summaryrefslogtreecommitdiffstats
path: root/security/nss/lib/ssl/ssl3exthandle.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/lib/ssl/ssl3exthandle.c')
-rw-r--r--security/nss/lib/ssl/ssl3exthandle.c2004
1 files changed, 2004 insertions, 0 deletions
diff --git a/security/nss/lib/ssl/ssl3exthandle.c b/security/nss/lib/ssl/ssl3exthandle.c
new file mode 100644
index 0000000000..cafddd81fd
--- /dev/null
+++ b/security/nss/lib/ssl/ssl3exthandle.c
@@ -0,0 +1,2004 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nssrenam.h"
+#include "nss.h"
+#include "ssl.h"
+#include "sslproto.h"
+#include "sslimpl.h"
+#include "pk11pub.h"
+#include "blapit.h"
+#include "prinit.h"
+#include "selfencrypt.h"
+#include "ssl3ext.h"
+#include "ssl3exthandle.h"
+#include "tls13ech.h"
+#include "tls13exthandle.h" /* For tls13_ServerSendStatusRequestXtn. */
+
+PRBool
+ssl_ShouldSendSNIExtension(const sslSocket *ss, const char *url)
+{
+ PRNetAddr netAddr;
+
+ /* must have a hostname */
+ if (!url || !url[0]) {
+ return PR_FALSE;
+ }
+ /* must not be an IPv4 or IPv6 address */
+ if (PR_SUCCESS == PR_StringToNetAddr(url, &netAddr)) {
+ /* is an IP address (v4 or v6) */
+ return PR_FALSE;
+ }
+
+ return PR_TRUE;
+}
+
+/* Format an SNI extension, using the name from the socket's URL,
+ * unless that name is a dotted decimal string.
+ * Used by client and server.
+ */
+SECStatus
+ssl3_ClientFormatServerNameXtn(const sslSocket *ss, const char *url,
+ unsigned int len, TLSExtensionData *xtnData,
+ sslBuffer *buf)
+{
+ SECStatus rv;
+
+ /* length of server_name_list */
+ rv = sslBuffer_AppendNumber(buf, len + 3, 2);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ /* Name Type (sni_host_name) */
+ rv = sslBuffer_AppendNumber(buf, 0, 1);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ /* HostName (length and value) */
+ rv = sslBuffer_AppendVariable(buf, (const PRUint8 *)url, len, 2);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+
+ return SECSuccess;
+}
+
+SECStatus
+ssl3_ClientSendServerNameXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+ sslBuffer *buf, PRBool *added)
+{
+ SECStatus rv;
+
+ const char *url = ss->url;
+
+ if (!ssl_ShouldSendSNIExtension(ss, url)) {
+ return SECSuccess;
+ }
+
+ /* If ECH, write the public name. The real server name
+ * is emplaced while constructing CHInner extensions. */
+ sslEchConfig *cfg = (sslEchConfig *)PR_LIST_HEAD(&ss->echConfigs);
+ const char *sniContents = PR_CLIST_IS_EMPTY(&ss->echConfigs) ? url : cfg->contents.publicName;
+ rv = ssl3_ClientFormatServerNameXtn(ss, sniContents, strlen(sniContents), xtnData, buf);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+
+ *added = PR_TRUE;
+ return SECSuccess;
+}
+
+SECStatus
+ssl3_HandleServerNameXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+ SECItem *data)
+{
+ SECItem *names = NULL;
+ PRUint32 listLenBytes = 0;
+ SECStatus rv;
+
+ if (!ss->sec.isServer) {
+ return SECSuccess; /* ignore extension */
+ }
+
+ /* Server side - consume client data and register server sender. */
+ /* do not parse the data if don't have user extension handling function. */
+ if (!ss->sniSocketConfig) {
+ return SECSuccess;
+ }
+
+ /* length of server_name_list */
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &listLenBytes, 2, &data->data, &data->len);
+ if (rv != SECSuccess) {
+ goto loser; /* alert already sent */
+ }
+ if (listLenBytes == 0 || listLenBytes != data->len) {
+ goto alert_loser;
+ }
+
+ /* Read ServerNameList. */
+ while (data->len > 0) {
+ SECItem tmp;
+ PRUint32 type;
+
+ /* Read Name Type. */
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &type, 1, &data->data, &data->len);
+ if (rv != SECSuccess) {
+ /* alert sent in ConsumeHandshakeNumber */
+ goto loser;
+ }
+
+ /* Read ServerName (length and value). */
+ rv = ssl3_ExtConsumeHandshakeVariable(ss, &tmp, 2, &data->data, &data->len);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ /* Record the value for host_name(0). */
+ if (type == sni_nametype_hostname) {
+ /* Fail if we encounter a second host_name entry. */
+ if (names) {
+ goto alert_loser;
+ }
+
+ /* Create an array for the only supported NameType. */
+ names = PORT_ZNewArray(SECItem, 1);
+ if (!names) {
+ goto loser;
+ }
+
+ /* Copy ServerName into the array. */
+ if (SECITEM_CopyItem(NULL, &names[0], &tmp) != SECSuccess) {
+ goto loser;
+ }
+ }
+
+ /* Even if we don't support NameTypes other than host_name at the
+ * moment, we continue parsing the whole list to check its validity.
+ * We do not check for duplicate entries with NameType != host_name(0).
+ */
+ }
+ if (names) {
+ /* Free old and set the new data. */
+ ssl3_FreeSniNameArray(xtnData);
+ xtnData->sniNameArr = names;
+ xtnData->sniNameArrSize = 1;
+ xtnData->negotiated[xtnData->numNegotiated++] = ssl_server_name_xtn;
+ }
+ return SECSuccess;
+
+alert_loser:
+ ssl3_ExtDecodeError(ss);
+loser:
+ if (names) {
+ PORT_Free(names);
+ }
+ return SECFailure;
+}
+
+/* Frees a given xtnData->sniNameArr and its elements. */
+void
+ssl3_FreeSniNameArray(TLSExtensionData *xtnData)
+{
+ PRUint32 i;
+
+ if (!xtnData->sniNameArr) {
+ return;
+ }
+
+ for (i = 0; i < xtnData->sniNameArrSize; i++) {
+ SECITEM_FreeItem(&xtnData->sniNameArr[i], PR_FALSE);
+ }
+
+ PORT_Free(xtnData->sniNameArr);
+ xtnData->sniNameArr = NULL;
+ xtnData->sniNameArrSize = 0;
+}
+
+/* Called by both clients and servers.
+ * Clients sends a filled in session ticket if one is available, and otherwise
+ * sends an empty ticket. Servers always send empty tickets.
+ */
+SECStatus
+ssl3_ClientSendSessionTicketXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+ sslBuffer *buf, PRBool *added)
+{
+ NewSessionTicket *session_ticket = NULL;
+ sslSessionID *sid = ss->sec.ci.sid;
+ SECStatus rv;
+
+ PORT_Assert(!ss->sec.isServer);
+
+ /* Never send an extension with a ticket for TLS 1.3, but
+ * OK to send the empty one in case the server does 1.2. */
+ if ((sid->cached == in_client_cache || sid->cached == in_external_cache) &&
+ sid->version >= SSL_LIBRARY_VERSION_TLS_1_3) {
+ return SECSuccess;
+ }
+
+ /* Ignore the SessionTicket extension if processing is disabled. */
+ if (!ss->opt.enableSessionTickets) {
+ return SECSuccess;
+ }
+
+ /* Send a session ticket if one is available.
+ *
+ * The caller must be holding sid->u.ssl3.lock for reading. We cannot
+ * just acquire and release the lock within this function because the
+ * caller will call this function twice, and we need the inputs to be
+ * consistent between the two calls. Note that currently the caller
+ * will only be holding the lock when we are the client and when we're
+ * attempting to resume an existing session.
