OLD | NEW |
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ | 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ |
2 /* | 2 /* |
3 * SSL3 Protocol | 3 * SSL3 Protocol |
4 * | 4 * |
5 * This Source Code Form is subject to the terms of the Mozilla Public | 5 * This Source Code Form is subject to the terms of the Mozilla Public |
6 * License, v. 2.0. If a copy of the MPL was not distributed with this | 6 * License, v. 2.0. If a copy of the MPL was not distributed with this |
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
8 | 8 |
9 /* TLS extension code moved here from ssl3ecc.c */ | 9 /* TLS extension code moved here from ssl3ecc.c */ |
10 | 10 |
11 #include "nssrenam.h" | 11 #include "nssrenam.h" |
12 #include "nss.h" | 12 #include "nss.h" |
13 #include "ssl.h" | 13 #include "ssl.h" |
| 14 #include "sslproto.h" |
14 #include "sslimpl.h" | 15 #include "sslimpl.h" |
15 #include "sslproto.h" | |
16 #include "pk11pub.h" | 16 #include "pk11pub.h" |
17 #ifdef NO_PKCS11_BYPASS | 17 #ifdef NO_PKCS11_BYPASS |
18 #include "blapit.h" | 18 #include "blapit.h" |
19 #else | 19 #else |
20 #include "blapi.h" | 20 #include "blapi.h" |
21 #endif | 21 #endif |
22 #include "prinit.h" | 22 #include "prinit.h" |
23 | 23 |
24 static unsigned char key_name[SESS_TICKET_KEY_NAME_LEN]; | 24 static unsigned char key_name[SESS_TICKET_KEY_NAME_LEN]; |
25 static PK11SymKey *session_ticket_enc_key_pkcs11 = NULL; | 25 static PK11SymKey *session_ticket_enc_key_pkcs11 = NULL; |
26 static PK11SymKey *session_ticket_mac_key_pkcs11 = NULL; | 26 static PK11SymKey *session_ticket_mac_key_pkcs11 = NULL; |
27 | 27 |
28 #ifndef NO_PKCS11_BYPASS | 28 #ifndef NO_PKCS11_BYPASS |
29 static unsigned char session_ticket_enc_key[AES_256_KEY_LENGTH]; | 29 static unsigned char session_ticket_enc_key[AES_256_KEY_LENGTH]; |
30 static unsigned char session_ticket_mac_key[SHA256_LENGTH]; | 30 static unsigned char session_ticket_mac_key[SHA256_LENGTH]; |
31 | 31 |
32 static PRBool session_ticket_keys_initialized = PR_FALSE; | 32 static PRBool session_ticket_keys_initialized = PR_FALSE; |
33 #endif | 33 #endif |
34 static PRCallOnceType generate_session_keys_once; | 34 static PRCallOnceType generate_session_keys_once; |
35 | 35 |
36 /* forward static function declarations */ | 36 /* forward static function declarations */ |
37 static SECStatus ssl3_ParseEncryptedSessionTicket(sslSocket *ss, | 37 static SECStatus ssl3_ParseEncryptedSessionTicket(sslSocket *ss, |
38 SECItem *data, EncryptedSessionTicket *enc_session_ticket); | 38 SECItem *data, EncryptedSessio
nTicket *enc_session_ticket); |
39 static SECStatus ssl3_AppendToItem(SECItem *item, const unsigned char *buf, | 39 static SECStatus ssl3_AppendToItem(SECItem *item, const unsigned char *buf, |
40 PRUint32 bytes); | 40 PRUint32 bytes); |
41 static SECStatus ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, | 41 static SECStatus ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, |
42 PRInt32 lenSize); | 42 PRInt32 lenSize); |
43 static SECStatus ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss, | 43 static SECStatus ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss, |
44 PK11SymKey **aes_key, PK11SymKey **mac_key); | 44 PK11SymKey **aes_key, PK11SymKe
y **mac_key); |
45 #ifndef NO_PKCS11_BYPASS | 45 #ifndef NO_PKCS11_BYPASS |
46 static SECStatus ssl3_GetSessionTicketKeys(const unsigned char **aes_key, | 46 static SECStatus ssl3_GetSessionTicketKeys(const unsigned char **aes_key, |
47 PRUint32 *aes_key_length, const unsigned char **mac_key, | 47 PRUint32 *aes_key_length, const unsig
ned char **mac_key, |
48 PRUint32 *mac_key_length); | 48 PRUint32 *mac_key_length); |
49 #endif | 49 #endif |
50 static PRInt32 ssl3_SendRenegotiationInfoXtn(sslSocket * ss, | 50 static PRInt32 ssl3_SendRenegotiationInfoXtn(sslSocket *ss, |
51 PRBool append, PRUint32 maxBytes); | 51 PRBool append, PRUint32 maxBytes); |
52 static SECStatus ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, | 52 static SECStatus ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, |
53 PRUint16 ex_type, SECItem *data); | 53 PRUint16 ex_type, SECItem *data
); |
54 static SECStatus ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, | 54 static SECStatus ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, |
55 PRUint16 ex_type, SECItem *data); | 55 PRUint16 ex_type, SECItem *da
ta); |
56 static SECStatus ssl3_ClientHandleAppProtoXtn(sslSocket *ss, | 56 static SECStatus ssl3_ClientHandleAppProtoXtn(sslSocket *ss, |
57 PRUint16 ex_type, SECItem *data); | 57 PRUint16 ex_type, SECItem *data); |
58 static SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss, | 58 static SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss, |
59 PRUint16 ex_type, SECItem *data); | 59 PRUint16 ex_type, SECItem *da
ta); |
60 static SECStatus ssl3_ServerHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type, | 60 static SECStatus ssl3_ServerHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type, |
61 SECItem *data); | 61 SECItem *data); |
62 static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append, | 62 static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append, |
63 PRUint32 maxBytes); | 63 PRUint32 maxBytes); |
64 static PRInt32 ssl3_ClientSendAppProtoXtn(sslSocket *ss, PRBool append, | 64 static PRInt32 ssl3_ClientSendAppProtoXtn(sslSocket *ss, PRBool append, |
65 PRUint32 maxBytes); | 65 PRUint32 maxBytes); |
66 static PRInt32 ssl3_ServerSendAppProtoXtn(sslSocket *ss, PRBool append, | 66 static PRInt32 ssl3_ServerSendAppProtoXtn(sslSocket *ss, PRBool append, |
67 PRUint32 maxBytes); | 67 PRUint32 maxBytes); |
68 static PRInt32 ssl3_ClientSendUseSRTPXtn(sslSocket *ss, PRBool append, | 68 static PRInt32 ssl3_ClientSendUseSRTPXtn(sslSocket *ss, PRBool append, |
69 PRUint32 maxBytes); | 69 PRUint32 maxBytes); |
70 static PRInt32 ssl3_ServerSendUseSRTPXtn(sslSocket *ss, PRBool append, | 70 static PRInt32 ssl3_ServerSendUseSRTPXtn(sslSocket *ss, PRBool append, |
71 PRUint32 maxBytes); | 71 PRUint32 maxBytes); |
72 static SECStatus ssl3_ClientHandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, | 72 static SECStatus ssl3_ClientHandleUseSRTPXtn(sslSocket *ss, PRUint16 ex_type, |
73 SECItem *data); | 73 SECItem *data); |
74 static SECStatus ssl3_ServerHandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, | 74 static SECStatus ssl3_ServerHandleUseSRTPXtn(sslSocket *ss, PRUint16 ex_type, |
75 SECItem *data); | 75 SECItem *data); |
76 static SECStatus ssl3_ClientHandleChannelIDXtn(sslSocket *ss, | 76 static SECStatus ssl3_ClientHandleChannelIDXtn(sslSocket *ss, |
77 PRUint16 ex_type, SECItem *data); | 77 PRUint16 ex_type, SECItem *data); |
78 static PRInt32 ssl3_ClientSendChannelIDXtn(sslSocket *ss, PRBool append, | 78 static PRInt32 ssl3_ClientSendChannelIDXtn(sslSocket *ss, PRBool append, |
79 PRUint32 maxBytes); | 79 PRUint32 maxBytes); |
80 static PRInt32 ssl3_ServerSendStatusRequestXtn(sslSocket * ss, | 80 static PRInt32 ssl3_ServerSendStatusRequestXtn(sslSocket *ss, |
81 PRBool append, PRUint32 maxBytes); | 81 PRBool append, PRUint32 maxBytes)
; |
82 static SECStatus ssl3_ServerHandleStatusRequestXtn(sslSocket *ss, | 82 static SECStatus ssl3_ServerHandleStatusRequestXtn(sslSocket *ss, |
83 PRUint16 ex_type, SECItem *data); | 83 PRUint16 ex_type, SECItem *da
ta); |
84 static SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, | 84 static SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, |
85 PRUint16 ex_type, | 85 PRUint16 ex_type, |
86 SECItem *data); | 86 SECItem *data); |
87 static PRInt32 ssl3_ClientSendStatusRequestXtn(sslSocket * ss, PRBool append, | 87 static PRInt32 ssl3_ClientSendStatusRequestXtn(sslSocket *ss, PRBool append, |
88 PRUint32 maxBytes); | 88 PRUint32 maxBytes); |
89 static PRInt32 ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append, | 89 static PRInt32 ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append, |
90 PRUint32 maxBytes); | 90 PRUint32 maxBytes); |
91 static SECStatus ssl3_ServerHandleSigAlgsXtn(sslSocket *ss, PRUint16 ex_type, | 91 static SECStatus ssl3_ServerHandleSigAlgsXtn(sslSocket *ss, PRUint16 ex_type, |
92 SECItem *data); | 92 SECItem *data); |
| 93 |
93 static PRInt32 ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, | 94 static PRInt32 ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, |
94 PRBool append, | 95 PRBool append, |
95 PRUint32 maxBytes); | 96 PRUint32 maxBytes); |
96 static SECStatus ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, | 97 static SECStatus ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, |
97 PRUint16 ex_type, | 98 PRUint16 ex_type, |
98 SECItem *data); | 99 SECItem *data); |
99 | 100 static PRInt32 ssl3_ServerSendSignedCertTimestampXtn(sslSocket *ss, |
| 101 PRBool append, |
| 102 PRUint32 maxBytes); |
| 103 static SECStatus ssl3_ServerHandleSignedCertTimestampXtn(sslSocket *ss, |
| 104 PRUint16 ex_type, |
| 105 SECItem *data); |
100 static PRInt32 ssl3_ClientSendDraftVersionXtn(sslSocket *ss, PRBool append, | 106 static PRInt32 ssl3_ClientSendDraftVersionXtn(sslSocket *ss, PRBool append, |
101 PRUint32 maxBytes); | 107 PRUint32 maxBytes); |
102 static SECStatus ssl3_ServerHandleDraftVersionXtn(sslSocket *ss, PRUint16 ex_typ
e, | 108 static SECStatus ssl3_ServerHandleDraftVersionXtn(sslSocket *ss, PRUint16 ex_typ
e, |
103 SECItem *data); | 109 SECItem *data); |
104 static PRInt32 ssl3_SendExtendedMasterSecretXtn(sslSocket *ss, PRBool append, | 110 static PRInt32 ssl3_SendExtendedMasterSecretXtn(sslSocket *ss, PRBool append, |
105 PRUint32 maxBytes); | 111 PRUint32 maxBytes); |
106 static SECStatus ssl3_HandleExtendedMasterSecretXtn(sslSocket *ss, | 112 static SECStatus ssl3_HandleExtendedMasterSecretXtn(sslSocket *ss, |
107 PRUint16 ex_type, | 113 PRUint16 ex_type, |
108 SECItem *data); | 114 SECItem *data); |
109 | 115 static PRInt32 tls13_ClientSendKeyShareXtn(sslSocket *ss, PRBool append, |
| 116 PRUint32 maxBytes); |
| 117 static SECStatus tls13_ClientHandleKeyShareXtn(sslSocket *ss, |
| 118 PRUint16 ex_type, |
| 119 SECItem *data); |
| 120 static SECStatus tls13_ServerHandleKeyShareXtn(sslSocket *ss, |
| 121 PRUint16 ex_type, |
| 122 SECItem *data); |
110 | 123 |
111 /* | 124 /* |
112 * Write bytes. Using this function means the SECItem structure | 125 * Write bytes. Using this function means the SECItem structure |
113 * cannot be freed. The caller is expected to call this function | 126 * cannot be freed. The caller is expected to call this function |
114 * on a shallow copy of the structure. | 127 * on a shallow copy of the structure. |
115 */ | 128 */ |
116 static SECStatus | 129 static SECStatus |
117 ssl3_AppendToItem(SECItem *item, const unsigned char *buf, PRUint32 bytes) | 130 ssl3_AppendToItem(SECItem *item, const unsigned char *buf, PRUint32 bytes) |
118 { | 131 { |
119 if (bytes > item->len) | 132 if (bytes > item->len) |
120 return SECFailure; | 133 return SECFailure; |
121 | 134 |
122 PORT_Memcpy(item->data, buf, bytes); | 135 PORT_Memcpy(item->data, buf, bytes); |
123 item->data += bytes; | 136 item->data += bytes; |
124 item->len -= bytes; | 137 item->len -= bytes; |
125 return SECSuccess; | 138 return SECSuccess; |
126 } | 139 } |
127 | 140 |
128 /* | 141 /* |
129 * Write a number in network byte order. Using this function means the | 142 * Write a number in network byte order. Using this function means the |
130 * SECItem structure cannot be freed. The caller is expected to call | 143 * SECItem structure cannot be freed. The caller is expected to call |
131 * this function on a shallow copy of the structure. | 144 * this function on a shallow copy of the structure. |
132 */ | 145 */ |
133 static SECStatus | 146 static SECStatus |
134 ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, PRInt32 lenSize) | 147 ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, PRInt32 lenSize) |
135 { | 148 { |
136 SECStatus rv; | 149 SECStatus rv; |
137 PRUint8 b[4]; | 150 PRUint8 b[4]; |
138 PRUint8 * p = b; | 151 PRUint8 *p = b; |
139 | 152 |
140 switch (lenSize) { | 153 switch (lenSize) { |
141 case 4: | 154 case 4: |
142 *p++ = (PRUint8) (num >> 24); | 155 *p++ = (PRUint8)(num >> 24); |
143 case 3: | 156 case 3: |
144 *p++ = (PRUint8) (num >> 16); | 157 *p++ = (PRUint8)(num >> 16); |
145 case 2: | 158 case 2: |
146 *p++ = (PRUint8) (num >> 8); | 159 *p++ = (PRUint8)(num >> 8); |
147 case 1: | 160 case 1: |
148 *p = (PRUint8) num; | 161 *p = (PRUint8)num; |
149 } | 162 } |
150 rv = ssl3_AppendToItem(item, &b[0], lenSize); | 163 rv = ssl3_AppendToItem(item, &b[0], lenSize); |
151 return rv; | 164 return rv; |
152 } | 165 } |
153 | 166 |
154 static SECStatus ssl3_SessionTicketShutdown(void* appData, void* nssData) | 167 static SECStatus |
| 168 ssl3_SessionTicketShutdown(void *appData, void *nssData) |
155 { | 169 { |
156 if (session_ticket_enc_key_pkcs11) { | 170 if (session_ticket_enc_key_pkcs11) { |
157 PK11_FreeSymKey(session_ticket_enc_key_pkcs11); | 171 PK11_FreeSymKey(session_ticket_enc_key_pkcs11); |
158 session_ticket_enc_key_pkcs11 = NULL; | 172 session_ticket_enc_key_pkcs11 = NULL; |
159 } | 173 } |
160 if (session_ticket_mac_key_pkcs11) { | 174 if (session_ticket_mac_key_pkcs11) { |
161 PK11_FreeSymKey(session_ticket_mac_key_pkcs11); | 175 PK11_FreeSymKey(session_ticket_mac_key_pkcs11); |
162 session_ticket_mac_key_pkcs11 = NULL; | 176 session_ticket_mac_key_pkcs11 = NULL; |
163 } | 177 } |
164 PORT_Memset(&generate_session_keys_once, 0, | 178 PORT_Memset(&generate_session_keys_once, 0, |
165 sizeof(generate_session_keys_once)); | 179 sizeof(generate_session_keys_once)); |
166 return SECSuccess; | 180 return SECSuccess; |
167 } | 181 } |
168 | 182 |
169 | |
170 static PRStatus | 183 static PRStatus |
171 ssl3_GenerateSessionTicketKeysPKCS11(void *data) | 184 ssl3_GenerateSessionTicketKeysPKCS11(void *data) |
172 { | 185 { |
173 SECStatus rv; | 186 SECStatus rv; |
174 sslSocket *ss = (sslSocket *)data; | 187 sslSocket *ss = (sslSocket *)data; |
175 SECKEYPrivateKey *svrPrivKey = ss->serverCerts[kt_rsa].SERVERKEY; | 188 SECKEYPrivateKey *svrPrivKey = ss->serverCerts[kt_rsa].SERVERKEY; |
176 SECKEYPublicKey *svrPubKey = ss->serverCerts[kt_rsa].serverKeyPair->pubKey; | 189 SECKEYPublicKey *svrPubKey = ss->serverCerts[kt_rsa].serverKeyPair->pubKey; |
177 | 190 |
178 if (svrPrivKey == NULL || svrPubKey == NULL) { | 191 if (svrPrivKey == NULL || svrPubKey == NULL) { |
179 SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.", | 192 SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.", |
180 SSL_GETPID(), ss->fd)); | 193 SSL_GETPID(), ss->fd)); |
181 goto loser; | 194 goto loser; |
182 } | 195 } |
183 | 196 |
184 /* Get a copy of the session keys from shared memory. */ | 197 /* Get a copy of the session keys from shared memory. */ |
185 PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX, | 198 PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX, |
186 sizeof(SESS_TICKET_KEY_NAME_PREFIX)); | 199 sizeof(SESS_TICKET_KEY_NAME_PREFIX)); |
187 if (!ssl_GetSessionTicketKeysPKCS11(svrPrivKey, svrPubKey, | 200 if (!ssl_GetSessionTicketKeysPKCS11(svrPrivKey, svrPubKey, |
188 ss->pkcs11PinArg, &key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN], | 201 ss->pkcs11PinArg, &key_name[SESS_TICKET_
KEY_NAME_PREFIX_LEN], |
189 &session_ticket_enc_key_pkcs11, &session_ticket_mac_key_pkcs11)) | 202 &session_ticket_enc_key_pkcs11, &session
_ticket_mac_key_pkcs11)) |
190 return PR_FAILURE; | 203 return PR_FAILURE; |
191 | 204 |
192 rv = NSS_RegisterShutdown(ssl3_SessionTicketShutdown, NULL); | 205 rv = NSS_RegisterShutdown(ssl3_SessionTicketShutdown, NULL); |
193 if (rv != SECSuccess) | 206 if (rv != SECSuccess) |
194 goto loser; | 207 goto loser; |
195 | 208 |
196 return PR_SUCCESS; | 209 return PR_SUCCESS; |
197 | 210 |
198 loser: | 211 loser: |
199 ssl3_SessionTicketShutdown(NULL, NULL); | 212 ssl3_SessionTicketShutdown(NULL, NULL); |
200 return PR_FAILURE; | 213 return PR_FAILURE; |
201 } | 214 } |
202 | 215 |
203 static SECStatus | 216 static SECStatus |
204 ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss, PK11SymKey **aes_key, | 217 ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss, PK11SymKey **aes_key, |
205 PK11SymKey **mac_key) | 218 PK11SymKey **mac_key) |
206 { | 219 { |
207 if (PR_CallOnceWithArg(&generate_session_keys_once, | 220 if (PR_CallOnceWithArg(&generate_session_keys_once, |
208 ssl3_GenerateSessionTicketKeysPKCS11, ss) != PR_SUCCESS) | 221 ssl3_GenerateSessionTicketKeysPKCS11, ss) != |
| 222 PR_SUCCESS) |
209 return SECFailure; | 223 return SECFailure; |
210 | 224 |
211 if (session_ticket_enc_key_pkcs11 == NULL || | 225 if (session_ticket_enc_key_pkcs11 == NULL || |
212 session_ticket_mac_key_pkcs11 == NULL) | 226 session_ticket_mac_key_pkcs11 == NULL) |
213 return SECFailure; | 227 return SECFailure; |
214 | 228 |
215 *aes_key = session_ticket_enc_key_pkcs11; | 229 *aes_key = session_ticket_enc_key_pkcs11; |
216 *mac_key = session_ticket_mac_key_pkcs11; | 230 *mac_key = session_ticket_mac_key_pkcs11; |
217 return SECSuccess; | 231 return SECSuccess; |
218 } | 232 } |
219 | 233 |
220 #ifndef NO_PKCS11_BYPASS | 234 #ifndef NO_PKCS11_BYPASS |
221 static PRStatus | 235 static PRStatus |
222 ssl3_GenerateSessionTicketKeys(void) | 236 ssl3_GenerateSessionTicketKeys(void) |
223 { | 237 { |
224 PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX, | 238 PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX, |
225 sizeof(SESS_TICKET_KEY_NAME_PREFIX)); | 239 sizeof(SESS_TICKET_KEY_NAME_PREFIX)); |
226 | 240 |
227 if (!ssl_GetSessionTicketKeys(&key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN], | 241 if (!ssl_GetSessionTicketKeys(&key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN], |
228 session_ticket_enc_key, session_ticket_mac_key)) | 242 session_ticket_enc_key, session_ticket_mac_key
)) |
229 return PR_FAILURE; | 243 return PR_FAILURE; |
230 | 244 |
231 session_ticket_keys_initialized = PR_TRUE; | 245 session_ticket_keys_initialized = PR_TRUE; |
232 return PR_SUCCESS; | 246 return PR_SUCCESS; |
233 } | 247 } |
234 | 248 |
235 static SECStatus | 249 static SECStatus |
236 ssl3_GetSessionTicketKeys(const unsigned char **aes_key, | 250 ssl3_GetSessionTicketKeys(const unsigned char **aes_key, |
237 PRUint32 *aes_key_length, const unsigned char **mac_key, | 251 PRUint32 *aes_key_length, const unsigned char **mac_ke
y, |
238 PRUint32 *mac_key_length) | 252 PRUint32 *mac_key_length) |
239 { | 253 { |
240 if (PR_CallOnce(&generate_session_keys_once, | 254 if (PR_CallOnce(&generate_session_keys_once, |
241 ssl3_GenerateSessionTicketKeys) != PR_SUCCESS) | 255 ssl3_GenerateSessionTicketKeys) != PR_SUCCESS) |
242 return SECFailure; | 256 return SECFailure; |
243 | 257 |
244 if (!session_ticket_keys_initialized) | 258 if (!session_ticket_keys_initialized) |
245 return SECFailure; | 259 return SECFailure; |
246 | 260 |
247 *aes_key = session_ticket_enc_key; | 261 *aes_key = session_ticket_enc_key; |
248 *aes_key_length = sizeof(session_ticket_enc_key); | 262 *aes_key_length = sizeof(session_ticket_enc_key); |
249 *mac_key = session_ticket_mac_key; | 263 *mac_key = session_ticket_mac_key; |
250 *mac_key_length = sizeof(session_ticket_mac_key); | 264 *mac_key_length = sizeof(session_ticket_mac_key); |
251 | 265 |
252 return SECSuccess; | 266 return SECSuccess; |
253 } | 267 } |
254 #endif | 268 #endif |
255 | 269 |
256 /* Table of handlers for received TLS hello extensions, one per extension. | 270 /* Table of handlers for received TLS hello extensions, one per extension. |
257 * In the second generation, this table will be dynamic, and functions | 271 * In the second generation, this table will be dynamic, and functions |
258 * will be registered here. | 272 * will be registered here. |
259 */ | 273 */ |
260 /* This table is used by the server, to handle client hello extensions. */ | 274 /* This table is used by the server, to handle client hello extensions. */ |
261 static const ssl3HelloExtensionHandler clientHelloHandlers[] = { | 275 static const ssl3HelloExtensionHandler clientHelloHandlers[] = { |
262 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, | 276 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, |
263 #ifndef NSS_DISABLE_ECC | 277 #ifndef NSS_DISABLE_ECC |
264 { ssl_elliptic_curves_xtn, &ssl3_HandleSupportedCurvesXtn }, | 278 { ssl_elliptic_curves_xtn, &ssl3_HandleSupportedCurvesXtn }, |
265 { ssl_ec_point_formats_xtn, &ssl3_HandleSupportedPointFormatsXtn }, | 279 { ssl_ec_point_formats_xtn, &ssl3_HandleSupportedPointFormatsXtn }, |
266 #endif | 280 #endif |
267 { ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn }, | 281 { ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn }, |
268 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, | 282 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, |
269 { ssl_next_proto_nego_xtn, &ssl3_ServerHandleNextProtoNegoXtn }, | 283 { ssl_next_proto_nego_xtn, &ssl3_ServerHandleNextProtoNegoXtn }, |
270 { ssl_app_layer_protocol_xtn, &ssl3_ServerHandleAppProtoXtn }, | 284 { ssl_app_layer_protocol_xtn, &ssl3_ServerHandleAppProtoXtn }, |
271 { ssl_use_srtp_xtn, &ssl3_ServerHandleUseSRTPXtn }, | 285 { ssl_use_srtp_xtn, &ssl3_ServerHandleUseSRTPXtn }, |
272 { ssl_cert_status_xtn, &ssl3_ServerHandleStatusRequestXtn }, | 286 { ssl_cert_status_xtn, &ssl3_ServerHandleStatusRequestXtn }, |
273 { ssl_signature_algorithms_xtn, &ssl3_ServerHandleSigAlgsXtn }, | 287 { ssl_signature_algorithms_xtn, &ssl3_ServerHandleSigAlgsXtn }, |
274 { ssl_tls13_draft_version_xtn, &ssl3_ServerHandleDraftVersionXtn }, | 288 { ssl_tls13_draft_version_xtn, &ssl3_ServerHandleDraftVersionXtn }, |
275 { ssl_extended_master_secret_xtn, &ssl3_HandleExtendedMasterSecretXtn }, | 289 { ssl_extended_master_secret_xtn, &ssl3_HandleExtendedMasterSecretXtn }, |
| 290 { ssl_signed_cert_timestamp_xtn, &ssl3_ServerHandleSignedCertTimestampXtn }, |
| 291 { ssl_tls13_key_share_xtn, &tls13_ServerHandleKeyShareXtn }, |
276 { -1, NULL } | 292 { -1, NULL } |
277 }; | 293 }; |
278 | 294 |
279 /* These two tables are used by the client, to handle server hello | 295 /* These two tables are used by the client, to handle server hello |
280 * extensions. */ | 296 * extensions. */ |
281 static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = { | 297 static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = { |
282 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, | 298 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, |
283 /* TODO: add a handler for ssl_ec_point_formats_xtn */ | 299 /* TODO: add a handler for ssl_ec_point_formats_xtn */ |
