security/nss/lib/ssl/ssl3ext.c@6474c204b198
security/nss/lib/ssl/ssl3ext.c
Wed, 31 Dec 2014 06:09:35 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 31 Dec 2014 06:09:35 +0100
- changeset 0
- 6474c204b198
- permissions
- -rw-r--r--
Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.
1 /*
2 * SSL3 Protocol
3 *
4 * This Source Code Form is subject to the terms of the Mozilla Public
5 * License, v. 2.0. If a copy of the MPL was not distributed with this
6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
8 /* TLS extension code moved here from ssl3ecc.c */
10 #include "nssrenam.h"
11 #include "nss.h"
12 #include "ssl.h"
13 #include "sslproto.h"
14 #include "sslimpl.h"
15 #include "pk11pub.h"
16 #ifdef NO_PKCS11_BYPASS
17 #include "blapit.h"
18 #else
19 #include "blapi.h"
20 #endif
21 #include "prinit.h"
23 static unsigned char key_name[SESS_TICKET_KEY_NAME_LEN];
24 static PK11SymKey *session_ticket_enc_key_pkcs11 = NULL;
25 static PK11SymKey *session_ticket_mac_key_pkcs11 = NULL;
27 #ifndef NO_PKCS11_BYPASS
28 static unsigned char session_ticket_enc_key[AES_256_KEY_LENGTH];
29 static unsigned char session_ticket_mac_key[SHA256_LENGTH];
31 static PRBool session_ticket_keys_initialized = PR_FALSE;
32 #endif
33 static PRCallOnceType generate_session_keys_once;
35 /* forward static function declarations */
36 static SECStatus ssl3_ParseEncryptedSessionTicket(sslSocket *ss,
37 SECItem *data, EncryptedSessionTicket *enc_session_ticket);
38 static SECStatus ssl3_AppendToItem(SECItem *item, const unsigned char *buf,
39 PRUint32 bytes);
40 static SECStatus ssl3_AppendNumberToItem(SECItem *item, PRUint32 num,
41 PRInt32 lenSize);
42 static SECStatus ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss,
43 PK11SymKey **aes_key, PK11SymKey **mac_key);
44 #ifndef NO_PKCS11_BYPASS
45 static SECStatus ssl3_GetSessionTicketKeys(const unsigned char **aes_key,
46 PRUint32 *aes_key_length, const unsigned char **mac_key,
47 PRUint32 *mac_key_length);
48 #endif
49 static PRInt32 ssl3_SendRenegotiationInfoXtn(sslSocket * ss,
50 PRBool append, PRUint32 maxBytes);
51 static SECStatus ssl3_HandleRenegotiationInfoXtn(sslSocket *ss,
52 PRUint16 ex_type, SECItem *data);
53 static SECStatus ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss,
54 PRUint16 ex_type, SECItem *data);
55 static SECStatus ssl3_ClientHandleAppProtoXtn(sslSocket *ss,
56 PRUint16 ex_type, SECItem *data);
57 static SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss,
58 PRUint16 ex_type, SECItem *data);
59 static SECStatus ssl3_ServerHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type,
60 SECItem *data);
61 static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append,
62 PRUint32 maxBytes);
63 static PRInt32 ssl3_ClientSendAppProtoXtn(sslSocket *ss, PRBool append,
64 PRUint32 maxBytes);
65 static PRInt32 ssl3_ServerSendAppProtoXtn(sslSocket *ss, PRBool append,
66 PRUint32 maxBytes);
67 static PRInt32 ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append,
68 PRUint32 maxBytes);
69 static SECStatus ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type,
70 SECItem *data);
71 static PRInt32 ssl3_ServerSendStatusRequestXtn(sslSocket * ss,
72 PRBool append, PRUint32 maxBytes);
73 static SECStatus ssl3_ServerHandleStatusRequestXtn(sslSocket *ss,
74 PRUint16 ex_type, SECItem *data);
75 static SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss,
76 PRUint16 ex_type,
77 SECItem *data);
78 static PRInt32 ssl3_ClientSendStatusRequestXtn(sslSocket * ss, PRBool append,
79 PRUint32 maxBytes);
80 static PRInt32 ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append,
81 PRUint32 maxBytes);
82 static SECStatus ssl3_ServerHandleSigAlgsXtn(sslSocket *ss, PRUint16 ex_type,
83 SECItem *data);
85 /*
86 * Write bytes. Using this function means the SECItem structure
87 * cannot be freed. The caller is expected to call this function
88 * on a shallow copy of the structure.
89 */
90 static SECStatus
91 ssl3_AppendToItem(SECItem *item, const unsigned char *buf, PRUint32 bytes)
92 {
93 if (bytes > item->len)
94 return SECFailure;
96 PORT_Memcpy(item->data, buf, bytes);
97 item->data += bytes;
98 item->len -= bytes;
99 return SECSuccess;
100 }
102 /*
103 * Write a number in network byte order. Using this function means the
104 * SECItem structure cannot be freed. The caller is expected to call
105 * this function on a shallow copy of the structure.
106 */
107 static SECStatus
108 ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, PRInt32 lenSize)
109 {
110 SECStatus rv;
111 PRUint8 b[4];
112 PRUint8 * p = b;
114 switch (lenSize) {
115 case 4:
116 *p++ = (PRUint8) (num >> 24);
117 case 3:
118 *p++ = (PRUint8) (num >> 16);
119 case 2:
120 *p++ = (PRUint8) (num >> 8);
121 case 1:
122 *p = (PRUint8) num;
123 }
124 rv = ssl3_AppendToItem(item, &b[0], lenSize);
125 return rv;
126 }
128 static SECStatus ssl3_SessionTicketShutdown(void* appData, void* nssData)
129 {
130 if (session_ticket_enc_key_pkcs11) {
131 PK11_FreeSymKey(session_ticket_enc_key_pkcs11);
132 session_ticket_enc_key_pkcs11 = NULL;
133 }
134 if (session_ticket_mac_key_pkcs11) {
135 PK11_FreeSymKey(session_ticket_mac_key_pkcs11);
136 session_ticket_mac_key_pkcs11 = NULL;
137 }
138 PORT_Memset(&generate_session_keys_once, 0,
139 sizeof(generate_session_keys_once));
140 return SECSuccess;
141 }
144 static PRStatus
145 ssl3_GenerateSessionTicketKeysPKCS11(void *data)
146 {
147 SECStatus rv;
148 sslSocket *ss = (sslSocket *)data;
149 SECKEYPrivateKey *svrPrivKey = ss->serverCerts[kt_rsa].SERVERKEY;
150 SECKEYPublicKey *svrPubKey = ss->serverCerts[kt_rsa].serverKeyPair->pubKey;
152 if (svrPrivKey == NULL || svrPubKey == NULL) {
153 SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.",
154 SSL_GETPID(), ss->fd));
155 goto loser;
156 }
158 /* Get a copy of the session keys from shared memory. */
159 PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX,
160 sizeof(SESS_TICKET_KEY_NAME_PREFIX));
161 if (!ssl_GetSessionTicketKeysPKCS11(svrPrivKey, svrPubKey,
162 ss->pkcs11PinArg, &key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN],
163 &session_ticket_enc_key_pkcs11, &session_ticket_mac_key_pkcs11))
164 return PR_FAILURE;
166 rv = NSS_RegisterShutdown(ssl3_SessionTicketShutdown, NULL);
167 if (rv != SECSuccess)
168 goto loser;
170 return PR_SUCCESS;
172 loser:
173 ssl3_SessionTicketShutdown(NULL, NULL);
174 return PR_FAILURE;
175 }
177 static SECStatus
178 ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss, PK11SymKey **aes_key,
179 PK11SymKey **mac_key)
180 {
181 if (PR_CallOnceWithArg(&generate_session_keys_once,
182 ssl3_GenerateSessionTicketKeysPKCS11, ss) != PR_SUCCESS)
183 return SECFailure;
185 if (session_ticket_enc_key_pkcs11 == NULL ||
186 session_ticket_mac_key_pkcs11 == NULL)
187 return SECFailure;
189 *aes_key = session_ticket_enc_key_pkcs11;
190 *mac_key = session_ticket_mac_key_pkcs11;
191 return SECSuccess;
192 }
194 #ifndef NO_PKCS11_BYPASS
195 static PRStatus
196 ssl3_GenerateSessionTicketKeys(void)
197 {
198 PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX,
199 sizeof(SESS_TICKET_KEY_NAME_PREFIX));
201 if (!ssl_GetSessionTicketKeys(&key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN],
202 session_ticket_enc_key, session_ticket_mac_key))
203 return PR_FAILURE;
205 session_ticket_keys_initialized = PR_TRUE;
206 return PR_SUCCESS;
207 }
209 static SECStatus
210 ssl3_GetSessionTicketKeys(const unsigned char **aes_key,
211 PRUint32 *aes_key_length, const unsigned char **mac_key,
212 PRUint32 *mac_key_length)
213 {
214 if (PR_CallOnce(&generate_session_keys_once,
215 ssl3_GenerateSessionTicketKeys) != PR_SUCCESS)
216 return SECFailure;
218 if (!session_ticket_keys_initialized)
219 return SECFailure;
221 *aes_key = session_ticket_enc_key;
222 *aes_key_length = sizeof(session_ticket_enc_key);
223 *mac_key = session_ticket_mac_key;
224 *mac_key_length = sizeof(session_ticket_mac_key);
226 return SECSuccess;
227 }
228 #endif
230 /* Table of handlers for received TLS hello extensions, one per extension.
231 * In the second generation, this table will be dynamic, and functions
232 * will be registered here.
233 */
234 /* This table is used by the server, to handle client hello extensions. */
235 static const ssl3HelloExtensionHandler clientHelloHandlers[] = {
236 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn },
237 #ifndef NSS_DISABLE_ECC
238 { ssl_elliptic_curves_xtn, &ssl3_HandleSupportedCurvesXtn },
239 { ssl_ec_point_formats_xtn, &ssl3_HandleSupportedPointFormatsXtn },
240 #endif
241 { ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn },
242 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
243 { ssl_next_proto_nego_xtn, &ssl3_ServerHandleNextProtoNegoXtn },
244 { ssl_app_layer_protocol_xtn, &ssl3_ServerHandleAppProtoXtn },
245 { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn },
246 { ssl_cert_status_xtn, &ssl3_ServerHandleStatusRequestXtn },
247 { ssl_signature_algorithms_xtn, &ssl3_ServerHandleSigAlgsXtn },
248 { -1, NULL }
249 };
251 /* These two tables are used by the client, to handle server hello
252 * extensions. */
253 static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = {
254 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn },
255 /* TODO: add a handler for ssl_ec_point_formats_xtn */
256 { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn },
257 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
258 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn },
259 { ssl_app_layer_protocol_xtn, &ssl3_ClientHandleAppProtoXtn },
260 { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn },
261 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn },
262 { -1, NULL }
263 };
265 static const ssl3HelloExtensionHandler serverHelloHandlersSSL3[] = {
266 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
267 { -1, NULL }
268 };
270 /* Tables of functions to format TLS hello extensions, one function per
271 * extension.
272 * These static tables are for the formatting of client hello extensions.
273 * The server's table of hello senders is dynamic, in the socket struct,
274 * and sender functions are registered there.