+ */
+ session_ticket = &sid->u.ssl3.locked.sessionTicket;
+ if (session_ticket->ticket.data &&
+ (xtnData->ticketTimestampVerified ||
+ ssl_TicketTimeValid(ss, session_ticket))) {
+
+ xtnData->ticketTimestampVerified = PR_FALSE;
+
+ rv = sslBuffer_Append(buf, session_ticket->ticket.data,
+ session_ticket->ticket.len);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+
+ xtnData->sentSessionTicketInClientHello = PR_TRUE;
+ }
+
+ *added = PR_TRUE;
+ return SECSuccess;
+}
+
+PRBool
+ssl_AlpnTagAllowed(const sslSocket *ss, const SECItem *tag)
+{
+ const unsigned char *data = ss->opt.nextProtoNego.data;
+ unsigned int length = ss->opt.nextProtoNego.len;
+ unsigned int offset = 0;
+
+ if (!tag->len)
+ return PR_TRUE;
+
+ while (offset < length) {
+ unsigned int taglen = (unsigned int)data[offset];
+ if ((taglen == tag->len) &&
+ !PORT_Memcmp(data + offset + 1, tag->data, tag->len))
+ return PR_TRUE;
+ offset += 1 + taglen;
+ }
+
+ return PR_FALSE;
+}
+
+/* ssl3_ValidateAppProtocol checks that the given block of data is valid: none
+ * of the lengths may be 0 and the sum of the lengths must equal the length of
+ * the block. */
+SECStatus
+ssl3_ValidateAppProtocol(const unsigned char *data, unsigned int length)
+{
+ unsigned int offset = 0;
+
+ while (offset < length) {
+ unsigned int newOffset = offset + 1 + (unsigned int)data[offset];
+ /* Reject embedded nulls to protect against buggy applications that
+ * store protocol identifiers in null-terminated strings.
+ */
+ if (newOffset > length || data[offset] == 0) {
+ return SECFailure;
+ }
+ offset = newOffset;
+ }
+
+ return SECSuccess;
+}
+
+/* Protocol selection handler for ALPN. */
+static SECStatus
+ssl3_SelectAppProtocol(const sslSocket *ss, TLSExtensionData *xtnData,
+ PRUint16 extension, SECItem *data)
+{
+ SECStatus rv;
+ unsigned char resultBuffer[255];
+ SECItem result = { siBuffer, resultBuffer, 0 };
+
+ rv = ssl3_ValidateAppProtocol(data->data, data->len);
+ if (rv != SECSuccess) {
+ ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
+ PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
+ return SECFailure;
+ }
+
+ PORT_Assert(ss->nextProtoCallback);
+ /* Neither the cipher suite nor ECH are selected yet Note that extensions
+ * sometimes affect what cipher suite is selected, e.g., for ECC. */
+ PORT_Assert((ss->ssl3.hs.preliminaryInfo &
+ ssl_preinfo_all & ~ssl_preinfo_cipher_suite & ~ssl_preinfo_ech) ==
+ (ssl_preinfo_all & ~ssl_preinfo_cipher_suite & ~ssl_preinfo_ech));
+ /* The callback has to make sure that either rv != SECSuccess or that result
+ * is not set if there is no common protocol. */
+ rv = ss->nextProtoCallback(ss->nextProtoArg, ss->fd, data->data, data->len,
+ result.data, &result.len, sizeof(resultBuffer));
+ if (rv != SECSuccess) {
+ /* Expect callback to call PORT_SetError() */
+ ssl3_ExtSendAlert(ss, alert_fatal, internal_error);
+ return SECFailure;
+ }
+
+ /* If the callback wrote more than allowed to |result| it has corrupted our
+ * stack. */
+ if (result.len > sizeof(resultBuffer)) {
+ PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+ PORT_Assert(PR_FALSE);
+ return SECFailure;
+ }
+
+ SECITEM_FreeItem(&xtnData->nextProto, PR_FALSE);
+
+ if (result.len < 1 || !result.data) {
+ /* Check that we actually got a result. */
+ ssl3_ExtSendAlert(ss, alert_fatal, no_application_protocol);
+ PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL);
+ return SECFailure;
+ }
+
+ xtnData->nextProtoState = SSL_NEXT_PROTO_NEGOTIATED;
+ xtnData->negotiated[xtnData->numNegotiated++] = extension;
+ return SECITEM_CopyItem(NULL, &xtnData->nextProto, &result);
+}
+
+/* handle an incoming ALPN extension at the server */
+SECStatus
+ssl3_ServerHandleAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+ SECItem *data)
+{
+ PRUint32 count;
+ SECStatus rv;
+
+ /* We expressly don't want to allow ALPN on renegotiation,
+ * despite it being permitted by the spec. */
+ if (ss->firstHsDone || data->len == 0) {
+ /* Clients MUST send a non-empty ALPN extension. */
+ ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
+ PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
+ return SECFailure;
+ }
+
+ /* ALPN has extra redundant length information so that
+ * the extension is the same in both ClientHello and ServerHello. */
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &count, 2, &data->data, &data->len);
+ if (rv != SECSuccess || count != data->len) {
+ ssl3_ExtDecodeError(ss);
+ return SECFailure;
+ }
+
+ if (!ss->nextProtoCallback) {
+ /* we're not configured for it */
+ return SECSuccess;
+ }
+
+ rv = ssl3_SelectAppProtocol(ss, xtnData, ssl_app_layer_protocol_xtn, data);
+ if (rv != SECSuccess) {
+ return rv;
+ }
+
+ /* prepare to send back a response, if we negotiated */
+ if (xtnData->nextProtoState == SSL_NEXT_PROTO_NEGOTIATED) {
+ rv = ssl3_RegisterExtensionSender(ss, xtnData,
+ ssl_app_layer_protocol_xtn,
+ ssl3_ServerSendAppProtoXtn);
+ if (rv != SECSuccess) {
+ ssl3_ExtSendAlert(ss, alert_fatal, internal_error);
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return rv;
+ }
+ }
+ return SECSuccess;
+}
+
+SECStatus
+ssl3_ClientHandleAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+ SECItem *data)
+{
+ SECStatus rv;
+ PRUint32 list_len;
+ SECItem protocol_name;
+
+ if (ssl3_ExtensionNegotiated(ss, ssl_next_proto_nego_xtn)) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+
+ /* The extension data from the server has the following format:
+ * uint16 name_list_len;
+ * uint8 len; // where len >= 1
+ * uint8 protocol_name[len]; */
+ if (data->len < 4 || data->len > 2 + 1 + 255) {
+ ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
+ PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
+ return SECFailure;
+ }
+
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &list_len, 2, &data->data,
+ &data->len);
+ /* The list has to be the entire extension. */
+ if (rv != SECSuccess || list_len != data->len) {
+ ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
+ PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
+ return SECFailure;
+ }
+
+ rv = ssl3_ExtConsumeHandshakeVariable(ss, &protocol_name, 1,
+ &data->data, &data->len);
+ /* The list must have exactly one value. */
+ if (rv != SECSuccess || data->len != 0) {
+ ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
+ PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
+ return SECFailure;
+ }
+
+ if (!ssl_AlpnTagAllowed(ss, &protocol_name)) {
+ ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
+ PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
+ return SECFailure;
+ }
+
+ SECITEM_FreeItem(&xtnData->nextProto, PR_FALSE);
+ xtnData->nextProtoState = SSL_NEXT_PROTO_SELECTED;
+ xtnData->negotiated[xtnData->numNegotiated++] = ssl_app_layer_protocol_xtn;
+ return SECITEM_CopyItem(NULL, &xtnData->nextProto, &protocol_name);
+}
+
+SECStatus
+ssl3_ClientSendAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+ sslBuffer *buf, PRBool *added)
+{
+ SECStatus rv;
+
+ /* Renegotiations do not send this extension. */
+ if (!ss->opt.enableALPN || !ss->opt.nextProtoNego.len || ss->firstHsDone) {
+ PR_ASSERT(!ss->opt.nextProtoNego.data);
+ return SECSuccess;
+ }
+ PRBool addGrease = ss->opt.enableGrease && ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3;
+
+ /* The list of protocol strings is prefixed with a 2-byte length */
+ rv = sslBuffer_AppendNumber(buf, ss->opt.nextProtoNego.len + (addGrease ? 3 : 0), 2);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ /* The list of protocol strings */
+ rv = sslBuffer_Append(buf, ss->opt.nextProtoNego.data, ss->opt.nextProtoNego.len);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ /* A client MAY select one or more GREASE ALPN identifiers and advertise