284 { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn }, | 300 { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn }, |
285 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, | 301 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, |
286 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, | 302 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, |
287 { ssl_app_layer_protocol_xtn, &ssl3_ClientHandleAppProtoXtn }, | 303 { ssl_app_layer_protocol_xtn, &ssl3_ClientHandleAppProtoXtn }, |
288 { ssl_use_srtp_xtn, &ssl3_ClientHandleUseSRTPXtn }, | 304 { ssl_use_srtp_xtn, &ssl3_ClientHandleUseSRTPXtn }, |
289 { ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn }, | 305 { ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn }, |
290 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, | 306 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, |
291 { ssl_extended_master_secret_xtn, &ssl3_HandleExtendedMasterSecretXtn }, | 307 { ssl_extended_master_secret_xtn, &ssl3_HandleExtendedMasterSecretXtn }, |
292 { ssl_signed_certificate_timestamp_xtn, | 308 { ssl_signed_cert_timestamp_xtn, &ssl3_ClientHandleSignedCertTimestampXtn }, |
293 &ssl3_ClientHandleSignedCertTimestampXtn }, | 309 { ssl_tls13_key_share_xtn, &tls13_ClientHandleKeyShareXtn }, |
294 { -1, NULL } | 310 { -1, NULL } |
295 }; | 311 }; |
296 | 312 |
297 static const ssl3HelloExtensionHandler serverHelloHandlersSSL3[] = { | 313 static const ssl3HelloExtensionHandler serverHelloHandlersSSL3[] = { |
298 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, | 314 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, |
299 { -1, NULL } | 315 { -1, NULL } |
300 }; | 316 }; |
301 | 317 |
302 /* Tables of functions to format TLS hello extensions, one function per | 318 /* Tables of functions to format TLS hello extensions, one function per |
303 * extension. | 319 * extension. |
304 * These static tables are for the formatting of client hello extensions. | 320 * These static tables are for the formatting of client hello extensions. |
305 * The server's table of hello senders is dynamic, in the socket struct, | 321 * The server's table of hello senders is dynamic, in the socket struct, |
306 * and sender functions are registered there. | 322 * and sender functions are registered there. |
307 */ | 323 */ |
308 static const | 324 static const ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS]
= |
309 ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = { | 325 { |
310 { ssl_server_name_xtn, &ssl3_SendServerNameXtn }, | 326 { ssl_server_name_xtn, &ssl3_SendServerNameXtn }, |
311 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn }, | 327 { ssl_extended_master_secret_xtn, &ssl3_SendExtendedMasterSecretXtn }, |
| 328 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn }, |
312 #ifndef NSS_DISABLE_ECC | 329 #ifndef NSS_DISABLE_ECC |
313 { ssl_elliptic_curves_xtn, &ssl3_SendSupportedCurvesXtn }, | 330 { ssl_elliptic_curves_xtn, &ssl3_SendSupportedCurvesXtn }, |
314 { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn }, | 331 { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn }, |
315 #endif | 332 #endif |
316 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, | 333 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, |
317 { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, | 334 { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, |
318 { ssl_app_layer_protocol_xtn, &ssl3_ClientSendAppProtoXtn }, | 335 { ssl_app_layer_protocol_xtn, &ssl3_ClientSendAppProtoXtn }, |
319 { ssl_use_srtp_xtn, &ssl3_ClientSendUseSRTPXtn }, | 336 { ssl_use_srtp_xtn, &ssl3_ClientSendUseSRTPXtn }, |
320 { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn }, | 337 { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn }, |
321 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, | 338 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, |
322 { ssl_signed_certificate_timestamp_xtn, | 339 { ssl_tls13_draft_version_xtn, &ssl3_ClientSendDraftVersionXtn }, |
323 &ssl3_ClientSendSignedCertTimestampXtn }, | 340 { ssl_signed_cert_timestamp_xtn, &ssl3_ClientSendSignedCertTimestampXtn }, |
324 /* WebSphere Application Server 7.0 is intolerant to the last extension | 341 { ssl_tls13_key_share_xtn, &tls13_ClientSendKeyShareXtn }, |
325 * being zero-length. It is not intolerant of TLS 1.2, so ensure that | 342 /* Some servers (e.g. WebSphere Application Server 7.0 and Tomcat) will |
326 * signature_algorithms is at the end to guarantee a non-empty | 343 * time out or terminate the connection if the last extension in the |
327 * extension. */ | 344 * client hello is empty. They are not intolerant of TLS 1.2, so list |
328 { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }, | 345 * signature_algorithms at the end. See bug 1243641. */ |
329 { ssl_tls13_draft_version_xtn, &ssl3_ClientSendDraftVersionXtn }, | 346 { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }, |
330 { ssl_extended_master_secret_xtn, &ssl3_SendExtendedMasterSecretXtn}, | 347 /* any extra entries will appear as { 0, NULL } */ |
331 /* any extra entries will appear as { 0, NULL } */ | 348 }; |
332 }; | |
333 | 349 |
334 static const | 350 static const ssl3HelloExtensionSender clientHelloSendersSSL3[SSL_MAX_EXTENSIONS]
= |
335 ssl3HelloExtensionSender clientHelloSendersSSL3[SSL_MAX_EXTENSIONS] = { | 351 { |
336 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn } | 352 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn } |
337 /* any extra entries will appear as { 0, NULL } */ | 353 /* any extra entries will appear as { 0, NULL } */ |
338 }; | 354 }; |
339 | 355 |
340 static PRBool | 356 static PRBool |
341 arrayContainsExtension(const PRUint16 *array, PRUint32 len, PRUint16 ex_type) | 357 arrayContainsExtension(const PRUint16 *array, PRUint32 len, PRUint16 ex_type) |
342 { | 358 { |
343 unsigned int i; | 359 unsigned int i; |
344 for (i = 0; i < len; i++) { | 360 for (i = 0; i < len; i++) { |
345 if (ex_type == array[i]) | 361 if (ex_type == array[i]) |
346 return PR_TRUE; | 362 return PR_TRUE; |
347 } | 363 } |
348 return PR_FALSE; | 364 return PR_FALSE; |
349 } | 365 } |
350 | 366 |
351 PRBool | 367 PRBool |
352 ssl3_ExtensionNegotiated(sslSocket *ss, PRUint16 ex_type) { | 368 ssl3_ExtensionNegotiated(sslSocket *ss, PRUint16 ex_type) |
| 369 { |
353 TLSExtensionData *xtnData = &ss->xtnData; | 370 TLSExtensionData *xtnData = &ss->xtnData; |
354 return arrayContainsExtension(xtnData->negotiated, | 371 return arrayContainsExtension(xtnData->negotiated, |
355 xtnData->numNegotiated, ex_type); | 372 xtnData->numNegotiated, ex_type); |
356 } | 373 } |
357 | 374 |
358 static PRBool | 375 static PRBool |
359 ssl3_ClientExtensionAdvertised(sslSocket *ss, PRUint16 ex_type) { | 376 ssl3_ClientExtensionAdvertised(sslSocket *ss, PRUint16 ex_type) |
| 377 { |
360 TLSExtensionData *xtnData = &ss->xtnData; | 378 TLSExtensionData *xtnData = &ss->xtnData; |
361 return arrayContainsExtension(xtnData->advertised, | 379 return arrayContainsExtension(xtnData->advertised, |
362 xtnData->numAdvertised, ex_type); | 380 xtnData->numAdvertised, ex_type); |
363 } | 381 } |
364 | 382 |
365 /* Format an SNI extension, using the name from the socket's URL, | 383 /* Format an SNI extension, using the name from the socket's URL, |
366 * unless that name is a dotted decimal string. | 384 * unless that name is a dotted decimal string. |
367 * Used by client and server. | 385 * Used by client and server. |
368 */ | 386 */ |
369 PRInt32 | 387 PRInt32 |
370 ssl3_SendServerNameXtn(sslSocket * ss, PRBool append, | 388 ssl3_SendServerNameXtn(sslSocket *ss, PRBool append, |
371 PRUint32 maxBytes) | 389 PRUint32 maxBytes) |
372 { | 390 { |
373 SECStatus rv; | 391 SECStatus rv; |
374 if (!ss) | 392 if (!ss) |
375 return 0; | 393 return 0; |
376 if (!ss->sec.isServer) { | 394 if (!ss->sec.isServer) { |
377 PRUint32 len; | 395 PRUint32 len; |
378 PRNetAddr netAddr; | 396 PRNetAddr netAddr; |
379 | 397 |
380 /* must have a hostname */ | 398 /* must have a hostname */ |
381 if (!ss->url || !ss->url[0]) | 399 if (!ss->url || !ss->url[0]) |
382 return 0; | 400 return 0; |
383 /* must not be an IPv4 or IPv6 address */ | 401 /* must not be an IPv4 or IPv6 address */ |
384 if (PR_SUCCESS == PR_StringToNetAddr(ss->url, &netAddr)) { | 402 if (PR_SUCCESS == PR_StringToNetAddr(ss->url, &netAddr)) { |
385 /* is an IP address (v4 or v6) */ | 403 /* is an IP address (v4 or v6) */ |
386 return 0; | 404 return 0; |
387 } | 405 } |
388 len = PORT_Strlen(ss->url); | 406 len = PORT_Strlen(ss->url); |
389 if (append && maxBytes >= len + 9) { | 407 if (append && maxBytes >= len + 9) { |
390 /* extension_type */ | 408 /* extension_type */ |
391 rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2); | 409 rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2); |
392 if (rv != SECSuccess) return -1; | 410 if (rv != SECSuccess) |
| 411 return -1; |
393 /* length of extension_data */ | 412 /* length of extension_data */ |
394 rv = ssl3_AppendHandshakeNumber(ss, len + 5, 2); | 413 rv = ssl3_AppendHandshakeNumber(ss, len + 5, 2); |
395 if (rv != SECSuccess) return -1; | 414 if (rv != SECSuccess) |
| 415 return -1; |
396 /* length of server_name_list */ | 416 /* length of server_name_list */ |
397 rv = ssl3_AppendHandshakeNumber(ss, len + 3, 2); | 417 rv = ssl3_AppendHandshakeNumber(ss, len + 3, 2); |
398 if (rv != SECSuccess) return -1; | 418 if (rv != SECSuccess) |
| 419 return -1; |
399 /* Name Type (sni_host_name) */ | 420 /* Name Type (sni_host_name) */ |
400 rv = ssl3_AppendHandshake(ss, "\0", 1); | 421 rv = ssl3_AppendHandshake(ss, "\0", 1); |
401 if (rv != SECSuccess) return -1; | 422 if (rv != SECSuccess) |
| 423 return -1; |
402 /* HostName (length and value) */ | 424 /* HostName (length and value) */ |
403 rv = ssl3_AppendHandshakeVariable(ss, (PRUint8 *)ss->url, len, 2); | 425 rv = ssl3_AppendHandshakeVariable(ss, (PRUint8 *)ss->url, len, 2); |
404 if (rv != SECSuccess) return -1; | 426 if (rv != SECSuccess) |
| 427 return -1; |
405 if (!ss->sec.isServer) { | 428 if (!ss->sec.isServer) { |
406 TLSExtensionData *xtnData = &ss->xtnData; | 429 TLSExtensionData *xtnData = &ss->xtnData; |
407 xtnData->advertised[xtnData->numAdvertised++] = | 430 xtnData->advertised[xtnData->numAdvertised++] = |
408 ssl_server_name_xtn; | 431 ssl_server_name_xtn; |
409 } | 432 } |
410 } | 433 } |
411 return len + 9; | 434 return len + 9; |
412 } | 435 } |
413 /* Server side */ | 436 /* Server side */ |
414 if (append && maxBytes >= 4) { | 437 if (append && maxBytes >= 4) { |
415 rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2); | 438 rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2); |
416 if (rv != SECSuccess) return -1; | 439 if (rv != SECSuccess) |
| 440 return -1; |
417 /* length of extension_data */ | 441 /* length of extension_data */ |
418 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); | 442 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); |
419 if (rv != SECSuccess) return -1; | 443 if (rv != SECSuccess) |
| 444 return -1; |
420 } | 445 } |
421 return 4; | 446 return 4; |
422 } | 447 } |
423 | 448 |
424 /* handle an incoming SNI extension, by ignoring it. */ | 449 /* handle an incoming SNI extension, by ignoring it. */ |
425 SECStatus | 450 SECStatus |
426 ssl3_HandleServerNameXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data) | 451 ssl3_HandleServerNameXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) |
427 { | 452 { |
428 SECItem *names = NULL; | 453 SECItem *names = NULL; |
429 PRUint32 listCount = 0, namesPos = 0, i; | 454 PRUint32 listCount = 0, namesPos = 0, i; |
430 TLSExtensionData *xtnData = &ss->xtnData; | 455 TLSExtensionData *xtnData = &ss->xtnData; |
431 SECItem ldata; | 456 SECItem ldata; |
432 PRInt32 listLenBytes = 0; | 457 PRInt32 listLenBytes = 0; |
433 | 458 |
434 if (!ss->sec.isServer) { | 459 if (!ss->sec.isServer) { |
435 return SECSuccess; /* ignore extension */ | 460 return SECSuccess; /* ignore extension */ |
436 } | 461 } |
437 | 462 |
438 /* Server side - consume client data and register server sender. */ | 463 /* Server side - consume client data and register server sender. */ |
439 /* do not parse the data if don't have user extension handling function. */ | 464 /* do not parse the data if don't have user extension handling function. */ |
440 if (!ss->sniSocketConfig) { | 465 if (!ss->sniSocketConfig) { |
441 return SECSuccess; | 466 return SECSuccess; |
442 } | 467 } |
(...skipping 26 matching lines...) Expand all Loading... |
469 if (listLenBytes > 0 && !ldata.len) { | 494 if (listLenBytes > 0 && !ldata.len) { |
470 (void)ssl3_DecodeError(ss); | 495 (void)ssl3_DecodeError(ss); |
471 return SECFailure; | 496 return SECFailure; |
472 } | 497 } |
473 listCount += 1; | 498 listCount += 1; |
474 } | 499 } |
475 names = PORT_ZNewArray(SECItem, listCount); | 500 names = PORT_ZNewArray(SECItem, listCount); |
476 if (!names) { | 501 if (!names) { |
477 return SECFailure; | 502 return SECFailure; |
478 } | 503 } |
479 for (i = 0;i < listCount;i++) { | 504 for (i = 0; i < listCount; i++) { |
480 unsigned int j; | 505 unsigned int j; |
481 PRInt32 type; | 506 PRInt32 type; |
482 SECStatus rv; | 507 SECStatus rv; |
483 PRBool nametypePresent = PR_FALSE; | 508 PRBool nametypePresent = PR_FALSE; |
484 /* Name Type (sni_host_name) */ | 509 /* Name Type (sni_host_name) */ |
485 type = ssl3_ConsumeHandshakeNumber(ss, 1, &data->data, &data->len); | 510 type = ssl3_ConsumeHandshakeNumber(ss, 1, &data->data, &data->len); |
486 /* Check if we have such type in the list */ | 511 /* Check if we have such type in the list */ |
487 for (j = 0;j < listCount && names[j].data;j++) { | 512 for (j = 0; j < listCount && names[j].data; j++) { |
488 /* TODO bug 998524: .type is not assigned a value */ | 513 /* TODO bug 998524: .type is not assigned a value */ |
489 if (names[j].type == type) { | 514 if (names[j].type == type) { |
490 nametypePresent = PR_TRUE; | 515 nametypePresent = PR_TRUE; |
491 break; | 516 break; |
492 } | 517 } |
493 } | 518 } |
494 /* HostName (length and value) */ | 519 /* HostName (length and value) */ |
495 rv = ssl3_ConsumeHandshakeVariable(ss, &names[namesPos], 2, | 520 rv = ssl3_ConsumeHandshakeVariable(ss, &names[namesPos], 2, |
496 &data->data, &data->len); | 521 &data->data, &data->len); |
497 if (rv != SECSuccess) { | 522 if (rv != SECSuccess) { |
(...skipping 16 matching lines...) Expand all Loading... |
514 | 539 |
515 return SECSuccess; | 540 return SECSuccess; |
516 } | 541 } |
517 | 542 |
518 /* Called by both clients and servers. | 543 /* Called by both clients and servers. |
519 * Clients sends a filled in session ticket if one is available, and otherwise | 544 * Clients sends a filled in session ticket if one is available, and otherwise |
520 * sends an empty ticket. Servers always send empty tickets. | 545 * sends an empty ticket. Servers always send empty tickets. |
521 */ | 546 */ |
522 PRInt32 | 547 PRInt32 |
523 ssl3_SendSessionTicketXtn( | 548 ssl3_SendSessionTicketXtn( |
524 sslSocket * ss, | 549 sslSocket *ss, |
525 PRBool append, | 550 PRBool append, |
526 PRUint32 maxBytes) | 551 PRUint32 maxBytes) |
527 { | 552 { |
528 PRInt32 extension_length; | 553 PRInt32 extension_length; |
529 NewSessionTicket *session_ticket = NULL; | 554 NewSessionTicket *session_ticket = NULL; |
530 sslSessionID *sid = ss->sec.ci.sid; | 555 sslSessionID *sid = ss->sec.ci.sid; |
531 | 556 |
532 /* Ignore the SessionTicket extension if processing is disabled. */ | 557 /* Ignore the SessionTicket extension if processing is disabled. */ |
533 if (!ss->opt.enableSessionTickets) | 558 if (!ss->opt.enableSessionTickets) |
534 return 0; | 559 return 0; |
535 | 560 |
536 /* Empty extension length = extension_type (2-bytes) + | 561 /* Empty extension length = extension_type (2-bytes) + |
(...skipping 12 matching lines...) Expand all Loading... |
549 * consistent between the two calls. Note that currently the caller | 574 * consistent between the two calls. Note that currently the caller |
550 * will only be holding the lock when we are the client and when we're | 575 * will only be holding the lock when we are the client and when we're |
551 * attempting to resume an existing session. | 576 * attempting to resume an existing session. |
552 */ | 577 */ |
553 | 578 |
554 session_ticket = &sid->u.ssl3.locked.sessionTicket; | 579 session_ticket = &sid->u.ssl3.locked.sessionTicket; |
555 if (session_ticket->ticket.data) { | 580 if (session_ticket->ticket.data) { |
556 if (ss->xtnData.ticketTimestampVerified) { | 581 if (ss->xtnData.ticketTimestampVerified) { |
557 extension_length += session_ticket->ticket.len; | 582 extension_length += session_ticket->ticket.len; |
558 } else if (!append && | 583 } else if (!append && |
559 (session_ticket->ticket_lifetime_hint == 0 || | 584 (session_ticket->ticket_lifetime_hint == 0 || |
560 (session_ticket->ticket_lifetime_hint + | 585 (session_ticket->ticket_lifetime_hint + |
561 session_ticket->received_timestamp > ssl_Time()))) { | 586 session_ticket->received_timestamp > |
| 587 ssl_Time()))) { |
562 extension_length += session_ticket->ticket.len; | 588 extension_length += session_ticket->ticket.len; |
563 ss->xtnData.ticketTimestampVerified = PR_TRUE; | 589 ss->xtnData.ticketTimestampVerified = PR_TRUE; |
564 } | 590 } |
565 } | 591 } |
566 } | 592 } |
567 | 593 |
568 if (maxBytes < (PRUint32)extension_length) { | 594 if (maxBytes < (PRUint32)extension_length) { |
569 PORT_Assert(0); | 595 PORT_Assert(0); |
570 return 0; | 596 return 0; |
571 } | 597 } |
572 if (append) { | 598 if (append) { |
573 SECStatus rv; | 599 SECStatus rv; |
574 /* extension_type */ | 600 /* extension_type */ |
575 rv = ssl3_AppendHandshakeNumber(ss, ssl_session_ticket_xtn, 2); | 601 rv = ssl3_AppendHandshakeNumber(ss, ssl_session_ticket_xtn, 2); |
576 if (rv != SECSuccess) | 602 if (rv != SECSuccess) |
577 goto loser; | 603 goto loser; |
578 if (session_ticket && session_ticket->ticket.data && | 604 if (session_ticket && session_ticket->ticket.data && |
579 ss->xtnData.ticketTimestampVerified) { | 605 ss->xtnData.ticketTimestampVerified) { |
580 rv = ssl3_AppendHandshakeVariable(ss, session_ticket->ticket.data, | 606 rv = ssl3_AppendHandshakeVariable(ss, session_ticket->ticket.data, |
581 session_ticket->ticket.len, 2); | 607 session_ticket->ticket.len, 2); |
582 ss->xtnData.ticketTimestampVerified = PR_FALSE; | 608 ss->xtnData.ticketTimestampVerified = PR_FALSE; |
583 ss->xtnData.sentSessionTicketInClientHello = PR_TRUE; | 609 ss->xtnData.sentSessionTicketInClientHello = PR_TRUE; |
584 } else { | 610 } else { |
585 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); | 611 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); |
586 } | 612 } |
587 if (rv != SECSuccess) | 613 if (rv != SECSuccess) |
588 goto loser; | 614 goto loser; |
589 | 615 |
590 if (!ss->sec.isServer) { | 616 if (!ss->sec.isServer) { |
591 TLSExtensionData *xtnData = &ss->xtnData; | 617 TLSExtensionData *xtnData = &ss->xtnData; |
592 xtnData->advertised[xtnData->numAdvertised++] = | 618 xtnData->advertised[xtnData->numAdvertised++] = |
593 ssl_session_ticket_xtn; | 619 ssl_session_ticket_xtn; |
594 } | 620 } |
595 } | 621 } |
596 return extension_length; | 622 return extension_length; |
597 | 623 |
598 loser: | 624 loser: |
599 ss->xtnData.ticketTimestampVerified = PR_FALSE; | 625 ss->xtnData.ticketTimestampVerified = PR_FALSE; |
600 return -1; | 626 return -1; |
601 } | 627 } |
602 | 628 |
603 /* handle an incoming Next Protocol Negotiation extension. */ | 629 /* handle an incoming Next Protocol Negotiation extension. */ |
604 static SECStatus | 630 static SECStatus |
605 ssl3_ServerHandleNextProtoNegoXtn(sslSocket * ss, PRUint16 ex_type, | 631 ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type, |
606 SECItem *data) | 632 SECItem *data) |
607 { | 633 { |
608 if (ss->firstHsDone || data->len != 0) { | 634 if (ss->firstHsDone || data->len != 0) { |
609 /* Clients MUST send an empty NPN extension, if any. */ | 635 /* Clients MUST send an empty NPN extension, if any. */ |
610 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); | 636 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); |
611 return SECFailure; | 637 return SECFailure; |
612 } | 638 } |
613 | 639 |
614 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | 640 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
615 | 641 |
616 /* TODO: server side NPN support would require calling | 642 /* TODO: server side NPN support would require calling |
617 * ssl3_RegisterServerHelloExtensionSender here in order to echo the | 643 * ssl3_RegisterServerHelloExtensionSender here in order to echo the |
618 * extension back to the client. */ | 644 * extension back to the client. */ |
619 | 645 |
620 return SECSuccess; | 646 return SECSuccess; |
621 } | 647 } |
622 | 648 |
623 /* ssl3_ValidateNextProtoNego checks that the given block of data is valid: none | 649 /* ssl3_ValidateNextProtoNego checks that the given block of data is valid: none |
624 * of the lengths may be 0 and the sum of the lengths must equal the length of | 650 * of the lengths may be 0 and the sum of the lengths must equal the length of |
625 * the block. */ | 651 * the block. */ |
626 SECStatus | 652 SECStatus |
627 ssl3_ValidateNextProtoNego(const unsigned char* data, unsigned int length) | 653 ssl3_ValidateNextProtoNego(const unsigned char *data, unsigned int length) |
628 { | 654 { |
629 unsigned int offset = 0; | 655 unsigned int offset = 0; |
630 | 656 |
631 while (offset < length) { | 657 while (offset < length) { |
632 unsigned int newOffset = offset + 1 + (unsigned int) data[offset]; | 658 unsigned int newOffset = offset + 1 + (unsigned int)data[offset]; |
633 /* Reject embedded nulls to protect against buggy applications that | 659 /* Reject embedded nulls to protect against buggy applications that |
634 * store protocol identifiers in null-terminated strings. | 660 * store protocol identifiers in null-terminated strings. |
635 */ | 661 */ |
636 if (newOffset > length || data[offset] == 0) { | 662 if (newOffset > length || data[offset] == 0) { |
637 return SECFailure; | 663 return SECFailure; |
638 } | 664 } |
639 offset = newOffset; | 665 offset = newOffset; |
640 } | 666 } |
641 | 667 |
642 return SECSuccess; | 668 return SECSuccess; |
(...skipping 75 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
718 return SECFailure; | 744 return SECFailure; |
719 } | 745 } |
720 | 746 |
721 if (!ss->nextProtoCallback) { | 747 if (!ss->nextProtoCallback) { |
