OLD | NEW |
---|---|
1 /* | 1 /* |
2 * SSL3 Protocol | 2 * SSL3 Protocol |
3 * | 3 * |
4 * This Source Code Form is subject to the terms of the Mozilla Public | 4 * This Source Code Form is subject to the terms of the Mozilla Public |
5 * License, v. 2.0. If a copy of the MPL was not distributed with this | 5 * License, v. 2.0. If a copy of the MPL was not distributed with this |
6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
7 | 7 |
8 /* TLS extension code moved here from ssl3ecc.c */ | 8 /* TLS extension code moved here from ssl3ecc.c */ |
9 | 9 |
10 #include "nssrenam.h" | 10 #include "nssrenam.h" |
(...skipping 30 matching lines...) Expand all Loading... | |
41 PRInt32 lenSize); | 41 PRInt32 lenSize); |
42 static SECStatus ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss, | 42 static SECStatus ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss, |
43 PK11SymKey **aes_key, PK11SymKey **mac_key); | 43 PK11SymKey **aes_key, PK11SymKey **mac_key); |
44 #ifndef NO_PKCS11_BYPASS | 44 #ifndef NO_PKCS11_BYPASS |
45 static SECStatus ssl3_GetSessionTicketKeys(const unsigned char **aes_key, | 45 static SECStatus ssl3_GetSessionTicketKeys(const unsigned char **aes_key, |
46 PRUint32 *aes_key_length, const unsigned char **mac_key, | 46 PRUint32 *aes_key_length, const unsigned char **mac_key, |
47 PRUint32 *mac_key_length); | 47 PRUint32 *mac_key_length); |
48 #endif | 48 #endif |
49 static PRInt32 ssl3_SendRenegotiationInfoXtn(sslSocket * ss, | 49 static PRInt32 ssl3_SendRenegotiationInfoXtn(sslSocket * ss, |
50 PRBool append, PRUint32 maxBytes); | 50 PRBool append, PRUint32 maxBytes); |
51 static SECStatus ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, | 51 static SECStatus ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, |
52 PRUint16 ex_type, SECItem *data); | 52 PRUint16 ex_type, SECItem *data); |
53 static SECStatus ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, | 53 static SECStatus ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, |
54 » » » PRUint16 ex_type, SECItem *data); | 54 PRUint16 ex_type, SECItem *data); |
55 static SECStatus ssl3_ClientHandleAppProtoXtn(sslSocket *ss, | 55 static SECStatus ssl3_ClientHandleAppProtoXtn(sslSocket *ss, |
56 » » » PRUint16 ex_type, SECItem *data); | 56 PRUint16 ex_type, SECItem *data); |
57 static SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss, | 57 static SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss, |
58 » » » PRUint16 ex_type, SECItem *data); | 58 PRUint16 ex_type, SECItem *data); |
59 static SECStatus ssl3_ServerHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type, | 59 static SECStatus ssl3_ServerHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type, |
60 SECItem *data); | 60 SECItem *data); |
61 static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append, | 61 static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append, |
62 PRUint32 maxBytes); | 62 PRUint32 maxBytes); |
63 static PRInt32 ssl3_ClientSendAppProtoXtn(sslSocket *ss, PRBool append, | 63 static PRInt32 ssl3_ClientSendAppProtoXtn(sslSocket *ss, PRBool append, |
64 » » » » » PRUint32 maxBytes); | 64 PRUint32 maxBytes); |
65 static PRInt32 ssl3_ServerSendAppProtoXtn(sslSocket *ss, PRBool append, | 65 static PRInt32 ssl3_ServerSendAppProtoXtn(sslSocket *ss, PRBool append, |
66 PRUint32 maxBytes); | 66 PRUint32 maxBytes); |
67 static PRInt32 ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append, | 67 static PRInt32 ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append, |
68 PRUint32 maxBytes); | 68 PRUint32 maxBytes); |
69 static SECStatus ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, | 69 static SECStatus ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, |
70 SECItem *data); | 70 SECItem *data); |
71 static SECStatus ssl3_ClientHandleChannelIDXtn(sslSocket *ss, | 71 static SECStatus ssl3_ClientHandleChannelIDXtn(sslSocket *ss, |
72 PRUint16 ex_type, SECItem *data); | 72 PRUint16 ex_type, SECItem *data); |
73 static PRInt32 ssl3_ClientSendChannelIDXtn(sslSocket *ss, PRBool append, | 73 static PRInt32 ssl3_ClientSendChannelIDXtn(sslSocket *ss, PRBool append, |
74 PRUint32 maxBytes); | 74 PRUint32 maxBytes); |
75 static SECStatus ssl3_ServerSendStatusRequestXtn(sslSocket * ss, | 75 static PRInt32 ssl3_ServerSendStatusRequestXtn(sslSocket * ss, |
76 PRBool append, PRUint32 maxBytes); | 76 PRBool append, PRUint32 maxBytes); |
77 static SECStatus ssl3_ServerHandleStatusRequestXtn(sslSocket *ss, | 77 static SECStatus ssl3_ServerHandleStatusRequestXtn(sslSocket *ss, |
78 PRUint16 ex_type, SECItem *data); | 78 PRUint16 ex_type, SECItem *data); |
79 static SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, | 79 static SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, |
80 PRUint16 ex_type, | 80 PRUint16 ex_type, |
81 SECItem *data); | 81 SECItem *data); |
82 static PRInt32 ssl3_ClientSendStatusRequestXtn(sslSocket * ss, PRBool append, | 82 static PRInt32 ssl3_ClientSendStatusRequestXtn(sslSocket * ss, PRBool append, |
83 PRUint32 maxBytes); | 83 PRUint32 maxBytes); |
84 static PRInt32 ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append, | 84 static PRInt32 ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append, |
85 PRUint32 maxBytes); | 85 PRUint32 maxBytes); |
86 static SECStatus ssl3_ServerHandleSigAlgsXtn(sslSocket *ss, PRUint16 ex_type, | 86 static SECStatus ssl3_ServerHandleSigAlgsXtn(sslSocket *ss, PRUint16 ex_type, |
87 SECItem *data); | 87 SECItem *data); |
88 static PRInt32 ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, | 88 static PRInt32 ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, |
89 » » » » » » PRBool append, | 89 PRBool append, |
90 » » » » » » PRUint32 maxBytes); | 90 PRUint32 maxBytes); |
91 static SECStatus ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, | 91 static SECStatus ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, |
92 » » » » » » » PRUint16 ex_type, | 92 PRUint16 ex_type, |
93 » » » » » » » SECItem *data); | 93 SECItem *data); |
94 | |
95 static PRInt32 ssl3_ClientSendDraftVersionXtn(sslSocket *ss, PRBool append, | |
96 PRUint32 maxBytes); | |
97 static SECStatus ssl3_ServerHandleDraftVersionXtn(sslSocket *ss, PRUint16 ex_typ e, | |
98 SECItem *data); | |
94 | 99 |
95 /* | 100 /* |
96 * Write bytes. Using this function means the SECItem structure | 101 * Write bytes. Using this function means the SECItem structure |
97 * cannot be freed. The caller is expected to call this function | 102 * cannot be freed. The caller is expected to call this function |
98 * on a shallow copy of the structure. | 103 * on a shallow copy of the structure. |
99 */ | 104 */ |
100 static SECStatus | 105 static SECStatus |
101 ssl3_AppendToItem(SECItem *item, const unsigned char *buf, PRUint32 bytes) | 106 ssl3_AppendToItem(SECItem *item, const unsigned char *buf, PRUint32 bytes) |
102 { | 107 { |
103 if (bytes > item->len) | 108 if (bytes > item->len) |
104 » return SECFailure; | 109 return SECFailure; |
105 | 110 |
106 PORT_Memcpy(item->data, buf, bytes); | 111 PORT_Memcpy(item->data, buf, bytes); |
107 item->data += bytes; | 112 item->data += bytes; |
108 item->len -= bytes; | 113 item->len -= bytes; |
109 return SECSuccess; | 114 return SECSuccess; |
110 } | 115 } |
111 | 116 |
112 /* | 117 /* |
113 * Write a number in network byte order. Using this function means the | 118 * Write a number in network byte order. Using this function means the |
114 * SECItem structure cannot be freed. The caller is expected to call | 119 * SECItem structure cannot be freed. The caller is expected to call |
115 * this function on a shallow copy of the structure. | 120 * this function on a shallow copy of the structure. |
116 */ | 121 */ |
117 static SECStatus | 122 static SECStatus |
118 ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, PRInt32 lenSize) | 123 ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, PRInt32 lenSize) |
119 { | 124 { |
120 SECStatus rv; | 125 SECStatus rv; |
121 PRUint8 b[4]; | 126 PRUint8 b[4]; |
122 PRUint8 * p = b; | 127 PRUint8 * p = b; |
123 | 128 |
124 switch (lenSize) { | 129 switch (lenSize) { |
125 case 4: | 130 case 4: |
126 » *p++ = (PRUint8) (num >> 24); | 131 *p++ = (PRUint8) (num >> 24); |
127 case 3: | 132 case 3: |
128 » *p++ = (PRUint8) (num >> 16); | 133 *p++ = (PRUint8) (num >> 16); |
129 case 2: | 134 case 2: |
130 » *p++ = (PRUint8) (num >> 8); | 135 *p++ = (PRUint8) (num >> 8); |
131 case 1: | 136 case 1: |
132 » *p = (PRUint8) num; | 137 *p = (PRUint8) num; |
133 } | 138 } |
134 rv = ssl3_AppendToItem(item, &b[0], lenSize); | 139 rv = ssl3_AppendToItem(item, &b[0], lenSize); |
135 return rv; | 140 return rv; |
136 } | 141 } |
137 | 142 |
138 static SECStatus ssl3_SessionTicketShutdown(void* appData, void* nssData) | 143 static SECStatus ssl3_SessionTicketShutdown(void* appData, void* nssData) |
139 { | 144 { |
140 if (session_ticket_enc_key_pkcs11) { | 145 if (session_ticket_enc_key_pkcs11) { |
141 » PK11_FreeSymKey(session_ticket_enc_key_pkcs11); | 146 PK11_FreeSymKey(session_ticket_enc_key_pkcs11); |
142 » session_ticket_enc_key_pkcs11 = NULL; | 147 session_ticket_enc_key_pkcs11 = NULL; |
143 } | 148 } |
144 if (session_ticket_mac_key_pkcs11) { | 149 if (session_ticket_mac_key_pkcs11) { |
145 » PK11_FreeSymKey(session_ticket_mac_key_pkcs11); | 150 PK11_FreeSymKey(session_ticket_mac_key_pkcs11); |
146 » session_ticket_mac_key_pkcs11 = NULL; | 151 session_ticket_mac_key_pkcs11 = NULL; |
147 } | 152 } |
148 PORT_Memset(&generate_session_keys_once, 0, | 153 PORT_Memset(&generate_session_keys_once, 0, |
149 » sizeof(generate_session_keys_once)); | 154 sizeof(generate_session_keys_once)); |
150 return SECSuccess; | 155 return SECSuccess; |
151 } | 156 } |
152 | 157 |
153 | 158 |
154 static PRStatus | 159 static PRStatus |
155 ssl3_GenerateSessionTicketKeysPKCS11(void *data) | 160 ssl3_GenerateSessionTicketKeysPKCS11(void *data) |
156 { | 161 { |
157 SECStatus rv; | 162 SECStatus rv; |
158 sslSocket *ss = (sslSocket *)data; | 163 sslSocket *ss = (sslSocket *)data; |
159 SECKEYPrivateKey *svrPrivKey = ss->serverCerts[kt_rsa].SERVERKEY; | 164 SECKEYPrivateKey *svrPrivKey = ss->serverCerts[kt_rsa].SERVERKEY; |
160 SECKEYPublicKey *svrPubKey = ss->serverCerts[kt_rsa].serverKeyPair->pubKey; | 165 SECKEYPublicKey *svrPubKey = ss->serverCerts[kt_rsa].serverKeyPair->pubKey; |
161 | 166 |
162 if (svrPrivKey == NULL || svrPubKey == NULL) { | 167 if (svrPrivKey == NULL || svrPubKey == NULL) { |
163 » SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.", | 168 SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.", |
164 » » » SSL_GETPID(), ss->fd)); | 169 SSL_GETPID(), ss->fd)); |
165 » goto loser; | 170 goto loser; |
166 } | 171 } |
167 | 172 |
168 /* Get a copy of the session keys from shared memory. */ | 173 /* Get a copy of the session keys from shared memory. */ |
169 PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX, | 174 PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX, |
170 » sizeof(SESS_TICKET_KEY_NAME_PREFIX)); | 175 sizeof(SESS_TICKET_KEY_NAME_PREFIX)); |
171 if (!ssl_GetSessionTicketKeysPKCS11(svrPrivKey, svrPubKey, | 176 if (!ssl_GetSessionTicketKeysPKCS11(svrPrivKey, svrPubKey, |
172 » ss->pkcs11PinArg, &key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN], | 177 ss->pkcs11PinArg, &key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN], |
173 » &session_ticket_enc_key_pkcs11, &session_ticket_mac_key_pkcs11)) | 178 &session_ticket_enc_key_pkcs11, &session_ticket_mac_key_pkcs11)) |
174 » return PR_FAILURE; | 179 return PR_FAILURE; |
175 | 180 |
176 rv = NSS_RegisterShutdown(ssl3_SessionTicketShutdown, NULL); | 181 rv = NSS_RegisterShutdown(ssl3_SessionTicketShutdown, NULL); |
177 if (rv != SECSuccess) | 182 if (rv != SECSuccess) |
178 » goto loser; | 183 goto loser; |
179 | 184 |
180 return PR_SUCCESS; | 185 return PR_SUCCESS; |
181 | 186 |
182 loser: | 187 loser: |
183 ssl3_SessionTicketShutdown(NULL, NULL); | 188 ssl3_SessionTicketShutdown(NULL, NULL); |
184 return PR_FAILURE; | 189 return PR_FAILURE; |
185 } | 190 } |
186 | 191 |
187 static SECStatus | 192 static SECStatus |
188 ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss, PK11SymKey **aes_key, | 193 ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss, PK11SymKey **aes_key, |
189 PK11SymKey **mac_key) | 194 PK11SymKey **mac_key) |
190 { | 195 { |
191 if (PR_CallOnceWithArg(&generate_session_keys_once, | 196 if (PR_CallOnceWithArg(&generate_session_keys_once, |
192 » ssl3_GenerateSessionTicketKeysPKCS11, ss) != PR_SUCCESS) | 197 ssl3_GenerateSessionTicketKeysPKCS11, ss) != PR_SUCCESS) |
193 » return SECFailure; | 198 return SECFailure; |
194 | 199 |
195 if (session_ticket_enc_key_pkcs11 == NULL || | 200 if (session_ticket_enc_key_pkcs11 == NULL || |
196 » session_ticket_mac_key_pkcs11 == NULL) | 201 session_ticket_mac_key_pkcs11 == NULL) |
197 » return SECFailure; | 202 return SECFailure; |
198 | 203 |
199 *aes_key = session_ticket_enc_key_pkcs11; | 204 *aes_key = session_ticket_enc_key_pkcs11; |
200 *mac_key = session_ticket_mac_key_pkcs11; | 205 *mac_key = session_ticket_mac_key_pkcs11; |
201 return SECSuccess; | 206 return SECSuccess; |
202 } | 207 } |
203 | 208 |
204 #ifndef NO_PKCS11_BYPASS | 209 #ifndef NO_PKCS11_BYPASS |
205 static PRStatus | 210 static PRStatus |
206 ssl3_GenerateSessionTicketKeys(void) | 211 ssl3_GenerateSessionTicketKeys(void) |
207 { | 212 { |
208 PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX, | 213 PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX, |
209 » sizeof(SESS_TICKET_KEY_NAME_PREFIX)); | 214 sizeof(SESS_TICKET_KEY_NAME_PREFIX)); |
210 | 215 |
211 if (!ssl_GetSessionTicketKeys(&key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN], | 216 if (!ssl_GetSessionTicketKeys(&key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN], |
212 » session_ticket_enc_key, session_ticket_mac_key)) | 217 session_ticket_enc_key, session_ticket_mac_key)) |
213 » return PR_FAILURE; | 218 return PR_FAILURE; |
214 | 219 |
215 session_ticket_keys_initialized = PR_TRUE; | 220 session_ticket_keys_initialized = PR_TRUE; |
216 return PR_SUCCESS; | 221 return PR_SUCCESS; |
217 } | 222 } |
218 | 223 |
219 static SECStatus | 224 static SECStatus |
220 ssl3_GetSessionTicketKeys(const unsigned char **aes_key, | 225 ssl3_GetSessionTicketKeys(const unsigned char **aes_key, |
221 PRUint32 *aes_key_length, const unsigned char **mac_key, | 226 PRUint32 *aes_key_length, const unsigned char **mac_key, |
222 PRUint32 *mac_key_length) | 227 PRUint32 *mac_key_length) |
223 { | 228 { |
224 if (PR_CallOnce(&generate_session_keys_once, | 229 if (PR_CallOnce(&generate_session_keys_once, |
225 » ssl3_GenerateSessionTicketKeys) != PR_SUCCESS) | 230 ssl3_GenerateSessionTicketKeys) != PR_SUCCESS) |
226 » return SECFailure; | 231 return SECFailure; |
227 | 232 |
228 if (!session_ticket_keys_initialized) | 233 if (!session_ticket_keys_initialized) |
229 » return SECFailure; | 234 return SECFailure; |
230 | 235 |
231 *aes_key = session_ticket_enc_key; | 236 *aes_key = session_ticket_enc_key; |
232 *aes_key_length = sizeof(session_ticket_enc_key); | 237 *aes_key_length = sizeof(session_ticket_enc_key); |
233 *mac_key = session_ticket_mac_key; | 238 *mac_key = session_ticket_mac_key; |
234 *mac_key_length = sizeof(session_ticket_mac_key); | 239 *mac_key_length = sizeof(session_ticket_mac_key); |
235 | 240 |
236 return SECSuccess; | 241 return SECSuccess; |
237 } | 242 } |
238 #endif | 243 #endif |
239 | 244 |
240 /* Table of handlers for received TLS hello extensions, one per extension. | 245 /* Table of handlers for received TLS hello extensions, one per extension. |
241 * In the second generation, this table will be dynamic, and functions | 246 * In the second generation, this table will be dynamic, and functions |
242 * will be registered here. | 247 * will be registered here. |
243 */ | 248 */ |
244 /* This table is used by the server, to handle client hello extensions. */ | 249 /* This table is used by the server, to handle client hello extensions. */ |
245 static const ssl3HelloExtensionHandler clientHelloHandlers[] = { | 250 static const ssl3HelloExtensionHandler clientHelloHandlers[] = { |
246 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, | 251 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, |
247 #ifdef NSS_ENABLE_ECC | 252 #ifndef NSS_DISABLE_ECC |
248 { ssl_elliptic_curves_xtn, &ssl3_HandleSupportedCurvesXtn }, | 253 { ssl_elliptic_curves_xtn, &ssl3_HandleSupportedCurvesXtn }, |
249 { ssl_ec_point_formats_xtn, &ssl3_HandleSupportedPointFormatsXtn }, | 254 { ssl_ec_point_formats_xtn, &ssl3_HandleSupportedPointFormatsXtn }, |
250 #endif | 255 #endif |
251 { ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn }, | 256 { ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn }, |
252 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, | 257 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, |
253 { ssl_next_proto_nego_xtn, &ssl3_ServerHandleNextProtoNegoXtn }, | 258 { ssl_next_proto_nego_xtn, &ssl3_ServerHandleNextProtoNegoXtn }, |
254 { ssl_app_layer_protocol_xtn, &ssl3_ServerHandleAppProtoXtn }, | 259 { ssl_app_layer_protocol_xtn, &ssl3_ServerHandleAppProtoXtn }, |
255 { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn }, | 260 { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn }, |
256 { ssl_cert_status_xtn, &ssl3_ServerHandleStatusRequestXtn }, | 261 { ssl_cert_status_xtn, &ssl3_ServerHandleStatusRequestXtn }, |
257 { ssl_signature_algorithms_xtn, &ssl3_ServerHandleSigAlgsXtn }, | 262 { ssl_signature_algorithms_xtn, &ssl3_ServerHandleSigAlgsXtn }, |
263 { ssl_tls13_draft_version_xtn, &ssl3_ServerHandleDraftVersionXtn }, | |
258 { -1, NULL } | 264 { -1, NULL } |
259 }; | 265 }; |
260 | 266 |
261 /* These two tables are used by the client, to handle server hello | 267 /* These two tables are used by the client, to handle server hello |
262 * extensions. */ | 268 * extensions. */ |
263 static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = { | 269 static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = { |
264 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, | 270 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, |
265 /* TODO: add a handler for ssl_ec_point_formats_xtn */ | 271 /* TODO: add a handler for ssl_ec_point_formats_xtn */ |
266 { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn }, | 272 { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn }, |
267 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, | 273 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, |
(...skipping 11 matching lines...) Expand all Loading... | |
279 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, | 285 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, |
280 { -1, NULL } | 286 { -1, NULL } |
281 }; | 287 }; |
282 | 288 |
283 /* Tables of functions to format TLS hello extensions, one function per | 289 /* Tables of functions to format TLS hello extensions, one function per |
284 * extension. | 290 * extension. |
285 * These static tables are for the formatting of client hello extensions. | 291 * These static tables are for the formatting of client hello extensions. |
286 * The server's table of hello senders is dynamic, in the socket struct, | 292 * The server's table of hello senders is dynamic, in the socket struct, |
287 * and sender functions are registered there. | 293 * and sender functions are registered there. |
288 */ | 294 */ |
289 static const | 295 static const |
290 ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = { | 296 ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = { |
291 { ssl_server_name_xtn, &ssl3_SendServerNameXtn }, | 297 { ssl_server_name_xtn, &ssl3_SendServerNameXtn }, |
292 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn }, | 298 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn }, |
293 #ifdef NSS_ENABLE_ECC | 299 #ifndef NSS_DISABLE_ECC |
294 { ssl_elliptic_curves_xtn, &ssl3_SendSupportedCurvesXtn }, | 300 { ssl_elliptic_curves_xtn, &ssl3_SendSupportedCurvesXtn }, |
295 { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn }, | 301 { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn }, |
296 #endif | 302 #endif |
297 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, | 303 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, |
298 { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, | 304 { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, |
299 { ssl_app_layer_protocol_xtn, &ssl3_ClientSendAppProtoXtn }, | 305 { ssl_app_layer_protocol_xtn, &ssl3_ClientSendAppProtoXtn }, |
300 { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn }, | 306 { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn }, |
301 { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn }, | 307 { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn }, |
