Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(74)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/third_party/nss/ssl/ssl3ext.c

Issue 1844813002: Uprev NSS to 3.23 on iOS (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: One more GN fix Created 4 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/third_party/nss/ssl/ssl3ecc.c ('k') | net/third_party/nss/ssl/ssl3gthr.c » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /* 2 /*
3 * SSL3 Protocol 3 * SSL3 Protocol
4 * 4 *
5 * This Source Code Form is subject to the terms of the Mozilla Public 5 * This Source Code Form is subject to the terms of the Mozilla Public
6 * License, v. 2.0. If a copy of the MPL was not distributed with this 6 * License, v. 2.0. If a copy of the MPL was not distributed with this
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
8 8
9 /* TLS extension code moved here from ssl3ecc.c */ 9 /* TLS extension code moved here from ssl3ecc.c */
10 10
11 #include "nssrenam.h" 11 #include "nssrenam.h"
12 #include "nss.h" 12 #include "nss.h"
13 #include "ssl.h" 13 #include "ssl.h"
14 #include "sslproto.h"
14 #include "sslimpl.h" 15 #include "sslimpl.h"
15 #include "sslproto.h"
16 #include "pk11pub.h" 16 #include "pk11pub.h"
17 #ifdef NO_PKCS11_BYPASS 17 #ifdef NO_PKCS11_BYPASS
18 #include "blapit.h" 18 #include "blapit.h"
19 #else 19 #else
20 #include "blapi.h" 20 #include "blapi.h"
21 #endif 21 #endif
22 #include "prinit.h" 22 #include "prinit.h"
23 23
24 static unsigned char key_name[SESS_TICKET_KEY_NAME_LEN]; 24 static unsigned char key_name[SESS_TICKET_KEY_NAME_LEN];
25 static PK11SymKey *session_ticket_enc_key_pkcs11 = NULL; 25 static PK11SymKey *session_ticket_enc_key_pkcs11 = NULL;
26 static PK11SymKey *session_ticket_mac_key_pkcs11 = NULL; 26 static PK11SymKey *session_ticket_mac_key_pkcs11 = NULL;
27 27
28 #ifndef NO_PKCS11_BYPASS 28 #ifndef NO_PKCS11_BYPASS
29 static unsigned char session_ticket_enc_key[AES_256_KEY_LENGTH]; 29 static unsigned char session_ticket_enc_key[AES_256_KEY_LENGTH];
30 static unsigned char session_ticket_mac_key[SHA256_LENGTH]; 30 static unsigned char session_ticket_mac_key[SHA256_LENGTH];
31 31
32 static PRBool session_ticket_keys_initialized = PR_FALSE; 32 static PRBool session_ticket_keys_initialized = PR_FALSE;
33 #endif 33 #endif
34 static PRCallOnceType generate_session_keys_once; 34 static PRCallOnceType generate_session_keys_once;
35 35
36 /* forward static function declarations */ 36 /* forward static function declarations */
37 static SECStatus ssl3_ParseEncryptedSessionTicket(sslSocket *ss, 37 static SECStatus ssl3_ParseEncryptedSessionTicket(sslSocket *ss,
38 SECItem *data, EncryptedSessionTicket *enc_session_ticket); 38 SECItem *data, EncryptedSessio nTicket *enc_session_ticket);
39 static SECStatus ssl3_AppendToItem(SECItem *item, const unsigned char *buf, 39 static SECStatus ssl3_AppendToItem(SECItem *item, const unsigned char *buf,
40 PRUint32 bytes); 40 PRUint32 bytes);
41 static SECStatus ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, 41 static SECStatus ssl3_AppendNumberToItem(SECItem *item, PRUint32 num,
42 PRInt32 lenSize); 42 PRInt32 lenSize);
43 static SECStatus ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss, 43 static SECStatus ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss,
44 PK11SymKey **aes_key, PK11SymKey **mac_key); 44 PK11SymKey **aes_key, PK11SymKe y **mac_key);
45 #ifndef NO_PKCS11_BYPASS 45 #ifndef NO_PKCS11_BYPASS
46 static SECStatus ssl3_GetSessionTicketKeys(const unsigned char **aes_key, 46 static SECStatus ssl3_GetSessionTicketKeys(const unsigned char **aes_key,
47 PRUint32 *aes_key_length, const unsigned char **mac_key, 47 PRUint32 *aes_key_length, const unsig ned char **mac_key,
48 PRUint32 *mac_key_length); 48 PRUint32 *mac_key_length);
49 #endif 49 #endif
50 static PRInt32 ssl3_SendRenegotiationInfoXtn(sslSocket * ss, 50 static PRInt32 ssl3_SendRenegotiationInfoXtn(sslSocket *ss,
51 PRBool append, PRUint32 maxBytes); 51 PRBool append, PRUint32 maxBytes);
52 static SECStatus ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, 52 static SECStatus ssl3_HandleRenegotiationInfoXtn(sslSocket *ss,
53 PRUint16 ex_type, SECItem *data); 53 PRUint16 ex_type, SECItem *data );
54 static SECStatus ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, 54 static SECStatus ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss,
55 PRUint16 ex_type, SECItem *data); 55 PRUint16 ex_type, SECItem *da ta);
56 static SECStatus ssl3_ClientHandleAppProtoXtn(sslSocket *ss, 56 static SECStatus ssl3_ClientHandleAppProtoXtn(sslSocket *ss,
57 PRUint16 ex_type, SECItem *data); 57 PRUint16 ex_type, SECItem *data);
58 static SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss, 58 static SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss,
59 PRUint16 ex_type, SECItem *data); 59 PRUint16 ex_type, SECItem *da ta);
60 static SECStatus ssl3_ServerHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type, 60 static SECStatus ssl3_ServerHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type,
61 SECItem *data); 61 SECItem *data);
62 static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append, 62 static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append,
63 PRUint32 maxBytes); 63 PRUint32 maxBytes);
64 static PRInt32 ssl3_ClientSendAppProtoXtn(sslSocket *ss, PRBool append, 64 static PRInt32 ssl3_ClientSendAppProtoXtn(sslSocket *ss, PRBool append,
65 PRUint32 maxBytes); 65 PRUint32 maxBytes);
66 static PRInt32 ssl3_ServerSendAppProtoXtn(sslSocket *ss, PRBool append, 66 static PRInt32 ssl3_ServerSendAppProtoXtn(sslSocket *ss, PRBool append,
67 PRUint32 maxBytes); 67 PRUint32 maxBytes);
