1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /*
3 * This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7 #include "nssrenam.h"
8 #include "nss.h"
9 #include "ssl.h"
10 #include "sslproto.h"
11 #include "sslimpl.h"
12 #include "pk11pub.h"
13 #include "blapit.h"
14 #include "prinit.h"
15 #include "selfencrypt.h"
16 #include "ssl3ext.h"
17 #include "ssl3exthandle.h"
18 #include "tls13ech.h"
19 #include "tls13exthandle.h" /* For tls13_ServerSendStatusRequestXtn. */
20
21 PRBool
ssl_ShouldSendSNIExtension(const sslSocket * ss,const char * url)22 ssl_ShouldSendSNIExtension(const sslSocket *ss, const char *url)
23 {
24 PRNetAddr netAddr;
25
26 /* must have a hostname */
27 if (!url || !url[0]) {
28 return PR_FALSE;
29 }
30 /* must not be an IPv4 or IPv6 address */
31 if (PR_SUCCESS == PR_StringToNetAddr(url, &netAddr)) {
32 /* is an IP address (v4 or v6) */
33 return PR_FALSE;
34 }
35
36 return PR_TRUE;
37 }
38
39 /* Format an SNI extension, using the name from the socket's URL,
40 * unless that name is a dotted decimal string.
41 * Used by client and server.
42 */
43 SECStatus
ssl3_ClientFormatServerNameXtn(const sslSocket * ss,const char * url,unsigned int len,TLSExtensionData * xtnData,sslBuffer * buf)44 ssl3_ClientFormatServerNameXtn(const sslSocket *ss, const char *url,
45 unsigned int len, TLSExtensionData *xtnData,
46 sslBuffer *buf)
47 {
48 SECStatus rv;
49
50 /* length of server_name_list */
51 rv = sslBuffer_AppendNumber(buf, len + 3, 2);
52 if (rv != SECSuccess) {
53 return SECFailure;
54 }
55 /* Name Type (sni_host_name) */
56 rv = sslBuffer_AppendNumber(buf, 0, 1);
57 if (rv != SECSuccess) {
58 return SECFailure;
59 }
60 /* HostName (length and value) */
61 rv = sslBuffer_AppendVariable(buf, (const PRUint8 *)url, len, 2);
62 if (rv != SECSuccess) {
63 return SECFailure;
64 }
65
66 return SECSuccess;
67 }
68
69 SECStatus
ssl3_ClientSendServerNameXtn(const sslSocket * ss,TLSExtensionData * xtnData,sslBuffer * buf,PRBool * added)70 ssl3_ClientSendServerNameXtn(const sslSocket *ss, TLSExtensionData *xtnData,
71 sslBuffer *buf, PRBool *added)
72 {
73 SECStatus rv;
74
75 const char *url = ss->url;
76
77 if (!ssl_ShouldSendSNIExtension(ss, url)) {
78 return SECSuccess;
79 }
80
81 /* If ECH, write the public name. The real server name
82 * is emplaced while constructing CHInner extensions. */
83 sslEchConfig *cfg = (sslEchConfig *)PR_LIST_HEAD(&ss->echConfigs);
84 const char *sniContents = PR_CLIST_IS_EMPTY(&ss->echConfigs) ? url : cfg->contents.publicName;
85 rv = ssl3_ClientFormatServerNameXtn(ss, sniContents, strlen(sniContents), xtnData, buf);
86 if (rv != SECSuccess) {
87 return SECFailure;
88 }
89
90 *added = PR_TRUE;
91 return SECSuccess;
92 }
93
94 SECStatus
ssl3_HandleServerNameXtn(const sslSocket * ss,TLSExtensionData * xtnData,SECItem * data)95 ssl3_HandleServerNameXtn(const sslSocket *ss, TLSExtensionData *xtnData,
96 SECItem *data)
97 {
98 SECItem *names = NULL;
99 PRUint32 listLenBytes = 0;
100 SECStatus rv;
101
102 if (!ss->sec.isServer) {
103 return SECSuccess; /* ignore extension */
104 }
105
106 /* Server side - consume client data and register server sender. */
107 /* do not parse the data if don't have user extension handling function. */
108 if (!ss->sniSocketConfig) {
109 return SECSuccess;
110 }
111
112 /* length of server_name_list */
113 rv = ssl3_ExtConsumeHandshakeNumber(ss, &listLenBytes, 2, &data->data, &data->len);
114 if (rv != SECSuccess) {
115 goto loser; /* alert already sent */
116 }
117 if (listLenBytes == 0 || listLenBytes != data->len) {
118 goto alert_loser;
119 }
120
121 /* Read ServerNameList. */
122 while (data->len > 0) {
123 SECItem tmp;
124 PRUint32 type;
125
126 /* Read Name Type. */
127 rv = ssl3_ExtConsumeHandshakeNumber(ss, &type, 1, &data->data, &data->len);
128 if (rv != SECSuccess) {
129 /* alert sent in ConsumeHandshakeNumber */
130 goto loser;
131 }
132
133 /* Read ServerName (length and value). */
134 rv = ssl3_ExtConsumeHandshakeVariable(ss, &tmp, 2, &data->data, &data->len);
135 if (rv != SECSuccess) {
136 goto loser;
137 }
138
139 /* Record the value for host_name(0). */
140 if (type == sni_nametype_hostname) {
141 /* Fail if we encounter a second host_name entry. */
142 if (names) {
143 goto alert_loser;
144 }
145
146 /* Create an array for the only supported NameType. */
147 names = PORT_ZNewArray(SECItem, 1);
148 if (!names) {
149 goto loser;
150 }
151
152 /* Copy ServerName into the array. */
153 if (SECITEM_CopyItem(NULL, &names[0], &tmp) != SECSuccess) {
154 goto loser;
155 }
156 }
157
158 /* Even if we don't support NameTypes other than host_name at the
159 * moment, we continue parsing the whole list to check its validity.
160 * We do not check for duplicate entries with NameType != host_name(0).
161 */
162 }
163 if (names) {
164 /* Free old and set the new data. */
165 ssl3_FreeSniNameArray(xtnData);
166 xtnData->sniNameArr = names;
167 xtnData->sniNameArrSize = 1;
168 xtnData->negotiated[xtnData->numNegotiated++] = ssl_server_name_xtn;
169 }
170 return SECSuccess;
171
172 alert_loser:
173 ssl3_ExtDecodeError(ss);
174 loser:
175 if (names) {
176 PORT_Free(names);
177 }
178 return SECFailure;
179 }
180
181 /* Frees a given xtnData->sniNameArr and its elements. */
182 void
ssl3_FreeSniNameArray(TLSExtensionData * xtnData)183 ssl3_FreeSniNameArray(TLSExtensionData *xtnData)
184 {
185 PRUint32 i;
186
187 if (!xtnData->sniNameArr) {
188 return;
189 }
190
191 for (i = 0; i < xtnData->sniNameArrSize; i++) {
192 SECITEM_FreeItem(&xtnData->sniNameArr[i], PR_FALSE);
193 }
194
195 PORT_Free(xtnData->sniNameArr);
196 xtnData->sniNameArr = NULL;
197 xtnData->sniNameArrSize = 0;
198 }
199
200 /* Called by both clients and servers.
201 * Clients sends a filled in session ticket if one is available, and otherwise
202 * sends an empty ticket. Servers always send empty tickets.
203 */
204 PRInt32
ssl3_ClientSendSessionTicketXtn(const sslSocket * ss,TLSExtensionData * xtnData,sslBuffer * buf,PRBool * added)205 ssl3_ClientSendSessionTicketXtn(const sslSocket *ss, TLSExtensionData *xtnData,
206 sslBuffer *buf, PRBool *added)
207 {
208 NewSessionTicket *session_ticket = NULL;
209 sslSessionID *sid = ss->sec.ci.sid;
210 SECStatus rv;
211
212 PORT_Assert(!ss->sec.isServer);
213
214 /* Never send an extension with a ticket for TLS 1.3, but
215 * OK to send the empty one in case the server does 1.2. */
216 if ((sid->cached == in_client_cache || sid->cached == in_external_cache) &&
217 sid->version >= SSL_LIBRARY_VERSION_TLS_1_3) {
218 return SECSuccess;
219 }
220
221 /* Ignore the SessionTicket extension if processing is disabled. */
222 if (!ss->opt.enableSessionTickets) {
223 return SECSuccess;
224 }
225
226 /* Send a session ticket if one is available.
227 *
228 * The caller must be holding sid->u.ssl3.lock for reading. We cannot
229 * just acquire and release the lock within this function because the
230 * caller will call this function twice, and we need the inputs to be
231 * consistent between the two calls. Note that currently the caller
232 * will only be holding the lock when we are the client and when we're
233 * attempting to resume an existing session.
234 */
235 session_ticket = &sid->u.ssl3.locked.sessionTicket;
236 if (session_ticket->ticket.data &&
237 (xtnData->ticketTimestampVerified ||
238 ssl_TicketTimeValid(ss, session_ticket))) {
239
240 xtnData->ticketTimestampVerified = PR_FALSE;
241
242 rv = sslBuffer_Append(buf, session_ticket->ticket.data,
243 session_ticket->ticket.len);
244 if (rv != SECSuccess) {
245 return SECFailure;
246 }
247
248 xtnData->sentSessionTicketInClientHello = PR_TRUE;
249 }
250
251 *added = PR_TRUE;
252 return SECSuccess;
253 }
254
255 PRBool
ssl_AlpnTagAllowed(const sslSocket * ss,const SECItem * tag)256 ssl_AlpnTagAllowed(const sslSocket *ss, const SECItem *tag)
257 {
258 const unsigned char *data = ss->opt.nextProtoNego.data;
259 unsigned int length = ss->opt.nextProtoNego.len;
260 unsigned int offset = 0;
261
262 if (!tag->len)
263 return PR_TRUE;
264
265 while (offset < length) {
266 unsigned int taglen = (unsigned int)data[offset];
267 if ((taglen == tag->len) &&
268 !PORT_Memcmp(data + offset + 1, tag->data, tag->len))
269 return PR_TRUE;
270 offset += 1 + taglen;
271 }
272
273 return PR_FALSE;
274 }
275
276 /* ssl3_ValidateAppProtocol checks that the given block of data is valid: none
277 * of the lengths may be 0 and the sum of the lengths must equal the length of
278 * the block. */
279 SECStatus
ssl3_ValidateAppProtocol(const unsigned char * data,unsigned int length)280 ssl3_ValidateAppProtocol(const unsigned char *data, unsigned int length)
281 {
282 unsigned int offset = 0;
283
284 while (offset < length) {
285 unsigned int newOffset = offset + 1 + (unsigned int)data[offset];
286 /* Reject embedded nulls to protect against buggy applications that
287 * store protocol identifiers in null-terminated strings.