302 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, | 308 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, |
303 { ssl_signed_certificate_timestamp_xtn, | 309 { ssl_signed_certificate_timestamp_xtn, |
304 &ssl3_ClientSendSignedCertTimestampXtn }, | 310 &ssl3_ClientSendSignedCertTimestampXtn }, |
305 /* WebSphere Application Server 7.0 is intolerant to the last extension | 311 /* WebSphere Application Server 7.0 is intolerant to the last extension |
306 * being zero-length. It is not intolerant of TLS 1.2, so move | 312 * being zero-length. It is not intolerant of TLS 1.2, so ensure that |
307 * signature_algorithms to the end. */ | 313 * signature_algorithms is at the end to guarantee a non-empty |
308 { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn } | 314 * extension. */ |
315 { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }, | |
316 { ssl_tls13_draft_version_xtn, &ssl3_ClientSendDraftVersionXtn }, | |
309 /* any extra entries will appear as { 0, NULL } */ | 317 /* any extra entries will appear as { 0, NULL } */ |
310 }; | 318 }; |
311 | 319 |
312 static const | 320 static const |
313 ssl3HelloExtensionSender clientHelloSendersSSL3[SSL_MAX_EXTENSIONS] = { | 321 ssl3HelloExtensionSender clientHelloSendersSSL3[SSL_MAX_EXTENSIONS] = { |
314 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn } | 322 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn } |
315 /* any extra entries will appear as { 0, NULL } */ | 323 /* any extra entries will appear as { 0, NULL } */ |
316 }; | 324 }; |
317 | 325 |
318 static PRBool | 326 static PRBool |
319 arrayContainsExtension(const PRUint16 *array, PRUint32 len, PRUint16 ex_type) | 327 arrayContainsExtension(const PRUint16 *array, PRUint32 len, PRUint16 ex_type) |
320 { | 328 { |
321 int i; | 329 int i; |
322 for (i = 0; i < len; i++) { | 330 for (i = 0; i < len; i++) { |
323 » if (ex_type == array[i]) | 331 if (ex_type == array[i]) |
324 » return PR_TRUE; | 332 return PR_TRUE; |
325 } | 333 } |
326 return PR_FALSE; | 334 return PR_FALSE; |
327 } | 335 } |
328 | 336 |
329 PRBool | 337 PRBool |
330 ssl3_ExtensionNegotiated(sslSocket *ss, PRUint16 ex_type) { | 338 ssl3_ExtensionNegotiated(sslSocket *ss, PRUint16 ex_type) { |
331 TLSExtensionData *xtnData = &ss->xtnData; | 339 TLSExtensionData *xtnData = &ss->xtnData; |
332 return arrayContainsExtension(xtnData->negotiated, | 340 return arrayContainsExtension(xtnData->negotiated, |
333 » xtnData->numNegotiated, ex_type); | 341 xtnData->numNegotiated, ex_type); |
334 } | 342 } |
335 | 343 |
336 static PRBool | 344 static PRBool |
337 ssl3_ClientExtensionAdvertised(sslSocket *ss, PRUint16 ex_type) { | 345 ssl3_ClientExtensionAdvertised(sslSocket *ss, PRUint16 ex_type) { |
338 TLSExtensionData *xtnData = &ss->xtnData; | 346 TLSExtensionData *xtnData = &ss->xtnData; |
339 return arrayContainsExtension(xtnData->advertised, | 347 return arrayContainsExtension(xtnData->advertised, |
340 » xtnData->numAdvertised, ex_type); | 348 xtnData->numAdvertised, ex_type); |
341 } | 349 } |
342 | 350 |
343 /* Format an SNI extension, using the name from the socket's URL, | 351 /* Format an SNI extension, using the name from the socket's URL, |
344 * unless that name is a dotted decimal string. | 352 * unless that name is a dotted decimal string. |
345 * Used by client and server. | 353 * Used by client and server. |
346 */ | 354 */ |
347 PRInt32 | 355 PRInt32 |
348 ssl3_SendServerNameXtn(sslSocket * ss, PRBool append, | 356 ssl3_SendServerNameXtn(sslSocket * ss, PRBool append, |
349 PRUint32 maxBytes) | 357 PRUint32 maxBytes) |
350 { | 358 { |
351 SECStatus rv; | 359 SECStatus rv; |
352 if (!ss) | 360 if (!ss) |
353 » return 0; | 361 return 0; |
354 if (!ss->sec.isServer) { | 362 if (!ss->sec.isServer) { |
355 PRUint32 len; | 363 PRUint32 len; |
356 PRNetAddr netAddr; | 364 PRNetAddr netAddr; |
357 | 365 |
358 /* must have a hostname */ | 366 /* must have a hostname */ |
359 if (!ss->url || !ss->url[0]) | 367 if (!ss->url || !ss->url[0]) |
360 return 0; | 368 return 0; |
361 /* must not be an IPv4 or IPv6 address */ | 369 /* must not be an IPv4 or IPv6 address */ |
362 if (PR_SUCCESS == PR_StringToNetAddr(ss->url, &netAddr)) { | 370 if (PR_SUCCESS == PR_StringToNetAddr(ss->url, &netAddr)) { |
363 /* is an IP address (v4 or v6) */ | 371 /* is an IP address (v4 or v6) */ |
364 return 0; | 372 return 0; |
365 } | 373 } |
366 len = PORT_Strlen(ss->url); | 374 len = PORT_Strlen(ss->url); |
367 if (append && maxBytes >= len + 9) { | 375 if (append && maxBytes >= len + 9) { |
368 /* extension_type */ | 376 /* extension_type */ |
369 rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2); | 377 rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2); |
370 if (rv != SECSuccess) return -1; | 378 if (rv != SECSuccess) return -1; |
371 /* length of extension_data */ | 379 /* length of extension_data */ |
372 rv = ssl3_AppendHandshakeNumber(ss, len + 5, 2); | 380 rv = ssl3_AppendHandshakeNumber(ss, len + 5, 2); |
373 if (rv != SECSuccess) return -1; | 381 if (rv != SECSuccess) return -1; |
374 /* length of server_name_list */ | 382 /* length of server_name_list */ |
375 rv = ssl3_AppendHandshakeNumber(ss, len + 3, 2); | 383 rv = ssl3_AppendHandshakeNumber(ss, len + 3, 2); |
376 if (rv != SECSuccess) return -1; | 384 if (rv != SECSuccess) return -1; |
377 /* Name Type (sni_host_name) */ | 385 /* Name Type (sni_host_name) */ |
378 rv = ssl3_AppendHandshake(ss, "\0", 1); | 386 rv = ssl3_AppendHandshake(ss, "\0", 1); |
379 if (rv != SECSuccess) return -1; | 387 if (rv != SECSuccess) return -1; |
380 /* HostName (length and value) */ | 388 /* HostName (length and value) */ |
381 rv = ssl3_AppendHandshakeVariable(ss, (PRUint8 *)ss->url, len, 2); | 389 rv = ssl3_AppendHandshakeVariable(ss, (PRUint8 *)ss->url, len, 2); |
382 if (rv != SECSuccess) return -1; | 390 if (rv != SECSuccess) return -1; |
383 if (!ss->sec.isServer) { | 391 if (!ss->sec.isServer) { |
384 TLSExtensionData *xtnData = &ss->xtnData; | 392 TLSExtensionData *xtnData = &ss->xtnData; |
385 xtnData->advertised[xtnData->numAdvertised++] = | 393 xtnData->advertised[xtnData->numAdvertised++] = |
386 » » ssl_server_name_xtn; | 394 ssl_server_name_xtn; |
387 } | 395 } |
388 } | 396 } |
389 return len + 9; | 397 return len + 9; |
390 } | 398 } |
391 /* Server side */ | 399 /* Server side */ |
392 if (append && maxBytes >= 4) { | 400 if (append && maxBytes >= 4) { |
393 rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2); | 401 rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2); |
394 if (rv != SECSuccess) return -1; | 402 if (rv != SECSuccess) return -1; |
395 /* length of extension_data */ | 403 /* length of extension_data */ |
396 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); | 404 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); |
(...skipping 21 matching lines...) Expand all Loading... | |
418 } | 426 } |
419 return SECSuccess; | 427 return SECSuccess; |
420 } | 428 } |
421 | 429 |
422 /* Server side - consume client data and register server sender. */ | 430 /* Server side - consume client data and register server sender. */ |
423 /* do not parse the data if don't have user extension handling function. */ | 431 /* do not parse the data if don't have user extension handling function. */ |
424 if (!ss->sniSocketConfig) { | 432 if (!ss->sniSocketConfig) { |
425 return SECSuccess; | 433 return SECSuccess; |
426 } | 434 } |
427 /* length of server_name_list */ | 435 /* length of server_name_list */ |
428 listLenBytes = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len); | 436 listLenBytes = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len); |
429 if (listLenBytes == 0 || listLenBytes != data->len) { | 437 if (listLenBytes == 0 || listLenBytes != data->len) { |
430 return SECFailure; | 438 return SECFailure; |
431 } | 439 } |
432 ldata = *data; | 440 ldata = *data; |
433 /* Calculate the size of the array.*/ | 441 /* Calculate the size of the array.*/ |
434 while (listLenBytes > 0) { | 442 while (listLenBytes > 0) { |
435 SECItem litem; | 443 SECItem litem; |
436 SECStatus rv; | 444 SECStatus rv; |
437 PRInt32 type; | 445 PRInt32 type; |
438 /* Name Type (sni_host_name) */ | 446 /* Name Type (sni_host_name) */ |
439 type = ssl3_ConsumeHandshakeNumber(ss, 1, &ldata.data, &ldata.len); | 447 type = ssl3_ConsumeHandshakeNumber(ss, 1, &ldata.data, &ldata.len); |
440 if (!ldata.len) { | 448 if (!ldata.len) { |
441 return SECFailure; | 449 return SECFailure; |
442 } | 450 } |
443 rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 2, &ldata.data, &ldata.le n); | 451 rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 2, &ldata.data, &ldata.le n); |
444 if (rv != SECSuccess) { | 452 if (rv != SECSuccess) { |
445 return SECFailure; | 453 return SECFailure; |
446 } | 454 } |
447 /* Adjust total length for cunsumed item, item len and type.*/ | 455 /* Adjust total length for cunsumed item, item len and type.*/ |
448 listLenBytes -= litem.len + 3; | 456 listLenBytes -= litem.len + 3; |
449 if (listLenBytes > 0 && !ldata.len) { | 457 if (listLenBytes > 0 && !ldata.len) { |
450 return SECFailure; | 458 return SECFailure; |
451 } | 459 } |
452 listCount += 1; | 460 listCount += 1; |
453 } | 461 } |
454 if (!listCount) { | 462 if (!listCount) { |
455 return SECFailure; | 463 return SECFailure; |
456 } | 464 } |
457 names = PORT_ZNewArray(SECItem, listCount); | 465 names = PORT_ZNewArray(SECItem, listCount); |
458 if (!names) { | 466 if (!names) { |
459 return SECFailure; | 467 return SECFailure; |
460 } | 468 } |
461 for (i = 0;i < listCount;i++) { | 469 for (i = 0;i < listCount;i++) { |
462 int j; | 470 int j; |
463 PRInt32 type; | 471 PRInt32 type; |
464 SECStatus rv; | 472 SECStatus rv; |
465 PRBool nametypePresent = PR_FALSE; | 473 PRBool nametypePresent = PR_FALSE; |
466 /* Name Type (sni_host_name) */ | 474 /* Name Type (sni_host_name) */ |
467 type = ssl3_ConsumeHandshakeNumber(ss, 1, &data->data, &data->len); | 475 type = ssl3_ConsumeHandshakeNumber(ss, 1, &data->data, &data->len); |
468 /* Check if we have such type in the list */ | 476 /* Check if we have such type in the list */ |
469 for (j = 0;j < listCount && names[j].data;j++) { | 477 for (j = 0;j < listCount && names[j].data;j++) { |
470 if (names[j].type == type) { | 478 if (names[j].type == type) { |
471 nametypePresent = PR_TRUE; | 479 nametypePresent = PR_TRUE; |
472 break; | 480 break; |
473 } | 481 } |
474 } | 482 } |
475 /* HostName (length and value) */ | 483 /* HostName (length and value) */ |
476 rv = ssl3_ConsumeHandshakeVariable(ss, &names[namesPos], 2, | 484 rv = ssl3_ConsumeHandshakeVariable(ss, &names[namesPos], 2, |
477 &data->data, &data->len); | 485 &data->data, &data->len); |
(...skipping 11 matching lines...) Expand all Loading... | |
489 xtnData->sniNameArr = names; | 497 xtnData->sniNameArr = names; |
490 xtnData->sniNameArrSize = namesPos; | 498 xtnData->sniNameArrSize = namesPos; |
491 xtnData->negotiated[xtnData->numNegotiated++] = ssl_server_name_xtn; | 499 xtnData->negotiated[xtnData->numNegotiated++] = ssl_server_name_xtn; |
492 | 500 |
493 return SECSuccess; | 501 return SECSuccess; |
494 | 502 |
495 loser: | 503 loser: |
496 PORT_Free(names); | 504 PORT_Free(names); |
497 return SECFailure; | 505 return SECFailure; |
498 } | 506 } |
499 | 507 |
500 /* Called by both clients and servers. | 508 /* Called by both clients and servers. |
501 * Clients sends a filled in session ticket if one is available, and otherwise | 509 * Clients sends a filled in session ticket if one is available, and otherwise |
502 * sends an empty ticket. Servers always send empty tickets. | 510 * sends an empty ticket. Servers always send empty tickets. |
503 */ | 511 */ |
504 PRInt32 | 512 PRInt32 |
505 ssl3_SendSessionTicketXtn( | 513 ssl3_SendSessionTicketXtn( |
506 » » » sslSocket * ss, | 514 sslSocket * ss, |
507 » » » PRBool append, | 515 PRBool append, |
508 » » » PRUint32 maxBytes) | 516 PRUint32 maxBytes) |
509 { | 517 { |
510 PRInt32 extension_length; | 518 PRInt32 extension_length; |
511 NewSessionTicket *session_ticket = NULL; | 519 NewSessionTicket *session_ticket = NULL; |
512 sslSessionID *sid = ss->sec.ci.sid; | 520 sslSessionID *sid = ss->sec.ci.sid; |
513 | 521 |
514 /* Ignore the SessionTicket extension if processing is disabled. */ | 522 /* Ignore the SessionTicket extension if processing is disabled. */ |
515 if (!ss->opt.enableSessionTickets) | 523 if (!ss->opt.enableSessionTickets) |
516 » return 0; | 524 return 0; |
517 | 525 |
518 /* Empty extension length = extension_type (2-bytes) + | 526 /* Empty extension length = extension_type (2-bytes) + |
519 * length(extension_data) (2-bytes) | 527 * length(extension_data) (2-bytes) |
520 */ | 528 */ |
521 extension_length = 4; | 529 extension_length = 4; |
522 | 530 |
523 /* If we are a client then send a session ticket if one is availble. | 531 /* If we are a client then send a session ticket if one is availble. |
524 * Servers that support the extension and are willing to negotiate the | 532 * Servers that support the extension and are willing to negotiate the |
525 * the extension always respond with an empty extension. | 533 * the extension always respond with an empty extension. |
526 */ | 534 */ |
527 if (!ss->sec.isServer) { | 535 if (!ss->sec.isServer) { |
528 » /* The caller must be holding sid->u.ssl3.lock for reading. We cannot | 536 /* The caller must be holding sid->u.ssl3.lock for reading. We cannot |
529 » * just acquire and release the lock within this function because the | 537 * just acquire and release the lock within this function because the |
530 » * caller will call this function twice, and we need the inputs to be | 538 * caller will call this function twice, and we need the inputs to be |
531 » * consistent between the two calls. Note that currently the caller | 539 * consistent between the two calls. Note that currently the caller |
532 » * will only be holding the lock when we are the client and when we're | 540 * will only be holding the lock when we are the client and when we're |
533 » * attempting to resume an existing session. | 541 * attempting to resume an existing session. |
534 » */ | 542 */ |
535 | 543 |
536 » session_ticket = &sid->u.ssl3.locked.sessionTicket; | 544 session_ticket = &sid->u.ssl3.locked.sessionTicket; |
537 » if (session_ticket->ticket.data) { | 545 if (session_ticket->ticket.data) { |
538 » if (ss->xtnData.ticketTimestampVerified) { | 546 if (ss->xtnData.ticketTimestampVerified) { |
539 » » extension_length += session_ticket->ticket.len; | 547 extension_length += session_ticket->ticket.len; |
540 » } else if (!append && | 548 } else if (!append && |
541 » » (session_ticket->ticket_lifetime_hint == 0 || | 549 (session_ticket->ticket_lifetime_hint == 0 || |
542 » » (session_ticket->ticket_lifetime_hint + | 550 (session_ticket->ticket_lifetime_hint + |
543 » » session_ticket->received_timestamp > ssl_Time()))) { | 551 session_ticket->received_timestamp > ssl_Time()))) { |
544 » » extension_length += session_ticket->ticket.len; | 552 extension_length += session_ticket->ticket.len; |
545 » » ss->xtnData.ticketTimestampVerified = PR_TRUE; | 553 ss->xtnData.ticketTimestampVerified = PR_TRUE; |
546 » } | 554 } |
547 » } | 555 } |
548 } | 556 } |
549 | 557 |
550 if (append && maxBytes >= extension_length) { | 558 if (append && maxBytes >= extension_length) { |
551 » SECStatus rv; | 559 SECStatus rv; |
552 » /* extension_type */ | 560 /* extension_type */ |
553 rv = ssl3_AppendHandshakeNumber(ss, ssl_session_ticket_xtn, 2); | 561 rv = ssl3_AppendHandshakeNumber(ss, ssl_session_ticket_xtn, 2); |
554 if (rv != SECSuccess) | 562 if (rv != SECSuccess) |
555 » goto loser; | 563 goto loser; |
556 » if (session_ticket && session_ticket->ticket.data && | 564 if (session_ticket && session_ticket->ticket.data && |
557 » ss->xtnData.ticketTimestampVerified) { | 565 ss->xtnData.ticketTimestampVerified) { |
558 » rv = ssl3_AppendHandshakeVariable(ss, session_ticket->ticket.data, | 566 rv = ssl3_AppendHandshakeVariable(ss, session_ticket->ticket.data, |
559 » » session_ticket->ticket.len, 2); | 567 session_ticket->ticket.len, 2); |
560 » ss->xtnData.ticketTimestampVerified = PR_FALSE; | 568 ss->xtnData.ticketTimestampVerified = PR_FALSE; |
561 » ss->xtnData.sentSessionTicketInClientHello = PR_TRUE; | 569 ss->xtnData.sentSessionTicketInClientHello = PR_TRUE; |
562 » } else { | 570 } else { |
563 » rv = ssl3_AppendHandshakeNumber(ss, 0, 2); | 571 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); |
564 » } | 572 } |
565 if (rv != SECSuccess) | 573 if (rv != SECSuccess) |
566 » goto loser; | 574 goto loser; |
567 | 575 |
568 » if (!ss->sec.isServer) { | 576 if (!ss->sec.isServer) { |
569 » TLSExtensionData *xtnData = &ss->xtnData; | 577 TLSExtensionData *xtnData = &ss->xtnData; |
570 » xtnData->advertised[xtnData->numAdvertised++] = | 578 xtnData->advertised[xtnData->numAdvertised++] = |
571 » » ssl_session_ticket_xtn; | 579 ssl_session_ticket_xtn; |
572 » } | 580 } |
573 } else if (maxBytes < extension_length) { | 581 } else if (maxBytes < extension_length) { |
574 » PORT_Assert(0); | 582 PORT_Assert(0); |
575 return 0; | 583 return 0; |
576 } | 584 } |
577 return extension_length; | 585 return extension_length; |
578 | 586 |
579 loser: | 587 loser: |
580 ss->xtnData.ticketTimestampVerified = PR_FALSE; | 588 ss->xtnData.ticketTimestampVerified = PR_FALSE; |
581 return -1; | 589 return -1; |
582 } | 590 } |
583 | 591 |
584 /* handle an incoming Next Protocol Negotiation extension. */ | 592 /* handle an incoming Next Protocol Negotiation extension. */ |
585 static SECStatus | 593 static SECStatus |
586 ssl3_ServerHandleNextProtoNegoXtn(sslSocket * ss, PRUint16 ex_type, | 594 ssl3_ServerHandleNextProtoNegoXtn(sslSocket * ss, PRUint16 ex_type, |
587 SECItem *data) | 595 SECItem *data) |
588 { | 596 { |
589 if (ss->firstHsDone || data->len != 0) { | 597 if (ss->firstHsDone || data->len != 0) { |
590 » /* Clients MUST send an empty NPN extension, if any. */ | 598 /* Clients MUST send an empty NPN extension, if any. */ |
591 » PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); | 599 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); |
592 » return SECFailure; | 600 return SECFailure; |
593 } | 601 } |
594 | 602 |
595 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | 603 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
596 | 604 |
597 /* TODO: server side NPN support would require calling | 605 /* TODO: server side NPN support would require calling |
598 * ssl3_RegisterServerHelloExtensionSender here in order to echo the | 606 * ssl3_RegisterServerHelloExtensionSender here in order to echo the |
599 * extension back to the client. */ | 607 * extension back to the client. */ |
600 | 608 |
601 return SECSuccess; | 609 return SECSuccess; |
602 } | 610 } |
603 | 611 |
604 /* ssl3_ValidateNextProtoNego checks that the given block of data is valid: none | 612 /* ssl3_ValidateNextProtoNego checks that the given block of data is valid: none |
605 * of the lengths may be 0 and the sum of the lengths must equal the length of | 613 * of the lengths may be 0 and the sum of the lengths must equal the length of |
606 * the block. */ | 614 * the block. */ |
607 SECStatus | 615 SECStatus |
608 ssl3_ValidateNextProtoNego(const unsigned char* data, unsigned int length) | 616 ssl3_ValidateNextProtoNego(const unsigned char* data, unsigned int length) |
609 { | 617 { |
610 unsigned int offset = 0; | 618 unsigned int offset = 0; |
611 | 619 |
612 while (offset < length) { | 620 while (offset < length) { |
613 » unsigned int newOffset = offset + 1 + (unsigned int) data[offset]; | 621 unsigned int newOffset = offset + 1 + (unsigned int) data[offset]; |
614 » /* Reject embedded nulls to protect against buggy applications that | 622 /* Reject embedded nulls to protect against buggy applications that |
615 » * store protocol identifiers in null-terminated strings. | 623 * store protocol identifiers in null-terminated strings. |
616 » */ | 624 */ |
617 » if (newOffset > length || data[offset] == 0) { | 625 if (newOffset > length || data[offset] == 0) { |
618 » PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); | 626 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); |
619 » return SECFailure; | 627 return SECFailure; |
620 » } | 628 } |
621 » offset = newOffset; | 629 offset = newOffset; |
622 } | 630 } |
623 | 631 |
624 if (offset > length) { | 632 if (offset > length) { |
625 » PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); | 633 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); |
626 » return SECFailure; | 634 return SECFailure; |
627 } | 635 } |
628 | 636 |
629 return SECSuccess; | 637 return SECSuccess; |
630 } | 638 } |
631 | 639 |