722 /* we're not configured for it */ | 748 /* we're not configured for it */ |
723 return SECSuccess; | 749 return SECSuccess; |
724 } | 750 } |
725 | 751 |
726 rv = ssl3_SelectAppProtocol(ss, ex_type, data); | 752 rv = ssl3_SelectAppProtocol(ss, ex_type, data); |
727 if (rv != SECSuccess) { | 753 if (rv != SECSuccess) { |
728 return rv; | 754 return rv; |
729 } | 755 } |
730 | 756 |
731 /* prepare to send back a response, if we negotiated */ | 757 /* prepare to send back a response, if we negotiated */ |
732 if (ss->ssl3.nextProtoState == SSL_NEXT_PROTO_NEGOTIATED) { | 758 if (ss->ssl3.nextProtoState == SSL_NEXT_PROTO_NEGOTIATED) { |
733 rv = ssl3_RegisterServerHelloExtensionSender( | 759 rv = ssl3_RegisterServerHelloExtensionSender( |
734 ss, ex_type, ssl3_ServerSendAppProtoXtn); | 760 ss, ex_type, ssl3_ServerSendAppProtoXtn); |
735 if (rv != SECSuccess) { | 761 if (rv != SECSuccess) { |
736 (void)SSL3_SendAlert(ss, alert_fatal, internal_error); | 762 (void)SSL3_SendAlert(ss, alert_fatal, internal_error); |
737 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 763 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
738 return rv; | 764 return rv; |
(...skipping 73 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
812 return SECFailure; | 838 return SECFailure; |
813 } | 839 } |
814 | 840 |
815 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); | 841 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); |
816 ss->ssl3.nextProtoState = SSL_NEXT_PROTO_SELECTED; | 842 ss->ssl3.nextProtoState = SSL_NEXT_PROTO_SELECTED; |
817 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | 843 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
818 return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &protocol_name); | 844 return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &protocol_name); |
819 } | 845 } |
820 | 846 |
821 static PRInt32 | 847 static PRInt32 |
822 ssl3_ClientSendNextProtoNegoXtn(sslSocket * ss, PRBool append, | 848 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append, |
823 PRUint32 maxBytes) | 849 PRUint32 maxBytes) |
824 { | 850 { |
825 PRInt32 extension_length; | 851 PRInt32 extension_length; |
826 | 852 |
827 /* Renegotiations do not send this extension. */ | 853 /* Renegotiations do not send this extension. */ |
828 if (!ss->opt.enableNPN || !ss->nextProtoCallback || ss->firstHsDone) { | 854 if (!ss->opt.enableNPN || !ss->nextProtoCallback || ss->firstHsDone) { |
829 return 0; | 855 return 0; |
830 } | 856 } |
831 | 857 |
832 extension_length = 4; | 858 extension_length = 4; |
833 | 859 |
834 if (maxBytes < (PRUint32)extension_length) { | 860 if (maxBytes < (PRUint32)extension_length) { |
835 return 0; | 861 return 0; |
836 } | 862 } |
837 if (append) { | 863 if (append) { |
838 SECStatus rv; | 864 SECStatus rv; |
839 rv = ssl3_AppendHandshakeNumber(ss, ssl_next_proto_nego_xtn, 2); | 865 rv = ssl3_AppendHandshakeNumber(ss, ssl_next_proto_nego_xtn, 2); |
840 if (rv != SECSuccess) | 866 if (rv != SECSuccess) |
841 goto loser; | 867 goto loser; |
842 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); | 868 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); |
843 if (rv != SECSuccess) | 869 if (rv != SECSuccess) |
844 goto loser; | 870 goto loser; |
845 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | 871 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = |
846 ssl_next_proto_nego_xtn; | 872 ssl_next_proto_nego_xtn; |
847 } | 873 } |
848 | 874 |
849 return extension_length; | 875 return extension_length; |
850 | 876 |
851 loser: | 877 loser: |
852 return -1; | 878 return -1; |
853 } | 879 } |
854 | 880 |
855 static PRInt32 | 881 static PRInt32 |
856 ssl3_ClientSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes) | 882 ssl3_ClientSendAppProtoXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes) |
857 { | 883 { |
858 PRInt32 extension_length; | 884 PRInt32 extension_length; |
859 unsigned char *alpn_protos = NULL; | 885 unsigned char *alpn_protos = NULL; |
860 | 886 |
861 /* Renegotiations do not send this extension. */ | 887 /* Renegotiations do not send this extension. */ |
862 if (!ss->opt.enableALPN || !ss->opt.nextProtoNego.data || ss->firstHsDone) { | 888 if (!ss->opt.enableALPN || !ss->opt.nextProtoNego.data || ss->firstHsDone) { |
863 return 0; | 889 return 0; |
864 } | 890 } |
865 | 891 |
866 extension_length = 2 /* extension type */ + 2 /* extension length */ + | 892 extension_length = 2 /* extension type */ + 2 /* extension length */ + |
(...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
902 if (rv != SECSuccess) { | 928 if (rv != SECSuccess) { |
903 goto loser; | 929 goto loser; |
904 } | 930 } |
905 rv = ssl3_AppendHandshakeVariable(ss, alpn_protos, len, 2); | 931 rv = ssl3_AppendHandshakeVariable(ss, alpn_protos, len, 2); |
906 PORT_Free(alpn_protos); | 932 PORT_Free(alpn_protos); |
907 alpn_protos = NULL; | 933 alpn_protos = NULL; |
908 if (rv != SECSuccess) { | 934 if (rv != SECSuccess) { |
909 goto loser; | 935 goto loser; |
910 } | 936 } |
911 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | 937 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = |
912 ssl_app_layer_protocol_xtn; | 938 ssl_app_layer_protocol_xtn; |
913 } | 939 } |
914 | 940 |
915 return extension_length; | 941 return extension_length; |
916 | 942 |
917 loser: | 943 loser: |
918 if (alpn_protos) { | 944 if (alpn_protos) { |
919 PORT_Free(alpn_protos); | 945 PORT_Free(alpn_protos); |
920 } | 946 } |
921 return -1; | 947 return -1; |
922 } | 948 } |
923 | 949 |
924 static PRInt32 | 950 static PRInt32 |
925 ssl3_ServerSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes) | 951 ssl3_ServerSendAppProtoXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes) |
926 { | 952 { |
927 PRInt32 extension_length; | 953 PRInt32 extension_length; |
928 | 954 |
929 /* we're in over our heads if any of these fail */ | 955 /* we're in over our heads if any of these fail */ |
930 PORT_Assert(ss->opt.enableALPN); | 956 PORT_Assert(ss->opt.enableALPN); |
931 PORT_Assert(ss->ssl3.nextProto.data); | 957 PORT_Assert(ss->ssl3.nextProto.data); |
932 PORT_Assert(ss->ssl3.nextProto.len > 0); | 958 PORT_Assert(ss->ssl3.nextProto.len > 0); |
933 PORT_Assert(ss->ssl3.nextProtoState == SSL_NEXT_PROTO_NEGOTIATED); | 959 PORT_Assert(ss->ssl3.nextProtoState == SSL_NEXT_PROTO_NEGOTIATED); |
934 PORT_Assert(!ss->firstHsDone); | 960 PORT_Assert(!ss->firstHsDone); |
935 | 961 |
(...skipping 23 matching lines...) Expand all Loading... |
959 if (rv != SECSuccess) { | 985 if (rv != SECSuccess) { |
960 return -1; | 986 return -1; |
961 } | 987 } |
962 } | 988 } |
963 | 989 |
964 return extension_length; | 990 return extension_length; |
965 } | 991 } |
966 | 992 |
967 static SECStatus | 993 static SECStatus |
968 ssl3_ClientHandleChannelIDXtn(sslSocket *ss, PRUint16 ex_type, | 994 ssl3_ClientHandleChannelIDXtn(sslSocket *ss, PRUint16 ex_type, |
969 » » » SECItem *data) | 995 SECItem *data) |
970 { | 996 { |
971 PORT_Assert(ss->getChannelID != NULL); | 997 PORT_Assert(ss->getChannelID != NULL); |
972 | 998 |
973 if (data->len) { | 999 if (data->len) { |
974 » PORT_SetError(SSL_ERROR_BAD_CHANNEL_ID_DATA); | 1000 PORT_SetError(SSL_ERROR_BAD_CHANNEL_ID_DATA); |
975 » return SECFailure; | 1001 return SECFailure; |
976 } | 1002 } |
977 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | 1003 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
978 return SECSuccess; | 1004 return SECSuccess; |
979 } | 1005 } |
980 | 1006 |
981 static PRInt32 | 1007 static PRInt32 |
982 ssl3_ClientSendChannelIDXtn(sslSocket * ss, PRBool append, | 1008 ssl3_ClientSendChannelIDXtn(sslSocket *ss, PRBool append, |
983 » » » PRUint32 maxBytes) | 1009 PRUint32 maxBytes) |
984 { | 1010 { |
985 PRInt32 extension_length = 4; | 1011 PRInt32 extension_length = 4; |
986 | 1012 |
987 if (!ss->getChannelID) | 1013 if (!ss->getChannelID) |
988 » return 0; | 1014 return 0; |
989 | 1015 |
990 if (maxBytes < extension_length) { | 1016 if (maxBytes < extension_length) { |
991 » PORT_Assert(0); | 1017 PORT_Assert(0); |
992 » return 0; | 1018 return 0; |
993 } | 1019 } |
994 | 1020 |
995 if (ss->sec.ci.sid->cached != never_cached && | 1021 if (ss->sec.ci.sid->cached != never_cached && |
996 ss->sec.ci.sid->u.ssl3.originalHandshakeHash.len == 0) { | 1022 ss->sec.ci.sid->u.ssl3.originalHandshakeHash.len == 0) { |
997 /* We can't do ChannelID on a connection if we're resuming and didn't | 1023 /* We can't do ChannelID on a connection if we're resuming and didn't |
998 * do ChannelID on the original connection: without ChannelID on the | 1024 * do ChannelID on the original connection: without ChannelID on the |
999 * original connection we didn't record the handshake hashes needed for | 1025 * original connection we didn't record the handshake hashes needed for |
1000 * the signature. */ | 1026 * the signature. */ |
1001 » return 0; | 1027 return 0; |
1002 } | 1028 } |
1003 | 1029 |
1004 if (append) { | 1030 if (append) { |
1005 » SECStatus rv; | 1031 SECStatus rv; |
1006 » rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2); | 1032 rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2); |
1007 » if (rv != SECSuccess) | 1033 if (rv != SECSuccess) |
1008 » goto loser; | 1034 goto loser; |
1009 » rv = ssl3_AppendHandshakeNumber(ss, 0, 2); | 1035 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); |
1010 » if (rv != SECSuccess) | 1036 if (rv != SECSuccess) |
1011 » goto loser; | 1037 goto loser; |
1012 » ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | 1038 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = |
1013 » » ssl_channel_id_xtn; | 1039 ssl_channel_id_xtn; |
1014 } | 1040 } |
1015 | 1041 |
1016 return extension_length; | 1042 return extension_length; |
1017 | 1043 |
1018 loser: | 1044 loser: |
1019 return -1; | 1045 return -1; |
1020 } | 1046 } |
1021 | 1047 |
1022 static SECStatus | 1048 static SECStatus |
1023 ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type, | 1049 ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type, |
1024 SECItem *data) | 1050 SECItem *data) |
1025 { | 1051 { |
1026 /* The echoed extension must be empty. */ | 1052 /* The echoed extension must be empty. */ |
1027 if (data->len != 0) { | 1053 if (data->len != 0) { |
1028 return SECSuccess; /* Ignore the extension. */ | 1054 return SECSuccess; /* Ignore the extension. */ |
1029 } | 1055 } |
1030 | 1056 |
1031 /* Keep track of negotiated extensions. */ | 1057 /* Keep track of negotiated extensions. */ |
1032 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | 1058 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
1033 | 1059 |
1034 return SECSuccess; | 1060 return SECSuccess; |
1035 } | 1061 } |
1036 | 1062 |
1037 static PRInt32 | 1063 static PRInt32 |
1038 ssl3_ServerSendStatusRequestXtn( | 1064 ssl3_ServerSendStatusRequestXtn( |
1039 sslSocket * ss, | 1065 sslSocket *ss, |
1040 PRBool append, | 1066 PRBool append, |
1041 PRUint32 maxBytes) | 1067 PRUint32 maxBytes) |
1042 { | 1068 { |
1043 PRInt32 extension_length; | 1069 PRInt32 extension_length; |
| 1070 SSLKEAType effectiveExchKeyType; |
1044 SECStatus rv; | 1071 SECStatus rv; |
1045 int i; | |
1046 PRBool haveStatus = PR_FALSE; | |
1047 | 1072 |
1048 for (i = kt_null; i < kt_kea_size; i++) { | 1073 /* ssl3_SendCertificateStatus (which sents the certificate status data) |
1049 /* TODO: This is a temporary workaround. | 1074 * uses the exact same logic to select the server certificate |
1050 * The correct code needs to see if we have an OCSP response for | 1075 * and determine if we have the status for that certificate. */ |
1051 * the server certificate being used, rather than if we have any | 1076 |
1052 * OCSP response. See also ssl3_SendCertificateStatus. | 1077 if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa || |
1053 */ | 1078 ss->ssl3.hs.kea_def->kea == kea_dhe_rsa) { |
1054 if (ss->certStatusArray[i] && ss->certStatusArray[i]->len) { | 1079 effectiveExchKeyType = ssl_kea_rsa; |
1055 haveStatus = PR_TRUE; | 1080 } else { |
1056 break; | 1081 effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType; |
1057 } | |
1058 } | 1082 } |
1059 if (!haveStatus) | 1083 |
| 1084 if (!ss->certStatusArray[effectiveExchKeyType] || |
| 1085 !ss->certStatusArray[effectiveExchKeyType]->len) { |
1060 return 0; | 1086 return 0; |
| 1087 } |
1061 | 1088 |
1062 extension_length = 2 + 2; | 1089 extension_length = 2 + 2; |
1063 if (maxBytes < (PRUint32)extension_length) { | 1090 if (maxBytes < (PRUint32)extension_length) { |
1064 return 0; | 1091 return 0; |
1065 } | 1092 } |
1066 if (append) { | 1093 if (append) { |
1067 /* extension_type */ | 1094 /* extension_type */ |
1068 rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2); | 1095 rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2); |
1069 if (rv != SECSuccess) | 1096 if (rv != SECSuccess) |
1070 return -1; | 1097 return -1; |
1071 /* length of extension_data */ | 1098 /* length of extension_data */ |
1072 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); | 1099 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); |
1073 if (rv != SECSuccess) | 1100 if (rv != SECSuccess) |
1074 return -1; | 1101 return -1; |
| 1102 /* The certificate status data is sent in ssl3_SendCertificateStatus. */ |
1075 } | 1103 } |
1076 | 1104 |
1077 return extension_length; | 1105 return extension_length; |
1078 } | 1106 } |
1079 | 1107 |
1080 /* ssl3_ClientSendStatusRequestXtn builds the status_request extension on the | 1108 /* ssl3_ClientSendStatusRequestXtn builds the status_request extension on the |
1081 * client side. See RFC 4366 section 3.6. */ | 1109 * client side. See RFC 4366 section 3.6. */ |
1082 static PRInt32 | 1110 static PRInt32 |
1083 ssl3_ClientSendStatusRequestXtn(sslSocket * ss, PRBool append, | 1111 ssl3_ClientSendStatusRequestXtn(sslSocket *ss, PRBool append, |
1084 PRUint32 maxBytes) | 1112 PRUint32 maxBytes) |
1085 { | 1113 { |
1086 PRInt32 extension_length; | 1114 PRInt32 extension_length; |
1087 | 1115 |
1088 if (!ss->opt.enableOCSPStapling) | 1116 if (!ss->opt.enableOCSPStapling) |
1089 return 0; | 1117 return 0; |
1090 | 1118 |
1091 /* extension_type (2-bytes) + | 1119 /* extension_type (2-bytes) + |
1092 * length(extension_data) (2-bytes) + | 1120 * length(extension_data) (2-bytes) + |
1093 * status_type (1) + | 1121 * status_type (1) + |
1094 * responder_id_list length (2) + | 1122 * responder_id_list length (2) + |
1095 * request_extensions length (2) | 1123 * request_extensions length (2) |
1096 */ | 1124 */ |
1097 extension_length = 9; | 1125 extension_length = 9; |
1098 | 1126 |
1099 if (maxBytes < (PRUint32)extension_length) { | 1127 if (maxBytes < (PRUint32)extension_length) { |
1100 PORT_Assert(0); | 1128 PORT_Assert(0); |
1101 return 0; | 1129 return 0; |
1102 } | 1130 } |
1103 if (append) { | 1131 if (append) { |
1104 SECStatus rv; | 1132 SECStatus rv; |
1105 TLSExtensionData *xtnData; | 1133 TLSExtensionData *xtnData; |
1106 | 1134 |
1107 /* extension_type */ | 1135 /* extension_type */ |
1108 rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2); | 1136 rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2); |
1109 if (rv != SECSuccess) | 1137 if (rv != SECSuccess) |
1110 return -1; | 1138 return -1; |
1111 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); | 1139 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); |
1112 if (rv != SECSuccess) | 1140 if (rv != SECSuccess) |
1113 return -1; | 1141 return -1; |
1114 rv = ssl3_AppendHandshakeNumber(ss, 1 /* status_type ocsp */, 1); | 1142 rv = ssl3_AppendHandshakeNumber(ss, 1 /* status_type ocsp */, 1); |
1115 if (rv != SECSuccess) | 1143 if (rv != SECSuccess) |
1116 return -1; | 1144 return -1; |
1117 /* A zero length responder_id_list means that the responders are | 1145 /* A zero length responder_id_list means that the responders are |
1118 * implicitly known to the server. */ | 1146 * implicitly known to the server. */ |
1119 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); | 1147 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); |
1120 if (rv != SECSuccess) | 1148 if (rv != SECSuccess) |
1121 return -1; | 1149 return -1; |
1122 /* A zero length request_extensions means that there are no extensions. | 1150 /* A zero length request_extensions means that there are no extensions. |
1123 * Specifically, we don't set the id-pkix-ocsp-nonce extension. This | 1151 * Specifically, we don't set the id-pkix-ocsp-nonce extension. This |
1124 * means that the server can replay a cached OCSP response to us. */ | 1152 * means that the server can replay a cached OCSP response to us. */ |
1125 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); | 1153 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); |
1126 if (rv != SECSuccess) | 1154 if (rv != SECSuccess) |
1127 return -1; | 1155 return -1; |
1128 | 1156 |
1129 xtnData = &ss->xtnData; | 1157 xtnData = &ss->xtnData; |
1130 xtnData->advertised[xtnData->numAdvertised++] = ssl_cert_status_xtn; | 1158 xtnData->advertised[xtnData->numAdvertised++] = ssl_cert_status_xtn; |
1131 } | 1159 } |
1132 return extension_length; | 1160 return extension_length; |
1133 } | 1161 } |
1134 | 1162 |
1135 /* | 1163 /* |
1136 * NewSessionTicket | 1164 * NewSessionTicket |
1137 * Called from ssl3_HandleFinished | 1165 * Called from ssl3_HandleFinished |
1138 */ | 1166 */ |
1139 SECStatus | 1167 SECStatus |
1140 ssl3_SendNewSessionTicket(sslSocket *ss) | 1168 ssl3_SendNewSessionTicket(sslSocket *ss) |
1141 { | 1169 { |
1142 PRUint32 i; | 1170 PRUint32 i; |
1143 SECStatus rv; | 1171 SECStatus rv; |
1144 NewSessionTicket ticket; | 1172 NewSessionTicket ticket; |
1145 SECItem plaintext; | 1173 SECItem plaintext; |
1146 SECItem plaintext_item = {0, NULL, 0}; | 1174 SECItem plaintext_item = { 0, NULL, 0 }; |
1147 SECItem ciphertext = {0, NULL, 0}; | 1175 SECItem ciphertext = { 0, NULL, 0 }; |
1148 PRUint32 ciphertext_length; | 1176 PRUint32 ciphertext_length; |
1149 PRBool ms_is_wrapped; | 1177 PRBool ms_is_wrapped; |
1150 unsigned char wrapped_ms[SSL3_MASTER_SECRET_LENGTH]; | 1178 unsigned char wrapped_ms[SSL3_MASTER_SECRET_LENGTH]; |
1151 SECItem ms_item = {0, NULL, 0}; | 1179 SECItem ms_item = { 0, NULL, 0 }; |
1152 SSL3KEAType effectiveExchKeyType = ssl_kea_null; | 1180 SSL3KEAType effectiveExchKeyType = ssl_kea_null; |
1153 PRUint32 padding_length; | 1181 PRUint32 padding_length; |
1154 PRUint32 message_length; | 1182 PRUint32 message_length; |
1155 PRUint32 cert_length; | 1183 PRUint32 cert_length = 0; |
1156 PRUint8 length_buf[4]; | 1184 PRUint8 length_buf[4]; |
1157 PRUint32 now; | 1185 PRUint32 now; |
1158 PK11SymKey *aes_key_pkcs11; | 1186 PK11SymKey *aes_key_pkcs11; |
1159 PK11SymKey *mac_key_pkcs11; | 1187 PK11SymKey *mac_key_pkcs11; |
1160 #ifndef NO_PKCS11_BYPASS | 1188 #ifndef NO_PKCS11_BYPASS |
1161 const unsigned char *aes_key; | 1189 const unsigned char *aes_key; |
1162 const unsigned char *mac_key; | 1190 const unsigned char *mac_key; |
1163 PRUint32 aes_key_length; | 1191 PRUint32 aes_key_length; |
1164 PRUint32 mac_key_length; | 1192 PRUint32 mac_key_length; |
1165 PRUint64 aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS]; | 1193 PRUint64 aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS]; |
1166 AESContext *aes_ctx; | 1194 AESContext *aes_ctx; |
1167 const SECHashObject *hashObj = NULL; | 1195 const SECHashObject *hashObj = NULL; |
1168 PRUint64 hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS]; | 1196 PRUint64 hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS]; |
1169 HMACContext *hmac_ctx; | 1197 HMACContext *hmac_ctx; |
1170 #endif | 1198 #endif |
1171 CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC; | 1199 CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC; |
1172 PK11Context *aes_ctx_pkcs11; | 1200 PK11Context *aes_ctx_pkcs11; |
1173 CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC; | 1201 CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC; |
1174 PK11Context *hmac_ctx_pkcs11 = NULL; | 1202 PK11Context *hmac_ctx_pkcs11 = NULL; |
1175 unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH]; | 1203 unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH]; |
1176 unsigned int computed_mac_length; | 1204 unsigned int computed_mac_length; |
1177 unsigned char iv[AES_BLOCK_SIZE]; | 1205 unsigned char iv[AES_BLOCK_SIZE]; |
1178 SECItem ivItem; | 1206 SECItem ivItem; |
1179 SECItem *srvName = NULL; | 1207 SECItem *srvName = NULL; |
1180 PRUint32 srvNameLen = 0; | 1208 PRUint32 srvNameLen = 0; |
1181 CK_MECHANISM_TYPE msWrapMech = 0; /* dummy default value, | 1209 CK_MECHANISM_TYPE msWrapMech = 0; /* dummy default value, |
1182 * must be >= 0 */ | 1210 * must be >= 0 */ |
1183 | 1211 |
1184 SSL_TRC(3, ("%d: SSL3[%d]: send session_ticket handshake", | 1212 SSL_TRC(3, ("%d: SSL3[%d]: send session_ticket handshake", |
1185 SSL_GETPID(), ss->fd)); | 1213 SSL_GETPID(), ss->fd)); |
1186 | 1214 |
1187 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); | 1215 PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
1188 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 1216 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
1189 | 1217 |
1190 ticket.ticket_lifetime_hint = TLS_EX_SESS_TICKET_LIFETIME_HINT; | 1218 ticket.ticket_lifetime_hint = TLS_EX_SESS_TICKET_LIFETIME_HINT; |
1191 cert_length = (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) ? | 1219 if (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) { |
1192 3 + ss->sec.ci.sid->peerCert->derCert.len : 0; | 1220 cert_length = 3 + ss->sec.ci.sid->peerCert->derCert.len; |
| 1221 } |
1193 | 1222 |
1194 /* Get IV and encryption keys */ | 1223 /* Get IV and encryption keys */ |
1195 ivItem.data = iv; | 1224 ivItem.data = iv; |
1196 ivItem.len = sizeof(iv); | 1225 ivItem.len = sizeof(iv); |
1197 rv = PK11_GenerateRandom(iv, sizeof(iv)); | 1226 rv = PK11_GenerateRandom(iv, sizeof(iv)); |
1198 if (rv != SECSuccess) goto loser; | 1227 if (rv != SECSuccess) |
| 1228 goto loser; |
1199 | 1229 |
1200 #ifndef NO_PKCS11_BYPASS | 1230 #ifndef NO_PKCS11_BYPASS |
1201 if (ss->opt.bypassPKCS11) { | 1231 if (ss->opt.bypassPKCS11) { |
1202 rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length, | 1232 rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length, |
1203 &mac_key, &mac_key_length); | 1233 &mac_key, &mac_key_length); |
1204 } else | 1234 } else |
1205 #endif | 1235 #endif |
1206 { | 1236 { |
1207 rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11, | 1237 rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11, |
1208 &mac_key_pkcs11); | 1238 &mac_key_pkcs11); |