288 */
289 if (newOffset > length || data[offset] == 0) {
290 return SECFailure;
291 }
292 offset = newOffset;
293 }
294
295 return SECSuccess;
296 }
297
298 /* Protocol selection handler for ALPN. */
299 static SECStatus
ssl3_SelectAppProtocol(const sslSocket * ss,TLSExtensionData * xtnData,PRUint16 extension,SECItem * data)300 ssl3_SelectAppProtocol(const sslSocket *ss, TLSExtensionData *xtnData,
301 PRUint16 extension, SECItem *data)
302 {
303 SECStatus rv;
304 unsigned char resultBuffer[255];
305 SECItem result = { siBuffer, resultBuffer, 0 };
306
307 rv = ssl3_ValidateAppProtocol(data->data, data->len);
308 if (rv != SECSuccess) {
309 ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
310 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
311 return SECFailure;
312 }
313
314 PORT_Assert(ss->nextProtoCallback);
315 /* Neither the cipher suite nor ECH are selected yet Note that extensions
316 * sometimes affect what cipher suite is selected, e.g., for ECC. */
317 PORT_Assert((ss->ssl3.hs.preliminaryInfo &
318 ssl_preinfo_all & ~ssl_preinfo_cipher_suite & ~ssl_preinfo_ech) ==
319 (ssl_preinfo_all & ~ssl_preinfo_cipher_suite & ~ssl_preinfo_ech));
320 /* The callback has to make sure that either rv != SECSuccess or that result
321 * is not set if there is no common protocol. */
322 rv = ss->nextProtoCallback(ss->nextProtoArg, ss->fd, data->data, data->len,
323 result.data, &result.len, sizeof(resultBuffer));
324 if (rv != SECSuccess) {
325 /* Expect callback to call PORT_SetError() */
326 ssl3_ExtSendAlert(ss, alert_fatal, internal_error);
327 return SECFailure;
328 }
329
330 /* If the callback wrote more than allowed to |result| it has corrupted our
331 * stack. */
332 if (result.len > sizeof(resultBuffer)) {
333 PORT_SetError(SEC_ERROR_OUTPUT_LEN);
334 PORT_Assert(PR_FALSE);
335 return SECFailure;
336 }
337
338 SECITEM_FreeItem(&xtnData->nextProto, PR_FALSE);
339
340 if (result.len < 1 || !result.data) {
341 /* Check that we actually got a result. */
342 ssl3_ExtSendAlert(ss, alert_fatal, no_application_protocol);
343 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL);
344 return SECFailure;
345 }
346
347 xtnData->nextProtoState = SSL_NEXT_PROTO_NEGOTIATED;
348 xtnData->negotiated[xtnData->numNegotiated++] = extension;
349 return SECITEM_CopyItem(NULL, &xtnData->nextProto, &result);
350 }
351
352 /* handle an incoming ALPN extension at the server */
353 SECStatus
ssl3_ServerHandleAppProtoXtn(const sslSocket * ss,TLSExtensionData * xtnData,SECItem * data)354 ssl3_ServerHandleAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData,
355 SECItem *data)
356 {
357 PRUint32 count;
358 SECStatus rv;
359
360 /* We expressly don't want to allow ALPN on renegotiation,
361 * despite it being permitted by the spec. */
362 if (ss->firstHsDone || data->len == 0) {
363 /* Clients MUST send a non-empty ALPN extension. */
364 ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
365 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
366 return SECFailure;
367 }
368
369 /* ALPN has extra redundant length information so that
370 * the extension is the same in both ClientHello and ServerHello. */
371 rv = ssl3_ExtConsumeHandshakeNumber(ss, &count, 2, &data->data, &data->len);
372 if (rv != SECSuccess || count != data->len) {
373 ssl3_ExtDecodeError(ss);
374 return SECFailure;
375 }
376
377 if (!ss->nextProtoCallback) {
378 /* we're not configured for it */
379 return SECSuccess;
380 }
381
382 rv = ssl3_SelectAppProtocol(ss, xtnData, ssl_app_layer_protocol_xtn, data);
383 if (rv != SECSuccess) {
384 return rv;
385 }
386
387 /* prepare to send back a response, if we negotiated */
388 if (xtnData->nextProtoState == SSL_NEXT_PROTO_NEGOTIATED) {
389 rv = ssl3_RegisterExtensionSender(ss, xtnData,
390 ssl_app_layer_protocol_xtn,
391 ssl3_ServerSendAppProtoXtn);
392 if (rv != SECSuccess) {
393 ssl3_ExtSendAlert(ss, alert_fatal, internal_error);
394 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
395 return rv;
396 }
397 }
398 return SECSuccess;
399 }
400
401 SECStatus
ssl3_ClientHandleAppProtoXtn(const sslSocket * ss,TLSExtensionData * xtnData,SECItem * data)402 ssl3_ClientHandleAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData,
403 SECItem *data)
404 {
405 SECStatus rv;
406 PRUint32 list_len;
407 SECItem protocol_name;
408
409 if (ssl3_ExtensionNegotiated(ss, ssl_next_proto_nego_xtn)) {
410 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
411 return SECFailure;
412 }
413
414 /* The extension data from the server has the following format:
415 * uint16 name_list_len;
416 * uint8 len; // where len >= 1
417 * uint8 protocol_name[len]; */
418 if (data->len < 4 || data->len > 2 + 1 + 255) {
419 ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
420 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
421 return SECFailure;
422 }
423
424 rv = ssl3_ExtConsumeHandshakeNumber(ss, &list_len, 2, &data->data,
425 &data->len);
426 /* The list has to be the entire extension. */
427 if (rv != SECSuccess || list_len != data->len) {
428 ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
429 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
430 return SECFailure;
431 }
432
433 rv = ssl3_ExtConsumeHandshakeVariable(ss, &protocol_name, 1,
434 &data->data, &data->len);
435 /* The list must have exactly one value. */
436 if (rv != SECSuccess || data->len != 0) {
437 ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
438 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
439 return SECFailure;
440 }
441
442 if (!ssl_AlpnTagAllowed(ss, &protocol_name)) {
443 ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
444 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
445 return SECFailure;
446 }
447
448 SECITEM_FreeItem(&xtnData->nextProto, PR_FALSE);
449 xtnData->nextProtoState = SSL_NEXT_PROTO_SELECTED;
450 xtnData->negotiated[xtnData->numNegotiated++] = ssl_app_layer_protocol_xtn;
451 return SECITEM_CopyItem(NULL, &xtnData->nextProto, &protocol_name);
452 }
453
454 SECStatus
ssl3_ClientSendAppProtoXtn(const sslSocket * ss,TLSExtensionData * xtnData,sslBuffer * buf,PRBool * added)455 ssl3_ClientSendAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData,
456 sslBuffer *buf, PRBool *added)
457 {
458 SECStatus rv;
459 const unsigned int len = ss->opt.nextProtoNego.len;
460
461 /* Renegotiations do not send this extension. */
462 if (!ss->opt.enableALPN || !ss->opt.nextProtoNego.data || ss->firstHsDone) {
463 return SECSuccess;
464 }
465
466 if (len > 0) {
467 /* Each protocol string is prefixed with a single byte length. */
468 rv = sslBuffer_AppendNumber(buf, len, 2);
469 if (rv != SECSuccess) {
470 return SECFailure;
471 }
472 rv = sslBuffer_Append(buf, ss->opt.nextProtoNego.data, len);
473 if (rv != SECSuccess) {
474 return SECFailure;
475 }
476 }
477
478 *added = PR_TRUE;
479 return SECSuccess;
480 }
481
482 SECStatus
ssl3_ServerSendAppProtoXtn(const sslSocket * ss,TLSExtensionData * xtnData,sslBuffer * buf,PRBool * added)483 ssl3_ServerSendAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData,
484 sslBuffer *buf, PRBool *added)
485 {
486 SECStatus rv;
487
488 /* We're in over our heads if any of these fail */
489 PORT_Assert(ss->opt.enableALPN);
490 PORT_Assert(xtnData->nextProto.data);
491 PORT_Assert(xtnData->nextProto.len > 0);
492 PORT_Assert(xtnData->nextProtoState == SSL_NEXT_PROTO_NEGOTIATED);
493 PORT_Assert(!ss->firstHsDone);
494
495 rv = sslBuffer_AppendNumber(buf, xtnData->nextProto.len + 1, 2);
496 if (rv != SECSuccess) {
497 return SECFailure;
498 }
499 rv = sslBuffer_AppendVariable(buf, xtnData->nextProto.data,
500 xtnData->nextProto.len, 1);
501 if (rv != SECSuccess) {
502 return SECFailure;
503 }
504
505 *added = PR_TRUE;
506 return SECSuccess;
507 }
508
509 SECStatus
ssl3_ServerHandleStatusRequestXtn(const sslSocket * ss,TLSExtensionData * xtnData,SECItem * data)510 ssl3_ServerHandleStatusRequestXtn(const sslSocket *ss, TLSExtensionData *xtnData,
511 SECItem *data)
512 {
513 sslExtensionBuilderFunc sender;
514
515 PORT_Assert(ss->sec.isServer);
516
517 /* remember that we got this extension. */
518 xtnData->negotiated[xtnData->numNegotiated++] = ssl_cert_status_xtn;
519
520 if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) {
521 sender = tls13_ServerSendStatusRequestXtn;
522 } else {
523 sender = ssl3_ServerSendStatusRequestXtn;
524 }
525 return ssl3_RegisterExtensionSender(ss, xtnData, ssl_cert_status_xtn, sender);
526 }
527
528 SECStatus
ssl3_ServerSendStatusRequestXtn(const sslSocket * ss,TLSExtensionData * xtnData,sslBuffer * buf,PRBool * added)529 ssl3_ServerSendStatusRequestXtn(const sslSocket *ss, TLSExtensionData *xtnData,
530 sslBuffer *buf, PRBool *added)
531 {
532 const sslServerCert *serverCert = ss->sec.serverCert;
533
534 if (!serverCert->certStatusArray ||
535 !serverCert->certStatusArray->len) {
536 return SECSuccess;
537 }
538
539 *added = PR_TRUE;
540 return SECSuccess;
541 }
542
543 /* ssl3_ClientSendStatusRequestXtn builds the status_request extension on the
544 * client side. See RFC 6066 section 8. */
545 SECStatus
ssl3_ClientSendStatusRequestXtn(const sslSocket * ss,TLSExtensionData * xtnData,sslBuffer * buf,PRBool * added)546 ssl3_ClientSendStatusRequestXtn(const sslSocket *ss, TLSExtensionData *xtnData,
547 sslBuffer *buf, PRBool *added)
548 {
549 SECStatus rv;
550
551 if (!ss->opt.enableOCSPStapling) {
552 return SECSuccess;
553 }
554
555 rv = sslBuffer_AppendNumber(buf, 1 /* status_type ocsp */, 1);
556 if (rv != SECSuccess) {
557 return SECFailure;
558 }
559 /* A zero length responder_id_list means that the responders are
560 * implicitly known to the server. */
561 rv = sslBuffer_AppendNumber(buf, 0, 2);
562 if (rv != SECSuccess) {
563 return SECFailure;
564 }
565 /* A zero length request_extensions means that there are no extensions.
