michael@0: /* michael@0: * SSL3 Protocol michael@0: * michael@0: * This Source Code Form is subject to the terms of the Mozilla Public michael@0: * License, v. 2.0. If a copy of the MPL was not distributed with this michael@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ michael@0: michael@0: /* TLS extension code moved here from ssl3ecc.c */ michael@0: michael@0: #include "nssrenam.h" michael@0: #include "nss.h" michael@0: #include "ssl.h" michael@0: #include "sslproto.h" michael@0: #include "sslimpl.h" michael@0: #include "pk11pub.h" michael@0: #ifdef NO_PKCS11_BYPASS michael@0: #include "blapit.h" michael@0: #else michael@0: #include "blapi.h" michael@0: #endif michael@0: #include "prinit.h" michael@0: michael@0: static unsigned char key_name[SESS_TICKET_KEY_NAME_LEN]; michael@0: static PK11SymKey *session_ticket_enc_key_pkcs11 = NULL; michael@0: static PK11SymKey *session_ticket_mac_key_pkcs11 = NULL; michael@0: michael@0: #ifndef NO_PKCS11_BYPASS michael@0: static unsigned char session_ticket_enc_key[AES_256_KEY_LENGTH]; michael@0: static unsigned char session_ticket_mac_key[SHA256_LENGTH]; michael@0: michael@0: static PRBool session_ticket_keys_initialized = PR_FALSE; michael@0: #endif michael@0: static PRCallOnceType generate_session_keys_once; michael@0: michael@0: /* forward static function declarations */ michael@0: static SECStatus ssl3_ParseEncryptedSessionTicket(sslSocket *ss, michael@0: SECItem *data, EncryptedSessionTicket *enc_session_ticket); michael@0: static SECStatus ssl3_AppendToItem(SECItem *item, const unsigned char *buf, michael@0: PRUint32 bytes); michael@0: static SECStatus ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, michael@0: PRInt32 lenSize); michael@0: static SECStatus ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss, michael@0: PK11SymKey **aes_key, PK11SymKey **mac_key); michael@0: #ifndef NO_PKCS11_BYPASS michael@0: static SECStatus ssl3_GetSessionTicketKeys(const unsigned char **aes_key, michael@0: PRUint32 *aes_key_length, const unsigned char **mac_key, michael@0: PRUint32 *mac_key_length); michael@0: #endif michael@0: static PRInt32 ssl3_SendRenegotiationInfoXtn(sslSocket * ss, michael@0: PRBool append, PRUint32 maxBytes); michael@0: static SECStatus ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, michael@0: PRUint16 ex_type, SECItem *data); michael@0: static SECStatus ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, michael@0: PRUint16 ex_type, SECItem *data); michael@0: static SECStatus ssl3_ClientHandleAppProtoXtn(sslSocket *ss, michael@0: PRUint16 ex_type, SECItem *data); michael@0: static SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss, michael@0: PRUint16 ex_type, SECItem *data); michael@0: static SECStatus ssl3_ServerHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type, michael@0: SECItem *data); michael@0: static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append, michael@0: PRUint32 maxBytes); michael@0: static PRInt32 ssl3_ClientSendAppProtoXtn(sslSocket *ss, PRBool append, michael@0: PRUint32 maxBytes); michael@0: static PRInt32 ssl3_ServerSendAppProtoXtn(sslSocket *ss, PRBool append, michael@0: PRUint32 maxBytes); michael@0: static PRInt32 ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append, michael@0: PRUint32 maxBytes); michael@0: static SECStatus ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, michael@0: SECItem *data); michael@0: static PRInt32 ssl3_ServerSendStatusRequestXtn(sslSocket * ss, michael@0: PRBool append, PRUint32 maxBytes); michael@0: static SECStatus ssl3_ServerHandleStatusRequestXtn(sslSocket *ss, michael@0: PRUint16 ex_type, SECItem *data); michael@0: static SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, michael@0: PRUint16 ex_type, michael@0: SECItem *data); michael@0: static PRInt32 ssl3_ClientSendStatusRequestXtn(sslSocket * ss, PRBool append, michael@0: PRUint32 maxBytes); michael@0: static PRInt32 ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append, michael@0: PRUint32 maxBytes); michael@0: static SECStatus ssl3_ServerHandleSigAlgsXtn(sslSocket *ss, PRUint16 ex_type, michael@0: SECItem *data); michael@0: michael@0: /* michael@0: * Write bytes. Using this function means the SECItem structure michael@0: * cannot be freed. The caller is expected to call this function michael@0: * on a shallow copy of the structure. michael@0: */ michael@0: static SECStatus michael@0: ssl3_AppendToItem(SECItem *item, const unsigned char *buf, PRUint32 bytes) michael@0: { michael@0: if (bytes > item->len) michael@0: return SECFailure; michael@0: michael@0: PORT_Memcpy(item->data, buf, bytes); michael@0: item->data += bytes; michael@0: item->len -= bytes; michael@0: return SECSuccess; michael@0: } michael@0: michael@0: /* michael@0: * Write a number in network byte order. Using this function means the michael@0: * SECItem structure cannot be freed. The caller is expected to call michael@0: * this function on a shallow copy of the structure. michael@0: */ michael@0: static SECStatus michael@0: ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, PRInt32 lenSize) michael@0: { michael@0: SECStatus rv; michael@0: PRUint8 b[4]; michael@0: PRUint8 * p = b; michael@0: michael@0: switch (lenSize) { michael@0: case 4: michael@0: *p++ = (PRUint8) (num >> 24); michael@0: case 3: michael@0: *p++ = (PRUint8) (num >> 16); michael@0: case 2: michael@0: *p++ = (PRUint8) (num >> 8); michael@0: case 1: michael@0: *p = (PRUint8) num; michael@0: } michael@0: rv = ssl3_AppendToItem(item, &b[0], lenSize); michael@0: return rv; michael@0: } michael@0: michael@0: static SECStatus ssl3_SessionTicketShutdown(void* appData, void* nssData) michael@0: { michael@0: if (session_ticket_enc_key_pkcs11) { michael@0: PK11_FreeSymKey(session_ticket_enc_key_pkcs11); michael@0: session_ticket_enc_key_pkcs11 = NULL; michael@0: } michael@0: if (session_ticket_mac_key_pkcs11) { michael@0: PK11_FreeSymKey(session_ticket_mac_key_pkcs11); michael@0: session_ticket_mac_key_pkcs11 = NULL; michael@0: } michael@0: PORT_Memset(&generate_session_keys_once, 0, michael@0: sizeof(generate_session_keys_once)); michael@0: return SECSuccess; michael@0: } michael@0: michael@0: michael@0: static PRStatus michael@0: ssl3_GenerateSessionTicketKeysPKCS11(void *data) michael@0: { michael@0: SECStatus rv; michael@0: sslSocket *ss = (sslSocket *)data; michael@0: SECKEYPrivateKey *svrPrivKey = ss->serverCerts[kt_rsa].SERVERKEY; michael@0: SECKEYPublicKey *svrPubKey = ss->serverCerts[kt_rsa].serverKeyPair->pubKey; michael@0: michael@0: if (svrPrivKey == NULL || svrPubKey == NULL) { michael@0: SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.", michael@0: SSL_GETPID(), ss->fd)); michael@0: goto loser; michael@0: } michael@0: michael@0: /* Get a copy of the session keys from shared memory. */ michael@0: PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX, michael@0: sizeof(SESS_TICKET_KEY_NAME_PREFIX)); michael@0: if (!ssl_GetSessionTicketKeysPKCS11(svrPrivKey, svrPubKey, michael@0: ss->pkcs11PinArg, &key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN], michael@0: &session_ticket_enc_key_pkcs11, &session_ticket_mac_key_pkcs11)) michael@0: return PR_FAILURE; michael@0: michael@0: rv = NSS_RegisterShutdown(ssl3_SessionTicketShutdown, NULL); michael@0: if (rv != SECSuccess) michael@0: goto loser; michael@0: michael@0: return PR_SUCCESS; michael@0: michael@0: loser: michael@0: ssl3_SessionTicketShutdown(NULL, NULL); michael@0: return PR_FAILURE; michael@0: } michael@0: michael@0: static SECStatus michael@0: ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss, PK11SymKey **aes_key, michael@0: PK11SymKey **mac_key) michael@0: { michael@0: if (PR_CallOnceWithArg(&generate_session_keys_once, michael@0: ssl3_GenerateSessionTicketKeysPKCS11, ss) != PR_SUCCESS) michael@0: return SECFailure; michael@0: michael@0: if (session_ticket_enc_key_pkcs11 == NULL || michael@0: session_ticket_mac_key_pkcs11 == NULL) michael@0: return SECFailure; michael@0: michael@0: *aes_key = session_ticket_enc_key_pkcs11; michael@0: *mac_key = session_ticket_mac_key_pkcs11; michael@0: return SECSuccess; michael@0: } michael@0: michael@0: #ifndef NO_PKCS11_BYPASS michael@0: static PRStatus michael@0: ssl3_GenerateSessionTicketKeys(void) michael@0: { michael@0: PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX, michael@0: sizeof(SESS_TICKET_KEY_NAME_PREFIX)); michael@0: michael@0: if (!ssl_GetSessionTicketKeys(&key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN], michael@0: session_ticket_enc_key, session_ticket_mac_key)) michael@0: return PR_FAILURE; michael@0: michael@0: session_ticket_keys_initialized = PR_TRUE; michael@0: return PR_SUCCESS; michael@0: } michael@0: michael@0: static SECStatus michael@0: ssl3_GetSessionTicketKeys(const unsigned char **aes_key, michael@0: PRUint32 *aes_key_length, const unsigned char **mac_key, michael@0: PRUint32 *mac_key_length) michael@0: { michael@0: if (PR_CallOnce(&generate_session_keys_once, michael@0: ssl3_GenerateSessionTicketKeys) != PR_SUCCESS) michael@0: return SECFailure; michael@0: michael@0: if (!session_ticket_keys_initialized) michael@0: return SECFailure; michael@0: michael@0: *aes_key = session_ticket_enc_key; michael@0: *aes_key_length = sizeof(session_ticket_enc_key); michael@0: *mac_key = session_ticket_mac_key; michael@0: *mac_key_length = sizeof(session_ticket_mac_key); michael@0: michael@0: return SECSuccess; michael@0: } michael@0: #endif michael@0: michael@0: /* Table of handlers for received TLS hello extensions, one per extension. michael@0: * In the second generation, this table will be dynamic, and functions michael@0: * will be registered here. michael@0: */ michael@0: /* This table is used by the server, to handle client hello extensions. */ michael@0: static const ssl3HelloExtensionHandler clientHelloHandlers[] = { michael@0: { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, michael@0: #ifndef NSS_DISABLE_ECC michael@0: { ssl_elliptic_curves_xtn, &ssl3_HandleSupportedCurvesXtn }, michael@0: { ssl_ec_point_formats_xtn, &ssl3_HandleSupportedPointFormatsXtn }, michael@0: #endif michael@0: { ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn }, michael@0: { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, michael@0: { ssl_next_proto_nego_xtn, &ssl3_ServerHandleNextProtoNegoXtn }, michael@0: { ssl_app_layer_protocol_xtn, &ssl3_ServerHandleAppProtoXtn }, michael@0: { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn }, michael@0: { ssl_cert_status_xtn, &ssl3_ServerHandleStatusRequestXtn }, michael@0: { ssl_signature_algorithms_xtn, &ssl3_ServerHandleSigAlgsXtn }, michael@0: { -1, NULL } michael@0: }; michael@0: michael@0: /* These two tables are used by the client, to handle server hello michael@0: * extensions. */ michael@0: static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = { michael@0: { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, michael@0: /* TODO: add a handler for ssl_ec_point_formats_xtn */ michael@0: { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn }, michael@0: { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, michael@0: { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, michael@0: { ssl_app_layer_protocol_xtn, &ssl3_ClientHandleAppProtoXtn }, michael@0: { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn }, michael@0: { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, michael@0: { -1, NULL } michael@0: }; michael@0: michael@0: static const ssl3HelloExtensionHandler serverHelloHandlersSSL3[] = { michael@0: { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, michael@0: { -1, NULL } michael@0: }; michael@0: michael@0: /* Tables of functions to format TLS hello extensions, one function per michael@0: * extension. michael@0: * These static tables are for the formatting of client hello extensions. michael@0: * The server's table of hello senders is dynamic, in the socket struct, michael@0: * and sender functions are registered there. michael@0: */ michael@0: static const michael@0: ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = { michael@0: { ssl_server_name_xtn, &ssl3_SendServerNameXtn }, michael@0: { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn }, michael@0: #ifndef NSS_DISABLE_ECC michael@0: { ssl_elliptic_curves_xtn, &ssl3_SendSupportedCurvesXtn }, michael@0: { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn }, michael@0: #endif michael@0: { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, michael@0: { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, michael@0: { ssl_app_layer_protocol_xtn, &ssl3_ClientSendAppProtoXtn }, michael@0: { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn }, michael@0: { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, michael@0: { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn } michael@0: /* any extra entries will appear as { 0, NULL } */ michael@0: }; michael@0: michael@0: static const michael@0: ssl3HelloExtensionSender clientHelloSendersSSL3[SSL_MAX_EXTENSIONS] = { michael@0: { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn } michael@0: /* any extra entries will appear as { 0, NULL } */ michael@0: }; michael@0: michael@0: static PRBool michael@0: arrayContainsExtension(const PRUint16 *array, PRUint32 len, PRUint16 ex_type) michael@0: { michael@0: int i; michael@0: for (i = 0; i < len; i++) { michael@0: if (ex_type == array[i]) michael@0: return PR_TRUE; michael@0: } michael@0: return PR_FALSE; michael@0: } michael@0: michael@0: PRBool michael@0: ssl3_ExtensionNegotiated(sslSocket *ss, PRUint16 ex_type) { michael@0: TLSExtensionData *xtnData = &ss->xtnData; michael@0: return arrayContainsExtension(xtnData->negotiated, michael@0: xtnData->numNegotiated, ex_type); michael@0: } michael@0: michael@0: static PRBool michael@0: ssl3_ClientExtensionAdvertised(sslSocket *ss, PRUint16 ex_type) { michael@0: TLSExtensionData *xtnData = &ss->xtnData; michael@0: return arrayContainsExtension(xtnData->advertised, michael@0: xtnData->numAdvertised, ex_type); michael@0: } michael@0: michael@0: /* Format an SNI extension, using the name from the socket's URL, michael@0: * unless that name is a dotted decimal string. michael@0: * Used by client and server. michael@0: */ michael@0: PRInt32 michael@0: ssl3_SendServerNameXtn(sslSocket * ss, PRBool append, michael@0: PRUint32 maxBytes) michael@0: { michael@0: SECStatus rv; michael@0: if (!ss) michael@0: return 0; michael@0: if (!ss->sec.isServer) { michael@0: PRUint32 len; michael@0: PRNetAddr netAddr; michael@0: michael@0: /* must have a hostname */ michael@0: if (!ss->url || !ss->url[0]) michael@0: return 0; michael@0: /* must not be an IPv4 or IPv6 address */ michael@0: if (PR_SUCCESS == PR_StringToNetAddr(ss->url, &netAddr)) { michael@0: /* is an IP address (v4 or v6) */ michael@0: return 0; michael@0: } michael@0: len = PORT_Strlen(ss->url); michael@0: if (append && maxBytes >= len + 9) { michael@0: /* extension_type */ michael@0: rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2); michael@0: if (rv != SECSuccess) return -1; michael@0: /* length of extension_data */ michael@0: rv = ssl3_AppendHandshakeNumber(ss, len + 5, 2); michael@0: if (rv != SECSuccess) return -1; michael@0: /* length of server_name_list */ michael@0: rv = ssl3_AppendHandshakeNumber(ss, len + 3, 2); michael@0: if (rv != SECSuccess) return -1; michael@0: /* Name Type (sni_host_name) */ michael@0: rv = ssl3_AppendHandshake(ss, "\0", 1); michael@0: if (rv != SECSuccess) return -1; michael@0: /* HostName (length and value) */ michael@0: rv = ssl3_AppendHandshakeVariable(ss, (PRUint8 *)ss->url, len, 2); michael@0: if (rv != SECSuccess) return -1; michael@0: if (!ss->sec.isServer) { michael@0: TLSExtensionData *xtnData = &ss->xtnData; michael@0: xtnData->advertised[xtnData->numAdvertised++] = michael@0: ssl_server_name_xtn; michael@0: } michael@0: } michael@0: return len + 9; michael@0: } michael@0: /* Server side */ michael@0: if (append && maxBytes >= 4) { michael@0: rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2); michael@0: if (rv != SECSuccess) return -1; michael@0: /* length of extension_data */ michael@0: rv = ssl3_AppendHandshakeNumber(ss, 0, 2); michael@0: if (rv != SECSuccess) return -1; michael@0: } michael@0: return 4; michael@0: } michael@0: michael@0: /* handle an incoming SNI extension, by ignoring it. */ michael@0: SECStatus michael@0: ssl3_HandleServerNameXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data) michael@0: { michael@0: SECItem *names = NULL; michael@0: PRUint32 listCount = 0, namesPos = 0, i; michael@0: TLSExtensionData *xtnData = &ss->xtnData; michael@0: SECItem ldata; michael@0: PRInt32 listLenBytes = 0; michael@0: michael@0: if (!ss->sec.isServer) { michael@0: /* Verify extension_data is empty. */ michael@0: if (data->data || data->len || michael@0: !ssl3_ExtensionNegotiated(ss, ssl_server_name_xtn)) { michael@0: /* malformed or was not initiated by the client.*/ michael@0: return SECFailure; michael@0: } michael@0: return SECSuccess; michael@0: } michael@0: michael@0: /* Server side - consume client data and register server sender. */ michael@0: /* do not parse the data if don't have user extension handling function. */ michael@0: if (!ss->sniSocketConfig) { michael@0: return SECSuccess; michael@0: } michael@0: /* length of server_name_list */ michael@0: listLenBytes = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len); michael@0: if (listLenBytes == 0 || listLenBytes != data->len) { michael@0: return SECFailure; michael@0: } michael@0: ldata = *data; michael@0: /* Calculate the size of the array.*/ michael@0: while (listLenBytes > 0) { michael@0: SECItem litem; michael@0: SECStatus rv; michael@0: PRInt32 type; michael@0: /* Name Type (sni_host_name) */ michael@0: type = ssl3_ConsumeHandshakeNumber(ss, 1, &ldata.data, &ldata.len); michael@0: if (!ldata.len) { michael@0: return SECFailure; michael@0: } michael@0: rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 2, &ldata.data, &ldata.len); michael@0: if (rv != SECSuccess) { michael@0: return SECFailure; michael@0: } michael@0: /* Adjust total length for cunsumed item, item len and type.*/ michael@0: listLenBytes -= litem.len + 3; michael@0: if (listLenBytes > 0 && !ldata.len) { michael@0: return SECFailure; michael@0: } michael@0: listCount += 1; michael@0: } michael@0: if (!listCount) { michael@0: return SECFailure; michael@0: } michael@0: names = PORT_ZNewArray(SECItem, listCount); michael@0: if (!names) { michael@0: return SECFailure; michael@0: } michael@0: for (i = 0;i < listCount;i++) { michael@0: int j; michael@0: PRInt32 type; michael@0: SECStatus rv; michael@0: PRBool nametypePresent = PR_FALSE; michael@0: /* Name Type (sni_host_name) */ michael@0: type = ssl3_ConsumeHandshakeNumber(ss, 1, &data->data, &data->len); michael@0: /* Check if we have such type in the list */ michael@0: for (j = 0;j < listCount && names[j].data;j++) { michael@0: if (names[j].type == type) { michael@0: nametypePresent = PR_TRUE; michael@0: break; michael@0: } michael@0: } michael@0: /* HostName (length and value) */ michael@0: rv = ssl3_ConsumeHandshakeVariable(ss, &names[namesPos], 2, michael@0: &data->data, &data->len); michael@0: if (rv != SECSuccess) { michael@0: goto loser; michael@0: } michael@0: if (nametypePresent == PR_FALSE) { michael@0: namesPos += 1; michael@0: } michael@0: } michael@0: /* Free old and set the new data. */ michael@0: if (xtnData->sniNameArr) { michael@0: PORT_Free(ss->xtnData.sniNameArr); michael@0: } michael@0: xtnData->sniNameArr = names; michael@0: xtnData->sniNameArrSize = namesPos; michael@0: xtnData->negotiated[xtnData->numNegotiated++] = ssl_server_name_xtn; michael@0: michael@0: return SECSuccess; michael@0: michael@0: loser: michael@0: PORT_Free(names); michael@0: return SECFailure; michael@0: } michael@0: michael@0: /* Called by both clients and servers. michael@0: * Clients sends a filled in session ticket if one is available, and otherwise michael@0: * sends an empty ticket. Servers always send empty tickets. michael@0: */ michael@0: PRInt32 michael@0: ssl3_SendSessionTicketXtn( michael@0: sslSocket * ss, michael@0: PRBool append, michael@0: PRUint32 maxBytes) michael@0: { michael@0: PRInt32 extension_length; michael@0: NewSessionTicket *session_ticket = NULL; michael@0: sslSessionID *sid = ss->sec.ci.sid; michael@0: michael@0: /* Ignore the SessionTicket extension if processing is disabled. */ michael@0: if (!ss->opt.enableSessionTickets) michael@0: return 0; michael@0: michael@0: /* Empty extension length = extension_type (2-bytes) + michael@0: * length(extension_data) (2-bytes) michael@0: */ michael@0: extension_length = 4; michael@0: michael@0: /* If we are a client then send a session ticket if one is availble. michael@0: * Servers that support the extension and are willing to negotiate the michael@0: * the extension always respond with an empty extension. michael@0: */ michael@0: if (!ss->sec.isServer) { michael@0: /* The caller must be holding sid->u.ssl3.lock for reading. We cannot michael@0: * just acquire and release the lock within this function because the michael@0: * caller will call this function twice, and we need the inputs to be michael@0: * consistent between the two calls. Note that currently the caller michael@0: * will only be holding the lock when we are the client and when we're michael@0: * attempting to resume an existing session. michael@0: */ michael@0: michael@0: session_ticket = &sid->u.ssl3.locked.sessionTicket; michael@0: if (session_ticket->ticket.data) { michael@0: if (ss->xtnData.ticketTimestampVerified) { michael@0: extension_length += session_ticket->ticket.len; michael@0: } else if (!append && michael@0: (session_ticket->ticket_lifetime_hint == 0 || michael@0: (session_ticket->ticket_lifetime_hint + michael@0: session_ticket->received_timestamp > ssl_Time()))) { michael@0: extension_length += session_ticket->ticket.len; michael@0: ss->xtnData.ticketTimestampVerified = PR_TRUE; michael@0: } michael@0: } michael@0: } michael@0: michael@0: if (append && maxBytes >= extension_length) { michael@0: SECStatus rv; michael@0: /* extension_type */ michael@0: rv = ssl3_AppendHandshakeNumber(ss, ssl_session_ticket_xtn, 2); michael@0: if (rv != SECSuccess) michael@0: goto loser; michael@0: if (session_ticket && session_ticket->ticket.data && michael@0: ss->xtnData.ticketTimestampVerified) { michael@0: rv = ssl3_AppendHandshakeVariable(ss, session_ticket->ticket.data, michael@0: session_ticket->ticket.len, 2); michael@0: ss->xtnData.ticketTimestampVerified = PR_FALSE; michael@0: ss->xtnData.sentSessionTicketInClientHello = PR_TRUE; michael@0: } else { michael@0: rv = ssl3_AppendHandshakeNumber(ss, 0, 2); michael@0: } michael@0: if (rv != SECSuccess) michael@0: goto loser; michael@0: michael@0: if (!ss->sec.isServer) { michael@0: TLSExtensionData *xtnData = &ss->xtnData; michael@0: xtnData->advertised[xtnData->numAdvertised++] = michael@0: ssl_session_ticket_xtn; michael@0: } michael@0: } else if (maxBytes < extension_length) { michael@0: PORT_Assert(0); michael@0: return 0; michael@0: } michael@0: return extension_length; michael@0: michael@0: loser: michael@0: ss->xtnData.ticketTimestampVerified = PR_FALSE; michael@0: return -1; michael@0: } michael@0: michael@0: /* handle an incoming Next Protocol Negotiation extension. */ michael@0: static SECStatus michael@0: ssl3_ServerHandleNextProtoNegoXtn(sslSocket * ss, PRUint16 ex_type, michael@0: SECItem *data) michael@0: { michael@0: if (ss->firstHsDone || data->len != 0) { michael@0: /* Clients MUST send an empty NPN extension, if any. */ michael@0: PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); michael@0: return SECFailure; michael@0: } michael@0: michael@0: ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; michael@0: michael@0: /* TODO: server side NPN support would require calling michael@0: * ssl3_RegisterServerHelloExtensionSender here in order to echo the michael@0: * extension back to the client. */ michael@0: michael@0: return SECSuccess; michael@0: } michael@0: michael@0: /* ssl3_ValidateNextProtoNego checks that the given block of data