tls13exthandle.c (66491B)
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ 2 /* 3 * This Source Code Form is subject to the terms of the Mozilla Public 4 * License, v. 2.0. If a copy of the MPL was not distributed with this 5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 7 #include "nssrenam.h" 8 #include "nss.h" 9 #include "ssl.h" 10 #include "sslproto.h" 11 #include "sslimpl.h" 12 #include "pk11pub.h" 13 #include "ssl3ext.h" 14 #include "ssl3exthandle.h" 15 #include "sslt.h" 16 #include "tls13con.h" 17 #include "tls13ech.h" 18 #include "tls13exthandle.h" 19 #include "tls13psk.h" 20 #include "tls13subcerts.h" 21 22 SECStatus 23 tls13_ServerSendStatusRequestXtn(const sslSocket *ss, TLSExtensionData *xtnData, 24 sslBuffer *buf, PRBool *added) 25 { 26 const sslServerCert *serverCert = ss->sec.serverCert; 27 const SECItem *item; 28 SECStatus rv; 29 30 if (!serverCert->certStatusArray || 31 !serverCert->certStatusArray->len) { 32 return SECSuccess; 33 } 34 35 item = &serverCert->certStatusArray->items[0]; 36 37 /* Only send the first entry. */ 38 /* status_type == ocsp */ 39 rv = sslBuffer_AppendNumber(buf, 1 /*ocsp*/, 1); 40 if (rv != SECSuccess) { 41 return SECFailure; 42 } 43 /* opaque OCSPResponse<1..2^24-1> */ 44 rv = sslBuffer_AppendVariable(buf, item->data, item->len, 3); 45 if (rv != SECSuccess) { 46 return SECFailure; 47 } 48 49 *added = PR_TRUE; 50 return SECSuccess; 51 } 52 53 /* 54 * [RFC 8446] Section 4.2.8. 55 * 56 * struct { 57 * NamedGroup group; 58 * opaque key_exchange<1..2^16-1>; 59 * } KeyShareEntry; 60 * 61 */ 62 PRUint32 63 tls13_SizeOfKeyShareEntry(const sslEphemeralKeyPair *keyPair) 64 { 65 /* Size = NamedGroup(2) + length(2) + opaque<?> share */ 66 PRUint32 size = 2 + 2; 67 68 const SECKEYPublicKey *pubKey = keyPair->keys->pubKey; 69 switch (pubKey->keyType) { 70 case ecKey: 71 size += pubKey->u.ec.publicValue.len; 72 break; 73 case dhKey: 74 size += pubKey->u.dh.prime.len; 75 break; 76 default: 77 PORT_Assert(0); 78 return 0; 79 } 80 81 if (keyPair->kemKeys) { 82 PORT_Assert(!keyPair->kemCt); 83 PORT_Assert(keyPair->group->name == ssl_grp_kem_xyber768d00 || 84 keyPair->group->name == ssl_grp_kem_mlkem768x25519 || 85 keyPair->group->name == ssl_grp_kem_secp256r1mlkem768 || 86 keyPair->group->name == ssl_grp_kem_secp384r1mlkem1024); 87 pubKey = keyPair->kemKeys->pubKey; 88 size += pubKey->u.kyber.publicValue.len; 89 } 90 if (keyPair->kemCt) { 91 PORT_Assert(!keyPair->kemKeys); 92 PORT_Assert(keyPair->group->name == ssl_grp_kem_xyber768d00 || 93 keyPair->group->name == ssl_grp_kem_mlkem768x25519 || 94 keyPair->group->name == ssl_grp_kem_secp256r1mlkem768 || 95 keyPair->group->name == ssl_grp_kem_secp384r1mlkem1024); 96 size += keyPair->kemCt->len; 97 } 98 99 return size; 100 } 101 102 static SECStatus 103 tls13_WriteHybridECCKeyFirst(sslBuffer *buf, sslEphemeralKeyPair *keyPair) 104 { 105 PORT_Assert(keyPair->group->name == ssl_grp_kem_xyber768d00 || 106 keyPair->group->name == ssl_grp_kem_secp256r1mlkem768 || 107 keyPair->group->name == ssl_grp_kem_secp384r1mlkem1024); 108 PORT_Assert(keyPair->keys->pubKey->keyType == ecKey); 109 110 // Encode the ecc share first, then the MLKEM key or ciphertext. 111 SECStatus rv; 112 rv = sslBuffer_Append(buf, keyPair->keys->pubKey->u.ec.publicValue.data, 113 keyPair->keys->pubKey->u.ec.publicValue.len); 114 if (rv != SECSuccess) { 115 return rv; 116 } 117 118 if (keyPair->kemKeys) { 119 PORT_Assert(!keyPair->kemCt); 120 rv = sslBuffer_Append(buf, keyPair->kemKeys->pubKey->u.kyber.publicValue.data, keyPair->kemKeys->pubKey->u.kyber.publicValue.len); 121 } else if (keyPair->kemCt) { 122 rv = sslBuffer_Append(buf, keyPair->kemCt->data, keyPair->kemCt->len); 123 } else { 124 PORT_Assert(0); 125 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 126 rv = SECFailure; 127 } 128 return rv; 129 } 130 131 static SECStatus 132 tls13_WriteHybridHybridKeyFirst(sslBuffer *buf, sslEphemeralKeyPair *keyPair) 133 { 134 PORT_Assert(keyPair->group->name == ssl_grp_kem_mlkem768x25519); 135 PORT_Assert(keyPair->keys->pubKey->keyType == ecKey); 136 137 // Encode the ML-KEM-768 key or ciphertext first, then the X25519 share. 138 SECStatus rv; 139 if (keyPair->kemKeys) { 140 PORT_Assert(!keyPair->kemCt); 141 rv = sslBuffer_Append(buf, keyPair->kemKeys->pubKey->u.kyber.publicValue.data, keyPair->kemKeys->pubKey->u.kyber.publicValue.len); 142 } else if (keyPair->kemCt) { 143 rv = sslBuffer_Append(buf, keyPair->kemCt->data, keyPair->kemCt->len); 144 } else { 145 PORT_Assert(0); 146 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 147 rv = SECFailure; 148 } 149 if (rv != SECSuccess) { 150 return rv; 151 } 152 153 rv = sslBuffer_Append(buf, keyPair->keys->pubKey->u.ec.publicValue.data, 154 keyPair->keys->pubKey->u.ec.publicValue.len); 155 return rv; 156 } 157 158 static SECStatus 159 tls13_WriteKeyExchangeInfo(sslBuffer *buf, sslEphemeralKeyPair *keyPair) 160 { 161 SECStatus rv; 162 const SECKEYPublicKey *pubKey = keyPair->keys->pubKey; 163 switch (pubKey->keyType) { 164 case ecKey: 165 rv = sslBuffer_Append(buf, pubKey->u.ec.publicValue.data, 166 pubKey->u.ec.publicValue.len); 167 break; 168 case dhKey: 169 rv = ssl_AppendPaddedDHKeyShare(buf, pubKey, PR_FALSE); 170 break; 171 default: 172 PORT_Assert(0); 173 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 174 rv = SECFailure; 175 break; 176 } 177 178 return rv; 179 } 180 181 SECStatus 182 tls13_EncodeKeyShareEntry(sslBuffer *buf, sslEphemeralKeyPair *keyPair) 183 { 184 SECStatus rv; 185 unsigned int size = tls13_SizeOfKeyShareEntry(keyPair); 186 187 rv = sslBuffer_AppendNumber(buf, keyPair->group->name, 2); 188 if (rv != SECSuccess) { 189 return rv; 190 } 191 192 rv = sslBuffer_AppendNumber(buf, size - 4, 2); 193 if (rv != SECSuccess) { 194 return rv; 195 } 196 197 switch (keyPair->group->name) { 198 case ssl_grp_kem_mlkem768x25519: 199 rv = tls13_WriteHybridHybridKeyFirst(buf, keyPair); 200 break; 201 case ssl_grp_kem_secp256r1mlkem768: 202 case ssl_grp_kem_secp384r1mlkem1024: 203 case ssl_grp_kem_xyber768d00: 204 rv = tls13_WriteHybridECCKeyFirst(buf, keyPair); 205 break; 206 default: 207 rv = tls13_WriteKeyExchangeInfo(buf, keyPair); 208 break; 209 } 210 return rv; 211 } 212 213 SECStatus 214 tls13_ClientSendKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData, 215 sslBuffer *buf, PRBool *added) 216 { 217 SECStatus rv; 218 PRCList *cursor; 219 unsigned int lengthOffset; 220 221 if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3) { 222 return SECSuccess; 223 } 224 225 /* Optimistically try to send an ECDHE key using the 226 * preexisting key (in future will be keys) */ 227 SSL_TRC(3, ("%d: TLS13[%d]: send client key share xtn", 228 SSL_GETPID(), ss->fd)); 229 230 /* Save the offset to the length. */ 231 rv = sslBuffer_Skip(buf, 2, &lengthOffset); 232 if (rv != SECSuccess) { 233 return SECFailure; 234 } 235 236 for (cursor = PR_NEXT_LINK(&ss->ephemeralKeyPairs); 237 cursor != &ss->ephemeralKeyPairs; 238 cursor = PR_NEXT_LINK(cursor)) { 239 sslEphemeralKeyPair *keyPair = (sslEphemeralKeyPair *)cursor; 240 rv = tls13_EncodeKeyShareEntry(buf, keyPair); 241 if (rv != SECSuccess) { 242 return SECFailure; 243 } 244 } 245 246 /* GREASE KeyShareEntry: 247 * [The client] MAY also send KeyShareEntry values for a subset of those 248 * selected in the "key_share" extension. For each of these, the 249 * "key_exchange" field MAY be any value [RFC8701, Section 3.1]. 