566 * Specifically, we don't set the id-pkix-ocsp-nonce extension. This
567 * means that the server can replay a cached OCSP response to us. */
568 rv = sslBuffer_AppendNumber(buf, 0, 2);
569 if (rv != SECSuccess) {
570 return SECFailure;
571 }
572
573 *added = PR_TRUE;
574 return SECSuccess;
575 }
576
577 SECStatus
ssl3_ClientHandleStatusRequestXtn(const sslSocket * ss,TLSExtensionData * xtnData,SECItem * data)578 ssl3_ClientHandleStatusRequestXtn(const sslSocket *ss, TLSExtensionData *xtnData,
579 SECItem *data)
580 {
581 /* In TLS 1.3, the extension carries the OCSP response. */
582 if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) {
583 SECStatus rv;
584 rv = ssl_ReadCertificateStatus(CONST_CAST(sslSocket, ss),
585 data->data, data->len);
586 if (rv != SECSuccess) {
587 return SECFailure; /* code already set */
588 }
589 } else if (data->len != 0) {
590 ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
591 PORT_SetError(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
592 return SECFailure;
593 }
594
595 /* Keep track of negotiated extensions. */
596 xtnData->negotiated[xtnData->numNegotiated++] = ssl_cert_status_xtn;
597 return SECSuccess;
598 }
599
600 #define TLS_EX_SESS_TICKET_VERSION (0x010a)
601
602 /*
603 * Called from ssl3_SendNewSessionTicket, tls13_SendNewSessionTicket
604 */
605 SECStatus
ssl3_EncodeSessionTicket(sslSocket * ss,const NewSessionTicket * ticket,const PRUint8 * appToken,unsigned int appTokenLen,PK11SymKey * secret,SECItem * ticket_data)606 ssl3_EncodeSessionTicket(sslSocket *ss, const NewSessionTicket *ticket,
607 const PRUint8 *appToken, unsigned int appTokenLen,
608 PK11SymKey *secret, SECItem *ticket_data)
609 {
610 SECStatus rv;
611 sslBuffer plaintext = SSL_BUFFER_EMPTY;
612 SECItem ticket_buf = { 0, NULL, 0 };
613 sslSessionID sid;
614 unsigned char wrapped_ms[SSL3_MASTER_SECRET_LENGTH];
615 SECItem ms_item = { 0, NULL, 0 };
616 PRTime now;
617 SECItem *srvName = NULL;
618 CK_MECHANISM_TYPE msWrapMech;
619 SECItem *alpnSelection = NULL;
620 PRUint32 ticketAgeBaseline;
621
622 SSL_TRC(3, ("%d: SSL3[%d]: send session_ticket handshake",
623 SSL_GETPID(), ss->fd));
624
625 PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
626 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
627
628 /* Extract the master secret wrapped. */
629
630 PORT_Memset(&sid, 0, sizeof(sslSessionID));
631
632 PORT_Assert(secret);
633 rv = ssl3_CacheWrappedSecret(ss, &sid, secret);
634 if (rv == SECSuccess) {
635 if (sid.u.ssl3.keys.wrapped_master_secret_len > sizeof(wrapped_ms))
636 goto loser;
637 memcpy(wrapped_ms, sid.u.ssl3.keys.wrapped_master_secret,
638 sid.u.ssl3.keys.wrapped_master_secret_len);
639 ms_item.data = wrapped_ms;
640 ms_item.len = sid.u.ssl3.keys.wrapped_master_secret_len;
641 msWrapMech = sid.u.ssl3.masterWrapMech;
642 } else {
643 /* TODO: else send an empty ticket. */
644 goto loser;
645 }
646 /* Prep to send negotiated name */
647 srvName = &ss->sec.ci.sid->u.ssl3.srvName;
648
649 /* ticket version */
650 rv = sslBuffer_AppendNumber(&plaintext, TLS_EX_SESS_TICKET_VERSION,
651 sizeof(PRUint16));
652 if (rv != SECSuccess)
653 goto loser;
654
655 /* ssl_version */
656 rv = sslBuffer_AppendNumber(&plaintext, ss->version,
657 sizeof(SSL3ProtocolVersion));
658 if (rv != SECSuccess)
659 goto loser;
660
661 /* ciphersuite */
662 rv = sslBuffer_AppendNumber(&plaintext, ss->ssl3.hs.cipher_suite,
663 sizeof(ssl3CipherSuite));
664 if (rv != SECSuccess)
665 goto loser;
666
667 /* cipher spec parameters */
668 rv = sslBuffer_AppendNumber(&plaintext, ss->sec.authType, 1);
669 if (rv != SECSuccess)
670 goto loser;
671 rv = sslBuffer_AppendNumber(&plaintext, ss->sec.authKeyBits, 4);
672 if (rv != SECSuccess)
673 goto loser;
674 rv = sslBuffer_AppendNumber(&plaintext, ss->sec.keaType, 1);
675 if (rv != SECSuccess)
676 goto loser;
677 rv = sslBuffer_AppendNumber(&plaintext, ss->sec.keaKeyBits, 4);
678 if (rv != SECSuccess)
679 goto loser;
680 if (ss->sec.keaGroup) {
681 rv = sslBuffer_AppendNumber(&plaintext, ss->sec.keaGroup->name, 4);
682 if (rv != SECSuccess)
683 goto loser;
684 } else {
685 /* No kea group. Write 0 as invalid value. */
686 rv = sslBuffer_AppendNumber(&plaintext, 0, 4);
687 if (rv != SECSuccess)
688 goto loser;
689 }
690 rv = sslBuffer_AppendNumber(&plaintext, ss->sec.signatureScheme, 4);
691 if (rv != SECSuccess)
692 goto loser;
693
694 /* certificate type */
695 PORT_Assert(SSL_CERT_IS(ss->sec.serverCert, ss->sec.authType));
696 if (SSL_CERT_IS_EC(ss->sec.serverCert)) {
697 const sslServerCert *cert = ss->sec.serverCert;
698 PORT_Assert(cert->namedCurve);
699 /* EC curves only use the second of the two bytes. */
700 PORT_Assert(cert->namedCurve->name < 256);
701 rv = sslBuffer_AppendNumber(&plaintext, cert->namedCurve->name, 1);
702 } else {
703 rv = sslBuffer_AppendNumber(&plaintext, 0, 1);
704 }
705 if (rv != SECSuccess)
706 goto loser;
707
708 /* master_secret */
709 rv = sslBuffer_AppendNumber(&plaintext, msWrapMech, 4);
710 if (rv != SECSuccess)
711 goto loser;
712 rv = sslBuffer_AppendVariable(&plaintext, ms_item.data, ms_item.len, 2);
713 if (rv != SECSuccess)
714 goto loser;
715
716 /* client identity */
717 if (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) {
718 rv = sslBuffer_AppendNumber(&plaintext, CLIENT_AUTH_CERTIFICATE, 1);
719 if (rv != SECSuccess)
720 goto loser;
721 rv = sslBuffer_AppendVariable(&plaintext,
722 ss->sec.ci.sid->peerCert->derCert.data,
723 ss->sec.ci.sid->peerCert->derCert.len, 2);
724 if (rv != SECSuccess)
725 goto loser;
726 } else {
727 rv = sslBuffer_AppendNumber(&plaintext, 0, 1);
728 if (rv != SECSuccess)
729 goto loser;
730 }
731
732 /* timestamp */
733 now = ssl_Time(ss);
734 PORT_Assert(sizeof(now) == 8);
735 rv = sslBuffer_AppendNumber(&plaintext, now, 8);
736 if (rv != SECSuccess)
737 goto loser;
738
739 /* HostName (length and value) */
740 rv = sslBuffer_AppendVariable(&plaintext, srvName->data, srvName->len, 2);
741 if (rv != SECSuccess)
742 goto loser;
743
744 /* extendedMasterSecretUsed */
745 rv = sslBuffer_AppendNumber(
746 &plaintext, ss->sec.ci.sid->u.ssl3.keys.extendedMasterSecretUsed, 1);
747 if (rv != SECSuccess)
748 goto loser;
749
750 /* Flags */
751 rv = sslBuffer_AppendNumber(&plaintext, ticket->flags,
752 sizeof(ticket->flags));
753 if (rv != SECSuccess)
754 goto loser;
755
756 /* ALPN value. */
757 PORT_Assert(ss->xtnData.nextProtoState == SSL_NEXT_PROTO_SELECTED ||
758 ss->xtnData.nextProtoState == SSL_NEXT_PROTO_NEGOTIATED ||
759 ss->xtnData.nextProto.len == 0);
760 alpnSelection = &ss->xtnData.nextProto;
761 PORT_Assert(alpnSelection->len < 256);
762 rv = sslBuffer_AppendVariable(&plaintext, alpnSelection->data,
763 alpnSelection->len, 1);
764 if (rv != SECSuccess)
765 goto loser;
766
767 rv = sslBuffer_AppendNumber(&plaintext, ss->opt.maxEarlyDataSize, 4);
768 if (rv != SECSuccess)
769 goto loser;
770
771 /*
772 * We store this in the ticket:
773 * ticket_age_baseline = 1rtt - ticket_age_add
774 *
775 * When the client resumes, it will provide:
776 * obfuscated_age = ticket_age_client + ticket_age_add
777 *
778 * We expect to receive the ticket at:
779 * ticket_create + 1rtt + ticket_age_server
780 *
781 * We calculate the client's estimate of this as:
782 * ticket_create + ticket_age_baseline + obfuscated_age
783 * = ticket_create + 1rtt + ticket_age_client
784 *
785 * This is compared to the expected time, which should differ only as a
786 * result of clock errors or errors in the RTT estimate.
