ssl3ext.c revision c2e0dbddbe15c98d52c4786dac06cb8952a8ae6d
1/* 2 * SSL3 Protocol 3 * 4 * This Source Code Form is subject to the terms of the Mozilla Public 5 * License, v. 2.0. If a copy of the MPL was not distributed with this 6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 7 8/* TLS extension code moved here from ssl3ecc.c */ 9/* $Id$ */ 10 11#include "nssrenam.h" 12#include "nss.h" 13#include "ssl.h" 14#include "sslimpl.h" 15#include "sslproto.h" 16#include "pk11pub.h" 17#ifdef NO_PKCS11_BYPASS 18#include "blapit.h" 19#else 20#include "blapi.h" 21#endif 22#include "prinit.h" 23 24static unsigned char key_name[SESS_TICKET_KEY_NAME_LEN]; 25static PK11SymKey *session_ticket_enc_key_pkcs11 = NULL; 26static PK11SymKey *session_ticket_mac_key_pkcs11 = NULL; 27 28#ifndef NO_PKCS11_BYPASS 29static unsigned char session_ticket_enc_key[AES_256_KEY_LENGTH]; 30static unsigned char session_ticket_mac_key[SHA256_LENGTH]; 31 32static PRBool session_ticket_keys_initialized = PR_FALSE; 33#endif 34static PRCallOnceType generate_session_keys_once; 35 36/* forward static function declarations */ 37static SECStatus ssl3_ParseEncryptedSessionTicket(sslSocket *ss, 38 SECItem *data, EncryptedSessionTicket *enc_session_ticket); 39static SECStatus ssl3_AppendToItem(SECItem *item, const unsigned char *buf, 40 PRUint32 bytes); 41static SECStatus ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, 42 PRInt32 lenSize); 43static SECStatus ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss, 44 PK11SymKey **aes_key, PK11SymKey **mac_key); 45#ifndef NO_PKCS11_BYPASS 46static SECStatus ssl3_GetSessionTicketKeys(const unsigned char **aes_key, 47 PRUint32 *aes_key_length, const unsigned char **mac_key, 48 PRUint32 *mac_key_length); 49#endif 50static PRInt32 ssl3_SendRenegotiationInfoXtn(sslSocket * ss, 51 PRBool append, PRUint32 maxBytes); 52static SECStatus ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, 53 PRUint16 ex_type, SECItem *data); 54static SECStatus ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, 55 PRUint16 ex_type, SECItem *data); 56static SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss, 57 PRUint16 ex_type, SECItem *data); 58static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append, 59 PRUint32 maxBytes); 60static PRInt32 ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append, 61 PRUint32 maxBytes); 62static SECStatus ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, 63 SECItem *data); 64static SECStatus ssl3_ClientHandleChannelIDXtn(sslSocket *ss, 65 PRUint16 ex_type, SECItem *data); 66static PRInt32 ssl3_ClientSendChannelIDXtn(sslSocket *ss, PRBool append, 67 PRUint32 maxBytes); 68static SECStatus ssl3_ServerSendStatusRequestXtn(sslSocket * ss, 69 PRBool append, PRUint32 maxBytes); 70static SECStatus ssl3_ServerHandleStatusRequestXtn(sslSocket *ss, 71 PRUint16 ex_type, SECItem *data); 72static SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, 73 PRUint16 ex_type, 74 SECItem *data); 75static PRInt32 ssl3_ClientSendStatusRequestXtn(sslSocket * ss, PRBool append, 76 PRUint32 maxBytes); 77 78/* 79 * Write bytes. Using this function means the SECItem structure 80 * cannot be freed. The caller is expected to call this function 81 * on a shallow copy of the structure. 82 */ 83static SECStatus 84ssl3_AppendToItem(SECItem *item, const unsigned char *buf, PRUint32 bytes) 85{ 86 if (bytes > item->len) 87 return SECFailure; 88 89 PORT_Memcpy(item->data, buf, bytes); 90 item->data += bytes; 91 item->len -= bytes; 92 return SECSuccess; 93} 94 95/* 96 * Write a number in network byte order. Using this function means the 97 * SECItem structure cannot be freed. The caller is expected to call 98 * this function on a shallow copy of the structure. 99 */ 100static SECStatus 101ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, PRInt32 lenSize) 102{ 103 SECStatus rv; 104 uint8 b[4]; 105 uint8 * p = b; 106 107 switch (lenSize) { 108 case 4: 109 *p++ = (uint8) (num >> 24); 110 case 3: 111 *p++ = (uint8) (num >> 16); 112 case 2: 113 *p++ = (uint8) (num >> 8); 114 case 1: 115 *p = (uint8) num; 116 } 117 rv = ssl3_AppendToItem(item, &b[0], lenSize); 118 return rv; 119} 120 121static SECStatus ssl3_SessionTicketShutdown(void* appData, void* nssData) 122{ 123 if (session_ticket_enc_key_pkcs11) { 124 PK11_FreeSymKey(session_ticket_enc_key_pkcs11); 125 session_ticket_enc_key_pkcs11 = NULL; 126 } 127 if (session_ticket_mac_key_pkcs11) { 128 PK11_FreeSymKey(session_ticket_mac_key_pkcs11); 129 session_ticket_mac_key_pkcs11 = NULL; 130 } 131 PORT_Memset(&generate_session_keys_once, 0, 132 sizeof(generate_session_keys_once)); 133 return SECSuccess; 134} 135 136 137static PRStatus 138ssl3_GenerateSessionTicketKeysPKCS11(void *data) 139{ 140 SECStatus rv; 141 sslSocket *ss = (sslSocket *)data; 142 SECKEYPrivateKey *svrPrivKey = ss->serverCerts[kt_rsa].SERVERKEY; 143 SECKEYPublicKey *svrPubKey = ss->serverCerts[kt_rsa].serverKeyPair->pubKey; 144 145 if (svrPrivKey == NULL || svrPubKey == NULL) { 146 SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.", 147 SSL_GETPID(), ss->fd)); 148 goto loser; 149 } 150 151 /* Get a copy of the session keys from shared memory. */ 152 PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX, 153 sizeof(SESS_TICKET_KEY_NAME_PREFIX)); 154 if (!ssl_GetSessionTicketKeysPKCS11(svrPrivKey, svrPubKey, 155 ss->pkcs11PinArg, &key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN], 156 &session_ticket_enc_key_pkcs11, &session_ticket_mac_key_pkcs11)) 157 return PR_FAILURE; 158 159 rv = NSS_RegisterShutdown(ssl3_SessionTicketShutdown, NULL); 160 if (rv != SECSuccess) 161 goto loser; 162 163 return PR_SUCCESS; 164 165loser: 166 ssl3_SessionTicketShutdown(NULL, NULL); 167 return PR_FAILURE; 168} 169 170static SECStatus 171ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss, PK11SymKey **aes_key, 172 PK11SymKey **mac_key) 173{ 174 if (PR_CallOnceWithArg(&generate_session_keys_once, 175 ssl3_GenerateSessionTicketKeysPKCS11, ss) != PR_SUCCESS) 176 return SECFailure; 177 178 if (session_ticket_enc_key_pkcs11 == NULL || 179 session_ticket_mac_key_pkcs11 == NULL) 180 return SECFailure; 181 182 *aes_key = session_ticket_enc_key_pkcs11; 183 *mac_key = session_ticket_mac_key_pkcs11; 184 return SECSuccess; 185} 186 187#ifndef NO_PKCS11_BYPASS 188static PRStatus 189ssl3_GenerateSessionTicketKeys(void) 190{ 191 PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX, 192 sizeof(SESS_TICKET_KEY_NAME_PREFIX)); 193 194 if (!ssl_GetSessionTicketKeys(&key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN], 195 session_ticket_enc_key, session_ticket_mac_key)) 196 return PR_FAILURE; 197 198 session_ticket_keys_initialized = PR_TRUE; 199 return PR_SUCCESS; 200} 201 202static SECStatus 203ssl3_GetSessionTicketKeys(const unsigned char **aes_key, 204 PRUint32 *aes_key_length, const unsigned char **mac_key, 205 PRUint32 *mac_key_length) 206{ 207 if (PR_CallOnce(&generate_session_keys_once, 208 ssl3_GenerateSessionTicketKeys) != SECSuccess) 209 return SECFailure; 210 211 if (!session_ticket_keys_initialized) 212 return SECFailure; 213 214 *aes_key = session_ticket_enc_key; 215 *aes_key_length = sizeof(session_ticket_enc_key); 216 *mac_key = session_ticket_mac_key; 217 *mac_key_length = sizeof(session_ticket_mac_key); 218 219 return SECSuccess; 220} 221#endif 222 223/* Table of handlers for received TLS hello extensions, one per extension. 224 * In the second generation, this table will be dynamic, and functions 225 * will be registered here. 226 */ 227/* This table is used by the server, to handle client hello extensions. */ 228static const ssl3HelloExtensionHandler clientHelloHandlers[] = { 229 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, 230#ifdef NSS_ENABLE_ECC 231 { ssl_elliptic_curves_xtn, &ssl3_HandleSupportedCurvesXtn }, 232 { ssl_ec_point_formats_xtn, &ssl3_HandleSupportedPointFormatsXtn }, 233#endif 234 { ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn }, 235 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, 236 { ssl_next_proto_nego_xtn, &ssl3_ServerHandleNextProtoNegoXtn }, 237 { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn }, 238 { ssl_cert_status_xtn, &ssl3_ServerHandleStatusRequestXtn }, 239 { -1, NULL } 240}; 241 242/* These two tables are used by the client, to handle server hello 243 * extensions. */ 244static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = { 245 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, 246 /* TODO: add a handler for ssl_ec_point_formats_xtn */ 247 { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn }, 248 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, 249 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, 250 { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn }, 251 { ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn }, 252 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, 253 { -1, NULL } 254}; 255 256static const ssl3HelloExtensionHandler serverHelloHandlersSSL3[] = { 257 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, 258 { -1, NULL } 259}; 260 261/* Tables of functions to format TLS hello extensions, one function per 262 * extension. 