250 * 251 * By default we do not send KeyShares for every NamedGroup so the 252 * ServerKeyShare handshake message / additional round-trip is not 253 * triggered by sending GREASE KeyShareEntries. */ 254 if (ss->opt.enableGrease) { 255 rv = sslBuffer_AppendNumber(buf, ss->ssl3.hs.grease->idx[grease_group], 2); 256 if (rv != SECSuccess) 257 return rv; 258 /* Entry length */ 259 rv = sslBuffer_AppendNumber(buf, 2, 2); 260 if (rv != SECSuccess) 261 return rv; 262 /* Entry value */ 263 rv = sslBuffer_AppendNumber(buf, 0xCD, 2); 264 if (rv != SECSuccess) 265 return rv; 266 } 267 268 rv = sslBuffer_InsertLength(buf, lengthOffset, 2); 269 if (rv != SECSuccess) { 270 return SECFailure; 271 } 272 273 *added = PR_TRUE; 274 return SECSuccess; 275 } 276 277 SECStatus 278 tls13_DecodeKeyShareEntry(sslReader *rdr, TLS13KeyShareEntry **ksp) 279 { 280 SECStatus rv; 281 PRUint64 group; 282 const sslNamedGroupDef *groupDef; 283 TLS13KeyShareEntry *ks = NULL; 284 sslReadBuffer share; 285 286 rv = sslRead_ReadNumber(rdr, 2, &group); 287 if (rv != SECSuccess) { 288 goto loser; 289 } 290 groupDef = ssl_LookupNamedGroup(group); 291 rv = sslRead_ReadVariable(rdr, 2, &share); 292 if (rv != SECSuccess) { 293 goto loser; 294 } 295 296 /* This has to happen here because we want to consume 297 * the entire entry even if the group is unknown 298 * or disabled. */ 299 /* If the group is disabled, continue. */ 300 if (!groupDef) { 301 return SECSuccess; 302 } 303 304 ks = PORT_ZNew(TLS13KeyShareEntry); 305 if (!ks) { 306 goto loser; 307 } 308 ks->group = groupDef; 309 310 rv = SECITEM_MakeItem(NULL, &ks->key_exchange, 311 share.buf, share.len); 312 if (rv != SECSuccess) { 313 goto loser; 314 } 315 316 *ksp = ks; 317 return SECSuccess; 318 319 loser: 320 tls13_DestroyKeyShareEntry(ks); 321 322 return SECFailure; 323 } 324 /* Handle an incoming KeyShare extension at the client and copy to 325 * |xtnData->remoteKeyShares| for future use. The key 326 * share is processed in tls13_HandleServerKeyShare(). */ 327 SECStatus 328 tls13_ClientHandleKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData, 329 SECItem *data) 330 { 331 SECStatus rv; 332 PORT_Assert(PR_CLIST_IS_EMPTY(&xtnData->remoteKeyShares)); 333 TLS13KeyShareEntry *ks = NULL; 334 335 PORT_Assert(!ss->sec.isServer); 336 337 /* The server must not send this extension when negotiating < TLS 1.3. */ 338 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { 339 PORT_SetError(SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION); 340 return SECFailure; 341 } 342 343 SSL_TRC(3, ("%d: SSL3[%d]: handle key_share extension", 344 SSL_GETPID(), ss->fd)); 345 346 sslReader rdr = SSL_READER(data->data, data->len); 347 rv = tls13_DecodeKeyShareEntry(&rdr, &ks); 348 if ((rv != SECSuccess) || !ks) { 349 ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); 350 PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE); 351 return SECFailure; 352 } 353 354 if (SSL_READER_REMAINING(&rdr)) { 355 tls13_DestroyKeyShareEntry(ks); 356 PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE); 357 return SECFailure; 358 } 359 PR_APPEND_LINK(&ks->link, &xtnData->remoteKeyShares); 360 361 return SECSuccess; 362 } 363 364 SECStatus 365 tls13_ClientHandleKeyShareXtnHrr(const sslSocket *ss, TLSExtensionData *xtnData, 366 SECItem *data) 367 { 368 SECStatus rv; 369 PRUint32 tmp; 370 const sslNamedGroupDef *group; 371 372 PORT_Assert(!ss->sec.isServer); 373 PORT_Assert(ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3); 374 375 SSL_TRC(3, ("%d: SSL3[%d]: handle key_share extension in HRR", 376 SSL_GETPID(), ss->fd)); 377 378 rv = ssl3_ExtConsumeHandshakeNumber(ss, &tmp, 2, &data->data, &data->len); 379 if (rv != SECSuccess) { 380 return SECFailure; /* error code already set */ 381 } 382 if (data->len) { 383 ssl3_ExtSendAlert(ss, alert_fatal, decode_error); 384 PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST); 385 return SECFailure; 386 } 387 388 group = ssl_LookupNamedGroup((SSLNamedGroup)tmp); 389 /* If the group is not enabled, or we already have a share for the 390 * requested group, abort. */ 391 if (!ssl_NamedGroupEnabled(ss, group) || 392 ssl_HaveEphemeralKeyPair(ss, group)) { 393 ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); 394 PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST); 395 return SECFailure; 396 } 397 398 /* Now delete all the key shares per [draft-ietf-tls-tls13 S 4.1.2] */ 399 ssl_FreeEphemeralKeyPairs(CONST_CAST(sslSocket, ss)); 400 401 /* And replace with our new share. */ 402 rv = tls13_AddKeyShare(CONST_CAST(sslSocket, ss), group); 403 if (rv != SECSuccess) { 404 ssl3_ExtSendAlert(ss, alert_fatal, internal_error); 405 PORT_SetError(SEC_ERROR_KEYGEN_FAIL); 406 return SECFailure; 407 } 408 409 return SECSuccess; 410 } 411 412 /* Handle an incoming KeyShare extension at the server and copy to 413 * |xtnData->remoteKeyShares| for future use. The key 414 * share is processed in tls13_HandleClientKeyShare(). */ 415 SECStatus 416 tls13_ServerHandleKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData, 417 SECItem *data) 418 { 419 SECStatus rv; 420 PRUint32 length; 421 422 PORT_Assert(ss->sec.isServer); 423 PORT_Assert(PR_CLIST_IS_EMPTY(&xtnData->remoteKeyShares)); 424 425 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { 426 return SECSuccess; 427 } 428 429 SSL_TRC(3, ("%d: SSL3[%d]: handle key_share extension", 430 SSL_GETPID(), ss->fd)); 431 432 /* Redundant length because of TLS encoding (this vector consumes 433 * the entire extension.) */ 434 rv = ssl3_ExtConsumeHandshakeNumber(ss, &length, 2, &data->data, 435 &data->len); 436 if (rv != SECSuccess) 437 goto loser; 438 if (length != data->len) { 439 /* Check for consistency */ 440 PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE); 441 goto loser; 442 } 443 444 sslReader rdr = SSL_READER(data->data, data->len); 445 while (SSL_READER_REMAINING(&rdr)) { 446 TLS13KeyShareEntry *ks = NULL; 447 rv = tls13_DecodeKeyShareEntry(&rdr, &ks); 448 if (rv != SECSuccess) { 449 PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE); 450 goto loser; 451 } 452 if (ks) { 453 /* |ks| == NULL if this is an unknown group. */ 454 PR_APPEND_LINK(&ks->link, &xtnData->remoteKeyShares); 455 } 456 } 457 458 /* Keep track of negotiated extensions. */ 459 xtnData->negotiated[xtnData->numNegotiated++] = 460 ssl_tls13_key_share_xtn; 461 462 return SECSuccess; 463 464 loser: 465 tls13_DestroyKeyShares(&xtnData->remoteKeyShares); 466 return SECFailure; 467 } 468 469 SECStatus 470 tls13_ServerSendKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData, 471 sslBuffer *buf, PRBool *added) 472 { 473 SECStatus rv; 474 sslEphemeralKeyPair *keyPair; 475 476 /* There should be exactly one key share. */ 477 PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ephemeralKeyPairs)); 478 PORT_Assert(PR_PREV_LINK(&ss->ephemeralKeyPairs) == 479 PR_NEXT_LINK(&ss->ephemeralKeyPairs)); 480 481 keyPair = (sslEphemeralKeyPair *)PR_NEXT_LINK(&ss->ephemeralKeyPairs); 482 483 rv = tls13_EncodeKeyShareEntry(buf, keyPair); 484 if (rv != SECSuccess) { 485 return SECFailure; 486 } 487 488 *added = PR_TRUE; 489 return SECSuccess; 490 } 491 492 /* Called by clients. 493 * 494 * struct { 495 * opaque identity<0..2^16-1>; 496 * uint32 obfuscated_ticket_age; 497 * } PskIdentity; 498 * 499 * opaque PskBinderEntry<32..255>; 500 * 501 * struct { 502 * select (Handshake.msg_type) { 503 * case client_hello: 504 * PskIdentity identities<6..2^16-1>; 505 * PskBinderEntry binders<33..2^16-1>; 506 * 507 * case server_hello: 508 * uint16 selected_identity; 509 * }; 510 * 511 * } PreSharedKeyExtension; 512 */ 513 SECStatus 514 tls13_ClientSendPreSharedKeyXtn(const sslSocket *ss, TLSExtensionData *xtnData, 515 sslBuffer *buf, PRBool *added) 516 { 517 const static PRUint8 binder[TLS13_MAX_FINISHED_SIZE] = { 0 }; 518 unsigned int binderLen; 519 unsigned int identityLen = 0; 520 const PRUint8 *identity = NULL; 521 PRTime age; 522 SECStatus rv; 523 524 /* Exit early if no PSKs or max version < 1.3. */ 525 if (PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks) || 526 ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3) { 527 return SECSuccess; 528 } 529 530 /* ...or if PSK type is resumption, but we're not resuming. */ 531 sslPsk *psk = (sslPsk *)PR_LIST_HEAD(&ss->ssl3.hs.psks); 532 if (psk->type == ssl_psk_resume && !ss->statelessResume) { 533 return SECSuccess; 534 } 535 536 /* ...or if PSKs are incompatible with negotiated ciphersuites 