ssl3ext.c revision 2a99a7e74a7f215066514fe81d2bfa6639d9eddd
1/* 2 * SSL3 Protocol 3 * 4 * This Source Code Form is subject to the terms of the Mozilla Public 5 * License, v. 2.0. If a copy of the MPL was not distributed with this 6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 7 8/* TLS extension code moved here from ssl3ecc.c */ 9/* $Id: ssl3ext.c,v 1.28 2012/09/21 00:28:05 wtc%google.com Exp $ */ 10 11#include "nssrenam.h" 12#include "nss.h" 13#include "ssl.h" 14#include "sslimpl.h" 15#include "sslproto.h" 16#include "pk11pub.h" 17#ifdef NO_PKCS11_BYPASS 18#include "blapit.h" 19#else 20#include "blapi.h" 21#endif 22#include "prinit.h" 23 24static unsigned char key_name[SESS_TICKET_KEY_NAME_LEN]; 25static PK11SymKey *session_ticket_enc_key_pkcs11 = NULL; 26static PK11SymKey *session_ticket_mac_key_pkcs11 = NULL; 27 28#ifndef NO_PKCS11_BYPASS 29static unsigned char session_ticket_enc_key[AES_256_KEY_LENGTH]; 30static unsigned char session_ticket_mac_key[SHA256_LENGTH]; 31 32static PRBool session_ticket_keys_initialized = PR_FALSE; 33#endif 34static PRCallOnceType generate_session_keys_once; 35 36/* forward static function declarations */ 37static SECStatus ssl3_ParseEncryptedSessionTicket(sslSocket *ss, 38 SECItem *data, EncryptedSessionTicket *enc_session_ticket); 39static SECStatus ssl3_AppendToItem(SECItem *item, const unsigned char *buf, 40 PRUint32 bytes); 41static SECStatus ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, 42 PRInt32 lenSize); 43static SECStatus ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss, 44 PK11SymKey **aes_key, PK11SymKey **mac_key); 45#ifndef NO_PKCS11_BYPASS 46static SECStatus ssl3_GetSessionTicketKeys(const unsigned char **aes_key, 47 PRUint32 *aes_key_length, const unsigned char **mac_key, 48 PRUint32 *mac_key_length); 49#endif 50static PRInt32 ssl3_SendRenegotiationInfoXtn(sslSocket * ss, 51 PRBool append, PRUint32 maxBytes); 52static SECStatus ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, 53 PRUint16 ex_type, SECItem *data); 54static SECStatus ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, 55 PRUint16 ex_type, SECItem *data); 56static SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss, 57 PRUint16 ex_type, SECItem *data); 58static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append, 59 PRUint32 maxBytes); 60static PRInt32 ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append, 61 PRUint32 maxBytes); 62static SECStatus ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, 63 SECItem *data); 64static SECStatus ssl3_ClientHandleChannelIDXtn(sslSocket *ss, 65 PRUint16 ex_type, SECItem *data); 66static PRInt32 ssl3_ClientSendChannelIDXtn(sslSocket *ss, PRBool append, 67 PRUint32 maxBytes); 68 69/* 70 * Write bytes. Using this function means the SECItem structure 71 * cannot be freed. The caller is expected to call this function 72 * on a shallow copy of the structure. 73 */ 74static SECStatus 75ssl3_AppendToItem(SECItem *item, const unsigned char *buf, PRUint32 bytes) 76{ 77 if (bytes > item->len) 78 return SECFailure; 79 80 PORT_Memcpy(item->data, buf, bytes); 81 item->data += bytes; 82 item->len -= bytes; 83 return SECSuccess; 84} 85 86/* 87 * Write a number in network byte order. Using this function means the 88 * SECItem structure cannot be freed. The caller is expected to call 89 * this function on a shallow copy of the structure. 90 */ 91static SECStatus 92ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, PRInt32 lenSize) 93{ 94 SECStatus rv; 95 uint8 b[4]; 96 uint8 * p = b; 97 98 switch (lenSize) { 99 case 4: 100 *p++ = (uint8) (num >> 24); 101 case 3: 102 *p++ = (uint8) (num >> 16); 103 case 2: 104 *p++ = (uint8) (num >> 8); 105 case 1: 106 *p = (uint8) num; 107 } 108 rv = ssl3_AppendToItem(item, &b[0], lenSize); 109 return rv; 110} 111 112static SECStatus ssl3_SessionTicketShutdown(void* appData, void* nssData) 113{ 114 if (session_ticket_enc_key_pkcs11) { 115 PK11_FreeSymKey(session_ticket_enc_key_pkcs11); 116 session_ticket_enc_key_pkcs11 = NULL; 117 } 118 if (session_ticket_mac_key_pkcs11) { 119 PK11_FreeSymKey(session_ticket_mac_key_pkcs11); 120 session_ticket_mac_key_pkcs11 = NULL; 121 } 122 PORT_Memset(&generate_session_keys_once, 0, 123 sizeof(generate_session_keys_once)); 124 return SECSuccess; 125} 126 127 128static PRStatus 129ssl3_GenerateSessionTicketKeysPKCS11(void *data) 130{ 131 SECStatus rv; 132 sslSocket *ss = (sslSocket *)data; 133 SECKEYPrivateKey *svrPrivKey = ss->serverCerts[kt_rsa].SERVERKEY; 134 SECKEYPublicKey *svrPubKey = ss->serverCerts[kt_rsa].serverKeyPair->pubKey; 135 136 if (svrPrivKey == NULL || svrPubKey == NULL) { 137 SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.", 138 SSL_GETPID(), ss->fd)); 139 goto loser; 140 } 141 142 /* Get a copy of the session keys from shared memory. */ 143 PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX, 144 sizeof(SESS_TICKET_KEY_NAME_PREFIX)); 145 if (!ssl_GetSessionTicketKeysPKCS11(svrPrivKey, svrPubKey, 146 ss->pkcs11PinArg, &key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN], 147 &session_ticket_enc_key_pkcs11, &session_ticket_mac_key_pkcs11)) 148 return PR_FAILURE; 149 150 rv = NSS_RegisterShutdown(ssl3_SessionTicketShutdown, NULL); 151 if (rv != SECSuccess) 152 goto loser; 153 154 return PR_SUCCESS; 155 156loser: 157 ssl3_SessionTicketShutdown(NULL, NULL); 158 return PR_FAILURE; 159} 160 161static SECStatus 162ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss, PK11SymKey **aes_key, 163 PK11SymKey **mac_key) 164{ 165 if (PR_CallOnceWithArg(&generate_session_keys_once, 166 ssl3_GenerateSessionTicketKeysPKCS11, ss) != PR_SUCCESS) 167 return SECFailure; 168 169 if (session_ticket_enc_key_pkcs11 == NULL || 170 session_ticket_mac_key_pkcs11 == NULL) 171 return SECFailure; 172 173 *aes_key = session_ticket_enc_key_pkcs11; 174 *mac_key = session_ticket_mac_key_pkcs11; 175 return SECSuccess; 176} 177 178#ifndef NO_PKCS11_BYPASS 179static PRStatus 180ssl3_GenerateSessionTicketKeys(void) 181{ 182 PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX, 183 sizeof(SESS_TICKET_KEY_NAME_PREFIX)); 184 185 if (!ssl_GetSessionTicketKeys(&key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN], 186 session_ticket_enc_key, session_ticket_mac_key)) 187 return PR_FAILURE; 188 189 session_ticket_keys_initialized = PR_TRUE; 190 return PR_SUCCESS; 191} 192 193static SECStatus 194ssl3_GetSessionTicketKeys(const unsigned char **aes_key, 195 PRUint32 *aes_key_length, const unsigned char **mac_key, 196 PRUint32 *mac_key_length) 197{ 198 if (PR_CallOnce(&generate_session_keys_once, 199 ssl3_GenerateSessionTicketKeys) != SECSuccess) 200 return SECFailure; 201 202 if (!session_ticket_keys_initialized) 203 return SECFailure; 204 205 *aes_key = session_ticket_enc_key; 206 *aes_key_length = sizeof(session_ticket_enc_key); 207 *mac_key = session_ticket_mac_key; 208 *mac_key_length = sizeof(session_ticket_mac_key); 209 210 return SECSuccess; 211} 212#endif 213 214/* Table of handlers for received TLS hello extensions, one per extension. 215 * In the second generation, this table will be dynamic, and functions 216 * will be registered here. 217 */ 218/* This table is used by the server, to handle client hello extensions. */ 219static const ssl3HelloExtensionHandler clientHelloHandlers[] = { 220 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, 221#ifdef NSS_ENABLE_ECC 222 { ssl_elliptic_curves_xtn, &ssl3_HandleSupportedCurvesXtn }, 223 { ssl_ec_point_formats_xtn, &ssl3_HandleSupportedPointFormatsXtn }, 224#endif 225 { ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn }, 226 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, 227 { ssl_next_proto_nego_xtn, &ssl3_ServerHandleNextProtoNegoXtn }, 228 { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn }, 229 { -1, NULL } 230}; 231 232/* These two tables are used by the client, to handle server hello 233 * extensions. */ 234static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = { 235 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, 236 /* TODO: add a handler for ssl_ec_point_formats_xtn */ 237 { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn }, 238 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, 239 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, 240 { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn }, 241 { ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn }, 242 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, 243 { -1, NULL } 244}; 245 246static const ssl3HelloExtensionHandler serverHelloHandlersSSL3[] = { 247 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, 248 { -1, NULL } 249}; 250 251/* Tables of functions to format TLS hello extensions, one function per 252 * extension. 