search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Revert "Merged all Chromoting Host code into remoting_core.dll (Windows)."
[chromium-blink-merge.git] / net / third_party / nss / ssl / ssl3ext.c
blob23bb44b2060463df2d7745c4bc1b4e924d25658e
1 /*
2 * SSL3 Protocol
3 *
4 * This Source Code Form is subject to the terms of the Mozilla Public
5 * License, v. 2.0. If a copy of the MPL was not distributed with this
6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7
8 /* TLS extension code moved here from ssl3ecc.c */
9 /* $Id: ssl3ext.c,v 1.28 2012/09/21 00:28:05 wtc%google.com Exp $ */
10
11 #include "nssrenam.h"
12 #include "nss.h"
13 #include "ssl.h"
14 #include "sslimpl.h"
15 #include "sslproto.h"
16 #include "pk11pub.h"
17 #ifdef NO_PKCS11_BYPASS
18 #include "blapit.h"
19 #else
20 #include "blapi.h"
21 #endif
22 #include "prinit.h"
23
24 static unsigned char key_name[SESS_TICKET_KEY_NAME_LEN];
25 static PK11SymKey *session_ticket_enc_key_pkcs11 = NULL;
26 static PK11SymKey *session_ticket_mac_key_pkcs11 = NULL;
27
28 #ifndef NO_PKCS11_BYPASS
29 static unsigned char session_ticket_enc_key[AES_256_KEY_LENGTH];
30 static unsigned char session_ticket_mac_key[SHA256_LENGTH];
31
32 static PRBool session_ticket_keys_initialized = PR_FALSE;
33 #endif
34 static PRCallOnceType generate_session_keys_once;
35
36 /* forward static function declarations */
37 static SECStatus ssl3_ParseEncryptedSessionTicket(sslSocket *ss,
38 SECItem *data, EncryptedSessionTicket *enc_session_ticket);
39 static SECStatus ssl3_AppendToItem(SECItem *item, const unsigned char *buf,
40 PRUint32 bytes);
41 static SECStatus ssl3_AppendNumberToItem(SECItem *item, PRUint32 num,
42 PRInt32 lenSize);
43 static SECStatus ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss,
44 PK11SymKey **aes_key, PK11SymKey **mac_key);
45 #ifndef NO_PKCS11_BYPASS
46 static SECStatus ssl3_GetSessionTicketKeys(const unsigned char **aes_key,
47 PRUint32 *aes_key_length, const unsigned char **mac_key,
48 PRUint32 *mac_key_length);
49 #endif
50 static PRInt32 ssl3_SendRenegotiationInfoXtn(sslSocket * ss,
51 PRBool append, PRUint32 maxBytes);
52 static SECStatus ssl3_HandleRenegotiationInfoXtn(sslSocket *ss,
53 PRUint16 ex_type, SECItem *data);
54 static SECStatus ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss,
55 PRUint16 ex_type, SECItem *data);
56 static SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss,
57 PRUint16 ex_type, SECItem *data);
58 static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append,
59 PRUint32 maxBytes);
60 static PRInt32 ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append,
61 PRUint32 maxBytes);
62 static SECStatus ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type,
63 SECItem *data);
64 static SECStatus ssl3_ClientHandleChannelIDXtn(sslSocket *ss,
65 PRUint16 ex_type, SECItem *data);
66 static PRInt32 ssl3_ClientSendChannelIDXtn(sslSocket *ss, PRBool append,
67 PRUint32 maxBytes);
68
69 /*
70 * Write bytes. Using this function means the SECItem structure
71 * cannot be freed. The caller is expected to call this function
72 * on a shallow copy of the structure.
73 */
74 static SECStatus
75 ssl3_AppendToItem(SECItem *item, const unsigned char *buf, PRUint32 bytes)
76 {
77 if (bytes > item->len)
78 return SECFailure;
79
80 PORT_Memcpy(item->data, buf, bytes);
81 item->data += bytes;
82 item->len -= bytes;
83 return SECSuccess;
84 }
85
86 /*
87 * Write a number in network byte order. Using this function means the
88 * SECItem structure cannot be freed. The caller is expected to call
89 * this function on a shallow copy of the structure.
90 */
91 static SECStatus
92 ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, PRInt32 lenSize)
93 {
94 SECStatus rv;
95 uint8 b[4];
96 uint8 * p = b;
97
98 switch (lenSize) {
99 case 4:
100 *p++ = (uint8) (num >> 24);
101 case 3:
102 *p++ = (uint8) (num >> 16);
103 case 2:
104 *p++ = (uint8) (num >> 8);
105 case 1:
106 *p = (uint8) num;
107 }
108 rv = ssl3_AppendToItem(item, &b[0], lenSize);
109 return rv;
110 }
111
112 static SECStatus ssl3_SessionTicketShutdown(void* appData, void* nssData)
113 {
114 if (session_ticket_enc_key_pkcs11) {
115 PK11_FreeSymKey(session_ticket_enc_key_pkcs11);
116 session_ticket_enc_key_pkcs11 = NULL;
117 }
118 if (session_ticket_mac_key_pkcs11) {
119 PK11_FreeSymKey(session_ticket_mac_key_pkcs11);
120 session_ticket_mac_key_pkcs11 = NULL;
121 }
122 PORT_Memset(&generate_session_keys_once, 0,
123 sizeof(generate_session_keys_once));
124 return SECSuccess;
125 }
126
127
128 static PRStatus
129 ssl3_GenerateSessionTicketKeysPKCS11(void *data)
130 {
131 SECStatus rv;
132 sslSocket *ss = (sslSocket *)data;
133 SECKEYPrivateKey *svrPrivKey = ss->serverCerts[kt_rsa].SERVERKEY;
134 SECKEYPublicKey *svrPubKey = ss->serverCerts[kt_rsa].serverKeyPair->pubKey;
135
136 if (svrPrivKey == NULL || svrPubKey == NULL) {
137 SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.",
138 SSL_GETPID(), ss->fd));
139 goto loser;
140 }
141
142 /* Get a copy of the session keys from shared memory. */
143 PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX,
144 sizeof(SESS_TICKET_KEY_NAME_PREFIX));
145 if (!ssl_GetSessionTicketKeysPKCS11(svrPrivKey, svrPubKey,
146 ss->pkcs11PinArg, &key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN],
147 &session_ticket_enc_key_pkcs11, &session_ticket_mac_key_pkcs11))
148 return PR_FAILURE;
149
150 rv = NSS_RegisterShutdown(ssl3_SessionTicketShutdown, NULL);
151 if (rv != SECSuccess)
152 goto loser;
153
154 return PR_SUCCESS;
155
156 loser:
157 ssl3_SessionTicketShutdown(NULL, NULL);
158 return PR_FAILURE;
159 }
160
161 static SECStatus
162 ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss, PK11SymKey **aes_key,
163 PK11SymKey **mac_key)
164 {
165 if (PR_CallOnceWithArg(&generate_session_keys_once,
166 ssl3_GenerateSessionTicketKeysPKCS11, ss) != PR_SUCCESS)
167 return SECFailure;
168
169 if (session_ticket_enc_key_pkcs11 == NULL ||
170 session_ticket_mac_key_pkcs11 == NULL)
171 return SECFailure;
172
173 *aes_key = session_ticket_enc_key_pkcs11;
174 *mac_key = session_ticket_mac_key_pkcs11;
175 return SECSuccess;
176 }
177
178 #ifndef NO_PKCS11_BYPASS
179 static PRStatus
180 ssl3_GenerateSessionTicketKeys(void)
181 {
182 PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX,
183 sizeof(SESS_TICKET_KEY_NAME_PREFIX));
184
185 if (!ssl_GetSessionTicketKeys(&key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN],
186 session_ticket_enc_key, session_ticket_mac_key))
187 return PR_FAILURE;
188
189 session_ticket_keys_initialized = PR_TRUE;
190 return PR_SUCCESS;
191 }
192
193 static SECStatus
194 ssl3_GetSessionTicketKeys(const unsigned char **aes_key,
195 PRUint32 *aes_key_length, const unsigned char **mac_key,
196 PRUint32 *mac_key_length)
197 {
198 if (PR_CallOnce(&generate_session_keys_once,
199 ssl3_GenerateSessionTicketKeys) != SECSuccess)
200 return SECFailure;
201
202 if (!session_ticket_keys_initialized)
203 return SECFailure;
204
205 *aes_key = session_ticket_enc_key;
206 *aes_key_length = sizeof(session_ticket_enc_key);
207 *mac_key = session_ticket_mac_key;
208 *mac_key_length = sizeof(session_ticket_mac_key);
209
210 return SECSuccess;
211 }
212 #endif
213
214 /* Table of handlers for received TLS hello extensions, one per extension.
215 * In the second generation, this table will be dynamic, and functions
216 * will be registered here.
217 */
218 /* This table is used by the server, to handle client hello extensions. */
219 static const ssl3HelloExtensionHandler clientHelloHandlers[] = {
220 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn },
221 #ifdef NSS_ENABLE_ECC
222 { ssl_elliptic_curves_xtn, &ssl3_HandleSupportedCurvesXtn },
223 { ssl_ec_point_formats_xtn, &ssl3_HandleSupportedPointFormatsXtn },
224 #endif
225 { ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn },
226 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
227 { ssl_next_proto_nego_xtn, &ssl3_ServerHandleNextProtoNegoXtn },
228 { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn },
229 { -1, NULL }
230 };
231
232 /* These two tables are used by the client, to handle server hello
233 * extensions. */
234 static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = {
235 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn },
236 /* TODO: add a handler for ssl_ec_point_formats_xtn */
237 { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn },
238 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
239 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn },
240 { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn },
241 { ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn },
242 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn },
243 { -1, NULL }
244 };
245
246 static const ssl3HelloExtensionHandler serverHelloHandlersSSL3[] = {
247 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
248 { -1, NULL }
249 };
250
251 /* Tables of functions to format TLS hello extensions, one function per
252 * extension.