275 */
276 static const
277 ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = {
278 { ssl_server_name_xtn, &ssl3_SendServerNameXtn },
279 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn },
280 #ifndef NSS_DISABLE_ECC
281 { ssl_elliptic_curves_xtn, &ssl3_SendSupportedCurvesXtn },
282 { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn },
283 #endif
284 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn },
285 { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn },
286 { ssl_app_layer_protocol_xtn, &ssl3_ClientSendAppProtoXtn },
287 { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn },
288 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn },
289 { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }
290 /* any extra entries will appear as { 0, NULL } */
291 };
293 static const
294 ssl3HelloExtensionSender clientHelloSendersSSL3[SSL_MAX_EXTENSIONS] = {
295 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn }
296 /* any extra entries will appear as { 0, NULL } */
297 };
299 static PRBool
300 arrayContainsExtension(const PRUint16 *array, PRUint32 len, PRUint16 ex_type)
301 {
302 int i;
303 for (i = 0; i < len; i++) {
304 if (ex_type == array[i])
305 return PR_TRUE;
306 }
307 return PR_FALSE;
308 }
310 PRBool
311 ssl3_ExtensionNegotiated(sslSocket *ss, PRUint16 ex_type) {
312 TLSExtensionData *xtnData = &ss->xtnData;
313 return arrayContainsExtension(xtnData->negotiated,
314 xtnData->numNegotiated, ex_type);
315 }
317 static PRBool
318 ssl3_ClientExtensionAdvertised(sslSocket *ss, PRUint16 ex_type) {
319 TLSExtensionData *xtnData = &ss->xtnData;
320 return arrayContainsExtension(xtnData->advertised,
321 xtnData->numAdvertised, ex_type);
322 }
324 /* Format an SNI extension, using the name from the socket's URL,
325 * unless that name is a dotted decimal string.
326 * Used by client and server.
327 */
328 PRInt32
329 ssl3_SendServerNameXtn(sslSocket * ss, PRBool append,
330 PRUint32 maxBytes)
331 {
332 SECStatus rv;
333 if (!ss)
334 return 0;
335 if (!ss->sec.isServer) {
336 PRUint32 len;
337 PRNetAddr netAddr;
339 /* must have a hostname */
340 if (!ss->url || !ss->url[0])
341 return 0;
342 /* must not be an IPv4 or IPv6 address */
343 if (PR_SUCCESS == PR_StringToNetAddr(ss->url, &netAddr)) {
344 /* is an IP address (v4 or v6) */
345 return 0;
346 }
347 len = PORT_Strlen(ss->url);
348 if (append && maxBytes >= len + 9) {
349 /* extension_type */
350 rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2);
351 if (rv != SECSuccess) return -1;
352 /* length of extension_data */
353 rv = ssl3_AppendHandshakeNumber(ss, len + 5, 2);
354 if (rv != SECSuccess) return -1;
355 /* length of server_name_list */
356 rv = ssl3_AppendHandshakeNumber(ss, len + 3, 2);
357 if (rv != SECSuccess) return -1;
358 /* Name Type (sni_host_name) */
359 rv = ssl3_AppendHandshake(ss, "\0", 1);
360 if (rv != SECSuccess) return -1;
361 /* HostName (length and value) */
362 rv = ssl3_AppendHandshakeVariable(ss, (PRUint8 *)ss->url, len, 2);
363 if (rv != SECSuccess) return -1;
364 if (!ss->sec.isServer) {
365 TLSExtensionData *xtnData = &ss->xtnData;
366 xtnData->advertised[xtnData->numAdvertised++] =
367 ssl_server_name_xtn;
368 }
369 }
370 return len + 9;
371 }
372 /* Server side */
373 if (append && maxBytes >= 4) {
374 rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2);
375 if (rv != SECSuccess) return -1;
376 /* length of extension_data */
377 rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
378 if (rv != SECSuccess) return -1;
379 }
380 return 4;
381 }
383 /* handle an incoming SNI extension, by ignoring it. */
384 SECStatus
385 ssl3_HandleServerNameXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data)
386 {
387 SECItem *names = NULL;
388 PRUint32 listCount = 0, namesPos = 0, i;
389 TLSExtensionData *xtnData = &ss->xtnData;
390 SECItem ldata;
391 PRInt32 listLenBytes = 0;
393 if (!ss->sec.isServer) {
394 /* Verify extension_data is empty. */
395 if (data->data || data->len ||
396 !ssl3_ExtensionNegotiated(ss, ssl_server_name_xtn)) {
397 /* malformed or was not initiated by the client.*/
398 return SECFailure;
399 }
400 return SECSuccess;
401 }
403 /* Server side - consume client data and register server sender. */
404 /* do not parse the data if don't have user extension handling function. */
405 if (!ss->sniSocketConfig) {
406 return SECSuccess;
407 }
408 /* length of server_name_list */
409 listLenBytes = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
410 if (listLenBytes == 0 || listLenBytes != data->len) {
411 return SECFailure;
412 }
413 ldata = *data;
414 /* Calculate the size of the array.*/
415 while (listLenBytes > 0) {
416 SECItem litem;
417 SECStatus rv;
418 PRInt32 type;
419 /* Name Type (sni_host_name) */
420 type = ssl3_ConsumeHandshakeNumber(ss, 1, &ldata.data, &ldata.len);
421 if (!ldata.len) {
422 return SECFailure;
423 }
424 rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 2, &ldata.data, &ldata.len);
425 if (rv != SECSuccess) {
426 return SECFailure;
427 }
428 /* Adjust total length for cunsumed item, item len and type.*/
429 listLenBytes -= litem.len + 3;
430 if (listLenBytes > 0 && !ldata.len) {
431 return SECFailure;
432 }
433 listCount += 1;
434 }
435 if (!listCount) {
436 return SECFailure;
437 }
438 names = PORT_ZNewArray(SECItem, listCount);
439 if (!names) {
440 return SECFailure;
441 }
442 for (i = 0;i < listCount;i++) {
443 int j;
444 PRInt32 type;
445 SECStatus rv;
446 PRBool nametypePresent = PR_FALSE;
447 /* Name Type (sni_host_name) */
448 type = ssl3_ConsumeHandshakeNumber(ss, 1, &data->data, &data->len);
449 /* Check if we have such type in the list */
450 for (j = 0;j < listCount && names[j].data;j++) {
451 if (names[j].type == type) {
452 nametypePresent = PR_TRUE;
453 break;
454 }
455 }
456 /* HostName (length and value) */
457 rv = ssl3_ConsumeHandshakeVariable(ss, &names[namesPos], 2,
458 &data->data, &data->len);
459 if (rv != SECSuccess) {
460 goto loser;
461 }
462 if (nametypePresent == PR_FALSE) {
463 namesPos += 1;
464 }
465 }
466 /* Free old and set the new data. */
467 if (xtnData->sniNameArr) {
468 PORT_Free(ss->xtnData.sniNameArr);
469 }
470 xtnData->sniNameArr = names;
471 xtnData->sniNameArrSize = namesPos;
472 xtnData->negotiated[xtnData->numNegotiated++] = ssl_server_name_xtn;
474 return SECSuccess;
476 loser:
477 PORT_Free(names);
478 return SECFailure;
479 }
481 /* Called by both clients and servers.
482 * Clients sends a filled in session ticket if one is available, and otherwise
483 * sends an empty ticket. Servers always send empty tickets.
484 */
485 PRInt32
486 ssl3_SendSessionTicketXtn(
487 sslSocket * ss,
488 PRBool append,
489 PRUint32 maxBytes)
490 {
491 PRInt32 extension_length;
492 NewSessionTicket *session_ticket = NULL;
493 sslSessionID *sid = ss->sec.ci.sid;
495 /* Ignore the SessionTicket extension if processing is disabled. */
496 if (!ss->opt.enableSessionTickets)
497 return 0;
499 /* Empty extension length = extension_type (2-bytes) +
500 * length(extension_data) (2-bytes)
501 */
502 extension_length = 4;
504 /* If we are a client then send a session ticket if one is availble.
505 * Servers that support the extension and are willing to negotiate the
506 * the extension always respond with an empty extension.
507 */
508 if (!ss->sec.isServer) {
509 /* The caller must be holding sid->u.ssl3.lock for reading. We cannot
510 * just acquire and release the lock within this function because the
511 * caller will call this function twice, and we need the inputs to be
512 * consistent between the two calls. Note that currently the caller
513 * will only be holding the lock when we are the client and when we're
514 * attempting to resume an existing session.
515 */
517 session_ticket = &sid->u.ssl3.locked.sessionTicket;
518 if (session_ticket->ticket.data) {
519 if (ss->xtnData.ticketTimestampVerified) {
520 extension_length += session_ticket->ticket.len;
521 } else if (!append &&
522 (session_ticket->ticket_lifetime_hint == 0 ||
523 (session_ticket->ticket_lifetime_hint +
524 session_ticket->received_timestamp > ssl_Time()))) {
525 extension_length += session_ticket->ticket.len;
526 ss->xtnData.ticketTimestampVerified = PR_TRUE;
527 }
528 }
529 }
531 if (append && maxBytes >= extension_length) {
532 SECStatus rv;
533 /* extension_type */
534 rv = ssl3_AppendHandshakeNumber(ss, ssl_session_ticket_xtn, 2);
535 if (rv != SECSuccess)
536 goto loser;
537 if (session_ticket && session_ticket->ticket.data &&
538 ss->xtnData.ticketTimestampVerified) {
539 rv = ssl3_AppendHandshakeVariable(ss, session_ticket->ticket.data,
540 session_ticket->ticket.len, 2);
541 ss->xtnData.ticketTimestampVerified = PR_FALSE;
542 ss->xtnData.sentSessionTicketInClientHello = PR_TRUE;
543 } else {
544 rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
545 }
546 if (rv != SECSuccess)
547 goto loser;
549 if (!ss->sec.isServer) {
550 TLSExtensionData *xtnData = &ss->xtnData;
551 xtnData->advertised[xtnData->numAdvertised++] =
552 ssl_session_ticket_xtn;
553 }
554 } else if (maxBytes < extension_length) {
555 PORT_Assert(0);
556 return 0;
557 }
558 return extension_length;
560 loser:
561 ss->xtnData.ticketTimestampVerified = PR_FALSE;
562 return -1;
563 }
565 /* handle an incoming Next Protocol Negotiation extension. */
566 static SECStatus
567 ssl3_ServerHandleNextProtoNegoXtn(sslSocket * ss, PRUint16 ex_type,
568 SECItem *data)
569 {
570 if (ss->firstHsDone || data->len != 0) {
571 /* Clients MUST send an empty NPN extension, if any. */
572 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
573 return SECFailure;
574 }
576 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
578 /* TODO: server side NPN support would require calling
579 * ssl3_RegisterServerHelloExtensionSender here in order to echo the
580 * extension back to the client. */
582 return SECSuccess;
583 }
585 /* ssl3_ValidateNextProtoNego checks that the given block of data is valid: none
586 * of the lengths may be 0 and the sum of the lengths must equal the length of
587 * the block. */
588 SECStatus
589 ssl3_ValidateNextProtoNego(const unsigned char* data, unsigned int length)
590 {
591 unsigned int offset = 0;
593 while (offset < length) {
594 unsigned int newOffset = offset + 1 + (unsigned int) data[offset];
595 /* Reject embedded nulls to protect against buggy applications that
596 * store protocol identifiers in null-terminated strings.