253 * These static tables are for the formatting of client hello extensions. 254 * The server's table of hello senders is dynamic, in the socket struct, 255 * and sender functions are registered there. 256 */ 257static const 258ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = { 259 { ssl_server_name_xtn, &ssl3_SendServerNameXtn }, 260 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn }, 261#ifdef NSS_ENABLE_ECC 262 { ssl_elliptic_curves_xtn, &ssl3_SendSupportedCurvesXtn }, 263 { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn }, 264#endif 265 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, 266 { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, 267 { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn }, 268 { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn }, 269 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn } 270 /* any extra entries will appear as { 0, NULL } */ 271}; 272 273static const 274ssl3HelloExtensionSender clientHelloSendersSSL3[SSL_MAX_EXTENSIONS] = { 275 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn } 276 /* any extra entries will appear as { 0, NULL } */ 277}; 278 279static PRBool 280arrayContainsExtension(const PRUint16 *array, PRUint32 len, PRUint16 ex_type) 281{ 282 int i; 283 for (i = 0; i < len; i++) { 284 if (ex_type == array[i]) 285 return PR_TRUE; 286 } 287 return PR_FALSE; 288} 289 290PRBool 291ssl3_ExtensionNegotiated(sslSocket *ss, PRUint16 ex_type) { 292 TLSExtensionData *xtnData = &ss->xtnData; 293 return arrayContainsExtension(xtnData->negotiated, 294 xtnData->numNegotiated, ex_type); 295} 296 297static PRBool 298ssl3_ClientExtensionAdvertised(sslSocket *ss, PRUint16 ex_type) { 299 TLSExtensionData *xtnData = &ss->xtnData; 300 return arrayContainsExtension(xtnData->advertised, 301 xtnData->numAdvertised, ex_type); 302} 303 304/* Format an SNI extension, using the name from the socket's URL, 305 * unless that name is a dotted decimal string. 306 * Used by client and server. 307 */ 308PRInt32 309ssl3_SendServerNameXtn(sslSocket * ss, PRBool append, 310 PRUint32 maxBytes) 311{ 312 SECStatus rv; 313 if (!ss) 314 return 0; 315 if (!ss->sec.isServer) { 316 PRUint32 len; 317 PRNetAddr netAddr; 318 319 /* must have a hostname */ 320 if (!ss->url || !ss->url[0]) 321 return 0; 322 /* must not be an IPv4 or IPv6 address */ 323 if (PR_SUCCESS == PR_StringToNetAddr(ss->url, &netAddr)) { 324 /* is an IP address (v4 or v6) */ 325 return 0; 326 } 327 len = PORT_Strlen(ss->url); 328 if (append && maxBytes >= len + 9) { 329 /* extension_type */ 330 rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2); 331 if (rv != SECSuccess) return -1; 332 /* length of extension_data */ 333 rv = ssl3_AppendHandshakeNumber(ss, len + 5, 2); 334 if (rv != SECSuccess) return -1; 335 /* length of server_name_list */ 336 rv = ssl3_AppendHandshakeNumber(ss, len + 3, 2); 337 if (rv != SECSuccess) return -1; 338 /* Name Type (sni_host_name) */ 339 rv = ssl3_AppendHandshake(ss, "\0", 1); 340 if (rv != SECSuccess) return -1; 341 /* HostName (length and value) */ 342 rv = ssl3_AppendHandshakeVariable(ss, (PRUint8 *)ss->url, len, 2); 343 if (rv != SECSuccess) return -1; 344 if (!ss->sec.isServer) { 345 TLSExtensionData *xtnData = &ss->xtnData; 346 xtnData->advertised[xtnData->numAdvertised++] = 347 ssl_server_name_xtn; 348 } 349 } 350 return len + 9; 351 } 352 /* Server side */ 353 if (append && maxBytes >= 4) { 354 rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2); 355 if (rv != SECSuccess) return -1; 356 /* length of extension_data */ 357 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); 358 if (rv != SECSuccess) return -1; 359 } 360 return 4; 361} 362 363/* handle an incoming SNI extension, by ignoring it. */ 364SECStatus 365ssl3_HandleServerNameXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data) 366{ 367 SECItem *names = NULL; 368 PRUint32 listCount = 0, namesPos = 0, i; 369 TLSExtensionData *xtnData = &ss->xtnData; 370 SECItem ldata; 371 PRInt32 listLenBytes = 0; 372 373 if (!ss->sec.isServer) { 374 /* Verify extension_data is empty. */ 375 if (data->data || data->len || 376 !ssl3_ExtensionNegotiated(ss, ssl_server_name_xtn)) { 377 /* malformed or was not initiated by the client.*/ 378 return SECFailure; 379 } 380 return SECSuccess; 381 } 382 383 /* Server side - consume client data and register server sender. */ 384 /* do not parse the data if don't have user extension handling function. */ 385 if (!ss->sniSocketConfig) { 386 return SECSuccess; 387 } 388 /* length of server_name_list */ 389 listLenBytes = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len); 390 if (listLenBytes == 0 || listLenBytes != data->len) { 391 return SECFailure; 392 } 393 ldata = *data; 394 /* Calculate the size of the array.*/ 395 while (listLenBytes > 0) { 396 SECItem litem; 397 SECStatus rv; 398 PRInt32 type; 399 /* Name Type (sni_host_name) */ 400 type = ssl3_ConsumeHandshakeNumber(ss, 1, &ldata.data, &ldata.len); 401 if (!ldata.len) { 402 return SECFailure; 403 } 404 rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 2, &ldata.data, &ldata.len); 405 if (rv != SECSuccess) { 406 return SECFailure; 407 } 408 /* Adjust total length for cunsumed item, item len and type.*/ 409 listLenBytes -= litem.len + 3; 410 if (listLenBytes > 0 && !ldata.len) { 411 return SECFailure; 412 } 413 listCount += 1; 414 } 415 if (!listCount) { 416 return SECFailure; 417 } 418 names = PORT_ZNewArray(SECItem, listCount); 419 if (!names) { 420 return SECFailure; 421 } 422 for (i = 0;i < listCount;i++) { 423 int j; 424 PRInt32 type; 425 SECStatus rv; 426 PRBool nametypePresent = PR_FALSE; 427 /* Name Type (sni_host_name) */ 428 type = ssl3_ConsumeHandshakeNumber(ss, 1, &data->data, &data->len); 429 /* Check if we have such type in the list */ 430 for (j = 0;j < listCount && names[j].data;j++) { 431 if (names[j].type == type) { 432 nametypePresent = PR_TRUE; 433 break; 434 } 435 } 436 /* HostName (length and value) */ 437 rv = ssl3_ConsumeHandshakeVariable(ss, &names[namesPos], 2, 438 &data->data, &data->len); 439 if (rv != SECSuccess) { 440 goto loser; 441 } 442 if (nametypePresent == PR_FALSE) { 443 namesPos += 1; 444 } 445 } 446 /* Free old and set the new data. */ 447 if (xtnData->sniNameArr) { 448 PORT_Free(ss->xtnData.sniNameArr); 449 } 450 xtnData->sniNameArr = names; 451 xtnData->sniNameArrSize = namesPos; 452 xtnData->negotiated[xtnData->numNegotiated++] = ssl_server_name_xtn; 453 454 return SECSuccess; 455 456loser: 457 PORT_Free(names); 458 return SECFailure; 459} 460 461/* Called by both clients and servers. 462 * Clients sends a filled in session ticket if one is available, and otherwise 463 * sends an empty ticket. Servers always send empty tickets. 464 */ 465PRInt32 466ssl3_SendSessionTicketXtn( 467 sslSocket * ss, 468 PRBool append, 469 PRUint32 maxBytes) 470{ 471 PRInt32 extension_length; 472 NewSessionTicket *session_ticket = NULL; 473 474 /* Ignore the SessionTicket extension if processing is disabled. */ 475 if (!ss->opt.enableSessionTickets) 476 return 0; 477 478 /* Empty extension length = extension_type (2-bytes) + 479 * length(extension_data) (2-bytes) 480 */ 481 extension_length = 4; 482 483 /* If we are a client then send a session ticket if one is availble. 484 * Servers that support the extension and are willing to negotiate the 485 * the extension always respond with an empty extension. 