When renegotiating, continue to use the client_version used in the initial ClientHello

net/third_party/nss/ssl/ssl3con.c

 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /*
  * SSL3 Protocol
  *
  * ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  *
  * The contents of this file are subject to the Mozilla Public License Version
  * 1.1 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
@@ skipping 768 matching lines @@
         return SECFailure;
     }
 
     if (peerVersion < ss->vrange.min ||
         (peerVersion > ss->vrange.max && !allowLargerPeerVersion)) {
         PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
         return SECFailure;
     }
 
     ss->version = PR_MIN(peerVersion, ss->vrange.max);
-    PORT_Assert(ssl3_VersionIsSupported(ssl_variant_stream, ss->version));
+    PORT_Assert(ssl3_VersionIsSupported(ss->protocolVariant, ss->version));

[Ryan Sleevi, 2012/08/15 03:39:07]

This is related to your change to ekr's patch, right?

[wtc, 2012/08/15 16:16:59]

Yes, this fixes an unrelated bug that I discovered while
studying the code that modifies ss->version.  I can remove
this bug fix from the CL.

 
     return SECSuccess;
 }
 
 static SECStatus
 ssl3_GetNewRandom(SSL3Random *random)
 {
     PRUint32 gmt = ssl_Time();
     SECStatus rv;
 
@@ skipping 1479 matching lines @@
                 SSL_GETPID(), ss->fd, ssl3_DecodeContentType(type),
                 nIn));
     PRINT_BUF(3, (ss, "Send record (plain text)", pIn, nIn));
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
 
     capRecordVersion = ((flags & ssl_SEND_FLAG_CAP_RECORD_VERSION) != 0);
 
     if (capRecordVersion) {
         /* ssl_SEND_FLAG_CAP_RECORD_VERSION can only be used with
-         * TLS ClientHello. */
+         * TLS initial ClientHello. */

[agl, 2012/08/15 04:02:23]

(nit: I think there should be a 'the' in this comment.)

         PORT_Assert(!IS_DTLS(ss));
+        PORT_Assert(!ss->firstHsDone);
         PORT_Assert(type == content_handshake);
         PORT_Assert(ss->ssl3.hs.ws == wait_server_hello);
     }
 
     if (ss->ssl3.initialized == PR_FALSE) {
         /* This can happen on a server if the very first incoming record
         ** looks like a defective ssl3 record (e.g. too long), and we're
         ** trying to send an alert.
         */
         PR_ASSERT(type == content_alert);
@@ skipping 1702 matching lines @@
 ssl3_SendClientHello(sslSocket *ss, PRBool resending)
 {
     sslSessionID *   sid;
     ssl3CipherSpec * cwSpec;
     SECStatus        rv;
     int              i;
     int              length;
     int              num_suites;
     int              actual_count = 0;
     PRBool           isTLS = PR_FALSE;
-    PRBool           serverVersionKnown = PR_FALSE;
+    PRBool           requestingResume = PR_FALSE;
     PRInt32          total_exten_len = 0;
     unsigned         numCompressionMethods;
     PRInt32          flags;
 
     SSL_TRC(3, ("%d: SSL3[%d]: send client_hello handshake", SSL_GETPID(),
                 ss->fd));
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
 
@@ skipping 56 matching lines @@
             }
         }
         /* If we previously did client-auth, make sure that the token that
         ** holds the private key still exists, is logged in, hasn't been
         ** removed, etc.
         */
         if (sidOK && !ssl3_ClientAuthTokenPresent(sid)) {
             sidOK = PR_FALSE;
         }
 
-        if (sidOK && ssl3_NegotiateVersion(ss, sid->version,
-                                           PR_FALSE) != SECSuccess) {
-            sidOK = PR_FALSE;
+        /* TLS 1.0 (RFC 2246) Appendix E says:
+         *   Whenever a client already knows the highest protocol known to
+         *   a server (for example, when resuming a session), it should
+         *   initiate the connection in that native protocol.
+         * So we pass sid->version to ssl3_NegotiateVersion() here, except
+         * when renegotiating.
+         *
+         * Windows SChannel compares the client_version inside the RSA
+         * EncryptedPreMasterSecret of a renegotiation with the
+         * client_version of the initial ClientHello rather than the
+         * ClientHello in the renegotiation. To work around this bug, we
+         * continue to use the client_version used in the initial
+         * ClientHello when renegotiating.
+         */
+        if (sidOK) {
+            if (ss->firstHsDone) {

[Ryan Sleevi, 2012/08/15 03:39:07]

if (sidOK), isn't a guarantee that firstHsDone is true, since it means we have
previously negotiated a session?

[agl, 2012/08/15 04:02:23]

I'm not quite sure that I understand your question, but I read sidOK to be that
we have a session to attempt a resumption with. But that's doesn't mean that
we've already done a handshake.

[Ryan Sleevi, 2012/08/15 04:09:44]

If we have a session to attempt a resumption with, doesn't that mean we've
exchanged Finished messages at least once, hence we've done a handshake?

