Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(271)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/third_party/nss/ssl/ssl3ext.c

Issue 1053903002: Update libssl to NSS 3.18 RTM (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 5 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« net/third_party/nss/ssl/ssl3con.c ('K') | « net/third_party/nss/ssl/ssl3ecc.c ('k') | net/third_party/nss/ssl/ssl3prot.h » ('j') | net/third_party/nss/ssl/sslenum.c » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/third_party/nss/ssl/ssl3ext.c
diff --git a/net/third_party/nss/ssl/ssl3ext.c b/net/third_party/nss/ssl/ssl3ext.c
index f6530fe7960d3a1e4e83349a869ddbaefc13824d..dfa1e8e48ab78cf7512916a9474c8daf121f6150 100644
--- a/net/third_party/nss/ssl/ssl3ext.c
+++ b/net/third_party/nss/ssl/ssl3ext.c
@@ -48,20 +48,20 @@ static SECStatus ssl3_GetSessionTicketKeys(const unsigned char **aes_key,
#endif
static PRInt32 ssl3_SendRenegotiationInfoXtn(sslSocket * ss,
PRBool append, PRUint32 maxBytes);
-static SECStatus ssl3_HandleRenegotiationInfoXtn(sslSocket *ss,
+static SECStatus ssl3_HandleRenegotiationInfoXtn(sslSocket *ss,
PRUint16 ex_type, SECItem *data);
static SECStatus ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss,
- PRUint16 ex_type, SECItem *data);
+ PRUint16 ex_type, SECItem *data);
static SECStatus ssl3_ClientHandleAppProtoXtn(sslSocket *ss,
- PRUint16 ex_type, SECItem *data);
+ PRUint16 ex_type, SECItem *data);
static SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss,
- PRUint16 ex_type, SECItem *data);
+ PRUint16 ex_type, SECItem *data);
static SECStatus ssl3_ServerHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type,
SECItem *data);
static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append,
PRUint32 maxBytes);
static PRInt32 ssl3_ClientSendAppProtoXtn(sslSocket *ss, PRBool append,
- PRUint32 maxBytes);
+ PRUint32 maxBytes);
static PRInt32 ssl3_ServerSendAppProtoXtn(sslSocket *ss, PRBool append,
PRUint32 maxBytes);
static PRInt32 ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append,
@@ -72,7 +72,7 @@ static SECStatus ssl3_ClientHandleChannelIDXtn(sslSocket *ss,
PRUint16 ex_type, SECItem *data);
static PRInt32 ssl3_ClientSendChannelIDXtn(sslSocket *ss, PRBool append,
PRUint32 maxBytes);
-static SECStatus ssl3_ServerSendStatusRequestXtn(sslSocket * ss,
+static PRInt32 ssl3_ServerSendStatusRequestXtn(sslSocket * ss,
PRBool append, PRUint32 maxBytes);
static SECStatus ssl3_ServerHandleStatusRequestXtn(sslSocket *ss,
PRUint16 ex_type, SECItem *data);
@@ -86,11 +86,16 @@ static PRInt32 ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append,
static SECStatus ssl3_ServerHandleSigAlgsXtn(sslSocket *ss, PRUint16 ex_type,
SECItem *data);
static PRInt32 ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss,
- PRBool append,
- PRUint32 maxBytes);
+ PRBool append,
+ PRUint32 maxBytes);
static SECStatus ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss,
- PRUint16 ex_type,
- SECItem *data);
+ PRUint16 ex_type,
+ SECItem *data);
+
+static PRInt32 ssl3_ClientSendDraftVersionXtn(sslSocket *ss, PRBool append,
+ PRUint32 maxBytes);
+static SECStatus ssl3_ServerHandleDraftVersionXtn(sslSocket *ss, PRUint16 ex_type,
+ SECItem *data);
/*
* Write bytes. Using this function means the SECItem structure
@@ -101,7 +106,7 @@ static SECStatus
ssl3_AppendToItem(SECItem *item, const unsigned char *buf, PRUint32 bytes)
{
if (bytes > item->len)
- return SECFailure;
+ return SECFailure;
PORT_Memcpy(item->data, buf, bytes);
item->data += bytes;
@@ -123,13 +128,13 @@ ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, PRInt32 lenSize)
switch (lenSize) {
case 4:
- *p++ = (PRUint8) (num >> 24);
+ *p++ = (PRUint8) (num >> 24);
case 3:
- *p++ = (PRUint8) (num >> 16);
+ *p++ = (PRUint8) (num >> 16);
case 2:
- *p++ = (PRUint8) (num >> 8);
+ *p++ = (PRUint8) (num >> 8);
case 1:
- *p = (PRUint8) num;
+ *p = (PRUint8) num;
}
rv = ssl3_AppendToItem(item, &b[0], lenSize);
return rv;
@@ -138,15 +143,15 @@ ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, PRInt32 lenSize)
static SECStatus ssl3_SessionTicketShutdown(void* appData, void* nssData)
{
if (session_ticket_enc_key_pkcs11) {
- PK11_FreeSymKey(session_ticket_enc_key_pkcs11);
- session_ticket_enc_key_pkcs11 = NULL;
+ PK11_FreeSymKey(session_ticket_enc_key_pkcs11);
+ session_ticket_enc_key_pkcs11 = NULL;
}
if (session_ticket_mac_key_pkcs11) {
- PK11_FreeSymKey(session_ticket_mac_key_pkcs11);
- session_ticket_mac_key_pkcs11 = NULL;
+ PK11_FreeSymKey(session_ticket_mac_key_pkcs11);
+ session_ticket_mac_key_pkcs11 = NULL;
}
PORT_Memset(&generate_session_keys_once, 0,
- sizeof(generate_session_keys_once));
+ sizeof(generate_session_keys_once));
return SECSuccess;
}
@@ -160,22 +165,22 @@ ssl3_GenerateSessionTicketKeysPKCS11(void *data)
SECKEYPublicKey *svrPubKey = ss->serverCerts[kt_rsa].serverKeyPair->pubKey;
if (svrPrivKey == NULL || svrPubKey == NULL) {
- SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.",
- SSL_GETPID(), ss->fd));
- goto loser;
+ SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.",
+ SSL_GETPID(), ss->fd));
+ goto loser;
}
/* Get a copy of the session keys from shared memory. */
PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX,
- sizeof(SESS_TICKET_KEY_NAME_PREFIX));
+ sizeof(SESS_TICKET_KEY_NAME_PREFIX));
if (!ssl_GetSessionTicketKeysPKCS11(svrPrivKey, svrPubKey,
- ss->pkcs11PinArg, &key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN],
- &session_ticket_enc_key_pkcs11, &session_ticket_mac_key_pkcs11))
- return PR_FAILURE;
+ ss->pkcs11PinArg, &key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN],
+ &session_ticket_enc_key_pkcs11, &session_ticket_mac_key_pkcs11))
+ return PR_FAILURE;
rv = NSS_RegisterShutdown(ssl3_SessionTicketShutdown, NULL);
if (rv != SECSuccess)
- goto loser;
+ goto loser;
return PR_SUCCESS;
@@ -189,12 +194,12 @@ ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss, PK11SymKey **aes_key,
PK11SymKey **mac_key)
{
if (PR_CallOnceWithArg(&generate_session_keys_once,
- ssl3_GenerateSessionTicketKeysPKCS11, ss) != PR_SUCCESS)
- return SECFailure;
+ ssl3_GenerateSessionTicketKeysPKCS11, ss) != PR_SUCCESS)
+ return SECFailure;
if (session_ticket_enc_key_pkcs11 == NULL ||
- session_ticket_mac_key_pkcs11 == NULL)
- return SECFailure;
+ session_ticket_mac_key_pkcs11 == NULL)
+ return SECFailure;
*aes_key = session_ticket_enc_key_pkcs11;
*mac_key = session_ticket_mac_key_pkcs11;
@@ -206,11 +211,11 @@ static PRStatus
ssl3_GenerateSessionTicketKeys(void)
{
PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX,
- sizeof(SESS_TICKET_KEY_NAME_PREFIX));
+ sizeof(SESS_TICKET_KEY_NAME_PREFIX));
if (!ssl_GetSessionTicketKeys(&key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN],
- session_ticket_enc_key, session_ticket_mac_key))
- return PR_FAILURE;
+ session_ticket_enc_key, session_ticket_mac_key))
+ return PR_FAILURE;
session_ticket_keys_initialized = PR_TRUE;
return PR_SUCCESS;
@@ -222,11 +227,11 @@ ssl3_GetSessionTicketKeys(const unsigned char **aes_key,
PRUint32 *mac_key_length)
{
if (PR_CallOnce(&generate_session_keys_once,
- ssl3_GenerateSessionTicketKeys) != PR_SUCCESS)
- return SECFailure;
+ ssl3_GenerateSessionTicketKeys) != PR_SUCCESS)
+ return SECFailure;
if (!session_ticket_keys_initialized)
- return SECFailure;
+ return SECFailure;
*aes_key = session_ticket_enc_key;
*aes_key_length = sizeof(session_ticket_enc_key);
@@ -244,7 +249,7 @@ ssl3_GetSessionTicketKeys(const unsigned char **aes_key,
/* This table is used by the server, to handle client hello extensions. */
static const ssl3HelloExtensionHandler clientHelloHandlers[] = {
{ ssl_server_name_xtn, &ssl3_HandleServerNameXtn },
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
{ ssl_elliptic_curves_xtn, &ssl3_HandleSupportedCurvesXtn },
{ ssl_ec_point_formats_xtn, &ssl3_HandleSupportedPointFormatsXtn },
#endif
@@ -253,8 +258,10 @@ static const ssl3HelloExtensionHandler clientHelloHandlers[] = {
{ ssl_next_proto_nego_xtn, &ssl3_ServerHandleNextProtoNegoXtn },
{ ssl_app_layer_protocol_xtn, &ssl3_ServerHandleAppProtoXtn },
{ ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn },
+ { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn },
{ ssl_cert_status_xtn, &ssl3_ServerHandleStatusRequestXtn },
{ ssl_signature_algorithms_xtn, &ssl3_ServerHandleSigAlgsXtn },
+ { ssl_tls13_draft_version_xtn, &ssl3_ServerHandleDraftVersionXtn },
{ -1, NULL }
};
@@ -286,11 +293,11 @@ static const ssl3HelloExtensionHandler serverHelloHandlersSSL3[] = {
* The server's table of hello senders is dynamic, in the socket struct,
* and sender functions are registered there.
*/
-static const
+static const
ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = {
{ ssl_server_name_xtn, &ssl3_SendServerNameXtn },
{ ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn },
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
{ ssl_elliptic_curves_xtn, &ssl3_SendSupportedCurvesXtn },
{ ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn },
#endif
@@ -298,18 +305,15 @@ ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = {
{ ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn },
{ ssl_app_layer_protocol_xtn, &ssl3_ClientSendAppProtoXtn },
{ ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn },
- { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn },
{ ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn },
+ { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn },
+ { ssl_tls13_draft_version_xtn, &ssl3_ClientSendDraftVersionXtn },
{ ssl_signed_certificate_timestamp_xtn,
&ssl3_ClientSendSignedCertTimestampXtn },
- /* WebSphere Application Server 7.0 is intolerant to the last extension
- * being zero-length. It is not intolerant of TLS 1.2, so move
- * signature_algorithms to the end. */
- { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }
Ryan Sleevi 2015/04/02 23:35:40 this is the other bug; I'm not sure how my patch m
/* any extra entries will appear as { 0, NULL } */
};
-static const
+static const
ssl3HelloExtensionSender clientHelloSendersSSL3[SSL_MAX_EXTENSIONS] = {
{ ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn }
/* any extra entries will appear as { 0, NULL } */
@@ -320,8 +324,8 @@ arrayContainsExtension(const PRUint16 *array, PRUint32 len, PRUint16 ex_type)
{
int i;
for (i = 0; i < len; i++) {
- if (ex_type == array[i])
- return PR_TRUE;
+ if (ex_type == array[i])
+ return PR_TRUE;
}
return PR_FALSE;
}
@@ -330,14 +334,14 @@ PRBool
ssl3_ExtensionNegotiated(sslSocket *ss, PRUint16 ex_type) {
TLSExtensionData *xtnData = &ss->xtnData;
return arrayContainsExtension(xtnData->negotiated,
- xtnData->numNegotiated, ex_type);
+ xtnData->numNegotiated, ex_type);
}
static PRBool
ssl3_ClientExtensionAdvertised(sslSocket *ss, PRUint16 ex_type) {
TLSExtensionData *xtnData = &ss->xtnData;
return arrayContainsExtension(xtnData->advertised,
- xtnData->numAdvertised, ex_type);
+ xtnData->numAdvertised, ex_type);
}
/* Format an SNI extension, using the name from the socket's URL,
@@ -350,11 +354,11 @@ ssl3_SendServerNameXtn(sslSocket * ss, PRBool append,
{
SECStatus rv;
if (!ss)
- return 0;
+ return 0;
if (!ss->sec.isServer) {
PRUint32 len;
PRNetAddr netAddr;
-
+
/* must have a hostname */
if (!ss->url || !ss->url[0])
return 0;
@@ -366,10 +370,10 @@ ssl3_SendServerNameXtn(sslSocket * ss, PRBool append,
len = PORT_Strlen(ss->url);
if (append && maxBytes >= len + 9) {
/* extension_type */
- rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2);
+ rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2);
if (rv != SECSuccess) return -1;
/* length of extension_data */
- rv = ssl3_AppendHandshakeNumber(ss, len + 5, 2);
+ rv = ssl3_AppendHandshakeNumber(ss, len + 5, 2);
if (rv != SECSuccess) return -1;
/* length of server_name_list */
rv = ssl3_AppendHandshakeNumber(ss, len + 3, 2);
@@ -382,8 +386,8 @@ ssl3_SendServerNameXtn(sslSocket * ss, PRBool append,
if (rv != SECSuccess) return -1;
if (!ss->sec.isServer) {
TLSExtensionData *xtnData = &ss->xtnData;
- xtnData->advertised[xtnData->numAdvertised++] =
- ssl_server_name_xtn;
+ xtnData->advertised[xtnData->numAdvertised++] =
+ ssl_server_name_xtn;
}
}
return len + 9;
@@ -425,7 +429,7 @@ ssl3_HandleServerNameXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data)
return SECSuccess;
}
/* length of server_name_list */
- listLenBytes = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
+ listLenBytes = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
if (listLenBytes == 0 || listLenBytes != data->len) {
return SECFailure;
}
@@ -436,7 +440,7 @@ ssl3_HandleServerNameXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data)
SECStatus rv;
PRInt32 type;
/* Name Type (sni_host_name) */
- type = ssl3_ConsumeHandshakeNumber(ss, 1, &ldata.data, &ldata.len);
+ type = ssl3_ConsumeHandshakeNumber(ss, 1, &ldata.data, &ldata.len);
if (!ldata.len) {
return SECFailure;
}
@@ -464,7 +468,7 @@ ssl3_HandleServerNameXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data)
SECStatus rv;
PRBool nametypePresent = PR_FALSE;
/* Name Type (sni_host_name) */
- type = ssl3_ConsumeHandshakeNumber(ss, 1, &data->data, &data->len);
+ type = ssl3_ConsumeHandshakeNumber(ss, 1, &data->data, &data->len);
/* Check if we have such type in the list */
for (j = 0;j < listCount && names[j].data;j++) {
if (names[j].type == type) {
@@ -496,16 +500,16 @@ loser:
PORT_Free(names);
return SECFailure;
}
-
+
/* Called by both clients and servers.