632 /* protocol selection handler for ALPN (server side) and NPN (client side) */ | 640 /* protocol selection handler for ALPN (server side) and NPN (client side) */ |
633 static SECStatus | 641 static SECStatus |
634 ssl3_SelectAppProtocol(sslSocket *ss, PRUint16 ex_type, SECItem *data) | 642 ssl3_SelectAppProtocol(sslSocket *ss, PRUint16 ex_type, SECItem *data) |
635 { | 643 { |
636 SECStatus rv; | 644 SECStatus rv; |
(...skipping 75 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
712 return SECSuccess; | 720 return SECSuccess; |
713 } | 721 } |
714 | 722 |
715 static SECStatus | 723 static SECStatus |
716 ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type, | 724 ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type, |
717 SECItem *data) | 725 SECItem *data) |
718 { | 726 { |
719 PORT_Assert(!ss->firstHsDone); | 727 PORT_Assert(!ss->firstHsDone); |
720 | 728 |
721 if (ssl3_ExtensionNegotiated(ss, ssl_app_layer_protocol_xtn)) { | 729 if (ssl3_ExtensionNegotiated(ss, ssl_app_layer_protocol_xtn)) { |
722 » /* If the server negotiated ALPN then it has already told us what protoc ol | 730 /* If the server negotiated ALPN then it has already told us what |
723 » * to use, so it doesn't make sense for us to try to negotiate a differe nt | 731 * protocol to use, so it doesn't make sense for us to try to negotiate |
724 » * one by sending the NPN handshake message. However, if we've negotiate d | 732 * a different one by sending the NPN handshake message. However, if |
725 » * NPN then we're required to send the NPN handshake message. Thus, thes e | 733 * we've negotiated NPN then we're required to send the NPN handshake |
726 » * two extensions cannot both be negotiated on the same connection. */ | 734 * message. Thus, these two extensions cannot both be negotiated on the |
727 » PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 735 * same connection. */ |
728 » return SECFailure; | 736 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
737 return SECFailure; | |
729 } | 738 } |
730 | 739 |
731 /* We should only get this call if we sent the extension, so | 740 /* We should only get this call if we sent the extension, so |
732 * ss->nextProtoCallback needs to be non-NULL. However, it is possible | 741 * ss->nextProtoCallback needs to be non-NULL. However, it is possible |
733 * that an application erroneously cleared the callback between the time | 742 * that an application erroneously cleared the callback between the time |
734 * we sent the ClientHello and now. */ | 743 * we sent the ClientHello and now. */ |
735 if (!ss->nextProtoCallback) { | 744 if (!ss->nextProtoCallback) { |
736 » PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK); | 745 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK); |
737 » return SECFailure; | 746 return SECFailure; |
738 } | 747 } |
739 | 748 |
740 return ssl3_SelectAppProtocol(ss, ex_type, data); | 749 return ssl3_SelectAppProtocol(ss, ex_type, data); |
741 } | 750 } |
742 | 751 |
743 static SECStatus | 752 static SECStatus |
744 ssl3_ClientHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) | 753 ssl3_ClientHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) |
745 { | 754 { |
746 const unsigned char* d = data->data; | 755 const unsigned char* d = data->data; |
747 PRUint16 name_list_len; | 756 PRUint16 name_list_len; |
748 SECItem protocol_name; | 757 SECItem protocol_name; |
749 | 758 |
750 if (ssl3_ExtensionNegotiated(ss, ssl_next_proto_nego_xtn)) { | 759 if (ssl3_ExtensionNegotiated(ss, ssl_next_proto_nego_xtn)) { |
751 » PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 760 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
752 » return SECFailure; | 761 return SECFailure; |
753 } | 762 } |
754 | 763 |
755 /* The extension data from the server has the following format: | 764 /* The extension data from the server has the following format: |
756 * uint16 name_list_len; | 765 * uint16 name_list_len; |
757 * uint8 len; | 766 * uint8 len; |
758 * uint8 protocol_name[len]; */ | 767 * uint8 protocol_name[len]; */ |
759 if (data->len < 4 || data->len > 2 + 1 + 255) { | 768 if (data->len < 4 || data->len > 2 + 1 + 255) { |
760 » PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); | 769 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); |
761 » return SECFailure; | 770 return SECFailure; |
762 } | 771 } |
763 | 772 |
764 name_list_len = ((PRUint16) d[0]) << 8 | | 773 name_list_len = ((PRUint16) d[0]) << 8 | |
765 » ((PRUint16) d[1]); | 774 ((PRUint16) d[1]); |
766 if (name_list_len != data->len - 2 || d[2] != data->len - 3) { | 775 if (name_list_len != data->len - 2 || d[2] != data->len - 3) { |
767 » PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); | 776 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); |
768 » return SECFailure; | 777 return SECFailure; |
769 } | 778 } |
770 | 779 |
771 protocol_name.data = data->data + 3; | 780 protocol_name.data = data->data + 3; |
772 protocol_name.len = data->len - 3; | 781 protocol_name.len = data->len - 3; |
773 | 782 |
774 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); | 783 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); |
775 ss->ssl3.nextProtoState = SSL_NEXT_PROTO_SELECTED; | 784 ss->ssl3.nextProtoState = SSL_NEXT_PROTO_SELECTED; |
776 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | 785 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
777 return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &protocol_name); | 786 return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &protocol_name); |
778 } | 787 } |
779 | 788 |
780 static PRInt32 | 789 static PRInt32 |
781 ssl3_ClientSendNextProtoNegoXtn(sslSocket * ss, PRBool append, | 790 ssl3_ClientSendNextProtoNegoXtn(sslSocket * ss, PRBool append, |
782 » » » » PRUint32 maxBytes) | 791 PRUint32 maxBytes) |
783 { | 792 { |
784 PRInt32 extension_length; | 793 PRInt32 extension_length; |
785 | 794 |
786 /* Renegotiations do not send this extension. */ | 795 /* Renegotiations do not send this extension. */ |
787 if (!ss->opt.enableNPN || !ss->nextProtoCallback || ss->firstHsDone) { | 796 if (!ss->opt.enableNPN || !ss->nextProtoCallback || ss->firstHsDone) { |
788 » return 0; | 797 return 0; |
789 } | 798 } |
790 | 799 |
791 extension_length = 4; | 800 extension_length = 4; |
792 | 801 |
793 if (append && maxBytes >= extension_length) { | 802 if (append && maxBytes >= extension_length) { |
794 » SECStatus rv; | 803 SECStatus rv; |
795 » rv = ssl3_AppendHandshakeNumber(ss, ssl_next_proto_nego_xtn, 2); | 804 rv = ssl3_AppendHandshakeNumber(ss, ssl_next_proto_nego_xtn, 2); |
796 » if (rv != SECSuccess) | 805 if (rv != SECSuccess) |
797 » goto loser; | 806 goto loser; |
798 » rv = ssl3_AppendHandshakeNumber(ss, 0, 2); | 807 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); |
799 » if (rv != SECSuccess) | 808 if (rv != SECSuccess) |
800 » goto loser; | 809 goto loser; |
801 » ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | 810 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = |
802 » » ssl_next_proto_nego_xtn; | 811 ssl_next_proto_nego_xtn; |
803 } else if (maxBytes < extension_length) { | 812 } else if (maxBytes < extension_length) { |
804 » return 0; | 813 return 0; |
805 } | 814 } |
806 | 815 |
807 return extension_length; | 816 return extension_length; |
808 | 817 |
809 loser: | 818 loser: |
810 return -1; | 819 return -1; |
811 } | 820 } |
812 | 821 |
813 static PRInt32 | 822 static PRInt32 |
814 ssl3_ClientSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes) | 823 ssl3_ClientSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes) |
815 { | 824 { |
816 PRInt32 extension_length; | 825 PRInt32 extension_length; |
817 unsigned char *alpn_protos = NULL; | 826 unsigned char *alpn_protos = NULL; |
818 | 827 |
819 /* Renegotiations do not send this extension. */ | 828 /* Renegotiations do not send this extension. */ |
820 if (!ss->opt.enableALPN || !ss->opt.nextProtoNego.data || ss->firstHsDone) { | 829 if (!ss->opt.enableALPN || !ss->opt.nextProtoNego.data || ss->firstHsDone) { |
821 » return 0; | 830 return 0; |
822 } | 831 } |
823 | 832 |
824 extension_length = 2 /* extension type */ + 2 /* extension length */ + | 833 extension_length = 2 /* extension type */ + 2 /* extension length */ + |
825 » » 2 /* protocol name list length */ + | 834 2 /* protocol name list length */ + |
826 » » ss->opt.nextProtoNego.len; | 835 ss->opt.nextProtoNego.len; |
827 | 836 |
828 if (append && maxBytes >= extension_length) { | 837 if (append && maxBytes >= extension_length) { |
829 » /* NPN requires that the client's fallback protocol is first in the | 838 /* NPN requires that the client's fallback protocol is first in the |
830 » * list. However, ALPN sends protocols in preference order. So we | 839 * list. However, ALPN sends protocols in preference order. So we |
831 » * allocate a buffer and move the first protocol to the end of the | 840 * allocate a buffer and move the first protocol to the end of the |
832 » * list. */ | 841 * list. */ |
833 » SECStatus rv; | 842 SECStatus rv; |
834 » const unsigned int len = ss->opt.nextProtoNego.len; | 843 const unsigned int len = ss->opt.nextProtoNego.len; |
835 | 844 |
836 » alpn_protos = PORT_Alloc(len); | 845 alpn_protos = PORT_Alloc(len); |
837 » if (alpn_protos == NULL) { | 846 if (alpn_protos == NULL) { |
838 » return SECFailure; | 847 return SECFailure; |
839 » } | 848 } |
840 » if (len > 0) { | 849 if (len > 0) { |
841 » /* Each protocol string is prefixed with a single byte length. */ | 850 /* Each protocol string is prefixed with a single byte length. */ |
842 » unsigned int i = ss->opt.nextProtoNego.data[0] + 1; | 851 unsigned int i = ss->opt.nextProtoNego.data[0] + 1; |
843 » if (i <= len) { | 852 if (i <= len) { |
844 » » memcpy(alpn_protos, &ss->opt.nextProtoNego.data[i], len - i); | 853 memcpy(alpn_protos, &ss->opt.nextProtoNego.data[i], len - i); |
845 » » memcpy(alpn_protos + len - i, ss->opt.nextProtoNego.data, i); | 854 memcpy(alpn_protos + len - i, ss->opt.nextProtoNego.data, i); |
846 » } else { | 855 } else { |
847 » » /* This seems to be invalid data so we'll send as-is. */ | 856 /* This seems to be invalid data so we'll send as-is. */ |
848 » » memcpy(alpn_protos, ss->opt.nextProtoNego.data, len); | 857 memcpy(alpn_protos, ss->opt.nextProtoNego.data, len); |
849 » } | 858 } |
850 » } | 859 } |
851 | 860 |
852 » rv = ssl3_AppendHandshakeNumber(ss, ssl_app_layer_protocol_xtn, 2); | 861 rv = ssl3_AppendHandshakeNumber(ss, ssl_app_layer_protocol_xtn, 2); |
853 » if (rv != SECSuccess) { | 862 if (rv != SECSuccess) { |
854 » goto loser; | 863 goto loser; |
855 » } | 864 } |
856 » rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); | 865 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); |
857 » if (rv != SECSuccess) { | 866 if (rv != SECSuccess) { |
858 » goto loser; | 867 goto loser; |
859 » } | 868 } |
860 » rv = ssl3_AppendHandshakeVariable(ss, alpn_protos, len, 2); | 869 rv = ssl3_AppendHandshakeVariable(ss, alpn_protos, len, 2); |
861 » PORT_Free(alpn_protos); | 870 PORT_Free(alpn_protos); |
862 » alpn_protos = NULL; | 871 alpn_protos = NULL; |
863 » if (rv != SECSuccess) { | 872 if (rv != SECSuccess) { |
864 » goto loser; | 873 goto loser; |
865 » } | 874 } |
866 » ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | 875 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = |
867 » » ssl_app_layer_protocol_xtn; | 876 ssl_app_layer_protocol_xtn; |
868 } else if (maxBytes < extension_length) { | 877 } else if (maxBytes < extension_length) { |
869 » return 0; | 878 return 0; |
870 } | 879 } |
871 | 880 |
872 return extension_length; | 881 return extension_length; |
873 | 882 |
874 loser: | 883 loser: |
875 if (alpn_protos) { | 884 if (alpn_protos) { |
876 » PORT_Free(alpn_protos); | 885 PORT_Free(alpn_protos); |
877 } | 886 } |
878 return -1; | 887 return -1; |
879 } | 888 } |
880 | 889 |
881 static PRInt32 | 890 static PRInt32 |
882 ssl3_ServerSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes) | 891 ssl3_ServerSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes) |
883 { | 892 { |
884 PRInt32 extension_length; | 893 PRInt32 extension_length; |
885 | 894 |
895 /* we're in over our heads if any of these fail */ | |
886 PORT_Assert(ss->opt.enableALPN); | 896 PORT_Assert(ss->opt.enableALPN); |
887 PORT_Assert(ss->ssl3.nextProto.data); | 897 PORT_Assert(ss->ssl3.nextProto.data); |
888 PORT_Assert(ss->ssl3.nextProto.len > 0); | 898 PORT_Assert(ss->ssl3.nextProto.len > 0); |
889 PORT_Assert(ss->ssl3.nextProtoState == SSL_NEXT_PROTO_NEGOTIATED); | 899 PORT_Assert(ss->ssl3.nextProtoState == SSL_NEXT_PROTO_NEGOTIATED); |
890 PORT_Assert(!ss->firstHsDone); | 900 PORT_Assert(!ss->firstHsDone); |
891 | 901 |
892 extension_length = 2 /* extension type */ + 2 /* extension length */ + | 902 extension_length = 2 /* extension type */ + 2 /* extension length */ + |
893 2 /* protocol name list */ + 1 /* name length */ + | 903 2 /* protocol name list */ + 1 /* name length */ + |
894 ss->ssl3.nextProto.len; | 904 ss->ssl3.nextProto.len; |
895 | 905 |
(...skipping 76 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
972 | 982 |
973 loser: | 983 loser: |
974 return -1; | 984 return -1; |
975 } | 985 } |
976 | 986 |
977 static SECStatus | 987 static SECStatus |
978 ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type, | 988 ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type, |
979 SECItem *data) | 989 SECItem *data) |
980 { | 990 { |
981 /* The echoed extension must be empty. */ | 991 /* The echoed extension must be empty. */ |
982 if (data->len != 0) | 992 if (data->len != 0) { |
983 return SECFailure; | 993 return SECSuccess; /* Ignore the extension. */ |
994 } | |
davidben
2015/04/03 19:06:18
Weird. Looks like this was done as part of https:/
| |
984 | 995 |
985 /* Keep track of negotiated extensions. */ | 996 /* Keep track of negotiated extensions. */ |
986 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | 997 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
987 | 998 |
988 return SECSuccess; | 999 return SECSuccess; |
989 } | 1000 } |
990 | 1001 |
991 static PRInt32 | 1002 static PRInt32 |
992 ssl3_ServerSendStatusRequestXtn( | 1003 ssl3_ServerSendStatusRequestXtn( |
993 » » » sslSocket * ss, | 1004 sslSocket * ss, |
994 » » » PRBool append, | 1005 PRBool append, |
995 » » » PRUint32 maxBytes) | 1006 PRUint32 maxBytes) |
996 { | 1007 { |
997 PRInt32 extension_length; | 1008 PRInt32 extension_length; |
998 SECStatus rv; | 1009 SECStatus rv; |
999 int i; | 1010 int i; |
1000 PRBool haveStatus = PR_FALSE; | 1011 PRBool haveStatus = PR_FALSE; |
1001 | 1012 |
1002 for (i = kt_null; i < kt_kea_size; i++) { | 1013 for (i = kt_null; i < kt_kea_size; i++) { |
1003 » /* TODO: This is a temporary workaround. | 1014 /* TODO: This is a temporary workaround. |
1004 » * The correct code needs to see if we have an OCSP response for | 1015 * The correct code needs to see if we have an OCSP response for |
1005 » * the server certificate being used, rather than if we have any | 1016 * the server certificate being used, rather than if we have any |
1006 » * OCSP response. See also ssl3_SendCertificateStatus. | 1017 * OCSP response. See also ssl3_SendCertificateStatus. |
1007 » */ | 1018 */ |
1008 » if (ss->certStatusArray[i] && ss->certStatusArray[i]->len) { | 1019 if (ss->certStatusArray[i] && ss->certStatusArray[i]->len) { |
1009 » haveStatus = PR_TRUE; | 1020 haveStatus = PR_TRUE; |
1010 » break; | 1021 break; |
1011 » } | 1022 } |
1012 } | 1023 } |
1013 if (!haveStatus) | 1024 if (!haveStatus) |
1014 » return 0; | 1025 return 0; |
1015 | 1026 |
1016 extension_length = 2 + 2; | 1027 extension_length = 2 + 2; |
1017 if (append && maxBytes >= extension_length) { | 1028 if (append && maxBytes >= extension_length) { |
1018 » /* extension_type */ | 1029 /* extension_type */ |
1019 » rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2); | 1030 rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2); |
1020 » if (rv != SECSuccess) | 1031 if (rv != SECSuccess) |
1021 » return -1; | 1032 return -1; |
1022 » /* length of extension_data */ | 1033 /* length of extension_data */ |
1023 » rv = ssl3_AppendHandshakeNumber(ss, 0, 2); | 1034 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); |
1024 » if (rv != SECSuccess) | 1035 if (rv != SECSuccess) |
1025 » return -1; | 1036 return -1; |
1026 } | 1037 } |
1027 | 1038 |
1028 return extension_length; | 1039 return extension_length; |
1029 } | 1040 } |
1030 | 1041 |
1031 /* ssl3_ClientSendStatusRequestXtn builds the status_request extension on the | 1042 /* ssl3_ClientSendStatusRequestXtn builds the status_request extension on the |
1032 * client side. See RFC 4366 section 3.6. */ | 1043 * client side. See RFC 4366 section 3.6. */ |
1033 static PRInt32 | 1044 static PRInt32 |
1034 ssl3_ClientSendStatusRequestXtn(sslSocket * ss, PRBool append, | 1045 ssl3_ClientSendStatusRequestXtn(sslSocket * ss, PRBool append, |
1035 PRUint32 maxBytes) | 1046 PRUint32 maxBytes) |
(...skipping 89 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1125 unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH]; | 1136 unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH]; |
1126 unsigned int computed_mac_length; | 1137 unsigned int computed_mac_length; |
1127 unsigned char iv[AES_BLOCK_SIZE]; | 1138 unsigned char iv[AES_BLOCK_SIZE]; |
1128 SECItem ivItem; | 1139 SECItem ivItem; |
1129 SECItem *srvName = NULL; | 1140 SECItem *srvName = NULL; |
1130 PRUint32 srvNameLen = 0; | 1141 PRUint32 srvNameLen = 0; |
1131 CK_MECHANISM_TYPE msWrapMech = 0; /* dummy default value, | 1142 CK_MECHANISM_TYPE msWrapMech = 0; /* dummy default value, |
1132 * must be >= 0 */ | 1143 * must be >= 0 */ |
1133 | 1144 |
1134 SSL_TRC(3, ("%d: SSL3[%d]: send session_ticket handshake", | 1145 SSL_TRC(3, ("%d: SSL3[%d]: send session_ticket handshake", |
1135 » » SSL_GETPID(), ss->fd)); | 1146 SSL_GETPID(), ss->fd)); |
1136 | 1147 |
1137 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); | 1148 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
1138 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 1149 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
1139 | 1150 |
1140 ticket.ticket_lifetime_hint = TLS_EX_SESS_TICKET_LIFETIME_HINT; | 1151 ticket.ticket_lifetime_hint = TLS_EX_SESS_TICKET_LIFETIME_HINT; |
1141 cert_length = (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) ? | 1152 cert_length = (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) ? |
1142 » 3 + ss->sec.ci.sid->peerCert->derCert.len : 0; | 1153 3 + ss->sec.ci.sid->peerCert->derCert.len : 0; |
1143 | 1154 |
1144 /* Get IV and encryption keys */ | 1155 /* Get IV and encryption keys */ |
1145 ivItem.data = iv; | 1156 ivItem.data = iv; |
1146 ivItem.len = sizeof(iv); | 1157 ivItem.len = sizeof(iv); |
1147 rv = PK11_GenerateRandom(iv, sizeof(iv)); | 1158 rv = PK11_GenerateRandom(iv, sizeof(iv)); |
1148 if (rv != SECSuccess) goto loser; | 1159 if (rv != SECSuccess) goto loser; |
1149 | 1160 |
1150 #ifndef NO_PKCS11_BYPASS | 1161 #ifndef NO_PKCS11_BYPASS |
1151 if (ss->opt.bypassPKCS11) { | 1162 if (ss->opt.bypassPKCS11) { |
1152 » rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length, | 1163 rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length, |
1153 » &mac_key, &mac_key_length); | 1164 &mac_key, &mac_key_length); |
1154 } else | 1165 } else |
1155 #endif | 1166 #endif |
1156 { | 1167 { |
1157 » rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11, | 1168 rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11, |
1158 » &mac_key_pkcs11); | 1169 &mac_key_pkcs11); |
1159 } | 1170 } |
1160 if (rv != SECSuccess) goto loser; | 1171 if (rv != SECSuccess) goto loser; |
1161 | 1172 |
1162 if (ss->ssl3.pwSpec->msItem.len && ss->ssl3.pwSpec->msItem.data) { | 1173 if (ss->ssl3.pwSpec->msItem.len && ss->ssl3.pwSpec->msItem.data) { |
1163 » /* The master secret is available unwrapped. */ | 1174 /* The master secret is available unwrapped. */ |
1164 » ms_item.data = ss->ssl3.pwSpec->msItem.data; | 1175 ms_item.data = ss->ssl3.pwSpec->msItem.data; |
1165 » ms_item.len = ss->ssl3.pwSpec->msItem.len; | 1176 ms_item.len = ss->ssl3.pwSpec->msItem.len; |
1166 » ms_is_wrapped = PR_FALSE; | 1177 ms_is_wrapped = PR_FALSE; |
1167 } else { | 1178 } else { |
1168 » /* Extract the master secret wrapped. */ | 1179 /* Extract the master secret wrapped. */ |
1169 » sslSessionID sid; | 1180 sslSessionID sid; |
1170 » PORT_Memset(&sid, 0, sizeof(sslSessionID)); | 1181 PORT_Memset(&sid, 0, sizeof(sslSessionID)); |
1171 | 1182 |
1172 » if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) { | 1183 if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) { |
1173 » effectiveExchKeyType = kt_rsa; | 1184 effectiveExchKeyType = kt_rsa; |
1174 » } else { | 1185 } else { |