1209 } | 1239 } |
1210 if (rv != SECSuccess) goto loser; | 1240 if (rv != SECSuccess) |
| 1241 goto loser; |
1211 | 1242 |
1212 if (ss->ssl3.pwSpec->msItem.len && ss->ssl3.pwSpec->msItem.data) { | 1243 if (ss->ssl3.pwSpec->msItem.len && ss->ssl3.pwSpec->msItem.data) { |
1213 /* The master secret is available unwrapped. */ | 1244 /* The master secret is available unwrapped. */ |
1214 ms_item.data = ss->ssl3.pwSpec->msItem.data; | 1245 ms_item.data = ss->ssl3.pwSpec->msItem.data; |
1215 ms_item.len = ss->ssl3.pwSpec->msItem.len; | 1246 ms_item.len = ss->ssl3.pwSpec->msItem.len; |
1216 ms_is_wrapped = PR_FALSE; | 1247 ms_is_wrapped = PR_FALSE; |
1217 } else { | 1248 } else { |
1218 /* Extract the master secret wrapped. */ | 1249 /* Extract the master secret wrapped. */ |
1219 sslSessionID sid; | 1250 sslSessionID sid; |
1220 PORT_Memset(&sid, 0, sizeof(sslSessionID)); | 1251 PORT_Memset(&sid, 0, sizeof(sslSessionID)); |
1221 | 1252 |
1222 if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa || | 1253 if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa || |
1223 ss->ssl3.hs.kea_def->kea == kea_dhe_rsa) { | 1254 ss->ssl3.hs.kea_def->kea == kea_dhe_rsa) { |
1224 effectiveExchKeyType = kt_rsa; | 1255 effectiveExchKeyType = kt_rsa; |
1225 } else { | 1256 } else { |
1226 effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType; | 1257 effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType; |
1227 } | 1258 } |
1228 | 1259 |
1229 rv = ssl3_CacheWrappedMasterSecret(ss, &sid, ss->ssl3.pwSpec, | 1260 rv = ssl3_CacheWrappedMasterSecret(ss, &sid, ss->ssl3.pwSpec, |
1230 effectiveExchKeyType); | 1261 effectiveExchKeyType); |
1231 if (rv == SECSuccess) { | 1262 if (rv == SECSuccess) { |
1232 if (sid.u.ssl3.keys.wrapped_master_secret_len > sizeof(wrapped_ms)) | 1263 if (sid.u.ssl3.keys.wrapped_master_secret_len > sizeof(wrapped_ms)) |
1233 goto loser; | 1264 goto loser; |
1234 memcpy(wrapped_ms, sid.u.ssl3.keys.wrapped_master_secret, | 1265 memcpy(wrapped_ms, sid.u.ssl3.keys.wrapped_master_secret, |
1235 sid.u.ssl3.keys.wrapped_master_secret_len); | 1266 sid.u.ssl3.keys.wrapped_master_secret_len); |
1236 ms_item.data = wrapped_ms; | 1267 ms_item.data = wrapped_ms; |
1237 ms_item.len = sid.u.ssl3.keys.wrapped_master_secret_len; | 1268 ms_item.len = sid.u.ssl3.keys.wrapped_master_secret_len; |
1238 msWrapMech = sid.u.ssl3.masterWrapMech; | 1269 msWrapMech = sid.u.ssl3.masterWrapMech; |
1239 } else { | 1270 } else { |
1240 /* TODO: else send an empty ticket. */ | 1271 /* TODO: else send an empty ticket. */ |
1241 goto loser; | 1272 goto loser; |
1242 } | 1273 } |
1243 ms_is_wrapped = PR_TRUE; | 1274 ms_is_wrapped = PR_TRUE; |
1244 } | 1275 } |
1245 /* Prep to send negotiated name */ | 1276 /* Prep to send negotiated name */ |
1246 srvName = &ss->ssl3.pwSpec->srvVirtName; | 1277 srvName = &ss->ssl3.pwSpec->srvVirtName; |
1247 if (srvName->data && srvName->len) { | 1278 if (srvName->data && srvName->len) { |
1248 srvNameLen = 2 + srvName->len; /* len bytes + name len */ | 1279 srvNameLen = 2 + srvName->len; /* len bytes + name len */ |
1249 } | 1280 } |
1250 | 1281 |
1251 ciphertext_length = | 1282 ciphertext_length = |
1252 sizeof(PRUint16) /* ticket_version */ | 1283 sizeof(PRUint16) /* ticket_version */ |
1253 + sizeof(SSL3ProtocolVersion) /* ssl_version */ | 1284 + sizeof(SSL3ProtocolVersion) /* ssl_version */ |
1254 + sizeof(ssl3CipherSuite) /* ciphersuite */ | 1285 + sizeof(ssl3CipherSuite) /* ciphersuite */ |
1255 + 1 /* compression */ | 1286 + 1 /* compression */ |
1256 + 10 /* cipher spec parameters */ | 1287 + 10 /* cipher spec parameters */ |
1257 + 1 /* SessionTicket.ms_is_wrapped */ | 1288 + 1 /* SessionTicket.ms_is_wrapped */ |
1258 + 1 /* effectiveExchKeyType */ | 1289 + 1 /* effectiveExchKeyType */ |
1259 + 4 /* msWrapMech */ | 1290 + 4 /* msWrapMech */ |
1260 + 2 /* master_secret.length */ | 1291 + 2 /* master_secret.length */ |
1261 + ms_item.len /* master_secret */ | 1292 + ms_item.len /* master_secret */ |
1262 + 1 /* client_auth_type */ | 1293 + 1 /* client_auth_type */ |
1263 + cert_length /* cert */ | 1294 + cert_length /* cert */ |
1264 + 1 /* server name type */ | 1295 + 1 /* server name type */ |
1265 + srvNameLen /* name len + length field */ | 1296 + srvNameLen /* name len + length field */ |
1266 + 1 /* extendedMasterSecretUsed */ | 1297 + 1 /* extendedMasterSecretUsed */ |
1267 + sizeof(ticket.ticket_lifetime_hint); | 1298 + sizeof(ticket.ticket_lifetime_hint); |
1268 padding_length = AES_BLOCK_SIZE - | 1299 padding_length = AES_BLOCK_SIZE - |
1269 (ciphertext_length % AES_BLOCK_SIZE); | 1300 (ciphertext_length % |
| 1301 AES_BLOCK_SIZE); |
1270 ciphertext_length += padding_length; | 1302 ciphertext_length += padding_length; |
1271 | 1303 |
1272 message_length = | 1304 message_length = |
1273 sizeof(ticket.ticket_lifetime_hint) /* ticket_lifetime_hint */ | 1305 sizeof(ticket.ticket_lifetime_hint) /* ticket_lifetime_hint */ |
1274 + 2 /* length field for NewSessionTicket.ticket */ | 1306 + 2 /* length field for NewSessionTicket
.ticket */ |
1275 + SESS_TICKET_KEY_NAME_LEN /* key_name */ | 1307 + SESS_TICKET_KEY_NAME_LEN /* key_name */ |
1276 + AES_BLOCK_SIZE /* iv */ | 1308 + AES_BLOCK_SIZE /* iv */ |
1277 + 2 /* length field for NewSessionTicket.ticket.encrypted_state */ | 1309 + 2 /* length field for NewSessionTicket
.ticket.encrypted_state */ |
1278 + ciphertext_length /* encrypted_state */ | 1310 + ciphertext_length /* encrypted_state */ |
1279 + TLS_EX_SESS_TICKET_MAC_LENGTH; /* mac */ | 1311 + TLS_EX_SESS_TICKET_MAC_LENGTH; /* mac */ |
1280 | 1312 |
1281 if (SECITEM_AllocItem(NULL, &plaintext_item, ciphertext_length) == NULL) | 1313 if (SECITEM_AllocItem(NULL, &plaintext_item, ciphertext_length) == NULL) |
1282 goto loser; | 1314 goto loser; |
1283 | 1315 |
1284 plaintext = plaintext_item; | 1316 plaintext = plaintext_item; |
1285 | 1317 |
1286 /* ticket_version */ | 1318 /* ticket_version */ |
1287 rv = ssl3_AppendNumberToItem(&plaintext, TLS_EX_SESS_TICKET_VERSION, | 1319 rv = ssl3_AppendNumberToItem(&plaintext, TLS_EX_SESS_TICKET_VERSION, |
1288 sizeof(PRUint16)); | 1320 sizeof(PRUint16)); |
1289 if (rv != SECSuccess) goto loser; | 1321 if (rv != SECSuccess) |
| 1322 goto loser; |
1290 | 1323 |
1291 /* ssl_version */ | 1324 /* ssl_version */ |
1292 rv = ssl3_AppendNumberToItem(&plaintext, ss->version, | 1325 rv = ssl3_AppendNumberToItem(&plaintext, ss->version, |
1293 sizeof(SSL3ProtocolVersion)); | 1326 sizeof(SSL3ProtocolVersion)); |
1294 if (rv != SECSuccess) goto loser; | 1327 if (rv != SECSuccess) |
| 1328 goto loser; |
1295 | 1329 |
1296 /* ciphersuite */ | 1330 /* ciphersuite */ |
1297 rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.cipher_suite, | 1331 rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.cipher_suite, |
1298 sizeof(ssl3CipherSuite)); | 1332 sizeof(ssl3CipherSuite)); |
1299 if (rv != SECSuccess) goto loser; | 1333 if (rv != SECSuccess) |
| 1334 goto loser; |
1300 | 1335 |
1301 /* compression */ | 1336 /* compression */ |
1302 rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.compression, 1); | 1337 rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.compression, 1); |
1303 if (rv != SECSuccess) goto loser; | 1338 if (rv != SECSuccess) |
| 1339 goto loser; |
1304 | 1340 |
1305 /* cipher spec parameters */ | 1341 /* cipher spec parameters */ |
1306 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authAlgorithm, 1); | 1342 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authAlgorithm, 1); |
1307 if (rv != SECSuccess) goto loser; | 1343 if (rv != SECSuccess) |
| 1344 goto loser; |
1308 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authKeyBits, 4); | 1345 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authKeyBits, 4); |
1309 if (rv != SECSuccess) goto loser; | 1346 if (rv != SECSuccess) |
| 1347 goto loser; |
1310 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaType, 1); | 1348 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaType, 1); |
1311 if (rv != SECSuccess) goto loser; | 1349 if (rv != SECSuccess) |
| 1350 goto loser; |
1312 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaKeyBits, 4); | 1351 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaKeyBits, 4); |
1313 if (rv != SECSuccess) goto loser; | 1352 if (rv != SECSuccess) |
| 1353 goto loser; |
1314 | 1354 |
1315 /* master_secret */ | 1355 /* master_secret */ |
1316 rv = ssl3_AppendNumberToItem(&plaintext, ms_is_wrapped, 1); | 1356 rv = ssl3_AppendNumberToItem(&plaintext, ms_is_wrapped, 1); |
1317 if (rv != SECSuccess) goto loser; | 1357 if (rv != SECSuccess) |
| 1358 goto loser; |
1318 rv = ssl3_AppendNumberToItem(&plaintext, effectiveExchKeyType, 1); | 1359 rv = ssl3_AppendNumberToItem(&plaintext, effectiveExchKeyType, 1); |
1319 if (rv != SECSuccess) goto loser; | 1360 if (rv != SECSuccess) |
| 1361 goto loser; |
1320 rv = ssl3_AppendNumberToItem(&plaintext, msWrapMech, 4); | 1362 rv = ssl3_AppendNumberToItem(&plaintext, msWrapMech, 4); |
1321 if (rv != SECSuccess) goto loser; | 1363 if (rv != SECSuccess) |
| 1364 goto loser; |
1322 rv = ssl3_AppendNumberToItem(&plaintext, ms_item.len, 2); | 1365 rv = ssl3_AppendNumberToItem(&plaintext, ms_item.len, 2); |
1323 if (rv != SECSuccess) goto loser; | 1366 if (rv != SECSuccess) |
| 1367 goto loser; |
1324 rv = ssl3_AppendToItem(&plaintext, ms_item.data, ms_item.len); | 1368 rv = ssl3_AppendToItem(&plaintext, ms_item.data, ms_item.len); |
1325 if (rv != SECSuccess) goto loser; | 1369 if (rv != SECSuccess) |
| 1370 goto loser; |
1326 | 1371 |
1327 /* client_identity */ | 1372 /* client_identity */ |
1328 if (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) { | 1373 if (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) { |
1329 rv = ssl3_AppendNumberToItem(&plaintext, CLIENT_AUTH_CERTIFICATE, 1); | 1374 rv = ssl3_AppendNumberToItem(&plaintext, CLIENT_AUTH_CERTIFICATE, 1); |
1330 if (rv != SECSuccess) goto loser; | 1375 if (rv != SECSuccess) |
| 1376 goto loser; |
1331 rv = ssl3_AppendNumberToItem(&plaintext, | 1377 rv = ssl3_AppendNumberToItem(&plaintext, |
1332 ss->sec.ci.sid->peerCert->derCert.len, 3); | 1378 ss->sec.ci.sid->peerCert->derCert.len, 3); |
1333 if (rv != SECSuccess) goto loser; | 1379 if (rv != SECSuccess) |
| 1380 goto loser; |
1334 rv = ssl3_AppendToItem(&plaintext, | 1381 rv = ssl3_AppendToItem(&plaintext, |
1335 ss->sec.ci.sid->peerCert->derCert.data, | 1382 ss->sec.ci.sid->peerCert->derCert.data, |
1336 ss->sec.ci.sid->peerCert->derCert.len); | 1383 ss->sec.ci.sid->peerCert->derCert.len); |
1337 if (rv != SECSuccess) goto loser; | 1384 if (rv != SECSuccess) |
| 1385 goto loser; |
1338 } else { | 1386 } else { |
1339 rv = ssl3_AppendNumberToItem(&plaintext, 0, 1); | 1387 rv = ssl3_AppendNumberToItem(&plaintext, 0, 1); |
1340 if (rv != SECSuccess) goto loser; | 1388 if (rv != SECSuccess) |
| 1389 goto loser; |
1341 } | 1390 } |
1342 | 1391 |
1343 /* timestamp */ | 1392 /* timestamp */ |
1344 now = ssl_Time(); | 1393 now = ssl_Time(); |
1345 rv = ssl3_AppendNumberToItem(&plaintext, now, | 1394 rv = ssl3_AppendNumberToItem(&plaintext, now, |
1346 sizeof(ticket.ticket_lifetime_hint)); | 1395 sizeof(ticket.ticket_lifetime_hint)); |
1347 if (rv != SECSuccess) goto loser; | 1396 if (rv != SECSuccess) |
| 1397 goto loser; |
1348 | 1398 |
1349 if (srvNameLen) { | 1399 if (srvNameLen) { |
1350 /* Name Type (sni_host_name) */ | 1400 /* Name Type (sni_host_name) */ |
1351 rv = ssl3_AppendNumberToItem(&plaintext, srvName->type, 1); | 1401 rv = ssl3_AppendNumberToItem(&plaintext, srvName->type, 1); |
1352 if (rv != SECSuccess) goto loser; | 1402 if (rv != SECSuccess) |
| 1403 goto loser; |
1353 /* HostName (length and value) */ | 1404 /* HostName (length and value) */ |
1354 rv = ssl3_AppendNumberToItem(&plaintext, srvName->len, 2); | 1405 rv = ssl3_AppendNumberToItem(&plaintext, srvName->len, 2); |
1355 if (rv != SECSuccess) goto loser; | 1406 if (rv != SECSuccess) |
| 1407 goto loser; |
1356 rv = ssl3_AppendToItem(&plaintext, srvName->data, srvName->len); | 1408 rv = ssl3_AppendToItem(&plaintext, srvName->data, srvName->len); |
1357 if (rv != SECSuccess) goto loser; | 1409 if (rv != SECSuccess) |
| 1410 goto loser; |
1358 } else { | 1411 } else { |
1359 /* No Name */ | 1412 /* No Name */ |
1360 rv = ssl3_AppendNumberToItem(&plaintext, (char)TLS_STE_NO_SERVER_NAME, | 1413 rv = ssl3_AppendNumberToItem(&plaintext, (char)TLS_STE_NO_SERVER_NAME, 1
); |
1361 1); | 1414 if (rv != SECSuccess) |
1362 if (rv != SECSuccess) goto loser; | 1415 goto loser; |
1363 } | 1416 } |
1364 | 1417 |
1365 /* extendedMasterSecretUsed */ | 1418 /* extendedMasterSecretUsed */ |
1366 rv = ssl3_AppendNumberToItem( | 1419 rv = ssl3_AppendNumberToItem( |
1367 &plaintext, ss->sec.ci.sid->u.ssl3.keys.extendedMasterSecretUsed, 1); | 1420 &plaintext, ss->sec.ci.sid->u.ssl3.keys.extendedMasterSecretUsed, 1); |
1368 if (rv != SECSuccess) goto loser; | 1421 if (rv != SECSuccess) |
| 1422 goto loser; |
1369 | 1423 |
1370 PORT_Assert(plaintext.len == padding_length); | 1424 PORT_Assert(plaintext.len == padding_length); |
1371 for (i = 0; i < padding_length; i++) | 1425 for (i = 0; i < padding_length; i++) |
1372 plaintext.data[i] = (unsigned char)padding_length; | 1426 plaintext.data[i] = (unsigned char)padding_length; |
1373 | 1427 |
1374 if (SECITEM_AllocItem(NULL, &ciphertext, ciphertext_length) == NULL) { | 1428 if (SECITEM_AllocItem(NULL, &ciphertext, ciphertext_length) == NULL) { |
1375 rv = SECFailure; | 1429 rv = SECFailure; |
1376 goto loser; | 1430 goto loser; |
1377 } | 1431 } |
1378 | 1432 |
1379 /* Generate encrypted portion of ticket. */ | 1433 /* Generate encrypted portion of ticket. */ |
1380 #ifndef NO_PKCS11_BYPASS | 1434 #ifndef NO_PKCS11_BYPASS |
1381 if (ss->opt.bypassPKCS11) { | 1435 if (ss->opt.bypassPKCS11) { |
1382 aes_ctx = (AESContext *)aes_ctx_buf; | 1436 aes_ctx = (AESContext *)aes_ctx_buf; |
1383 rv = AES_InitContext(aes_ctx, aes_key, aes_key_length, iv, | 1437 rv = AES_InitContext(aes_ctx, aes_key, aes_key_length, iv, |
1384 NSS_AES_CBC, 1, AES_BLOCK_SIZE); | 1438 NSS_AES_CBC, 1, AES_BLOCK_SIZE); |
1385 if (rv != SECSuccess) goto loser; | 1439 if (rv != SECSuccess) |
| 1440 goto loser; |
1386 | 1441 |
1387 rv = AES_Encrypt(aes_ctx, ciphertext.data, &ciphertext.len, | 1442 rv = AES_Encrypt(aes_ctx, ciphertext.data, &ciphertext.len, |
1388 ciphertext.len, plaintext_item.data, | 1443 ciphertext.len, plaintext_item.data, |
1389 plaintext_item.len); | 1444 plaintext_item.len); |
1390 if (rv != SECSuccess) goto loser; | 1445 if (rv != SECSuccess) |
| 1446 goto loser; |
1391 } else | 1447 } else |
1392 #endif | 1448 #endif |
1393 { | 1449 { |
1394 aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech, | 1450 aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech, |
1395 CKA_ENCRYPT, aes_key_pkcs11, &ivItem); | 1451 CKA_ENCRYPT, aes_key_pkcs11,
&ivItem); |
1396 if (!aes_ctx_pkcs11) | 1452 if (!aes_ctx_pkcs11) |
1397 goto loser; | 1453 goto loser; |
1398 | 1454 |
1399 rv = PK11_CipherOp(aes_ctx_pkcs11, ciphertext.data, | 1455 rv = PK11_CipherOp(aes_ctx_pkcs11, ciphertext.data, |
1400 (int *)&ciphertext.len, ciphertext.len, | 1456 (int *)&ciphertext.len, ciphertext.len, |
1401 plaintext_item.data, plaintext_item.len); | 1457 plaintext_item.data, plaintext_item.len); |
1402 PK11_Finalize(aes_ctx_pkcs11); | 1458 PK11_Finalize(aes_ctx_pkcs11); |
1403 PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE); | 1459 PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE); |
1404 if (rv != SECSuccess) goto loser; | 1460 if (rv != SECSuccess) |
| 1461 goto loser; |
1405 } | 1462 } |
1406 | 1463 |
1407 /* Convert ciphertext length to network order. */ | 1464 /* Convert ciphertext length to network order. */ |
1408 length_buf[0] = (ciphertext.len >> 8) & 0xff; | 1465 length_buf[0] = (ciphertext.len >> 8) & 0xff; |
1409 length_buf[1] = (ciphertext.len ) & 0xff; | 1466 length_buf[1] = (ciphertext.len) & 0xff; |
1410 | 1467 |
1411 /* Compute MAC. */ | 1468 /* Compute MAC. */ |
1412 #ifndef NO_PKCS11_BYPASS | 1469 #ifndef NO_PKCS11_BYPASS |
1413 if (ss->opt.bypassPKCS11) { | 1470 if (ss->opt.bypassPKCS11) { |
1414 hmac_ctx = (HMACContext *)hmac_ctx_buf; | 1471 hmac_ctx = (HMACContext *)hmac_ctx_buf; |
1415 hashObj = HASH_GetRawHashObject(HASH_AlgSHA256); | 1472 hashObj = HASH_GetRawHashObject(HASH_AlgSHA256); |
1416 if (HMAC_Init(hmac_ctx, hashObj, mac_key, | 1473 if (HMAC_Init(hmac_ctx, hashObj, mac_key, |
1417 mac_key_length, PR_FALSE) != SECSuccess) | 1474 mac_key_length, PR_FALSE) != SECSuccess) |
1418 goto loser; | 1475 goto loser; |
1419 | 1476 |
1420 HMAC_Begin(hmac_ctx); | 1477 HMAC_Begin(hmac_ctx); |
1421 HMAC_Update(hmac_ctx, key_name, SESS_TICKET_KEY_NAME_LEN); | 1478 HMAC_Update(hmac_ctx, key_name, SESS_TICKET_KEY_NAME_LEN); |
1422 HMAC_Update(hmac_ctx, iv, sizeof(iv)); | 1479 HMAC_Update(hmac_ctx, iv, sizeof(iv)); |
1423 HMAC_Update(hmac_ctx, (unsigned char *)length_buf, 2); | 1480 HMAC_Update(hmac_ctx, (unsigned char *)length_buf, 2); |
1424 HMAC_Update(hmac_ctx, ciphertext.data, ciphertext.len); | 1481 HMAC_Update(hmac_ctx, ciphertext.data, ciphertext.len); |
1425 HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length, | 1482 HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length, |
1426 sizeof(computed_mac)); | 1483 sizeof(computed_mac)); |
1427 } else | 1484 } else |
1428 #endif | 1485 #endif |
1429 { | 1486 { |
1430 SECItem macParam; | 1487 SECItem macParam; |
1431 macParam.data = NULL; | 1488 macParam.data = NULL; |
1432 macParam.len = 0; | 1489 macParam.len = 0; |
1433 hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech, | 1490 hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech, |
1434 CKA_SIGN, mac_key_pkcs11, &macParam); | 1491 CKA_SIGN, mac_key_pkcs11, &
macParam); |
1435 if (!hmac_ctx_pkcs11) | 1492 if (!hmac_ctx_pkcs11) |
1436 goto loser; | 1493 goto loser; |
1437 | 1494 |
1438 rv = PK11_DigestBegin(hmac_ctx_pkcs11); | 1495 rv = PK11_DigestBegin(hmac_ctx_pkcs11); |
1439 if (rv != SECSuccess) goto loser; | 1496 if (rv != SECSuccess) |
| 1497 goto loser; |
1440 rv = PK11_DigestOp(hmac_ctx_pkcs11, key_name, | 1498 rv = PK11_DigestOp(hmac_ctx_pkcs11, key_name, |
1441 SESS_TICKET_KEY_NAME_LEN); | 1499 SESS_TICKET_KEY_NAME_LEN); |
1442 if (rv != SECSuccess) goto loser; | 1500 if (rv != SECSuccess) |
| 1501 goto loser; |
1443 rv = PK11_DigestOp(hmac_ctx_pkcs11, iv, sizeof(iv)); | 1502 rv = PK11_DigestOp(hmac_ctx_pkcs11, iv, sizeof(iv)); |
1444 if (rv != SECSuccess) goto loser; | 1503 if (rv != SECSuccess) |
| 1504 goto loser; |
1445 rv = PK11_DigestOp(hmac_ctx_pkcs11, (unsigned char *)length_buf, 2); | 1505 rv = PK11_DigestOp(hmac_ctx_pkcs11, (unsigned char *)length_buf, 2); |
1446 if (rv != SECSuccess) goto loser; | 1506 if (rv != SECSuccess) |
| 1507 goto loser; |
1447 rv = PK11_DigestOp(hmac_ctx_pkcs11, ciphertext.data, ciphertext.len); | 1508 rv = PK11_DigestOp(hmac_ctx_pkcs11, ciphertext.data, ciphertext.len); |
1448 if (rv != SECSuccess) goto loser; | 1509 if (rv != SECSuccess) |
| 1510 goto loser; |
1449 rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac, | 1511 rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac, |
1450 &computed_mac_length, sizeof(computed_mac)); | 1512 &computed_mac_length, sizeof(computed_mac)); |
1451 if (rv != SECSuccess) goto loser; | 1513 if (rv != SECSuccess) |
| 1514 goto loser; |
1452 } | 1515 } |
1453 | 1516 |
1454 /* Serialize the handshake message. */ | 1517 /* Serialize the handshake message. */ |
1455 rv = ssl3_AppendHandshakeHeader(ss, new_session_ticket, message_length); | 1518 rv = ssl3_AppendHandshakeHeader(ss, new_session_ticket, message_length); |
1456 if (rv != SECSuccess) goto loser; | 1519 if (rv != SECSuccess) |
| 1520 goto loser; |
1457 | 1521 |
1458 rv = ssl3_AppendHandshakeNumber(ss, ticket.ticket_lifetime_hint, | 1522 rv = ssl3_AppendHandshakeNumber(ss, ticket.ticket_lifetime_hint, |
1459 sizeof(ticket.ticket_lifetime_hint)); | 1523 sizeof(ticket.ticket_lifetime_hint)); |
1460 if (rv != SECSuccess) goto loser; | 1524 if (rv != SECSuccess) |
| 1525 goto loser; |
1461 | 1526 |
1462 rv = ssl3_AppendHandshakeNumber(ss, | 1527 rv = ssl3_AppendHandshakeNumber(ss, |
1463 message_length - sizeof(ticket.ticket_lifetime_hint) - 2, 2); | 1528 message_length - sizeof(ticket.ticket_lifeti
me_hint) - 2, |
1464 if (rv != SECSuccess) goto loser; | 1529 2); |
| 1530 if (rv != SECSuccess) |
| 1531 goto loser; |
1465 | 1532 |
1466 rv = ssl3_AppendHandshake(ss, key_name, SESS_TICKET_KEY_NAME_LEN); | 1533 rv = ssl3_AppendHandshake(ss, key_name, SESS_TICKET_KEY_NAME_LEN); |
1467 if (rv != SECSuccess) goto loser; | 1534 if (rv != SECSuccess) |
| 1535 goto loser; |
1468 | 1536 |
1469 rv = ssl3_AppendHandshake(ss, iv, sizeof(iv)); | 1537 rv = ssl3_AppendHandshake(ss, iv, sizeof(iv)); |
1470 if (rv != SECSuccess) goto loser; | 1538 if (rv != SECSuccess) |
| 1539 goto loser; |
1471 | 1540 |
1472 rv = ssl3_AppendHandshakeVariable(ss, ciphertext.data, ciphertext.len, 2); | 1541 rv = ssl3_AppendHandshakeVariable(ss, ciphertext.data, ciphertext.len, 2); |
1473 if (rv != SECSuccess) goto loser; | 1542 if (rv != SECSuccess) |
| 1543 goto loser; |
1474 | 1544 |
1475 rv = ssl3_AppendHandshake(ss, computed_mac, computed_mac_length); | 1545 rv = ssl3_AppendHandshake(ss, computed_mac, computed_mac_length); |
1476 if (rv != SECSuccess) goto loser; | 1546 if (rv != SECSuccess) |
| 1547 goto loser; |
1477 | 1548 |
1478 loser: | 1549 loser: |
1479 if (hmac_ctx_pkcs11) | 1550 if (hmac_ctx_pkcs11) |
1480 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); | 1551 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); |
1481 if (plaintext_item.data) | 1552 if (plaintext_item.data) |
1482 SECITEM_FreeItem(&plaintext_item, PR_FALSE); | 1553 SECITEM_FreeItem(&plaintext_item, PR_FALSE); |
1483 if (ciphertext.data) | 1554 if (ciphertext.data) |
1484 SECITEM_FreeItem(&ciphertext, PR_FALSE); | 1555 SECITEM_FreeItem(&ciphertext, PR_FALSE); |
1485 | 1556 |
1486 return rv; | 1557 return rv; |
1487 } | 1558 } |
1488 | 1559 |
1489 /* When a client receives a SessionTicket extension a NewSessionTicket | 1560 /* When a client receives a SessionTicket extension a NewSessionTicket |
1490 * message is expected during the handshake. | 1561 * message is expected during the handshake. |
1491 */ | 1562 */ |
1492 SECStatus | 1563 SECStatus |
1493 ssl3_ClientHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type, | 1564 ssl3_ClientHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type, |
1494 SECItem *data) | 1565 SECItem *data) |
1495 { | 1566 { |