253 * These static tables are for the formatting of client hello extensions.
254 * The server's table of hello senders is dynamic, in the socket struct,
255 * and sender functions are registered there.
256 */
257 static const
258 ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = {
259 { ssl_server_name_xtn, &ssl3_SendServerNameXtn },
260 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn },
261 #ifdef NSS_ENABLE_ECC
262 { ssl_elliptic_curves_xtn, &ssl3_SendSupportedCurvesXtn },
263 { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn },
264 #endif
265 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn },
266 { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn },
267 { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn },
268 { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn },
269 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }
270 /* any extra entries will appear as { 0, NULL } */
271 };
272
273 static const
274 ssl3HelloExtensionSender clientHelloSendersSSL3[SSL_MAX_EXTENSIONS] = {
275 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn }
276 /* any extra entries will appear as { 0, NULL } */
277 };
278
279 static PRBool
280 arrayContainsExtension(const PRUint16 *array, PRUint32 len, PRUint16 ex_type)
281 {
282 int i;
283 for (i = 0; i < len; i++) {
284 if (ex_type == array[i])
285 return PR_TRUE;
286 }
287 return PR_FALSE;
288 }
289
290 PRBool
291 ssl3_ExtensionNegotiated(sslSocket *ss, PRUint16 ex_type) {
292 TLSExtensionData *xtnData = &ss->xtnData;
293 return arrayContainsExtension(xtnData->negotiated,
294 xtnData->numNegotiated, ex_type);
295 }
296
297 static PRBool
298 ssl3_ClientExtensionAdvertised(sslSocket *ss, PRUint16 ex_type) {
299 TLSExtensionData *xtnData = &ss->xtnData;
300 return arrayContainsExtension(xtnData->advertised,
301 xtnData->numAdvertised, ex_type);
302 }
303
304 /* Format an SNI extension, using the name from the socket's URL,
305 * unless that name is a dotted decimal string.
306 * Used by client and server.
307 */
308 PRInt32
309 ssl3_SendServerNameXtn(sslSocket * ss, PRBool append,
310 PRUint32 maxBytes)
311 {
312 SECStatus rv;
313 if (!ss)
314 return 0;
315 if (!ss->sec.isServer) {
316 PRUint32 len;
317 PRNetAddr netAddr;
318
319 /* must have a hostname */
320 if (!ss->url || !ss->url[0])
321 return 0;
322 /* must not be an IPv4 or IPv6 address */
323 if (PR_SUCCESS == PR_StringToNetAddr(ss->url, &netAddr)) {
324 /* is an IP address (v4 or v6) */
325 return 0;
326 }
327 len = PORT_Strlen(ss->url);
328 if (append && maxBytes >= len + 9) {
329 /* extension_type */
330 rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2);
331 if (rv != SECSuccess) return -1;
332 /* length of extension_data */
333 rv = ssl3_AppendHandshakeNumber(ss, len + 5, 2);
334 if (rv != SECSuccess) return -1;
335 /* length of server_name_list */
336 rv = ssl3_AppendHandshakeNumber(ss, len + 3, 2);
337 if (rv != SECSuccess) return -1;
338 /* Name Type (sni_host_name) */
339 rv = ssl3_AppendHandshake(ss, "\0", 1);
340 if (rv != SECSuccess) return -1;
341 /* HostName (length and value) */
342 rv = ssl3_AppendHandshakeVariable(ss, (PRUint8 *)ss->url, len, 2);
343 if (rv != SECSuccess) return -1;
344 if (!ss->sec.isServer) {
345 TLSExtensionData *xtnData = &ss->xtnData;
346 xtnData->advertised[xtnData->numAdvertised++] =
347 ssl_server_name_xtn;
348 }
349 }
350 return len + 9;
351 }
352 /* Server side */
353 if (append && maxBytes >= 4) {
354 rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2);
355 if (rv != SECSuccess) return -1;
356 /* length of extension_data */
357 rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
358 if (rv != SECSuccess) return -1;
359 }
360 return 4;
361 }
362
363 /* handle an incoming SNI extension, by ignoring it. */
364 SECStatus
365 ssl3_HandleServerNameXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data)
366 {
367 SECItem *names = NULL;
368 PRUint32 listCount = 0, namesPos = 0, i;
369 TLSExtensionData *xtnData = &ss->xtnData;
370 SECItem ldata;
371 PRInt32 listLenBytes = 0;
372
373 if (!ss->sec.isServer) {
374 /* Verify extension_data is empty. */
375 if (data->data || data->len ||
376 !ssl3_ExtensionNegotiated(ss, ssl_server_name_xtn)) {
377 /* malformed or was not initiated by the client.*/
378 return SECFailure;
379 }
380 return SECSuccess;
381 }
382
383 /* Server side - consume client data and register server sender. */
384 /* do not parse the data if don't have user extension handling function. */
385 if (!ss->sniSocketConfig) {
386 return SECSuccess;
387 }
388 /* length of server_name_list */
389 listLenBytes = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
390 if (listLenBytes == 0 || listLenBytes != data->len) {
391 return SECFailure;
392 }
393 ldata = *data;
394 /* Calculate the size of the array.*/
395 while (listLenBytes > 0) {
396 SECItem litem;
397 SECStatus rv;
398 PRInt32 type;
399 /* Name Type (sni_host_name) */
400 type = ssl3_ConsumeHandshakeNumber(ss, 1, &ldata.data, &ldata.len);
401 if (!ldata.len) {
402 return SECFailure;
403 }
404 rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 2, &ldata.data, &ldata.len);
405 if (rv != SECSuccess) {
406 return SECFailure;
407 }
408 /* Adjust total length for cunsumed item, item len and type.*/
409 listLenBytes -= litem.len + 3;
410 if (listLenBytes > 0 && !ldata.len) {
411 return SECFailure;
412 }
413 listCount += 1;
414 }
415 if (!listCount) {
416 return SECFailure;
417 }
418 names = PORT_ZNewArray(SECItem, listCount);
419 if (!names) {
420 return SECFailure;
421 }
422 for (i = 0;i < listCount;i++) {
423 int j;
424 PRInt32 type;
425 SECStatus rv;
426 PRBool nametypePresent = PR_FALSE;
427 /* Name Type (sni_host_name) */
428 type = ssl3_ConsumeHandshakeNumber(ss, 1, &data->data, &data->len);
429 /* Check if we have such type in the list */
430 for (j = 0;j < listCount && names[j].data;j++) {
431 if (names[j].type == type) {
432 nametypePresent = PR_TRUE;
433 break;
434 }
435 }
436 /* HostName (length and value) */
437 rv = ssl3_ConsumeHandshakeVariable(ss, &names[namesPos], 2,
438 &data->data, &data->len);
439 if (rv != SECSuccess) {
440 goto loser;
441 }
442 if (nametypePresent == PR_FALSE) {
443 namesPos += 1;
444 }
445 }
446 /* Free old and set the new data. */
447 if (xtnData->sniNameArr) {
448 PORT_Free(ss->xtnData.sniNameArr);
449 }
450 xtnData->sniNameArr = names;
451 xtnData->sniNameArrSize = namesPos;
452 xtnData->negotiated[xtnData->numNegotiated++] = ssl_server_name_xtn;
453
454 return SECSuccess;
455
456 loser:
457 PORT_Free(names);
458 return SECFailure;
459 }
460
461 /* Called by both clients and servers.
462 * Clients sends a filled in session ticket if one is available, and otherwise
463 * sends an empty ticket. Servers always send empty tickets.
464 */
465 PRInt32
466 ssl3_SendSessionTicketXtn(
467 sslSocket * ss,
468 PRBool append,
469 PRUint32 maxBytes)
470 {
471 PRInt32 extension_length;
472 NewSessionTicket *session_ticket = NULL;
473
474 /* Ignore the SessionTicket extension if processing is disabled. */
475 if (!ss->opt.enableSessionTickets)
476 return 0;
477
478 /* Empty extension length = extension_type (2-bytes) +
479 * length(extension_data) (2-bytes)
480 */
481 extension_length = 4;
482
483 /* If we are a client then send a session ticket if one is availble.
484 * Servers that support the extension and are willing to negotiate the
485 * the extension always respond with an empty extension.