263 * These static tables are for the formatting of client hello extensions. 264 * The server's table of hello senders is dynamic, in the socket struct, 265 * and sender functions are registered there. 266 */ 267static const 268ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = { 269 { ssl_server_name_xtn, &ssl3_SendServerNameXtn }, 270 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn }, 271#ifdef NSS_ENABLE_ECC 272 { ssl_elliptic_curves_xtn, &ssl3_SendSupportedCurvesXtn }, 273 { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn }, 274#endif 275 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, 276 { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, 277 { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn }, 278 { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn }, 279 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn } 280 /* any extra entries will appear as { 0, NULL } */ 281}; 282 283static const 284ssl3HelloExtensionSender clientHelloSendersSSL3[SSL_MAX_EXTENSIONS] = { 285 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn } 286 /* any extra entries will appear as { 0, NULL } */ 287}; 288 289static PRBool 290arrayContainsExtension(const PRUint16 *array, PRUint32 len, PRUint16 ex_type) 291{ 292 int i; 293 for (i = 0; i < len; i++) { 294 if (ex_type == array[i]) 295 return PR_TRUE; 296 } 297 return PR_FALSE; 298} 299 300PRBool 301ssl3_ExtensionNegotiated(sslSocket *ss, PRUint16 ex_type) { 302 TLSExtensionData *xtnData = &ss->xtnData; 303 return arrayContainsExtension(xtnData->negotiated, 304 xtnData->numNegotiated, ex_type); 305} 306 307static PRBool 308ssl3_ClientExtensionAdvertised(sslSocket *ss, PRUint16 ex_type) { 309 TLSExtensionData *xtnData = &ss->xtnData; 310 return arrayContainsExtension(xtnData->advertised, 311 xtnData->numAdvertised, ex_type); 312} 313 314/* Format an SNI extension, using the name from the socket's URL, 315 * unless that name is a dotted decimal string. 316 * Used by client and server. 317 */ 318PRInt32 319ssl3_SendServerNameXtn(sslSocket * ss, PRBool append, 320 PRUint32 maxBytes) 321{ 322 SECStatus rv; 323 if (!ss) 324 return 0; 325 if (!ss->sec.isServer) { 326 PRUint32 len; 327 PRNetAddr netAddr; 328 329 /* must have a hostname */ 330 if (!ss->url || !ss->url[0]) 331 return 0; 332 /* must not be an IPv4 or IPv6 address */ 333 if (PR_SUCCESS == PR_StringToNetAddr(ss->url, &netAddr)) { 334 /* is an IP address (v4 or v6) */ 335 return 0; 336 } 337 len = PORT_Strlen(ss->url); 338 if (append && maxBytes >= len + 9) { 339 /* extension_type */ 340 rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2); 341 if (rv != SECSuccess) return -1; 342 /* length of extension_data */ 343 rv = ssl3_AppendHandshakeNumber(ss, len + 5, 2); 344 if (rv != SECSuccess) return -1; 345 /* length of server_name_list */ 346 rv = ssl3_AppendHandshakeNumber(ss, len + 3, 2); 347 if (rv != SECSuccess) return -1; 348 /* Name Type (sni_host_name) */ 349 rv = ssl3_AppendHandshake(ss, "\0", 1); 350 if (rv != SECSuccess) return -1; 351 /* HostName (length and value) */ 352 rv = ssl3_AppendHandshakeVariable(ss, (PRUint8 *)ss->url, len, 2); 353 if (rv != SECSuccess) return -1; 354 if (!ss->sec.isServer) { 355 TLSExtensionData *xtnData = &ss->xtnData; 356 xtnData->advertised[xtnData->numAdvertised++] = 357 ssl_server_name_xtn; 358 } 359 } 360 return len + 9; 361 } 362 /* Server side */ 363 if (append && maxBytes >= 4) { 364 rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2); 365 if (rv != SECSuccess) return -1; 366 /* length of extension_data */ 367 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); 368 if (rv != SECSuccess) return -1; 369 } 370 return 4; 371} 372 373/* handle an incoming SNI extension, by ignoring it. */ 374SECStatus 375ssl3_HandleServerNameXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data) 376{ 377 SECItem *names = NULL; 378 PRUint32 listCount = 0, namesPos = 0, i; 379 TLSExtensionData *xtnData = &ss->xtnData; 380 SECItem ldata; 381 PRInt32 listLenBytes = 0; 382 383 if (!ss->sec.isServer) { 384 /* Verify extension_data is empty. */ 385 if (data->data || data->len || 386 !ssl3_ExtensionNegotiated(ss, ssl_server_name_xtn)) { 387 /* malformed or was not initiated by the client.*/ 388 return SECFailure; 389 } 390 return SECSuccess; 391 } 392 393 /* Server side - consume client data and register server sender. */ 394 /* do not parse the data if don't have user extension handling function. */ 395 if (!ss->sniSocketConfig) { 396 return SECSuccess; 397 } 398 /* length of server_name_list */ 399 listLenBytes = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len); 400 if (listLenBytes == 0 || listLenBytes != data->len) { 401 return SECFailure; 402 } 403 ldata = *data; 404 /* Calculate the size of the array.*/ 405 while (listLenBytes > 0) { 406 SECItem litem; 407 SECStatus rv; 408 PRInt32 type; 409 /* Name Type (sni_host_name) */ 410 type = ssl3_ConsumeHandshakeNumber(ss, 1, &ldata.data, &ldata.len); 411 if (!ldata.len) { 412 return SECFailure; 413 } 414 rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 2, &ldata.data, &ldata.len); 415 if (rv != SECSuccess) { 416 return SECFailure; 417 } 418 /* Adjust total length for cunsumed item, item len and type.*/ 419 listLenBytes -= litem.len + 3; 420 if (listLenBytes > 0 && !ldata.len) { 421 return SECFailure; 422 } 423 listCount += 1; 424 } 425 if (!listCount) { 426 return SECFailure; 427 } 428 names = PORT_ZNewArray(SECItem, listCount); 429 if (!names) { 430 return SECFailure; 431 } 432 for (i = 0;i < listCount;i++) { 433 int j; 434 PRInt32 type; 435 SECStatus rv; 436 PRBool nametypePresent = PR_FALSE; 437 /* Name Type (sni_host_name) */ 438 type = ssl3_ConsumeHandshakeNumber(ss, 1, &data->data, &data->len); 439 /* Check if we have such type in the list */ 440 for (j = 0;j < listCount && names[j].data;j++) { 441 if (names[j].type == type) { 442 nametypePresent = PR_TRUE; 443 break; 444 } 445 } 446 /* HostName (length and value) */ 447 rv = ssl3_ConsumeHandshakeVariable(ss, &names[namesPos], 2, 448 &data->data, &data->len); 449 if (rv != SECSuccess) { 450 goto loser; 451 } 452 if (nametypePresent == PR_FALSE) { 453 namesPos += 1; 454 } 455 } 456 /* Free old and set the new data. */ 457 if (xtnData->sniNameArr) { 458 PORT_Free(ss->xtnData.sniNameArr); 459 } 460 xtnData->sniNameArr = names; 461 xtnData->sniNameArrSize = namesPos; 462 xtnData->negotiated[xtnData->numNegotiated++] = ssl_server_name_xtn; 463 464 return SECSuccess; 465 466loser: 467 PORT_Free(names); 468 return SECFailure; 469} 470 471/* Called by both clients and servers. 472 * Clients sends a filled in session ticket if one is available, and otherwise 473 * sends an empty ticket. Servers always send empty tickets. 474 */ 475PRInt32 476ssl3_SendSessionTicketXtn( 477 sslSocket * ss, 478 PRBool append, 479 PRUint32 maxBytes) 480{ 481 PRInt32 extension_length; 482 NewSessionTicket *session_ticket = NULL; 483 484 /* Ignore the SessionTicket extension if processing is disabled. */ 485 if (!ss->opt.enableSessionTickets) 486 return 0; 487 488 /* Empty extension length = extension_type (2-bytes) + 489 * length(extension_data) (2-bytes) 490 */ 491 extension_length = 4; 492 493 /* If we are a client then send a session ticket if one is availble. 494 * Servers that support the extension and are willing to negotiate the 495 * the extension always respond with an empty extension. 