+ * them in the "application_layer_protocol_negotiation" extension, if sent
+ * [RFC8701, Section 3.1]. */
+ if (addGrease) {
+ rv = sslBuffer_AppendNumber(buf, 2, 1);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ rv = sslBuffer_AppendNumber(buf, ss->ssl3.hs.grease->idx[grease_alpn], 2);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ }
+
+ *added = PR_TRUE;
+ return SECSuccess;
+}
+
+SECStatus
+ssl3_ServerSendAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+ sslBuffer *buf, PRBool *added)
+{
+ SECStatus rv;
+
+ /* We're in over our heads if any of these fail */
+ PORT_Assert(ss->opt.enableALPN);
+ PORT_Assert(xtnData->nextProto.data);
+ PORT_Assert(xtnData->nextProto.len > 0);
+ PORT_Assert(xtnData->nextProtoState == SSL_NEXT_PROTO_NEGOTIATED);
+ PORT_Assert(!ss->firstHsDone);
+
+ rv = sslBuffer_AppendNumber(buf, xtnData->nextProto.len + 1, 2);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ rv = sslBuffer_AppendVariable(buf, xtnData->nextProto.data,
+ xtnData->nextProto.len, 1);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+
+ *added = PR_TRUE;
+ return SECSuccess;
+}
+
+SECStatus
+ssl3_ServerHandleStatusRequestXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+ SECItem *data)
+{
+ sslExtensionBuilderFunc sender;
+
+ PORT_Assert(ss->sec.isServer);
+
+ /* remember that we got this extension. */
+ xtnData->negotiated[xtnData->numNegotiated++] = ssl_cert_status_xtn;
+
+ if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) {
+ sender = tls13_ServerSendStatusRequestXtn;
+ } else {
+ sender = ssl3_ServerSendStatusRequestXtn;
+ }
+ return ssl3_RegisterExtensionSender(ss, xtnData, ssl_cert_status_xtn, sender);
+}
+
+SECStatus
+ssl3_ServerSendStatusRequestXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+ sslBuffer *buf, PRBool *added)
+{
+ const sslServerCert *serverCert = ss->sec.serverCert;
+
+ if (!serverCert->certStatusArray ||
+ !serverCert->certStatusArray->len) {
+ return SECSuccess;
+ }
+
+ *added = PR_TRUE;
+ return SECSuccess;
+}
+
+/* ssl3_ClientSendStatusRequestXtn builds the status_request extension on the
+ * client side. See RFC 6066 section 8. */
+SECStatus
+ssl3_ClientSendStatusRequestXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+ sslBuffer *buf, PRBool *added)
+{
+ SECStatus rv;
+
+ if (!ss->opt.enableOCSPStapling) {
+ return SECSuccess;
+ }
+
+ rv = sslBuffer_AppendNumber(buf, 1 /* status_type ocsp */, 1);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ /* A zero length responder_id_list means that the responders are
+ * implicitly known to the server. */
+ rv = sslBuffer_AppendNumber(buf, 0, 2);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ /* A zero length request_extensions means that there are no extensions.
+ * Specifically, we don't set the id-pkix-ocsp-nonce extension. This
+ * means that the server can replay a cached OCSP response to us. */
+ rv = sslBuffer_AppendNumber(buf, 0, 2);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+
+ *added = PR_TRUE;
+ return SECSuccess;
+}
+
+SECStatus
+ssl3_ClientHandleStatusRequestXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+ SECItem *data)
+{
+ /* In TLS 1.3, the extension carries the OCSP response. */
+ if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) {
+ SECStatus rv;
+ rv = ssl_ReadCertificateStatus(CONST_CAST(sslSocket, ss),
+ data->data, data->len);
+ if (rv != SECSuccess) {
+ return SECFailure; /* code already set */
+ }
+ } else if (data->len != 0) {
+ ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
+ PORT_SetError(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
+ return SECFailure;
+ }
+
+ /* Keep track of negotiated extensions. */
+ xtnData->negotiated[xtnData->numNegotiated++] = ssl_cert_status_xtn;
+ return SECSuccess;
+}
+
+#define TLS_EX_SESS_TICKET_VERSION (0x010a)
+
+/*
+ * Called from ssl3_SendNewSessionTicket, tls13_SendNewSessionTicket
+ */
+SECStatus
+ssl3_EncodeSessionTicket(sslSocket *ss, const NewSessionTicket *ticket,
+ const PRUint8 *appToken, unsigned int appTokenLen,
+ PK11SymKey *secret, SECItem *ticket_data)
+{
+ SECStatus rv;
+ sslBuffer plaintext = SSL_BUFFER_EMPTY;
+ SECItem ticket_buf = { 0, NULL, 0 };
+ sslSessionID sid;
+ unsigned char wrapped_ms[SSL3_MASTER_SECRET_LENGTH];
+ SECItem ms_item = { 0, NULL, 0 };
+ PRTime now;
+ SECItem *srvName = NULL;
+ CK_MECHANISM_TYPE msWrapMech;
+ SECItem *alpnSelection = NULL;
+ PRUint32 ticketAgeBaseline;
+
+ SSL_TRC(3, ("%d: SSL3[%d]: send session_ticket handshake",
+ SSL_GETPID(), ss->fd));
+
+ PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
+ PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+
+ /* Extract the master secret wrapped. */
+
+ PORT_Memset(&sid, 0, sizeof(sslSessionID));
+
+ PORT_Assert(secret);
+ rv = ssl3_CacheWrappedSecret(ss, &sid, secret);
+ if (rv == SECSuccess) {
+ if (sid.u.ssl3.keys.wrapped_master_secret_len > sizeof(wrapped_ms))
+ goto loser;
+ memcpy(wrapped_ms, sid.u.ssl3.keys.wrapped_master_secret,
+ sid.u.ssl3.keys.wrapped_master_secret_len);
+ ms_item.data = wrapped_ms;
+ ms_item.len = sid.u.ssl3.keys.wrapped_master_secret_len;
+ msWrapMech = sid.u.ssl3.masterWrapMech;
+ } else {
+ /* TODO: else send an empty ticket. */
+ goto loser;
+ }
+ /* Prep to send negotiated name */
+ srvName = &ss->sec.ci.sid->u.ssl3.srvName;
+
+ /* ticket version */
+ rv = sslBuffer_AppendNumber(&plaintext, TLS_EX_SESS_TICKET_VERSION,
+ sizeof(PRUint16));
+ if (rv != SECSuccess)
+ goto loser;
+
+ /* ssl_version */
+ rv = sslBuffer_AppendNumber(&plaintext, ss->version,
+ sizeof(SSL3ProtocolVersion));
+ if (rv != SECSuccess)
+ goto loser;
+
+ /* ciphersuite */
+ rv = sslBuffer_AppendNumber(&plaintext, ss->ssl3.hs.cipher_suite,
+ sizeof(ssl3CipherSuite));
+ if (rv != SECSuccess)
+ goto loser;
+
+ /* cipher spec parameters */
+ rv = sslBuffer_AppendNumber(&plaintext, ss->sec.authType, 1);
+ if (rv != SECSuccess)
+ goto loser;
+ rv = sslBuffer_AppendNumber(&plaintext, ss->sec.authKeyBits, 4);
+ if (rv != SECSuccess)
+ goto loser;
+ rv = sslBuffer_AppendNumber(&plaintext, ss->sec.keaType, 1);
+ if (rv != SECSuccess)
+ goto loser;
+ rv = sslBuffer_AppendNumber(&plaintext, ss->sec.keaKeyBits, 4);
+ if (rv != SECSuccess)
+ goto loser;
+ if (ss->sec.keaGroup) {
+ rv = sslBuffer_AppendNumber(&plaintext, ss->sec.keaGroup->name, 4);
+ if (rv != SECSuccess)
+ goto loser;
+ } else {
+ /* No kea group. Write 0 as invalid value. */
+ rv = sslBuffer_AppendNumber(&plaintext, 0, 4);
+ if (rv != SECSuccess)
+ goto loser;
+ }
+ rv = sslBuffer_AppendNumber(&plaintext, ss->sec.signatureScheme, 4);
+ if (rv != SECSuccess)
+ goto loser;
+
+ /* certificate type */
+ PORT_Assert(SSL_CERT_IS(ss->sec.serverCert, ss->sec.authType));
+ if (SSL_CERT_IS_EC(ss->sec.serverCert)) {
+ const sslServerCert *cert = ss->sec.serverCert;
+ PORT_Assert(cert->namedCurve);
+ /* EC curves only use the second of the two bytes. */
+ PORT_Assert(cert->namedCurve->name < 256);
+ rv = sslBuffer_AppendNumber(&plaintext, cert->namedCurve->name, 1);
+ } else {
+ rv = sslBuffer_AppendNumber(&plaintext, 0, 1);
+ }
+ if (rv != SECSuccess)
+ goto loser;
+
+ /* master_secret */
+ rv = sslBuffer_AppendNumber(&plaintext, msWrapMech, 4);
+ if (rv != SECSuccess)
+ goto loser;
+ rv = sslBuffer_AppendVariable(&plaintext, ms_item.data, ms_item.len, 2);
+ if (rv != SECSuccess)
+ goto loser;
+
+ /* client identity */
+ if (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) {
+ rv = sslBuffer_AppendNumber(&plaintext, CLIENT_AUTH_CERTIFICATE, 1);
+ if (rv != SECSuccess)
+ goto loser;
+ rv = sslBuffer_AppendVariable(&plaintext,
+ ss->sec.ci.sid->peerCert->derCert.data,
+ ss->sec.ci.sid->peerCert->derCert.len, 2);