486 */
487 if (!ss->sec.isServer) {
488 sslSessionID *sid = ss->sec.ci.sid;
489 session_ticket = &sid->u.ssl3.sessionTicket;
490 if (session_ticket->ticket.data) {
491 if (ss->xtnData.ticketTimestampVerified) {
492 extension_length += session_ticket->ticket.len;
493 } else if (!append &&
494 (session_ticket->ticket_lifetime_hint == 0 ||
495 (session_ticket->ticket_lifetime_hint +
496 session_ticket->received_timestamp > ssl_Time()))) {
497 extension_length += session_ticket->ticket.len;
498 ss->xtnData.ticketTimestampVerified = PR_TRUE;
499 }
500 }
501 }
502
503 if (append && maxBytes >= extension_length) {
504 SECStatus rv;
505 /* extension_type */
506 rv = ssl3_AppendHandshakeNumber(ss, ssl_session_ticket_xtn, 2);
507 if (rv != SECSuccess)
508 goto loser;
509 if (session_ticket && session_ticket->ticket.data &&
510 ss->xtnData.ticketTimestampVerified) {
511 rv = ssl3_AppendHandshakeVariable(ss, session_ticket->ticket.data,
512 session_ticket->ticket.len, 2);
513 ss->xtnData.ticketTimestampVerified = PR_FALSE;
514 } else {
515 rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
516 }
517 if (rv != SECSuccess)
518 goto loser;
519
520 if (!ss->sec.isServer) {
521 TLSExtensionData *xtnData = &ss->xtnData;
522 xtnData->advertised[xtnData->numAdvertised++] =
523 ssl_session_ticket_xtn;
524 }
525 } else if (maxBytes < extension_length) {
526 PORT_Assert(0);
527 return 0;
528 }
529 return extension_length;
530
531 loser:
532 ss->xtnData.ticketTimestampVerified = PR_FALSE;
533 return -1;
534 }
535
536 /* handle an incoming Next Protocol Negotiation extension. */
537 static SECStatus
538 ssl3_ServerHandleNextProtoNegoXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data)
539 {
540 if (ss->firstHsDone || data->len != 0) {
541 /* Clients MUST send an empty NPN extension, if any. */
542 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
543 return SECFailure;
544 }
545
546 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
547
548 /* TODO: server side NPN support would require calling
549 * ssl3_RegisterServerHelloExtensionSender here in order to echo the
550 * extension back to the client. */
551
552 return SECSuccess;
553 }
554
555 /* ssl3_ValidateNextProtoNego checks that the given block of data is valid: none
556 * of the lengths may be 0 and the sum of the lengths must equal the length of
557 * the block. */
558 SECStatus
559 ssl3_ValidateNextProtoNego(const unsigned char* data, unsigned int length)
560 {
561 unsigned int offset = 0;
562
563 while (offset < length) {
564 unsigned int newOffset = offset + 1 + (unsigned int) data[offset];
565 /* Reject embedded nulls to protect against buggy applications that
566 * store protocol identifiers in null-terminated strings.
567 */
568 if (newOffset > length || data[offset] == 0) {
569 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
570 return SECFailure;
571 }
572 offset = newOffset;
573 }
574
575 if (offset > length) {
576 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
577 return SECFailure;
578 }
579
580 return SECSuccess;
581 }
582
583 static SECStatus
584 ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type,
585 SECItem *data)
586 {
587 SECStatus rv;
588 unsigned char resultBuffer[255];
589 SECItem result = { siBuffer, resultBuffer, 0 };
590
591 PORT_Assert(!ss->firstHsDone);
592
593 rv = ssl3_ValidateNextProtoNego(data->data, data->len);
594 if (rv != SECSuccess)
595 return rv;
596
597 /* ss->nextProtoCallback cannot normally be NULL if we negotiated the
598 * extension. However, It is possible that an application erroneously
599 * cleared the callback between the time we sent the ClientHello and now.
600 */
601 PORT_Assert(ss->nextProtoCallback != NULL);
602 if (!ss->nextProtoCallback) {
603 /* XXX Use a better error code. This is an application error, not an
604 * NSS bug. */
605 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
606 return SECFailure;
607 }
608
609 rv = ss->nextProtoCallback(ss->nextProtoArg, ss->fd, data->data, data->len,
610 result.data, &result.len, sizeof resultBuffer);
611 if (rv != SECSuccess)
612 return rv;
613 /* If the callback wrote more than allowed to |result| it has corrupted our
614 * stack. */
615 if (result.len > sizeof resultBuffer) {
616 PORT_SetError(SEC_ERROR_OUTPUT_LEN);
617 return SECFailure;
618 }
619
620 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
621
622 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
623 return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &result);
624 }
625
626 static PRInt32
627 ssl3_ClientSendNextProtoNegoXtn(sslSocket * ss, PRBool append,
628 PRUint32 maxBytes)
629 {
630 PRInt32 extension_length;
631
632 /* Renegotiations do not send this extension. */
633 if (!ss->nextProtoCallback || ss->firstHsDone) {
634 return 0;
635 }
636
637 extension_length = 4;
638
639 if (append && maxBytes >= extension_length) {
640 SECStatus rv;
641 rv = ssl3_AppendHandshakeNumber(ss, ssl_next_proto_nego_xtn, 2);
642 if (rv != SECSuccess)
643 goto loser;
644 rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
645 if (rv != SECSuccess)
646 goto loser;
647 ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
648 ssl_next_proto_nego_xtn;
649 } else if (maxBytes < extension_length) {
650 return 0;
651 }
652
653 return extension_length;
654
655 loser:
656 return -1;
657 }
658
659 static SECStatus
660 ssl3_ClientHandleChannelIDXtn(sslSocket *ss, PRUint16 ex_type,
661 SECItem *data)
662 {
663 PORT_Assert(ss->getChannelID != NULL);
664
665 if (data->len) {
666 PORT_SetError(SSL_ERROR_BAD_CHANNEL_ID_DATA);
667 return SECFailure;
668 }
669 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
670 return SECSuccess;
671 }
672
673 static PRInt32
674 ssl3_ClientSendChannelIDXtn(sslSocket * ss, PRBool append,
675 PRUint32 maxBytes)
676 {
677 PRInt32 extension_length = 4;
678
679 if (!ss->getChannelID)
680 return 0;
681
682 if (maxBytes < extension_length) {
683 PORT_Assert(0);
684 return 0;
685 }
686
687 if (append) {
688 SECStatus rv;
689 rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2);
690 if (rv != SECSuccess)
691 goto loser;
692 rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
693 if (rv != SECSuccess)
694 goto loser;
695 ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
696 ssl_channel_id_xtn;
697 }
698
699 return extension_length;
700
701 loser:
702 return -1;
703 }
704
705 SECStatus
706 ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type,
707 SECItem *data)
708 {
709 /* If we didn't request this extension, then the server may not echo it. */
710 if (!ss->opt.enableOCSPStapling)
711 return SECFailure;
712
713 /* The echoed extension must be empty. */
714 if (data->len != 0)
715 return SECFailure;
716
717 ss->ssl3.hs.may_get_cert_status = PR_TRUE;
718
719 /* Keep track of negotiated extensions. */
720 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
721
722 return SECSuccess;
723 }
724
725 /* ssl3_ClientSendStatusRequestXtn builds the status_request extension on the
726 * client side. See RFC 4366 section 3.6. */
727 PRInt32
728 ssl3_ClientSendStatusRequestXtn(sslSocket * ss, PRBool append,
729 PRUint32 maxBytes)
730 {
731 PRInt32 extension_length;
732
733 if (!ss->opt.enableOCSPStapling)
734 return 0;
735
736 /* extension_type (2-bytes) +
737 * length(extension_data) (2-bytes) +
738 * status_type (1) +
739 * responder_id_list length (2) +
740 * request_extensions length (2)
741 */
742 extension_length = 9;
743
744 if (append && maxBytes >= extension_length) {
745 SECStatus rv;
746 TLSExtensionData *xtnData;
747
748 /* extension_type */
749 rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2);
750 if (rv != SECSuccess)
751 return -1;
752 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2);
753 if (rv != SECSuccess)
754 return -1;
755 rv = ssl3_AppendHandshakeNumber(ss, 1 /* status_type ocsp */, 1);
756 if (rv != SECSuccess)
757 return -1;
758 /* A zero length responder_id_list means that the responders are
759 * implicitly known to the server. */
760 rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
761 if (rv != SECSuccess)
762 return -1;
763 /* A zero length request_extensions means that there are no extensions.
764 * Specifically, we don't set the id-pkix-ocsp-nonce extension. This
765 * means that the server can replay a cached OCSP response to us. */
766 rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
767 if (rv != SECSuccess)
768 return -1;
769
770 xtnData = &ss->xtnData;
771 xtnData->advertised[xtnData->numAdvertised++] = ssl_cert_status_xtn;
772 } else if (maxBytes < extension_length) {
773 PORT_Assert(0);
774 return 0;
775 }
776 return extension_length;
777 }
778
779 /*
780 * NewSessionTicket
781 * Called from ssl3_HandleFinished
782 */
783 SECStatus
784 ssl3_SendNewSessionTicket(sslSocket *ss)
785 {
786 int i;
787 SECStatus rv;
788 NewSessionTicket ticket;
789 SECItem plaintext;
790 SECItem plaintext_item = {0, NULL, 0};
791 SECItem ciphertext = {0, NULL, 0};
792 PRUint32 ciphertext_length;
793 PRBool ms_is_wrapped;
794 unsigned char wrapped_ms[SSL3_MASTER_SECRET_LENGTH];
795 SECItem ms_item = {0, NULL, 0};
796 SSL3KEAType effectiveExchKeyType = ssl_kea_null;
797 PRUint32 padding_length;
798 PRUint32 message_length;
799 PRUint32 cert_length;
800 uint8 length_buf[4];
801 PRUint32 now;
802 PK11SymKey *aes_key_pkcs11;
803 PK11SymKey *mac_key_pkcs11;
804 #ifndef NO_PKCS11_BYPASS
805 const unsigned char *aes_key;
806 const unsigned char *mac_key;
807 PRUint32 aes_key_length;
808 PRUint32 mac_key_length;
809 PRUint64 aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS];
810 AESContext *aes_ctx;
811 const SECHashObject *hashObj = NULL;
812 PRUint64 hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS];
813 HMACContext *hmac_ctx;
814 #endif
815 CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC;
816 PK11Context *aes_ctx_pkcs11;
817 CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC;
818 PK11Context *hmac_ctx_pkcs11;
819 unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH];
820 unsigned int computed_mac_length;
821 unsigned char iv[AES_BLOCK_SIZE];
822 SECItem ivItem;
823 SECItem *srvName = NULL;
824 PRUint32 srvNameLen = 0;
825 CK_MECHANISM_TYPE msWrapMech = 0; /* dummy default value,
826 * must be >= 0 */
827
828 SSL_TRC(3, ("%d: SSL3[%d]: send session_ticket handshake",
829 SSL_GETPID(), ss->fd));
830
831 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
832 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
833
834 ticket.ticket_lifetime_hint = TLS_EX_SESS_TICKET_LIFETIME_HINT;
835 cert_length = (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) ?
