OLD | NEW |
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ | 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ |
2 /* | 2 /* |
3 * SSL3 Protocol | 3 * SSL3 Protocol |
4 * | 4 * |
5 * This Source Code Form is subject to the terms of the Mozilla Public | 5 * This Source Code Form is subject to the terms of the Mozilla Public |
6 * License, v. 2.0. If a copy of the MPL was not distributed with this | 6 * License, v. 2.0. If a copy of the MPL was not distributed with this |
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
8 | 8 |
9 /* TLS extension code moved here from ssl3ecc.c */ | 9 /* TLS extension code moved here from ssl3ecc.c */ |
10 | 10 |
(...skipping 83 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
94 PRBool append, | 94 PRBool append, |
95 PRUint32 maxBytes); | 95 PRUint32 maxBytes); |
96 static SECStatus ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, | 96 static SECStatus ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, |
97 PRUint16 ex_type, | 97 PRUint16 ex_type, |
98 SECItem *data); | 98 SECItem *data); |
99 | 99 |
100 static PRInt32 ssl3_ClientSendDraftVersionXtn(sslSocket *ss, PRBool append, | 100 static PRInt32 ssl3_ClientSendDraftVersionXtn(sslSocket *ss, PRBool append, |
101 PRUint32 maxBytes); | 101 PRUint32 maxBytes); |
102 static SECStatus ssl3_ServerHandleDraftVersionXtn(sslSocket *ss, PRUint16 ex_typ
e, | 102 static SECStatus ssl3_ServerHandleDraftVersionXtn(sslSocket *ss, PRUint16 ex_typ
e, |
103 SECItem *data); | 103 SECItem *data); |
| 104 static PRInt32 ssl3_SendExtendedMasterSecretXtn(sslSocket *ss, PRBool append, |
| 105 PRUint32 maxBytes); |
| 106 static SECStatus ssl3_HandleExtendedMasterSecretXtn(sslSocket *ss, |
| 107 PRUint16 ex_type, |
| 108 SECItem *data); |
| 109 |
104 | 110 |
105 /* | 111 /* |
106 * Write bytes. Using this function means the SECItem structure | 112 * Write bytes. Using this function means the SECItem structure |
107 * cannot be freed. The caller is expected to call this function | 113 * cannot be freed. The caller is expected to call this function |
108 * on a shallow copy of the structure. | 114 * on a shallow copy of the structure. |
109 */ | 115 */ |
110 static SECStatus | 116 static SECStatus |
111 ssl3_AppendToItem(SECItem *item, const unsigned char *buf, PRUint32 bytes) | 117 ssl3_AppendToItem(SECItem *item, const unsigned char *buf, PRUint32 bytes) |
112 { | 118 { |
113 if (bytes > item->len) | 119 if (bytes > item->len) |
(...skipping 145 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
259 { ssl_ec_point_formats_xtn, &ssl3_HandleSupportedPointFormatsXtn }, | 265 { ssl_ec_point_formats_xtn, &ssl3_HandleSupportedPointFormatsXtn }, |
260 #endif | 266 #endif |
261 { ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn }, | 267 { ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn }, |
262 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, | 268 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, |
263 { ssl_next_proto_nego_xtn, &ssl3_ServerHandleNextProtoNegoXtn }, | 269 { ssl_next_proto_nego_xtn, &ssl3_ServerHandleNextProtoNegoXtn }, |
264 { ssl_app_layer_protocol_xtn, &ssl3_ServerHandleAppProtoXtn }, | 270 { ssl_app_layer_protocol_xtn, &ssl3_ServerHandleAppProtoXtn }, |
265 { ssl_use_srtp_xtn, &ssl3_ServerHandleUseSRTPXtn }, | 271 { ssl_use_srtp_xtn, &ssl3_ServerHandleUseSRTPXtn }, |
266 { ssl_cert_status_xtn, &ssl3_ServerHandleStatusRequestXtn }, | 272 { ssl_cert_status_xtn, &ssl3_ServerHandleStatusRequestXtn }, |
267 { ssl_signature_algorithms_xtn, &ssl3_ServerHandleSigAlgsXtn }, | 273 { ssl_signature_algorithms_xtn, &ssl3_ServerHandleSigAlgsXtn }, |
268 { ssl_tls13_draft_version_xtn, &ssl3_ServerHandleDraftVersionXtn }, | 274 { ssl_tls13_draft_version_xtn, &ssl3_ServerHandleDraftVersionXtn }, |
| 275 { ssl_extended_master_secret_xtn, &ssl3_HandleExtendedMasterSecretXtn }, |
269 { -1, NULL } | 276 { -1, NULL } |
270 }; | 277 }; |
271 | 278 |
272 /* These two tables are used by the client, to handle server hello | 279 /* These two tables are used by the client, to handle server hello |
273 * extensions. */ | 280 * extensions. */ |
274 static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = { | 281 static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = { |
275 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, | 282 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, |
276 /* TODO: add a handler for ssl_ec_point_formats_xtn */ | 283 /* TODO: add a handler for ssl_ec_point_formats_xtn */ |
277 { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn }, | 284 { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn }, |
278 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, | 285 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, |
279 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, | 286 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, |
280 { ssl_app_layer_protocol_xtn, &ssl3_ClientHandleAppProtoXtn }, | 287 { ssl_app_layer_protocol_xtn, &ssl3_ClientHandleAppProtoXtn }, |
281 { ssl_use_srtp_xtn, &ssl3_ClientHandleUseSRTPXtn }, | 288 { ssl_use_srtp_xtn, &ssl3_ClientHandleUseSRTPXtn }, |
282 { ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn }, | 289 { ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn }, |
283 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, | 290 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, |
| 291 { ssl_extended_master_secret_xtn, &ssl3_HandleExtendedMasterSecretXtn }, |
284 { ssl_signed_certificate_timestamp_xtn, | 292 { ssl_signed_certificate_timestamp_xtn, |
285 &ssl3_ClientHandleSignedCertTimestampXtn }, | 293 &ssl3_ClientHandleSignedCertTimestampXtn }, |
286 { -1, NULL } | 294 { -1, NULL } |
287 }; | 295 }; |
288 | 296 |
289 static const ssl3HelloExtensionHandler serverHelloHandlersSSL3[] = { | 297 static const ssl3HelloExtensionHandler serverHelloHandlersSSL3[] = { |
290 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, | 298 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, |
291 { -1, NULL } | 299 { -1, NULL } |
292 }; | 300 }; |
293 | 301 |
(...skipping 18 matching lines...) Expand all Loading... |
312 { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn }, | 320 { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn }, |
313 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, | 321 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, |
314 { ssl_signed_certificate_timestamp_xtn, | 322 { ssl_signed_certificate_timestamp_xtn, |
315 &ssl3_ClientSendSignedCertTimestampXtn }, | 323 &ssl3_ClientSendSignedCertTimestampXtn }, |
316 /* WebSphere Application Server 7.0 is intolerant to the last extension | 324 /* WebSphere Application Server 7.0 is intolerant to the last extension |
317 * being zero-length. It is not intolerant of TLS 1.2, so ensure that | 325 * being zero-length. It is not intolerant of TLS 1.2, so ensure that |
318 * signature_algorithms is at the end to guarantee a non-empty | 326 * signature_algorithms is at the end to guarantee a non-empty |
319 * extension. */ | 327 * extension. */ |
320 { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }, | 328 { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }, |
321 { ssl_tls13_draft_version_xtn, &ssl3_ClientSendDraftVersionXtn }, | 329 { ssl_tls13_draft_version_xtn, &ssl3_ClientSendDraftVersionXtn }, |
| 330 { ssl_extended_master_secret_xtn, &ssl3_SendExtendedMasterSecretXtn}, |
322 /* any extra entries will appear as { 0, NULL } */ | 331 /* any extra entries will appear as { 0, NULL } */ |
323 }; | 332 }; |
324 | 333 |
325 static const | 334 static const |
326 ssl3HelloExtensionSender clientHelloSendersSSL3[SSL_MAX_EXTENSIONS] = { | 335 ssl3HelloExtensionSender clientHelloSendersSSL3[SSL_MAX_EXTENSIONS] = { |
327 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn } | 336 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn } |
328 /* any extra entries will appear as { 0, NULL } */ | 337 /* any extra entries will appear as { 0, NULL } */ |
329 }; | 338 }; |
330 | 339 |
331 static PRBool | 340 static PRBool |
332 arrayContainsExtension(const PRUint16 *array, PRUint32 len, PRUint16 ex_type) | 341 arrayContainsExtension(const PRUint16 *array, PRUint32 len, PRUint16 ex_type) |
333 { | 342 { |
334 int i; | 343 unsigned int i; |
335 for (i = 0; i < len; i++) { | 344 for (i = 0; i < len; i++) { |
336 if (ex_type == array[i]) | 345 if (ex_type == array[i]) |
337 return PR_TRUE; | 346 return PR_TRUE; |
338 } | 347 } |
339 return PR_FALSE; | 348 return PR_FALSE; |
340 } | 349 } |
341 | 350 |
342 PRBool | 351 PRBool |
343 ssl3_ExtensionNegotiated(sslSocket *ss, PRUint16 ex_type) { | 352 ssl3_ExtensionNegotiated(sslSocket *ss, PRUint16 ex_type) { |
344 TLSExtensionData *xtnData = &ss->xtnData; | 353 TLSExtensionData *xtnData = &ss->xtnData; |
(...skipping 81 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
426 return SECSuccess; /* ignore extension */ | 435 return SECSuccess; /* ignore extension */ |
427 } | 436 } |
428 | 437 |
429 /* Server side - consume client data and register server sender. */ | 438 /* Server side - consume client data and register server sender. */ |
430 /* do not parse the data if don't have user extension handling function. */ | 439 /* do not parse the data if don't have user extension handling function. */ |
431 if (!ss->sniSocketConfig) { | 440 if (!ss->sniSocketConfig) { |
432 return SECSuccess; | 441 return SECSuccess; |
433 } | 442 } |
434 /* length of server_name_list */ | 443 /* length of server_name_list */ |
435 listLenBytes = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len); | 444 listLenBytes = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len); |
436 if (listLenBytes < 0 || listLenBytes != data->len) { | 445 if (listLenBytes < 0) { |
| 446 return SECFailure; |
| 447 } |
| 448 if (listLenBytes == 0 || listLenBytes != data->len) { |
437 (void)ssl3_DecodeError(ss); | 449 (void)ssl3_DecodeError(ss); |
438 return SECFailure; | 450 return SECFailure; |
439 } | 451 } |
440 if (listLenBytes == 0) { | |
441 return SECSuccess; /* ignore an empty extension */ | |
442 } | |
443 ldata = *data; | 452 ldata = *data; |
444 /* Calculate the size of the array.*/ | 453 /* Calculate the size of the array.*/ |
445 while (listLenBytes > 0) { | 454 while (listLenBytes > 0) { |
446 SECItem litem; | 455 SECItem litem; |
447 SECStatus rv; | 456 SECStatus rv; |
448 PRInt32 type; | 457 PRInt32 type; |
449 /* Skip Name Type (sni_host_name); checks are on the second pass */ | 458 /* Skip Name Type (sni_host_name); checks are on the second pass */ |
450 type = ssl3_ConsumeHandshakeNumber(ss, 1, &ldata.data, &ldata.len); | 459 type = ssl3_ConsumeHandshakeNumber(ss, 1, &ldata.data, &ldata.len); |
451 if (type < 0) { /* i.e., SECFailure cast to PRint32 */ | 460 if (type < 0) { /* i.e., SECFailure cast to PRint32 */ |
452 return SECFailure; | 461 return SECFailure; |
453 } | 462 } |
454 rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 2, &ldata.data, &ldata.le