1175 » effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType; | 1186 effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType; |
1176 » } | 1187 } |
1177 | 1188 |
1178 » rv = ssl3_CacheWrappedMasterSecret(ss, &sid, ss->ssl3.pwSpec, | 1189 rv = ssl3_CacheWrappedMasterSecret(ss, &sid, ss->ssl3.pwSpec, |
1179 » effectiveExchKeyType); | 1190 effectiveExchKeyType); |
1180 » if (rv == SECSuccess) { | 1191 if (rv == SECSuccess) { |
1181 » if (sid.u.ssl3.keys.wrapped_master_secret_len > sizeof(wrapped_ms)) | 1192 if (sid.u.ssl3.keys.wrapped_master_secret_len > sizeof(wrapped_ms)) |
1182 » » goto loser; | 1193 goto loser; |
1183 » memcpy(wrapped_ms, sid.u.ssl3.keys.wrapped_master_secret, | 1194 memcpy(wrapped_ms, sid.u.ssl3.keys.wrapped_master_secret, |
1184 » » sid.u.ssl3.keys.wrapped_master_secret_len); | 1195 sid.u.ssl3.keys.wrapped_master_secret_len); |
1185 » ms_item.data = wrapped_ms; | 1196 ms_item.data = wrapped_ms; |
1186 » ms_item.len = sid.u.ssl3.keys.wrapped_master_secret_len; | 1197 ms_item.len = sid.u.ssl3.keys.wrapped_master_secret_len; |
1187 » msWrapMech = sid.u.ssl3.masterWrapMech; | 1198 msWrapMech = sid.u.ssl3.masterWrapMech; |
1188 » } else { | 1199 } else { |
1189 » /* TODO: else send an empty ticket. */ | 1200 /* TODO: else send an empty ticket. */ |
1190 » goto loser; | 1201 goto loser; |
1191 » } | 1202 } |
1192 » ms_is_wrapped = PR_TRUE; | 1203 ms_is_wrapped = PR_TRUE; |
1193 } | 1204 } |
1194 /* Prep to send negotiated name */ | 1205 /* Prep to send negotiated name */ |
1195 srvName = &ss->ssl3.pwSpec->srvVirtName; | 1206 srvName = &ss->ssl3.pwSpec->srvVirtName; |
1196 if (srvName->data && srvName->len) { | 1207 if (srvName->data && srvName->len) { |
1197 srvNameLen = 2 + srvName->len; /* len bytes + name len */ | 1208 srvNameLen = 2 + srvName->len; /* len bytes + name len */ |
1198 } | 1209 } |
1199 | 1210 |
1200 ciphertext_length = | 1211 ciphertext_length = |
1201 » sizeof(PRUint16) /* ticket_version */ | 1212 sizeof(PRUint16) /* ticket_version */ |
1202 » + sizeof(SSL3ProtocolVersion) /* ssl_version */ | 1213 + sizeof(SSL3ProtocolVersion) /* ssl_version */ |
1203 » + sizeof(ssl3CipherSuite) /* ciphersuite */ | 1214 + sizeof(ssl3CipherSuite) /* ciphersuite */ |
1204 » + 1 /* compression */ | 1215 + 1 /* compression */ |
1205 » + 10 /* cipher spec parameters */ | 1216 + 10 /* cipher spec parameters */ |
1206 » + 1 /* SessionTicket.ms_is_wrapped */ | 1217 + 1 /* SessionTicket.ms_is_wrapped */ |
1207 » + 1 /* effectiveExchKeyType */ | 1218 + 1 /* effectiveExchKeyType */ |
1208 » + 4 /* msWrapMech */ | 1219 + 4 /* msWrapMech */ |
1209 » + 2 /* master_secret.length */ | 1220 + 2 /* master_secret.length */ |
1210 » + ms_item.len /* master_secret */ | 1221 + ms_item.len /* master_secret */ |
1211 » + 1 /* client_auth_type */ | 1222 + 1 /* client_auth_type */ |
1212 » + cert_length /* cert */ | 1223 + cert_length /* cert */ |
1213 + 1 /* server name type */ | 1224 + 1 /* server name type */ |
1214 + srvNameLen /* name len + length field */ | 1225 + srvNameLen /* name len + length field */ |
1215 » + sizeof(ticket.ticket_lifetime_hint); | 1226 + sizeof(ticket.ticket_lifetime_hint); |
1216 padding_length = AES_BLOCK_SIZE - | 1227 padding_length = AES_BLOCK_SIZE - |
1217 » (ciphertext_length % AES_BLOCK_SIZE); | 1228 (ciphertext_length % AES_BLOCK_SIZE); |
1218 ciphertext_length += padding_length; | 1229 ciphertext_length += padding_length; |
1219 | 1230 |
1220 message_length = | 1231 message_length = |
1221 » sizeof(ticket.ticket_lifetime_hint) /* ticket_lifetime_hint */ | 1232 sizeof(ticket.ticket_lifetime_hint) /* ticket_lifetime_hint */ |
1222 » + 2 /* length field for NewSessionTicket.ticket */ | 1233 + 2 /* length field for NewSessionTicket.ticket */ |
1223 » + SESS_TICKET_KEY_NAME_LEN /* key_name */ | 1234 + SESS_TICKET_KEY_NAME_LEN /* key_name */ |
1224 » + AES_BLOCK_SIZE /* iv */ | 1235 + AES_BLOCK_SIZE /* iv */ |
1225 » + 2 /* length field for NewSessionTicket.ticket.encrypted_state */ | 1236 + 2 /* length field for NewSessionTicket.ticket.encrypted_state */ |
1226 » + ciphertext_length /* encrypted_state */ | 1237 + ciphertext_length /* encrypted_state */ |
1227 » + TLS_EX_SESS_TICKET_MAC_LENGTH; /* mac */ | 1238 + TLS_EX_SESS_TICKET_MAC_LENGTH; /* mac */ |
1228 | 1239 |
1229 if (SECITEM_AllocItem(NULL, &plaintext_item, ciphertext_length) == NULL) | 1240 if (SECITEM_AllocItem(NULL, &plaintext_item, ciphertext_length) == NULL) |
1230 » goto loser; | 1241 goto loser; |
1231 | 1242 |
1232 plaintext = plaintext_item; | 1243 plaintext = plaintext_item; |
1233 | 1244 |
1234 /* ticket_version */ | 1245 /* ticket_version */ |
1235 rv = ssl3_AppendNumberToItem(&plaintext, TLS_EX_SESS_TICKET_VERSION, | 1246 rv = ssl3_AppendNumberToItem(&plaintext, TLS_EX_SESS_TICKET_VERSION, |
1236 » sizeof(PRUint16)); | 1247 sizeof(PRUint16)); |
1237 if (rv != SECSuccess) goto loser; | 1248 if (rv != SECSuccess) goto loser; |
1238 | 1249 |
1239 /* ssl_version */ | 1250 /* ssl_version */ |
1240 rv = ssl3_AppendNumberToItem(&plaintext, ss->version, | 1251 rv = ssl3_AppendNumberToItem(&plaintext, ss->version, |
1241 » sizeof(SSL3ProtocolVersion)); | 1252 sizeof(SSL3ProtocolVersion)); |
1242 if (rv != SECSuccess) goto loser; | 1253 if (rv != SECSuccess) goto loser; |
1243 | 1254 |
1244 /* ciphersuite */ | 1255 /* ciphersuite */ |
1245 rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.cipher_suite, | 1256 rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.cipher_suite, |
1246 » sizeof(ssl3CipherSuite)); | 1257 sizeof(ssl3CipherSuite)); |
1247 if (rv != SECSuccess) goto loser; | 1258 if (rv != SECSuccess) goto loser; |
1248 | 1259 |
1249 /* compression */ | 1260 /* compression */ |
1250 rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.compression, 1); | 1261 rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.compression, 1); |
1251 if (rv != SECSuccess) goto loser; | 1262 if (rv != SECSuccess) goto loser; |
1252 | 1263 |
1253 /* cipher spec parameters */ | 1264 /* cipher spec parameters */ |
1254 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authAlgorithm, 1); | 1265 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authAlgorithm, 1); |
1255 if (rv != SECSuccess) goto loser; | 1266 if (rv != SECSuccess) goto loser; |
1256 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authKeyBits, 4); | 1267 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authKeyBits, 4); |
1257 if (rv != SECSuccess) goto loser; | 1268 if (rv != SECSuccess) goto loser; |
1258 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaType, 1); | 1269 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaType, 1); |
1259 if (rv != SECSuccess) goto loser; | 1270 if (rv != SECSuccess) goto loser; |
1260 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaKeyBits, 4); | 1271 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaKeyBits, 4); |
1261 if (rv != SECSuccess) goto loser; | 1272 if (rv != SECSuccess) goto loser; |
1262 | 1273 |
1263 /* master_secret */ | 1274 /* master_secret */ |
1264 rv = ssl3_AppendNumberToItem(&plaintext, ms_is_wrapped, 1); | 1275 rv = ssl3_AppendNumberToItem(&plaintext, ms_is_wrapped, 1); |
1265 if (rv != SECSuccess) goto loser; | 1276 if (rv != SECSuccess) goto loser; |
1266 rv = ssl3_AppendNumberToItem(&plaintext, effectiveExchKeyType, 1); | 1277 rv = ssl3_AppendNumberToItem(&plaintext, effectiveExchKeyType, 1); |
1267 if (rv != SECSuccess) goto loser; | 1278 if (rv != SECSuccess) goto loser; |
1268 rv = ssl3_AppendNumberToItem(&plaintext, msWrapMech, 4); | 1279 rv = ssl3_AppendNumberToItem(&plaintext, msWrapMech, 4); |
1269 if (rv != SECSuccess) goto loser; | 1280 if (rv != SECSuccess) goto loser; |
1270 rv = ssl3_AppendNumberToItem(&plaintext, ms_item.len, 2); | 1281 rv = ssl3_AppendNumberToItem(&plaintext, ms_item.len, 2); |
1271 if (rv != SECSuccess) goto loser; | 1282 if (rv != SECSuccess) goto loser; |
1272 rv = ssl3_AppendToItem(&plaintext, ms_item.data, ms_item.len); | 1283 rv = ssl3_AppendToItem(&plaintext, ms_item.data, ms_item.len); |
1273 if (rv != SECSuccess) goto loser; | 1284 if (rv != SECSuccess) goto loser; |
1274 | 1285 |
1275 /* client_identity */ | 1286 /* client_identity */ |
1276 if (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) { | 1287 if (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) { |
1277 » rv = ssl3_AppendNumberToItem(&plaintext, CLIENT_AUTH_CERTIFICATE, 1); | 1288 rv = ssl3_AppendNumberToItem(&plaintext, CLIENT_AUTH_CERTIFICATE, 1); |
1278 » if (rv != SECSuccess) goto loser; | 1289 if (rv != SECSuccess) goto loser; |
1279 » rv = ssl3_AppendNumberToItem(&plaintext, | 1290 rv = ssl3_AppendNumberToItem(&plaintext, |
1280 » ss->sec.ci.sid->peerCert->derCert.len, 3); | 1291 ss->sec.ci.sid->peerCert->derCert.len, 3); |
1281 » if (rv != SECSuccess) goto loser; | 1292 if (rv != SECSuccess) goto loser; |
1282 » rv = ssl3_AppendToItem(&plaintext, | 1293 rv = ssl3_AppendToItem(&plaintext, |
1283 » ss->sec.ci.sid->peerCert->derCert.data, | 1294 ss->sec.ci.sid->peerCert->derCert.data, |
1284 » ss->sec.ci.sid->peerCert->derCert.len); | 1295 ss->sec.ci.sid->peerCert->derCert.len); |
1285 » if (rv != SECSuccess) goto loser; | 1296 if (rv != SECSuccess) goto loser; |
1286 } else { | 1297 } else { |
1287 » rv = ssl3_AppendNumberToItem(&plaintext, 0, 1); | 1298 rv = ssl3_AppendNumberToItem(&plaintext, 0, 1); |
1288 » if (rv != SECSuccess) goto loser; | 1299 if (rv != SECSuccess) goto loser; |
1289 } | 1300 } |
1290 | 1301 |
1291 /* timestamp */ | 1302 /* timestamp */ |
1292 now = ssl_Time(); | 1303 now = ssl_Time(); |
1293 rv = ssl3_AppendNumberToItem(&plaintext, now, | 1304 rv = ssl3_AppendNumberToItem(&plaintext, now, |
1294 » sizeof(ticket.ticket_lifetime_hint)); | 1305 sizeof(ticket.ticket_lifetime_hint)); |
1295 if (rv != SECSuccess) goto loser; | 1306 if (rv != SECSuccess) goto loser; |
1296 | 1307 |
1297 if (srvNameLen) { | 1308 if (srvNameLen) { |
1298 /* Name Type (sni_host_name) */ | 1309 /* Name Type (sni_host_name) */ |
1299 rv = ssl3_AppendNumberToItem(&plaintext, srvName->type, 1); | 1310 rv = ssl3_AppendNumberToItem(&plaintext, srvName->type, 1); |
1300 if (rv != SECSuccess) goto loser; | 1311 if (rv != SECSuccess) goto loser; |
1301 /* HostName (length and value) */ | 1312 /* HostName (length and value) */ |
1302 rv = ssl3_AppendNumberToItem(&plaintext, srvName->len, 2); | 1313 rv = ssl3_AppendNumberToItem(&plaintext, srvName->len, 2); |
1303 if (rv != SECSuccess) goto loser; | 1314 if (rv != SECSuccess) goto loser; |
1304 rv = ssl3_AppendToItem(&plaintext, srvName->data, srvName->len); | 1315 rv = ssl3_AppendToItem(&plaintext, srvName->data, srvName->len); |
1305 if (rv != SECSuccess) goto loser; | 1316 if (rv != SECSuccess) goto loser; |
1306 } else { | 1317 } else { |
1307 /* No Name */ | 1318 /* No Name */ |
1308 rv = ssl3_AppendNumberToItem(&plaintext, (char)TLS_STE_NO_SERVER_NAME, | 1319 rv = ssl3_AppendNumberToItem(&plaintext, (char)TLS_STE_NO_SERVER_NAME, |
1309 1); | 1320 1); |
1310 if (rv != SECSuccess) goto loser; | 1321 if (rv != SECSuccess) goto loser; |
1311 } | 1322 } |
1312 | 1323 |
1313 PORT_Assert(plaintext.len == padding_length); | 1324 PORT_Assert(plaintext.len == padding_length); |
1314 for (i = 0; i < padding_length; i++) | 1325 for (i = 0; i < padding_length; i++) |
1315 » plaintext.data[i] = (unsigned char)padding_length; | 1326 plaintext.data[i] = (unsigned char)padding_length; |
1316 | 1327 |
1317 if (SECITEM_AllocItem(NULL, &ciphertext, ciphertext_length) == NULL) { | 1328 if (SECITEM_AllocItem(NULL, &ciphertext, ciphertext_length) == NULL) { |
1318 » rv = SECFailure; | 1329 rv = SECFailure; |
1319 » goto loser; | 1330 goto loser; |
1320 } | 1331 } |
1321 | 1332 |
1322 /* Generate encrypted portion of ticket. */ | 1333 /* Generate encrypted portion of ticket. */ |
1323 #ifndef NO_PKCS11_BYPASS | 1334 #ifndef NO_PKCS11_BYPASS |
1324 if (ss->opt.bypassPKCS11) { | 1335 if (ss->opt.bypassPKCS11) { |
1325 » aes_ctx = (AESContext *)aes_ctx_buf; | 1336 aes_ctx = (AESContext *)aes_ctx_buf; |
1326 » rv = AES_InitContext(aes_ctx, aes_key, aes_key_length, iv, | 1337 rv = AES_InitContext(aes_ctx, aes_key, aes_key_length, iv, |
1327 » NSS_AES_CBC, 1, AES_BLOCK_SIZE); | 1338 NSS_AES_CBC, 1, AES_BLOCK_SIZE); |
1328 » if (rv != SECSuccess) goto loser; | 1339 if (rv != SECSuccess) goto loser; |
1329 | 1340 |
1330 » rv = AES_Encrypt(aes_ctx, ciphertext.data, &ciphertext.len, | 1341 rv = AES_Encrypt(aes_ctx, ciphertext.data, &ciphertext.len, |
1331 » ciphertext.len, plaintext_item.data, | 1342 ciphertext.len, plaintext_item.data, |
1332 » plaintext_item.len); | 1343 plaintext_item.len); |
1333 » if (rv != SECSuccess) goto loser; | 1344 if (rv != SECSuccess) goto loser; |
1334 } else | 1345 } else |
1335 #endif | 1346 #endif |
1336 { | 1347 { |
1337 » aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech, | 1348 aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech, |
1338 » CKA_ENCRYPT, aes_key_pkcs11, &ivItem); | 1349 CKA_ENCRYPT, aes_key_pkcs11, &ivItem); |
1339 » if (!aes_ctx_pkcs11) | 1350 if (!aes_ctx_pkcs11) |
1340 » goto loser; | 1351 goto loser; |
1341 | 1352 |
1342 » rv = PK11_CipherOp(aes_ctx_pkcs11, ciphertext.data, | 1353 rv = PK11_CipherOp(aes_ctx_pkcs11, ciphertext.data, |
1343 » (int *)&ciphertext.len, ciphertext.len, | 1354 (int *)&ciphertext.len, ciphertext.len, |
1344 » plaintext_item.data, plaintext_item.len); | 1355 plaintext_item.data, plaintext_item.len); |
1345 » PK11_Finalize(aes_ctx_pkcs11); | 1356 PK11_Finalize(aes_ctx_pkcs11); |
1346 » PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE); | 1357 PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE); |
1347 » if (rv != SECSuccess) goto loser; | 1358 if (rv != SECSuccess) goto loser; |
1348 } | 1359 } |
1349 | 1360 |
1350 /* Convert ciphertext length to network order. */ | 1361 /* Convert ciphertext length to network order. */ |
1351 length_buf[0] = (ciphertext.len >> 8) & 0xff; | 1362 length_buf[0] = (ciphertext.len >> 8) & 0xff; |
1352 length_buf[1] = (ciphertext.len ) & 0xff; | 1363 length_buf[1] = (ciphertext.len ) & 0xff; |
1353 | 1364 |
1354 /* Compute MAC. */ | 1365 /* Compute MAC. */ |
1355 #ifndef NO_PKCS11_BYPASS | 1366 #ifndef NO_PKCS11_BYPASS |
1356 if (ss->opt.bypassPKCS11) { | 1367 if (ss->opt.bypassPKCS11) { |
1357 » hmac_ctx = (HMACContext *)hmac_ctx_buf; | 1368 hmac_ctx = (HMACContext *)hmac_ctx_buf; |
1358 » hashObj = HASH_GetRawHashObject(HASH_AlgSHA256); | 1369 hashObj = HASH_GetRawHashObject(HASH_AlgSHA256); |
1359 » if (HMAC_Init(hmac_ctx, hashObj, mac_key, | 1370 if (HMAC_Init(hmac_ctx, hashObj, mac_key, |
1360 » » mac_key_length, PR_FALSE) != SECSuccess) | 1371 mac_key_length, PR_FALSE) != SECSuccess) |
1361 » goto loser; | 1372 goto loser; |
1362 | 1373 |
1363 » HMAC_Begin(hmac_ctx); | 1374 HMAC_Begin(hmac_ctx); |
1364 » HMAC_Update(hmac_ctx, key_name, SESS_TICKET_KEY_NAME_LEN); | 1375 HMAC_Update(hmac_ctx, key_name, SESS_TICKET_KEY_NAME_LEN); |
1365 » HMAC_Update(hmac_ctx, iv, sizeof(iv)); | 1376 HMAC_Update(hmac_ctx, iv, sizeof(iv)); |
1366 » HMAC_Update(hmac_ctx, (unsigned char *)length_buf, 2); | 1377 HMAC_Update(hmac_ctx, (unsigned char *)length_buf, 2); |
1367 » HMAC_Update(hmac_ctx, ciphertext.data, ciphertext.len); | 1378 HMAC_Update(hmac_ctx, ciphertext.data, ciphertext.len); |
1368 » HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length, | 1379 HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length, |
1369 » sizeof(computed_mac)); | 1380 sizeof(computed_mac)); |
1370 } else | 1381 } else |
1371 #endif | 1382 #endif |
1372 { | 1383 { |
1373 » SECItem macParam; | 1384 SECItem macParam; |
1374 » macParam.data = NULL; | 1385 macParam.data = NULL; |
1375 » macParam.len = 0; | 1386 macParam.len = 0; |
1376 » hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech, | 1387 hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech, |
1377 » CKA_SIGN, mac_key_pkcs11, &macParam); | 1388 CKA_SIGN, mac_key_pkcs11, &macParam); |
1378 » if (!hmac_ctx_pkcs11) | 1389 if (!hmac_ctx_pkcs11) |
1379 » goto loser; | 1390 goto loser; |
1380 | 1391 |
1381 » rv = PK11_DigestBegin(hmac_ctx_pkcs11); | 1392 rv = PK11_DigestBegin(hmac_ctx_pkcs11); |
1382 » rv = PK11_DigestOp(hmac_ctx_pkcs11, key_name, | 1393 rv = PK11_DigestOp(hmac_ctx_pkcs11, key_name, |
1383 » SESS_TICKET_KEY_NAME_LEN); | 1394 SESS_TICKET_KEY_NAME_LEN); |
1384 » rv = PK11_DigestOp(hmac_ctx_pkcs11, iv, sizeof(iv)); | 1395 rv = PK11_DigestOp(hmac_ctx_pkcs11, iv, sizeof(iv)); |
1385 » rv = PK11_DigestOp(hmac_ctx_pkcs11, (unsigned char *)length_buf, 2); | 1396 rv = PK11_DigestOp(hmac_ctx_pkcs11, (unsigned char *)length_buf, 2); |
1386 » rv = PK11_DigestOp(hmac_ctx_pkcs11, ciphertext.data, ciphertext.len); | 1397 rv = PK11_DigestOp(hmac_ctx_pkcs11, ciphertext.data, ciphertext.len); |
1387 » rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac, | 1398 rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac, |
1388 » &computed_mac_length, sizeof(computed_mac)); | 1399 &computed_mac_length, sizeof(computed_mac)); |
1389 » PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); | 1400 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); |
1390 » if (rv != SECSuccess) goto loser; | 1401 if (rv != SECSuccess) goto loser; |
1391 } | 1402 } |
1392 | 1403 |
1393 /* Serialize the handshake message. */ | 1404 /* Serialize the handshake message. */ |
1394 rv = ssl3_AppendHandshakeHeader(ss, new_session_ticket, message_length); | 1405 rv = ssl3_AppendHandshakeHeader(ss, new_session_ticket, message_length); |
1395 if (rv != SECSuccess) goto loser; | 1406 if (rv != SECSuccess) goto loser; |
1396 | 1407 |
1397 rv = ssl3_AppendHandshakeNumber(ss, ticket.ticket_lifetime_hint, | 1408 rv = ssl3_AppendHandshakeNumber(ss, ticket.ticket_lifetime_hint, |
1398 » sizeof(ticket.ticket_lifetime_hint)); | 1409 sizeof(ticket.ticket_lifetime_hint)); |
1399 if (rv != SECSuccess) goto loser; | 1410 if (rv != SECSuccess) goto loser; |
1400 | 1411 |
1401 rv = ssl3_AppendHandshakeNumber(ss, | 1412 rv = ssl3_AppendHandshakeNumber(ss, |
1402 » message_length - sizeof(ticket.ticket_lifetime_hint) - 2, 2); | 1413 message_length - sizeof(ticket.ticket_lifetime_hint) - 2, 2); |
1403 if (rv != SECSuccess) goto loser; | 1414 if (rv != SECSuccess) goto loser; |
1404 | 1415 |
1405 rv = ssl3_AppendHandshake(ss, key_name, SESS_TICKET_KEY_NAME_LEN); | 1416 rv = ssl3_AppendHandshake(ss, key_name, SESS_TICKET_KEY_NAME_LEN); |
1406 if (rv != SECSuccess) goto loser; | 1417 if (rv != SECSuccess) goto loser; |
1407 | 1418 |
1408 rv = ssl3_AppendHandshake(ss, iv, sizeof(iv)); | 1419 rv = ssl3_AppendHandshake(ss, iv, sizeof(iv)); |
1409 if (rv != SECSuccess) goto loser; | 1420 if (rv != SECSuccess) goto loser; |
1410 | 1421 |
1411 rv = ssl3_AppendHandshakeVariable(ss, ciphertext.data, ciphertext.len, 2); | 1422 rv = ssl3_AppendHandshakeVariable(ss, ciphertext.data, ciphertext.len, 2); |
1412 if (rv != SECSuccess) goto loser; | 1423 if (rv != SECSuccess) goto loser; |
1413 | 1424 |
1414 rv = ssl3_AppendHandshake(ss, computed_mac, computed_mac_length); | 1425 rv = ssl3_AppendHandshake(ss, computed_mac, computed_mac_length); |
1415 if (rv != SECSuccess) goto loser; | 1426 if (rv != SECSuccess) goto loser; |
1416 | 1427 |
1417 loser: | 1428 loser: |
1418 if (plaintext_item.data) | 1429 if (plaintext_item.data) |
1419 » SECITEM_FreeItem(&plaintext_item, PR_FALSE); | 1430 SECITEM_FreeItem(&plaintext_item, PR_FALSE); |
1420 if (ciphertext.data) | 1431 if (ciphertext.data) |
1421 » SECITEM_FreeItem(&ciphertext, PR_FALSE); | 1432 SECITEM_FreeItem(&ciphertext, PR_FALSE); |
1422 | 1433 |
1423 return rv; | 1434 return rv; |
1424 } | 1435 } |
1425 | 1436 |
1426 /* When a client receives a SessionTicket extension a NewSessionTicket | 1437 /* When a client receives a SessionTicket extension a NewSessionTicket |
1427 * message is expected during the handshake. | 1438 * message is expected during the handshake. |
1428 */ | 1439 */ |
1429 SECStatus | 1440 SECStatus |
1430 ssl3_ClientHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type, | 1441 ssl3_ClientHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type, |
1431 SECItem *data) | 1442 SECItem *data) |
1432 { | 1443 { |
1433 if (data->len != 0) | 1444 if (data->len != 0) { |
1434 » return SECFailure; | 1445 return SECSuccess; /* Ignore the extension. */ |
1446 } | |
1435 | 1447 |
1436 /* Keep track of negotiated extensions. */ | 1448 /* Keep track of negotiated extensions. */ |
1437 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | 1449 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
1438 return SECSuccess; | 1450 return SECSuccess; |
1439 } | 1451 } |
1440 | 1452 |
1441 SECStatus | 1453 SECStatus |
1442 ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type, | 1454 ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type, |
1443 SECItem *data) | 1455 SECItem *data) |