787 */
788 ticketAgeBaseline = ss->ssl3.hs.rttEstimate / PR_USEC_PER_MSEC;
789 ticketAgeBaseline -= ticket->ticket_age_add;
790 rv = sslBuffer_AppendNumber(&plaintext, ticketAgeBaseline, 4);
791 if (rv != SECSuccess)
792 goto loser;
793
794 /* Application token */
795 rv = sslBuffer_AppendVariable(&plaintext, appToken, appTokenLen, 2);
796 if (rv != SECSuccess)
797 goto loser;
798
799 /* This really only happens if appTokenLen is too much, and that always
800 * comes from the using application. */
801 if (SSL_BUFFER_LEN(&plaintext) > 0xffff) {
802 PORT_SetError(SEC_ERROR_INVALID_ARGS);
803 goto loser;
804 }
805
806 ticket_buf.len = ssl_SelfEncryptGetProtectedSize(SSL_BUFFER_LEN(&plaintext));
807 PORT_Assert(ticket_buf.len > 0);
808 if (SECITEM_AllocItem(NULL, &ticket_buf, ticket_buf.len) == NULL) {
809 goto loser;
810 }
811
812 /* Finally, encrypt the ticket. */
813 rv = ssl_SelfEncryptProtect(ss, SSL_BUFFER_BASE(&plaintext),
814 SSL_BUFFER_LEN(&plaintext),
815 ticket_buf.data, &ticket_buf.len, ticket_buf.len);
816 if (rv != SECSuccess) {
817 goto loser;
818 }
819
820 /* Give ownership of memory to caller. */
821 *ticket_data = ticket_buf;
822
823 sslBuffer_Clear(&plaintext);
824 return SECSuccess;
825
826 loser:
827 sslBuffer_Clear(&plaintext);
828 if (ticket_buf.data) {
829 SECITEM_FreeItem(&ticket_buf, PR_FALSE);
830 }
831
832 return SECFailure;
833 }
834
835 /* When a client receives a SessionTicket extension a NewSessionTicket
836 * message is expected during the handshake.
837 */
838 SECStatus
ssl3_ClientHandleSessionTicketXtn(const sslSocket * ss,TLSExtensionData * xtnData,SECItem * data)839 ssl3_ClientHandleSessionTicketXtn(const sslSocket *ss, TLSExtensionData *xtnData,
840 SECItem *data)
841 {
842 PORT_Assert(ss->version < SSL_LIBRARY_VERSION_TLS_1_3);
843
844 if (data->len != 0) {
845 return SECSuccess; /* Ignore the extension. */
846 }
847
848 /* Keep track of negotiated extensions. */
849 xtnData->negotiated[xtnData->numNegotiated++] = ssl_session_ticket_xtn;
850 return SECSuccess;
851 }
852
853 PR_STATIC_ASSERT((TLS_EX_SESS_TICKET_VERSION >> 8) == 1);
854
855 static SECStatus
ssl_ParseSessionTicket(sslSocket * ss,const SECItem * decryptedTicket,SessionTicket * parsedTicket)856 ssl_ParseSessionTicket(sslSocket *ss, const SECItem *decryptedTicket,
857 SessionTicket *parsedTicket)
858 {
859 PRUint32 temp;
860 SECStatus rv;
861
862 PRUint8 *buffer = decryptedTicket->data;
863 unsigned int len = decryptedTicket->len;
864
865 PORT_Memset(parsedTicket, 0, sizeof(*parsedTicket));
866 parsedTicket->valid = PR_FALSE;
867
868 /* If the decrypted ticket is empty, then report success, but leave the
869 * ticket marked as invalid. */
870 if (decryptedTicket->len == 0) {
871 return SECSuccess;
872 }
873
874 /* Read ticket version. */
875 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 2, &buffer, &len);
876 if (rv != SECSuccess) {
877 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
878 return SECFailure;
879 }
880
881 /* All ticket versions start with 0x01, so check to see if this
882 * is a ticket or some other self-encrypted thing. */
883 if ((temp >> 8) != 1) {
884 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
885 return SECFailure;
886 }
887 /* Skip the ticket if the version is wrong. This won't result in a
888 * handshake failure, just a failure to resume. */
889 if (temp != TLS_EX_SESS_TICKET_VERSION) {
890 return SECSuccess;
891 }
892
893 /* Read SSLVersion. */
894 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 2, &buffer, &len);
895 if (rv != SECSuccess) {
896 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
897 return SECFailure;
898 }
899 parsedTicket->ssl_version = (SSL3ProtocolVersion)temp;
900 if (!ssl3_VersionIsSupported(ss->protocolVariant,
901 parsedTicket->ssl_version)) {
902 /* This socket doesn't support the version from the ticket. */
903 return SECSuccess;
904 }
905
906 /* Read cipher_suite. */
907 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 2, &buffer, &len);
908 if (rv != SECSuccess) {
909 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
910 return SECFailure;
911 }
912 parsedTicket->cipher_suite = (ssl3CipherSuite)temp;
913
914 /* Read cipher spec parameters. */
915 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len);
916 if (rv != SECSuccess) {
917 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
918 return SECFailure;
919 }
920
921 #ifndef UNSAFE_FUZZER_MODE
922 PORT_Assert(temp < ssl_auth_size);
923 #else
924 temp %= (8 * sizeof(SSLAuthType)) - 1;
925 #endif
926
927 parsedTicket->authType = (SSLAuthType)temp;
928 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
929 if (rv != SECSuccess) {
930 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
931 return SECFailure;
932 }
933 parsedTicket->authKeyBits = temp;
934 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len);
935 if (rv != SECSuccess) {
936 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
937 return SECFailure;
938 }
939 parsedTicket->keaType = (SSLKEAType)temp;
940 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
941 if (rv != SECSuccess) {
942 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
943 return SECFailure;
944 }
945 parsedTicket->keaKeyBits = temp;
946 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
947 if (rv != SECSuccess) {
948 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
949 return SECFailure;
950 }
951 parsedTicket->originalKeaGroup = temp;
952 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
953 if (rv != SECSuccess) {
954 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
955 return SECFailure;
956 }
957 parsedTicket->signatureScheme = (SSLSignatureScheme)temp;
958
959 /* Read the optional named curve. */
960 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len);
961 if (rv != SECSuccess) {
962 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
963 return SECFailure;
964 }
965 if (parsedTicket->authType == ssl_auth_ecdsa ||
966 parsedTicket->authType == ssl_auth_ecdh_rsa ||
967 parsedTicket->authType == ssl_auth_ecdh_ecdsa) {
968 const sslNamedGroupDef *group =
969 ssl_LookupNamedGroup((SSLNamedGroup)temp);
970 if (!group || group->keaType != ssl_kea_ecdh) {
971 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
972 return SECFailure;
973 }
974 parsedTicket->namedCurve = group;
975 }
976
977 /* Read the master secret (and how it is wrapped). */
978 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
979 if (rv != SECSuccess) {
980 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
981 return SECFailure;
982 }
983 parsedTicket->msWrapMech = (CK_MECHANISM_TYPE)temp;
984
985 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 2, &buffer, &len);
986 if (rv != SECSuccess) {
987 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
988 return SECFailure;
989 }
990 if (temp == 0 || temp > sizeof(parsedTicket->master_secret)) {
991 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
992 return SECFailure;
993 }
994 parsedTicket->ms_length = (PRUint16)temp;
995
996 /* Read the master secret. */
997 rv = ssl3_ExtConsumeHandshake(ss, parsedTicket->master_secret,
998 parsedTicket->ms_length, &buffer, &len);
999 if (rv != SECSuccess) {
1000 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1001 return SECFailure;
1002 }
1003 /* Read client identity */
1004 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len);
1005 if (rv != SECSuccess) {
1006 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1007 return SECFailure;
1008 }
1009 parsedTicket->client_auth_type = (ClientAuthenticationType)temp;
1010 switch (parsedTicket->client_auth_type) {
1011 case CLIENT_AUTH_ANONYMOUS:
1012 break;
1013 case CLIENT_AUTH_CERTIFICATE:
1014 rv = ssl3_ExtConsumeHandshakeVariable(ss, &parsedTicket->peer_cert, 2,
1015 &buffer, &len);
1016 if (rv != SECSuccess) {
1017 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1018 return SECFailure;
1019 }
1020 break;
1021 default:
1022 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1023 return SECFailure;
1024 }
1025
1026 /* Read timestamp. This is a 64-bit value and
1027 * ssl3_ExtConsumeHandshakeNumber only reads 32-bits at a time. */
1028 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
1029 if (rv != SECSuccess) {
1030 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1031 return SECFailure;
1032 }
1033
1034 /* Cast to avoid undefined behavior if the top bit is set. */
1035 parsedTicket->timestamp = (PRTime)((PRUint64)temp << 32);
1036 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
1037 if (rv != SECSuccess) {
1038 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1039 return SECFailure;
1040 }
1041 parsedTicket->timestamp |= (PRTime)temp;
1042
1043 /* Read server name */
1044 rv = ssl3_ExtConsumeHandshakeVariable(ss, &parsedTicket->srvName, 2,
1045 &buffer, &len);
1046 if (rv != SECSuccess) {