n); | 463 rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 2, &ldata.data, &ldata.le
n); |
455 if (rv != SECSuccess) { | 464 if (rv != SECSuccess) { |
456 return rv; | 465 return rv; |
457 } | 466 } |
458 /* Adjust total length for consumed item, item len and type.*/ | 467 /* Adjust total length for consumed item, item len and type.*/ |
459 listLenBytes -= litem.len + 3; | 468 listLenBytes -= litem.len + 3; |
460 if (listLenBytes > 0 && !ldata.len) { | 469 if (listLenBytes > 0 && !ldata.len) { |
461 (void)ssl3_DecodeError(ss); | 470 (void)ssl3_DecodeError(ss); |
462 return SECFailure; | 471 return SECFailure; |
463 } | 472 } |
464 listCount += 1; | 473 listCount += 1; |
465 } | 474 } |
466 if (!listCount) { | |
467 return SECFailure; /* nothing we can act on */ | |
468 } | |
469 names = PORT_ZNewArray(SECItem, listCount); | 475 names = PORT_ZNewArray(SECItem, listCount); |
470 if (!names) { | 476 if (!names) { |
471 return SECFailure; | 477 return SECFailure; |
472 } | 478 } |
473 for (i = 0;i < listCount;i++) { | 479 for (i = 0;i < listCount;i++) { |
474 int j; | 480 unsigned int j; |
475 PRInt32 type; | 481 PRInt32 type; |
476 SECStatus rv; | 482 SECStatus rv; |
477 PRBool nametypePresent = PR_FALSE; | 483 PRBool nametypePresent = PR_FALSE; |
478 /* Name Type (sni_host_name) */ | 484 /* Name Type (sni_host_name) */ |
479 type = ssl3_ConsumeHandshakeNumber(ss, 1, &data->data, &data->len); | 485 type = ssl3_ConsumeHandshakeNumber(ss, 1, &data->data, &data->len); |
480 /* Check if we have such type in the list */ | 486 /* Check if we have such type in the list */ |
481 for (j = 0;j < listCount && names[j].data;j++) { | 487 for (j = 0;j < listCount && names[j].data;j++) { |
482 /* TODO bug 998524: .type is not assigned a value */ | 488 /* TODO bug 998524: .type is not assigned a value */ |
483 if (names[j].type == type) { | 489 if (names[j].type == type) { |
484 nametypePresent = PR_TRUE; | 490 nametypePresent = PR_TRUE; |
(...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
552 } else if (!append && | 558 } else if (!append && |
553 (session_ticket->ticket_lifetime_hint == 0 || | 559 (session_ticket->ticket_lifetime_hint == 0 || |
554 (session_ticket->ticket_lifetime_hint + | 560 (session_ticket->ticket_lifetime_hint + |
555 session_ticket->received_timestamp > ssl_Time()))) { | 561 session_ticket->received_timestamp > ssl_Time()))) { |
556 extension_length += session_ticket->ticket.len; | 562 extension_length += session_ticket->ticket.len; |
557 ss->xtnData.ticketTimestampVerified = PR_TRUE; | 563 ss->xtnData.ticketTimestampVerified = PR_TRUE; |
558 } | 564 } |
559 } | 565 } |
560 } | 566 } |
561 | 567 |
562 if (append && maxBytes >= extension_length) { | 568 if (maxBytes < (PRUint32)extension_length) { |
| 569 PORT_Assert(0); |
| 570 return 0; |
| 571 } |
| 572 if (append) { |
563 SECStatus rv; | 573 SECStatus rv; |
564 /* extension_type */ | 574 /* extension_type */ |
565 rv = ssl3_AppendHandshakeNumber(ss, ssl_session_ticket_xtn, 2); | 575 rv = ssl3_AppendHandshakeNumber(ss, ssl_session_ticket_xtn, 2); |
566 if (rv != SECSuccess) | 576 if (rv != SECSuccess) |
567 goto loser; | 577 goto loser; |
568 if (session_ticket && session_ticket->ticket.data && | 578 if (session_ticket && session_ticket->ticket.data && |
569 ss->xtnData.ticketTimestampVerified) { | 579 ss->xtnData.ticketTimestampVerified) { |
570 rv = ssl3_AppendHandshakeVariable(ss, session_ticket->ticket.data, | 580 rv = ssl3_AppendHandshakeVariable(ss, session_ticket->ticket.data, |
571 session_ticket->ticket.len, 2); | 581 session_ticket->ticket.len, 2); |
572 ss->xtnData.ticketTimestampVerified = PR_FALSE; | 582 ss->xtnData.ticketTimestampVerified = PR_FALSE; |
573 ss->xtnData.sentSessionTicketInClientHello = PR_TRUE; | 583 ss->xtnData.sentSessionTicketInClientHello = PR_TRUE; |
574 } else { | 584 } else { |
575 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); | 585 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); |
576 } | 586 } |
577 if (rv != SECSuccess) | 587 if (rv != SECSuccess) |
578 goto loser; | 588 goto loser; |
579 | 589 |
580 if (!ss->sec.isServer) { | 590 if (!ss->sec.isServer) { |
581 TLSExtensionData *xtnData = &ss->xtnData; | 591 TLSExtensionData *xtnData = &ss->xtnData; |
582 xtnData->advertised[xtnData->numAdvertised++] = | 592 xtnData->advertised[xtnData->numAdvertised++] = |
583 ssl_session_ticket_xtn; | 593 ssl_session_ticket_xtn; |
584 } | 594 } |
585 } else if (maxBytes < extension_length) { | |
586 PORT_Assert(0); | |
587 return 0; | |
588 } | 595 } |
589 return extension_length; | 596 return extension_length; |
590 | 597 |
591 loser: | 598 loser: |
592 ss->xtnData.ticketTimestampVerified = PR_FALSE; | 599 ss->xtnData.ticketTimestampVerified = PR_FALSE; |
593 return -1; | 600 return -1; |
594 } | 601 } |
595 | 602 |
596 /* handle an incoming Next Protocol Negotiation extension. */ | 603 /* handle an incoming Next Protocol Negotiation extension. */ |
597 static SECStatus | 604 static SECStatus |
(...skipping 40 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
638 /* protocol selection handler for ALPN (server side) and NPN (client side) */ | 645 /* protocol selection handler for ALPN (server side) and NPN (client side) */ |
639 static SECStatus | 646 static SECStatus |
640 ssl3_SelectAppProtocol(sslSocket *ss, PRUint16 ex_type, SECItem *data) | 647 ssl3_SelectAppProtocol(sslSocket *ss, PRUint16 ex_type, SECItem *data) |
641 { | 648 { |
642 SECStatus rv; | 649 SECStatus rv; |
643 unsigned char resultBuffer[255]; | 650 unsigned char resultBuffer[255]; |
644 SECItem result = { siBuffer, resultBuffer, 0 }; | 651 SECItem result = { siBuffer, resultBuffer, 0 }; |
645 | 652 |
646 rv = ssl3_ValidateNextProtoNego(data->data, data->len); | 653 rv = ssl3_ValidateNextProtoNego(data->data, data->len); |
647 if (rv != SECSuccess) { | 654 if (rv != SECSuccess) { |
| 655 (void)SSL3_SendAlert(ss, alert_fatal, decode_error); |
648 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); | 656 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); |
649 (void)SSL3_SendAlert(ss, alert_fatal, decode_error); | |
650 return rv; | 657 return rv; |
651 } | 658 } |
652 | 659 |
653 PORT_Assert(ss->nextProtoCallback); | 660 PORT_Assert(ss->nextProtoCallback); |
| 661 /* For ALPN, the cipher suite isn't selected yet. Note that extensions |
| 662 * sometimes affect what cipher suite is selected, e.g., for ECC. */ |
| 663 PORT_Assert((ss->ssl3.hs.preliminaryInfo & |
| 664 ssl_preinfo_all & ~ssl_preinfo_cipher_suite) == |
| 665 (ssl_preinfo_all & ~ssl_preinfo_cipher_suite)); |
654 rv = ss->nextProtoCallback(ss->nextProtoArg, ss->fd, data->data, data->len, | 666 rv = ss->nextProtoCallback(ss->nextProtoArg, ss->fd, data->data, data->len, |
655 result.data, &result.len, sizeof(resultBuffer)); | 667 result.data, &result.len, sizeof(resultBuffer)); |
656 if (rv != SECSuccess) { | 668 if (rv != SECSuccess) { |
657 /* Expect callback to call PORT_SetError() */ | 669 /* Expect callback to call PORT_SetError() */ |
658 (void)SSL3_SendAlert(ss, alert_fatal, internal_error); | 670 (void)SSL3_SendAlert(ss, alert_fatal, internal_error); |
659 return SECFailure; | 671 return SECFailure; |
660 } | 672 } |
661 | 673 |
662 /* If the callback wrote more than allowed to |result| it has corrupted our | 674 /* If the callback wrote more than allowed to |result| it has corrupted our |
663 * stack. */ | 675 * stack. */ |
664 if (result.len > sizeof(resultBuffer)) { | 676 if (result.len > sizeof(resultBuffer)) { |
665 PORT_SetError(SEC_ERROR_OUTPUT_LEN); | 677 PORT_SetError(SEC_ERROR_OUTPUT_LEN); |
666 /* TODO: crash */ | 678 /* TODO: crash */ |
667 return SECFailure; | 679 return SECFailure; |
668 } | 680 } |
669 | 681 |
670 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); | 682 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); |
671 | 683 |
672 if (ex_type == ssl_app_layer_protocol_xtn && | 684 if (ex_type == ssl_app_layer_protocol_xtn && |
673 ss->ssl3.nextProtoState != SSL_NEXT_PROTO_NEGOTIATED) { | 685 ss->ssl3.nextProtoState != SSL_NEXT_PROTO_NEGOTIATED) { |
674 /* The callback might say OK, but then it picks a default value - one | 686 /* The callback might say OK, but then it picks a default value - one |
675 * that was not listed. That's OK for NPN, but not ALPN. */ | 687 * that was not listed. That's OK for NPN, but not ALPN. */ |
| 688 (void)SSL3_SendAlert(ss, alert_fatal, no_application_protocol); |
676 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL); | 689 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL); |
677 (void)SSL3_SendAlert(ss, alert_fatal, no_application_protocol); | |
678 return SECFailure; | 690 return SECFailure; |
679 } | 691 } |
680 | 692 |
681 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | 693 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
682 return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &result); | 694 return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &result); |
683 } | 695 } |
684 | 696 |
685 /* handle an incoming ALPN extension at the server */ | 697 /* handle an incoming ALPN extension at the server */ |
686 static SECStatus | 698 static SECStatus |
687 ssl3_ServerHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) | 699 ssl3_ServerHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) |
688 { | 700 { |
689 int count; | 701 int count; |
690 SECStatus rv; | 702 SECStatus rv; |
691 | 703 |
692 /* We expressly don't want to allow ALPN on renegotiation, | 704 /* We expressly don't want to allow ALPN on renegotiation, |
693 * despite it being permitted by the spec. */ | 705 * despite it being permitted by the spec. */ |
694 if (ss->firstHsDone || data->len == 0) { | 706 if (ss->firstHsDone || data->len == 0) { |
695 /* Clients MUST send a non-empty ALPN extension. */ | 707 /* Clients MUST send a non-empty ALPN extension. */ |
| 708 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); |
696 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); | 709 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); |
697 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); | |
698 return SECFailure; | 710 return SECFailure; |
699 } | 711 } |
700 | 712 |
701 /* Unlike NPN, ALPN has extra redundant length information so that | 713 /* Unlike NPN, ALPN has extra redundant length information so that |
702 * the extension is the same in both ClientHello and ServerHello. */ | 714 * the extension is the same in both ClientHello and ServerHello. */ |
703 count = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len); | 715 count = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len); |
704 if (count != data->len) { | 716 if (count != data->len) { |
705 (void)ssl3_DecodeError(ss); | 717 (void)ssl3_DecodeError(ss); |
706 return SECFailure; | 718 return SECFailure; |
707 } | 719 } |
708 | 720 |
709 if (!ss->nextProtoCallback) { | 721 if (!ss->nextProtoCallback) { |
710 /* we're not configured for it */ | 722 /* we're not configured for it */ |