537 * (different hash algorithms) on HRR. 538 * 539 * In addition, in its updated ClientHello, the client SHOULD NOT offer any 540 * pre-shared keys associated with a hash other than that of the selected 541 * cipher suite. This allows the client to avoid having to compute partial 542 * hash transcripts for multiple hashes in the second ClientHello 543 * [RFC8446, Section 4.1.4]. */ 544 if (ss->ssl3.hs.helloRetry && 545 (psk->hash != ss->ssl3.hs.suite_def->prf_hash)) { 546 return SECSuccess; 547 } 548 549 /* Save where this extension starts so that if we have to add padding, it 550 * can be inserted before this extension. */ 551 PORT_Assert(buf->len >= 4); 552 xtnData->lastXtnOffset = buf->len - 4; 553 PORT_Assert(psk->type == ssl_psk_resume || psk->type == ssl_psk_external); 554 binderLen = tls13_GetHashSizeForHash(psk->hash); 555 if (psk->type == ssl_psk_resume) { 556 /* Send a single ticket identity. */ 557 NewSessionTicket *session_ticket = &ss->sec.ci.sid->u.ssl3.locked.sessionTicket; 558 identityLen = session_ticket->ticket.len; 559 identity = session_ticket->ticket.data; 560 561 /* Obfuscated age. */ 562 age = ssl_Time(ss) - session_ticket->received_timestamp; 563 age /= PR_USEC_PER_MSEC; 564 age += session_ticket->ticket_age_add; 565 PRINT_BUF(50, (ss, "Sending Resumption PSK with identity", identity, identityLen)); 566 } else if (psk->type == ssl_psk_external) { 567 identityLen = psk->label.len; 568 identity = psk->label.data; 569 age = 0; 570 PRINT_BUF(50, (ss, "Sending External PSK with label", identity, identityLen)); 571 } else { 572 PORT_Assert(0); 573 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 574 return SECFailure; 575 } 576 577 /* Length is len(identityLen) + identityLen + len(age) */ 578 rv = sslBuffer_AppendNumber(buf, 2 + identityLen + 4, 2); 579 if (rv != SECSuccess) { 580 goto loser; 581 } 582 583 rv = sslBuffer_AppendVariable(buf, identity, 584 identityLen, 2); 585 if (rv != SECSuccess) { 586 goto loser; 587 } 588 589 rv = sslBuffer_AppendNumber(buf, age, 4); 590 if (rv != SECSuccess) { 591 goto loser; 592 } 593 594 /* Write out the binder list length. */ 595 rv = sslBuffer_AppendNumber(buf, binderLen + 1, 2); 596 if (rv != SECSuccess) { 597 goto loser; 598 } 599 600 /* Write zeroes for the binder for the moment. These 601 * are overwritten in tls13_WriteExtensionsWithBinder. */ 602 rv = sslBuffer_AppendVariable(buf, binder, binderLen, 1); 603 if (rv != SECSuccess) { 604 goto loser; 605 } 606 607 if (psk->type == ssl_psk_resume) { 608 xtnData->sentSessionTicketInClientHello = PR_TRUE; 609 } 610 611 *added = PR_TRUE; 612 return SECSuccess; 613 614 loser: 615 xtnData->ticketTimestampVerified = PR_FALSE; 616 return SECFailure; 617 } 618 619 /* Handle a TLS 1.3 PreSharedKey Extension. */ 620 SECStatus 621 tls13_ServerHandlePreSharedKeyXtn(const sslSocket *ss, TLSExtensionData *xtnData, 622 SECItem *data) 623 { 624 SECItem inner; 625 SECStatus rv; 626 unsigned int numIdentities = 0; 627 unsigned int numBinders = 0; 628 SECItem *appToken; 629 630 SSL_TRC(3, ("%d: SSL3[%d]: handle pre_shared_key extension", 631 SSL_GETPID(), ss->fd)); 632 633 /* If we are doing < TLS 1.3, then ignore this. */ 634 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { 635 return SECSuccess; 636 } 637 638 /* The application token is set via the cookie extension if this is the 639 * second ClientHello. Don't set it twice. The cookie extension handler 640 * sets |helloRetry| and that will have been called already because this 641 * extension always comes last. */ 642 if (!ss->ssl3.hs.helloRetry) { 643 appToken = &xtnData->applicationToken; 644 } else { 645 appToken = NULL; 646 } 647 648 /* Parse the identities list. */ 649 rv = ssl3_ExtConsumeHandshakeVariable(ss, &inner, 2, 650 &data->data, &data->len); 651 if (rv != SECSuccess) { 652 return SECFailure; 653 } 654 655 while (inner.len) { 656 SECItem label; 657 PRUint32 obfuscatedAge; 658 659 rv = ssl3_ExtConsumeHandshakeVariable(ss, &label, 2, 660 &inner.data, &inner.len); 661 if (rv != SECSuccess) 662 return rv; 663 if (!label.len) { 664 goto alert_loser; 665 } 666 667 rv = ssl3_ExtConsumeHandshakeNumber(ss, &obfuscatedAge, 4, 668 &inner.data, &inner.len); 669 if (rv != SECSuccess) 670 return rv; 671 672 if (!numIdentities) { 673 /* Check any configured external PSK for a matching label. 674 * If none exists, try to parse it as a ticket. */ 675 PORT_Assert(!xtnData->selectedPsk); 676 for (PRCList *cur_p = PR_LIST_HEAD(&ss->ssl3.hs.psks); 677 cur_p != &ss->ssl3.hs.psks; 678 cur_p = PR_NEXT_LINK(cur_p)) { 679 sslPsk *psk = (sslPsk *)cur_p; 680 if (psk->type != ssl_psk_external || 681 SECITEM_CompareItem(&psk->label, &label) != SECEqual) { 682 continue; 683 } 684 PRINT_BUF(50, (ss, "Using External PSK with label", 685 psk->label.data, psk->label.len)); 686 xtnData->selectedPsk = psk; 687 } 688 689 if (!xtnData->selectedPsk) { 690 PRINT_BUF(50, (ss, "Handling PreSharedKey value", 691 label.data, label.len)); 692 rv = ssl3_ProcessSessionTicketCommon( 693 CONST_CAST(sslSocket, ss), &label, appToken); 694 /* This only happens if we have an internal error, not 695 * a malformed ticket. Bogus tickets just don't resume 696 * and return SECSuccess. */ 697 if (rv != SECSuccess) { 698 return SECFailure; 699 } 700 701 if (ss->sec.ci.sid) { 702 /* xtnData->ticketAge contains the baseline we use for 703 * calculating the ticket age (i.e., our RTT estimate less the 704 * value of ticket_age_add). 705 * 706 * Add that to the obfuscated ticket age to recover the client's 707 * view of the ticket age plus the estimated RTT. 708 * 709 * See ssl3_EncodeSessionTicket() for details. */ 710 xtnData->ticketAge += obfuscatedAge; 711 712 /* We are not committed to resumption until after unwrapping the 713 * RMS in tls13_HandleClientHelloPart2. The RPSK will be stored 714 * in ss->xtnData.selectedPsk at that point, so continue. */ 715 } 716 } 717 } 718 719 ++numIdentities; 720 } 721 722 xtnData->pskBindersLen = data->len; 723 724 /* Parse the binders list. */ 725 rv = ssl3_ExtConsumeHandshakeVariable(ss, 726 &inner, 2, &data->data, &data->len); 727 if (rv != SECSuccess) 728 return SECFailure; 729 if (data->len) { 730 goto alert_loser; 731 } 732 733 while (inner.len) { 734 SECItem binder; 735 rv = ssl3_ExtConsumeHandshakeVariable(ss, &binder, 1, 736 &inner.data, &inner.len); 737 if (rv != SECSuccess) 738 return rv; 739 if (binder.len < 32) { 740 goto alert_loser; 741 } 742 743 if (!numBinders) { 744 xtnData->pskBinder = binder; 745 } 746 ++numBinders; 747 } 748 749 if (numBinders != numIdentities) 750 goto alert_loser; 751 752 if (ss->statelessResume) { 753 PORT_Assert(!ss->xtnData.selectedPsk); 754 } else if (!xtnData->selectedPsk) { 755 /* No matching EPSK. */ 756 return SECSuccess; 757 } 758 759 xtnData->negotiated[xtnData->numNegotiated++] = ssl_tls13_pre_shared_key_xtn; 760 return SECSuccess; 761 762 alert_loser: 763 ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); 764 PORT_SetError(SSL_ERROR_MALFORMED_PRE_SHARED_KEY); 765 return SECFailure; 766 } 767 768 SECStatus 769 tls13_ServerSendPreSharedKeyXtn(const sslSocket *ss, TLSExtensionData *xtnData, 770 sslBuffer *buf, PRBool *added) 771 { 772 SECStatus rv; 773 774 /* We only process the first session ticket the client sends, 775 * so the index is always 0. */ 776 rv = sslBuffer_AppendNumber(buf, 0, 2); 777 if (rv != SECSuccess) { 778 return SECFailure; 779 } 780 781 *added = PR_TRUE; 782 return SECSuccess; 783 } 784 785 /* Handle a TLS 1.3 PreSharedKey Extension. */ 786 SECStatus 787 tls13_ClientHandlePreSharedKeyXtn(const sslSocket *ss, TLSExtensionData *xtnData, 788 SECItem *data) 789 { 790 PRUint32 index; 791 SECStatus rv; 792 793 SSL_TRC(3, ("%d: SSL3[%d]: handle pre_shared_key extension", 794 SSL_GETPID(), ss->fd)); 795 796 /* The server must not send this extension when negotiating < TLS 1.3. */ 797 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { 798 