597 */
598 if (newOffset > length || data[offset] == 0) {
599 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
600 return SECFailure;
601 }
602 offset = newOffset;
603 }
605 if (offset > length) {
606 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
607 return SECFailure;
608 }
610 return SECSuccess;
611 }
613 /* protocol selection handler for ALPN (server side) and NPN (client side) */
614 static SECStatus
615 ssl3_SelectAppProtocol(sslSocket *ss, PRUint16 ex_type, SECItem *data)
616 {
617 SECStatus rv;
618 unsigned char resultBuffer[255];
619 SECItem result = { siBuffer, resultBuffer, 0 };
621 rv = ssl3_ValidateNextProtoNego(data->data, data->len);
622 if (rv != SECSuccess)
623 return rv;
625 PORT_Assert(ss->nextProtoCallback);
626 rv = ss->nextProtoCallback(ss->nextProtoArg, ss->fd, data->data, data->len,
627 result.data, &result.len, sizeof resultBuffer);
628 if (rv != SECSuccess)
629 return rv;
630 /* If the callback wrote more than allowed to |result| it has corrupted our
631 * stack. */
632 if (result.len > sizeof resultBuffer) {
633 PORT_SetError(SEC_ERROR_OUTPUT_LEN);
634 return SECFailure;
635 }
637 if (ex_type == ssl_app_layer_protocol_xtn &&
638 ss->ssl3.nextProtoState != SSL_NEXT_PROTO_NEGOTIATED) {
639 /* The callback might say OK, but then it's picked a default.
640 * That's OK for NPN, but not ALPN. */
641 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
642 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL);
643 (void)SSL3_SendAlert(ss, alert_fatal, no_application_protocol);
644 return SECFailure;
645 }
647 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
649 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
650 return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &result);
651 }
653 /* handle an incoming ALPN extension at the server */
654 static SECStatus
655 ssl3_ServerHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
656 {
657 int count;
658 SECStatus rv;
660 /* We expressly don't want to allow ALPN on renegotiation,
661 * despite it being permitted by the spec. */
662 if (ss->firstHsDone || data->len == 0) {
663 /* Clients MUST send a non-empty ALPN extension. */
664 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
665 return SECFailure;
666 }
668 /* unlike NPN, ALPN has extra redundant length information so that
669 * the extension is the same in both ClientHello and ServerHello */
670 count = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
671 if (count < 0) {
672 return SECFailure; /* fatal alert was sent */
673 }
674 if (count != data->len) {
675 return ssl3_DecodeError(ss);
676 }
678 if (!ss->nextProtoCallback) {
679 /* we're not configured for it */
680 return SECSuccess;
681 }
683 rv = ssl3_SelectAppProtocol(ss, ex_type, data);
684 if (rv != SECSuccess) {
685 return rv;
686 }
688 /* prepare to send back a response, if we negotiated */
689 if (ss->ssl3.nextProtoState == SSL_NEXT_PROTO_NEGOTIATED) {
690 return ssl3_RegisterServerHelloExtensionSender(
691 ss, ex_type, ssl3_ServerSendAppProtoXtn);
692 }
693 return SECSuccess;
694 }
696 static SECStatus
697 ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type,
698 SECItem *data)
699 {
700 PORT_Assert(!ss->firstHsDone);
702 if (ssl3_ExtensionNegotiated(ss, ssl_app_layer_protocol_xtn)) {
703 /* If the server negotiated ALPN then it has already told us what
704 * protocol to use, so it doesn't make sense for us to try to negotiate
705 * a different one by sending the NPN handshake message. However, if
706 * we've negotiated NPN then we're required to send the NPN handshake
707 * message. Thus, these two extensions cannot both be negotiated on the
708 * same connection. */
709 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
710 return SECFailure;
711 }
713 /* We should only get this call if we sent the extension, so
714 * ss->nextProtoCallback needs to be non-NULL. However, it is possible
715 * that an application erroneously cleared the callback between the time
716 * we sent the ClientHello and now. */
717 if (!ss->nextProtoCallback) {
718 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK);
719 return SECFailure;
720 }
722 return ssl3_SelectAppProtocol(ss, ex_type, data);
723 }
725 static SECStatus
726 ssl3_ClientHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
727 {
728 const unsigned char* d = data->data;
729 PRUint16 name_list_len;
730 SECItem protocol_name;
732 if (ssl3_ExtensionNegotiated(ss, ssl_next_proto_nego_xtn)) {
733 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
734 return SECFailure;
735 }
737 /* The extension data from the server has the following format:
738 * uint16 name_list_len;
739 * uint8 len;
740 * uint8 protocol_name[len]; */
741 if (data->len < 4 || data->len > 2 + 1 + 255) {
742 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
743 return SECFailure;
744 }
746 name_list_len = ((PRUint16) d[0]) << 8 |
747 ((PRUint16) d[1]);
748 if (name_list_len != data->len - 2 || d[2] != data->len - 3) {
749 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
750 return SECFailure;
751 }
753 protocol_name.data = data->data + 3;
754 protocol_name.len = data->len - 3;
756 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
757 ss->ssl3.nextProtoState = SSL_NEXT_PROTO_SELECTED;
758 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
759 return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &protocol_name);
760 }
762 static PRInt32
763 ssl3_ClientSendNextProtoNegoXtn(sslSocket * ss, PRBool append,
764 PRUint32 maxBytes)
765 {
766 PRInt32 extension_length;
768 /* Renegotiations do not send this extension. */
769 if (!ss->opt.enableNPN || !ss->nextProtoCallback || ss->firstHsDone) {
770 return 0;
771 }
773 extension_length = 4;
775 if (append && maxBytes >= extension_length) {
776 SECStatus rv;
777 rv = ssl3_AppendHandshakeNumber(ss, ssl_next_proto_nego_xtn, 2);
778 if (rv != SECSuccess)
779 goto loser;
780 rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
781 if (rv != SECSuccess)
782 goto loser;
783 ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
784 ssl_next_proto_nego_xtn;
785 } else if (maxBytes < extension_length) {
786 return 0;
787 }
789 return extension_length;
791 loser:
792 return -1;
793 }
795 static PRInt32
796 ssl3_ClientSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes)
797 {
798 PRInt32 extension_length;
799 unsigned char *alpn_protos = NULL;
801 /* Renegotiations do not send this extension. */
802 if (!ss->opt.enableALPN || !ss->opt.nextProtoNego.data || ss->firstHsDone) {
803 return 0;
804 }
806 extension_length = 2 /* extension type */ + 2 /* extension length */ +
807 2 /* protocol name list length */ +
808 ss->opt.nextProtoNego.len;
810 if (append && maxBytes >= extension_length) {
811 /* NPN requires that the client's fallback protocol is first in the
812 * list. However, ALPN sends protocols in preference order. So we
813 * allocate a buffer and move the first protocol to the end of the
814 * list. */
815 SECStatus rv;
816 const unsigned int len = ss->opt.nextProtoNego.len;
818 alpn_protos = PORT_Alloc(len);
819 if (alpn_protos == NULL) {
820 return SECFailure;
821 }
822 if (len > 0) {
823 /* Each protocol string is prefixed with a single byte length. */
824 unsigned int i = ss->opt.nextProtoNego.data[0] + 1;
825 if (i <= len) {
826 memcpy(alpn_protos, &ss->opt.nextProtoNego.data[i], len - i);
827 memcpy(alpn_protos + len - i, ss->opt.nextProtoNego.data, i);
828 } else {
829 /* This seems to be invalid data so we'll send as-is. */
830 memcpy(alpn_protos, ss->opt.nextProtoNego.data, len);
831 }
832 }
834 rv = ssl3_AppendHandshakeNumber(ss, ssl_app_layer_protocol_xtn, 2);
835 if (rv != SECSuccess) {
836 goto loser;
837 }
838 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2);
839 if (rv != SECSuccess) {
840 goto loser;
841 }
842 rv = ssl3_AppendHandshakeVariable(ss, alpn_protos, len, 2);
843 PORT_Free(alpn_protos);
844 alpn_protos = NULL;
845 if (rv != SECSuccess) {
846 goto loser;
847 }
848 ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
849 ssl_app_layer_protocol_xtn;
850 } else if (maxBytes < extension_length) {
851 return 0;
852 }
854 return extension_length;
856 loser:
857 if (alpn_protos) {
858 PORT_Free(alpn_protos);
859 }
860 return -1;
861 }
863 static PRInt32
864 ssl3_ServerSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes)
865 {
866 PRInt32 extension_length;
868 /* we're in over our heads if any of these fail */
869 PORT_Assert(ss->opt.enableALPN);
870 PORT_Assert(ss->ssl3.nextProto.data);
871 PORT_Assert(ss->ssl3.nextProto.len > 0);
872 PORT_Assert(ss->ssl3.nextProtoState == SSL_NEXT_PROTO_NEGOTIATED);
873 PORT_Assert(!ss->firstHsDone);
875 extension_length = 2 /* extension type */ + 2 /* extension length */ +
876 2 /* protocol name list */ + 1 /* name length */ +
877 ss->ssl3.nextProto.len;
879 if (append && maxBytes >= extension_length) {
880 SECStatus rv;
881 rv = ssl3_AppendHandshakeNumber(ss, ssl_app_layer_protocol_xtn, 2);
882 if (rv != SECSuccess) {
883 return -1;
884 }
885 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2);
886 if (rv != SECSuccess) {
887 return -1;
888 }
889 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.nextProto.len + 1, 2);
890 if (rv != SECSuccess) {
891 return -1;
892 }
893 rv = ssl3_AppendHandshakeVariable(ss, ss->ssl3.nextProto.data,
894 ss->ssl3.nextProto.len, 1);
895 if (rv != SECSuccess) {
896 return -1;
897 }
898 } else if (maxBytes < extension_length) {
899 return 0;
900 }
902 return extension_length;
903 }
905 static SECStatus
906 ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type,
907 SECItem *data)
908 {
909 /* The echoed extension must be empty. */
910 if (data->len != 0)
911 return SECFailure;
913 /* Keep track of negotiated extensions. */
914 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
916 return SECSuccess;
917 }
919 static PRInt32
920 ssl3_ServerSendStatusRequestXtn(
921 sslSocket * ss,
922 PRBool append,
923 PRUint32 maxBytes)
924 {
925 PRInt32 extension_length;
926 SECStatus rv;
927 int i;
928 PRBool haveStatus = PR_FALSE;
930 for (i = kt_null; i < kt_kea_size; i++) {
931 /* TODO: This is a temporary workaround.
932 * The correct code needs to see if we have an OCSP response for
933 * the server certificate being used, rather than if we have any
934 * OCSP response. See also ssl3_SendCertificateStatus.
