1 /* 2 * SSL3 Protocol 3 * 4 * This Source Code Form is subject to the terms of the Mozilla Public 5 * License, v. 2.0. If a copy of the MPL was not distributed with this 6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 7 8 /* TLS extension code moved here from ssl3ecc.c */ 9 10 #include "nssrenam.h" 11 #include "nss.h" 12 #include "ssl.h" 13 #include "sslimpl.h" 14 #include "sslproto.h" 15 #include "pk11pub.h" 16 #ifdef NO_PKCS11_BYPASS 17 #include "blapit.h" 18 #else 19 #include "blapi.h" 20 #endif 21 #include "prinit.h" 22 23 static unsigned char key_name[SESS_TICKET_KEY_NAME_LEN]; 24 static PK11SymKey *session_ticket_enc_key_pkcs11 = NULL; 25 static PK11SymKey *session_ticket_mac_key_pkcs11 = NULL; 26 27 #ifndef NO_PKCS11_BYPASS 28 static unsigned char session_ticket_enc_key[AES_256_KEY_LENGTH]; 29 static unsigned char session_ticket_mac_key[SHA256_LENGTH]; 30 31 static PRBool session_ticket_keys_initialized = PR_FALSE; 32 #endif 33 static PRCallOnceType generate_session_keys_once; 34 35 /* forward static function declarations */ 36 static SECStatus ssl3_ParseEncryptedSessionTicket(sslSocket *ss, 37 SECItem *data, EncryptedSessionTicket *enc_session_ticket); 38 static SECStatus ssl3_AppendToItem(SECItem *item, const unsigned char *buf, 39 PRUint32 bytes); 40 static SECStatus ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, 41 PRInt32 lenSize); 42 static SECStatus ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss, 43 PK11SymKey **aes_key, PK11SymKey **mac_key); 44 #ifndef NO_PKCS11_BYPASS 45 static SECStatus ssl3_GetSessionTicketKeys(const unsigned char **aes_key, 46 PRUint32 *aes_key_length, const unsigned char **mac_key, 47 PRUint32 *mac_key_length); 48 #endif 49 static PRInt32 ssl3_SendRenegotiationInfoXtn(sslSocket * ss, 50 PRBool append, PRUint32 maxBytes); 51 static SECStatus ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, 52 PRUint16 ex_type, SECItem *data); 53 static SECStatus ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, 54 PRUint16 ex_type, SECItem *data); 55 static SECStatus ssl3_ClientHandleAppProtoXtn(sslSocket *ss, 56 PRUint16 ex_type, SECItem *data); 57 static SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss, 58 PRUint16 ex_type, SECItem *data); 59 static PRInt32 ssl3_ClientSendAppProtoXtn(sslSocket *ss, PRBool append, 60 PRUint32 maxBytes); 61 static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append, 62 PRUint32 maxBytes); 63 static PRInt32 ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append, 64 PRUint32 maxBytes); 65 static SECStatus ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, 66 SECItem *data); 67 static SECStatus ssl3_ClientHandleChannelIDXtn(sslSocket *ss, 68 PRUint16 ex_type, SECItem *data); 69 static PRInt32 ssl3_ClientSendChannelIDXtn(sslSocket *ss, PRBool append, 70 PRUint32 maxBytes); 71 static SECStatus ssl3_ServerSendStatusRequestXtn(sslSocket * ss, 72 PRBool append, PRUint32 maxBytes); 73 static SECStatus ssl3_ServerHandleStatusRequestXtn(sslSocket *ss, 74 PRUint16 ex_type, SECItem *data); 75 static SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, 76 PRUint16 ex_type, 77 SECItem *data); 78 static PRInt32 ssl3_ClientSendStatusRequestXtn(sslSocket * ss, PRBool append, 79 PRUint32 maxBytes); 80 static PRInt32 ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append, 81 PRUint32 maxBytes); 82 static SECStatus ssl3_ServerHandleSigAlgsXtn(sslSocket *ss, PRUint16 ex_type, 83 SECItem *data); 84 static PRInt32 ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, 85 PRBool append, 86 PRUint32 maxBytes); 87 static SECStatus ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, 88 PRUint16 ex_type, 89 SECItem *data); 90 91 /* 92 * Write bytes. Using this function means the SECItem structure 93 * cannot be freed. The caller is expected to call this function 94 * on a shallow copy of the structure. 95 */ 96 static SECStatus 97 ssl3_AppendToItem(SECItem *item, const unsigned char *buf, PRUint32 bytes) 98 { 99 if (bytes > item->len) 100 return SECFailure; 101 102 PORT_Memcpy(item->data, buf, bytes); 103 item->data += bytes; 104 item->len -= bytes; 105 return SECSuccess; 106 } 107 108 /* 109 * Write a number in network byte order. Using this function means the 110 * SECItem structure cannot be freed. The caller is expected to call 111 * this function on a shallow copy of the structure. 112 */ 113 static SECStatus 114 ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, PRInt32 lenSize) 115 { 116 SECStatus rv; 117 PRUint8 b[4]; 118 PRUint8 * p = b; 119 120 switch (lenSize) { 121 case 4: 122 *p++ = (PRUint8) (num >> 24); 123 case 3: 124 *p++ = (PRUint8) (num >> 16); 125 case 2: 126 *p++ = (PRUint8) (num >> 8); 127 case 1: 128 *p = (PRUint8) num; 129 } 130 rv = ssl3_AppendToItem(item, &b[0], lenSize); 131 return rv; 132 } 133 134 static SECStatus ssl3_SessionTicketShutdown(void* appData, void* nssData) 135 { 136 if (session_ticket_enc_key_pkcs11) { 137 PK11_FreeSymKey(session_ticket_enc_key_pkcs11); 138 session_ticket_enc_key_pkcs11 = NULL; 139 } 140 if (session_ticket_mac_key_pkcs11) { 141 PK11_FreeSymKey(session_ticket_mac_key_pkcs11); 142 session_ticket_mac_key_pkcs11 = NULL; 143 } 144 PORT_Memset(&generate_session_keys_once, 0, 145 sizeof(generate_session_keys_once)); 146 return SECSuccess; 147 } 148 149 150 static PRStatus 151 ssl3_GenerateSessionTicketKeysPKCS11(void *data) 152 { 153 SECStatus rv; 154 sslSocket *ss = (sslSocket *)data; 155 SECKEYPrivateKey *svrPrivKey = ss->serverCerts[kt_rsa].SERVERKEY; 156 SECKEYPublicKey *svrPubKey = ss->serverCerts[kt_rsa].serverKeyPair->pubKey; 157 158 if (svrPrivKey == NULL || svrPubKey == NULL) { 159 SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.", 160 SSL_GETPID(), ss->fd)); 161 goto loser; 162 } 163 164 /* Get a copy of the session keys from shared memory. */ 165 PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX, 166 sizeof(SESS_TICKET_KEY_NAME_PREFIX)); 167 if (!ssl_GetSessionTicketKeysPKCS11(svrPrivKey, svrPubKey, 168 ss->pkcs11PinArg, &key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN], 169 &session_ticket_enc_key_pkcs11, &session_ticket_mac_key_pkcs11)) 170 return PR_FAILURE; 171 172 rv = NSS_RegisterShutdown(ssl3_SessionTicketShutdown, NULL); 173 if (rv != SECSuccess) 174 goto loser; 175 176 return PR_SUCCESS; 177 178 loser: 179 ssl3_SessionTicketShutdown(NULL, NULL); 180 return PR_FAILURE; 181 } 182 183 static SECStatus 184 ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss, PK11SymKey **aes_key, 185 PK11SymKey **mac_key) 186 { 187 if (PR_CallOnceWithArg(&generate_session_keys_once, 188 ssl3_GenerateSessionTicketKeysPKCS11, ss) != PR_SUCCESS) 189 return SECFailure; 190 191 if (session_ticket_enc_key_pkcs11 == NULL || 192 session_ticket_mac_key_pkcs11 == NULL) 193 return SECFailure; 194 195 *aes_key = session_ticket_enc_key_pkcs11; 196 *mac_key = session_ticket_mac_key_pkcs11; 197 return SECSuccess; 198 } 199 200 #ifndef NO_PKCS11_BYPASS 201 static PRStatus 202 ssl3_GenerateSessionTicketKeys(void) 203 { 204 PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX, 205 sizeof(SESS_TICKET_KEY_NAME_PREFIX)); 206 207 if (!ssl_GetSessionTicketKeys(&key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN], 208 session_ticket_enc_key, session_ticket_mac_key)) 209 return PR_FAILURE; 210 211 session_ticket_keys_initialized = PR_TRUE; 212 return PR_SUCCESS; 213 } 214 215 static SECStatus 216 ssl3_GetSessionTicketKeys(const unsigned char **aes_key, 217 PRUint32 *aes_key_length, const unsigned char **mac_key, 218 PRUint32 *mac_key_length) 219 { 220 if (PR_CallOnce(&generate_session_keys_once, 221 ssl3_GenerateSessionTicketKeys) != PR_SUCCESS) 222 return SECFailure; 223 224 if (!session_ticket_keys_initialized) 225 return SECFailure; 226 227 *aes_key = session_ticket_enc_key; 228 *aes_key_length = sizeof(session_ticket_enc_key); 229 *mac_key = session_ticket_mac_key; 230 *mac_key_length = sizeof(session_ticket_mac_key); 231 232 return SECSuccess; 233 } 234 #endif 235 236 /* Table of handlers for received TLS hello extensions, one per extension. 237 * In the second generation, this table will be dynamic, and functions 238 * will be registered here. 239 */ 240 /* This table is used by the server, to handle client hello extensions. */ 241 static const ssl3HelloExtensionHandler clientHelloHandlers[] = { 242 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, 243 #ifdef NSS_ENABLE_ECC 244 { ssl_elliptic_curves_xtn, &ssl3_HandleSupportedCurvesXtn }, 245 { ssl_ec_point_formats_xtn, &ssl3_HandleSupportedPointFormatsXtn }, 246 #endif 247 { ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn }, 248 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, 249 { ssl_next_proto_nego_xtn, &ssl3_ServerHandleNextProtoNegoXtn }, 250 { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn }, 251 { ssl_cert_status_xtn, &ssl3_ServerHandleStatusRequestXtn }, 252 { ssl_signature_algorithms_xtn, &ssl3_ServerHandleSigAlgsXtn }, 253 { -1, NULL } 254 }; 255 256 /* These two tables are used by the client, to handle server hello 257 * extensions. */ 258 static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = { 259 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, 260 /* TODO: add a handler for ssl_ec_point_formats_xtn */ 261 { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn }, 262 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, 263 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, 264 { ssl_app_layer_protocol_xtn, &ssl3_ClientHandleAppProtoXtn }, 265 { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn }, 266 { ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn }, 267 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, 268 { ssl_signed_certificate_timestamp_xtn, 269 &ssl3_ClientHandleSignedCertTimestampXtn }, 270 { -1, NULL } 271 }; 272 273 static const ssl3HelloExtensionHandler serverHelloHandlersSSL3[] = { 274 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, 275 { -1, NULL } 276 }; 277 278 /* Tables of functions to format TLS hello extensions, one function per 279 * extension. 280 * These static tables are for the formatting of client hello extensions. 281 * The server's table of hello senders is dynamic, in the socket struct, 282 * and sender functions are registered there. 