496 */ 497 if (!ss->sec.isServer) { 498 sslSessionID *sid = ss->sec.ci.sid; 499 session_ticket = &sid->u.ssl3.sessionTicket; 500 if (session_ticket->ticket.data) { 501 if (ss->xtnData.ticketTimestampVerified) { 502 extension_length += session_ticket->ticket.len; 503 } else if (!append && 504 (session_ticket->ticket_lifetime_hint == 0 || 505 (session_ticket->ticket_lifetime_hint + 506 session_ticket->received_timestamp > ssl_Time()))) { 507 extension_length += session_ticket->ticket.len; 508 ss->xtnData.ticketTimestampVerified = PR_TRUE; 509 } 510 } 511 } 512 513 if (append && maxBytes >= extension_length) { 514 SECStatus rv; 515 /* extension_type */ 516 rv = ssl3_AppendHandshakeNumber(ss, ssl_session_ticket_xtn, 2); 517 if (rv != SECSuccess) 518 goto loser; 519 if (session_ticket && session_ticket->ticket.data && 520 ss->xtnData.ticketTimestampVerified) { 521 rv = ssl3_AppendHandshakeVariable(ss, session_ticket->ticket.data, 522 session_ticket->ticket.len, 2); 523 ss->xtnData.ticketTimestampVerified = PR_FALSE; 524 } else { 525 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); 526 } 527 if (rv != SECSuccess) 528 goto loser; 529 530 if (!ss->sec.isServer) { 531 TLSExtensionData *xtnData = &ss->xtnData; 532 xtnData->advertised[xtnData->numAdvertised++] = 533 ssl_session_ticket_xtn; 534 } 535 } else if (maxBytes < extension_length) { 536 PORT_Assert(0); 537 return 0; 538 } 539 return extension_length; 540 541 loser: 542 ss->xtnData.ticketTimestampVerified = PR_FALSE; 543 return -1; 544} 545 546/* handle an incoming Next Protocol Negotiation extension. */ 547static SECStatus 548ssl3_ServerHandleNextProtoNegoXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data) 549{ 550 if (ss->firstHsDone || data->len != 0) { 551 /* Clients MUST send an empty NPN extension, if any. */ 552 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); 553 return SECFailure; 554 } 555 556 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 557 558 /* TODO: server side NPN support would require calling 559 * ssl3_RegisterServerHelloExtensionSender here in order to echo the 560 * extension back to the client. */ 561 562 return SECSuccess; 563} 564 565/* ssl3_ValidateNextProtoNego checks that the given block of data is valid: none 566 * of the lengths may be 0 and the sum of the lengths must equal the length of 567 * the block. */ 568SECStatus 569ssl3_ValidateNextProtoNego(const unsigned char* data, unsigned int length) 570{ 571 unsigned int offset = 0; 572 573 while (offset < length) { 574 unsigned int newOffset = offset + 1 + (unsigned int) data[offset]; 575 /* Reject embedded nulls to protect against buggy applications that 576 * store protocol identifiers in null-terminated strings. 577 */ 578 if (newOffset > length || data[offset] == 0) { 579 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); 580 return SECFailure; 581 } 582 offset = newOffset; 583 } 584 585 if (offset > length) { 586 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); 587 return SECFailure; 588 } 589 590 return SECSuccess; 591} 592 593static SECStatus 594ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type, 595 SECItem *data) 596{ 597 SECStatus rv; 598 unsigned char resultBuffer[255]; 599 SECItem result = { siBuffer, resultBuffer, 0 }; 600 601 PORT_Assert(!ss->firstHsDone); 602 603 rv = ssl3_ValidateNextProtoNego(data->data, data->len); 604 if (rv != SECSuccess) 605 return rv; 606 607 /* ss->nextProtoCallback cannot normally be NULL if we negotiated the 608 * extension. However, It is possible that an application erroneously 609 * cleared the callback between the time we sent the ClientHello and now. 610 */ 611 PORT_Assert(ss->nextProtoCallback != NULL); 612 if (!ss->nextProtoCallback) { 613 /* XXX Use a better error code. This is an application error, not an 614 * NSS bug. */ 615 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 616 return SECFailure; 617 } 618 619 rv = ss->nextProtoCallback(ss->nextProtoArg, ss->fd, data->data, data->len, 620 result.data, &result.len, sizeof resultBuffer); 621 if (rv != SECSuccess) 622 return rv; 623 /* If the callback wrote more than allowed to |result| it has corrupted our 624 * stack. */ 625 if (result.len > sizeof resultBuffer) { 626 PORT_SetError(SEC_ERROR_OUTPUT_LEN); 627 return SECFailure; 628 } 629 630 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 631 632 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); 633 return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &result); 634} 635 636static PRInt32 637ssl3_ClientSendNextProtoNegoXtn(sslSocket * ss, PRBool append, 638 PRUint32 maxBytes) 639{ 640 PRInt32 extension_length; 641 642 /* Renegotiations do not send this extension. */ 643 if (!ss->nextProtoCallback || ss->firstHsDone) { 644 return 0; 645 } 646 647 extension_length = 4; 648 649 if (append && maxBytes >= extension_length) { 650 SECStatus rv; 651 rv = ssl3_AppendHandshakeNumber(ss, ssl_next_proto_nego_xtn, 2); 652 if (rv != SECSuccess) 653 goto loser; 654 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); 655 if (rv != SECSuccess) 656 goto loser; 657 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = 658 ssl_next_proto_nego_xtn; 659 } else if (maxBytes < extension_length) { 660 return 0; 661 } 662 663 return extension_length; 664 665loser: 666 return -1; 667} 668 669static SECStatus 670ssl3_ClientHandleChannelIDXtn(sslSocket *ss, PRUint16 ex_type, 671 SECItem *data) 672{ 673 PORT_Assert(ss->getChannelID != NULL); 674 675 if (data->len) { 676 PORT_SetError(SSL_ERROR_BAD_CHANNEL_ID_DATA); 677 return SECFailure; 678 } 679 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 680 return SECSuccess; 681} 682 683static PRInt32 684ssl3_ClientSendChannelIDXtn(sslSocket * ss, PRBool append, 685 PRUint32 maxBytes) 686{ 687 PRInt32 extension_length = 4; 688 689 if (!ss->getChannelID) 690 return 0; 691 692 if (maxBytes < extension_length) { 693 PORT_Assert(0); 694 return 0; 695 } 696 697 if (append) { 698 SECStatus rv; 699 rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2); 700 if (rv != SECSuccess) 701 goto loser; 702 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); 703 if (rv != SECSuccess) 704 goto loser; 705 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = 706 ssl_channel_id_xtn; 707 } 708 709 return extension_length; 710 711loser: 712 return -1; 713} 714 715static SECStatus 716ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type, 717 SECItem *data) 718{ 719 /* The echoed extension must be empty. */ 720 if (data->len != 0) 721 return SECFailure; 722 723 /* Keep track of negotiated extensions. */ 724 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 725 726 return SECSuccess; 727} 728 729static PRInt32 730ssl3_ServerSendStatusRequestXtn( 731 sslSocket * ss, 732 PRBool append, 733 PRUint32 maxBytes) 734{ 735 PRInt32 extension_length; 736 SECStatus rv; 737 738 if (!ss->certStatusArray) 739 return 0; 740 741 extension_length = 2 + 2; 742 if (append && maxBytes >= extension_length) { 743 /* extension_type */ 744 rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2); 745 if (rv != SECSuccess) 746 return -1; 747 /* length of extension_data */ 748 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); 749 if (rv != SECSuccess) 750 return -1; 751 } 752 753 return extension_length; 754} 755 756/* ssl3_ClientSendStatusRequestXtn builds the status_request extension on the 757 * client side. See RFC 4366 section 3.6. */ 758static PRInt32 759ssl3_ClientSendStatusRequestXtn(sslSocket * ss, PRBool append, 760 PRUint32 maxBytes) 761{ 762 PRInt32 extension_length; 763 764 if (!ss->opt.enableOCSPStapling) 765 return 0; 766 767 /* extension_type (2-bytes) + 768 * length(extension_data) (2-bytes) + 769 * status_type (1) + 770 * responder_id_list length (2) + 771 * request_extensions length (2) 772 */ 773 extension_length = 9; 774 775 if (append && maxBytes >= extension_length) { 776 SECStatus rv; 777 TLSExtensionData *xtnData; 778 779 /* extension_type */ 780 rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2); 781 if (rv != SECSuccess) 782 return -1; 783 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); 784 if (rv != SECSuccess) 785 return -1; 786 rv = ssl3_AppendHandshakeNumber(ss, 1 /* status_type ocsp */, 1); 787 if (rv != SECSuccess) 788 return -1; 789 /* A zero length responder_id_list means that the responders are 790 * implicitly known to the server. */ 791 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); 792 if (rv != SECSuccess) 793 return -1; 794 /* A zero length request_extensions means that there are no extensions. 