1496 if (data->len != 0) { | 1567 if (data->len != 0) { |
1497 return SECSuccess; /* Ignore the extension. */ | 1568 return SECSuccess; /* Ignore the extension. */ |
1498 } | 1569 } |
1499 | 1570 |
1500 /* Keep track of negotiated extensions. */ | 1571 /* Keep track of negotiated extensions. */ |
1501 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | 1572 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
1502 return SECSuccess; | 1573 return SECSuccess; |
1503 } | 1574 } |
1504 | 1575 |
1505 SECStatus | 1576 SECStatus |
1506 ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type, | 1577 ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type, |
1507 SECItem *data) | 1578 SECItem *data) |
(...skipping 13 matching lines...) Expand all Loading... |
1521 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | 1592 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
1522 | 1593 |
1523 /* Parse the received ticket sent in by the client. We are | 1594 /* Parse the received ticket sent in by the client. We are |
1524 * lenient about some parse errors, falling back to a fullshake | 1595 * lenient about some parse errors, falling back to a fullshake |
1525 * instead of terminating the current connection. | 1596 * instead of terminating the current connection. |
1526 */ | 1597 */ |
1527 if (data->len == 0) { | 1598 if (data->len == 0) { |
1528 ss->xtnData.emptySessionTicket = PR_TRUE; | 1599 ss->xtnData.emptySessionTicket = PR_TRUE; |
1529 } else { | 1600 } else { |
1530 PRUint32 i; | 1601 PRUint32 i; |
1531 SECItem extension_data; | 1602 SECItem extension_data; |
1532 EncryptedSessionTicket enc_session_ticket; | 1603 EncryptedSessionTicket enc_session_ticket; |
1533 unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH]; | 1604 unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH]; |
1534 unsigned int computed_mac_length; | 1605 unsigned int computed_mac_length; |
1535 #ifndef NO_PKCS11_BYPASS | 1606 #ifndef NO_PKCS11_BYPASS |
1536 const SECHashObject *hashObj; | 1607 const SECHashObject *hashObj; |
1537 const unsigned char *aes_key; | 1608 const unsigned char *aes_key; |
1538 const unsigned char *mac_key; | 1609 const unsigned char *mac_key; |
1539 PRUint32 aes_key_length; | 1610 PRUint32 aes_key_length; |
1540 PRUint32 mac_key_length; | 1611 PRUint32 mac_key_length; |
1541 PRUint64 hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS]; | 1612 PRUint64 hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS]; |
1542 HMACContext *hmac_ctx; | 1613 HMACContext *hmac_ctx; |
1543 PRUint64 aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS]; | 1614 PRUint64 aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS]; |
1544 AESContext *aes_ctx; | 1615 AESContext *aes_ctx; |
1545 #endif | 1616 #endif |
1546 PK11SymKey *aes_key_pkcs11; | 1617 PK11SymKey *aes_key_pkcs11; |
1547 PK11SymKey *mac_key_pkcs11; | 1618 PK11SymKey *mac_key_pkcs11; |
1548 PK11Context *hmac_ctx_pkcs11; | 1619 PK11Context *hmac_ctx_pkcs11; |
1549 CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC; | 1620 CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC; |
1550 PK11Context *aes_ctx_pkcs11; | 1621 PK11Context *aes_ctx_pkcs11; |
1551 CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC; | 1622 CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC; |
1552 unsigned char * padding; | 1623 unsigned char *padding; |
1553 PRUint32 padding_length; | 1624 PRUint32 padding_length; |
1554 unsigned char *buffer; | 1625 unsigned char *buffer; |
1555 unsigned int buffer_len; | 1626 unsigned int buffer_len; |
1556 PRInt32 temp; | 1627 PRInt32 temp; |
1557 SECItem cert_item; | 1628 SECItem cert_item; |
1558 PRInt8 nameType = TLS_STE_NO_SERVER_NAME; | 1629 PRInt8 nameType = TLS_STE_NO_SERVER_NAME; |
1559 | 1630 |
1560 /* Turn off stateless session resumption if the client sends a | 1631 /* Turn off stateless session resumption if the client sends a |
1561 * SessionTicket extension, even if the extension turns out to be | 1632 * SessionTicket extension, even if the extension turns out to be |
1562 * malformed (ss->sec.ci.sid is non-NULL when doing session | 1633 * malformed (ss->sec.ci.sid is non-NULL when doing session |
1563 * renegotiation.) | 1634 * renegotiation.) |
1564 */ | 1635 */ |
1565 if (ss->sec.ci.sid != NULL) { | 1636 if (ss->sec.ci.sid != NULL) { |
1566 if (ss->sec.uncache) | 1637 if (ss->sec.uncache) |
1567 ss->sec.uncache(ss->sec.ci.sid); | 1638 ss->sec.uncache(ss->sec.ci.sid); |
1568 ssl_FreeSID(ss->sec.ci.sid); | 1639 ssl_FreeSID(ss->sec.ci.sid); |
1569 ss->sec.ci.sid = NULL; | 1640 ss->sec.ci.sid = NULL; |
1570 } | 1641 } |
1571 | 1642 |
1572 extension_data.data = data->data; /* Keep a copy for future use. */ | 1643 extension_data.data = data->data; /* Keep a copy for future use. */ |
1573 extension_data.len = data->len; | 1644 extension_data.len = data->len; |
1574 | 1645 |
1575 if (ssl3_ParseEncryptedSessionTicket(ss, data, &enc_session_ticket) | 1646 if (ssl3_ParseEncryptedSessionTicket(ss, data, &enc_session_ticket) != |
1576 != SECSuccess) { | 1647 SECSuccess) { |
1577 return SECSuccess; /* Pretend it isn't there */ | 1648 return SECSuccess; /* Pretend it isn't there */ |
1578 } | 1649 } |
1579 | 1650 |
1580 /* Get session ticket keys. */ | 1651 /* Get session ticket keys. */ |
1581 #ifndef NO_PKCS11_BYPASS | 1652 #ifndef NO_PKCS11_BYPASS |
1582 if (ss->opt.bypassPKCS11) { | 1653 if (ss->opt.bypassPKCS11) { |
1583 rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length, | 1654 rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length, |
1584 &mac_key, &mac_key_length); | 1655 &mac_key, &mac_key_length); |
1585 } else | 1656 } else |
1586 #endif | 1657 #endif |
1587 { | 1658 { |
1588 rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11, | 1659 rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11, |
1589 &mac_key_pkcs11); | 1660 &mac_key_pkcs11); |
1590 } | 1661 } |
1591 if (rv != SECSuccess) { | 1662 if (rv != SECSuccess) { |
1592 SSL_DBG(("%d: SSL[%d]: Unable to get/generate session ticket keys.", | 1663 SSL_DBG(("%d: SSL[%d]: Unable to get/generate session ticket keys.", |
1593 SSL_GETPID(), ss->fd)); | 1664 SSL_GETPID(), ss->fd)); |
1594 goto loser; | 1665 goto loser; |
1595 } | 1666 } |
1596 | 1667 |
1597 /* If the ticket sent by the client was generated under a key different | 1668 /* If the ticket sent by the client was generated under a key different |
1598 * from the one we have, bypass ticket processing. | 1669 * from the one we have, bypass ticket processing. |
1599 */ | 1670 */ |
1600 if (PORT_Memcmp(enc_session_ticket.key_name, key_name, | 1671 if (PORT_Memcmp(enc_session_ticket.key_name, key_name, |
1601 SESS_TICKET_KEY_NAME_LEN) != 0) { | 1672 SESS_TICKET_KEY_NAME_LEN) != 0) { |
1602 SSL_DBG(("%d: SSL[%d]: Session ticket key_name sent mismatch.", | 1673 SSL_DBG(("%d: SSL[%d]: Session ticket key_name sent mismatch.", |
1603 SSL_GETPID(), ss->fd)); | 1674 SSL_GETPID(), ss->fd)); |
1604 goto no_ticket; | 1675 goto no_ticket; |
1605 } | 1676 } |
1606 | 1677 |
1607 /* Verify the MAC on the ticket. MAC verification may also | 1678 /* Verify the MAC on the ticket. MAC verification may also |
1608 * fail if the MAC key has been recently refreshed. | 1679 * fail if the MAC key has been recently refreshed. |
1609 */ | 1680 */ |
1610 #ifndef NO_PKCS11_BYPASS | 1681 #ifndef NO_PKCS11_BYPASS |
1611 if (ss->opt.bypassPKCS11) { | 1682 if (ss->opt.bypassPKCS11) { |
1612 hmac_ctx = (HMACContext *)hmac_ctx_buf; | 1683 hmac_ctx = (HMACContext *)hmac_ctx_buf; |
1613 hashObj = HASH_GetRawHashObject(HASH_AlgSHA256); | 1684 hashObj = HASH_GetRawHashObject(HASH_AlgSHA256); |
1614 if (HMAC_Init(hmac_ctx, hashObj, mac_key, | 1685 if (HMAC_Init(hmac_ctx, hashObj, mac_key, |
1615 sizeof(session_ticket_mac_key), PR_FALSE) != SECSuccess) | 1686 sizeof(session_ticket_mac_key), PR_FALSE) != SECSucces
s) |
1616 goto no_ticket; | 1687 goto no_ticket; |
1617 HMAC_Begin(hmac_ctx); | 1688 HMAC_Begin(hmac_ctx); |
1618 HMAC_Update(hmac_ctx, extension_data.data, | 1689 HMAC_Update(hmac_ctx, extension_data.data, |
1619 extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH); | 1690 extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH); |
1620 if (HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length, | 1691 if (HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length, |
1621 sizeof(computed_mac)) != SECSuccess) | 1692 sizeof(computed_mac)) != SECSuccess) |
1622 goto no_ticket; | 1693 goto no_ticket; |
1623 } else | 1694 } else |
1624 #endif | 1695 #endif |
1625 { | 1696 { |
1626 SECItem macParam; | 1697 SECItem macParam; |
1627 macParam.data = NULL; | 1698 macParam.data = NULL; |
1628 macParam.len = 0; | 1699 macParam.len = 0; |
1629 hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech, | 1700 hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech, |
1630 CKA_SIGN, mac_key_pkcs11, &macParam); | 1701 CKA_SIGN, mac_key_pkcs1
1, &macParam); |
1631 if (!hmac_ctx_pkcs11) { | 1702 if (!hmac_ctx_pkcs11) { |
1632 SSL_DBG(("%d: SSL[%d]: Unable to create HMAC context: %d.", | 1703 SSL_DBG(("%d: SSL[%d]: Unable to create HMAC context: %d.", |
1633 SSL_GETPID(), ss->fd, PORT_GetError())); | 1704 SSL_GETPID(), ss->fd, PORT_GetError())); |
1634 goto no_ticket; | 1705 goto no_ticket; |
1635 } else { | 1706 } else { |
1636 SSL_DBG(("%d: SSL[%d]: Successfully created HMAC context.", | 1707 SSL_DBG(("%d: SSL[%d]: Successfully created HMAC context.", |
1637 SSL_GETPID(), ss->fd)); | 1708 SSL_GETPID(), ss->fd)); |
1638 } | 1709 } |
1639 rv = PK11_DigestBegin(hmac_ctx_pkcs11); | 1710 rv = PK11_DigestBegin(hmac_ctx_pkcs11); |
1640 rv = PK11_DigestOp(hmac_ctx_pkcs11, extension_data.data, | 1711 rv = PK11_DigestOp(hmac_ctx_pkcs11, extension_data.data, |
1641 extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH); | 1712 extension_data.len - |
| 1713 TLS_EX_SESS_TICKET_MAC_LENGTH); |
1642 if (rv != SECSuccess) { | 1714 if (rv != SECSuccess) { |
1643 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); | 1715 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); |
1644 goto no_ticket; | 1716 goto no_ticket; |
1645 } | 1717 } |
1646 rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac, | 1718 rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac, |
1647 &computed_mac_length, sizeof(computed_mac)); | 1719 &computed_mac_length, sizeof(computed_mac)); |
1648 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); | 1720 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); |
1649 if (rv != SECSuccess) | 1721 if (rv != SECSuccess) |
1650 goto no_ticket; | 1722 goto no_ticket; |
1651 } | 1723 } |
1652 if (NSS_SecureMemcmp(computed_mac, enc_session_ticket.mac, | 1724 if (NSS_SecureMemcmp(computed_mac, enc_session_ticket.mac, |
1653 computed_mac_length) != 0) { | 1725 computed_mac_length) != |
| 1726 0) { |
1654 SSL_DBG(("%d: SSL[%d]: Session ticket MAC mismatch.", | 1727 SSL_DBG(("%d: SSL[%d]: Session ticket MAC mismatch.", |
1655 SSL_GETPID(), ss->fd)); | 1728 SSL_GETPID(), ss->fd)); |
1656 goto no_ticket; | 1729 goto no_ticket; |
1657 } | 1730 } |
1658 | 1731 |
1659 /* We ignore key_name for now. | 1732 /* We ignore key_name for now. |
1660 * This is ok as MAC verification succeeded. | 1733 * This is ok as MAC verification succeeded. |
1661 */ | 1734 */ |
1662 | 1735 |
1663 /* Decrypt the ticket. */ | 1736 /* Decrypt the ticket. */ |
1664 | 1737 |
1665 /* Plaintext is shorter than the ciphertext due to padding. */ | 1738 /* Plaintext is shorter than the ciphertext due to padding. */ |
1666 decrypted_state = SECITEM_AllocItem(NULL, NULL, | 1739 decrypted_state = SECITEM_AllocItem(NULL, NULL, |
1667 enc_session_ticket.encrypted_state.len); | 1740 enc_session_ticket.encrypted_state.l
en); |
1668 | 1741 |
1669 #ifndef NO_PKCS11_BYPASS | 1742 #ifndef NO_PKCS11_BYPASS |
1670 if (ss->opt.bypassPKCS11) { | 1743 if (ss->opt.bypassPKCS11) { |
1671 aes_ctx = (AESContext *)aes_ctx_buf; | 1744 aes_ctx = (AESContext *)aes_ctx_buf; |
1672 rv = AES_InitContext(aes_ctx, aes_key, | 1745 rv = AES_InitContext(aes_ctx, aes_key, |
1673 sizeof(session_ticket_enc_key), enc_session_ticket.iv, | 1746 sizeof(session_ticket_enc_key), enc_session_tic
ket.iv, |
1674 NSS_AES_CBC, 0,AES_BLOCK_SIZE); | 1747 NSS_AES_CBC, 0, AES_BLOCK_SIZE); |
1675 if (rv != SECSuccess) { | 1748 if (rv != SECSuccess) { |
1676 SSL_DBG(("%d: SSL[%d]: Unable to create AES context.", | 1749 SSL_DBG(("%d: SSL[%d]: Unable to create AES context.", |
1677 SSL_GETPID(), ss->fd)); | 1750 SSL_GETPID(), ss->fd)); |
1678 goto no_ticket; | 1751 goto no_ticket; |
1679 } | 1752 } |
1680 | 1753 |
1681 rv = AES_Decrypt(aes_ctx, decrypted_state->data, | 1754 rv = AES_Decrypt(aes_ctx, decrypted_state->data, |
1682 &decrypted_state->len, decrypted_state->len, | 1755 &decrypted_state->len, decrypted_state->len, |
1683 enc_session_ticket.encrypted_state.data, | 1756 enc_session_ticket.encrypted_state.data, |
1684 enc_session_ticket.encrypted_state.len); | 1757 enc_session_ticket.encrypted_state.len); |
1685 if (rv != SECSuccess) | 1758 if (rv != SECSuccess) |
1686 goto no_ticket; | 1759 goto no_ticket; |
1687 } else | 1760 } else |
1688 #endif | 1761 #endif |
1689 { | 1762 { |
1690 SECItem ivItem; | 1763 SECItem ivItem; |
1691 ivItem.data = enc_session_ticket.iv; | 1764 ivItem.data = enc_session_ticket.iv; |
1692 ivItem.len = AES_BLOCK_SIZE; | 1765 ivItem.len = AES_BLOCK_SIZE; |
1693 aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech, | 1766 aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech, |
1694 CKA_DECRYPT, aes_key_pkcs11, &ivItem); | 1767 CKA_DECRYPT, aes_key_pkc
s11, &ivItem); |
1695 if (!aes_ctx_pkcs11) { | 1768 if (!aes_ctx_pkcs11) { |
1696 SSL_DBG(("%d: SSL[%d]: Unable to create AES context.", | 1769 SSL_DBG(("%d: SSL[%d]: Unable to create AES context.", |
1697 SSL_GETPID(), ss->fd)); | 1770 SSL_GETPID(), ss->fd)); |
1698 goto no_ticket; | 1771 goto no_ticket; |
1699 } | 1772 } |
1700 | 1773 |
1701 rv = PK11_CipherOp(aes_ctx_pkcs11, decrypted_state->data, | 1774 rv = PK11_CipherOp(aes_ctx_pkcs11, decrypted_state->data, |
1702 (int *)&decrypted_state->len, decrypted_state->len, | 1775 (int *)&decrypted_state->len, decrypted_state->le
n, |
1703 enc_session_ticket.encrypted_state.data, | 1776 enc_session_ticket.encrypted_state.data, |
1704 enc_session_ticket.encrypted_state.len); | 1777 enc_session_ticket.encrypted_state.len); |
1705 PK11_Finalize(aes_ctx_pkcs11); | 1778 PK11_Finalize(aes_ctx_pkcs11); |
1706 PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE); | 1779 PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE); |
1707 if (rv != SECSuccess) | 1780 if (rv != SECSuccess) |
1708 goto no_ticket; | 1781 goto no_ticket; |
1709 } | 1782 } |
1710 | 1783 |
1711 /* Check padding. */ | 1784 /* Check padding. */ |
1712 padding_length = | 1785 padding_length = |
1713 (PRUint32)decrypted_state->data[decrypted_state->len - 1]; | 1786 (PRUint32)decrypted_state->data[decrypted_state->len - 1]; |
1714 if (padding_length == 0 || padding_length > AES_BLOCK_SIZE) | 1787 if (padding_length == 0 || padding_length > AES_BLOCK_SIZE) |
(...skipping 10 matching lines...) Expand all Loading... |
1725 buffer_len = decrypted_state->len; | 1798 buffer_len = decrypted_state->len; |
1726 | 1799 |
1727 parsed_session_ticket = PORT_ZAlloc(sizeof(SessionTicket)); | 1800 parsed_session_ticket = PORT_ZAlloc(sizeof(SessionTicket)); |
1728 if (parsed_session_ticket == NULL) { | 1801 if (parsed_session_ticket == NULL) { |
1729 rv = SECFailure; | 1802 rv = SECFailure; |
1730 goto loser; | 1803 goto loser; |
1731 } | 1804 } |
1732 | 1805 |
1733 /* Read ticket_version and reject if the version is wrong */ | 1806 /* Read ticket_version and reject if the version is wrong */ |
1734 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); | 1807 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); |
1735 if (temp != TLS_EX_SESS_TICKET_VERSION) goto no_ticket; | 1808 if (temp != TLS_EX_SESS_TICKET_VERSION) |
| 1809 goto no_ticket; |
1736 | 1810 |
1737 parsed_session_ticket->ticket_version = (SSL3ProtocolVersion)temp; | 1811 parsed_session_ticket->ticket_version = (SSL3ProtocolVersion)temp; |
1738 | 1812 |
1739 /* Read SSLVersion. */ | 1813 /* Read SSLVersion. */ |
1740 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); | 1814 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); |
1741 if (temp < 0) goto no_ticket; | 1815 if (temp < 0) |
| 1816 goto no_ticket; |
1742 parsed_session_ticket->ssl_version = (SSL3ProtocolVersion)temp; | 1817 parsed_session_ticket->ssl_version = (SSL3ProtocolVersion)temp; |
1743 | 1818 |
1744 /* Read cipher_suite. */ | 1819 /* Read cipher_suite. */ |
1745 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); | 1820 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); |
1746 if (temp < 0) goto no_ticket; | 1821 if (temp < 0) |
| 1822 goto no_ticket; |
1747 parsed_session_ticket->cipher_suite = (ssl3CipherSuite)temp; | 1823 parsed_session_ticket->cipher_suite = (ssl3CipherSuite)temp; |
1748 | 1824 |
1749 /* Read compression_method. */ | 1825 /* Read compression_method. */ |
1750 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); | 1826 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); |
1751 if (temp < 0) goto no_ticket; | 1827 if (temp < 0) |
| 1828 goto no_ticket; |
1752 parsed_session_ticket->compression_method = (SSLCompressionMethod)temp; | 1829 parsed_session_ticket->compression_method = (SSLCompressionMethod)temp; |
1753 | 1830 |
1754 /* Read cipher spec parameters. */ | 1831 /* Read cipher spec parameters. */ |
1755 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); | 1832 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); |
1756 if (temp < 0) goto no_ticket; | 1833 if (temp < 0) |
| 1834 goto no_ticket; |
1757 parsed_session_ticket->authAlgorithm = (SSLSignType)temp; | 1835 parsed_session_ticket->authAlgorithm = (SSLSignType)temp; |
1758 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); | 1836 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); |
1759 if (temp < 0) goto no_ticket; | 1837 if (temp < 0) |
| 1838 goto no_ticket; |
1760 parsed_session_ticket->authKeyBits = (PRUint32)temp; | 1839 parsed_session_ticket->authKeyBits = (PRUint32)temp; |
1761 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); | 1840 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); |
1762 if (temp < 0) goto no_ticket; | 1841 if (temp < 0) |
| 1842 goto no_ticket; |
1763 parsed_session_ticket->keaType = (SSLKEAType)temp; | 1843 parsed_session_ticket->keaType = (SSLKEAType)temp; |
1764 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); | 1844 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); |
1765 if (temp < 0) goto no_ticket; | 1845 if (temp < 0) |
| 1846 goto no_ticket; |
1766 parsed_session_ticket->keaKeyBits = (PRUint32)temp; | 1847 parsed_session_ticket->keaKeyBits = (PRUint32)temp; |
1767 | 1848 |
1768 /* Read wrapped master_secret. */ | 1849 /* Read wrapped master_secret. */ |
1769 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); | 1850 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); |
1770 if (temp < 0) goto no_ticket; | 1851 if (temp < 0) |
| 1852 goto no_ticket; |
1771 parsed_session_ticket->ms_is_wrapped = (PRBool)temp; | 1853 parsed_session_ticket->ms_is_wrapped = (PRBool)temp; |
1772 | 1854 |
1773 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); | 1855 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); |
1774 if (temp < 0) goto no_ticket; | 1856 if (temp < 0) |
| 1857 goto no_ticket; |
1775 parsed_session_ticket->exchKeyType = (SSL3KEAType)temp; | 1858 parsed_session_ticket->exchKeyType = (SSL3KEAType)temp; |
1776 | 1859 |
1777 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); | 1860 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); |
1778 if (temp < 0) goto no_ticket; | 1861 if (temp < 0) |
| 1862 goto no_ticket; |
1779 parsed_session_ticket->msWrapMech = (CK_MECHANISM_TYPE)temp; | 1863 parsed_session_ticket->msWrapMech = (CK_MECHANISM_TYPE)temp; |
1780 | 1864 |
1781 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); | 1865 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); |
1782 if (temp < 0) goto no_ticket; | 1866 if (temp < 0) |
| 1867 goto no_ticket; |
1783 parsed_session_ticket->ms_length = (PRUint16)temp; | 1868 parsed_session_ticket->ms_length = (PRUint16)temp; |
1784 if (parsed_session_ticket->ms_length == 0 || /* sanity check MS. */ | 1869 if (parsed_session_ticket->ms_length == 0 || /* sanity check MS. */ |
1785 parsed_session_ticket->ms_length > | 1870 parsed_session_ticket->ms_length > |
1786 sizeof(parsed_session_ticket->master_secret)) | 1871 sizeof(parsed_session_ticket->master_secret)) |
1787 goto no_ticket; | 1872 goto no_ticket; |
1788 | 1873 |
1789 /* Allow for the wrapped master secret to be longer. */ | 1874 /* Allow for the wrapped master secret to be longer. */ |
1790 if (buffer_len < parsed_session_ticket->ms_length) | 1875 if (buffer_len < parsed_session_ticket->ms_length) |
1791 goto no_ticket; | 1876 goto no_ticket; |
1792 PORT_Memcpy(parsed_session_ticket->master_secret, buffer, | 1877 PORT_Memcpy(parsed_session_ticket->master_secret, buffer, |
1793 parsed_session_ticket->ms_length); | 1878 parsed_session_ticket->ms_length); |
1794 buffer += parsed_session_ticket->ms_length; | 1879 buffer += parsed_session_ticket->ms_length; |
1795 buffer_len -= parsed_session_ticket->ms_length; | 1880 buffer_len -= parsed_session_ticket->ms_length; |
1796 | 1881 |
1797 /* Read client_identity */ | 1882 /* Read client_identity */ |
1798 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); | 1883 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); |
1799 if (temp < 0) | 1884 if (temp < 0) |
1800 goto no_ticket; | 1885 goto no_ticket; |
1801 parsed_session_ticket->client_identity.client_auth_type = | 1886 parsed_session_ticket->client_identity.client_auth_type = |
1802 (ClientAuthenticationType)temp; | 1887 (ClientAuthenticationType)temp; |
1803 switch(parsed_session_ticket->client_identity.client_auth_type) { | 1888 switch (parsed_session_ticket->client_identity.client_auth_type) { |
1804 case CLIENT_AUTH_ANONYMOUS: | 1889 case CLIENT_AUTH_ANONYMOUS: |
1805 break; | 1890 break; |
1806 case CLIENT_AUTH_CERTIFICATE: | 1891 case CLIENT_AUTH_CERTIFICATE: |
1807 rv = ssl3_ConsumeHandshakeVariable(ss, &cert_item, 3, | 1892 rv = ssl3_ConsumeHandshakeVariable(ss, &cert_item, 3, |
1808 &buffer, &buffer_len); | 1893 &buffer, &buffer_len); |
1809 if (rv != SECSuccess) goto no_ticket; | 1894 if (rv != SECSuccess) |
| 1895 goto no_ticket; |