68 static PRInt32 ssl3_ClientSendUseSRTPXtn(sslSocket *ss, PRBool append, 68 static PRInt32 ssl3_ClientSendUseSRTPXtn(sslSocket *ss, PRBool append,
69 PRUint32 maxBytes); 69 PRUint32 maxBytes);
70 static PRInt32 ssl3_ServerSendUseSRTPXtn(sslSocket *ss, PRBool append, 70 static PRInt32 ssl3_ServerSendUseSRTPXtn(sslSocket *ss, PRBool append,
71 PRUint32 maxBytes); 71 PRUint32 maxBytes);
72 static SECStatus ssl3_ClientHandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, 72 static SECStatus ssl3_ClientHandleUseSRTPXtn(sslSocket *ss, PRUint16 ex_type,
73 SECItem *data); 73 SECItem *data);
74 static SECStatus ssl3_ServerHandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, 74 static SECStatus ssl3_ServerHandleUseSRTPXtn(sslSocket *ss, PRUint16 ex_type,
75 SECItem *data); 75 SECItem *data);
76 static SECStatus ssl3_ClientHandleChannelIDXtn(sslSocket *ss, 76 static SECStatus ssl3_ClientHandleChannelIDXtn(sslSocket *ss,
77 PRUint16 ex_type, SECItem *data); 77 PRUint16 ex_type, SECItem *data);
78 static PRInt32 ssl3_ClientSendChannelIDXtn(sslSocket *ss, PRBool append, 78 static PRInt32 ssl3_ClientSendChannelIDXtn(sslSocket *ss, PRBool append,
79 PRUint32 maxBytes); 79 PRUint32 maxBytes);
80 static PRInt32 ssl3_ServerSendStatusRequestXtn(sslSocket * ss, 80 static PRInt32 ssl3_ServerSendStatusRequestXtn(sslSocket *ss,
81 PRBool append, PRUint32 maxBytes); 81 PRBool append, PRUint32 maxBytes) ;
82 static SECStatus ssl3_ServerHandleStatusRequestXtn(sslSocket *ss, 82 static SECStatus ssl3_ServerHandleStatusRequestXtn(sslSocket *ss,
83 PRUint16 ex_type, SECItem *data); 83 PRUint16 ex_type, SECItem *da ta);
84 static SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, 84 static SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss,
85 PRUint16 ex_type, 85 PRUint16 ex_type,
86 SECItem *data); 86 SECItem *data);
87 static PRInt32 ssl3_ClientSendStatusRequestXtn(sslSocket * ss, PRBool append, 87 static PRInt32 ssl3_ClientSendStatusRequestXtn(sslSocket *ss, PRBool append,
88 PRUint32 maxBytes); 88 PRUint32 maxBytes);
89 static PRInt32 ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append, 89 static PRInt32 ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append,
90 PRUint32 maxBytes); 90 PRUint32 maxBytes);
91 static SECStatus ssl3_ServerHandleSigAlgsXtn(sslSocket *ss, PRUint16 ex_type, 91 static SECStatus ssl3_ServerHandleSigAlgsXtn(sslSocket *ss, PRUint16 ex_type,
92 SECItem *data); 92 SECItem *data);
93
93 static PRInt32 ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, 94 static PRInt32 ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss,
94 PRBool append, 95 PRBool append,
95 PRUint32 maxBytes); 96 PRUint32 maxBytes);
96 static SECStatus ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, 97 static SECStatus ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss,
97 PRUint16 ex_type, 98 PRUint16 ex_type,
98 SECItem *data); 99 SECItem *data);
99 100 static PRInt32 ssl3_ServerSendSignedCertTimestampXtn(sslSocket *ss,
101 PRBool append,
102 PRUint32 maxBytes);
103 static SECStatus ssl3_ServerHandleSignedCertTimestampXtn(sslSocket *ss,
104 PRUint16 ex_type,
105 SECItem *data);
100 static PRInt32 ssl3_ClientSendDraftVersionXtn(sslSocket *ss, PRBool append, 106 static PRInt32 ssl3_ClientSendDraftVersionXtn(sslSocket *ss, PRBool append,
101 PRUint32 maxBytes); 107 PRUint32 maxBytes);
102 static SECStatus ssl3_ServerHandleDraftVersionXtn(sslSocket *ss, PRUint16 ex_typ e, 108 static SECStatus ssl3_ServerHandleDraftVersionXtn(sslSocket *ss, PRUint16 ex_typ e,
103 SECItem *data); 109 SECItem *data);
104 static PRInt32 ssl3_SendExtendedMasterSecretXtn(sslSocket *ss, PRBool append, 110 static PRInt32 ssl3_SendExtendedMasterSecretXtn(sslSocket *ss, PRBool append,
105 PRUint32 maxBytes); 111 PRUint32 maxBytes);
106 static SECStatus ssl3_HandleExtendedMasterSecretXtn(sslSocket *ss, 112 static SECStatus ssl3_HandleExtendedMasterSecretXtn(sslSocket *ss,
107 PRUint16 ex_type, 113 PRUint16 ex_type,
108 SECItem *data); 114 SECItem *data);
109 115 static PRInt32 tls13_ClientSendKeyShareXtn(sslSocket *ss, PRBool append,
116 PRUint32 maxBytes);
117 static SECStatus tls13_ClientHandleKeyShareXtn(sslSocket *ss,
118 PRUint16 ex_type,
119 SECItem *data);
120 static SECStatus tls13_ServerHandleKeyShareXtn(sslSocket *ss,
121 PRUint16 ex_type,
122 SECItem *data);
110 123
111 /* 124 /*
112 * Write bytes. Using this function means the SECItem structure 125 * Write bytes. Using this function means the SECItem structure
113 * cannot be freed. The caller is expected to call this function 126 * cannot be freed. The caller is expected to call this function
114 * on a shallow copy of the structure. 127 * on a shallow copy of the structure.
115 */ 128 */
116 static SECStatus 129 static SECStatus
117 ssl3_AppendToItem(SECItem *item, const unsigned char *buf, PRUint32 bytes) 130 ssl3_AppendToItem(SECItem *item, const unsigned char *buf, PRUint32 bytes)
118 { 131 {
119 if (bytes > item->len) 132 if (bytes > item->len)
120 return SECFailure; 133 return SECFailure;
121 134
122 PORT_Memcpy(item->data, buf, bytes); 135 PORT_Memcpy(item->data, buf, bytes);
123 item->data += bytes; 136 item->data += bytes;
124 item->len -= bytes; 137 item->len -= bytes;
125 return SECSuccess; 138 return SECSuccess;
126 } 139 }
127 140
128 /* 141 /*
129 * Write a number in network byte order. Using this function means the 142 * Write a number in network byte order. Using this function means the
130 * SECItem structure cannot be freed. The caller is expected to call 143 * SECItem structure cannot be freed. The caller is expected to call
131 * this function on a shallow copy of the structure. 144 * this function on a shallow copy of the structure.