935 */
936 if (ss->certStatusArray[i] && ss->certStatusArray[i]->len) {
937 haveStatus = PR_TRUE;
938 break;
939 }
940 }
941 if (!haveStatus)
942 return 0;
944 extension_length = 2 + 2;
945 if (append && maxBytes >= extension_length) {
946 /* extension_type */
947 rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2);
948 if (rv != SECSuccess)
949 return -1;
950 /* length of extension_data */
951 rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
952 if (rv != SECSuccess)
953 return -1;
954 }
956 return extension_length;
957 }
959 /* ssl3_ClientSendStatusRequestXtn builds the status_request extension on the
960 * client side. See RFC 4366 section 3.6. */
961 static PRInt32
962 ssl3_ClientSendStatusRequestXtn(sslSocket * ss, PRBool append,
963 PRUint32 maxBytes)
964 {
965 PRInt32 extension_length;
967 if (!ss->opt.enableOCSPStapling)
968 return 0;
970 /* extension_type (2-bytes) +
971 * length(extension_data) (2-bytes) +
972 * status_type (1) +
973 * responder_id_list length (2) +
974 * request_extensions length (2)
975 */
976 extension_length = 9;
978 if (append && maxBytes >= extension_length) {
979 SECStatus rv;
980 TLSExtensionData *xtnData;
982 /* extension_type */
983 rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2);
984 if (rv != SECSuccess)
985 return -1;
986 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2);
987 if (rv != SECSuccess)
988 return -1;
989 rv = ssl3_AppendHandshakeNumber(ss, 1 /* status_type ocsp */, 1);
990 if (rv != SECSuccess)
991 return -1;
992 /* A zero length responder_id_list means that the responders are
993 * implicitly known to the server. */
994 rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
995 if (rv != SECSuccess)
996 return -1;
997 /* A zero length request_extensions means that there are no extensions.
998 * Specifically, we don't set the id-pkix-ocsp-nonce extension. This
999 * means that the server can replay a cached OCSP response to us. */
1000 rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
1001 if (rv != SECSuccess)
1002 return -1;
1004 xtnData = &ss->xtnData;
1005 xtnData->advertised[xtnData->numAdvertised++] = ssl_cert_status_xtn;
1006 } else if (maxBytes < extension_length) {
1007 PORT_Assert(0);
1008 return 0;
1009 }
1010 return extension_length;
1011 }
1013 /*
1014 * NewSessionTicket
1015 * Called from ssl3_HandleFinished
1016 */
1017 SECStatus
1018 ssl3_SendNewSessionTicket(sslSocket *ss)
1019 {
1020 int i;
1021 SECStatus rv;
1022 NewSessionTicket ticket;
1023 SECItem plaintext;
1024 SECItem plaintext_item = {0, NULL, 0};
1025 SECItem ciphertext = {0, NULL, 0};
1026 PRUint32 ciphertext_length;
1027 PRBool ms_is_wrapped;
1028 unsigned char wrapped_ms[SSL3_MASTER_SECRET_LENGTH];
1029 SECItem ms_item = {0, NULL, 0};
1030 SSL3KEAType effectiveExchKeyType = ssl_kea_null;
1031 PRUint32 padding_length;
1032 PRUint32 message_length;
1033 PRUint32 cert_length;
1034 PRUint8 length_buf[4];
1035 PRUint32 now;
1036 PK11SymKey *aes_key_pkcs11;
1037 PK11SymKey *mac_key_pkcs11;
1038 #ifndef NO_PKCS11_BYPASS
1039 const unsigned char *aes_key;
1040 const unsigned char *mac_key;
1041 PRUint32 aes_key_length;
1042 PRUint32 mac_key_length;
1043 PRUint64 aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS];
1044 AESContext *aes_ctx;
1045 const SECHashObject *hashObj = NULL;
1046 PRUint64 hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS];
1047 HMACContext *hmac_ctx;
1048 #endif
1049 CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC;
1050 PK11Context *aes_ctx_pkcs11;
1051 CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC;
1052 PK11Context *hmac_ctx_pkcs11;
1053 unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH];
1054 unsigned int computed_mac_length;
1055 unsigned char iv[AES_BLOCK_SIZE];
1056 SECItem ivItem;
1057 SECItem *srvName = NULL;
1058 PRUint32 srvNameLen = 0;
1059 CK_MECHANISM_TYPE msWrapMech = 0; /* dummy default value,
1060 * must be >= 0 */
1062 SSL_TRC(3, ("%d: SSL3[%d]: send session_ticket handshake",
1063 SSL_GETPID(), ss->fd));
1065 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
1066 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
1068 ticket.ticket_lifetime_hint = TLS_EX_SESS_TICKET_LIFETIME_HINT;
1069 cert_length = (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) ?
1070 3 + ss->sec.ci.sid->peerCert->derCert.len : 0;
1072 /* Get IV and encryption keys */
1073 ivItem.data = iv;
1074 ivItem.len = sizeof(iv);
1075 rv = PK11_GenerateRandom(iv, sizeof(iv));
1076 if (rv != SECSuccess) goto loser;
1078 #ifndef NO_PKCS11_BYPASS
1079 if (ss->opt.bypassPKCS11) {
1080 rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length,
1081 &mac_key, &mac_key_length);
1082 } else
1083 #endif
1084 {
1085 rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11,
1086 &mac_key_pkcs11);
1087 }
1088 if (rv != SECSuccess) goto loser;
1090 if (ss->ssl3.pwSpec->msItem.len && ss->ssl3.pwSpec->msItem.data) {
1091 /* The master secret is available unwrapped. */
1092 ms_item.data = ss->ssl3.pwSpec->msItem.data;
1093 ms_item.len = ss->ssl3.pwSpec->msItem.len;
1094 ms_is_wrapped = PR_FALSE;
1095 } else {
1096 /* Extract the master secret wrapped. */
1097 sslSessionID sid;
1098 PORT_Memset(&sid, 0, sizeof(sslSessionID));
1100 if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) {
1101 effectiveExchKeyType = kt_rsa;
1102 } else {
1103 effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType;
1104 }
1106 rv = ssl3_CacheWrappedMasterSecret(ss, &sid, ss->ssl3.pwSpec,
1107 effectiveExchKeyType);
1108 if (rv == SECSuccess) {
1109 if (sid.u.ssl3.keys.wrapped_master_secret_len > sizeof(wrapped_ms))
1110 goto loser;
1111 memcpy(wrapped_ms, sid.u.ssl3.keys.wrapped_master_secret,
1112 sid.u.ssl3.keys.wrapped_master_secret_len);
1113 ms_item.data = wrapped_ms;
1114 ms_item.len = sid.u.ssl3.keys.wrapped_master_secret_len;
1115 msWrapMech = sid.u.ssl3.masterWrapMech;
1116 } else {
1117 /* TODO: else send an empty ticket. */
1118 goto loser;
1119 }
1120 ms_is_wrapped = PR_TRUE;
1121 }
1122 /* Prep to send negotiated name */
1123 srvName = &ss->ssl3.pwSpec->srvVirtName;
1124 if (srvName->data && srvName->len) {
1125 srvNameLen = 2 + srvName->len; /* len bytes + name len */
1126 }
1128 ciphertext_length =
1129 sizeof(PRUint16) /* ticket_version */
1130 + sizeof(SSL3ProtocolVersion) /* ssl_version */
1131 + sizeof(ssl3CipherSuite) /* ciphersuite */
1132 + 1 /* compression */
1133 + 10 /* cipher spec parameters */
1134 + 1 /* SessionTicket.ms_is_wrapped */
1135 + 1 /* effectiveExchKeyType */
1136 + 4 /* msWrapMech */
1137 + 2 /* master_secret.length */
1138 + ms_item.len /* master_secret */
1139 + 1 /* client_auth_type */
1140 + cert_length /* cert */
1141 + 1 /* server name type */
1142 + srvNameLen /* name len + length field */
1143 + sizeof(ticket.ticket_lifetime_hint);
1144 padding_length = AES_BLOCK_SIZE -
1145 (ciphertext_length % AES_BLOCK_SIZE);
1146 ciphertext_length += padding_length;
1148 message_length =
1149 sizeof(ticket.ticket_lifetime_hint) /* ticket_lifetime_hint */
1150 + 2 /* length field for NewSessionTicket.ticket */
1151 + SESS_TICKET_KEY_NAME_LEN /* key_name */
1152 + AES_BLOCK_SIZE /* iv */
1153 + 2 /* length field for NewSessionTicket.ticket.encrypted_state */
1154 + ciphertext_length /* encrypted_state */
1155 + TLS_EX_SESS_TICKET_MAC_LENGTH; /* mac */
1157 if (SECITEM_AllocItem(NULL, &plaintext_item, ciphertext_length) == NULL)
1158 goto loser;
1160 plaintext = plaintext_item;
1162 /* ticket_version */
1163 rv = ssl3_AppendNumberToItem(&plaintext, TLS_EX_SESS_TICKET_VERSION,
1164 sizeof(PRUint16));
1165 if (rv != SECSuccess) goto loser;
1167 /* ssl_version */
1168 rv = ssl3_AppendNumberToItem(&plaintext, ss->version,
1169 sizeof(SSL3ProtocolVersion));
1170 if (rv != SECSuccess) goto loser;
1172 /* ciphersuite */
1173 rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.cipher_suite,
1174 sizeof(ssl3CipherSuite));
1175 if (rv != SECSuccess) goto loser;
1177 /* compression */
1178 rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.compression, 1);
1179 if (rv != SECSuccess) goto loser;
1181 /* cipher spec parameters */
1182 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authAlgorithm, 1);
1183 if (rv != SECSuccess) goto loser;
1184 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authKeyBits, 4);
1185 if (rv != SECSuccess) goto loser;
1186 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaType, 1);
1187 if (rv != SECSuccess) goto loser;
1188 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaKeyBits, 4);
1189 if (rv != SECSuccess) goto loser;
1191 /* master_secret */
1192 rv = ssl3_AppendNumberToItem(&plaintext, ms_is_wrapped, 1);
1193 if (rv != SECSuccess) goto loser;
1194 rv = ssl3_AppendNumberToItem(&plaintext, effectiveExchKeyType, 1);
1195 if (rv != SECSuccess) goto loser;
1196 rv = ssl3_AppendNumberToItem(&plaintext, msWrapMech, 4);
1197 if (rv != SECSuccess) goto loser;
1198 rv = ssl3_AppendNumberToItem(&plaintext, ms_item.len, 2);
1199 if (rv != SECSuccess) goto loser;
1200 rv = ssl3_AppendToItem(&plaintext, ms_item.data, ms_item.len);
1201 if (rv != SECSuccess) goto loser;
1203 /* client_identity */
1204 if (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) {
1205 rv = ssl3_AppendNumberToItem(&plaintext, CLIENT_AUTH_CERTIFICATE, 1);
1206 if (rv != SECSuccess) goto loser;
1207 rv = ssl3_AppendNumberToItem(&plaintext,
1208 ss->sec.ci.sid->peerCert->derCert.len, 3);
1209 if (rv != SECSuccess) goto loser;
1210 rv = ssl3_AppendToItem(&plaintext,
1211 ss->sec.ci.sid->peerCert->derCert.data,
1212 ss->sec.ci.sid->peerCert->derCert.len);
1213 if (rv != SECSuccess) goto loser;
1214 } else {
1215 rv = ssl3_AppendNumberToItem(&plaintext, 0, 1);
1216 if (rv != SECSuccess) goto loser;
1217 }
1219 /* timestamp */
1220 now = ssl_Time();
1221 rv = ssl3_AppendNumberToItem(&plaintext, now,
1222 sizeof(ticket.ticket_lifetime_hint));
1223 if (rv != SECSuccess) goto loser;
1225 if (srvNameLen) {
1226 /* Name Type (sni_host_name) */
1227 rv = ssl3_AppendNumberToItem(&plaintext, srvName->type, 1);
1228 if (rv != SECSuccess) goto loser;
