if processing is enabled. */ 1731 if (!ss->opt.enableSignedCertTimestamps) { 1732 return SECSuccess; 1733 } 1734 1735 *added = PR_TRUE; 1736 return SECSuccess; 1737 } 1738 1739 SECStatus 1740 ssl3_ClientHandleSignedCertTimestampXtn(const sslSocket *ss, TLSExtensionData *xtnData, 1741 SECItem *data) 1742 { 1743 /* We do not yet know whether we'll be resuming a session or creating 1744 * a new one, so we keep a pointer to the data in the TLSExtensionData 1745 * structure. This pointer is only valid in the scope of 1746 * ssl3_HandleServerHello, and, if not resuming a session, the data is 1747 * copied once a new session structure has been set up. 1748 * All parsing is currently left to the application and we accept 1749 * everything, including empty data. 1750 */ 1751 SECItem *scts = &xtnData->signedCertTimestamps; 1752 PORT_Assert(!scts->data && !scts->len); 1753 1754 if (!data->len) { 1755 /* Empty extension data: RFC 6962 mandates non-empty contents. */ 1756 return SECFailure; 1757 } 1758 *scts = *data; 1759 /* Keep track of negotiated extensions. */ 1760 xtnData->negotiated[xtnData->numNegotiated++] = ssl_signed_cert_timestamp_xtn; 1761 return SECSuccess; 1762 } 1763 1764 SECStatus 1765 ssl3_ServerSendSignedCertTimestampXtn(const sslSocket *ss, TLSExtensionData *xtnData, 1766 sslBuffer *buf, PRBool *added) 1767 { 1768 const SECItem *scts = &ss->sec.serverCert->signedCertTimestamps; 1769 SECStatus rv; 1770 1771 if (!scts->len) { 1772 /* No timestamps to send */ 1773 return SECSuccess; 1774 } 1775 1776 rv = sslBuffer_Append(buf, scts->data, scts->len); 1777 if (rv != SECSuccess) { 1778 return SECFailure; 1779 } 1780 1781 *added = PR_TRUE; 1782 return SECSuccess; 1783 } 1784 1785 SECStatus 1786 ssl3_ServerHandleSignedCertTimestampXtn(const sslSocket *ss, 1787 TLSExtensionData *xtnData, 1788 SECItem *data) 1789 { 1790 if (data->len != 0) { 1791 ssl3_ExtSendAlert(ss, alert_fatal, decode_error); 1792 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); 1793 return SECFailure; 1794 } 1795 1796 xtnData->negotiated[xtnData->numNegotiated++] = ssl_signed_cert_timestamp_xtn; 1797 PORT_Assert(ss->sec.isServer); 1798 return ssl3_RegisterExtensionSender(ss, xtnData, 1799 ssl_signed_cert_timestamp_xtn, 1800 ssl3_ServerSendSignedCertTimestampXtn); 1801 } 1802 1803 /* Just make sure that the remote client supports uncompressed points, 1804 * Since that is all we support. Disable ECC cipher suites if it doesn't. 1805 */ 1806 SECStatus 1807 ssl3_HandleSupportedPointFormatsXtn(const sslSocket *ss, 1808 TLSExtensionData *xtnData, 1809 SECItem *data) 1810 { 1811 int i; 1812 1813 PORT_Assert(ss->version < SSL_LIBRARY_VERSION_TLS_1_3); 1814 1815 if (data->len < 2 || data->len > 255 || !data->data || 1816 data->len != (unsigned int)data->data[0] + 1) { 1817 ssl3_ExtDecodeError(ss); 1818 return SECFailure; 1819 } 1820 for (i = data->len; --i > 0;) { 1821 if (data->data[i] == 0) { 1822 /* indicate that we should send a reply */ 1823 return ssl3_RegisterExtensionSender( 1824 ss, xtnData, ssl_ec_point_formats_xtn, 1825 &ssl3_SendSupportedPointFormatsXtn); 1826 } 1827 } 1828 1829 /* Poor client doesn't support uncompressed points. 1830 * 1831 * If the client sends the extension and the extension does not contain the 1832 * uncompressed point format, and the client has used the Supported Groups 1833 * extension to indicate support for any of the curves defined in this 1834 * specification, then the server MUST abort the handshake and return an 1835 * illegal_parameter alert. [RFC8422, Section 5.1.2] */ 1836 ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); 1837 PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE); 1838 1839 return SECFailure; 1840 } 1841 1842 static SECStatus 1843 ssl_UpdateSupportedGroups(sslSocket *ss, SECItem *data) 1844 { 1845 SECStatus rv; 1846 PRUint32 list_len; 1847 unsigned int i; 1848 const sslNamedGroupDef *enabled[SSL_NAMED_GROUP_COUNT] = { 0 }; 1849 PORT_Assert(SSL_NAMED_GROUP_COUNT == PR_ARRAY_SIZE(enabled)); 1850 1851 if (!data->data || data->len < 4) { 1852 (void)ssl3_DecodeError(ss); 1853 return SECFailure; 1854 } 1855 1856 /* get the length of elliptic_curve_list */ 1857 rv = ssl3_ConsumeHandshakeNumber(ss, &list_len, 2, &data->data, &data->len); 1858 if (rv != SECSuccess || data->len != list_len || (data->len % 2) != 0) { 1859 (void)ssl3_DecodeError(ss); 1860 return SECFailure; 1861 } 1862 1863 /* disable all groups and remember the enabled groups */ 1864 for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) { 1865 enabled[i] = ss->namedGroupPreferences[i]; 1866 ss->namedGroupPreferences[i] = NULL; 1867 } 1868 1869 /* Read groups from data and enable if in |enabled| */ 