1047 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1048 return SECFailure;
1049 }
1050
1051 /* Read extendedMasterSecretUsed */
1052 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len);
1053 if (rv != SECSuccess) {
1054 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1055 return SECFailure;
1056 }
1057 #ifndef UNSAFE_FUZZER_MODE
1058 /* A well-behaving server should only write 0 or 1. */
1059 PORT_Assert(temp == PR_TRUE || temp == PR_FALSE);
1060 #endif
1061 parsedTicket->extendedMasterSecretUsed = temp ? PR_TRUE : PR_FALSE;
1062
1063 rv = ssl3_ExtConsumeHandshake(ss, &temp, 4, &buffer, &len);
1064 if (rv != SECSuccess) {
1065 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1066 return SECFailure;
1067 }
1068 parsedTicket->flags = PR_ntohl(temp);
1069
1070 rv = ssl3_ExtConsumeHandshakeVariable(ss, &parsedTicket->alpnSelection, 1,
1071 &buffer, &len);
1072 PORT_Assert(parsedTicket->alpnSelection.len < 256);
1073 if (rv != SECSuccess) {
1074 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1075 return SECFailure;
1076 }
1077
1078 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
1079 if (rv != SECSuccess) {
1080 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1081 return SECFailure;
1082 }
1083 parsedTicket->maxEarlyData = temp;
1084
1085 rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
1086 if (rv != SECSuccess) {
1087 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1088 return SECFailure;
1089 }
1090 parsedTicket->ticketAgeBaseline = temp;
1091
1092 rv = ssl3_ExtConsumeHandshakeVariable(ss, &parsedTicket->applicationToken,
1093 2, &buffer, &len);
1094 if (rv != SECSuccess) {
1095 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1096 return SECFailure;
1097 }
1098
1099 #ifndef UNSAFE_FUZZER_MODE
1100 /* Done parsing. Check that all bytes have been consumed. */
1101 if (len != 0) {
1102 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1103 return SECFailure;
1104 }
1105 #endif
1106
1107 parsedTicket->valid = PR_TRUE;
1108 return SECSuccess;
1109 }
1110
1111 static SECStatus
ssl_CreateSIDFromTicket(sslSocket * ss,const SECItem * rawTicket,SessionTicket * parsedTicket,sslSessionID ** out)1112 ssl_CreateSIDFromTicket(sslSocket *ss, const SECItem *rawTicket,
1113 SessionTicket *parsedTicket, sslSessionID **out)
1114 {
1115 sslSessionID *sid;
1116 SECStatus rv;
1117
1118 sid = ssl3_NewSessionID(ss, PR_TRUE);
1119 if (sid == NULL) {
1120 return SECFailure;
1121 }
1122
1123 /* Copy over parameters. */
1124 sid->version = parsedTicket->ssl_version;
1125 sid->creationTime = parsedTicket->timestamp;
1126 sid->u.ssl3.cipherSuite = parsedTicket->cipher_suite;
1127 sid->authType = parsedTicket->authType;
1128 sid->authKeyBits = parsedTicket->authKeyBits;
1129 sid->keaType = parsedTicket->keaType;
1130 sid->keaKeyBits = parsedTicket->keaKeyBits;
1131 sid->keaGroup = parsedTicket->originalKeaGroup;
1132 sid->namedCurve = parsedTicket->namedCurve;
1133 sid->sigScheme = parsedTicket->signatureScheme;
1134
1135 rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.locked.sessionTicket.ticket,
1136 rawTicket);
1137 if (rv != SECSuccess) {
1138 goto loser;
1139 }
1140 sid->u.ssl3.locked.sessionTicket.flags = parsedTicket->flags;
1141 sid->u.ssl3.locked.sessionTicket.max_early_data_size =
1142 parsedTicket->maxEarlyData;
1143
1144 if (parsedTicket->ms_length >
1145 sizeof(sid->u.ssl3.keys.wrapped_master_secret)) {
1146 goto loser;
1147 }
1148 PORT_Memcpy(sid->u.ssl3.keys.wrapped_master_secret,
1149 parsedTicket->master_secret, parsedTicket->ms_length);
1150 sid->u.ssl3.keys.wrapped_master_secret_len = parsedTicket->ms_length;
1151 sid->u.ssl3.masterWrapMech = parsedTicket->msWrapMech;
1152 sid->u.ssl3.masterValid = PR_TRUE;
1153 sid->u.ssl3.keys.resumable = PR_TRUE;
1154 sid->u.ssl3.keys.extendedMasterSecretUsed = parsedTicket->extendedMasterSecretUsed;
1155
1156 /* Copy over client cert from session ticket if there is one. */
1157 if (parsedTicket->peer_cert.data != NULL) {
1158 PORT_Assert(!sid->peerCert);
1159 sid->peerCert = CERT_NewTempCertificate(ss->dbHandle,
1160 &parsedTicket->peer_cert,
1161 NULL, PR_FALSE, PR_TRUE);
1162 if (!sid->peerCert) {
1163 goto loser;
1164 }
1165 }
1166
1167 /* Transfer ownership of the remaining items. */
1168 if (parsedTicket->srvName.data != NULL) {
1169 SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE);
1170 rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.srvName,
1171 &parsedTicket->srvName);
1172 if (rv != SECSuccess) {
1173 goto loser;
1174 }
1175 }
1176 if (parsedTicket->alpnSelection.data != NULL) {
1177 SECITEM_FreeItem(&sid->u.ssl3.alpnSelection, PR_FALSE);
1178 rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.alpnSelection,
1179 &parsedTicket->alpnSelection);
1180 if (rv != SECSuccess) {
1181 goto loser;
1182 }
1183 }
1184
1185 *out = sid;
1186 return SECSuccess;
1187
1188 loser:
1189 ssl_FreeSID(sid);
1190 return SECFailure;
1191 }
1192
1193 /* Generic ticket processing code, common to all TLS versions. */
1194 SECStatus
ssl3_ProcessSessionTicketCommon(sslSocket * ss,const SECItem * ticket,SECItem * appToken)1195 ssl3_ProcessSessionTicketCommon(sslSocket *ss, const SECItem *ticket,
1196 SECItem *appToken)
1197 {
1198 SECItem decryptedTicket = { siBuffer, NULL, 0 };
1199 SessionTicket parsedTicket;
1200 sslSessionID *sid = NULL;
1201 SECStatus rv;
1202
1203 if (ss->sec.ci.sid != NULL) {
1204 ssl_UncacheSessionID(ss);
1205 ssl_FreeSID(ss->sec.ci.sid);
1206 ss->sec.ci.sid = NULL;
1207 }
1208
1209 if (!SECITEM_AllocItem(NULL, &decryptedTicket, ticket->len)) {
1210 return SECFailure;
1211 }
1212
1213 /* Decrypt the ticket. */
1214 rv = ssl_SelfEncryptUnprotect(ss, ticket->data, ticket->len,
1215 decryptedTicket.data,
1216 &decryptedTicket.len,
1217 decryptedTicket.len);
1218 if (rv != SECSuccess) {
1219 /* Ignore decryption failure if we are doing TLS 1.3; that
1220 * means the server rejects the client's resumption
1221 * attempt. In TLS 1.2, however, it's a hard failure, unless
1222 * it's just because we're not the recipient of the ticket. */
1223 if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3 ||
1224 PORT_GetError() == SEC_ERROR_NOT_A_RECIPIENT) {
1225 SECITEM_ZfreeItem(&decryptedTicket, PR_FALSE);
1226 return SECSuccess;
1227 }
1228
1229 SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
1230 goto loser;
1231 }
1232
1233 rv = ssl_ParseSessionTicket(ss, &decryptedTicket, &parsedTicket);
1234 if (rv != SECSuccess) {
1235 SSL3Statistics *ssl3stats;
1236
1237 SSL_DBG(("%d: SSL[%d]: Session ticket parsing failed.",
1238 SSL_GETPID(), ss->fd));
1239 ssl3stats = SSL_GetStatistics();
1240 SSL_AtomicIncrementLong(&ssl3stats->hch_sid_ticket_parse_failures);
1241 goto loser; /* code already set */
1242 }
1243
1244 /* Use the ticket if it is valid and unexpired. */
1245 PRTime end = parsedTicket.timestamp + (ssl_ticket_lifetime * PR_USEC_PER_SEC);
1246 if (end > ssl_Time(ss)) {
1247
1248 rv = ssl_CreateSIDFromTicket(ss, ticket, &parsedTicket, &sid);
1249 if (rv != SECSuccess) {
1250 goto loser; /* code already set */
1251 }
1252 if (appToken && parsedTicket.applicationToken.len) {
1253 rv = SECITEM_CopyItem(NULL, appToken,
1254 &parsedTicket.applicationToken);
1255 if (rv != SECSuccess) {
1256 goto loser; /* code already set */
1257 }
1258 }
1259
1260 ss->statelessResume = PR_TRUE;
1261 ss->sec.ci.sid = sid;
1262
1263 /* We have the baseline value for the obfuscated ticket age here. Save
1264 * that in xtnData temporarily. This value is updated in
1265 * tls13_ServerHandlePreSharedKeyXtn with the final estimate. */
1266 ss->xtnData.ticketAge = parsedTicket.ticketAgeBaseline;
1267 }
1268
1269 SECITEM_ZfreeItem(&decryptedTicket, PR_FALSE);
1270 PORT_Memset(&parsedTicket, 0, sizeof(parsedTicket));
1271 return SECSuccess;
1272
1273 loser:
1274 if (sid) {
1275 ssl_FreeSID(sid);
1276 }
1277 SECITEM_ZfreeItem(&decryptedTicket, PR_FALSE);
1278 PORT_Memset(&parsedTicket, 0, sizeof(parsedTicket));
1279 return SECFailure;
1280 }
1281
1282 SECStatus
ssl3_ServerHandleSessionTicketXtn(const sslSocket * ss,TLSExtensionData * xtnData,SECItem * data)1283 ssl3_ServerHandleSessionTicketXtn(const sslSocket *ss, TLSExtensionData *xtnData,
1284 SECItem *data)
1285 {
1286 PORT_Assert(ss->version < SSL_LIBRARY_VERSION_TLS_1_3);
1287
1288 /* Ignore the SessionTicket extension if processing is disabled. */
1289 if (!ss->opt.enableSessionTickets) {
1290 return SECSuccess;
1291 }
1292
1293 /* If we are doing TLS 1.3, then ignore this. */
1294 if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) {
1295 return SECSuccess;
1296 }
1297
1298 /* Keep track of negotiated extensions. */
1299 xtnData->negotiated[xtnData->numNegotiated++] = ssl_session_ticket_xtn;
1300
1301 /* Parse the received ticket sent in by the client. We are
1302 * lenient about some parse errors, falling back to a fullshake
1303 * instead of terminating the current connection.