1229 /* HostName (length and value) */
1230 rv = ssl3_AppendNumberToItem(&plaintext, srvName->len, 2);
1231 if (rv != SECSuccess) goto loser;
1232 rv = ssl3_AppendToItem(&plaintext, srvName->data, srvName->len);
1233 if (rv != SECSuccess) goto loser;
1234 } else {
1235 /* No Name */
1236 rv = ssl3_AppendNumberToItem(&plaintext, (char)TLS_STE_NO_SERVER_NAME,
1237 1);
1238 if (rv != SECSuccess) goto loser;
1239 }
1241 PORT_Assert(plaintext.len == padding_length);
1242 for (i = 0; i < padding_length; i++)
1243 plaintext.data[i] = (unsigned char)padding_length;
1245 if (SECITEM_AllocItem(NULL, &ciphertext, ciphertext_length) == NULL) {
1246 rv = SECFailure;
1247 goto loser;
1248 }
1250 /* Generate encrypted portion of ticket. */
1251 #ifndef NO_PKCS11_BYPASS
1252 if (ss->opt.bypassPKCS11) {
1253 aes_ctx = (AESContext *)aes_ctx_buf;
1254 rv = AES_InitContext(aes_ctx, aes_key, aes_key_length, iv,
1255 NSS_AES_CBC, 1, AES_BLOCK_SIZE);
1256 if (rv != SECSuccess) goto loser;
1258 rv = AES_Encrypt(aes_ctx, ciphertext.data, &ciphertext.len,
1259 ciphertext.len, plaintext_item.data,
1260 plaintext_item.len);
1261 if (rv != SECSuccess) goto loser;
1262 } else
1263 #endif
1264 {
1265 aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech,
1266 CKA_ENCRYPT, aes_key_pkcs11, &ivItem);
1267 if (!aes_ctx_pkcs11)
1268 goto loser;
1270 rv = PK11_CipherOp(aes_ctx_pkcs11, ciphertext.data,
1271 (int *)&ciphertext.len, ciphertext.len,
1272 plaintext_item.data, plaintext_item.len);
1273 PK11_Finalize(aes_ctx_pkcs11);
1274 PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE);
1275 if (rv != SECSuccess) goto loser;
1276 }
1278 /* Convert ciphertext length to network order. */
1279 length_buf[0] = (ciphertext.len >> 8) & 0xff;
1280 length_buf[1] = (ciphertext.len ) & 0xff;
1282 /* Compute MAC. */
1283 #ifndef NO_PKCS11_BYPASS
1284 if (ss->opt.bypassPKCS11) {
1285 hmac_ctx = (HMACContext *)hmac_ctx_buf;
1286 hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
1287 if (HMAC_Init(hmac_ctx, hashObj, mac_key,
1288 mac_key_length, PR_FALSE) != SECSuccess)
1289 goto loser;
1291 HMAC_Begin(hmac_ctx);
1292 HMAC_Update(hmac_ctx, key_name, SESS_TICKET_KEY_NAME_LEN);
1293 HMAC_Update(hmac_ctx, iv, sizeof(iv));
1294 HMAC_Update(hmac_ctx, (unsigned char *)length_buf, 2);
1295 HMAC_Update(hmac_ctx, ciphertext.data, ciphertext.len);
1296 HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length,
1297 sizeof(computed_mac));
1298 } else
1299 #endif
1300 {
1301 SECItem macParam;
1302 macParam.data = NULL;
1303 macParam.len = 0;
1304 hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech,
1305 CKA_SIGN, mac_key_pkcs11, &macParam);
1306 if (!hmac_ctx_pkcs11)
1307 goto loser;
1309 rv = PK11_DigestBegin(hmac_ctx_pkcs11);
1310 rv = PK11_DigestOp(hmac_ctx_pkcs11, key_name,
1311 SESS_TICKET_KEY_NAME_LEN);
1312 rv = PK11_DigestOp(hmac_ctx_pkcs11, iv, sizeof(iv));
1313 rv = PK11_DigestOp(hmac_ctx_pkcs11, (unsigned char *)length_buf, 2);
1314 rv = PK11_DigestOp(hmac_ctx_pkcs11, ciphertext.data, ciphertext.len);
1315 rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac,
1316 &computed_mac_length, sizeof(computed_mac));
1317 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE);
1318 if (rv != SECSuccess) goto loser;
1319 }
1321 /* Serialize the handshake message. */
1322 rv = ssl3_AppendHandshakeHeader(ss, new_session_ticket, message_length);
1323 if (rv != SECSuccess) goto loser;
1325 rv = ssl3_AppendHandshakeNumber(ss, ticket.ticket_lifetime_hint,
1326 sizeof(ticket.ticket_lifetime_hint));
1327 if (rv != SECSuccess) goto loser;
1329 rv = ssl3_AppendHandshakeNumber(ss,
1330 message_length - sizeof(ticket.ticket_lifetime_hint) - 2, 2);
1331 if (rv != SECSuccess) goto loser;
1333 rv = ssl3_AppendHandshake(ss, key_name, SESS_TICKET_KEY_NAME_LEN);
1334 if (rv != SECSuccess) goto loser;
1336 rv = ssl3_AppendHandshake(ss, iv, sizeof(iv));
1337 if (rv != SECSuccess) goto loser;
1339 rv = ssl3_AppendHandshakeVariable(ss, ciphertext.data, ciphertext.len, 2);
1340 if (rv != SECSuccess) goto loser;
1342 rv = ssl3_AppendHandshake(ss, computed_mac, computed_mac_length);
1343 if (rv != SECSuccess) goto loser;
1345 loser:
1346 if (plaintext_item.data)
1347 SECITEM_FreeItem(&plaintext_item, PR_FALSE);
1348 if (ciphertext.data)
1349 SECITEM_FreeItem(&ciphertext, PR_FALSE);
1351 return rv;
1352 }
1354 /* When a client receives a SessionTicket extension a NewSessionTicket
1355 * message is expected during the handshake.
1356 */
1357 SECStatus
1358 ssl3_ClientHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
1359 SECItem *data)
1360 {
1361 if (data->len != 0)
1362 return SECFailure;
1364 /* Keep track of negotiated extensions. */
1365 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
1366 return SECSuccess;
1367 }
1369 SECStatus
1370 ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
1371 SECItem *data)
1372 {
1373 SECStatus rv;
1374 SECItem *decrypted_state = NULL;
1375 SessionTicket *parsed_session_ticket = NULL;
1376 sslSessionID *sid = NULL;
1377 SSL3Statistics *ssl3stats;
1379 /* Ignore the SessionTicket extension if processing is disabled. */
1380 if (!ss->opt.enableSessionTickets)
1381 return SECSuccess;
1383 /* Keep track of negotiated extensions. */
1384 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
1386 /* Parse the received ticket sent in by the client. We are
1387 * lenient about some parse errors, falling back to a fullshake
1388 * instead of terminating the current connection.
1389 */
1390 if (data->len == 0) {
1391 ss->xtnData.emptySessionTicket = PR_TRUE;
1392 } else {
1393 int i;
1394 SECItem extension_data;
1395 EncryptedSessionTicket enc_session_ticket;
1396 unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH];
1397 unsigned int computed_mac_length;
1398 #ifndef NO_PKCS11_BYPASS
1399 const SECHashObject *hashObj;
1400 const unsigned char *aes_key;
1401 const unsigned char *mac_key;
1402 PRUint32 aes_key_length;
1403 PRUint32 mac_key_length;
1404 PRUint64 hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS];
1405 HMACContext *hmac_ctx;
1406 PRUint64 aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS];
1407 AESContext *aes_ctx;
1408 #endif
1409 PK11SymKey *aes_key_pkcs11;
1410 PK11SymKey *mac_key_pkcs11;
1411 PK11Context *hmac_ctx_pkcs11;
1412 CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC;
1413 PK11Context *aes_ctx_pkcs11;
1414 CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC;
1415 unsigned char * padding;
1416 PRUint32 padding_length;
1417 unsigned char *buffer;
1418 unsigned int buffer_len;
1419 PRInt32 temp;
1420 SECItem cert_item;
1421 PRInt8 nameType = TLS_STE_NO_SERVER_NAME;
1423 /* Turn off stateless session resumption if the client sends a
1424 * SessionTicket extension, even if the extension turns out to be
1425 * malformed (ss->sec.ci.sid is non-NULL when doing session
1426 * renegotiation.)
1427 */
1428 if (ss->sec.ci.sid != NULL) {
1429 if (ss->sec.uncache)
1430 ss->sec.uncache(ss->sec.ci.sid);
1431 ssl_FreeSID(ss->sec.ci.sid);
1432 ss->sec.ci.sid = NULL;
1433 }
1435 extension_data.data = data->data; /* Keep a copy for future use. */
1436 extension_data.len = data->len;
1438 if (ssl3_ParseEncryptedSessionTicket(ss, data, &enc_session_ticket)
1439 != SECSuccess)
1440 return SECFailure;
1442 /* Get session ticket keys. */
1443 #ifndef NO_PKCS11_BYPASS
1444 if (ss->opt.bypassPKCS11) {
1445 rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length,
1446 &mac_key, &mac_key_length);
1447 } else
1448 #endif
1449 {
1450 rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11,
1451 &mac_key_pkcs11);
1452 }
1453 if (rv != SECSuccess) {
1454 SSL_DBG(("%d: SSL[%d]: Unable to get/generate session ticket keys.",
1455 SSL_GETPID(), ss->fd));
1456 goto loser;
1457 }
1459 /* If the ticket sent by the client was generated under a key different
1460 * from the one we have, bypass ticket processing.
1461 */
1462 if (PORT_Memcmp(enc_session_ticket.key_name, key_name,
1463 SESS_TICKET_KEY_NAME_LEN) != 0) {
1464 SSL_DBG(("%d: SSL[%d]: Session ticket key_name sent mismatch.",
1465 SSL_GETPID(), ss->fd));
1466 goto no_ticket;
1467 }
1469 /* Verify the MAC on the ticket. MAC verification may also
1470 * fail if the MAC key has been recently refreshed.
1471 */
1472 #ifndef NO_PKCS11_BYPASS
1473 if (ss->opt.bypassPKCS11) {
1474 hmac_ctx = (HMACContext *)hmac_ctx_buf;
1475 hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
1476 if (HMAC_Init(hmac_ctx, hashObj, mac_key,
1477 sizeof(session_ticket_mac_key), PR_FALSE) != SECSuccess)
1478 goto no_ticket;
1479 HMAC_Begin(hmac_ctx);
1480 HMAC_Update(hmac_ctx, extension_data.data,
1481 extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH);
1482 if (HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length,
1483 sizeof(computed_mac)) != SECSuccess)
1484 goto no_ticket;
1485 } else
1486 #endif
1487 {
1488 SECItem macParam;
1489 macParam.data = NULL;
1490 macParam.len = 0;
1491 hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech,
1492 CKA_SIGN, mac_key_pkcs11, &macParam);
1493 if (!hmac_ctx_pkcs11) {
1494 SSL_DBG(("%d: SSL[%d]: Unable to create HMAC context: %d.",
1495 SSL_GETPID(), ss->fd, PORT_GetError()));
1496 goto no_ticket;
1497 } else {
1498 SSL_DBG(("%d: SSL[%d]: Successfully created HMAC context.",
1499 SSL_GETPID(), ss->fd));
1500 }
1501 rv = PK11_DigestBegin(hmac_ctx_pkcs11);
1502 rv = PK11_DigestOp(hmac_ctx_pkcs11, extension_data.data,
1503 extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH);
1504 if (rv != SECSuccess) {
1505 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE);
1506 goto no_ticket;
1507 }
1508 rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac,
1509 &computed_mac_length, sizeof(computed_mac));
1510 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE);
1511 if (rv != SECSuccess)
1512 goto no_ticket;
1513 }
1514 if (NSS_SecureMemcmp(computed_mac, enc_session_ticket.mac,
1515 computed_mac_length) != 0) {
1516 SSL_DBG(("%d: SSL[%d]: Session ticket MAC mismatch.",
1517 SSL_GETPID(), ss->fd));
1518 goto no_ticket;
1519 }
1521 /* We ignore key_name for now.