836 3 + ss->sec.ci.sid->peerCert->derCert.len : 0;
837
838 /* Get IV and encryption keys */
839 ivItem.data = iv;
840 ivItem.len = sizeof(iv);
841 rv = PK11_GenerateRandom(iv, sizeof(iv));
842 if (rv != SECSuccess) goto loser;
843
844 #ifndef NO_PKCS11_BYPASS
845 if (ss->opt.bypassPKCS11) {
846 rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length,
847 &mac_key, &mac_key_length);
848 } else
849 #endif
850 {
851 rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11,
852 &mac_key_pkcs11);
853 }
854 if (rv != SECSuccess) goto loser;
855
856 if (ss->ssl3.pwSpec->msItem.len && ss->ssl3.pwSpec->msItem.data) {
857 /* The master secret is available unwrapped. */
858 ms_item.data = ss->ssl3.pwSpec->msItem.data;
859 ms_item.len = ss->ssl3.pwSpec->msItem.len;
860 ms_is_wrapped = PR_FALSE;
861 } else {
862 /* Extract the master secret wrapped. */
863 sslSessionID sid;
864 PORT_Memset(&sid, 0, sizeof(sslSessionID));
865
866 if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) {
867 effectiveExchKeyType = kt_rsa;
868 } else {
869 effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType;
870 }
871
872 rv = ssl3_CacheWrappedMasterSecret(ss, &sid, ss->ssl3.pwSpec,
873 effectiveExchKeyType);
874 if (rv == SECSuccess) {
875 if (sid.u.ssl3.keys.wrapped_master_secret_len > sizeof(wrapped_ms))
876 goto loser;
877 memcpy(wrapped_ms, sid.u.ssl3.keys.wrapped_master_secret,
878 sid.u.ssl3.keys.wrapped_master_secret_len);
879 ms_item.data = wrapped_ms;
880 ms_item.len = sid.u.ssl3.keys.wrapped_master_secret_len;
881 msWrapMech = sid.u.ssl3.masterWrapMech;
882 } else {
883 /* TODO: else send an empty ticket. */
884 goto loser;
885 }
886 ms_is_wrapped = PR_TRUE;
887 }
888 /* Prep to send negotiated name */
889 srvName = &ss->ssl3.pwSpec->srvVirtName;
890 if (srvName->data && srvName->len) {
891 srvNameLen = 2 + srvName->len; /* len bytes + name len */
892 }
893
894 ciphertext_length =
895 sizeof(PRUint16) /* ticket_version */
896 + sizeof(SSL3ProtocolVersion) /* ssl_version */
897 + sizeof(ssl3CipherSuite) /* ciphersuite */
898 + 1 /* compression */
899 + 10 /* cipher spec parameters */
900 + 1 /* SessionTicket.ms_is_wrapped */
901 + 1 /* effectiveExchKeyType */
902 + 4 /* msWrapMech */
903 + 2 /* master_secret.length */
904 + ms_item.len /* master_secret */
905 + 1 /* client_auth_type */
906 + cert_length /* cert */
907 + 1 /* server name type */
908 + srvNameLen /* name len + length field */
909 + sizeof(ticket.ticket_lifetime_hint);
910 padding_length = AES_BLOCK_SIZE -
911 (ciphertext_length % AES_BLOCK_SIZE);
912 ciphertext_length += padding_length;
913
914 message_length =
915 sizeof(ticket.ticket_lifetime_hint) /* ticket_lifetime_hint */
916 + 2 /* length field for NewSessionTicket.ticket */
917 + SESS_TICKET_KEY_NAME_LEN /* key_name */
918 + AES_BLOCK_SIZE /* iv */
919 + 2 /* length field for NewSessionTicket.ticket.encrypted_state */
920 + ciphertext_length /* encrypted_state */
921 + TLS_EX_SESS_TICKET_MAC_LENGTH; /* mac */
922
923 if (SECITEM_AllocItem(NULL, &plaintext_item, ciphertext_length) == NULL)
924 goto loser;
925
926 plaintext = plaintext_item;
927
928 /* ticket_version */
929 rv = ssl3_AppendNumberToItem(&plaintext, TLS_EX_SESS_TICKET_VERSION,
930 sizeof(PRUint16));
931 if (rv != SECSuccess) goto loser;
932
933 /* ssl_version */
934 rv = ssl3_AppendNumberToItem(&plaintext, ss->version,
935 sizeof(SSL3ProtocolVersion));
936 if (rv != SECSuccess) goto loser;
937
938 /* ciphersuite */
939 rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.cipher_suite,
940 sizeof(ssl3CipherSuite));
941 if (rv != SECSuccess) goto loser;
942
943 /* compression */
944 rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.compression, 1);
945 if (rv != SECSuccess) goto loser;
946
947 /* cipher spec parameters */
948 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authAlgorithm, 1);
949 if (rv != SECSuccess) goto loser;
950 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authKeyBits, 4);
951 if (rv != SECSuccess) goto loser;
952 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaType, 1);
953 if (rv != SECSuccess) goto loser;
954 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaKeyBits, 4);
955 if (rv != SECSuccess) goto loser;
956
957 /* master_secret */
958 rv = ssl3_AppendNumberToItem(&plaintext, ms_is_wrapped, 1);
959 if (rv != SECSuccess) goto loser;
960 rv = ssl3_AppendNumberToItem(&plaintext, effectiveExchKeyType, 1);
961 if (rv != SECSuccess) goto loser;
962 rv = ssl3_AppendNumberToItem(&plaintext, msWrapMech, 4);
963 if (rv != SECSuccess) goto loser;
964 rv = ssl3_AppendNumberToItem(&plaintext, ms_item.len, 2);
965 if (rv != SECSuccess) goto loser;
966 rv = ssl3_AppendToItem(&plaintext, ms_item.data, ms_item.len);
967 if (rv != SECSuccess) goto loser;
968
969 /* client_identity */
970 if (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) {
971 rv = ssl3_AppendNumberToItem(&plaintext, CLIENT_AUTH_CERTIFICATE, 1);
972 if (rv != SECSuccess) goto loser;
973 rv = ssl3_AppendNumberToItem(&plaintext,
974 ss->sec.ci.sid->peerCert->derCert.len, 3);
975 if (rv != SECSuccess) goto loser;
976 rv = ssl3_AppendToItem(&plaintext,
977 ss->sec.ci.sid->peerCert->derCert.data,
978 ss->sec.ci.sid->peerCert->derCert.len);
979 if (rv != SECSuccess) goto loser;
980 } else {
981 rv = ssl3_AppendNumberToItem(&plaintext, 0, 1);
982 if (rv != SECSuccess) goto loser;
983 }
984
985 /* timestamp */
986 now = ssl_Time();
987 rv = ssl3_AppendNumberToItem(&plaintext, now,
988 sizeof(ticket.ticket_lifetime_hint));
989 if (rv != SECSuccess) goto loser;
990
991 if (srvNameLen) {
992 /* Name Type (sni_host_name) */
993 rv = ssl3_AppendNumberToItem(&plaintext, srvName->type, 1);
994 if (rv != SECSuccess) goto loser;
995 /* HostName (length and value) */
996 rv = ssl3_AppendNumberToItem(&plaintext, srvName->len, 2);
997 if (rv != SECSuccess) goto loser;
998 rv = ssl3_AppendToItem(&plaintext, srvName->data, srvName->len);
999 if (rv != SECSuccess) goto loser;
1000 } else {
1001 /* No Name */
1002 rv = ssl3_AppendNumberToItem(&plaintext, (char)TLS_STE_NO_SERVER_NAME,
1003 1);
1004 if (rv != SECSuccess) goto loser;
1005 }
1006
1007 PORT_Assert(plaintext.len == padding_length);
1008 for (i = 0; i < padding_length; i++)
1009 plaintext.data[i] = (unsigned char)padding_length;
1010
1011 if (SECITEM_AllocItem(NULL, &ciphertext, ciphertext_length) == NULL) {
1012 rv = SECFailure;
1013 goto loser;
1014 }
1015
1016 /* Generate encrypted portion of ticket. */
1017 #ifndef NO_PKCS11_BYPASS
1018 if (ss->opt.bypassPKCS11) {
1019 aes_ctx = (AESContext *)aes_ctx_buf;
1020 rv = AES_InitContext(aes_ctx, aes_key, aes_key_length, iv,
1021 NSS_AES_CBC, 1, AES_BLOCK_SIZE);
1022 if (rv != SECSuccess) goto loser;
1023
1024 rv = AES_Encrypt(aes_ctx, ciphertext.data, &ciphertext.len,
1025 ciphertext.len, plaintext_item.data,
1026 plaintext_item.len);
1027 if (rv != SECSuccess) goto loser;
1028 } else
1029 #endif
1030 {
1031 aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech,
1032 CKA_ENCRYPT, aes_key_pkcs11, &ivItem);
1033 if (!aes_ctx_pkcs11)