795 * Specifically, we don't set the id-pkix-ocsp-nonce extension. This 796 * means that the server can replay a cached OCSP response to us. */ 797 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); 798 if (rv != SECSuccess) 799 return -1; 800 801 xtnData = &ss->xtnData; 802 xtnData->advertised[xtnData->numAdvertised++] = ssl_cert_status_xtn; 803 } else if (maxBytes < extension_length) { 804 PORT_Assert(0); 805 return 0; 806 } 807 return extension_length; 808} 809 810/* 811 * NewSessionTicket 812 * Called from ssl3_HandleFinished 813 */ 814SECStatus 815ssl3_SendNewSessionTicket(sslSocket *ss) 816{ 817 int i; 818 SECStatus rv; 819 NewSessionTicket ticket; 820 SECItem plaintext; 821 SECItem plaintext_item = {0, NULL, 0}; 822 SECItem ciphertext = {0, NULL, 0}; 823 PRUint32 ciphertext_length; 824 PRBool ms_is_wrapped; 825 unsigned char wrapped_ms[SSL3_MASTER_SECRET_LENGTH]; 826 SECItem ms_item = {0, NULL, 0}; 827 SSL3KEAType effectiveExchKeyType = ssl_kea_null; 828 PRUint32 padding_length; 829 PRUint32 message_length; 830 PRUint32 cert_length; 831 uint8 length_buf[4]; 832 PRUint32 now; 833 PK11SymKey *aes_key_pkcs11; 834 PK11SymKey *mac_key_pkcs11; 835#ifndef NO_PKCS11_BYPASS 836 const unsigned char *aes_key; 837 const unsigned char *mac_key; 838 PRUint32 aes_key_length; 839 PRUint32 mac_key_length; 840 PRUint64 aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS]; 841 AESContext *aes_ctx; 842 const SECHashObject *hashObj = NULL; 843 PRUint64 hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS]; 844 HMACContext *hmac_ctx; 845#endif 846 CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC; 847 PK11Context *aes_ctx_pkcs11; 848 CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC; 849 PK11Context *hmac_ctx_pkcs11; 850 unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH]; 851 unsigned int computed_mac_length; 852 unsigned char iv[AES_BLOCK_SIZE]; 853 SECItem ivItem; 854 SECItem *srvName = NULL; 855 PRUint32 srvNameLen = 0; 856 CK_MECHANISM_TYPE msWrapMech = 0; /* dummy default value, 857 * must be >= 0 */ 858 859 SSL_TRC(3, ("%d: SSL3[%d]: send session_ticket handshake", 860 SSL_GETPID(), ss->fd)); 861 862 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 863 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 864 865 ticket.ticket_lifetime_hint = TLS_EX_SESS_TICKET_LIFETIME_HINT; 866 cert_length = (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) ? 867 3 + ss->sec.ci.sid->peerCert->derCert.len : 0; 868 869 /* Get IV and encryption keys */ 870 ivItem.data = iv; 871 ivItem.len = sizeof(iv); 872 rv = PK11_GenerateRandom(iv, sizeof(iv)); 873 if (rv != SECSuccess) goto loser; 874 875#ifndef NO_PKCS11_BYPASS 876 if (ss->opt.bypassPKCS11) { 877 rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length, 878 &mac_key, &mac_key_length); 879 } else 880#endif 881 { 882 rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11, 883 &mac_key_pkcs11); 884 } 885 if (rv != SECSuccess) goto loser; 886 887 if (ss->ssl3.pwSpec->msItem.len && ss->ssl3.pwSpec->msItem.data) { 888 /* The master secret is available unwrapped. */ 889 ms_item.data = ss->ssl3.pwSpec->msItem.data; 890 ms_item.len = ss->ssl3.pwSpec->msItem.len; 891 ms_is_wrapped = PR_FALSE; 892 } else { 893 /* Extract the master secret wrapped. */ 894 sslSessionID sid; 895 PORT_Memset(&sid, 0, sizeof(sslSessionID)); 896 897 if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) { 898 effectiveExchKeyType = kt_rsa; 899 } else { 900 effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType; 901 } 902 903 rv = ssl3_CacheWrappedMasterSecret(ss, &sid, ss->ssl3.pwSpec, 904 effectiveExchKeyType); 905 if (rv == SECSuccess) { 906 if (sid.u.ssl3.keys.wrapped_master_secret_len > sizeof(wrapped_ms)) 907 goto loser; 908 memcpy(wrapped_ms, sid.u.ssl3.keys.wrapped_master_secret, 909 sid.u.ssl3.keys.wrapped_master_secret_len); 910 ms_item.data = wrapped_ms; 911 ms_item.len = sid.u.ssl3.keys.wrapped_master_secret_len; 912 msWrapMech = sid.u.ssl3.masterWrapMech; 913 } else { 914 /* TODO: else send an empty ticket. */ 915 goto loser; 916 } 917 ms_is_wrapped = PR_TRUE; 918 } 919 /* Prep to send negotiated name */ 920 srvName = &ss->ssl3.pwSpec->srvVirtName; 921 if (srvName->data && srvName->len) { 922 srvNameLen = 2 + srvName->len; /* len bytes + name len */ 923 } 924 925 ciphertext_length = 926 sizeof(PRUint16) /* ticket_version */ 927 + sizeof(SSL3ProtocolVersion) /* ssl_version */ 928 + sizeof(ssl3CipherSuite) /* ciphersuite */ 929 + 1 /* compression */ 930 + 10 /* cipher spec parameters */ 931 + 1 /* SessionTicket.ms_is_wrapped */ 932 + 1 /* effectiveExchKeyType */ 933 + 4 /* msWrapMech */ 934 + 2 /* master_secret.length */ 935 + ms_item.len /* master_secret */ 936 + 1 /* client_auth_type */ 937 + cert_length /* cert */ 938 + 1 /* server name type */ 939 + srvNameLen /* name len + length field */ 940 + sizeof(ticket.ticket_lifetime_hint); 941 padding_length = AES_BLOCK_SIZE - 942 (ciphertext_length % AES_BLOCK_SIZE); 943 ciphertext_length += padding_length; 944 945 message_length = 946 sizeof(ticket.ticket_lifetime_hint) /* ticket_lifetime_hint */ 947 + 2 /* length field for NewSessionTicket.ticket */ 948 + SESS_TICKET_KEY_NAME_LEN /* key_name */ 949 + AES_BLOCK_SIZE /* iv */ 950 + 2 /* length field for NewSessionTicket.ticket.encrypted_state */ 951 + ciphertext_length /* encrypted_state */ 952 + TLS_EX_SESS_TICKET_MAC_LENGTH; /* mac */ 953 954 if (SECITEM_AllocItem(NULL, &plaintext_item, ciphertext_length) == NULL) 955 goto loser; 956 957 plaintext = plaintext_item; 958 959 /* ticket_version */ 960 rv = ssl3_AppendNumberToItem(&plaintext, TLS_EX_SESS_TICKET_VERSION, 961 sizeof(PRUint16)); 962 if (rv != SECSuccess) goto loser; 963 964 /* ssl_version */ 965 rv = ssl3_AppendNumberToItem(&plaintext, ss->version, 966 sizeof(SSL3ProtocolVersion)); 967 if (rv != SECSuccess) goto loser; 968 969 /* ciphersuite */ 970 rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.cipher_suite, 971 sizeof(ssl3CipherSuite)); 972 if (rv != SECSuccess) goto loser; 973 974 /* compression */ 975 rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.compression, 1); 976 if (rv != SECSuccess) goto loser; 977 978 /* cipher spec parameters */ 979 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authAlgorithm, 1); 980 if (rv != SECSuccess) goto loser; 981 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authKeyBits, 4); 982 if (rv != SECSuccess) goto loser; 983 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaType, 1); 984 if (rv != SECSuccess) goto loser; 985 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaKeyBits, 4); 986 if (rv != SECSuccess) goto loser; 987 988 /* master_secret */ 989 rv = ssl3_AppendNumberToItem(&plaintext, ms_is_wrapped, 1); 990 if (rv != SECSuccess) goto loser; 991 rv = ssl3_AppendNumberToItem(&plaintext, effectiveExchKeyType, 1); 992 if (rv != SECSuccess) goto loser; 993 rv = ssl3_AppendNumberToItem(&plaintext, msWrapMech, 4); 994 if (rv != SECSuccess) goto loser; 995 rv = ssl3_AppendNumberToItem(&plaintext, ms_item.len, 2); 996 if (rv != SECSuccess) goto loser; 997 rv = ssl3_AppendToItem(&plaintext, ms_item.data, ms_item.len); 998 if (rv != SECSuccess) goto loser; 999 1000 /* client_identity */ 1001 if (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) { 1002 rv = ssl3_AppendNumberToItem(&plaintext, CLIENT_AUTH_CERTIFICATE, 1); 1003 if (rv != SECSuccess) goto loser; 1004 rv = ssl3_AppendNumberToItem(&plaintext, 1005 ss->sec.ci.sid->peerCert->derCert.len, 3); 1006 if (rv != SECSuccess) goto loser; 1007 rv = ssl3_AppendToItem(&plaintext, 1008 ss->sec.ci.sid->peerCert->derCert.data, 1009 ss->sec.ci.sid->peerCert->derCert.len); 1010 if (rv != SECSuccess) goto loser; 1011 } else { 1012 rv = ssl3_AppendNumberToItem(&plaintext, 0, 1); 1013 if (rv != SECSuccess) goto loser; 1014 } 1015 1016 /* timestamp */ 1017 now = ssl_Time(); 1018 rv = ssl3_AppendNumberToItem(&plaintext, now, 1019 sizeof(ticket.ticket_lifetime_hint)); 1020 if (rv != SECSuccess) goto loser; 1021 1022 if (srvNameLen) { 1023 /* Name Type (sni_host_name) */ 1024 rv = ssl3_AppendNumberToItem(&plaintext, srvName->type, 1); 1025 if (rv != SECSuccess) goto loser; 1026 /* HostName (length and value) */ 1027 rv = ssl3_AppendNumberToItem(&plaintext, srvName->len, 2); 1028 if (rv != SECSuccess) goto loser; 1029 rv = ssl3_AppendToItem(&plaintext, srvName->data, srvName->len); 1030 if (rv != SECSuccess) goto loser; 1031 } else { 1032 /* No Name */ 1033 rv = ssl3_AppendNumberToItem(&plaintext, (char)TLS_STE_NO_SERVER_NAME, 1034 1); 1035 if (rv != SECSuccess) goto loser; 1036 } 1037 