* Clients sends a filled in session ticket if one is available, and otherwise
* sends an empty ticket. Servers always send empty tickets.
*/
PRInt32
ssl3_SendSessionTicketXtn(
- sslSocket * ss,
- PRBool append,
- PRUint32 maxBytes)
+ sslSocket * ss,
+ PRBool append,
+ PRUint32 maxBytes)
{
PRInt32 extension_length;
NewSessionTicket *session_ticket = NULL;
@@ -513,7 +517,7 @@ ssl3_SendSessionTicketXtn(
/* Ignore the SessionTicket extension if processing is disabled. */
if (!ss->opt.enableSessionTickets)
- return 0;
+ return 0;
/* Empty extension length = extension_type (2-bytes) +
* length(extension_data) (2-bytes)
@@ -525,53 +529,53 @@ ssl3_SendSessionTicketXtn(
* the extension always respond with an empty extension.
*/
if (!ss->sec.isServer) {
- /* The caller must be holding sid->u.ssl3.lock for reading. We cannot
- * just acquire and release the lock within this function because the
- * caller will call this function twice, and we need the inputs to be
- * consistent between the two calls. Note that currently the caller
- * will only be holding the lock when we are the client and when we're
- * attempting to resume an existing session.
- */
-
- session_ticket = &sid->u.ssl3.locked.sessionTicket;
- if (session_ticket->ticket.data) {
- if (ss->xtnData.ticketTimestampVerified) {
- extension_length += session_ticket->ticket.len;
- } else if (!append &&
- (session_ticket->ticket_lifetime_hint == 0 ||
- (session_ticket->ticket_lifetime_hint +
- session_ticket->received_timestamp > ssl_Time()))) {
- extension_length += session_ticket->ticket.len;
- ss->xtnData.ticketTimestampVerified = PR_TRUE;
- }
- }
+ /* The caller must be holding sid->u.ssl3.lock for reading. We cannot
+ * just acquire and release the lock within this function because the
+ * caller will call this function twice, and we need the inputs to be
+ * consistent between the two calls. Note that currently the caller
+ * will only be holding the lock when we are the client and when we're
+ * attempting to resume an existing session.
+ */
+
+ session_ticket = &sid->u.ssl3.locked.sessionTicket;
+ if (session_ticket->ticket.data) {
+ if (ss->xtnData.ticketTimestampVerified) {
+ extension_length += session_ticket->ticket.len;
+ } else if (!append &&
+ (session_ticket->ticket_lifetime_hint == 0 ||
+ (session_ticket->ticket_lifetime_hint +
+ session_ticket->received_timestamp > ssl_Time()))) {
+ extension_length += session_ticket->ticket.len;
+ ss->xtnData.ticketTimestampVerified = PR_TRUE;
+ }
+ }
}
if (append && maxBytes >= extension_length) {
- SECStatus rv;
- /* extension_type */
+ SECStatus rv;
+ /* extension_type */
rv = ssl3_AppendHandshakeNumber(ss, ssl_session_ticket_xtn, 2);
if (rv != SECSuccess)
- goto loser;
- if (session_ticket && session_ticket->ticket.data &&
- ss->xtnData.ticketTimestampVerified) {
- rv = ssl3_AppendHandshakeVariable(ss, session_ticket->ticket.data,
- session_ticket->ticket.len, 2);
- ss->xtnData.ticketTimestampVerified = PR_FALSE;
- ss->xtnData.sentSessionTicketInClientHello = PR_TRUE;
- } else {
- rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
- }
+ goto loser;
+ if (session_ticket && session_ticket->ticket.data &&
+ ss->xtnData.ticketTimestampVerified) {
+ rv = ssl3_AppendHandshakeVariable(ss, session_ticket->ticket.data,
+ session_ticket->ticket.len, 2);
+ ss->xtnData.ticketTimestampVerified = PR_FALSE;
+ ss->xtnData.sentSessionTicketInClientHello = PR_TRUE;
+ } else {
+ rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
+ }
if (rv != SECSuccess)
- goto loser;
+ goto loser;
- if (!ss->sec.isServer) {
- TLSExtensionData *xtnData = &ss->xtnData;
- xtnData->advertised[xtnData->numAdvertised++] =
- ssl_session_ticket_xtn;
- }
+ if (!ss->sec.isServer) {
+ TLSExtensionData *xtnData = &ss->xtnData;
+ xtnData->advertised[xtnData->numAdvertised++] =
+ ssl_session_ticket_xtn;
+ }
} else if (maxBytes < extension_length) {
- PORT_Assert(0);
+ PORT_Assert(0);
return 0;
}
return extension_length;
@@ -587,9 +591,9 @@ ssl3_ServerHandleNextProtoNegoXtn(sslSocket * ss, PRUint16 ex_type,
SECItem *data)
{
if (ss->firstHsDone || data->len != 0) {
- /* Clients MUST send an empty NPN extension, if any. */
- PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
- return SECFailure;
+ /* Clients MUST send an empty NPN extension, if any. */
+ PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
+ return SECFailure;
}
ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
@@ -610,20 +614,20 @@ ssl3_ValidateNextProtoNego(const unsigned char* data, unsigned int length)
unsigned int offset = 0;
while (offset < length) {
- unsigned int newOffset = offset + 1 + (unsigned int) data[offset];
- /* Reject embedded nulls to protect against buggy applications that
- * store protocol identifiers in null-terminated strings.
- */
- if (newOffset > length || data[offset] == 0) {
- PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
- return SECFailure;
- }
- offset = newOffset;
+ unsigned int newOffset = offset + 1 + (unsigned int) data[offset];
+ /* Reject embedded nulls to protect against buggy applications that
+ * store protocol identifiers in null-terminated strings.
+ */
+ if (newOffset > length || data[offset] == 0) {
+ PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
+ return SECFailure;
+ }
+ offset = newOffset;
}
if (offset > length) {
- PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
- return SECFailure;
+ PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
+ return SECFailure;
}
return SECSuccess;
@@ -719,13 +723,14 @@ ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type,
PORT_Assert(!ss->firstHsDone);
if (ssl3_ExtensionNegotiated(ss, ssl_app_layer_protocol_xtn)) {
- /* If the server negotiated ALPN then it has already told us what protocol
- * to use, so it doesn't make sense for us to try to negotiate a different
- * one by sending the NPN handshake message. However, if we've negotiated
- * NPN then we're required to send the NPN handshake message. Thus, these
- * two extensions cannot both be negotiated on the same connection. */
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- return SECFailure;
+ /* If the server negotiated ALPN then it has already told us what
+ * protocol to use, so it doesn't make sense for us to try to negotiate
+ * a different one by sending the NPN handshake message. However, if
+ * we've negotiated NPN then we're required to send the NPN handshake
+ * message. Thus, these two extensions cannot both be negotiated on the
+ * same connection. */
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
}
/* We should only get this call if we sent the extension, so
@@ -733,8 +738,8 @@ ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type,
* that an application erroneously cleared the callback between the time
* we sent the ClientHello and now. */
if (!ss->nextProtoCallback) {
- PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK);
- return SECFailure;
+ PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK);
+ return SECFailure;
}
return ssl3_SelectAppProtocol(ss, ex_type, data);
@@ -748,8 +753,8 @@ ssl3_ClientHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
SECItem protocol_name;
if (ssl3_ExtensionNegotiated(ss, ssl_next_proto_nego_xtn)) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- return SECFailure;
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
}
/* The extension data from the server has the following format:
@@ -757,15 +762,15 @@ ssl3_ClientHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
* uint8 len;
* uint8 protocol_name[len]; */
if (data->len < 4 || data->len > 2 + 1 + 255) {
- PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
- return SECFailure;
+ PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
+ return SECFailure;
}
name_list_len = ((PRUint16) d[0]) << 8 |
- ((PRUint16) d[1]);
+ ((PRUint16) d[1]);
if (name_list_len != data->len - 2 || d[2] != data->len - 3) {
- PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
- return SECFailure;
+ PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
+ return SECFailure;
}
protocol_name.data = data->data + 3;
@@ -779,29 +784,29 @@ ssl3_ClientHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
static PRInt32
ssl3_ClientSendNextProtoNegoXtn(sslSocket * ss, PRBool append,
- PRUint32 maxBytes)
+ PRUint32 maxBytes)
{
PRInt32 extension_length;
/* Renegotiations do not send this extension. */
if (!ss->opt.enableNPN || !ss->nextProtoCallback || ss->firstHsDone) {
- return 0;
+ return 0;
}
extension_length = 4;
if (append && maxBytes >= extension_length) {
- SECStatus rv;
- rv = ssl3_AppendHandshakeNumber(ss, ssl_next_proto_nego_xtn, 2);
- if (rv != SECSuccess)
- goto loser;
- rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
- if (rv != SECSuccess)
- goto loser;
- ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
- ssl_next_proto_nego_xtn;
+ SECStatus rv;
+ rv = ssl3_AppendHandshakeNumber(ss, ssl_next_proto_nego_xtn, 2);
+ if (rv != SECSuccess)
+ goto loser;
+ rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
+ if (rv != SECSuccess)
+ goto loser;
+ ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
+ ssl_next_proto_nego_xtn;
} else if (maxBytes < extension_length) {
- return 0;
+ return 0;
}
return extension_length;
@@ -818,62 +823,62 @@ ssl3_ClientSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes)
/* Renegotiations do not send this extension. */
if (!ss->opt.enableALPN || !ss->opt.nextProtoNego.data || ss->firstHsDone) {
- return 0;
+ return 0;
}
extension_length = 2 /* extension type */ + 2 /* extension length */ +
- 2 /* protocol name list length */ +
- ss->opt.nextProtoNego.len;
+ 2 /* protocol name list length */ +
+ ss->opt.nextProtoNego.len;
if (append && maxBytes >= extension_length) {
- /* NPN requires that the client's fallback protocol is first in the
- * list. However, ALPN sends protocols in preference order. So we
- * allocate a buffer and move the first protocol to the end of the
- * list. */
- SECStatus rv;
- const unsigned int len = ss->opt.nextProtoNego.len;
-
- alpn_protos = PORT_Alloc(len);
- if (alpn_protos == NULL) {
- return SECFailure;
- }
- if (len > 0) {
- /* Each protocol string is prefixed with a single byte length. */
- unsigned int i = ss->opt.nextProtoNego.data[0] + 1;
- if (i <= len) {
- memcpy(alpn_protos, &ss->opt.nextProtoNego.data[i], len - i);
- memcpy(alpn_protos + len - i, ss->opt.nextProtoNego.data, i);
- } else {
- /* This seems to be invalid data so we'll send as-is. */
- memcpy(alpn_protos, ss->opt.nextProtoNego.data, len);
- }
- }
-
- rv = ssl3_AppendHandshakeNumber(ss, ssl_app_layer_protocol_xtn, 2);
- if (rv != SECSuccess) {
- goto loser;
- }
- rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2);
- if (rv != SECSuccess) {
- goto loser;
- }
- rv = ssl3_AppendHandshakeVariable(ss, alpn_protos, len, 2);
- PORT_Free(alpn_protos);
- alpn_protos = NULL;
- if (rv != SECSuccess) {
- goto loser;
- }
- ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
- ssl_app_layer_protocol_xtn;
+ /* NPN requires that the client's fallback protocol is first in the
+ * list. However, ALPN sends protocols in preference order. So we
+ * allocate a buffer and move the first protocol to the end of the
+ * list. */
+ SECStatus rv;
+ const unsigned int len = ss->opt.nextProtoNego.len;
+
+ alpn_protos = PORT_Alloc(len);
+ if (alpn_protos == NULL) {
+ return SECFailure;
+ }
+ if (len > 0) {
+ /* Each protocol string is prefixed with a single byte length. */
+ unsigned int i = ss->opt.nextProtoNego.data[0] + 1;
+ if (i <= len) {
+ memcpy(alpn_protos, &ss->opt.nextProtoNego.data[i], len - i);
+ memcpy(alpn_protos + len - i, ss->opt.nextProtoNego.data, i);
+ } else {
+ /* This seems to be invalid data so we'll send as-is. */
+ memcpy(alpn_protos, ss->opt.nextProtoNego.data, len);
+ }
+ }
+
+ rv = ssl3_AppendHandshakeNumber(ss, ssl_app_layer_protocol_xtn, 2);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ rv = ssl3_AppendHandshakeVariable(ss, alpn_protos, len, 2);
+ PORT_Free(alpn_protos);
+ alpn_protos = NULL;
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
+ ssl_app_layer_protocol_xtn;
} else if (maxBytes < extension_length) {
- return 0;
+ return 0;
}
return extension_length;
loser:
if (alpn_protos) {
- PORT_Free(alpn_protos);
+ PORT_Free(alpn_protos);
}
return -1;
}
@@ -883,6 +888,7 @@ ssl3_ServerSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes)
{
PRInt32 extension_length;
+ /* we're in over our heads if any of these fail */
PORT_Assert(ss->opt.enableALPN);
PORT_Assert(ss->ssl3.nextProto.data);
PORT_Assert(ss->ssl3.nextProto.len > 0);
@@ -979,8 +985,9 @@ ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type,
SECItem *data)
{
/* The echoed extension must be empty. */
- if (data->len != 0)
- return SECFailure;
+ if (data->len != 0) {
+ return SECSuccess; /* Ignore the extension. */
+ }
/* Keep track of negotiated extensions. */
ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
@@ -990,9 +997,9 @@ ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type,
static PRInt32
ssl3_ServerSendStatusRequestXtn(
- sslSocket * ss,
- PRBool append,
- PRUint32 maxBytes)
+ sslSocket * ss,
+ PRBool append,
+ PRUint32 maxBytes)
{
PRInt32 extension_length;
SECStatus rv;
@@ -1000,29 +1007,29 @@ ssl3_ServerSendStatusRequestXtn(
PRBool haveStatus = PR_FALSE;
for (i = kt_null; i < kt_kea_size; i++) {
- /* TODO: This is a temporary workaround.