132 */ 145 */
133 static SECStatus 146 static SECStatus
134 ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, PRInt32 lenSize) 147 ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, PRInt32 lenSize)
135 { 148 {
136 SECStatus rv; 149 SECStatus rv;
137 PRUint8 b[4]; 150 PRUint8 b[4];
138 PRUint8 * p = b; 151 PRUint8 *p = b;
139 152
140 switch (lenSize) { 153 switch (lenSize) {
141 case 4: 154 case 4:
142 *p++ = (PRUint8) (num >> 24); 155 *p++ = (PRUint8)(num >> 24);
143 case 3: 156 case 3:
144 *p++ = (PRUint8) (num >> 16); 157 *p++ = (PRUint8)(num >> 16);
145 case 2: 158 case 2:
146 *p++ = (PRUint8) (num >> 8); 159 *p++ = (PRUint8)(num >> 8);
147 case 1: 160 case 1:
148 *p = (PRUint8) num; 161 *p = (PRUint8)num;
149 } 162 }
150 rv = ssl3_AppendToItem(item, &b[0], lenSize); 163 rv = ssl3_AppendToItem(item, &b[0], lenSize);
151 return rv; 164 return rv;
152 } 165 }
153 166
154 static SECStatus ssl3_SessionTicketShutdown(void* appData, void* nssData) 167 static SECStatus
168 ssl3_SessionTicketShutdown(void *appData, void *nssData)
155 { 169 {
156 if (session_ticket_enc_key_pkcs11) { 170 if (session_ticket_enc_key_pkcs11) {
157 PK11_FreeSymKey(session_ticket_enc_key_pkcs11); 171 PK11_FreeSymKey(session_ticket_enc_key_pkcs11);
158 session_ticket_enc_key_pkcs11 = NULL; 172 session_ticket_enc_key_pkcs11 = NULL;
159 } 173 }
160 if (session_ticket_mac_key_pkcs11) { 174 if (session_ticket_mac_key_pkcs11) {
161 PK11_FreeSymKey(session_ticket_mac_key_pkcs11); 175 PK11_FreeSymKey(session_ticket_mac_key_pkcs11);
162 session_ticket_mac_key_pkcs11 = NULL; 176 session_ticket_mac_key_pkcs11 = NULL;
163 } 177 }
164 PORT_Memset(&generate_session_keys_once, 0, 178 PORT_Memset(&generate_session_keys_once, 0,
165 sizeof(generate_session_keys_once)); 179 sizeof(generate_session_keys_once));
166 return SECSuccess; 180 return SECSuccess;
167 } 181 }
168 182
169
170 static PRStatus 183 static PRStatus
171 ssl3_GenerateSessionTicketKeysPKCS11(void *data) 184 ssl3_GenerateSessionTicketKeysPKCS11(void *data)
172 { 185 {
173 SECStatus rv; 186 SECStatus rv;
174 sslSocket *ss = (sslSocket *)data; 187 sslSocket *ss = (sslSocket *)data;
175 SECKEYPrivateKey *svrPrivKey = ss->serverCerts[kt_rsa].SERVERKEY; 188 SECKEYPrivateKey *svrPrivKey = ss->serverCerts[kt_rsa].SERVERKEY;
176 SECKEYPublicKey *svrPubKey = ss->serverCerts[kt_rsa].serverKeyPair->pubKey; 189 SECKEYPublicKey *svrPubKey = ss->serverCerts[kt_rsa].serverKeyPair->pubKey;
177 190
178 if (svrPrivKey == NULL || svrPubKey == NULL) { 191 if (svrPrivKey == NULL || svrPubKey == NULL) {
179 SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.", 192 SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.",
180 SSL_GETPID(), ss->fd)); 193 SSL_GETPID(), ss->fd));
181 goto loser; 194 goto loser;
182 } 195 }
183 196
184 /* Get a copy of the session keys from shared memory. */ 197 /* Get a copy of the session keys from shared memory. */
185 PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX, 198 PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX,
186 sizeof(SESS_TICKET_KEY_NAME_PREFIX)); 199 sizeof(SESS_TICKET_KEY_NAME_PREFIX));
187 if (!ssl_GetSessionTicketKeysPKCS11(svrPrivKey, svrPubKey, 200 if (!ssl_GetSessionTicketKeysPKCS11(svrPrivKey, svrPubKey,
188 ss->pkcs11PinArg, &key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN], 201 ss->pkcs11PinArg, &key_name[SESS_TICKET_ KEY_NAME_PREFIX_LEN],
189 &session_ticket_enc_key_pkcs11, &session_ticket_mac_key_pkcs11)) 202 &session_ticket_enc_key_pkcs11, &session _ticket_mac_key_pkcs11))
190 return PR_FAILURE; 203 return PR_FAILURE;
191 204
192 rv = NSS_RegisterShutdown(ssl3_SessionTicketShutdown, NULL); 205 rv = NSS_RegisterShutdown(ssl3_SessionTicketShutdown, NULL);
193 if (rv != SECSuccess) 206 if (rv != SECSuccess)
194 goto loser; 207 goto loser;
195 208
196 return PR_SUCCESS; 209 return PR_SUCCESS;
197 210
198 loser: 211 loser:
199 ssl3_SessionTicketShutdown(NULL, NULL); 212 ssl3_SessionTicketShutdown(NULL, NULL);
200 return PR_FAILURE; 213 return PR_FAILURE;
201 } 214 }
202 215
203 static SECStatus 216 static SECStatus
204 ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss, PK11SymKey **aes_key, 217 ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss, PK11SymKey **aes_key,
205 PK11SymKey **mac_key) 218 PK11SymKey **mac_key)
206 { 219 {
207 if (PR_CallOnceWithArg(&generate_session_keys_once, 220 if (PR_CallOnceWithArg(&generate_session_keys_once,
208 ssl3_GenerateSessionTicketKeysPKCS11, ss) != PR_SUCCESS) 221 ssl3_GenerateSessionTicketKeysPKCS11, ss) !=
222 PR_SUCCESS)
209 return SECFailure; 223 return SECFailure;
210 224
211 if (session_ticket_enc_key_pkcs11 == NULL || 225 if (session_ticket_enc_key_pkcs11 == NULL ||
212 session_ticket_mac_key_pkcs11 == NULL) 226 session_ticket_mac_key_pkcs11 == NULL)
213 return SECFailure; 227 return SECFailure;
214 228
215 *aes_key = session_ticket_enc_key_pkcs11; 229 *aes_key = session_ticket_enc_key_pkcs11;
216 *mac_key = session_ticket_mac_key_pkcs11; 230 *mac_key = session_ticket_mac_key_pkcs11;
217 return SECSuccess; 231 return SECSuccess;
218 } 232 }
219 233
220 #ifndef NO_PKCS11_BYPASS 234 #ifndef NO_PKCS11_BYPASS
221 static PRStatus 235 static PRStatus
222 ssl3_GenerateSessionTicketKeys(void) 236 ssl3_GenerateSessionTicketKeys(void)
223 { 237 {
224 PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX, 238 PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX,
225 sizeof(SESS_TICKET_KEY_NAME_PREFIX)); 239 sizeof(SESS_TICKET_KEY_NAME_PREFIX));
226 240
227 if (!ssl_GetSessionTicketKeys(&key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN], 241 if (!ssl_GetSessionTicketKeys(&key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN],
228 session_ticket_enc_key, session_ticket_mac_key)) 242 session_ticket_enc_key, session_ticket_mac_key ))
229 return PR_FAILURE; 243 return PR_FAILURE;
230 244
231 session_ticket_keys_initialized = PR_TRUE; 245 session_ticket_keys_initialized = PR_TRUE;
232 return PR_SUCCESS; 246 return PR_SUCCESS;
233 } 247 }
234 248
235 static SECStatus 249 static SECStatus