1038 PORT_Assert(plaintext.len == padding_length); 1039 for (i = 0; i < padding_length; i++) 1040 plaintext.data[i] = (unsigned char)padding_length; 1041 1042 if (SECITEM_AllocItem(NULL, &ciphertext, ciphertext_length) == NULL) { 1043 rv = SECFailure; 1044 goto loser; 1045 } 1046 1047 /* Generate encrypted portion of ticket. */ 1048#ifndef NO_PKCS11_BYPASS 1049 if (ss->opt.bypassPKCS11) { 1050 aes_ctx = (AESContext *)aes_ctx_buf; 1051 rv = AES_InitContext(aes_ctx, aes_key, aes_key_length, iv, 1052 NSS_AES_CBC, 1, AES_BLOCK_SIZE); 1053 if (rv != SECSuccess) goto loser; 1054 1055 rv = AES_Encrypt(aes_ctx, ciphertext.data, &ciphertext.len, 1056 ciphertext.len, plaintext_item.data, 1057 plaintext_item.len); 1058 if (rv != SECSuccess) goto loser; 1059 } else 1060#endif 1061 { 1062 aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech, 1063 CKA_ENCRYPT, aes_key_pkcs11, &ivItem); 1064 if (!aes_ctx_pkcs11) 1065 goto loser; 1066 1067 rv = PK11_CipherOp(aes_ctx_pkcs11, ciphertext.data, 1068 (int *)&ciphertext.len, ciphertext.len, 1069 plaintext_item.data, plaintext_item.len); 1070 PK11_Finalize(aes_ctx_pkcs11); 1071 PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE); 1072 if (rv != SECSuccess) goto loser; 1073 } 1074 1075 /* Convert ciphertext length to network order. */ 1076 length_buf[0] = (ciphertext.len >> 8) & 0xff; 1077 length_buf[1] = (ciphertext.len ) & 0xff; 1078 1079 /* Compute MAC. */ 1080#ifndef NO_PKCS11_BYPASS 1081 if (ss->opt.bypassPKCS11) { 1082 hmac_ctx = (HMACContext *)hmac_ctx_buf; 1083 hashObj = HASH_GetRawHashObject(HASH_AlgSHA256); 1084 if (HMAC_Init(hmac_ctx, hashObj, mac_key, 1085 mac_key_length, PR_FALSE) != SECSuccess) 1086 goto loser; 1087 1088 HMAC_Begin(hmac_ctx); 1089 HMAC_Update(hmac_ctx, key_name, SESS_TICKET_KEY_NAME_LEN); 1090 HMAC_Update(hmac_ctx, iv, sizeof(iv)); 1091 HMAC_Update(hmac_ctx, (unsigned char *)length_buf, 2); 1092 HMAC_Update(hmac_ctx, ciphertext.data, ciphertext.len); 1093 HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length, 1094 sizeof(computed_mac)); 1095 } else 1096#endif 1097 { 1098 SECItem macParam; 1099 macParam.data = NULL; 1100 macParam.len = 0; 1101 hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech, 1102 CKA_SIGN, mac_key_pkcs11, &macParam); 1103 if (!hmac_ctx_pkcs11) 1104 goto loser; 1105 1106 rv = PK11_DigestBegin(hmac_ctx_pkcs11); 1107 rv = PK11_DigestOp(hmac_ctx_pkcs11, key_name, 1108 SESS_TICKET_KEY_NAME_LEN); 1109 rv = PK11_DigestOp(hmac_ctx_pkcs11, iv, sizeof(iv)); 1110 rv = PK11_DigestOp(hmac_ctx_pkcs11, (unsigned char *)length_buf, 2); 1111 rv = PK11_DigestOp(hmac_ctx_pkcs11, ciphertext.data, ciphertext.len); 1112 rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac, 1113 &computed_mac_length, sizeof(computed_mac)); 1114 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); 1115 if (rv != SECSuccess) goto loser; 1116 } 1117 1118 /* Serialize the handshake message. */ 1119 rv = ssl3_AppendHandshakeHeader(ss, new_session_ticket, message_length); 1120 if (rv != SECSuccess) goto loser; 1121 1122 rv = ssl3_AppendHandshakeNumber(ss, ticket.ticket_lifetime_hint, 1123 sizeof(ticket.ticket_lifetime_hint)); 1124 if (rv != SECSuccess) goto loser; 1125 1126 rv = ssl3_AppendHandshakeNumber(ss, 1127 message_length - sizeof(ticket.ticket_lifetime_hint) - 2, 2); 1128 if (rv != SECSuccess) goto loser; 1129 1130 rv = ssl3_AppendHandshake(ss, key_name, SESS_TICKET_KEY_NAME_LEN); 1131 if (rv != SECSuccess) goto loser; 1132 1133 rv = ssl3_AppendHandshake(ss, iv, sizeof(iv)); 1134 if (rv != SECSuccess) goto loser; 1135 1136 rv = ssl3_AppendHandshakeVariable(ss, ciphertext.data, ciphertext.len, 2); 1137 if (rv != SECSuccess) goto loser; 1138 1139 rv = ssl3_AppendHandshake(ss, computed_mac, computed_mac_length); 1140 if (rv != SECSuccess) goto loser; 1141 1142loser: 1143 if (plaintext_item.data) 1144 SECITEM_FreeItem(&plaintext_item, PR_FALSE); 1145 if (ciphertext.data) 1146 SECITEM_FreeItem(&ciphertext, PR_FALSE); 1147 1148 return rv; 1149} 1150 1151/* When a client receives a SessionTicket extension a NewSessionTicket 1152 * message is expected during the handshake. 1153 */ 1154SECStatus 1155ssl3_ClientHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type, 1156 SECItem *data) 1157{ 1158 if (data->len != 0) 1159 return SECFailure; 1160 1161 /* Keep track of negotiated extensions. */ 1162 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 1163 return SECSuccess; 1164} 1165 1166SECStatus 1167ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type, 1168 SECItem *data) 1169{ 1170 SECStatus rv; 1171 SECItem *decrypted_state = NULL; 1172 SessionTicket *parsed_session_ticket = NULL; 1173 sslSessionID *sid = NULL; 1174 SSL3Statistics *ssl3stats; 1175 1176 /* Ignore the SessionTicket extension if processing is disabled. */ 1177 if (!ss->opt.enableSessionTickets) 1178 return SECSuccess; 1179 1180 /* Keep track of negotiated extensions. */ 1181 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 1182 1183 /* Parse the received ticket sent in by the client. We are 1184 * lenient about some parse errors, falling back to a fullshake 1185 * instead of terminating the current connection. 1186 */ 1187 if (data->len == 0) { 1188 ss->xtnData.emptySessionTicket = PR_TRUE; 1189 } else { 1190 int i; 1191 SECItem extension_data; 1192 EncryptedSessionTicket enc_session_ticket; 1193 unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH]; 1194 unsigned int computed_mac_length; 1195#ifndef NO_PKCS11_BYPASS 1196 const SECHashObject *hashObj; 1197 const unsigned char *aes_key; 1198 const unsigned char *mac_key; 1199 PRUint32 aes_key_length; 1200 PRUint32 mac_key_length; 1201 PRUint64 hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS]; 1202 HMACContext *hmac_ctx; 1203 PRUint64 aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS]; 1204 AESContext *aes_ctx; 1205#endif 1206 PK11SymKey *aes_key_pkcs11; 1207 PK11SymKey *mac_key_pkcs11; 1208 PK11Context *hmac_ctx_pkcs11; 1209 CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC; 1210 PK11Context *aes_ctx_pkcs11; 1211 CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC; 1212 unsigned char * padding; 1213 PRUint32 padding_length; 1214 unsigned char *buffer; 1215 unsigned int buffer_len; 1216 PRInt32 temp; 1217 SECItem cert_item; 1218 PRInt8 nameType = TLS_STE_NO_SERVER_NAME; 1219 1220 /* Turn off stateless session resumption if the client sends a 1221 * SessionTicket extension, even if the extension turns out to be 1222 * malformed (ss->sec.ci.sid is non-NULL when doing session 1223 * renegotiation.) 1224 */ 1225 if (ss->sec.ci.sid != NULL) { 1226 if (ss->sec.uncache) 1227 ss->sec.uncache(ss->sec.ci.sid); 1228 ssl_FreeSID(ss->sec.ci.sid); 1229 ss->sec.ci.sid = NULL; 1230 } 1231 1232 extension_data.data = data->data; /* Keep a copy for future use. */ 1233 extension_data.len = data->len; 1234 1235 if (ssl3_ParseEncryptedSessionTicket(ss, data, &enc_session_ticket) 1236 != SECSuccess) 1237 return SECFailure; 1238 1239 /* Get session ticket keys. */ 1240#ifndef NO_PKCS11_BYPASS 1241 if (ss->opt.bypassPKCS11) { 1242 rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length, 1243 &mac_key, &mac_key_length); 1244 } else 1245#endif 1246 { 1247 rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11, 1248 &mac_key_pkcs11); 1249 } 1250 if (rv != SECSuccess) { 1251 SSL_DBG(("%d: SSL[%d]: Unable to get/generate session ticket keys.", 1252 SSL_GETPID(), ss->fd)); 1253 goto loser; 1254 } 1255 1256 /* If the ticket sent by the client was generated under a key different 1257 * from the one we have, bypass ticket processing. 1258 */ 1259 if (PORT_Memcmp(enc_session_ticket.key_name, key_name, 1260 SESS_TICKET_KEY_NAME_LEN) != 0) { 1261 SSL_DBG(("%d: SSL[%d]: Session ticket key_name sent mismatch.", 1262 SSL_GETPID(), ss->fd)); 1263 goto no_ticket; 1264 } 1265 1266 /* Verify the MAC on the ticket. MAC verification may also 1267 * fail if the MAC key has been recently refreshed. 