711 return SECSuccess; | 723 return SECSuccess; |
712 } | 724 } |
713 | 725 |
714 rv = ssl3_SelectAppProtocol(ss, ex_type, data); | 726 rv = ssl3_SelectAppProtocol(ss, ex_type, data); |
715 if (rv != SECSuccess) { | 727 if (rv != SECSuccess) { |
716 return rv; | 728 return rv; |
717 } | 729 } |
718 | 730 |
719 /* prepare to send back a response, if we negotiated */ | 731 /* prepare to send back a response, if we negotiated */ |
720 if (ss->ssl3.nextProtoState == SSL_NEXT_PROTO_NEGOTIATED) { | 732 if (ss->ssl3.nextProtoState == SSL_NEXT_PROTO_NEGOTIATED) { |
721 rv = ssl3_RegisterServerHelloExtensionSender( | 733 rv = ssl3_RegisterServerHelloExtensionSender( |
722 ss, ex_type, ssl3_ServerSendAppProtoXtn); | 734 ss, ex_type, ssl3_ServerSendAppProtoXtn); |
723 if (rv != SECSuccess) { | 735 if (rv != SECSuccess) { |
| 736 (void)SSL3_SendAlert(ss, alert_fatal, internal_error); |
724 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 737 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
725 (void)SSL3_SendAlert(ss, alert_fatal, internal_error); | |
726 return rv; | 738 return rv; |
727 } | 739 } |
728 } | 740 } |
729 return SECSuccess; | 741 return SECSuccess; |
730 } | 742 } |
731 | 743 |
732 static SECStatus | 744 static SECStatus |
733 ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type, | 745 ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type, |
734 SECItem *data) | 746 SECItem *data) |
735 { | 747 { |
736 PORT_Assert(!ss->firstHsDone); | 748 PORT_Assert(!ss->firstHsDone); |
737 | 749 |
738 if (ssl3_ExtensionNegotiated(ss, ssl_app_layer_protocol_xtn)) { | 750 if (ssl3_ExtensionNegotiated(ss, ssl_app_layer_protocol_xtn)) { |
739 /* If the server negotiated ALPN then it has already told us what | 751 /* If the server negotiated ALPN then it has already told us what |
740 * protocol to use, so it doesn't make sense for us to try to negotiate | 752 * protocol to use, so it doesn't make sense for us to try to negotiate |
741 * a different one by sending the NPN handshake message. However, if | 753 * a different one by sending the NPN handshake message. However, if |
742 * we've negotiated NPN then we're required to send the NPN handshake | 754 * we've negotiated NPN then we're required to send the NPN handshake |
743 * message. Thus, these two extensions cannot both be negotiated on the | 755 * message. Thus, these two extensions cannot both be negotiated on the |
744 * same connection. */ | 756 * same connection. */ |
| 757 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); |
745 PORT_SetError(SSL_ERROR_BAD_SERVER); | 758 PORT_SetError(SSL_ERROR_BAD_SERVER); |
746 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); | |
747 return SECFailure; | 759 return SECFailure; |
748 } | 760 } |
749 | 761 |
750 /* We should only get this call if we sent the extension, so | 762 /* We should only get this call if we sent the extension, so |
751 * ss->nextProtoCallback needs to be non-NULL. However, it is possible | 763 * ss->nextProtoCallback needs to be non-NULL. However, it is possible |
752 * that an application erroneously cleared the callback between the time | 764 * that an application erroneously cleared the callback between the time |
753 * we sent the ClientHello and now. */ | 765 * we sent the ClientHello and now. */ |
754 if (!ss->nextProtoCallback) { | 766 if (!ss->nextProtoCallback) { |
755 PORT_Assert(0); | 767 PORT_Assert(0); |
| 768 (void)SSL3_SendAlert(ss, alert_fatal, internal_error); |
756 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK); | 769 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK); |
757 (void)SSL3_SendAlert(ss, alert_fatal, internal_error); | |
758 return SECFailure; | 770 return SECFailure; |
759 } | 771 } |
760 | 772 |
761 return ssl3_SelectAppProtocol(ss, ex_type, data); | 773 return ssl3_SelectAppProtocol(ss, ex_type, data); |
762 } | 774 } |
763 | 775 |
764 static SECStatus | 776 static SECStatus |
765 ssl3_ClientHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) | 777 ssl3_ClientHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) |
766 { | 778 { |
767 SECStatus rv; | 779 SECStatus rv; |
768 PRInt32 list_len; | 780 PRInt32 list_len; |
769 SECItem protocol_name; | 781 SECItem protocol_name; |
770 | 782 |
771 if (ssl3_ExtensionNegotiated(ss, ssl_next_proto_nego_xtn)) { | 783 if (ssl3_ExtensionNegotiated(ss, ssl_next_proto_nego_xtn)) { |
772 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 784 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
773 return SECFailure; | 785 return SECFailure; |
774 } | 786 } |
775 | 787 |
776 /* The extension data from the server has the following format: | 788 /* The extension data from the server has the following format: |
777 * uint16 name_list_len; | 789 * uint16 name_list_len; |
778 * uint8 len; // where len >= 1 | 790 * uint8 len; // where len >= 1 |
779 * uint8 protocol_name[len]; */ | 791 * uint8 protocol_name[len]; */ |
780 if (data->len < 4 || data->len > 2 + 1 + 255) { | 792 if (data->len < 4 || data->len > 2 + 1 + 255) { |
| 793 (void)SSL3_SendAlert(ss, alert_fatal, decode_error); |
781 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); | 794 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); |
782 (void)SSL3_SendAlert(ss, alert_fatal, decode_error); | |
783 return SECFailure; | 795 return SECFailure; |
784 } | 796 } |
785 | 797 |
786 list_len = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len); | 798 list_len = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len); |
787 /* The list has to be the entire extension. */ | 799 /* The list has to be the entire extension. */ |
788 if (list_len != data->len) { | 800 if (list_len != data->len) { |
| 801 (void)SSL3_SendAlert(ss, alert_fatal, decode_error); |
789 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); | 802 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); |
790 (void)SSL3_SendAlert(ss, alert_fatal, decode_error); | |
791 return SECFailure; | 803 return SECFailure; |
792 } | 804 } |
793 | 805 |
794 rv = ssl3_ConsumeHandshakeVariable(ss, &protocol_name, 1, | 806 rv = ssl3_ConsumeHandshakeVariable(ss, &protocol_name, 1, |
795 &data->data, &data->len); | 807 &data->data, &data->len); |
796 /* The list must have exactly one value. */ | 808 /* The list must have exactly one value. */ |
797 if (rv != SECSuccess || data->len != 0) { | 809 if (rv != SECSuccess || data->len != 0) { |
| 810 (void)SSL3_SendAlert(ss, alert_fatal, decode_error); |
798 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); | 811 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); |
799 (void)SSL3_SendAlert(ss, alert_fatal, decode_error); | |
800 return SECFailure; | 812 return SECFailure; |
801 } | 813 } |
802 | 814 |
803 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); | 815 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); |
804 ss->ssl3.nextProtoState = SSL_NEXT_PROTO_SELECTED; | 816 ss->ssl3.nextProtoState = SSL_NEXT_PROTO_SELECTED; |
805 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | 817 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
806 return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &protocol_name); | 818 return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &protocol_name); |
807 } | 819 } |
808 | 820 |
809 static PRInt32 | 821 static PRInt32 |
810 ssl3_ClientSendNextProtoNegoXtn(sslSocket * ss, PRBool append, | 822 ssl3_ClientSendNextProtoNegoXtn(sslSocket * ss, PRBool append, |
811 PRUint32 maxBytes) | 823 PRUint32 maxBytes) |
812 { | 824 { |
813 PRInt32 extension_length; | 825 PRInt32 extension_length; |
814 | 826 |
815 /* Renegotiations do not send this extension. */ | 827 /* Renegotiations do not send this extension. */ |
816 if (!ss->opt.enableNPN || !ss->nextProtoCallback || ss->firstHsDone) { | 828 if (!ss->opt.enableNPN || !ss->nextProtoCallback || ss->firstHsDone) { |
817 return 0; | 829 return 0; |
818 } | 830 } |
819 | 831 |
820 extension_length = 4; | 832 extension_length = 4; |
821 | 833 |
822 if (append && maxBytes >= extension_length) { | 834 if (maxBytes < (PRUint32)extension_length) { |
| 835 return 0; |
| 836 } |
| 837 if (append) { |
823 SECStatus rv; | 838 SECStatus rv; |
824 rv = ssl3_AppendHandshakeNumber(ss, ssl_next_proto_nego_xtn, 2); | 839 rv = ssl3_AppendHandshakeNumber(ss, ssl_next_proto_nego_xtn, 2); |
825 if (rv != SECSuccess) | 840 if (rv != SECSuccess) |
826 goto loser; | 841 goto loser; |
827 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); | 842 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); |
828 if (rv != SECSuccess) | 843 if (rv != SECSuccess) |
829 goto loser; | 844 goto loser; |
830 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | 845 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = |
831 ssl_next_proto_nego_xtn; | 846 ssl_next_proto_nego_xtn; |
832 } else if (maxBytes < extension_length) { | |
833 return 0; | |
834 } | 847 } |
835 | 848 |
836 return extension_length; | 849 return extension_length; |
837 | 850 |
838 loser: | 851 loser: |
839 return -1; | 852 return -1; |
840 } | 853 } |
841 | 854 |
842 static PRInt32 | 855 static PRInt32 |
843 ssl3_ClientSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes) | 856 ssl3_ClientSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes) |
844 { | 857 { |
845 PRInt32 extension_length; | 858 PRInt32 extension_length; |
846 unsigned char *alpn_protos = NULL; | 859 unsigned char *alpn_protos = NULL; |
847 | 860 |
848 /* Renegotiations do not send this extension. */ | 861 /* Renegotiations do not send this extension. */ |
849 if (!ss->opt.enableALPN || !ss->opt.nextProtoNego.data || ss->firstHsDone) { | 862 if (!ss->opt.enableALPN || !ss->opt.nextProtoNego.data || ss->firstHsDone) { |
850 return 0; | 863 return 0; |
851 } | 864 } |
852 | 865 |
853 extension_length = 2 /* extension type */ + 2 /* extension length */ + | 866 extension_length = 2 /* extension type */ + 2 /* extension length */ + |
854 2 /* protocol name list length */ + | 867 2 /* protocol name list length */ + |
855 ss->opt.nextProtoNego.len; | 868 ss->opt.nextProtoNego.len; |
856 | 869 |
857 if (append && maxBytes >= extension_length) { | 870 if (maxBytes < (PRUint32)extension_length) { |
| 871 return 0; |
| 872 } |
| 873 if (append) { |
858 /* NPN requires that the client's fallback protocol is first in the | 874 /* NPN requires that the client's fallback protocol is first in the |
859 * list. However, ALPN sends protocols in preference order. So we | 875 * list. However, ALPN sends protocols in preference order. So we |
860 * allocate a buffer and move the first protocol to the end of the | 876 * allocate a buffer and move the first protocol to the end of the |
861 * list. */ | 877 * list. */ |
862 SECStatus rv; | 878 SECStatus rv; |
863 const unsigned int len = ss->opt.nextProtoNego.len; | 879 const unsigned int len = ss->opt.nextProtoNego.len; |
864 | 880 |
865 alpn_protos = PORT_Alloc(len); | 881 alpn_protos = PORT_Alloc(len); |