1810 rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->peer_cert, | 1896 rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->peer_cert, |
1811 &cert_item); | 1897 &cert_item); |
1812 if (rv != SECSuccess) goto no_ticket; | 1898 if (rv != SECSuccess) |
| 1899 goto no_ticket; |
1813 break; | 1900 break; |
1814 default: | 1901 default: |
1815 goto no_ticket; | 1902 goto no_ticket; |
1816 } | 1903 } |
1817 /* Read timestamp. */ | 1904 /* Read timestamp. */ |
1818 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); | 1905 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); |
1819 if (temp < 0) | 1906 if (temp < 0) |
1820 goto no_ticket; | 1907 goto no_ticket; |
1821 parsed_session_ticket->timestamp = (PRUint32)temp; | 1908 parsed_session_ticket->timestamp = (PRUint32)temp; |
1822 | 1909 |
1823 /* Read server name */ | 1910 /* Read server name */ |
1824 nameType = | 1911 nameType = |
1825 ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); | 1912 ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); |
1826 if (nameType != TLS_STE_NO_SERVER_NAME) { | 1913 if (nameType != TLS_STE_NO_SERVER_NAME) { |
1827 SECItem name_item; | 1914 SECItem name_item; |
1828 rv = ssl3_ConsumeHandshakeVariable(ss, &name_item, 2, &buffer, | 1915 rv = ssl3_ConsumeHandshakeVariable(ss, &name_item, 2, &buffer, |
1829 &buffer_len); | 1916 &buffer_len); |
1830 if (rv != SECSuccess) goto no_ticket; | 1917 if (rv != SECSuccess) |
| 1918 goto no_ticket; |
1831 rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->srvName, | 1919 rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->srvName, |
1832 &name_item); | 1920 &name_item); |
1833 if (rv != SECSuccess) goto no_ticket; | 1921 if (rv != SECSuccess) |
| 1922 goto no_ticket; |
1834 parsed_session_ticket->srvName.type = nameType; | 1923 parsed_session_ticket->srvName.type = nameType; |
1835 } | 1924 } |
1836 | 1925 |
1837 /* Read extendedMasterSecretUsed */ | 1926 /* Read extendedMasterSecretUsed */ |
1838 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); | 1927 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); |
1839 if (temp < 0) | 1928 if (temp < 0) |
1840 goto no_ticket; | 1929 goto no_ticket; |
1841 PORT_Assert(temp == PR_TRUE || temp == PR_FALSE); | 1930 PORT_Assert(temp == PR_TRUE || temp == PR_FALSE); |
1842 parsed_session_ticket->extendedMasterSecretUsed = (PRBool)temp; | 1931 parsed_session_ticket->extendedMasterSecretUsed = (PRBool)temp; |
1843 | 1932 |
1844 /* Done parsing. Check that all bytes have been consumed. */ | 1933 /* Done parsing. Check that all bytes have been consumed. */ |
1845 if (buffer_len != padding_length) | 1934 if (buffer_len != padding_length) |
1846 goto no_ticket; | 1935 goto no_ticket; |
1847 | 1936 |
1848 /* Use the ticket if it has not expired, otherwise free the allocated | 1937 /* Use the ticket if it has not expired, otherwise free the allocated |
1849 * memory since the ticket is of no use. | 1938 * memory since the ticket is of no use. |
1850 */ | 1939 */ |
1851 if (parsed_session_ticket->timestamp != 0 && | 1940 if (parsed_session_ticket->timestamp != 0 && |
1852 parsed_session_ticket->timestamp + | 1941 parsed_session_ticket->timestamp + |
1853 TLS_EX_SESS_TICKET_LIFETIME_HINT > ssl_Time()) { | 1942 TLS_EX_SESS_TICKET_LIFETIME_HINT > |
| 1943 ssl_Time()) { |
1854 | 1944 |
1855 sid = ssl3_NewSessionID(ss, PR_TRUE); | 1945 sid = ssl3_NewSessionID(ss, PR_TRUE); |
1856 if (sid == NULL) { | 1946 if (sid == NULL) { |
1857 rv = SECFailure; | 1947 rv = SECFailure; |
1858 goto loser; | 1948 goto loser; |
1859 } | 1949 } |
1860 | 1950 |
1861 /* Copy over parameters. */ | 1951 /* Copy over parameters. */ |
1862 sid->version = parsed_session_ticket->ssl_version; | 1952 sid->version = parsed_session_ticket->ssl_version; |
1863 sid->u.ssl3.cipherSuite = parsed_session_ticket->cipher_suite; | 1953 sid->u.ssl3.cipherSuite = parsed_session_ticket->cipher_suite; |
1864 sid->u.ssl3.compression = parsed_session_ticket->compression_method; | 1954 sid->u.ssl3.compression = parsed_session_ticket->compression_method; |
1865 sid->authAlgorithm = parsed_session_ticket->authAlgorithm; | 1955 sid->authAlgorithm = parsed_session_ticket->authAlgorithm; |
1866 sid->authKeyBits = parsed_session_ticket->authKeyBits; | 1956 sid->authKeyBits = parsed_session_ticket->authKeyBits; |
1867 sid->keaType = parsed_session_ticket->keaType; | 1957 sid->keaType = parsed_session_ticket->keaType; |
1868 sid->keaKeyBits = parsed_session_ticket->keaKeyBits; | 1958 sid->keaKeyBits = parsed_session_ticket->keaKeyBits; |
1869 | 1959 |
1870 /* Copy master secret. */ | 1960 /* Copy master secret. */ |
1871 #ifndef NO_PKCS11_BYPASS | 1961 #ifndef NO_PKCS11_BYPASS |
1872 if (ss->opt.bypassPKCS11 && | 1962 if (ss->opt.bypassPKCS11 && |
1873 parsed_session_ticket->ms_is_wrapped) | 1963 parsed_session_ticket->ms_is_wrapped) |
1874 goto no_ticket; | 1964 goto no_ticket; |
1875 #endif | 1965 #endif |
1876 if (parsed_session_ticket->ms_length > | 1966 if (parsed_session_ticket->ms_length > |
1877 sizeof(sid->u.ssl3.keys.wrapped_master_secret)) | 1967 sizeof(sid->u.ssl3.keys.wrapped_master_secret)) |
1878 goto no_ticket; | 1968 goto no_ticket; |
1879 PORT_Memcpy(sid->u.ssl3.keys.wrapped_master_secret, | 1969 PORT_Memcpy(sid->u.ssl3.keys.wrapped_master_secret, |
1880 parsed_session_ticket->master_secret, | 1970 parsed_session_ticket->master_secret, |
1881 parsed_session_ticket->ms_length); | 1971 parsed_session_ticket->ms_length); |
1882 sid->u.ssl3.keys.wrapped_master_secret_len = | 1972 sid->u.ssl3.keys.wrapped_master_secret_len = |
1883 parsed_session_ticket->ms_length; | 1973 parsed_session_ticket->ms_length; |
1884 sid->u.ssl3.exchKeyType = parsed_session_ticket->exchKeyType; | 1974 sid->u.ssl3.exchKeyType = parsed_session_ticket->exchKeyType; |
1885 sid->u.ssl3.masterWrapMech = parsed_session_ticket->msWrapMech; | 1975 sid->u.ssl3.masterWrapMech = parsed_session_ticket->msWrapMech; |
1886 sid->u.ssl3.keys.msIsWrapped = | 1976 sid->u.ssl3.keys.msIsWrapped = |
1887 parsed_session_ticket->ms_is_wrapped; | 1977 parsed_session_ticket->ms_is_wrapped; |
1888 sid->u.ssl3.masterValid = PR_TRUE; | 1978 sid->u.ssl3.masterValid = PR_TRUE; |
1889 sid->u.ssl3.keys.resumable = PR_TRUE; | 1979 sid->u.ssl3.keys.resumable = PR_TRUE; |
1890 sid->u.ssl3.keys.extendedMasterSecretUsed = parsed_session_ticket-> | 1980 sid->u.ssl3.keys.extendedMasterSecretUsed = parsed_session_ticket->e
xtendedMasterSecretUsed; |
1891 extendedMasterSecretUsed; | |
1892 | 1981 |
1893 /* Copy over client cert from session ticket if there is one. */ | 1982 /* Copy over client cert from session ticket if there is one. */ |
1894 if (parsed_session_ticket->peer_cert.data != NULL) { | 1983 if (parsed_session_ticket->peer_cert.data != NULL) { |
1895 if (sid->peerCert != NULL) | 1984 if (sid->peerCert != NULL) |
1896 CERT_DestroyCertificate(sid->peerCert); | 1985 CERT_DestroyCertificate(sid->peerCert); |
1897 sid->peerCert = CERT_NewTempCertificate(ss->dbHandle, | 1986 sid->peerCert = CERT_NewTempCertificate(ss->dbHandle, |
1898 &parsed_session_ticket->peer_cert, NULL, PR_FALSE, PR_TRUE); | 1987 &parsed_session_ticket->
peer_cert, NULL, PR_FALSE, PR_TRUE); |
1899 if (sid->peerCert == NULL) { | 1988 if (sid->peerCert == NULL) { |
1900 rv = SECFailure; | 1989 rv = SECFailure; |
1901 goto loser; | 1990 goto loser; |
1902 } | 1991 } |
1903 } | 1992 } |
1904 if (parsed_session_ticket->srvName.data != NULL) { | 1993 if (parsed_session_ticket->srvName.data != NULL) { |
1905 sid->u.ssl3.srvName = parsed_session_ticket->srvName; | 1994 sid->u.ssl3.srvName = parsed_session_ticket->srvName; |
1906 } | 1995 } |
1907 ss->statelessResume = PR_TRUE; | 1996 ss->statelessResume = PR_TRUE; |
1908 ss->sec.ci.sid = sid; | 1997 ss->sec.ci.sid = sid; |
1909 } | 1998 } |
1910 } | 1999 } |
1911 | 2000 |
1912 if (0) { | 2001 if (0) { |
1913 no_ticket: | 2002 no_ticket: |
1914 SSL_DBG(("%d: SSL[%d]: Session ticket parsing failed.", | 2003 SSL_DBG(("%d: SSL[%d]: Session ticket parsing failed.", |
1915 SSL_GETPID(), ss->fd)); | 2004 SSL_GETPID(), ss->fd)); |
1916 ssl3stats = SSL_GetStatistics(); | 2005 ssl3stats = SSL_GetStatistics(); |
1917 SSL_AtomicIncrementLong(& ssl3stats->hch_sid_ticket_parse_failures ); | 2006 SSL_AtomicIncrementLong(&ssl3stats->hch_sid_ticket_parse_failures); |
1918 } | 2007 } |
1919 rv = SECSuccess; | 2008 rv = SECSuccess; |
1920 | 2009 |
1921 loser: | 2010 loser: |
1922 /* ss->sec.ci.sid == sid if it did NOT come here via goto statement | 2011 /* ss->sec.ci.sid == sid if it did NOT come here via goto statement |
1923 * in that case do not free sid | 2012 * in that case do not free sid |
1924 */ | 2013 */ |
1925 if (sid && (ss->sec.ci.sid != sid)) { | 2014 if (sid && (ss->sec.ci.sid != sid)) { |
1926 ssl_FreeSID(sid); | 2015 ssl_FreeSID(sid); |
1927 sid = NULL; | 2016 sid = NULL; |
1928 } | 2017 } |
1929 if (decrypted_state != NULL) { | 2018 if (decrypted_state != NULL) { |
1930 SECITEM_FreeItem(decrypted_state, PR_TRUE); | 2019 SECITEM_FreeItem(decrypted_state, PR_TRUE); |
1931 decrypted_state = NULL; | 2020 decrypted_state = NULL; |
1932 } | 2021 } |
1933 | 2022 |
1934 if (parsed_session_ticket != NULL) { | 2023 if (parsed_session_ticket != NULL) { |
1935 if (parsed_session_ticket->peer_cert.data) { | 2024 if (parsed_session_ticket->peer_cert.data) { |
1936 SECITEM_FreeItem(&parsed_session_ticket->peer_cert, PR_FALSE); | 2025 SECITEM_FreeItem(&parsed_session_ticket->peer_cert, PR_FALSE); |
1937 } | 2026 } |
1938 PORT_ZFree(parsed_session_ticket, sizeof(SessionTicket)); | 2027 PORT_ZFree(parsed_session_ticket, sizeof(SessionTicket)); |
(...skipping 17 matching lines...) Expand all Loading... |
1956 item->data += bytes; | 2045 item->data += bytes; |
1957 item->len -= bytes; | 2046 item->len -= bytes; |
1958 return SECSuccess; | 2047 return SECSuccess; |
1959 } | 2048 } |
1960 | 2049 |
1961 static SECStatus | 2050 static SECStatus |
1962 ssl3_ParseEncryptedSessionTicket(sslSocket *ss, SECItem *data, | 2051 ssl3_ParseEncryptedSessionTicket(sslSocket *ss, SECItem *data, |
1963 EncryptedSessionTicket *enc_session_ticket) | 2052 EncryptedSessionTicket *enc_session_ticket) |
1964 { | 2053 { |
1965 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->key_name, | 2054 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->key_name, |
1966 SESS_TICKET_KEY_NAME_LEN) != SECSuccess) | 2055 SESS_TICKET_KEY_NAME_LEN) != |
| 2056 SECSuccess) |
1967 return SECFailure; | 2057 return SECFailure; |
1968 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->iv, | 2058 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->iv, |
1969 AES_BLOCK_SIZE) != SECSuccess) | 2059 AES_BLOCK_SIZE) != |
| 2060 SECSuccess) |
1970 return SECFailure; | 2061 return SECFailure; |
1971 if (ssl3_ConsumeHandshakeVariable(ss, &enc_session_ticket->encrypted_state, | 2062 if (ssl3_ConsumeHandshakeVariable(ss, &enc_session_ticket->encrypted_state, |
1972 2, &data->data, &data->len) != SECSuccess) | 2063 2, &data->data, &data->len) != |
| 2064 SECSuccess) |
1973 return SECFailure; | 2065 return SECFailure; |
1974 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->mac, | 2066 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->mac, |
1975 TLS_EX_SESS_TICKET_MAC_LENGTH) != SECSuccess) | 2067 TLS_EX_SESS_TICKET_MAC_LENGTH) != |
| 2068 SECSuccess) |
1976 return SECFailure; | 2069 return SECFailure; |
1977 if (data->len != 0) /* Make sure that we have consumed all bytes. */ | 2070 if (data->len != 0) /* Make sure that we have consumed all bytes. */ |
1978 return SECFailure; | 2071 return SECFailure; |
1979 | 2072 |
1980 return SECSuccess; | 2073 return SECSuccess; |
1981 } | 2074 } |
1982 | 2075 |
1983 /* go through hello extensions in buffer "b". | 2076 /* go through hello extensions in buffer "b". |
1984 * For each one, find the extension handler in the table, and | 2077 * For each one, find the extension handler in the table, and |
1985 * if present, invoke that handler. | 2078 * if present, invoke that handler. |
1986 * Servers ignore any extensions with unknown extension types. | 2079 * Servers ignore any extensions with unknown extension types. |
1987 * Clients reject any extensions with unadvertised extension types. | 2080 * Clients reject any extensions with unadvertised extension types. |
| 2081 * In TLS >= 1.3, the client checks that extensions appear in the |
| 2082 * right phase. |
1988 */ | 2083 */ |
1989 SECStatus | 2084 SECStatus |
1990 ssl3_HandleHelloExtensions(sslSocket *ss, SSL3Opaque **b, PRUint32 *length) | 2085 ssl3_HandleHelloExtensions(sslSocket *ss, SSL3Opaque **b, PRUint32 *length, |
| 2086 SSL3HandshakeType handshakeMessage) |
1991 { | 2087 { |
1992 const ssl3HelloExtensionHandler * handlers; | 2088 const ssl3HelloExtensionHandler *handlers; |
| 2089 PRBool isTLS13 = ss->version >= SSL_LIBRARY_VERSION_TLS_1_3; |
1993 | 2090 |
1994 if (ss->sec.isServer) { | 2091 switch (handshakeMessage) { |
1995 handlers = clientHelloHandlers; | 2092 case client_hello: |
1996 } else if (ss->version > SSL_LIBRARY_VERSION_3_0) { | 2093 handlers = clientHelloHandlers; |
1997 handlers = serverHelloHandlersTLS; | 2094 break; |
1998 } else { | 2095 case encrypted_extensions: |
1999 handlers = serverHelloHandlersSSL3; | 2096 PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); |
| 2097 /* fall through */ |
| 2098 case server_hello: |
| 2099 if (ss->version > SSL_LIBRARY_VERSION_3_0) { |
| 2100 handlers = serverHelloHandlersTLS; |
| 2101 } else { |
| 2102 handlers = serverHelloHandlersSSL3; |
| 2103 } |
| 2104 break; |
| 2105 default: |
| 2106 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 2107 PORT_Assert(0); |
| 2108 return SECFailure; |
2000 } | 2109 } |
2001 | 2110 |
2002 while (*length) { | 2111 while (*length) { |
2003 const ssl3HelloExtensionHandler * handler; | 2112 const ssl3HelloExtensionHandler *handler; |
2004 SECStatus rv; | 2113 SECStatus rv; |
2005 PRInt32 extension_type; | 2114 PRInt32 extension_type; |
2006 SECItem extension_data; | 2115 SECItem extension_data; |
2007 | 2116 |
2008 /* Get the extension's type field */ | 2117 /* Get the extension's type field */ |
2009 extension_type = ssl3_ConsumeHandshakeNumber(ss, 2, b, length); | 2118 extension_type = ssl3_ConsumeHandshakeNumber(ss, 2, b, length); |
2010 if (extension_type < 0) /* failure to decode extension_type */ | 2119 if (extension_type < 0) /* failure to decode extension_type */ |
2011 return SECFailure; /* alert already sent */ | 2120 return SECFailure; /* alert already sent */ |
2012 | 2121 |
2013 /* get the data for this extension, so we can pass it or skip it. */ | 2122 /* get the data for this extension, so we can pass it or skip it. */ |
2014 rv = ssl3_ConsumeHandshakeVariable(ss, &extension_data, 2, b, length); | 2123 rv = ssl3_ConsumeHandshakeVariable(ss, &extension_data, 2, b, length); |
2015 if (rv != SECSuccess) | 2124 if (rv != SECSuccess) |
2016 return rv; /* alert already sent */ | 2125 return rv; /* alert already sent */ |
2017 | 2126 |
2018 /* Check whether the server sent an extension which was not advertised | 2127 /* Check whether the server sent an extension which was not advertised |
2019 * in the ClientHello. | 2128 * in the ClientHello */ |
2020 */ | |
2021 if (!ss->sec.isServer && | 2129 if (!ss->sec.isServer && |
2022 !ssl3_ClientExtensionAdvertised(ss, extension_type)) { | 2130 !ssl3_ClientExtensionAdvertised(ss, extension_type)) { |
2023 (void)SSL3_SendAlert(ss, alert_fatal, unsupported_extension); | 2131 (void)SSL3_SendAlert(ss, alert_fatal, unsupported_extension); |
2024 return SECFailure; | 2132 return SECFailure; |
2025 } | 2133 } |
2026 | 2134 |
2027 /* Check whether an extension has been sent multiple times. */ | 2135 /* Check whether an extension has been sent multiple times. */ |
2028 if (ssl3_ExtensionNegotiated(ss, extension_type)) { | 2136 if (ssl3_ExtensionNegotiated(ss, extension_type)) { |
2029 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); | 2137 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); |
2030 return SECFailure; | 2138 return SECFailure; |
2031 } | 2139 } |
2032 | 2140 |
| 2141 /* Check that this is a legal extension in TLS 1.3 */ |
| 2142 if (isTLS13 && !tls13_ExtensionAllowed(extension_type, handshakeMessage)
) { |
| 2143 if (handshakeMessage == client_hello) { |
| 2144 /* Skip extensions not used in TLS 1.3 */ |
| 2145 continue; |
| 2146 } |
| 2147 tls13_FatalError(ss, SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION, |
| 2148 unsupported_extension); |
| 2149 return SECFailure; |
| 2150 } |
| 2151 |
2033 /* find extension_type in table of Hello Extension Handlers */ | 2152 /* find extension_type in table of Hello Extension Handlers */ |
2034 for (handler = handlers; handler->ex_type >= 0; handler++) { | 2153 for (handler = handlers; handler->ex_type >= 0; handler++) { |
2035 /* if found, call this handler */ | 2154 /* if found, call this handler */ |
2036 if (handler->ex_type == extension_type) { | 2155 if (handler->ex_type == extension_type) { |
2037 rv = (*handler->ex_handler)(ss, (PRUint16)extension_type, | 2156 rv = (*handler->ex_handler)(ss, (PRUint16)extension_type, |
2038 &extension_data); | 2157 &extension_data); |
2039 if (rv != SECSuccess) { | 2158 if (rv != SECSuccess) { |
2040 if (!ss->ssl3.fatalAlertSent) { | 2159 if (!ss->ssl3.fatalAlertSent) { |
2041 /* send a generic alert if the handler didn't already */ | 2160 /* send a generic alert if the handler didn't already */ |
2042 (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure)
; | 2161 (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure)
; |
2043 } | 2162 } |
2044 return SECFailure; | 2163 return SECFailure; |
2045 } | 2164 } |
2046 } | 2165 } |
2047 } | 2166 } |
2048 } | 2167 } |
2049 return SECSuccess; | 2168 return SECSuccess; |
2050 } | 2169 } |
2051 | 2170 |
2052 /* Add a callback function to the table of senders of server hello extensions. | 2171 /* Add a callback function to the table of senders of server hello extensions. |
2053 */ | 2172 */ |
2054 SECStatus | 2173 SECStatus |
2055 ssl3_RegisterServerHelloExtensionSender(sslSocket *ss, PRUint16 ex_type, | 2174 ssl3_RegisterServerHelloExtensionSender(sslSocket *ss, PRUint16 ex_type, |
2056 ssl3HelloExtensionSenderFunc cb) | 2175 ssl3HelloExtensionSenderFunc cb) |
2057 { | 2176 { |
2058 int i; | 2177 int i; |
2059 ssl3HelloExtensionSender *sender = &ss->xtnData.serverSenders[0]; | 2178 ssl3HelloExtensionSender *sender; |
| 2179 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { |
| 2180 sender = &ss->xtnData.serverHelloSenders[0]; |
| 2181 } else { |
| 2182 if (tls13_ExtensionAllowed(ex_type, server_hello)) { |
| 2183 PORT_Assert(!tls13_ExtensionAllowed(ex_type, encrypted_extensions)); |
| 2184 sender = &ss->xtnData.serverHelloSenders[0]; |
| 2185 } else { |
| 2186 PORT_Assert(tls13_ExtensionAllowed(ex_type, encrypted_extensions)); |
| 2187 sender = &ss->xtnData.encryptedExtensionsSenders[0]; |
| 2188 } |
| 2189 } |
2060 | 2190 |
2061 for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) { | 2191 for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) { |
2062 if (!sender->ex_sender) { | 2192 if (!sender->ex_sender) { |
2063 sender->ex_type = ex_type; | 2193 sender->ex_type = ex_type; |
2064 sender->ex_sender = cb; | 2194 sender->ex_sender = cb; |
2065 return SECSuccess; | 2195 return SECSuccess; |
2066 } | 2196 } |
2067 /* detect duplicate senders */ | 2197 /* detect duplicate senders */ |
2068 PORT_Assert(sender->ex_type != ex_type); | 2198 PORT_Assert(sender->ex_type != ex_type); |
2069 if (sender->ex_type == ex_type) { | 2199 if (sender->ex_type == ex_type) { |
2070 /* duplicate */ | 2200 /* duplicate */ |
2071 break; | 2201 break; |
2072 } | 2202 } |
2073 } | 2203 } |
2074 PORT_Assert(i < SSL_MAX_EXTENSIONS); /* table needs to grow */ | 2204 PORT_Assert(i < SSL_MAX_EXTENSIONS); /* table needs to grow */ |
2075 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 2205 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
2076 return SECFailure; | 2206 return SECFailure; |
2077 } | 2207 } |
2078 | 2208 |
2079 /* call each of the extension senders and return the accumulated length */ | 2209 /* call each of the extension senders and return the accumulated length */ |
2080 PRInt32 | 2210 PRInt32 |
2081 ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes, | 2211 ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes, |
2082 const ssl3HelloExtensionSender *sender) | 2212 const ssl3HelloExtensionSender *sender) |
2083 { | 2213 { |
2084 PRInt32 total_exten_len = 0; | 2214 PRInt32 total_exten_len = 0; |
2085 int i; | 2215 int i; |
2086 | 2216 |
2087 if (!sender) { | 2217 if (!sender) { |
2088 sender = ss->version > SSL_LIBRARY_VERSION_3_0 ? | 2218 if (ss->version > SSL_LIBRARY_VERSION_3_0) { |
2089 &clientHelloSendersTLS[0] : &clientHelloSendersSSL3[0]; | 2219 sender = &clientHelloSendersTLS[0]; |
| 2220 } else { |
| 2221 sender = &clientHelloSendersSSL3[0]; |
| 2222 } |
2090 } | 2223 } |
2091 | 2224 |
2092 for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) { | 2225 for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) { |
2093 if (sender->ex_sender) { | 2226 if (sender->ex_sender) { |
2094 PRInt32 extLen = (*sender->ex_sender)(ss, append, maxBytes); | 2227 PRInt32 extLen = (*sender->ex_sender)(ss, append, maxBytes); |
2095 if (extLen < 0) | 2228 if (extLen < 0) |
2096 return -1; | 2229 return -1; |
2097 maxBytes -= extLen; | 2230 maxBytes -= extLen; |
2098 total_exten_len += extLen; | 2231 total_exten_len += extLen; |
2099 } | 2232 } |
2100 } | 2233 } |
2101 return total_exten_len; | 2234 return total_exten_len; |
2102 } | 2235 } |
2103 | 2236 |
2104 | |
2105 /* Extension format: | 2237 /* Extension format: |
2106 * Extension number: 2 bytes | 2238 * Extension number: 2 bytes |
2107 * Extension length: 2 bytes | 2239 * Extension length: 2 bytes |
2108 * Verify Data Length: 1 byte | 2240 * Verify Data Length: 1 byte |
2109 * Verify Data (TLS): 12 bytes (client) or 24 bytes (server) | 2241 * Verify Data (TLS): 12 bytes (client) or 24 bytes (server) |
2110 * Verify Data (SSL): 36 bytes (client) or 72 bytes (server) | 2242 * Verify Data (SSL): 36 bytes (client) or 72 bytes (server) |
2111 */ | 2243 */ |
2112 static PRInt32 | 2244 static PRInt32 |
2113 ssl3_SendRenegotiationInfoXtn( | 2245 ssl3_SendRenegotiationInfoXtn( |
2114 sslSocket * ss, | 2246 sslSocket *ss, |
2115 PRBool append, | 2247 PRBool append, |
2116 PRUint32 maxBytes) | 2248 PRUint32 maxBytes) |
2117 { | 2249 { |
2118 PRInt32 len, needed; | 2250 PRInt32 len = 0; |
| 2251 PRInt32 needed; |
2119 | 2252 |