Where I'm trying to understand MSFTs bug and this implementation is what the
expected result is when
1) Resuming a previous session on a new connection
2) Resuming a previous session on an existing connection (since the session ID
is not invalidated until the server says it is, and it could request
renegotiation but not invalidate the session)

The intermingling of session variables (sidOK, sid->version) with connection
variables (ss->firstHsDone, ss->clientHelloVersion) is what is giving me trouble
in reasoning.

[wtc, 2012/08/15 16:16:59]

If ss->firstHsDone is true, it means the first handshake
on this SSL socket ('ss') is done.  The session we're
requesting to resume ('sid') was negotiated on some other
SSL socket.
This is the sidOK=true ss->firstHsDone=false case.  The
expected result is to set client_version of ClientHello
to the version in 'sid'.  NSS has always been doing this.
I just added a comment (lines 4091-4096) to explain the
rationale.
This is the sidOK=true ss->firstHsDone=true case.  This
CL changes the behavior of NSS in this case.  NSS used to
set client_version of the renegotiation ClientHello to
sid->version.  Because of the SChannel bug, NSS will need
to set client_version of the renegotiation ClientHello
to the client_version of the initial ClientHello, which
is still available in ss->clientHelloVersion at this point.
(That value will be overwritten on line 4263 below, where
I added an assertion.)

[wtc, 2012/08/16 01:40:06]

I found that my reply has a typo. It should read (with the
change highlighted in CAPS):

If ss->firstHsDone is true, it means the first handshake on this SSL socket
('ss') is done. The session we're requesting to resume ('sid') MAY HAVE BEEN
negotiated on
some other SSL socket.

+                if (sid->version <= ss->clientHelloVersion) {
+                    ss->version = ss->clientHelloVersion;

[Ryan Sleevi, 2012/08/15 03:39:07]

It seems implicit in this is the assumption that sid->version cannot be greater
than ss->clientHelloVersion, right? Is that a safe assumption [it would seem so,
I just want to confirm]

ssl3_NegotiateVersion ensures that sid->version is bounded within (min, max), so
I wanted to make sure we couldn't accidentally blow over max here.

[wtc, 2012/08/15 16:16:59]

In this case, the SChannel bug requires us to set
ss->version to ss->clientHelloVersion.  So if we want to
resume the session 'sid', we need to make sure sid->version
is enabled on this SSL socket.

Since the session 'sid' may have been negotiated on a
different SSL socket with a different version range,
sid->version may be greater than ss->clientHelloVersion.
While answering this question, I noticed that we should
also ensure sid->version >= ss->vrange.min.

+                } else {
+                    sidOK = PR_FALSE;

[agl, 2012/08/15 04:02:23]

Is this case ok? If we reject sid because it's version is greater than
clientHelloVersion, might we still end up sending a version other than
clientHelloVersion in the renegotiation?

I'm not sure why this section isn't just:

if (sidOK && ssl3_NegotiateVersion(ss, sid->version, PR_FALSE) != SECSuccess) {
    sidOK = PR_FALSE;
}

if (ss->firstHsDone)
  ss->version = ss->clientHelloVersion;

[wtc, 2012/08/15 16:16:59]

This case will be handled correctly on lines 4152-4153
below.
I considered writing the code that way before, but
ssl3_NegotiateVersion is quite right for the renegotiation
case, where the version upper bound is ss->clientHelloVersion
instead of ss->vrange.max.

I also considered moving the SChannel bug workaround logic
into the ssl3_NegotiateVersion function.  Since that
function is also used by server-side code, I didn't want
to make it more complicated.  I will look into that again.

+                }
+            } else {
+                if (ssl3_NegotiateVersion(ss, sid->version,
+                                          PR_FALSE) != SECSuccess) {

[Ryan Sleevi, 2012/08/15 03:39:07]

nit: Shouldn't it be two tabs, then 4 spaces (matching indent of the if), then
spaces to align the PR_FALSE with the opening paren on 4113?

Same with line 4156

[wtc, 2012/08/15 16:16:59]

The original code also uses the maximum number of tabs,
followed by just enough spaces to align.  I think as long
as the line starts with a tab, it'll look aligned in a
diff.

+                    sidOK = PR_FALSE;
+                }
+            }
         }
 
         if (!sidOK) {
             SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_not_ok );
             (*ss->sec.uncache)(sid);
             ssl_FreeSID(sid);
             sid = NULL;
         }
     }
 
     if (sid) {
-        serverVersionKnown = PR_TRUE;
+        requestingResume = PR_TRUE;
         SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_hits );
 
         /* Are we attempting a stateless session resume? */
         if (sid->version > SSL_LIBRARY_VERSION_3_0 &&
             sid->u.ssl3.sessionTicket.ticket.data)
             SSL_AtomicIncrementLong(& ssl3stats.sch_sid_stateless_resumes );
 
         PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID,
                       sid->u.ssl3.sessionIDLength));
 
         ss->ssl3.policy = sid->u.ssl3.policy;
     } else {
         SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_misses );
 