866 if (alpn_protos == NULL) { | 882 if (alpn_protos == NULL) { |
867 return SECFailure; | 883 return SECFailure; |
(...skipping 19 matching lines...) Expand all Loading... |
887 goto loser; | 903 goto loser; |
888 } | 904 } |
889 rv = ssl3_AppendHandshakeVariable(ss, alpn_protos, len, 2); | 905 rv = ssl3_AppendHandshakeVariable(ss, alpn_protos, len, 2); |
890 PORT_Free(alpn_protos); | 906 PORT_Free(alpn_protos); |
891 alpn_protos = NULL; | 907 alpn_protos = NULL; |
892 if (rv != SECSuccess) { | 908 if (rv != SECSuccess) { |
893 goto loser; | 909 goto loser; |
894 } | 910 } |
895 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | 911 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = |
896 ssl_app_layer_protocol_xtn; | 912 ssl_app_layer_protocol_xtn; |
897 } else if (maxBytes < extension_length) { | |
898 return 0; | |
899 } | 913 } |
900 | 914 |
901 return extension_length; | 915 return extension_length; |
902 | 916 |
903 loser: | 917 loser: |
904 if (alpn_protos) { | 918 if (alpn_protos) { |
905 PORT_Free(alpn_protos); | 919 PORT_Free(alpn_protos); |
906 } | 920 } |
907 return -1; | 921 return -1; |
908 } | 922 } |
909 | 923 |
910 static PRInt32 | 924 static PRInt32 |
911 ssl3_ServerSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes) | 925 ssl3_ServerSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes) |
912 { | 926 { |
913 PRInt32 extension_length; | 927 PRInt32 extension_length; |
914 | 928 |
915 /* we're in over our heads if any of these fail */ | 929 /* we're in over our heads if any of these fail */ |
916 PORT_Assert(ss->opt.enableALPN); | 930 PORT_Assert(ss->opt.enableALPN); |
917 PORT_Assert(ss->ssl3.nextProto.data); | 931 PORT_Assert(ss->ssl3.nextProto.data); |
918 PORT_Assert(ss->ssl3.nextProto.len > 0); | 932 PORT_Assert(ss->ssl3.nextProto.len > 0); |
919 PORT_Assert(ss->ssl3.nextProtoState == SSL_NEXT_PROTO_NEGOTIATED); | 933 PORT_Assert(ss->ssl3.nextProtoState == SSL_NEXT_PROTO_NEGOTIATED); |
920 PORT_Assert(!ss->firstHsDone); | 934 PORT_Assert(!ss->firstHsDone); |
921 | 935 |
922 extension_length = 2 /* extension type */ + 2 /* extension length */ + | 936 extension_length = 2 /* extension type */ + 2 /* extension length */ + |
923 2 /* protocol name list */ + 1 /* name length */ + | 937 2 /* protocol name list */ + 1 /* name length */ + |
924 ss->ssl3.nextProto.len; | 938 ss->ssl3.nextProto.len; |
925 | 939 |
926 if (append && maxBytes >= extension_length) { | 940 if (maxBytes < (PRUint32)extension_length) { |
| 941 return 0; |
| 942 } |
| 943 if (append) { |
927 SECStatus rv; | 944 SECStatus rv; |
928 rv = ssl3_AppendHandshakeNumber(ss, ssl_app_layer_protocol_xtn, 2); | 945 rv = ssl3_AppendHandshakeNumber(ss, ssl_app_layer_protocol_xtn, 2); |
929 if (rv != SECSuccess) { | 946 if (rv != SECSuccess) { |
930 return -1; | 947 return -1; |
931 } | 948 } |
932 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); | 949 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); |
933 if (rv != SECSuccess) { | 950 if (rv != SECSuccess) { |
934 return -1; | 951 return -1; |
935 } | 952 } |
936 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.nextProto.len + 1, 2); | 953 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.nextProto.len + 1, 2); |
937 if (rv != SECSuccess) { | 954 if (rv != SECSuccess) { |
938 return -1; | 955 return -1; |
939 } | 956 } |
940 rv = ssl3_AppendHandshakeVariable(ss, ss->ssl3.nextProto.data, | 957 rv = ssl3_AppendHandshakeVariable(ss, ss->ssl3.nextProto.data, |
941 ss->ssl3.nextProto.len, 1); | 958 ss->ssl3.nextProto.len, 1); |
942 if (rv != SECSuccess) { | 959 if (rv != SECSuccess) { |
943 return -1; | 960 return -1; |
944 } | 961 } |
945 } else if (maxBytes < extension_length) { | |
946 return 0; | |
947 } | 962 } |
948 | 963 |
949 return extension_length; | 964 return extension_length; |
950 } | 965 } |
951 | 966 |
952 static SECStatus | 967 static SECStatus |
953 ssl3_ClientHandleChannelIDXtn(sslSocket *ss, PRUint16 ex_type, | 968 ssl3_ClientHandleChannelIDXtn(sslSocket *ss, PRUint16 ex_type, |
954 SECItem *data) | 969 SECItem *data) |
955 { | 970 { |
956 PORT_Assert(ss->getChannelID != NULL); | 971 PORT_Assert(ss->getChannelID != NULL); |
(...skipping 81 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1038 */ | 1053 */ |
1039 if (ss->certStatusArray[i] && ss->certStatusArray[i]->len) { | 1054 if (ss->certStatusArray[i] && ss->certStatusArray[i]->len) { |
1040 haveStatus = PR_TRUE; | 1055 haveStatus = PR_TRUE; |
1041 break; | 1056 break; |
1042 } | 1057 } |
1043 } | 1058 } |
1044 if (!haveStatus) | 1059 if (!haveStatus) |
1045 return 0; | 1060 return 0; |
1046 | 1061 |
1047 extension_length = 2 + 2; | 1062 extension_length = 2 + 2; |
1048 if (append && maxBytes >= extension_length) { | 1063 if (maxBytes < (PRUint32)extension_length) { |
| 1064 return 0; |
| 1065 } |
| 1066 if (append) { |
1049 /* extension_type */ | 1067 /* extension_type */ |
1050 rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2); | 1068 rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2); |
1051 if (rv != SECSuccess) | 1069 if (rv != SECSuccess) |
1052 return -1; | 1070 return -1; |
1053 /* length of extension_data */ | 1071 /* length of extension_data */ |
1054 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); | 1072 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); |
1055 if (rv != SECSuccess) | 1073 if (rv != SECSuccess) |
1056 return -1; | 1074 return -1; |
1057 } | 1075 } |
1058 | 1076 |
(...skipping 12 matching lines...) Expand all Loading... |
1071 return 0; | 1089 return 0; |
1072 | 1090 |
1073 /* extension_type (2-bytes) + | 1091 /* extension_type (2-bytes) + |
1074 * length(extension_data) (2-bytes) + | 1092 * length(extension_data) (2-bytes) + |
1075 * status_type (1) + | 1093 * status_type (1) + |
1076 * responder_id_list length (2) + | 1094 * responder_id_list length (2) + |
1077 * request_extensions length (2) | 1095 * request_extensions length (2) |
1078 */ | 1096 */ |
1079 extension_length = 9; | 1097 extension_length = 9; |
1080 | 1098 |
1081 if (append && maxBytes >= extension_length) { | 1099 if (maxBytes < (PRUint32)extension_length) { |
| 1100 PORT_Assert(0); |
| 1101 return 0; |
| 1102 } |
| 1103 if (append) { |
1082 SECStatus rv; | 1104 SECStatus rv; |
1083 TLSExtensionData *xtnData; | 1105 TLSExtensionData *xtnData; |
1084 | 1106 |
1085 /* extension_type */ | 1107 /* extension_type */ |
1086 rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2); | 1108 rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2); |
1087 if (rv != SECSuccess) | 1109 if (rv != SECSuccess) |
1088 return -1; | 1110 return -1; |
1089 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); | 1111 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); |
1090 if (rv != SECSuccess) | 1112 if (rv != SECSuccess) |
1091 return -1; | 1113 return -1; |
1092 rv = ssl3_AppendHandshakeNumber(ss, 1 /* status_type ocsp */, 1); | 1114 rv = ssl3_AppendHandshakeNumber(ss, 1 /* status_type ocsp */, 1); |
1093 if (rv != SECSuccess) | 1115 if (rv != SECSuccess) |
1094 return -1; | 1116 return -1; |
1095 /* A zero length responder_id_list means that the responders are | 1117 /* A zero length responder_id_list means that the responders are |
1096 * implicitly known to the server. */ | 1118 * implicitly known to the server. */ |
1097 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); | 1119 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); |
1098 if (rv != SECSuccess) | 1120 if (rv != SECSuccess) |
1099 return -1; | 1121 return -1; |
1100 /* A zero length request_extensions means that there are no extensions. | 1122 /* A zero length request_extensions means that there are no extensions. |
1101 * Specifically, we don't set the id-pkix-ocsp-nonce extension. This | 1123 * Specifically, we don't set the id-pkix-ocsp-nonce extension. This |
1102 * means that the server can replay a cached OCSP response to us. */ | 1124 * means that the server can replay a cached OCSP response to us. */ |
1103 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); | 1125 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); |
1104 if (rv != SECSuccess) | 1126 if (rv != SECSuccess) |
1105 return -1; | 1127 return -1; |
1106 | 1128 |
1107 xtnData = &ss->xtnData; | 1129 xtnData = &ss->xtnData; |
1108 xtnData->advertised[xtnData->numAdvertised++] = ssl_cert_status_xtn; | 1130 xtnData->advertised[xtnData->numAdvertised++] = ssl_cert_status_xtn; |
1109 } else if (maxBytes < extension_length) { | |
1110 PORT_Assert(0); | |
1111 return 0; | |
1112 } | 1131 } |
1113 return extension_length; | 1132 return extension_length; |
1114 } | 1133 } |
1115 | 1134 |
1116 /* | 1135 /* |
1117 * NewSessionTicket | 1136 * NewSessionTicket |
1118 * Called from ssl3_HandleFinished | 1137 * Called from ssl3_HandleFinished |
1119 */ | 1138 */ |
1120 SECStatus | 1139 SECStatus |
1121 ssl3_SendNewSessionTicket(sslSocket *ss) | 1140 ssl3_SendNewSessionTicket(sslSocket *ss) |
1122 { | 1141 { |
1123 int i; | 1142 PRUint32 i; |
1124 SECStatus rv; | 1143 SECStatus rv; |
1125 NewSessionTicket ticket; | 1144 NewSessionTicket ticket; |
1126 SECItem plaintext; | 1145 SECItem plaintext; |
1127 SECItem plaintext_item = {0, NULL, 0}; | 1146 SECItem plaintext_item = {0, NULL, 0}; |
1128 SECItem ciphertext = {0, NULL, 0}; | 1147 SECItem ciphertext = {0, NULL, 0}; |
1129 PRUint32 ciphertext_length; | 1148 PRUint32 ciphertext_length; |
1130 PRBool ms_is_wrapped; | 1149 PRBool ms_is_wrapped; |
1131 unsigned char wrapped_ms[SSL3_MASTER_SECRET_LENGTH]; | 1150 unsigned char wrapped_ms[SSL3_MASTER_SECRET_LENGTH]; |
1132 SECItem ms_item = {0, NULL, 0}; | 1151 SECItem ms_item = {0, NULL, 0}; |
1133 SSL3KEAType effectiveExchKeyType = ssl_kea_null; | 1152 SSL3KEAType effectiveExchKeyType = ssl_kea_null; |
(...skipping 11 matching lines...) Expand all Loading... |
1145 PRUint32 mac_key_length; | 1164 PRUint32 mac_key_length; |
1146 PRUint64 aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS]; | 1165 PRUint64 aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS]; |
1147 AESContext *aes_ctx; | 1166 AESContext *aes_ctx; |
1148 const SECHashObject *hashObj = NULL; | 1167 const SECHashObject *hashObj = NULL; |
1149 PRUint64 hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS]; | 1168 PRUint64 hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS]; |
1150 HMACContext *hmac_ctx; | 1169 HMACContext *hmac_ctx; |
1151 #endif | 1170 #endif |
1152 CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC; | 1171 CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC; |
1153 PK11Context *aes_ctx_pkcs11; | 1172 PK11Context *aes_ctx_pkcs11; |
1154 CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC; | 1173 CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC; |
1155 PK11Context *hmac_ctx_pkcs11; | 1174 PK11Context *hmac_ctx_pkcs11 = NULL; |
1156 unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH]; | 1175 unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH]; |