+ if (rv != SECSuccess)
+ goto loser;
+ } else {
+ rv = sslBuffer_AppendNumber(&plaintext, 0, 1);
+ if (rv != SECSuccess)
+ goto loser;
+ }
+
+ /* timestamp */
+ now = ssl_Time(ss);
+ PORT_Assert(sizeof(now) == 8);
+ rv = sslBuffer_AppendNumber(&plaintext, now, 8);
+ if (rv != SECSuccess)
+ goto loser;
+
+ /* HostName (length and value) */
+ rv = sslBuffer_AppendVariable(&plaintext, srvName->data, srvName->len, 2);
+ if (rv != SECSuccess)
+ goto loser;
+
+ /* extendedMasterSecretUsed */
+ rv = sslBuffer_AppendNumber(
+ &plaintext, ss->sec.ci.sid->u.ssl3.keys.extendedMasterSecretUsed, 1);
+ if (rv != SECSuccess)
+ goto loser;
+
+ /* Flags */
+ rv = sslBuffer_AppendNumber(&plaintext, ticket->flags,
+ sizeof(ticket->flags));
+ if (rv != SECSuccess)
+ goto loser;
+
+ /* ALPN value. */
+ PORT_Assert(ss->xtnData.nextProtoState == SSL_NEXT_PROTO_SELECTED ||
+ ss->xtnData.nextProtoState == SSL_NEXT_PROTO_NEGOTIATED ||
+ ss->xtnData.nextProto.len == 0);
+ alpnSelection = &ss->xtnData.nextProto;
+ PORT_Assert(alpnSelection->len < 256);
+ rv = sslBuffer_AppendVariable(&plaintext, alpnSelection->data,
+ alpnSelection->len, 1);
+ if (rv != SECSuccess)
+ goto loser;
+
+ rv = sslBuffer_AppendNumber(&plaintext, ss->opt.maxEarlyDataSize, 4);
+ if (rv != SECSuccess)
+ goto loser;
+
+ /*
+ * We store this in the ticket:
+ * ticket_age_baseline = 1rtt - ticket_age_add
+ *
+ * When the client resumes, it will provide:
+ * obfuscated_age = ticket_age_client + ticket_age_add
+ *
+ * We expect to receive the ticket at:
+ * ticket_create + 1rtt + ticket_age_server
+ *
+ * We calculate the client's estimate of this as:
+ * ticket_create + ticket_age_baseline + obfuscated_age
+ * = ticket_create + 1rtt + ticket_age_client
+ *
+ * This is compared to the expected time, which should differ only as a
+ * result of clock errors or errors in the RTT estimate.
+ */
+ ticketAgeBaseline = ss->ssl3.hs.rttEstimate / PR_USEC_PER_MSEC;
+ ticketAgeBaseline -= ticket->ticket_age_add;
+ rv = sslBuffer_AppendNumber(&plaintext, ticketAgeBaseline, 4);
+ if (rv != SECSuccess)
+ goto loser;
+
+ /* Application token */
+ rv = sslBuffer_AppendVariable(&plaintext, appToken, appTokenLen, 2);
+ if (rv != SECSuccess)
+ goto loser;
+
+ /* This really only happens if appTokenLen is too much, and that always
+ * comes from the using application. */
+ if (SSL_BUFFER_LEN(&plaintext) > 0xffff) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ goto loser;
+ }
+
+ ticket_buf.len = ssl_SelfEncryptGetProtectedSize(SSL_BUFFER_LEN(&plaintext));
+ PORT_Assert(ticket_buf.len > 0);
+ if (SECITEM_AllocItem(NULL, &ticket_buf, ticket_buf.len) == NULL) {
+ goto loser;
+ }
+
+ /* Finally, encrypt the ticket. */
+ rv = ssl_SelfEncryptProtect(ss, SSL_BUFFER_BASE(&plaintext),
+ SSL_BUFFER_LEN(&plaintext),
+ ticket_buf.data, &ticket_buf.len, ticket_buf.len);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ /* Give ownership of memory to caller. */
+ *ticket_data = ticket_buf;
+
+ sslBuffer_Clear(&plaintext);
+ return SECSuccess;
+
+loser:
+ sslBuffer_Clear(&plaintext);
+ if (ticket_buf.data) {
+ SECITEM_FreeItem(&ticket_buf, PR_FALSE);
+ }
+
+ return SECFailure;
+}
+
+/* When a client receives a SessionTicket extension a NewSessionTicket
+ * message is expected during the handshake.
+ */
+SECStatus
+ssl3_ClientHandleSessionTicketXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+ SECItem *data)
+{
+ PORT_Assert(ss->version < SSL_LIBRARY_VERSION_TLS_1_3);
+
+ if (data->len != 0) {
+ return SECSuccess; /* Ignore the extension. */
+ }
+
+ /* Keep track of negotiated extensions. */
+ xtnData->negotiated[xtnData->numNegotiated++] = ssl_session_ticket_xtn;
+ return SECSuccess;
+}
+
+PR_STATIC_ASSERT((TLS_EX_SESS_TICKET_VERSION >> 8) == 1);
+
+static SECStatus
+ssl_ParseSessionTicket(sslSocket *ss, const SECItem *decryptedTicket,
+ SessionTicket *parsedTicket)
+{
+ PRUint32 temp;
+ SECStatus rv;
+
+ PRUint8 *buffer = decryptedTicket->data;
+ unsigned int len = decryptedTicket->len;
+
+ PORT_Memset(parsedTicket, 0, sizeof(*parsedTicket));
+ parsedTicket->valid = PR_FALSE;
+
+ /* If the decrypted ticket is empty, then report success, but leave the
+ * ticket marked as invalid. */
+ if (decryptedTicket->len == 0) {
+ return SECSuccess;
+ }
+
+ /* Read ticket version. */
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 2, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+
+ /* All ticket versions start with 0x01, so check to see if this
+ * is a ticket or some other self-encrypted thing. */
+ if ((temp >> 8) != 1) {
+ PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
+ return SECFailure;
+ }
+ /* Skip the ticket if the version is wrong. This won't result in a
+ * handshake failure, just a failure to resume. */
+ if (temp != TLS_EX_SESS_TICKET_VERSION) {
+ return SECSuccess;
+ }
+
+ /* Read SSLVersion. */
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 2, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ parsedTicket->ssl_version = (SSL3ProtocolVersion)temp;
+ if (!ssl3_VersionIsSupported(ss->protocolVariant,
+ parsedTicket->ssl_version)) {
+ /* This socket doesn't support the version from the ticket. */
+ return SECSuccess;
+ }
+
+ /* Read cipher_suite. */
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 2, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ parsedTicket->cipher_suite = (ssl3CipherSuite)temp;
+
+ /* Read cipher spec parameters. */
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+
+#ifndef UNSAFE_FUZZER_MODE
+ PORT_Assert(temp < ssl_auth_size);
+#else
+ temp %= (8 * sizeof(SSLAuthType)) - 1;
+#endif
+
+ parsedTicket->authType = (SSLAuthType)temp;
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ parsedTicket->authKeyBits = temp;
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ parsedTicket->keaType = (SSLKEAType)temp;
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ parsedTicket->keaKeyBits = temp;
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ parsedTicket->originalKeaGroup = temp;
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ parsedTicket->signatureScheme = (SSLSignatureScheme)temp;
+
+ /* Read the optional named curve. */
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ if (parsedTicket->authType == ssl_auth_ecdsa ||
+ parsedTicket->authType == ssl_auth_ecdh_rsa ||
+ parsedTicket->authType == ssl_auth_ecdh_ecdsa) {
+ const sslNamedGroupDef *group =
+ ssl_LookupNamedGroup((SSLNamedGroup)temp);
+ if (!group || group->keaType != ssl_kea_ecdh) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ parsedTicket->namedCurve = group;
+ }
+
+ /* Read the master secret (and how it is wrapped). */
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ parsedTicket->msWrapMech = (CK_MECHANISM_TYPE)temp;
+
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 2, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ if (temp == 0 || temp > sizeof(parsedTicket->master_secret)) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ parsedTicket->ms_length = (PRUint16)temp;
+
+ /* Read the master secret. */
+ rv = ssl3_ExtConsumeHandshake(ss, parsedTicket->master_secret,
+ parsedTicket->ms_length, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ /* Read client identity */
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ parsedTicket->client_auth_type = (ClientAuthenticationType)temp;
+ switch (parsedTicket->client_auth_type) {
+ case CLIENT_AUTH_ANONYMOUS:
+ break;
+ case CLIENT_AUTH_CERTIFICATE:
+ rv = ssl3_ExtConsumeHandshakeVariable(ss, &parsedTicket->peer_cert, 2,
+ &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ break;
+ default:
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+