- * The correct code needs to see if we have an OCSP response for
- * the server certificate being used, rather than if we have any
- * OCSP response. See also ssl3_SendCertificateStatus.
- */
- if (ss->certStatusArray[i] && ss->certStatusArray[i]->len) {
- haveStatus = PR_TRUE;
- break;
- }
+ /* TODO: This is a temporary workaround.
+ * The correct code needs to see if we have an OCSP response for
+ * the server certificate being used, rather than if we have any
+ * OCSP response. See also ssl3_SendCertificateStatus.
+ */
+ if (ss->certStatusArray[i] && ss->certStatusArray[i]->len) {
+ haveStatus = PR_TRUE;
+ break;
+ }
}
if (!haveStatus)
- return 0;
+ return 0;
extension_length = 2 + 2;
if (append && maxBytes >= extension_length) {
- /* extension_type */
- rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2);
- if (rv != SECSuccess)
- return -1;
- /* length of extension_data */
- rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
- if (rv != SECSuccess)
- return -1;
+ /* extension_type */
+ rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2);
+ if (rv != SECSuccess)
+ return -1;
+ /* length of extension_data */
+ rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
+ if (rv != SECSuccess)
+ return -1;
}
return extension_length;
@@ -1132,14 +1139,14 @@ ssl3_SendNewSessionTicket(sslSocket *ss)
* must be >= 0 */
SSL_TRC(3, ("%d: SSL3[%d]: send session_ticket handshake",
- SSL_GETPID(), ss->fd));
+ SSL_GETPID(), ss->fd));
PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
ticket.ticket_lifetime_hint = TLS_EX_SESS_TICKET_LIFETIME_HINT;
cert_length = (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) ?
- 3 + ss->sec.ci.sid->peerCert->derCert.len : 0;
+ 3 + ss->sec.ci.sid->peerCert->derCert.len : 0;
/* Get IV and encryption keys */
ivItem.data = iv;
@@ -1149,47 +1156,47 @@ ssl3_SendNewSessionTicket(sslSocket *ss)
#ifndef NO_PKCS11_BYPASS
if (ss->opt.bypassPKCS11) {
- rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length,
- &mac_key, &mac_key_length);
- } else
+ rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length,
+ &mac_key, &mac_key_length);
+ } else
#endif
{
- rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11,
- &mac_key_pkcs11);
+ rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11,
+ &mac_key_pkcs11);
}
if (rv != SECSuccess) goto loser;
if (ss->ssl3.pwSpec->msItem.len && ss->ssl3.pwSpec->msItem.data) {
- /* The master secret is available unwrapped. */
- ms_item.data = ss->ssl3.pwSpec->msItem.data;
- ms_item.len = ss->ssl3.pwSpec->msItem.len;
- ms_is_wrapped = PR_FALSE;
+ /* The master secret is available unwrapped. */
+ ms_item.data = ss->ssl3.pwSpec->msItem.data;
+ ms_item.len = ss->ssl3.pwSpec->msItem.len;
+ ms_is_wrapped = PR_FALSE;
} else {
- /* Extract the master secret wrapped. */
- sslSessionID sid;
- PORT_Memset(&sid, 0, sizeof(sslSessionID));
-
- if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) {
- effectiveExchKeyType = kt_rsa;
- } else {
- effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType;
- }
-
- rv = ssl3_CacheWrappedMasterSecret(ss, &sid, ss->ssl3.pwSpec,
- effectiveExchKeyType);
- if (rv == SECSuccess) {
- if (sid.u.ssl3.keys.wrapped_master_secret_len > sizeof(wrapped_ms))
- goto loser;
- memcpy(wrapped_ms, sid.u.ssl3.keys.wrapped_master_secret,
- sid.u.ssl3.keys.wrapped_master_secret_len);
- ms_item.data = wrapped_ms;
- ms_item.len = sid.u.ssl3.keys.wrapped_master_secret_len;
- msWrapMech = sid.u.ssl3.masterWrapMech;
- } else {
- /* TODO: else send an empty ticket. */
- goto loser;
- }
- ms_is_wrapped = PR_TRUE;
+ /* Extract the master secret wrapped. */
+ sslSessionID sid;
+ PORT_Memset(&sid, 0, sizeof(sslSessionID));
+
+ if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) {
+ effectiveExchKeyType = kt_rsa;
+ } else {
+ effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType;
+ }
+
+ rv = ssl3_CacheWrappedMasterSecret(ss, &sid, ss->ssl3.pwSpec,
+ effectiveExchKeyType);
+ if (rv == SECSuccess) {
+ if (sid.u.ssl3.keys.wrapped_master_secret_len > sizeof(wrapped_ms))
+ goto loser;
+ memcpy(wrapped_ms, sid.u.ssl3.keys.wrapped_master_secret,
+ sid.u.ssl3.keys.wrapped_master_secret_len);
+ ms_item.data = wrapped_ms;
+ ms_item.len = sid.u.ssl3.keys.wrapped_master_secret_len;
+ msWrapMech = sid.u.ssl3.masterWrapMech;
+ } else {
+ /* TODO: else send an empty ticket. */
+ goto loser;
+ }
+ ms_is_wrapped = PR_TRUE;
}
/* Prep to send negotiated name */
srvName = &ss->ssl3.pwSpec->srvVirtName;
@@ -1197,55 +1204,55 @@ ssl3_SendNewSessionTicket(sslSocket *ss)
srvNameLen = 2 + srvName->len; /* len bytes + name len */
}
- ciphertext_length =
- sizeof(PRUint16) /* ticket_version */
- + sizeof(SSL3ProtocolVersion) /* ssl_version */
- + sizeof(ssl3CipherSuite) /* ciphersuite */
- + 1 /* compression */
- + 10 /* cipher spec parameters */
- + 1 /* SessionTicket.ms_is_wrapped */
- + 1 /* effectiveExchKeyType */
- + 4 /* msWrapMech */
- + 2 /* master_secret.length */
- + ms_item.len /* master_secret */
- + 1 /* client_auth_type */
- + cert_length /* cert */
+ ciphertext_length =
+ sizeof(PRUint16) /* ticket_version */
+ + sizeof(SSL3ProtocolVersion) /* ssl_version */
+ + sizeof(ssl3CipherSuite) /* ciphersuite */
+ + 1 /* compression */
+ + 10 /* cipher spec parameters */
+ + 1 /* SessionTicket.ms_is_wrapped */
+ + 1 /* effectiveExchKeyType */
+ + 4 /* msWrapMech */
+ + 2 /* master_secret.length */
+ + ms_item.len /* master_secret */
+ + 1 /* client_auth_type */
+ + cert_length /* cert */
+ 1 /* server name type */
+ srvNameLen /* name len + length field */
- + sizeof(ticket.ticket_lifetime_hint);
+ + sizeof(ticket.ticket_lifetime_hint);
padding_length = AES_BLOCK_SIZE -
- (ciphertext_length % AES_BLOCK_SIZE);
+ (ciphertext_length % AES_BLOCK_SIZE);
ciphertext_length += padding_length;
message_length =
- sizeof(ticket.ticket_lifetime_hint) /* ticket_lifetime_hint */
- + 2 /* length field for NewSessionTicket.ticket */
- + SESS_TICKET_KEY_NAME_LEN /* key_name */
- + AES_BLOCK_SIZE /* iv */
- + 2 /* length field for NewSessionTicket.ticket.encrypted_state */
- + ciphertext_length /* encrypted_state */
- + TLS_EX_SESS_TICKET_MAC_LENGTH; /* mac */
+ sizeof(ticket.ticket_lifetime_hint) /* ticket_lifetime_hint */
+ + 2 /* length field for NewSessionTicket.ticket */
+ + SESS_TICKET_KEY_NAME_LEN /* key_name */
+ + AES_BLOCK_SIZE /* iv */
+ + 2 /* length field for NewSessionTicket.ticket.encrypted_state */
+ + ciphertext_length /* encrypted_state */
+ + TLS_EX_SESS_TICKET_MAC_LENGTH; /* mac */
if (SECITEM_AllocItem(NULL, &plaintext_item, ciphertext_length) == NULL)
- goto loser;
+ goto loser;
plaintext = plaintext_item;
/* ticket_version */
rv = ssl3_AppendNumberToItem(&plaintext, TLS_EX_SESS_TICKET_VERSION,
- sizeof(PRUint16));
+ sizeof(PRUint16));
if (rv != SECSuccess) goto loser;
/* ssl_version */
rv = ssl3_AppendNumberToItem(&plaintext, ss->version,
- sizeof(SSL3ProtocolVersion));
+ sizeof(SSL3ProtocolVersion));
if (rv != SECSuccess) goto loser;
/* ciphersuite */
- rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.cipher_suite,
- sizeof(ssl3CipherSuite));
+ rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.cipher_suite,
+ sizeof(ssl3CipherSuite));
if (rv != SECSuccess) goto loser;
-
+
/* compression */
rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.compression, 1);
if (rv != SECSuccess) goto loser;
@@ -1274,24 +1281,24 @@ ssl3_SendNewSessionTicket(sslSocket *ss)
/* client_identity */
if (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) {
- rv = ssl3_AppendNumberToItem(&plaintext, CLIENT_AUTH_CERTIFICATE, 1);
- if (rv != SECSuccess) goto loser;
- rv = ssl3_AppendNumberToItem(&plaintext,
- ss->sec.ci.sid->peerCert->derCert.len, 3);
- if (rv != SECSuccess) goto loser;
- rv = ssl3_AppendToItem(&plaintext,
- ss->sec.ci.sid->peerCert->derCert.data,
- ss->sec.ci.sid->peerCert->derCert.len);
- if (rv != SECSuccess) goto loser;
+ rv = ssl3_AppendNumberToItem(&plaintext, CLIENT_AUTH_CERTIFICATE, 1);
+ if (rv != SECSuccess) goto loser;
+ rv = ssl3_AppendNumberToItem(&plaintext,
+ ss->sec.ci.sid->peerCert->derCert.len, 3);
+ if (rv != SECSuccess) goto loser;
+ rv = ssl3_AppendToItem(&plaintext,
+ ss->sec.ci.sid->peerCert->derCert.data,
+ ss->sec.ci.sid->peerCert->derCert.len);
+ if (rv != SECSuccess) goto loser;
} else {
- rv = ssl3_AppendNumberToItem(&plaintext, 0, 1);
- if (rv != SECSuccess) goto loser;
+ rv = ssl3_AppendNumberToItem(&plaintext, 0, 1);
+ if (rv != SECSuccess) goto loser;
}
/* timestamp */
now = ssl_Time();
rv = ssl3_AppendNumberToItem(&plaintext, now,
- sizeof(ticket.ticket_lifetime_hint));
+ sizeof(ticket.ticket_lifetime_hint));
if (rv != SECSuccess) goto loser;
if (srvNameLen) {
@@ -1312,39 +1319,39 @@ ssl3_SendNewSessionTicket(sslSocket *ss)
PORT_Assert(plaintext.len == padding_length);
for (i = 0; i < padding_length; i++)
- plaintext.data[i] = (unsigned char)padding_length;
+ plaintext.data[i] = (unsigned char)padding_length;
if (SECITEM_AllocItem(NULL, &ciphertext, ciphertext_length) == NULL) {
- rv = SECFailure;
- goto loser;
+ rv = SECFailure;
+ goto loser;
}
/* Generate encrypted portion of ticket. */
#ifndef NO_PKCS11_BYPASS
if (ss->opt.bypassPKCS11) {
- aes_ctx = (AESContext *)aes_ctx_buf;
- rv = AES_InitContext(aes_ctx, aes_key, aes_key_length, iv,
- NSS_AES_CBC, 1, AES_BLOCK_SIZE);
- if (rv != SECSuccess) goto loser;
-
- rv = AES_Encrypt(aes_ctx, ciphertext.data, &ciphertext.len,
- ciphertext.len, plaintext_item.data,
- plaintext_item.len);
- if (rv != SECSuccess) goto loser;
- } else
+ aes_ctx = (AESContext *)aes_ctx_buf;
+ rv = AES_InitContext(aes_ctx, aes_key, aes_key_length, iv,
+ NSS_AES_CBC, 1, AES_BLOCK_SIZE);
+ if (rv != SECSuccess) goto loser;
+
+ rv = AES_Encrypt(aes_ctx, ciphertext.data, &ciphertext.len,
+ ciphertext.len, plaintext_item.data,
+ plaintext_item.len);
+ if (rv != SECSuccess) goto loser;
+ } else
#endif
{
- aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech,
- CKA_ENCRYPT, aes_key_pkcs11, &ivItem);
- if (!aes_ctx_pkcs11)
- goto loser;
+ aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech,
+ CKA_ENCRYPT, aes_key_pkcs11, &ivItem);
+ if (!aes_ctx_pkcs11)
+ goto loser;
- rv = PK11_CipherOp(aes_ctx_pkcs11, ciphertext.data,
- (int *)&ciphertext.len, ciphertext.len,
- plaintext_item.data, plaintext_item.len);
- PK11_Finalize(aes_ctx_pkcs11);
- PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE);
- if (rv != SECSuccess) goto loser;
+ rv = PK11_CipherOp(aes_ctx_pkcs11, ciphertext.data,
+ (int *)&ciphertext.len, ciphertext.len,
+ plaintext_item.data, plaintext_item.len);
+ PK11_Finalize(aes_ctx_pkcs11);
+ PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE);
+ if (rv != SECSuccess) goto loser;
}
/* Convert ciphertext length to network order. */
@@ -1354,40 +1361,40 @@ ssl3_SendNewSessionTicket(sslSocket *ss)
/* Compute MAC. */
#ifndef NO_PKCS11_BYPASS
if (ss->opt.bypassPKCS11) {
- hmac_ctx = (HMACContext *)hmac_ctx_buf;
- hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
- if (HMAC_Init(hmac_ctx, hashObj, mac_key,
- mac_key_length, PR_FALSE) != SECSuccess)
- goto loser;
+ hmac_ctx = (HMACContext *)hmac_ctx_buf;
+ hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
+ if (HMAC_Init(hmac_ctx, hashObj, mac_key,
+ mac_key_length, PR_FALSE) != SECSuccess)
+ goto loser;
- HMAC_Begin(hmac_ctx);
- HMAC_Update(hmac_ctx, key_name, SESS_TICKET_KEY_NAME_LEN);
- HMAC_Update(hmac_ctx, iv, sizeof(iv));
- HMAC_Update(hmac_ctx, (unsigned char *)length_buf, 2);
- HMAC_Update(hmac_ctx, ciphertext.data, ciphertext.len);
- HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length,
- sizeof(computed_mac));
- } else
+ HMAC_Begin(hmac_ctx);
+ HMAC_Update(hmac_ctx, key_name, SESS_TICKET_KEY_NAME_LEN);
+ HMAC_Update(hmac_ctx, iv, sizeof(iv));
+ HMAC_Update(hmac_ctx, (unsigned char *)length_buf, 2);
+ HMAC_Update(hmac_ctx, ciphertext.data, ciphertext.len);
+ HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length,
+ sizeof(computed_mac));
+ } else
#endif
{
- SECItem macParam;
- macParam.data = NULL;
- macParam.len = 0;
- hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech,
- CKA_SIGN, mac_key_pkcs11, &macParam);
- if (!hmac_ctx_pkcs11)
- goto loser;
+ SECItem macParam;
+ macParam.data = NULL;
+ macParam.len = 0;
+ hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech,
+ CKA_SIGN, mac_key_pkcs11, &macParam);
+ if (!hmac_ctx_pkcs11)
+ goto loser;
- rv = PK11_DigestBegin(hmac_ctx_pkcs11);
- rv = PK11_DigestOp(hmac_ctx_pkcs11, key_name,
- SESS_TICKET_KEY_NAME_LEN);
- rv = PK11_DigestOp(hmac_ctx_pkcs11, iv, sizeof(iv));
- rv = PK11_DigestOp(hmac_ctx_pkcs11, (unsigned char *)length_buf, 2);
- rv = PK11_DigestOp(hmac_ctx_pkcs11, ciphertext.data, ciphertext.len);
- rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac,
- &computed_mac_length, sizeof(computed_mac));
- PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE);
- if (rv != SECSuccess) goto loser;
+ rv = PK11_DigestBegin(hmac_ctx_pkcs11);
+ rv = PK11_DigestOp(hmac_ctx_pkcs11, key_name,
+ SESS_TICKET_KEY_NAME_LEN);
+ rv = PK11_DigestOp(hmac_ctx_pkcs11, iv, sizeof(iv));
+ rv = PK11_DigestOp(hmac_ctx_pkcs11, (unsigned char *)length_buf, 2);
+ rv = PK11_DigestOp(hmac_ctx_pkcs11, ciphertext.data, ciphertext.len);
+ rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac,
+ &computed_mac_length, sizeof(computed_mac));
+ PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE);
+ if (rv != SECSuccess) goto loser;
}
/* Serialize the handshake message. */
@@ -1395,11 +1402,11 @@ ssl3_SendNewSessionTicket(sslSocket *ss)
if (rv != SECSuccess) goto loser;
rv = ssl3_AppendHandshakeNumber(ss, ticket.ticket_lifetime_hint,
- sizeof(ticket.ticket_lifetime_hint));
+ sizeof(ticket.ticket_lifetime_hint));
if (rv != SECSuccess) goto loser;
rv = ssl3_AppendHandshakeNumber(ss,
- message_length - sizeof(ticket.ticket_lifetime_hint) - 2, 2);
+ message_length - sizeof(ticket.ticket_lifetime_hint) - 2, 2);
if (rv != SECSuccess) goto loser;
rv = ssl3_AppendHandshake(ss, key_name, SESS_TICKET_KEY_NAME_LEN);
@@ -1416,9 +1423,9 @@ ssl3_SendNewSessionTicket(sslSocket *ss)
loser:
if (plaintext_item.data)
- SECITEM_FreeItem(&plaintext_item, PR_FALSE);
+ SECITEM_FreeItem(&plaintext_item, PR_FALSE);
if (ciphertext.data)
- SECITEM_FreeItem(&ciphertext, PR_FALSE);
+ SECITEM_FreeItem(&ciphertext, PR_FALSE);
return rv;
}
@@ -1430,8 +1437,9 @@ SECStatus
ssl3_ClientHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
SECItem *data)
{
- if (data->len != 0)
- return SECFailure;
+ if (data->len != 0) {
+ return SECSuccess; /* Ignore the extension. */
+ }
/* Keep track of negotiated extensions. */
ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
@@ -1450,7 +1458,7 @@ ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
/* Ignore the SessionTicket extension if processing is disabled. */
if (!ss->opt.enableSessionTickets)
- return SECSuccess;
+ return SECSuccess;
/* Keep track of negotiated extensions. */
ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
@@ -1460,302 +1468,302 @@ ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
* instead of terminating the current connection.
*/
if (data->len == 0) {
- ss->xtnData.emptySessionTicket = PR_TRUE;
+ ss->xtnData.emptySessionTicket = PR_TRUE;
} else {
- int i;
- SECItem extension_data;
- EncryptedSessionTicket enc_session_ticket;
- unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH];
- unsigned int computed_mac_length;
+ int i;
+ SECItem extension_data;
+ EncryptedSessionTicket enc_session_ticket;
+ unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH];
+ unsigned int computed_mac_length;
#ifndef NO_PKCS11_BYPASS
- const SECHashObject *hashObj;
- const unsigned char *aes_key;
- const unsigned char *mac_key;
- PRUint32 aes_key_length;
- PRUint32 mac_key_length;
- PRUint64 hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS];
- HMACContext *hmac_ctx;
- PRUint64 aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS];
- AESContext *aes_ctx;
+ const SECHashObject *hashObj;
+ const unsigned char *aes_key;
+ const unsigned char *mac_key;
+ PRUint32 aes_key_length;
+ PRUint32 mac_key_length;
+ PRUint64 hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS];
+ HMACContext *hmac_ctx;
+ PRUint64 aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS];
+ AESContext *aes_ctx;
#endif
- PK11SymKey *aes_key_pkcs11;
- PK11SymKey *mac_key_pkcs11;
- PK11Context *hmac_ctx_pkcs11;
- CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC;
- PK11Context *aes_ctx_pkcs11;
- CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC;
- unsigned char * padding;
- PRUint32 padding_length;
- unsigned char *buffer;
- unsigned int buffer_len;
- PRInt32 temp;
- SECItem cert_item;
+ PK11SymKey *aes_key_pkcs11;
+ PK11SymKey *mac_key_pkcs11;
+ PK11Context *hmac_ctx_pkcs11;
+ CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC;
+ PK11Context *aes_ctx_pkcs11;
+ CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC;
+ unsigned char * padding;
+ PRUint32 padding_length;
+ unsigned char *buffer;
+ unsigned int buffer_len;
+ PRInt32 temp;
+ SECItem cert_item;
PRInt8 nameType = TLS_STE_NO_SERVER_NAME;
- /* Turn off stateless session resumption if the client sends a
- * SessionTicket extension, even if the extension turns out to be
- * malformed (ss->sec.ci.sid is non-NULL when doing session
- * renegotiation.)
- */
- if (ss->sec.ci.sid != NULL) {
- if (ss->sec.uncache)
- ss->sec.uncache(ss->sec.ci.sid);
- ssl_FreeSID(ss->sec.ci.sid);
- ss->sec.ci.sid = NULL;
- }
-
- extension_data.data = data->data; /* Keep a copy for future use. */
- extension_data.len = data->len;
-
- if (ssl3_ParseEncryptedSessionTicket(ss, data, &enc_session_ticket)
- != SECSuccess)
- return SECFailure;
-
- /* Get session ticket keys. */
+ /* Turn off stateless session resumption if the client sends a
+ * SessionTicket extension, even if the extension turns out to be
+ * malformed (ss->sec.ci.sid is non-NULL when doing session
+ * renegotiation.)
+ */
+ if (ss->sec.ci.sid != NULL) {
+ if (ss->sec.uncache)
+ ss->sec.uncache(ss->sec.ci.sid);
+ ssl_FreeSID(ss->sec.ci.sid);
+ ss->sec.ci.sid = NULL;
+ }
+
+ extension_data.data = data->data; /* Keep a copy for future use. */
+ extension_data.len = data->len;
+
+ if (ssl3_ParseEncryptedSessionTicket(ss, data, &enc_session_ticket)
+ != SECSuccess)
+ return SECFailure;
+
+ /* Get session ticket keys. */
#ifndef NO_PKCS11_BYPASS
- if (ss->opt.bypassPKCS11) {
- rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length,
- &mac_key, &mac_key_length);
- } else
+ if (ss->opt.bypassPKCS11) {
+ rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length,
+ &mac_key, &mac_key_length);
+ } else
#endif
- {
- rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11,
- &mac_key_pkcs11);
- }
- if (rv != SECSuccess) {
- SSL_DBG(("%d: SSL[%d]: Unable to get/generate session ticket keys.",
- SSL_GETPID(), ss->fd));
- goto loser;
- }
-
- /* If the ticket sent by the client was generated under a key different
- * from the one we have, bypass ticket processing.
- */
- if (PORT_Memcmp(enc_session_ticket.key_name, key_name,
- SESS_TICKET_KEY_NAME_LEN) != 0) {
- SSL_DBG(("%d: SSL[%d]: Session ticket key_name sent mismatch.",
- SSL_GETPID(), ss->fd));
- goto no_ticket;
- }
-
- /* Verify the MAC on the ticket. MAC verification may also
- * fail if the MAC key has been recently refreshed.
- */
+ {
+ rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11,
+ &mac_key_pkcs11);
+ }
+ if (rv != SECSuccess) {
+ SSL_DBG(("%d: SSL[%d]: Unable to get/generate session ticket keys.",
+ SSL_GETPID(), ss->fd));
+ goto loser;
+ }
+
+ /* If the ticket sent by the client was generated under a key different
+ * from the one we have, bypass ticket processing.
+ */
+ if (PORT_Memcmp(enc_session_ticket.key_name, key_name,
+ SESS_TICKET_KEY_NAME_LEN) != 0) {
+ SSL_DBG(("%d: SSL[%d]: Session ticket key_name sent mismatch.",
+ SSL_GETPID(), ss->fd));
+ goto no_ticket;
+ }
+
+ /* Verify the MAC on the ticket. MAC verification may also
+ * fail if the MAC key has been recently refreshed.
+ */
#ifndef NO_PKCS11_BYPASS
- if (ss->opt.bypassPKCS11) {
- hmac_ctx = (HMACContext *)hmac_ctx_buf;
- hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
- if (HMAC_Init(hmac_ctx, hashObj, mac_key,
- sizeof(session_ticket_mac_key), PR_FALSE) != SECSuccess)
- goto no_ticket;
- HMAC_Begin(hmac_ctx);
- HMAC_Update(hmac_ctx, extension_data.data,
- extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH);
- if (HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length,
- sizeof(computed_mac)) != SECSuccess)
- goto no_ticket;
- } else
+ if (ss->opt.bypassPKCS11) {
+ hmac_ctx = (HMACContext *)hmac_ctx_buf;
+ hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
+ if (HMAC_Init(hmac_ctx, hashObj, mac_key,
+ sizeof(session_ticket_mac_key), PR_FALSE) != SECSuccess)
+ goto no_ticket;
+ HMAC_Begin(hmac_ctx);
+ HMAC_Update(hmac_ctx, extension_data.data,
+ extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH);
+ if (HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length,
+ sizeof(computed_mac)) != SECSuccess)
+ goto no_ticket;
+ } else
#endif
- {
- SECItem macParam;
- macParam.data = NULL;
- macParam.len = 0;
- hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech,
- CKA_SIGN, mac_key_pkcs11, &macParam);
- if (!hmac_ctx_pkcs11) {
- SSL_DBG(("%d: SSL[%d]: Unable to create HMAC context: %d.",
- SSL_GETPID(), ss->fd, PORT_GetError()));
- goto no_ticket;
- } else {
- SSL_DBG(("%d: SSL[%d]: Successfully created HMAC context.",
- SSL_GETPID(), ss->fd));
- }
- rv = PK11_DigestBegin(hmac_ctx_pkcs11);
- rv = PK11_DigestOp(hmac_ctx_pkcs11, extension_data.data,
- extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH);
- if (rv != SECSuccess) {
- PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE);
- goto no_ticket;
- }
- rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac,
- &computed_mac_length, sizeof(computed_mac));
- PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE);
- if (rv != SECSuccess)
- goto no_ticket;
- }
- if (NSS_SecureMemcmp(computed_mac, enc_session_ticket.mac,
- computed_mac_length) != 0) {
- SSL_DBG(("%d: SSL[%d]: Session ticket MAC mismatch.",
- SSL_GETPID(), ss->fd));
- goto no_ticket;
- }
-
- /* We ignore key_name for now.
- * This is ok as MAC verification succeeded.