1034 goto loser;
1035
1036 rv = PK11_CipherOp(aes_ctx_pkcs11, ciphertext.data,
1037 (int *)&ciphertext.len, ciphertext.len,
1038 plaintext_item.data, plaintext_item.len);
1039 PK11_Finalize(aes_ctx_pkcs11);
1040 PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE);
1041 if (rv != SECSuccess) goto loser;
1042 }
1043
1044 /* Convert ciphertext length to network order. */
1045 length_buf[0] = (ciphertext.len >> 8) & 0xff;
1046 length_buf[1] = (ciphertext.len ) & 0xff;
1047
1048 /* Compute MAC. */
1049 #ifndef NO_PKCS11_BYPASS
1050 if (ss->opt.bypassPKCS11) {
1051 hmac_ctx = (HMACContext *)hmac_ctx_buf;
1052 hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
1053 if (HMAC_Init(hmac_ctx, hashObj, mac_key,
1054 mac_key_length, PR_FALSE) != SECSuccess)
1055 goto loser;
1056
1057 HMAC_Begin(hmac_ctx);
1058 HMAC_Update(hmac_ctx, key_name, SESS_TICKET_KEY_NAME_LEN);
1059 HMAC_Update(hmac_ctx, iv, sizeof(iv));
1060 HMAC_Update(hmac_ctx, (unsigned char *)length_buf, 2);
1061 HMAC_Update(hmac_ctx, ciphertext.data, ciphertext.len);
1062 HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length,
1063 sizeof(computed_mac));
1064 } else
1065 #endif
1066 {
1067 SECItem macParam;
1068 macParam.data = NULL;
1069 macParam.len = 0;
1070 hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech,
1071 CKA_SIGN, mac_key_pkcs11, &macParam);
1072 if (!hmac_ctx_pkcs11)
1073 goto loser;
1074
1075 rv = PK11_DigestBegin(hmac_ctx_pkcs11);
1076 rv = PK11_DigestOp(hmac_ctx_pkcs11, key_name,
1077 SESS_TICKET_KEY_NAME_LEN);
1078 rv = PK11_DigestOp(hmac_ctx_pkcs11, iv, sizeof(iv));
1079 rv = PK11_DigestOp(hmac_ctx_pkcs11, (unsigned char *)length_buf, 2);
1080 rv = PK11_DigestOp(hmac_ctx_pkcs11, ciphertext.data, ciphertext.len);
1081 rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac,
1082 &computed_mac_length, sizeof(computed_mac));
1083 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE);
1084 if (rv != SECSuccess) goto loser;
1085 }
1086
1087 /* Serialize the handshake message. */
1088 rv = ssl3_AppendHandshakeHeader(ss, new_session_ticket, message_length);
1089 if (rv != SECSuccess) goto loser;
1090
1091 rv = ssl3_AppendHandshakeNumber(ss, ticket.ticket_lifetime_hint,
1092 sizeof(ticket.ticket_lifetime_hint));
1093 if (rv != SECSuccess) goto loser;
1094
1095 rv = ssl3_AppendHandshakeNumber(ss,
1096 message_length - sizeof(ticket.ticket_lifetime_hint) - 2, 2);
1097 if (rv != SECSuccess) goto loser;
1098
1099 rv = ssl3_AppendHandshake(ss, key_name, SESS_TICKET_KEY_NAME_LEN);
1100 if (rv != SECSuccess) goto loser;
1101
1102 rv = ssl3_AppendHandshake(ss, iv, sizeof(iv));
1103 if (rv != SECSuccess) goto loser;
1104
1105 rv = ssl3_AppendHandshakeVariable(ss, ciphertext.data, ciphertext.len, 2);
1106 if (rv != SECSuccess) goto loser;
1107
1108 rv = ssl3_AppendHandshake(ss, computed_mac, computed_mac_length);
1109 if (rv != SECSuccess) goto loser;
1110
1111 loser:
1112 if (plaintext_item.data)
1113 SECITEM_FreeItem(&plaintext_item, PR_FALSE);
1114 if (ciphertext.data)
1115 SECITEM_FreeItem(&ciphertext, PR_FALSE);
1116
1117 return rv;
1118 }
1119
1120 /* When a client receives a SessionTicket extension a NewSessionTicket
1121 * message is expected during the handshake.
1122 */
1123 SECStatus
1124 ssl3_ClientHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
1125 SECItem *data)
1126 {
1127 if (data->len != 0)
1128 return SECFailure;
1129
1130 /* Keep track of negotiated extensions. */
1131 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
1132 return SECSuccess;
1133 }
1134
1135 SECStatus
1136 ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
1137 SECItem *data)
1138 {
1139 SECStatus rv;
1140 SECItem *decrypted_state = NULL;
1141 SessionTicket *parsed_session_ticket = NULL;
1142 sslSessionID *sid = NULL;
1143 SSL3Statistics *ssl3stats;
1144
1145 /* Ignore the SessionTicket extension if processing is disabled. */
1146 if (!ss->opt.enableSessionTickets)
1147 return SECSuccess;
1148
1149 /* Keep track of negotiated extensions. */
1150 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
1151
1152 /* Parse the received ticket sent in by the client. We are
1153 * lenient about some parse errors, falling back to a fullshake
1154 * instead of terminating the current connection.
1155 */
1156 if (data->len == 0) {
1157 ss->xtnData.emptySessionTicket = PR_TRUE;
1158 } else {
1159 int i;
1160 SECItem extension_data;
1161 EncryptedSessionTicket enc_session_ticket;
1162 unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH];
1163 unsigned int computed_mac_length;
1164 #ifndef NO_PKCS11_BYPASS
1165 const SECHashObject *hashObj;
1166 const unsigned char *aes_key;
1167 const unsigned char *mac_key;
1168 PRUint32 aes_key_length;
1169 PRUint32 mac_key_length;
1170 PRUint64 hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS];
1171 HMACContext *hmac_ctx;
1172 PRUint64 aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS];
1173 AESContext *aes_ctx;
1174 #endif
1175 PK11SymKey *aes_key_pkcs11;
1176 PK11SymKey *mac_key_pkcs11;
1177 PK11Context *hmac_ctx_pkcs11;
1178 CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC;
1179 PK11Context *aes_ctx_pkcs11;
1180 CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC;
1181 unsigned char * padding;
1182 PRUint32 padding_length;
1183 unsigned char *buffer;
1184 unsigned int buffer_len;
1185 PRInt32 temp;
1186 SECItem cert_item;
1187 PRInt8 nameType = TLS_STE_NO_SERVER_NAME;
1188
1189 /* Turn off stateless session resumption if the client sends a
1190 * SessionTicket extension, even if the extension turns out to be
1191 * malformed (ss->sec.ci.sid is non-NULL when doing session
1192 * renegotiation.)
1193 */
1194 if (ss->sec.ci.sid != NULL) {
1195 if (ss->sec.uncache)
1196 ss->sec.uncache(ss->sec.ci.sid);
1197 ssl_FreeSID(ss->sec.ci.sid);
1198 ss->sec.ci.sid = NULL;
1199 }
1200
1201 extension_data.data = data->data; /* Keep a copy for future use. */
1202 extension_data.len = data->len;
1203
1204 if (ssl3_ParseEncryptedSessionTicket(ss, data, &enc_session_ticket)
1205 != SECSuccess)
1206 return SECFailure;
1207
1208 /* Get session ticket keys. */
1209 #ifndef NO_PKCS11_BYPASS
1210 if (ss->opt.bypassPKCS11) {
1211 rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length,
1212 &mac_key, &mac_key_length);
1213 } else
1214 #endif
1215 {
1216 rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11,
1217 &mac_key_pkcs11);
1218 }
1219 if (rv != SECSuccess) {
1220 SSL_DBG(("%d: SSL[%d]: Unable to get/generate session ticket keys.",
1221 SSL_GETPID(), ss->fd));
1222 goto loser;
1223 }
1224
1225 /* If the ticket sent by the client was generated under a key different
1226 * from the one we have, bypass ticket processing.
1227 */
1228 if (PORT_Memcmp(enc_session_ticket.key_name, key_name,
1229 SESS_TICKET_KEY_NAME_LEN) != 0) {
1230 SSL_DBG(("%d: SSL[%d]: Session ticket key_name sent mismatch.",
1231 SSL_GETPID(), ss->fd));
1232 goto no_ticket;
1233 }
1234
1235 /* Verify the MAC on the ticket. MAC verification may also
1236 * fail if the MAC key has been recently refreshed.