486 */ 487 if (!ss->sec.isServer) { 488 sslSessionID *sid = ss->sec.ci.sid; 489 session_ticket = &sid->u.ssl3.sessionTicket; 490 if (session_ticket->ticket.data) { 491 if (ss->xtnData.ticketTimestampVerified) { 492 extension_length += session_ticket->ticket.len; 493 } else if (!append && 494 (session_ticket->ticket_lifetime_hint == 0 || 495 (session_ticket->ticket_lifetime_hint + 496 session_ticket->received_timestamp > ssl_Time()))) { 497 extension_length += session_ticket->ticket.len; 498 ss->xtnData.ticketTimestampVerified = PR_TRUE; 499 } 500 } 501 } 502 503 if (append && maxBytes >= extension_length) { 504 SECStatus rv; 505 /* extension_type */ 506 rv = ssl3_AppendHandshakeNumber(ss, ssl_session_ticket_xtn, 2); 507 if (rv != SECSuccess) 508 goto loser; 509 if (session_ticket && session_ticket->ticket.data && 510 ss->xtnData.ticketTimestampVerified) { 511 rv = ssl3_AppendHandshakeVariable(ss, session_ticket->ticket.data, 512 session_ticket->ticket.len, 2); 513 ss->xtnData.ticketTimestampVerified = PR_FALSE; 514 } else { 515 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); 516 } 517 if (rv != SECSuccess) 518 goto loser; 519 520 if (!ss->sec.isServer) { 521 TLSExtensionData *xtnData = &ss->xtnData; 522 xtnData->advertised[xtnData->numAdvertised++] = 523 ssl_session_ticket_xtn; 524 } 525 } else if (maxBytes < extension_length) { 526 PORT_Assert(0); 527 return 0; 528 } 529 return extension_length; 530 531 loser: 532 ss->xtnData.ticketTimestampVerified = PR_FALSE; 533 return -1; 534} 535 536/* handle an incoming Next Protocol Negotiation extension. */ 537static SECStatus 538ssl3_ServerHandleNextProtoNegoXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data) 539{ 540 if (ss->firstHsDone || data->len != 0) { 541 /* Clients MUST send an empty NPN extension, if any. */ 542 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); 543 return SECFailure; 544 } 545 546 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 547 548 /* TODO: server side NPN support would require calling 549 * ssl3_RegisterServerHelloExtensionSender here in order to echo the 550 * extension back to the client. */ 551 552 return SECSuccess; 553} 554 555/* ssl3_ValidateNextProtoNego checks that the given block of data is valid: none 556 * of the lengths may be 0 and the sum of the lengths must equal the length of 557 * the block. */ 558SECStatus 559ssl3_ValidateNextProtoNego(const unsigned char* data, unsigned int length) 560{ 561 unsigned int offset = 0; 562 563 while (offset < length) { 564 unsigned int newOffset = offset + 1 + (unsigned int) data[offset]; 565 /* Reject embedded nulls to protect against buggy applications that 566 * store protocol identifiers in null-terminated strings. 567 */ 568 if (newOffset > length || data[offset] == 0) { 569 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); 570 return SECFailure; 571 } 572 offset = newOffset; 573 } 574 575 if (offset > length) { 576 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); 577 return SECFailure; 578 } 579 580 return SECSuccess; 581} 582 583static SECStatus 584ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type, 585 SECItem *data) 586{ 587 SECStatus rv; 588 unsigned char resultBuffer[255]; 589 SECItem result = { siBuffer, resultBuffer, 0 }; 590 591 PORT_Assert(!ss->firstHsDone); 592 593 rv = ssl3_ValidateNextProtoNego(data->data, data->len); 594 if (rv != SECSuccess) 595 return rv; 596 597 /* ss->nextProtoCallback cannot normally be NULL if we negotiated the 598 * extension. However, It is possible that an application erroneously 599 * cleared the callback between the time we sent the ClientHello and now. 600 */ 601 PORT_Assert(ss->nextProtoCallback != NULL); 602 if (!ss->nextProtoCallback) { 603 /* XXX Use a better error code. This is an application error, not an 604 * NSS bug. */ 605 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 606 return SECFailure; 607 } 608 609 rv = ss->nextProtoCallback(ss->nextProtoArg, ss->fd, data->data, data->len, 610 result.data, &result.len, sizeof resultBuffer); 611 if (rv != SECSuccess) 612 return rv; 613 /* If the callback wrote more than allowed to |result| it has corrupted our 614 * stack. */ 615 if (result.len > sizeof resultBuffer) { 616 PORT_SetError(SEC_ERROR_OUTPUT_LEN); 617 return SECFailure; 618 } 619 620 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 621 622 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); 623 return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &result); 624} 625 626static PRInt32 627ssl3_ClientSendNextProtoNegoXtn(sslSocket * ss, PRBool append, 628 PRUint32 maxBytes) 629{ 630 PRInt32 extension_length; 631 632 /* Renegotiations do not send this extension. */ 633 if (!ss->nextProtoCallback || ss->firstHsDone) { 634 return 0; 635 } 636 637 extension_length = 4; 638 639 if (append && maxBytes >= extension_length) { 640 SECStatus rv; 641 rv = ssl3_AppendHandshakeNumber(ss, ssl_next_proto_nego_xtn, 2); 642 if (rv != SECSuccess) 643 goto loser; 644 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); 645 if (rv != SECSuccess) 646 goto loser; 647 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = 648 ssl_next_proto_nego_xtn; 649 } else if (maxBytes < extension_length) { 650 return 0; 651 } 652 653 return extension_length; 654 655loser: 656 return -1; 657} 658 659static SECStatus 660ssl3_ClientHandleChannelIDXtn(sslSocket *ss, PRUint16 ex_type, 661 SECItem *data) 662{ 663 PORT_Assert(ss->getChannelID != NULL); 664 665 if (data->len) { 666 PORT_SetError(SSL_ERROR_BAD_CHANNEL_ID_DATA); 667 return SECFailure; 668 } 669 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 670 return SECSuccess; 671} 672 673static PRInt32 674ssl3_ClientSendChannelIDXtn(sslSocket * ss, PRBool append, 675 PRUint32 maxBytes) 676{ 677 PRInt32 extension_length = 4; 678 679 if (!ss->getChannelID) 680 return 0; 681 682 if (maxBytes < extension_length) { 683 PORT_Assert(0); 684 return 0; 685 } 686 687 if (append) { 688 SECStatus rv; 689 rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2); 690 if (rv != SECSuccess) 691 goto loser; 692 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); 693 if (rv != SECSuccess) 694 goto loser; 695 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = 696 ssl_channel_id_xtn; 697 } 698 699 return extension_length; 700 701loser: 702 return -1; 703} 704 705SECStatus 706ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type, 707 SECItem *data) 708{ 709 /* If we didn't request this extension, then the server may not echo it. */ 710 if (!ss->opt.enableOCSPStapling) 711 return SECFailure; 712 713 /* The echoed extension must be empty. */ 714 if (data->len != 0) 715 return SECFailure; 716 717 ss->ssl3.hs.may_get_cert_status = PR_TRUE; 718 719 /* Keep track of negotiated extensions. */ 720 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 721 722 return SECSuccess; 723} 724 725/* ssl3_ClientSendStatusRequestXtn builds the status_request extension on the 726 * client side. See RFC 4366 section 3.6. */ 727PRInt32 728ssl3_ClientSendStatusRequestXtn(sslSocket * ss, PRBool append, 729 PRUint32 maxBytes) 730{ 731 PRInt32 extension_length; 732 733 if (!ss->opt.enableOCSPStapling) 734 return 0; 735 736 /* extension_type (2-bytes) + 737 * length(extension_data) (2-bytes) + 738 * status_type (1) + 739 * responder_id_list length (2) + 740 * request_extensions length (2) 741 */ 742 extension_length = 9; 743 744 if (append && maxBytes >= extension_length) { 745 SECStatus rv; 746 TLSExtensionData *xtnData; 747 748 /* extension_type */ 749 rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2); 750 if (rv != SECSuccess) 751 return -1; 752 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); 753 if (rv != SECSuccess) 754 return -1; 755 rv = ssl3_AppendHandshakeNumber(ss, 1 /* status_type ocsp */, 1); 756 if (rv != SECSuccess) 757 return -1; 758 /* A zero length responder_id_list means that the responders are 759 * implicitly known to the server. */ 760 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); 761 if (rv != SECSuccess) 762 return -1; 763 /* A zero length request_extensions means that there are no extensions. 