1157 unsigned int computed_mac_length; | 1176 unsigned int computed_mac_length; |
1158 unsigned char iv[AES_BLOCK_SIZE]; | 1177 unsigned char iv[AES_BLOCK_SIZE]; |
1159 SECItem ivItem; | 1178 SECItem ivItem; |
1160 SECItem *srvName = NULL; | 1179 SECItem *srvName = NULL; |
1161 PRUint32 srvNameLen = 0; | 1180 PRUint32 srvNameLen = 0; |
1162 CK_MECHANISM_TYPE msWrapMech = 0; /* dummy default value, | 1181 CK_MECHANISM_TYPE msWrapMech = 0; /* dummy default value, |
1163 * must be >= 0 */ | 1182 * must be >= 0 */ |
1164 | 1183 |
1165 SSL_TRC(3, ("%d: SSL3[%d]: send session_ticket handshake", | 1184 SSL_TRC(3, ("%d: SSL3[%d]: send session_ticket handshake", |
(...skipping 27 matching lines...) Expand all Loading... |
1193 if (ss->ssl3.pwSpec->msItem.len && ss->ssl3.pwSpec->msItem.data) { | 1212 if (ss->ssl3.pwSpec->msItem.len && ss->ssl3.pwSpec->msItem.data) { |
1194 /* The master secret is available unwrapped. */ | 1213 /* The master secret is available unwrapped. */ |
1195 ms_item.data = ss->ssl3.pwSpec->msItem.data; | 1214 ms_item.data = ss->ssl3.pwSpec->msItem.data; |
1196 ms_item.len = ss->ssl3.pwSpec->msItem.len; | 1215 ms_item.len = ss->ssl3.pwSpec->msItem.len; |
1197 ms_is_wrapped = PR_FALSE; | 1216 ms_is_wrapped = PR_FALSE; |
1198 } else { | 1217 } else { |
1199 /* Extract the master secret wrapped. */ | 1218 /* Extract the master secret wrapped. */ |
1200 sslSessionID sid; | 1219 sslSessionID sid; |
1201 PORT_Memset(&sid, 0, sizeof(sslSessionID)); | 1220 PORT_Memset(&sid, 0, sizeof(sslSessionID)); |
1202 | 1221 |
1203 if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) { | 1222 if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa || |
| 1223 ss->ssl3.hs.kea_def->kea == kea_dhe_rsa) { |
1204 effectiveExchKeyType = kt_rsa; | 1224 effectiveExchKeyType = kt_rsa; |
1205 } else { | 1225 } else { |
1206 effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType; | 1226 effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType; |
1207 } | 1227 } |
1208 | 1228 |
1209 rv = ssl3_CacheWrappedMasterSecret(ss, &sid, ss->ssl3.pwSpec, | 1229 rv = ssl3_CacheWrappedMasterSecret(ss, &sid, ss->ssl3.pwSpec, |
1210 effectiveExchKeyType); | 1230 effectiveExchKeyType); |
1211 if (rv == SECSuccess) { | 1231 if (rv == SECSuccess) { |
1212 if (sid.u.ssl3.keys.wrapped_master_secret_len > sizeof(wrapped_ms)) | 1232 if (sid.u.ssl3.keys.wrapped_master_secret_len > sizeof(wrapped_ms)) |
1213 goto loser; | 1233 goto loser; |
(...skipping 22 matching lines...) Expand all Loading... |
1236 + 10 /* cipher spec parameters */ | 1256 + 10 /* cipher spec parameters */ |
1237 + 1 /* SessionTicket.ms_is_wrapped */ | 1257 + 1 /* SessionTicket.ms_is_wrapped */ |
1238 + 1 /* effectiveExchKeyType */ | 1258 + 1 /* effectiveExchKeyType */ |
1239 + 4 /* msWrapMech */ | 1259 + 4 /* msWrapMech */ |
1240 + 2 /* master_secret.length */ | 1260 + 2 /* master_secret.length */ |
1241 + ms_item.len /* master_secret */ | 1261 + ms_item.len /* master_secret */ |
1242 + 1 /* client_auth_type */ | 1262 + 1 /* client_auth_type */ |
1243 + cert_length /* cert */ | 1263 + cert_length /* cert */ |
1244 + 1 /* server name type */ | 1264 + 1 /* server name type */ |
1245 + srvNameLen /* name len + length field */ | 1265 + srvNameLen /* name len + length field */ |
| 1266 + 1 /* extendedMasterSecretUsed */ |
1246 + sizeof(ticket.ticket_lifetime_hint); | 1267 + sizeof(ticket.ticket_lifetime_hint); |
1247 padding_length = AES_BLOCK_SIZE - | 1268 padding_length = AES_BLOCK_SIZE - |
1248 (ciphertext_length % AES_BLOCK_SIZE); | 1269 (ciphertext_length % AES_BLOCK_SIZE); |
1249 ciphertext_length += padding_length; | 1270 ciphertext_length += padding_length; |
1250 | 1271 |
1251 message_length = | 1272 message_length = |
1252 sizeof(ticket.ticket_lifetime_hint) /* ticket_lifetime_hint */ | 1273 sizeof(ticket.ticket_lifetime_hint) /* ticket_lifetime_hint */ |
1253 + 2 /* length field for NewSessionTicket.ticket */ | 1274 + 2 /* length field for NewSessionTicket.ticket */ |
1254 + SESS_TICKET_KEY_NAME_LEN /* key_name */ | 1275 + SESS_TICKET_KEY_NAME_LEN /* key_name */ |
1255 + AES_BLOCK_SIZE /* iv */ | 1276 + AES_BLOCK_SIZE /* iv */ |
(...skipping 78 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1334 if (rv != SECSuccess) goto loser; | 1355 if (rv != SECSuccess) goto loser; |
1335 rv = ssl3_AppendToItem(&plaintext, srvName->data, srvName->len); | 1356 rv = ssl3_AppendToItem(&plaintext, srvName->data, srvName->len); |
1336 if (rv != SECSuccess) goto loser; | 1357 if (rv != SECSuccess) goto loser; |
1337 } else { | 1358 } else { |
1338 /* No Name */ | 1359 /* No Name */ |
1339 rv = ssl3_AppendNumberToItem(&plaintext, (char)TLS_STE_NO_SERVER_NAME, | 1360 rv = ssl3_AppendNumberToItem(&plaintext, (char)TLS_STE_NO_SERVER_NAME, |
1340 1); | 1361 1); |
1341 if (rv != SECSuccess) goto loser; | 1362 if (rv != SECSuccess) goto loser; |
1342 } | 1363 } |
1343 | 1364 |
| 1365 /* extendedMasterSecretUsed */ |
| 1366 rv = ssl3_AppendNumberToItem( |
| 1367 &plaintext, ss->sec.ci.sid->u.ssl3.keys.extendedMasterSecretUsed, 1); |
| 1368 if (rv != SECSuccess) goto loser; |
| 1369 |
1344 PORT_Assert(plaintext.len == padding_length); | 1370 PORT_Assert(plaintext.len == padding_length); |
1345 for (i = 0; i < padding_length; i++) | 1371 for (i = 0; i < padding_length; i++) |
1346 plaintext.data[i] = (unsigned char)padding_length; | 1372 plaintext.data[i] = (unsigned char)padding_length; |
1347 | 1373 |
1348 if (SECITEM_AllocItem(NULL, &ciphertext, ciphertext_length) == NULL) { | 1374 if (SECITEM_AllocItem(NULL, &ciphertext, ciphertext_length) == NULL) { |
1349 rv = SECFailure; | 1375 rv = SECFailure; |
1350 goto loser; | 1376 goto loser; |
1351 } | 1377 } |
1352 | 1378 |
1353 /* Generate encrypted portion of ticket. */ | 1379 /* Generate encrypted portion of ticket. */ |
(...skipping 49 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1403 { | 1429 { |
1404 SECItem macParam; | 1430 SECItem macParam; |
1405 macParam.data = NULL; | 1431 macParam.data = NULL; |
1406 macParam.len = 0; | 1432 macParam.len = 0; |
1407 hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech, | 1433 hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech, |
1408 CKA_SIGN, mac_key_pkcs11, &macParam); | 1434 CKA_SIGN, mac_key_pkcs11, &macParam); |
1409 if (!hmac_ctx_pkcs11) | 1435 if (!hmac_ctx_pkcs11) |
1410 goto loser; | 1436 goto loser; |
1411 | 1437 |
1412 rv = PK11_DigestBegin(hmac_ctx_pkcs11); | 1438 rv = PK11_DigestBegin(hmac_ctx_pkcs11); |
| 1439 if (rv != SECSuccess) goto loser; |
1413 rv = PK11_DigestOp(hmac_ctx_pkcs11, key_name, | 1440 rv = PK11_DigestOp(hmac_ctx_pkcs11, key_name, |
1414 SESS_TICKET_KEY_NAME_LEN); | 1441 SESS_TICKET_KEY_NAME_LEN); |
| 1442 if (rv != SECSuccess) goto loser; |
1415 rv = PK11_DigestOp(hmac_ctx_pkcs11, iv, sizeof(iv)); | 1443 rv = PK11_DigestOp(hmac_ctx_pkcs11, iv, sizeof(iv)); |
| 1444 if (rv != SECSuccess) goto loser; |
1416 rv = PK11_DigestOp(hmac_ctx_pkcs11, (unsigned char *)length_buf, 2); | 1445 rv = PK11_DigestOp(hmac_ctx_pkcs11, (unsigned char *)length_buf, 2); |
| 1446 if (rv != SECSuccess) goto loser; |
1417 rv = PK11_DigestOp(hmac_ctx_pkcs11, ciphertext.data, ciphertext.len); | 1447 rv = PK11_DigestOp(hmac_ctx_pkcs11, ciphertext.data, ciphertext.len); |
| 1448 if (rv != SECSuccess) goto loser; |
1418 rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac, | 1449 rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac, |
1419 &computed_mac_length, sizeof(computed_mac)); | 1450 &computed_mac_length, sizeof(computed_mac)); |
1420 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); | |
1421 if (rv != SECSuccess) goto loser; | 1451 if (rv != SECSuccess) goto loser; |
1422 } | 1452 } |
1423 | 1453 |
1424 /* Serialize the handshake message. */ | 1454 /* Serialize the handshake message. */ |
1425 rv = ssl3_AppendHandshakeHeader(ss, new_session_ticket, message_length); | 1455 rv = ssl3_AppendHandshakeHeader(ss, new_session_ticket, message_length); |
1426 if (rv != SECSuccess) goto loser; | 1456 if (rv != SECSuccess) goto loser; |
1427 | 1457 |
1428 rv = ssl3_AppendHandshakeNumber(ss, ticket.ticket_lifetime_hint, | 1458 rv = ssl3_AppendHandshakeNumber(ss, ticket.ticket_lifetime_hint, |
1429 sizeof(ticket.ticket_lifetime_hint)); | 1459 sizeof(ticket.ticket_lifetime_hint)); |
1430 if (rv != SECSuccess) goto loser; | 1460 if (rv != SECSuccess) goto loser; |
1431 | 1461 |
1432 rv = ssl3_AppendHandshakeNumber(ss, | 1462 rv = ssl3_AppendHandshakeNumber(ss, |
1433 message_length - sizeof(ticket.ticket_lifetime_hint) - 2, 2); | 1463 message_length - sizeof(ticket.ticket_lifetime_hint) - 2, 2); |
1434 if (rv != SECSuccess) goto loser; | 1464 if (rv != SECSuccess) goto loser; |
1435 | 1465 |
1436 rv = ssl3_AppendHandshake(ss, key_name, SESS_TICKET_KEY_NAME_LEN); | 1466 rv = ssl3_AppendHandshake(ss, key_name, SESS_TICKET_KEY_NAME_LEN); |
1437 if (rv != SECSuccess) goto loser; | 1467 if (rv != SECSuccess) goto loser; |
1438 | 1468 |
1439 rv = ssl3_AppendHandshake(ss, iv, sizeof(iv)); | 1469 rv = ssl3_AppendHandshake(ss, iv, sizeof(iv)); |
1440 if (rv != SECSuccess) goto loser; | 1470 if (rv != SECSuccess) goto loser; |
1441 | 1471 |
1442 rv = ssl3_AppendHandshakeVariable(ss, ciphertext.data, ciphertext.len, 2); | 1472 rv = ssl3_AppendHandshakeVariable(ss, ciphertext.data, ciphertext.len, 2); |
1443 if (rv != SECSuccess) goto loser; | 1473 if (rv != SECSuccess) goto loser; |
1444 | 1474 |
1445 rv = ssl3_AppendHandshake(ss, computed_mac, computed_mac_length); | 1475 rv = ssl3_AppendHandshake(ss, computed_mac, computed_mac_length); |
1446 if (rv != SECSuccess) goto loser; | 1476 if (rv != SECSuccess) goto loser; |
1447 | 1477 |
1448 loser: | 1478 loser: |
| 1479 if (hmac_ctx_pkcs11) |
| 1480 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); |
1449 if (plaintext_item.data) | 1481 if (plaintext_item.data) |
1450 SECITEM_FreeItem(&plaintext_item, PR_FALSE); | 1482 SECITEM_FreeItem(&plaintext_item, PR_FALSE); |
1451 if (ciphertext.data) | 1483 if (ciphertext.data) |
1452 SECITEM_FreeItem(&ciphertext, PR_FALSE); | 1484 SECITEM_FreeItem(&ciphertext, PR_FALSE); |
1453 | 1485 |
1454 return rv; | 1486 return rv; |
1455 } | 1487 } |
1456 | 1488 |
1457 /* When a client receives a SessionTicket extension a NewSessionTicket | 1489 /* When a client receives a SessionTicket extension a NewSessionTicket |
1458 * message is expected during the handshake. | 1490 * message is expected during the handshake. |
(...skipping 29 matching lines...) Expand all Loading... |
1488 /* Keep track of negotiated extensions. */ | 1520 /* Keep track of negotiated extensions. */ |
1489 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | 1521 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
1490 | 1522 |
1491 /* Parse the received ticket sent in by the client. We are | 1523 /* Parse the received ticket sent in by the client. We are |
1492 * lenient about some parse errors, falling back to a fullshake | 1524 * lenient about some parse errors, falling back to a fullshake |