1304 */
1305 if (data->len == 0) {
1306 xtnData->emptySessionTicket = PR_TRUE;
1307 return SECSuccess;
1308 }
1309
1310 return ssl3_ProcessSessionTicketCommon(CONST_CAST(sslSocket, ss), data,
1311 NULL);
1312 }
1313
1314 /* Extension format:
1315 * Extension number: 2 bytes
1316 * Extension length: 2 bytes
1317 * Verify Data Length: 1 byte
1318 * Verify Data (TLS): 12 bytes (client) or 24 bytes (server)
1319 * Verify Data (SSL): 36 bytes (client) or 72 bytes (server)
1320 */
1321 SECStatus
ssl3_SendRenegotiationInfoXtn(const sslSocket * ss,TLSExtensionData * xtnData,sslBuffer * buf,PRBool * added)1322 ssl3_SendRenegotiationInfoXtn(const sslSocket *ss, TLSExtensionData *xtnData,
1323 sslBuffer *buf, PRBool *added)
1324 {
1325 PRInt32 len = 0;
1326 SECStatus rv;
1327
1328 /* In RFC 5746, it is NOT RECOMMENDED to send both the SCSV and the empty
1329 * RI, so when we send SCSV in the initial handshake, we don't also send RI.
1330 */
1331 if (ss->ssl3.hs.sendingSCSV) {
1332 return 0;
1333 }
1334 if (ss->firstHsDone) {
1335 len = ss->sec.isServer ? ss->ssl3.hs.finishedBytes * 2
1336 : ss->ssl3.hs.finishedBytes;
1337 }
1338
1339 /* verify_Data from previous Finished message(s) */
1340 rv = sslBuffer_AppendVariable(buf,
1341 ss->ssl3.hs.finishedMsgs.data, len, 1);
1342 if (rv != SECSuccess) {
1343 return SECFailure;
1344 }
1345
1346 *added = PR_TRUE;
1347 return SECSuccess;
1348 }
1349
1350 /* This function runs in both the client and server. */
1351 SECStatus
ssl3_HandleRenegotiationInfoXtn(const sslSocket * ss,TLSExtensionData * xtnData,SECItem * data)1352 ssl3_HandleRenegotiationInfoXtn(const sslSocket *ss, TLSExtensionData *xtnData,
1353 SECItem *data)
1354 {
1355 SECStatus rv = SECSuccess;
1356 PRUint32 len = 0;
1357
1358 PORT_Assert(ss->version < SSL_LIBRARY_VERSION_TLS_1_3);
1359
1360 if (ss->firstHsDone) {
1361 len = ss->sec.isServer ? ss->ssl3.hs.finishedBytes
1362 : ss->ssl3.hs.finishedBytes * 2;
1363 }
1364 if (data->len != 1 + len || data->data[0] != len) {
1365 ssl3_ExtDecodeError(ss);
1366 return SECFailure;
1367 }
1368 if (len && NSS_SecureMemcmp(ss->ssl3.hs.finishedMsgs.data,
1369 data->data + 1, len)) {
1370 ssl3_ExtSendAlert(ss, alert_fatal, handshake_failure);
1371 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
1372 return SECFailure;
1373 }
1374 /* remember that we got this extension and it was correct. */
1375 CONST_CAST(sslSocket, ss)
1376 ->peerRequestedProtection = 1;
1377 xtnData->negotiated[xtnData->numNegotiated++] = ssl_renegotiation_info_xtn;
1378 if (ss->sec.isServer) {
1379 /* prepare to send back the appropriate response */
1380 rv = ssl3_RegisterExtensionSender(ss, xtnData,
1381 ssl_renegotiation_info_xtn,
1382 ssl3_SendRenegotiationInfoXtn);
1383 }
1384 return rv;
1385 }
1386
1387 SECStatus
ssl3_ClientSendUseSRTPXtn(const sslSocket * ss,TLSExtensionData * xtnData,sslBuffer * buf,PRBool * added)1388 ssl3_ClientSendUseSRTPXtn(const sslSocket *ss, TLSExtensionData *xtnData,
1389 sslBuffer *buf, PRBool *added)
1390 {
1391 unsigned int i;
1392 SECStatus rv;
1393
1394 if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) {
1395 return SECSuccess; /* Not relevant */
1396 }
1397
1398 /* Length of the SRTP cipher list */
1399 rv = sslBuffer_AppendNumber(buf, 2 * ss->ssl3.dtlsSRTPCipherCount, 2);
1400 if (rv != SECSuccess) {
1401 return SECFailure;
1402 }
1403 /* The SRTP ciphers */
1404 for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) {
1405 rv = sslBuffer_AppendNumber(buf, ss->ssl3.dtlsSRTPCiphers[i], 2);
1406 if (rv != SECSuccess) {
1407 return SECFailure;
1408 }
1409 }
1410 /* Empty MKI value */
1411 rv = sslBuffer_AppendNumber(buf, 0, 1);
1412 if (rv != SECSuccess) {
1413 return SECFailure;
1414 }
1415
1416 *added = PR_TRUE;
1417 return SECSuccess;
1418 }
1419
1420 SECStatus
ssl3_ServerSendUseSRTPXtn(const sslSocket * ss,TLSExtensionData * xtnData,sslBuffer * buf,PRBool * added)1421 ssl3_ServerSendUseSRTPXtn(const sslSocket *ss, TLSExtensionData *xtnData,
1422 sslBuffer *buf, PRBool *added)
1423 {
1424 SECStatus rv;
1425
1426 /* Length of the SRTP cipher list */
1427 rv = sslBuffer_AppendNumber(buf, 2, 2);
1428 if (rv != SECSuccess) {
1429 return SECFailure;
1430 }
1431 /* The selected cipher */
1432 rv = sslBuffer_AppendNumber(buf, xtnData->dtlsSRTPCipherSuite, 2);
1433 if (rv != SECSuccess) {
1434 return SECFailure;
1435 }
1436 /* Empty MKI value */
1437 rv = sslBuffer_AppendNumber(buf, 0, 1);
1438 if (rv != SECSuccess) {
1439 return SECFailure;
1440 }
1441
1442 *added = PR_TRUE;
1443 return SECSuccess;
1444 }
1445
1446 SECStatus
ssl3_ClientHandleUseSRTPXtn(const sslSocket * ss,TLSExtensionData * xtnData,SECItem * data)1447 ssl3_ClientHandleUseSRTPXtn(const sslSocket *ss, TLSExtensionData *xtnData,
1448 SECItem *data)
1449 {
1450 SECStatus rv;
1451 SECItem ciphers = { siBuffer, NULL, 0 };
1452 PRUint16 i;
1453 PRUint16 cipher = 0;
1454 PRBool found = PR_FALSE;
1455 SECItem litem;
1456
1457 if (!data->data || !data->len) {
1458 ssl3_ExtDecodeError(ss);
1459 return SECFailure;
1460 }
1461
1462 /* Get the cipher list */
1463 rv = ssl3_ExtConsumeHandshakeVariable(ss, &ciphers, 2,
1464 &data->data, &data->len);
1465 if (rv != SECSuccess) {
1466 return SECFailure; /* fatal alert already sent */
1467 }
1468 /* Now check that the server has picked just 1 (i.e., len = 2) */
1469 if (ciphers.len != 2) {
1470 ssl3_ExtDecodeError(ss);
1471 return SECFailure;
1472 }
1473
1474 /* Get the selected cipher */
1475 cipher = (ciphers.data[0] << 8) | ciphers.data[1];
1476
1477 /* Now check that this is one of the ciphers we offered */
1478 for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) {
1479 if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) {
1480 found = PR_TRUE;
1481 break;
1482 }
1483 }
1484
1485 if (!found) {
1486 ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
1487 PORT_SetError(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
1488 return SECFailure;
1489 }
1490
1491 /* Get the srtp_mki value */
1492 rv = ssl3_ExtConsumeHandshakeVariable(ss, &litem, 1,
1493 &data->data, &data->len);
1494 if (rv != SECSuccess) {
1495 return SECFailure; /* alert already sent */
1496 }
1497
1498 /* We didn't offer an MKI, so this must be 0 length */
1499 if (litem.len != 0) {
1500 ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
1501 PORT_SetError(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
1502 return SECFailure;
1503 }
1504
1505 /* extra trailing bytes */
1506 if (data->len != 0) {
1507 ssl3_ExtDecodeError(ss);
1508 return SECFailure;
1509 }
1510
1511 /* OK, this looks fine. */
1512 xtnData->negotiated[xtnData->numNegotiated++] = ssl_use_srtp_xtn;
1513 xtnData->dtlsSRTPCipherSuite = cipher;
1514 return SECSuccess;
1515 }
1516
1517 SECStatus
ssl3_ServerHandleUseSRTPXtn(const sslSocket * ss,TLSExtensionData * xtnData,SECItem * data)1518 ssl3_ServerHandleUseSRTPXtn(const sslSocket *ss, TLSExtensionData *xtnData,
1519 SECItem *data)
1520 {
1521 SECStatus rv;
1522 SECItem ciphers = { siBuffer, NULL, 0 };
1523 PRUint16 i;
1524 unsigned int j;
1525 PRUint16 cipher = 0;
1526 PRBool found = PR_FALSE;
1527 SECItem litem;
1528
1529 if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) {