1444 { | 1456 { |
1445 SECStatus rv; | 1457 SECStatus rv; |
1446 SECItem *decrypted_state = NULL; | 1458 SECItem *decrypted_state = NULL; |
1447 SessionTicket *parsed_session_ticket = NULL; | 1459 SessionTicket *parsed_session_ticket = NULL; |
1448 sslSessionID *sid = NULL; | 1460 sslSessionID *sid = NULL; |
1449 SSL3Statistics *ssl3stats; | 1461 SSL3Statistics *ssl3stats; |
1450 | 1462 |
1451 /* Ignore the SessionTicket extension if processing is disabled. */ | 1463 /* Ignore the SessionTicket extension if processing is disabled. */ |
1452 if (!ss->opt.enableSessionTickets) | 1464 if (!ss->opt.enableSessionTickets) |
1453 » return SECSuccess; | 1465 return SECSuccess; |
1454 | 1466 |
1455 /* Keep track of negotiated extensions. */ | 1467 /* Keep track of negotiated extensions. */ |
1456 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | 1468 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
1457 | 1469 |
1458 /* Parse the received ticket sent in by the client. We are | 1470 /* Parse the received ticket sent in by the client. We are |
1459 * lenient about some parse errors, falling back to a fullshake | 1471 * lenient about some parse errors, falling back to a fullshake |
1460 * instead of terminating the current connection. | 1472 * instead of terminating the current connection. |
1461 */ | 1473 */ |
1462 if (data->len == 0) { | 1474 if (data->len == 0) { |
1463 » ss->xtnData.emptySessionTicket = PR_TRUE; | 1475 ss->xtnData.emptySessionTicket = PR_TRUE; |
1464 } else { | 1476 } else { |
1465 » int i; | 1477 int i; |
1466 » SECItem extension_data; | 1478 SECItem extension_data; |
1467 » EncryptedSessionTicket enc_session_ticket; | 1479 EncryptedSessionTicket enc_session_ticket; |
1468 » unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH]; | 1480 unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH]; |
1469 » unsigned int computed_mac_length; | 1481 unsigned int computed_mac_length; |
1470 #ifndef NO_PKCS11_BYPASS | 1482 #ifndef NO_PKCS11_BYPASS |
1471 » const SECHashObject *hashObj; | 1483 const SECHashObject *hashObj; |
1472 » const unsigned char *aes_key; | 1484 const unsigned char *aes_key; |
1473 » const unsigned char *mac_key; | 1485 const unsigned char *mac_key; |
1474 » PRUint32 aes_key_length; | 1486 PRUint32 aes_key_length; |
1475 » PRUint32 mac_key_length; | 1487 PRUint32 mac_key_length; |
1476 » PRUint64 hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS]; | 1488 PRUint64 hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS]; |
1477 » HMACContext *hmac_ctx; | 1489 HMACContext *hmac_ctx; |
1478 » PRUint64 aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS]; | 1490 PRUint64 aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS]; |
1479 » AESContext *aes_ctx; | 1491 AESContext *aes_ctx; |
1480 #endif | 1492 #endif |
1481 » PK11SymKey *aes_key_pkcs11; | 1493 PK11SymKey *aes_key_pkcs11; |
1482 » PK11SymKey *mac_key_pkcs11; | 1494 PK11SymKey *mac_key_pkcs11; |
1483 » PK11Context *hmac_ctx_pkcs11; | 1495 PK11Context *hmac_ctx_pkcs11; |
1484 » CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC; | 1496 CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC; |
1485 » PK11Context *aes_ctx_pkcs11; | 1497 PK11Context *aes_ctx_pkcs11; |
1486 » CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC; | 1498 CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC; |
1487 » unsigned char * padding; | 1499 unsigned char * padding; |
1488 » PRUint32 padding_length; | 1500 PRUint32 padding_length; |
1489 » unsigned char *buffer; | 1501 unsigned char *buffer; |
1490 » unsigned int buffer_len; | 1502 unsigned int buffer_len; |
1491 » PRInt32 temp; | 1503 PRInt32 temp; |
1492 » SECItem cert_item; | 1504 SECItem cert_item; |
1493 PRInt8 nameType = TLS_STE_NO_SERVER_NAME; | 1505 PRInt8 nameType = TLS_STE_NO_SERVER_NAME; |
1494 | 1506 |
1495 » /* Turn off stateless session resumption if the client sends a | 1507 /* Turn off stateless session resumption if the client sends a |
1496 » * SessionTicket extension, even if the extension turns out to be | 1508 * SessionTicket extension, even if the extension turns out to be |
1497 » * malformed (ss->sec.ci.sid is non-NULL when doing session | 1509 * malformed (ss->sec.ci.sid is non-NULL when doing session |
1498 » * renegotiation.) | 1510 * renegotiation.) |
1499 » */ | 1511 */ |
1500 » if (ss->sec.ci.sid != NULL) { | 1512 if (ss->sec.ci.sid != NULL) { |
1501 » if (ss->sec.uncache) | 1513 if (ss->sec.uncache) |
1502 » » ss->sec.uncache(ss->sec.ci.sid); | 1514 ss->sec.uncache(ss->sec.ci.sid); |
1503 » ssl_FreeSID(ss->sec.ci.sid); | 1515 ssl_FreeSID(ss->sec.ci.sid); |
1504 » ss->sec.ci.sid = NULL; | 1516 ss->sec.ci.sid = NULL; |
1505 » } | 1517 } |
1506 | 1518 |
1507 » extension_data.data = data->data; /* Keep a copy for future use. */ | 1519 extension_data.data = data->data; /* Keep a copy for future use. */ |
1508 » extension_data.len = data->len; | 1520 extension_data.len = data->len; |
1509 | 1521 |
1510 » if (ssl3_ParseEncryptedSessionTicket(ss, data, &enc_session_ticket) | 1522 if (ssl3_ParseEncryptedSessionTicket(ss, data, &enc_session_ticket) |
1511 » != SECSuccess) | 1523 != SECSuccess) |
1512 » return SECFailure; | 1524 return SECFailure; |
1513 | 1525 |
1514 » /* Get session ticket keys. */ | 1526 /* Get session ticket keys. */ |
1515 #ifndef NO_PKCS11_BYPASS | 1527 #ifndef NO_PKCS11_BYPASS |
1516 » if (ss->opt.bypassPKCS11) { | 1528 if (ss->opt.bypassPKCS11) { |
1517 » rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length, | 1529 rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length, |
1518 » » &mac_key, &mac_key_length); | 1530 &mac_key, &mac_key_length); |
1519 » } else | 1531 } else |
1520 #endif | 1532 #endif |
1521 » { | 1533 { |
1522 » rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11, | 1534 rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11, |
1523 » » &mac_key_pkcs11); | 1535 &mac_key_pkcs11); |
1524 » } | 1536 } |
1525 » if (rv != SECSuccess) { | 1537 if (rv != SECSuccess) { |
1526 » SSL_DBG(("%d: SSL[%d]: Unable to get/generate session ticket keys.", | 1538 SSL_DBG(("%d: SSL[%d]: Unable to get/generate session ticket keys.", |
1527 » » » SSL_GETPID(), ss->fd)); | 1539 SSL_GETPID(), ss->fd)); |
1528 » goto loser; | 1540 goto loser; |
1529 » } | 1541 } |
1530 | 1542 |
1531 » /* If the ticket sent by the client was generated under a key different | 1543 /* If the ticket sent by the client was generated under a key different |
1532 » * from the one we have, bypass ticket processing. | 1544 * from the one we have, bypass ticket processing. |
1533 » */ | 1545 */ |
1534 » if (PORT_Memcmp(enc_session_ticket.key_name, key_name, | 1546 if (PORT_Memcmp(enc_session_ticket.key_name, key_name, |
1535 » » SESS_TICKET_KEY_NAME_LEN) != 0) { | 1547 SESS_TICKET_KEY_NAME_LEN) != 0) { |
1536 » SSL_DBG(("%d: SSL[%d]: Session ticket key_name sent mismatch.", | 1548 SSL_DBG(("%d: SSL[%d]: Session ticket key_name sent mismatch.", |
1537 » » » SSL_GETPID(), ss->fd)); | 1549 SSL_GETPID(), ss->fd)); |
1538 » goto no_ticket; | 1550 goto no_ticket; |
1539 » } | 1551 } |
1540 | 1552 |
1541 » /* Verify the MAC on the ticket. MAC verification may also | 1553 /* Verify the MAC on the ticket. MAC verification may also |
1542 » * fail if the MAC key has been recently refreshed. | 1554 * fail if the MAC key has been recently refreshed. |
1543 » */ | 1555 */ |
1544 #ifndef NO_PKCS11_BYPASS | 1556 #ifndef NO_PKCS11_BYPASS |
1545 » if (ss->opt.bypassPKCS11) { | 1557 if (ss->opt.bypassPKCS11) { |
1546 » hmac_ctx = (HMACContext *)hmac_ctx_buf; | 1558 hmac_ctx = (HMACContext *)hmac_ctx_buf; |
1547 » hashObj = HASH_GetRawHashObject(HASH_AlgSHA256); | 1559 hashObj = HASH_GetRawHashObject(HASH_AlgSHA256); |
1548 » if (HMAC_Init(hmac_ctx, hashObj, mac_key, | 1560 if (HMAC_Init(hmac_ctx, hashObj, mac_key, |
1549 » » sizeof(session_ticket_mac_key), PR_FALSE) != SECSuccess) | 1561 sizeof(session_ticket_mac_key), PR_FALSE) != SECSuccess) |
1550 » » goto no_ticket; | 1562 goto no_ticket; |
1551 » HMAC_Begin(hmac_ctx); | 1563 HMAC_Begin(hmac_ctx); |
1552 » HMAC_Update(hmac_ctx, extension_data.data, | 1564 HMAC_Update(hmac_ctx, extension_data.data, |
1553 » » extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH); | 1565 extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH); |
1554 » if (HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length, | 1566 if (HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length, |
1555 » » sizeof(computed_mac)) != SECSuccess) | 1567 sizeof(computed_mac)) != SECSuccess) |
1556 » » goto no_ticket; | 1568 goto no_ticket; |
1557 » } else | 1569 } else |
1558 #endif | 1570 #endif |
1559 » { | 1571 { |
1560 » SECItem macParam; | 1572 SECItem macParam; |
1561 » macParam.data = NULL; | 1573 macParam.data = NULL; |
1562 » macParam.len = 0; | 1574 macParam.len = 0; |
1563 » hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech, | 1575 hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech, |
1564 » » CKA_SIGN, mac_key_pkcs11, &macParam); | 1576 CKA_SIGN, mac_key_pkcs11, &macParam); |
1565 » if (!hmac_ctx_pkcs11) { | 1577 if (!hmac_ctx_pkcs11) { |
1566 » » SSL_DBG(("%d: SSL[%d]: Unable to create HMAC context: %d.", | 1578 SSL_DBG(("%d: SSL[%d]: Unable to create HMAC context: %d.", |
1567 » » » SSL_GETPID(), ss->fd, PORT_GetError())); | 1579 SSL_GETPID(), ss->fd, PORT_GetError())); |
1568 » » goto no_ticket; | 1580 goto no_ticket; |
1569 » } else { | 1581 } else { |
1570 » » SSL_DBG(("%d: SSL[%d]: Successfully created HMAC context.", | 1582 SSL_DBG(("%d: SSL[%d]: Successfully created HMAC context.", |
1571 » » » SSL_GETPID(), ss->fd)); | 1583 SSL_GETPID(), ss->fd)); |
1572 » } | 1584 } |
1573 » rv = PK11_DigestBegin(hmac_ctx_pkcs11); | 1585 rv = PK11_DigestBegin(hmac_ctx_pkcs11); |
1574 » rv = PK11_DigestOp(hmac_ctx_pkcs11, extension_data.data, | 1586 rv = PK11_DigestOp(hmac_ctx_pkcs11, extension_data.data, |
1575 » » extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH); | 1587 extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH); |
1576 » if (rv != SECSuccess) { | 1588 if (rv != SECSuccess) { |
1577 » » PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); | 1589 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); |
1578 » » goto no_ticket; | 1590 goto no_ticket; |
1579 » } | 1591 } |
1580 » rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac, | 1592 rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac, |
1581 » » &computed_mac_length, sizeof(computed_mac)); | 1593 &computed_mac_length, sizeof(computed_mac)); |
1582 » PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); | 1594 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); |
1583 » if (rv != SECSuccess) | 1595 if (rv != SECSuccess) |
1584 » » goto no_ticket; | 1596 goto no_ticket; |
1585 » } | 1597 } |
1586 » if (NSS_SecureMemcmp(computed_mac, enc_session_ticket.mac, | 1598 if (NSS_SecureMemcmp(computed_mac, enc_session_ticket.mac, |
1587 » » computed_mac_length) != 0) { | 1599 computed_mac_length) != 0) { |
1588 » SSL_DBG(("%d: SSL[%d]: Session ticket MAC mismatch.", | 1600 SSL_DBG(("%d: SSL[%d]: Session ticket MAC mismatch.", |
1589 » » » SSL_GETPID(), ss->fd)); | 1601 SSL_GETPID(), ss->fd)); |
1590 » goto no_ticket; | 1602 goto no_ticket; |
1591 » } | 1603 } |
1592 | 1604 |
1593 » /* We ignore key_name for now. | 1605 /* We ignore key_name for now. |
1594 » * This is ok as MAC verification succeeded. | 1606 * This is ok as MAC verification succeeded. |
1595 » */ | 1607 */ |
1596 | 1608 |
1597 » /* Decrypt the ticket. */ | 1609 /* Decrypt the ticket. */ |
1598 | 1610 |
1599 » /* Plaintext is shorter than the ciphertext due to padding. */ | 1611 /* Plaintext is shorter than the ciphertext due to padding. */ |
1600 » decrypted_state = SECITEM_AllocItem(NULL, NULL, | 1612 decrypted_state = SECITEM_AllocItem(NULL, NULL, |
1601 » enc_session_ticket.encrypted_state.len); | 1613 enc_session_ticket.encrypted_state.len); |
1602 | 1614 |
1603 #ifndef NO_PKCS11_BYPASS | 1615 #ifndef NO_PKCS11_BYPASS |
1604 » if (ss->opt.bypassPKCS11) { | 1616 if (ss->opt.bypassPKCS11) { |
1605 » aes_ctx = (AESContext *)aes_ctx_buf; | 1617 aes_ctx = (AESContext *)aes_ctx_buf; |
1606 » rv = AES_InitContext(aes_ctx, aes_key, | 1618 rv = AES_InitContext(aes_ctx, aes_key, |
1607 » » sizeof(session_ticket_enc_key), enc_session_ticket.iv, | 1619 sizeof(session_ticket_enc_key), enc_session_ticket.iv, |
1608 » » NSS_AES_CBC, 0,AES_BLOCK_SIZE); | 1620 NSS_AES_CBC, 0,AES_BLOCK_SIZE); |
1609 » if (rv != SECSuccess) { | 1621 if (rv != SECSuccess) { |
1610 » » SSL_DBG(("%d: SSL[%d]: Unable to create AES context.", | 1622 SSL_DBG(("%d: SSL[%d]: Unable to create AES context.", |
1611 » » » SSL_GETPID(), ss->fd)); | 1623 SSL_GETPID(), ss->fd)); |
1612 » » goto no_ticket; | 1624 goto no_ticket; |
1613 » } | 1625 } |
1614 | 1626 |
1615 » rv = AES_Decrypt(aes_ctx, decrypted_state->data, | 1627 rv = AES_Decrypt(aes_ctx, decrypted_state->data, |
1616 » » &decrypted_state->len, decrypted_state->len, | 1628 &decrypted_state->len, decrypted_state->len, |
1617 » » enc_session_ticket.encrypted_state.data, | 1629 enc_session_ticket.encrypted_state.data, |
1618 » » enc_session_ticket.encrypted_state.len); | 1630 enc_session_ticket.encrypted_state.len); |
1619 » if (rv != SECSuccess) | 1631 if (rv != SECSuccess) |
1620 » » goto no_ticket; | 1632 goto no_ticket; |
1621 » } else | 1633 } else |
1622 #endif | 1634 #endif |
1623 » { | 1635 { |
1624 » SECItem ivItem; | 1636 SECItem ivItem; |
1625 » ivItem.data = enc_session_ticket.iv; | 1637 ivItem.data = enc_session_ticket.iv; |
1626 » ivItem.len = AES_BLOCK_SIZE; | 1638 ivItem.len = AES_BLOCK_SIZE; |
1627 » aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech, | 1639 aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech, |
1628 » » CKA_DECRYPT, aes_key_pkcs11, &ivItem); | 1640 CKA_DECRYPT, aes_key_pkcs11, &ivItem); |
1629 » if (!aes_ctx_pkcs11) { | 1641 if (!aes_ctx_pkcs11) { |
1630 » » SSL_DBG(("%d: SSL[%d]: Unable to create AES context.", | 1642 SSL_DBG(("%d: SSL[%d]: Unable to create AES context.", |
1631 » » » SSL_GETPID(), ss->fd)); | 1643 SSL_GETPID(), ss->fd)); |
1632 » » goto no_ticket; | 1644 goto no_ticket; |
1633 » } | 1645 } |
1634 | 1646 |
1635 » rv = PK11_CipherOp(aes_ctx_pkcs11, decrypted_state->data, | 1647 rv = PK11_CipherOp(aes_ctx_pkcs11, decrypted_state->data, |
1636 » » (int *)&decrypted_state->len, decrypted_state->len, | 1648 (int *)&decrypted_state->len, decrypted_state->len, |
1637 » » enc_session_ticket.encrypted_state.data, | 1649 enc_session_ticket.encrypted_state.data, |
1638 » » enc_session_ticket.encrypted_state.len); | 1650 enc_session_ticket.encrypted_state.len); |
1639 » PK11_Finalize(aes_ctx_pkcs11); | 1651 PK11_Finalize(aes_ctx_pkcs11); |
1640 » PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE); | 1652 PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE); |
1641 » if (rv != SECSuccess) | 1653 if (rv != SECSuccess) |
1642 » » goto no_ticket; | 1654 goto no_ticket; |
1643 » } | 1655 } |
1644 | 1656 |
1645 » /* Check padding. */ | 1657 /* Check padding. */ |
1646 » padding_length = | 1658 padding_length = |
1647 » (PRUint32)decrypted_state->data[decrypted_state->len - 1]; | 1659 (PRUint32)decrypted_state->data[decrypted_state->len - 1]; |
1648 » if (padding_length == 0 || padding_length > AES_BLOCK_SIZE) | 1660 if (padding_length == 0 || padding_length > AES_BLOCK_SIZE) |
1649 » goto no_ticket; | 1661 goto no_ticket; |
1650 | 1662 |
1651 » padding = &decrypted_state->data[decrypted_state->len - padding_length]; | 1663 padding = &decrypted_state->data[decrypted_state->len - padding_length]; |
1652 » for (i = 0; i < padding_length; i++, padding++) { | 1664 for (i = 0; i < padding_length; i++, padding++) { |
1653 » if (padding_length != (PRUint32)*padding) | 1665 if (padding_length != (PRUint32)*padding) |
1654 » » goto no_ticket; | 1666 goto no_ticket; |
1655 » } | 1667 } |
1656 | 1668 |
1657 » /* Deserialize session state. */ | 1669 /* Deserialize session state. */ |
1658 » buffer = decrypted_state->data; | 1670 buffer = decrypted_state->data; |
1659 » buffer_len = decrypted_state->len; | 1671 buffer_len = decrypted_state->len; |
1660 | 1672 |
1661 » parsed_session_ticket = PORT_ZAlloc(sizeof(SessionTicket)); | 1673 parsed_session_ticket = PORT_ZAlloc(sizeof(SessionTicket)); |
1662 » if (parsed_session_ticket == NULL) { | 1674 if (parsed_session_ticket == NULL) { |
1663 » rv = SECFailure; | 1675 rv = SECFailure; |
1664 » goto loser; | 1676 goto loser; |
1665 » } | 1677 } |
1666 | 1678 |
1667 » /* Read ticket_version (which is ignored for now.) */ | 1679 /* Read ticket_version (which is ignored for now.) */ |
1668 » temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); | 1680 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); |
1669 » if (temp < 0) goto no_ticket; | 1681 if (temp < 0) goto no_ticket; |
1670 » parsed_session_ticket->ticket_version = (SSL3ProtocolVersion)temp; | 1682 parsed_session_ticket->ticket_version = (SSL3ProtocolVersion)temp; |
1671 | 1683 |
1672 » /* Read SSLVersion. */ | 1684 /* Read SSLVersion. */ |
1673 » temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); | 1685 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); |
1674 » if (temp < 0) goto no_ticket; | 1686 if (temp < 0) goto no_ticket; |
1675 » parsed_session_ticket->ssl_version = (SSL3ProtocolVersion)temp; | 1687 parsed_session_ticket->ssl_version = (SSL3ProtocolVersion)temp; |
1676 | 1688 |
1677 » /* Read cipher_suite. */ | 1689 /* Read cipher_suite. */ |
1678 » temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); | 1690 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); |
1679 » if (temp < 0) goto no_ticket; | 1691 if (temp < 0) goto no_ticket; |
1680 » parsed_session_ticket->cipher_suite = (ssl3CipherSuite)temp; | 1692 parsed_session_ticket->cipher_suite = (ssl3CipherSuite)temp; |
1681 | 1693 |
1682 » /* Read compression_method. */ | 1694 /* Read compression_method. */ |
1683 » temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); | 1695 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); |
1684 » if (temp < 0) goto no_ticket; | 1696 if (temp < 0) goto no_ticket; |
1685 » parsed_session_ticket->compression_method = (SSLCompressionMethod)temp; | 1697 parsed_session_ticket->compression_method = (SSLCompressionMethod)temp; |
1686 | 1698 |
1687 » /* Read cipher spec parameters. */ | 1699 /* Read cipher spec parameters. */ |
1688 » temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); | 1700 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); |
1689 » if (temp < 0) goto no_ticket; | 1701 if (temp < 0) goto no_ticket; |
1690 » parsed_session_ticket->authAlgorithm = (SSLSignType)temp; | 1702 parsed_session_ticket->authAlgorithm = (SSLSignType)temp; |
1691 » temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); | 1703 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); |
1692 » if (temp < 0) goto no_ticket; | 1704 if (temp < 0) goto no_ticket; |
1693 » parsed_session_ticket->authKeyBits = (PRUint32)temp; | 1705 parsed_session_ticket->authKeyBits = (PRUint32)temp; |
1694 » temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); | 1706 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); |
1695 » if (temp < 0) goto no_ticket; | 1707 if (temp < 0) goto no_ticket; |
1696 » parsed_session_ticket->keaType = (SSLKEAType)temp; | 1708 parsed_session_ticket->keaType = (SSLKEAType)temp; |
1697 » temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); | 1709 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); |
1698 » if (temp < 0) goto no_ticket; | 1710 if (temp < 0) goto no_ticket; |
1699 » parsed_session_ticket->keaKeyBits = (PRUint32)temp; | 1711 parsed_session_ticket->keaKeyBits = (PRUint32)temp; |
1700 | 1712 |
1701 » /* Read wrapped master_secret. */ | 1713 /* Read wrapped master_secret. */ |
1702 » temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); | 1714 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); |
1703 » if (temp < 0) goto no_ticket; | 1715 if (temp < 0) goto no_ticket; |
1704 » parsed_session_ticket->ms_is_wrapped = (PRBool)temp; | 1716 parsed_session_ticket->ms_is_wrapped = (PRBool)temp; |
1705 | 1717 |
1706 » temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); | 1718 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); |
1707 » if (temp < 0) goto no_ticket; | 1719 if (temp < 0) goto no_ticket; |
1708 » parsed_session_ticket->exchKeyType = (SSL3KEAType)temp; | 1720 parsed_session_ticket->exchKeyType = (SSL3KEAType)temp; |
1709 | 1721 |
1710 » temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); | 1722 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); |
1711 » if (temp < 0) goto no_ticket; | 1723 if (temp < 0) goto no_ticket; |
1712 » parsed_session_ticket->msWrapMech = (CK_MECHANISM_TYPE)temp; | 1724 parsed_session_ticket->msWrapMech = (CK_MECHANISM_TYPE)temp; |