236 ssl3_GetSessionTicketKeys(const unsigned char **aes_key, 250 ssl3_GetSessionTicketKeys(const unsigned char **aes_key,
237 PRUint32 *aes_key_length, const unsigned char **mac_key, 251 PRUint32 *aes_key_length, const unsigned char **mac_ke y,
238 PRUint32 *mac_key_length) 252 PRUint32 *mac_key_length)
239 { 253 {
240 if (PR_CallOnce(&generate_session_keys_once, 254 if (PR_CallOnce(&generate_session_keys_once,
241 ssl3_GenerateSessionTicketKeys) != PR_SUCCESS) 255 ssl3_GenerateSessionTicketKeys) != PR_SUCCESS)
242 return SECFailure; 256 return SECFailure;
243 257
244 if (!session_ticket_keys_initialized) 258 if (!session_ticket_keys_initialized)
245 return SECFailure; 259 return SECFailure;
246 260
247 *aes_key = session_ticket_enc_key; 261 *aes_key = session_ticket_enc_key;
248 *aes_key_length = sizeof(session_ticket_enc_key); 262 *aes_key_length = sizeof(session_ticket_enc_key);
249 *mac_key = session_ticket_mac_key; 263 *mac_key = session_ticket_mac_key;
250 *mac_key_length = sizeof(session_ticket_mac_key); 264 *mac_key_length = sizeof(session_ticket_mac_key);
251 265
252 return SECSuccess; 266 return SECSuccess;
253 } 267 }
254 #endif 268 #endif
255 269
256 /* Table of handlers for received TLS hello extensions, one per extension. 270 /* Table of handlers for received TLS hello extensions, one per extension.
257 * In the second generation, this table will be dynamic, and functions 271 * In the second generation, this table will be dynamic, and functions
258 * will be registered here. 272 * will be registered here.
259 */ 273 */
260 /* This table is used by the server, to handle client hello extensions. */ 274 /* This table is used by the server, to handle client hello extensions. */
261 static const ssl3HelloExtensionHandler clientHelloHandlers[] = { 275 static const ssl3HelloExtensionHandler clientHelloHandlers[] = {
262 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, 276 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn },
263 #ifndef NSS_DISABLE_ECC 277 #ifndef NSS_DISABLE_ECC
264 { ssl_elliptic_curves_xtn, &ssl3_HandleSupportedCurvesXtn }, 278 { ssl_elliptic_curves_xtn, &ssl3_HandleSupportedCurvesXtn },
265 { ssl_ec_point_formats_xtn, &ssl3_HandleSupportedPointFormatsXtn }, 279 { ssl_ec_point_formats_xtn, &ssl3_HandleSupportedPointFormatsXtn },
266 #endif 280 #endif
267 { ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn }, 281 { ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn },
268 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, 282 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
269 { ssl_next_proto_nego_xtn, &ssl3_ServerHandleNextProtoNegoXtn }, 283 { ssl_next_proto_nego_xtn, &ssl3_ServerHandleNextProtoNegoXtn },
270 { ssl_app_layer_protocol_xtn, &ssl3_ServerHandleAppProtoXtn }, 284 { ssl_app_layer_protocol_xtn, &ssl3_ServerHandleAppProtoXtn },
271 { ssl_use_srtp_xtn, &ssl3_ServerHandleUseSRTPXtn }, 285 { ssl_use_srtp_xtn, &ssl3_ServerHandleUseSRTPXtn },
272 { ssl_cert_status_xtn, &ssl3_ServerHandleStatusRequestXtn }, 286 { ssl_cert_status_xtn, &ssl3_ServerHandleStatusRequestXtn },
273 { ssl_signature_algorithms_xtn, &ssl3_ServerHandleSigAlgsXtn }, 287 { ssl_signature_algorithms_xtn, &ssl3_ServerHandleSigAlgsXtn },
274 { ssl_tls13_draft_version_xtn, &ssl3_ServerHandleDraftVersionXtn }, 288 { ssl_tls13_draft_version_xtn, &ssl3_ServerHandleDraftVersionXtn },
275 { ssl_extended_master_secret_xtn, &ssl3_HandleExtendedMasterSecretXtn }, 289 { ssl_extended_master_secret_xtn, &ssl3_HandleExtendedMasterSecretXtn },
290 { ssl_signed_cert_timestamp_xtn, &ssl3_ServerHandleSignedCertTimestampXtn },
291 { ssl_tls13_key_share_xtn, &tls13_ServerHandleKeyShareXtn },
276 { -1, NULL } 292 { -1, NULL }
277 }; 293 };
278 294
279 /* These two tables are used by the client, to handle server hello 295 /* These two tables are used by the client, to handle server hello
280 * extensions. */ 296 * extensions. */
281 static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = { 297 static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = {
282 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, 298 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn },
283 /* TODO: add a handler for ssl_ec_point_formats_xtn */ 299 /* TODO: add a handler for ssl_ec_point_formats_xtn */
284 { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn }, 300 { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn },
285 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, 301 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
286 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, 302 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn },
287 { ssl_app_layer_protocol_xtn, &ssl3_ClientHandleAppProtoXtn }, 303 { ssl_app_layer_protocol_xtn, &ssl3_ClientHandleAppProtoXtn },
288 { ssl_use_srtp_xtn, &ssl3_ClientHandleUseSRTPXtn }, 304 { ssl_use_srtp_xtn, &ssl3_ClientHandleUseSRTPXtn },
289 { ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn }, 305 { ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn },
290 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, 306 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn },
291 { ssl_extended_master_secret_xtn, &ssl3_HandleExtendedMasterSecretXtn }, 307 { ssl_extended_master_secret_xtn, &ssl3_HandleExtendedMasterSecretXtn },
292 { ssl_signed_certificate_timestamp_xtn, 308 { ssl_signed_cert_timestamp_xtn, &ssl3_ClientHandleSignedCertTimestampXtn },
293 &ssl3_ClientHandleSignedCertTimestampXtn }, 309 { ssl_tls13_key_share_xtn, &tls13_ClientHandleKeyShareXtn },
294 { -1, NULL } 310 { -1, NULL }
295 }; 311 };
296 312
297 static const ssl3HelloExtensionHandler serverHelloHandlersSSL3[] = { 313 static const ssl3HelloExtensionHandler serverHelloHandlersSSL3[] = {
298 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, 314 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
299 { -1, NULL } 315 { -1, NULL }
300 }; 316 };
301 317
302 /* Tables of functions to format TLS hello extensions, one function per 318 /* Tables of functions to format TLS hello extensions, one function per
303 * extension. 319 * extension.