- */
-
- /* Decrypt the ticket. */
-
- /* Plaintext is shorter than the ciphertext due to padding. */
- decrypted_state = SECITEM_AllocItem(NULL, NULL,
- enc_session_ticket.encrypted_state.len);
+ {
+ SECItem macParam;
+ macParam.data = NULL;
+ macParam.len = 0;
+ hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech,
+ CKA_SIGN, mac_key_pkcs11, &macParam);
+ if (!hmac_ctx_pkcs11) {
+ SSL_DBG(("%d: SSL[%d]: Unable to create HMAC context: %d.",
+ SSL_GETPID(), ss->fd, PORT_GetError()));
+ goto no_ticket;
+ } else {
+ SSL_DBG(("%d: SSL[%d]: Successfully created HMAC context.",
+ SSL_GETPID(), ss->fd));
+ }
+ rv = PK11_DigestBegin(hmac_ctx_pkcs11);
+ rv = PK11_DigestOp(hmac_ctx_pkcs11, extension_data.data,
+ extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH);
+ if (rv != SECSuccess) {
+ PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE);
+ goto no_ticket;
+ }
+ rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac,
+ &computed_mac_length, sizeof(computed_mac));
+ PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE);
+ if (rv != SECSuccess)
+ goto no_ticket;
+ }
+ if (NSS_SecureMemcmp(computed_mac, enc_session_ticket.mac,
+ computed_mac_length) != 0) {
+ SSL_DBG(("%d: SSL[%d]: Session ticket MAC mismatch.",
+ SSL_GETPID(), ss->fd));
+ goto no_ticket;
+ }
+
+ /* We ignore key_name for now.
+ * This is ok as MAC verification succeeded.
+ */
+
+ /* Decrypt the ticket. */
+
+ /* Plaintext is shorter than the ciphertext due to padding. */
+ decrypted_state = SECITEM_AllocItem(NULL, NULL,
+ enc_session_ticket.encrypted_state.len);
#ifndef NO_PKCS11_BYPASS
- if (ss->opt.bypassPKCS11) {
- aes_ctx = (AESContext *)aes_ctx_buf;
- rv = AES_InitContext(aes_ctx, aes_key,
- sizeof(session_ticket_enc_key), enc_session_ticket.iv,
- NSS_AES_CBC, 0,AES_BLOCK_SIZE);
- if (rv != SECSuccess) {
- SSL_DBG(("%d: SSL[%d]: Unable to create AES context.",
- SSL_GETPID(), ss->fd));
- goto no_ticket;
- }
-
- rv = AES_Decrypt(aes_ctx, decrypted_state->data,
- &decrypted_state->len, decrypted_state->len,
- enc_session_ticket.encrypted_state.data,
- enc_session_ticket.encrypted_state.len);
- if (rv != SECSuccess)
- goto no_ticket;
- } else
+ if (ss->opt.bypassPKCS11) {
+ aes_ctx = (AESContext *)aes_ctx_buf;
+ rv = AES_InitContext(aes_ctx, aes_key,
+ sizeof(session_ticket_enc_key), enc_session_ticket.iv,
+ NSS_AES_CBC, 0,AES_BLOCK_SIZE);
+ if (rv != SECSuccess) {
+ SSL_DBG(("%d: SSL[%d]: Unable to create AES context.",
+ SSL_GETPID(), ss->fd));
+ goto no_ticket;
+ }
+
+ rv = AES_Decrypt(aes_ctx, decrypted_state->data,
+ &decrypted_state->len, decrypted_state->len,
+ enc_session_ticket.encrypted_state.data,
+ enc_session_ticket.encrypted_state.len);
+ if (rv != SECSuccess)
+ goto no_ticket;
+ } else
#endif
- {
- SECItem ivItem;
- ivItem.data = enc_session_ticket.iv;
- ivItem.len = AES_BLOCK_SIZE;
- aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech,
- CKA_DECRYPT, aes_key_pkcs11, &ivItem);
- if (!aes_ctx_pkcs11) {
- SSL_DBG(("%d: SSL[%d]: Unable to create AES context.",
- SSL_GETPID(), ss->fd));
- goto no_ticket;
- }
-
- rv = PK11_CipherOp(aes_ctx_pkcs11, decrypted_state->data,
- (int *)&decrypted_state->len, decrypted_state->len,
- enc_session_ticket.encrypted_state.data,
- enc_session_ticket.encrypted_state.len);
- PK11_Finalize(aes_ctx_pkcs11);
- PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE);
- if (rv != SECSuccess)
- goto no_ticket;
- }
-
- /* Check padding. */
- padding_length =
- (PRUint32)decrypted_state->data[decrypted_state->len - 1];
- if (padding_length == 0 || padding_length > AES_BLOCK_SIZE)
- goto no_ticket;
-
- padding = &decrypted_state->data[decrypted_state->len - padding_length];
- for (i = 0; i < padding_length; i++, padding++) {
- if (padding_length != (PRUint32)*padding)
- goto no_ticket;
- }
-
- /* Deserialize session state. */
- buffer = decrypted_state->data;
- buffer_len = decrypted_state->len;
-
- parsed_session_ticket = PORT_ZAlloc(sizeof(SessionTicket));
- if (parsed_session_ticket == NULL) {
- rv = SECFailure;
- goto loser;
- }
-
- /* Read ticket_version (which is ignored for now.) */
- temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
- if (temp < 0) goto no_ticket;
- parsed_session_ticket->ticket_version = (SSL3ProtocolVersion)temp;
-
- /* Read SSLVersion. */
- temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
- if (temp < 0) goto no_ticket;
- parsed_session_ticket->ssl_version = (SSL3ProtocolVersion)temp;
-
- /* Read cipher_suite. */
- temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
- if (temp < 0) goto no_ticket;
- parsed_session_ticket->cipher_suite = (ssl3CipherSuite)temp;
-
- /* Read compression_method. */
- temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
- if (temp < 0) goto no_ticket;
- parsed_session_ticket->compression_method = (SSLCompressionMethod)temp;
-
- /* Read cipher spec parameters. */
- temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
- if (temp < 0) goto no_ticket;
- parsed_session_ticket->authAlgorithm = (SSLSignType)temp;
- temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
- if (temp < 0) goto no_ticket;
- parsed_session_ticket->authKeyBits = (PRUint32)temp;
- temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
- if (temp < 0) goto no_ticket;
- parsed_session_ticket->keaType = (SSLKEAType)temp;
- temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
- if (temp < 0) goto no_ticket;
- parsed_session_ticket->keaKeyBits = (PRUint32)temp;
-
- /* Read wrapped master_secret. */
- temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
- if (temp < 0) goto no_ticket;
- parsed_session_ticket->ms_is_wrapped = (PRBool)temp;
-
- temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
- if (temp < 0) goto no_ticket;
- parsed_session_ticket->exchKeyType = (SSL3KEAType)temp;
-
- temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
- if (temp < 0) goto no_ticket;
- parsed_session_ticket->msWrapMech = (CK_MECHANISM_TYPE)temp;
-
- temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
- if (temp < 0) goto no_ticket;
- parsed_session_ticket->ms_length = (PRUint16)temp;
- if (parsed_session_ticket->ms_length == 0 || /* sanity check MS. */
- parsed_session_ticket->ms_length >
- sizeof(parsed_session_ticket->master_secret))
- goto no_ticket;
-
- /* Allow for the wrapped master secret to be longer. */
- if (buffer_len < parsed_session_ticket->ms_length)
- goto no_ticket;
- PORT_Memcpy(parsed_session_ticket->master_secret, buffer,
- parsed_session_ticket->ms_length);
- buffer += parsed_session_ticket->ms_length;
- buffer_len -= parsed_session_ticket->ms_length;
-
- /* Read client_identity */
- temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
- if (temp < 0)
- goto no_ticket;
- parsed_session_ticket->client_identity.client_auth_type =
- (ClientAuthenticationType)temp;
- switch(parsed_session_ticket->client_identity.client_auth_type) {
+ {
+ SECItem ivItem;
+ ivItem.data = enc_session_ticket.iv;
+ ivItem.len = AES_BLOCK_SIZE;
+ aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech,
+ CKA_DECRYPT, aes_key_pkcs11, &ivItem);
+ if (!aes_ctx_pkcs11) {
+ SSL_DBG(("%d: SSL[%d]: Unable to create AES context.",
+ SSL_GETPID(), ss->fd));
+ goto no_ticket;
+ }
+
+ rv = PK11_CipherOp(aes_ctx_pkcs11, decrypted_state->data,
+ (int *)&decrypted_state->len, decrypted_state->len,
+ enc_session_ticket.encrypted_state.data,
+ enc_session_ticket.encrypted_state.len);
+ PK11_Finalize(aes_ctx_pkcs11);
+ PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE);
+ if (rv != SECSuccess)
+ goto no_ticket;
+ }
+
+ /* Check padding. */
+ padding_length =
+ (PRUint32)decrypted_state->data[decrypted_state->len - 1];
+ if (padding_length == 0 || padding_length > AES_BLOCK_SIZE)
+ goto no_ticket;
+
+ padding = &decrypted_state->data[decrypted_state->len - padding_length];
+ for (i = 0; i < padding_length; i++, padding++) {
+ if (padding_length != (PRUint32)*padding)
+ goto no_ticket;
+ }
+
+ /* Deserialize session state. */
+ buffer = decrypted_state->data;
+ buffer_len = decrypted_state->len;
+
+ parsed_session_ticket = PORT_ZAlloc(sizeof(SessionTicket));
+ if (parsed_session_ticket == NULL) {
+ rv = SECFailure;
+ goto loser;
+ }
+
+ /* Read ticket_version (which is ignored for now.) */
+ temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
+ if (temp < 0) goto no_ticket;
+ parsed_session_ticket->ticket_version = (SSL3ProtocolVersion)temp;
+
+ /* Read SSLVersion. */
+ temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
+ if (temp < 0) goto no_ticket;
+ parsed_session_ticket->ssl_version = (SSL3ProtocolVersion)temp;
+
+ /* Read cipher_suite. */
+ temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
+ if (temp < 0) goto no_ticket;
+ parsed_session_ticket->cipher_suite = (ssl3CipherSuite)temp;
+
+ /* Read compression_method. */
+ temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
+ if (temp < 0) goto no_ticket;
+ parsed_session_ticket->compression_method = (SSLCompressionMethod)temp;
+
+ /* Read cipher spec parameters. */
+ temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
+ if (temp < 0) goto no_ticket;
+ parsed_session_ticket->authAlgorithm = (SSLSignType)temp;
+ temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
+ if (temp < 0) goto no_ticket;
+ parsed_session_ticket->authKeyBits = (PRUint32)temp;
+ temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
+ if (temp < 0) goto no_ticket;
+ parsed_session_ticket->keaType = (SSLKEAType)temp;
+ temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
+ if (temp < 0) goto no_ticket;
+ parsed_session_ticket->keaKeyBits = (PRUint32)temp;
+
+ /* Read wrapped master_secret. */
+ temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
+ if (temp < 0) goto no_ticket;
+ parsed_session_ticket->ms_is_wrapped = (PRBool)temp;
+
+ temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
+ if (temp < 0) goto no_ticket;
+ parsed_session_ticket->exchKeyType = (SSL3KEAType)temp;
+
+ temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
+ if (temp < 0) goto no_ticket;
+ parsed_session_ticket->msWrapMech = (CK_MECHANISM_TYPE)temp;
+
+ temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
+ if (temp < 0) goto no_ticket;
+ parsed_session_ticket->ms_length = (PRUint16)temp;
+ if (parsed_session_ticket->ms_length == 0 || /* sanity check MS. */
+ parsed_session_ticket->ms_length >
+ sizeof(parsed_session_ticket->master_secret))
+ goto no_ticket;
+
+ /* Allow for the wrapped master secret to be longer. */
+ if (buffer_len < parsed_session_ticket->ms_length)
+ goto no_ticket;
+ PORT_Memcpy(parsed_session_ticket->master_secret, buffer,
+ parsed_session_ticket->ms_length);
+ buffer += parsed_session_ticket->ms_length;
+ buffer_len -= parsed_session_ticket->ms_length;
+
+ /* Read client_identity */
+ temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
+ if (temp < 0)
+ goto no_ticket;
+ parsed_session_ticket->client_identity.client_auth_type =
+ (ClientAuthenticationType)temp;
+ switch(parsed_session_ticket->client_identity.client_auth_type) {
case CLIENT_AUTH_ANONYMOUS:
- break;
+ break;
case CLIENT_AUTH_CERTIFICATE:
- rv = ssl3_ConsumeHandshakeVariable(ss, &cert_item, 3,
- &buffer, &buffer_len);
- if (rv != SECSuccess) goto no_ticket;
- rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->peer_cert,
- &cert_item);
- if (rv != SECSuccess) goto no_ticket;
- break;
+ rv = ssl3_ConsumeHandshakeVariable(ss, &cert_item, 3,
+ &buffer, &buffer_len);
+ if (rv != SECSuccess) goto no_ticket;
+ rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->peer_cert,
+ &cert_item);
+ if (rv != SECSuccess) goto no_ticket;
+ break;
default:
- goto no_ticket;
- }
- /* Read timestamp. */
- temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
- if (temp < 0)
- goto no_ticket;
- parsed_session_ticket->timestamp = (PRUint32)temp;
+ goto no_ticket;
+ }
+ /* Read timestamp. */
+ temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
+ if (temp < 0)
+ goto no_ticket;
+ parsed_session_ticket->timestamp = (PRUint32)temp;
/* Read server name */
nameType =
- ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
+ ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
if (nameType != TLS_STE_NO_SERVER_NAME) {
SECItem name_item;
rv = ssl3_ConsumeHandshakeVariable(ss, &name_item, 2, &buffer,
@@ -1767,99 +1775,99 @@ ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
parsed_session_ticket->srvName.type = nameType;
}
- /* Done parsing. Check that all bytes have been consumed. */
- if (buffer_len != padding_length)
- goto no_ticket;
-
- /* Use the ticket if it has not expired, otherwise free the allocated
- * memory since the ticket is of no use.