283 */ 284 static const 285 ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = { 286 { ssl_server_name_xtn, &ssl3_SendServerNameXtn }, 287 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn }, 288 #ifdef NSS_ENABLE_ECC 289 { ssl_elliptic_curves_xtn, &ssl3_SendSupportedCurvesXtn }, 290 { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn }, 291 #endif 292 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, 293 { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, 294 { ssl_app_layer_protocol_xtn, &ssl3_ClientSendAppProtoXtn }, 295 { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn }, 296 { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn }, 297 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, 298 { ssl_signed_certificate_timestamp_xtn, 299 &ssl3_ClientSendSignedCertTimestampXtn }, 300 /* WebSphere Application Server 7.0 is intolerant to the last extension 301 * being zero-length. It is not intolerant of TLS 1.2, so move 302 * signature_algorithms to the end. */ 303 { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn } 304 /* any extra entries will appear as { 0, NULL } */ 305 }; 306 307 static const 308 ssl3HelloExtensionSender clientHelloSendersSSL3[SSL_MAX_EXTENSIONS] = { 309 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn } 310 /* any extra entries will appear as { 0, NULL } */ 311 }; 312 313 static PRBool 314 arrayContainsExtension(const PRUint16 *array, PRUint32 len, PRUint16 ex_type) 315 { 316 int i; 317 for (i = 0; i < len; i++) { 318 if (ex_type == array[i]) 319 return PR_TRUE; 320 } 321 return PR_FALSE; 322 } 323 324 PRBool 325 ssl3_ExtensionNegotiated(sslSocket *ss, PRUint16 ex_type) { 326 TLSExtensionData *xtnData = &ss->xtnData; 327 return arrayContainsExtension(xtnData->negotiated, 328 xtnData->numNegotiated, ex_type); 329 } 330 331 static PRBool 332 ssl3_ClientExtensionAdvertised(sslSocket *ss, PRUint16 ex_type) { 333 TLSExtensionData *xtnData = &ss->xtnData; 334 return arrayContainsExtension(xtnData->advertised, 335 xtnData->numAdvertised, ex_type); 336 } 337 338 /* Format an SNI extension, using the name from the socket's URL, 339 * unless that name is a dotted decimal string. 340 * Used by client and server. 341 */ 342 PRInt32 343 ssl3_SendServerNameXtn(sslSocket * ss, PRBool append, 344 PRUint32 maxBytes) 345 { 346 SECStatus rv; 347 if (!ss) 348 return 0; 349 if (!ss->sec.isServer) { 350 PRUint32 len; 351 PRNetAddr netAddr; 352 353 /* must have a hostname */ 354 if (!ss->url || !ss->url[0]) 355 return 0; 356 /* must not be an IPv4 or IPv6 address */ 357 if (PR_SUCCESS == PR_StringToNetAddr(ss->url, &netAddr)) { 358 /* is an IP address (v4 or v6) */ 359 return 0; 360 } 361 len = PORT_Strlen(ss->url); 362 if (append && maxBytes >= len + 9) { 363 /* extension_type */ 364 rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2); 365 if (rv != SECSuccess) return -1; 366 /* length of extension_data */ 367 rv = ssl3_AppendHandshakeNumber(ss, len + 5, 2); 368 if (rv != SECSuccess) return -1; 369 /* length of server_name_list */ 370 rv = ssl3_AppendHandshakeNumber(ss, len + 3, 2); 371 if (rv != SECSuccess) return -1; 372 /* Name Type (sni_host_name) */ 373 rv = ssl3_AppendHandshake(ss, "\0", 1); 374 if (rv != SECSuccess) return -1; 375 /* HostName (length and value) */ 376 rv = ssl3_AppendHandshakeVariable(ss, (PRUint8 *)ss->url, len, 2); 377 if (rv != SECSuccess) return -1; 378 if (!ss->sec.isServer) { 379 TLSExtensionData *xtnData = &ss->xtnData; 380 xtnData->advertised[xtnData->numAdvertised++] = 381 ssl_server_name_xtn; 382 } 383 } 384 return len + 9; 385 } 386 /* Server side */ 387 if (append && maxBytes >= 4) { 388 rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2); 389 if (rv != SECSuccess) return -1; 390 /* length of extension_data */ 391 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); 392 if (rv != SECSuccess) return -1; 393 } 394 return 4; 395 } 396 397 /* handle an incoming SNI extension, by ignoring it. */ 398 SECStatus 399 ssl3_HandleServerNameXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data) 400 { 401 SECItem *names = NULL; 402 PRUint32 listCount = 0, namesPos = 0, i; 403 TLSExtensionData *xtnData = &ss->xtnData; 404 SECItem ldata; 405 PRInt32 listLenBytes = 0; 406 407 if (!ss->sec.isServer) { 408 /* Verify extension_data is empty. */ 409 if (data->data || data->len || 410 !ssl3_ExtensionNegotiated(ss, ssl_server_name_xtn)) { 411 /* malformed or was not initiated by the client.*/ 412 return SECFailure; 413 } 414 return SECSuccess; 415 } 416 417 /* Server side - consume client data and register server sender. */ 418 /* do not parse the data if don't have user extension handling function. */ 419 if (!ss->sniSocketConfig) { 420 return SECSuccess; 421 } 422 /* length of server_name_list */ 423 listLenBytes = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len); 424 if (listLenBytes == 0 || listLenBytes != data->len) { 425 return SECFailure; 426 } 427 ldata = *data; 428 /* Calculate the size of the array.*/ 429 while (listLenBytes > 0) { 430 SECItem litem; 431 SECStatus rv; 432 PRInt32 type; 433 /* Name Type (sni_host_name) */ 434 type = ssl3_ConsumeHandshakeNumber(ss, 1, &ldata.data, &ldata.len); 435 if (!ldata.len) { 436 return SECFailure; 437 } 438 rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 2, &ldata.data, &ldata.len); 439 if (rv != SECSuccess) { 440 return SECFailure; 441 } 442 /* Adjust total length for cunsumed item, item len and type.*/ 443 listLenBytes -= litem.len + 3; 444 if (listLenBytes > 0 && !ldata.len) { 445 return SECFailure; 446 } 447 listCount += 1; 448 } 449 if (!listCount) { 450 return SECFailure; 451 } 452 names = PORT_ZNewArray(SECItem, listCount); 453 if (!names) { 454 return SECFailure; 455 } 456 for (i = 0;i < listCount;i++) { 457 int j; 458 PRInt32 type; 459 SECStatus rv; 460 PRBool nametypePresent = PR_FALSE; 461 /* Name Type (sni_host_name) */ 462 type = ssl3_ConsumeHandshakeNumber(ss, 1, &data->data, &data->len); 463 /* Check if we have such type in the list */ 464 for (j = 0;j < listCount && names[j].data;j++) { 465 if (names[j].type == type) { 466 nametypePresent = PR_TRUE; 467 break; 468 } 469 } 470 /* HostName (length and value) */ 471 rv = ssl3_ConsumeHandshakeVariable(ss, &names[namesPos], 2, 472 &data->data, &data->len); 473 if (rv != SECSuccess) { 474 goto loser; 475 } 476 if (nametypePresent == PR_FALSE) { 477 namesPos += 1; 478 } 479 } 480 /* Free old and set the new data. */ 481 if (xtnData->sniNameArr) { 482 PORT_Free(ss->xtnData.sniNameArr); 483 } 484 xtnData->sniNameArr = names; 485 xtnData->sniNameArrSize = namesPos; 486 xtnData->negotiated[xtnData->numNegotiated++] = ssl_server_name_xtn; 487 488 return SECSuccess; 489 490 loser: 491 PORT_Free(names); 492 return SECFailure; 493 } 494 495 /* Called by both clients and servers. 496 * Clients sends a filled in session ticket if one is available, and otherwise 497 * sends an empty ticket. Servers always send empty tickets. 498 */ 499 PRInt32 500 ssl3_SendSessionTicketXtn( 501 sslSocket * ss, 502 PRBool append, 503 PRUint32 maxBytes) 504 { 505 PRInt32 extension_length; 506 NewSessionTicket *session_ticket = NULL; 507 sslSessionID *sid = ss->sec.ci.sid; 508 509 /* Ignore the SessionTicket extension if processing is disabled. */ 510 if (!ss->opt.enableSessionTickets) 511 return 0; 512 513 /* Empty extension length = extension_type (2-bytes) + 514 * length(extension_data) (2-bytes) 515 */ 516 extension_length = 4; 517 518 /* If we are a client then send a session ticket if one is availble. 519 * Servers that support the extension and are willing to negotiate the 520 * the extension always respond with an empty extension. 521 */ 522 if (!ss->sec.isServer) { 523 /* The caller must be holding sid->u.ssl3.lock for reading. We cannot 524 * just acquire and release the lock within this function because the 525 * caller will call this function twice, and we need the inputs to be 526 * consistent between the two calls. Note that currently the caller 527 * will only be holding the lock when we are the client and when we're 528 * attempting to resume an existing session. 529 */ 530 531 session_ticket = &sid->u.ssl3.locked.sessionTicket; 532 if (session_ticket->ticket.data) { 533 if (ss->xtnData.ticketTimestampVerified) { 534 extension_length += session_ticket->ticket.len; 535 } else if (!append && 536 (session_ticket->ticket_lifetime_hint == 0 || 537 (session_ticket->ticket_lifetime_hint + 538 session_ticket->received_timestamp > ssl_Time()))) { 539 extension_length += session_ticket->ticket.len; 540 ss->xtnData.ticketTimestampVerified = PR_TRUE; 541 } 542 } 543 } 544 545 if (append && maxBytes >= extension_length) { 546 SECStatus rv; 547 /* extension_type */ 548 rv = ssl3_AppendHandshakeNumber(ss, ssl_session_ticket_xtn, 2); 549 if (rv != SECSuccess) 550 goto loser; 551 if (session_ticket && session_ticket->ticket.data && 552 ss->xtnData.ticketTimestampVerified) { 553 rv = ssl3_AppendHandshakeVariable(ss, session_ticket->ticket.data, 554 session_ticket->ticket.len, 2); 555 ss->xtnData.ticketTimestampVerified = PR_FALSE; 556 ss->xtnData.sentSessionTicketInClientHello = PR_TRUE; 557 } else { 558 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); 559 } 560 if (rv != SECSuccess) 561 goto loser; 562 563 if (!ss->sec.isServer) { 564 TLSExtensionData *xtnData = &ss->xtnData; 565 xtnData->advertised[xtnData->numAdvertised++] = 566 ssl_session_ticket_xtn; 567 } 568 } else if (maxBytes < extension_length) { 569 PORT_Assert(0); 570 return 0; 571 } 572 return extension_length; 573 574 loser: 575 ss->xtnData.ticketTimestampVerified = PR_FALSE; 576 return -1; 577 } 578 579 /* handle an incoming Next Protocol Negotiation extension. */ 580 static SECStatus 581 ssl3_ServerHandleNextProtoNegoXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data) 582 { 583 if (ss->firstHsDone || data->len != 0) { 584 /* Clients MUST send an empty NPN extension, if any. */ 585 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); 586 return SECFailure; 587 } 588 589 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 590 591 /* TODO: server side NPN support would require calling 592 * ssl3_RegisterServerHelloExtensionSender here in order to echo the 593 * extension back to the client. */ 594 595 return SECSuccess; 596 } 597 598 /* ssl3_ValidateNextProtoNego checks that the given block of data is valid: none 599 * of the lengths may be 0 and the sum of the lengths must equal the length of 600 * the block. */ 601 SECStatus 602 ssl3_ValidateNextProtoNego(const unsigned char* data, unsigned int length) 603 { 604 unsigned int offset = 0; 605 606 while (offset < length) { 607 unsigned int newOffset = offset + 1 + (unsigned int) data[offset]; 608 /* Reject embedded nulls to protect against buggy applications that 609 * store protocol identifiers in null-terminated strings. 