304 * These static tables are for the formatting of client hello extensions. 320 * These static tables are for the formatting of client hello extensions.
305 * The server's table of hello senders is dynamic, in the socket struct, 321 * The server's table of hello senders is dynamic, in the socket struct,
306 * and sender functions are registered there. 322 * and sender functions are registered there.
307 */ 323 */
308 static const 324 static const ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] =
309 ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = { 325 {
310 { ssl_server_name_xtn, &ssl3_SendServerNameXtn }, 326 { ssl_server_name_xtn, &ssl3_SendServerNameXtn },
311 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn }, 327 { ssl_extended_master_secret_xtn, &ssl3_SendExtendedMasterSecretXtn },
328 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn },
312 #ifndef NSS_DISABLE_ECC 329 #ifndef NSS_DISABLE_ECC
313 { ssl_elliptic_curves_xtn, &ssl3_SendSupportedCurvesXtn }, 330 { ssl_elliptic_curves_xtn, &ssl3_SendSupportedCurvesXtn },
314 { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn }, 331 { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn },
315 #endif 332 #endif
316 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, 333 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn },
317 { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, 334 { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn },
318 { ssl_app_layer_protocol_xtn, &ssl3_ClientSendAppProtoXtn }, 335 { ssl_app_layer_protocol_xtn, &ssl3_ClientSendAppProtoXtn },
319 { ssl_use_srtp_xtn, &ssl3_ClientSendUseSRTPXtn }, 336 { ssl_use_srtp_xtn, &ssl3_ClientSendUseSRTPXtn },
320 { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn }, 337 { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn },
321 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, 338 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn },
322 { ssl_signed_certificate_timestamp_xtn, 339 { ssl_tls13_draft_version_xtn, &ssl3_ClientSendDraftVersionXtn },
323 &ssl3_ClientSendSignedCertTimestampXtn }, 340 { ssl_signed_cert_timestamp_xtn, &ssl3_ClientSendSignedCertTimestampXtn },
324 /* WebSphere Application Server 7.0 is intolerant to the last extension 341 { ssl_tls13_key_share_xtn, &tls13_ClientSendKeyShareXtn },
325 * being zero-length. It is not intolerant of TLS 1.2, so ensure that 342 /* Some servers (e.g. WebSphere Application Server 7.0 and Tomcat) will
326 * signature_algorithms is at the end to guarantee a non-empty 343 * time out or terminate the connection if the last extension in the
327 * extension. */ 344 * client hello is empty. They are not intolerant of TLS 1.2, so list
328 { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }, 345 * signature_algorithms at the end. See bug 1243641. */
329 { ssl_tls13_draft_version_xtn, &ssl3_ClientSendDraftVersionXtn }, 346 { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn },
330 { ssl_extended_master_secret_xtn, &ssl3_SendExtendedMasterSecretXtn}, 347 /* any extra entries will appear as { 0, NULL } */
331 /* any extra entries will appear as { 0, NULL } */ 348 };
332 };
333 349
334 static const 350 static const ssl3HelloExtensionSender clientHelloSendersSSL3[SSL_MAX_EXTENSIONS] =
335 ssl3HelloExtensionSender clientHelloSendersSSL3[SSL_MAX_EXTENSIONS] = { 351 {
336 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn } 352 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn }
337 /* any extra entries will appear as { 0, NULL } */ 353 /* any extra entries will appear as { 0, NULL } */
338 }; 354 };
339 355
340 static PRBool 356 static PRBool
341 arrayContainsExtension(const PRUint16 *array, PRUint32 len, PRUint16 ex_type) 357 arrayContainsExtension(const PRUint16 *array, PRUint32 len, PRUint16 ex_type)
342 { 358 {
343 unsigned int i; 359 unsigned int i;
344 for (i = 0; i < len; i++) { 360 for (i = 0; i < len; i++) {
345 if (ex_type == array[i]) 361 if (ex_type == array[i])
346 return PR_TRUE; 362 return PR_TRUE;
347 } 363 }
348 return PR_FALSE; 364 return PR_FALSE;
349 } 365 }
350 366
351 PRBool 367 PRBool
352 ssl3_ExtensionNegotiated(sslSocket *ss, PRUint16 ex_type) { 368 ssl3_ExtensionNegotiated(sslSocket *ss, PRUint16 ex_type)
369 {
353 TLSExtensionData *xtnData = &ss->xtnData; 370 TLSExtensionData *xtnData = &ss->xtnData;
354 return arrayContainsExtension(xtnData->negotiated, 371 return arrayContainsExtension(xtnData->negotiated,
355 xtnData->numNegotiated, ex_type); 372 xtnData->numNegotiated, ex_type);
356 } 373 }
357 374
358 static PRBool 375 static PRBool
359 ssl3_ClientExtensionAdvertised(sslSocket *ss, PRUint16 ex_type) { 376 ssl3_ClientExtensionAdvertised(sslSocket *ss, PRUint16 ex_type)
377 {
360 TLSExtensionData *xtnData = &ss->xtnData; 378 TLSExtensionData *xtnData = &ss->xtnData;
361 return arrayContainsExtension(xtnData->advertised, 379 return arrayContainsExtension(xtnData->advertised,
362 xtnData->numAdvertised, ex_type); 380 xtnData->numAdvertised, ex_type);
363 } 381 }
364 382
365 /* Format an SNI extension, using the name from the socket's URL, 383 /* Format an SNI extension, using the name from the socket's URL,
366 * unless that name is a dotted decimal string. 384 * unless that name is a dotted decimal string.