2120 /* In draft-ietf-tls-renegotiation-03, it is NOT RECOMMENDED to send | 2253 /* In draft-ietf-tls-renegotiation-03, it is NOT RECOMMENDED to send |
2121 * both the SCSV and the empty RI, so when we send SCSV in | 2254 * both the SCSV and the empty RI, so when we send SCSV in |
2122 * the initial handshake, we don't also send RI. | 2255 * the initial handshake, we don't also send RI. |
2123 */ | 2256 */ |
2124 if (!ss || ss->ssl3.hs.sendingSCSV) | 2257 if (!ss || ss->ssl3.hs.sendingSCSV) |
2125 return 0; | 2258 return 0; |
2126 len = !ss->firstHsDone ? 0 : | 2259 if (ss->firstHsDone) { |
2127 (ss->sec.isServer ? ss->ssl3.hs.finishedBytes * 2 | 2260 len = ss->sec.isServer ? ss->ssl3.hs.finishedBytes * 2 |
2128 : ss->ssl3.hs.finishedBytes); | 2261 : ss->ssl3.hs.finishedBytes; |
| 2262 } |
2129 needed = 5 + len; | 2263 needed = 5 + len; |
2130 if (maxBytes < (PRUint32)needed) { | 2264 if (maxBytes < (PRUint32)needed) { |
2131 return 0; | 2265 return 0; |
2132 } | 2266 } |
2133 if (append) { | 2267 if (append) { |
2134 SECStatus rv; | 2268 SECStatus rv; |
2135 /* extension_type */ | 2269 /* extension_type */ |
2136 rv = ssl3_AppendHandshakeNumber(ss, ssl_renegotiation_info_xtn, 2); | 2270 rv = ssl3_AppendHandshakeNumber(ss, ssl_renegotiation_info_xtn, 2); |
2137 if (rv != SECSuccess) return -1; | 2271 if (rv != SECSuccess) |
| 2272 return -1; |
2138 /* length of extension_data */ | 2273 /* length of extension_data */ |
2139 rv = ssl3_AppendHandshakeNumber(ss, len + 1, 2); | 2274 rv = ssl3_AppendHandshakeNumber(ss, len + 1, 2); |
2140 if (rv != SECSuccess) return -1; | 2275 if (rv != SECSuccess) |
| 2276 return -1; |
2141 /* verify_Data from previous Finished message(s) */ | 2277 /* verify_Data from previous Finished message(s) */ |
2142 rv = ssl3_AppendHandshakeVariable(ss, | 2278 rv = ssl3_AppendHandshakeVariable(ss, |
2143 ss->ssl3.hs.finishedMsgs.data, len, 1); | 2279 ss->ssl3.hs.finishedMsgs.data, len, 1)
; |
2144 if (rv != SECSuccess) return -1; | 2280 if (rv != SECSuccess) |
| 2281 return -1; |
2145 if (!ss->sec.isServer) { | 2282 if (!ss->sec.isServer) { |
2146 TLSExtensionData *xtnData = &ss->xtnData; | 2283 TLSExtensionData *xtnData = &ss->xtnData; |
2147 xtnData->advertised[xtnData->numAdvertised++] = | 2284 xtnData->advertised[xtnData->numAdvertised++] = |
2148 ssl_renegotiation_info_xtn; | 2285 ssl_renegotiation_info_xtn; |
2149 } | 2286 } |
2150 } | 2287 } |
2151 return needed; | 2288 return needed; |
2152 } | 2289 } |
2153 | 2290 |
2154 static SECStatus | 2291 static SECStatus |
2155 ssl3_ServerHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type, | 2292 ssl3_ServerHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type, |
2156 SECItem *data) | 2293 SECItem *data) |
2157 { | 2294 { |
2158 SECStatus rv = SECSuccess; | 2295 SECStatus rv = SECSuccess; |
2159 | 2296 |
2160 /* remember that we got this extension. */ | 2297 /* remember that we got this extension. */ |
2161 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | 2298 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
2162 PORT_Assert(ss->sec.isServer); | 2299 PORT_Assert(ss->sec.isServer); |
2163 /* prepare to send back the appropriate response */ | 2300 /* prepare to send back the appropriate response */ |
2164 rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type, | 2301 rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type, |
2165 ssl3_ServerSendStatusRequestXtn); | 2302 ssl3_ServerSendStatusRequestXtn
); |
2166 return rv; | 2303 return rv; |
2167 } | 2304 } |
2168 | 2305 |
2169 /* This function runs in both the client and server. */ | 2306 /* This function runs in both the client and server. */ |
2170 static SECStatus | 2307 static SECStatus |
2171 ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) | 2308 ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) |
2172 { | 2309 { |
2173 SECStatus rv = SECSuccess; | 2310 SECStatus rv = SECSuccess; |
2174 PRUint32 len = 0; | 2311 PRUint32 len = 0; |
2175 | 2312 |
2176 if (ss->firstHsDone) { | 2313 if (ss->firstHsDone) { |
2177 len = ss->sec.isServer ? ss->ssl3.hs.finishedBytes | 2314 len = ss->sec.isServer ? ss->ssl3.hs.finishedBytes |
2178 : ss->ssl3.hs.finishedBytes * 2; | 2315 : ss->ssl3.hs.finishedBytes * 2; |
2179 } | 2316 } |
2180 if (data->len != 1 + len || data->data[0] != len ) { | 2317 if (data->len != 1 + len || data->data[0] != len) { |
2181 (void)ssl3_DecodeError(ss); | 2318 (void)ssl3_DecodeError(ss); |
2182 return SECFailure; | 2319 return SECFailure; |
2183 } | 2320 } |
2184 if (len && NSS_SecureMemcmp(ss->ssl3.hs.finishedMsgs.data, | 2321 if (len && NSS_SecureMemcmp(ss->ssl3.hs.finishedMsgs.data, |
2185 data->data + 1, len)) { | 2322 data->data + 1, len)) { |
2186 (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure); | 2323 (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure); |
2187 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); | 2324 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); |
2188 return SECFailure; | 2325 return SECFailure; |
2189 } | 2326 } |
2190 /* remember that we got this extension and it was correct. */ | 2327 /* remember that we got this extension and it was correct. */ |
(...skipping 11 matching lines...) Expand all Loading... |
2202 ssl3_ClientSendUseSRTPXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes) | 2339 ssl3_ClientSendUseSRTPXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes) |
2203 { | 2340 { |
2204 PRUint32 ext_data_len; | 2341 PRUint32 ext_data_len; |
2205 PRInt16 i; | 2342 PRInt16 i; |
2206 SECStatus rv; | 2343 SECStatus rv; |
2207 | 2344 |
2208 if (!ss) | 2345 if (!ss) |
2209 return 0; | 2346 return 0; |
2210 | 2347 |
2211 if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) | 2348 if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) |
2212 return 0; /* Not relevant */ | 2349 return 0; /* Not relevant */ |
2213 | 2350 |
2214 ext_data_len = 2 + 2 * ss->ssl3.dtlsSRTPCipherCount + 1; | 2351 ext_data_len = 2 + 2 * ss->ssl3.dtlsSRTPCipherCount + 1; |
2215 | 2352 |
2216 if (append && maxBytes >= 4 + ext_data_len) { | 2353 if (append && maxBytes >= 4 + ext_data_len) { |
2217 /* Extension type */ | 2354 /* Extension type */ |
2218 rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2); | 2355 rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2); |
2219 if (rv != SECSuccess) return -1; | 2356 if (rv != SECSuccess) |
| 2357 return -1; |
2220 /* Length of extension data */ | 2358 /* Length of extension data */ |
2221 rv = ssl3_AppendHandshakeNumber(ss, ext_data_len, 2); | 2359 rv = ssl3_AppendHandshakeNumber(ss, ext_data_len, 2); |
2222 if (rv != SECSuccess) return -1; | 2360 if (rv != SECSuccess) |
| 2361 return -1; |
2223 /* Length of the SRTP cipher list */ | 2362 /* Length of the SRTP cipher list */ |
2224 rv = ssl3_AppendHandshakeNumber(ss, | 2363 rv = ssl3_AppendHandshakeNumber(ss, |
2225 2 * ss->ssl3.dtlsSRTPCipherCount, | 2364 2 * ss->ssl3.dtlsSRTPCipherCount, |
2226 2); | 2365 2); |
2227 if (rv != SECSuccess) return -1; | 2366 if (rv != SECSuccess) |
| 2367 return -1; |
2228 /* The SRTP ciphers */ | 2368 /* The SRTP ciphers */ |
2229 for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) { | 2369 for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) { |
2230 rv = ssl3_AppendHandshakeNumber(ss, | 2370 rv = ssl3_AppendHandshakeNumber(ss, |
2231 ss->ssl3.dtlsSRTPCiphers[i], | 2371 ss->ssl3.dtlsSRTPCiphers[i], |
2232 2); | 2372 2); |
2233 } | 2373 } |
2234 /* Empty MKI value */ | 2374 /* Empty MKI value */ |
2235 ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); | 2375 ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); |
2236 | 2376 |
2237 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | 2377 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = |
2238 ssl_use_srtp_xtn; | 2378 ssl_use_srtp_xtn; |
2239 } | 2379 } |
2240 | 2380 |
2241 return 4 + ext_data_len; | 2381 return 4 + ext_data_len; |
2242 } | 2382 } |
2243 | 2383 |
2244 static PRInt32 | 2384 static PRInt32 |
2245 ssl3_ServerSendUseSRTPXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes) | 2385 ssl3_ServerSendUseSRTPXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes) |
2246 { | 2386 { |
2247 SECStatus rv; | 2387 SECStatus rv; |
2248 | 2388 |
2249 /* Server side */ | 2389 /* Server side */ |
2250 if (!append || maxBytes < 9) { | 2390 if (!append || maxBytes < 9) { |
2251 return 9; | 2391 return 9; |
2252 } | 2392 } |
2253 | 2393 |
2254 /* Extension type */ | 2394 /* Extension type */ |
2255 rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2); | 2395 rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2); |
2256 if (rv != SECSuccess) return -1; | 2396 if (rv != SECSuccess) |
| 2397 return -1; |
2257 /* Length of extension data */ | 2398 /* Length of extension data */ |
2258 rv = ssl3_AppendHandshakeNumber(ss, 5, 2); | 2399 rv = ssl3_AppendHandshakeNumber(ss, 5, 2); |
2259 if (rv != SECSuccess) return -1; | 2400 if (rv != SECSuccess) |
| 2401 return -1; |
2260 /* Length of the SRTP cipher list */ | 2402 /* Length of the SRTP cipher list */ |
2261 rv = ssl3_AppendHandshakeNumber(ss, 2, 2); | 2403 rv = ssl3_AppendHandshakeNumber(ss, 2, 2); |
2262 if (rv != SECSuccess) return -1; | 2404 if (rv != SECSuccess) |
| 2405 return -1; |
2263 /* The selected cipher */ | 2406 /* The selected cipher */ |
2264 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.dtlsSRTPCipherSuite, 2); | 2407 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.dtlsSRTPCipherSuite, 2); |
2265 if (rv != SECSuccess) return -1; | 2408 if (rv != SECSuccess) |
| 2409 return -1; |
2266 /* Empty MKI value */ | 2410 /* Empty MKI value */ |
2267 ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); | 2411 ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); |
2268 | 2412 |
2269 return 9; | 2413 return 9; |
2270 } | 2414 } |
2271 | 2415 |
2272 static SECStatus | 2416 static SECStatus |
2273 ssl3_ClientHandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data) | 2417 ssl3_ClientHandleUseSRTPXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) |
2274 { | 2418 { |
2275 SECStatus rv; | 2419 SECStatus rv; |
2276 SECItem ciphers = {siBuffer, NULL, 0}; | 2420 SECItem ciphers = { siBuffer, NULL, 0 }; |
2277 PRUint16 i; | 2421 PRUint16 i; |
2278 PRUint16 cipher = 0; | 2422 PRUint16 cipher = 0; |
2279 PRBool found = PR_FALSE; | 2423 PRBool found = PR_FALSE; |
2280 SECItem litem; | 2424 SECItem litem; |
2281 | 2425 |
2282 if (!data->data || !data->len) { | 2426 if (!data->data || !data->len) { |
2283 (void)ssl3_DecodeError(ss); | 2427 (void)ssl3_DecodeError(ss); |
2284 return SECFailure; | 2428 return SECFailure; |
2285 } | 2429 } |
2286 | 2430 |
2287 /* Get the cipher list */ | 2431 /* Get the cipher list */ |
2288 rv = ssl3_ConsumeHandshakeVariable(ss, &ciphers, 2, | 2432 rv = ssl3_ConsumeHandshakeVariable(ss, &ciphers, 2, |
2289 &data->data, &data->len); | 2433 &data->data, &data->len); |
2290 if (rv != SECSuccess) { | 2434 if (rv != SECSuccess) { |
2291 return SECFailure; /* fatal alert already sent */ | 2435 return SECFailure; /* fatal alert already sent */ |
2292 } | 2436 } |
2293 /* Now check that the server has picked just 1 (i.e., len = 2) */ | 2437 /* Now check that the server has picked just 1 (i.e., len = 2) */ |
2294 if (ciphers.len != 2) { | 2438 if (ciphers.len != 2) { |
2295 (void)ssl3_DecodeError(ss); | 2439 (void)ssl3_DecodeError(ss); |
2296 return SECFailure; | 2440 return SECFailure; |
2297 } | 2441 } |
2298 | 2442 |
2299 /* Get the selected cipher */ | 2443 /* Get the selected cipher */ |
2300 cipher = (ciphers.data[0] << 8) | ciphers.data[1]; | 2444 cipher = (ciphers.data[0] << 8) | ciphers.data[1]; |
2301 | 2445 |
(...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2333 return SECFailure; | 2477 return SECFailure; |
2334 } | 2478 } |
2335 | 2479 |
2336 /* OK, this looks fine. */ | 2480 /* OK, this looks fine. */ |
2337 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn; | 2481 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn; |
2338 ss->ssl3.dtlsSRTPCipherSuite = cipher; | 2482 ss->ssl3.dtlsSRTPCipherSuite = cipher; |
2339 return SECSuccess; | 2483 return SECSuccess; |
2340 } | 2484 } |
2341 | 2485 |
2342 static SECStatus | 2486 static SECStatus |
2343 ssl3_ServerHandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data) | 2487 ssl3_ServerHandleUseSRTPXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) |
2344 { | 2488 { |
2345 SECStatus rv; | 2489 SECStatus rv; |
2346 SECItem ciphers = {siBuffer, NULL, 0}; | 2490 SECItem ciphers = { siBuffer, NULL, 0 }; |
2347 PRUint16 i; | 2491 PRUint16 i; |
2348 unsigned int j; | 2492 unsigned int j; |
2349 PRUint16 cipher = 0; | 2493 PRUint16 cipher = 0; |
2350 PRBool found = PR_FALSE; | 2494 PRBool found = PR_FALSE; |
2351 SECItem litem; | 2495 SECItem litem; |
2352 | 2496 |
2353 if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) { | 2497 if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) { |
2354 /* Ignore the extension if we aren't doing DTLS or no DTLS-SRTP | 2498 /* Ignore the extension if we aren't doing DTLS or no DTLS-SRTP |
2355 * preferences have been set. */ | 2499 * preferences have been set. */ |
2356 return SECSuccess; | 2500 return SECSuccess; |
(...skipping 50 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2407 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn; | 2551 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn; |
2408 | 2552 |
2409 return ssl3_RegisterServerHelloExtensionSender(ss, ssl_use_srtp_xtn, | 2553 return ssl3_RegisterServerHelloExtensionSender(ss, ssl_use_srtp_xtn, |
2410 ssl3_ServerSendUseSRTPXtn); | 2554 ssl3_ServerSendUseSRTPXtn); |
2411 } | 2555 } |
2412 | 2556 |
2413 /* ssl3_ServerHandleSigAlgsXtn handles the signature_algorithms extension | 2557 /* ssl3_ServerHandleSigAlgsXtn handles the signature_algorithms extension |
2414 * from a client. | 2558 * from a client. |
2415 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ | 2559 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ |
2416 static SECStatus | 2560 static SECStatus |
2417 ssl3_ServerHandleSigAlgsXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data) | 2561 ssl3_ServerHandleSigAlgsXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) |
2418 { | 2562 { |
2419 SECStatus rv; | 2563 SECStatus rv; |
2420 SECItem algorithms; | 2564 SECItem algorithms; |
2421 const unsigned char *b; | 2565 const unsigned char *b; |
2422 unsigned int numAlgorithms, i; | 2566 unsigned int numAlgorithms, i; |
2423 | 2567 |
2424 /* Ignore this extension if we aren't doing TLS 1.2 or greater. */ | 2568 /* Ignore this extension if we aren't doing TLS 1.2 or greater. */ |
2425 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) { | 2569 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) { |
2426 return SECSuccess; | 2570 return SECSuccess; |
2427 } | 2571 } |
2428 | 2572 |
2429 rv = ssl3_ConsumeHandshakeVariable(ss, &algorithms, 2, &data->data, | 2573 rv = ssl3_ConsumeHandshakeVariable(ss, &algorithms, 2, &data->data, |
2430 &data->len); | 2574 &data->len); |
2431 if (rv != SECSuccess) { | 2575 if (rv != SECSuccess) { |
2432 return SECFailure; | 2576 return SECFailure; |
2433 } | 2577 } |
2434 /* Trailing data, empty value, or odd-length value is invalid. */ | 2578 /* Trailing data, empty value, or odd-length value is invalid. */ |
2435 if (data->len != 0 || algorithms.len == 0 || (algorithms.len & 1) != 0) { | 2579 if (data->len != 0 || algorithms.len == 0 || (algorithms.len & 1) != 0) { |
2436 (void)SSL3_SendAlert(ss, alert_fatal, decode_error); | 2580 (void)SSL3_SendAlert(ss, alert_fatal, decode_error); |
2437 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); | 2581 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); |
2438 return SECFailure; | 2582 return SECFailure; |
2439 } | 2583 } |
2440 | 2584 |
2441 numAlgorithms = algorithms.len/2; | 2585 numAlgorithms = algorithms.len / 2; |
2442 | 2586 |
2443 /* We don't care to process excessive numbers of algorithms. */ | 2587 /* We don't care to process excessive numbers of algorithms. */ |
2444 if (numAlgorithms > 512) { | 2588 if (numAlgorithms > 512) { |
2445 numAlgorithms = 512; | 2589 numAlgorithms = 512; |
2446 } | 2590 } |
2447 | 2591 |
2448 ss->ssl3.hs.clientSigAndHash = | 2592 ss->ssl3.hs.clientSigAndHash = |
2449 PORT_NewArray(SSLSignatureAndHashAlg, numAlgorithms); | 2593 PORT_NewArray(SSLSignatureAndHashAlg, numAlgorithms); |
2450 if (!ss->ssl3.hs.clientSigAndHash) { | 2594 if (!ss->ssl3.hs.clientSigAndHash) { |
2451 (void)SSL3_SendAlert(ss, alert_fatal, internal_error); | 2595 (void)SSL3_SendAlert(ss, alert_fatal, internal_error); |
2452 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); | 2596 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); |
2453 return SECFailure; | 2597 return SECFailure; |
2454 } | 2598 } |
2455 ss->ssl3.hs.numClientSigAndHash = 0; | 2599 ss->ssl3.hs.numClientSigAndHash = 0; |
2456 | 2600 |
2457 b = algorithms.data; | 2601 b = algorithms.data; |
2458 ss->ssl3.hs.numClientSigAndHash = 0; | 2602 ss->ssl3.hs.numClientSigAndHash = 0; |
2459 for (i = 0; i < numAlgorithms; i++) { | 2603 for (i = 0; i < numAlgorithms; i++) { |
2460 SSLSignatureAndHashAlg *sigAndHash = | 2604 SSLSignatureAndHashAlg *sigAndHash = |
2461 &ss->ssl3.hs.clientSigAndHash[ss->ssl3.hs.numClientSigAndHash]; | 2605 &ss->ssl3.hs.clientSigAndHash[ss->ssl3.hs.numClientSigAndHash]; |
2462 sigAndHash->hashAlg = (SSLHashType)*(b++); | 2606 sigAndHash->hashAlg = (SSLHashType) * (b++); |
2463 sigAndHash->sigAlg = (SSLSignType)*(b++); | 2607 sigAndHash->sigAlg = (SSLSignType) * (b++); |
2464 if (ssl3_IsSupportedSignatureAlgorithm(sigAndHash)) { | 2608 if (ssl3_IsSupportedSignatureAlgorithm(sigAndHash)) { |
2465 ++ss->ssl3.hs.numClientSigAndHash; | 2609 ++ss->ssl3.hs.numClientSigAndHash; |
2466 } | 2610 } |
2467 } | 2611 } |
2468 | 2612 |
2469 if (!ss->ssl3.hs.numClientSigAndHash) { | 2613 if (!ss->ssl3.hs.numClientSigAndHash) { |
2470 /* We didn't understand any of the client's requested signature | 2614 /* We didn't understand any of the client's requested signature |
2471 * formats. We'll use the defaults. */ | 2615 * formats. We'll use the defaults. */ |
2472 PORT_Free(ss->ssl3.hs.clientSigAndHash); | 2616 PORT_Free(ss->ssl3.hs.clientSigAndHash); |
2473 ss->ssl3.hs.clientSigAndHash = NULL; | 2617 ss->ssl3.hs.clientSigAndHash = NULL; |
2474 } | 2618 } |
2475 | 2619 |
2476 /* Keep track of negotiated extensions. */ | 2620 /* Keep track of negotiated extensions. */ |
2477 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | 2621 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
2478 return SECSuccess; | 2622 return SECSuccess; |
2479 } | 2623 } |
2480 | 2624 |
2481 /* ssl3_ClientSendSigAlgsXtn sends the signature_algorithm extension for TLS | 2625 /* ssl3_ClientSendSigAlgsXtn sends the signature_algorithm extension for TLS |
2482 * 1.2 ClientHellos. */ | 2626 * 1.2 ClientHellos. */ |
2483 static PRInt32 | 2627 static PRInt32 |
2484 ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes) | 2628 ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes) |
2485 { | 2629 { |
2486 PRInt32 extension_length; | 2630 PRInt32 extension_length; |
2487 unsigned int i; | 2631 unsigned int i; |
2488 PRInt32 pos=0; | 2632 PRInt32 pos = 0; |
2489 PRUint32 policy; | 2633 PRUint32 policy; |
2490 PRUint8 buf[MAX_SIGNATURE_ALGORITHMS * 2]; | 2634 PRUint8 buf[MAX_SIGNATURE_ALGORITHMS * 2]; |
2491 | 2635 |
2492 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) { | 2636 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) { |
2493 return 0; | 2637 return 0; |
2494 } | 2638 } |
2495 | 2639 |
2496 for (i=0; i < ss->ssl3.signatureAlgorithmCount; i++) { | 2640 for (i = 0; i < ss->ssl3.signatureAlgorithmCount; i++) { |
2497 » SECOidTag hashOID = ssl3_TLSHashAlgorithmToOID( | 2641 SECOidTag hashOID = ssl3_TLSHashAlgorithmToOID( |
2498 » » » » ss->ssl3.signatureAlgorithms[i].hashAlg); | 2642 ss->ssl3.signatureAlgorithms[i].hashAlg); |
2499 » if ((NSS_GetAlgorithmPolicy(hashOID, & policy) != SECSuccess) || | 2643 if ((NSS_GetAlgorithmPolicy(hashOID, &policy) != SECSuccess) || |
2500 » » (policy & NSS_USE_ALG_IN_SSL_KX)) { | 2644 (policy & NSS_USE_ALG_IN_SSL_KX)) { |
2501 » buf[pos++] = ss->ssl3.signatureAlgorithms[i].hashAlg; | 2645 buf[pos++] = ss->ssl3.signatureAlgorithms[i].hashAlg; |
2502 » buf[pos++] = ss->ssl3.signatureAlgorithms[i].sigAlg; | 2646 buf[pos++] = ss->ssl3.signatureAlgorithms[i].sigAlg; |
2503 » } | 2647 } |
2504 } | 2648 } |
2505 | 2649 |
2506 extension_length = | 2650 extension_length = |
2507 2 /* extension type */ + | 2651 2 /* extension type */ + |
2508 2 /* extension length */ + | 2652 2 /* extension length */ + |
2509 2 /* supported_signature_algorithms length */ + | 2653 2 /* supported_signature_algorithms length */ + |
2510 pos; | 2654 pos; |
2511 | 2655 |
2512 if (maxBytes < extension_length) { | 2656 if (maxBytes < extension_length) { |
2513 PORT_Assert(0); | 2657 PORT_Assert(0); |
(...skipping 10 matching lines...) Expand all Loading... |
2524 if (rv != SECSuccess) { | 2668 if (rv != SECSuccess) { |
2525 return -1; | 2669 return -1; |
2526 } | 2670 } |
2527 | 2671 |
2528 rv = ssl3_AppendHandshakeVariable(ss, buf, extension_length - 6, 2); | 2672 rv = ssl3_AppendHandshakeVariable(ss, buf, extension_length - 6, 2); |
2529 if (rv != SECSuccess) { | 2673 if (rv != SECSuccess) { |
2530 return -1; | 2674 return -1; |
2531 } | 2675 } |
2532 | 2676 |
2533 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | 2677 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = |
2534 ssl_signature_algorithms_xtn; | 2678 ssl_signature_algorithms_xtn; |
2535 } | 2679 } |
2536 | 2680 |
2537 return extension_length; | 2681 return extension_length; |
2538 } | 2682 } |
2539 | 2683 |
2540 unsigned int | 2684 unsigned int |
2541 ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength) | 2685 ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength) |
2542 { | 2686 { |
2543 unsigned int recordLength = 1 /* handshake message type */ + | 2687 unsigned int recordLength = 1 /* handshake message type */ + |
2544 3 /* handshake message length */ + | 2688 3 /* handshake message length */ + |
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2588 if (SECSuccess != ssl3_AppendHandshake(ss, padding, paddingLen)) | 2732 if (SECSuccess != ssl3_AppendHandshake(ss, padding, paddingLen)) |
2589 return -1; | 2733 return -1; |
2590 | 2734 |
2591 return extensionLen; | 2735 return extensionLen; |
2592 } | 2736 } |
2593 | 2737 |
2594 /* ssl3_ClientSendDraftVersionXtn sends the TLS 1.3 temporary draft | 2738 /* ssl3_ClientSendDraftVersionXtn sends the TLS 1.3 temporary draft |