1237 */
1238 #ifndef NO_PKCS11_BYPASS
1239 if (ss->opt.bypassPKCS11) {
1240 hmac_ctx = (HMACContext *)hmac_ctx_buf;
1241 hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
1242 if (HMAC_Init(hmac_ctx, hashObj, mac_key,
1243 sizeof(session_ticket_mac_key), PR_FALSE) != SECSuccess)
1244 goto no_ticket;
1245 HMAC_Begin(hmac_ctx);
1246 HMAC_Update(hmac_ctx, extension_data.data,
1247 extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH);
1248 if (HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length,
1249 sizeof(computed_mac)) != SECSuccess)
1250 goto no_ticket;
1251 } else
1252 #endif
1253 {
1254 SECItem macParam;
1255 macParam.data = NULL;
1256 macParam.len = 0;
1257 hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech,
1258 CKA_SIGN, mac_key_pkcs11, &macParam);
1259 if (!hmac_ctx_pkcs11) {
1260 SSL_DBG(("%d: SSL[%d]: Unable to create HMAC context: %d.",
1261 SSL_GETPID(), ss->fd, PORT_GetError()));
1262 goto no_ticket;
1263 } else {
1264 SSL_DBG(("%d: SSL[%d]: Successfully created HMAC context.",
1265 SSL_GETPID(), ss->fd));
1266 }
1267 rv = PK11_DigestBegin(hmac_ctx_pkcs11);
1268 rv = PK11_DigestOp(hmac_ctx_pkcs11, extension_data.data,
1269 extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH);
1270 if (rv != SECSuccess) {
1271 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE);
1272 goto no_ticket;
1273 }
1274 rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac,
1275 &computed_mac_length, sizeof(computed_mac));
1276 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE);
1277 if (rv != SECSuccess)
1278 goto no_ticket;
1279 }
1280 if (NSS_SecureMemcmp(computed_mac, enc_session_ticket.mac,
1281 computed_mac_length) != 0) {
1282 SSL_DBG(("%d: SSL[%d]: Session ticket MAC mismatch.",
1283 SSL_GETPID(), ss->fd));
1284 goto no_ticket;
1285 }
1286
1287 /* We ignore key_name for now.
1288 * This is ok as MAC verification succeeded.
1289 */
1290
1291 /* Decrypt the ticket. */
1292
1293 /* Plaintext is shorter than the ciphertext due to padding. */
1294 decrypted_state = SECITEM_AllocItem(NULL, NULL,
1295 enc_session_ticket.encrypted_state.len);
1296
1297 #ifndef NO_PKCS11_BYPASS
1298 if (ss->opt.bypassPKCS11) {
1299 aes_ctx = (AESContext *)aes_ctx_buf;
1300 rv = AES_InitContext(aes_ctx, aes_key,
1301 sizeof(session_ticket_enc_key), enc_session_ticket.iv,
1302 NSS_AES_CBC, 0,AES_BLOCK_SIZE);
1303 if (rv != SECSuccess) {
1304 SSL_DBG(("%d: SSL[%d]: Unable to create AES context.",
1305 SSL_GETPID(), ss->fd));
1306 goto no_ticket;
1307 }
1308
1309 rv = AES_Decrypt(aes_ctx, decrypted_state->data,
1310 &decrypted_state->len, decrypted_state->len,
1311 enc_session_ticket.encrypted_state.data,
1312 enc_session_ticket.encrypted_state.len);
1313 if (rv != SECSuccess)
1314 goto no_ticket;
1315 } else
1316 #endif
1317 {
1318 SECItem ivItem;
1319 ivItem.data = enc_session_ticket.iv;
1320 ivItem.len = AES_BLOCK_SIZE;
1321 aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech,
1322 CKA_DECRYPT, aes_key_pkcs11, &ivItem);
1323 if (!aes_ctx_pkcs11) {
1324 SSL_DBG(("%d: SSL[%d]: Unable to create AES context.",
1325 SSL_GETPID(), ss->fd));
1326 goto no_ticket;
1327 }
1328
1329 rv = PK11_CipherOp(aes_ctx_pkcs11, decrypted_state->data,
1330 (int *)&decrypted_state->len, decrypted_state->len,
1331 enc_session_ticket.encrypted_state.data,
1332 enc_session_ticket.encrypted_state.len);
1333 PK11_Finalize(aes_ctx_pkcs11);
1334 PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE);
1335 if (rv != SECSuccess)
1336 goto no_ticket;
1337 }
1338
1339 /* Check padding. */
1340 padding_length =
1341 (PRUint32)decrypted_state->data[decrypted_state->len - 1];
1342 if (padding_length == 0 || padding_length > AES_BLOCK_SIZE)
1343 goto no_ticket;
1344
1345 padding = &decrypted_state->data[decrypted_state->len - padding_length];
1346 for (i = 0; i < padding_length; i++, padding++) {
1347 if (padding_length != (PRUint32)*padding)
1348 goto no_ticket;
1349 }
1350
1351 /* Deserialize session state. */
1352 buffer = decrypted_state->data;
1353 buffer_len = decrypted_state->len;
1354
1355 parsed_session_ticket = PORT_ZAlloc(sizeof(SessionTicket));
1356 if (parsed_session_ticket == NULL) {
1357 rv = SECFailure;
1358 goto loser;
1359 }
1360
1361 /* Read ticket_version (which is ignored for now.) */
1362 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
1363 if (temp < 0) goto no_ticket;
1364 parsed_session_ticket->ticket_version = (SSL3ProtocolVersion)temp;
1365
1366 /* Read SSLVersion. */
1367 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
1368 if (temp < 0) goto no_ticket;
1369 parsed_session_ticket->ssl_version = (SSL3ProtocolVersion)temp;
1370
1371 /* Read cipher_suite. */
1372 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
1373 if (temp < 0) goto no_ticket;
1374 parsed_session_ticket->cipher_suite = (ssl3CipherSuite)temp;
1375
1376 /* Read compression_method. */
1377 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
1378 if (temp < 0) goto no_ticket;
1379 parsed_session_ticket->compression_method = (SSLCompressionMethod)temp;
1380
1381 /* Read cipher spec parameters. */
1382 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
1383 if (temp < 0) goto no_ticket;
1384 parsed_session_ticket->authAlgorithm = (SSLSignType)temp;
1385 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
1386 if (temp < 0) goto no_ticket;
1387 parsed_session_ticket->authKeyBits = (PRUint32)temp;
1388 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
1389 if (temp < 0) goto no_ticket;
1390 parsed_session_ticket->keaType = (SSLKEAType)temp;
1391 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
1392 if (temp < 0) goto no_ticket;
1393 parsed_session_ticket->keaKeyBits = (PRUint32)temp;
1394
1395 /* Read wrapped master_secret. */
1396 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
1397 if (temp < 0) goto no_ticket;
1398 parsed_session_ticket->ms_is_wrapped = (PRBool)temp;
1399
1400 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
1401 if (temp < 0) goto no_ticket;
1402 parsed_session_ticket->exchKeyType = (SSL3KEAType)temp;
1403
1404 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
1405 if (temp < 0) goto no_ticket;
1406 parsed_session_ticket->msWrapMech = (CK_MECHANISM_TYPE)temp;
1407
1408 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
1409 if (temp < 0) goto no_ticket;
1410 parsed_session_ticket->ms_length = (PRUint16)temp;
1411 if (parsed_session_ticket->ms_length == 0 || /* sanity check MS. */
1412 parsed_session_ticket->ms_length >
1413 sizeof(parsed_session_ticket->master_secret))
1414 goto no_ticket;
1415
1416 /* Allow for the wrapped master secret to be longer. */
1417 if (buffer_len < sizeof(SSL3_MASTER_SECRET_LENGTH))
1418 goto no_ticket;
1419 PORT_Memcpy(parsed_session_ticket->master_secret, buffer,
1420 parsed_session_ticket->ms_length);
1421 buffer += parsed_session_ticket->ms_length;
1422 buffer_len -= parsed_session_ticket->ms_length;
1423
1424 /* Read client_identity */
1425 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
1426 if (temp < 0)
1427 goto no_ticket;
1428 parsed_session_ticket->client_identity.client_auth_type =
1429 (ClientAuthenticationType)temp;
1430 switch(parsed_session_ticket->client_identity.client_auth_type) {
1431 case CLIENT_AUTH_ANONYMOUS:
1432 break;
1433 case CLIENT_AUTH_CERTIFICATE:
1434 rv = ssl3_ConsumeHandshakeVariable(ss, &cert_item, 3,
1435 &buffer, &buffer_len);
1436 if (rv != SECSuccess) goto no_ticket;
1437 rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->peer_cert,
1438 &cert_item);
1439 if (rv != SECSuccess) goto no_ticket;
1440 break;
1441 default:
1442 goto no_ticket;
1443 }
1444 /* Read timestamp. */
1445 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
1446 if (temp < 0)
1447 goto no_ticket;
1448 parsed_session_ticket->timestamp = (PRUint32)temp;
1449
1450 /* Read server name */
1451 nameType =
1452 ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
1453 if (nameType != TLS_STE_NO_SERVER_NAME) {
1454 SECItem name_item;
1455 rv = ssl3_ConsumeHandshakeVariable(ss, &name_item, 2, &buffer,
1456 &buffer_len);
1457 if (rv != SECSuccess) goto no_ticket;
1458 rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->srvName,
1459 &name_item);
1460 if (rv != SECSuccess) goto no_ticket;
1461 parsed_session_ticket->srvName.type = nameType;
1462 }
1463
1464 /* Done parsing. Check that all bytes have been consumed. */
1465 if (buffer_len != padding_length)
1466 goto no_ticket;
1467
1468 /* Use the ticket if it has not expired, otherwise free the allocated
1469 * memory since the ticket is of no use.