367 * Used by client and server. 385 * Used by client and server.
368 */ 386 */
369 PRInt32 387 PRInt32
370 ssl3_SendServerNameXtn(sslSocket * ss, PRBool append, 388 ssl3_SendServerNameXtn(sslSocket *ss, PRBool append,
371 PRUint32 maxBytes) 389 PRUint32 maxBytes)
372 { 390 {
373 SECStatus rv; 391 SECStatus rv;
374 if (!ss) 392 if (!ss)
375 return 0; 393 return 0;
376 if (!ss->sec.isServer) { 394 if (!ss->sec.isServer) {
377 PRUint32 len; 395 PRUint32 len;
378 PRNetAddr netAddr; 396 PRNetAddr netAddr;
379 397
380 /* must have a hostname */ 398 /* must have a hostname */
381 if (!ss->url || !ss->url[0]) 399 if (!ss->url || !ss->url[0])
382 return 0; 400 return 0;
383 /* must not be an IPv4 or IPv6 address */ 401 /* must not be an IPv4 or IPv6 address */
384 if (PR_SUCCESS == PR_StringToNetAddr(ss->url, &netAddr)) { 402 if (PR_SUCCESS == PR_StringToNetAddr(ss->url, &netAddr)) {
385 /* is an IP address (v4 or v6) */ 403 /* is an IP address (v4 or v6) */
386 return 0; 404 return 0;
387 } 405 }
388 len = PORT_Strlen(ss->url); 406 len = PORT_Strlen(ss->url);
389 if (append && maxBytes >= len + 9) { 407 if (append && maxBytes >= len + 9) {
390 /* extension_type */ 408 /* extension_type */
391 rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2); 409 rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2);
392 if (rv != SECSuccess) return -1; 410 if (rv != SECSuccess)
411 return -1;
393 /* length of extension_data */ 412 /* length of extension_data */
394 rv = ssl3_AppendHandshakeNumber(ss, len + 5, 2); 413 rv = ssl3_AppendHandshakeNumber(ss, len + 5, 2);
395 if (rv != SECSuccess) return -1; 414 if (rv != SECSuccess)
415 return -1;
396 /* length of server_name_list */ 416 /* length of server_name_list */
397 rv = ssl3_AppendHandshakeNumber(ss, len + 3, 2); 417 rv = ssl3_AppendHandshakeNumber(ss, len + 3, 2);
398 if (rv != SECSuccess) return -1; 418 if (rv != SECSuccess)
419 return -1;
399 /* Name Type (sni_host_name) */ 420 /* Name Type (sni_host_name) */
400 rv = ssl3_AppendHandshake(ss, "\0", 1); 421 rv = ssl3_AppendHandshake(ss, "\0", 1);
401 if (rv != SECSuccess) return -1; 422 if (rv != SECSuccess)
423 return -1;
402 /* HostName (length and value) */ 424 /* HostName (length and value) */
403 rv = ssl3_AppendHandshakeVariable(ss, (PRUint8 *)ss->url, len, 2); 425 rv = ssl3_AppendHandshakeVariable(ss, (PRUint8 *)ss->url, len, 2);
404 if (rv != SECSuccess) return -1; 426 if (rv != SECSuccess)
427 return -1;
405 if (!ss->sec.isServer) { 428 if (!ss->sec.isServer) {
406 TLSExtensionData *xtnData = &ss->xtnData; 429 TLSExtensionData *xtnData = &ss->xtnData;
407 xtnData->advertised[xtnData->numAdvertised++] = 430 xtnData->advertised[xtnData->numAdvertised++] =
408 ssl_server_name_xtn; 431 ssl_server_name_xtn;
409 } 432 }
410 } 433 }
411 return len + 9; 434 return len + 9;
412 } 435 }
413 /* Server side */ 436 /* Server side */
414 if (append && maxBytes >= 4) { 437 if (append && maxBytes >= 4) {
415 rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2); 438 rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2);
416 if (rv != SECSuccess) return -1; 439 if (rv != SECSuccess)
440 return -1;
417 /* length of extension_data */ 441 /* length of extension_data */
418 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); 442 rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
419 if (rv != SECSuccess) return -1; 443 if (rv != SECSuccess)
444 return -1;
420 } 445 }
421 return 4; 446 return 4;
422 } 447 }
423 448
424 /* handle an incoming SNI extension, by ignoring it. */ 449 /* handle an incoming SNI extension, by ignoring it. */
425 SECStatus 450 SECStatus
426 ssl3_HandleServerNameXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data) 451 ssl3_HandleServerNameXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
427 { 452 {
428 SECItem *names = NULL; 453 SECItem *names = NULL;
429 PRUint32 listCount = 0, namesPos = 0, i; 454 PRUint32 listCount = 0, namesPos = 0, i;
430 TLSExtensionData *xtnData = &ss->xtnData; 455 TLSExtensionData *xtnData = &ss->xtnData;
431 SECItem ldata; 456 SECItem ldata;
432 PRInt32 listLenBytes = 0; 457 PRInt32 listLenBytes = 0;
433 458
434 if (!ss->sec.isServer) { 459 if (!ss->sec.isServer) {
435 return SECSuccess; /* ignore extension */ 460 return SECSuccess; /* ignore extension */
436 } 461 }
437 462
438 /* Server side - consume client data and register server sender. */ 463 /* Server side - consume client data and register server sender. */
439 /* do not parse the data if don't have user extension handling function. */ 464 /* do not parse the data if don't have user extension handling function. */
440 if (!ss->sniSocketConfig) { 465 if (!ss->sniSocketConfig) {
441 return SECSuccess; 466 return SECSuccess;
442 } 467 }
(...skipping 26 matching lines...) Expand all
469 if (listLenBytes > 0 && !ldata.len) { 494 if (listLenBytes > 0 && !ldata.len) {
470 (void)ssl3_DecodeError(ss); 495 (void)ssl3_DecodeError(ss);
471 return SECFailure; 496 return SECFailure;
472 } 497 }
473 listCount += 1; 498 listCount += 1;
474 } 499 }
475 names = PORT_ZNewArray(SECItem, listCount); 500 names = PORT_ZNewArray(SECItem, listCount);
476 if (!names) { 501 if (!names) {
477 return SECFailure; 502 return SECFailure;
478 } 503 }
479 for (i = 0;i < listCount;i++) { 504 for (i = 0; i < listCount; i++) {
480 unsigned int j; 505 unsigned int j;
481 PRInt32 type; 506 PRInt32 type;
482 SECStatus rv; 507 SECStatus rv;
483 PRBool nametypePresent = PR_FALSE; 508 PRBool nametypePresent = PR_FALSE;
484 /* Name Type (sni_host_name) */ 509 /* Name Type (sni_host_name) */
485 type = ssl3_ConsumeHandshakeNumber(ss, 1, &data->data, &data->len); 510 type = ssl3_ConsumeHandshakeNumber(ss, 1, &data->data, &data->len);
486 /* Check if we have such type in the list */ 511 /* Check if we have such type in the list */
487 for (j = 0;j < listCount && names[j].data;j++) { 512 for (j = 0; j < listCount && names[j].data; j++) {
488 /* TODO bug 998524: .type is not assigned a value */ 513 /* TODO bug 998524: .type is not assigned a value */
489 if (names[j].type == type) { 514 if (names[j].type == type) {
490 nametypePresent = PR_TRUE; 515 nametypePresent = PR_TRUE;
491 break; 516 break;
492 } 517 }
493 } 518 }
494 /* HostName (length and value) */ 519 /* HostName (length and value) */
495 rv = ssl3_ConsumeHandshakeVariable(ss, &names[namesPos], 2, 520 rv = ssl3_ConsumeHandshakeVariable(ss, &names[namesPos], 2,
496 &data->data, &data->len); 521 &data->data, &data->len);
497 if (rv != SECSuccess) { 522 if (rv != SECSuccess) {
(...skipping 16 matching lines...) Expand all
514 539
515 return SECSuccess; 540 return SECSuccess;
516 } 541 }
517 542
518 /* Called by both clients and servers. 543 /* Called by both clients and servers.