is valid: none michael@0: * of the lengths may be 0 and the sum of the lengths must equal the length of michael@0: * the block. */ michael@0: SECStatus michael@0: ssl3_ValidateNextProtoNego(const unsigned char* data, unsigned int length) michael@0: { michael@0: unsigned int offset = 0; michael@0: michael@0: while (offset < length) { michael@0: unsigned int newOffset = offset + 1 + (unsigned int) data[offset]; michael@0: /* Reject embedded nulls to protect against buggy applications that michael@0: * store protocol identifiers in null-terminated strings. michael@0: */ michael@0: if (newOffset > length || data[offset] == 0) { michael@0: PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); michael@0: return SECFailure; michael@0: } michael@0: offset = newOffset; michael@0: } michael@0: michael@0: if (offset > length) { michael@0: PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); michael@0: return SECFailure; michael@0: } michael@0: michael@0: return SECSuccess; michael@0: } michael@0: michael@0: /* protocol selection handler for ALPN (server side) and NPN (client side) */ michael@0: static SECStatus michael@0: ssl3_SelectAppProtocol(sslSocket *ss, PRUint16 ex_type, SECItem *data) michael@0: { michael@0: SECStatus rv; michael@0: unsigned char resultBuffer[255]; michael@0: SECItem result = { siBuffer, resultBuffer, 0 }; michael@0: michael@0: rv = ssl3_ValidateNextProtoNego(data->data, data->len); michael@0: if (rv != SECSuccess) michael@0: return rv; michael@0: michael@0: PORT_Assert(ss->nextProtoCallback); michael@0: rv = ss->nextProtoCallback(ss->nextProtoArg, ss->fd, data->data, data->len, michael@0: result.data, &result.len, sizeof resultBuffer); michael@0: if (rv != SECSuccess) michael@0: return rv; michael@0: /* If the callback wrote more than allowed to |result| it has corrupted our michael@0: * stack. */ michael@0: if (result.len > sizeof resultBuffer) { michael@0: PORT_SetError(SEC_ERROR_OUTPUT_LEN); michael@0: return SECFailure; michael@0: } michael@0: michael@0: if (ex_type == ssl_app_layer_protocol_xtn && michael@0: ss->ssl3.nextProtoState != SSL_NEXT_PROTO_NEGOTIATED) { michael@0: /* The callback might say OK, but then it's picked a default. michael@0: * That's OK for NPN, but not ALPN. */ michael@0: SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); michael@0: PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL); michael@0: (void)SSL3_SendAlert(ss, alert_fatal, no_application_protocol); michael@0: return SECFailure; michael@0: } michael@0: michael@0: ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; michael@0: michael@0: SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); michael@0: return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &result); michael@0: } michael@0: michael@0: /* handle an incoming ALPN extension at the server */ michael@0: static SECStatus michael@0: ssl3_ServerHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) michael@0: { michael@0: int count; michael@0: SECStatus rv; michael@0: michael@0: /* We expressly don't want to allow ALPN on renegotiation, michael@0: * despite it being permitted by the spec. */ michael@0: if (ss->firstHsDone || data->len == 0) { michael@0: /* Clients MUST send a non-empty ALPN extension. */ michael@0: PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); michael@0: return SECFailure; michael@0: } michael@0: michael@0: /* unlike NPN, ALPN has extra redundant length information so that michael@0: * the extension is the same in both ClientHello and ServerHello */ michael@0: count = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len); michael@0: if (count < 0) { michael@0: return SECFailure; /* fatal alert was sent */ michael@0: } michael@0: if (count != data->len) { michael@0: return ssl3_DecodeError(ss); michael@0: } michael@0: michael@0: if (!ss->nextProtoCallback) { michael@0: /* we're not configured for it */ michael@0: return SECSuccess; michael@0: } michael@0: michael@0: rv = ssl3_SelectAppProtocol(ss, ex_type, data); michael@0: if (rv != SECSuccess) { michael@0: return rv; michael@0: } michael@0: michael@0: /* prepare to send back a response, if we negotiated */ michael@0: if (ss->ssl3.nextProtoState == SSL_NEXT_PROTO_NEGOTIATED) { michael@0: return ssl3_RegisterServerHelloExtensionSender( michael@0: ss, ex_type, ssl3_ServerSendAppProtoXtn); michael@0: } michael@0: return SECSuccess; michael@0: } michael@0: michael@0: static SECStatus michael@0: ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type, michael@0: SECItem *data) michael@0: { michael@0: PORT_Assert(!ss->firstHsDone); michael@0: michael@0: if (ssl3_ExtensionNegotiated(ss, ssl_app_layer_protocol_xtn)) { michael@0: /* If the server negotiated ALPN then it has already told us what michael@0: * protocol to use, so it doesn't make sense for us to try to negotiate michael@0: * a different one by sending the NPN handshake message. However, if michael@0: * we've negotiated NPN then we're required to send the NPN handshake michael@0: * message. Thus, these two extensions cannot both be negotiated on the michael@0: * same connection. */ michael@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); michael@0: return SECFailure; michael@0: } michael@0: michael@0: /* We should only get this call if we sent the extension, so michael@0: * ss->nextProtoCallback needs to be non-NULL. However, it is possible michael@0: * that an application erroneously cleared the callback between the time michael@0: * we sent the ClientHello and now. */ michael@0: if (!ss->nextProtoCallback) { michael@0: PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK); michael@0: return SECFailure; michael@0: } michael@0: michael@0: return ssl3_SelectAppProtocol(ss, ex_type, data); michael@0: } michael@0: michael@0: static SECStatus michael@0: ssl3_ClientHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) michael@0: { michael@0: const unsigned char* d = data->data; michael@0: PRUint16 name_list_len; michael@0: SECItem protocol_name; michael@0: michael@0: if (ssl3_ExtensionNegotiated(ss, ssl_next_proto_nego_xtn)) { michael@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); michael@0: return SECFailure; michael@0: } michael@0: michael@0: /* The extension data from the server has the following format: michael@0: * uint16 name_list_len; michael@0: * uint8 len; michael@0: * uint8 protocol_name[len]; */ michael@0: if (data->len < 4 || data->len > 2 + 1 + 255) { michael@0: PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); michael@0: return SECFailure; michael@0: } michael@0: michael@0: name_list_len = ((PRUint16) d[0]) << 8 | michael@0: ((PRUint16) d[1]); michael@0: if (name_list_len != data->len - 2 || d[2] != data->len - 3) { michael@0: PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); michael@0: return SECFailure; michael@0: } michael@0: michael@0: protocol_name.data = data->data + 3; michael@0: protocol_name.len = data->len - 3; michael@0: michael@0: SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); michael@0: ss->ssl3.nextProtoState = SSL_NEXT_PROTO_SELECTED; michael@0: ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; michael@0: return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &protocol_name); michael@0: } michael@0: michael@0: static PRInt32 michael@0: ssl3_ClientSendNextProtoNegoXtn(sslSocket * ss, PRBool append, michael@0: PRUint32 maxBytes) michael@0: { michael@0: PRInt32 extension_length; michael@0: michael@0: /* Renegotiations do not send this extension. */ michael@0: if (!ss->opt.enableNPN || !ss->nextProtoCallback || ss->firstHsDone) { michael@0: return 0; michael@0: } michael@0: michael@0: extension_length = 4; michael@0: michael@0: if (append && maxBytes >= extension_length) { michael@0: SECStatus rv; michael@0: rv = ssl3_AppendHandshakeNumber(ss, ssl_next_proto_nego_xtn, 2); michael@0: if (rv != SECSuccess) michael@0: goto loser; michael@0: rv = ssl3_AppendHandshakeNumber(ss, 0, 2); michael@0: if (rv != SECSuccess) michael@0: goto loser; michael@0: ss->xtnData.advertised[ss->xtnData.numAdvertised++] = michael@0: ssl_next_proto_nego_xtn; michael@0: } else if (maxBytes < extension_length) { michael@0: return 0; michael@0: } michael@0: michael@0: return extension_length; michael@0: michael@0: loser: michael@0: return -1; michael@0: } michael@0: michael@0: static PRInt32 michael@0: ssl3_ClientSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes) michael@0: { michael@0: PRInt32 extension_length; michael@0: unsigned char *alpn_protos = NULL; michael@0: michael@0: /* Renegotiations do not send this extension. */ michael@0: if (!ss->opt.enableALPN || !ss->opt.nextProtoNego.data || ss->firstHsDone) { michael@0: return 0; michael@0: } michael@0: michael@0: extension_length = 2 /* extension type */ + 2 /* extension length */ + michael@0: 2 /* protocol name list length */ + michael@0: ss->opt.nextProtoNego.len; michael@0: michael@0: if (append && maxBytes >= extension_length) { michael@0: /* NPN requires that the client's fallback protocol is first in the michael@0: * list. However, ALPN sends protocols in preference order. So we michael@0: * allocate a buffer and move the first protocol to the end of the michael@0: * list. */ michael@0: SECStatus rv; michael@0: const unsigned int len = ss->opt.nextProtoNego.len; michael@0: michael@0: alpn_protos = PORT_Alloc(len); michael@0: if (alpn_protos == NULL) { michael@0: return SECFailure; michael@0: } michael@0: if (len > 0) { michael@0: /* Each protocol string is prefixed with a single byte length. */ michael@0: unsigned int i = ss->opt.nextProtoNego.data[0] + 1; michael@0: if (i <= len) { michael@0: memcpy(alpn_protos, &ss->opt.nextProtoNego.data[i], len - i); michael@0: memcpy(alpn_protos + len - i, ss->opt.nextProtoNego.data, i); michael@0: } else { michael@0: /* This seems to be invalid data so we'll send as-is. */ michael@0: memcpy(alpn_protos, ss->opt.nextProtoNego.data, len); michael@0: } michael@0: } michael@0: michael@0: rv = ssl3_AppendHandshakeNumber(ss, ssl_app_layer_protocol_xtn, 2); michael@0: if (rv != SECSuccess) { michael@0: goto loser; michael@0: } michael@0: rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); michael@0: if (rv != SECSuccess) { michael@0: goto loser; michael@0: } michael@0: rv = ssl3_AppendHandshakeVariable(ss, alpn_protos, len, 2); michael@0: PORT_Free(alpn_protos); michael@0: alpn_protos = NULL; michael@0: if (rv != SECSuccess) { michael@0: goto loser; michael@0: } michael@0: ss->xtnData.advertised[ss->xtnData.numAdvertised++] = michael@0: ssl_app_layer_protocol_xtn; michael@0: } else if (maxBytes < extension_length) { michael@0: return 0; michael@0: } michael@0: michael@0: return extension_length; michael@0: michael@0: loser: michael@0: if (alpn_protos) { michael@0: PORT_Free(alpn_protos); michael@0: } michael@0: return -1; michael@0: } michael@0: michael@0: static PRInt32 michael@0: ssl3_ServerSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes) michael@0: { michael@0: PRInt32 extension_length; michael@0: michael@0: /* we're in over our heads if any of these fail */ michael@0: PORT_Assert(ss->opt.enableALPN); michael@0: PORT_Assert(ss->ssl3.nextProto.data); michael@0: PORT_Assert(ss->ssl3.nextProto.len > 0); michael@0: PORT_Assert(ss->ssl3.nextProtoState == SSL_NEXT_PROTO_NEGOTIATED); michael@0: PORT_Assert(!ss->firstHsDone); michael@0: michael@0: extension_length = 2 /* extension type */ + 2 /* extension length */ + michael@0: 2 /* protocol name list */ + 1 /* name length */ + michael@0: ss->ssl3.nextProto.len; michael@0: michael@0: if (append && maxBytes >= extension_length) { michael@0: SECStatus rv; michael@0: rv = ssl3_AppendHandshakeNumber(ss, ssl_app_layer_protocol_xtn, 2); michael@0: if (rv != SECSuccess) { michael@0: return -1; michael@0: } michael@0: rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); michael@0: if (rv != SECSuccess) { michael@0: return -1; michael@0: } michael@0: rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.nextProto.len + 1, 2); michael@0: if (rv != SECSuccess) { michael@0: return -1; michael@0: } michael@0: rv = ssl3_AppendHandshakeVariable(ss, ss->ssl3.nextProto.data, michael@0: ss->ssl3.nextProto.len, 1); michael@0: if (rv != SECSuccess) { michael@0: return -1; michael@0: } michael@0: } else if (maxBytes < extension_length) { michael@0: return 0; michael@0: } michael@0: michael@0: return extension_length; michael@0: } michael@0: michael@0: static SECStatus michael@0: ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type, michael@0: SECItem *data) michael@0: { michael@0: /* The echoed extension must be empty. */ michael@0: if (data->len != 0) michael@0: return SECFailure; michael@0: michael@0: /* Keep track of negotiated extensions. */ michael@0: ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; michael@0: michael@0: return SECSuccess; michael@0: } michael@0: michael@0: static PRInt32 michael@0: ssl3_ServerSendStatusRequestXtn( michael@0: sslSocket * ss, michael@0: PRBool append, michael@0: PRUint32 maxBytes) michael@0: { michael@0: PRInt32 extension_length; michael@0: SECStatus rv; michael@0: int i; michael@0: PRBool haveStatus = PR_FALSE; michael@0: michael@0: for (i = kt_null; i < kt_kea_size; i++) { michael@0: /* TODO: This is a temporary workaround. michael@0: * The correct code needs to see if we have an OCSP response for michael@0: * the server certificate being used, rather than if we have any michael@0: * OCSP response. See also ssl3_SendCertificateStatus. michael@0: */ michael@0: if (ss->certStatusArray[i] && ss->certStatusArray[i]->len) { michael@0: haveStatus = PR_TRUE; michael@0: break; michael@0: } michael@0: } michael@0: if (!haveStatus) michael@0: return 0; michael@0: michael@0: extension_length = 2 + 2; michael@0: if (append && maxBytes >= extension_length) { michael@0: /* extension_type */ michael@0: rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2); michael@0: if (rv != SECSuccess) michael@0: return -1; michael@0: /* length of extension_data */ michael@0: rv = ssl3_AppendHandshakeNumber(ss, 0, 2); michael@0: if (rv != SECSuccess) michael@0: return -1; michael@0: } michael@0: michael@0: return extension_length; michael@0: } michael@0: michael@0: /* ssl3_ClientSendStatusRequestXtn builds the status_request extension on the michael@0: * client side. See RFC 4366 section 3.6. */ michael@0: static PRInt32 michael@0: ssl3_ClientSendStatusRequestXtn(sslSocket * ss, PRBool append, michael@0: PRUint32 maxBytes) michael@0: { michael@0: PRInt32 extension_length; michael@0: michael@0: if (!ss->opt.enableOCSPStapling) michael@0: return 0; michael@0: michael@0: /* extension_type (2-bytes) + michael@0: * length(extension_data) (2-bytes) + michael@0: * status_type (1) + michael@0: * responder_id_list length (2) + michael@0: * request_extensions length (2) michael@0: */ michael@0: extension_length = 9; michael@0: michael@0: if (append && maxBytes >= extension_length) { michael@0: SECStatus rv; michael@0: TLSExtensionData *xtnData; michael@0: michael@0: /* extension_type */ michael@0: rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2); michael@0: if (rv != SECSuccess) michael@0: return -1; michael@0: rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); michael@0: if (rv != SECSuccess) michael@0: return -1; michael@0: rv = ssl3_AppendHandshakeNumber(ss, 1 /* status_type ocsp */, 1); michael@0: if (rv != SECSuccess) michael@0: return -1; michael@0: /* A zero length responder_id_list means that the responders are michael@0: * implicitly known to the server. */ michael@0: rv = ssl3_AppendHandshakeNumber(ss, 0, 2); michael@0: if (rv != SECSuccess) michael@0: return -1; michael@0: /* A zero length request_extensions means that there are no extensions. michael@0: * Specifically, we don't set the id-pkix-ocsp-nonce extension. This michael@0: * means that the server can replay a cached OCSP response to us. */ michael@0: rv = ssl3_AppendHandshakeNumber(ss, 0, 2); michael@0: if (rv != SECSuccess) michael@0: return -1; michael@0: michael@0: xtnData = &ss->xtnData; michael@0: xtnData->advertised[xtnData->numAdvertised++] = ssl_cert_status_xtn; michael@0: } else if (maxBytes < extension_length) { michael@0: PORT_Assert(0); michael@0: return 0; michael@0: } michael@0: return extension_length; michael@0: } michael@0: michael@0: /* michael@0: * NewSessionTicket michael@0: * Called from ssl3_HandleFinished michael@0: */ michael@0: SECStatus michael@0: ssl3_SendNewSessionTicket(sslSocket *ss) michael@0: { michael@0: int i; michael@0: SECStatus rv; michael@0: NewSessionTicket ticket; michael@0: SECItem plaintext; michael@0: SECItem plaintext_item = {0, NULL, 0}; michael@0: SECItem ciphertext = {0, NULL, 0}; michael@0: PRUint32 ciphertext_length; michael@0: PRBool ms_is_wrapped; michael@0: unsigned char wrapped_ms[SSL3_MASTER_SECRET_LENGTH]; michael@0: SECItem ms_item = {0, NULL, 0}; michael@0: SSL3KEAType effectiveExchKeyType = ssl_kea_null; michael@0: PRUint32 padding_length; michael@0: PRUint32 message_length; michael@0: PRUint32 cert_length; michael@0: PRUint8 length_buf[4]; michael@0: PRUint32 now; michael@0: PK11SymKey *aes_key_pkcs11; michael@0: PK11SymKey *mac_key_pkcs11; michael@0: #ifndef NO_PKCS11_BYPASS michael@0: const unsigned char *aes_key; michael@0: const unsigned char *mac_key; michael@0: PRUint32 aes_key_length; michael@0: PRUint32 mac_key_length; michael@0: PRUint64 aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS]; michael@0: AESContext *aes_ctx; michael@0: const SECHashObject *hashObj = NULL; michael@0: PRUint64 hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS]; michael@0: HMACContext *hmac_ctx; michael@0: #endif michael@0: CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC; michael@0: PK11Context *aes_ctx_pkcs11; michael@0: CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC; michael@0: PK11Context *hmac_ctx_pkcs11; michael@0: unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH]; michael@0: unsigned int computed_mac_length; michael@0: unsigned char iv[AES_BLOCK_SIZE]; michael@0: SECItem ivItem; michael@0: SECItem *srvName = NULL; michael@0: PRUint32 srvNameLen = 0; michael@0: CK_MECHANISM_TYPE msWrapMech = 0; /* dummy default value, michael@0: * must be >= 0 */ michael@0: michael@0: SSL_TRC(3, ("%d: SSL3[%d]: send session_ticket handshake", michael@0: SSL_GETPID(), ss->fd)); michael@0: michael@0: PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); michael@0: PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); michael@0: michael@0: ticket.ticket_lifetime_hint = TLS_EX_SESS_TICKET_LIFETIME_HINT; michael@0: cert_length = (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) ? michael@0: 3 + ss->sec.ci.sid->peerCert->derCert.len : 0; michael@0: michael@0: /* Get IV and encryption keys */ michael@0: ivItem.data = iv; michael@0: ivItem.len = sizeof(iv); michael@0: rv = PK11_GenerateRandom(iv, sizeof(iv)); michael@0: if (rv != SECSuccess) goto loser; michael@0: michael@0: #ifndef NO_PKCS11_BYPASS michael@0: if (ss->opt.bypassPKCS11) { michael@0: rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length, michael@0: &mac_key, &mac_key_length); michael@0: } else michael@0: #endif michael@0: { michael@0: rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11, michael@0: &mac_key_pkcs11); michael@0: } michael@0: if (rv != SECSuccess) goto loser; michael@0: michael@0: if (ss->ssl3.pwSpec->msItem.len && ss->ssl3.pwSpec->msItem.data) { michael@0: /* The master secret is available unwrapped. */ michael@0: ms_item.data = ss->ssl3.pwSpec->msItem.data; michael@0: ms_item.len = ss->ssl3.pwSpec->msItem.len; michael@0: ms_is_wrapped = PR_FALSE; michael@0: } else { michael@0: /* Extract the master secret wrapped. */ michael@0: sslSessionID sid; michael@0: PORT_Memset(&sid, 0, sizeof(sslSessionID)); michael@0: michael@0: if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) { michael@0: effectiveExchKeyType = kt_rsa; michael@0: } else { michael@0: effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType; michael@0: } michael@0: michael@0: rv = ssl3_CacheWrappedMasterSecret(ss, &sid, ss->ssl3.pwSpec, michael@0: effectiveExchKeyType); michael@0: if (rv == SECSuccess) { michael@0: if (sid.u.ssl3.keys.wrapped_master_secret_len > sizeof(wrapped_ms)) michael@0: goto loser; michael@0: memcpy(wrapped_ms, sid.u.ssl3.keys.wrapped_master_secret, michael@0: sid.u.ssl3.keys.wrapped_master_secret_len); michael@0: ms_item.data = wrapped_ms; michael@0: ms_item.len = sid.u.ssl3.keys.wrapped_master_secret_len; michael@0: msWrapMech = sid.u.ssl3.masterWrapMech; michael@0: } else { michael@0: /* TODO: else send an empty ticket. */ michael@0: goto loser; michael@0: } michael@0: ms_is_wrapped = PR_TRUE; michael@0: } michael@0: /* Prep to send negotiated name */ michael@0: srvName = &ss->ssl3.pwSpec->srvVirtName; michael@0: if (srvName->data && srvName->len) { michael@0: srvNameLen = 2 + srvName->len; /* len bytes + name len */ michael@0: } michael@0: michael@0: ciphertext_length = michael@0: sizeof(PRUint16) /* ticket_version */ michael@0: + sizeof(SSL3ProtocolVersion) /* ssl_version */ michael@0: + sizeof(ssl3CipherSuite) /* ciphersuite */ michael@0: + 1 /* compression */ michael@0: + 10 /* cipher spec parameters */ michael@0: + 1 /* SessionTicket.ms_is_wrapped */ michael@0: + 1 /* effectiveExchKeyType */ michael@0: + 4 /* msWrapMech */ michael@0: + 2 /* master_secret.length */ michael@0: + ms_item.len /* master_secret */ michael@0: + 1 /* client_auth_type */ michael@0: + cert_length /* cert */ michael@0: + 1 /* server name type */ michael@0: + srvNameLen /* name len + length field */ michael@0: + sizeof(ticket.ticket_lifetime_hint); michael@0: padding_length = AES_BLOCK_SIZE - michael@0: (ciphertext_length % AES_BLOCK_SIZE); michael@0: ciphertext_length += padding_length; michael@0: michael@0: message_length = michael@0: sizeof(ticket.ticket_lifetime_hint) /* ticket_lifetime_hint */ michael@0: + 2 /* length field for NewSessionTicket.ticket */ michael@0: + SESS_TICKET_KEY_NAME_LEN /* key_name */ michael@0: + AES_BLOCK_SIZE /* iv */ michael@0: + 2 /* length field for NewSessionTicket.ticket.encrypted_state */ michael@0: + ciphertext_length /* encrypted_state */ michael@0: + TLS_EX_SESS_TICKET_MAC_LENGTH; /* mac */ michael@0: michael@0: if (SECITEM_AllocItem(NULL, &plaintext_item, ciphertext_length) == NULL) michael@0: goto loser; michael@0: michael@0: plaintext = plaintext_item; michael@0: michael@0: /* ticket_version */ michael@0: rv = ssl3_AppendNumberToItem(&plaintext, TLS_EX_SESS_TICKET_VERSION, michael@0: sizeof(PRUint16)); michael@0: if (rv != SECSuccess) goto loser; michael@0: michael@0: /* ssl_version */ michael@0: rv = ssl3_AppendNumberToItem(&plaintext, ss->version, michael@0: sizeof(SSL3ProtocolVersion)); michael@0: if (rv != SECSuccess) goto loser; michael@0: michael@0: /* ciphersuite */ michael@0: rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.cipher_suite, michael@0: sizeof(ssl3CipherSuite)); michael@0: if (rv != SECSuccess) goto loser; michael@0: michael@0: /* compression */ michael@0: rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.compression, 1); michael@0: if (rv != SECSuccess) goto loser; michael@0: michael@0: /* cipher spec parameters */ michael@0: rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authAlgorithm, 1); michael@0: if (rv != SECSuccess) goto loser; michael@0: rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authKeyBits, 4); michael@0: if (rv != SECSuccess) goto loser; michael@0: rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaType, 1); michael@0: if (rv != SECSuccess) goto loser; michael@0: rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaKeyBits, 4); michael@0: if (rv != SECSuccess) goto loser; michael@0: michael@0: /* master_secret */ michael@0: rv = ssl3_AppendNumberToItem(&plaintext, ms_is_wrapped, 1); michael@0: if (rv != SECSuccess) goto loser; michael@0: rv = ssl3_AppendNumberToItem(&plaintext, effectiveExchKeyType, 1); michael@0: if (rv != SECSuccess) goto loser; michael@0: rv = ssl3_AppendNumberToItem(&plaintext, msWrapMech, 4); michael@0: if (rv != SECSuccess) goto loser; michael@0: rv = ssl3_AppendNumberToItem(&plaintext, ms_item.len, 