1713 | 1725 |
1714 » temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); | 1726 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); |
1715 » if (temp < 0) goto no_ticket; | 1727 if (temp < 0) goto no_ticket; |
1716 » parsed_session_ticket->ms_length = (PRUint16)temp; | 1728 parsed_session_ticket->ms_length = (PRUint16)temp; |
1717 » if (parsed_session_ticket->ms_length == 0 || /* sanity check MS. */ | 1729 if (parsed_session_ticket->ms_length == 0 || /* sanity check MS. */ |
1718 » parsed_session_ticket->ms_length > | 1730 parsed_session_ticket->ms_length > |
1719 » sizeof(parsed_session_ticket->master_secret)) | 1731 sizeof(parsed_session_ticket->master_secret)) |
1720 » goto no_ticket; | 1732 goto no_ticket; |
1721 » | 1733 |
1722 » /* Allow for the wrapped master secret to be longer. */ | 1734 /* Allow for the wrapped master secret to be longer. */ |
1723 » if (buffer_len < parsed_session_ticket->ms_length) | 1735 if (buffer_len < parsed_session_ticket->ms_length) |
1724 » goto no_ticket; | 1736 goto no_ticket; |
1725 » PORT_Memcpy(parsed_session_ticket->master_secret, buffer, | 1737 PORT_Memcpy(parsed_session_ticket->master_secret, buffer, |
1726 » parsed_session_ticket->ms_length); | 1738 parsed_session_ticket->ms_length); |
1727 » buffer += parsed_session_ticket->ms_length; | 1739 buffer += parsed_session_ticket->ms_length; |
1728 » buffer_len -= parsed_session_ticket->ms_length; | 1740 buffer_len -= parsed_session_ticket->ms_length; |
1729 | 1741 |
1730 » /* Read client_identity */ | 1742 /* Read client_identity */ |
1731 » temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); | 1743 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); |
1732 » if (temp < 0) | 1744 if (temp < 0) |
1733 » goto no_ticket; | 1745 goto no_ticket; |
1734 » parsed_session_ticket->client_identity.client_auth_type = | 1746 parsed_session_ticket->client_identity.client_auth_type = |
1735 » (ClientAuthenticationType)temp; | 1747 (ClientAuthenticationType)temp; |
1736 » switch(parsed_session_ticket->client_identity.client_auth_type) { | 1748 switch(parsed_session_ticket->client_identity.client_auth_type) { |
1737 case CLIENT_AUTH_ANONYMOUS: | 1749 case CLIENT_AUTH_ANONYMOUS: |
1738 » » break; | 1750 break; |
1739 case CLIENT_AUTH_CERTIFICATE: | 1751 case CLIENT_AUTH_CERTIFICATE: |
1740 » » rv = ssl3_ConsumeHandshakeVariable(ss, &cert_item, 3, | 1752 rv = ssl3_ConsumeHandshakeVariable(ss, &cert_item, 3, |
1741 » » &buffer, &buffer_len); | 1753 &buffer, &buffer_len); |
1742 » » if (rv != SECSuccess) goto no_ticket; | 1754 if (rv != SECSuccess) goto no_ticket; |
1743 » » rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->peer_cert, | 1755 rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->peer_cert, |
1744 » » &cert_item); | 1756 &cert_item); |
1745 » » if (rv != SECSuccess) goto no_ticket; | 1757 if (rv != SECSuccess) goto no_ticket; |
1746 » » break; | 1758 break; |
1747 default: | 1759 default: |
1748 » » goto no_ticket; | 1760 goto no_ticket; |
1749 » } | 1761 } |
1750 » /* Read timestamp. */ | 1762 /* Read timestamp. */ |
1751 » temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); | 1763 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); |
1752 » if (temp < 0) | 1764 if (temp < 0) |
1753 » goto no_ticket; | 1765 goto no_ticket; |
1754 » parsed_session_ticket->timestamp = (PRUint32)temp; | 1766 parsed_session_ticket->timestamp = (PRUint32)temp; |
1755 | 1767 |
1756 /* Read server name */ | 1768 /* Read server name */ |
1757 nameType = | 1769 nameType = |
1758 ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); | 1770 ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); |
1759 if (nameType != TLS_STE_NO_SERVER_NAME) { | 1771 if (nameType != TLS_STE_NO_SERVER_NAME) { |
1760 SECItem name_item; | 1772 SECItem name_item; |
1761 rv = ssl3_ConsumeHandshakeVariable(ss, &name_item, 2, &buffer, | 1773 rv = ssl3_ConsumeHandshakeVariable(ss, &name_item, 2, &buffer, |
1762 &buffer_len); | 1774 &buffer_len); |
1763 if (rv != SECSuccess) goto no_ticket; | 1775 if (rv != SECSuccess) goto no_ticket; |
1764 rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->srvName, | 1776 rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->srvName, |
1765 &name_item); | 1777 &name_item); |
1766 if (rv != SECSuccess) goto no_ticket; | 1778 if (rv != SECSuccess) goto no_ticket; |
1767 parsed_session_ticket->srvName.type = nameType; | 1779 parsed_session_ticket->srvName.type = nameType; |
1768 } | 1780 } |
1769 | 1781 |
1770 » /* Done parsing. Check that all bytes have been consumed. */ | 1782 /* Done parsing. Check that all bytes have been consumed. */ |
1771 » if (buffer_len != padding_length) | 1783 if (buffer_len != padding_length) |
1772 » goto no_ticket; | 1784 goto no_ticket; |
1773 | 1785 |
1774 » /* Use the ticket if it has not expired, otherwise free the allocated | 1786 /* Use the ticket if it has not expired, otherwise free the allocated |
1775 » * memory since the ticket is of no use. | 1787 * memory since the ticket is of no use. |
1776 » */ | 1788 */ |
1777 » if (parsed_session_ticket->timestamp != 0 && | 1789 if (parsed_session_ticket->timestamp != 0 && |
1778 » parsed_session_ticket->timestamp + | 1790 parsed_session_ticket->timestamp + |
1779 » TLS_EX_SESS_TICKET_LIFETIME_HINT > ssl_Time()) { | 1791 TLS_EX_SESS_TICKET_LIFETIME_HINT > ssl_Time()) { |
1780 | 1792 |
1781 » sid = ssl3_NewSessionID(ss, PR_TRUE); | 1793 sid = ssl3_NewSessionID(ss, PR_TRUE); |
1782 » if (sid == NULL) { | 1794 if (sid == NULL) { |
1783 » » rv = SECFailure; | 1795 rv = SECFailure; |
1784 » » goto loser; | 1796 goto loser; |
1785 » } | 1797 } |
1786 | 1798 |
1787 » /* Copy over parameters. */ | 1799 /* Copy over parameters. */ |
1788 » sid->version = parsed_session_ticket->ssl_version; | 1800 sid->version = parsed_session_ticket->ssl_version; |
1789 » sid->u.ssl3.cipherSuite = parsed_session_ticket->cipher_suite; | 1801 sid->u.ssl3.cipherSuite = parsed_session_ticket->cipher_suite; |
1790 » sid->u.ssl3.compression = parsed_session_ticket->compression_method; | 1802 sid->u.ssl3.compression = parsed_session_ticket->compression_method; |
1791 » sid->authAlgorithm = parsed_session_ticket->authAlgorithm; | 1803 sid->authAlgorithm = parsed_session_ticket->authAlgorithm; |
1792 » sid->authKeyBits = parsed_session_ticket->authKeyBits; | 1804 sid->authKeyBits = parsed_session_ticket->authKeyBits; |
1793 » sid->keaType = parsed_session_ticket->keaType; | 1805 sid->keaType = parsed_session_ticket->keaType; |
1794 » sid->keaKeyBits = parsed_session_ticket->keaKeyBits; | 1806 sid->keaKeyBits = parsed_session_ticket->keaKeyBits; |
1795 | 1807 |
1796 » /* Copy master secret. */ | 1808 /* Copy master secret. */ |
1797 #ifndef NO_PKCS11_BYPASS | 1809 #ifndef NO_PKCS11_BYPASS |
1798 » if (ss->opt.bypassPKCS11 && | 1810 if (ss->opt.bypassPKCS11 && |
1799 » » parsed_session_ticket->ms_is_wrapped) | 1811 parsed_session_ticket->ms_is_wrapped) |
1800 » » goto no_ticket; | 1812 goto no_ticket; |
1801 #endif | 1813 #endif |
1802 » if (parsed_session_ticket->ms_length > | 1814 if (parsed_session_ticket->ms_length > |
1803 » » sizeof(sid->u.ssl3.keys.wrapped_master_secret)) | 1815 sizeof(sid->u.ssl3.keys.wrapped_master_secret)) |
1804 » » goto no_ticket; | 1816 goto no_ticket; |
1805 » PORT_Memcpy(sid->u.ssl3.keys.wrapped_master_secret, | 1817 PORT_Memcpy(sid->u.ssl3.keys.wrapped_master_secret, |
1806 » » parsed_session_ticket->master_secret, | 1818 parsed_session_ticket->master_secret, |
1807 » » parsed_session_ticket->ms_length); | 1819 parsed_session_ticket->ms_length); |
1808 » sid->u.ssl3.keys.wrapped_master_secret_len = | 1820 sid->u.ssl3.keys.wrapped_master_secret_len = |
1809 » » parsed_session_ticket->ms_length; | 1821 parsed_session_ticket->ms_length; |
1810 » sid->u.ssl3.exchKeyType = parsed_session_ticket->exchKeyType; | 1822 sid->u.ssl3.exchKeyType = parsed_session_ticket->exchKeyType; |
1811 » sid->u.ssl3.masterWrapMech = parsed_session_ticket->msWrapMech; | 1823 sid->u.ssl3.masterWrapMech = parsed_session_ticket->msWrapMech; |
1812 » sid->u.ssl3.keys.msIsWrapped = | 1824 sid->u.ssl3.keys.msIsWrapped = |
1813 » » parsed_session_ticket->ms_is_wrapped; | 1825 parsed_session_ticket->ms_is_wrapped; |
1814 » sid->u.ssl3.masterValid = PR_TRUE; | 1826 sid->u.ssl3.masterValid = PR_TRUE; |
1815 » sid->u.ssl3.keys.resumable = PR_TRUE; | 1827 sid->u.ssl3.keys.resumable = PR_TRUE; |
1816 | 1828 |
1817 » /* Copy over client cert from session ticket if there is one. */ | 1829 /* Copy over client cert from session ticket if there is one. */ |
1818 » if (parsed_session_ticket->peer_cert.data != NULL) { | 1830 if (parsed_session_ticket->peer_cert.data != NULL) { |
1819 » » if (sid->peerCert != NULL) | 1831 if (sid->peerCert != NULL) |
1820 » » CERT_DestroyCertificate(sid->peerCert); | 1832 CERT_DestroyCertificate(sid->peerCert); |
1821 » » sid->peerCert = CERT_NewTempCertificate(ss->dbHandle, | 1833 sid->peerCert = CERT_NewTempCertificate(ss->dbHandle, |
1822 » » &parsed_session_ticket->peer_cert, NULL, PR_FALSE, PR_TRUE); | 1834 &parsed_session_ticket->peer_cert, NULL, PR_FALSE, PR_TRUE); |
1823 » » if (sid->peerCert == NULL) { | 1835 if (sid->peerCert == NULL) { |
1824 » » rv = SECFailure; | 1836 rv = SECFailure; |
1825 » » goto loser; | 1837 goto loser; |
1826 » » } | 1838 } |
1827 » } | 1839 } |
1828 » if (parsed_session_ticket->srvName.data != NULL) { | 1840 if (parsed_session_ticket->srvName.data != NULL) { |
1829 sid->u.ssl3.srvName = parsed_session_ticket->srvName; | 1841 sid->u.ssl3.srvName = parsed_session_ticket->srvName; |
1830 } | 1842 } |
1831 » ss->statelessResume = PR_TRUE; | 1843 ss->statelessResume = PR_TRUE; |
1832 » ss->sec.ci.sid = sid; | 1844 ss->sec.ci.sid = sid; |
1833 » } | 1845 } |
1834 } | 1846 } |
1835 | 1847 |
1836 if (0) { | 1848 if (0) { |
1837 no_ticket: | 1849 no_ticket: |
1838 » SSL_DBG(("%d: SSL[%d]: Session ticket parsing failed.", | 1850 SSL_DBG(("%d: SSL[%d]: Session ticket parsing failed.", |
1839 » » » SSL_GETPID(), ss->fd)); | 1851 SSL_GETPID(), ss->fd)); |
1840 » ssl3stats = SSL_GetStatistics(); | 1852 ssl3stats = SSL_GetStatistics(); |
1841 » SSL_AtomicIncrementLong(& ssl3stats->hch_sid_ticket_parse_failures ); | 1853 SSL_AtomicIncrementLong(& ssl3stats->hch_sid_ticket_parse_failures ); |
1842 } | 1854 } |
1843 rv = SECSuccess; | 1855 rv = SECSuccess; |
1844 | 1856 |
1845 loser: | 1857 loser: |
1846 » /* ss->sec.ci.sid == sid if it did NOT come here via goto statement | 1858 /* ss->sec.ci.sid == sid if it did NOT come here via goto statement |
1847 » * in that case do not free sid | 1859 * in that case do not free sid |
1848 » */ | 1860 */ |
1849 » if (sid && (ss->sec.ci.sid != sid)) { | 1861 if (sid && (ss->sec.ci.sid != sid)) { |
1850 » ssl_FreeSID(sid); | 1862 ssl_FreeSID(sid); |
1851 » sid = NULL; | 1863 sid = NULL; |
1852 » } | 1864 } |
1853 if (decrypted_state != NULL) { | 1865 if (decrypted_state != NULL) { |
1854 » SECITEM_FreeItem(decrypted_state, PR_TRUE); | 1866 SECITEM_FreeItem(decrypted_state, PR_TRUE); |
1855 » decrypted_state = NULL; | 1867 decrypted_state = NULL; |
1856 } | 1868 } |
1857 | 1869 |
1858 if (parsed_session_ticket != NULL) { | 1870 if (parsed_session_ticket != NULL) { |
1859 » if (parsed_session_ticket->peer_cert.data) { | 1871 if (parsed_session_ticket->peer_cert.data) { |
1860 » SECITEM_FreeItem(&parsed_session_ticket->peer_cert, PR_FALSE); | 1872 SECITEM_FreeItem(&parsed_session_ticket->peer_cert, PR_FALSE); |
1861 » } | 1873 } |
1862 » PORT_ZFree(parsed_session_ticket, sizeof(SessionTicket)); | 1874 PORT_ZFree(parsed_session_ticket, sizeof(SessionTicket)); |
1863 } | 1875 } |
1864 | 1876 |
1865 return rv; | 1877 return rv; |
1866 } | 1878 } |
1867 | 1879 |
1868 /* | 1880 /* |
1869 * Read bytes. Using this function means the SECItem structure | 1881 * Read bytes. Using this function means the SECItem structure |
1870 * cannot be freed. The caller is expected to call this function | 1882 * cannot be freed. The caller is expected to call this function |
1871 * on a shallow copy of the structure. | 1883 * on a shallow copy of the structure. |
1872 */ | 1884 */ |
1873 static SECStatus | 1885 static SECStatus |
1874 ssl3_ConsumeFromItem(SECItem *item, unsigned char **buf, PRUint32 bytes) | 1886 ssl3_ConsumeFromItem(SECItem *item, unsigned char **buf, PRUint32 bytes) |
1875 { | 1887 { |
1876 if (bytes > item->len) | 1888 if (bytes > item->len) |
1877 » return SECFailure; | 1889 return SECFailure; |
1878 | 1890 |
1879 *buf = item->data; | 1891 *buf = item->data; |
1880 item->data += bytes; | 1892 item->data += bytes; |
1881 item->len -= bytes; | 1893 item->len -= bytes; |
1882 return SECSuccess; | 1894 return SECSuccess; |
1883 } | 1895 } |
1884 | 1896 |
1885 static SECStatus | 1897 static SECStatus |
1886 ssl3_ParseEncryptedSessionTicket(sslSocket *ss, SECItem *data, | 1898 ssl3_ParseEncryptedSessionTicket(sslSocket *ss, SECItem *data, |
1887 EncryptedSessionTicket *enc_session_ticket) | 1899 EncryptedSessionTicket *enc_session_ticket) |
1888 { | 1900 { |
1889 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->key_name, | 1901 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->key_name, |
1890 » SESS_TICKET_KEY_NAME_LEN) != SECSuccess) | 1902 SESS_TICKET_KEY_NAME_LEN) != SECSuccess) |
1891 » return SECFailure; | 1903 return SECFailure; |
1892 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->iv, | 1904 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->iv, |
1893 » AES_BLOCK_SIZE) != SECSuccess) | 1905 AES_BLOCK_SIZE) != SECSuccess) |
1894 » return SECFailure; | 1906 return SECFailure; |
1895 if (ssl3_ConsumeHandshakeVariable(ss, &enc_session_ticket->encrypted_state, | 1907 if (ssl3_ConsumeHandshakeVariable(ss, &enc_session_ticket->encrypted_state, |
1896 » 2, &data->data, &data->len) != SECSuccess) | 1908 2, &data->data, &data->len) != SECSuccess) |
1897 » return SECFailure; | 1909 return SECFailure; |
1898 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->mac, | 1910 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->mac, |
1899 » TLS_EX_SESS_TICKET_MAC_LENGTH) != SECSuccess) | 1911 TLS_EX_SESS_TICKET_MAC_LENGTH) != SECSuccess) |
1900 » return SECFailure; | 1912 return SECFailure; |
1901 if (data->len != 0) /* Make sure that we have consumed all bytes. */ | 1913 if (data->len != 0) /* Make sure that we have consumed all bytes. */ |
1902 » return SECFailure; | 1914 return SECFailure; |
1903 | 1915 |
1904 return SECSuccess; | 1916 return SECSuccess; |
1905 } | 1917 } |
1906 | 1918 |
1907 /* go through hello extensions in buffer "b". | 1919 /* go through hello extensions in buffer "b". |
1908 * For each one, find the extension handler in the table, and | 1920 * For each one, find the extension handler in the table, and |
1909 * if present, invoke that handler. | 1921 * if present, invoke that handler. |
1910 * Servers ignore any extensions with unknown extension types. | 1922 * Servers ignore any extensions with unknown extension types. |
1911 * Clients reject any extensions with unadvertised extension types. | 1923 * Clients reject any extensions with unadvertised extension types. |
1912 */ | 1924 */ |
1913 SECStatus | 1925 SECStatus |
1914 ssl3_HandleHelloExtensions(sslSocket *ss, SSL3Opaque **b, PRUint32 *length) | 1926 ssl3_HandleHelloExtensions(sslSocket *ss, SSL3Opaque **b, PRUint32 *length) |
1915 { | 1927 { |
1916 const ssl3HelloExtensionHandler * handlers; | 1928 const ssl3HelloExtensionHandler * handlers; |
1917 | 1929 |
1918 if (ss->sec.isServer) { | 1930 if (ss->sec.isServer) { |
1919 handlers = clientHelloHandlers; | 1931 handlers = clientHelloHandlers; |
1920 } else if (ss->version > SSL_LIBRARY_VERSION_3_0) { | 1932 } else if (ss->version > SSL_LIBRARY_VERSION_3_0) { |
1921 handlers = serverHelloHandlersTLS; | 1933 handlers = serverHelloHandlersTLS; |
1922 } else { | 1934 } else { |
1923 handlers = serverHelloHandlersSSL3; | 1935 handlers = serverHelloHandlersSSL3; |
1924 } | 1936 } |
1925 | 1937 |
1926 while (*length) { | 1938 while (*length) { |
1927 » const ssl3HelloExtensionHandler * handler; | 1939 const ssl3HelloExtensionHandler * handler; |
1928 » SECStatus rv; | 1940 SECStatus rv; |
1929 » PRInt32 extension_type; | 1941 PRInt32 extension_type; |
1930 » SECItem extension_data; | 1942 SECItem extension_data; |
1931 | 1943 |
1932 » /* Get the extension's type field */ | 1944 /* Get the extension's type field */ |
1933 » extension_type = ssl3_ConsumeHandshakeNumber(ss, 2, b, length); | 1945 extension_type = ssl3_ConsumeHandshakeNumber(ss, 2, b, length); |
1934 » if (extension_type < 0) /* failure to decode extension_type */ | 1946 if (extension_type < 0) /* failure to decode extension_type */ |
1935 » return SECFailure; /* alert already sent */ | 1947 return SECFailure; /* alert already sent */ |
1936 | 1948 |
1937 » /* get the data for this extension, so we can pass it or skip it. */ | 1949 /* get the data for this extension, so we can pass it or skip it. */ |
1938 » rv = ssl3_ConsumeHandshakeVariable(ss, &extension_data, 2, b, length); | 1950 rv = ssl3_ConsumeHandshakeVariable(ss, &extension_data, 2, b, length); |
1939 » if (rv != SECSuccess) | 1951 if (rv != SECSuccess) |
1940 » return rv; | 1952 return rv; |
1941 | 1953 |
1942 » /* Check whether the server sent an extension which was not advertised | 1954 /* Check whether the server sent an extension which was not advertised |
1943 » * in the ClientHello. | 1955 * in the ClientHello. |
1944 » */ | 1956 */ |
1945 » if (!ss->sec.isServer && | 1957 if (!ss->sec.isServer && |
1946 » !ssl3_ClientExtensionAdvertised(ss, extension_type)) | 1958 !ssl3_ClientExtensionAdvertised(ss, extension_type)) |
1947 » return SECFailure; /* TODO: send unsupported_extension alert */ | 1959 return SECFailure; /* TODO: send unsupported_extension alert */ |
1948 | 1960 |
1949 » /* Check whether an extension has been sent multiple times. */ | 1961 /* Check whether an extension has been sent multiple times. */ |
1950 » if (ssl3_ExtensionNegotiated(ss, extension_type)) | 1962 if (ssl3_ExtensionNegotiated(ss, extension_type)) |
1951 » return SECFailure; | 1963 return SECFailure; |
1952 | 1964 |
1953 » /* find extension_type in table of Hello Extension Handlers */ | 1965 /* find extension_type in table of Hello Extension Handlers */ |
1954 » for (handler = handlers; handler->ex_type >= 0; handler++) { | 1966 for (handler = handlers; handler->ex_type >= 0; handler++) { |
1955 » /* if found, call this handler */ | 1967 /* if found, call this handler */ |
1956 » if (handler->ex_type == extension_type) { | 1968 if (handler->ex_type == extension_type) { |
1957 » » rv = (*handler->ex_handler)(ss, (PRUint16)extension_type, | 1969 rv = (*handler->ex_handler)(ss, (PRUint16)extension_type, |
1958 » » &extension_data); | 1970 &extension_data); |
1959 » » /* Ignore this result */ | 1971 /* Ignore this result */ |
1960 » » /* Treat all bad extensions as unrecognized types. */ | 1972 /* Treat all bad extensions as unrecognized types. */ |
1961 » break; | 1973 break; |
1962 » } | 1974 } |
1963 » } | 1975 } |
1964 } | 1976 } |
1965 return SECSuccess; | 1977 return SECSuccess; |
1966 } | 1978 } |
1967 | 1979 |
1968 /* Add a callback function to the table of senders of server hello extensions. | 1980 /* Add a callback function to the table of senders of server hello extensions. |
1969 */ | 1981 */ |
1970 SECStatus | 1982 SECStatus |
1971 ssl3_RegisterServerHelloExtensionSender(sslSocket *ss, PRUint16 ex_type, | 1983 ssl3_RegisterServerHelloExtensionSender(sslSocket *ss, PRUint16 ex_type, |
1972 » » » » ssl3HelloExtensionSenderFunc cb) | 1984 ssl3HelloExtensionSenderFunc cb) |
1973 { | 1985 { |
1974 int i; | 1986 int i; |
1975 ssl3HelloExtensionSender *sender = &ss->xtnData.serverSenders[0]; | 1987 ssl3HelloExtensionSender *sender = &ss->xtnData.serverSenders[0]; |
1976 | 1988 |
1977 for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) { | 1989 for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) { |
1978 if (!sender->ex_sender) { | 1990 if (!sender->ex_sender) { |
1979 » sender->ex_type = ex_type; | 1991 sender->ex_type = ex_type; |
1980 » sender->ex_sender = cb; | 1992 sender->ex_sender = cb; |
1981 » return SECSuccess; | 1993 return SECSuccess; |
1982 » } | 1994 } |
1983 » /* detect duplicate senders */ | 1995 /* detect duplicate senders */ |
1984 » PORT_Assert(sender->ex_type != ex_type); | 1996 PORT_Assert(sender->ex_type != ex_type); |
1985 » if (sender->ex_type == ex_type) { | 1997 if (sender->ex_type == ex_type) { |
1986 » /* duplicate */ | 1998 /* duplicate */ |
1987 » break; | 1999 break; |
1988 » } | 2000 } |
1989 } | 2001 } |
1990 PORT_Assert(i < SSL_MAX_EXTENSIONS); /* table needs to grow */ | 2002 PORT_Assert(i < SSL_MAX_EXTENSIONS); /* table needs to grow */ |