764 * Specifically, we don't set the id-pkix-ocsp-nonce extension. This 765 * means that the server can replay a cached OCSP response to us. */ 766 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); 767 if (rv != SECSuccess) 768 return -1; 769 770 xtnData = &ss->xtnData; 771 xtnData->advertised[xtnData->numAdvertised++] = ssl_cert_status_xtn; 772 } else if (maxBytes < extension_length) { 773 PORT_Assert(0); 774 return 0; 775 } 776 return extension_length; 777} 778 779/* 780 * NewSessionTicket 781 * Called from ssl3_HandleFinished 782 */ 783SECStatus 784ssl3_SendNewSessionTicket(sslSocket *ss) 785{ 786 int i; 787 SECStatus rv; 788 NewSessionTicket ticket; 789 SECItem plaintext; 790 SECItem plaintext_item = {0, NULL, 0}; 791 SECItem ciphertext = {0, NULL, 0}; 792 PRUint32 ciphertext_length; 793 PRBool ms_is_wrapped; 794 unsigned char wrapped_ms[SSL3_MASTER_SECRET_LENGTH]; 795 SECItem ms_item = {0, NULL, 0}; 796 SSL3KEAType effectiveExchKeyType = ssl_kea_null; 797 PRUint32 padding_length; 798 PRUint32 message_length; 799 PRUint32 cert_length; 800 uint8 length_buf[4]; 801 PRUint32 now; 802 PK11SymKey *aes_key_pkcs11; 803 PK11SymKey *mac_key_pkcs11; 804#ifndef NO_PKCS11_BYPASS 805 const unsigned char *aes_key; 806 const unsigned char *mac_key; 807 PRUint32 aes_key_length; 808 PRUint32 mac_key_length; 809 PRUint64 aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS]; 810 AESContext *aes_ctx; 811 const SECHashObject *hashObj = NULL; 812 PRUint64 hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS]; 813 HMACContext *hmac_ctx; 814#endif 815 CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC; 816 PK11Context *aes_ctx_pkcs11; 817 CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC; 818 PK11Context *hmac_ctx_pkcs11; 819 unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH]; 820 unsigned int computed_mac_length; 821 unsigned char iv[AES_BLOCK_SIZE]; 822 SECItem ivItem; 823 SECItem *srvName = NULL; 824 PRUint32 srvNameLen = 0; 825 CK_MECHANISM_TYPE msWrapMech = 0; /* dummy default value, 826 * must be >= 0 */ 827 828 SSL_TRC(3, ("%d: SSL3[%d]: send session_ticket handshake", 829 SSL_GETPID(), ss->fd)); 830 831 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 832 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 833 834 ticket.ticket_lifetime_hint = TLS_EX_SESS_TICKET_LIFETIME_HINT; 835 cert_length = (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) ? 836 3 + ss->sec.ci.sid->peerCert->derCert.len : 0; 837 838 /* Get IV and encryption keys */ 839 ivItem.data = iv; 840 ivItem.len = sizeof(iv); 841 rv = PK11_GenerateRandom(iv, sizeof(iv)); 842 if (rv != SECSuccess) goto loser; 843 844#ifndef NO_PKCS11_BYPASS 845 if (ss->opt.bypassPKCS11) { 846 rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length, 847 &mac_key, &mac_key_length); 848 } else 849#endif 850 { 851 rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11, 852 &mac_key_pkcs11); 853 } 854 if (rv != SECSuccess) goto loser; 855 856 if (ss->ssl3.pwSpec->msItem.len && ss->ssl3.pwSpec->msItem.data) { 857 /* The master secret is available unwrapped. */ 858 ms_item.data = ss->ssl3.pwSpec->msItem.data; 859 ms_item.len = ss->ssl3.pwSpec->msItem.len; 860 ms_is_wrapped = PR_FALSE; 861 } else { 862 /* Extract the master secret wrapped. */ 863 sslSessionID sid; 864 PORT_Memset(&sid, 0, sizeof(sslSessionID)); 865 866 if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) { 867 effectiveExchKeyType = kt_rsa; 868 } else { 869 effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType; 870 } 871 872 rv = ssl3_CacheWrappedMasterSecret(ss, &sid, ss->ssl3.pwSpec, 873 effectiveExchKeyType); 874 if (rv == SECSuccess) { 875 if (sid.u.ssl3.keys.wrapped_master_secret_len > sizeof(wrapped_ms)) 876 goto loser; 877 memcpy(wrapped_ms, sid.u.ssl3.keys.wrapped_master_secret, 878 sid.u.ssl3.keys.wrapped_master_secret_len); 879 ms_item.data = wrapped_ms; 880 ms_item.len = sid.u.ssl3.keys.wrapped_master_secret_len; 881 msWrapMech = sid.u.ssl3.masterWrapMech; 882 } else { 883 /* TODO: else send an empty ticket. */ 884 goto loser; 885 } 886 ms_is_wrapped = PR_TRUE; 887 } 888 /* Prep to send negotiated name */ 889 srvName = &ss->ssl3.pwSpec->srvVirtName; 890 if (srvName->data && srvName->len) { 891 srvNameLen = 2 + srvName->len; /* len bytes + name len */ 892 } 893 894 ciphertext_length = 895 sizeof(PRUint16) /* ticket_version */ 896 + sizeof(SSL3ProtocolVersion) /* ssl_version */ 897 + sizeof(ssl3CipherSuite) /* ciphersuite */ 898 + 1 /* compression */ 899 + 10 /* cipher spec parameters */ 900 + 1 /* SessionTicket.ms_is_wrapped */ 901 + 1 /* effectiveExchKeyType */ 902 + 4 /* msWrapMech */ 903 + 2 /* master_secret.length */ 904 + ms_item.len /* master_secret */ 905 + 1 /* client_auth_type */ 906 + cert_length /* cert */ 907 + 1 /* server name type */ 908 + srvNameLen /* name len + length field */ 909 + sizeof(ticket.ticket_lifetime_hint); 910 padding_length = AES_BLOCK_SIZE - 911 (ciphertext_length % AES_BLOCK_SIZE); 912 ciphertext_length += padding_length; 913 914 message_length = 915 sizeof(ticket.ticket_lifetime_hint) /* ticket_lifetime_hint */ 916 + 2 /* length field for NewSessionTicket.ticket */ 917 + SESS_TICKET_KEY_NAME_LEN /* key_name */ 918 + AES_BLOCK_SIZE /* iv */ 919 + 2 /* length field for NewSessionTicket.ticket.encrypted_state */ 920 + ciphertext_length /* encrypted_state */ 921 + TLS_EX_SESS_TICKET_MAC_LENGTH; /* mac */ 922 923 if (SECITEM_AllocItem(NULL, &plaintext_item, ciphertext_length) == NULL) 924 goto loser; 925 926 plaintext = plaintext_item; 927 928 /* ticket_version */ 929 rv = ssl3_AppendNumberToItem(&plaintext, TLS_EX_SESS_TICKET_VERSION, 930 sizeof(PRUint16)); 931 if (rv != SECSuccess) goto loser; 932 933 /* ssl_version */ 934 rv = ssl3_AppendNumberToItem(&plaintext, ss->version, 935 sizeof(SSL3ProtocolVersion)); 936 if (rv != SECSuccess) goto loser; 937 938 /* ciphersuite */ 939 rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.cipher_suite, 940 sizeof(ssl3CipherSuite)); 941 if (rv != SECSuccess) goto loser; 942 943 /* compression */ 944 rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.compression, 1); 945 if (rv != SECSuccess) goto loser; 946 947 /* cipher spec parameters */ 948 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authAlgorithm, 1); 949 if (rv != SECSuccess) goto loser; 950 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authKeyBits, 4); 951 if (rv != SECSuccess) goto loser; 952 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaType, 1); 953 if (rv != SECSuccess) goto loser; 954 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaKeyBits, 4); 955 if (rv != SECSuccess) goto loser; 956 957 /* master_secret */ 958 rv = ssl3_AppendNumberToItem(&plaintext, ms_is_wrapped, 1); 959 if (rv != SECSuccess) goto loser; 960 rv = ssl3_AppendNumberToItem(&plaintext, effectiveExchKeyType, 1); 961 if (rv != SECSuccess) goto loser; 962 rv = ssl3_AppendNumberToItem(&plaintext, msWrapMech, 4); 963 if (rv != SECSuccess) goto loser; 964 rv = ssl3_AppendNumberToItem(&plaintext, ms_item.len, 2); 965 if (rv != SECSuccess) goto loser; 966 rv = ssl3_AppendToItem(&plaintext, ms_item.data, ms_item.len); 967 if (rv != SECSuccess) goto loser; 968 969 /* client_identity */ 970 if (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) { 971 rv = ssl3_AppendNumberToItem(&plaintext, CLIENT_AUTH_CERTIFICATE, 1); 972 if (rv != SECSuccess) goto loser; 973 rv = ssl3_AppendNumberToItem(&plaintext, 974 ss->sec.ci.sid->peerCert->derCert.len, 3); 975 if (rv != SECSuccess) goto loser; 976 rv = ssl3_AppendToItem(&plaintext, 977 ss->sec.ci.sid->peerCert->derCert.data, 978 ss->sec.ci.sid->peerCert->derCert.len); 979 if (rv != SECSuccess) goto loser; 980 } else { 981 rv = ssl3_AppendNumberToItem(&plaintext, 0, 1); 982 if (rv != SECSuccess) goto loser; 983 } 984 985 /* timestamp */ 986 now = ssl_Time(); 987 rv = ssl3_AppendNumberToItem(&plaintext, now, 988 sizeof(ticket.ticket_lifetime_hint)); 989 if (rv != SECSuccess) goto loser; 990 991 if (srvNameLen) { 992 /* Name Type (sni_host_name) */ 993 rv = ssl3_AppendNumberToItem(&plaintext, srvName->type, 1); 994 if (rv != SECSuccess) goto loser; 995 /* HostName (length and value) */ 996 rv = ssl3_AppendNumberToItem(&plaintext, srvName->len, 2); 997 if (rv != SECSuccess) goto loser; 998 rv = ssl3_AppendToItem(&plaintext, srvName->data, srvName->len); 999 if (rv != SECSuccess) goto loser; 1000 } else { 1001 /* No Name */ 1002 rv = ssl3_AppendNumberToItem(&plaintext, (char)TLS_STE_NO_SERVER_NAME, 1003 1); 1004 if (rv != SECSuccess) goto loser; 1005 } 1006 1007 PORT_Assert(plaintext.len == padding_length); 1008 for (i = 0; i < padding_length; i++) 1009 plaintext.data[i] = (unsigned char)padding_length; 1010 1011 if (SECITEM_AllocItem(NULL, &ciphertext, ciphertext_length) == NULL) { 1012 rv = SECFailure; 1013 goto loser; 1014 } 1015 1016 /* Generate encrypted portion of ticket. */ 1017#ifndef NO_PKCS11_BYPASS 1018 if (ss->opt.bypassPKCS11) { 1019 aes_ctx = (AESContext *)aes_ctx_buf; 1020 rv = AES_InitContext(aes_ctx, aes_key, aes_key_length, iv, 1021 NSS_AES_CBC, 1, AES_BLOCK_SIZE); 1022 if (rv != SECSuccess) goto loser; 1023 1024 rv = AES_Encrypt(aes_ctx, ciphertext.data, &ciphertext.len, 1025 ciphertext.len, plaintext_item.data, 1026 plaintext_item.len); 1027 if (rv != SECSuccess) goto loser; 1028 } else 1029#endif 1030 { 1031 aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech, 1032 CKA_ENCRYPT, aes_key_pkcs11, &ivItem); 1033 if (!aes_ctx_pkcs11) 1034 goto loser; 1035 1036 rv = PK11_CipherOp(aes_ctx_pkcs11, ciphertext.data, 1037 (int *)&ciphertext.len, ciphertext.len, 1038 plaintext_item.data, plaintext_item.len); 1039 PK11_Finalize(aes_ctx_pkcs11); 1040 PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE); 1041 if (rv != SECSuccess) goto loser; 1042 } 1043 1044 /* Convert ciphertext length to network order. */ 1045 length_buf[0] = (ciphertext.len >> 8) & 0xff; 1046 length_buf[1] = (ciphertext.len ) & 0xff; 1047 1048 /* Compute MAC. */ 1049#ifndef NO_PKCS11_BYPASS 1050 if (ss->opt.bypassPKCS11) { 1051 hmac_ctx = (HMACContext *)hmac_ctx_buf; 1052 hashObj = HASH_GetRawHashObject(HASH_AlgSHA256); 1053 if (HMAC_Init(hmac_ctx, hashObj, mac_key, 1054 mac_key_length, PR_FALSE) != SECSuccess) 1055 goto loser; 1056 1057 HMAC_Begin(hmac_ctx); 1058 HMAC_Update(hmac_ctx, key_name, SESS_TICKET_KEY_NAME_LEN); 1059 HMAC_Update(hmac_ctx, iv, sizeof(iv)); 1060 HMAC_Update(hmac_ctx, (unsigned char *)length_buf, 2); 1061 HMAC_Update(hmac_ctx, ciphertext.data, ciphertext.len); 1062 HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length, 1063 sizeof(computed_mac)); 1064 } else 1065#endif 1066 { 1067 SECItem macParam; 1068 macParam.data = NULL; 1069 macParam.len = 0; 1070 hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech, 1071 CKA_SIGN, mac_key_pkcs11, &macParam); 1072 if (!hmac_ctx_pkcs11) 1073 goto loser; 1074 1075 rv = PK11_DigestBegin(hmac_ctx_pkcs11); 1076 rv = PK11_DigestOp(hmac_ctx_pkcs11, key_name, 1077 SESS_TICKET_KEY_NAME_LEN); 1078 rv = PK11_DigestOp(hmac_ctx_pkcs11, iv, sizeof(iv)); 1079 rv = PK11_DigestOp(hmac_ctx_pkcs11, (unsigned char *)length_buf, 2); 1080 rv = PK11_DigestOp(hmac_ctx_pkcs11, ciphertext.data, ciphertext.len); 1081 rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac, 1082 &computed_mac_length, sizeof(computed_mac)); 1083 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); 1084 if (rv != SECSuccess) goto loser; 1085 } 1086 1087 /* Serialize the handshake message. */ 1088 rv = ssl3_AppendHandshakeHeader(ss, new_session_ticket, message_length); 1089 if (rv != SECSuccess) goto loser; 1090 1091 rv = ssl3_AppendHandshakeNumber(ss, ticket.ticket_lifetime_hint, 1092 sizeof(ticket.ticket_lifetime_hint)); 1093 if (rv != SECSuccess) goto loser; 1094 1095 rv = ssl3_AppendHandshakeNumber(ss, 1096 message_length - sizeof(ticket.ticket_lifetime_hint) - 2, 2); 1097 if (rv != SECSuccess) goto loser; 1098 1099 rv = ssl3_AppendHandshake(ss, key_name, SESS_TICKET_KEY_NAME_LEN); 1100 if (rv != SECSuccess) goto loser; 1101 1102 rv = ssl3_AppendHandshake(ss, iv, sizeof(iv)); 1103 if (rv != SECSuccess) goto loser; 1104 1105 rv = ssl3_AppendHandshakeVariable(ss, ciphertext.data, ciphertext.len, 2); 1106 if (rv != SECSuccess) goto loser; 1107 1108 rv = ssl3_AppendHandshake(ss, computed_mac, computed_mac_length); 1109 if (rv != SECSuccess) goto loser; 1110 1111loser: 1112 if (plaintext_item.data) 1113 SECITEM_FreeItem(&plaintext_item, PR_FALSE); 1114 if (ciphertext.data) 1115 SECITEM_FreeItem(&ciphertext, PR_FALSE); 1116 1117 return rv; 1118} 1119 1120/* When a client receives a SessionTicket extension a NewSessionTicket 1121 * message is expected during the handshake. 1122 */ 1123SECStatus 1124ssl3_ClientHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type, 1125 SECItem *data) 1126{ 1127 if (data->len != 0) 1128 return SECFailure; 1129 1130 /* Keep track of negotiated extensions. */ 1131 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 1132 return SECSuccess; 1133} 1134 1135SECStatus 1136ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type, 1137 SECItem *data) 1138{ 1139 SECStatus rv; 1140 SECItem *decrypted_state = NULL; 1141 SessionTicket *parsed_session_ticket = NULL; 1142 sslSessionID *sid = NULL; 1143 SSL3Statistics *ssl3stats; 1144 1145 /* Ignore the SessionTicket extension if processing is disabled. */ 1146 if (!ss->opt.enableSessionTickets) 1147 return SECSuccess; 1148 1149 /* Keep track of negotiated extensions. */ 1150 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 1151 1152 /* Parse the received ticket sent in by the client. We are 1153 * lenient about some parse errors, falling back to a fullshake 1154 * instead of terminating the current connection. 1155 */ 1156 if (data->len == 0) { 1157 ss->xtnData.emptySessionTicket = PR_TRUE; 1158 } else { 1159 int i; 1160 SECItem extension_data; 1161 EncryptedSessionTicket enc_session_ticket; 1162 unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH]; 1163 unsigned int computed_mac_length; 1164#ifndef NO_PKCS11_BYPASS 1165 const SECHashObject *hashObj; 1166 const unsigned char *aes_key; 1167 const unsigned char *mac_key; 1168 PRUint32 aes_key_length; 1169 PRUint32 mac_key_length; 1170 PRUint64 hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS]; 1171 HMACContext *hmac_ctx; 1172 PRUint64 aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS]; 1173 AESContext *aes_ctx; 1174#endif 1175 PK11SymKey *aes_key_pkcs11; 1176 PK11SymKey *mac_key_pkcs11; 1177 PK11Context *hmac_ctx_pkcs11; 1178 CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC; 1179 PK11Context *aes_ctx_pkcs11; 1180 CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC; 1181 unsigned char * padding; 1182 PRUint32 padding_length; 1183 unsigned char *buffer; 1184 unsigned int buffer_len; 1185 PRInt32 temp; 1186 SECItem cert_item; 1187 PRInt8 nameType = TLS_STE_NO_SERVER_NAME; 1188 1189 /* Turn off stateless session resumption if the client sends a 1190 * SessionTicket extension, even if the extension turns out to be 1191 * malformed (ss->sec.ci.sid is non-NULL when doing session 1192 * renegotiation.) 1193 */ 1194 if (ss->sec.ci.sid != NULL) { 1195 if (ss->sec.uncache) 1196 ss->sec.uncache(ss->sec.ci.sid); 1197 ssl_FreeSID(ss->sec.ci.sid); 1198 ss->sec.ci.sid = NULL; 1199 } 1200 1201 extension_data.data = data->data; /* Keep a copy for future use. */ 1202 extension_data.len = data->len; 1203 1204 if (ssl3_ParseEncryptedSessionTicket(ss, data, &enc_session_ticket) 1205 != SECSuccess) 1206 return SECFailure; 1207 1208 /* Get session ticket keys. */ 1209#ifndef NO_PKCS11_BYPASS 1210 if (ss->opt.bypassPKCS11) { 1211 rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length, 1212 &mac_key, &mac_key_length); 1213 } else 1214#endif 1215 { 1216 rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11, 1217 &mac_key_pkcs11); 1218 } 1219 if (rv != SECSuccess) { 1220 SSL_DBG(("%d: SSL[%d]: Unable to get/generate session ticket keys.", 1221 SSL_GETPID(), ss->fd)); 1222 goto loser; 1223 } 1224 1225 /* If the ticket sent by the client was generated under a key different 1226 * from the one we have, bypass ticket processing. 1227 */ 1228 if (PORT_Memcmp(enc_session_ticket.key_name, key_name, 1229 SESS_TICKET_KEY_NAME_LEN) != 0) { 1230 SSL_DBG(("%d: SSL[%d]: Session ticket key_name sent mismatch.", 1231 SSL_GETPID(), ss->fd)); 1232 goto no_ticket; 1233 } 1234 1235 /* Verify the MAC on the ticket. MAC verification may also 1236 * fail if the MAC key has been recently refreshed. 