610 */ 611 if (newOffset > length || data[offset] == 0) { 612 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); 613 return SECFailure; 614 } 615 offset = newOffset; 616 } 617 618 if (offset > length) { 619 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); 620 return SECFailure; 621 } 622 623 return SECSuccess; 624 } 625 626 static SECStatus 627 ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type, 628 SECItem *data) 629 { 630 SECStatus rv; 631 unsigned char resultBuffer[255]; 632 SECItem result = { siBuffer, resultBuffer, 0 }; 633 634 PORT_Assert(!ss->firstHsDone); 635 636 if (ssl3_ExtensionNegotiated(ss, ssl_app_layer_protocol_xtn)) { 637 /* If the server negotiated ALPN then it has already told us what protocol 638 * to use, so it doesn't make sense for us to try to negotiate a different 639 * one by sending the NPN handshake message. However, if we've negotiated 640 * NPN then we're required to send the NPN handshake message. Thus, these 641 * two extensions cannot both be negotiated on the same connection. */ 642 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 643 return SECFailure; 644 } 645 646 rv = ssl3_ValidateNextProtoNego(data->data, data->len); 647 if (rv != SECSuccess) 648 return rv; 649 650 /* ss->nextProtoCallback cannot normally be NULL if we negotiated the 651 * extension. However, It is possible that an application erroneously 652 * cleared the callback between the time we sent the ClientHello and now. 653 */ 654 PORT_Assert(ss->nextProtoCallback != NULL); 655 if (!ss->nextProtoCallback) { 656 /* XXX Use a better error code. This is an application error, not an 657 * NSS bug. */ 658 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 659 return SECFailure; 660 } 661 662 rv = ss->nextProtoCallback(ss->nextProtoArg, ss->fd, data->data, data->len, 663 result.data, &result.len, sizeof resultBuffer); 664 if (rv != SECSuccess) 665 return rv; 666 /* If the callback wrote more than allowed to |result| it has corrupted our 667 * stack. */ 668 if (result.len > sizeof resultBuffer) { 669 PORT_SetError(SEC_ERROR_OUTPUT_LEN); 670 return SECFailure; 671 } 672 673 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 674 675 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); 676 return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &result); 677 } 678 679 static SECStatus 680 ssl3_ClientHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) 681 { 682 const unsigned char* d = data->data; 683 PRUint16 name_list_len; 684 SECItem protocol_name; 685 686 if (ssl3_ExtensionNegotiated(ss, ssl_next_proto_nego_xtn)) { 687 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 688 return SECFailure; 689 } 690 691 /* The extension data from the server has the following format: 692 * uint16 name_list_len; 693 * uint8 len; 694 * uint8 protocol_name[len]; */ 695 if (data->len < 4 || data->len > 2 + 1 + 255) { 696 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); 697 return SECFailure; 698 } 699 700 name_list_len = ((PRUint16) d[0]) << 8 | 701 ((PRUint16) d[1]); 702 if (name_list_len != data->len - 2 || d[2] != data->len - 3) { 703 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); 704 return SECFailure; 705 } 706 707 protocol_name.data = data->data + 3; 708 protocol_name.len = data->len - 3; 709 710 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); 711 ss->ssl3.nextProtoState = SSL_NEXT_PROTO_SELECTED; 712 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 713 return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &protocol_name); 714 } 715 716 static PRInt32 717 ssl3_ClientSendNextProtoNegoXtn(sslSocket * ss, PRBool append, 718 PRUint32 maxBytes) 719 { 720 PRInt32 extension_length; 721 722 /* Renegotiations do not send this extension. */ 723 if (!ss->opt.enableNPN || !ss->nextProtoCallback || ss->firstHsDone) { 724 return 0; 725 } 726 727 extension_length = 4; 728 729 if (append && maxBytes >= extension_length) { 730 SECStatus rv; 731 rv = ssl3_AppendHandshakeNumber(ss, ssl_next_proto_nego_xtn, 2); 732 if (rv != SECSuccess) 733 goto loser; 734 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); 735 if (rv != SECSuccess) 736 goto loser; 737 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = 738 ssl_next_proto_nego_xtn; 739 } else if (maxBytes < extension_length) { 740 return 0; 741 } 742 743 return extension_length; 744 745 loser: 746 return -1; 747 } 748 749 static PRInt32 750 ssl3_ClientSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes) 751 { 752 PRInt32 extension_length; 753 unsigned char *alpn_protos = NULL; 754 755 /* Renegotiations do not send this extension. */ 756 if (!ss->opt.enableALPN || !ss->opt.nextProtoNego.data || ss->firstHsDone) { 757 return 0; 758 } 759 760 extension_length = 2 /* extension type */ + 2 /* extension length */ + 761 2 /* protocol name list length */ + 762 ss->opt.nextProtoNego.len; 763 764 if (append && maxBytes >= extension_length) { 765 /* NPN requires that the client's fallback protocol is first in the 766 * list. However, ALPN sends protocols in preference order. So we 767 * allocate a buffer and move the first protocol to the end of the 768 * list. */ 769 SECStatus rv; 770 const unsigned int len = ss->opt.nextProtoNego.len; 771 772 alpn_protos = PORT_Alloc(len); 773 if (alpn_protos == NULL) { 774 return SECFailure; 775 } 776 if (len > 0) { 777 /* Each protocol string is prefixed with a single byte length. */ 778 unsigned int i = ss->opt.nextProtoNego.data[0] + 1; 779 if (i <= len) { 780 memcpy(alpn_protos, &ss->opt.nextProtoNego.data[i], len - i); 781 memcpy(alpn_protos + len - i, ss->opt.nextProtoNego.data, i); 782 } else { 783 /* This seems to be invalid data so we'll send as-is. */ 784 memcpy(alpn_protos, ss->opt.nextProtoNego.data, len); 785 } 786 } 787 788 rv = ssl3_AppendHandshakeNumber(ss, ssl_app_layer_protocol_xtn, 2); 789 if (rv != SECSuccess) { 790 goto loser; 791 } 792 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); 793 if (rv != SECSuccess) { 794 goto loser; 795 } 796 rv = ssl3_AppendHandshakeVariable(ss, alpn_protos, len, 2); 797 PORT_Free(alpn_protos); 798 alpn_protos = NULL; 799 if (rv != SECSuccess) { 800 goto loser; 801 } 802 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = 803 ssl_app_layer_protocol_xtn; 804 } else if (maxBytes < extension_length) { 805 return 0; 806 } 807 808 return extension_length; 809 810 loser: 811 if (alpn_protos) { 812 PORT_Free(alpn_protos); 813 } 814 return -1; 815 } 816 817 static SECStatus 818 ssl3_ClientHandleChannelIDXtn(sslSocket *ss, PRUint16 ex_type, 819 SECItem *data) 820 { 821 PORT_Assert(ss->getChannelID != NULL); 822 823 if (data->len) { 824 PORT_SetError(SSL_ERROR_BAD_CHANNEL_ID_DATA); 825 return SECFailure; 826 } 827 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 828 return SECSuccess; 829 } 830 831 static PRInt32 832 ssl3_ClientSendChannelIDXtn(sslSocket * ss, PRBool append, 833 PRUint32 maxBytes) 834 { 835 PRInt32 extension_length = 4; 836 837 if (!ss->getChannelID) 838 return 0; 839 840 if (maxBytes < extension_length) { 841 PORT_Assert(0); 842 return 0; 843 } 844 845 if (ss->sec.ci.sid->cached != never_cached && 846 ss->sec.ci.sid->u.ssl3.originalHandshakeHash.len == 0) { 847 /* We can't do ChannelID on a connection if we're resuming and didn't 848 * do ChannelID on the original connection: without ChannelID on the 849 * original connection we didn't record the handshake hashes needed for 850 * the signature. */ 851 return 0; 852 } 853 854 if (append) { 855 SECStatus rv; 856 rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2); 857 if (rv != SECSuccess) 858 goto loser; 859 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); 860 if (rv != SECSuccess) 861 goto loser; 862 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = 863 ssl_channel_id_xtn; 864 } 865 866 return extension_length; 867 868 loser: 869 return -1; 870 } 871 872 static SECStatus 873 ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type, 874 SECItem *data) 875 { 876 /* The echoed extension must be empty. */ 877 if (data->len != 0) 878 return SECFailure; 879 880 /* Keep track of negotiated extensions. */ 881 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 882 883 return SECSuccess; 884 } 885 886 static PRInt32 887 ssl3_ServerSendStatusRequestXtn( 888 sslSocket * ss, 889 PRBool append, 890 PRUint32 maxBytes) 891 { 892 PRInt32 extension_length; 893 SECStatus rv; 894 int i; 895 PRBool haveStatus = PR_FALSE; 896 897 for (i = kt_null; i < kt_kea_size; i++) { 898 /* TODO: This is a temporary workaround. 899 * The correct code needs to see if we have an OCSP response for 900 * the server certificate being used, rather than if we have any 901 * OCSP response. See also ssl3_SendCertificateStatus. 902 */ 903 if (ss->certStatusArray[i] && ss->certStatusArray[i]->len) { 904 haveStatus = PR_TRUE; 905 break; 906 } 907 } 908 if (!haveStatus) 909 return 0; 910 911 extension_length = 2 + 2; 912 if (append && maxBytes >= extension_length) { 913 /* extension_type */ 914 rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2); 915 if (rv != SECSuccess) 916 return -1; 917 /* length of extension_data */ 918 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); 919 if (rv != SECSuccess) 920 return -1; 921 } 922 923 return extension_length; 924 } 925 926 /* ssl3_ClientSendStatusRequestXtn builds the status_request extension on the 927 * client side. See RFC 4366 section 3.6. */ 928 static PRInt32 929 ssl3_ClientSendStatusRequestXtn(sslSocket * ss, PRBool append, 930 PRUint32 maxBytes) 931 { 932 PRInt32 extension_length; 933 934 if (!ss->opt.enableOCSPStapling) 935 return 0; 936 937 /* extension_type (2-bytes) + 938 * length(extension_data) (2-bytes) + 939 * status_type (1) + 940 * responder_id_list length (2) + 941 * request_extensions length (2) 942 */ 943 extension_length = 9; 944 945 if (append && maxBytes >= extension_length) { 946 SECStatus rv; 947 TLSExtensionData *xtnData; 948 949 /* extension_type */ 950 rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2); 951 if (rv != SECSuccess) 952 return -1; 953 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); 954 if (rv != SECSuccess) 955 return -1; 956 rv = ssl3_AppendHandshakeNumber(ss, 1 /* status_type ocsp */, 1); 957 if (rv != SECSuccess) 958 return -1; 959 /* A zero length responder_id_list means that the responders are 960 * implicitly known to the server. */ 961 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); 962 if (rv != SECSuccess) 963 return -1; 964 /* A zero length request_extensions means that there are no extensions. 