2); michael@0: if (rv != SECSuccess) goto loser; michael@0: rv = ssl3_AppendToItem(&plaintext, ms_item.data, ms_item.len); michael@0: if (rv != SECSuccess) goto loser; michael@0: michael@0: /* client_identity */ michael@0: if (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) { michael@0: rv = ssl3_AppendNumberToItem(&plaintext, CLIENT_AUTH_CERTIFICATE, 1); michael@0: if (rv != SECSuccess) goto loser; michael@0: rv = ssl3_AppendNumberToItem(&plaintext, michael@0: ss->sec.ci.sid->peerCert->derCert.len, 3); michael@0: if (rv != SECSuccess) goto loser; michael@0: rv = ssl3_AppendToItem(&plaintext, michael@0: ss->sec.ci.sid->peerCert->derCert.data, michael@0: ss->sec.ci.sid->peerCert->derCert.len); michael@0: if (rv != SECSuccess) goto loser; michael@0: } else { michael@0: rv = ssl3_AppendNumberToItem(&plaintext, 0, 1); michael@0: if (rv != SECSuccess) goto loser; michael@0: } michael@0: michael@0: /* timestamp */ michael@0: now = ssl_Time(); michael@0: rv = ssl3_AppendNumberToItem(&plaintext, now, michael@0: sizeof(ticket.ticket_lifetime_hint)); michael@0: if (rv != SECSuccess) goto loser; michael@0: michael@0: if (srvNameLen) { michael@0: /* Name Type (sni_host_name) */ michael@0: rv = ssl3_AppendNumberToItem(&plaintext, srvName->type, 1); michael@0: if (rv != SECSuccess) goto loser; michael@0: /* HostName (length and value) */ michael@0: rv = ssl3_AppendNumberToItem(&plaintext, srvName->len, 2); michael@0: if (rv != SECSuccess) goto loser; michael@0: rv = ssl3_AppendToItem(&plaintext, srvName->data, srvName->len); michael@0: if (rv != SECSuccess) goto loser; michael@0: } else { michael@0: /* No Name */ michael@0: rv = ssl3_AppendNumberToItem(&plaintext, (char)TLS_STE_NO_SERVER_NAME, michael@0: 1); michael@0: if (rv != SECSuccess) goto loser; michael@0: } michael@0: michael@0: PORT_Assert(plaintext.len == padding_length); michael@0: for (i = 0; i < padding_length; i++) michael@0: plaintext.data[i] = (unsigned char)padding_length; michael@0: michael@0: if (SECITEM_AllocItem(NULL, &ciphertext, ciphertext_length) == NULL) { michael@0: rv = SECFailure; michael@0: goto loser; michael@0: } michael@0: michael@0: /* Generate encrypted portion of ticket. */ michael@0: #ifndef NO_PKCS11_BYPASS michael@0: if (ss->opt.bypassPKCS11) { michael@0: aes_ctx = (AESContext *)aes_ctx_buf; michael@0: rv = AES_InitContext(aes_ctx, aes_key, aes_key_length, iv, michael@0: NSS_AES_CBC, 1, AES_BLOCK_SIZE); michael@0: if (rv != SECSuccess) goto loser; michael@0: michael@0: rv = AES_Encrypt(aes_ctx, ciphertext.data, &ciphertext.len, michael@0: ciphertext.len, plaintext_item.data, michael@0: plaintext_item.len); michael@0: if (rv != SECSuccess) goto loser; michael@0: } else michael@0: #endif michael@0: { michael@0: aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech, michael@0: CKA_ENCRYPT, aes_key_pkcs11, &ivItem); michael@0: if (!aes_ctx_pkcs11) michael@0: goto loser; michael@0: michael@0: rv = PK11_CipherOp(aes_ctx_pkcs11, ciphertext.data, michael@0: (int *)&ciphertext.len, ciphertext.len, michael@0: plaintext_item.data, plaintext_item.len); michael@0: PK11_Finalize(aes_ctx_pkcs11); michael@0: PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE); michael@0: if (rv != SECSuccess) goto loser; michael@0: } michael@0: michael@0: /* Convert ciphertext length to network order. */ michael@0: length_buf[0] = (ciphertext.len >> 8) & 0xff; michael@0: length_buf[1] = (ciphertext.len ) & 0xff; michael@0: michael@0: /* Compute MAC. */ michael@0: #ifndef NO_PKCS11_BYPASS michael@0: if (ss->opt.bypassPKCS11) { michael@0: hmac_ctx = (HMACContext *)hmac_ctx_buf; michael@0: hashObj = HASH_GetRawHashObject(HASH_AlgSHA256); michael@0: if (HMAC_Init(hmac_ctx, hashObj, mac_key, michael@0: mac_key_length, PR_FALSE) != SECSuccess) michael@0: goto loser; michael@0: michael@0: HMAC_Begin(hmac_ctx); michael@0: HMAC_Update(hmac_ctx, key_name, SESS_TICKET_KEY_NAME_LEN); michael@0: HMAC_Update(hmac_ctx, iv, sizeof(iv)); michael@0: HMAC_Update(hmac_ctx, (unsigned char *)length_buf, 2); michael@0: HMAC_Update(hmac_ctx, ciphertext.data, ciphertext.len); michael@0: HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length, michael@0: sizeof(computed_mac)); michael@0: } else michael@0: #endif michael@0: { michael@0: SECItem macParam; michael@0: macParam.data = NULL; michael@0: macParam.len = 0; michael@0: hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech, michael@0: CKA_SIGN, mac_key_pkcs11, &macParam); michael@0: if (!hmac_ctx_pkcs11) michael@0: goto loser; michael@0: michael@0: rv = PK11_DigestBegin(hmac_ctx_pkcs11); michael@0: rv = PK11_DigestOp(hmac_ctx_pkcs11, key_name, michael@0: SESS_TICKET_KEY_NAME_LEN); michael@0: rv = PK11_DigestOp(hmac_ctx_pkcs11, iv, sizeof(iv)); michael@0: rv = PK11_DigestOp(hmac_ctx_pkcs11, (unsigned char *)length_buf, 2); michael@0: rv = PK11_DigestOp(hmac_ctx_pkcs11, ciphertext.data, ciphertext.len); michael@0: rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac, michael@0: &computed_mac_length, sizeof(computed_mac)); michael@0: PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); michael@0: if (rv != SECSuccess) goto loser; michael@0: } michael@0: michael@0: /* Serialize the handshake message. */ michael@0: rv = ssl3_AppendHandshakeHeader(ss, new_session_ticket, message_length); michael@0: if (rv != SECSuccess) goto loser; michael@0: michael@0: rv = ssl3_AppendHandshakeNumber(ss, ticket.ticket_lifetime_hint, michael@0: sizeof(ticket.ticket_lifetime_hint)); michael@0: if (rv != SECSuccess) goto loser; michael@0: michael@0: rv = ssl3_AppendHandshakeNumber(ss, michael@0: message_length - sizeof(ticket.ticket_lifetime_hint) - 2, 2); michael@0: if (rv != SECSuccess) goto loser; michael@0: michael@0: rv = ssl3_AppendHandshake(ss, key_name, SESS_TICKET_KEY_NAME_LEN); michael@0: if (rv != SECSuccess) goto loser; michael@0: michael@0: rv = ssl3_AppendHandshake(ss, iv, sizeof(iv)); michael@0: if (rv != SECSuccess) goto loser; michael@0: michael@0: rv = ssl3_AppendHandshakeVariable(ss, ciphertext.data, ciphertext.len, 2); michael@0: if (rv != SECSuccess) goto loser; michael@0: michael@0: rv = ssl3_AppendHandshake(ss, computed_mac, computed_mac_length); michael@0: if (rv != SECSuccess) goto loser; michael@0: michael@0: loser: michael@0: if (plaintext_item.data) michael@0: SECITEM_FreeItem(&plaintext_item, PR_FALSE); michael@0: if (ciphertext.data) michael@0: SECITEM_FreeItem(&ciphertext, PR_FALSE); michael@0: michael@0: return rv; michael@0: } michael@0: michael@0: /* When a client receives a SessionTicket extension a NewSessionTicket michael@0: * message is expected during the handshake. michael@0: */ michael@0: SECStatus michael@0: ssl3_ClientHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type, michael@0: SECItem *data) michael@0: { michael@0: if (data->len != 0) michael@0: return SECFailure; michael@0: michael@0: /* Keep track of negotiated extensions. */ michael@0: ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; michael@0: return SECSuccess; michael@0: } michael@0: michael@0: SECStatus michael@0: ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type, michael@0: SECItem *data) michael@0: { michael@0: SECStatus rv; michael@0: SECItem *decrypted_state = NULL; michael@0: SessionTicket *parsed_session_ticket = NULL; michael@0: sslSessionID *sid = NULL; michael@0: SSL3Statistics *ssl3stats; michael@0: michael@0: /* Ignore the SessionTicket extension if processing is disabled. */ michael@0: if (!ss->opt.enableSessionTickets) michael@0: return SECSuccess; michael@0: michael@0: /* Keep track of negotiated extensions. */ michael@0: ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; michael@0: michael@0: /* Parse the received ticket sent in by the client. We are michael@0: * lenient about some parse errors, falling back to a fullshake michael@0: * instead of terminating the current connection. michael@0: */ michael@0: if (data->len == 0) { michael@0: ss->xtnData.emptySessionTicket = PR_TRUE; michael@0: } else { michael@0: int i; michael@0: SECItem extension_data; michael@0: EncryptedSessionTicket enc_session_ticket; michael@0: unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH]; michael@0: unsigned int computed_mac_length; michael@0: #ifndef NO_PKCS11_BYPASS michael@0: const SECHashObject *hashObj; michael@0: const unsigned char *aes_key; michael@0: const unsigned char *mac_key; michael@0: PRUint32 aes_key_length; michael@0: PRUint32 mac_key_length; michael@0: PRUint64 hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS]; michael@0: HMACContext *hmac_ctx; michael@0: PRUint64 aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS]; michael@0: AESContext *aes_ctx; michael@0: #endif michael@0: PK11SymKey *aes_key_pkcs11; michael@0: PK11SymKey *mac_key_pkcs11; michael@0: PK11Context *hmac_ctx_pkcs11; michael@0: CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC; michael@0: PK11Context *aes_ctx_pkcs11; michael@0: CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC; michael@0: unsigned char * padding; michael@0: PRUint32 padding_length; michael@0: unsigned char *buffer; michael@0: unsigned int buffer_len; michael@0: PRInt32 temp; michael@0: SECItem cert_item; michael@0: PRInt8 nameType = TLS_STE_NO_SERVER_NAME; michael@0: michael@0: /* Turn off stateless session resumption if the client sends a michael@0: * SessionTicket extension, even if the extension turns out to be michael@0: * malformed (ss->sec.ci.sid is non-NULL when doing session michael@0: * renegotiation.) michael@0: */ michael@0: if (ss->sec.ci.sid != NULL) { michael@0: if (ss->sec.uncache) michael@0: ss->sec.uncache(ss->sec.ci.sid); michael@0: ssl_FreeSID(ss->sec.ci.sid); michael@0: ss->sec.ci.sid = NULL; michael@0: } michael@0: michael@0: extension_data.data = data->data; /* Keep a copy for future use. */ michael@0: extension_data.len = data->len; michael@0: michael@0: if (ssl3_ParseEncryptedSessionTicket(ss, data, &enc_session_ticket) michael@0: != SECSuccess) michael@0: return SECFailure; michael@0: michael@0: /* Get session ticket keys. */ michael@0: #ifndef NO_PKCS11_BYPASS michael@0: if (ss->opt.bypassPKCS11) { michael@0: rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length, michael@0: &mac_key, &mac_key_length); michael@0: } else michael@0: #endif michael@0: { michael@0: rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11, michael@0: &mac_key_pkcs11); michael@0: } michael@0: if (rv != SECSuccess) { michael@0: SSL_DBG(("%d: SSL[%d]: Unable to get/generate session ticket keys.", michael@0: SSL_GETPID(), ss->fd)); michael@0: goto loser; michael@0: } michael@0: michael@0: /* If the ticket sent by the client was generated under a key different michael@0: * from the one we have, bypass ticket processing. michael@0: */ michael@0: if (PORT_Memcmp(enc_session_ticket.key_name, key_name, michael@0: SESS_TICKET_KEY_NAME_LEN) != 0) { michael@0: SSL_DBG(("%d: SSL[%d]: Session ticket key_name sent mismatch.", michael@0: SSL_GETPID(), ss->fd)); michael@0: goto no_ticket; michael@0: } michael@0: michael@0: /* Verify the MAC on the ticket. MAC verification may also michael@0: * fail if the MAC key has been recently refreshed. michael@0: */ michael@0: #ifndef NO_PKCS11_BYPASS michael@0: if (ss->opt.bypassPKCS11) { michael@0: hmac_ctx = (HMACContext *)hmac_ctx_buf; michael@0: hashObj = HASH_GetRawHashObject(HASH_AlgSHA256); michael@0: if (HMAC_Init(hmac_ctx, hashObj, mac_key, michael@0: sizeof(session_ticket_mac_key), PR_FALSE) != SECSuccess) michael@0: goto no_ticket; michael@0: HMAC_Begin(hmac_ctx); michael@0: HMAC_Update(hmac_ctx, extension_data.data, michael@0: extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH); michael@0: if (HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length, michael@0: sizeof(computed_mac)) != SECSuccess) michael@0: goto no_ticket; michael@0: } else michael@0: #endif michael@0: { michael@0: SECItem macParam; michael@0: macParam.data = NULL; michael@0: macParam.len = 0; michael@0: hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech, michael@0: CKA_SIGN, mac_key_pkcs11, &macParam); michael@0: if (!hmac_ctx_pkcs11) { michael@0: SSL_DBG(("%d: SSL[%d]: Unable to create HMAC context: %d.", michael@0: SSL_GETPID(), ss->fd, PORT_GetError())); michael@0: goto no_ticket; michael@0: } else { michael@0: SSL_DBG(("%d: SSL[%d]: Successfully created HMAC context.", michael@0: SSL_GETPID(), ss->fd)); michael@0: } michael@0: rv = PK11_DigestBegin(hmac_ctx_pkcs11); michael@0: rv = PK11_DigestOp(hmac_ctx_pkcs11, extension_data.data, michael@0: extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH); michael@0: if (rv != SECSuccess) { michael@0: PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); michael@0: goto no_ticket; michael@0: } michael@0: rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac, michael@0: &computed_mac_length, sizeof(computed_mac)); michael@0: PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); michael@0: if (rv != SECSuccess) michael@0: goto no_ticket; michael@0: } michael@0: if (NSS_SecureMemcmp(computed_mac, enc_session_ticket.mac, michael@0: computed_mac_length) != 0) { michael@0: SSL_DBG(("%d: SSL[%d]: Session ticket MAC mismatch.", michael@0: SSL_GETPID(), ss->fd)); michael@0: goto no_ticket; michael@0: } michael@0: michael@0: /* We ignore key_name for now. michael@0: * This is ok as MAC verification succeeded. michael@0: */ michael@0: michael@0: /* Decrypt the ticket. */ michael@0: michael@0: /* Plaintext is shorter than the ciphertext due to padding. */ michael@0: decrypted_state = SECITEM_AllocItem(NULL, NULL, michael@0: enc_session_ticket.encrypted_state.len); michael@0: michael@0: #ifndef NO_PKCS11_BYPASS michael@0: if (ss->opt.bypassPKCS11) { michael@0: aes_ctx = (AESContext *)aes_ctx_buf; michael@0: rv = AES_InitContext(aes_ctx, aes_key, michael@0: sizeof(session_ticket_enc_key), enc_session_ticket.iv, michael@0: NSS_AES_CBC, 0,AES_BLOCK_SIZE); michael@0: if (rv != SECSuccess) { michael@0: SSL_DBG(("%d: SSL[%d]: Unable to create AES context.", michael@0: SSL_GETPID(), ss->fd)); michael@0: goto no_ticket; michael@0: } michael@0: michael@0: rv = AES_Decrypt(aes_ctx, decrypted_state->data, michael@0: &decrypted_state->len, decrypted_state->len, michael@0: enc_session_ticket.encrypted_state.data, michael@0: enc_session_ticket.encrypted_state.len); michael@0: if (rv != SECSuccess) michael@0: goto no_ticket; michael@0: } else michael@0: #endif michael@0: { michael@0: SECItem ivItem; michael@0: ivItem.data = enc_session_ticket.iv; michael@0: ivItem.len = AES_BLOCK_SIZE; michael@0: aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech, michael@0: CKA_DECRYPT, aes_key_pkcs11, &ivItem); michael@0: if (!aes_ctx_pkcs11) { michael@0: SSL_DBG(("%d: SSL[%d]: Unable to create AES context.", michael@0: SSL_GETPID(), ss->fd)); michael@0: goto no_ticket; michael@0: } michael@0: michael@0: rv = PK11_CipherOp(aes_ctx_pkcs11, decrypted_state->data, michael@0: (int *)&decrypted_state->len, decrypted_state->len, michael@0: enc_session_ticket.encrypted_state.data, michael@0: enc_session_ticket.encrypted_state.len); michael@0: PK11_Finalize(aes_ctx_pkcs11); michael@0: PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE); michael@0: if (rv != SECSuccess) michael@0: goto no_ticket; michael@0: } michael@0: michael@0: /* Check padding. */ michael@0: padding_length = michael@0: (PRUint32)decrypted_state->data[decrypted_state->len - 1]; michael@0: if (padding_length == 0 || padding_length > AES_BLOCK_SIZE) michael@0: goto no_ticket; michael@0: michael@0: padding = &decrypted_state->data[decrypted_state->len - padding_length]; michael@0: for (i = 0; i < padding_length; i++, padding++) { michael@0: if (padding_length != (PRUint32)*padding) michael@0: goto no_ticket; michael@0: } michael@0: michael@0: /* Deserialize session state. */ michael@0: buffer = decrypted_state->data; michael@0: buffer_len = decrypted_state->len; michael@0: michael@0: parsed_session_ticket = PORT_ZAlloc(sizeof(SessionTicket)); michael@0: if (parsed_session_ticket == NULL) { michael@0: rv = SECFailure; michael@0: goto loser; michael@0: } michael@0: michael@0: /* Read ticket_version (which is ignored for now.) */ michael@0: temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); michael@0: if (temp < 0) goto no_ticket; michael@0: parsed_session_ticket->ticket_version = (SSL3ProtocolVersion)temp; michael@0: michael@0: /* Read SSLVersion. */ michael@0: temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); michael@0: if (temp < 0) goto no_ticket; michael@0: parsed_session_ticket->ssl_version = (SSL3ProtocolVersion)temp; michael@0: michael@0: /* Read cipher_suite. */ michael@0: temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); michael@0: if (temp < 0) goto no_ticket; michael@0: parsed_session_ticket->cipher_suite = (ssl3CipherSuite)temp; michael@0: michael@0: /* Read compression_method. */ michael@0: temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); michael@0: if (temp < 0) goto no_ticket; michael@0: parsed_session_ticket->compression_method = (SSLCompressionMethod)temp; michael@0: michael@0: /* Read cipher spec parameters. */ michael@0: temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); michael@0: if (temp < 0) goto no_ticket; michael@0: parsed_session_ticket->authAlgorithm = (SSLSignType)temp; michael@0: temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); michael@0: if (temp < 0) goto no_ticket; michael@0: parsed_session_ticket->authKeyBits = (PRUint32)temp; michael@0: temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); michael@0: if (temp < 0) goto no_ticket; michael@0: parsed_session_ticket->keaType = (SSLKEAType)temp; michael@0: temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); michael@0: if (temp < 0) goto no_ticket; michael@0: parsed_session_ticket->keaKeyBits = (PRUint32)temp; michael@0: michael@0: /* Read wrapped master_secret. */ michael@0: temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); michael@0: if (temp < 0) goto no_ticket; michael@0: parsed_session_ticket->ms_is_wrapped = (PRBool)temp; michael@0: michael@0: temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); michael@0: if (temp < 0) goto no_ticket; michael@0: parsed_session_ticket->exchKeyType = (SSL3KEAType)temp; michael@0: michael@0: temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); michael@0: if (temp < 0) goto no_ticket; michael@0: parsed_session_ticket->msWrapMech = (CK_MECHANISM_TYPE)temp; michael@0: michael@0: temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); michael@0: if (temp < 0) goto no_ticket; michael@0: parsed_session_ticket->ms_length = (PRUint16)temp; michael@0: if (parsed_session_ticket->ms_length == 0 || /* sanity check MS. */ michael@0: parsed_session_ticket->ms_length > michael@0: sizeof(parsed_session_ticket->master_secret)) michael@0: goto no_ticket; michael@0: michael@0: /* Allow for the wrapped master secret to be longer. */ michael@0: if (buffer_len < parsed_session_ticket->ms_length) michael@0: goto no_ticket; michael@0: PORT_Memcpy(parsed_session_ticket->master_secret, buffer, michael@0: parsed_session_ticket->ms_length); michael@0: buffer += parsed_session_ticket->ms_length; michael@0: buffer_len -= parsed_session_ticket->ms_length; michael@0: michael@0: /* Read client_identity */ michael@0: temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); michael@0: if (temp < 0) michael@0: goto no_ticket; michael@0: parsed_session_ticket->client_identity.client_auth_type = michael@0: (ClientAuthenticationType)temp; michael@0: switch(parsed_session_ticket->client_identity.client_auth_type) { michael@0: case CLIENT_AUTH_ANONYMOUS: michael@0: break; michael@0: case CLIENT_AUTH_CERTIFICATE: michael@0: rv = ssl3_ConsumeHandshakeVariable(ss, &cert_item, 3, michael@0: &buffer, &buffer_len); michael@0: if (rv != SECSuccess) goto no_ticket; michael@0: rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->peer_cert, michael@0: &cert_item); michael@0: if (rv != SECSuccess) goto no_ticket; michael@0: break; michael@0: default: michael@0: goto no_ticket; michael@0: } michael@0: /* Read timestamp. */ michael@0: temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); michael@0: if (temp < 0) michael@0: goto no_ticket; michael@0: parsed_session_ticket->timestamp = (PRUint32)temp; michael@0: michael@0: /* Read server name */ michael@0: nameType = michael@0: ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); michael@0: if (nameType != TLS_STE_NO_SERVER_NAME) { michael@0: SECItem name_item; michael@0: rv = ssl3_ConsumeHandshakeVariable(ss, &name_item, 2, &buffer, michael@0: &buffer_len); michael@0: if (rv != SECSuccess) goto no_ticket; michael@0: rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->srvName, michael@0: &name_item); michael@0: if (rv != SECSuccess) goto no_ticket; michael@0: parsed_session_ticket->srvName.type = nameType; michael@0: } michael@0: michael@0: /* Done parsing. Check that all bytes have been consumed. */ michael@0: if (buffer_len != padding_length) michael@0: goto no_ticket; michael@0: michael@0: /* Use the ticket if it has not expired, otherwise free the allocated michael@0: * memory since the ticket is of no use. michael@0: */ michael@0: if (parsed_session_ticket->timestamp != 0 && michael@0: parsed_session_ticket->timestamp + michael@0: TLS_EX_SESS_TICKET_LIFETIME_HINT > ssl_Time()) { michael@0: michael@0: sid = ssl3_NewSessionID(ss, PR_TRUE); michael@0: if (sid == NULL) { michael@0: rv = SECFailure; michael@0: goto loser; michael@0: } michael@0: michael@0: /* Copy over parameters. */ michael@0: sid->version = parsed_session_ticket->ssl_version; michael@0: sid->u.ssl3.cipherSuite = parsed_session_ticket->cipher_suite; michael@0: sid->u.ssl3.compression = parsed_session_ticket->compression_method; michael@0: sid->authAlgorithm = parsed_session_ticket->authAlgorithm; michael@0: sid->authKeyBits = parsed_session_ticket->authKeyBits; michael@0: sid->keaType = parsed_session_ticket->keaType; michael@0: sid->keaKeyBits = parsed_session_ticket->keaKeyBits; michael@0: michael@0: /* Copy master secret. */ michael@0: #ifndef NO_PKCS11_BYPASS michael@0: if (ss->opt.bypassPKCS11 && michael@0: parsed_session_ticket->ms_is_wrapped) michael@0: goto no_ticket; michael@0: #endif michael@0: if (parsed_session_ticket->ms_length > michael@0: sizeof(sid->u.ssl3.keys.wrapped_master_secret)) michael@0: goto no_ticket; michael@0: PORT_Memcpy(sid->u.ssl3.keys.wrapped_master_secret, michael@0: parsed_session_ticket->master_secret, michael@0: parsed_session_ticket->ms_length); michael@0: sid->u.ssl3.keys.wrapped_master_secret_len = michael@0: parsed_session_ticket->ms_length; michael@0: sid->u.ssl3.exchKeyType = parsed_session_ticket->exchKeyType; michael@0: sid->u.ssl3.masterWrapMech = parsed_session_ticket->msWrapMech; michael@0: sid->u.ssl3.keys.msIsWrapped = michael@0: parsed_session_ticket->ms_is_wrapped; michael@0: sid->u.ssl3.masterValid = PR_TRUE; michael@0: sid->u.ssl3.keys.resumable = PR_TRUE; michael@0: michael@0: /* Copy over client cert from session ticket if there is one. */ michael@0: if (parsed_session_ticket->peer_cert.data != NULL) { michael@0: if (sid->peerCert != NULL) michael@0: CERT_DestroyCertificate(sid->peerCert); michael@0: sid->peerCert = CERT_NewTempCertificate(ss->dbHandle, michael@0: &parsed_session_ticket->peer_cert, NULL, PR_FALSE, PR_TRUE); michael@0: if (sid->peerCert == NULL) { michael@0: rv = SECFailure; michael@0: goto loser; michael@0: } michael@0: } michael@0: if (parsed_session_ticket->srvName.data != NULL) { michael@0: sid->u.ssl3.srvName = parsed_session_ticket->srvName; michael@0: } michael@0: ss->statelessResume = PR_TRUE; michael@0: ss->sec.ci.sid = sid; michael@0: } michael@0: } michael@0: michael@0: if (0) { michael@0: no_ticket: michael@0: SSL_DBG(("%d: SSL[%d]: Session ticket parsing failed.", michael@0: SSL_GETPID(), ss->fd)); michael@0: ssl3stats = SSL_GetStatistics(); michael@0: SSL_AtomicIncrementLong(& ssl3stats->hch_sid_ticket_parse_failures ); michael@0: } michael@0: rv = SECSuccess; michael@0: michael@0: loser: michael@0: /* ss->sec.ci.sid == sid if it did NOT come here via goto statement michael@0: * in that case do not