1237 */ 1238#ifndef NO_PKCS11_BYPASS 1239 if (ss->opt.bypassPKCS11) { 1240 hmac_ctx = (HMACContext *)hmac_ctx_buf; 1241 hashObj = HASH_GetRawHashObject(HASH_AlgSHA256); 1242 if (HMAC_Init(hmac_ctx, hashObj, mac_key, 1243 sizeof(session_ticket_mac_key), PR_FALSE) != SECSuccess) 1244 goto no_ticket; 1245 HMAC_Begin(hmac_ctx); 1246 HMAC_Update(hmac_ctx, extension_data.data, 1247 extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH); 1248 if (HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length, 1249 sizeof(computed_mac)) != SECSuccess) 1250 goto no_ticket; 1251 } else 1252#endif 1253 { 1254 SECItem macParam; 1255 macParam.data = NULL; 1256 macParam.len = 0; 1257 hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech, 1258 CKA_SIGN, mac_key_pkcs11, &macParam); 1259 if (!hmac_ctx_pkcs11) { 1260 SSL_DBG(("%d: SSL[%d]: Unable to create HMAC context: %d.", 1261 SSL_GETPID(), ss->fd, PORT_GetError())); 1262 goto no_ticket; 1263 } else { 1264 SSL_DBG(("%d: SSL[%d]: Successfully created HMAC context.", 1265 SSL_GETPID(), ss->fd)); 1266 } 1267 rv = PK11_DigestBegin(hmac_ctx_pkcs11); 1268 rv = PK11_DigestOp(hmac_ctx_pkcs11, extension_data.data, 1269 extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH); 1270 if (rv != SECSuccess) { 1271 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); 1272 goto no_ticket; 1273 } 1274 rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac, 1275 &computed_mac_length, sizeof(computed_mac)); 1276 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); 1277 if (rv != SECSuccess) 1278 goto no_ticket; 1279 } 1280 if (NSS_SecureMemcmp(computed_mac, enc_session_ticket.mac, 1281 computed_mac_length) != 0) { 1282 SSL_DBG(("%d: SSL[%d]: Session ticket MAC mismatch.", 1283 SSL_GETPID(), ss->fd)); 1284 goto no_ticket; 1285 } 1286 1287 /* We ignore key_name for now. 1288 * This is ok as MAC verification succeeded. 1289 */ 1290 1291 /* Decrypt the ticket. */ 1292 1293 /* Plaintext is shorter than the ciphertext due to padding. */ 1294 decrypted_state = SECITEM_AllocItem(NULL, NULL, 1295 enc_session_ticket.encrypted_state.len); 1296 1297#ifndef NO_PKCS11_BYPASS 1298 if (ss->opt.bypassPKCS11) { 1299 aes_ctx = (AESContext *)aes_ctx_buf; 1300 rv = AES_InitContext(aes_ctx, aes_key, 1301 sizeof(session_ticket_enc_key), enc_session_ticket.iv, 1302 NSS_AES_CBC, 0,AES_BLOCK_SIZE); 1303 if (rv != SECSuccess) { 1304 SSL_DBG(("%d: SSL[%d]: Unable to create AES context.", 1305 SSL_GETPID(), ss->fd)); 1306 goto no_ticket; 1307 } 1308 1309 rv = AES_Decrypt(aes_ctx, decrypted_state->data, 1310 &decrypted_state->len, decrypted_state->len, 1311 enc_session_ticket.encrypted_state.data, 1312 enc_session_ticket.encrypted_state.len); 1313 if (rv != SECSuccess) 1314 goto no_ticket; 1315 } else 1316#endif 1317 { 1318 SECItem ivItem; 1319 ivItem.data = enc_session_ticket.iv; 1320 ivItem.len = AES_BLOCK_SIZE; 1321 aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech, 1322 CKA_DECRYPT, aes_key_pkcs11, &ivItem); 1323 if (!aes_ctx_pkcs11) { 1324 SSL_DBG(("%d: SSL[%d]: Unable to create AES context.", 1325 SSL_GETPID(), ss->fd)); 1326 goto no_ticket; 1327 } 1328 1329 rv = PK11_CipherOp(aes_ctx_pkcs11, decrypted_state->data, 1330 (int *)&decrypted_state->len, decrypted_state->len, 1331 enc_session_ticket.encrypted_state.data, 1332 enc_session_ticket.encrypted_state.len); 1333 PK11_Finalize(aes_ctx_pkcs11); 1334 PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE); 1335 if (rv != SECSuccess) 1336 goto no_ticket; 1337 } 1338 1339 /* Check padding. */ 1340 padding_length = 1341 (PRUint32)decrypted_state->data[decrypted_state->len - 1]; 1342 if (padding_length == 0 || padding_length > AES_BLOCK_SIZE) 1343 goto no_ticket; 1344 1345 padding = &decrypted_state->data[decrypted_state->len - padding_length]; 1346 for (i = 0; i < padding_length; i++, padding++) { 1347 if (padding_length != (PRUint32)*padding) 1348 goto no_ticket; 1349 } 1350 1351 /* Deserialize session state. */ 1352 buffer = decrypted_state->data; 1353 buffer_len = decrypted_state->len; 1354 1355 parsed_session_ticket = PORT_ZAlloc(sizeof(SessionTicket)); 1356 if (parsed_session_ticket == NULL) { 1357 rv = SECFailure; 1358 goto loser; 1359 } 1360 1361 /* Read ticket_version (which is ignored for now.) */ 1362 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); 1363 if (temp < 0) goto no_ticket; 1364 parsed_session_ticket->ticket_version = (SSL3ProtocolVersion)temp; 1365 1366 /* Read SSLVersion. */ 1367 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); 1368 if (temp < 0) goto no_ticket; 1369 parsed_session_ticket->ssl_version = (SSL3ProtocolVersion)temp; 1370 1371 /* Read cipher_suite. */ 1372 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); 1373 if (temp < 0) goto no_ticket; 1374 parsed_session_ticket->cipher_suite = (ssl3CipherSuite)temp; 1375 1376 /* Read compression_method. */ 1377 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); 1378 if (temp < 0) goto no_ticket; 1379 parsed_session_ticket->compression_method = (SSLCompressionMethod)temp; 1380 1381 /* Read cipher spec parameters. */ 1382 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); 1383 if (temp < 0) goto no_ticket; 1384 parsed_session_ticket->authAlgorithm = (SSLSignType)temp; 1385 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); 1386 if (temp < 0) goto no_ticket; 1387 parsed_session_ticket->authKeyBits = (PRUint32)temp; 1388 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); 1389 if (temp < 0) goto no_ticket; 1390 parsed_session_ticket->keaType = (SSLKEAType)temp; 1391 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); 1392 if (temp < 0) goto no_ticket; 1393 parsed_session_ticket->keaKeyBits = (PRUint32)temp; 1394 1395 /* Read wrapped master_secret. */ 1396 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); 1397 if (temp < 0) goto no_ticket; 1398 parsed_session_ticket->ms_is_wrapped = (PRBool)temp; 1399 1400 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); 1401 if (temp < 0) goto no_ticket; 1402 parsed_session_ticket->exchKeyType = (SSL3KEAType)temp; 1403 1404 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); 1405 if (temp < 0) goto no_ticket; 1406 parsed_session_ticket->msWrapMech = (CK_MECHANISM_TYPE)temp; 1407 1408 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); 1409 if (temp < 0) goto no_ticket; 1410 parsed_session_ticket->ms_length = (PRUint16)temp; 1411 if (parsed_session_ticket->ms_length == 0 || /* sanity check MS. */ 1412 parsed_session_ticket->ms_length > 1413 sizeof(parsed_session_ticket->master_secret)) 1414 goto no_ticket; 1415 1416 /* Allow for the wrapped master secret to be longer. */ 1417 if (buffer_len < sizeof(SSL3_MASTER_SECRET_LENGTH)) 1418 goto no_ticket; 1419 PORT_Memcpy(parsed_session_ticket->master_secret, buffer, 1420 parsed_session_ticket->ms_length); 1421 buffer += parsed_session_ticket->ms_length; 1422 buffer_len -= parsed_session_ticket->ms_length; 1423 1424 /* Read client_identity */ 1425 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); 1426 if (temp < 0) 1427 goto no_ticket; 1428 parsed_session_ticket->client_identity.client_auth_type = 1429 (ClientAuthenticationType)temp; 1430 switch(parsed_session_ticket->client_identity.client_auth_type) { 1431 case CLIENT_AUTH_ANONYMOUS: 1432 break; 1433 case CLIENT_AUTH_CERTIFICATE: 1434 rv = ssl3_ConsumeHandshakeVariable(ss, &cert_item, 3, 1435 &buffer, &buffer_len); 1436 if (rv != SECSuccess) goto no_ticket; 1437 rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->peer_cert, 1438 &cert_item); 1439 if (rv != SECSuccess) goto no_ticket; 1440 break; 1441 default: 1442 goto no_ticket; 1443 } 1444 /* Read timestamp. */ 1445 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); 1446 if (temp < 0) 1447 goto no_ticket; 1448 parsed_session_ticket->timestamp = (PRUint32)temp; 1449 1450 /* Read server name */ 1451 nameType = 1452 ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); 1453 if (nameType != TLS_STE_NO_SERVER_NAME) { 1454 SECItem name_item; 1455 rv = ssl3_ConsumeHandshakeVariable(ss, &name_item, 2, &buffer, 1456 &buffer_len); 1457 if (rv != SECSuccess) goto no_ticket; 1458 rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->srvName, 1459 &name_item); 1460 if (rv != SECSuccess) goto no_ticket; 1461 parsed_session_ticket->srvName.type = nameType; 1462 } 1463 1464 /* Done parsing. Check that all bytes have been consumed. */ 1465 if (buffer_len != padding_length) 1466 goto no_ticket; 1467 1468 /* Use the ticket if it has not expired, otherwise free the allocated 1469 * memory since the ticket is of no use. 1470 */ 1471 if (parsed_session_ticket->timestamp != 0 && 1472 parsed_session_ticket->timestamp + 1473 TLS_EX_SESS_TICKET_LIFETIME_HINT > ssl_Time()) { 1474 1475 sid = ssl3_NewSessionID(ss, PR_TRUE); 