1991 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 2003 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
1992 return SECFailure; | 2004 return SECFailure; |
1993 } | 2005 } |
1994 | 2006 |
1995 /* call each of the extension senders and return the accumulated length */ | 2007 /* call each of the extension senders and return the accumulated length */ |
1996 PRInt32 | 2008 PRInt32 |
1997 ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes, | 2009 ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes, |
1998 const ssl3HelloExtensionSender *sender) | 2010 const ssl3HelloExtensionSender *sender) |
1999 { | 2011 { |
2000 PRInt32 total_exten_len = 0; | 2012 PRInt32 total_exten_len = 0; |
2001 int i; | 2013 int i; |
2002 | 2014 |
2003 if (!sender) { | 2015 if (!sender) { |
2004 » sender = ss->version > SSL_LIBRARY_VERSION_3_0 ? | 2016 sender = ss->version > SSL_LIBRARY_VERSION_3_0 ? |
2005 &clientHelloSendersTLS[0] : &clientHelloSendersSSL3[0]; | 2017 &clientHelloSendersTLS[0] : &clientHelloSendersSSL3[0]; |
2006 } | 2018 } |
2007 | 2019 |
2008 for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) { | 2020 for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) { |
2009 » if (sender->ex_sender) { | 2021 if (sender->ex_sender) { |
2010 » PRInt32 extLen = (*sender->ex_sender)(ss, append, maxBytes); | 2022 PRInt32 extLen = (*sender->ex_sender)(ss, append, maxBytes); |
2011 » if (extLen < 0) | 2023 if (extLen < 0) |
2012 » » return -1; | 2024 return -1; |
2013 » maxBytes -= extLen; | 2025 maxBytes -= extLen; |
2014 » total_exten_len += extLen; | 2026 total_exten_len += extLen; |
2015 » } | 2027 } |
2016 } | 2028 } |
2017 return total_exten_len; | 2029 return total_exten_len; |
2018 } | 2030 } |
2019 | 2031 |
2020 | 2032 |
2021 /* Extension format: | 2033 /* Extension format: |
2022 * Extension number: 2 bytes | 2034 * Extension number: 2 bytes |
2023 * Extension length: 2 bytes | 2035 * Extension length: 2 bytes |
2024 * Verify Data Length: 1 byte | 2036 * Verify Data Length: 1 byte |
2025 * Verify Data (TLS): 12 bytes (client) or 24 bytes (server) | 2037 * Verify Data (TLS): 12 bytes (client) or 24 bytes (server) |
2026 * Verify Data (SSL): 36 bytes (client) or 72 bytes (server) | 2038 * Verify Data (SSL): 36 bytes (client) or 72 bytes (server) |
2027 */ | 2039 */ |
2028 static PRInt32 | 2040 static PRInt32 |
2029 ssl3_SendRenegotiationInfoXtn( | 2041 ssl3_SendRenegotiationInfoXtn( |
2030 » » » sslSocket * ss, | 2042 sslSocket * ss, |
2031 » » » PRBool append, | 2043 PRBool append, |
2032 » » » PRUint32 maxBytes) | 2044 PRUint32 maxBytes) |
2033 { | 2045 { |
2034 PRInt32 len, needed; | 2046 PRInt32 len, needed; |
2035 | 2047 |
2036 /* In draft-ietf-tls-renegotiation-03, it is NOT RECOMMENDED to send | 2048 /* In draft-ietf-tls-renegotiation-03, it is NOT RECOMMENDED to send |
2037 * both the SCSV and the empty RI, so when we send SCSV in | 2049 * both the SCSV and the empty RI, so when we send SCSV in |
2038 * the initial handshake, we don't also send RI. | 2050 * the initial handshake, we don't also send RI. |
2039 */ | 2051 */ |
2040 if (!ss || ss->ssl3.hs.sendingSCSV) | 2052 if (!ss || ss->ssl3.hs.sendingSCSV) |
2041 » return 0; | 2053 return 0; |
2042 len = !ss->firstHsDone ? 0 : | 2054 len = !ss->firstHsDone ? 0 : |
2043 » (ss->sec.isServer ? ss->ssl3.hs.finishedBytes * 2 | 2055 (ss->sec.isServer ? ss->ssl3.hs.finishedBytes * 2 |
2044 » » » : ss->ssl3.hs.finishedBytes); | 2056 : ss->ssl3.hs.finishedBytes); |
2045 needed = 5 + len; | 2057 needed = 5 + len; |
2046 if (append && maxBytes >= needed) { | 2058 if (append && maxBytes >= needed) { |
2047 » SECStatus rv; | 2059 SECStatus rv; |
2048 » /* extension_type */ | 2060 /* extension_type */ |
2049 » rv = ssl3_AppendHandshakeNumber(ss, ssl_renegotiation_info_xtn, 2); | 2061 rv = ssl3_AppendHandshakeNumber(ss, ssl_renegotiation_info_xtn, 2); |
2050 » if (rv != SECSuccess) return -1; | 2062 if (rv != SECSuccess) return -1; |
2051 » /* length of extension_data */ | 2063 /* length of extension_data */ |
2052 » rv = ssl3_AppendHandshakeNumber(ss, len + 1, 2); | 2064 rv = ssl3_AppendHandshakeNumber(ss, len + 1, 2); |
2053 » if (rv != SECSuccess) return -1; | 2065 if (rv != SECSuccess) return -1; |
2054 » /* verify_Data from previous Finished message(s) */ | 2066 /* verify_Data from previous Finished message(s) */ |
2055 » rv = ssl3_AppendHandshakeVariable(ss, | 2067 rv = ssl3_AppendHandshakeVariable(ss, |
2056 » » ss->ssl3.hs.finishedMsgs.data, len, 1); | 2068 ss->ssl3.hs.finishedMsgs.data, len, 1); |
2057 » if (rv != SECSuccess) return -1; | 2069 if (rv != SECSuccess) return -1; |
2058 » if (!ss->sec.isServer) { | 2070 if (!ss->sec.isServer) { |
2059 » TLSExtensionData *xtnData = &ss->xtnData; | 2071 TLSExtensionData *xtnData = &ss->xtnData; |
2060 » xtnData->advertised[xtnData->numAdvertised++] = | 2072 xtnData->advertised[xtnData->numAdvertised++] = |
2061 » ssl_renegotiation_info_xtn; | 2073 ssl_renegotiation_info_xtn; |
2062 » } | 2074 } |
2063 } | 2075 } |
2064 return needed; | 2076 return needed; |
2065 } | 2077 } |
2066 | 2078 |
2067 static SECStatus | 2079 static SECStatus |
2068 ssl3_ServerHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type, | 2080 ssl3_ServerHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type, |
2069 » » » » SECItem *data) | 2081 SECItem *data) |
2070 { | 2082 { |
2071 SECStatus rv = SECSuccess; | 2083 SECStatus rv = SECSuccess; |
2072 | 2084 |
2073 /* remember that we got this extension. */ | 2085 /* remember that we got this extension. */ |
2074 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | 2086 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
2075 PORT_Assert(ss->sec.isServer); | 2087 PORT_Assert(ss->sec.isServer); |
2076 /* prepare to send back the appropriate response */ | 2088 /* prepare to send back the appropriate response */ |
2077 rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type, | 2089 rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type, |
2078 » » » » » ssl3_ServerSendStatusRequestXtn); | 2090 ssl3_ServerSendStatusRequestXtn); |
2079 return rv; | 2091 return rv; |
2080 } | 2092 } |
2081 | 2093 |
2082 /* This function runs in both the client and server. */ | 2094 /* This function runs in both the client and server. */ |
2083 static SECStatus | 2095 static SECStatus |
2084 ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) | 2096 ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) |
2085 { | 2097 { |
2086 SECStatus rv = SECSuccess; | 2098 SECStatus rv = SECSuccess; |
2087 PRUint32 len = 0; | 2099 PRUint32 len = 0; |
2088 | 2100 |
2089 if (ss->firstHsDone) { | 2101 if (ss->firstHsDone) { |
2090 » len = ss->sec.isServer ? ss->ssl3.hs.finishedBytes | 2102 len = ss->sec.isServer ? ss->ssl3.hs.finishedBytes |
2091 » : ss->ssl3.hs.finishedBytes * 2; | 2103 : ss->ssl3.hs.finishedBytes * 2; |
2092 } | 2104 } |
2093 if (data->len != 1 + len || | 2105 if (data->len != 1 + len || |
2094 » data->data[0] != len || (len && | 2106 data->data[0] != len || (len && |
2095 » NSS_SecureMemcmp(ss->ssl3.hs.finishedMsgs.data, | 2107 NSS_SecureMemcmp(ss->ssl3.hs.finishedMsgs.data, |
2096 » data->data + 1, len))) { | 2108 data->data + 1, len))) { |
2097 » /* Can we do this here? Or, must we arrange for the caller to do it? */ | 2109 /* Can we do this here? Or, must we arrange for the caller to do it? */ |
2098 » (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure); | 2110 (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure); |
2099 » PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); | 2111 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); |
2100 » return SECFailure; | 2112 return SECFailure; |
2101 } | 2113 } |
2102 /* remember that we got this extension and it was correct. */ | 2114 /* remember that we got this extension and it was correct. */ |
2103 ss->peerRequestedProtection = 1; | 2115 ss->peerRequestedProtection = 1; |
2104 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | 2116 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
2105 if (ss->sec.isServer) { | 2117 if (ss->sec.isServer) { |
2106 » /* prepare to send back the appropriate response */ | 2118 /* prepare to send back the appropriate response */ |
2107 » rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type, | 2119 rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type, |
2108 » » » » » ssl3_SendRenegotiationInfoXtn); | 2120 ssl3_SendRenegotiationInfoXtn); |
2109 } | 2121 } |
2110 return rv; | 2122 return rv; |
2111 } | 2123 } |
2112 | 2124 |
2113 static PRInt32 | 2125 static PRInt32 |
2114 ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes) | 2126 ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes) |
2115 { | 2127 { |
2116 PRUint32 ext_data_len; | 2128 PRUint32 ext_data_len; |
2117 PRInt16 i; | 2129 PRInt16 i; |
2118 SECStatus rv; | 2130 SECStatus rv; |
2119 | 2131 |
2120 if (!ss) | 2132 if (!ss) |
2121 » return 0; | 2133 return 0; |
2122 | 2134 |
2123 if (!ss->sec.isServer) { | 2135 if (!ss->sec.isServer) { |
2124 » /* Client side */ | 2136 /* Client side */ |
2125 | 2137 |
2126 » if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) | 2138 if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) |
2127 » return 0; /* Not relevant */ | 2139 return 0; /* Not relevant */ |
2128 | 2140 |
2129 » ext_data_len = 2 + 2 * ss->ssl3.dtlsSRTPCipherCount + 1; | 2141 ext_data_len = 2 + 2 * ss->ssl3.dtlsSRTPCipherCount + 1; |
2130 | 2142 |
2131 » if (append && maxBytes >= 4 + ext_data_len) { | 2143 if (append && maxBytes >= 4 + ext_data_len) { |
2132 » /* Extension type */ | 2144 /* Extension type */ |
2133 » rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2); | 2145 rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2); |
2134 » if (rv != SECSuccess) return -1; | 2146 if (rv != SECSuccess) return -1; |
2135 » /* Length of extension data */ | 2147 /* Length of extension data */ |
2136 » rv = ssl3_AppendHandshakeNumber(ss, ext_data_len, 2); | 2148 rv = ssl3_AppendHandshakeNumber(ss, ext_data_len, 2); |
2137 » if (rv != SECSuccess) return -1; | 2149 if (rv != SECSuccess) return -1; |
2138 » /* Length of the SRTP cipher list */ | 2150 /* Length of the SRTP cipher list */ |
2139 » rv = ssl3_AppendHandshakeNumber(ss, | 2151 rv = ssl3_AppendHandshakeNumber(ss, |
2140 » » » » » 2 * ss->ssl3.dtlsSRTPCipherCount, | 2152 2 * ss->ssl3.dtlsSRTPCipherCount, |
2141 » » » » » 2); | 2153 2); |
2142 » if (rv != SECSuccess) return -1; | 2154 if (rv != SECSuccess) return -1; |
2143 » /* The SRTP ciphers */ | 2155 /* The SRTP ciphers */ |
2144 » for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) { | 2156 for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) { |
2145 » » rv = ssl3_AppendHandshakeNumber(ss, | 2157 rv = ssl3_AppendHandshakeNumber(ss, |
2146 » » » » » » ss->ssl3.dtlsSRTPCiphers[i], | 2158 ss->ssl3.dtlsSRTPCiphers[i], |
2147 » » » » » » 2); | 2159 2); |
2148 » } | 2160 } |
2149 » /* Empty MKI value */ | 2161 /* Empty MKI value */ |
2150 » ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); | 2162 ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); |
2151 | 2163 |
2152 » ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | 2164 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = |
2153 » » ssl_use_srtp_xtn; | 2165 ssl_use_srtp_xtn; |
2154 » } | 2166 } |
2155 | 2167 |
2156 » return 4 + ext_data_len; | 2168 return 4 + ext_data_len; |
2157 } | 2169 } |
2158 | 2170 |
2159 /* Server side */ | 2171 /* Server side */ |
2160 if (append && maxBytes >= 9) { | 2172 if (append && maxBytes >= 9) { |
2161 » /* Extension type */ | 2173 /* Extension type */ |
2162 » rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2); | 2174 rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2); |
2163 » if (rv != SECSuccess) return -1; | 2175 if (rv != SECSuccess) return -1; |
2164 » /* Length of extension data */ | 2176 /* Length of extension data */ |
2165 » rv = ssl3_AppendHandshakeNumber(ss, 5, 2); | 2177 rv = ssl3_AppendHandshakeNumber(ss, 5, 2); |
2166 » if (rv != SECSuccess) return -1; | 2178 if (rv != SECSuccess) return -1; |
2167 » /* Length of the SRTP cipher list */ | 2179 /* Length of the SRTP cipher list */ |
2168 » rv = ssl3_AppendHandshakeNumber(ss, 2, 2); | 2180 rv = ssl3_AppendHandshakeNumber(ss, 2, 2); |
2169 » if (rv != SECSuccess) return -1; | 2181 if (rv != SECSuccess) return -1; |
2170 » /* The selected cipher */ | 2182 /* The selected cipher */ |
2171 » rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.dtlsSRTPCipherSuite, 2); | 2183 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.dtlsSRTPCipherSuite, 2); |
2172 » if (rv != SECSuccess) return -1; | 2184 if (rv != SECSuccess) return -1; |
2173 » /* Empty MKI value */ | 2185 /* Empty MKI value */ |
2174 » ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); | 2186 ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); |
2175 } | 2187 } |
2176 | 2188 |
2177 return 9; | 2189 return 9; |
2178 } | 2190 } |
2179 | 2191 |
2180 static SECStatus | 2192 static SECStatus |
2181 ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data) | 2193 ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data) |
2182 { | 2194 { |
2183 SECStatus rv; | 2195 SECStatus rv; |
2184 SECItem ciphers = {siBuffer, NULL, 0}; | 2196 SECItem ciphers = {siBuffer, NULL, 0}; |
2185 PRUint16 i; | 2197 PRUint16 i; |
2186 unsigned int j; | 2198 unsigned int j; |
2187 PRUint16 cipher = 0; | 2199 PRUint16 cipher = 0; |
2188 PRBool found = PR_FALSE; | 2200 PRBool found = PR_FALSE; |
2189 SECItem litem; | 2201 SECItem litem; |
2190 | 2202 |
2191 if (!ss->sec.isServer) { | 2203 if (!ss->sec.isServer) { |
2192 » /* Client side */ | 2204 /* Client side */ |
2193 » if (!data->data || !data->len) { | 2205 if (!data->data || !data->len) { |
2194 /* malformed */ | 2206 /* malformed */ |
2195 return SECFailure; | 2207 return SECFailure; |
2196 » } | 2208 } |
2197 | 2209 |
2198 » /* Get the cipher list */ | 2210 /* Get the cipher list */ |
2199 » rv = ssl3_ConsumeHandshakeVariable(ss, &ciphers, 2, | 2211 rv = ssl3_ConsumeHandshakeVariable(ss, &ciphers, 2, |
2200 » » » » » &data->data, &data->len); | 2212 &data->data, &data->len); |
2201 » if (rv != SECSuccess) { | 2213 if (rv != SECSuccess) { |
2202 » return SECFailure; | 2214 return SECFailure; |
2203 » } | 2215 } |
2204 » /* Now check that the number of ciphers listed is 1 (len = 2) */ | 2216 /* Now check that the number of ciphers listed is 1 (len = 2) */ |
2205 » if (ciphers.len != 2) { | 2217 if (ciphers.len != 2) { |
2206 » return SECFailure; | 2218 return SECFailure; |
2207 » } | 2219 } |
2208 | 2220 |
2209 » /* Get the selected cipher */ | 2221 /* Get the selected cipher */ |
2210 » cipher = (ciphers.data[0] << 8) | ciphers.data[1]; | 2222 cipher = (ciphers.data[0] << 8) | ciphers.data[1]; |
2211 | 2223 |
2212 » /* Now check that this is one of the ciphers we offered */ | 2224 /* Now check that this is one of the ciphers we offered */ |
2213 » for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) { | 2225 for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) { |
2214 » if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) { | 2226 if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) { |
2215 » » found = PR_TRUE; | 2227 found = PR_TRUE; |
2216 » » break; | 2228 break; |
2217 » } | 2229 } |
2218 » } | 2230 } |
2219 | 2231 |
2220 » if (!found) { | 2232 if (!found) { |
2221 » return SECFailure; | 2233 return SECFailure; |
2222 » } | 2234 } |
2223 | 2235 |
2224 » /* Get the srtp_mki value */ | 2236 /* Get the srtp_mki value */ |
2225 rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 1, | 2237 rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 1, |
2226 » » » » » &data->data, &data->len); | 2238 &data->data, &data->len); |
2227 if (rv != SECSuccess) { | 2239 if (rv != SECSuccess) { |
2228 return SECFailure; | 2240 return SECFailure; |
2229 } | 2241 } |
2230 | 2242 |
2231 » /* We didn't offer an MKI, so this must be 0 length */ | 2243 /* We didn't offer an MKI, so this must be 0 length */ |
2232 » /* XXX RFC 5764 Section 4.1.3 says: | 2244 /* XXX RFC 5764 Section 4.1.3 says: |
2233 » * If the client detects a nonzero-length MKI in the server's | 2245 * If the client detects a nonzero-length MKI in the server's |
2234 » * response that is different than the one the client offered, | 2246 * response that is different than the one the client offered, |
2235 » * then the client MUST abort the handshake and SHOULD send an | 2247 * then the client MUST abort the handshake and SHOULD send an |
2236 » * invalid_parameter alert. | 2248 * invalid_parameter alert. |
2237 » * | 2249 * |
2238 » * Due to a limitation of the ssl3_HandleHelloExtensions function, | 2250 * Due to a limitation of the ssl3_HandleHelloExtensions function, |
2239 » * returning SECFailure here won't abort the handshake. It will | 2251 * returning SECFailure here won't abort the handshake. It will |
2240 » * merely cause the use_srtp extension to be not negotiated. We | 2252 * merely cause the use_srtp extension to be not negotiated. We |
2241 » * should fix this. See NSS bug 753136. | 2253 * should fix this. See NSS bug 753136. |
2242 » */ | 2254 */ |
2243 » if (litem.len != 0) { | 2255 if (litem.len != 0) { |
2244 » return SECFailure; | 2256 return SECFailure; |
2245 » } | 2257 } |
2246 | 2258 |
2247 » if (data->len != 0) { | 2259 if (data->len != 0) { |
2248 /* malformed */ | 2260 /* malformed */ |
2249 return SECFailure; | 2261 return SECFailure; |
2250 » } | 2262 } |
2251 | 2263 |
2252 » /* OK, this looks fine. */ | 2264 /* OK, this looks fine. */ |
2253 » ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn; | 2265 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn; |
2254 » ss->ssl3.dtlsSRTPCipherSuite = cipher; | 2266 ss->ssl3.dtlsSRTPCipherSuite = cipher; |
2255 » return SECSuccess; | 2267 return SECSuccess; |
2256 } | 2268 } |
2257 | 2269 |
2258 /* Server side */ | 2270 /* Server side */ |
2259 if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) { | 2271 if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) { |
2260 » /* Ignore the extension if we aren't doing DTLS or no DTLS-SRTP | 2272 /* Ignore the extension if we aren't doing DTLS or no DTLS-SRTP |
2261 » * preferences have been set. */ | 2273 * preferences have been set. */ |
2262 » return SECSuccess; | 2274 return SECSuccess; |
2263 } | 2275 } |
2264 | 2276 |
2265 if (!data->data || data->len < 5) { | 2277 if (!data->data || data->len < 5) { |
2266 » /* malformed */ | 2278 /* malformed */ |
2267 » return SECFailure; | 2279 return SECFailure; |
2268 } | 2280 } |
2269 | 2281 |
2270 /* Get the cipher list */ | 2282 /* Get the cipher list */ |
2271 rv = ssl3_ConsumeHandshakeVariable(ss, &ciphers, 2, | 2283 rv = ssl3_ConsumeHandshakeVariable(ss, &ciphers, 2, |
2272 » » » » &data->data, &data->len); | 2284 &data->data, &data->len); |
2273 if (rv != SECSuccess) { | 2285 if (rv != SECSuccess) { |
2274 » return SECFailure; | 2286 return SECFailure; |
2275 } | 2287 } |
2276 /* Check that the list is even length */ | 2288 /* Check that the list is even length */ |
2277 if (ciphers.len % 2) { | 2289 if (ciphers.len % 2) { |
2278 » return SECFailure; | 2290 return SECFailure; |
2279 } | 2291 } |
2280 | 2292 |
2281 /* Walk through the offered list and pick the most preferred of our | 2293 /* Walk through the offered list and pick the most preferred of our |
2282 * ciphers, if any */ | 2294 * ciphers, if any */ |
2283 for (i = 0; !found && i < ss->ssl3.dtlsSRTPCipherCount; i++) { | 2295 for (i = 0; !found && i < ss->ssl3.dtlsSRTPCipherCount; i++) { |
2284 » for (j = 0; j + 1 < ciphers.len; j += 2) { | 2296 for (j = 0; j + 1 < ciphers.len; j += 2) { |
2285 » cipher = (ciphers.data[j] << 8) | ciphers.data[j + 1]; | 2297 cipher = (ciphers.data[j] << 8) | ciphers.data[j + 1]; |
2286 » if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) { | 2298 if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) { |
2287 » » found = PR_TRUE; | 2299 found = PR_TRUE; |
2288 » » break; | 2300 break; |
2289 » } | 2301 } |
2290 » } | 2302 } |
2291 } | 2303 } |
2292 | 2304 |
2293 /* Get the srtp_mki value */ | 2305 /* Get the srtp_mki value */ |
2294 rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 1, &data->data, &data->len); | 2306 rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 1, &data->data, &data->len); |
2295 if (rv != SECSuccess) { | 2307 if (rv != SECSuccess) { |
2296 » return SECFailure; | 2308 return SECFailure; |
2297 } | 2309 } |
2298 | 2310 |
2299 if (data->len != 0) { | 2311 if (data->len != 0) { |
2300 » return SECFailure; /* Malformed */ | 2312 return SECFailure; /* Malformed */ |
2301 } | 2313 } |
2302 | 2314 |
2303 /* Now figure out what to do */ | 2315 /* Now figure out what to do */ |
2304 if (!found) { | 2316 if (!found) { |
2305 » /* No matching ciphers */ | 2317 /* No matching ciphers */ |