+ /* Read timestamp. This is a 64-bit value and
+ * ssl3_ExtConsumeHandshakeNumber only reads 32-bits at a time. */
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+
+ /* Cast to avoid undefined behavior if the top bit is set. */
+ parsedTicket->timestamp = (PRTime)((PRUint64)temp << 32);
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ parsedTicket->timestamp |= (PRTime)temp;
+
+ /* Read server name */
+ rv = ssl3_ExtConsumeHandshakeVariable(ss, &parsedTicket->srvName, 2,
+ &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+
+ /* Read extendedMasterSecretUsed */
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+#ifndef UNSAFE_FUZZER_MODE
+ /* A well-behaving server should only write 0 or 1. */
+ PORT_Assert(temp == PR_TRUE || temp == PR_FALSE);
+#endif
+ parsedTicket->extendedMasterSecretUsed = temp ? PR_TRUE : PR_FALSE;
+
+ rv = ssl3_ExtConsumeHandshake(ss, &temp, 4, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ parsedTicket->flags = PR_ntohl(temp);
+
+ rv = ssl3_ExtConsumeHandshakeVariable(ss, &parsedTicket->alpnSelection, 1,
+ &buffer, &len);
+ PORT_Assert(parsedTicket->alpnSelection.len < 256);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ parsedTicket->maxEarlyData = temp;
+
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ parsedTicket->ticketAgeBaseline = temp;
+
+ rv = ssl3_ExtConsumeHandshakeVariable(ss, &parsedTicket->applicationToken,
+ 2, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+
+#ifndef UNSAFE_FUZZER_MODE
+ /* Done parsing. Check that all bytes have been consumed. */
+ if (len != 0) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+#endif
+
+ parsedTicket->valid = PR_TRUE;
+ return SECSuccess;
+}
+
+static SECStatus
+ssl_CreateSIDFromTicket(sslSocket *ss, const SECItem *rawTicket,
+ SessionTicket *parsedTicket, sslSessionID **out)
+{
+ sslSessionID *sid;
+ SECStatus rv;
+
+ sid = ssl3_NewSessionID(ss, PR_TRUE);
+ if (sid == NULL) {
+ return SECFailure;
+ }
+
+ /* Copy over parameters. */
+ sid->version = parsedTicket->ssl_version;
+ sid->creationTime = parsedTicket->timestamp;
+ sid->u.ssl3.cipherSuite = parsedTicket->cipher_suite;
+ sid->authType = parsedTicket->authType;
+ sid->authKeyBits = parsedTicket->authKeyBits;
+ sid->keaType = parsedTicket->keaType;
+ sid->keaKeyBits = parsedTicket->keaKeyBits;
+ sid->keaGroup = parsedTicket->originalKeaGroup;
+ sid->namedCurve = parsedTicket->namedCurve;
+ sid->sigScheme = parsedTicket->signatureScheme;
+
+ rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.locked.sessionTicket.ticket,
+ rawTicket);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ sid->u.ssl3.locked.sessionTicket.flags = parsedTicket->flags;
+ sid->u.ssl3.locked.sessionTicket.max_early_data_size =
+ parsedTicket->maxEarlyData;
+
+ if (parsedTicket->ms_length >
+ sizeof(sid->u.ssl3.keys.wrapped_master_secret)) {
+ goto loser;
+ }
+ PORT_Memcpy(sid->u.ssl3.keys.wrapped_master_secret,
+ parsedTicket->master_secret, parsedTicket->ms_length);
+ sid->u.ssl3.keys.wrapped_master_secret_len = parsedTicket->ms_length;
+ sid->u.ssl3.masterWrapMech = parsedTicket->msWrapMech;
+ sid->u.ssl3.masterValid = PR_TRUE;
+ sid->u.ssl3.keys.resumable = PR_TRUE;
+ sid->u.ssl3.keys.extendedMasterSecretUsed = parsedTicket->extendedMasterSecretUsed;
+
+ /* Copy over client cert from session ticket if there is one. */
+ if (parsedTicket->peer_cert.data != NULL) {
+ PORT_Assert(!sid->peerCert);
+ sid->peerCert = CERT_NewTempCertificate(ss->dbHandle,
+ &parsedTicket->peer_cert,
+ NULL, PR_FALSE, PR_TRUE);
+ if (!sid->peerCert) {
+ goto loser;
+ }
+ }
+
+ /* Transfer ownership of the remaining items. */
+ if (parsedTicket->srvName.data != NULL) {
+ SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE);
+ rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.srvName,
+ &parsedTicket->srvName);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ }
+ if (parsedTicket->alpnSelection.data != NULL) {
+ SECITEM_FreeItem(&sid->u.ssl3.alpnSelection, PR_FALSE);
+ rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.alpnSelection,
+ &parsedTicket->alpnSelection);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ }
+
+ *out = sid;
+ return SECSuccess;
+
+loser:
+ ssl_FreeSID(sid);
+ return SECFailure;
+}
+
+/* Generic ticket processing code, common to all TLS versions. */
+SECStatus
+ssl3_ProcessSessionTicketCommon(sslSocket *ss, const SECItem *ticket,
+ SECItem *appToken)
+{
+ SECItem decryptedTicket = { siBuffer, NULL, 0 };
+ SessionTicket parsedTicket;
+ sslSessionID *sid = NULL;
+ SECStatus rv;
+
+ if (ss->sec.ci.sid != NULL) {
+ ssl_UncacheSessionID(ss);
+ ssl_FreeSID(ss->sec.ci.sid);
+ ss->sec.ci.sid = NULL;
+ }
+
+ if (!SECITEM_AllocItem(NULL, &decryptedTicket, ticket->len)) {
+ return SECFailure;
+ }
+
+ /* Decrypt the ticket. */
+ rv = ssl_SelfEncryptUnprotect(ss, ticket->data, ticket->len,
+ decryptedTicket.data,
+ &decryptedTicket.len,
+ decryptedTicket.len);
+ if (rv != SECSuccess) {
+ /* Ignore decryption failure if we are doing TLS 1.3; that
+ * means the server rejects the client's resumption
+ * attempt. In TLS 1.2, however, it's a hard failure, unless
+ * it's just because we're not the recipient of the ticket. */
+ if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3 ||
+ PORT_GetError() == SEC_ERROR_NOT_A_RECIPIENT) {
+ SECITEM_ZfreeItem(&decryptedTicket, PR_FALSE);
+ return SECSuccess;
+ }
+
+ SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
+ goto loser;
+ }
+
+ rv = ssl_ParseSessionTicket(ss, &decryptedTicket, &parsedTicket);
+ if (rv != SECSuccess) {
+ SSL3Statistics *ssl3stats;
+
+ SSL_DBG(("%d: SSL[%d]: Session ticket parsing failed.",
+ SSL_GETPID(), ss->fd));
+ ssl3stats = SSL_GetStatistics();
+ SSL_AtomicIncrementLong(&ssl3stats->hch_sid_ticket_parse_failures);
+ goto loser; /* code already set */
+ }
+
+ /* Use the ticket if it is valid and unexpired. */
+ PRTime end = parsedTicket.timestamp + (ssl_ticket_lifetime * PR_USEC_PER_SEC);
+ if (end > ssl_Time(ss)) {
+
+ rv = ssl_CreateSIDFromTicket(ss, ticket, &parsedTicket, &sid);
+ if (rv != SECSuccess) {
+ goto loser; /* code already set */
+ }
+ if (appToken && parsedTicket.applicationToken.len) {
+ rv = SECITEM_CopyItem(NULL, appToken,
+ &parsedTicket.applicationToken);
+ if (rv != SECSuccess) {
+ goto loser; /* code already set */
+ }
+ }
+
+ ss->statelessResume = PR_TRUE;
+ ss->sec.ci.sid = sid;
+
+ /* We have the baseline value for the obfuscated ticket age here. Save
+ * that in xtnData temporarily. This value is updated in
+ * tls13_ServerHandlePreSharedKeyXtn with the final estimate. */
+ ss->xtnData.ticketAge = parsedTicket.ticketAgeBaseline;
+ }
+
+ SECITEM_ZfreeItem(&decryptedTicket, PR_FALSE);
+ PORT_Memset(&parsedTicket, 0, sizeof(parsedTicket));
+ return SECSuccess;
+
+loser:
+ if (sid) {
+ ssl_FreeSID(sid);
+ }
+ SECITEM_ZfreeItem(&decryptedTicket, PR_FALSE);
+ PORT_Memset(&parsedTicket, 0, sizeof(parsedTicket));
+ return SECFailure;
+}
+
+SECStatus
+ssl3_ServerHandleSessionTicketXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+ SECItem *data)
+{
+ PORT_Assert(ss->version < SSL_LIBRARY_VERSION_TLS_1_3);
+
+ /* Ignore the SessionTicket extension if processing is disabled. */
+ if (!ss->opt.enableSessionTickets) {
+ return SECSuccess;
+ }
+
+ /* If we are doing TLS 1.3, then ignore this. */
+ if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) {
+ return SECSuccess;
+ }
+
+ /* Keep track of negotiated extensions. */
+ xtnData->negotiated[xtnData->numNegotiated++] = ssl_session_ticket_xtn;
+
+ /* Parse the received ticket sent in by the client. We are
+ * lenient about some parse errors, falling back to a fullshake
+ * instead of terminating the current connection.