1476 if (sid == NULL) { 1477 rv = SECFailure; 1478 goto loser; 1479 } 1480 1481 /* Copy over parameters. */ 1482 sid->version = parsed_session_ticket->ssl_version; 1483 sid->u.ssl3.cipherSuite = parsed_session_ticket->cipher_suite; 1484 sid->u.ssl3.compression = parsed_session_ticket->compression_method; 1485 sid->authAlgorithm = parsed_session_ticket->authAlgorithm; 1486 sid->authKeyBits = parsed_session_ticket->authKeyBits; 1487 sid->keaType = parsed_session_ticket->keaType; 1488 sid->keaKeyBits = parsed_session_ticket->keaKeyBits; 1489 1490 /* Copy master secret. */ 1491#ifndef NO_PKCS11_BYPASS 1492 if (ss->opt.bypassPKCS11 && 1493 parsed_session_ticket->ms_is_wrapped) 1494 goto no_ticket; 1495#endif 1496 if (parsed_session_ticket->ms_length > 1497 sizeof(sid->u.ssl3.keys.wrapped_master_secret)) 1498 goto no_ticket; 1499 PORT_Memcpy(sid->u.ssl3.keys.wrapped_master_secret, 1500 parsed_session_ticket->master_secret, 1501 parsed_session_ticket->ms_length); 1502 sid->u.ssl3.keys.wrapped_master_secret_len = 1503 parsed_session_ticket->ms_length; 1504 sid->u.ssl3.exchKeyType = parsed_session_ticket->exchKeyType; 1505 sid->u.ssl3.masterWrapMech = parsed_session_ticket->msWrapMech; 1506 sid->u.ssl3.keys.msIsWrapped = 1507 parsed_session_ticket->ms_is_wrapped; 1508 sid->u.ssl3.masterValid = PR_TRUE; 1509 sid->u.ssl3.keys.resumable = PR_TRUE; 1510 1511 /* Copy over client cert from session ticket if there is one. */ 1512 if (parsed_session_ticket->peer_cert.data != NULL) { 1513 if (sid->peerCert != NULL) 1514 CERT_DestroyCertificate(sid->peerCert); 1515 sid->peerCert = CERT_NewTempCertificate(ss->dbHandle, 1516 &parsed_session_ticket->peer_cert, NULL, PR_FALSE, PR_TRUE); 1517 if (sid->peerCert == NULL) { 1518 rv = SECFailure; 1519 goto loser; 1520 } 1521 } 1522 if (parsed_session_ticket->srvName.data != NULL) { 1523 sid->u.ssl3.srvName = parsed_session_ticket->srvName; 1524 } 1525 ss->statelessResume = PR_TRUE; 1526 ss->sec.ci.sid = sid; 1527 } 1528 } 1529 1530 if (0) { 1531no_ticket: 1532 SSL_DBG(("%d: SSL[%d]: Session ticket parsing failed.", 1533 SSL_GETPID(), ss->fd)); 1534 ssl3stats = SSL_GetStatistics(); 1535 SSL_AtomicIncrementLong(& ssl3stats->hch_sid_ticket_parse_failures ); 1536 } 1537 rv = SECSuccess; 1538 1539loser: 1540 /* ss->sec.ci.sid == sid if it did NOT come here via goto statement 1541 * in that case do not free sid 1542 */ 1543 if (sid && (ss->sec.ci.sid != sid)) { 1544 ssl_FreeSID(sid); 1545 sid = NULL; 1546 } 1547 if (decrypted_state != NULL) { 1548 SECITEM_FreeItem(decrypted_state, PR_TRUE); 1549 decrypted_state = NULL; 1550 } 1551 1552 if (parsed_session_ticket != NULL) { 1553 if (parsed_session_ticket->peer_cert.data) { 1554 SECITEM_FreeItem(&parsed_session_ticket->peer_cert, PR_FALSE); 1555 } 1556 PORT_ZFree(parsed_session_ticket, sizeof(SessionTicket)); 1557 } 1558 1559 return rv; 1560} 1561 1562/* 1563 * Read bytes. Using this function means the SECItem structure 1564 * cannot be freed. The caller is expected to call this function 1565 * on a shallow copy of the structure. 1566 */ 1567static SECStatus 1568ssl3_ConsumeFromItem(SECItem *item, unsigned char **buf, PRUint32 bytes) 1569{ 1570 if (bytes > item->len) 1571 return SECFailure; 1572 1573 *buf = item->data; 1574 item->data += bytes; 1575 item->len -= bytes; 1576 return SECSuccess; 1577} 1578 1579static SECStatus 1580ssl3_ParseEncryptedSessionTicket(sslSocket *ss, SECItem *data, 1581 EncryptedSessionTicket *enc_session_ticket) 1582{ 1583 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->key_name, 1584 SESS_TICKET_KEY_NAME_LEN) != SECSuccess) 1585 return SECFailure; 1586 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->iv, 1587 AES_BLOCK_SIZE) != SECSuccess) 1588 return SECFailure; 1589 if (ssl3_ConsumeHandshakeVariable(ss, &enc_session_ticket->encrypted_state, 1590 2, &data->data, &data->len) != SECSuccess) 1591 return SECFailure; 1592 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->mac, 1593 TLS_EX_SESS_TICKET_MAC_LENGTH) != SECSuccess) 1594 return SECFailure; 1595 if (data->len != 0) /* Make sure that we have consumed all bytes. */ 1596 return SECFailure; 1597 1598 return SECSuccess; 1599} 1600 1601/* go through hello extensions in buffer "b". 1602 * For each one, find the extension handler in the table, and 1603 * if present, invoke that handler. 1604 * Servers ignore any extensions with unknown extension types. 1605 * Clients reject any extensions with unadvertised extension types. 1606 */ 1607SECStatus 1608ssl3_HandleHelloExtensions(sslSocket *ss, SSL3Opaque **b, PRUint32 *length) 1609{ 1610 const ssl3HelloExtensionHandler * handlers; 1611 1612 if (ss->sec.isServer) { 1613 handlers = clientHelloHandlers; 1614 } else if (ss->version > SSL_LIBRARY_VERSION_3_0) { 1615 handlers = serverHelloHandlersTLS; 1616 } else { 1617 handlers = serverHelloHandlersSSL3; 1618 } 1619 1620 while (*length) { 1621 const ssl3HelloExtensionHandler * handler; 1622 SECStatus rv; 1623 PRInt32 extension_type; 1624 SECItem extension_data; 1625 1626 /* Get the extension's type field */ 1627 extension_type = ssl3_ConsumeHandshakeNumber(ss, 2, b, length); 1628 if (extension_type < 0) /* failure to decode extension_type */ 1629 return SECFailure; /* alert already sent */ 1630 1631 /* get the data for this extension, so we can pass it or skip it. */ 1632 rv = ssl3_ConsumeHandshakeVariable(ss, &extension_data, 2, b, length); 1633 if (rv != SECSuccess) 1634 return rv; 1635 1636 /* Check whether the server sent an extension which was not advertised 1637 * in the ClientHello. 1638 */ 1639 if (!ss->sec.isServer && 1640 !ssl3_ClientExtensionAdvertised(ss, extension_type)) 1641 return SECFailure; /* TODO: send unsupported_extension alert */ 1642 1643 /* Check whether an extension has been sent multiple times. */ 1644 if (ssl3_ExtensionNegotiated(ss, extension_type)) 1645 return SECFailure; 1646 1647 /* find extension_type in table of Hello Extension Handlers */ 1648 for (handler = handlers; handler->ex_type >= 0; handler++) { 1649 /* if found, call this handler */ 1650 if (handler->ex_type == extension_type) { 1651 rv = (*handler->ex_handler)(ss, (PRUint16)extension_type, 1652 &extension_data); 1653 /* Ignore this result */ 1654 /* Treat all bad extensions as unrecognized types. */ 1655 break; 1656 } 1657 } 1658 } 1659 return SECSuccess; 1660} 1661 1662/* Add a callback function to the table of senders of server hello extensions. 1663 */ 1664SECStatus 1665ssl3_RegisterServerHelloExtensionSender(sslSocket *ss, PRUint16 ex_type, 1666 ssl3HelloExtensionSenderFunc cb) 1667{ 1668 int i; 1669 ssl3HelloExtensionSender *sender = &ss->xtnData.serverSenders[0]; 1670 1671 for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) { 1672 if (!sender->ex_sender) { 1673 sender->ex_type = ex_type; 1674 sender->ex_sender = cb; 1675 return SECSuccess; 1676 } 1677 /* detect duplicate senders */ 1678 PORT_Assert(sender->ex_type != ex_type); 1679 if (sender->ex_type == ex_type) { 1680 /* duplicate */ 1681 break; 1682 } 1683 } 1684 PORT_Assert(i < SSL_MAX_EXTENSIONS); /* table needs to grow */ 1685 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1686 return SECFailure; 1687} 1688 1689/* call each of the extension senders and return the accumulated length */ 1690PRInt32 1691ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes, 1692 const ssl3HelloExtensionSender *sender) 1693{ 1694 PRInt32 total_exten_len = 0; 1695 int i; 1696 1697 if (!sender) { 1698 sender = ss->version > SSL_LIBRARY_VERSION_3_0 ? 1699 &clientHelloSendersTLS[0] : &clientHelloSendersSSL3[0]; 1700 } 1701 1702 for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) { 1703 if (sender->ex_sender) { 1704 PRInt32 extLen = (*sender->ex_sender)(ss, append, maxBytes); 1705 if (extLen < 0) 1706 return -1; 1707 maxBytes -= extLen; 1708 total_exten_len += extLen; 1709 } 1710 } 1711 return total_exten_len; 1712} 1713 1714 1715/* Extension format: 1716 * Extension number: 2 bytes 1717 * Extension length: 2 bytes 1718 * Verify Data Length: 1 byte 1719 * Verify Data (TLS): 12 bytes (client) or 24 bytes (server) 1720 * Verify Data (SSL): 36 bytes (client) or 72 bytes (server) 1721 */ 1722static PRInt32 1723ssl3_SendRenegotiationInfoXtn( 1724 sslSocket * ss, 1725 PRBool append, 1726 PRUint32 maxBytes) 1727{ 1728 PRInt32 len, needed; 1729 1730 /* In draft-ietf-tls-renegotiation-03, it is NOT RECOMMENDED to send 1731 * both the SCSV and the empty RI, so when we send SCSV in 1732 * the initial handshake, we don't also send RI. 1733 */ 1734 if (!ss || ss->ssl3.hs.sendingSCSV) 1735 return 0; 1736 len = !ss->firstHsDone ? 