1522 * This is ok as MAC verification succeeded.
1523 */
1525 /* Decrypt the ticket. */
1527 /* Plaintext is shorter than the ciphertext due to padding. */
1528 decrypted_state = SECITEM_AllocItem(NULL, NULL,
1529 enc_session_ticket.encrypted_state.len);
1531 #ifndef NO_PKCS11_BYPASS
1532 if (ss->opt.bypassPKCS11) {
1533 aes_ctx = (AESContext *)aes_ctx_buf;
1534 rv = AES_InitContext(aes_ctx, aes_key,
1535 sizeof(session_ticket_enc_key), enc_session_ticket.iv,
1536 NSS_AES_CBC, 0,AES_BLOCK_SIZE);
1537 if (rv != SECSuccess) {
1538 SSL_DBG(("%d: SSL[%d]: Unable to create AES context.",
1539 SSL_GETPID(), ss->fd));
1540 goto no_ticket;
1541 }
1543 rv = AES_Decrypt(aes_ctx, decrypted_state->data,
1544 &decrypted_state->len, decrypted_state->len,
1545 enc_session_ticket.encrypted_state.data,
1546 enc_session_ticket.encrypted_state.len);
1547 if (rv != SECSuccess)
1548 goto no_ticket;
1549 } else
1550 #endif
1551 {
1552 SECItem ivItem;
1553 ivItem.data = enc_session_ticket.iv;
1554 ivItem.len = AES_BLOCK_SIZE;
1555 aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech,
1556 CKA_DECRYPT, aes_key_pkcs11, &ivItem);
1557 if (!aes_ctx_pkcs11) {
1558 SSL_DBG(("%d: SSL[%d]: Unable to create AES context.",
1559 SSL_GETPID(), ss->fd));
1560 goto no_ticket;
1561 }
1563 rv = PK11_CipherOp(aes_ctx_pkcs11, decrypted_state->data,
1564 (int *)&decrypted_state->len, decrypted_state->len,
1565 enc_session_ticket.encrypted_state.data,
1566 enc_session_ticket.encrypted_state.len);
1567 PK11_Finalize(aes_ctx_pkcs11);
1568 PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE);
1569 if (rv != SECSuccess)
1570 goto no_ticket;
1571 }
1573 /* Check padding. */
1574 padding_length =
1575 (PRUint32)decrypted_state->data[decrypted_state->len - 1];
1576 if (padding_length == 0 || padding_length > AES_BLOCK_SIZE)
1577 goto no_ticket;
1579 padding = &decrypted_state->data[decrypted_state->len - padding_length];
1580 for (i = 0; i < padding_length; i++, padding++) {
1581 if (padding_length != (PRUint32)*padding)
1582 goto no_ticket;
1583 }
1585 /* Deserialize session state. */
1586 buffer = decrypted_state->data;
1587 buffer_len = decrypted_state->len;
1589 parsed_session_ticket = PORT_ZAlloc(sizeof(SessionTicket));
1590 if (parsed_session_ticket == NULL) {
1591 rv = SECFailure;
1592 goto loser;
1593 }
1595 /* Read ticket_version (which is ignored for now.) */
1596 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
1597 if (temp < 0) goto no_ticket;
1598 parsed_session_ticket->ticket_version = (SSL3ProtocolVersion)temp;
1600 /* Read SSLVersion. */
1601 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
1602 if (temp < 0) goto no_ticket;
1603 parsed_session_ticket->ssl_version = (SSL3ProtocolVersion)temp;
1605 /* Read cipher_suite. */
1606 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
1607 if (temp < 0) goto no_ticket;
1608 parsed_session_ticket->cipher_suite = (ssl3CipherSuite)temp;
1610 /* Read compression_method. */
1611 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
1612 if (temp < 0) goto no_ticket;
1613 parsed_session_ticket->compression_method = (SSLCompressionMethod)temp;
1615 /* Read cipher spec parameters. */
1616 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
1617 if (temp < 0) goto no_ticket;
1618 parsed_session_ticket->authAlgorithm = (SSLSignType)temp;
1619 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
1620 if (temp < 0) goto no_ticket;
1621 parsed_session_ticket->authKeyBits = (PRUint32)temp;
1622 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
1623 if (temp < 0) goto no_ticket;
1624 parsed_session_ticket->keaType = (SSLKEAType)temp;
1625 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
1626 if (temp < 0) goto no_ticket;
1627 parsed_session_ticket->keaKeyBits = (PRUint32)temp;
1629 /* Read wrapped master_secret. */
1630 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
1631 if (temp < 0) goto no_ticket;
1632 parsed_session_ticket->ms_is_wrapped = (PRBool)temp;
1634 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
1635 if (temp < 0) goto no_ticket;
1636 parsed_session_ticket->exchKeyType = (SSL3KEAType)temp;
1638 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
1639 if (temp < 0) goto no_ticket;
1640 parsed_session_ticket->msWrapMech = (CK_MECHANISM_TYPE)temp;
1642 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
1643 if (temp < 0) goto no_ticket;
1644 parsed_session_ticket->ms_length = (PRUint16)temp;
1645 if (parsed_session_ticket->ms_length == 0 || /* sanity check MS. */
1646 parsed_session_ticket->ms_length >
1647 sizeof(parsed_session_ticket->master_secret))
1648 goto no_ticket;
1650 /* Allow for the wrapped master secret to be longer. */
1651 if (buffer_len < parsed_session_ticket->ms_length)
1652 goto no_ticket;
1653 PORT_Memcpy(parsed_session_ticket->master_secret, buffer,
1654 parsed_session_ticket->ms_length);
1655 buffer += parsed_session_ticket->ms_length;
1656 buffer_len -= parsed_session_ticket->ms_length;
1658 /* Read client_identity */
1659 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
1660 if (temp < 0)
1661 goto no_ticket;
1662 parsed_session_ticket->client_identity.client_auth_type =
1663 (ClientAuthenticationType)temp;
1664 switch(parsed_session_ticket->client_identity.client_auth_type) {
1665 case CLIENT_AUTH_ANONYMOUS:
1666 break;
1667 case CLIENT_AUTH_CERTIFICATE:
1668 rv = ssl3_ConsumeHandshakeVariable(ss, &cert_item, 3,
1669 &buffer, &buffer_len);
1670 if (rv != SECSuccess) goto no_ticket;
1671 rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->peer_cert,
1672 &cert_item);
1673 if (rv != SECSuccess) goto no_ticket;
1674 break;
1675 default:
1676 goto no_ticket;
1677 }
1678 /* Read timestamp. */
1679 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
1680 if (temp < 0)
1681 goto no_ticket;
1682 parsed_session_ticket->timestamp = (PRUint32)temp;
1684 /* Read server name */
1685 nameType =
1686 ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
1687 if (nameType != TLS_STE_NO_SERVER_NAME) {
1688 SECItem name_item;
1689 rv = ssl3_ConsumeHandshakeVariable(ss, &name_item, 2, &buffer,
1690 &buffer_len);
1691 if (rv != SECSuccess) goto no_ticket;
1692 rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->srvName,
1693 &name_item);
1694 if (rv != SECSuccess) goto no_ticket;
1695 parsed_session_ticket->srvName.type = nameType;
1696 }
1698 /* Done parsing. Check that all bytes have been consumed. */
1699 if (buffer_len != padding_length)
1700 goto no_ticket;
1702 /* Use the ticket if it has not expired, otherwise free the allocated
1703 * memory since the ticket is of no use.
1704 */
1705 if (parsed_session_ticket->timestamp != 0 &&
1706 parsed_session_ticket->timestamp +
1707 TLS_EX_SESS_TICKET_LIFETIME_HINT > ssl_Time()) {
1709 sid = ssl3_NewSessionID(ss, PR_TRUE);
1710 if (sid == NULL) {
1711 rv = SECFailure;
1712 goto loser;
1713 }
1715 /* Copy over parameters. */
1716 sid->version = parsed_session_ticket->ssl_version;
1717 sid->u.ssl3.cipherSuite = parsed_session_ticket->cipher_suite;
1718 sid->u.ssl3.compression = parsed_session_ticket->compression_method;
1719 sid->authAlgorithm = parsed_session_ticket->authAlgorithm;
1720 sid->authKeyBits = parsed_session_ticket->authKeyBits;
1721 sid->keaType = parsed_session_ticket->keaType;
1722 sid->keaKeyBits = parsed_session_ticket->keaKeyBits;
1724 /* Copy master secret. */
1725 #ifndef NO_PKCS11_BYPASS
1726 if (ss->opt.bypassPKCS11 &&
1727 parsed_session_ticket->ms_is_wrapped)
1728 goto no_ticket;
1729 #endif
1730 if (parsed_session_ticket->ms_length >
1731 sizeof(sid->u.ssl3.keys.wrapped_master_secret))
1732 goto no_ticket;
1733 PORT_Memcpy(sid->u.ssl3.keys.wrapped_master_secret,
1734 parsed_session_ticket->master_secret,
1735 parsed_session_ticket->ms_length);
1736 sid->u.ssl3.keys.wrapped_master_secret_len =
1737 parsed_session_ticket->ms_length;
1738 sid->u.ssl3.exchKeyType = parsed_session_ticket->exchKeyType;
1739 sid->u.ssl3.masterWrapMech = parsed_session_ticket->msWrapMech;
1740 sid->u.ssl3.keys.msIsWrapped =
1741 parsed_session_ticket->ms_is_wrapped;
1742 sid->u.ssl3.masterValid = PR_TRUE;
1743 sid->u.ssl3.keys.resumable = PR_TRUE;
1745 /* Copy over client cert from session ticket if there is one. */
1746 if (parsed_session_ticket->peer_cert.data != NULL) {
1747 if (sid->peerCert != NULL)
1748 CERT_DestroyCertificate(sid->peerCert);
1749 sid->peerCert = CERT_NewTempCertificate(ss->dbHandle,
1750 &parsed_session_ticket->peer_cert, NULL, PR_FALSE, PR_TRUE);
1751 if (sid->peerCert == NULL) {
1752 rv = SECFailure;
1753 goto loser;
1754 }
1755 }
1756 if (parsed_session_ticket->srvName.data != NULL) {
1757 sid->u.ssl3.srvName = parsed_session_ticket->srvName;
1758 }
1759 ss->statelessResume = PR_TRUE;
1760 ss->sec.ci.sid = sid;
1761 }
1762 }
1764 if (0) {
1765 no_ticket:
1766 SSL_DBG(("%d: SSL[%d]: Session ticket parsing failed.",
1767 SSL_GETPID(), ss->fd));
1768 ssl3stats = SSL_GetStatistics();
1769 SSL_AtomicIncrementLong(& ssl3stats->hch_sid_ticket_parse_failures );
1770 }
1771 rv = SECSuccess;
1773 loser:
1774 /* ss->sec.ci.sid == sid if it did NOT come here via goto statement
1775 * in that case do not free sid
1776 */
1777 if (sid && (ss->sec.ci.sid != sid)) {
1778 ssl_FreeSID(sid);
1779 sid = NULL;
1780 }
1781 if (decrypted_state != NULL) {
1782 SECITEM_FreeItem(decrypted_state, PR_TRUE);
1783 decrypted_state = NULL;
1784 }
1786 if (parsed_session_ticket != NULL) {
1787 if (parsed_session_ticket->peer_cert.data) {
1788 SECITEM_FreeItem(&parsed_session_ticket->peer_cert, PR_FALSE);
1789 }
1790 PORT_ZFree(parsed_session_ticket, sizeof(SessionTicket));
1791 }
1793 return rv;
1794 }
1796 /*
1797 * Read bytes. Using this function means the SECItem structure
1798 * cannot be freed. The caller is expected to call this function
1799 * on a shallow copy of the structure.