519 * Clients sends a filled in session ticket if one is available, and otherwise 544 * Clients sends a filled in session ticket if one is available, and otherwise
520 * sends an empty ticket. Servers always send empty tickets. 545 * sends an empty ticket. Servers always send empty tickets.
521 */ 546 */
522 PRInt32 547 PRInt32
523 ssl3_SendSessionTicketXtn( 548 ssl3_SendSessionTicketXtn(
524 sslSocket * ss, 549 sslSocket *ss,
525 PRBool append, 550 PRBool append,
526 PRUint32 maxBytes) 551 PRUint32 maxBytes)
527 { 552 {
528 PRInt32 extension_length; 553 PRInt32 extension_length;
529 NewSessionTicket *session_ticket = NULL; 554 NewSessionTicket *session_ticket = NULL;
530 sslSessionID *sid = ss->sec.ci.sid; 555 sslSessionID *sid = ss->sec.ci.sid;
531 556
532 /* Ignore the SessionTicket extension if processing is disabled. */ 557 /* Ignore the SessionTicket extension if processing is disabled. */
533 if (!ss->opt.enableSessionTickets) 558 if (!ss->opt.enableSessionTickets)
534 return 0; 559 return 0;
535 560
536 /* Empty extension length = extension_type (2-bytes) + 561 /* Empty extension length = extension_type (2-bytes) +
(...skipping 12 matching lines...) Expand all
549 * consistent between the two calls. Note that currently the caller 574 * consistent between the two calls. Note that currently the caller
550 * will only be holding the lock when we are the client and when we're 575 * will only be holding the lock when we are the client and when we're
551 * attempting to resume an existing session. 576 * attempting to resume an existing session.
552 */ 577 */
553 578
554 session_ticket = &sid->u.ssl3.locked.sessionTicket; 579 session_ticket = &sid->u.ssl3.locked.sessionTicket;
555 if (session_ticket->ticket.data) { 580 if (session_ticket->ticket.data) {
556 if (ss->xtnData.ticketTimestampVerified) { 581 if (ss->xtnData.ticketTimestampVerified) {
557 extension_length += session_ticket->ticket.len; 582 extension_length += session_ticket->ticket.len;
558 } else if (!append && 583 } else if (!append &&
559 (session_ticket->ticket_lifetime_hint == 0 || 584 (session_ticket->ticket_lifetime_hint == 0 ||
560 (session_ticket->ticket_lifetime_hint + 585 (session_ticket->ticket_lifetime_hint +
561 session_ticket->received_timestamp > ssl_Time()))) { 586 session_ticket->received_timestamp >
587 ssl_Time()))) {
562 extension_length += session_ticket->ticket.len; 588 extension_length += session_ticket->ticket.len;
563 ss->xtnData.ticketTimestampVerified = PR_TRUE; 589 ss->xtnData.ticketTimestampVerified = PR_TRUE;
564 } 590 }
565 } 591 }
566 } 592 }
567 593
568 if (maxBytes < (PRUint32)extension_length) { 594 if (maxBytes < (PRUint32)extension_length) {
569 PORT_Assert(0); 595 PORT_Assert(0);
570 return 0; 596 return 0;
571 } 597 }
572 if (append) { 598 if (append) {
573 SECStatus rv; 599 SECStatus rv;
574 /* extension_type */ 600 /* extension_type */
575 rv = ssl3_AppendHandshakeNumber(ss, ssl_session_ticket_xtn, 2); 601 rv = ssl3_AppendHandshakeNumber(ss, ssl_session_ticket_xtn, 2);
576 if (rv != SECSuccess) 602 if (rv != SECSuccess)
577 goto loser; 603 goto loser;
578 if (session_ticket && session_ticket->ticket.data && 604 if (session_ticket && session_ticket->ticket.data &&
579 ss->xtnData.ticketTimestampVerified) { 605 ss->xtnData.ticketTimestampVerified) {
580 rv = ssl3_AppendHandshakeVariable(ss, session_ticket->ticket.data, 606 rv = ssl3_AppendHandshakeVariable(ss, session_ticket->ticket.data,
581 session_ticket->ticket.len, 2); 607 session_ticket->ticket.len, 2);
582 ss->xtnData.ticketTimestampVerified = PR_FALSE; 608 ss->xtnData.ticketTimestampVerified = PR_FALSE;
583 ss->xtnData.sentSessionTicketInClientHello = PR_TRUE; 609 ss->xtnData.sentSessionTicketInClientHello = PR_TRUE;
584 } else { 610 } else {
585 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); 611 rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
586 } 612 }
587 if (rv != SECSuccess) 613 if (rv != SECSuccess)
588 goto loser; 614 goto loser;
589 615
590 if (!ss->sec.isServer) { 616 if (!ss->sec.isServer) {
591 TLSExtensionData *xtnData = &ss->xtnData; 617 TLSExtensionData *xtnData = &ss->xtnData;
592 xtnData->advertised[xtnData->numAdvertised++] = 618 xtnData->advertised[xtnData->numAdvertised++] =
593 ssl_session_ticket_xtn; 619 ssl_session_ticket_xtn;
594 } 620 }
595 } 621 }
596 return extension_length; 622 return extension_length;
597 623
598 loser: 624 loser:
599 ss->xtnData.ticketTimestampVerified = PR_FALSE; 625 ss->xtnData.ticketTimestampVerified = PR_FALSE;
600 return -1; 626 return -1;
601 } 627 }
602 628
603 /* handle an incoming Next Protocol Negotiation extension. */ 629 /* handle an incoming Next Protocol Negotiation extension. */
604 static SECStatus 630 static SECStatus
605 ssl3_ServerHandleNextProtoNegoXtn(sslSocket * ss, PRUint16 ex_type, 631 ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type,
606 SECItem *data) 632 SECItem *data)
607 { 633 {
608 if (ss->firstHsDone || data->len != 0) { 634 if (ss->firstHsDone || data->len != 0) {
609 /* Clients MUST send an empty NPN extension, if any. */ 635 /* Clients MUST send an empty NPN extension, if any. */
610 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); 636 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
611 return SECFailure; 637 return SECFailure;
612 } 638 }
613 639
614 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 640 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