- */
- if (parsed_session_ticket->timestamp != 0 &&
- parsed_session_ticket->timestamp +
- TLS_EX_SESS_TICKET_LIFETIME_HINT > ssl_Time()) {
-
- sid = ssl3_NewSessionID(ss, PR_TRUE);
- if (sid == NULL) {
- rv = SECFailure;
- goto loser;
- }
-
- /* Copy over parameters. */
- sid->version = parsed_session_ticket->ssl_version;
- sid->u.ssl3.cipherSuite = parsed_session_ticket->cipher_suite;
- sid->u.ssl3.compression = parsed_session_ticket->compression_method;
- sid->authAlgorithm = parsed_session_ticket->authAlgorithm;
- sid->authKeyBits = parsed_session_ticket->authKeyBits;
- sid->keaType = parsed_session_ticket->keaType;
- sid->keaKeyBits = parsed_session_ticket->keaKeyBits;
-
- /* Copy master secret. */
+ /* Done parsing. Check that all bytes have been consumed. */
+ if (buffer_len != padding_length)
+ goto no_ticket;
+
+ /* Use the ticket if it has not expired, otherwise free the allocated
+ * memory since the ticket is of no use.
+ */
+ if (parsed_session_ticket->timestamp != 0 &&
+ parsed_session_ticket->timestamp +
+ TLS_EX_SESS_TICKET_LIFETIME_HINT > ssl_Time()) {
+
+ sid = ssl3_NewSessionID(ss, PR_TRUE);
+ if (sid == NULL) {
+ rv = SECFailure;
+ goto loser;
+ }
+
+ /* Copy over parameters. */
+ sid->version = parsed_session_ticket->ssl_version;
+ sid->u.ssl3.cipherSuite = parsed_session_ticket->cipher_suite;
+ sid->u.ssl3.compression = parsed_session_ticket->compression_method;
+ sid->authAlgorithm = parsed_session_ticket->authAlgorithm;
+ sid->authKeyBits = parsed_session_ticket->authKeyBits;
+ sid->keaType = parsed_session_ticket->keaType;
+ sid->keaKeyBits = parsed_session_ticket->keaKeyBits;
+
+ /* Copy master secret. */
#ifndef NO_PKCS11_BYPASS
- if (ss->opt.bypassPKCS11 &&
- parsed_session_ticket->ms_is_wrapped)
- goto no_ticket;
+ if (ss->opt.bypassPKCS11 &&
+ parsed_session_ticket->ms_is_wrapped)
+ goto no_ticket;
#endif
- if (parsed_session_ticket->ms_length >
- sizeof(sid->u.ssl3.keys.wrapped_master_secret))
- goto no_ticket;
- PORT_Memcpy(sid->u.ssl3.keys.wrapped_master_secret,
- parsed_session_ticket->master_secret,
- parsed_session_ticket->ms_length);
- sid->u.ssl3.keys.wrapped_master_secret_len =
- parsed_session_ticket->ms_length;
- sid->u.ssl3.exchKeyType = parsed_session_ticket->exchKeyType;
- sid->u.ssl3.masterWrapMech = parsed_session_ticket->msWrapMech;
- sid->u.ssl3.keys.msIsWrapped =
- parsed_session_ticket->ms_is_wrapped;
- sid->u.ssl3.masterValid = PR_TRUE;
- sid->u.ssl3.keys.resumable = PR_TRUE;
-
- /* Copy over client cert from session ticket if there is one. */
- if (parsed_session_ticket->peer_cert.data != NULL) {
- if (sid->peerCert != NULL)
- CERT_DestroyCertificate(sid->peerCert);
- sid->peerCert = CERT_NewTempCertificate(ss->dbHandle,
- &parsed_session_ticket->peer_cert, NULL, PR_FALSE, PR_TRUE);
- if (sid->peerCert == NULL) {
- rv = SECFailure;
- goto loser;
- }
- }
- if (parsed_session_ticket->srvName.data != NULL) {
+ if (parsed_session_ticket->ms_length >
+ sizeof(sid->u.ssl3.keys.wrapped_master_secret))
+ goto no_ticket;
+ PORT_Memcpy(sid->u.ssl3.keys.wrapped_master_secret,
+ parsed_session_ticket->master_secret,
+ parsed_session_ticket->ms_length);
+ sid->u.ssl3.keys.wrapped_master_secret_len =
+ parsed_session_ticket->ms_length;
+ sid->u.ssl3.exchKeyType = parsed_session_ticket->exchKeyType;
+ sid->u.ssl3.masterWrapMech = parsed_session_ticket->msWrapMech;
+ sid->u.ssl3.keys.msIsWrapped =
+ parsed_session_ticket->ms_is_wrapped;
+ sid->u.ssl3.masterValid = PR_TRUE;
+ sid->u.ssl3.keys.resumable = PR_TRUE;
+
+ /* Copy over client cert from session ticket if there is one. */
+ if (parsed_session_ticket->peer_cert.data != NULL) {
+ if (sid->peerCert != NULL)
+ CERT_DestroyCertificate(sid->peerCert);
+ sid->peerCert = CERT_NewTempCertificate(ss->dbHandle,
+ &parsed_session_ticket->peer_cert, NULL, PR_FALSE, PR_TRUE);
+ if (sid->peerCert == NULL) {
+ rv = SECFailure;
+ goto loser;
+ }
+ }
+ if (parsed_session_ticket->srvName.data != NULL) {
sid->u.ssl3.srvName = parsed_session_ticket->srvName;
}
- ss->statelessResume = PR_TRUE;
- ss->sec.ci.sid = sid;
- }
+ ss->statelessResume = PR_TRUE;
+ ss->sec.ci.sid = sid;
+ }
}
if (0) {
no_ticket:
- SSL_DBG(("%d: SSL[%d]: Session ticket parsing failed.",
- SSL_GETPID(), ss->fd));
- ssl3stats = SSL_GetStatistics();
- SSL_AtomicIncrementLong(& ssl3stats->hch_sid_ticket_parse_failures );
+ SSL_DBG(("%d: SSL[%d]: Session ticket parsing failed.",
+ SSL_GETPID(), ss->fd));
+ ssl3stats = SSL_GetStatistics();
+ SSL_AtomicIncrementLong(& ssl3stats->hch_sid_ticket_parse_failures );
}
rv = SECSuccess;
loser:
- /* ss->sec.ci.sid == sid if it did NOT come here via goto statement
- * in that case do not free sid
- */
- if (sid && (ss->sec.ci.sid != sid)) {
- ssl_FreeSID(sid);
- sid = NULL;
- }
+ /* ss->sec.ci.sid == sid if it did NOT come here via goto statement
+ * in that case do not free sid
+ */
+ if (sid && (ss->sec.ci.sid != sid)) {
+ ssl_FreeSID(sid);
+ sid = NULL;
+ }
if (decrypted_state != NULL) {
- SECITEM_FreeItem(decrypted_state, PR_TRUE);
- decrypted_state = NULL;
+ SECITEM_FreeItem(decrypted_state, PR_TRUE);
+ decrypted_state = NULL;
}
if (parsed_session_ticket != NULL) {
- if (parsed_session_ticket->peer_cert.data) {
- SECITEM_FreeItem(&parsed_session_ticket->peer_cert, PR_FALSE);
- }
- PORT_ZFree(parsed_session_ticket, sizeof(SessionTicket));
+ if (parsed_session_ticket->peer_cert.data) {
+ SECITEM_FreeItem(&parsed_session_ticket->peer_cert, PR_FALSE);
+ }
+ PORT_ZFree(parsed_session_ticket, sizeof(SessionTicket));
}
return rv;
@@ -1870,11 +1878,11 @@ loser:
* cannot be freed. The caller is expected to call this function
* on a shallow copy of the structure.
*/
-static SECStatus
+static SECStatus
ssl3_ConsumeFromItem(SECItem *item, unsigned char **buf, PRUint32 bytes)
{
if (bytes > item->len)
- return SECFailure;
+ return SECFailure;
*buf = item->data;
item->data += bytes;
@@ -1887,30 +1895,30 @@ ssl3_ParseEncryptedSessionTicket(sslSocket *ss, SECItem *data,
EncryptedSessionTicket *enc_session_ticket)
{
if (ssl3_ConsumeFromItem(data, &enc_session_ticket->key_name,
- SESS_TICKET_KEY_NAME_LEN) != SECSuccess)
- return SECFailure;
+ SESS_TICKET_KEY_NAME_LEN) != SECSuccess)
+ return SECFailure;
if (ssl3_ConsumeFromItem(data, &enc_session_ticket->iv,
- AES_BLOCK_SIZE) != SECSuccess)
- return SECFailure;
+ AES_BLOCK_SIZE) != SECSuccess)
+ return SECFailure;
if (ssl3_ConsumeHandshakeVariable(ss, &enc_session_ticket->encrypted_state,
- 2, &data->data, &data->len) != SECSuccess)
- return SECFailure;
+ 2, &data->data, &data->len) != SECSuccess)
+ return SECFailure;
if (ssl3_ConsumeFromItem(data, &enc_session_ticket->mac,
- TLS_EX_SESS_TICKET_MAC_LENGTH) != SECSuccess)
- return SECFailure;
+ TLS_EX_SESS_TICKET_MAC_LENGTH) != SECSuccess)
+ return SECFailure;
if (data->len != 0) /* Make sure that we have consumed all bytes. */
- return SECFailure;
+ return SECFailure;
return SECSuccess;
}
/* go through hello extensions in buffer "b".
- * For each one, find the extension handler in the table, and
- * if present, invoke that handler.
+ * For each one, find the extension handler in the table, and
+ * if present, invoke that handler.
* Servers ignore any extensions with unknown extension types.
* Clients reject any extensions with unadvertised extension types.
*/
-SECStatus
+SECStatus
ssl3_HandleHelloExtensions(sslSocket *ss, SSL3Opaque **b, PRUint32 *length)
{
const ssl3HelloExtensionHandler * handlers;
@@ -1924,68 +1932,68 @@ ssl3_HandleHelloExtensions(sslSocket *ss, SSL3Opaque **b, PRUint32 *length)
}
while (*length) {
- const ssl3HelloExtensionHandler * handler;
- SECStatus rv;
- PRInt32 extension_type;
- SECItem extension_data;
+ const ssl3HelloExtensionHandler * handler;
+ SECStatus rv;
+ PRInt32 extension_type;
+ SECItem extension_data;
- /* Get the extension's type field */
- extension_type = ssl3_ConsumeHandshakeNumber(ss, 2, b, length);
- if (extension_type < 0) /* failure to decode extension_type */
- return SECFailure; /* alert already sent */
+ /* Get the extension's type field */
+ extension_type = ssl3_ConsumeHandshakeNumber(ss, 2, b, length);
+ if (extension_type < 0) /* failure to decode extension_type */
+ return SECFailure; /* alert already sent */
- /* get the data for this extension, so we can pass it or skip it. */
- rv = ssl3_ConsumeHandshakeVariable(ss, &extension_data, 2, b, length);
- if (rv != SECSuccess)
- return rv;
-
- /* Check whether the server sent an extension which was not advertised
- * in the ClientHello.
- */
- if (!ss->sec.isServer &&
- !ssl3_ClientExtensionAdvertised(ss, extension_type))
- return SECFailure; /* TODO: send unsupported_extension alert */
-
- /* Check whether an extension has been sent multiple times. */
- if (ssl3_ExtensionNegotiated(ss, extension_type))
- return SECFailure;
-
- /* find extension_type in table of Hello Extension Handlers */
- for (handler = handlers; handler->ex_type >= 0; handler++) {
- /* if found, call this handler */
- if (handler->ex_type == extension_type) {
- rv = (*handler->ex_handler)(ss, (PRUint16)extension_type,
- &extension_data);
- /* Ignore this result */
- /* Treat all bad extensions as unrecognized types. */
- break;
- }
- }
+ /* get the data for this extension, so we can pass it or skip it. */
+ rv = ssl3_ConsumeHandshakeVariable(ss, &extension_data, 2, b, length);
+ if (rv != SECSuccess)
+ return rv;
+
+ /* Check whether the server sent an extension which was not advertised
+ * in the ClientHello.
+ */
+ if (!ss->sec.isServer &&
+ !ssl3_ClientExtensionAdvertised(ss, extension_type))
+ return SECFailure; /* TODO: send unsupported_extension alert */
+
+ /* Check whether an extension has been sent multiple times. */
+ if (ssl3_ExtensionNegotiated(ss, extension_type))
+ return SECFailure;
+
+ /* find extension_type in table of Hello Extension Handlers */
+ for (handler = handlers; handler->ex_type >= 0; handler++) {
+ /* if found, call this handler */
+ if (handler->ex_type == extension_type) {
+ rv = (*handler->ex_handler)(ss, (PRUint16)extension_type,
+ &extension_data);
+ /* Ignore this result */
+ /* Treat all bad extensions as unrecognized types. */
+ break;
+ }
+ }
}
return SECSuccess;
}
/* Add a callback function to the table of senders of server hello extensions.
*/
-SECStatus
+SECStatus
ssl3_RegisterServerHelloExtensionSender(sslSocket *ss, PRUint16 ex_type,
- ssl3HelloExtensionSenderFunc cb)
+ ssl3HelloExtensionSenderFunc cb)
{
int i;
ssl3HelloExtensionSender *sender = &ss->xtnData.serverSenders[0];
for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) {
if (!sender->ex_sender) {
- sender->ex_type = ex_type;
- sender->ex_sender = cb;
- return SECSuccess;
- }
- /* detect duplicate senders */
- PORT_Assert(sender->ex_type != ex_type);
- if (sender->ex_type == ex_type) {
- /* duplicate */
- break;
- }
+ sender->ex_type = ex_type;
+ sender->ex_sender = cb;
+ return SECSuccess;
+ }
+ /* detect duplicate senders */
+ PORT_Assert(sender->ex_type != ex_type);
+ if (sender->ex_type == ex_type) {
+ /* duplicate */
+ break;
+ }
}
PORT_Assert(i < SSL_MAX_EXTENSIONS); /* table needs to grow */
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
@@ -2001,18 +2009,18 @@ ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes,
int i;
if (!sender) {
- sender = ss->version > SSL_LIBRARY_VERSION_3_0 ?
+ sender = ss->version > SSL_LIBRARY_VERSION_3_0 ?