1268 */ 1269#ifndef NO_PKCS11_BYPASS 1270 if (ss->opt.bypassPKCS11) { 1271 hmac_ctx = (HMACContext *)hmac_ctx_buf; 1272 hashObj = HASH_GetRawHashObject(HASH_AlgSHA256); 1273 if (HMAC_Init(hmac_ctx, hashObj, mac_key, 1274 sizeof(session_ticket_mac_key), PR_FALSE) != SECSuccess) 1275 goto no_ticket; 1276 HMAC_Begin(hmac_ctx); 1277 HMAC_Update(hmac_ctx, extension_data.data, 1278 extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH); 1279 if (HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length, 1280 sizeof(computed_mac)) != SECSuccess) 1281 goto no_ticket; 1282 } else 1283#endif 1284 { 1285 SECItem macParam; 1286 macParam.data = NULL; 1287 macParam.len = 0; 1288 hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech, 1289 CKA_SIGN, mac_key_pkcs11, &macParam); 1290 if (!hmac_ctx_pkcs11) { 1291 SSL_DBG(("%d: SSL[%d]: Unable to create HMAC context: %d.", 1292 SSL_GETPID(), ss->fd, PORT_GetError())); 1293 goto no_ticket; 1294 } else { 1295 SSL_DBG(("%d: SSL[%d]: Successfully created HMAC context.", 1296 SSL_GETPID(), ss->fd)); 1297 } 1298 rv = PK11_DigestBegin(hmac_ctx_pkcs11); 1299 rv = PK11_DigestOp(hmac_ctx_pkcs11, extension_data.data, 1300 extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH); 1301 if (rv != SECSuccess) { 1302 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); 1303 goto no_ticket; 1304 } 1305 rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac, 1306 &computed_mac_length, sizeof(computed_mac)); 1307 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); 1308 if (rv != SECSuccess) 1309 goto no_ticket; 1310 } 1311 if (NSS_SecureMemcmp(computed_mac, enc_session_ticket.mac, 1312 computed_mac_length) != 0) { 1313 SSL_DBG(("%d: SSL[%d]: Session ticket MAC mismatch.", 1314 SSL_GETPID(), ss->fd)); 1315 goto no_ticket; 1316 } 1317 1318 /* We ignore key_name for now. 1319 * This is ok as MAC verification succeeded. 1320 */ 1321 1322 /* Decrypt the ticket. */ 1323 1324 /* Plaintext is shorter than the ciphertext due to padding. */ 1325 decrypted_state = SECITEM_AllocItem(NULL, NULL, 1326 enc_session_ticket.encrypted_state.len); 1327 1328#ifndef NO_PKCS11_BYPASS 1329 if (ss->opt.bypassPKCS11) { 1330 aes_ctx = (AESContext *)aes_ctx_buf; 1331 rv = AES_InitContext(aes_ctx, aes_key, 1332 sizeof(session_ticket_enc_key), enc_session_ticket.iv, 1333 NSS_AES_CBC, 0,AES_BLOCK_SIZE); 1334 if (rv != SECSuccess) { 1335 SSL_DBG(("%d: SSL[%d]: Unable to create AES context.", 1336 SSL_GETPID(), ss->fd)); 1337 goto no_ticket; 1338 } 1339 1340 rv = AES_Decrypt(aes_ctx, decrypted_state->data, 1341 &decrypted_state->len, decrypted_state->len, 1342 enc_session_ticket.encrypted_state.data, 1343 enc_session_ticket.encrypted_state.len); 1344 if (rv != SECSuccess) 1345 goto no_ticket; 1346 } else 1347#endif 1348 { 1349 SECItem ivItem; 1350 ivItem.data = enc_session_ticket.iv; 1351 ivItem.len = AES_BLOCK_SIZE; 1352 aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech, 1353 CKA_DECRYPT, aes_key_pkcs11, &ivItem); 1354 if (!aes_ctx_pkcs11) { 1355 SSL_DBG(("%d: SSL[%d]: Unable to create AES context.", 1356 SSL_GETPID(), ss->fd)); 1357 goto no_ticket; 1358 } 1359 1360 rv = PK11_CipherOp(aes_ctx_pkcs11, decrypted_state->data, 1361 (int *)&decrypted_state->len, decrypted_state->len, 1362 enc_session_ticket.encrypted_state.data, 1363 enc_session_ticket.encrypted_state.len); 1364 PK11_Finalize(aes_ctx_pkcs11); 1365 PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE); 1366 if (rv != SECSuccess) 1367 goto no_ticket; 1368 } 1369 1370 /* Check padding. */ 1371 padding_length = 1372 (PRUint32)decrypted_state->data[decrypted_state->len - 1]; 1373 if (padding_length == 0 || padding_length > AES_BLOCK_SIZE) 1374 goto no_ticket; 1375 1376 padding = &decrypted_state->data[decrypted_state->len - padding_length]; 1377 for (i = 0; i < padding_length; i++, padding++) { 1378 if (padding_length != (PRUint32)*padding) 1379 goto no_ticket; 1380 } 1381 1382 /* Deserialize session state. */ 1383 buffer = decrypted_state->data; 1384 buffer_len = decrypted_state->len; 1385 1386 parsed_session_ticket = PORT_ZAlloc(sizeof(SessionTicket)); 1387 if (parsed_session_ticket == NULL) { 1388 rv = SECFailure; 1389 goto loser; 1390 } 1391 1392 /* Read ticket_version (which is ignored for now.) */ 1393 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); 1394 if (temp < 0) goto no_ticket; 1395 parsed_session_ticket->ticket_version = (SSL3ProtocolVersion)temp; 1396 1397 /* Read SSLVersion. */ 1398 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); 1399 if (temp < 0) goto no_ticket; 1400 parsed_session_ticket->ssl_version = (SSL3ProtocolVersion)temp; 1401 1402 /* Read cipher_suite. */ 1403 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); 1404 if (temp < 0) goto no_ticket; 1405 parsed_session_ticket->cipher_suite = (ssl3CipherSuite)temp; 1406 1407 /* Read compression_method. */ 1408 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); 1409 if (temp < 0) goto no_ticket; 1410 parsed_session_ticket->compression_method = (SSLCompressionMethod)temp; 1411 1412 /* Read cipher spec parameters. */ 1413 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); 1414 if (temp < 0) goto no_ticket; 1415 parsed_session_ticket->authAlgorithm = (SSLSignType)temp; 1416 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); 1417 if (temp < 0) goto no_ticket; 1418 parsed_session_ticket->authKeyBits = (PRUint32)temp; 1419 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); 1420 if (temp < 0) goto no_ticket; 1421 parsed_session_ticket->keaType = (SSLKEAType)temp; 1422 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); 1423 if (temp < 0) goto no_ticket; 1424 parsed_session_ticket->keaKeyBits = (PRUint32)temp; 1425 1426 /* Read wrapped master_secret. */ 1427 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); 1428 if (temp < 0) goto no_ticket; 1429 parsed_session_ticket->ms_is_wrapped = (PRBool)temp; 1430 1431 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); 1432 if (temp < 0) goto no_ticket; 1433 parsed_session_ticket->exchKeyType = (SSL3KEAType)temp; 1434 1435 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); 1436 if (temp < 0) goto no_ticket; 1437 parsed_session_ticket->msWrapMech = (CK_MECHANISM_TYPE)temp; 1438 1439 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); 1440 if (temp < 0) goto no_ticket; 1441 parsed_session_ticket->ms_length = (PRUint16)temp; 1442 if (parsed_session_ticket->ms_length == 0 || /* sanity check MS. */ 1443 parsed_session_ticket->ms_length > 1444 sizeof(parsed_session_ticket->master_secret)) 1445 goto no_ticket; 1446 1447 /* Allow for the wrapped master secret to be longer. */ 1448 if (buffer_len < sizeof(SSL3_MASTER_SECRET_LENGTH)) 1449 goto no_ticket; 1450 PORT_Memcpy(parsed_session_ticket->master_secret, buffer, 1451 parsed_session_ticket->ms_length); 1452 buffer += parsed_session_ticket->ms_length; 1453 buffer_len -= parsed_session_ticket->ms_length; 1454 1455 /* Read client_identity */ 1456 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); 1457 if (temp < 0) 1458 goto no_ticket; 1459 parsed_session_ticket->client_identity.client_auth_type = 1460 (ClientAuthenticationType)temp; 1461 switch(parsed_session_ticket->client_identity.client_auth_type) { 1462 case CLIENT_AUTH_ANONYMOUS: 1463 break; 1464 case CLIENT_AUTH_CERTIFICATE: 1465 rv = ssl3_ConsumeHandshakeVariable(ss, &cert_item, 3, 1466 &buffer, &buffer_len); 1467 if (rv != SECSuccess) goto no_ticket; 1468 rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->peer_cert, 1469 &cert_item); 1470 if (rv != SECSuccess) goto no_ticket; 1471 break; 1472 default: 1473 goto no_ticket; 1474 } 1475 /* Read timestamp. */ 1476 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); 1477 if (temp < 0) 1478 goto no_ticket; 1479 parsed_session_ticket->timestamp = (PRUint32)temp; 1480 1481 /* Read server name */ 1482 nameType = 1483 ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); 1484 if (nameType != TLS_STE_NO_SERVER_NAME) { 1485 SECItem name_item; 1486 rv = ssl3_ConsumeHandshakeVariable(ss, &name_item, 2, &buffer, 1487 &buffer_len); 1488 if (rv != SECSuccess) goto no_ticket; 1489 rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->srvName, 1490 &name_item); 1491 if (rv != SECSuccess) goto no_ticket; 1492 parsed_session_ticket->srvName.type = nameType; 1493 } 1494 1495 /* Done parsing. Check that all bytes have been consumed. */ 1496 if (buffer_len != padding_length) 1497 goto no_ticket; 1498 1499 /* Use the ticket if it has not expired, otherwise free the allocated 1500 * memory since the ticket is of no use. 1501 */ 1502 if (parsed_session_ticket->timestamp != 0 && 1503 parsed_session_ticket->timestamp + 1504 TLS_EX_SESS_TICKET_LIFETIME_HINT > ssl_Time()) { 1505 1506 sid = ssl3_NewSessionID(ss, PR_TRUE); 1507 if (sid == NULL) { 1508 rv = SECFailure; 1509 goto loser; 1510 } 1511 1512 /* Copy over parameters. */ 1513 sid->version = parsed_session_ticket->ssl_version; 