1870 while (data->len) { 1871 const sslNamedGroupDef *group; 1872 PRUint32 curve_name; 1873 rv = ssl3_ConsumeHandshakeNumber(ss, &curve_name, 2, &data->data, 1874 &data->len); 1875 if (rv != SECSuccess) { 1876 return SECFailure; /* fatal alert already sent */ 1877 } 1878 group = ssl_LookupNamedGroup(curve_name); 1879 if (group) { 1880 for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) { 1881 if (enabled[i] && group == enabled[i]) { 1882 ss->namedGroupPreferences[i] = enabled[i]; 1883 break; 1884 } 1885 } 1886 } 1887 1888 /* "Codepoints in the NamedCurve registry with a high byte of 0x01 (that 1889 * is, between 256 and 511 inclusive) are set aside for FFDHE groups," 1890 * -- https://tools.ietf.org/html/draft-ietf-tls-negotiated-ff-dhe-10 1891 */ 1892 if ((curve_name & 0xff00) == 0x0100) { 1893 ss->xtnData.peerSupportsFfdheGroups = PR_TRUE; 1894 } 1895 } 1896 1897 /* Note: if ss->opt.requireDHENamedGroups is set, we disable DHE cipher 1898 * suites, but we do that in ssl3_config_match(). */ 1899 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3 && 1900 !ss->opt.requireDHENamedGroups && !ss->xtnData.peerSupportsFfdheGroups) { 1901 /* If we don't require that DHE use named groups, and no FFDHE was 1902 * included, we pretend that they support all the FFDHE groups we do. */ 1903 for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) { 1904 if (enabled[i] && enabled[i]->keaType == ssl_kea_dh) { 1905 ss->namedGroupPreferences[i] = enabled[i]; 1906 } 1907 } 1908 } 1909 1910 return SECSuccess; 1911 } 1912 1913 /* Ensure that the curve in our server cert is one of the ones supported 1914 * by the remote client, and disable all ECC cipher suites if not. 1915 */ 1916 SECStatus 1917 ssl_HandleSupportedGroupsXtn(const sslSocket *ss, TLSExtensionData *xtnData, 1918 SECItem *data) 1919 { 1920 SECStatus rv; 1921 1922 rv = ssl_UpdateSupportedGroups(CONST_CAST(sslSocket, ss), data); 1923 if (rv != SECSuccess) 1924 return SECFailure; 1925 1926 /* TLS 1.3 permits the server to send this extension so make it so. */ 1927 if (ss->sec.isServer && ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) { 1928 rv = ssl3_RegisterExtensionSender(ss, xtnData, ssl_supported_groups_xtn, 1929 &ssl_SendSupportedGroupsXtn); 1930 if (rv != SECSuccess) { 1931 return SECFailure; /* error already set. */ 1932 } 1933 } 1934 1935 /* Remember that we negotiated this extension. */ 1936 xtnData->negotiated[xtnData->numNegotiated++] = ssl_supported_groups_xtn; 1937 1938 return SECSuccess; 1939 } 1940 1941 SECStatus 1942 ssl_HandleRecordSizeLimitXtn(const sslSocket *ss, TLSExtensionData *xtnData, 1943 SECItem *data) 1944 { 1945 SECStatus rv; 1946 PRUint32 limit; 1947 PRUint32 maxLimit = (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) 1948 ? (MAX_FRAGMENT_LENGTH + 1) 1949 : MAX_FRAGMENT_LENGTH; 1950 1951 rv = ssl3_ExtConsumeHandshakeNumber(ss, &limit, 2, &data->data, &data->len); 1952 if (rv != SECSuccess) { 1953 return SECFailure; 1954 } 1955 if (data->len != 0 || limit < 64) { 1956 ssl3_ExtSendAlert(ss, alert_fatal, decode_error); 1957 PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE); 1958 return SECFailure; 1959 } 1960 1961 if (ss->sec.isServer) { 1962 rv = ssl3_RegisterExtensionSender(ss, xtnData, ssl_record_size_limit_xtn, 1963 &ssl_SendRecordSizeLimitXtn); 1964 if (rv != SECSuccess) { 1965 return SECFailure; /* error already set. */ 1966 } 1967 } else if (limit > maxLimit) { 1968 /* The client can sensibly check the maximum. */ 1969 ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); 1970 PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE); 1971 return SECFailure; 1972 } 1973 1974 /* We can't enforce the maximum on a server. But we do need to ensure 1975 * that we don't apply a limit that is too large. */ 1976 xtnData->recordSizeLimit = PR_MIN(maxLimit, limit); 1977 xtnData->negotiated[xtnData->numNegotiated++] = ssl_record_size_limit_xtn; 1978 return SECSuccess; 1979 } 1980 1981 SECStatus 1982 ssl_SendRecordSizeLimitXtn(const sslSocket *ss, TLSExtensionData *xtnData, 1983 sslBuffer *buf, PRBool *added) 1984 { 1985 PRUint32 maxLimit; 1986 if (ss->sec.isServer) { 1987 maxLimit = (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) 1988 ? (MAX_FRAGMENT_LENGTH + 1) 1989 : MAX_FRAGMENT_LENGTH; 1990 } else { 1991 maxLimit = (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3) 1992 ? (MAX_FRAGMENT_LENGTH + 1) 1993 : MAX_FRAGMENT_LENGTH; 1994 } 1995 PRUint32 limit = PR_MIN(ss->opt.recordSizeLimit, maxLimit); 1996 SECStatus rv = sslBuffer_AppendNumber(buf, limit, 2); 1997 if (rv != SECSuccess) { 1998 return SECFailure; 1999 } 2000 2001 *added = PR_TRUE; 2002 return SECSuccess; 2003 }