-        rv = ssl3_NegotiateVersion(ss, SSL_LIBRARY_VERSION_MAX_SUPPORTED,
-                                   PR_TRUE);
-        if (rv != SECSuccess)
-            return rv;  /* error code was set */
+        /*
+         * Windows SChannel compares the client_version inside the RSA
+         * EncryptedPreMasterSecret of a renegotiation with the
+         * client_version of the initial ClientHello rather than the
+         * ClientHello in the renegotiation. To work around this bug, we
+         * continue to use the client_version used in the initial
+         * ClientHello when renegotiating.
+         */
+        if (ss->firstHsDone) {
+            ss->version = ss->clientHelloVersion;
+        } else {
+            rv = ssl3_NegotiateVersion(ss, SSL_LIBRARY_VERSION_MAX_SUPPORTED,
+                                       PR_TRUE);
+            if (rv != SECSuccess)
+                return rv;      /* error code was set */
+        }
 
         sid = ssl3_NewSessionID(ss, PR_FALSE);
         if (!sid) {
             return SECFailure;  /* memory error is set */
         }
     }
 
     isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0);
     ssl_GetSpecWriteLock(ss);
     cwSpec = ss->ssl3.cwSpec;
@@ skipping 79 matching lines @@
         1 + numCompressionMethods + total_exten_len;
     if (IS_DTLS(ss)) {
         length += 1 + ss->ssl3.hs.cookieLen;
     }
 
     rv = ssl3_AppendHandshakeHeader(ss, client_hello, length);
     if (rv != SECSuccess) {
         return rv;      /* err set by ssl3_AppendHandshake* */
     }
 
+    if (ss->firstHsDone) {
+        /* Work around the Windows SChannel bug described above. */ 
+        PORT_Assert(ss->version == ss->clientHelloVersion);
+    }
     ss->clientHelloVersion = ss->version;
     if (IS_DTLS(ss)) {
         PRUint16 version;
 
         version = dtls_TLSVersionToDTLSVersion(ss->clientHelloVersion);
         rv = ssl3_AppendHandshakeNumber(ss, version, 2);
     } else {
         rv = ssl3_AppendHandshakeNumber(ss, ss->clientHelloVersion, 2);
     }
     if (rv != SECSuccess) {
@@ skipping 98 matching lines @@
         maxBytes -= extLen;
         PORT_Assert(!maxBytes);
     } 
     if (ss->ssl3.hs.sendingSCSV) {
         /* Since we sent the SCSV, pretend we sent empty RI extension. */
         TLSExtensionData *xtnData = &ss->xtnData;
         xtnData->advertised[xtnData->numAdvertised++] = 
             ssl_renegotiation_info_xtn;
     }
 
+    ss->ssl3.hs.ws = wait_server_hello;

[Ryan Sleevi, 2012/08/15 03:39:07]

Did you mean to move this? It doesn't seem related.

Previously, the wait state would only be updated if rv == SECSuccess, where rv
was set on 4386

[wtc, 2012/08/15 16:16:59]

Yes, this line needs to be moved here to support the
assertion on line 2293.

The NSS code that sets ss->ssl3.hs.ws when sending
ClientHello is not very clean.

For the initial ClientHello, ss->ssl3.hs.w3 is initialized
to wait_server_hello early in this function, inside the
ssl3_InitState call on line 4025:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ssl/ssl3...

It then sets ss->ssl3.hs.ws to wait_server_hello again
here.

For a renegotiation ClientHello, the ssl3_InitState call
on line 4025 has no effect (because ss->ssl3.initialized
is true), so ss->ssl3.hs.ws is idle_handshake at this
point.  Therefore, if I don't move this assignment before
the ssl3_FlushHandshake call, the assertion on line 2293
will fail in a renegotiation.

Another solution would be to remove all the assertions
on line 2287-2294.  It does seem better to transition to
a new ss->ssl3.hs.ws only when everything succeeds.

     flags = 0;
-    if (!serverVersionKnown && !IS_DTLS(ss)) {
+    if (!ss->firstHsDone && !requestingResume && !IS_DTLS(ss)) {
         flags |= ssl_SEND_FLAG_CAP_RECORD_VERSION;
     }
     rv = ssl3_FlushHandshake(ss, flags);
     if (rv != SECSuccess) {
         return rv;      /* error code set by ssl3_FlushHandshake */
     }
 
-    ss->ssl3.hs.ws = wait_server_hello;
     return rv;
 }
 
 
 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
  * ssl3 Hello Request.
  * Caller must hold Handshake and RecvBuf locks.
  */
 static SECStatus
 ssl3_HandleHelloRequest(sslSocket *ss)
@@ skipping 6432 matching lines @@
             PORT_Free(ss->ssl3.hs.recvdFragments.buf);
         }
     }
 
     ss->ssl3.initialized = PR_FALSE;
 
     SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
 }
 
 /* End of ssl3con.c */