+ */
+ if (data->len == 0) {
+ xtnData->emptySessionTicket = PR_TRUE;
+ return SECSuccess;
+ }
+
+ return ssl3_ProcessSessionTicketCommon(CONST_CAST(sslSocket, ss), data,
+ NULL);
+}
+
+/* Extension format:
+ * Extension number: 2 bytes
+ * Extension length: 2 bytes
+ * Verify Data Length: 1 byte
+ * Verify Data (TLS): 12 bytes (client) or 24 bytes (server)
+ * Verify Data (SSL): 36 bytes (client) or 72 bytes (server)
+ */
+SECStatus
+ssl3_SendRenegotiationInfoXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+ sslBuffer *buf, PRBool *added)
+{
+ PRInt32 len = 0;
+ SECStatus rv;
+
+ /* In RFC 5746, it is NOT RECOMMENDED to send both the SCSV and the empty
+ * RI, so when we send SCSV in the initial handshake, we don't also send RI.
+ */
+ if (ss->ssl3.hs.sendingSCSV) {
+ return 0;
+ }
+ if (ss->firstHsDone) {
+ len = ss->sec.isServer ? ss->ssl3.hs.finishedBytes * 2
+ : ss->ssl3.hs.finishedBytes;
+ }
+
+ /* verify_Data from previous Finished message(s) */
+ rv = sslBuffer_AppendVariable(buf,
+ ss->ssl3.hs.finishedMsgs.data, len, 1);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+
+ *added = PR_TRUE;
+ return SECSuccess;
+}
+
+/* This function runs in both the client and server. */
+SECStatus
+ssl3_HandleRenegotiationInfoXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+ SECItem *data)
+{
+ SECStatus rv = SECSuccess;
+ PRUint32 len = 0;
+
+ PORT_Assert(ss->version < SSL_LIBRARY_VERSION_TLS_1_3);
+
+ if (ss->firstHsDone) {
+ len = ss->sec.isServer ? ss->ssl3.hs.finishedBytes
+ : ss->ssl3.hs.finishedBytes * 2;
+ }
+ if (data->len != 1 + len || data->data[0] != len) {
+ ssl3_ExtDecodeError(ss);
+ return SECFailure;
+ }
+ if (len && NSS_SecureMemcmp(ss->ssl3.hs.finishedMsgs.data,
+ data->data + 1, len)) {
+ ssl3_ExtSendAlert(ss, alert_fatal, handshake_failure);
+ PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
+ return SECFailure;
+ }
+ /* remember that we got this extension and it was correct. */
+ CONST_CAST(sslSocket, ss)
+ ->peerRequestedProtection = 1;
+ xtnData->negotiated[xtnData->numNegotiated++] = ssl_renegotiation_info_xtn;
+ if (ss->sec.isServer) {
+ /* prepare to send back the appropriate response */
+ rv = ssl3_RegisterExtensionSender(ss, xtnData,
+ ssl_renegotiation_info_xtn,
+ ssl3_SendRenegotiationInfoXtn);
+ }
+ return rv;
+}
+
+SECStatus
+ssl3_ClientSendUseSRTPXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+ sslBuffer *buf, PRBool *added)
+{
+ unsigned int i;
+ SECStatus rv;
+
+ if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) {
+ return SECSuccess; /* Not relevant */
+ }
+
+ /* Length of the SRTP cipher list */
+ rv = sslBuffer_AppendNumber(buf, 2 * ss->ssl3.dtlsSRTPCipherCount, 2);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ /* The SRTP ciphers */
+ for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) {
+ rv = sslBuffer_AppendNumber(buf, ss->ssl3.dtlsSRTPCiphers[i], 2);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ }
+ /* Empty MKI value */
+ rv = sslBuffer_AppendNumber(buf, 0, 1);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+
+ *added = PR_TRUE;
+ return SECSuccess;
+}
+
+SECStatus
+ssl3_ServerSendUseSRTPXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+ sslBuffer *buf, PRBool *added)
+{
+ SECStatus rv;
+
+ /* Length of the SRTP cipher list */
+ rv = sslBuffer_AppendNumber(buf, 2, 2);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ /* The selected cipher */
+ rv = sslBuffer_AppendNumber(buf, xtnData->dtlsSRTPCipherSuite, 2);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ /* Empty MKI value */
+ rv = sslBuffer_AppendNumber(buf, 0, 1);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+
+ *added = PR_TRUE;
+ return SECSuccess;
+}
+
+SECStatus
+ssl3_ClientHandleUseSRTPXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+ SECItem *data)
+{
+ SECStatus rv;
+ SECItem ciphers = { siBuffer, NULL, 0 };
+ PRUint16 i;
+ PRUint16 cipher = 0;
+ PRBool found = PR_FALSE;
+ SECItem litem;
+
+ if (!data->data || !data->len) {
+ ssl3_ExtDecodeError(ss);
+ return SECFailure;
+ }
+
+ /* Get the cipher list */
+ rv = ssl3_ExtConsumeHandshakeVariable(ss, &ciphers, 2,
+ &data->data, &data->len);
+ if (rv != SECSuccess) {
+ return SECFailure; /* fatal alert already sent */
+ }
+ /* Now check that the server has picked just 1 (i.e., len = 2) */
+ if (ciphers.len != 2) {
+ ssl3_ExtDecodeError(ss);
+ return SECFailure;
+ }
+
+ /* Get the selected cipher */
+ cipher = (ciphers.data[0] << 8) | ciphers.data[1];
+
+ /* Now check that this is one of the ciphers we offered */
+ for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) {
+ if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) {
+ found = PR_TRUE;
+ break;
+ }
+ }
+
+ if (!found) {
+ ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
+ PORT_SetError(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
+ return SECFailure;
+ }
+
+ /* Get the srtp_mki value */
+ rv = ssl3_ExtConsumeHandshakeVariable(ss, &litem, 1,
+ &data->data, &data->len);
+ if (rv != SECSuccess) {
+ return SECFailure; /* alert already sent */
+ }
+
+ /* We didn't offer an MKI, so this must be 0 length */
+ if (litem.len != 0) {
+ ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
+ PORT_SetError(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
+ return SECFailure;
+ }
+
+ /* extra trailing bytes */
+ if (data->len != 0) {
+ ssl3_ExtDecodeError(ss);
+ return SECFailure;
+ }
+
+ /* OK, this looks fine. */
+ xtnData->negotiated[xtnData->numNegotiated++] = ssl_use_srtp_xtn;
+ xtnData->dtlsSRTPCipherSuite = cipher;
+ return SECSuccess;
+}
+
+SECStatus
+ssl3_ServerHandleUseSRTPXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+ SECItem *data)
+{
+ SECStatus rv;
+ SECItem ciphers = { siBuffer, NULL, 0 };
+ PRUint16 i;
+ unsigned int j;
+ PRUint16 cipher = 0;
+ PRBool found = PR_FALSE;
+ SECItem litem;
+
+ if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) {
+ /* Ignore the extension if we aren't doing DTLS or no DTLS-SRTP