2595 * version extension. | 2739 * version extension. |
2596 * TODO(ekr@rtfm.com): Remove when TLS 1.3 is published. */ | 2740 * TODO(ekr@rtfm.com): Remove when TLS 1.3 is published. */ |
2597 static PRInt32 | 2741 static PRInt32 |
2598 ssl3_ClientSendDraftVersionXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes) | 2742 ssl3_ClientSendDraftVersionXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes) |
2599 { | 2743 { |
2600 PRInt32 extension_length; | 2744 PRInt32 extension_length; |
2601 | 2745 |
2602 if (ss->version != SSL_LIBRARY_VERSION_TLS_1_3) { | 2746 if (ss->version != SSL_LIBRARY_VERSION_TLS_1_3) { |
2603 return 0; | 2747 return 0; |
2604 } | 2748 } |
2605 | 2749 |
2606 extension_length = 6; /* Type + length + number */ | 2750 extension_length = 6; /* Type + length + number */ |
2607 if (maxBytes < (PRUint32)extension_length) { | 2751 if (maxBytes < (PRUint32)extension_length) { |
2608 PORT_Assert(0); | 2752 PORT_Assert(0); |
2609 return 0; | 2753 return 0; |
2610 } | 2754 } |
2611 if (append) { | 2755 if (append) { |
2612 SECStatus rv; | 2756 SECStatus rv; |
2613 rv = ssl3_AppendHandshakeNumber(ss, ssl_tls13_draft_version_xtn, 2); | 2757 rv = ssl3_AppendHandshakeNumber(ss, ssl_tls13_draft_version_xtn, 2); |
2614 if (rv != SECSuccess) | 2758 if (rv != SECSuccess) |
2615 goto loser; | 2759 goto loser; |
2616 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); | 2760 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); |
2617 if (rv != SECSuccess) | 2761 if (rv != SECSuccess) |
2618 goto loser; | 2762 goto loser; |
2619 rv = ssl3_AppendHandshakeNumber(ss, TLS_1_3_DRAFT_VERSION, 2); | 2763 rv = ssl3_AppendHandshakeNumber(ss, TLS_1_3_DRAFT_VERSION, 2); |
2620 if (rv != SECSuccess) | 2764 if (rv != SECSuccess) |
2621 goto loser; | 2765 goto loser; |
2622 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | 2766 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = |
2623 ssl_tls13_draft_version_xtn; | 2767 ssl_tls13_draft_version_xtn; |
2624 } | 2768 } |
2625 | 2769 |
2626 return extension_length; | 2770 return extension_length; |
2627 | 2771 |
2628 loser: | 2772 loser: |
2629 return -1; | 2773 return -1; |
2630 } | 2774 } |
2631 | 2775 |
2632 /* ssl3_ServerHandleDraftVersionXtn handles the TLS 1.3 temporary draft | 2776 /* ssl3_ServerHandleDraftVersionXtn handles the TLS 1.3 temporary draft |
2633 * version extension. | 2777 * version extension. |
2634 * TODO(ekr@rtfm.com): Remove when TLS 1.3 is published. */ | 2778 * TODO(ekr@rtfm.com): Remove when TLS 1.3 is published. */ |
2635 static SECStatus | 2779 static SECStatus |
2636 ssl3_ServerHandleDraftVersionXtn(sslSocket * ss, PRUint16 ex_type, | 2780 ssl3_ServerHandleDraftVersionXtn(sslSocket *ss, PRUint16 ex_type, |
2637 SECItem *data) | 2781 SECItem *data) |
2638 { | 2782 { |
2639 PRInt32 draft_version; | 2783 PRInt32 draft_version; |
2640 | 2784 |
2641 /* Ignore this extension if we aren't doing TLS 1.3 */ | 2785 /* Ignore this extension if we aren't doing TLS 1.3 */ |
2642 if (ss->version != SSL_LIBRARY_VERSION_TLS_1_3) { | 2786 if (ss->version != SSL_LIBRARY_VERSION_TLS_1_3) { |
2643 return SECSuccess; | 2787 return SECSuccess; |
2644 } | 2788 } |
2645 | 2789 |
2646 if (data->len != 2) { | 2790 if (data->len != 2) { |
(...skipping 20 matching lines...) Expand all Loading... |
2667 SSL_TRC(30, ("%d: SSL3[%d]: Incompatible version of TLS 1.3 (%d), " | 2811 SSL_TRC(30, ("%d: SSL3[%d]: Incompatible version of TLS 1.3 (%d), " |
2668 "expected %d", | 2812 "expected %d", |
2669 SSL_GETPID(), ss->fd, draft_version, TLS_1_3_DRAFT_VERSION)
); | 2813 SSL_GETPID(), ss->fd, draft_version, TLS_1_3_DRAFT_VERSION)
); |
2670 ss->version = SSL_LIBRARY_VERSION_TLS_1_2; | 2814 ss->version = SSL_LIBRARY_VERSION_TLS_1_2; |
2671 } | 2815 } |
2672 | 2816 |
2673 return SECSuccess; | 2817 return SECSuccess; |
2674 } | 2818 } |
2675 | 2819 |
2676 static PRInt32 | 2820 static PRInt32 |
2677 ssl3_SendExtendedMasterSecretXtn(sslSocket * ss, PRBool append, | 2821 ssl3_SendExtendedMasterSecretXtn(sslSocket *ss, PRBool append, |
2678 PRUint32 maxBytes) | 2822 PRUint32 maxBytes) |
2679 { | 2823 { |
2680 PRInt32 extension_length; | 2824 PRInt32 extension_length; |
2681 | 2825 |
2682 if (!ss->opt.enableExtendedMS) { | 2826 if (!ss->opt.enableExtendedMS) { |
2683 return 0; | 2827 return 0; |
2684 } | 2828 } |
2685 | 2829 |
2686 #ifndef NO_PKCS11_BYPASS | 2830 #ifndef NO_PKCS11_BYPASS |
2687 /* Extended MS can only be used w/o bypass mode */ | 2831 /* Extended MS can only be used w/o bypass mode */ |
2688 if (ss->opt.bypassPKCS11) { | 2832 if (ss->opt.bypassPKCS11) { |
2689 PORT_Assert(0); | 2833 PORT_Assert(0); |
2690 PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); | 2834 PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); |
2691 return -1; | 2835 return -1; |
2692 } | 2836 } |
2693 #endif | 2837 #endif |
2694 | 2838 |
2695 /* Always send the extension in this function, since the | 2839 /* Always send the extension in this function, since the |
2696 * client always sends it and this function is only called on | 2840 * client always sends it and this function is only called on |
2697 * the server if we negotiated the extension. */ | 2841 * the server if we negotiated the extension. */ |
2698 extension_length = 4; /* Type + length (0) */ | 2842 extension_length = 4; /* Type + length (0) */ |
2699 if (maxBytes < extension_length) { | 2843 if (maxBytes < extension_length) { |
2700 PORT_Assert(0); | 2844 PORT_Assert(0); |
2701 return 0; | 2845 return 0; |
2702 } | 2846 } |
2703 | 2847 |
2704 if (append) { | 2848 if (append) { |
2705 SECStatus rv; | 2849 SECStatus rv; |
2706 rv = ssl3_AppendHandshakeNumber(ss, ssl_extended_master_secret_xtn, 2); | 2850 rv = ssl3_AppendHandshakeNumber(ss, ssl_extended_master_secret_xtn, 2); |
2707 if (rv != SECSuccess) | 2851 if (rv != SECSuccess) |
2708 goto loser; | 2852 goto loser; |
2709 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); | 2853 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); |
2710 if (rv != SECSuccess) | 2854 if (rv != SECSuccess) |
2711 goto loser; | 2855 goto loser; |
2712 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | 2856 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = |
2713 ssl_extended_master_secret_xtn; | 2857 ssl_extended_master_secret_xtn; |
2714 } | 2858 } |
2715 | 2859 |
2716 return extension_length; | 2860 return extension_length; |
2717 loser: | |
2718 return -1; | |
2719 } | |
2720 | 2861 |
2721 /* ssl3_ClientSendSignedCertTimestampXtn sends the signed_certificate_timestamp | |
2722 * extension for TLS ClientHellos. */ | |
2723 static PRInt32 | |
2724 ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, PRBool append, | |
2725 PRUint32 maxBytes) | |
2726 { | |
2727 PRInt32 extension_length = 2 /* extension_type */ + | |
2728 2 /* length(extension_data) */; | |
2729 | |
2730 /* Only send the extension if processing is enabled. */ | |
2731 if (!ss->opt.enableSignedCertTimestamps) | |
2732 return 0; | |
2733 | |
2734 if (maxBytes < extension_length) { | |
2735 PORT_Assert(0); | |
2736 return 0; | |
2737 } | |
2738 | |
2739 if (append) { | |
2740 SECStatus rv; | |
2741 /* extension_type */ | |
2742 rv = ssl3_AppendHandshakeNumber(ss, | |
2743 ssl_signed_certificate_timestamp_xtn, | |
2744 2); | |
2745 if (rv != SECSuccess) | |
2746 goto loser; | |
2747 /* zero length */ | |
2748 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); | |
2749 if (rv != SECSuccess) | |
2750 goto loser; | |
2751 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | |
2752 ssl_signed_certificate_timestamp_xtn; | |
2753 } | |
2754 | |
2755 return extension_length; | |
2756 loser: | 2862 loser: |
2757 return -1; | 2863 return -1; |
2758 } | 2864 } |
2759 | 2865 |
2760 static SECStatus | 2866 static SECStatus |
2761 ssl3_HandleExtendedMasterSecretXtn(sslSocket * ss, PRUint16 ex_type, | 2867 ssl3_HandleExtendedMasterSecretXtn(sslSocket *ss, PRUint16 ex_type, |
2762 SECItem *data) | 2868 SECItem *data) |
2763 { | 2869 { |
2764 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_0) { | 2870 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_0) { |
2765 return SECSuccess; | 2871 return SECSuccess; |
2766 } | 2872 } |
2767 | 2873 |
2768 if (!ss->opt.enableExtendedMS) { | 2874 if (!ss->opt.enableExtendedMS) { |
2769 return SECSuccess; | 2875 return SECSuccess; |
2770 } | 2876 } |
2771 | 2877 |
(...skipping 18 matching lines...) Expand all Loading... |
2790 /* Keep track of negotiated extensions. */ | 2896 /* Keep track of negotiated extensions. */ |
2791 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | 2897 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
2792 | 2898 |
2793 if (ss->sec.isServer) { | 2899 if (ss->sec.isServer) { |
2794 return ssl3_RegisterServerHelloExtensionSender( | 2900 return ssl3_RegisterServerHelloExtensionSender( |
2795 ss, ex_type, ssl3_SendExtendedMasterSecretXtn); | 2901 ss, ex_type, ssl3_SendExtendedMasterSecretXtn); |
2796 } | 2902 } |
2797 return SECSuccess; | 2903 return SECSuccess; |
2798 } | 2904 } |
2799 | 2905 |
| 2906 /* ssl3_ClientSendSignedCertTimestampXtn sends the signed_certificate_timestamp |
| 2907 * extension for TLS ClientHellos. */ |
| 2908 static PRInt32 |
| 2909 ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, PRBool append, |
| 2910 PRUint32 maxBytes) |
| 2911 { |
| 2912 PRInt32 extension_length = 2 /* extension_type */ + |
| 2913 2 /* length(extension_data) */; |
| 2914 |
| 2915 /* Only send the extension if processing is enabled. */ |
| 2916 if (!ss->opt.enableSignedCertTimestamps) |
| 2917 return 0; |
| 2918 |
| 2919 if (append && maxBytes >= extension_length) { |
| 2920 SECStatus rv; |
| 2921 /* extension_type */ |
| 2922 rv = ssl3_AppendHandshakeNumber(ss, |
| 2923 ssl_signed_cert_timestamp_xtn, |
| 2924 2); |
| 2925 if (rv != SECSuccess) |
| 2926 goto loser; |
| 2927 /* zero length */ |
| 2928 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); |
| 2929 if (rv != SECSuccess) |
| 2930 goto loser; |
| 2931 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = |
| 2932 ssl_signed_cert_timestamp_xtn; |
| 2933 } else if (maxBytes < extension_length) { |
| 2934 PORT_Assert(0); |
| 2935 return 0; |
| 2936 } |
| 2937 |
| 2938 return extension_length; |
| 2939 loser: |
| 2940 return -1; |
| 2941 } |
| 2942 |
2800 static SECStatus | 2943 static SECStatus |
2801 ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, PRUint16 ex_type, | 2944 ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, PRUint16 ex_type, |
2802 SECItem *data) | 2945 SECItem *data) |
2803 { | 2946 { |
2804 /* We do not yet know whether we'll be resuming a session or creating | 2947 /* We do not yet know whether we'll be resuming a session or creating |
2805 * a new one, so we keep a pointer to the data in the TLSExtensionData | 2948 * a new one, so we keep a pointer to the data in the TLSExtensionData |
2806 * structure. This pointer is only valid in the scope of | 2949 * structure. This pointer is only valid in the scope of |
2807 * ssl3_HandleServerHello, and, if not resuming a session, the data is | 2950 * ssl3_HandleServerHello, and, if not resuming a session, the data is |
2808 * copied once a new session structure has been set up. | 2951 * copied once a new session structure has been set up. |
2809 * All parsing is currently left to the application and we accept | 2952 * All parsing is currently left to the application and we accept |
2810 * everything, including empty data. | 2953 * everything, including empty data. |
2811 */ | 2954 */ |
2812 SECItem *scts = &ss->xtnData.signedCertTimestamps; | 2955 SECItem *scts = &ss->xtnData.signedCertTimestamps; |
2813 PORT_Assert(!scts->data && !scts->len); | 2956 PORT_Assert(!scts->data && !scts->len); |
2814 | 2957 |
2815 if (!data->len) { | 2958 if (!data->len) { |
2816 /* Empty extension data: RFC 6962 mandates non-empty contents. */ | 2959 /* Empty extension data: RFC 6962 mandates non-empty contents. */ |
2817 return SECFailure; | 2960 return SECFailure; |
2818 } | 2961 } |
2819 *scts = *data; | 2962 *scts = *data; |
2820 /* Keep track of negotiated extensions. */ | 2963 /* Keep track of negotiated extensions. */ |
2821 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | 2964 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
2822 return SECSuccess; | 2965 return SECSuccess; |
2823 } | 2966 } |
| 2967 |
| 2968 static PRInt32 |
| 2969 ssl3_ServerSendSignedCertTimestampXtn(sslSocket *ss, |
| 2970 PRBool append, |
| 2971 PRUint32 maxBytes) |
| 2972 { |
| 2973 PRInt32 extension_length; |
| 2974 SSLKEAType effectiveExchKeyType; |
| 2975 const SECItem *scts; |
| 2976 |
| 2977 if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa || |
| 2978 ss->ssl3.hs.kea_def->kea == kea_dhe_rsa) { |
| 2979 effectiveExchKeyType = ssl_kea_rsa; |
| 2980 } else { |
| 2981 effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType; |
| 2982 } |
| 2983 |
| 2984 scts = &ss->signedCertTimestamps[effectiveExchKeyType]; |
| 2985 |
| 2986 if (!scts->len) { |
| 2987 /* No timestamps to send */ |
| 2988 return 0; |
| 2989 } |
| 2990 |
| 2991 extension_length = 2 /* extension_type */ + |
| 2992 2 /* length(extension_data) */ + |
| 2993 scts->len; |
| 2994 |
| 2995 if (maxBytes < extension_length) { |
| 2996 PORT_Assert(0); |
| 2997 return 0; |
| 2998 } |
| 2999 if (append) { |
| 3000 SECStatus rv; |
| 3001 /* extension_type */ |
| 3002 rv = ssl3_AppendHandshakeNumber(ss, |
| 3003 ssl_signed_cert_timestamp_xtn, |
| 3004 2); |
| 3005 if (rv != SECSuccess) |
| 3006 goto loser; |
| 3007 /* extension_data */ |
| 3008 rv = ssl3_AppendHandshakeVariable(ss, scts->data, scts->len, 2); |
| 3009 if (rv != SECSuccess) |
| 3010 goto loser; |
| 3011 } |
| 3012 |
| 3013 return extension_length; |
| 3014 |
| 3015 loser: |
| 3016 return -1; |
| 3017 } |
| 3018 |
| 3019 static SECStatus |
| 3020 ssl3_ServerHandleSignedCertTimestampXtn(sslSocket *ss, PRUint16 ex_type, |
| 3021 SECItem *data) |
| 3022 { |
| 3023 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
| 3024 PORT_Assert(ss->sec.isServer); |
| 3025 return ssl3_RegisterServerHelloExtensionSender(ss, ex_type, |
| 3026 ssl3_ServerSendSignedCertTime
stampXtn); |
| 3027 } |
| 3028 |
| 3029 /* |
| 3030 * [draft-ietf-tls-tls13-11] Section 6.3.2.3. |
| 3031 * |
| 3032 * struct { |
| 3033 * NamedGroup group; |
| 3034 * opaque key_exchange<1..2^16-1>; |
| 3035 * } KeyShareEntry; |
| 3036 * |
| 3037 * struct { |
| 3038 * select (role) { |
| 3039 * case client: |
| 3040 * KeyShareEntry client_shares<4..2^16-1>; |
| 3041 * |
| 3042 * case server: |
| 3043 * KeyShareEntry server_share; |
| 3044 * } |
| 3045 * } KeyShare; |
| 3046 */ |
| 3047 static SECStatus |
| 3048 tls13_SizeOfKeyShareEntry(ssl3KeyPair *pair) |
| 3049 { |
| 3050 return 2 + 2 + tls13_SizeOfECDHEKeyShareKEX(pair); |
| 3051 } |
| 3052 |
| 3053 static SECStatus |
| 3054 tls13_EncodeKeyShareEntry(sslSocket *ss, ssl3KeyPair *pair) |
| 3055 { |
| 3056 SECStatus rv; |
| 3057 |
| 3058 /* This currently only works for ECC keys */ |
| 3059 PORT_Assert(pair->pubKey->keyType == ecKey); |
| 3060 if (pair->pubKey->keyType != ecKey) { |
| 3061 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 3062 return SECFailure; |
| 3063 } |
| 3064 |
| 3065 rv = ssl3_AppendHandshakeNumber(ss, tls13_GroupForECDHEKeyShare(pair), 2); |
| 3066 if (rv != SECSuccess) |
| 3067 return rv; |
| 3068 |
| 3069 rv = ssl3_AppendHandshakeNumber(ss, tls13_SizeOfECDHEKeyShareKEX(pair), 2); |
| 3070 if (rv != SECSuccess) |
| 3071 return rv; |
| 3072 |
| 3073 rv = tls13_EncodeECDHEKeyShareKEX(ss, pair); |
| 3074 if (rv != SECSuccess) |
| 3075 return rv; |
| 3076 |
| 3077 return SECSuccess; |
| 3078 } |
| 3079 |
| 3080 static PRInt32 |
| 3081 tls13_ClientSendKeyShareXtn(sslSocket *ss, PRBool append, |
| 3082 PRUint32 maxBytes) |
| 3083 { |
| 3084 SECStatus rv; |
| 3085 PRUint32 entry_length; |
| 3086 PRUint32 extension_length; |
| 3087 |
| 3088 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { |
| 3089 return 0; |
| 3090 } |
| 3091 |
| 3092 /* Optimistically try to send an ECDHE key using the |
| 3093 * preexisting key (in future will be keys) */ |
| 3094 SSL_TRC(3, ("%d: TLS13[%d]: send client key share xtn", |
| 3095 SSL_GETPID(), ss->fd)); |
| 3096 |
| 3097 entry_length = tls13_SizeOfKeyShareEntry(ss->ephemeralECDHKeyPair); |
| 3098 /* Type + length + vector_length + entry */ |
| 3099 extension_length = 2 + 2 + 2 + entry_length; |
| 3100 |
| 3101 if (maxBytes < extension_length) { |
| 3102 PORT_Assert(0); |
| 3103 return 0; |
| 3104 } |
| 3105 |
| 3106 if (append) { |
| 3107 rv = ssl3_AppendHandshakeNumber(ss, ssl_tls13_key_share_xtn, 2); |
| 3108 if (rv != SECSuccess) |
| 3109 goto loser; |
| 3110 rv = ssl3_AppendHandshakeNumber(ss, entry_length + 2, 2); /* Extension l
ength */ |
| 3111 if (rv != SECSuccess) |
| 3112 goto loser; |
| 3113 rv = ssl3_AppendHandshakeNumber(ss, entry_length, 2); /* Vector length *
/ |
| 3114 if (rv != SECSuccess) |
| 3115 goto loser; |
| 3116 rv = tls13_EncodeKeyShareEntry(ss, ss->ephemeralECDHKeyPair); |
| 3117 if (rv != SECSuccess) |
| 3118 goto loser; |
| 3119 |
| 3120 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = |
| 3121 ssl_tls13_key_share_xtn; |
| 3122 } |
| 3123 |
| 3124 return extension_length; |
| 3125 |
| 3126 loser: |
| 3127 return -1; |
| 3128 } |
| 3129 |
| 3130 static SECStatus |
| 3131 tls13_HandleKeyShareEntry(sslSocket *ss, SECItem *data) |
| 3132 { |
| 3133 SECStatus rv; |
| 3134 PRInt32 group; |
| 3135 TLS13KeyShareEntry *ks = NULL; |
| 3136 SECItem share = { siBuffer, NULL, 0 }; |
| 3137 |
| 3138 group = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len); |
| 3139 if (group < 0) { |
| 3140 PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE); |
| 3141 goto loser; |
| 3142 } |
| 3143 |
| 3144 rv = ssl3_ConsumeHandshakeVariable(ss, &share, 2, &data->data, |
| 3145 &data->len); |
| 3146 if (rv != SECSuccess) |
| 3147 goto loser; |
| 3148 |
| 3149 ks = PORT_ZNew(TLS13KeyShareEntry); |
| 3150 if (!ks) |
| 3151 goto loser; |
| 3152 ks->group = group; |
| 3153 |
| 3154 rv = SECITEM_CopyItem(NULL, &ks->key_exchange, &share); |
| 3155 if (rv != SECSuccess) |
| 3156 goto loser; |
| 3157 |
| 3158 PR_APPEND_LINK(&ks->link, &ss->ssl3.hs.remoteKeyShares); |
| 3159 return SECSuccess; |
| 3160 |
| 3161 loser: |
| 3162 if (ks) |
| 3163 tls13_DestroyKeyShareEntry(ks); |
| 3164 return SECFailure; |
| 3165 } |
| 3166 |
| 3167 /* Handle an incoming KeyShare extension at the client and copy to |
| 3168 * |ss->ssl3.hs.remoteKeyShares| for future use. The key |
| 3169 * share is processed in tls13_HandleServerKeyShare(). */ |
| 3170 static SECStatus |
| 3171 tls13_ClientHandleKeyShareXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) |
| 3172 { |
| 3173 SECStatus rv; |
| 3174 |
| 3175 PORT_Assert(!ss->sec.isServer); |
| 3176 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { |
| 3177 /* This can't happen because the extension processing |
| 3178 * code filters out TLS 1.3 extensions when not in |
| 3179 * TLS 1.3 mode. */ |
| 3180 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 3181 return SECFailure; |
| 3182 } |
| 3183 |
| 3184 SSL_TRC(3, ("%d: SSL3[%d]: handle key_share extension", |
| 3185 SSL_GETPID(), ss->fd)); |
| 3186 |
| 3187 rv = tls13_HandleKeyShareEntry(ss, data); |
| 3188 if (rv != SECSuccess) { |
| 3189 PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE); |
| 3190 return SECFailure; |
| 3191 } |
| 3192 |
| 3193 if (data->len) { |
| 3194 PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE); |
| 3195 return SECFailure; |
| 3196 } |
| 3197 |
| 3198 return SECSuccess; |
| 3199 } |
| 3200 |
| 3201 /* Handle an incoming KeyShare extension at the server and copy to |
| 3202 * |ss->ssl3.hs.remoteKeyShares| for future use. The key |
| 3203 * share is processed in tls13_HandleClientKeyShare(). */ |
| 3204 static SECStatus |
| 3205 tls13_ServerHandleKeyShareXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) |
| 3206 { |
| 3207 SECStatus rv; |
| 3208 PRInt32 length; |
| 3209 |
| 3210 PORT_Assert(ss->sec.isServer); |
| 3211 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { |
| 3212 return SECSuccess; |
| 3213 } |
| 3214 |
| 3215 SSL_TRC(3, ("%d: SSL3[%d]: handle key_share extension", |
| 3216 SSL_GETPID(), ss->fd)); |
| 3217 |
| 3218 /* Redundant length because of TLS encoding (this vector consumes |
| 3219 * the entire extension.) */ |
| 3220 length = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, |
| 3221 &data->len); |
| 3222 if (length < 0) |
| 3223 goto loser; |
| 3224 if (length != data->len) { |
| 3225 /* Check for consistency */ |
| 3226 PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE); |
| 3227 goto loser; |
| 3228 } |
| 3229 |
| 3230 while (data->len) { |
| 3231 rv = tls13_HandleKeyShareEntry(ss, data); |
| 3232 if (rv != SECSuccess) |
| 3233 goto loser; |
| 3234 } |
| 3235 return SECSuccess; |
| 3236 |
| 3237 loser: |
| 3238 tls13_DestroyKeyShares(&ss->ssl3.hs.remoteKeyShares); |
| 3239 return SECFailure; |
| 3240 } |
| 3241 |
| 3242 PRInt32 |
| 3243 tls13_ServerSendKeyShareXtn(sslSocket *ss, PRBool append, |
| 3244 PRUint32 maxBytes) |
| 3245 { |
| 3246 PRUint32 extension_length; |
| 3247 PRUint32 entry_length; |
| 3248 SECStatus rv; |
| 3249 |
| 3250 switch (ss->ssl3.hs.kea_def->exchKeyType) { |
| 3251 #ifndef NSS_DISABLE_ECC |
| 3252 case ssl_kea_ecdh: |
| 3253 PORT_Assert(ss->ephemeralECDHKeyPair); |
| 3254 break; |
| 3255 #endif |
| 3256 default: |
| 3257 /* got an unknown or unsupported Key Exchange Algorithm. |
| 3258 * Can't happen because tls13_HandleClientKeyShare |
| 3259 * enforces that we are ssl_kea_ecdh. */ |
| 3260 PORT_Assert(0); |
| 3261 tls13_FatalError(ss, SEC_ERROR_UNSUPPORTED_KEYALG, internal_error); |
| 3262 return SECFailure; |
| 3263 } |
| 3264 |
| 3265 entry_length = tls13_SizeOfKeyShareEntry(ss->ephemeralECDHKeyPair); |
| 3266 extension_length = 2 + 2 + entry_length; /* Type + length + entry_length */ |
| 3267 if (maxBytes < extension_length) { |
| 3268 PORT_Assert(0); |
| 3269 return 0; |
| 3270 } |
| 3271 |
| 3272 if (append) { |
| 3273 rv = ssl3_AppendHandshakeNumber(ss, ssl_tls13_key_share_xtn, 2); |
| 3274 if (rv != SECSuccess) |
| 3275 goto loser; |
| 3276 |
| 3277 rv = ssl3_AppendHandshakeNumber(ss, entry_length, 2); |
| 3278 if (rv != SECSuccess) |
| 3279 goto loser; |
| 3280 |
| 3281 rv = tls13_EncodeKeyShareEntry(ss, ss->ephemeralECDHKeyPair); |
| 3282 if (rv != SECSuccess) |
| 3283 goto loser; |
| 3284 } |
| 3285 |
| 3286 return extension_length; |
| 3287 |
| 3288 loser: |
| 3289 return -1; |
| 3290 } |
OLD | NEW |