PORT_SetError(SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION); 799 return SECFailure; 800 } 801 802 rv = ssl3_ExtConsumeHandshakeNumber(ss, &index, 2, &data->data, &data->len); 803 if (rv != SECSuccess) 804 return SECFailure; 805 806 /* This should be the end of the extension. */ 807 if (data->len) { 808 PORT_SetError(SSL_ERROR_MALFORMED_PRE_SHARED_KEY); 809 return SECFailure; 810 } 811 812 /* We only sent one PSK label so index must be equal to 0 */ 813 if (index) { 814 ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); 815 PORT_SetError(SSL_ERROR_MALFORMED_PRE_SHARED_KEY); 816 return SECFailure; 817 } 818 819 PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks)); 820 sslPsk *candidate = (sslPsk *)PR_LIST_HEAD(&ss->ssl3.hs.psks); 821 822 /* Check that the server-selected ciphersuite hash and PSK hash match. */ 823 if (candidate->hash != tls13_GetHashForCipherSuite(ss->ssl3.hs.cipher_suite)) { 824 ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); 825 return SECFailure; 826 } 827 828 /* Keep track of negotiated extensions. */ 829 xtnData->negotiated[xtnData->numNegotiated++] = ssl_tls13_pre_shared_key_xtn; 830 xtnData->selectedPsk = candidate; 831 832 return SECSuccess; 833 } 834 835 /* 836 * struct { } EarlyDataIndication; 837 */ 838 SECStatus 839 tls13_ClientSendEarlyDataXtn(const sslSocket *ss, TLSExtensionData *xtnData, 840 sslBuffer *buf, PRBool *added) 841 { 842 if (!tls13_ClientAllow0Rtt(ss, ss->sec.ci.sid)) { 843 return SECSuccess; 844 } 845 846 *added = PR_TRUE; 847 return SECSuccess; 848 } 849 850 SECStatus 851 tls13_ServerHandleEarlyDataXtn(const sslSocket *ss, TLSExtensionData *xtnData, 852 SECItem *data) 853 { 854 SSL_TRC(3, ("%d: TLS13[%d]: handle early_data extension", 855 SSL_GETPID(), ss->fd)); 856 857 /* If we are doing < TLS 1.3, then ignore this. */ 858 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { 859 return SECSuccess; 860 } 861 862 if (ss->ssl3.hs.helloRetry) { 863 ssl3_ExtSendAlert(ss, alert_fatal, unsupported_extension); 864 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_EXTENSION); 865 return SECFailure; 866 } 867 868 if (data->len) { 869 PORT_SetError(SSL_ERROR_MALFORMED_EARLY_DATA); 870 return SECFailure; 871 } 872 873 xtnData->negotiated[xtnData->numNegotiated++] = ssl_tls13_early_data_xtn; 874 875 return SECSuccess; 876 } 877 878 /* This will only be called if we also offered the extension. */ 879 SECStatus 880 tls13_ClientHandleEarlyDataXtn(const sslSocket *ss, TLSExtensionData *xtnData, 881 SECItem *data) 882 { 883 SSL_TRC(3, ("%d: TLS13[%d]: handle early_data extension", 884 SSL_GETPID(), ss->fd)); 885 886 /* The server must not send this extension when negotiating < TLS 1.3. */ 887 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { 888 PORT_SetError(SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION); 889 return SECFailure; 890 } 891 892 if (data->len) { 893 PORT_SetError(SSL_ERROR_MALFORMED_EARLY_DATA); 894 return SECFailure; 895 } 896 897 /* Keep track of negotiated extensions. */ 898 xtnData->negotiated[xtnData->numNegotiated++] = ssl_tls13_early_data_xtn; 899 900 return SECSuccess; 901 } 902 903 SECStatus 904 tls13_ClientHandleTicketEarlyDataXtn(const sslSocket *ss, TLSExtensionData *xtnData, 905 SECItem *data) 906 { 907 PRUint32 utmp; 908 SECStatus rv; 909 910 SSL_TRC(3, ("%d: TLS13[%d]: handle ticket early_data extension", 911 SSL_GETPID(), ss->fd)); 912 913 /* The server must not send this extension when negotiating < TLS 1.3. */ 914 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { 915 PORT_SetError(SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION); 916 return SECFailure; 917 } 918 919 rv = ssl3_ExtConsumeHandshake(ss, &utmp, sizeof(utmp), 920 &data->data, &data->len); 921 if (rv != SECSuccess) { 922 PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET); 923 return SECFailure; 924 } 925 if (data->len) { 926 PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET); 927 return SECFailure; 928 } 929 930 xtnData->max_early_data_size = PR_ntohl(utmp); 931 932 return SECSuccess; 933 } 934 935 /* 936 * struct { 937 * select (Handshake.msg_type) { 938 * case client_hello: 939 * ProtocolVersion versions<2..254>; 940 * case server_hello: 941 * ProtocolVersion version; 942 * }; 943 * } SupportedVersions; 944 */ 945 SECStatus 946 tls13_ClientSendSupportedVersionsXtn(const sslSocket *ss, TLSExtensionData *xtnData, 947 sslBuffer *buf, PRBool *added) 948 { 949 PRUint16 version; 950 unsigned int lengthOffset; 951 SECStatus rv; 952 953 if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3) { 954 return SECSuccess; 955 } 956 957 SSL_TRC(3, ("%d: TLS13[%d]: client send supported_versions extension", 958 SSL_GETPID(), ss->fd)); 959 960 rv = sslBuffer_Skip(buf, 1, &lengthOffset); 961 if (rv != SECSuccess) { 962 return SECFailure; 963 } 964 965 PORT_Assert(!ss->ssl3.hs.echHpkeCtx || ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3); 966 for (version = ss->vrange.max; version >= ss->vrange.min; --version) { 967 PRUint16 wire = tls13_EncodeVersion(version, 968 ss->protocolVariant); 969 rv = sslBuffer_AppendNumber(buf, wire, 2); 970 if (rv != SECSuccess) { 971 return SECFailure; 972 } 973 974 if (ss->opt.enableDtls13VersionCompat && 975 ss->protocolVariant == ssl_variant_datagram) { 976 switch (version) { 977 case SSL_LIBRARY_VERSION_TLS_1_2: 978 case SSL_LIBRARY_VERSION_TLS_1_1: 979 rv = sslBuffer_AppendNumber(buf, (PRUint16)version, 2); 980 break; 981 default: 982 continue; 983 } 984 if (rv != SECSuccess) { 985 return SECFailure; 986 } 987 } 988 } 989 990 /* GREASE SupportedVersions: 991 * A client MAY select one or more GREASE version values and advertise them 992 * in the "supported_versions" extension, if sent [RFC8701, Section 3.1]. */ 993 if (ss->opt.enableGrease) { 994 rv = sslBuffer_AppendNumber(buf, ss->ssl3.hs.grease->idx[grease_version], 2); 995 if (rv != SECSuccess) { 996 return SECFailure; 997 } 998 } 999 1000 rv = sslBuffer_InsertLength(buf, lengthOffset, 1); 1001 if (rv != SECSuccess) { 1002 return SECFailure; 1003 } 1004 1005 *added = PR_TRUE; 1006 return SECSuccess; 1007 } 1008 1009 SECStatus 1010 tls13_ServerSendSupportedVersionsXtn(const sslSocket *ss, TLSExtensionData *xtnData, 1011 sslBuffer *buf, PRBool *added) 1012 { 1013 SECStatus rv; 1014 1015 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { 1016 return SECSuccess; 1017 } 1018 1019 SSL_TRC(3, ("%d: TLS13[%d]: server send supported_versions extension", 1020 SSL_GETPID(), ss->fd)); 1021 1022 PRUint16 ver = tls13_EncodeVersion(SSL_LIBRARY_VERSION_TLS_1_3, 1023 ss->protocolVariant); 1024 rv = sslBuffer_AppendNumber(buf, ver, 2); 1025 if (rv != SECSuccess) { 1026 return SECFailure; 1027 } 1028 1029 *added = PR_TRUE; 1030 return SECSuccess; 1031 } 1032 1033 /* 1034 * struct { 1035 * opaque cookie<1..2^16-1>; 1036 * } Cookie; 1037 */ 1038 SECStatus 1039 tls13_ClientHandleHrrCookie(const sslSocket *ss, TLSExtensionData *xtnData, 1040 SECItem *data) 1041 { 1042 SECStatus rv; 1043 1044 SSL_TRC(3, ("%d: TLS13[%d]: handle cookie extension", 1045 SSL_GETPID(), ss->fd)); 1046 1047 PORT_Assert(ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3); 1048 1049 /* IMPORTANT: this is only valid while the HelloRetryRequest is still valid. */ 1050 rv = ssl3_ExtConsumeHandshakeVariable( 1051 ss, &CONST_CAST(sslSocket, ss)->ssl3.hs.cookie, 2, 1052 &data->data, &data->len); 1053 if (rv != SECSuccess) { 1054 PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST); 1055 return SECFailure; 1056 } 1057 if (!ss->ssl3.hs.cookie.len || data->len) { 1058 ssl3_ExtSendAlert(ss, alert_fatal, decode_error); 1059 PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST); 1060 return SECFailure; 1061 } 1062 1063 return SECSuccess; 1064 } 1065 1066 SECStatus 1067 tls13_ClientSendHrrCookieXtn(const sslSocket *ss, TLSExtensionData *xtnData, 1068 sslBuffer *buf, PRBool *added) 1069 { 1070 SECStatus rv; 1071 1072 /* Only send the TLS 1.3 Cookie extension in response to a 1073 * HelloRetryRequest. If we are replying to a DTLS 1.2 1074 * HelloVerifyRequest, the cookie must be carried in the DTLS 1075 * ClientHello cookie field, not as a TLS 1.3 extension. 