1470 */
1471 if (parsed_session_ticket->timestamp != 0 &&
1472 parsed_session_ticket->timestamp +
1473 TLS_EX_SESS_TICKET_LIFETIME_HINT > ssl_Time()) {
1474
1475 sid = ssl3_NewSessionID(ss, PR_TRUE);
1476 if (sid == NULL) {
1477 rv = SECFailure;
1478 goto loser;
1479 }
1480
1481 /* Copy over parameters. */
1482 sid->version = parsed_session_ticket->ssl_version;
1483 sid->u.ssl3.cipherSuite = parsed_session_ticket->cipher_suite;
1484 sid->u.ssl3.compression = parsed_session_ticket->compression_method;
1485 sid->authAlgorithm = parsed_session_ticket->authAlgorithm;
1486 sid->authKeyBits = parsed_session_ticket->authKeyBits;
1487 sid->keaType = parsed_session_ticket->keaType;
1488 sid->keaKeyBits = parsed_session_ticket->keaKeyBits;
1489
1490 /* Copy master secret. */
1491 #ifndef NO_PKCS11_BYPASS
1492 if (ss->opt.bypassPKCS11 &&
1493 parsed_session_ticket->ms_is_wrapped)
1494 goto no_ticket;
1495 #endif
1496 if (parsed_session_ticket->ms_length >
1497 sizeof(sid->u.ssl3.keys.wrapped_master_secret))
1498 goto no_ticket;
1499 PORT_Memcpy(sid->u.ssl3.keys.wrapped_master_secret,
1500 parsed_session_ticket->master_secret,
1501 parsed_session_ticket->ms_length);
1502 sid->u.ssl3.keys.wrapped_master_secret_len =
1503 parsed_session_ticket->ms_length;
1504 sid->u.ssl3.exchKeyType = parsed_session_ticket->exchKeyType;
1505 sid->u.ssl3.masterWrapMech = parsed_session_ticket->msWrapMech;
1506 sid->u.ssl3.keys.msIsWrapped =
1507 parsed_session_ticket->ms_is_wrapped;
1508 sid->u.ssl3.masterValid = PR_TRUE;
1509 sid->u.ssl3.keys.resumable = PR_TRUE;
1510
1511 /* Copy over client cert from session ticket if there is one. */
1512 if (parsed_session_ticket->peer_cert.data != NULL) {
1513 if (sid->peerCert != NULL)
1514 CERT_DestroyCertificate(sid->peerCert);
1515 sid->peerCert = CERT_NewTempCertificate(ss->dbHandle,
1516 &parsed_session_ticket->peer_cert, NULL, PR_FALSE, PR_TRUE);
1517 if (sid->peerCert == NULL) {
1518 rv = SECFailure;
1519 goto loser;
1520 }
1521 }
1522 if (parsed_session_ticket->srvName.data != NULL) {
1523 sid->u.ssl3.srvName = parsed_session_ticket->srvName;
1524 }
1525 ss->statelessResume = PR_TRUE;
1526 ss->sec.ci.sid = sid;
1527 }
1528 }
1529
1530 if (0) {
1531 no_ticket:
1532 SSL_DBG(("%d: SSL[%d]: Session ticket parsing failed.",
1533 SSL_GETPID(), ss->fd));
1534 ssl3stats = SSL_GetStatistics();
1535 SSL_AtomicIncrementLong(& ssl3stats->hch_sid_ticket_parse_failures );
1536 }
1537 rv = SECSuccess;
1538
1539 loser:
1540 /* ss->sec.ci.sid == sid if it did NOT come here via goto statement
1541 * in that case do not free sid
1542 */
1543 if (sid && (ss->sec.ci.sid != sid)) {
1544 ssl_FreeSID(sid);
1545 sid = NULL;
1546 }
1547 if (decrypted_state != NULL) {
1548 SECITEM_FreeItem(decrypted_state, PR_TRUE);
1549 decrypted_state = NULL;
1550 }
1551
1552 if (parsed_session_ticket != NULL) {
1553 if (parsed_session_ticket->peer_cert.data) {
1554 SECITEM_FreeItem(&parsed_session_ticket->peer_cert, PR_FALSE);
1555 }
1556 PORT_ZFree(parsed_session_ticket, sizeof(SessionTicket));
1557 }
1558
1559 return rv;
1560 }
1561
1562 /*
1563 * Read bytes. Using this function means the SECItem structure
1564 * cannot be freed. The caller is expected to call this function
1565 * on a shallow copy of the structure.
1566 */
1567 static SECStatus
1568 ssl3_ConsumeFromItem(SECItem *item, unsigned char **buf, PRUint32 bytes)
1569 {
1570 if (bytes > item->len)
1571 return SECFailure;
1572
1573 *buf = item->data;
1574 item->data += bytes;
1575 item->len -= bytes;
1576 return SECSuccess;
1577 }
1578
1579 static SECStatus
1580 ssl3_ParseEncryptedSessionTicket(sslSocket *ss, SECItem *data,
1581 EncryptedSessionTicket *enc_session_ticket)
1582 {
1583 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->key_name,
1584 SESS_TICKET_KEY_NAME_LEN) != SECSuccess)
1585 return SECFailure;
1586 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->iv,
1587 AES_BLOCK_SIZE) != SECSuccess)
1588 return SECFailure;
1589 if (ssl3_ConsumeHandshakeVariable(ss, &enc_session_ticket->encrypted_state,
1590 2, &data->data, &data->len) != SECSuccess)
1591 return SECFailure;
1592 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->mac,
1593 TLS_EX_SESS_TICKET_MAC_LENGTH) != SECSuccess)
1594 return SECFailure;
1595 if (data->len != 0) /* Make sure that we have consumed all bytes. */
1596 return SECFailure;
1597
1598 return SECSuccess;
1599 }
1600
1601 /* go through hello extensions in buffer "b".
1602 * For each one, find the extension handler in the table, and
1603 * if present, invoke that handler.
1604 * Servers ignore any extensions with unknown extension types.
1605 * Clients reject any extensions with unadvertised extension types.
1606 */
1607 SECStatus
1608 ssl3_HandleHelloExtensions(sslSocket *ss, SSL3Opaque **b, PRUint32 *length)
1609 {
1610 const ssl3HelloExtensionHandler * handlers;
1611
1612 if (ss->sec.isServer) {
1613 handlers = clientHelloHandlers;
1614 } else if (ss->version > SSL_LIBRARY_VERSION_3_0) {
1615 handlers = serverHelloHandlersTLS;
1616 } else {
1617 handlers = serverHelloHandlersSSL3;
1618 }
1619
1620 while (*length) {
1621 const ssl3HelloExtensionHandler * handler;
1622 SECStatus rv;
1623 PRInt32 extension_type;
1624 SECItem extension_data;
1625
1626 /* Get the extension's type field */
1627 extension_type = ssl3_ConsumeHandshakeNumber(ss, 2, b, length);
1628 if (extension_type < 0) /* failure to decode extension_type */
1629 return SECFailure; /* alert already sent */
1630
1631 /* get the data for this extension, so we can pass it or skip it. */
1632 rv = ssl3_ConsumeHandshakeVariable(ss, &extension_data, 2, b, length);
1633 if (rv != SECSuccess)
1634 return rv;
1635
1636 /* Check whether the server sent an extension which was not advertised
1637 * in the ClientHello.
1638 */
1639 if (!ss->sec.isServer &&
1640 !ssl3_ClientExtensionAdvertised(ss, extension_type))
1641 return SECFailure; /* TODO: send unsupported_extension alert */
1642
1643 /* Check whether an extension has been sent multiple times. */
1644 if (ssl3_ExtensionNegotiated(ss, extension_type))
1645 return SECFailure;
1646
1647 /* find extension_type in table of Hello Extension Handlers */
1648 for (handler = handlers; handler->ex_type >= 0; handler++) {
1649 /* if found, call this handler */
1650 if (handler->ex_type == extension_type) {
1651 rv = (*handler->ex_handler)(ss, (PRUint16)extension_type,
1652 &extension_data);
1653 /* Ignore this result */
1654 /* Treat all bad extensions as unrecognized types. */
1655 break;
1656 }
1657 }
1658 }
1659 return SECSuccess;
1660 }
1661
1662 /* Add a callback function to the table of senders of server hello extensions.
1663 */
1664 SECStatus
1665 ssl3_RegisterServerHelloExtensionSender(sslSocket *ss, PRUint16 ex_type,
1666 ssl3HelloExtensionSenderFunc cb)
1667 {
1668 int i;
1669 ssl3HelloExtensionSender *sender = &ss->xtnData.serverSenders[0];
1670
1671 for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) {
1672 if (!sender->ex_sender) {
1673 sender->ex_type = ex_type;
1674 sender->ex_sender = cb;
1675 return SECSuccess;
1676 }
1677 /* detect duplicate senders */
1678 PORT_Assert(sender->ex_type != ex_type);
1679 if (sender->ex_type == ex_type) {
1680 /* duplicate */
1681 break;
1682 }
1683 }
1684 PORT_Assert(i < SSL_MAX_EXTENSIONS); /* table needs to grow */
1685 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1686 return SECFailure;
1687 }
1688
1689 /* call each of the extension senders and return the accumulated length */
1690 PRInt32
1691 ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes,
1692 const ssl3HelloExtensionSender *sender)
1693 {
1694 PRInt32 total_exten_len = 0;
1695 int i;
1696
1697 if (!sender) {
1698 sender = ss->version > SSL_LIBRARY_VERSION_3_0 ?
1699 &clientHelloSendersTLS[0] : &clientHelloSendersSSL3[0];
1700 }
1701
1702 for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) {
1703 if (sender->ex_sender) {
1704 PRInt32 extLen = (*sender->ex_sender)(ss, append, maxBytes);
1705 if (extLen < 0)
1706 return -1;
1707 maxBytes -= extLen;
1708 total_exten_len += extLen;
1709 }
1710 }
1711 return total_exten_len;
1712 }
1713
1714
1715 /* Extension format:
1716 * Extension number: 2 bytes
1717 * Extension length: 2 bytes
1718 * Verify Data Length: 1 byte
1719 * Verify Data (TLS): 12 bytes (client) or 24 bytes (server)
1720 * Verify Data (SSL): 36 bytes (client) or 72 bytes (server)
1721 */
1722 static PRInt32
1723 ssl3_SendRenegotiationInfoXtn(
1724 sslSocket * ss,
1725 PRBool append,
1726 PRUint32 maxBytes)
1727 {
1728 PRInt32 len, needed;
1729
1730 /* In draft-ietf-tls-renegotiation-03, it is NOT RECOMMENDED to send
1731 * both the SCSV and the empty RI, so when we send SCSV in
1732 * the initial handshake, we don't also send RI.