1493 * instead of terminating the current connection. | 1525 * instead of terminating the current connection. |
1494 */ | 1526 */ |
1495 if (data->len == 0) { | 1527 if (data->len == 0) { |
1496 ss->xtnData.emptySessionTicket = PR_TRUE; | 1528 ss->xtnData.emptySessionTicket = PR_TRUE; |
1497 } else { | 1529 } else { |
1498 int i; | 1530 PRUint32 i; |
1499 SECItem extension_data; | 1531 SECItem extension_data; |
1500 EncryptedSessionTicket enc_session_ticket; | 1532 EncryptedSessionTicket enc_session_ticket; |
1501 unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH]; | 1533 unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH]; |
1502 unsigned int computed_mac_length; | 1534 unsigned int computed_mac_length; |
1503 #ifndef NO_PKCS11_BYPASS | 1535 #ifndef NO_PKCS11_BYPASS |
1504 const SECHashObject *hashObj; | 1536 const SECHashObject *hashObj; |
1505 const unsigned char *aes_key; | 1537 const unsigned char *aes_key; |
1506 const unsigned char *mac_key; | 1538 const unsigned char *mac_key; |
1507 PRUint32 aes_key_length; | 1539 PRUint32 aes_key_length; |
1508 PRUint32 mac_key_length; | 1540 PRUint32 mac_key_length; |
(...skipping 182 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1691 /* Deserialize session state. */ | 1723 /* Deserialize session state. */ |
1692 buffer = decrypted_state->data; | 1724 buffer = decrypted_state->data; |
1693 buffer_len = decrypted_state->len; | 1725 buffer_len = decrypted_state->len; |
1694 | 1726 |
1695 parsed_session_ticket = PORT_ZAlloc(sizeof(SessionTicket)); | 1727 parsed_session_ticket = PORT_ZAlloc(sizeof(SessionTicket)); |
1696 if (parsed_session_ticket == NULL) { | 1728 if (parsed_session_ticket == NULL) { |
1697 rv = SECFailure; | 1729 rv = SECFailure; |
1698 goto loser; | 1730 goto loser; |
1699 } | 1731 } |
1700 | 1732 |
1701 /* Read ticket_version (which is ignored for now.) */ | 1733 /* Read ticket_version and reject if the version is wrong */ |
1702 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); | 1734 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); |
1703 if (temp < 0) goto no_ticket; | 1735 if (temp != TLS_EX_SESS_TICKET_VERSION) goto no_ticket; |
| 1736 |
1704 parsed_session_ticket->ticket_version = (SSL3ProtocolVersion)temp; | 1737 parsed_session_ticket->ticket_version = (SSL3ProtocolVersion)temp; |
1705 | 1738 |
1706 /* Read SSLVersion. */ | 1739 /* Read SSLVersion. */ |
1707 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); | 1740 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); |
1708 if (temp < 0) goto no_ticket; | 1741 if (temp < 0) goto no_ticket; |
1709 parsed_session_ticket->ssl_version = (SSL3ProtocolVersion)temp; | 1742 parsed_session_ticket->ssl_version = (SSL3ProtocolVersion)temp; |
1710 | 1743 |
1711 /* Read cipher_suite. */ | 1744 /* Read cipher_suite. */ |
1712 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); | 1745 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); |
1713 if (temp < 0) goto no_ticket; | 1746 if (temp < 0) goto no_ticket; |
(...skipping 80 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1794 SECItem name_item; | 1827 SECItem name_item; |
1795 rv = ssl3_ConsumeHandshakeVariable(ss, &name_item, 2, &buffer, | 1828 rv = ssl3_ConsumeHandshakeVariable(ss, &name_item, 2, &buffer, |
1796 &buffer_len); | 1829 &buffer_len); |
1797 if (rv != SECSuccess) goto no_ticket; | 1830 if (rv != SECSuccess) goto no_ticket; |
1798 rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->srvName, | 1831 rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->srvName, |
1799 &name_item); | 1832 &name_item); |
1800 if (rv != SECSuccess) goto no_ticket; | 1833 if (rv != SECSuccess) goto no_ticket; |
1801 parsed_session_ticket->srvName.type = nameType; | 1834 parsed_session_ticket->srvName.type = nameType; |
1802 } | 1835 } |
1803 | 1836 |
| 1837 /* Read extendedMasterSecretUsed */ |
| 1838 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); |
| 1839 if (temp < 0) |
| 1840 goto no_ticket; |
| 1841 PORT_Assert(temp == PR_TRUE || temp == PR_FALSE); |
| 1842 parsed_session_ticket->extendedMasterSecretUsed = (PRBool)temp; |
| 1843 |
1804 /* Done parsing. Check that all bytes have been consumed. */ | 1844 /* Done parsing. Check that all bytes have been consumed. */ |
1805 if (buffer_len != padding_length) | 1845 if (buffer_len != padding_length) |
1806 goto no_ticket; | 1846 goto no_ticket; |
1807 | 1847 |
1808 /* Use the ticket if it has not expired, otherwise free the allocated | 1848 /* Use the ticket if it has not expired, otherwise free the allocated |
1809 * memory since the ticket is of no use. | 1849 * memory since the ticket is of no use. |
1810 */ | 1850 */ |
1811 if (parsed_session_ticket->timestamp != 0 && | 1851 if (parsed_session_ticket->timestamp != 0 && |
1812 parsed_session_ticket->timestamp + | 1852 parsed_session_ticket->timestamp + |
1813 TLS_EX_SESS_TICKET_LIFETIME_HINT > ssl_Time()) { | 1853 TLS_EX_SESS_TICKET_LIFETIME_HINT > ssl_Time()) { |
(...skipping 26 matching lines...) Expand all Loading... |
1840 parsed_session_ticket->master_secret, | 1880 parsed_session_ticket->master_secret, |
1841 parsed_session_ticket->ms_length); | 1881 parsed_session_ticket->ms_length); |
1842 sid->u.ssl3.keys.wrapped_master_secret_len = | 1882 sid->u.ssl3.keys.wrapped_master_secret_len = |
1843 parsed_session_ticket->ms_length; | 1883 parsed_session_ticket->ms_length; |
1844 sid->u.ssl3.exchKeyType = parsed_session_ticket->exchKeyType; | 1884 sid->u.ssl3.exchKeyType = parsed_session_ticket->exchKeyType; |
1845 sid->u.ssl3.masterWrapMech = parsed_session_ticket->msWrapMech; | 1885 sid->u.ssl3.masterWrapMech = parsed_session_ticket->msWrapMech; |
1846 sid->u.ssl3.keys.msIsWrapped = | 1886 sid->u.ssl3.keys.msIsWrapped = |
1847 parsed_session_ticket->ms_is_wrapped; | 1887 parsed_session_ticket->ms_is_wrapped; |
1848 sid->u.ssl3.masterValid = PR_TRUE; | 1888 sid->u.ssl3.masterValid = PR_TRUE; |
1849 sid->u.ssl3.keys.resumable = PR_TRUE; | 1889 sid->u.ssl3.keys.resumable = PR_TRUE; |
| 1890 sid->u.ssl3.keys.extendedMasterSecretUsed = parsed_session_ticket-> |
| 1891 extendedMasterSecretUsed; |
1850 | 1892 |
1851 /* Copy over client cert from session ticket if there is one. */ | 1893 /* Copy over client cert from session ticket if there is one. */ |
1852 if (parsed_session_ticket->peer_cert.data != NULL) { | 1894 if (parsed_session_ticket->peer_cert.data != NULL) { |
1853 if (sid->peerCert != NULL) | 1895 if (sid->peerCert != NULL) |
1854 CERT_DestroyCertificate(sid->peerCert); | 1896 CERT_DestroyCertificate(sid->peerCert); |
1855 sid->peerCert = CERT_NewTempCertificate(ss->dbHandle, | 1897 sid->peerCert = CERT_NewTempCertificate(ss->dbHandle, |
1856 &parsed_session_ticket->peer_cert, NULL, PR_FALSE, PR_TRUE); | 1898 &parsed_session_ticket->peer_cert, NULL, PR_FALSE, PR_TRUE); |
1857 if (sid->peerCert == NULL) { | 1899 if (sid->peerCert == NULL) { |
1858 rv = SECFailure; | 1900 rv = SECFailure; |
1859 goto loser; | 1901 goto loser; |
(...skipping 218 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2078 /* In draft-ietf-tls-renegotiation-03, it is NOT RECOMMENDED to send | 2120 /* In draft-ietf-tls-renegotiation-03, it is NOT RECOMMENDED to send |
2079 * both the SCSV and the empty RI, so when we send SCSV in | 2121 * both the SCSV and the empty RI, so when we send SCSV in |
2080 * the initial handshake, we don't also send RI. | 2122 * the initial handshake, we don't also send RI. |
2081 */ | 2123 */ |
2082 if (!ss || ss->ssl3.hs.sendingSCSV) | 2124 if (!ss || ss->ssl3.hs.sendingSCSV) |
2083 return 0; | 2125 return 0; |
2084 len = !ss->firstHsDone ? 0 : | 2126 len = !ss->firstHsDone ? 0 : |
2085 (ss->sec.isServer ? ss->ssl3.hs.finishedBytes * 2 | 2127 (ss->sec.isServer ? ss->ssl3.hs.finishedBytes * 2 |
2086 : ss->ssl3.hs.finishedBytes); | 2128 : ss->ssl3.hs.finishedBytes); |
2087 needed = 5 + len; | 2129 needed = 5 + len; |
2088 if (append && maxBytes >= needed) { | 2130 if (maxBytes < (PRUint32)needed) { |
| 2131 return 0; |
| 2132 } |
| 2133 if (append) { |
2089 SECStatus rv; | 2134 SECStatus rv; |
2090 /* extension_type */ | 2135 /* extension_type */ |
2091 rv = ssl3_AppendHandshakeNumber(ss, ssl_renegotiation_info_xtn, 2); | 2136 rv = ssl3_AppendHandshakeNumber(ss, ssl_renegotiation_info_xtn, 2); |
2092 if (rv != SECSuccess) return -1; | 2137 if (rv != SECSuccess) return -1; |
2093 /* length of extension_data */ | 2138 /* length of extension_data */ |
2094 rv = ssl3_AppendHandshakeNumber(ss, len + 1, 2); | 2139 rv = ssl3_AppendHandshakeNumber(ss, len + 1, 2); |
2095 if (rv != SECSuccess) return -1; | 2140 if (rv != SECSuccess) return -1; |
2096 /* verify_Data from previous Finished message(s) */ | 2141 /* verify_Data from previous Finished message(s) */ |
2097 rv = ssl3_AppendHandshakeVariable(ss, | 2142 rv = ssl3_AppendHandshakeVariable(ss, |
2098 ss->ssl3.hs.finishedMsgs.data, len, 1); | 2143 ss->ssl3.hs.finishedMsgs.data, len, 1); |
(...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2131 if (ss->firstHsDone) { | 2176 if (ss->firstHsDone) { |
2132 len = ss->sec.isServer ? ss->ssl3.hs.finishedBytes | 2177 len = ss->sec.isServer ? ss->ssl3.hs.finishedBytes |
2133 : ss->ssl3.hs.finishedBytes * 2; | 2178 : ss->ssl3.hs.finishedBytes * 2; |
2134 } | 2179 } |
2135 if (data->len != 1 + len || data->data[0] != len ) { | 2180 if (data->len != 1 + len || data->data[0] != len ) { |
2136 (void)ssl3_DecodeError(ss); | 2181 (void)ssl3_DecodeError(ss); |
2137 return SECFailure; | 2182 return SECFailure; |
2138 } | 2183 } |
2139 if (len && NSS_SecureMemcmp(ss->ssl3.hs.finishedMsgs.data, | 2184 if (len && NSS_SecureMemcmp(ss->ssl3.hs.finishedMsgs.data, |
2140 data->data + 1, len)) { | 2185 data->data + 1, len)) { |
| 2186 (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure); |
2141 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); | 2187 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); |
2142 (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure); | |
2143 return SECFailure; | 2188 return SECFailure; |
2144 } | 2189 } |
2145 /* remember that we got this extension and it was correct. */ | 2190 /* remember that we got this extension and it was correct. */ |
2146 ss->peerRequestedProtection = 1; | 2191 ss->peerRequestedProtection = 1; |
2147 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | 2192 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
2148 if (ss->sec.isServer) { | 2193 if (ss->sec.isServer) { |
2149 /* prepare to send back the appropriate response */ | 2194 /* prepare to send back the appropriate response */ |
2150 rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type, | 2195 rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type, |
2151 ssl3_SendRenegotiationInfoX
tn); | 2196 ssl3_SendRenegotiationInfoX
tn); |
2152 } | 2197 } |
(...skipping 103 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2256 | 2301 |