1800 */
1801 static SECStatus
1802 ssl3_ConsumeFromItem(SECItem *item, unsigned char **buf, PRUint32 bytes)
1803 {
1804 if (bytes > item->len)
1805 return SECFailure;
1807 *buf = item->data;
1808 item->data += bytes;
1809 item->len -= bytes;
1810 return SECSuccess;
1811 }
1813 static SECStatus
1814 ssl3_ParseEncryptedSessionTicket(sslSocket *ss, SECItem *data,
1815 EncryptedSessionTicket *enc_session_ticket)
1816 {
1817 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->key_name,
1818 SESS_TICKET_KEY_NAME_LEN) != SECSuccess)
1819 return SECFailure;
1820 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->iv,
1821 AES_BLOCK_SIZE) != SECSuccess)
1822 return SECFailure;
1823 if (ssl3_ConsumeHandshakeVariable(ss, &enc_session_ticket->encrypted_state,
1824 2, &data->data, &data->len) != SECSuccess)
1825 return SECFailure;
1826 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->mac,
1827 TLS_EX_SESS_TICKET_MAC_LENGTH) != SECSuccess)
1828 return SECFailure;
1829 if (data->len != 0) /* Make sure that we have consumed all bytes. */
1830 return SECFailure;
1832 return SECSuccess;
1833 }
1835 /* go through hello extensions in buffer "b".
1836 * For each one, find the extension handler in the table, and
1837 * if present, invoke that handler.
1838 * Servers ignore any extensions with unknown extension types.
1839 * Clients reject any extensions with unadvertised extension types.
1840 */
1841 SECStatus
1842 ssl3_HandleHelloExtensions(sslSocket *ss, SSL3Opaque **b, PRUint32 *length)
1843 {
1844 const ssl3HelloExtensionHandler * handlers;
1846 if (ss->sec.isServer) {
1847 handlers = clientHelloHandlers;
1848 } else if (ss->version > SSL_LIBRARY_VERSION_3_0) {
1849 handlers = serverHelloHandlersTLS;
1850 } else {
1851 handlers = serverHelloHandlersSSL3;
1852 }
1854 while (*length) {
1855 const ssl3HelloExtensionHandler * handler;
1856 SECStatus rv;
1857 PRInt32 extension_type;
1858 SECItem extension_data;
1860 /* Get the extension's type field */
1861 extension_type = ssl3_ConsumeHandshakeNumber(ss, 2, b, length);
1862 if (extension_type < 0) /* failure to decode extension_type */
1863 return SECFailure; /* alert already sent */
1865 /* get the data for this extension, so we can pass it or skip it. */
1866 rv = ssl3_ConsumeHandshakeVariable(ss, &extension_data, 2, b, length);
1867 if (rv != SECSuccess)
1868 return rv;
1870 /* Check whether the server sent an extension which was not advertised
1871 * in the ClientHello.
1872 */
1873 if (!ss->sec.isServer &&
1874 !ssl3_ClientExtensionAdvertised(ss, extension_type))
1875 return SECFailure; /* TODO: send unsupported_extension alert */
1877 /* Check whether an extension has been sent multiple times. */
1878 if (ssl3_ExtensionNegotiated(ss, extension_type))
1879 return SECFailure;
1881 /* find extension_type in table of Hello Extension Handlers */
1882 for (handler = handlers; handler->ex_type >= 0; handler++) {
1883 /* if found, call this handler */
1884 if (handler->ex_type == extension_type) {
1885 rv = (*handler->ex_handler)(ss, (PRUint16)extension_type,
1886 &extension_data);
1887 /* Ignore this result */
1888 /* Treat all bad extensions as unrecognized types. */
1889 break;
1890 }
1891 }
1892 }
1893 return SECSuccess;
1894 }
1896 /* Add a callback function to the table of senders of server hello extensions.
1897 */
1898 SECStatus
1899 ssl3_RegisterServerHelloExtensionSender(sslSocket *ss, PRUint16 ex_type,
1900 ssl3HelloExtensionSenderFunc cb)
1901 {
1902 int i;
1903 ssl3HelloExtensionSender *sender = &ss->xtnData.serverSenders[0];
1905 for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) {
1906 if (!sender->ex_sender) {
1907 sender->ex_type = ex_type;
1908 sender->ex_sender = cb;
1909 return SECSuccess;
1910 }
1911 /* detect duplicate senders */
1912 PORT_Assert(sender->ex_type != ex_type);
1913 if (sender->ex_type == ex_type) {
1914 /* duplicate */
1915 break;
1916 }
1917 }
1918 PORT_Assert(i < SSL_MAX_EXTENSIONS); /* table needs to grow */
1919 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1920 return SECFailure;
1921 }
1923 /* call each of the extension senders and return the accumulated length */
1924 PRInt32
1925 ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes,
1926 const ssl3HelloExtensionSender *sender)
1927 {
1928 PRInt32 total_exten_len = 0;
1929 int i;
1931 if (!sender) {
1932 sender = ss->version > SSL_LIBRARY_VERSION_3_0 ?
1933 &clientHelloSendersTLS[0] : &clientHelloSendersSSL3[0];
1934 }
1936 for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) {
1937 if (sender->ex_sender) {
1938 PRInt32 extLen = (*sender->ex_sender)(ss, append, maxBytes);
1939 if (extLen < 0)
1940 return -1;
1941 maxBytes -= extLen;
1942 total_exten_len += extLen;
1943 }
1944 }
1945 return total_exten_len;
1946 }
1949 /* Extension format:
1950 * Extension number: 2 bytes
1951 * Extension length: 2 bytes
1952 * Verify Data Length: 1 byte
1953 * Verify Data (TLS): 12 bytes (client) or 24 bytes (server)
1954 * Verify Data (SSL): 36 bytes (client) or 72 bytes (server)
1955 */
1956 static PRInt32
1957 ssl3_SendRenegotiationInfoXtn(
1958 sslSocket * ss,
1959 PRBool append,
1960 PRUint32 maxBytes)
1961 {
1962 PRInt32 len, needed;
1964 /* In draft-ietf-tls-renegotiation-03, it is NOT RECOMMENDED to send
1965 * both the SCSV and the empty RI, so when we send SCSV in
1966 * the initial handshake, we don't also send RI.
1967 */
1968 if (!ss || ss->ssl3.hs.sendingSCSV)
1969 return 0;
1970 len = !ss->firstHsDone ? 0 :
1971 (ss->sec.isServer ? ss->ssl3.hs.finishedBytes * 2
1972 : ss->ssl3.hs.finishedBytes);
1973 needed = 5 + len;
1974 if (append && maxBytes >= needed) {
1975 SECStatus rv;
1976 /* extension_type */
1977 rv = ssl3_AppendHandshakeNumber(ss, ssl_renegotiation_info_xtn, 2);
1978 if (rv != SECSuccess) return -1;
1979 /* length of extension_data */
1980 rv = ssl3_AppendHandshakeNumber(ss, len + 1, 2);
1981 if (rv != SECSuccess) return -1;
1982 /* verify_Data from previous Finished message(s) */
1983 rv = ssl3_AppendHandshakeVariable(ss,
1984 ss->ssl3.hs.finishedMsgs.data, len, 1);
1985 if (rv != SECSuccess) return -1;
1986 if (!ss->sec.isServer) {
1987 TLSExtensionData *xtnData = &ss->xtnData;
1988 xtnData->advertised[xtnData->numAdvertised++] =
1989 ssl_renegotiation_info_xtn;
1990 }
1991 }
1992 return needed;
1993 }
1995 static SECStatus
1996 ssl3_ServerHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type,
1997 SECItem *data)
1998 {
1999 SECStatus rv = SECSuccess;
2001 /* remember that we got this extension. */
2002 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
2003 PORT_Assert(ss->sec.isServer);
2004 /* prepare to send back the appropriate response */
2005 rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type,
2006 ssl3_ServerSendStatusRequestXtn);
2007 return rv;
2008 }
2010 /* This function runs in both the client and server. */
2011 static SECStatus
2012 ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
2013 {
2014 SECStatus rv = SECSuccess;
2015 PRUint32 len = 0;
2017 if (ss->firstHsDone) {
2018 len = ss->sec.isServer ? ss->ssl3.hs.finishedBytes
2019 : ss->ssl3.hs.finishedBytes * 2;
2020 }
2021 if (data->len != 1 + len ||
2022 data->data[0] != len || (len &&
2023 NSS_SecureMemcmp(ss->ssl3.hs.finishedMsgs.data,
2024 data->data + 1, len))) {
2025 /* Can we do this here? Or, must we arrange for the caller to do it? */
2026 (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure);
2027 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
2028 return SECFailure;
2029 }
2030 /* remember that we got this extension and it was correct. */
2031 ss->peerRequestedProtection = 1;
2032 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
2033 if (ss->sec.isServer) {
2034 /* prepare to send back the appropriate response */
2035 rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type,
2036 ssl3_SendRenegotiationInfoXtn);
2037 }
2038 return rv;
2039 }
2041 static PRInt32
2042 ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes)
2043 {
2044 PRUint32 ext_data_len;
2045 PRInt16 i;
2046 SECStatus rv;
2048 if (!ss)
2049 return 0;
2051 if (!ss->sec.isServer) {
2052 /* Client side */
2054 if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount)
2055 return 0; /* Not relevant */
2057 ext_data_len = 2 + 2 * ss->ssl3.dtlsSRTPCipherCount + 1;
2059 if (append && maxBytes >= 4 + ext_data_len) {
2060 /* Extension type */
2061 rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2);
2062 if (rv != SECSuccess) return -1;
2063 /* Length of extension data */
2064 rv = ssl3_AppendHandshakeNumber(ss, ext_data_len, 2);
2065 if (rv != SECSuccess) return -1;
2066 /* Length of the SRTP cipher list */
2067 rv = ssl3_AppendHandshakeNumber(ss,
2068 2 * ss->ssl3.dtlsSRTPCipherCount,
2069 2);
2070 if (rv != SECSuccess) return -1;
2071 /* The SRTP ciphers */
2072 for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) {
2073 rv = ssl3_AppendHandshakeNumber(ss,
2074 ss->ssl3.dtlsSRTPCiphers[i],
2075 2);
2076 }
2077 /* Empty MKI value */
2078 ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
2080 ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
2081 ssl_use_srtp_xtn;
2082 }
2084 return 4 + ext_data_len;
2085 }
2087 /* Server side */
2088 if (append && maxBytes >= 9) {
2089 /* Extension type */
2090 rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2);
2091 if (rv != SECSuccess) return -1;
2092 /* Length of extension data */
2093 rv = ssl3_AppendHandshakeNumber(ss, 5, 2);
2094 if (rv != SECSuccess) return -1;
2095 /* Length of the SRTP cipher list */
2096 rv = ssl3_AppendHandshakeNumber(ss, 2, 2);
2097 if (rv != SECSuccess) return -1;
2098 /* The selected cipher */
2099 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.dtlsSRTPCipherSuite, 2);
2100 if (rv != SECSuccess) return -1;
2101 /* Empty MKI value */
2102 ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
2103 }
2105 return 9;
2106 }
2108 static SECStatus
2109 ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data)
2110 {
2111 SECStatus rv;
2112 SECItem ciphers = {siBuffer, NULL, 0};
2113 PRUint16 i;
2114 unsigned int j;
2115 PRUint16 cipher = 0;
2116 PRBool found = PR_FALSE;
2117 SECItem litem;
2119 if (!ss->sec.isServer) {
2120 /* Client side */
2121 if (!data->data || !data->len) {
2122 /* malformed */
2123 return SECFailure;
2124 }
2126 /* Get the cipher list */
2127 rv = ssl3_ConsumeHandshakeVariable(ss, &ciphers, 2,
2128 &data->data, &data->len);
2129 if (rv != SECSuccess) {
2130 return SECFailure;
2131 }
2132 /* Now check that the number of ciphers listed is 1 (len = 2) */
2133 if (ciphers.len != 2) {
2134 return SECFailure;
2135 }
2137 /* Get the selected cipher */
2138 cipher = (ciphers.data[0] << 8) | ciphers.data[1];
2140 /* Now check that this is one of the ciphers we offered */
2141 for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) {
2142 if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) {
2143 found = PR_TRUE;
2144 break;
2145 }
2146 }
2148 if (!found) {
2149 return SECFailure;
2150 }
2152 /* Get the srtp_mki value */
2153 rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 1,
2154 &data->data, &data->len);
2155 if (rv != SECSuccess) {
2156 return SECFailure;
2157 }
2159 /* We didn't offer an MKI, so this must be 0 length */
2160 /* XXX RFC 5764 Section 4.1.3 says:
2161 * If the client detects a nonzero-length MKI in the server's
2162 * response that is different than the one the client offered,
2163 * then the client MUST abort the handshake and SHOULD send an
2164 * invalid_parameter alert.