1733 */
1734 if (!ss || ss->ssl3.hs.sendingSCSV)
1735 return 0;
1736 len = !ss->firstHsDone ? 0 :
1737 (ss->sec.isServer ? ss->ssl3.hs.finishedBytes * 2
1738 : ss->ssl3.hs.finishedBytes);
1739 needed = 5 + len;
1740 if (append && maxBytes >= needed) {
1741 SECStatus rv;
1742 /* extension_type */
1743 rv = ssl3_AppendHandshakeNumber(ss, ssl_renegotiation_info_xtn, 2);
1744 if (rv != SECSuccess) return -1;
1745 /* length of extension_data */
1746 rv = ssl3_AppendHandshakeNumber(ss, len + 1, 2);
1747 if (rv != SECSuccess) return -1;
1748 /* verify_Data from previous Finished message(s) */
1749 rv = ssl3_AppendHandshakeVariable(ss,
1750 ss->ssl3.hs.finishedMsgs.data, len, 1);
1751 if (rv != SECSuccess) return -1;
1752 if (!ss->sec.isServer) {
1753 TLSExtensionData *xtnData = &ss->xtnData;
1754 xtnData->advertised[xtnData->numAdvertised++] =
1755 ssl_renegotiation_info_xtn;
1756 }
1757 }
1758 return needed;
1759 }
1760
1761 /* This function runs in both the client and server. */
1762 static SECStatus
1763 ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
1764 {
1765 SECStatus rv = SECSuccess;
1766 PRUint32 len = 0;
1767
1768 if (ss->firstHsDone) {
1769 len = ss->sec.isServer ? ss->ssl3.hs.finishedBytes
1770 : ss->ssl3.hs.finishedBytes * 2;
1771 }
1772 if (data->len != 1 + len ||
1773 data->data[0] != len || (len &&
1774 NSS_SecureMemcmp(ss->ssl3.hs.finishedMsgs.data,
1775 data->data + 1, len))) {
1776 /* Can we do this here? Or, must we arrange for the caller to do it? */
1777 (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure);
1778 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
1779 return SECFailure;
1780 }
1781 /* remember that we got this extension and it was correct. */
1782 ss->peerRequestedProtection = 1;
1783 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
1784 if (ss->sec.isServer) {
1785 /* prepare to send back the appropriate response */
1786 rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type,
1787 ssl3_SendRenegotiationInfoXtn);
1788 }
1789 return rv;
1790 }
1791
1792 static PRInt32
1793 ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes)
1794 {
1795 PRUint32 ext_data_len;
1796 PRInt16 i;
1797 SECStatus rv;
1798
1799 if (!ss)
1800 return 0;
1801
1802 if (!ss->sec.isServer) {
1803 /* Client side */
1804
1805 if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount)
1806 return 0; /* Not relevant */
1807
1808 ext_data_len = 2 + 2 * ss->ssl3.dtlsSRTPCipherCount + 1;
1809
1810 if (append && maxBytes >= 4 + ext_data_len) {
1811 /* Extension type */
1812 rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2);
1813 if (rv != SECSuccess) return -1;
1814 /* Length of extension data */
1815 rv = ssl3_AppendHandshakeNumber(ss, ext_data_len, 2);
1816 if (rv != SECSuccess) return -1;
1817 /* Length of the SRTP cipher list */
1818 rv = ssl3_AppendHandshakeNumber(ss,
1819 2 * ss->ssl3.dtlsSRTPCipherCount,
1820 2);
1821 if (rv != SECSuccess) return -1;
1822 /* The SRTP ciphers */
1823 for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) {
1824 rv = ssl3_AppendHandshakeNumber(ss,
1825 ss->ssl3.dtlsSRTPCiphers[i],
1826 2);
1827 }
1828 /* Empty MKI value */
1829 ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
1830
1831 ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
1832 ssl_use_srtp_xtn;
1833 }
1834
1835 return 4 + ext_data_len;
1836 }
1837
1838 /* Server side */
1839 if (append && maxBytes >= 9) {
1840 /* Extension type */
1841 rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2);
1842 if (rv != SECSuccess) return -1;
1843 /* Length of extension data */
1844 rv = ssl3_AppendHandshakeNumber(ss, 5, 2);
1845 if (rv != SECSuccess) return -1;
1846 /* Length of the SRTP cipher list */
1847 rv = ssl3_AppendHandshakeNumber(ss, 2, 2);
1848 if (rv != SECSuccess) return -1;
1849 /* The selected cipher */
1850 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.dtlsSRTPCipherSuite, 2);
1851 if (rv != SECSuccess) return -1;
1852 /* Empty MKI value */
1853 ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
1854 }
1855
1856 return 9;
1857 }
1858
1859 static SECStatus
1860 ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data)
1861 {
1862 SECStatus rv;
1863 SECItem ciphers = {siBuffer, NULL, 0};
1864 PRUint16 i;
1865 unsigned int j;
1866 PRUint16 cipher = 0;
1867 PRBool found = PR_FALSE;
1868 SECItem litem;
1869
1870 if (!ss->sec.isServer) {
1871 /* Client side */
1872 if (!data->data || !data->len) {
1873 /* malformed */
1874 return SECFailure;
1875 }
1876
1877 /* Get the cipher list */
1878 rv = ssl3_ConsumeHandshakeVariable(ss, &ciphers, 2,
1879 &data->data, &data->len);
1880 if (rv != SECSuccess) {
1881 return SECFailure;
1882 }
1883 /* Now check that the number of ciphers listed is 1 (len = 2) */
1884 if (ciphers.len != 2) {
1885 return SECFailure;
1886 }
1887
1888 /* Get the selected cipher */
1889 cipher = (ciphers.data[0] << 8) | ciphers.data[1];
1890
1891 /* Now check that this is one of the ciphers we offered */
1892 for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) {
1893 if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) {
1894 found = PR_TRUE;
1895 break;
1896 }
1897 }
1898
1899 if (!found) {
1900 return SECFailure;
1901 }
1902
1903 /* Get the srtp_mki value */
1904 rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 1,
1905 &data->data, &data->len);
1906 if (rv != SECSuccess) {
1907 return SECFailure;
1908 }
1909
1910 /* We didn't offer an MKI, so this must be 0 length */
1911 /* XXX RFC 5764 Section 4.1.3 says:
1912 * If the client detects a nonzero-length MKI in the server's
1913 * response that is different than the one the client offered,
1914 * then the client MUST abort the handshake and SHOULD send an
1915 * invalid_parameter alert.
1916 *
1917 * Due to a limitation of the ssl3_HandleHelloExtensions function,
1918 * returning SECFailure here won't abort the handshake. It will
1919 * merely cause the use_srtp extension to be not negotiated. We
1920 * should fix this. See NSS bug 753136.
1921 */
1922 if (litem.len != 0) {
1923 return SECFailure;
1924 }
1925
1926 if (data->len != 0) {
1927 /* malformed */
1928 return SECFailure;
1929 }
1930
1931 /* OK, this looks fine. */
1932 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn;
1933 ss->ssl3.dtlsSRTPCipherSuite = cipher;
1934 return SECSuccess;
1935 }
1936
1937 /* Server side */
1938 if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) {
1939 /* Ignore the extension if we aren't doing DTLS or no DTLS-SRTP
1940 * preferences have been set. */
1941 return SECSuccess;
1942 }
1943
1944 if (!data->data || data->len < 5) {
1945 /* malformed */
1946 return SECFailure;
1947 }
1948
1949 /* Get the cipher list */
1950 rv = ssl3_ConsumeHandshakeVariable(ss, &ciphers, 2,
1951 &data->data, &data->len);
1952 if (rv != SECSuccess) {
1953 return SECFailure;
1954 }
1955 /* Check that the list is even length */
1956 if (ciphers.len % 2) {
1957 return SECFailure;
1958 }
1959
1960 /* Walk through the offered list and pick the most preferred of our
1961 * ciphers, if any */
1962 for (i = 0; !found && i < ss->ssl3.dtlsSRTPCipherCount; i++) {
1963 for (j = 0; j + 1 < ciphers.len; j += 2) {
1964 cipher = (ciphers.data[j] << 8) | ciphers.data[j + 1];
1965 if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) {
1966 found = PR_TRUE;
1967 break;
1968 }
1969 }
1970 }
1971
1972 /* Get the srtp_mki value */
1973 rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 1, &data->data, &data->len);
1974 if (rv != SECSuccess) {
1975 return SECFailure;
1976 }
1977
1978 if (data->len != 0) {
1979 return SECFailure; /* Malformed */
1980 }
1981
1982 /* Now figure out what to do */
1983 if (!found) {
1984 /* No matching ciphers */
1985 return SECSuccess;
1986 }
1987
1988 /* OK, we have a valid cipher and we've selected it */
1989 ss->ssl3.dtlsSRTPCipherSuite = cipher;
1990 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn;
1991
1992 return ssl3_RegisterServerHelloExtensionSender(ss, ssl_use_srtp_xtn,
1993 ssl3_SendUseSRTPXtn);
1994 }