1076 */ 1077 if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3 || 1078 !ss->ssl3.hs.cookie.len || !ss->ssl3.hs.helloRetry) { 1079 return SECSuccess; 1080 } 1081 1082 SSL_TRC(3, ("%d: TLS13[%d]: send cookie extension", SSL_GETPID(), ss->fd)); 1083 rv = sslBuffer_AppendVariable(buf, ss->ssl3.hs.cookie.data, 1084 ss->ssl3.hs.cookie.len, 2); 1085 if (rv != SECSuccess) { 1086 return SECFailure; 1087 } 1088 1089 *added = PR_TRUE; 1090 return SECSuccess; 1091 } 1092 1093 SECStatus 1094 tls13_ServerHandleCookieXtn(const sslSocket *ss, TLSExtensionData *xtnData, 1095 SECItem *data) 1096 { 1097 SECStatus rv; 1098 1099 SSL_TRC(3, ("%d: TLS13[%d]: handle cookie extension", 1100 SSL_GETPID(), ss->fd)); 1101 1102 rv = ssl3_ExtConsumeHandshakeVariable(ss, &xtnData->cookie, 2, 1103 &data->data, &data->len); 1104 if (rv != SECSuccess) { 1105 return SECFailure; 1106 } 1107 1108 if (xtnData->cookie.len == 0) { 1109 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); 1110 return SECFailure; 1111 } 1112 1113 if (data->len) { 1114 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); 1115 return SECFailure; 1116 } 1117 1118 /* Keep track of negotiated extensions. */ 1119 xtnData->negotiated[xtnData->numNegotiated++] = ssl_tls13_cookie_xtn; 1120 1121 return SECSuccess; 1122 } 1123 1124 SECStatus 1125 tls13_ClientSendPostHandshakeAuthXtn(const sslSocket *ss, 1126 TLSExtensionData *xtnData, 1127 sslBuffer *buf, PRBool *added) 1128 { 1129 /* Only one post-handshake message is supported: a single 1130 * NST immediately following the client Finished. */ 1131 if (!IS_DTLS(ss)) { 1132 SSL_TRC(3, ("%d: TLS13[%d]: send post_handshake_auth extension", 1133 SSL_GETPID(), ss->fd)); 1134 *added = ss->opt.enablePostHandshakeAuth; 1135 } 1136 return SECSuccess; 1137 } 1138 1139 SECStatus 1140 tls13_ServerHandlePostHandshakeAuthXtn(const sslSocket *ss, 1141 TLSExtensionData *xtnData, 1142 SECItem *data) 1143 { 1144 SSL_TRC(3, ("%d: TLS13[%d]: handle post_handshake_auth extension", 1145 SSL_GETPID(), ss->fd)); 1146 1147 if (data->len) { 1148 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); 1149 return SECFailure; 1150 } 1151 1152 /* Only one post-handshake message is supported: a single 1153 * NST immediately following the client Finished. */ 1154 if (!IS_DTLS(ss)) { 1155 /* Keep track of negotiated extensions. */ 1156 xtnData->negotiated[xtnData->numNegotiated++] = ssl_tls13_post_handshake_auth_xtn; 1157 } 1158 1159 return SECSuccess; 1160 } 1161 1162 /* 1163 * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode; 1164 * 1165 * struct { 1166 * PskKeyExchangeMode ke_modes<1..255>; 1167 * } PskKeyExchangeModes; 1168 */ 1169 SECStatus 1170 tls13_ClientSendPskModesXtn(const sslSocket *ss, TLSExtensionData *xtnData, 1171 sslBuffer *buf, PRBool *added) 1172 { 1173 SECStatus rv; 1174 1175 if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3 || 1176 ss->opt.noCache) { 1177 return SECSuccess; 1178 } 1179 1180 SSL_TRC(3, ("%d: TLS13[%d]: send psk key exchange modes extension", 1181 SSL_GETPID(), ss->fd)); 1182 1183 /* GREASE PskKeyExchangeMode: 1184 * A client MAY select one or more GREASE PskKeyExchangeMode values and 1185 * advertise them in the "psk_key_exchange_modes" extension, if sent 1186 * [RFC8701, Section 3.1]. */ 1187 if (ss->opt.enableGrease) { 1188 rv = sslBuffer_AppendVariable(buf, (PRUint8[]){ tls13_psk_dh_ke, ss->ssl3.hs.grease->pskKem }, 2, 1); 1189 } else { 1190 rv = sslBuffer_AppendVariable(buf, (PRUint8[]){ tls13_psk_dh_ke }, 1, 1); 1191 } 1192 if (rv != SECSuccess) { 1193 return SECFailure; 1194 } 1195 1196 *added = PR_TRUE; 1197 return SECSuccess; 1198 } 1199 1200 SECStatus 1201 tls13_ServerHandlePskModesXtn(const sslSocket *ss, TLSExtensionData *xtnData, 1202 SECItem *data) 1203 { 1204 SECStatus rv; 1205 1206 /* If we are doing < TLS 1.3, then ignore this. */ 1207 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { 1208 return SECSuccess; 1209 } 1210 1211 SSL_TRC(3, ("%d: TLS13[%d]: handle PSK key exchange modes extension", 1212 SSL_GETPID(), ss->fd)); 1213 1214 /* IMPORTANT: We aren't copying these values, just setting pointers. 1215 * They will only be valid as long as the ClientHello is in memory. */ 1216 rv = ssl3_ExtConsumeHandshakeVariable(ss, 1217 &xtnData->psk_ke_modes, 1, 1218 &data->data, &data->len); 1219 if (rv != SECSuccess) 1220 return rv; 1221 if (!xtnData->psk_ke_modes.len || data->len) { 1222 PORT_SetError(SSL_ERROR_MALFORMED_PSK_KEY_EXCHANGE_MODES); 1223 return SECFailure; 1224 } 1225 1226 /* Keep track of negotiated extensions. */ 1227 xtnData->negotiated[xtnData->numNegotiated++] = 1228 ssl_tls13_psk_key_exchange_modes_xtn; 1229 1230 return SECSuccess; 1231 } 1232 1233 SECStatus 1234 tls13_SendCertAuthoritiesXtn(const sslSocket *ss, TLSExtensionData *xtnData, 1235 sslBuffer *buf, PRBool *added) 1236 { 1237 unsigned int calen; 1238 const SECItem *name; 1239 unsigned int nnames; 1240 SECStatus rv; 1241 1242 PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); 1243 1244 rv = ssl_GetCertificateRequestCAs(ss, &calen, &name, &nnames); 1245 if (rv != SECSuccess) { 1246 return SECFailure; 1247 } 1248 1249 if (!calen) { 1250 return SECSuccess; 1251 } 1252 1253 rv = sslBuffer_AppendNumber(buf, calen, 2); 1254 if (rv != SECSuccess) { 1255 return SECFailure; 1256 } 1257 1258 while (nnames) { 1259 rv = sslBuffer_AppendVariable(buf, name->data, name->len, 2); 1260 if (rv != SECSuccess) { 1261 return SECFailure; 1262 } 1263 ++name; 1264 --nnames; 1265 } 1266 1267 *added = PR_TRUE; 1268 return SECSuccess; 1269 } 1270 1271 SECStatus 1272 tls13_ClientHandleCertAuthoritiesXtn(const sslSocket *ss, 1273 TLSExtensionData *xtnData, 1274 SECItem *data) 1275 { 1276 SECStatus rv; 1277 PLArenaPool *arena; 1278 1279 if (!data->len) { 1280 ssl3_ExtSendAlert(ss, alert_fatal, decode_error); 1281 PORT_SetError(SSL_ERROR_RX_MALFORMED_CERT_REQUEST); 1282 return SECFailure; 1283 } 1284 1285 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); 1286 if (!arena) { 1287 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1288 return SECFailure; 1289 } 1290 1291 xtnData->certReqAuthorities.arena = arena; 1292 rv = ssl3_ParseCertificateRequestCAs((sslSocket *)ss, 1293 &data->data, &data->len, 1294 &xtnData->certReqAuthorities); 1295 if (rv != SECSuccess) { 1296 goto loser; 1297 } 1298 if (data->len) { 1299 ssl3_ExtSendAlert(ss, alert_fatal, decode_error); 1300 PORT_SetError(SSL_ERROR_RX_MALFORMED_CERT_REQUEST); 1301 goto loser; 1302 } 1303 return SECSuccess; 1304 1305 loser: 1306 PORT_FreeArena(arena, PR_FALSE); 1307 xtnData->certReqAuthorities.arena = NULL; 1308 return SECFailure; 1309 } 1310 1311 SECStatus 1312 tls13_ServerHandleCertAuthoritiesXtn(const sslSocket *ss, TLSExtensionData *xtnData, SECItem *data) 1313 { 1314 SSL_TRC(3, ("%d: TLS13[%d]: ignore certificate_authorities extension", 1315 SSL_GETPID(), ss->fd)); 1316 /* NSS ignores certificate_authorities in the ClientHello */ 1317 return SECSuccess; 1318 } 1319 1320 SECStatus 1321 tls13_ServerSendHrrKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData, 1322 sslBuffer *buf, PRBool *added) 1323 { 1324 SECStatus rv; 1325 1326 PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); 1327 1328 if (!xtnData->selectedGroup) { 1329 return SECSuccess; 1330 } 1331 1332 rv = sslBuffer_AppendNumber(buf, xtnData->selectedGroup->name, 2); 1333 if (rv != SECSuccess) { 1334 return SECFailure; 1335 } 1336 1337 *added = PR_TRUE; 1338 return SECSuccess; 1339 } 1340 1341 SECStatus 1342 tls13_ServerSendHrrCookieXtn(const sslSocket *ss, TLSExtensionData *xtnData, 1343 sslBuffer *buf, PRBool *added) 1344 { 1345 SECStatus rv; 1346 1347 PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); 1348 PORT_Assert(xtnData->cookie.len > 0); 1349 1350 rv = sslBuffer_AppendVariable(buf, 