2165 *
2166 * Due to a limitation of the ssl3_HandleHelloExtensions function,
2167 * returning SECFailure here won't abort the handshake. It will
2168 * merely cause the use_srtp extension to be not negotiated. We
2169 * should fix this. See NSS bug 753136.
2170 */
2171 if (litem.len != 0) {
2172 return SECFailure;
2173 }
2175 if (data->len != 0) {
2176 /* malformed */
2177 return SECFailure;
2178 }
2180 /* OK, this looks fine. */
2181 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn;
2182 ss->ssl3.dtlsSRTPCipherSuite = cipher;
2183 return SECSuccess;
2184 }
2186 /* Server side */
2187 if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) {
2188 /* Ignore the extension if we aren't doing DTLS or no DTLS-SRTP
2189 * preferences have been set. */
2190 return SECSuccess;
2191 }
2193 if (!data->data || data->len < 5) {
2194 /* malformed */
2195 return SECFailure;
2196 }
2198 /* Get the cipher list */
2199 rv = ssl3_ConsumeHandshakeVariable(ss, &ciphers, 2,
2200 &data->data, &data->len);
2201 if (rv != SECSuccess) {
2202 return SECFailure;
2203 }
2204 /* Check that the list is even length */
2205 if (ciphers.len % 2) {
2206 return SECFailure;
2207 }
2209 /* Walk through the offered list and pick the most preferred of our
2210 * ciphers, if any */
2211 for (i = 0; !found && i < ss->ssl3.dtlsSRTPCipherCount; i++) {
2212 for (j = 0; j + 1 < ciphers.len; j += 2) {
2213 cipher = (ciphers.data[j] << 8) | ciphers.data[j + 1];
2214 if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) {
2215 found = PR_TRUE;
2216 break;
2217 }
2218 }
2219 }
2221 /* Get the srtp_mki value */
2222 rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 1, &data->data, &data->len);
2223 if (rv != SECSuccess) {
2224 return SECFailure;
2225 }
2227 if (data->len != 0) {
2228 return SECFailure; /* Malformed */
2229 }
2231 /* Now figure out what to do */
2232 if (!found) {
2233 /* No matching ciphers */
2234 return SECSuccess;
2235 }
2237 /* OK, we have a valid cipher and we've selected it */
2238 ss->ssl3.dtlsSRTPCipherSuite = cipher;
2239 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn;
2241 return ssl3_RegisterServerHelloExtensionSender(ss, ssl_use_srtp_xtn,
2242 ssl3_SendUseSRTPXtn);
2243 }
2245 /* ssl3_ServerHandleSigAlgsXtn handles the signature_algorithms extension
2246 * from a client.
2247 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
2248 static SECStatus
2249 ssl3_ServerHandleSigAlgsXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data)
2250 {
2251 SECStatus rv;
2252 SECItem algorithms;
2253 const unsigned char *b;
2254 unsigned int numAlgorithms, i;
2256 /* Ignore this extension if we aren't doing TLS 1.2 or greater. */
2257 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) {
2258 return SECSuccess;
2259 }
2261 /* Keep track of negotiated extensions. */
2262 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
2264 rv = ssl3_ConsumeHandshakeVariable(ss, &algorithms, 2, &data->data,
2265 &data->len);
2266 if (rv != SECSuccess) {
2267 return SECFailure;
2268 }
2269 /* Trailing data, empty value, or odd-length value is invalid. */
2270 if (data->len != 0 || algorithms.len == 0 || (algorithms.len & 1) != 0) {
2271 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
2272 return SECFailure;
2273 }
2275 numAlgorithms = algorithms.len/2;
2277 /* We don't care to process excessive numbers of algorithms. */
2278 if (numAlgorithms > 512) {
2279 numAlgorithms = 512;
2280 }
2282 ss->ssl3.hs.clientSigAndHash =
2283 PORT_NewArray(SSL3SignatureAndHashAlgorithm, numAlgorithms);
2284 if (!ss->ssl3.hs.clientSigAndHash) {
2285 return SECFailure;
2286 }
2287 ss->ssl3.hs.numClientSigAndHash = 0;
2289 b = algorithms.data;
2290 for (i = 0; i < numAlgorithms; i++) {
2291 unsigned char tls_hash = *(b++);
2292 unsigned char tls_sig = *(b++);
2293 SECOidTag hash = ssl3_TLSHashAlgorithmToOID(tls_hash);
2295 if (hash == SEC_OID_UNKNOWN) {
2296 /* We ignore formats that we don't understand. */
2297 continue;
2298 }
2299 /* tls_sig support will be checked later in
2300 * ssl3_PickSignatureHashAlgorithm. */
2301 ss->ssl3.hs.clientSigAndHash[i].hashAlg = hash;
2302 ss->ssl3.hs.clientSigAndHash[i].sigAlg = tls_sig;
2303 ss->ssl3.hs.numClientSigAndHash++;
2304 }
2306 if (!ss->ssl3.hs.numClientSigAndHash) {
2307 /* We didn't understand any of the client's requested signature
2308 * formats. We'll use the defaults. */
2309 PORT_Free(ss->ssl3.hs.clientSigAndHash);
2310 ss->ssl3.hs.clientSigAndHash = NULL;
2311 }
2313 return SECSuccess;
2314 }
2316 /* ssl3_ClientSendSigAlgsXtn sends the signature_algorithm extension for TLS
2317 * 1.2 ClientHellos. */
2318 static PRInt32
2319 ssl3_ClientSendSigAlgsXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes)
2320 {
2321 static const unsigned char signatureAlgorithms[] = {
2322 /* This block is the contents of our signature_algorithms extension, in
2323 * wire format. See
2324 * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
2325 tls_hash_sha256, tls_sig_rsa,
2326 tls_hash_sha384, tls_sig_rsa,
2327 tls_hash_sha1, tls_sig_rsa,
2328 #ifndef NSS_DISABLE_ECC
2329 tls_hash_sha256, tls_sig_ecdsa,
2330 tls_hash_sha384, tls_sig_ecdsa,
2331 tls_hash_sha1, tls_sig_ecdsa,
2332 #endif
2333 tls_hash_sha256, tls_sig_dsa,
2334 tls_hash_sha1, tls_sig_dsa,
2335 };
2336 PRInt32 extension_length;
2338 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) {
2339 return 0;
2340 }
2342 extension_length =
2343 2 /* extension type */ +
2344 2 /* extension length */ +
2345 2 /* supported_signature_algorithms length */ +
2346 sizeof(signatureAlgorithms);
2348 if (append && maxBytes >= extension_length) {
2349 SECStatus rv;
2350 rv = ssl3_AppendHandshakeNumber(ss, ssl_signature_algorithms_xtn, 2);
2351 if (rv != SECSuccess)
2352 goto loser;
2353 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2);
2354 if (rv != SECSuccess)
2355 goto loser;
2356 rv = ssl3_AppendHandshakeVariable(ss, signatureAlgorithms,
2357 sizeof(signatureAlgorithms), 2);
2358 if (rv != SECSuccess)
2359 goto loser;
2360 ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
2361 ssl_signature_algorithms_xtn;
2362 } else if (maxBytes < extension_length) {
2363 PORT_Assert(0);
2364 return 0;
2365 }
2367 return extension_length;
2369 loser:
2370 return -1;
2371 }
2373 unsigned int
2374 ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength)
2375 {
2376 unsigned int recordLength = 1 /* handshake message type */ +
2377 3 /* handshake message length */ +
2378 clientHelloLength;
2379 unsigned int extensionLength;
2381 if (recordLength < 256 || recordLength >= 512) {
2382 return 0;
2383 }
2385 extensionLength = 512 - recordLength;
2386 /* Extensions take at least four bytes to encode. */
2387 if (extensionLength < 4) {
2388 extensionLength = 4;
2389 }
2391 return extensionLength;
2392 }
2394 /* ssl3_AppendPaddingExtension possibly adds an extension which ensures that a
2395 * ClientHello record is either < 256 bytes or is >= 512 bytes. This ensures
2396 * that we don't trigger bugs in F5 products. */
2397 PRInt32
2398 ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen,
2399 PRUint32 maxBytes)
2400 {
2401 unsigned int paddingLen = extensionLen - 4;
2402 static unsigned char padding[256];
2404 if (extensionLen == 0) {
2405 return 0;
2406 }
2408 if (extensionLen < 4 ||
2409 extensionLen > maxBytes ||
2410 paddingLen > sizeof(padding)) {
2411 PORT_Assert(0);
2412 return -1;
2413 }
2415 if (SECSuccess != ssl3_AppendHandshakeNumber(ss, ssl_padding_xtn, 2))
2416 return -1;
2417 if (SECSuccess != ssl3_AppendHandshakeNumber(ss, paddingLen, 2))
2418 return -1;
2419 if (SECSuccess != ssl3_AppendHandshake(ss, padding, paddingLen))
2420 return -1;
2422 return extensionLen;
2423 }