+ * preferences have been set. */
+ return SECSuccess;
+ }
+
+ if (!data->data || data->len < 5) {
+ ssl3_ExtDecodeError(ss);
+ return SECFailure;
+ }
+
+ /* Get the cipher list */
+ rv = ssl3_ExtConsumeHandshakeVariable(ss, &ciphers, 2,
+ &data->data, &data->len);
+ if (rv != SECSuccess) {
+ return SECFailure; /* alert already sent */
+ }
+ /* Check that the list is even length */
+ if (ciphers.len % 2) {
+ ssl3_ExtDecodeError(ss);
+ return SECFailure;
+ }
+
+ /* Walk through the offered list and pick the most preferred of our
+ * ciphers, if any */
+ for (i = 0; !found && i < ss->ssl3.dtlsSRTPCipherCount; i++) {
+ for (j = 0; j + 1 < ciphers.len; j += 2) {
+ cipher = (ciphers.data[j] << 8) | ciphers.data[j + 1];
+ if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) {
+ found = PR_TRUE;
+ break;
+ }
+ }
+ }
+
+ /* Get the srtp_mki value */
+ rv = ssl3_ExtConsumeHandshakeVariable(ss, &litem, 1, &data->data, &data->len);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+
+ if (data->len != 0) {
+ ssl3_ExtDecodeError(ss); /* trailing bytes */
+ return SECFailure;
+ }
+
+ /* Now figure out what to do */
+ if (!found) {
+ /* No matching ciphers, pretend we don't support use_srtp */
+ return SECSuccess;
+ }
+
+ /* OK, we have a valid cipher and we've selected it */
+ xtnData->dtlsSRTPCipherSuite = cipher;
+ xtnData->negotiated[xtnData->numNegotiated++] = ssl_use_srtp_xtn;
+
+ return ssl3_RegisterExtensionSender(ss, xtnData,
+ ssl_use_srtp_xtn,
+ ssl3_ServerSendUseSRTPXtn);
+}
+
+/* ssl3_HandleSigAlgsXtn handles the signature_algorithms extension from a
+ * client. In TLS 1.3, the client uses this to parse CertificateRequest
+ * extensions. See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
+SECStatus
+ssl3_HandleSigAlgsXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+ SECItem *data)
+{
+ SECStatus rv;
+
+ /* Ignore this extension if we aren't doing TLS 1.2 or greater. */
+ if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) {
+ return SECSuccess;
+ }
+
+ if (xtnData->sigSchemes) {
+ PORT_Free(xtnData->sigSchemes);
+ xtnData->sigSchemes = NULL;
+ }
+ rv = ssl_ParseSignatureSchemes(ss, NULL,
+ &xtnData->sigSchemes,
+ &xtnData->numSigSchemes,
+ &data->data, &data->len);
+ if (rv != SECSuccess) {
+ ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
+ PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
+ return SECFailure;
+ }
+ if (xtnData->numSigSchemes == 0) {
+ ssl3_ExtSendAlert(ss, alert_fatal, handshake_failure);
+ PORT_SetError(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
+ return SECFailure;
+ }
+ /* Check for trailing data. */
+ if (data->len != 0) {
+ ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
+ PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
+ return SECFailure;
+ }
+
+ /* Keep track of negotiated extensions. */
+ xtnData->negotiated[xtnData->numNegotiated++] = ssl_signature_algorithms_xtn;
+ return SECSuccess;
+}
+
+/* ssl3_ClientSendSigAlgsXtn sends the signature_algorithm extension for TLS
+ * 1.2 ClientHellos. */
+SECStatus
+ssl3_SendSigAlgsXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+ sslBuffer *buf, PRBool *added)
+{
+ if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_2) {
+ return SECSuccess;
+ }
+
+ PRUint16 minVersion;
+ if (ss->sec.isServer) {
+ minVersion = ss->version; /* CertificateRequest */
+ } else {
+ minVersion = ss->vrange.min; /* ClientHello */
+ }
+
+ SECStatus rv = ssl3_EncodeSigAlgs(ss, minVersion, PR_TRUE /* forCert */,
+ ss->opt.enableGrease, buf);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+
+ *added = PR_TRUE;
+ return SECSuccess;
+}
+
+SECStatus
+ssl3_SendExtendedMasterSecretXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+ sslBuffer *buf, PRBool *added)
+{
+ if (!ss->opt.enableExtendedMS) {
+ return SECSuccess;
+ }
+
+ /* Always send the extension in this function, since the
+ * client always sends it and this function is only called on
+ * the server if we negotiated the extension. */
+ *added = PR_TRUE;
+ return SECSuccess;
+}
+
+SECStatus
+ssl3_HandleExtendedMasterSecretXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+ SECItem *data)
+{
+ PORT_Assert(ss->version < SSL_LIBRARY_VERSION_TLS_1_3);
+
+ if (ss->version < SSL_LIBRARY_VERSION_TLS_1_0) {
+ return SECSuccess;
+ }
+
+ if (!ss->opt.enableExtendedMS) {
+ return SECSuccess;
+ }
+
+ if (data->len != 0) {
+ SSL_TRC(30, ("%d: SSL3[%d]: Bogus extended master secret extension",
+ SSL_GETPID(), ss->fd));
+ ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
+ return SECFailure;
+ }
+
+ SSL_DBG(("%d: SSL[%d]: Negotiated extended master secret extension.",
+ SSL_GETPID(), ss->fd));
+
+ /* Keep track of negotiated extensions. */
+ xtnData->negotiated[xtnData->numNegotiated++] = ssl_extended_master_secret_xtn;
+
+ if (ss->sec.isServer) {
+ return ssl3_RegisterExtensionSender(ss, xtnData,
+ ssl_extended_master_secret_xtn,
+ ssl_SendEmptyExtension);
+ }
+ return SECSuccess;
+}
+
+/* ssl3_ClientSendSignedCertTimestampXtn sends the signed_certificate_timestamp
+ * extension for TLS ClientHellos. */
+SECStatus
+ssl3_ClientSendSignedCertTimestampXtn(const sslSocket *ss,
+ TLSExtensionData *xtnData,
+ sslBuffer *buf, PRBool *added)
+{
+ /* Only send the extension if processing is enabled. */
+ if (!ss->opt.enableSignedCertTimestamps) {
+ return SECSuccess;
+ }
+
+ *added = PR_TRUE;
+ return SECSuccess;
+}
+
+SECStatus
+ssl3_ClientHandleSignedCertTimestampXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+ SECItem *data)
+{
+ /* We do not yet know whether we'll be resuming a session or creating
+ * a new one, so we keep a pointer to the data in the TLSExtensionData
+ * structure. This pointer is only valid in the scope of
+ * ssl3_HandleServerHello, and, if not resuming a session, the data is
+ * copied once a new session structure has been set up.
+ * All parsing is currently left to the application and we accept
+ * everything, including empty data.