965 * Specifically, we don't set the id-pkix-ocsp-nonce extension. This 966 * means that the server can replay a cached OCSP response to us. */ 967 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); 968 if (rv != SECSuccess) 969 return -1; 970 971 xtnData = &ss->xtnData; 972 xtnData->advertised[xtnData->numAdvertised++] = ssl_cert_status_xtn; 973 } else if (maxBytes < extension_length) { 974 PORT_Assert(0); 975 return 0; 976 } 977 return extension_length; 978 } 979 980 /* 981 * NewSessionTicket 982 * Called from ssl3_HandleFinished 983 */ 984 SECStatus 985 ssl3_SendNewSessionTicket(sslSocket *ss) 986 { 987 int i; 988 SECStatus rv; 989 NewSessionTicket ticket; 990 SECItem plaintext; 991 SECItem plaintext_item = {0, NULL, 0}; 992 SECItem ciphertext = {0, NULL, 0}; 993 PRUint32 ciphertext_length; 994 PRBool ms_is_wrapped; 995 unsigned char wrapped_ms[SSL3_MASTER_SECRET_LENGTH]; 996 SECItem ms_item = {0, NULL, 0}; 997 SSL3KEAType effectiveExchKeyType = ssl_kea_null; 998 PRUint32 padding_length; 999 PRUint32 message_length; 1000 PRUint32 cert_length; 1001 PRUint8 length_buf[4]; 1002 PRUint32 now; 1003 PK11SymKey *aes_key_pkcs11; 1004 PK11SymKey *mac_key_pkcs11; 1005 #ifndef NO_PKCS11_BYPASS 1006 const unsigned char *aes_key; 1007 const unsigned char *mac_key; 1008 PRUint32 aes_key_length; 1009 PRUint32 mac_key_length; 1010 PRUint64 aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS]; 1011 AESContext *aes_ctx; 1012 const SECHashObject *hashObj = NULL; 1013 PRUint64 hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS]; 1014 HMACContext *hmac_ctx; 1015 #endif 1016 CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC; 1017 PK11Context *aes_ctx_pkcs11; 1018 CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC; 1019 PK11Context *hmac_ctx_pkcs11; 1020 unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH]; 1021 unsigned int computed_mac_length; 1022 unsigned char iv[AES_BLOCK_SIZE]; 1023 SECItem ivItem; 1024 SECItem *srvName = NULL; 1025 PRUint32 srvNameLen = 0; 1026 CK_MECHANISM_TYPE msWrapMech = 0; /* dummy default value, 1027 * must be >= 0 */ 1028 1029 SSL_TRC(3, ("%d: SSL3[%d]: send session_ticket handshake", 1030 SSL_GETPID(), ss->fd)); 1031 1032 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 1033 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 1034 1035 ticket.ticket_lifetime_hint = TLS_EX_SESS_TICKET_LIFETIME_HINT; 1036 cert_length = (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) ? 1037 3 + ss->sec.ci.sid->peerCert->derCert.len : 0; 1038 1039 /* Get IV and encryption keys */ 1040 ivItem.data = iv; 1041 ivItem.len = sizeof(iv); 1042 rv = PK11_GenerateRandom(iv, sizeof(iv)); 1043 if (rv != SECSuccess) goto loser; 1044 1045 #ifndef NO_PKCS11_BYPASS 1046 if (ss->opt.bypassPKCS11) { 1047 rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length, 1048 &mac_key, &mac_key_length); 1049 } else 1050 #endif 1051 { 1052 rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11, 1053 &mac_key_pkcs11); 1054 } 1055 if (rv != SECSuccess) goto loser; 1056 1057 if (ss->ssl3.pwSpec->msItem.len && ss->ssl3.pwSpec->msItem.data) { 1058 /* The master secret is available unwrapped. */ 1059 ms_item.data = ss->ssl3.pwSpec->msItem.data; 1060 ms_item.len = ss->ssl3.pwSpec->msItem.len; 1061 ms_is_wrapped = PR_FALSE; 1062 } else { 1063 /* Extract the master secret wrapped. */ 1064 sslSessionID sid; 1065 PORT_Memset(&sid, 0, sizeof(sslSessionID)); 1066 1067 if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) { 1068 effectiveExchKeyType = kt_rsa; 1069 } else { 1070 effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType; 1071 } 1072 1073 rv = ssl3_CacheWrappedMasterSecret(ss, &sid, ss->ssl3.pwSpec, 1074 effectiveExchKeyType); 1075 if (rv == SECSuccess) { 1076 if (sid.u.ssl3.keys.wrapped_master_secret_len > sizeof(wrapped_ms)) 1077 goto loser; 1078 memcpy(wrapped_ms, sid.u.ssl3.keys.wrapped_master_secret, 1079 sid.u.ssl3.keys.wrapped_master_secret_len); 1080 ms_item.data = wrapped_ms; 1081 ms_item.len = sid.u.ssl3.keys.wrapped_master_secret_len; 1082 msWrapMech = sid.u.ssl3.masterWrapMech; 1083 } else { 1084 /* TODO: else send an empty ticket. */ 1085 goto loser; 1086 } 1087 ms_is_wrapped = PR_TRUE; 1088 } 1089 /* Prep to send negotiated name */ 1090 srvName = &ss->ssl3.pwSpec->srvVirtName; 1091 if (srvName->data && srvName->len) { 1092 srvNameLen = 2 + srvName->len; /* len bytes + name len */ 1093 } 1094 1095 ciphertext_length = 1096 sizeof(PRUint16) /* ticket_version */ 1097 + sizeof(SSL3ProtocolVersion) /* ssl_version */ 1098 + sizeof(ssl3CipherSuite) /* ciphersuite */ 1099 + 1 /* compression */ 1100 + 10 /* cipher spec parameters */ 1101 + 1 /* SessionTicket.ms_is_wrapped */ 1102 + 1 /* effectiveExchKeyType */ 1103 + 4 /* msWrapMech */ 1104 + 2 /* master_secret.length */ 1105 + ms_item.len /* master_secret */ 1106 + 1 /* client_auth_type */ 1107 + cert_length /* cert */ 1108 + 1 /* server name type */ 1109 + srvNameLen /* name len + length field */ 1110 + sizeof(ticket.ticket_lifetime_hint); 1111 padding_length = AES_BLOCK_SIZE - 1112 (ciphertext_length % AES_BLOCK_SIZE); 1113 ciphertext_length += padding_length; 1114 1115 message_length = 1116 sizeof(ticket.ticket_lifetime_hint) /* ticket_lifetime_hint */ 1117 + 2 /* length field for NewSessionTicket.ticket */ 1118 + SESS_TICKET_KEY_NAME_LEN /* key_name */ 1119 + AES_BLOCK_SIZE /* iv */ 1120 + 2 /* length field for NewSessionTicket.ticket.encrypted_state */ 1121 + ciphertext_length /* encrypted_state */ 1122 + TLS_EX_SESS_TICKET_MAC_LENGTH; /* mac */ 1123 1124 if (SECITEM_AllocItem(NULL, &plaintext_item, ciphertext_length) == NULL) 1125 goto loser; 1126 1127 plaintext = plaintext_item; 1128 1129 /* ticket_version */ 1130 rv = ssl3_AppendNumberToItem(&plaintext, TLS_EX_SESS_TICKET_VERSION, 1131 sizeof(PRUint16)); 1132 if (rv != SECSuccess) goto loser; 1133 1134 /* ssl_version */ 1135 rv = ssl3_AppendNumberToItem(&plaintext, ss->version, 1136 sizeof(SSL3ProtocolVersion)); 1137 if (rv != SECSuccess) goto loser; 1138 1139 /* ciphersuite */ 1140 rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.cipher_suite, 1141 sizeof(ssl3CipherSuite)); 1142 if (rv != SECSuccess) goto loser; 1143 1144 /* compression */ 1145 rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.compression, 1); 1146 if (rv != SECSuccess) goto loser; 1147 1148 /* cipher spec parameters */ 1149 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authAlgorithm, 1); 1150 if (rv != SECSuccess) goto loser; 1151 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authKeyBits, 4); 1152 if (rv != SECSuccess) goto loser; 1153 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaType, 1); 1154 if (rv != SECSuccess) goto loser; 1155 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaKeyBits, 4); 1156 if (rv != SECSuccess) goto loser; 1157 1158 /* master_secret */ 1159 rv = ssl3_AppendNumberToItem(&plaintext, ms_is_wrapped, 1); 1160 if (rv != SECSuccess) goto loser; 1161 rv = ssl3_AppendNumberToItem(&plaintext, effectiveExchKeyType, 1); 1162 if (rv != SECSuccess) goto loser; 1163 rv = ssl3_AppendNumberToItem(&plaintext, msWrapMech, 4); 1164 if (rv != SECSuccess) goto loser; 1165 rv = ssl3_AppendNumberToItem(&plaintext, ms_item.len, 2); 1166 if (rv != SECSuccess) goto loser; 1167 rv = ssl3_AppendToItem(&plaintext, ms_item.data, ms_item.len); 1168 if (rv != SECSuccess) goto loser; 1169 1170 /* client_identity */ 1171 if (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) { 1172 rv = ssl3_AppendNumberToItem(&plaintext, CLIENT_AUTH_CERTIFICATE, 1); 1173 if (rv != SECSuccess) goto loser; 1174 rv = ssl3_AppendNumberToItem(&plaintext, 1175 ss->sec.ci.sid->peerCert->derCert.len, 3); 1176 if (rv != SECSuccess) goto loser; 1177 rv = ssl3_AppendToItem(&plaintext, 1178 ss->sec.ci.sid->peerCert->derCert.data, 1179 ss->sec.ci.sid->peerCert->derCert.len); 1180 if (rv != SECSuccess) goto loser; 1181 } else { 1182 rv = ssl3_AppendNumberToItem(&plaintext, 0, 1); 1183 if (rv != SECSuccess) goto loser; 1184 } 1185 1186 /* timestamp */ 1187 now = ssl_Time(); 1188 rv = ssl3_AppendNumberToItem(&plaintext, now, 1189 sizeof(ticket.ticket_lifetime_hint)); 1190 if (rv != SECSuccess) goto loser; 1191 1192 if (srvNameLen) { 1193 /* Name Type (sni_host_name) */ 1194 rv = ssl3_AppendNumberToItem(&plaintext, srvName->type, 1); 1195 if (rv != SECSuccess) goto loser; 1196 /* HostName (length and value) */ 1197 rv = ssl3_AppendNumberToItem(&plaintext, srvName->len, 2); 1198 if (rv != SECSuccess) goto loser; 1199 rv = ssl3_AppendToItem(&plaintext, srvName->data, srvName->len); 1200 if (rv != SECSuccess) goto loser; 1201 } else { 1202 /* No Name */ 1203 rv = ssl3_AppendNumberToItem(&plaintext, (char)TLS_STE_NO_SERVER_NAME, 1204 1); 1205 if (rv != SECSuccess) goto loser; 1206 } 1207 1208 PORT_Assert(plaintext.len == padding_length); 1209 for (i = 0; i < padding_length; i++) 1210 plaintext.data[i] = (unsigned char)padding_length; 1211 1212 if (SECITEM_AllocItem(NULL, &ciphertext, ciphertext_length) == NULL) { 1213 rv = SECFailure; 1214 goto loser; 1215 } 1216 1217 /* Generate encrypted portion of ticket. */ 1218 #ifndef NO_PKCS11_BYPASS 1219 if (ss->opt.bypassPKCS11) { 1220 aes_ctx = (AESContext *)aes_ctx_buf; 1221 rv = AES_InitContext(aes_ctx, aes_key, aes_key_length, iv, 1222 NSS_AES_CBC, 1, AES_BLOCK_SIZE); 1223 if (rv != SECSuccess) goto loser; 1224 1225 rv = AES_Encrypt(aes_ctx, ciphertext.data, &ciphertext.len, 1226 ciphertext.len, plaintext_item.data, 1227 plaintext_item.len); 1228 if (rv != SECSuccess) goto loser; 1229 } else 1230 #endif 1231 { 1232 aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech, 1233 CKA_ENCRYPT, aes_key_pkcs11, &ivItem); 1234 if (!aes_ctx_pkcs11) 1235 goto loser; 1236 1237 rv = PK11_CipherOp(aes_ctx_pkcs11, ciphertext.data, 1238 (int *)&ciphertext.len, ciphertext.len, 1239 plaintext_item.data, plaintext_item.len); 1240 PK11_Finalize(aes_ctx_pkcs11); 1241 PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE); 1242 if (rv != SECSuccess) goto loser; 1243 } 1244 1245 /* Convert ciphertext length to network order. */ 1246 length_buf[0] = (ciphertext.len >> 8) & 0xff; 1247 length_buf[1] = (ciphertext.len ) & 0xff; 1248 1249 /* Compute MAC. */ 1250 #ifndef NO_PKCS11_BYPASS 1251 if (ss->opt.bypassPKCS11) { 1252 hmac_ctx = (HMACContext *)hmac_ctx_buf; 1253 hashObj = HASH_GetRawHashObject(HASH_AlgSHA256); 1254 if (HMAC_Init(hmac_ctx, hashObj, mac_key, 1255 mac_key_length, PR_FALSE) != SECSuccess) 1256 goto loser; 1257 1258 HMAC_Begin(hmac_ctx); 1259 HMAC_Update(hmac_ctx, key_name, SESS_TICKET_KEY_NAME_LEN); 1260 HMAC_Update(hmac_ctx, iv, sizeof(iv)); 1261 HMAC_Update(hmac_ctx, (unsigned char *)length_buf, 2); 1262 HMAC_Update(hmac_ctx, ciphertext.data, ciphertext.len); 1263 HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length, 1264 sizeof(computed_mac)); 1265 } else 1266 #endif 1267 { 1268 SECItem macParam; 1269 macParam.data = NULL; 1270 macParam.len = 0; 1271 hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech, 1272 CKA_SIGN, mac_key_pkcs11, &macParam); 1273 if (!hmac_ctx_pkcs11) 1274 goto loser; 1275 1276 rv = PK11_DigestBegin(hmac_ctx_pkcs11); 1277 rv = PK11_DigestOp(hmac_ctx_pkcs11, key_name, 1278 SESS_TICKET_KEY_NAME_LEN); 1279 rv = PK11_DigestOp(hmac_ctx_pkcs11, iv, sizeof(iv)); 1280 rv = PK11_DigestOp(hmac_ctx_pkcs11, (unsigned char *)length_buf, 2); 1281 rv = PK11_DigestOp(hmac_ctx_pkcs11, ciphertext.data, ciphertext.len); 1282 rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac, 1283 &computed_mac_length, sizeof(computed_mac)); 1284 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); 1285 if (rv != SECSuccess) goto loser; 1286 } 1287 1288 /* Serialize the handshake message. */ 1289 rv = ssl3_AppendHandshakeHeader(ss, new_session_ticket, message_length); 1290 if (rv != SECSuccess) goto loser; 1291 1292 rv = ssl3_AppendHandshakeNumber(ss, ticket.ticket_lifetime_hint, 1293 sizeof(ticket.ticket_lifetime_hint)); 1294 if (rv != SECSuccess) goto loser; 1295 1296 rv = ssl3_AppendHandshakeNumber(ss, 1297 message_length - sizeof(ticket.ticket_lifetime_hint) - 2, 2); 1298 if (rv != SECSuccess) goto loser; 1299 1300 rv = ssl3_AppendHandshake(ss, key_name, SESS_TICKET_KEY_NAME_LEN); 1301 if (rv != SECSuccess) goto loser; 1302 1303 rv = ssl3_AppendHandshake(ss, iv, sizeof(iv)); 1304 if (rv != SECSuccess) goto loser; 1305 1306 rv = ssl3_AppendHandshakeVariable(ss, ciphertext.data, ciphertext.len, 2); 1307 if (rv != SECSuccess) goto loser; 1308 1309 rv = ssl3_AppendHandshake(ss, computed_mac, computed_mac_length); 1310 if (rv != SECSuccess) goto loser; 1311 1312 loser: 1313 if (plaintext_item.data) 1314 SECITEM_FreeItem(&plaintext_item, PR_FALSE); 1315 if (ciphertext.data) 1316 SECITEM_FreeItem(&ciphertext, PR_FALSE); 1317 1318 return rv; 1319 } 1320 1321 /* When a client receives a SessionTicket extension a NewSessionTicket 1322 * message is expected during the handshake. 1323 */ 1324 SECStatus 1325 ssl3_ClientHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type, 1326 SECItem *data) 1327 { 1328 if (data->len != 0) 1329 return SECFailure; 1330 1331 /* Keep track of negotiated extensions. */ 1332 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 1333 return SECSuccess; 1334 } 1335 1336 SECStatus 1337 ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type, 1338 SECItem *data) 1339 { 1340 SECStatus rv; 1341 SECItem *decrypted_state = NULL; 1342 SessionTicket *parsed_session_ticket = NULL; 1343 sslSessionID *sid = NULL; 1344 SSL3Statistics *ssl3stats; 1345 1346 /* Ignore the SessionTicket extension if processing is disabled. */ 1347 if (!ss->opt.enableSessionTickets) 1348 return SECSuccess; 1349 1350 /* Keep track of negotiated extensions. */ 1351 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 1352 1353 /* Parse the received ticket sent in by the client. We are 1354 * lenient about some parse errors, falling back to a fullshake 1355 * instead of terminating the current connection. 1356 */ 1357 if (data->len == 0) { 1358 ss->xtnData.emptySessionTicket = PR_TRUE; 1359 } else { 1360 int i; 1361 SECItem extension_data; 1362 EncryptedSessionTicket enc_session_ticket; 1363 unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH]; 1364 unsigned int computed_mac_length; 1365 #ifndef NO_PKCS11_BYPASS 1366 const SECHashObject *hashObj; 1367 const unsigned char *aes_key; 1368 const unsigned char *mac_key; 1369 PRUint32 aes_key_length; 1370 PRUint32 mac_key_length; 1371 PRUint64 hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS]; 1372 HMACContext *hmac_ctx; 1373 PRUint64 aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS]; 1374 AESContext *aes_ctx; 1375 #endif 1376 PK11SymKey *aes_key_pkcs11; 1377 PK11SymKey *mac_key_pkcs11; 1378 PK11Context *hmac_ctx_pkcs11; 1379 CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC; 1380 PK11Context *aes_ctx_pkcs11; 1381 CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC; 1382 unsigned char * padding; 1383 PRUint32 padding_length; 1384 unsigned char *buffer; 1385 unsigned int buffer_len; 1386 PRInt32 temp; 1387 SECItem cert_item; 1388 PRInt8 nameType = TLS_STE_NO_SERVER_NAME; 1389 1390 /* Turn off stateless session resumption if the client sends a 1391 * SessionTicket extension, even if the extension turns out to be 1392 * malformed (ss->sec.ci.sid is non-NULL when doing session 1393 * renegotiation.) 1394 */ 1395 if (ss->sec.ci.sid != NULL) { 1396 if (ss->sec.uncache) 1397 ss->sec.uncache(ss->sec.ci.sid); 1398 ssl_FreeSID(ss->sec.ci.sid); 1399 ss->sec.ci.sid = NULL; 1400 } 1401 1402 extension_data.data = data->data; /* Keep a copy for future use. */ 1403 extension_data.len = data->len; 1404 1405 if (ssl3_ParseEncryptedSessionTicket(ss, data, &enc_session_ticket) 1406 != SECSuccess) 1407 return SECFailure; 1408 1409 /* Get session ticket keys. */ 1410 #ifndef NO_PKCS11_BYPASS 1411 if (ss->opt.bypassPKCS11) { 1412 rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length, 1413 &mac_key, &mac_key_length); 1414 } else 1415 #endif 1416 { 1417 rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11, 1418 &mac_key_pkcs11); 1419 } 1420 if (rv != SECSuccess) { 1421 SSL_DBG(("%d: SSL[%d]: Unable to get/generate session ticket keys.", 1422 SSL_GETPID(), ss->fd)); 1423 goto loser; 1424 } 1425 1426 /* If the ticket sent by the client was generated under a key different 1427 * from the one we have, bypass ticket processing. 1428 */ 1429 if (PORT_Memcmp(enc_session_ticket.key_name, key_name, 1430 SESS_TICKET_KEY_NAME_LEN) != 0) { 1431 SSL_DBG(("%d: SSL[%d]: Session ticket key_name sent mismatch.", 1432 SSL_GETPID(), ss->fd)); 1433 goto no_ticket; 1434 } 1435 1436 /* Verify the MAC on the ticket. MAC verification may also 1437 * fail if the MAC key has been recently refreshed. 1438 */ 1439 #ifndef NO_PKCS11_BYPASS 1440 if (ss->opt.bypassPKCS11) { 1441 hmac_ctx = (HMACContext *)hmac_ctx_buf; 1442 hashObj = HASH_GetRawHashObject(HASH_AlgSHA256); 1443 if (HMAC_Init(hmac_ctx, hashObj, mac_key, 1444 sizeof(session_ticket_mac_key), PR_FALSE) != SECSuccess) 1445 goto no_ticket; 1446 HMAC_Begin(hmac_ctx); 1447 HMAC_Update(hmac_ctx, extension_data.data, 1448 extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH); 1449 if (HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length, 1450 sizeof(computed_mac)) != SECSuccess) 1451 goto no_ticket; 1452 } else 1453 #endif 1454 { 1455 SECItem macParam; 1456 macParam.data = NULL; 1457 macParam.len = 0; 1458 hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech, 1459 CKA_SIGN, mac_key_pkcs11, &macParam); 1460 if (!hmac_ctx_pkcs11) { 1461 SSL_DBG(("%d: SSL[%d]: Unable to create HMAC context: %d.", 1462 SSL_GETPID(), ss->fd, PORT_GetError())); 1463 goto no_ticket; 1464 } else { 1465 SSL_DBG(("%d: SSL[%d]: Successfully created HMAC context.", 1466 SSL_GETPID(), ss->fd)); 1467 } 1468 rv = PK11_DigestBegin(hmac_ctx_pkcs11); 1469 rv = PK11_DigestOp(hmac_ctx_pkcs11, extension_data.data, 1470 extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH); 1471 if (rv != SECSuccess) { 1472 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); 1473 goto no_ticket; 1474 } 1475 rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac, 1476 &computed_mac_length, sizeof(computed_mac)); 1477 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); 1478 if (rv != SECSuccess) 1479 goto no_ticket; 1480 } 1481 if (NSS_SecureMemcmp(computed_mac, enc_session_ticket.mac, 1482 computed_mac_length) != 0) { 1483 SSL_DBG(("%d: SSL[%d]: Session ticket MAC mismatch.", 1484 SSL_GETPID(), ss->fd)); 1485 goto no_ticket; 1486 } 1487 1488 /* We ignore key_name for now. 1489 * This is ok as MAC verification succeeded. 