1514 sid->u.ssl3.cipherSuite = parsed_session_ticket->cipher_suite; 1515 sid->u.ssl3.compression = parsed_session_ticket->compression_method; 1516 sid->authAlgorithm = parsed_session_ticket->authAlgorithm; 1517 sid->authKeyBits = parsed_session_ticket->authKeyBits; 1518 sid->keaType = parsed_session_ticket->keaType; 1519 sid->keaKeyBits = parsed_session_ticket->keaKeyBits; 1520 1521 /* Copy master secret. */ 1522#ifndef NO_PKCS11_BYPASS 1523 if (ss->opt.bypassPKCS11 && 1524 parsed_session_ticket->ms_is_wrapped) 1525 goto no_ticket; 1526#endif 1527 if (parsed_session_ticket->ms_length > 1528 sizeof(sid->u.ssl3.keys.wrapped_master_secret)) 1529 goto no_ticket; 1530 PORT_Memcpy(sid->u.ssl3.keys.wrapped_master_secret, 1531 parsed_session_ticket->master_secret, 1532 parsed_session_ticket->ms_length); 1533 sid->u.ssl3.keys.wrapped_master_secret_len = 1534 parsed_session_ticket->ms_length; 1535 sid->u.ssl3.exchKeyType = parsed_session_ticket->exchKeyType; 1536 sid->u.ssl3.masterWrapMech = parsed_session_ticket->msWrapMech; 1537 sid->u.ssl3.keys.msIsWrapped = 1538 parsed_session_ticket->ms_is_wrapped; 1539 sid->u.ssl3.masterValid = PR_TRUE; 1540 sid->u.ssl3.keys.resumable = PR_TRUE; 1541 1542 /* Copy over client cert from session ticket if there is one. */ 1543 if (parsed_session_ticket->peer_cert.data != NULL) { 1544 if (sid->peerCert != NULL) 1545 CERT_DestroyCertificate(sid->peerCert); 1546 sid->peerCert = CERT_NewTempCertificate(ss->dbHandle, 1547 &parsed_session_ticket->peer_cert, NULL, PR_FALSE, PR_TRUE); 1548 if (sid->peerCert == NULL) { 1549 rv = SECFailure; 1550 goto loser; 1551 } 1552 } 1553 if (parsed_session_ticket->srvName.data != NULL) { 1554 sid->u.ssl3.srvName = parsed_session_ticket->srvName; 1555 } 1556 ss->statelessResume = PR_TRUE; 1557 ss->sec.ci.sid = sid; 1558 } 1559 } 1560 1561 if (0) { 1562no_ticket: 1563 SSL_DBG(("%d: SSL[%d]: Session ticket parsing failed.", 1564 SSL_GETPID(), ss->fd)); 1565 ssl3stats = SSL_GetStatistics(); 1566 SSL_AtomicIncrementLong(& ssl3stats->hch_sid_ticket_parse_failures ); 1567 } 1568 rv = SECSuccess; 1569 1570loser: 1571 /* ss->sec.ci.sid == sid if it did NOT come here via goto statement 1572 * in that case do not free sid 1573 */ 1574 if (sid && (ss->sec.ci.sid != sid)) { 1575 ssl_FreeSID(sid); 1576 sid = NULL; 1577 } 1578 if (decrypted_state != NULL) { 1579 SECITEM_FreeItem(decrypted_state, PR_TRUE); 1580 decrypted_state = NULL; 1581 } 1582 1583 if (parsed_session_ticket != NULL) { 1584 if (parsed_session_ticket->peer_cert.data) { 1585 SECITEM_FreeItem(&parsed_session_ticket->peer_cert, PR_FALSE); 1586 } 1587 PORT_ZFree(parsed_session_ticket, sizeof(SessionTicket)); 1588 } 1589 1590 return rv; 1591} 1592 1593/* 1594 * Read bytes. Using this function means the SECItem structure 1595 * cannot be freed. The caller is expected to call this function 1596 * on a shallow copy of the structure. 1597 */ 1598static SECStatus 1599ssl3_ConsumeFromItem(SECItem *item, unsigned char **buf, PRUint32 bytes) 1600{ 1601 if (bytes > item->len) 1602 return SECFailure; 1603 1604 *buf = item->data; 1605 item->data += bytes; 1606 item->len -= bytes; 1607 return SECSuccess; 1608} 1609 1610static SECStatus 1611ssl3_ParseEncryptedSessionTicket(sslSocket *ss, SECItem *data, 1612 EncryptedSessionTicket *enc_session_ticket) 1613{ 1614 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->key_name, 1615 SESS_TICKET_KEY_NAME_LEN) != SECSuccess) 1616 return SECFailure; 1617 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->iv, 1618 AES_BLOCK_SIZE) != SECSuccess) 1619 return SECFailure; 1620 if (ssl3_ConsumeHandshakeVariable(ss, &enc_session_ticket->encrypted_state, 1621 2, &data->data, &data->len) != SECSuccess) 1622 return SECFailure; 1623 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->mac, 1624 TLS_EX_SESS_TICKET_MAC_LENGTH) != SECSuccess) 1625 return SECFailure; 1626 if (data->len != 0) /* Make sure that we have consumed all bytes. */ 1627 return SECFailure; 1628 1629 return SECSuccess; 1630} 1631 1632/* go through hello extensions in buffer "b". 1633 * For each one, find the extension handler in the table, and 1634 * if present, invoke that handler. 1635 * Servers ignore any extensions with unknown extension types. 1636 * Clients reject any extensions with unadvertised extension types. 1637 */ 1638SECStatus 1639ssl3_HandleHelloExtensions(sslSocket *ss, SSL3Opaque **b, PRUint32 *length) 1640{ 1641 const ssl3HelloExtensionHandler * handlers; 1642 1643 if (ss->sec.isServer) { 1644 handlers = clientHelloHandlers; 1645 } else if (ss->version > SSL_LIBRARY_VERSION_3_0) { 1646 handlers = serverHelloHandlersTLS; 1647 } else { 1648 handlers = serverHelloHandlersSSL3; 1649 } 1650 1651 while (*length) { 1652 const ssl3HelloExtensionHandler * handler; 1653 SECStatus rv; 1654 PRInt32 extension_type; 1655 SECItem extension_data; 1656 1657 /* Get the extension's type field */ 1658 extension_type = ssl3_ConsumeHandshakeNumber(ss, 2, b, length); 1659 if (extension_type < 0) /* failure to decode extension_type */ 1660 return SECFailure; /* alert already sent */ 1661 1662 /* get the data for this extension, so we can pass it or skip it. */ 1663 rv = ssl3_ConsumeHandshakeVariable(ss, &extension_data, 2, b, length); 1664 if (rv != SECSuccess) 1665 return rv; 1666 1667 /* Check whether the server sent an extension which was not advertised 1668 * in the ClientHello. 1669 */ 1670 if (!ss->sec.isServer && 1671 !ssl3_ClientExtensionAdvertised(ss, extension_type)) 1672 return SECFailure; /* TODO: send unsupported_extension alert */ 1673 1674 /* Check whether an extension has been sent multiple times. */ 1675 if (ssl3_ExtensionNegotiated(ss, extension_type)) 1676 return SECFailure; 1677 1678 /* find extension_type in table of Hello Extension Handlers */ 1679 for (handler = handlers; handler->ex_type >= 0; handler++) { 1680 /* if found, call this handler */ 1681 if (handler->ex_type == extension_type) { 1682 rv = (*handler->ex_handler)(ss, (PRUint16)extension_type, 1683 &extension_data); 1684 /* Ignore this result */ 1685 /* Treat all bad extensions as unrecognized types. */ 1686 break; 1687 } 1688 } 1689 } 1690 return SECSuccess; 1691} 1692 1693/* Add a callback function to the table of senders of server hello extensions. 1694 */ 1695SECStatus 1696ssl3_RegisterServerHelloExtensionSender(sslSocket *ss, PRUint16 ex_type, 1697 ssl3HelloExtensionSenderFunc cb) 1698{ 1699 int i; 1700 ssl3HelloExtensionSender *sender = &ss->xtnData.serverSenders[0]; 1701 1702 for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) { 1703 if (!sender->ex_sender) { 1704 sender->ex_type = ex_type; 1705 sender->ex_sender = cb; 1706 return SECSuccess; 1707 } 1708 /* detect duplicate senders */ 1709 PORT_Assert(sender->ex_type != ex_type); 1710 if (sender->ex_type == ex_type) { 1711 /* duplicate */ 1712 break; 1713 } 1714 } 1715 PORT_Assert(i < SSL_MAX_EXTENSIONS); /* table needs to grow */ 1716 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1717 return SECFailure; 1718} 1719 1720/* call each of the extension senders and return the accumulated length */ 1721PRInt32 1722ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes, 1723 const ssl3HelloExtensionSender *sender) 1724{ 1725 PRInt32 total_exten_len = 0; 1726 int i; 1727 1728 if (!sender) { 1729 sender = ss->version > SSL_LIBRARY_VERSION_3_0 ? 1730 &clientHelloSendersTLS[0] : &clientHelloSendersSSL3[0]; 1731 } 1732 1733 for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) { 1734 if (sender->ex_sender) { 1735 PRInt32 extLen = (*sender->ex_sender)(ss, append, maxBytes); 1736 if (extLen < 0) 1737 return -1; 1738 maxBytes -= extLen; 1739 total_exten_len += extLen; 1740 } 1741 } 1742 return total_exten_len; 1743} 1744 1745 1746/* Extension format: 1747 * Extension number: 2 bytes 1748 * Extension length: 2 bytes 1749 * Verify Data Length: 1 byte 1750 * Verify Data (TLS): 12 bytes (client) or 24 bytes (server) 1751 * Verify Data (SSL): 36 bytes (client) or 72 bytes (server) 1752 */ 1753static PRInt32 1754ssl3_SendRenegotiationInfoXtn( 1755 sslSocket * ss, 1756 PRBool append, 1757 PRUint32 maxBytes) 1758{ 1759 PRInt32 len, needed; 1760 1761 /* In draft-ietf-tls-renegotiation-03, it is NOT RECOMMENDED to send 1762 * both the SCSV and the empty RI, so when we send SCSV in 1763 * the initial handshake, we don't also send RI. 1764 */ 1765 if (!ss || ss->ssl3.hs.sendingSCSV) 1766 return 0; 1767 len = !ss->firstHsDone ? 