1530 /* Ignore the extension if we aren't doing DTLS or no DTLS-SRTP
1531 * preferences have been set. */
1532 return SECSuccess;
1533 }
1534
1535 if (!data->data || data->len < 5) {
1536 ssl3_ExtDecodeError(ss);
1537 return SECFailure;
1538 }
1539
1540 /* Get the cipher list */
1541 rv = ssl3_ExtConsumeHandshakeVariable(ss, &ciphers, 2,
1542 &data->data, &data->len);
1543 if (rv != SECSuccess) {
1544 return SECFailure; /* alert already sent */
1545 }
1546 /* Check that the list is even length */
1547 if (ciphers.len % 2) {
1548 ssl3_ExtDecodeError(ss);
1549 return SECFailure;
1550 }
1551
1552 /* Walk through the offered list and pick the most preferred of our
1553 * ciphers, if any */
1554 for (i = 0; !found && i < ss->ssl3.dtlsSRTPCipherCount; i++) {
1555 for (j = 0; j + 1 < ciphers.len; j += 2) {
1556 cipher = (ciphers.data[j] << 8) | ciphers.data[j + 1];
1557 if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) {
1558 found = PR_TRUE;
1559 break;
1560 }
1561 }
1562 }
1563
1564 /* Get the srtp_mki value */
1565 rv = ssl3_ExtConsumeHandshakeVariable(ss, &litem, 1, &data->data, &data->len);
1566 if (rv != SECSuccess) {
1567 return SECFailure;
1568 }
1569
1570 if (data->len != 0) {
1571 ssl3_ExtDecodeError(ss); /* trailing bytes */
1572 return SECFailure;
1573 }
1574
1575 /* Now figure out what to do */
1576 if (!found) {
1577 /* No matching ciphers, pretend we don't support use_srtp */
1578 return SECSuccess;
1579 }
1580
1581 /* OK, we have a valid cipher and we've selected it */
1582 xtnData->dtlsSRTPCipherSuite = cipher;
1583 xtnData->negotiated[xtnData->numNegotiated++] = ssl_use_srtp_xtn;
1584
1585 return ssl3_RegisterExtensionSender(ss, xtnData,
1586 ssl_use_srtp_xtn,
1587 ssl3_ServerSendUseSRTPXtn);
1588 }
1589
1590 /* ssl3_HandleSigAlgsXtn handles the signature_algorithms extension from a
1591 * client. In TLS 1.3, the client uses this to parse CertificateRequest
1592 * extensions. See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
1593 SECStatus
ssl3_HandleSigAlgsXtn(const sslSocket * ss,TLSExtensionData * xtnData,SECItem * data)1594 ssl3_HandleSigAlgsXtn(const sslSocket *ss, TLSExtensionData *xtnData,
1595 SECItem *data)
1596 {
1597 SECStatus rv;
1598
1599 /* Ignore this extension if we aren't doing TLS 1.2 or greater. */
1600 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) {
1601 return SECSuccess;
1602 }
1603
1604 if (xtnData->sigSchemes) {
1605 PORT_Free(xtnData->sigSchemes);
1606 xtnData->sigSchemes = NULL;
1607 }
1608 rv = ssl_ParseSignatureSchemes(ss, NULL,
1609 &xtnData->sigSchemes,
1610 &xtnData->numSigSchemes,
1611 &data->data, &data->len);
1612 if (rv != SECSuccess) {
1613 ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
1614 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
1615 return SECFailure;
1616 }
1617 if (xtnData->numSigSchemes == 0) {
1618 ssl3_ExtSendAlert(ss, alert_fatal, handshake_failure);
1619 PORT_SetError(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
1620 return SECFailure;
1621 }
1622 /* Check for trailing data. */
1623 if (data->len != 0) {
1624 ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
1625 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
1626 return SECFailure;
1627 }
1628
1629 /* Keep track of negotiated extensions. */
1630 xtnData->negotiated[xtnData->numNegotiated++] = ssl_signature_algorithms_xtn;
1631 return SECSuccess;
1632 }
1633
1634 /* ssl3_ClientSendSigAlgsXtn sends the signature_algorithm extension for TLS
1635 * 1.2 ClientHellos. */
1636 SECStatus
ssl3_SendSigAlgsXtn(const sslSocket * ss,TLSExtensionData * xtnData,sslBuffer * buf,PRBool * added)1637 ssl3_SendSigAlgsXtn(const sslSocket *ss, TLSExtensionData *xtnData,
1638 sslBuffer *buf, PRBool *added)
1639 {
1640 if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_2) {
1641 return SECSuccess;
1642 }
1643
1644 PRUint16 minVersion;
1645 if (ss->sec.isServer) {
1646 minVersion = ss->version; /* CertificateRequest */
1647 } else {
1648 minVersion = ss->vrange.min; /* ClientHello */
1649 }
1650
1651 SECStatus rv = ssl3_EncodeSigAlgs(ss, minVersion, PR_TRUE /* forCert */, buf);
1652 if (rv != SECSuccess) {
1653 return SECFailure;
1654 }
1655
1656 *added = PR_TRUE;
1657 return SECSuccess;
1658 }
1659
1660 SECStatus
ssl3_SendExtendedMasterSecretXtn(const sslSocket * ss,TLSExtensionData * xtnData,sslBuffer * buf,PRBool * added)1661 ssl3_SendExtendedMasterSecretXtn(const sslSocket *ss, TLSExtensionData *xtnData,
1662 sslBuffer *buf, PRBool *added)
1663 {
1664 if (!ss->opt.enableExtendedMS) {
1665 return SECSuccess;
1666 }
1667
1668 /* Always send the extension in this function, since the
1669 * client always sends it and this function is only called on
1670 * the server if we negotiated the extension. */
1671 *added = PR_TRUE;
1672 return SECSuccess;
1673 }
1674
1675 SECStatus
ssl3_HandleExtendedMasterSecretXtn(const sslSocket * ss,TLSExtensionData * xtnData,SECItem * data)1676 ssl3_HandleExtendedMasterSecretXtn(const sslSocket *ss, TLSExtensionData *xtnData,
1677 SECItem *data)
1678 {
1679 PORT_Assert(ss->version < SSL_LIBRARY_VERSION_TLS_1_3);
1680
1681 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_0) {
1682 return SECSuccess;
1683 }
1684
1685 if (!ss->opt.enableExtendedMS) {
1686 return SECSuccess;
1687 }
1688
1689 if (data->len != 0) {
1690 SSL_TRC(30, ("%d: SSL3[%d]: Bogus extended master secret extension",
1691 SSL_GETPID(), ss->fd));
1692 ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
1693 return SECFailure;
1694 }
1695
1696 SSL_DBG(("%d: SSL[%d]: Negotiated extended master secret extension.",
1697 SSL_GETPID(), ss->fd));
1698
1699 /* Keep track of negotiated extensions. */
1700 xtnData->negotiated[xtnData->numNegotiated++] = ssl_extended_master_secret_xtn;
1701
1702 if (ss->sec.isServer) {
1703 return ssl3_RegisterExtensionSender(ss, xtnData,
1704 ssl_extended_master_secret_xtn,
1705 ssl_SendEmptyExtension);
1706 }
1707 return SECSuccess;
1708 }
1709
1710 /* ssl3_ClientSendSignedCertTimestampXtn sends the signed_certificate_timestamp
1711 * extension for TLS ClientHellos. */
1712 SECStatus
ssl3_ClientSendSignedCertTimestampXtn(const sslSocket * ss,TLSExtensionData * xtnData,sslBuffer * buf,PRBool * added)1713 ssl3_ClientSendSignedCertTimestampXtn(const sslSocket *ss,
1714 TLSExtensionData *xtnData,
1715 sslBuffer *buf, PRBool *added)
1716 {
1717 /* Only send the extension if processing is enabled. */
1718 if (!ss->opt.enableSignedCertTimestamps) {
1719 return SECSuccess;
1720 }
1721
1722 *added = PR_TRUE;
1723 return SECSuccess;
1724 }
1725
1726 SECStatus
ssl3_ClientHandleSignedCertTimestampXtn(const sslSocket * ss,TLSExtensionData * xtnData,SECItem * data)1727 ssl3_ClientHandleSignedCertTimestampXtn(const sslSocket *ss, TLSExtensionData *xtnData,
1728 SECItem *data)
1729 {
1730 /* We do not yet know whether we'll be resuming a session or creating
1731 * a new one, so we keep a pointer to the data in the TLSExtensionData
1732 * structure. This pointer is only valid in the scope of
1733 * ssl3_HandleServerHello, and, if not resuming a session, the data is
1734 * copied once a new session structure has been set up.
1735 * All parsing is currently left to the application and we accept
1736 * everything, including empty data.