&clientHelloSendersTLS[0] : &clientHelloSendersSSL3[0];
}
for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) {
- if (sender->ex_sender) {
- PRInt32 extLen = (*sender->ex_sender)(ss, append, maxBytes);
- if (extLen < 0)
- return -1;
- maxBytes -= extLen;
- total_exten_len += extLen;
- }
+ if (sender->ex_sender) {
+ PRInt32 extLen = (*sender->ex_sender)(ss, append, maxBytes);
+ if (extLen < 0)
+ return -1;
+ maxBytes -= extLen;
+ total_exten_len += extLen;
+ }
}
return total_exten_len;
}
@@ -2025,48 +2033,48 @@ ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes,
* Verify Data (TLS): 12 bytes (client) or 24 bytes (server)
* Verify Data (SSL): 36 bytes (client) or 72 bytes (server)
*/
-static PRInt32
+static PRInt32
ssl3_SendRenegotiationInfoXtn(
- sslSocket * ss,
- PRBool append,
- PRUint32 maxBytes)
+ sslSocket * ss,
+ PRBool append,
+ PRUint32 maxBytes)
{
PRInt32 len, needed;
/* In draft-ietf-tls-renegotiation-03, it is NOT RECOMMENDED to send
- * both the SCSV and the empty RI, so when we send SCSV in
+ * both the SCSV and the empty RI, so when we send SCSV in
* the initial handshake, we don't also send RI.
*/
if (!ss || ss->ssl3.hs.sendingSCSV)
- return 0;
- len = !ss->firstHsDone ? 0 :
- (ss->sec.isServer ? ss->ssl3.hs.finishedBytes * 2
- : ss->ssl3.hs.finishedBytes);
+ return 0;
+ len = !ss->firstHsDone ? 0 :
+ (ss->sec.isServer ? ss->ssl3.hs.finishedBytes * 2
+ : ss->ssl3.hs.finishedBytes);
needed = 5 + len;
if (append && maxBytes >= needed) {
- SECStatus rv;
- /* extension_type */
- rv = ssl3_AppendHandshakeNumber(ss, ssl_renegotiation_info_xtn, 2);
- if (rv != SECSuccess) return -1;
- /* length of extension_data */
- rv = ssl3_AppendHandshakeNumber(ss, len + 1, 2);
- if (rv != SECSuccess) return -1;
- /* verify_Data from previous Finished message(s) */
- rv = ssl3_AppendHandshakeVariable(ss,
- ss->ssl3.hs.finishedMsgs.data, len, 1);
- if (rv != SECSuccess) return -1;
- if (!ss->sec.isServer) {
- TLSExtensionData *xtnData = &ss->xtnData;
- xtnData->advertised[xtnData->numAdvertised++] =
- ssl_renegotiation_info_xtn;
- }
+ SECStatus rv;
+ /* extension_type */
+ rv = ssl3_AppendHandshakeNumber(ss, ssl_renegotiation_info_xtn, 2);
+ if (rv != SECSuccess) return -1;
+ /* length of extension_data */
+ rv = ssl3_AppendHandshakeNumber(ss, len + 1, 2);
+ if (rv != SECSuccess) return -1;
+ /* verify_Data from previous Finished message(s) */
+ rv = ssl3_AppendHandshakeVariable(ss,
+ ss->ssl3.hs.finishedMsgs.data, len, 1);
+ if (rv != SECSuccess) return -1;
+ if (!ss->sec.isServer) {
+ TLSExtensionData *xtnData = &ss->xtnData;
+ xtnData->advertised[xtnData->numAdvertised++] =
+ ssl_renegotiation_info_xtn;
+ }
}
return needed;
}
static SECStatus
ssl3_ServerHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type,
- SECItem *data)
+ SECItem *data)
{
SECStatus rv = SECSuccess;
@@ -2075,7 +2083,7 @@ ssl3_ServerHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type,
PORT_Assert(ss->sec.isServer);
/* prepare to send back the appropriate response */
rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type,
- ssl3_ServerSendStatusRequestXtn);
+ ssl3_ServerSendStatusRequestXtn);
return rv;
}
@@ -2087,25 +2095,25 @@ ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
PRUint32 len = 0;
if (ss->firstHsDone) {
- len = ss->sec.isServer ? ss->ssl3.hs.finishedBytes
- : ss->ssl3.hs.finishedBytes * 2;
+ len = ss->sec.isServer ? ss->ssl3.hs.finishedBytes
+ : ss->ssl3.hs.finishedBytes * 2;
}
if (data->len != 1 + len ||
- data->data[0] != len || (len &&
- NSS_SecureMemcmp(ss->ssl3.hs.finishedMsgs.data,
- data->data + 1, len))) {
- /* Can we do this here? Or, must we arrange for the caller to do it? */
- (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure);
- PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
- return SECFailure;
+ data->data[0] != len || (len &&
+ NSS_SecureMemcmp(ss->ssl3.hs.finishedMsgs.data,
+ data->data + 1, len))) {
+ /* Can we do this here? Or, must we arrange for the caller to do it? */
+ (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure);
+ PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
+ return SECFailure;
}
/* remember that we got this extension and it was correct. */
ss->peerRequestedProtection = 1;
ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
if (ss->sec.isServer) {
- /* prepare to send back the appropriate response */
- rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type,
- ssl3_SendRenegotiationInfoXtn);
+ /* prepare to send back the appropriate response */
+ rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type,
+ ssl3_SendRenegotiationInfoXtn);
}
return rv;
}
@@ -2118,60 +2126,60 @@ ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes)
SECStatus rv;
if (!ss)
- return 0;
+ return 0;
if (!ss->sec.isServer) {
- /* Client side */
-
- if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount)
- return 0; /* Not relevant */
-
- ext_data_len = 2 + 2 * ss->ssl3.dtlsSRTPCipherCount + 1;
-
- if (append && maxBytes >= 4 + ext_data_len) {
- /* Extension type */
- rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2);
- if (rv != SECSuccess) return -1;
- /* Length of extension data */
- rv = ssl3_AppendHandshakeNumber(ss, ext_data_len, 2);
- if (rv != SECSuccess) return -1;
- /* Length of the SRTP cipher list */
- rv = ssl3_AppendHandshakeNumber(ss,
- 2 * ss->ssl3.dtlsSRTPCipherCount,
- 2);
- if (rv != SECSuccess) return -1;
- /* The SRTP ciphers */
- for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) {
- rv = ssl3_AppendHandshakeNumber(ss,
- ss->ssl3.dtlsSRTPCiphers[i],
- 2);
- }
- /* Empty MKI value */
- ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
-
- ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
- ssl_use_srtp_xtn;
- }
-
- return 4 + ext_data_len;
+ /* Client side */
+
+ if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount)
+ return 0; /* Not relevant */
+
+ ext_data_len = 2 + 2 * ss->ssl3.dtlsSRTPCipherCount + 1;
+
+ if (append && maxBytes >= 4 + ext_data_len) {
+ /* Extension type */
+ rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2);
+ if (rv != SECSuccess) return -1;
+ /* Length of extension data */
+ rv = ssl3_AppendHandshakeNumber(ss, ext_data_len, 2);
+ if (rv != SECSuccess) return -1;
+ /* Length of the SRTP cipher list */
+ rv = ssl3_AppendHandshakeNumber(ss,
+ 2 * ss->ssl3.dtlsSRTPCipherCount,
+ 2);
+ if (rv != SECSuccess) return -1;
+ /* The SRTP ciphers */
+ for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) {
+ rv = ssl3_AppendHandshakeNumber(ss,
+ ss->ssl3.dtlsSRTPCiphers[i],
+ 2);
+ }
+ /* Empty MKI value */
+ ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
+
+ ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
+ ssl_use_srtp_xtn;
+ }
+
+ return 4 + ext_data_len;
}
/* Server side */
if (append && maxBytes >= 9) {
- /* Extension type */
- rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2);
- if (rv != SECSuccess) return -1;
- /* Length of extension data */
- rv = ssl3_AppendHandshakeNumber(ss, 5, 2);
- if (rv != SECSuccess) return -1;
- /* Length of the SRTP cipher list */
- rv = ssl3_AppendHandshakeNumber(ss, 2, 2);
- if (rv != SECSuccess) return -1;
- /* The selected cipher */
- rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.dtlsSRTPCipherSuite, 2);
- if (rv != SECSuccess) return -1;
- /* Empty MKI value */
- ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
+ /* Extension type */
+ rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2);
+ if (rv != SECSuccess) return -1;
+ /* Length of extension data */
+ rv = ssl3_AppendHandshakeNumber(ss, 5, 2);
+ if (rv != SECSuccess) return -1;
+ /* Length of the SRTP cipher list */
+ rv = ssl3_AppendHandshakeNumber(ss, 2, 2);
+ if (rv != SECSuccess) return -1;
+ /* The selected cipher */
+ rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.dtlsSRTPCipherSuite, 2);
+ if (rv != SECSuccess) return -1;
+ /* Empty MKI value */
+ ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
}
return 9;
@@ -2189,121 +2197,121 @@ ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data)
SECItem litem;
if (!ss->sec.isServer) {
- /* Client side */
- if (!data->data || !data->len) {
+ /* Client side */
+ if (!data->data || !data->len) {
/* malformed */
return SECFailure;
- }
-
- /* Get the cipher list */
- rv = ssl3_ConsumeHandshakeVariable(ss, &ciphers, 2,
- &data->data, &data->len);
- if (rv != SECSuccess) {
- return SECFailure;
- }
- /* Now check that the number of ciphers listed is 1 (len = 2) */
- if (ciphers.len != 2) {
- return SECFailure;
- }
-
- /* Get the selected cipher */
- cipher = (ciphers.data[0] << 8) | ciphers.data[1];
-
- /* Now check that this is one of the ciphers we offered */
- for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) {
- if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) {
- found = PR_TRUE;
- break;
- }
- }
-
- if (!found) {
- return SECFailure;
- }
-
- /* Get the srtp_mki value */
+ }
+
+ /* Get the cipher list */
+ rv = ssl3_ConsumeHandshakeVariable(ss, &ciphers, 2,
+ &data->data, &data->len);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ /* Now check that the number of ciphers listed is 1 (len = 2) */
+ if (ciphers.len != 2) {
+ return SECFailure;
+ }
+
+ /* Get the selected cipher */
+ cipher = (ciphers.data[0] << 8) | ciphers.data[1];
+
+ /* Now check that this is one of the ciphers we offered */
+ for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) {
+ if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) {
+ found = PR_TRUE;
+ break;
+ }
+ }
+
+ if (!found) {
+ return SECFailure;
+ }
+
+ /* Get the srtp_mki value */
rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 1,
- &data->data, &data->len);
+ &data->data, &data->len);
if (rv != SECSuccess) {
return SECFailure;
}
- /* We didn't offer an MKI, so this must be 0 length */
- /* XXX RFC 5764 Section 4.1.3 says:
- * If the client detects a nonzero-length MKI in the server's
- * response that is different than the one the client offered,
- * then the client MUST abort the handshake and SHOULD send an
- * invalid_parameter alert.
- *
- * Due to a limitation of the ssl3_HandleHelloExtensions function,
- * returning SECFailure here won't abort the handshake. It will
- * merely cause the use_srtp extension to be not negotiated. We
- * should fix this. See NSS bug 753136.
- */
- if (litem.len != 0) {
- return SECFailure;
- }
-
- if (data->len != 0) {
+ /* We didn't offer an MKI, so this must be 0 length */
+ /* XXX RFC 5764 Section 4.1.3 says:
+ * If the client detects a nonzero-length MKI in the server's
+ * response that is different than the one the client offered,
+ * then the client MUST abort the handshake and SHOULD send an
+ * invalid_parameter alert.
+ *
+ * Due to a limitation of the ssl3_HandleHelloExtensions function,
+ * returning SECFailure here won't abort the handshake. It will
+ * merely cause the use_srtp extension to be not negotiated. We
+ * should fix this. See NSS bug 753136.