2257 /* Now check that this is one of the ciphers we offered */ | 2302 /* Now check that this is one of the ciphers we offered */ |
2258 for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) { | 2303 for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) { |
2259 if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) { | 2304 if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) { |
2260 found = PR_TRUE; | 2305 found = PR_TRUE; |
2261 break; | 2306 break; |
2262 } | 2307 } |
2263 } | 2308 } |
2264 | 2309 |
2265 if (!found) { | 2310 if (!found) { |
| 2311 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); |
2266 PORT_SetError(SSL_ERROR_RX_MALFORMED_SERVER_HELLO); | 2312 PORT_SetError(SSL_ERROR_RX_MALFORMED_SERVER_HELLO); |
2267 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); | |
2268 return SECFailure; | 2313 return SECFailure; |
2269 } | 2314 } |
2270 | 2315 |
2271 /* Get the srtp_mki value */ | 2316 /* Get the srtp_mki value */ |
2272 rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 1, | 2317 rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 1, |
2273 &data->data, &data->len); | 2318 &data->data, &data->len); |
2274 if (rv != SECSuccess) { | 2319 if (rv != SECSuccess) { |
2275 return SECFailure; /* alert already sent */ | 2320 return SECFailure; /* alert already sent */ |
2276 } | 2321 } |
2277 | 2322 |
2278 /* We didn't offer an MKI, so this must be 0 length */ | 2323 /* We didn't offer an MKI, so this must be 0 length */ |
2279 if (litem.len != 0) { | 2324 if (litem.len != 0) { |
| 2325 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); |
2280 PORT_SetError(SSL_ERROR_RX_MALFORMED_SERVER_HELLO); | 2326 PORT_SetError(SSL_ERROR_RX_MALFORMED_SERVER_HELLO); |
2281 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); | |
2282 return SECFailure; | 2327 return SECFailure; |
2283 } | 2328 } |
2284 | 2329 |
2285 /* extra trailing bytes */ | 2330 /* extra trailing bytes */ |
2286 if (data->len != 0) { | 2331 if (data->len != 0) { |
2287 (void)ssl3_DecodeError(ss); | 2332 (void)ssl3_DecodeError(ss); |
2288 return SECFailure; | 2333 return SECFailure; |
2289 } | 2334 } |
2290 | 2335 |
2291 /* OK, this looks fine. */ | 2336 /* OK, this looks fine. */ |
(...skipping 75 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2367 | 2412 |
2368 /* ssl3_ServerHandleSigAlgsXtn handles the signature_algorithms extension | 2413 /* ssl3_ServerHandleSigAlgsXtn handles the signature_algorithms extension |
2369 * from a client. | 2414 * from a client. |
2370 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ | 2415 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ |
2371 static SECStatus | 2416 static SECStatus |
2372 ssl3_ServerHandleSigAlgsXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data) | 2417 ssl3_ServerHandleSigAlgsXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data) |
2373 { | 2418 { |
2374 SECStatus rv; | 2419 SECStatus rv; |
2375 SECItem algorithms; | 2420 SECItem algorithms; |
2376 const unsigned char *b; | 2421 const unsigned char *b; |
2377 unsigned int numAlgorithms, i, j; | 2422 unsigned int numAlgorithms, i; |
2378 | 2423 |
2379 /* Ignore this extension if we aren't doing TLS 1.2 or greater. */ | 2424 /* Ignore this extension if we aren't doing TLS 1.2 or greater. */ |
2380 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) { | 2425 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) { |
2381 return SECSuccess; | 2426 return SECSuccess; |
2382 } | 2427 } |
2383 | 2428 |
2384 rv = ssl3_ConsumeHandshakeVariable(ss, &algorithms, 2, &data->data, | 2429 rv = ssl3_ConsumeHandshakeVariable(ss, &algorithms, 2, &data->data, |
2385 &data->len); | 2430 &data->len); |
2386 if (rv != SECSuccess) { | 2431 if (rv != SECSuccess) { |
2387 return SECFailure; | 2432 return SECFailure; |
2388 } | 2433 } |
2389 /* Trailing data, empty value, or odd-length value is invalid. */ | 2434 /* Trailing data, empty value, or odd-length value is invalid. */ |
2390 if (data->len != 0 || algorithms.len == 0 || (algorithms.len & 1) != 0) { | 2435 if (data->len != 0 || algorithms.len == 0 || (algorithms.len & 1) != 0) { |
| 2436 (void)SSL3_SendAlert(ss, alert_fatal, decode_error); |
2391 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); | 2437 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); |
2392 (void)SSL3_SendAlert(ss, alert_fatal, decode_error); | |
2393 return SECFailure; | 2438 return SECFailure; |
2394 } | 2439 } |
2395 | 2440 |
2396 numAlgorithms = algorithms.len/2; | 2441 numAlgorithms = algorithms.len/2; |
2397 | 2442 |
2398 /* We don't care to process excessive numbers of algorithms. */ | 2443 /* We don't care to process excessive numbers of algorithms. */ |
2399 if (numAlgorithms > 512) { | 2444 if (numAlgorithms > 512) { |
2400 numAlgorithms = 512; | 2445 numAlgorithms = 512; |
2401 } | 2446 } |
2402 | 2447 |
2403 ss->ssl3.hs.clientSigAndHash = | 2448 ss->ssl3.hs.clientSigAndHash = |
2404 PORT_NewArray(SSL3SignatureAndHashAlgorithm, numAlgorithms); | 2449 PORT_NewArray(SSLSignatureAndHashAlg, numAlgorithms); |
2405 if (!ss->ssl3.hs.clientSigAndHash) { | 2450 if (!ss->ssl3.hs.clientSigAndHash) { |
| 2451 (void)SSL3_SendAlert(ss, alert_fatal, internal_error); |
2406 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); | 2452 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); |
2407 (void)SSL3_SendAlert(ss, alert_fatal, internal_error); | |
2408 return SECFailure; | 2453 return SECFailure; |
2409 } | 2454 } |
2410 ss->ssl3.hs.numClientSigAndHash = 0; | 2455 ss->ssl3.hs.numClientSigAndHash = 0; |
2411 | 2456 |
2412 b = algorithms.data; | 2457 b = algorithms.data; |
2413 for (i = j = 0; i < numAlgorithms; i++) { | 2458 ss->ssl3.hs.numClientSigAndHash = 0; |
2414 unsigned char tls_hash = *(b++); | 2459 for (i = 0; i < numAlgorithms; i++) { |
2415 unsigned char tls_sig = *(b++); | 2460 SSLSignatureAndHashAlg *sigAndHash = |
2416 SECOidTag hash = ssl3_TLSHashAlgorithmToOID(tls_hash); | 2461 &ss->ssl3.hs.clientSigAndHash[ss->ssl3.hs.numClientSigAndHash]; |
2417 | 2462 sigAndHash->hashAlg = (SSLHashType)*(b++); |
2418 if (hash == SEC_OID_UNKNOWN) { | 2463 sigAndHash->sigAlg = (SSLSignType)*(b++); |
2419 /* We ignore formats that we don't understand. */ | 2464 if (ssl3_IsSupportedSignatureAlgorithm(sigAndHash)) { |
2420 continue; | 2465 ++ss->ssl3.hs.numClientSigAndHash; |
2421 } | 2466 } |
2422 /* tls_sig support will be checked later in | |
2423 * ssl3_PickSignatureHashAlgorithm. */ | |
2424 ss->ssl3.hs.clientSigAndHash[j].hashAlg = hash; | |
2425 ss->ssl3.hs.clientSigAndHash[j].sigAlg = tls_sig; | |
2426 ++j; | |
2427 ++ss->ssl3.hs.numClientSigAndHash; | |
2428 } | 2467 } |
2429 | 2468 |
2430 if (!ss->ssl3.hs.numClientSigAndHash) { | 2469 if (!ss->ssl3.hs.numClientSigAndHash) { |
2431 /* We didn't understand any of the client's requested signature | 2470 /* We didn't understand any of the client's requested signature |
2432 * formats. We'll use the defaults. */ | 2471 * formats. We'll use the defaults. */ |
2433 PORT_Free(ss->ssl3.hs.clientSigAndHash); | 2472 PORT_Free(ss->ssl3.hs.clientSigAndHash); |
2434 ss->ssl3.hs.clientSigAndHash = NULL; | 2473 ss->ssl3.hs.clientSigAndHash = NULL; |
2435 } | 2474 } |
2436 | 2475 |
2437 /* Keep track of negotiated extensions. */ | 2476 /* Keep track of negotiated extensions. */ |
2438 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | 2477 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
2439 return SECSuccess; | 2478 return SECSuccess; |
2440 } | 2479 } |
2441 | 2480 |
2442 /* ssl3_ClientSendSigAlgsXtn sends the signature_algorithm extension for TLS | 2481 /* ssl3_ClientSendSigAlgsXtn sends the signature_algorithm extension for TLS |
2443 * 1.2 ClientHellos. */ | 2482 * 1.2 ClientHellos. */ |
2444 static PRInt32 | 2483 static PRInt32 |
2445 ssl3_ClientSendSigAlgsXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes) | 2484 ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes) |
2446 { | 2485 { |
2447 static const unsigned char signatureAlgorithms[] = { | |
2448 /* This block is the contents of our signature_algorithms extension, in | |
2449 * wire format. See | |
2450 * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ | |
2451 tls_hash_sha256, tls_sig_rsa, | |
2452 tls_hash_sha384, tls_sig_rsa, | |
2453 tls_hash_sha512, tls_sig_rsa, | |
2454 tls_hash_sha1, tls_sig_rsa, | |
2455 #ifndef NSS_DISABLE_ECC | |
2456 tls_hash_sha256, tls_sig_ecdsa, | |
2457 tls_hash_sha384, tls_sig_ecdsa, | |
2458 tls_hash_sha512, tls_sig_ecdsa, | |
2459 tls_hash_sha1, tls_sig_ecdsa, | |
2460 #endif | |
2461 tls_hash_sha256, tls_sig_dsa, | |
2462 tls_hash_sha1, tls_sig_dsa, | |
2463 }; | |
2464 PRInt32 extension_length; | 2486 PRInt32 extension_length; |
| 2487 unsigned int i; |
| 2488 PRInt32 pos=0; |
| 2489 PRUint32 policy; |
| 2490 PRUint8 buf[MAX_SIGNATURE_ALGORITHMS * 2]; |
2465 | 2491 |
2466 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) { | 2492 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) { |
2467 return 0; | 2493 return 0; |
2468 } | 2494 } |
2469 | 2495 |
| 2496 for (i=0; i < ss->ssl3.signatureAlgorithmCount; i++) { |
| 2497 SECOidTag hashOID = ssl3_TLSHashAlgorithmToOID( |
| 2498 ss->ssl3.signatureAlgorithms[i].hashAlg); |
| 2499 if ((NSS_GetAlgorithmPolicy(hashOID, & policy) != SECSuccess) || |
| 2500 (policy & NSS_USE_ALG_IN_SSL_KX)) { |
| 2501 buf[pos++] = ss->ssl3.signatureAlgorithms[i].hashAlg; |
| 2502 buf[pos++] = ss->ssl3.signatureAlgorithms[i].sigAlg; |
| 2503 } |
| 2504 } |
| 2505 |
2470 extension_length = | 2506 extension_length = |
2471 2 /* extension type */ + | 2507 2 /* extension type */ + |
2472 2 /* extension length */ + | 2508 2 /* extension length */ + |
2473 2 /* supported_signature_algorithms length */ + | 2509 2 /* supported_signature_algorithms length */ + |
2474 sizeof(signatureAlgorithms); | 2510 pos; |
2475 | 2511 |
2476 if (append && maxBytes >= extension_length) { | 2512 if (maxBytes < extension_length) { |
2477 SECStatus rv; | |
2478 rv = ssl3_AppendHandshakeNumber(ss, ssl_signature_algorithms_xtn, 2); | |
2479 if (rv != SECSuccess) | |
2480 goto loser; | |
2481 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); | |
2482 if (rv != SECSuccess) | |
2483 goto loser; | |
2484 rv = ssl3_AppendHandshakeVariable(ss, signatureAlgorithms, | |
2485 sizeof(signatureAlgorithms), 2); | |
2486 if (rv != SECSuccess) | |
2487 goto loser; | |
2488 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | |
2489 ssl_signature_algorithms_xtn; | |
2490 } else if (maxBytes < extension_length) { | |
2491 PORT_Assert(0); | 2513 PORT_Assert(0); |
2492 return 0; | 2514 return 0; |
2493 } | 2515 } |
2494 | 2516 |
| 2517 if (append) { |
| 2518 SECStatus rv; |
| 2519 rv = ssl3_AppendHandshakeNumber(ss, ssl_signature_algorithms_xtn, 2); |
| 2520 if (rv != SECSuccess) { |
| 2521 return -1; |
| 2522 } |
| 2523 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); |
| 2524 if (rv != SECSuccess) { |
| 2525 return -1; |
| 2526 } |
| 2527 |
| 2528 rv = ssl3_AppendHandshakeVariable(ss, buf, extension_length - 6, 2); |