1737 */
1738 SECItem *scts = &xtnData->signedCertTimestamps;
1739 PORT_Assert(!scts->data && !scts->len);
1740
1741 if (!data->len) {
1742 /* Empty extension data: RFC 6962 mandates non-empty contents. */
1743 return SECFailure;
1744 }
1745 *scts = *data;
1746 /* Keep track of negotiated extensions. */
1747 xtnData->negotiated[xtnData->numNegotiated++] = ssl_signed_cert_timestamp_xtn;
1748 return SECSuccess;
1749 }
1750
1751 SECStatus
ssl3_ServerSendSignedCertTimestampXtn(const sslSocket * ss,TLSExtensionData * xtnData,sslBuffer * buf,PRBool * added)1752 ssl3_ServerSendSignedCertTimestampXtn(const sslSocket *ss, TLSExtensionData *xtnData,
1753 sslBuffer *buf, PRBool *added)
1754 {
1755 const SECItem *scts = &ss->sec.serverCert->signedCertTimestamps;
1756 SECStatus rv;
1757
1758 if (!scts->len) {
1759 /* No timestamps to send */
1760 return SECSuccess;
1761 }
1762
1763 rv = sslBuffer_Append(buf, scts->data, scts->len);
1764 if (rv != SECSuccess) {
1765 return SECFailure;
1766 }
1767
1768 *added = PR_TRUE;
1769 return SECSuccess;
1770 }
1771
1772 SECStatus
ssl3_ServerHandleSignedCertTimestampXtn(const sslSocket * ss,TLSExtensionData * xtnData,SECItem * data)1773 ssl3_ServerHandleSignedCertTimestampXtn(const sslSocket *ss,
1774 TLSExtensionData *xtnData,
1775 SECItem *data)
1776 {
1777 if (data->len != 0) {
1778 ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
1779 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
1780 return SECFailure;
1781 }
1782
1783 xtnData->negotiated[xtnData->numNegotiated++] = ssl_signed_cert_timestamp_xtn;
1784 PORT_Assert(ss->sec.isServer);
1785 return ssl3_RegisterExtensionSender(ss, xtnData,
1786 ssl_signed_cert_timestamp_xtn,
1787 ssl3_ServerSendSignedCertTimestampXtn);
1788 }
1789
1790 /* Just make sure that the remote client supports uncompressed points,
1791 * Since that is all we support. Disable ECC cipher suites if it doesn't.
1792 */
1793 SECStatus
ssl3_HandleSupportedPointFormatsXtn(const sslSocket * ss,TLSExtensionData * xtnData,SECItem * data)1794 ssl3_HandleSupportedPointFormatsXtn(const sslSocket *ss,
1795 TLSExtensionData *xtnData,
1796 SECItem *data)
1797 {
1798 int i;
1799
1800 PORT_Assert(ss->version < SSL_LIBRARY_VERSION_TLS_1_3);
1801
1802 if (data->len < 2 || data->len > 255 || !data->data ||
1803 data->len != (unsigned int)data->data[0] + 1) {
1804 ssl3_ExtDecodeError(ss);
1805 return SECFailure;
1806 }
1807 for (i = data->len; --i > 0;) {
1808 if (data->data[i] == 0) {
1809 /* indicate that we should send a reply */
1810 return ssl3_RegisterExtensionSender(
1811 ss, xtnData, ssl_ec_point_formats_xtn,
1812 &ssl3_SendSupportedPointFormatsXtn);
1813 }
1814 }
1815
1816 /* Poor client doesn't support uncompressed points. */
1817 PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE);
1818 return SECFailure;
1819 }
1820
1821 static SECStatus
ssl_UpdateSupportedGroups(sslSocket * ss,SECItem * data)1822 ssl_UpdateSupportedGroups(sslSocket *ss, SECItem *data)
1823 {
1824 SECStatus rv;
1825 PRUint32 list_len;
1826 unsigned int i;
1827 const sslNamedGroupDef *enabled[SSL_NAMED_GROUP_COUNT] = { 0 };
1828 PORT_Assert(SSL_NAMED_GROUP_COUNT == PR_ARRAY_SIZE(enabled));
1829
1830 if (!data->data || data->len < 4) {
1831 (void)ssl3_DecodeError(ss);
1832 return SECFailure;
1833 }
1834
1835 /* get the length of elliptic_curve_list */
1836 rv = ssl3_ConsumeHandshakeNumber(ss, &list_len, 2, &data->data, &data->len);
1837 if (rv != SECSuccess || data->len != list_len || (data->len % 2) != 0) {
1838 (void)ssl3_DecodeError(ss);
1839 return SECFailure;
1840 }
1841
1842 /* disable all groups and remember the enabled groups */
1843 for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) {
1844 enabled[i] = ss->namedGroupPreferences[i];
1845 ss->namedGroupPreferences[i] = NULL;
1846 }
1847
1848 /* Read groups from data and enable if in |enabled| */
1849 while (data->len) {
1850 const sslNamedGroupDef *group;
1851 PRUint32 curve_name;
1852 rv = ssl3_ConsumeHandshakeNumber(ss, &curve_name, 2, &data->data,
1853 &data->len);
1854 if (rv != SECSuccess) {
1855 return SECFailure; /* fatal alert already sent */
1856 }
1857 group = ssl_LookupNamedGroup(curve_name);
1858 if (group) {
1859 for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) {
1860 if (enabled[i] && group == enabled[i]) {
1861 ss->namedGroupPreferences[i] = enabled[i];
1862 break;
1863 }
1864 }
1865 }
1866
1867 /* "Codepoints in the NamedCurve registry with a high byte of 0x01 (that
1868 * is, between 256 and 511 inclusive) are set aside for FFDHE groups,"
1869 * -- https://tools.ietf.org/html/draft-ietf-tls-negotiated-ff-dhe-10
1870 */
1871 if ((curve_name & 0xff00) == 0x0100) {
1872 ss->xtnData.peerSupportsFfdheGroups = PR_TRUE;
1873 }
1874 }
1875
1876 /* Note: if ss->opt.requireDHENamedGroups is set, we disable DHE cipher
1877 * suites, but we do that in ssl3_config_match(). */
1878 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3 &&
1879 !ss->opt.requireDHENamedGroups && !ss->xtnData.peerSupportsFfdheGroups) {
1880 /* If we don't require that DHE use named groups, and no FFDHE was
1881 * included, we pretend that they support all the FFDHE groups we do. */
1882 for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) {
1883 if (enabled[i] && enabled[i]->keaType == ssl_kea_dh) {
1884 ss->namedGroupPreferences[i] = enabled[i];
1885 }
1886 }
1887 }
1888
1889 return SECSuccess;
1890 }
1891
1892 /* Ensure that the curve in our server cert is one of the ones supported
1893 * by the remote client, and disable all ECC cipher suites if not.
1894 */
1895 SECStatus
ssl_HandleSupportedGroupsXtn(const sslSocket * ss,TLSExtensionData * xtnData,SECItem * data)1896 ssl_HandleSupportedGroupsXtn(const sslSocket *ss, TLSExtensionData *xtnData,
1897 SECItem *data)
1898 {
1899 SECStatus rv;
1900
1901 rv = ssl_UpdateSupportedGroups(CONST_CAST(sslSocket, ss), data);
1902 if (rv != SECSuccess)
1903 return SECFailure;
1904
1905 /* TLS 1.3 permits the server to send this extension so make it so. */
1906 if (ss->sec.isServer && ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) {
1907 rv = ssl3_RegisterExtensionSender(ss, xtnData, ssl_supported_groups_xtn,
1908 &ssl_SendSupportedGroupsXtn);
1909 if (rv != SECSuccess) {
1910 return SECFailure; /* error already set. */
1911 }
1912 }
1913
1914 /* Remember that we negotiated this extension. */
1915 xtnData->negotiated[xtnData->numNegotiated++] = ssl_supported_groups_xtn;
1916
1917 return SECSuccess;
1918 }
1919
1920 SECStatus
ssl_HandleRecordSizeLimitXtn(const sslSocket * ss,TLSExtensionData * xtnData,SECItem * data)1921 ssl_HandleRecordSizeLimitXtn(const sslSocket *ss, TLSExtensionData *xtnData,
1922 SECItem *data)
1923 {
1924 SECStatus rv;
1925 PRUint32 limit;
1926 PRUint32 maxLimit = (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3)
1927 ? (MAX_FRAGMENT_LENGTH + 1)
1928 : MAX_FRAGMENT_LENGTH;
1929
1930 rv = ssl3_ExtConsumeHandshakeNumber(ss, &limit, 2, &data->data, &data->len);
1931 if (rv != SECSuccess) {
1932 return SECFailure;
1933 }
1934 if (data->len != 0 || limit < 64) {
1935 ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
1936 PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE);
1937 return SECFailure;
1938 }
1939
1940 if (ss->sec.isServer) {
1941 rv = ssl3_RegisterExtensionSender(ss, xtnData, ssl_record_size_limit_xtn,
1942 &ssl_SendRecordSizeLimitXtn);
1943 if (rv != SECSuccess) {
1944 return SECFailure; /* error already set. */
1945 }
1946 } else if (limit > maxLimit) {
1947 /* The client can sensibly check the maximum. */
1948 ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
1949 PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE);
1950 return SECFailure;
1951 }
1952
1953 /* We can't enforce the maximum on a server. But we do need to ensure
1954 * that we don't apply a limit that is too large. */
1955 xtnData->recordSizeLimit = PR_MIN(maxLimit, limit);
1956 xtnData->negotiated[xtnData->numNegotiated++] = ssl_record_size_limit_xtn;
1957 return SECSuccess;
1958 }
1959
1960 SECStatus
ssl_SendRecordSizeLimitXtn(const sslSocket * ss,TLSExtensionData * xtnData,sslBuffer * buf,PRBool * added)1961 ssl_SendRecordSizeLimitXtn(const sslSocket *ss, TLSExtensionData *xtnData,
1962 sslBuffer *buf, PRBool *added)
1963 {
1964 PRUint32 maxLimit;
1965 if (ss->sec.isServer) {
1966 maxLimit = (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3)
1967 ? (MAX_FRAGMENT_LENGTH + 1)
1968 : MAX_FRAGMENT_LENGTH;
1969 } else {
1970 maxLimit = (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3)
1971 ? (MAX_FRAGMENT_LENGTH + 1)
1972 : MAX_FRAGMENT_LENGTH;
1973 }
1974 PRUint32 limit = PR_MIN(ss->opt.recordSizeLimit, maxLimit);
1975 SECStatus rv = sslBuffer_AppendNumber(buf, limit, 2);
1976 if (rv != SECSuccess) {
1977 return SECFailure;
1978 }
1979
1980 *added = PR_TRUE;
1981 return SECSuccess;
1982 }
1983