1351 xtnData->cookie.data, xtnData->cookie.len, 2); 1352 if (rv != SECSuccess) { 1353 return SECFailure; 1354 } 1355 1356 *added = PR_TRUE; 1357 return SECSuccess; 1358 } 1359 1360 SECStatus 1361 tls13_ClientHandleHrrEchXtn(const sslSocket *ss, TLSExtensionData *xtnData, 1362 SECItem *data) 1363 { 1364 if (data->len != TLS13_ECH_SIGNAL_LEN) { 1365 ssl3_ExtSendAlert(ss, alert_fatal, decode_error); 1366 PORT_SetError(SSL_ERROR_RX_MALFORMED_ECH_EXTENSION); 1367 return SECFailure; 1368 } 1369 if (!ssl3_ExtensionAdvertised(ss, ssl_tls13_encrypted_client_hello_xtn)) { 1370 ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); 1371 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_EXTENSION); 1372 return SECFailure; 1373 } 1374 if (!ss->ssl3.hs.echHpkeCtx) { 1375 SSL_TRC(50, ("%d: TLS13[%d]: client received GREASEd ECH confirmation", 1376 SSL_GETPID(), ss->fd)); 1377 return SECSuccess; 1378 } 1379 SSL_TRC(50, ("%d: TLS13[%d]: client received HRR ECH confirmation", 1380 SSL_GETPID(), ss->fd)); 1381 PORT_Assert(!xtnData->ech); 1382 xtnData->ech = PORT_ZNew(sslEchXtnState); 1383 if (!xtnData->ech) { 1384 return SECFailure; 1385 } 1386 xtnData->ech->hrrConfirmation = data->data; 1387 return SECSuccess; 1388 } 1389 1390 SECStatus 1391 tls13_ClientHandleEchXtn(const sslSocket *ss, TLSExtensionData *xtnData, 1392 SECItem *data) 1393 { 1394 SECStatus rv; 1395 PRCList parsedConfigs; 1396 PR_INIT_CLIST(&parsedConfigs); 1397 1398 /* The [retry config] response is valid only when the server used the 1399 * ClientHelloOuter. If the server sent this extension in response to the 1400 * inner variant [ECH was accepted], then the client MUST abort with an 1401 * "unsupported_extension" alert [draft-ietf-tls-esni-14, Section 5]. */ 1402 if (ss->ssl3.hs.echAccepted) { 1403 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_EXTENSION); 1404 ssl3_ExtSendAlert(ss, alert_fatal, unsupported_extension); 1405 return SECFailure; 1406 } 1407 1408 /* If the server is configured with any ECHConfigs, it MUST include the 1409 * "encrypted_client_hello" extension in its EncryptedExtensions with the 1410 * "retry_configs" field set to one or more ECHConfig structures with 1411 * up-to-date keys [draft-ietf-tls-esni-14, Section 7.1]. */ 1412 if (ss->ssl3.hs.msg_type != ssl_hs_encrypted_extensions) { 1413 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_EXTENSION); 1414 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { 1415 /* For TLS < 1.3 the extension is unkown/unsupported. */ 1416 ssl3_ExtSendAlert(ss, alert_fatal, unsupported_extension); 1417 } else { 1418 /* For TLS 1.3 the extension is known but prohibited outside EE 1419 * (see RFC8446, Section 4.2 for alert rationale). */ 1420 ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); 1421 } 1422 return SECFailure; 1423 } 1424 1425 PORT_Assert(!xtnData->ech); 1426 xtnData->ech = PORT_ZNew(sslEchXtnState); 1427 if (!xtnData->ech) { 1428 return SECFailure; 1429 } 1430 1431 /* Parse the list to determine 1) That the configs are valid 1432 * and properly encoded, and 2) If any are compatible. */ 1433 rv = tls13_DecodeEchConfigs(data, &parsedConfigs); 1434 if (rv == SECFailure) { 1435 ssl3_ExtSendAlert(ss, alert_fatal, decode_error); 1436 PORT_SetError(SSL_ERROR_RX_MALFORMED_ECH_CONFIG); 1437 return SECFailure; 1438 } 1439 /* Don't mark ECH negotiated on rejection with retry_config. 1440 * Save the the raw configs so the application can retry. If 1441 * we sent GREASE ECH (no echHpkeCtx), don't apply retry_configs. */ 1442 if (ss->ssl3.hs.echHpkeCtx && !PR_CLIST_IS_EMPTY(&parsedConfigs)) { 1443 rv = SECITEM_CopyItem(NULL, &xtnData->ech->retryConfigs, data); 1444 } 1445 tls13_DestroyEchConfigs(&parsedConfigs); 1446 1447 return rv; 1448 } 1449 1450 /* Indicates support for the delegated credentials extension. This should be 1451 * hooked while processing the ClientHello. */ 1452 SECStatus 1453 tls13_ClientSendDelegatedCredentialsXtn(const sslSocket *ss, 1454 TLSExtensionData *xtnData, 1455 sslBuffer *buf, PRBool *added) 1456 { 1457 /* Only send the extension if support is enabled and the client can 1458 * negotiate TLS 1.3. */ 1459 if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3 || 1460 !ss->opt.enableDelegatedCredentials) { 1461 return SECSuccess; 1462 } 1463 1464 /* Filter the schemes that are enabled and acceptable. Save these in 1465 * the "advertised" list, then encode them to be sent. If we receive 1466 * a DC in response, validate that it matches one of the advertised 1467 * schemes. */ 1468 SSLSignatureScheme filtered[MAX_SIGNATURE_SCHEMES] = { 0 }; 1469 unsigned int filteredCount = 0; 1470 SECStatus rv = ssl3_FilterSigAlgs(ss, ss->vrange.max, 1471 PR_TRUE /* disableRsae */, 1472 PR_FALSE /* forCert */, 1473 MAX_SIGNATURE_SCHEMES, 1474 filtered, 1475 &filteredCount); 1476 if (rv != SECSuccess) { 1477 return SECFailure; 1478 } 1479 1480 /* If no schemes available for the DC extension, don't send it. */ 1481 if (!filteredCount) { 1482 return SECSuccess; 1483 } 1484 1485 rv = ssl3_EncodeFilteredSigAlgs(ss, filtered, filteredCount, 1486 PR_FALSE /* GREASE */, buf); 1487 if (rv != SECSuccess) { 1488 return SECFailure; 1489 } 1490 1491 SSLSignatureScheme *dcSchemesAdvertised = PORT_ZNewArray(SSLSignatureScheme, 1492 filteredCount); 1493 if (!dcSchemesAdvertised) { 1494 return SECFailure; 1495 } 1496 for (unsigned int i = 0; i < filteredCount; i++) { 1497 dcSchemesAdvertised[i] = filtered[i]; 1498 } 1499 1500 if (xtnData->delegCredSigSchemesAdvertised) { 1501 PORT_Free(xtnData->delegCredSigSchemesAdvertised); 1502 } 1503 xtnData->delegCredSigSchemesAdvertised = dcSchemesAdvertised; 1504 xtnData->numDelegCredSigSchemesAdvertised = filteredCount; 1505 *added = PR_TRUE; 1506 return SECSuccess; 1507 } 1508 1509 /* Parses the delegated credential (DC) offered by the server. This should be 1510 * hooked while processing the server's CertificateVerify. 1511 * 1512 * Only the DC sent with the end-entity certificate is to be parsed. This is 1513 * ensured by |tls13_HandleCertificateEntry|, which only processes extensions 1514 * for the first certificate in the chain. 1515 */ 1516 SECStatus 1517 tls13_ClientHandleDelegatedCredentialsXtn(const sslSocket *ss, 1518 TLSExtensionData *xtnData, 1519 SECItem *data) 1520 { 1521 if (!ss->opt.enableDelegatedCredentials || 1522 ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { 1523 ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); 1524 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_EXTENSION); 1525 return SECFailure; 1526 } 1527 1528 sslDelegatedCredential *dc = NULL; 1529 SECStatus rv = tls13_ReadDelegatedCredential(data->data, data->len, &dc); 1530 if (rv != SECSuccess) { 1531 goto loser; /* code already set */ 1532 } 1533 1534 /* When using RSA, the public key MUST NOT use the rsaEncryption OID. */ 1535 if (dc->expectedCertVerifyAlg == ssl_sig_rsa_pss_rsae_sha256 || 1536 dc->expectedCertVerifyAlg == ssl_sig_rsa_pss_rsae_sha384 || 1537 dc->expectedCertVerifyAlg == ssl_sig_rsa_pss_rsae_sha512) { 1538 goto alert_loser; 1539 } 1540 1541 /* The algorithm and expected_cert_verify_algorithm fields MUST be of a 1542 * type advertised by the client in the SignatureSchemeList and are 1543 * considered invalid otherwise. Clients that receive invalid delegated 1544 * credentials MUST terminate the connection with an "illegal_parameter" 1545 * alert. */ 1546 PRBool found = PR_FALSE; 1547 for (unsigned int i = 0; i < ss->xtnData.numDelegCredSigSchemesAdvertised; ++i) { 1548 if (dc->expectedCertVerifyAlg == ss->xtnData.delegCredSigSchemesAdvertised[i]) { 1549 found = PR_TRUE; 1550 break; 1551 } 1552 } 1553 if (found == PR_FALSE) { 1554 goto alert_loser; 1555 } 1556 1557 // Check the dc->alg, if necessary. 