0 : 1737 (ss->sec.isServer ? ss->ssl3.hs.finishedBytes * 2 1738 : ss->ssl3.hs.finishedBytes); 1739 needed = 5 + len; 1740 if (append && maxBytes >= needed) { 1741 SECStatus rv; 1742 /* extension_type */ 1743 rv = ssl3_AppendHandshakeNumber(ss, ssl_renegotiation_info_xtn, 2); 1744 if (rv != SECSuccess) return -1; 1745 /* length of extension_data */ 1746 rv = ssl3_AppendHandshakeNumber(ss, len + 1, 2); 1747 if (rv != SECSuccess) return -1; 1748 /* verify_Data from previous Finished message(s) */ 1749 rv = ssl3_AppendHandshakeVariable(ss, 1750 ss->ssl3.hs.finishedMsgs.data, len, 1); 1751 if (rv != SECSuccess) return -1; 1752 if (!ss->sec.isServer) { 1753 TLSExtensionData *xtnData = &ss->xtnData; 1754 xtnData->advertised[xtnData->numAdvertised++] = 1755 ssl_renegotiation_info_xtn; 1756 } 1757 } 1758 return needed; 1759} 1760 1761/* This function runs in both the client and server. */ 1762static SECStatus 1763ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) 1764{ 1765 SECStatus rv = SECSuccess; 1766 PRUint32 len = 0; 1767 1768 if (ss->firstHsDone) { 1769 len = ss->sec.isServer ? ss->ssl3.hs.finishedBytes 1770 : ss->ssl3.hs.finishedBytes * 2; 1771 } 1772 if (data->len != 1 + len || 1773 data->data[0] != len || (len && 1774 NSS_SecureMemcmp(ss->ssl3.hs.finishedMsgs.data, 1775 data->data + 1, len))) { 1776 /* Can we do this here? Or, must we arrange for the caller to do it? */ 1777 (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure); 1778 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); 1779 return SECFailure; 1780 } 1781 /* remember that we got this extension and it was correct. */ 1782 ss->peerRequestedProtection = 1; 1783 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 1784 if (ss->sec.isServer) { 1785 /* prepare to send back the appropriate response */ 1786 rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type, 1787 ssl3_SendRenegotiationInfoXtn); 1788 } 1789 return rv; 1790} 1791 1792static PRInt32 1793ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes) 1794{ 1795 PRUint32 ext_data_len; 1796 PRInt16 i; 1797 SECStatus rv; 1798 1799 if (!ss) 1800 return 0; 1801 1802 if (!ss->sec.isServer) { 1803 /* Client side */ 1804 1805 if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) 1806 return 0; /* Not relevant */ 1807 1808 ext_data_len = 2 + 2 * ss->ssl3.dtlsSRTPCipherCount + 1; 1809 1810 if (append && maxBytes >= 4 + ext_data_len) { 1811 /* Extension type */ 1812 rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2); 1813 if (rv != SECSuccess) return -1; 1814 /* Length of extension data */ 1815 rv = ssl3_AppendHandshakeNumber(ss, ext_data_len, 2); 1816 if (rv != SECSuccess) return -1; 1817 /* Length of the SRTP cipher list */ 1818 rv = ssl3_AppendHandshakeNumber(ss, 1819 2 * ss->ssl3.dtlsSRTPCipherCount, 1820 2); 1821 if (rv != SECSuccess) return -1; 1822 /* The SRTP ciphers */ 1823 for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) { 1824 rv = ssl3_AppendHandshakeNumber(ss, 1825 ss->ssl3.dtlsSRTPCiphers[i], 1826 2); 1827 } 1828 /* Empty MKI value */ 1829 ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); 1830 1831 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = 1832 ssl_use_srtp_xtn; 1833 } 1834 1835 return 4 + ext_data_len; 1836 } 1837 1838 /* Server side */ 1839 if (append && maxBytes >= 9) { 1840 /* Extension type */ 1841 rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2); 1842 if (rv != SECSuccess) return -1; 1843 /* Length of extension data */ 1844 rv = ssl3_AppendHandshakeNumber(ss, 5, 2); 1845 if (rv != SECSuccess) return -1; 1846 /* Length of the SRTP cipher list */ 1847 rv = ssl3_AppendHandshakeNumber(ss, 2, 2); 1848 if (rv != SECSuccess) return -1; 1849 /* The selected cipher */ 1850 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.dtlsSRTPCipherSuite, 2); 1851 if (rv != SECSuccess) return -1; 1852 /* Empty MKI value */ 1853 ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); 1854 } 1855 1856 return 9; 1857} 1858 1859static SECStatus 1860ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data) 1861{ 1862 SECStatus rv; 1863 SECItem ciphers = {siBuffer, NULL, 0}; 1864 PRUint16 i; 1865 unsigned int j; 1866 PRUint16 cipher = 0; 1867 PRBool found = PR_FALSE; 1868 SECItem litem; 1869 1870 if (!ss->sec.isServer) { 1871 /* Client side */ 1872 if (!data->data || !data->len) { 1873 /* malformed */ 1874 return SECFailure; 1875 } 1876 1877 /* Get the cipher list */ 1878 rv = ssl3_ConsumeHandshakeVariable(ss, &ciphers, 2, 1879 &data->data, &data->len); 1880 if (rv != SECSuccess) { 1881 return SECFailure; 1882 } 1883 /* Now check that the number of ciphers listed is 1 (len = 2) */ 1884 if (ciphers.len != 2) { 1885 return SECFailure; 1886 } 1887 1888 /* Get the selected cipher */ 1889 cipher = (ciphers.data[0] << 8) | ciphers.data[1]; 1890 1891 /* Now check that this is one of the ciphers we offered */ 1892 for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) { 1893 if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) { 1894 found = PR_TRUE; 1895 break; 1896 } 1897 } 1898 1899 if (!found) { 1900 return SECFailure; 1901 } 1902 1903 /* Get the srtp_mki value */ 1904 rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 1, 1905 &data->data, &data->len); 1906 if (rv != SECSuccess) { 1907 return SECFailure; 1908 } 1909 1910 /* We didn't offer an MKI, so this must be 0 length */ 1911 /* XXX RFC 5764 Section 4.1.3 says: 1912 * If the client detects a nonzero-length MKI in the server's 1913 * response that is different than the one the client offered, 1914 * then the client MUST abort the handshake and SHOULD send an 1915 * invalid_parameter alert. 1916 * 1917 * Due to a limitation of the ssl3_HandleHelloExtensions function, 1918 * returning SECFailure here won't abort the handshake. It will 1919 * merely cause the use_srtp extension to be not negotiated. We 1920 * should fix this. See NSS bug 753136. 1921 */ 1922 if (litem.len != 0) { 1923 return SECFailure; 1924 } 1925 1926 if (data->len != 0) { 1927 /* malformed */ 1928 return SECFailure; 1929 } 1930 1931 /* OK, this looks fine. */ 1932 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn; 1933 ss->ssl3.dtlsSRTPCipherSuite = cipher; 1934 return SECSuccess; 1935 } 1936 1937 /* Server side */ 1938 if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) { 1939 /* Ignore the extension if we aren't doing DTLS or no DTLS-SRTP 1940 * preferences have been set. */ 1941 return SECSuccess; 1942 } 1943 1944 if (!data->data || data->len < 5) { 1945 /* malformed */ 1946 return SECFailure; 1947 } 1948 1949 /* Get the cipher list */ 1950 rv = ssl3_ConsumeHandshakeVariable(ss, &ciphers, 2, 1951 &data->data, &data->len); 1952 if (rv != SECSuccess) { 1953 return SECFailure; 1954 } 1955 /* Check that the list is even length */ 1956 if (ciphers.len % 2) { 1957 return SECFailure; 1958 } 1959 1960 /* Walk through the offered list and pick the most preferred of our 1961 * ciphers, if any */ 1962 for (i = 0; !found && i < ss->ssl3.dtlsSRTPCipherCount; i++) { 1963 for (j = 0; j + 1 < ciphers.len; j += 2) { 1964 cipher = (ciphers.data[j] << 8) | ciphers.data[j + 1]; 1965 if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) { 1966 found = PR_TRUE; 1967 break; 1968 } 1969 } 1970 } 1971 1972 /* Get the srtp_mki value */ 1973 rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 1, &data->data, &data->len); 1974 if (rv != SECSuccess) { 1975 return SECFailure; 1976 } 1977 1978 if (data->len != 0) { 1979 return SECFailure; /* Malformed */ 1980 } 1981 1982 /* Now figure out what to do */ 1983 if (!found) { 1984 /* No matching ciphers */ 1985 return SECSuccess; 1986 } 1987 1988 /* OK, we have a valid cipher and we've selected it */ 1989 ss->ssl3.dtlsSRTPCipherSuite = cipher; 1990 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn; 1991 1992 return ssl3_RegisterServerHelloExtensionSender(ss, ssl_use_srtp_xtn, 1993 ssl3_SendUseSRTPXtn); 1994} 1995