1490 */ 1491 1492 /* Decrypt the ticket. */ 1493 1494 /* Plaintext is shorter than the ciphertext due to padding. */ 1495 decrypted_state = SECITEM_AllocItem(NULL, NULL, 1496 enc_session_ticket.encrypted_state.len); 1497 1498 #ifndef NO_PKCS11_BYPASS 1499 if (ss->opt.bypassPKCS11) { 1500 aes_ctx = (AESContext *)aes_ctx_buf; 1501 rv = AES_InitContext(aes_ctx, aes_key, 1502 sizeof(session_ticket_enc_key), enc_session_ticket.iv, 1503 NSS_AES_CBC, 0,AES_BLOCK_SIZE); 1504 if (rv != SECSuccess) { 1505 SSL_DBG(("%d: SSL[%d]: Unable to create AES context.", 1506 SSL_GETPID(), ss->fd)); 1507 goto no_ticket; 1508 } 1509 1510 rv = AES_Decrypt(aes_ctx, decrypted_state->data, 1511 &decrypted_state->len, decrypted_state->len, 1512 enc_session_ticket.encrypted_state.data, 1513 enc_session_ticket.encrypted_state.len); 1514 if (rv != SECSuccess) 1515 goto no_ticket; 1516 } else 1517 #endif 1518 { 1519 SECItem ivItem; 1520 ivItem.data = enc_session_ticket.iv; 1521 ivItem.len = AES_BLOCK_SIZE; 1522 aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech, 1523 CKA_DECRYPT, aes_key_pkcs11, &ivItem); 1524 if (!aes_ctx_pkcs11) { 1525 SSL_DBG(("%d: SSL[%d]: Unable to create AES context.", 1526 SSL_GETPID(), ss->fd)); 1527 goto no_ticket; 1528 } 1529 1530 rv = PK11_CipherOp(aes_ctx_pkcs11, decrypted_state->data, 1531 (int *)&decrypted_state->len, decrypted_state->len, 1532 enc_session_ticket.encrypted_state.data, 1533 enc_session_ticket.encrypted_state.len); 1534 PK11_Finalize(aes_ctx_pkcs11); 1535 PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE); 1536 if (rv != SECSuccess) 1537 goto no_ticket; 1538 } 1539 1540 /* Check padding. */ 1541 padding_length = 1542 (PRUint32)decrypted_state->data[decrypted_state->len - 1]; 1543 if (padding_length == 0 || padding_length > AES_BLOCK_SIZE) 1544 goto no_ticket; 1545 1546 padding = &decrypted_state->data[decrypted_state->len - padding_length]; 1547 for (i = 0; i < padding_length; i++, padding++) { 1548 if (padding_length != (PRUint32)*padding) 1549 goto no_ticket; 1550 } 1551 1552 /* Deserialize session state. */ 1553 buffer = decrypted_state->data; 1554 buffer_len = decrypted_state->len; 1555 1556 parsed_session_ticket = PORT_ZAlloc(sizeof(SessionTicket)); 1557 if (parsed_session_ticket == NULL) { 1558 rv = SECFailure; 1559 goto loser; 1560 } 1561 1562 /* Read ticket_version (which is ignored for now.) */ 1563 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); 1564 if (temp < 0) goto no_ticket; 1565 parsed_session_ticket->ticket_version = (SSL3ProtocolVersion)temp; 1566 1567 /* Read SSLVersion. */ 1568 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); 1569 if (temp < 0) goto no_ticket; 1570 parsed_session_ticket->ssl_version = (SSL3ProtocolVersion)temp; 1571 1572 /* Read cipher_suite. */ 1573 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); 1574 if (temp < 0) goto no_ticket; 1575 parsed_session_ticket->cipher_suite = (ssl3CipherSuite)temp; 1576 1577 /* Read compression_method. */ 1578 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); 1579 if (temp < 0) goto no_ticket; 1580 parsed_session_ticket->compression_method = (SSLCompressionMethod)temp; 1581 1582 /* Read cipher spec parameters. */ 1583 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); 1584 if (temp < 0) goto no_ticket; 1585 parsed_session_ticket->authAlgorithm = (SSLSignType)temp; 1586 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); 1587 if (temp < 0) goto no_ticket; 1588 parsed_session_ticket->authKeyBits = (PRUint32)temp; 1589 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); 1590 if (temp < 0) goto no_ticket; 1591 parsed_session_ticket->keaType = (SSLKEAType)temp; 1592 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); 1593 if (temp < 0) goto no_ticket; 1594 parsed_session_ticket->keaKeyBits = (PRUint32)temp; 1595 1596 /* Read wrapped master_secret. */ 1597 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); 1598 if (temp < 0) goto no_ticket; 1599 parsed_session_ticket->ms_is_wrapped = (PRBool)temp; 1600 1601 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); 1602 if (temp < 0) goto no_ticket; 1603 parsed_session_ticket->exchKeyType = (SSL3KEAType)temp; 1604 1605 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); 1606 if (temp < 0) goto no_ticket; 1607 parsed_session_ticket->msWrapMech = (CK_MECHANISM_TYPE)temp; 1608 1609 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); 1610 if (temp < 0) goto no_ticket; 1611 parsed_session_ticket->ms_length = (PRUint16)temp; 1612 if (parsed_session_ticket->ms_length == 0 || /* sanity check MS. */ 1613 parsed_session_ticket->ms_length > 1614 sizeof(parsed_session_ticket->master_secret)) 1615 goto no_ticket; 1616 1617 /* Allow for the wrapped master secret to be longer. */ 1618 if (buffer_len < parsed_session_ticket->ms_length) 1619 goto no_ticket; 1620 PORT_Memcpy(parsed_session_ticket->master_secret, buffer, 1621 parsed_session_ticket->ms_length); 1622 buffer += parsed_session_ticket->ms_length; 1623 buffer_len -= parsed_session_ticket->ms_length; 1624 1625 /* Read client_identity */ 1626 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); 1627 if (temp < 0) 1628 goto no_ticket; 1629 parsed_session_ticket->client_identity.client_auth_type = 1630 (ClientAuthenticationType)temp; 1631 switch(parsed_session_ticket->client_identity.client_auth_type) { 1632 case CLIENT_AUTH_ANONYMOUS: 1633 break; 1634 case CLIENT_AUTH_CERTIFICATE: 1635 rv = ssl3_ConsumeHandshakeVariable(ss, &cert_item, 3, 1636 &buffer, &buffer_len); 1637 if (rv != SECSuccess) goto no_ticket; 1638 rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->peer_cert, 1639 &cert_item); 1640 if (rv != SECSuccess) goto no_ticket; 1641 break; 1642 default: 1643 goto no_ticket; 1644 } 1645 /* Read timestamp. */ 1646 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); 1647 if (temp < 0) 1648 goto no_ticket; 1649 parsed_session_ticket->timestamp = (PRUint32)temp; 1650 1651 /* Read server name */ 1652 nameType = 1653 ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); 1654 if (nameType != TLS_STE_NO_SERVER_NAME) { 1655 SECItem name_item; 1656 rv = ssl3_ConsumeHandshakeVariable(ss, &name_item, 2, &buffer, 1657 &buffer_len); 1658 if (rv != SECSuccess) goto no_ticket; 1659 rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->srvName, 1660 &name_item); 1661 if (rv != SECSuccess) goto no_ticket; 1662 parsed_session_ticket->srvName.type = nameType; 1663 } 1664 1665 /* Done parsing. Check that all bytes have been consumed. */ 1666 if (buffer_len != padding_length) 1667 goto no_ticket; 1668 1669 /* Use the ticket if it has not expired, otherwise free the allocated 1670 * memory since the ticket is of no use. 1671 */ 1672 if (parsed_session_ticket->timestamp != 0 && 1673 parsed_session_ticket->timestamp + 1674 TLS_EX_SESS_TICKET_LIFETIME_HINT > ssl_Time()) { 1675 1676 sid = ssl3_NewSessionID(ss, PR_TRUE); 1677 if (sid == NULL) { 1678 rv = SECFailure; 1679 goto loser; 1680 } 1681 1682 /* Copy over parameters. */ 1683 sid->version = parsed_session_ticket->ssl_version; 1684 sid->u.ssl3.cipherSuite = parsed_session_ticket->cipher_suite; 1685 sid->u.ssl3.compression = parsed_session_ticket->compression_method; 1686 sid->authAlgorithm = parsed_session_ticket->authAlgorithm; 1687 sid->authKeyBits = parsed_session_ticket->authKeyBits; 1688 sid->keaType = parsed_session_ticket->keaType; 1689 sid->keaKeyBits = parsed_session_ticket->keaKeyBits; 1690 1691 /* Copy master secret. */ 1692 #ifndef NO_PKCS11_BYPASS 1693 if (ss->opt.bypassPKCS11 && 1694 parsed_session_ticket->ms_is_wrapped) 1695 goto no_ticket; 1696 #endif 1697 if (parsed_session_ticket->ms_length > 1698 sizeof(sid->u.ssl3.keys.wrapped_master_secret)) 1699 goto no_ticket; 1700 PORT_Memcpy(sid->u.ssl3.keys.wrapped_master_secret, 1701 parsed_session_ticket->master_secret, 1702 parsed_session_ticket->ms_length); 1703 sid->u.ssl3.keys.wrapped_master_secret_len = 1704 parsed_session_ticket->ms_length; 1705 sid->u.ssl3.exchKeyType = parsed_session_ticket->exchKeyType; 1706 sid->u.ssl3.masterWrapMech = parsed_session_ticket->msWrapMech; 1707 sid->u.ssl3.keys.msIsWrapped = 1708 parsed_session_ticket->ms_is_wrapped; 1709 sid->u.ssl3.masterValid = PR_TRUE; 1710 sid->u.ssl3.keys.resumable = PR_TRUE; 1711 1712 /* Copy over client cert from session ticket if there is one. */ 1713 if (parsed_session_ticket->peer_cert.data != NULL) { 1714 if (sid->peerCert != NULL) 1715 CERT_DestroyCertificate(sid->peerCert); 1716 sid->peerCert = CERT_NewTempCertificate(ss->dbHandle, 1717 &parsed_session_ticket->peer_cert, NULL, PR_FALSE, PR_TRUE); 1718 if (sid->peerCert == NULL) { 1719 rv = SECFailure; 1720 goto loser; 1721 } 1722 } 1723 if (parsed_session_ticket->srvName.data != NULL) { 1724 sid->u.ssl3.srvName = parsed_session_ticket->srvName; 1725 } 1726 ss->statelessResume = PR_TRUE; 1727 ss->sec.ci.sid = sid; 1728 } 1729 } 1730 1731 if (0) { 1732 no_ticket: 1733 SSL_DBG(("%d: SSL[%d]: Session ticket parsing failed.", 1734 SSL_GETPID(), ss->fd)); 1735 ssl3stats = SSL_GetStatistics(); 1736 SSL_AtomicIncrementLong(& ssl3stats->hch_sid_ticket_parse_failures ); 1737 } 1738 rv = SECSuccess; 1739 1740 loser: 1741 /* ss->sec.ci.sid == sid if it did NOT come here via goto statement 1742 * in that case do not free sid 1743 */ 1744 if (sid && (ss->sec.ci.sid != sid)) { 1745 ssl_FreeSID(sid); 1746 sid = NULL; 1747 } 1748 if (decrypted_state != NULL) { 1749 SECITEM_FreeItem(decrypted_state, PR_TRUE); 1750 decrypted_state = NULL; 1751 } 1752 1753 if (parsed_session_ticket != NULL) { 1754 if (parsed_session_ticket->peer_cert.data) { 1755 SECITEM_FreeItem(&parsed_session_ticket->peer_cert, PR_FALSE); 1756 } 1757 PORT_ZFree(parsed_session_ticket, sizeof(SessionTicket)); 1758 } 1759 1760 return rv; 1761 } 1762 1763 /* 1764 * Read bytes. Using this function means the SECItem structure 1765 * cannot be freed. The caller is expected to call this function 1766 * on a shallow copy of the structure. 1767 */ 1768 static SECStatus 1769 ssl3_ConsumeFromItem(SECItem *item, unsigned char **buf, PRUint32 bytes) 1770 { 1771 if (bytes > item->len) 1772 return SECFailure; 1773 1774 *buf = item->data; 1775 item->data += bytes; 1776 item->len -= bytes; 1777 return SECSuccess; 1778 } 1779 1780 static SECStatus 1781 ssl3_ParseEncryptedSessionTicket(sslSocket *ss, SECItem *data, 1782 EncryptedSessionTicket *enc_session_ticket) 1783 { 1784 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->key_name, 1785 SESS_TICKET_KEY_NAME_LEN) != SECSuccess) 1786 return SECFailure; 1787 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->iv, 1788 AES_BLOCK_SIZE) != SECSuccess) 1789 return SECFailure; 1790 if (ssl3_ConsumeHandshakeVariable(ss, &enc_session_ticket->encrypted_state, 1791 2, &data->data, &data->len) != SECSuccess) 1792 return SECFailure; 1793 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->mac, 1794 TLS_EX_SESS_TICKET_MAC_LENGTH) != SECSuccess) 1795 return SECFailure; 1796 if (data->len != 0) /* Make sure that we have consumed all bytes. */ 1797 return SECFailure; 1798 1799 return SECSuccess; 1800 } 1801 1802 /* go through hello extensions in buffer "b". 1803 * For each one, find the extension handler in the table, and 1804 * if present, invoke that handler. 1805 * Servers ignore any extensions with unknown extension types. 