2306 » return SECSuccess; | 2318 return SECSuccess; |
2307 } | 2319 } |
2308 | 2320 |
2309 /* OK, we have a valid cipher and we've selected it */ | 2321 /* OK, we have a valid cipher and we've selected it */ |
2310 ss->ssl3.dtlsSRTPCipherSuite = cipher; | 2322 ss->ssl3.dtlsSRTPCipherSuite = cipher; |
2311 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn; | 2323 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn; |
2312 | 2324 |
2313 return ssl3_RegisterServerHelloExtensionSender(ss, ssl_use_srtp_xtn, | 2325 return ssl3_RegisterServerHelloExtensionSender(ss, ssl_use_srtp_xtn, |
2314 » » » » » » ssl3_SendUseSRTPXtn); | 2326 ssl3_SendUseSRTPXtn); |
2315 } | 2327 } |
2316 | 2328 |
2317 /* ssl3_ServerHandleSigAlgsXtn handles the signature_algorithms extension | 2329 /* ssl3_ServerHandleSigAlgsXtn handles the signature_algorithms extension |
2318 * from a client. | 2330 * from a client. |
2319 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ | 2331 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ |
2320 static SECStatus | 2332 static SECStatus |
2321 ssl3_ServerHandleSigAlgsXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data) | 2333 ssl3_ServerHandleSigAlgsXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data) |
2322 { | 2334 { |
2323 SECStatus rv; | 2335 SECStatus rv; |
2324 SECItem algorithms; | 2336 SECItem algorithms; |
2325 const unsigned char *b; | 2337 const unsigned char *b; |
2326 unsigned int numAlgorithms, i; | 2338 unsigned int numAlgorithms, i, j; |
2327 | 2339 |
2328 /* Ignore this extension if we aren't doing TLS 1.2 or greater. */ | 2340 /* Ignore this extension if we aren't doing TLS 1.2 or greater. */ |
2329 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) { | 2341 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) { |
2330 » return SECSuccess; | 2342 return SECSuccess; |
2331 } | 2343 } |
2332 | 2344 |
2333 /* Keep track of negotiated extensions. */ | 2345 /* Keep track of negotiated extensions. */ |
2334 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | 2346 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
2335 | 2347 |
2336 rv = ssl3_ConsumeHandshakeVariable(ss, &algorithms, 2, &data->data, | 2348 rv = ssl3_ConsumeHandshakeVariable(ss, &algorithms, 2, &data->data, |
2337 » » » » &data->len); | 2349 &data->len); |
2338 if (rv != SECSuccess) { | 2350 if (rv != SECSuccess) { |
2339 » return SECFailure; | 2351 return SECFailure; |
2340 } | 2352 } |
2341 /* Trailing data, empty value, or odd-length value is invalid. */ | 2353 /* Trailing data, empty value, or odd-length value is invalid. */ |
2342 if (data->len != 0 || algorithms.len == 0 || (algorithms.len & 1) != 0) { | 2354 if (data->len != 0 || algorithms.len == 0 || (algorithms.len & 1) != 0) { |
2343 » PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); | 2355 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); |
2344 » return SECFailure; | 2356 return SECFailure; |
2345 } | 2357 } |
2346 | 2358 |
2347 numAlgorithms = algorithms.len/2; | 2359 numAlgorithms = algorithms.len/2; |
2348 | 2360 |
2349 /* We don't care to process excessive numbers of algorithms. */ | 2361 /* We don't care to process excessive numbers of algorithms. */ |
2350 if (numAlgorithms > 512) { | 2362 if (numAlgorithms > 512) { |
2351 » numAlgorithms = 512; | 2363 numAlgorithms = 512; |
2352 } | 2364 } |
2353 | 2365 |
2354 ss->ssl3.hs.clientSigAndHash = | 2366 ss->ssl3.hs.clientSigAndHash = |
2355 » PORT_NewArray(SSL3SignatureAndHashAlgorithm, numAlgorithms); | 2367 PORT_NewArray(SSL3SignatureAndHashAlgorithm, numAlgorithms); |
2356 if (!ss->ssl3.hs.clientSigAndHash) { | 2368 if (!ss->ssl3.hs.clientSigAndHash) { |
2357 » return SECFailure; | 2369 return SECFailure; |
2358 } | 2370 } |
2359 ss->ssl3.hs.numClientSigAndHash = 0; | 2371 ss->ssl3.hs.numClientSigAndHash = 0; |
2360 | 2372 |
2361 b = algorithms.data; | 2373 b = algorithms.data; |
2362 for (i = 0; i < numAlgorithms; i++) { | 2374 for (i = j = 0; i < numAlgorithms; i++) { |
2363 » unsigned char tls_hash = *(b++); | 2375 unsigned char tls_hash = *(b++); |
2364 » unsigned char tls_sig = *(b++); | 2376 unsigned char tls_sig = *(b++); |
2365 » SECOidTag hash = ssl3_TLSHashAlgorithmToOID(tls_hash); | 2377 SECOidTag hash = ssl3_TLSHashAlgorithmToOID(tls_hash); |
2366 | 2378 |
2367 » if (hash == SEC_OID_UNKNOWN) { | 2379 if (hash == SEC_OID_UNKNOWN) { |
2368 » /* We ignore formats that we don't understand. */ | 2380 /* We ignore formats that we don't understand. */ |
2369 » continue; | 2381 continue; |
2370 » } | 2382 } |
2371 » /* tls_sig support will be checked later in | 2383 /* tls_sig support will be checked later in |
2372 » * ssl3_PickSignatureHashAlgorithm. */ | 2384 * ssl3_PickSignatureHashAlgorithm. */ |
2373 » ss->ssl3.hs.clientSigAndHash[i].hashAlg = hash; | 2385 ss->ssl3.hs.clientSigAndHash[j].hashAlg = hash; |
2374 » ss->ssl3.hs.clientSigAndHash[i].sigAlg = tls_sig; | 2386 ss->ssl3.hs.clientSigAndHash[j].sigAlg = tls_sig; |
2375 » ss->ssl3.hs.numClientSigAndHash++; | 2387 ++j; |
2388 ++ss->ssl3.hs.numClientSigAndHash; | |
2376 } | 2389 } |
2377 | 2390 |
2378 if (!ss->ssl3.hs.numClientSigAndHash) { | 2391 if (!ss->ssl3.hs.numClientSigAndHash) { |
2379 » /* We didn't understand any of the client's requested signature | 2392 /* We didn't understand any of the client's requested signature |
2380 » * formats. We'll use the defaults. */ | 2393 * formats. We'll use the defaults. */ |
2381 » PORT_Free(ss->ssl3.hs.clientSigAndHash); | 2394 PORT_Free(ss->ssl3.hs.clientSigAndHash); |
2382 » ss->ssl3.hs.clientSigAndHash = NULL; | 2395 ss->ssl3.hs.clientSigAndHash = NULL; |
2383 } | 2396 } |
2384 | 2397 |
2385 return SECSuccess; | 2398 return SECSuccess; |
2386 } | 2399 } |
2387 | 2400 |
2388 /* ssl3_ClientSendSigAlgsXtn sends the signature_algorithm extension for TLS | 2401 /* ssl3_ClientSendSigAlgsXtn sends the signature_algorithm extension for TLS |
2389 * 1.2 ClientHellos. */ | 2402 * 1.2 ClientHellos. */ |
2390 static PRInt32 | 2403 static PRInt32 |
2391 ssl3_ClientSendSigAlgsXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes) | 2404 ssl3_ClientSendSigAlgsXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes) |
2392 { | 2405 { |
2393 static const unsigned char signatureAlgorithms[] = { | 2406 static const unsigned char signatureAlgorithms[] = { |
2394 » /* This block is the contents of our signature_algorithms extension, in | 2407 /* This block is the contents of our signature_algorithms extension, in |
2395 » * wire format. See | 2408 * wire format. See |
2396 » * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ | 2409 * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ |
2397 » tls_hash_sha256, tls_sig_rsa, | 2410 tls_hash_sha256, tls_sig_rsa, |
2398 » tls_hash_sha384, tls_sig_rsa, | 2411 tls_hash_sha384, tls_sig_rsa, |
2399 » tls_hash_sha1, tls_sig_rsa, | 2412 tls_hash_sha1, tls_sig_rsa, |
2400 #ifdef NSS_ENABLE_ECC | 2413 #ifndef NSS_DISABLE_ECC |
2401 » tls_hash_sha256, tls_sig_ecdsa, | 2414 tls_hash_sha256, tls_sig_ecdsa, |
2402 » tls_hash_sha384, tls_sig_ecdsa, | 2415 tls_hash_sha384, tls_sig_ecdsa, |
2403 » tls_hash_sha1, tls_sig_ecdsa, | 2416 tls_hash_sha1, tls_sig_ecdsa, |
2404 #endif | 2417 #endif |
2405 » tls_hash_sha256, tls_sig_dsa, | 2418 tls_hash_sha256, tls_sig_dsa, |
2406 » tls_hash_sha1, tls_sig_dsa, | 2419 tls_hash_sha1, tls_sig_dsa, |
2407 }; | 2420 }; |
2408 PRInt32 extension_length; | 2421 PRInt32 extension_length; |
2409 | 2422 |
2410 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) { | 2423 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) { |
2411 » return 0; | 2424 return 0; |
2412 } | 2425 } |
2413 | 2426 |
2414 extension_length = | 2427 extension_length = |
2415 » 2 /* extension type */ + | 2428 2 /* extension type */ + |
2416 » 2 /* extension length */ + | 2429 2 /* extension length */ + |
2417 » 2 /* supported_signature_algorithms length */ + | 2430 2 /* supported_signature_algorithms length */ + |
2418 » sizeof(signatureAlgorithms); | 2431 sizeof(signatureAlgorithms); |
2419 | 2432 |
2420 if (append && maxBytes >= extension_length) { | 2433 if (append && maxBytes >= extension_length) { |
2421 » SECStatus rv; | 2434 SECStatus rv; |
2422 » rv = ssl3_AppendHandshakeNumber(ss, ssl_signature_algorithms_xtn, 2); | 2435 rv = ssl3_AppendHandshakeNumber(ss, ssl_signature_algorithms_xtn, 2); |
2423 » if (rv != SECSuccess) | 2436 if (rv != SECSuccess) |
2424 » goto loser; | 2437 goto loser; |
2425 » rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); | 2438 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); |
2426 » if (rv != SECSuccess) | 2439 if (rv != SECSuccess) |
2427 » goto loser; | 2440 goto loser; |
2428 » rv = ssl3_AppendHandshakeVariable(ss, signatureAlgorithms, | 2441 rv = ssl3_AppendHandshakeVariable(ss, signatureAlgorithms, |
2429 » » » » » sizeof(signatureAlgorithms), 2); | 2442 sizeof(signatureAlgorithms), 2); |
2430 » if (rv != SECSuccess) | 2443 if (rv != SECSuccess) |
2431 » goto loser; | 2444 goto loser; |
2432 » ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | 2445 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = |
2433 » » ssl_signature_algorithms_xtn; | 2446 ssl_signature_algorithms_xtn; |
2434 } else if (maxBytes < extension_length) { | 2447 } else if (maxBytes < extension_length) { |
2435 » PORT_Assert(0); | 2448 PORT_Assert(0); |
2436 » return 0; | 2449 return 0; |
2437 } | 2450 } |
2438 | 2451 |
2439 return extension_length; | 2452 return extension_length; |
2440 | 2453 |
2441 loser: | 2454 loser: |
2442 return -1; | 2455 return -1; |
2443 } | 2456 } |
2444 | 2457 |
2445 unsigned int | 2458 unsigned int |
2446 ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength) | 2459 ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength) |
2447 { | 2460 { |
2448 unsigned int recordLength = 1 /* handshake message type */ + | 2461 unsigned int recordLength = 1 /* handshake message type */ + |
2449 » » » » 3 /* handshake message length */ + | 2462 3 /* handshake message length */ + |
2450 » » » » clientHelloLength; | 2463 clientHelloLength; |
2451 unsigned int extensionLength; | 2464 unsigned int extensionLength; |
2452 | 2465 |
2453 if (recordLength < 256 || recordLength >= 512) { | 2466 if (recordLength < 256 || recordLength >= 512) { |
2454 » return 0; | 2467 return 0; |
2455 } | 2468 } |
2456 | 2469 |
2457 extensionLength = 512 - recordLength; | 2470 extensionLength = 512 - recordLength; |
2458 /* Extensions take at least four bytes to encode. Always include at least | 2471 /* Extensions take at least four bytes to encode. Always include at least |
2459 * one byte of data if including the extension. WebSphere Application Server | 2472 * one byte of data if including the extension. WebSphere Application |
2460 * 7.0 is intolerant to the last extension being zero-length. */ | 2473 * Server 7.0 is intolerant to the last extension being zero-length. */ |
2461 if (extensionLength < 4 + 1) { | 2474 if (extensionLength < 4 + 1) { |
2462 » extensionLength = 4 + 1; | 2475 extensionLength = 4 + 1; |
2463 } | 2476 } |
2464 | 2477 |
2465 return extensionLength; | 2478 return extensionLength; |
2466 } | 2479 } |
2467 | 2480 |
2468 /* ssl3_AppendPaddingExtension possibly adds an extension which ensures that a | 2481 /* ssl3_AppendPaddingExtension possibly adds an extension which ensures that a |
2469 * ClientHello record is either < 256 bytes or is >= 512 bytes. This ensures | 2482 * ClientHello record is either < 256 bytes or is >= 512 bytes. This ensures |
2470 * that we don't trigger bugs in F5 products. */ | 2483 * that we don't trigger bugs in F5 products. */ |
2471 PRInt32 | 2484 PRInt32 |
2472 ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen, | 2485 ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen, |
2473 » » » PRUint32 maxBytes) | 2486 PRUint32 maxBytes) |
2474 { | 2487 { |
2475 unsigned int paddingLen = extensionLen - 4; | 2488 unsigned int paddingLen = extensionLen - 4; |
2476 static unsigned char padding[256]; | 2489 static unsigned char padding[256]; |
2477 | 2490 |
2478 if (extensionLen == 0) { | 2491 if (extensionLen == 0) { |
2479 » return 0; | 2492 return 0; |
2480 } | 2493 } |
2481 | 2494 |
2482 if (extensionLen < 4 || | 2495 if (extensionLen < 4 || |
2483 » extensionLen > maxBytes || | 2496 extensionLen > maxBytes || |
2484 » paddingLen > sizeof(padding)) { | 2497 paddingLen > sizeof(padding)) { |
2485 » PORT_Assert(0); | 2498 PORT_Assert(0); |
2486 » return -1; | 2499 return -1; |
2487 } | 2500 } |
2488 | 2501 |
2489 if (SECSuccess != ssl3_AppendHandshakeNumber(ss, ssl_padding_xtn, 2)) | 2502 if (SECSuccess != ssl3_AppendHandshakeNumber(ss, ssl_padding_xtn, 2)) |
2490 » return -1; | 2503 return -1; |
2491 if (SECSuccess != ssl3_AppendHandshakeNumber(ss, paddingLen, 2)) | 2504 if (SECSuccess != ssl3_AppendHandshakeNumber(ss, paddingLen, 2)) |
2492 » return -1; | 2505 return -1; |
2493 if (SECSuccess != ssl3_AppendHandshake(ss, padding, paddingLen)) | 2506 if (SECSuccess != ssl3_AppendHandshake(ss, padding, paddingLen)) |
2494 » return -1; | 2507 return -1; |
2495 | 2508 |
2496 return extensionLen; | 2509 return extensionLen; |
2497 } | 2510 } |
2498 | 2511 |
2512 /* ssl3_ClientSendDraftVersionXtn sends the TLS 1.3 temporary draft | |
2513 * version extension. | |
2514 * TODO(ekr@rtfm.com): Remove when TLS 1.3 is published. */ | |
2515 static PRInt32 | |
2516 ssl3_ClientSendDraftVersionXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes) | |
2517 { | |
2518 PRInt32 extension_length; | |
2519 | |
2520 if (ss->version != SSL_LIBRARY_VERSION_TLS_1_3) { | |
2521 return 0; | |
2522 } | |
2523 | |
2524 extension_length = 6; /* Type + length + number */ | |
2525 if (append && maxBytes >= extension_length) { | |
2526 SECStatus rv; | |
2527 rv = ssl3_AppendHandshakeNumber(ss, ssl_tls13_draft_version_xtn, 2); | |
2528 if (rv != SECSuccess) | |
2529 goto loser; | |
2530 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); | |
2531 if (rv != SECSuccess) | |
2532 goto loser; | |
2533 rv = ssl3_AppendHandshakeNumber(ss, TLS_1_3_DRAFT_VERSION, 2); | |
2534 if (rv != SECSuccess) | |
2535 goto loser; | |
2536 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | |
2537 ssl_tls13_draft_version_xtn; | |
2538 } else if (maxBytes < extension_length) { | |
2539 PORT_Assert(0); | |
2540 return 0; | |
2541 } | |
2542 | |
2543 return extension_length; | |
2544 | |
2545 loser: | |
2546 return -1; | |
2547 } | |
2548 | |
2549 /* ssl3_ServerHandleDraftVersionXtn handles the TLS 1.3 temporary draft | |
2550 * version extension. | |
2551 * TODO(ekr@rtfm.com): Remove when TLS 1.3 is published. */ | |
2552 static SECStatus | |
2553 ssl3_ServerHandleDraftVersionXtn(sslSocket * ss, PRUint16 ex_type, | |
2554 SECItem *data) | |
2555 { | |
2556 PRInt32 draft_version; | |
2557 | |
2558 /* Ignore this extension if we aren't doing TLS 1.3 */ | |
2559 if (ss->version != SSL_LIBRARY_VERSION_TLS_1_3) { | |
2560 return SECSuccess; | |
2561 } | |
2562 | |
2563 if (data->len != 2) | |
2564 goto loser; | |
2565 | |
2566 /* Get the draft version out of the handshake */ | |
2567 draft_version = ssl3_ConsumeHandshakeNumber(ss, 2, | |
2568 &data->data, &data->len); | |
2569 if (draft_version < 0) { | |
2570 goto loser; | |
2571 } | |
2572 | |
2573 /* Keep track of negotiated extensions. */ | |
2574 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | |
2575 | |
2576 /* Compare the version */ | |
2577 if (draft_version != TLS_1_3_DRAFT_VERSION) { | |
2578 SSL_TRC(30, ("%d: SSL3[%d]: Incompatible version of TLS 1.3 (%d), " | |
2579 "expected %d", | |
2580 SSL_GETPID(), ss->fd, draft_version, TLS_1_3_DRAFT_VERSION) ); | |
2581 goto loser; | |
2582 } | |
2583 | |
2584 return SECSuccess; | |
2585 | |
2586 loser: | |
2587 /* | |
2588 * Incompatible/broken TLS 1.3 implementation. Fall back to TLS 1.2. | |
2589 * TODO(ekr@rtfm.com): It's not entirely clear it's safe to roll back | |
2590 * here. Need to double-check. | |
2591 * TODO(ekr@rtfm.com): Currently we fall back even on broken extensions. | |
2592 * because SECFailure does not cause handshake failures. See bug | |
2593 * 753136. | |
2594 */ | |
2595 SSL_TRC(30, ("%d: SSL3[%d]: Rolling back to TLS 1.2", SSL_GETPID(), ss->fd)) ; | |
2596 ss->version = SSL_LIBRARY_VERSION_TLS_1_2; | |
2597 | |
2598 return SECSuccess; | |
2599 } | |
2600 | |
2499 /* ssl3_ClientSendSignedCertTimestampXtn sends the signed_certificate_timestamp | 2601 /* ssl3_ClientSendSignedCertTimestampXtn sends the signed_certificate_timestamp |
2500 * extension for TLS ClientHellos. */ | 2602 * extension for TLS ClientHellos. */ |
2501 static PRInt32 | 2603 static PRInt32 |
2502 ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, PRBool append, | 2604 ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, PRBool append, |
2503 » » » » PRUint32 maxBytes) | 2605 PRUint32 maxBytes) |
2504 { | 2606 { |
2505 PRInt32 extension_length = 2 /* extension_type */ + | 2607 PRInt32 extension_length = 2 /* extension_type */ + |
2506 » 2 /* length(extension_data) */; | 2608 2 /* length(extension_data) */; |
2507 | 2609 |
2508 /* Only send the extension if processing is enabled. */ | 2610 /* Only send the extension if processing is enabled. */ |
2509 if (!ss->opt.enableSignedCertTimestamps) | 2611 if (!ss->opt.enableSignedCertTimestamps) |
2510 » return 0; | 2612 return 0; |
2511 | 2613 |
2512 if (append && maxBytes >= extension_length) { | 2614 if (append && maxBytes >= extension_length) { |
2513 » SECStatus rv; | 2615 SECStatus rv; |
2514 » /* extension_type */ | 2616 /* extension_type */ |
2515 » rv = ssl3_AppendHandshakeNumber(ss, | 2617 rv = ssl3_AppendHandshakeNumber(ss, |
2516 » » » » » ssl_signed_certificate_timestamp_xtn, | 2618 ssl_signed_certificate_timestamp_xtn, |
2517 » » » » » 2); | 2619 2); |
2518 » if (rv != SECSuccess) | 2620 if (rv != SECSuccess) |
2519 » goto loser; | 2621 goto loser; |
2520 » /* zero length */ | 2622 /* zero length */ |
2521 » rv = ssl3_AppendHandshakeNumber(ss, 0, 2); | 2623 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); |
2522 » if (rv != SECSuccess) | 2624 if (rv != SECSuccess) |
2523 » goto loser; | 2625 goto loser; |
2524 » ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | 2626 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = |
2525 » » ssl_signed_certificate_timestamp_xtn; | 2627 ssl_signed_certificate_timestamp_xtn; |
2526 } else if (maxBytes < extension_length) { | 2628 } else if (maxBytes < extension_length) { |
2527 » PORT_Assert(0); | 2629 PORT_Assert(0); |
2528 » return 0; | 2630 return 0; |
2529 } | 2631 } |
2530 | 2632 |
2531 return extension_length; | 2633 return extension_length; |
2532 loser: | 2634 loser: |
2533 return -1; | 2635 return -1; |
2534 } | 2636 } |
2535 | 2637 |
2536 static SECStatus | 2638 static SECStatus |
2537 ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, PRUint16 ex_type, | 2639 ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, PRUint16 ex_type, |
2538 » » » » » SECItem *data) | 2640 SECItem *data) |
2539 { | 2641 { |
2540 /* We do not yet know whether we'll be resuming a session or creating | 2642 /* We do not yet know whether we'll be resuming a session or creating |
2541 * a new one, so we keep a pointer to the data in the TLSExtensionData | 2643 * a new one, so we keep a pointer to the data in the TLSExtensionData |
2542 * structure. This pointer is only valid in the scope of | 2644 * structure. This pointer is only valid in the scope of |
2543 * ssl3_HandleServerHello, and, if not resuming a session, the data is | 2645 * ssl3_HandleServerHello, and, if not resuming a session, the data is |
2544 * copied once a new session structure has been set up. | 2646 * copied once a new session structure has been set up. |
2545 * All parsing is currently left to the application and we accept | 2647 * All parsing is currently left to the application and we accept |
2546 * everything, including empty data. | 2648 * everything, including empty data. |
2547 */ | 2649 */ |
2548 SECItem *scts = &ss->xtnData.signedCertTimestamps; | 2650 SECItem *scts = &ss->xtnData.signedCertTimestamps; |
2549 PORT_Assert(!scts->data && !scts->len); | 2651 PORT_Assert(!scts->data && !scts->len); |
2550 | 2652 |
2551 if (!data->len) { | 2653 if (!data->len) { |
2552 » /* Empty extension data: RFC 6962 mandates non-empty contents. */ | 2654 /* Empty extension data: RFC 6962 mandates non-empty contents. */ |
2553 » return SECFailure; | 2655 return SECFailure; |
2554 } | 2656 } |
2555 *scts = *data; | 2657 *scts = *data; |
2556 /* Keep track of negotiated extensions. */ | 2658 /* Keep track of negotiated extensions. */ |
2557 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | 2659 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
2558 return SECSuccess; | 2660 return SECSuccess; |
2559 } | 2661 } |
OLD | NEW |