| 2529 if (rv != SECSuccess) { |
| 2530 return -1; |
| 2531 } |
| 2532 |
| 2533 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = |
| 2534 ssl_signature_algorithms_xtn; |
| 2535 } |
| 2536 |
2495 return extension_length; | 2537 return extension_length; |
2496 | |
2497 loser: | |
2498 return -1; | |
2499 } | 2538 } |
2500 | 2539 |
2501 unsigned int | 2540 unsigned int |
2502 ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength) | 2541 ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength) |
2503 { | 2542 { |
2504 unsigned int recordLength = 1 /* handshake message type */ + | 2543 unsigned int recordLength = 1 /* handshake message type */ + |
2505 3 /* handshake message length */ + | 2544 3 /* handshake message length */ + |
2506 clientHelloLength; | 2545 clientHelloLength; |
2507 unsigned int extensionLength; | 2546 unsigned int extensionLength; |
2508 | 2547 |
(...skipping 49 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2558 static PRInt32 | 2597 static PRInt32 |
2559 ssl3_ClientSendDraftVersionXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes) | 2598 ssl3_ClientSendDraftVersionXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes) |
2560 { | 2599 { |
2561 PRInt32 extension_length; | 2600 PRInt32 extension_length; |
2562 | 2601 |
2563 if (ss->version != SSL_LIBRARY_VERSION_TLS_1_3) { | 2602 if (ss->version != SSL_LIBRARY_VERSION_TLS_1_3) { |
2564 return 0; | 2603 return 0; |
2565 } | 2604 } |
2566 | 2605 |
2567 extension_length = 6; /* Type + length + number */ | 2606 extension_length = 6; /* Type + length + number */ |
2568 if (append && maxBytes >= extension_length) { | 2607 if (maxBytes < (PRUint32)extension_length) { |
| 2608 PORT_Assert(0); |
| 2609 return 0; |
| 2610 } |
| 2611 if (append) { |
2569 SECStatus rv; | 2612 SECStatus rv; |
2570 rv = ssl3_AppendHandshakeNumber(ss, ssl_tls13_draft_version_xtn, 2); | 2613 rv = ssl3_AppendHandshakeNumber(ss, ssl_tls13_draft_version_xtn, 2); |
2571 if (rv != SECSuccess) | 2614 if (rv != SECSuccess) |
2572 goto loser; | 2615 goto loser; |
2573 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); | 2616 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); |
2574 if (rv != SECSuccess) | 2617 if (rv != SECSuccess) |
2575 goto loser; | 2618 goto loser; |
2576 rv = ssl3_AppendHandshakeNumber(ss, TLS_1_3_DRAFT_VERSION, 2); | 2619 rv = ssl3_AppendHandshakeNumber(ss, TLS_1_3_DRAFT_VERSION, 2); |
2577 if (rv != SECSuccess) | 2620 if (rv != SECSuccess) |
2578 goto loser; | 2621 goto loser; |
2579 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | 2622 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = |
2580 ssl_tls13_draft_version_xtn; | 2623 ssl_tls13_draft_version_xtn; |
2581 } else if (maxBytes < extension_length) { | |
2582 PORT_Assert(0); | |
2583 return 0; | |
2584 } | 2624 } |
2585 | 2625 |
2586 return extension_length; | 2626 return extension_length; |
2587 | 2627 |
2588 loser: | 2628 loser: |
2589 return -1; | 2629 return -1; |
2590 } | 2630 } |
2591 | 2631 |
2592 /* ssl3_ServerHandleDraftVersionXtn handles the TLS 1.3 temporary draft | 2632 /* ssl3_ServerHandleDraftVersionXtn handles the TLS 1.3 temporary draft |
2593 * version extension. | 2633 * version extension. |
(...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2626 */ | 2666 */ |
2627 SSL_TRC(30, ("%d: SSL3[%d]: Incompatible version of TLS 1.3 (%d), " | 2667 SSL_TRC(30, ("%d: SSL3[%d]: Incompatible version of TLS 1.3 (%d), " |
2628 "expected %d", | 2668 "expected %d", |
2629 SSL_GETPID(), ss->fd, draft_version, TLS_1_3_DRAFT_VERSION)
); | 2669 SSL_GETPID(), ss->fd, draft_version, TLS_1_3_DRAFT_VERSION)
); |
2630 ss->version = SSL_LIBRARY_VERSION_TLS_1_2; | 2670 ss->version = SSL_LIBRARY_VERSION_TLS_1_2; |
2631 } | 2671 } |
2632 | 2672 |
2633 return SECSuccess; | 2673 return SECSuccess; |
2634 } | 2674 } |
2635 | 2675 |
| 2676 static PRInt32 |
| 2677 ssl3_SendExtendedMasterSecretXtn(sslSocket * ss, PRBool append, |
| 2678 PRUint32 maxBytes) |
| 2679 { |
| 2680 PRInt32 extension_length; |
| 2681 |
| 2682 if (!ss->opt.enableExtendedMS) { |
| 2683 return 0; |
| 2684 } |
| 2685 |
| 2686 #ifndef NO_PKCS11_BYPASS |
| 2687 /* Extended MS can only be used w/o bypass mode */ |
| 2688 if (ss->opt.bypassPKCS11) { |
| 2689 PORT_Assert(0); |
| 2690 PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); |
| 2691 return -1; |
| 2692 } |
| 2693 #endif |
| 2694 |
| 2695 /* Always send the extension in this function, since the |
| 2696 * client always sends it and this function is only called on |
| 2697 * the server if we negotiated the extension. */ |
| 2698 extension_length = 4; /* Type + length (0) */ |
| 2699 if (maxBytes < extension_length) { |
| 2700 PORT_Assert(0); |
| 2701 return 0; |
| 2702 } |
| 2703 |
| 2704 if (append) { |
| 2705 SECStatus rv; |
| 2706 rv = ssl3_AppendHandshakeNumber(ss, ssl_extended_master_secret_xtn, 2); |
| 2707 if (rv != SECSuccess) |
| 2708 goto loser; |
| 2709 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); |
| 2710 if (rv != SECSuccess) |
| 2711 goto loser; |
| 2712 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = |
| 2713 ssl_extended_master_secret_xtn; |
| 2714 } |
| 2715 |
| 2716 return extension_length; |
| 2717 loser: |
| 2718 return -1; |
| 2719 } |
| 2720 |
2636 /* ssl3_ClientSendSignedCertTimestampXtn sends the signed_certificate_timestamp | 2721 /* ssl3_ClientSendSignedCertTimestampXtn sends the signed_certificate_timestamp |
2637 * extension for TLS ClientHellos. */ | 2722 * extension for TLS ClientHellos. */ |
2638 static PRInt32 | 2723 static PRInt32 |
2639 ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, PRBool append, | 2724 ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, PRBool append, |
2640 PRUint32 maxBytes) | 2725 PRUint32 maxBytes) |
2641 { | 2726 { |
2642 PRInt32 extension_length = 2 /* extension_type */ + | 2727 PRInt32 extension_length = 2 /* extension_type */ + |
2643 2 /* length(extension_data) */; | 2728 2 /* length(extension_data) */; |
2644 | 2729 |
2645 /* Only send the extension if processing is enabled. */ | 2730 /* Only send the extension if processing is enabled. */ |
2646 if (!ss->opt.enableSignedCertTimestamps) | 2731 if (!ss->opt.enableSignedCertTimestamps) |
2647 return 0; | 2732 return 0; |
2648 | 2733 |
2649 if (append && maxBytes >= extension_length) { | 2734 if (maxBytes < extension_length) { |
| 2735 PORT_Assert(0); |
| 2736 return 0; |
| 2737 } |
| 2738 |
| 2739 if (append) { |
2650 SECStatus rv; | 2740 SECStatus rv; |
2651 /* extension_type */ | 2741 /* extension_type */ |
2652 rv = ssl3_AppendHandshakeNumber(ss, | 2742 rv = ssl3_AppendHandshakeNumber(ss, |
2653 ssl_signed_certificate_timestamp_xtn, | 2743 ssl_signed_certificate_timestamp_xtn, |
2654 2); | 2744 2); |
2655 if (rv != SECSuccess) | 2745 if (rv != SECSuccess) |
2656 goto loser; | 2746 goto loser; |
2657 /* zero length */ | 2747 /* zero length */ |
2658 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); | 2748 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); |
2659 if (rv != SECSuccess) | 2749 if (rv != SECSuccess) |
2660 goto loser; | 2750 goto loser; |
2661 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | 2751 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = |
2662 ssl_signed_certificate_timestamp_xtn; | 2752 ssl_signed_certificate_timestamp_xtn; |
2663 } else if (maxBytes < extension_length) { | |
2664 PORT_Assert(0); | |
2665 return 0; | |
2666 } | 2753 } |
2667 | 2754 |
2668 return extension_length; | 2755 return extension_length; |
2669 loser: | 2756 loser: |
2670 return -1; | 2757 return -1; |
2671 } | 2758 } |
2672 | 2759 |
2673 static SECStatus | 2760 static SECStatus |
| 2761 ssl3_HandleExtendedMasterSecretXtn(sslSocket * ss, PRUint16 ex_type, |
| 2762 SECItem *data) |
| 2763 { |
| 2764 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_0) { |
| 2765 return SECSuccess; |
| 2766 } |
| 2767 |
| 2768 if (!ss->opt.enableExtendedMS) { |
| 2769 return SECSuccess; |
| 2770 } |
| 2771 |
| 2772 #ifndef NO_PKCS11_BYPASS |
| 2773 /* Extended MS can only be used w/o bypass mode */ |
| 2774 if (ss->opt.bypassPKCS11) { |
| 2775 PORT_Assert(0); |
| 2776 PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); |
| 2777 return SECFailure; |
| 2778 } |
| 2779 #endif |
| 2780 |
| 2781 if (data->len != 0) { |
| 2782 SSL_TRC(30, ("%d: SSL3[%d]: Bogus extended master secret extension", |
| 2783 SSL_GETPID(), ss->fd)); |
| 2784 return SECFailure; |
| 2785 } |
| 2786 |
| 2787 SSL_DBG(("%d: SSL[%d]: Negotiated extended master secret extension.", |
| 2788 SSL_GETPID(), ss->fd)); |
| 2789 |
| 2790 /* Keep track of negotiated extensions. */ |
| 2791 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
| 2792 |
| 2793 if (ss->sec.isServer) { |
| 2794 return ssl3_RegisterServerHelloExtensionSender( |
| 2795 ss, ex_type, ssl3_SendExtendedMasterSecretXtn); |
| 2796 } |
| 2797 return SECSuccess; |
| 2798 } |
| 2799 |
| 2800 static SECStatus |
2674 ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, PRUint16 ex_type, | 2801 ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, PRUint16 ex_type, |
2675 SECItem *data) | 2802 SECItem *data) |
2676 { | 2803 { |
2677 /* We do not yet know whether we'll be resuming a session or creating | 2804 /* We do not yet know whether we'll be resuming a session or creating |
2678 * a new one, so we keep a pointer to the data in the TLSExtensionData | 2805 * a new one, so we keep a pointer to the data in the TLSExtensionData |
2679 * structure. This pointer is only valid in the scope of | 2806 * structure. This pointer is only valid in the scope of |
2680 * ssl3_HandleServerHello, and, if not resuming a session, the data is | 2807 * ssl3_HandleServerHello, and, if not resuming a session, the data is |
2681 * copied once a new session structure has been set up. | 2808 * copied once a new session structure has been set up. |
2682 * All parsing is currently left to the application and we accept | 2809 * All parsing is currently left to the application and we accept |
2683 * everything, including empty data. | 2810 * everything, including empty data. |
2684 */ | 2811 */ |
2685 SECItem *scts = &ss->xtnData.signedCertTimestamps; | 2812 SECItem *scts = &ss->xtnData.signedCertTimestamps; |
2686 PORT_Assert(!scts->data && !scts->len); | 2813 PORT_Assert(!scts->data && !scts->len); |
2687 | 2814 |
2688 if (!data->len) { | 2815 if (!data->len) { |
2689 /* Empty extension data: RFC 6962 mandates non-empty contents. */ | 2816 /* Empty extension data: RFC 6962 mandates non-empty contents. */ |
2690 return SECFailure; | 2817 return SECFailure; |
2691 } | 2818 } |
2692 *scts = *data; | 2819 *scts = *data; |
2693 /* Keep track of negotiated extensions. */ | 2820 /* Keep track of negotiated extensions. */ |
2694 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | 2821 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
2695 return SECSuccess; | 2822 return SECSuccess; |
2696 } | 2823 } |
OLD | NEW |