+ */
+ SECItem *scts = &xtnData->signedCertTimestamps;
+ PORT_Assert(!scts->data && !scts->len);
+
+ if (!data->len) {
+ /* Empty extension data: RFC 6962 mandates non-empty contents. */
+ return SECFailure;
+ }
+ *scts = *data;
+ /* Keep track of negotiated extensions. */
+ xtnData->negotiated[xtnData->numNegotiated++] = ssl_signed_cert_timestamp_xtn;
+ return SECSuccess;
+}
+
+SECStatus
+ssl3_ServerSendSignedCertTimestampXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+ sslBuffer *buf, PRBool *added)
+{
+ const SECItem *scts = &ss->sec.serverCert->signedCertTimestamps;
+ SECStatus rv;
+
+ if (!scts->len) {
+ /* No timestamps to send */
+ return SECSuccess;
+ }
+
+ rv = sslBuffer_Append(buf, scts->data, scts->len);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+
+ *added = PR_TRUE;
+ return SECSuccess;
+}
+
+SECStatus
+ssl3_ServerHandleSignedCertTimestampXtn(const sslSocket *ss,
+ TLSExtensionData *xtnData,
+ SECItem *data)
+{
+ if (data->len != 0) {
+ ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
+ PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
+ return SECFailure;
+ }
+
+ xtnData->negotiated[xtnData->numNegotiated++] = ssl_signed_cert_timestamp_xtn;
+ PORT_Assert(ss->sec.isServer);
+ return ssl3_RegisterExtensionSender(ss, xtnData,
+ ssl_signed_cert_timestamp_xtn,
+ ssl3_ServerSendSignedCertTimestampXtn);
+}
+
+/* Just make sure that the remote client supports uncompressed points,
+ * Since that is all we support. Disable ECC cipher suites if it doesn't.
+ */
+SECStatus
+ssl3_HandleSupportedPointFormatsXtn(const sslSocket *ss,
+ TLSExtensionData *xtnData,
+ SECItem *data)
+{
+ int i;
+
+ PORT_Assert(ss->version < SSL_LIBRARY_VERSION_TLS_1_3);
+
+ if (data->len < 2 || data->len > 255 || !data->data ||
+ data->len != (unsigned int)data->data[0] + 1) {
+ ssl3_ExtDecodeError(ss);
+ return SECFailure;
+ }
+ for (i = data->len; --i > 0;) {
+ if (data->data[i] == 0) {
+ /* indicate that we should send a reply */
+ return ssl3_RegisterExtensionSender(
+ ss, xtnData, ssl_ec_point_formats_xtn,
+ &ssl3_SendSupportedPointFormatsXtn);
+ }
+ }
+
+ /* Poor client doesn't support uncompressed points.
+ *
+ * If the client sends the extension and the extension does not contain the
+ * uncompressed point format, and the client has used the Supported Groups
+ * extension to indicate support for any of the curves defined in this
+ * specification, then the server MUST abort the handshake and return an
+ * illegal_parameter alert. [RFC8422, Section 5.1.2] */
+ ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
+ PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE);
+
+ return SECFailure;
+}
+
+static SECStatus
+ssl_UpdateSupportedGroups(sslSocket *ss, SECItem *data)
+{
+ SECStatus rv;
+ PRUint32 list_len;
+ unsigned int i;
+ const sslNamedGroupDef *enabled[SSL_NAMED_GROUP_COUNT] = { 0 };
+ PORT_Assert(SSL_NAMED_GROUP_COUNT == PR_ARRAY_SIZE(enabled));
+
+ if (!data->data || data->len < 4) {
+ (void)ssl3_DecodeError(ss);
+ return SECFailure;
+ }
+
+ /* get the length of elliptic_curve_list */
+ rv = ssl3_ConsumeHandshakeNumber(ss, &list_len, 2, &data->data, &data->len);
+ if (rv != SECSuccess || data->len != list_len || (data->len % 2) != 0) {
+ (void)ssl3_DecodeError(ss);
+ return SECFailure;
+ }
+
+ /* disable all groups and remember the enabled groups */
+ for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) {
+ enabled[i] = ss->namedGroupPreferences[i];
+ ss->namedGroupPreferences[i] = NULL;
+ }
+
+ /* Read groups from data and enable if in |enabled| */
+ while (data->len) {
+ const sslNamedGroupDef *group;
+ PRUint32 curve_name;
+ rv = ssl3_ConsumeHandshakeNumber(ss, &curve_name, 2, &data->data,
+ &data->len);
+ if (rv != SECSuccess) {
+ return SECFailure; /* fatal alert already sent */
+ }
+ group = ssl_LookupNamedGroup(curve_name);
+ if (group) {
+ for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) {
+ if (enabled[i] && group == enabled[i]) {
+ ss->namedGroupPreferences[i] = enabled[i];
+ break;
+ }
+ }
+ }
+
+ /* "Codepoints in the NamedCurve registry with a high byte of 0x01 (that
+ * is, between 256 and 511 inclusive) are set aside for FFDHE groups,"
+ * -- https://tools.ietf.org/html/draft-ietf-tls-negotiated-ff-dhe-10
+ */
+ if ((curve_name & 0xff00) == 0x0100) {
+ ss->xtnData.peerSupportsFfdheGroups = PR_TRUE;
+ }
+ }
+
+ /* Note: if ss->opt.requireDHENamedGroups is set, we disable DHE cipher
+ * suites, but we do that in ssl3_config_match(). */
+ if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3 &&
+ !ss->opt.requireDHENamedGroups && !ss->xtnData.peerSupportsFfdheGroups) {
+ /* If we don't require that DHE use named groups, and no FFDHE was
+ * included, we pretend that they support all the FFDHE groups we do. */
+ for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) {
+ if (enabled[i] && enabled[i]->keaType == ssl_kea_dh) {
+ ss->namedGroupPreferences[i] = enabled[i];
+ }
+ }
+ }
+
+ return SECSuccess;
+}
+
+/* Ensure that the curve in our server cert is one of the ones supported
+ * by the remote client, and disable all ECC cipher suites if not.
+ */
+SECStatus
+ssl_HandleSupportedGroupsXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+ SECItem *data)
+{
+ SECStatus rv;
+
+ rv = ssl_UpdateSupportedGroups(CONST_CAST(sslSocket, ss), data);
+ if (rv != SECSuccess)
+ return SECFailure;
+
+ /* TLS 1.3 permits the server to send this extension so make it so. */
+ if (ss->sec.isServer && ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) {
+ rv = ssl3_RegisterExtensionSender(ss, xtnData, ssl_supported_groups_xtn,
+ &ssl_SendSupportedGroupsXtn);
+ if (rv != SECSuccess) {
+ return SECFailure; /* error already set. */
+ }
+ }
+
+ /* Remember that we negotiated this extension. */
+ xtnData->negotiated[xtnData->numNegotiated++] = ssl_supported_groups_xtn;
+
+ return SECSuccess;
+}
+
+SECStatus
+ssl_HandleRecordSizeLimitXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+ SECItem *data)
+{
+ SECStatus rv;
+ PRUint32 limit;
+ PRUint32 maxLimit = (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3)
+ ? (MAX_FRAGMENT_LENGTH + 1)
+ : MAX_FRAGMENT_LENGTH;
+
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &limit, 2, &data->data, &data->len);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ if (data->len != 0 || limit < 64) {
+ ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
+ PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE);
+ return SECFailure;
+ }
+
+ if (ss->sec.isServer) {
+ rv = ssl3_RegisterExtensionSender(ss, xtnData, ssl_record_size_limit_xtn,
+ &ssl_SendRecordSizeLimitXtn);
+ if (rv != SECSuccess) {
+ return SECFailure; /* error already set. */
+ }
+ } else if (limit > maxLimit) {
+ /* The client can sensibly check the maximum. */
+ ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
+ PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE);
+ return SECFailure;
+ }
+
+ /* We can't enforce the maximum on a server. But we do need to ensure
+ * that we don't apply a limit that is too large. */
+ xtnData->recordSizeLimit = PR_MIN(maxLimit, limit);
+ xtnData->negotiated[xtnData->numNegotiated++] = ssl_record_size_limit_xtn;
+ return SECSuccess;
+}
+
+SECStatus
+ssl_SendRecordSizeLimitXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+ sslBuffer *buf, PRBool *added)
+{
+ PRUint32 maxLimit;
+ if (ss->sec.isServer) {
+ maxLimit = (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3)
+ ? (MAX_FRAGMENT_LENGTH + 1)
+ : MAX_FRAGMENT_LENGTH;
+ } else {
+ maxLimit = (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3)
+ ? (MAX_FRAGMENT_LENGTH + 1)
+ : MAX_FRAGMENT_LENGTH;
+ }
+ PRUint32 limit = PR_MIN(ss->opt.recordSizeLimit, maxLimit);
+ SECStatus rv = sslBuffer_AppendNumber(buf, limit, 2);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+
+ *added = PR_TRUE;
+ return SECSuccess;
+}