1 /* | 1 /* |
2 * SSL3 Protocol | 2 * SSL3 Protocol |
3 * | 3 * |
4 * This Source Code Form is subject to the terms of the Mozilla Public | 4 * This Source Code Form is subject to the terms of the Mozilla Public |
5 * License, v. 2.0. If a copy of the MPL was not distributed with this | 5 * License, v. 2.0. If a copy of the MPL was not distributed with this |
6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
7 | 7 |
8 /* TLS extension code moved here from ssl3ecc.c */ | 8 /* TLS extension code moved here from ssl3ecc.c */ |
9 /* $Id$ */ | 9 /* $Id$ */ |
10 | 10 |
67 PRUint32 maxBytes); | 67 PRUint32 maxBytes); |
68 static SECStatus ssl3_ServerSendStatusRequestXtn(sslSocket * ss, | 68 static SECStatus ssl3_ServerSendStatusRequestXtn(sslSocket * ss, |
69 PRBool append, PRUint32 maxBytes); | 69 PRBool append, PRUint32 maxBytes); |
70 static SECStatus ssl3_ServerHandleStatusRequestXtn(sslSocket *ss, | 70 static SECStatus ssl3_ServerHandleStatusRequestXtn(sslSocket *ss, |
71 PRUint16 ex_type, SECItem *data); | 71 PRUint16 ex_type, SECItem *data); |
72 static SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, | 72 static SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, |
73 PRUint16 ex_type, | 73 PRUint16 ex_type, |
74 SECItem *data); | 74 SECItem *data); |
75 static PRInt32 ssl3_ClientSendStatusRequestXtn(sslSocket * ss, PRBool append, | 75 static PRInt32 ssl3_ClientSendStatusRequestXtn(sslSocket * ss, PRBool append, |
76 PRUint32 maxBytes); | 76 PRUint32 maxBytes); |
77 static PRInt32 ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append, | |
78 PRUint32 maxBytes); | |
79 static SECStatus ssl3_ServerHandleSigAlgsXtn(sslSocket *ss, PRUint16 ex_type, | |
80 SECItem *data); | |
77 | 81 |
78 /* | 82 /* |
79 * Write bytes. Using this function means the SECItem structure | 83 * Write bytes. Using this function means the SECItem structure |
80 * cannot be freed. The caller is expected to call this function | 84 * cannot be freed. The caller is expected to call this function |
81 * on a shallow copy of the structure. | 85 * on a shallow copy of the structure. |
82 */ | 86 */ |
83 static SECStatus | 87 static SECStatus |
84 ssl3_AppendToItem(SECItem *item, const unsigned char *buf, PRUint32 bytes) | 88 ssl3_AppendToItem(SECItem *item, const unsigned char *buf, PRUint32 bytes) |
85 { | 89 { |
86 if (bytes > item->len) | 90 if (bytes > item->len) |
229 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, | 233 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, |
230 #ifdef NSS_ENABLE_ECC | 234 #ifdef NSS_ENABLE_ECC |
231 { ssl_elliptic_curves_xtn, &ssl3_HandleSupportedCurvesXtn }, | 235 { ssl_elliptic_curves_xtn, &ssl3_HandleSupportedCurvesXtn }, |
232 { ssl_ec_point_formats_xtn, &ssl3_HandleSupportedPointFormatsXtn }, | 236 { ssl_ec_point_formats_xtn, &ssl3_HandleSupportedPointFormatsXtn }, |
233 #endif | 237 #endif |
234 { ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn }, | 238 { ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn }, |
235 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, | 239 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, |
236 { ssl_next_proto_nego_xtn, &ssl3_ServerHandleNextProtoNegoXtn }, | 240 { ssl_next_proto_nego_xtn, &ssl3_ServerHandleNextProtoNegoXtn }, |
237 { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn }, | 241 { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn }, |
238 { ssl_cert_status_xtn, &ssl3_ServerHandleStatusRequestXtn }, | 242 { ssl_cert_status_xtn, &ssl3_ServerHandleStatusRequestXtn }, |
243 { ssl_signature_algorithms_xtn, &ssl3_ServerHandleSigAlgsXtn }, | |
239 { -1, NULL } | 244 { -1, NULL } |
240 }; | 245 }; |
241 | 246 |
242 /* These two tables are used by the client, to handle server hello | 247 /* These two tables are used by the client, to handle server hello |
243 * extensions. */ | 248 * extensions. */ |
244 static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = { | 249 static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = { |
245 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, | 250 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, |
246 /* TODO: add a handler for ssl_ec_point_formats_xtn */ | 251 /* TODO: add a handler for ssl_ec_point_formats_xtn */ |
247 { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn }, | 252 { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn }, |
248 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, | 253 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, |
269 { ssl_server_name_xtn, &ssl3_SendServerNameXtn }, | 274 { ssl_server_name_xtn, &ssl3_SendServerNameXtn }, |
270 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn }, | 275 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn }, |
271 #ifdef NSS_ENABLE_ECC | 276 #ifdef NSS_ENABLE_ECC |
272 { ssl_elliptic_curves_xtn, &ssl3_SendSupportedCurvesXtn }, | 277 { ssl_elliptic_curves_xtn, &ssl3_SendSupportedCurvesXtn }, |
273 { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn }, | 278 { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn }, |
274 #endif | 279 #endif |
275 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, | 280 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, |
276 { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, | 281 { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, |
277 { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn }, | 282 { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn }, |
278 { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn }, | 283 { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn }, |
279 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn } | 284 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, |
285 { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn } | |
280 /* any extra entries will appear as { 0, NULL } */ | 286 /* any extra entries will appear as { 0, NULL } */ |
281 }; | 287 }; |
282 | 288 |
283 static const | 289 static const |
284 ssl3HelloExtensionSender clientHelloSendersSSL3[SSL_MAX_EXTENSIONS] = { | 290 ssl3HelloExtensionSender clientHelloSendersSSL3[SSL_MAX_EXTENSIONS] = { |
285 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn } | 291 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn } |
286 /* any extra entries will appear as { 0, NULL } */ | 292 /* any extra entries will appear as { 0, NULL } */ |
287 }; | 293 }; |
288 | 294 |
289 static PRBool | 295 static PRBool |
2032 return SECSuccess; | 2038 return SECSuccess; |
2033 } | 2039 } |
2034 | 2040 |
2035 /* OK, we have a valid cipher and we've selected it */ | 2041 /* OK, we have a valid cipher and we've selected it */ |
2036 ss->ssl3.dtlsSRTPCipherSuite = cipher; | 2042 ss->ssl3.dtlsSRTPCipherSuite = cipher; |
2037 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn; | 2043 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn; |
2038 | 2044 |
2039 return ssl3_RegisterServerHelloExtensionSender(ss, ssl_use_srtp_xtn, | 2045 return ssl3_RegisterServerHelloExtensionSender(ss, ssl_use_srtp_xtn, |
2040 ssl3_SendUseSRTPXtn); | 2046 ssl3_SendUseSRTPXtn); |
2041 } | 2047 } |
2048 | |
2049 /* ssl3_ServerHandleSigAlgsXtn handles the signature_algorithms extension | |
2050 * from a client. | |
2051 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ | |
2052 static SECStatus | |
2053 ssl3_ServerHandleSigAlgsXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data) | |
2054 { | |
2055 SECStatus rv; | |
2056 SECItem algorithms; | |
2057 const unsigned char *b; | |
2058 unsigned int numAlgorithms, i; | |
2059 | |
2060 /* Ignore this extension if we aren't doing TLS 1.2 or greater. */ | |
2061 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) { | |
2062 return SECSuccess; | |
2063 } | |
2064 | |
2065 /* Keep track of negotiated extensions. */ | |
2066 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | |
2067 | |
2068 rv = ssl3_ConsumeHandshakeVariable(ss, &algorithms, 2, &data->data, | |
2069 &data->len); | |
2070 if (rv != SECSuccess) { | |
2071 return SECFailure; | |
2072 } | |
2073 /* Trailing data or odd-length parameters is invalid. */ | |
2074 if (data->len != 0 || (algorithms.len & 1) != 0) { | |
2075 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); | |
2076 return SECFailure; | |
2077 } | |
2078 | |
2079 numAlgorithms = algorithms.len/2; | |
2080 | |
2081 if (numAlgorithms == 0) { | |
2082 return SECSuccess; | |
2083 } | |
2084 /* We don't care to process excessive numbers of algorithms. */ | |
2085 if (numAlgorithms > 512) { | |
2086 numAlgorithms = 512; | |
2087 } | |
2088 | |
2089 ss->ssl3.hs.clientSigAndHash = | |
2090 PORT_NewArray(SSL3SignatureAndHashAlgorithm, numAlgorithms); | |
2091 if (!ss->ssl3.hs.clientSigAndHash) { | |
2092 return SECFailure; | |
2093 } | |
2094 ss->ssl3.hs.numClientSigAndHash = 0; | |
2095 | |
2096 b = algorithms.data; | |
2097 for (i = 0; i < numAlgorithms; i++) { | |
2098 unsigned char tls_hash = *(b++); | |
2099 unsigned char tls_sig = *(b++); | |
2100 SECOidTag hash = ssl3_TLSHashAlgorithmToOID(tls_hash); | |
2101 | |
2102 if (hash == SEC_OID_UNKNOWN) { | |
2103 /* We ignore formats that we don't understand. */ | |
2104 continue; | |
2105 } | |
2106 /* XXX Should we check if we support tls_sig? */ | |
agl
2013/05/28 20:21:13
Hmm, probably yes although it's just an optimisati
wtc
2013/05/28 23:22:19
Because we will check tls_sig later in ssl3_PickSi
agl
2013/05/28 23:36:36
Right. This filtering is just removing the options
| |
2107 ss->ssl3.hs.clientSigAndHash[i].hashAlg = hash; | |
2108 ss->ssl3.hs.clientSigAndHash[i].sigAlg = tls_sig; | |
2109 ss->ssl3.hs.numClientSigAndHash++; | |
2110 } | |
2111 | |
2112 if (!ss->ssl3.hs.numClientSigAndHash) { | |
2113 /* We didn't understand any of the client's requested signature | |
2114 * formats. We'll use the defaults. */ | |
2115 /* XXX Should we fail the handshake in this case? */ | |
wtc
2013/05/28 17:50:25
agl: these two XXX comments are also questions for
agl
2013/05/28 20:21:13
The handshake may not need to sign anything, in wh
| |
2116 PORT_Free(ss->ssl3.hs.clientSigAndHash); | |
2117 ss->ssl3.hs.clientSigAndHash = NULL; | |
2118 } | |
2119 | |
2120 return SECSuccess; | |
2121 } | |
2122 | |
2123 /* ssl3_ClientSendSigAlgsXtn sends the signature_algorithm extension for TLS | |
2124 * 1.2 ClientHellos. */ | |
2125 static PRInt32 | |
2126 ssl3_ClientSendSigAlgsXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes) | |
2127 { | |
2128 static const unsigned char signatureAlgorithms[] = { | |
2129 /* This block is the contents of our signature_algorithms extension, in | |
2130 * wire format. See | |
2131 * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ | |
2132 tls_hash_sha256, tls_sig_rsa, | |
2133 tls_hash_sha384, tls_sig_rsa, | |
wtc
2013/05/28 17:50:25
Should we add tls_hash_sha512 entries to this arra
agl
2013/05/28 20:21:13
I was just trying to cover Suite-B. I think SHA-51
wtc
2013/05/28 23:22:19
OK, I replaced tls_hash_sha384 with tls_hash_sha22
| |
2134 tls_hash_sha1, tls_sig_rsa, | |
2135 #ifdef NSS_ENABLE_ECC | |
2136 tls_hash_sha256, tls_sig_ecdsa, | |
2137 tls_hash_sha384, tls_sig_ecdsa, | |
2138 tls_hash_sha1, tls_sig_ecdsa, | |
2139 #endif | |
2140 tls_hash_sha256, tls_sig_dsa, | |
2141 tls_hash_sha384, tls_sig_dsa, | |
2142 tls_hash_sha1, tls_sig_dsa, | |
2143 }; | |
2144 PRInt32 extension_length; | |
2145 | |
2146 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) { | |
2147 return 0; | |
2148 } | |
2149 | |
2150 extension_length = | |
2151 2 /* extension type */ + | |
2152 2 /* extension length */ + | |
2153 2 /* supported_signature_algorithms length */ + | |
2154 sizeof(signatureAlgorithms); | |
2155 | |
2156 if (append && maxBytes >= extension_length) { | |
2157 SECStatus rv; | |
2158 rv = ssl3_AppendHandshakeNumber(ss, ssl_signature_algorithms_xtn, 2); | |
2159 if (rv != SECSuccess) | |
2160 goto loser; | |
2161 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); | |
2162 if (rv != SECSuccess) | |
2163 goto loser; | |
2164 rv = ssl3_AppendHandshakeVariable(ss, signatureAlgorithms, | |
2165 sizeof(signatureAlgorithms), 2); | |
2166 if (rv != SECSuccess) | |
2167 goto loser; | |
2168 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | |
2169 ssl_signature_algorithms_xtn; | |
2170 } else if (maxBytes < extension_length) { | |
2171 PORT_Assert(0); | |
2172 return 0; | |
2173 } | |
2174 | |
2175 return extension_length; | |
2176 | |
2177 loser: | |
2178 return -1; | |
2179 } | |
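Review bot: In ssl3_ServerHandleSigAlgsXtn (new lines 2107–2109) accepted pairs are stored at `clientSigAndHash[i]` while `numClientSigAndHash` counts only the accepted ones, so as soon as one pair is skipped by the `continue` on 2104 every later accepted pair lands beyond the counted range and the counted slots before it are never written. Unless PORT_NewArray zero-fills (nothing in the hunk shows that), a consumer walking `numClientSigAndHash` entries then reads uninitialized hashAlg/sigAlg values and silently loses the client's real preferences, which is the wrong outcome for a parser of attacker-controlled ClientHello data. Index by the running count instead: `ss->ssl3.hs.clientSigAndHash[ss->ssl3.hs.numClientSigAndHash].hashAlg = hash;` and likewise `...[ss->ssl3.hs.numClientSigAndHash].sigAlg = tls_sig;` before the increment on 2109. The 512-entry cap on 2085–2087 only bounds the allocation; `i` still runs over the full `numAlgorithms` range, so it does not mask this.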