free sid michael@0: */ michael@0: if (sid && (ss->sec.ci.sid != sid)) { michael@0: ssl_FreeSID(sid); michael@0: sid = NULL; michael@0: } michael@0: if (decrypted_state != NULL) { michael@0: SECITEM_FreeItem(decrypted_state, PR_TRUE); michael@0: decrypted_state = NULL; michael@0: } michael@0: michael@0: if (parsed_session_ticket != NULL) { michael@0: if (parsed_session_ticket->peer_cert.data) { michael@0: SECITEM_FreeItem(&parsed_session_ticket->peer_cert, PR_FALSE); michael@0: } michael@0: PORT_ZFree(parsed_session_ticket, sizeof(SessionTicket)); michael@0: } michael@0: michael@0: return rv; michael@0: } michael@0: michael@0: /* michael@0: * Read bytes. Using this function means the SECItem structure michael@0: * cannot be freed. The caller is expected to call this function michael@0: * on a shallow copy of the structure. michael@0: */ michael@0: static SECStatus michael@0: ssl3_ConsumeFromItem(SECItem *item, unsigned char **buf, PRUint32 bytes) michael@0: { michael@0: if (bytes > item->len) michael@0: return SECFailure; michael@0: michael@0: *buf = item->data; michael@0: item->data += bytes; michael@0: item->len -= bytes; michael@0: return SECSuccess; michael@0: } michael@0: michael@0: static SECStatus michael@0: ssl3_ParseEncryptedSessionTicket(sslSocket *ss, SECItem *data, michael@0: EncryptedSessionTicket *enc_session_ticket) michael@0: { michael@0: if (ssl3_ConsumeFromItem(data, &enc_session_ticket->key_name, michael@0: SESS_TICKET_KEY_NAME_LEN) != SECSuccess) michael@0: return SECFailure; michael@0: if (ssl3_ConsumeFromItem(data, &enc_session_ticket->iv, michael@0: AES_BLOCK_SIZE) != SECSuccess) michael@0: return SECFailure; michael@0: if (ssl3_ConsumeHandshakeVariable(ss, &enc_session_ticket->encrypted_state, michael@0: 2, &data->data, &data->len) != SECSuccess) michael@0: return SECFailure; michael@0: if (ssl3_ConsumeFromItem(data, &enc_session_ticket->mac, michael@0: TLS_EX_SESS_TICKET_MAC_LENGTH) != SECSuccess) michael@0: return SECFailure; michael@0: if (data->len != 0) /* Make sure that we have consumed all bytes. */ michael@0: return SECFailure; michael@0: michael@0: return SECSuccess; michael@0: } michael@0: michael@0: /* go through hello extensions in buffer "b". michael@0: * For each one, find the extension handler in the table, and michael@0: * if present, invoke that handler. michael@0: * Servers ignore any extensions with unknown extension types. michael@0: * Clients reject any extensions with unadvertised extension types. michael@0: */ michael@0: SECStatus michael@0: ssl3_HandleHelloExtensions(sslSocket *ss, SSL3Opaque **b, PRUint32 *length) michael@0: { michael@0: const ssl3HelloExtensionHandler * handlers; michael@0: michael@0: if (ss->sec.isServer) { michael@0: handlers = clientHelloHandlers; michael@0: } else if (ss->version > SSL_LIBRARY_VERSION_3_0) { michael@0: handlers = serverHelloHandlersTLS; michael@0: } else { michael@0: handlers = serverHelloHandlersSSL3; michael@0: } michael@0: michael@0: while (*length) { michael@0: const ssl3HelloExtensionHandler * handler; michael@0: SECStatus rv; michael@0: PRInt32 extension_type; michael@0: SECItem extension_data; michael@0: michael@0: /* Get the extension's type field */ michael@0: extension_type = ssl3_ConsumeHandshakeNumber(ss, 2, b, length); michael@0: if (extension_type < 0) /* failure to decode extension_type */ michael@0: return SECFailure; /* alert already sent */ michael@0: michael@0: /* get the data for this extension, so we can pass it or skip it. */ michael@0: rv = ssl3_ConsumeHandshakeVariable(ss, &extension_data, 2, b, length); michael@0: if (rv != SECSuccess) michael@0: return rv; michael@0: michael@0: /* Check whether the server sent an extension which was not advertised michael@0: * in the ClientHello. michael@0: */ michael@0: if (!ss->sec.isServer && michael@0: !ssl3_ClientExtensionAdvertised(ss, extension_type)) michael@0: return SECFailure; /* TODO: send unsupported_extension alert */ michael@0: michael@0: /* Check whether an extension has been sent multiple times. */ michael@0: if (ssl3_ExtensionNegotiated(ss, extension_type)) michael@0: return SECFailure; michael@0: michael@0: /* find extension_type in table of Hello Extension Handlers */ michael@0: for (handler = handlers; handler->ex_type >= 0; handler++) { michael@0: /* if found, call this handler */ michael@0: if (handler->ex_type == extension_type) { michael@0: rv = (*handler->ex_handler)(ss, (PRUint16)extension_type, michael@0: &extension_data); michael@0: /* Ignore this result */ michael@0: /* Treat all bad extensions as unrecognized types. */ michael@0: break; michael@0: } michael@0: } michael@0: } michael@0: return SECSuccess; michael@0: } michael@0: michael@0: /* Add a callback function to the table of senders of server hello extensions. michael@0: */ michael@0: SECStatus michael@0: ssl3_RegisterServerHelloExtensionSender(sslSocket *ss, PRUint16 ex_type, michael@0: ssl3HelloExtensionSenderFunc cb) michael@0: { michael@0: int i; michael@0: ssl3HelloExtensionSender *sender = &ss->xtnData.serverSenders[0]; michael@0: michael@0: for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) { michael@0: if (!sender->ex_sender) { michael@0: sender->ex_type = ex_type; michael@0: sender->ex_sender = cb; michael@0: return SECSuccess; michael@0: } michael@0: /* detect duplicate senders */ michael@0: PORT_Assert(sender->ex_type != ex_type); michael@0: if (sender->ex_type == ex_type) { michael@0: /* duplicate */ michael@0: break; michael@0: } michael@0: } michael@0: PORT_Assert(i < SSL_MAX_EXTENSIONS); /* table needs to grow */ michael@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); michael@0: return SECFailure; michael@0: } michael@0: michael@0: /* call each of the extension senders and return the accumulated length */ michael@0: PRInt32 michael@0: ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes, michael@0: const ssl3HelloExtensionSender *sender) michael@0: { michael@0: PRInt32 total_exten_len = 0; michael@0: int i; michael@0: michael@0: if (!sender) { michael@0: sender = ss->version > SSL_LIBRARY_VERSION_3_0 ? michael@0: &clientHelloSendersTLS[0] : &clientHelloSendersSSL3[0]; michael@0: } michael@0: michael@0: for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) { michael@0: if (sender->ex_sender) { michael@0: PRInt32 extLen = (*sender->ex_sender)(ss, append, maxBytes); michael@0: if (extLen < 0) michael@0: return -1; michael@0: maxBytes -= extLen; michael@0: total_exten_len += extLen; michael@0: } michael@0: } michael@0: return total_exten_len; michael@0: } michael@0: michael@0: michael@0: /* Extension format: michael@0: * Extension number: 2 bytes michael@0: * Extension length: 2 bytes michael@0: * Verify Data Length: 1 byte michael@0: * Verify Data (TLS): 12 bytes (client) or 24 bytes (server) michael@0: * Verify Data (SSL): 36 bytes (client) or 72 bytes (server) michael@0: */ michael@0: static PRInt32 michael@0: ssl3_SendRenegotiationInfoXtn( michael@0: sslSocket * ss, michael@0: PRBool append, michael@0: PRUint32 maxBytes) michael@0: { michael@0: PRInt32 len, needed; michael@0: michael@0: /* In draft-ietf-tls-renegotiation-03, it is NOT RECOMMENDED to send michael@0: * both the SCSV and the empty RI, so when we send SCSV in michael@0: * the initial handshake, we don't also send RI. michael@0: */ michael@0: if (!ss || ss->ssl3.hs.sendingSCSV) michael@0: return 0; michael@0: len = !ss->firstHsDone ? 0 : michael@0: (ss->sec.isServer ? ss->ssl3.hs.finishedBytes * 2 michael@0: : ss->ssl3.hs.finishedBytes); michael@0: needed = 5 + len; michael@0: if (append && maxBytes >= needed) { michael@0: SECStatus rv; michael@0: /* extension_type */ michael@0: rv = ssl3_AppendHandshakeNumber(ss, ssl_renegotiation_info_xtn, 2); michael@0: if (rv != SECSuccess) return -1; michael@0: /* length of extension_data */ michael@0: rv = ssl3_AppendHandshakeNumber(ss, len + 1, 2); michael@0: if (rv != SECSuccess) return -1; michael@0: /* verify_Data from previous Finished message(s) */ michael@0: rv = ssl3_AppendHandshakeVariable(ss, michael@0: ss->ssl3.hs.finishedMsgs.data, len, 1); michael@0: if (rv != SECSuccess) return -1; michael@0: if (!ss->sec.isServer) { michael@0: TLSExtensionData *xtnData = &ss->xtnData; michael@0: xtnData->advertised[xtnData->numAdvertised++] = michael@0: ssl_renegotiation_info_xtn; michael@0: } michael@0: } michael@0: return needed; michael@0: } michael@0: michael@0: static SECStatus michael@0: ssl3_ServerHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type, michael@0: SECItem *data) michael@0: { michael@0: SECStatus rv = SECSuccess; michael@0: michael@0: /* remember that we got this extension. */ michael@0: ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; michael@0: PORT_Assert(ss->sec.isServer); michael@0: /* prepare to send back the appropriate response */ michael@0: rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type, michael@0: ssl3_ServerSendStatusRequestXtn); michael@0: return rv; michael@0: } michael@0: michael@0: /* This function runs in both the client and server. */ michael@0: static SECStatus michael@0: ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) michael@0: { michael@0: SECStatus rv = SECSuccess; michael@0: PRUint32 len = 0; michael@0: michael@0: if (ss->firstHsDone) { michael@0: len = ss->sec.isServer ? ss->ssl3.hs.finishedBytes michael@0: : ss->ssl3.hs.finishedBytes * 2; michael@0: } michael@0: if (data->len != 1 + len || michael@0: data->data[0] != len || (len && michael@0: NSS_SecureMemcmp(ss->ssl3.hs.finishedMsgs.data, michael@0: data->data + 1, len))) { michael@0: /* Can we do this here? Or, must we arrange for the caller to do it? */ michael@0: (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure); michael@0: PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); michael@0: return SECFailure; michael@0: } michael@0: /* remember that we got this extension and it was correct. */ michael@0: ss->peerRequestedProtection = 1; michael@0: ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; michael@0: if (ss->sec.isServer) { michael@0: /* prepare to send back the appropriate response */ michael@0: rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type, michael@0: ssl3_SendRenegotiationInfoXtn); michael@0: } michael@0: return rv; michael@0: } michael@0: michael@0: static PRInt32 michael@0: ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes) michael@0: { michael@0: PRUint32 ext_data_len; michael@0: PRInt16 i; michael@0: SECStatus rv; michael@0: michael@0: if (!ss) michael@0: return 0; michael@0: michael@0: if (!ss->sec.isServer) { michael@0: /* Client side */ michael@0: michael@0: if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) michael@0: return 0; /* Not relevant */ michael@0: michael@0: ext_data_len = 2 + 2 * ss->ssl3.dtlsSRTPCipherCount + 1; michael@0: michael@0: if (append && maxBytes >= 4 + ext_data_len) { michael@0: /* Extension type */ michael@0: rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2); michael@0: if (rv != SECSuccess) return -1; michael@0: /* Length of extension data */ michael@0: rv = ssl3_AppendHandshakeNumber(ss, ext_data_len, 2); michael@0: if (rv != SECSuccess) return -1; michael@0: /* Length of the SRTP cipher list */ michael@0: rv = ssl3_AppendHandshakeNumber(ss, michael@0: 2 * ss->ssl3.dtlsSRTPCipherCount, michael@0: 2); michael@0: if (rv != SECSuccess) return -1; michael@0: /* The SRTP ciphers */ michael@0: for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) { michael@0: rv = ssl3_AppendHandshakeNumber(ss, michael@0: ss->ssl3.dtlsSRTPCiphers[i], michael@0: 2); michael@0: } michael@0: /* Empty MKI value */ michael@0: ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); michael@0: michael@0: ss->xtnData.advertised[ss->xtnData.numAdvertised++] = michael@0: ssl_use_srtp_xtn; michael@0: } michael@0: michael@0: return 4 + ext_data_len; michael@0: } michael@0: michael@0: /* Server side */ michael@0: if (append && maxBytes >= 9) { michael@0: /* Extension type */ michael@0: rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2); michael@0: if (rv != SECSuccess) return -1; michael@0: /* Length of extension data */ michael@0: rv = ssl3_AppendHandshakeNumber(ss, 5, 2); michael@0: if (rv != SECSuccess) return -1; michael@0: /* Length of the SRTP cipher list */ michael@0: rv = ssl3_AppendHandshakeNumber(ss, 2, 2); michael@0: if (rv != SECSuccess) return -1; michael@0: /* The selected cipher */ michael@0: rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.dtlsSRTPCipherSuite, 2); michael@0: if (rv != SECSuccess) return -1; michael@0: /* Empty MKI value */ michael@0: ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); michael@0: } michael@0: michael@0: return 9; michael@0: } michael@0: michael@0: static SECStatus michael@0: ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data) michael@0: { michael@0: SECStatus rv; michael@0: SECItem ciphers = {siBuffer, NULL, 0}; michael@0: PRUint16 i; michael@0: unsigned int j; michael@0: PRUint16 cipher = 0; michael@0: PRBool found = PR_FALSE; michael@0: SECItem litem; michael@0: michael@0: if (!ss->sec.isServer) { michael@0: /* Client side */ michael@0: if (!data->data || !data->len) { michael@0: /* malformed */ michael@0: return SECFailure; michael@0: } michael@0: michael@0: /* Get the cipher list */ michael@0: rv = ssl3_ConsumeHandshakeVariable(ss, &ciphers, 2, michael@0: &data->data, &data->len); michael@0: if (rv != SECSuccess) { michael@0: return SECFailure; michael@0: } michael@0: /* Now check that the number of ciphers listed is 1 (len = 2) */ michael@0: if (ciphers.len != 2) { michael@0: return SECFailure; michael@0: } michael@0: michael@0: /* Get the selected cipher */ michael@0: cipher = (ciphers.data[0] << 8) | ciphers.data[1]; michael@0: michael@0: /* Now check that this is one of the ciphers we offered */ michael@0: for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) { michael@0: if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) { michael@0: found = PR_TRUE; michael@0: break; michael@0: } michael@0: } michael@0: michael@0: if (!found) { michael@0: return SECFailure; michael@0: } michael@0: michael@0: /* Get the srtp_mki value */ michael@0: rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 1, michael@0: &data->data, &data->len); michael@0: if (rv != SECSuccess) { michael@0: return SECFailure; michael@0: } michael@0: michael@0: /* We didn't offer an MKI, so this must be 0 length */ michael@0: /* XXX RFC 5764 Section 4.1.3 says: michael@0: * If the client detects a nonzero-length MKI in the server's michael@0: * response that is different than the one the client offered, michael@0: * then the client MUST abort the handshake and SHOULD send an michael@0: * invalid_parameter alert. michael@0: * michael@0: * Due to a limitation of the ssl3_HandleHelloExtensions function, michael@0: * returning SECFailure here won't abort the handshake. It will michael@0: * merely cause the use_srtp extension to be not negotiated. We michael@0: * should fix this. See NSS bug 753136. michael@0: */ michael@0: if (litem.len != 0) { michael@0: return SECFailure; michael@0: } michael@0: michael@0: if (data->len != 0) { michael@0: /* malformed */ michael@0: return SECFailure; michael@0: } michael@0: michael@0: /* OK, this looks fine. */ michael@0: ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn; michael@0: ss->ssl3.dtlsSRTPCipherSuite = cipher; michael@0: return SECSuccess; michael@0: } michael@0: michael@0: /* Server side */ michael@0: if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) { michael@0: /* Ignore the extension if we aren't doing DTLS or no DTLS-SRTP michael@0: * preferences have been set. */ michael@0: return SECSuccess; michael@0: } michael@0: michael@0: if (!data->data || data->len < 5) { michael@0: /* malformed */ michael@0: return SECFailure; michael@0: } michael@0: michael@0: /* Get the cipher list */ michael@0: rv = ssl3_ConsumeHandshakeVariable(ss, &ciphers, 2, michael@0: &data->data, &data->len); michael@0: if (rv != SECSuccess) { michael@0: return SECFailure; michael@0: } michael@0: /* Check that the list is even length */ michael@0: if (ciphers.len % 2) { michael@0: return SECFailure; michael@0: } michael@0: michael@0: /* Walk through the offered list and pick the most preferred of our michael@0: * ciphers, if any */ michael@0: for (i = 0; !found && i < ss->ssl3.dtlsSRTPCipherCount; i++) { michael@0: for (j = 0; j + 1 < ciphers.len; j += 2) { michael@0: cipher = (ciphers.data[j] << 8) | ciphers.data[j + 1]; michael@0: if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) { michael@0: found = PR_TRUE; michael@0: break; michael@0: } michael@0: } michael@0: } michael@0: michael@0: /* Get the srtp_mki value */ michael@0: rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 1, &data->data, &data->len); michael@0: if (rv != SECSuccess) { michael@0: return SECFailure; michael@0: } michael@0: michael@0: if (data->len != 0) { michael@0: return SECFailure; /* Malformed */ michael@0: } michael@0: michael@0: /* Now figure out what to do */ michael@0: if (!found) { michael@0: /* No matching ciphers */ michael@0: return SECSuccess; michael@0: } michael@0: michael@0: /* OK, we have a valid cipher and we've selected it */ michael@0: ss->ssl3.dtlsSRTPCipherSuite = cipher; michael@0: ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn; michael@0: michael@0: return ssl3_RegisterServerHelloExtensionSender(ss, ssl_use_srtp_xtn, michael@0: ssl3_SendUseSRTPXtn); michael@0: } michael@0: michael@0: /* ssl3_ServerHandleSigAlgsXtn handles the signature_algorithms extension michael@0: * from a client. michael@0: * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ michael@0: static SECStatus michael@0: ssl3_ServerHandleSigAlgsXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data) michael@0: { michael@0: SECStatus rv; michael@0: SECItem algorithms; michael@0: const unsigned char *b; michael@0: unsigned int numAlgorithms, i; michael@0: michael@0: /* Ignore this extension if we aren't doing TLS 1.2 or greater. */ michael@0: if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) { michael@0: return SECSuccess; michael@0: } michael@0: michael@0: /* Keep track of negotiated extensions. */ michael@0: ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; michael@0: michael@0: rv = ssl3_ConsumeHandshakeVariable(ss, &algorithms, 2, &data->data, michael@0: &data->len); michael@0: if (rv != SECSuccess) { michael@0: return SECFailure; michael@0: } michael@0: /* Trailing data, empty value, or odd-length value is invalid. */ michael@0: if (data->len != 0 || algorithms.len == 0 || (algorithms.len & 1) != 0) { michael@0: PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); michael@0: return SECFailure; michael@0: } michael@0: michael@0: numAlgorithms = algorithms.len/2; michael@0: michael@0: /* We don't care to process excessive numbers of algorithms. */ michael@0: if (numAlgorithms > 512) { michael@0: numAlgorithms = 512; michael@0: } michael@0: michael@0: ss->ssl3.hs.clientSigAndHash = michael@0: PORT_NewArray(SSL3SignatureAndHashAlgorithm, numAlgorithms); michael@0: if (!ss->ssl3.hs.clientSigAndHash) { michael@0: return SECFailure; michael@0: } michael@0: ss->ssl3.hs.numClientSigAndHash = 0; michael@0: michael@0: b = algorithms.data; michael@0: for (i = 0; i < numAlgorithms; i++) { michael@0: unsigned char tls_hash = *(b++); michael@0: unsigned char tls_sig = *(b++); michael@0: SECOidTag hash = ssl3_TLSHashAlgorithmToOID(tls_hash); michael@0: michael@0: if (hash == SEC_OID_UNKNOWN) { michael@0: /* We ignore formats that we don't understand. */ michael@0: continue; michael@0: } michael@0: /* tls_sig support will be checked later in michael@0: * ssl3_PickSignatureHashAlgorithm. */ michael@0: ss->ssl3.hs.clientSigAndHash[i].hashAlg = hash; michael@0: ss->ssl3.hs.clientSigAndHash[i].sigAlg = tls_sig; michael@0: ss->ssl3.hs.numClientSigAndHash++; michael@0: } michael@0: michael@0: if (!ss->ssl3.hs.numClientSigAndHash) { michael@0: /* We didn't understand any of the client's requested signature michael@0: * formats. We'll use the defaults. */ michael@0: PORT_Free(ss->ssl3.hs.clientSigAndHash); michael@0: ss->ssl3.hs.clientSigAndHash = NULL; michael@0: } michael@0: michael@0: return SECSuccess; michael@0: } michael@0: michael@0: /* ssl3_ClientSendSigAlgsXtn sends the signature_algorithm extension for TLS michael@0: * 1.2 ClientHellos. */ michael@0: static PRInt32 michael@0: ssl3_ClientSendSigAlgsXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes) michael@0: { michael@0: static const unsigned char signatureAlgorithms[] = { michael@0: /* This block is the contents of our signature_algorithms extension, in michael@0: * wire format. See michael@0: * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ michael@0: tls_hash_sha256, tls_sig_rsa, michael@0: tls_hash_sha384, tls_sig_rsa, michael@0: tls_hash_sha1, tls_sig_rsa, michael@0: #ifndef NSS_DISABLE_ECC michael@0: tls_hash_sha256, tls_sig_ecdsa, michael@0: tls_hash_sha384, tls_sig_ecdsa, michael@0: tls_hash_sha1, tls_sig_ecdsa, michael@0: #endif michael@0: tls_hash_sha256, tls_sig_dsa, michael@0: tls_hash_sha1, tls_sig_dsa, michael@0: }; michael@0: PRInt32 extension_length; michael@0: michael@0: if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) { michael@0: return 0; michael@0: } michael@0: michael@0: extension_length = michael@0: 2 /* extension type */ + michael@0: 2 /* extension length */ + michael@0: 2 /* supported_signature_algorithms length */ + michael@0: sizeof(signatureAlgorithms); michael@0: michael@0: if (append && maxBytes >= extension_length) { michael@0: SECStatus rv; michael@0: rv = ssl3_AppendHandshakeNumber(ss, ssl_signature_algorithms_xtn, 2); michael@0: if (rv != SECSuccess) michael@0: goto loser; michael@0: rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); michael@0: if (rv != SECSuccess) michael@0: goto loser; michael@0: rv = ssl3_AppendHandshakeVariable(ss, signatureAlgorithms, michael@0: sizeof(signatureAlgorithms), 2); michael@0: if (rv != SECSuccess) michael@0: goto loser; michael@0: ss->xtnData.advertised[ss->xtnData.numAdvertised++] = michael@0: ssl_signature_algorithms_xtn; michael@0: } else if (maxBytes < extension_length) { michael@0: PORT_Assert(0); michael@0: return 0; michael@0: } michael@0: michael@0: return extension_length; michael@0: michael@0: loser: michael@0: return -1; michael@0: } michael@0: michael@0: unsigned int michael@0: ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength) michael@0: { michael@0: unsigned int recordLength = 1 /* handshake message type */ + michael@0: 3 /* handshake message length */ + michael@0: clientHelloLength; michael@0: unsigned int extensionLength; michael@0: michael@0: if (recordLength < 256 || recordLength >= 512) { michael@0: return 0; michael@0: } michael@0: michael@0: extensionLength = 512 - recordLength; michael@0: /* Extensions take at least four bytes to encode. */ michael@0: if (extensionLength < 4) { michael@0: extensionLength = 4; michael@0: } michael@0: michael@0: return extensionLength; michael@0: } michael@0: michael@0: /* ssl3_AppendPaddingExtension possibly adds an extension which ensures that a michael@0: * ClientHello record is either < 256 bytes or is >= 512 bytes. This ensures michael@0: * that we don't trigger bugs in F5 products. */ michael@0: PRInt32 michael@0: ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen, michael@0: PRUint32 maxBytes) michael@0: { michael@0: unsigned int paddingLen = extensionLen - 4; michael@0: static unsigned char padding[256]; michael@0: michael@0: if (extensionLen == 0) { michael@0: return 0; michael@0: } michael@0: michael@0: if (extensionLen < 4 || michael@0: extensionLen > maxBytes || michael@0: paddingLen > sizeof(padding)) { michael@0: PORT_Assert(0); michael@0: return -1; michael@0: } michael@0: michael@0: if (SECSuccess != ssl3_AppendHandshakeNumber(ss, ssl_padding_xtn, 2)) michael@0: return -1; michael@0: if (SECSuccess != ssl3_AppendHandshakeNumber(ss, paddingLen, 2)) michael@0: return -1; michael@0: if (SECSuccess != ssl3_AppendHandshake(ss, padding, paddingLen)) michael@0: return -1; michael@0: michael@0: return extensionLen; michael@0: }