1806 * Clients reject any extensions with unadvertised extension types. 1807 */ 1808 SECStatus 1809 ssl3_HandleHelloExtensions(sslSocket *ss, SSL3Opaque **b, PRUint32 *length) 1810 { 1811 const ssl3HelloExtensionHandler * handlers; 1812 1813 if (ss->sec.isServer) { 1814 handlers = clientHelloHandlers; 1815 } else if (ss->version > SSL_LIBRARY_VERSION_3_0) { 1816 handlers = serverHelloHandlersTLS; 1817 } else { 1818 handlers = serverHelloHandlersSSL3; 1819 } 1820 1821 while (*length) { 1822 const ssl3HelloExtensionHandler * handler; 1823 SECStatus rv; 1824 PRInt32 extension_type; 1825 SECItem extension_data; 1826 1827 /* Get the extension's type field */ 1828 extension_type = ssl3_ConsumeHandshakeNumber(ss, 2, b, length); 1829 if (extension_type < 0) /* failure to decode extension_type */ 1830 return SECFailure; /* alert already sent */ 1831 1832 /* get the data for this extension, so we can pass it or skip it. */ 1833 rv = ssl3_ConsumeHandshakeVariable(ss, &extension_data, 2, b, length); 1834 if (rv != SECSuccess) 1835 return rv; 1836 1837 /* Check whether the server sent an extension which was not advertised 1838 * in the ClientHello. 1839 */ 1840 if (!ss->sec.isServer && 1841 !ssl3_ClientExtensionAdvertised(ss, extension_type)) 1842 return SECFailure; /* TODO: send unsupported_extension alert */ 1843 1844 /* Check whether an extension has been sent multiple times. */ 1845 if (ssl3_ExtensionNegotiated(ss, extension_type)) 1846 return SECFailure; 1847 1848 /* find extension_type in table of Hello Extension Handlers */ 1849 for (handler = handlers; handler->ex_type >= 0; handler++) { 1850 /* if found, call this handler */ 1851 if (handler->ex_type == extension_type) { 1852 rv = (*handler->ex_handler)(ss, (PRUint16)extension_type, 1853 &extension_data); 1854 /* Ignore this result */ 1855 /* Treat all bad extensions as unrecognized types. */ 1856 break; 1857 } 1858 } 1859 } 1860 return SECSuccess; 1861 } 1862 1863 /* Add a callback function to the table of senders of server hello extensions. 1864 */ 1865 SECStatus 1866 ssl3_RegisterServerHelloExtensionSender(sslSocket *ss, PRUint16 ex_type, 1867 ssl3HelloExtensionSenderFunc cb) 1868 { 1869 int i; 1870 ssl3HelloExtensionSender *sender = &ss->xtnData.serverSenders[0]; 1871 1872 for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) { 1873 if (!sender->ex_sender) { 1874 sender->ex_type = ex_type; 1875 sender->ex_sender = cb; 1876 return SECSuccess; 1877 } 1878 /* detect duplicate senders */ 1879 PORT_Assert(sender->ex_type != ex_type); 1880 if (sender->ex_type == ex_type) { 1881 /* duplicate */ 1882 break; 1883 } 1884 } 1885 PORT_Assert(i < SSL_MAX_EXTENSIONS); /* table needs to grow */ 1886 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 1887 return SECFailure; 1888 } 1889 1890 /* call each of the extension senders and return the accumulated length */ 1891 PRInt32 1892 ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes, 1893 const ssl3HelloExtensionSender *sender) 1894 { 1895 PRInt32 total_exten_len = 0; 1896 int i; 1897 1898 if (!sender) { 1899 sender = ss->version > SSL_LIBRARY_VERSION_3_0 ? 1900 &clientHelloSendersTLS[0] : &clientHelloSendersSSL3[0]; 1901 } 1902 1903 for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) { 1904 if (sender->ex_sender) { 1905 PRInt32 extLen = (*sender->ex_sender)(ss, append, maxBytes); 1906 if (extLen < 0) 1907 return -1; 1908 maxBytes -= extLen; 1909 total_exten_len += extLen; 1910 } 1911 } 1912 return total_exten_len; 1913 } 1914 1915 1916 /* Extension format: 1917 * Extension number: 2 bytes 1918 * Extension length: 2 bytes 1919 * Verify Data Length: 1 byte 1920 * Verify Data (TLS): 12 bytes (client) or 24 bytes (server) 1921 * Verify Data (SSL): 36 bytes (client) or 72 bytes (server) 1922 */ 1923 static PRInt32 1924 ssl3_SendRenegotiationInfoXtn( 1925 sslSocket * ss, 1926 PRBool append, 1927 PRUint32 maxBytes) 1928 { 1929 PRInt32 len, needed; 1930 1931 /* In draft-ietf-tls-renegotiation-03, it is NOT RECOMMENDED to send 1932 * both the SCSV and the empty RI, so when we send SCSV in 1933 * the initial handshake, we don't also send RI. 1934 */ 1935 if (!ss || ss->ssl3.hs.sendingSCSV) 1936 return 0; 1937 len = !ss->firstHsDone ? 0 : 1938 (ss->sec.isServer ? ss->ssl3.hs.finishedBytes * 2 1939 : ss->ssl3.hs.finishedBytes); 1940 needed = 5 + len; 1941 if (append && maxBytes >= needed) { 1942 SECStatus rv; 1943 /* extension_type */ 1944 rv = ssl3_AppendHandshakeNumber(ss, ssl_renegotiation_info_xtn, 2); 1945 if (rv != SECSuccess) return -1; 1946 /* length of extension_data */ 1947 rv = ssl3_AppendHandshakeNumber(ss, len + 1, 2); 1948 if (rv != SECSuccess) return -1; 1949 /* verify_Data from previous Finished message(s) */ 1950 rv = ssl3_AppendHandshakeVariable(ss, 1951 ss->ssl3.hs.finishedMsgs.data, len, 1); 1952 if (rv != SECSuccess) return -1; 1953 if (!ss->sec.isServer) { 1954 TLSExtensionData *xtnData = &ss->xtnData; 1955 xtnData->advertised[xtnData->numAdvertised++] = 1956 ssl_renegotiation_info_xtn; 1957 } 1958 } 1959 return needed; 1960 } 1961 1962 static SECStatus 1963 ssl3_ServerHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type, 1964 SECItem *data) 1965 { 1966 SECStatus rv = SECSuccess; 1967 1968 /* remember that we got this extension. */ 1969 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 1970 PORT_Assert(ss->sec.isServer); 1971 /* prepare to send back the appropriate response */ 1972 rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type, 1973 ssl3_ServerSendStatusRequestXtn); 1974 return rv; 1975 } 1976 1977 /* This function runs in both the client and server. */ 1978 static SECStatus 1979 ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) 1980 { 1981 SECStatus rv = SECSuccess; 1982 PRUint32 len = 0; 1983 1984 if (ss->firstHsDone) { 1985 len = ss->sec.isServer ? ss->ssl3.hs.finishedBytes 1986 : ss->ssl3.hs.finishedBytes * 2; 1987 } 1988 if (data->len != 1 + len || 1989 data->data[0] != len || (len && 1990 NSS_SecureMemcmp(ss->ssl3.hs.finishedMsgs.data, 1991 data->data + 1, len))) { 1992 /* Can we do this here? Or, must we arrange for the caller to do it? */ 1993 (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure); 1994 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); 1995 return SECFailure; 1996 } 1997 /* remember that we got this extension and it was correct. */ 1998 ss->peerRequestedProtection = 1; 1999 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 2000 if (ss->sec.isServer) { 2001 /* prepare to send back the appropriate response */ 2002 rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type, 2003 ssl3_SendRenegotiationInfoXtn); 2004 } 2005 return rv; 2006 } 2007 2008 static PRInt32 2009 ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes) 2010 { 2011 PRUint32 ext_data_len; 2012 PRInt16 i; 2013 SECStatus rv; 2014 2015 if (!ss) 2016 return 0; 2017 2018 if (!ss->sec.isServer) { 2019 /* Client side */ 2020 2021 if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) 2022 return 0; /* Not relevant */ 2023 2024 ext_data_len = 2 + 2 * ss->ssl3.dtlsSRTPCipherCount + 1; 2025 2026 if (append && maxBytes >= 4 + ext_data_len) { 2027 /* Extension type */ 2028 rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2); 2029 if (rv != SECSuccess) return -1; 2030 /* Length of extension data */ 2031 rv = ssl3_AppendHandshakeNumber(ss, ext_data_len, 2); 2032 if (rv != SECSuccess) return -1; 2033 /* Length of the SRTP cipher list */ 2034 rv = ssl3_AppendHandshakeNumber(ss, 2035 2 * ss->ssl3.dtlsSRTPCipherCount, 2036 2); 2037 if (rv != SECSuccess) return -1; 2038 /* The SRTP ciphers */ 2039 for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) { 2040 rv = ssl3_AppendHandshakeNumber(ss, 2041 ss->ssl3.dtlsSRTPCiphers[i], 2042 2); 2043 } 2044 /* Empty MKI value */ 2045 ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); 2046 2047 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = 2048 ssl_use_srtp_xtn; 2049 } 2050 2051 return 4 + ext_data_len; 2052 } 2053 2054 /* Server side */ 2055 if (append && maxBytes >= 9) { 2056 /* Extension type */ 2057 rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2); 2058 if (rv != SECSuccess) return -1; 2059 /* Length of extension data */ 2060 rv = ssl3_AppendHandshakeNumber(ss, 5, 2); 2061 if (rv != SECSuccess) return -1; 2062 /* Length of the SRTP cipher list */ 2063 rv = ssl3_AppendHandshakeNumber(ss, 2, 2); 2064 if (rv != SECSuccess) return -1; 2065 /* The selected cipher */ 2066 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.dtlsSRTPCipherSuite, 2); 2067 if (rv != SECSuccess) return -1; 2068 /* Empty MKI value */ 2069 ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); 2070 } 2071 2072 return 9; 2073 } 2074 2075 static SECStatus 2076 ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data) 2077 { 2078 SECStatus rv; 2079 SECItem ciphers = {siBuffer, NULL, 0}; 2080 PRUint16 i; 2081 unsigned int j; 2082 PRUint16 cipher = 0; 2083 PRBool found = PR_FALSE; 2084 SECItem litem; 2085 2086 if (!ss->sec.isServer) { 2087 /* Client side */ 2088 if (!data->data || !data->len) { 2089 /* malformed */ 2090 return SECFailure; 2091 } 2092 2093 /* Get the cipher list */ 2094 rv = ssl3_ConsumeHandshakeVariable(ss, &ciphers, 2, 2095 &data->data, &data->len); 2096 if (rv != SECSuccess) { 2097 return SECFailure; 2098 } 2099 /* Now check that the number of ciphers listed is 1 (len = 2) */ 2100 if (ciphers.len != 2) { 2101 return SECFailure; 2102 } 2103 2104 /* Get the selected cipher */ 2105 cipher = (ciphers.data[0] << 8) | ciphers.data[1]; 2106 2107 /* Now check that this is one of the ciphers we offered */ 2108 for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) { 2109 if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) { 2110 found = PR_TRUE; 2111 break; 2112 } 2113 } 2114 2115 if (!found) { 2116 return SECFailure; 2117 } 2118 2119 /* Get the srtp_mki value */ 2120 rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 1, 2121 &data->data, &data->len); 2122 if (rv != SECSuccess) { 2123 return SECFailure; 2124 } 2125 2126 /* We didn't offer an MKI, so this must be 0 length */ 2127 /* XXX RFC 5764 Section 4.1.3 says: 2128 * If the client detects a nonzero-length MKI in the server's 2129 * response that is different than the one the client offered, 2130 * then the client MUST abort the handshake and SHOULD send an 2131 * invalid_parameter alert. 