0 : 1768 (ss->sec.isServer ? ss->ssl3.hs.finishedBytes * 2 1769 : ss->ssl3.hs.finishedBytes); 1770 needed = 5 + len; 1771 if (append && maxBytes >= needed) { 1772 SECStatus rv; 1773 /* extension_type */ 1774 rv = ssl3_AppendHandshakeNumber(ss, ssl_renegotiation_info_xtn, 2); 1775 if (rv != SECSuccess) return -1; 1776 /* length of extension_data */ 1777 rv = ssl3_AppendHandshakeNumber(ss, len + 1, 2); 1778 if (rv != SECSuccess) return -1; 1779 /* verify_Data from previous Finished message(s) */ 1780 rv = ssl3_AppendHandshakeVariable(ss, 1781 ss->ssl3.hs.finishedMsgs.data, len, 1); 1782 if (rv != SECSuccess) return -1; 1783 if (!ss->sec.isServer) { 1784 TLSExtensionData *xtnData = &ss->xtnData; 1785 xtnData->advertised[xtnData->numAdvertised++] = 1786 ssl_renegotiation_info_xtn; 1787 } 1788 } 1789 return needed; 1790} 1791 1792static SECStatus 1793ssl3_ServerHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type, 1794 SECItem *data) 1795{ 1796 SECStatus rv = SECSuccess; 1797 PRUint32 len = 0; 1798 1799 /* remember that we got this extension. */ 1800 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 1801 PORT_Assert(ss->sec.isServer); 1802 /* prepare to send back the appropriate response */ 1803 rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type, 1804 ssl3_ServerSendStatusRequestXtn); 1805 return rv; 1806} 1807 1808/* This function runs in both the client and server. */ 1809static SECStatus 1810ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) 1811{ 1812 SECStatus rv = SECSuccess; 1813 PRUint32 len = 0; 1814 1815 if (ss->firstHsDone) { 1816 len = ss->sec.isServer ? ss->ssl3.hs.finishedBytes 1817 : ss->ssl3.hs.finishedBytes * 2; 1818 } 1819 if (data->len != 1 + len || 1820 data->data[0] != len || (len && 1821 NSS_SecureMemcmp(ss->ssl3.hs.finishedMsgs.data, 1822 data->data + 1, len))) { 1823 /* Can we do this here? Or, must we arrange for the caller to do it? */ 1824 (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure); 1825 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); 1826 return SECFailure; 1827 } 1828 /* remember that we got this extension and it was correct. */ 1829 ss->peerRequestedProtection = 1; 1830 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 1831 if (ss->sec.isServer) { 1832 /* prepare to send back the appropriate response */ 1833 rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type, 1834 ssl3_SendRenegotiationInfoXtn); 1835 } 1836 return rv; 1837} 1838 1839static PRInt32 1840ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes) 1841{ 1842 PRUint32 ext_data_len; 1843 PRInt16 i; 1844 SECStatus rv; 1845 1846 if (!ss) 1847 return 0; 1848 1849 if (!ss->sec.isServer) { 1850 /* Client side */ 1851 1852 if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) 1853 return 0; /* Not relevant */ 1854 1855 ext_data_len = 2 + 2 * ss->ssl3.dtlsSRTPCipherCount + 1; 1856 1857 if (append && maxBytes >= 4 + ext_data_len) { 1858 /* Extension type */ 1859 rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2); 1860 if (rv != SECSuccess) return -1; 1861 /* Length of extension data */ 1862 rv = ssl3_AppendHandshakeNumber(ss, ext_data_len, 2); 1863 if (rv != SECSuccess) return -1; 1864 /* Length of the SRTP cipher list */ 1865 rv = ssl3_AppendHandshakeNumber(ss, 1866 2 * ss->ssl3.dtlsSRTPCipherCount, 1867 2); 1868 if (rv != SECSuccess) return -1; 1869 /* The SRTP ciphers */ 1870 for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) { 1871 rv = ssl3_AppendHandshakeNumber(ss, 1872 ss->ssl3.dtlsSRTPCiphers[i], 1873 2); 1874 } 1875 /* Empty MKI value */ 1876 ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); 1877 1878 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = 1879 ssl_use_srtp_xtn; 1880 } 1881 1882 return 4 + ext_data_len; 1883 } 1884 1885 /* Server side */ 1886 if (append && maxBytes >= 9) { 1887 /* Extension type */ 1888 rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2); 1889 if (rv != SECSuccess) return -1; 1890 /* Length of extension data */ 1891 rv = ssl3_AppendHandshakeNumber(ss, 5, 2); 1892 if (rv != SECSuccess) return -1; 1893 /* Length of the SRTP cipher list */ 1894 rv = ssl3_AppendHandshakeNumber(ss, 2, 2); 1895 if (rv != SECSuccess) return -1; 1896 /* The selected cipher */ 1897 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.dtlsSRTPCipherSuite, 2); 1898 if (rv != SECSuccess) return -1; 1899 /* Empty MKI value */ 1900 ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); 1901 } 1902 1903 return 9; 1904} 1905 1906static SECStatus 1907ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data) 1908{ 1909 SECStatus rv; 1910 SECItem ciphers = {siBuffer, NULL, 0}; 1911 PRUint16 i; 1912 unsigned int j; 1913 PRUint16 cipher = 0; 1914 PRBool found = PR_FALSE; 1915 SECItem litem; 1916 1917 if (!ss->sec.isServer) { 1918 /* Client side */ 1919 if (!data->data || !data->len) { 1920 /* malformed */ 1921 return SECFailure; 1922 } 1923 1924 /* Get the cipher list */ 1925 rv = ssl3_ConsumeHandshakeVariable(ss, &ciphers, 2, 1926 &data->data, &data->len); 1927 if (rv != SECSuccess) { 1928 return SECFailure; 1929 } 1930 /* Now check that the number of ciphers listed is 1 (len = 2) */ 1931 if (ciphers.len != 2) { 1932 return SECFailure; 1933 } 1934 1935 /* Get the selected cipher */ 1936 cipher = (ciphers.data[0] << 8) | ciphers.data[1]; 1937 1938 /* Now check that this is one of the ciphers we offered */ 1939 for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) { 1940 if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) { 1941 found = PR_TRUE; 1942 break; 1943 } 1944 } 1945 1946 if (!found) { 1947 return SECFailure; 1948 } 1949 1950 /* Get the srtp_mki value */ 1951 rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 1, 1952 &data->data, &data->len); 1953 if (rv != SECSuccess) { 1954 return SECFailure; 1955 } 1956 1957 /* We didn't offer an MKI, so this must be 0 length */ 1958 /* XXX RFC 5764 Section 4.1.3 says: 1959 * If the client detects a nonzero-length MKI in the server's 1960 * response that is different than the one the client offered, 1961 * then the client MUST abort the handshake and SHOULD send an 1962 * invalid_parameter alert. 1963 * 1964 * Due to a limitation of the ssl3_HandleHelloExtensions function, 1965 * returning SECFailure here won't abort the handshake. It will 1966 * merely cause the use_srtp extension to be not negotiated. We 1967 * should fix this. See NSS bug 753136. 1968 */ 1969 if (litem.len != 0) { 1970 return SECFailure; 1971 } 1972 1973 if (data->len != 0) { 1974 /* malformed */ 1975 return SECFailure; 1976 } 1977 1978 /* OK, this looks fine. */ 1979 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn; 1980 ss->ssl3.dtlsSRTPCipherSuite = cipher; 1981 return SECSuccess; 1982 } 1983 1984 /* Server side */ 1985 if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) { 1986 /* Ignore the extension if we aren't doing DTLS or no DTLS-SRTP 1987 * preferences have been set. */ 1988 return SECSuccess; 1989 } 1990 1991 if (!data->data || data->len < 5) { 1992 /* malformed */ 1993 return SECFailure; 1994 } 1995 1996 /* Get the cipher list */ 1997 rv = ssl3_ConsumeHandshakeVariable(ss, &ciphers, 2, 1998 &data->data, &data->len); 1999 if (rv != SECSuccess) { 2000 return SECFailure; 2001 } 2002 /* Check that the list is even length */ 2003 if (ciphers.len % 2) { 2004 return SECFailure; 2005 } 2006 2007 /* Walk through the offered list and pick the most preferred of our 2008 * ciphers, if any */ 2009 for (i = 0; !found && i < ss->ssl3.dtlsSRTPCipherCount; i++) { 2010 for (j = 0; j + 1 < ciphers.len; j += 2) { 2011 cipher = (ciphers.data[j] << 8) | ciphers.data[j + 1]; 2012 if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) { 2013 found = PR_TRUE; 2014 break; 2015 } 2016 } 2017 } 2018 2019 /* Get the srtp_mki value */ 2020 rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 1, &data->data, &data->len); 2021 if (rv != SECSuccess) { 2022 return SECFailure; 2023 } 2024 2025 if (data->len != 0) { 2026 return SECFailure; /* Malformed */ 2027 } 2028 2029 /* Now figure out what to do */ 2030 if (!found) { 2031 /* No matching ciphers */ 2032 return SECSuccess; 2033 } 2034 2035 /* OK, we have a valid cipher and we've selected it */ 2036 ss->ssl3.dtlsSRTPCipherSuite = cipher; 2037 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn; 2038 2039 return ssl3_RegisterServerHelloExtensionSender(ss, ssl_use_srtp_xtn, 2040 ssl3_SendUseSRTPXtn); 2041} 2042