1558 if (dc->alg != dc->expectedCertVerifyAlg) { 1559 found = PR_FALSE; 1560 for (unsigned int i = 0; i < ss->xtnData.numDelegCredSigSchemesAdvertised; ++i) { 1561 if (dc->alg == ss->xtnData.delegCredSigSchemesAdvertised[i]) { 1562 found = PR_TRUE; 1563 break; 1564 } 1565 } 1566 if (found == PR_FALSE) { 1567 goto alert_loser; 1568 } 1569 } 1570 1571 xtnData->peerDelegCred = dc; 1572 xtnData->negotiated[xtnData->numNegotiated++] = 1573 ssl_delegated_credentials_xtn; 1574 return SECSuccess; 1575 alert_loser: 1576 ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); 1577 PORT_SetError(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM); 1578 loser: 1579 tls13_DestroyDelegatedCredential(dc); 1580 return SECFailure; 1581 } 1582 1583 /* Adds the DC extension if we're committed to authenticating with a DC. */ 1584 static SECStatus 1585 tls13_ServerSendDelegatedCredentialsXtn(const sslSocket *ss, 1586 TLSExtensionData *xtnData, 1587 sslBuffer *buf, PRBool *added) 1588 { 1589 if (tls13_IsSigningWithDelegatedCredential(ss)) { 1590 const SECItem *dc = &ss->sec.serverCert->delegCred; 1591 SECStatus rv; 1592 rv = sslBuffer_Append(buf, dc->data, dc->len); 1593 if (rv != SECSuccess) { 1594 return SECFailure; 1595 } 1596 *added = PR_TRUE; 1597 } 1598 return SECSuccess; 1599 } 1600 1601 /* The client has indicated support of DCs. We can't act on this information 1602 * until we've committed to signing with a DC, so just set a callback for 1603 * sending the DC extension later. */ 1604 SECStatus 1605 tls13_ServerHandleDelegatedCredentialsXtn(const sslSocket *ss, 1606 TLSExtensionData *xtnData, 1607 SECItem *data) 1608 { 1609 if (xtnData->delegCredSigSchemes) { 1610 PORT_Free(xtnData->delegCredSigSchemes); 1611 xtnData->delegCredSigSchemes = NULL; 1612 xtnData->numDelegCredSigSchemes = 0; 1613 } 1614 SECStatus rv = ssl_ParseSignatureSchemes(ss, NULL, 1615 &xtnData->delegCredSigSchemes, 1616 &xtnData->numDelegCredSigSchemes, 1617 &data->data, &data->len); 1618 if (rv != SECSuccess) { 1619 ssl3_ExtSendAlert(ss, alert_fatal, decode_error); 1620 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); 1621 return SECFailure; 1622 } 1623 if (xtnData->numDelegCredSigSchemes == 0) { 1624 ssl3_ExtSendAlert(ss, alert_fatal, handshake_failure); 1625 PORT_SetError(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM); 1626 return SECFailure; 1627 } 1628 /* Check for trailing data. */ 1629 if (data->len != 0) { 1630 ssl3_ExtSendAlert(ss, alert_fatal, decode_error); 1631 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); 1632 return SECFailure; 1633 } 1634 1635 /* Keep track of negotiated extensions. */ 1636 xtnData->peerRequestedDelegCred = PR_TRUE; 1637 xtnData->negotiated[xtnData->numNegotiated++] = 1638 ssl_delegated_credentials_xtn; 1639 1640 return ssl3_RegisterExtensionSender( 1641 ss, xtnData, ssl_delegated_credentials_xtn, 1642 tls13_ServerSendDelegatedCredentialsXtn); 1643 } 1644 1645 /* Adds the ECH extension containing server retry_configs */ 1646 SECStatus 1647 tls13_ServerSendEchXtn(const sslSocket *ss, 1648 TLSExtensionData *xtnData, 1649 sslBuffer *buf, PRBool *added) 1650 { 1651 SECStatus rv; 1652 PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); 1653 if (PR_CLIST_IS_EMPTY(&ss->echConfigs)) { 1654 return SECSuccess; 1655 } 1656 1657 const sslEchConfig *cfg = (sslEchConfig *)PR_LIST_HEAD(&ss->echConfigs); 1658 rv = sslBuffer_AppendVariable(buf, cfg->raw.data, cfg->raw.len, 2); 1659 if (rv != SECSuccess) { 1660 return SECFailure; 1661 } 1662 1663 *added = PR_TRUE; 1664 return SECSuccess; 1665 } 1666 1667 /* If an ECH server sends the HRR ECH extension after it accepted ECH, the 1668 * extension's payload must be set to 8 zero bytes, these are overwritten with 1669 * the accept_confirmation value after the required transcript calculation. 1670 * If a client-facing/shared-mode server did not accept ECH when offered in CH 1671 * or if ECH GREASE is enabled on the server and a ECH extension was received, 1672 * a 8 byte random value is set as the extension's payload 1673 * [draft-ietf-tls-esni-14, Section 7]. 1674 * 1675 * Depending on the acceptance of ECH, zero or random bytes are written to 1676 * ss->ssl3.hs.greaseEchBuf.buf in tls13con.c/tls13_SendHelloRetryRequest(). */ 1677 SECStatus 1678 tls13_ServerSendHrrEchXtn(const sslSocket *ss, TLSExtensionData *xtnData, 1679 sslBuffer *buf, PRBool *added) 1680 { 1681 SECStatus rv; 1682 /* Do not send HRR ECH extension if TLS < 1.3 was negotiated OR no ECH 1683 * extension was received OR the server is NOT in any ECH server mode AND 1684 * ECH GREASE is NOT enabled. */ 1685 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3 || 1686 !xtnData->ech || 1687 (!ss->echPubKey && !ss->opt.enableTls13BackendEch && !ss->opt.enableTls13GreaseEch)) { 1688 SSL_TRC(100, ("%d: TLS13[%d]: server not sending HRR ECH Xtn", 1689 SSL_GETPID(), ss->fd)); 1690 return SECSuccess; 1691 } 1692 SSL_TRC(100, ("%d: TLS13[%d]: server sending HRR ECH Xtn", 1693 SSL_GETPID(), ss->fd)); 1694 PR_ASSERT(SSL_BUFFER_LEN(&ss->ssl3.hs.greaseEchBuf) == TLS13_ECH_SIGNAL_LEN); 1695 PRINT_BUF(100, (ss, "grease_ech_confirmation", ss->ssl3.hs.greaseEchBuf.buf, TLS13_ECH_SIGNAL_LEN)); 1696 rv = sslBuffer_AppendBuffer(buf, &ss->ssl3.hs.greaseEchBuf); 1697 if (rv != SECSuccess) { 1698 return SECFailure; 1699 } 1700 *added = PR_TRUE; 1701 return SECSuccess; 1702 } 1703 1704 SECStatus 1705 tls13_ServerHandleInnerEchXtn(const sslSocket *ss, TLSExtensionData *xtnData, 1706 SECItem *data) 1707 { 1708 PRUint64 xtn_type; 1709 sslReader xtnReader = SSL_READER(data->data, data->len); 1710 1711 PR_ASSERT(ss->ssl3.hs.echAccepted || ss->opt.enableTls13BackendEch); 1712 PR_ASSERT(!xtnData->ech->receivedInnerXtn); 1713 1714 SECStatus rv = sslRead_ReadNumber(&xtnReader, 1, &xtn_type); 1715 if (rv != SECSuccess) { 1716 goto alert_loser; 1717 } 1718 if (xtn_type != ech_xtn_type_inner) { 1719 goto alert_loser; 1720 } 1721 if (SSL_READER_REMAINING(&xtnReader)) { 1722 /* Inner ECH Extension must contain only type enum */ 1723 goto alert_loser; 1724 } 1725 1726 xtnData->ech->receivedInnerXtn = PR_TRUE; 1727 xtnData->negotiated[xtnData->numNegotiated++] = ssl_tls13_encrypted_client_hello_xtn; 1728 return SECSuccess; 1729 1730 alert_loser: 1731 ssl3_ExtSendAlert(ss, alert_fatal, decode_error); 1732 PORT_SetError(SSL_ERROR_RX_MALFORMED_ECH_EXTENSION); 1733 return SECFailure; 1734 } 1735 1736 SECStatus 1737 tls13_ServerHandleOuterEchXtn(const sslSocket *ss, TLSExtensionData *xtnData, 1738 SECItem *data) 1739 { 1740 SECStatus rv; 1741 HpkeKdfId kdf; 1742 HpkeAeadId aead; 1743 PRUint32 tmp; 1744 PRUint8 configId; 1745 SECItem senderPubKey; 1746 SECItem encryptedCh; 1747 1748 PRUint32 xtn_type; 1749 rv = ssl3_ExtConsumeHandshakeNumber(ss, &xtn_type, 1, &data->data, &data->len); 1750 if (rv != SECSuccess) { 1751 goto alert_loser; 1752 } 1753 if (xtn_type != ech_xtn_type_outer && xtn_type != ech_xtn_type_inner) { 1754 SSL_TRC(3, ("%d: TLS13[%d]: unexpected ECH extension type in client hello outer, alert", 1755 SSL_GETPID(), ss->fd)); 1756 goto alert_loser; 1757 } 1758 /* If we are operating in shared mode, we can accept an inner xtn in the ClientHelloOuter */ 1759 if (xtn_type == ech_xtn_type_inner) { 1760 if (!ss->opt.enableTls13BackendEch) { 1761 ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); 1762 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_EXTENSION); 1763 return SECFailure; 1764 } 1765 PORT_Assert(!xtnData->ech); 1766 xtnData->ech = PORT_ZNew(sslEchXtnState); 1767 if (!xtnData->ech) { 1768 return SECFailure; 1769 } 1770 /* We have to rewind the buffer advanced by ssl3_ExtConsumeHandshakeNumber */ 1771 data->data--; 1772 data->len++; 1773 return tls13_ServerHandleInnerEchXtn(ss, xtnData, data); 1774 } 1775 if (ss->ssl3.hs.echAccepted) { 1776 ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); 1777 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_EXTENSION); 1778 return SECFailure; 1779 } 1780 1781 SSL_TRC(3, ("%d: TLS13[%d]: handle outer ECH extension", 1782 SSL_GETPID(), ss->fd)); 1783 1784 PORT_Assert(!xtnData->ech); 1785 xtnData->ech = PORT_ZNew(sslEchXtnState); 