2132 * 2133 * Due to a limitation of the ssl3_HandleHelloExtensions function, 2134 * returning SECFailure here won't abort the handshake. It will 2135 * merely cause the use_srtp extension to be not negotiated. We 2136 * should fix this. See NSS bug 753136. 2137 */ 2138 if (litem.len != 0) { 2139 return SECFailure; 2140 } 2141 2142 if (data->len != 0) { 2143 /* malformed */ 2144 return SECFailure; 2145 } 2146 2147 /* OK, this looks fine. */ 2148 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn; 2149 ss->ssl3.dtlsSRTPCipherSuite = cipher; 2150 return SECSuccess; 2151 } 2152 2153 /* Server side */ 2154 if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) { 2155 /* Ignore the extension if we aren't doing DTLS or no DTLS-SRTP 2156 * preferences have been set. */ 2157 return SECSuccess; 2158 } 2159 2160 if (!data->data || data->len < 5) { 2161 /* malformed */ 2162 return SECFailure; 2163 } 2164 2165 /* Get the cipher list */ 2166 rv = ssl3_ConsumeHandshakeVariable(ss, &ciphers, 2, 2167 &data->data, &data->len); 2168 if (rv != SECSuccess) { 2169 return SECFailure; 2170 } 2171 /* Check that the list is even length */ 2172 if (ciphers.len % 2) { 2173 return SECFailure; 2174 } 2175 2176 /* Walk through the offered list and pick the most preferred of our 2177 * ciphers, if any */ 2178 for (i = 0; !found && i < ss->ssl3.dtlsSRTPCipherCount; i++) { 2179 for (j = 0; j + 1 < ciphers.len; j += 2) { 2180 cipher = (ciphers.data[j] << 8) | ciphers.data[j + 1]; 2181 if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) { 2182 found = PR_TRUE; 2183 break; 2184 } 2185 } 2186 } 2187 2188 /* Get the srtp_mki value */ 2189 rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 1, &data->data, &data->len); 2190 if (rv != SECSuccess) { 2191 return SECFailure; 2192 } 2193 2194 if (data->len != 0) { 2195 return SECFailure; /* Malformed */ 2196 } 2197 2198 /* Now figure out what to do */ 2199 if (!found) { 2200 /* No matching ciphers */ 2201 return SECSuccess; 2202 } 2203 2204 /* OK, we have a valid cipher and we've selected it */ 2205 ss->ssl3.dtlsSRTPCipherSuite = cipher; 2206 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn; 2207 2208 return ssl3_RegisterServerHelloExtensionSender(ss, ssl_use_srtp_xtn, 2209 ssl3_SendUseSRTPXtn); 2210 } 2211 2212 /* ssl3_ServerHandleSigAlgsXtn handles the signature_algorithms extension 2213 * from a client. 2214 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ 2215 static SECStatus 2216 ssl3_ServerHandleSigAlgsXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data) 2217 { 2218 SECStatus rv; 2219 SECItem algorithms; 2220 const unsigned char *b; 2221 unsigned int numAlgorithms, i; 2222 2223 /* Ignore this extension if we aren't doing TLS 1.2 or greater. */ 2224 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) { 2225 return SECSuccess; 2226 } 2227 2228 /* Keep track of negotiated extensions. */ 2229 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 2230 2231 rv = ssl3_ConsumeHandshakeVariable(ss, &algorithms, 2, &data->data, 2232 &data->len); 2233 if (rv != SECSuccess) { 2234 return SECFailure; 2235 } 2236 /* Trailing data, empty value, or odd-length value is invalid. */ 2237 if (data->len != 0 || algorithms.len == 0 || (algorithms.len & 1) != 0) { 2238 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); 2239 return SECFailure; 2240 } 2241 2242 numAlgorithms = algorithms.len/2; 2243 2244 /* We don't care to process excessive numbers of algorithms. */ 2245 if (numAlgorithms > 512) { 2246 numAlgorithms = 512; 2247 } 2248 2249 ss->ssl3.hs.clientSigAndHash = 2250 PORT_NewArray(SSL3SignatureAndHashAlgorithm, numAlgorithms); 2251 if (!ss->ssl3.hs.clientSigAndHash) { 2252 return SECFailure; 2253 } 2254 ss->ssl3.hs.numClientSigAndHash = 0; 2255 2256 b = algorithms.data; 2257 for (i = 0; i < numAlgorithms; i++) { 2258 unsigned char tls_hash = *(b++); 2259 unsigned char tls_sig = *(b++); 2260 SECOidTag hash = ssl3_TLSHashAlgorithmToOID(tls_hash); 2261 2262 if (hash == SEC_OID_UNKNOWN) { 2263 /* We ignore formats that we don't understand. */ 2264 continue; 2265 } 2266 /* tls_sig support will be checked later in 2267 * ssl3_PickSignatureHashAlgorithm. */ 2268 ss->ssl3.hs.clientSigAndHash[i].hashAlg = hash; 2269 ss->ssl3.hs.clientSigAndHash[i].sigAlg = tls_sig; 2270 ss->ssl3.hs.numClientSigAndHash++; 2271 } 2272 2273 if (!ss->ssl3.hs.numClientSigAndHash) { 2274 /* We didn't understand any of the client's requested signature 2275 * formats. We'll use the defaults. */ 2276 PORT_Free(ss->ssl3.hs.clientSigAndHash); 2277 ss->ssl3.hs.clientSigAndHash = NULL; 2278 } 2279 2280 return SECSuccess; 2281 } 2282 2283 /* ssl3_ClientSendSigAlgsXtn sends the signature_algorithm extension for TLS 2284 * 1.2 ClientHellos. */ 2285 static PRInt32 2286 ssl3_ClientSendSigAlgsXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes) 2287 { 2288 static const unsigned char signatureAlgorithms[] = { 2289 /* This block is the contents of our signature_algorithms extension, in 2290 * wire format. See 2291 * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ 2292 tls_hash_sha256, tls_sig_rsa, 2293 tls_hash_sha384, tls_sig_rsa, 2294 tls_hash_sha1, tls_sig_rsa, 2295 #ifdef NSS_ENABLE_ECC 2296 tls_hash_sha256, tls_sig_ecdsa, 2297 tls_hash_sha384, tls_sig_ecdsa, 2298 tls_hash_sha1, tls_sig_ecdsa, 2299 #endif 2300 tls_hash_sha256, tls_sig_dsa, 2301 tls_hash_sha1, tls_sig_dsa, 2302 }; 2303 PRInt32 extension_length; 2304 2305 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) { 2306 return 0; 2307 } 2308 2309 extension_length = 2310 2 /* extension type */ + 2311 2 /* extension length */ + 2312 2 /* supported_signature_algorithms length */ + 2313 sizeof(signatureAlgorithms); 2314 2315 if (append && maxBytes >= extension_length) { 2316 SECStatus rv; 2317 rv = ssl3_AppendHandshakeNumber(ss, ssl_signature_algorithms_xtn, 2); 2318 if (rv != SECSuccess) 2319 goto loser; 2320 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); 2321 if (rv != SECSuccess) 2322 goto loser; 2323 rv = ssl3_AppendHandshakeVariable(ss, signatureAlgorithms, 2324 sizeof(signatureAlgorithms), 2); 2325 if (rv != SECSuccess) 2326 goto loser; 2327 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = 2328 ssl_signature_algorithms_xtn; 2329 } else if (maxBytes < extension_length) { 2330 PORT_Assert(0); 2331 return 0; 2332 } 2333 2334 return extension_length; 2335 2336 loser: 2337 return -1; 2338 } 2339 2340 unsigned int 2341 ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength) 2342 { 2343 unsigned int recordLength = 1 /* handshake message type */ + 2344 3 /* handshake message length */ + 2345 clientHelloLength; 2346 unsigned int extensionLength; 2347 2348 if (recordLength < 256 || recordLength >= 512) { 2349 return 0; 2350 } 2351 2352 extensionLength = 512 - recordLength; 2353 /* Extensions take at least four bytes to encode. Always include at least 2354 * one byte of data if including the extension. WebSphere Application Server 2355 * 7.0 is intolerant to the last extension being zero-length. */ 2356 if (extensionLength < 4 + 1) { 2357 extensionLength = 4 + 1; 2358 } 2359 2360 return extensionLength; 2361 } 2362 2363 /* ssl3_AppendPaddingExtension possibly adds an extension which ensures that a 2364 * ClientHello record is either < 256 bytes or is >= 512 bytes. This ensures 2365 * that we don't trigger bugs in F5 products. */ 2366 PRInt32 2367 ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen, 2368 PRUint32 maxBytes) 2369 { 2370 unsigned int paddingLen = extensionLen - 4; 2371 static unsigned char padding[256]; 2372 2373 if (extensionLen == 0) { 2374 return 0; 2375 } 2376 2377 if (extensionLen < 4 || 2378 extensionLen > maxBytes || 2379 paddingLen > sizeof(padding)) { 2380 PORT_Assert(0); 2381 return -1; 2382 } 2383 2384 if (SECSuccess != ssl3_AppendHandshakeNumber(ss, ssl_padding_xtn, 2)) 2385 return -1; 2386 if (SECSuccess != ssl3_AppendHandshakeNumber(ss, paddingLen, 2)) 2387 return -1; 2388 if (SECSuccess != ssl3_AppendHandshake(ss, padding, paddingLen)) 2389 return -1; 2390 2391 return extensionLen; 2392 } 2393 2394 /* ssl3_ClientSendSignedCertTimestampXtn sends the signed_certificate_timestamp 2395 * extension for TLS ClientHellos. */ 2396 static PRInt32 2397 ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, PRBool append, 2398 PRUint32 maxBytes) 2399 { 2400 PRInt32 extension_length = 2 /* extension_type */ + 2401 2 /* length(extension_data) */; 2402 2403 /* Only send the extension if processing is enabled. */ 2404 if (!ss->opt.enableSignedCertTimestamps) 2405 return 0; 2406 2407 if (append && maxBytes >= extension_length) { 2408 SECStatus rv; 2409 /* extension_type */ 2410 rv = ssl3_AppendHandshakeNumber(ss, 2411 ssl_signed_certificate_timestamp_xtn, 2412 2); 2413 if (rv != SECSuccess) 2414 goto loser; 2415 /* zero length */ 2416 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); 2417 if (rv != SECSuccess) 2418 goto loser; 2419 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = 2420 ssl_signed_certificate_timestamp_xtn; 2421 } else if (maxBytes < extension_length) { 2422 PORT_Assert(0); 2423 return 0; 2424 } 2425 2426 return extension_length; 2427 loser: 2428 return -1; 2429 } 2430 2431 static SECStatus 2432 ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, PRUint16 ex_type, 2433 SECItem *data) 2434 { 2435 /* We do not yet know whether we'll be resuming a session or creating 2436 * a new one, so we keep a pointer to the data in the TLSExtensionData 2437 * structure. This pointer is only valid in the scope of 2438 * ssl3_HandleServerHello, and, if not resuming a session, the data is 2439 * copied once a new session structure has been set up. 2440 * All parsing is currently left to the application and we accept 2441 * everything, including empty data. 2442 */ 2443 SECItem *scts = &ss->xtnData.signedCertTimestamps; 2444 PORT_Assert(!scts->data && !scts->len); 2445 2446 if (!data->len) { 2447 /* Empty extension data: RFC 6962 mandates non-empty contents. */ 2448 return SECFailure; 2449 } 2450 *scts = *data; 2451 /* Keep track of negotiated extensions. */ 2452 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 2453 return SECSuccess; 2454 } 2455