+ */
+ if (litem.len != 0) {
+ return SECFailure;
+ }
+
+ if (data->len != 0) {
/* malformed */
return SECFailure;
- }
+ }
- /* OK, this looks fine. */
- ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn;
- ss->ssl3.dtlsSRTPCipherSuite = cipher;
- return SECSuccess;
+ /* OK, this looks fine. */
+ ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn;
+ ss->ssl3.dtlsSRTPCipherSuite = cipher;
+ return SECSuccess;
}
/* Server side */
if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) {
- /* Ignore the extension if we aren't doing DTLS or no DTLS-SRTP
- * preferences have been set. */
- return SECSuccess;
+ /* Ignore the extension if we aren't doing DTLS or no DTLS-SRTP
+ * preferences have been set. */
+ return SECSuccess;
}
if (!data->data || data->len < 5) {
- /* malformed */
- return SECFailure;
+ /* malformed */
+ return SECFailure;
}
/* Get the cipher list */
rv = ssl3_ConsumeHandshakeVariable(ss, &ciphers, 2,
- &data->data, &data->len);
+ &data->data, &data->len);
if (rv != SECSuccess) {
- return SECFailure;
+ return SECFailure;
}
/* Check that the list is even length */
if (ciphers.len % 2) {
- return SECFailure;
+ return SECFailure;
}
/* Walk through the offered list and pick the most preferred of our
* ciphers, if any */
for (i = 0; !found && i < ss->ssl3.dtlsSRTPCipherCount; i++) {
- for (j = 0; j + 1 < ciphers.len; j += 2) {
- cipher = (ciphers.data[j] << 8) | ciphers.data[j + 1];
- if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) {
- found = PR_TRUE;
- break;
- }
- }
+ for (j = 0; j + 1 < ciphers.len; j += 2) {
+ cipher = (ciphers.data[j] << 8) | ciphers.data[j + 1];
+ if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) {
+ found = PR_TRUE;
+ break;
+ }
+ }
}
/* Get the srtp_mki value */
rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 1, &data->data, &data->len);
if (rv != SECSuccess) {
- return SECFailure;
+ return SECFailure;
}
if (data->len != 0) {
- return SECFailure; /* Malformed */
+ return SECFailure; /* Malformed */
}
/* Now figure out what to do */
if (!found) {
- /* No matching ciphers */
- return SECSuccess;
+ /* No matching ciphers */
+ return SECSuccess;
}
/* OK, we have a valid cipher and we've selected it */
@@ -2311,7 +2319,7 @@ ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data)
ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn;
return ssl3_RegisterServerHelloExtensionSender(ss, ssl_use_srtp_xtn,
- ssl3_SendUseSRTPXtn);
+ ssl3_SendUseSRTPXtn);
}
/* ssl3_ServerHandleSigAlgsXtn handles the signature_algorithms extension
@@ -2323,63 +2331,64 @@ ssl3_ServerHandleSigAlgsXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data)
SECStatus rv;
SECItem algorithms;
const unsigned char *b;
- unsigned int numAlgorithms, i;
+ unsigned int numAlgorithms, i, j;
/* Ignore this extension if we aren't doing TLS 1.2 or greater. */
if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) {
- return SECSuccess;
+ return SECSuccess;
}
/* Keep track of negotiated extensions. */
ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
rv = ssl3_ConsumeHandshakeVariable(ss, &algorithms, 2, &data->data,
- &data->len);
+ &data->len);
if (rv != SECSuccess) {
- return SECFailure;
+ return SECFailure;
}
/* Trailing data, empty value, or odd-length value is invalid. */
if (data->len != 0 || algorithms.len == 0 || (algorithms.len & 1) != 0) {
- PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
- return SECFailure;
+ PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
+ return SECFailure;
}
numAlgorithms = algorithms.len/2;
/* We don't care to process excessive numbers of algorithms. */
if (numAlgorithms > 512) {
- numAlgorithms = 512;
+ numAlgorithms = 512;
}
ss->ssl3.hs.clientSigAndHash =
- PORT_NewArray(SSL3SignatureAndHashAlgorithm, numAlgorithms);
+ PORT_NewArray(SSL3SignatureAndHashAlgorithm, numAlgorithms);
if (!ss->ssl3.hs.clientSigAndHash) {
- return SECFailure;
+ return SECFailure;
}
ss->ssl3.hs.numClientSigAndHash = 0;
b = algorithms.data;
- for (i = 0; i < numAlgorithms; i++) {
- unsigned char tls_hash = *(b++);
- unsigned char tls_sig = *(b++);
- SECOidTag hash = ssl3_TLSHashAlgorithmToOID(tls_hash);
-
- if (hash == SEC_OID_UNKNOWN) {
- /* We ignore formats that we don't understand. */
- continue;
- }
- /* tls_sig support will be checked later in
- * ssl3_PickSignatureHashAlgorithm. */
- ss->ssl3.hs.clientSigAndHash[i].hashAlg = hash;
- ss->ssl3.hs.clientSigAndHash[i].sigAlg = tls_sig;
- ss->ssl3.hs.numClientSigAndHash++;
+ for (i = j = 0; i < numAlgorithms; i++) {
+ unsigned char tls_hash = *(b++);
+ unsigned char tls_sig = *(b++);
+ SECOidTag hash = ssl3_TLSHashAlgorithmToOID(tls_hash);
+
+ if (hash == SEC_OID_UNKNOWN) {
+ /* We ignore formats that we don't understand. */
+ continue;
+ }
+ /* tls_sig support will be checked later in
+ * ssl3_PickSignatureHashAlgorithm. */
+ ss->ssl3.hs.clientSigAndHash[j].hashAlg = hash;
+ ss->ssl3.hs.clientSigAndHash[j].sigAlg = tls_sig;
+ ++j;
+ ++ss->ssl3.hs.numClientSigAndHash;
}
if (!ss->ssl3.hs.numClientSigAndHash) {
- /* We didn't understand any of the client's requested signature
- * formats. We'll use the defaults. */
- PORT_Free(ss->ssl3.hs.clientSigAndHash);
- ss->ssl3.hs.clientSigAndHash = NULL;
+ /* We didn't understand any of the client's requested signature
+ * formats. We'll use the defaults. */
+ PORT_Free(ss->ssl3.hs.clientSigAndHash);
+ ss->ssl3.hs.clientSigAndHash = NULL;
}
return SECSuccess;
@@ -2391,49 +2400,49 @@ static PRInt32
ssl3_ClientSendSigAlgsXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes)
{
static const unsigned char signatureAlgorithms[] = {
- /* This block is the contents of our signature_algorithms extension, in
- * wire format. See
- * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
- tls_hash_sha256, tls_sig_rsa,
- tls_hash_sha384, tls_sig_rsa,
- tls_hash_sha1, tls_sig_rsa,
-#ifdef NSS_ENABLE_ECC
- tls_hash_sha256, tls_sig_ecdsa,
- tls_hash_sha384, tls_sig_ecdsa,
- tls_hash_sha1, tls_sig_ecdsa,
+ /* This block is the contents of our signature_algorithms extension, in
+ * wire format. See
+ * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
+ tls_hash_sha256, tls_sig_rsa,
+ tls_hash_sha384, tls_sig_rsa,
+ tls_hash_sha1, tls_sig_rsa,
+#ifndef NSS_DISABLE_ECC
+ tls_hash_sha256, tls_sig_ecdsa,
+ tls_hash_sha384, tls_sig_ecdsa,
+ tls_hash_sha1, tls_sig_ecdsa,
#endif
- tls_hash_sha256, tls_sig_dsa,
- tls_hash_sha1, tls_sig_dsa,
+ tls_hash_sha256, tls_sig_dsa,
+ tls_hash_sha1, tls_sig_dsa,
};
PRInt32 extension_length;
if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) {
- return 0;
+ return 0;
}
extension_length =
- 2 /* extension type */ +
- 2 /* extension length */ +
- 2 /* supported_signature_algorithms length */ +
- sizeof(signatureAlgorithms);
+ 2 /* extension type */ +
+ 2 /* extension length */ +
+ 2 /* supported_signature_algorithms length */ +
+ sizeof(signatureAlgorithms);
if (append && maxBytes >= extension_length) {
- SECStatus rv;
- rv = ssl3_AppendHandshakeNumber(ss, ssl_signature_algorithms_xtn, 2);
- if (rv != SECSuccess)
- goto loser;
- rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2);
- if (rv != SECSuccess)
- goto loser;
- rv = ssl3_AppendHandshakeVariable(ss, signatureAlgorithms,
- sizeof(signatureAlgorithms), 2);
- if (rv != SECSuccess)
- goto loser;
- ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
- ssl_signature_algorithms_xtn;
+ SECStatus rv;
+ rv = ssl3_AppendHandshakeNumber(ss, ssl_signature_algorithms_xtn, 2);
+ if (rv != SECSuccess)
+ goto loser;
+ rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2);
+ if (rv != SECSuccess)
+ goto loser;
+ rv = ssl3_AppendHandshakeVariable(ss, signatureAlgorithms,
+ sizeof(signatureAlgorithms), 2);
+ if (rv != SECSuccess)
+ goto loser;
+ ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
+ ssl_signature_algorithms_xtn;
} else if (maxBytes < extension_length) {
- PORT_Assert(0);
- return 0;
+ PORT_Assert(0);
+ return 0;
}
return extension_length;
@@ -2446,20 +2455,18 @@ unsigned int
ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength)
{
unsigned int recordLength = 1 /* handshake message type */ +
- 3 /* handshake message length */ +
- clientHelloLength;
+ 3 /* handshake message length */ +
+ clientHelloLength;
unsigned int extensionLength;
if (recordLength < 256 || recordLength >= 512) {
- return 0;
+ return 0;
}
extensionLength = 512 - recordLength;
- /* Extensions take at least four bytes to encode. Always include at least
- * one byte of data if including the extension. WebSphere Application Server
- * 7.0 is intolerant to the last extension being zero-length. */
- if (extensionLength < 4 + 1) {
- extensionLength = 4 + 1;
+ /* Extensions take at least four bytes to encode. */
+ if (extensionLength < 4) {
+ extensionLength = 4;
}
return extensionLength;
@@ -2470,62 +2477,151 @@ ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength)
* that we don't trigger bugs in F5 products. */
PRInt32
ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen,
- PRUint32 maxBytes)
+ PRUint32 maxBytes)
{
unsigned int paddingLen = extensionLen - 4;
static unsigned char padding[256];
if (extensionLen == 0) {
- return 0;
+ return 0;
}
if (extensionLen < 4 ||
- extensionLen > maxBytes ||
- paddingLen > sizeof(padding)) {
- PORT_Assert(0);
- return -1;
+ extensionLen > maxBytes ||
+ paddingLen > sizeof(padding)) {
+ PORT_Assert(0);
+ return -1;
}
if (SECSuccess != ssl3_AppendHandshakeNumber(ss, ssl_padding_xtn, 2))
- return -1;
+ return -1;
if (SECSuccess != ssl3_AppendHandshakeNumber(ss, paddingLen, 2))
- return -1;
+ return -1;
if (SECSuccess != ssl3_AppendHandshake(ss, padding, paddingLen))
- return -1;
+ return -1;
return extensionLen;
}
+/* ssl3_ClientSendDraftVersionXtn sends the TLS 1.3 temporary draft
+ * version extension.
+ * TODO(ekr@rtfm.com): Remove when TLS 1.3 is published. */
+static PRInt32
+ssl3_ClientSendDraftVersionXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes)
+{
+ PRInt32 extension_length;
+
+ if (ss->version != SSL_LIBRARY_VERSION_TLS_1_3) {
+ return 0;
+ }
+
+ extension_length = 6; /* Type + length + number */
+ if (append && maxBytes >= extension_length) {
+ SECStatus rv;
+ rv = ssl3_AppendHandshakeNumber(ss, ssl_tls13_draft_version_xtn, 2);
+ if (rv != SECSuccess)
+ goto loser;
+ rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2);
+ if (rv != SECSuccess)
+ goto loser;
+ rv = ssl3_AppendHandshakeNumber(ss, TLS_1_3_DRAFT_VERSION, 2);
+ if (rv != SECSuccess)
+ goto loser;
+ ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
+ ssl_tls13_draft_version_xtn;
+ } else if (maxBytes < extension_length) {
+ PORT_Assert(0);
+ return 0;
+ }
+
+ return extension_length;
+
+loser:
+ return -1;
+}
+
+/* ssl3_ServerHandleDraftVersionXtn handles the TLS 1.3 temporary draft
+ * version extension.
+ * TODO(ekr@rtfm.com): Remove when TLS 1.3 is published. */
+static SECStatus
+ssl3_ServerHandleDraftVersionXtn(sslSocket * ss, PRUint16 ex_type,
+ SECItem *data)
+{
+ PRInt32 draft_version;
+
+ /* Ignore this extension if we aren't doing TLS 1.3 */
+ if (ss->version != SSL_LIBRARY_VERSION_TLS_1_3) {
+ return SECSuccess;
+ }
+
+ if (data->len != 2)
+ goto loser;
+
+ /* Get the draft version out of the handshake */
+ draft_version = ssl3_ConsumeHandshakeNumber(ss, 2,
+ &data->data, &data->len);
+ if (draft_version < 0) {
+ goto loser;
+ }
+
+ /* Keep track of negotiated extensions. */
+ ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
+
+ /* Compare the version */
+ if (draft_version != TLS_1_3_DRAFT_VERSION) {
+ SSL_TRC(30, ("%d: SSL3[%d]: Incompatible version of TLS 1.3 (%d), "
+ "expected %d",
+ SSL_GETPID(), ss->fd, draft_version, TLS_1_3_DRAFT_VERSION));
+ goto loser;
+ }
+
+ return SECSuccess;
+
+loser:
+ /*
+ * Incompatible/broken TLS 1.3 implementation. Fall back to TLS 1.2.
+ * TODO(ekr@rtfm.com): It's not entirely clear it's safe to roll back
+ * here. Need to double-check.
+ * TODO(ekr@rtfm.com): Currently we fall back even on broken extensions.
+ * because SECFailure does not cause handshake failures. See bug
+ * 753136.
+ */
+ SSL_TRC(30, ("%d: SSL3[%d]: Rolling back to TLS 1.2", SSL_GETPID(), ss->fd));
+ ss->version = SSL_LIBRARY_VERSION_TLS_1_2;
+
+ return SECSuccess;
+}
+
/* ssl3_ClientSendSignedCertTimestampXtn sends the signed_certificate_timestamp
* extension for TLS ClientHellos. */
static PRInt32
ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, PRBool append,
- PRUint32 maxBytes)
+ PRUint32 maxBytes)
{
PRInt32 extension_length = 2 /* extension_type */ +
- 2 /* length(extension_data) */;
+ 2 /* length(extension_data) */;
/* Only send the extension if processing is enabled. */
if (!ss->opt.enableSignedCertTimestamps)
- return 0;
+ return 0;
if (append && maxBytes >= extension_length) {
- SECStatus rv;
- /* extension_type */
- rv = ssl3_AppendHandshakeNumber(ss,
- ssl_signed_certificate_timestamp_xtn,
- 2);
- if (rv != SECSuccess)
- goto loser;
- /* zero length */
- rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
- if (rv != SECSuccess)
- goto loser;
- ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
- ssl_signed_certificate_timestamp_xtn;
+ SECStatus rv;
+ /* extension_type */
+ rv = ssl3_AppendHandshakeNumber(ss,
+ ssl_signed_certificate_timestamp_xtn,
+ 2);
+ if (rv != SECSuccess)
+ goto loser;
+ /* zero length */
+ rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
+ if (rv != SECSuccess)
+ goto loser;
+ ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
+ ssl_signed_certificate_timestamp_xtn;
} else if (maxBytes < extension_length) {
- PORT_Assert(0);
- return 0;
+ PORT_Assert(0);
+ return 0;
}
return extension_length;
@@ -2535,7 +2631,7 @@ loser:
static SECStatus
ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, PRUint16 ex_type,
- SECItem *data)
+ SECItem *data)
{
/* We do not yet know whether we'll be resuming a session or creating
* a new one, so we keep a pointer to the data in the TLSExtensionData
@@ -2549,8 +2645,8 @@ ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, PRUint16 ex_type,
PORT_Assert(!scts->data && !scts->len);
if (!data->len) {
- /* Empty extension data: RFC 6962 mandates non-empty contents. */
- return SECFailure;
+ /* Empty extension data: RFC 6962 mandates non-empty contents. */
+ return SECFailure;
}
*scts = *data;
/* Keep track of negotiated extensions. */
« net/third_party/nss/ssl/ssl3con.c ('K') | « net/third_party/nss/ssl/ssl3ecc.c ('k') | net/third_party/nss/ssl/ssl3prot.h » ('j') | net/third_party/nss/ssl/sslenum.c » ('J')

Powered by Google App Engine
This is Rietveld 408576698