1786 if (!xtnData->ech) { 1787 return SECFailure; 1788 } 1789 1790 /* Parse the KDF and AEAD. */ 1791 rv = ssl3_ExtConsumeHandshakeNumber(ss, &tmp, 2, 1792 &data->data, &data->len); 1793 if (rv != SECSuccess) { 1794 goto alert_loser; 1795 } 1796 kdf = (HpkeKdfId)tmp; 1797 rv = ssl3_ExtConsumeHandshakeNumber(ss, &tmp, 2, 1798 &data->data, &data->len); 1799 if (rv != SECSuccess) { 1800 goto alert_loser; 1801 } 1802 aead = (HpkeAeadId)tmp; 1803 1804 /* config_id */ 1805 rv = ssl3_ExtConsumeHandshakeNumber(ss, &tmp, 1, 1806 &data->data, &data->len); 1807 if (rv != SECSuccess) { 1808 goto alert_loser; 1809 } 1810 configId = tmp; 1811 1812 /* enc */ 1813 rv = ssl3_ExtConsumeHandshakeVariable(ss, &senderPubKey, 2, 1814 &data->data, &data->len); 1815 if (rv != SECSuccess) { 1816 goto alert_loser; 1817 } 1818 1819 /* payload, which must be final and non-empty. */ 1820 xtnData->ech->payloadStart = data->data + 2; /* Move past length */ 1821 rv = ssl3_ExtConsumeHandshakeVariable(ss, &encryptedCh, 2, 1822 &data->data, &data->len); 1823 if (rv != SECSuccess) { 1824 goto alert_loser; 1825 } 1826 if (data->len || !encryptedCh.len) { 1827 goto alert_loser; 1828 } 1829 1830 if (!ss->ssl3.hs.helloRetry) { 1831 /* In the real ECH HRR case, config_id and enc should be empty. This 1832 * is checked after acceptance, because it might be GREASE ECH. */ 1833 if (!senderPubKey.len) { 1834 goto alert_loser; 1835 } 1836 1837 rv = SECITEM_CopyItem(NULL, &xtnData->ech->senderPubKey, &senderPubKey); 1838 if (rv == SECFailure) { 1839 return SECFailure; 1840 } 1841 } 1842 1843 rv = SECITEM_CopyItem(NULL, &xtnData->ech->innerCh, &encryptedCh); 1844 PRINT_BUF(100, (ss, "CT for ECH Decryption", encryptedCh.data, encryptedCh.len)); 1845 if (rv == SECFailure) { 1846 return SECFailure; 1847 } 1848 xtnData->ech->configId = configId; 1849 xtnData->ech->kdfId = kdf; 1850 xtnData->ech->aeadId = aead; 1851 1852 /* Not negotiated until tls13_MaybeAcceptEch. */ 1853 return SECSuccess; 1854 1855 alert_loser: 1856 ssl3_ExtSendAlert(ss, alert_fatal, decode_error); 1857 PORT_SetError(SSL_ERROR_RX_MALFORMED_ECH_EXTENSION); 1858 return SECFailure; 1859 } 1860 1861 SECStatus 1862 tls13_SendEmptyGreaseXtn(const sslSocket *ss, 1863 TLSExtensionData *xtnData, 1864 sslBuffer *buf, PRBool *added) 1865 { 1866 if (!ss->opt.enableGrease || 1867 (!ss->sec.isServer && ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3) || 1868 (ss->sec.isServer && ss->version < SSL_LIBRARY_VERSION_TLS_1_3)) { 1869 return SECSuccess; 1870 } 1871 1872 *added = PR_TRUE; 1873 return SECSuccess; 1874 } 1875 1876 SECStatus 1877 tls13_SendGreaseXtn(const sslSocket *ss, 1878 TLSExtensionData *xtnData, 1879 sslBuffer *buf, PRBool *added) 1880 { 1881 if (!ss->opt.enableGrease || 1882 (!ss->sec.isServer && ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3) || 1883 (ss->sec.isServer && ss->version < SSL_LIBRARY_VERSION_TLS_1_3)) { 1884 return SECSuccess; 1885 } 1886 1887 SECStatus rv = sslBuffer_AppendVariable(buf, (PRUint8[]){ 0x00 }, 1, 2); 1888 if (rv != SECSuccess) { 1889 return SECFailure; 1890 } 1891 1892 *added = PR_TRUE; 1893 return SECSuccess; 1894 } 1895 1896 SECStatus 1897 ssl3_SendCertificateCompressionXtn(const sslSocket *ss, 1898 TLSExtensionData *xtnData, 1899 sslBuffer *buf, PRBool *added) 1900 { 1901 /* enum { 1902 * zlib(1), 1903 * brotli(2), 1904 * zstd(3), 1905 * (65535) 1906 * } CertificateCompressionAlgorithm; 1907 * 1908 * struct { 1909 * CertificateCompressionAlgorithm algorithms<2..2^8-2>; 1910 * } CertificateCompressionAlgorithms; 1911 */ 1912 1913 SECStatus rv = SECFailure; 1914 if (ss->ssl3.cwSpec->version < SSL_LIBRARY_VERSION_TLS_1_3) { 1915 SSL_TRC(50, ("%d: TLS13[%d]: certificate_compression_algorithm extension requires TLS1.3 and above", 1916 SSL_GETPID(), ss->fd)); 1917 return SECSuccess; 1918 } 1919 1920 size_t certificateCompressionAlgorithmsLen = ss->ssl3.supportedCertCompressionAlgorithmsCount; 1921 if (certificateCompressionAlgorithmsLen == 0) { 1922 SSL_TRC(30, ("%d: TLS13[%d]: %s does not support any certificate compression algorithm", 1923 SSL_GETPID(), ss->fd, SSL_ROLE(ss))); 1924 return SECSuccess; 1925 } 1926 1927 SSL_TRC(30, ("%d: TLS13[%d]: %s sends certificate_compression_algorithm extension", 1928 SSL_GETPID(), ss->fd, SSL_ROLE(ss))); 1929 PORT_Assert(certificateCompressionAlgorithmsLen < (0x1u << 8) - 1); 1930 1931 rv = sslBuffer_AppendNumber(buf, certificateCompressionAlgorithmsLen << 1, 1); 1932 if (rv != SECSuccess) { 1933 return SECFailure; 1934 } 1935 1936 for (size_t i = 0; i < certificateCompressionAlgorithmsLen; i++) { 1937 rv = sslBuffer_AppendNumber(buf, ss->ssl3.supportedCertCompressionAlgorithms[i].id, 2); 1938 if (rv != SECSuccess) { 1939 return SECFailure; 1940 } 1941 } 1942 1943 xtnData->certificateCompressionAdvertised = PR_TRUE; 1944 *added = PR_TRUE; 1945 return SECSuccess; 1946 } 1947 1948 const char * 1949 ssl3_mapCertificateCompressionAlgorithmToName(const sslSocket *ss, SSLCertificateCompressionAlgorithmID alg) 1950 { 1951 for (int i = 0; i < ss->ssl3.supportedCertCompressionAlgorithmsCount; i++) { 1952 if (ss->ssl3.supportedCertCompressionAlgorithms[i].id == alg) { 1953 return ss->ssl3.supportedCertCompressionAlgorithms[i].name; 1954 } 1955 } 1956 return "unknown"; 1957 } 1958 1959 SECStatus 1960 ssl3_HandleCertificateCompressionXtn(const sslSocket *ss, 1961 TLSExtensionData *xtnData, 1962 SECItem *data) 1963 { 1964 /* This extension is only supported with TLS 1.3 [RFC8446] and newer; 1965 * if TLS 1.2 [RFC5246] or earlier is negotiated, the peers MUST ignore this extension. 1966 */ 1967 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { 1968 SSL_TRC(50, ("%d: TLS13[%d]: ignore certificate_compression extension", 1969 SSL_GETPID(), ss->fd)); 1970 return SECSuccess; 1971 } 1972 1973 SECStatus rv = SECFailure; 1974 PRUint32 lengthSupportedAlgorithms = 0; 1975 PRUint32 certComprAlgId = 0; 1976 1977 SSL_TRC(30, ("%d: TLS13[%d]: %s handles certificate_compression_algorithm extension", 1978 SSL_GETPID(), ss->fd, SSL_ROLE(ss))); 1979 1980 rv = ssl3_ExtConsumeHandshakeNumber(ss, &lengthSupportedAlgorithms, 1, &data->data, &data->len); 1981 if (rv != SECSuccess) { 1982 goto alert_loser; 1983 } 1984 1985 /* Each of the algorithm is 2 bytes. */ 1986 if (lengthSupportedAlgorithms % 2 != 0) { 1987 goto alert_loser; 1988 } 1989 1990 if (data->len != lengthSupportedAlgorithms) { 1991 goto alert_loser; 1992 } 1993 1994 SECStatus algFound = SECFailure; 1995 1996 /* We use the first common algorithm we found. */ 1997 for (int i = 0; i < lengthSupportedAlgorithms / 2; i++) { 1998 rv = ssl3_ExtConsumeHandshakeNumber(ss, &certComprAlgId, 2, &data->data, &data->len); 1999 if (rv != SECSuccess) { 2000 goto alert_loser; 2001 } 2002 2003 SSLCertificateCompressionAlgorithmID alg = (SSLCertificateCompressionAlgorithmID)certComprAlgId; 2004 if (alg == 0) { 2005 SSL_TRC(50, ("%d: TLS13[%d]: certificate compression ignores reserved algorithm %02x", 2006 SSL_GETPID(), ss->fd, alg)); 2007 continue; 2008 } 2009 2010 for (int j = 0; j < ss->ssl3.supportedCertCompressionAlgorithmsCount; j++) { 2011 if (ss->ssl3.supportedCertCompressionAlgorithms[j].id == alg) { 2012 xtnData->compressionAlg = alg; 2013 xtnData->negotiated[xtnData->numNegotiated++] = ssl_certificate_compression_xtn; 2014 algFound = SECSuccess; 2015 break; 2016 } 2017 } 2018 2019 if (algFound == SECSuccess) { 2020 break; 2021 } 2022 } 2023 2024 if (algFound == SECSuccess) { 2025 SSL_TRC(30, ("%d: TLS13[%d]: %s established certificate compression algorithm %s", 2026 SSL_GETPID(), ss->fd, SSL_ROLE(ss), 2027 ssl3_mapCertificateCompressionAlgorithmToName(ss, xtnData->compressionAlg))); 2028 } else { 2029 SSL_TRC(30, ("%d: TLS13[%d]: no common certificate compression algorithms found on the %s side", 2030 SSL_GETPID(), ss->fd, SSL_ROLE(ss))); 2031 } 2032 2033 return SECSuccess; 2034 2035 alert_loser: 2036 ssl3_ExtDecodeError(ss); 2037 return SECFailure; 2038 }