615 641
616 /* TODO: server side NPN support would require calling 642 /* TODO: server side NPN support would require calling
617 * ssl3_RegisterServerHelloExtensionSender here in order to echo the 643 * ssl3_RegisterServerHelloExtensionSender here in order to echo the
618 * extension back to the client. */ 644 * extension back to the client. */
619 645
620 return SECSuccess; 646 return SECSuccess;
621 } 647 }
622 648
623 /* ssl3_ValidateNextProtoNego checks that the given block of data is valid: none 649 /* ssl3_ValidateNextProtoNego checks that the given block of data is valid: none
624 * of the lengths may be 0 and the sum of the lengths must equal the length of 650 * of the lengths may be 0 and the sum of the lengths must equal the length of
625 * the block. */ 651 * the block. */
626 SECStatus 652 SECStatus
627 ssl3_ValidateNextProtoNego(const unsigned char* data, unsigned int length) 653 ssl3_ValidateNextProtoNego(const unsigned char *data, unsigned int length)
628 { 654 {
629 unsigned int offset = 0; 655 unsigned int offset = 0;
630 656
631 while (offset < length) { 657 while (offset < length) {
632 unsigned int newOffset = offset + 1 + (unsigned int) data[offset]; 658 unsigned int newOffset = offset + 1 + (unsigned int)data[offset];
633 /* Reject embedded nulls to protect against buggy applications that 659 /* Reject embedded nulls to protect against buggy applications that
634 * store protocol identifiers in null-terminated strings. 660 * store protocol identifiers in null-terminated strings.
635 */ 661 */
636 if (newOffset > length || data[offset] == 0) { 662 if (newOffset > length || data[offset] == 0) {
637 return SECFailure; 663 return SECFailure;
638 } 664 }
639 offset = newOffset; 665 offset = newOffset;
640 } 666 }
641 667
642 return SECSuccess; 668 return SECSuccess;
(...skipping 75 matching lines...) Expand 10 before | Expand all | Expand 10 after
718 return SECFailure; 744 return SECFailure;
719 } 745 }
720 746
721 if (!ss->nextProtoCallback) { 747 if (!ss->nextProtoCallback) {
722 /* we're not configured for it */ 748 /* we're not configured for it */
723 return SECSuccess; 749 return SECSuccess;
724 } 750 }
725 751
726 rv = ssl3_SelectAppProtocol(ss, ex_type, data); 752 rv = ssl3_SelectAppProtocol(ss, ex_type, data);
727 if (rv != SECSuccess) { 753 if (rv != SECSuccess) {
728 return rv; 754 return rv;
729 } 755 }
730 756
731 /* prepare to send back a response, if we negotiated */ 757 /* prepare to send back a response, if we negotiated */
732 if (ss->ssl3.nextProtoState == SSL_NEXT_PROTO_NEGOTIATED) { 758 if (ss->ssl3.nextProtoState == SSL_NEXT_PROTO_NEGOTIATED) {
733 rv = ssl3_RegisterServerHelloExtensionSender( 759 rv = ssl3_RegisterServerHelloExtensionSender(
734 ss, ex_type, ssl3_ServerSendAppProtoXtn); 760 ss, ex_type, ssl3_ServerSendAppProtoXtn);
735 if (rv != SECSuccess) { 761 if (rv != SECSuccess) {
736 (void)SSL3_SendAlert(ss, alert_fatal, internal_error); 762 (void)SSL3_SendAlert(ss, alert_fatal, internal_error);
737 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 763 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
738 return rv; 764 return rv;
(...skipping 73 matching lines...) Expand 10 before | Expand all | Expand 10 after
812 return SECFailure; 838 return SECFailure;
813 } 839 }
814 840
815 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); 841 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
816 ss->ssl3.nextProtoState = SSL_NEXT_PROTO_SELECTED; 842 ss->ssl3.nextProtoState = SSL_NEXT_PROTO_SELECTED;
817 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 843 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
818 return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &protocol_name); 844 return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &protocol_name);
819 } 845 }
820 846
821 static PRInt32 847 static PRInt32
822 ssl3_ClientSendNextProtoNegoXtn(sslSocket * ss, PRBool append, 848 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append,
823 PRUint32 maxBytes) 849 PRUint32 maxBytes)
824 { 850 {
825 PRInt32 extension_length; 851 PRInt32 extension_length;
826 852
827 /* Renegotiations do not send this extension. */ 853 /* Renegotiations do not send this extension. */
828 if (!ss->opt.enableNPN || !ss->nextProtoCallback || ss->firstHsDone) { 854 if (!ss->opt.enableNPN || !ss->nextProtoCallback || ss->firstHsDone) {
829 return 0; 855 return 0;
830 } 856 }
831 857
832 extension_length = 4; 858 extension_length = 4;
833 859
834 if (maxBytes < (PRUint32)extension_length) { 860 if (maxBytes < (PRUint32)extension_length) {
835 return 0; 861 return 0;
836 } 862 }
837 if (append) { 863 if (append) {
838 SECStatus rv; 864 SECStatus rv;
839 rv = ssl3_AppendHandshakeNumber(ss, ssl_next_proto_nego_xtn, 2); 865 rv = ssl3_AppendHandshakeNumber(ss, ssl_next_proto_nego_xtn, 2);
840 if (rv != SECSuccess) 866 if (rv != SECSuccess)
841 goto loser; 867 goto loser;
842 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); 868 rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
843 if (rv != SECSuccess) 869 if (rv != SECSuccess)
844 goto loser; 870 goto loser;
845 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = 871 ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
846 ssl_next_proto_nego_xtn; 872 ssl_next_proto_nego_xtn;
847 } 873 }
848 874
849 return extension_length; 875 return extension_length;
850 876
851 loser: 877 loser:
852 return -1; 878 return -1;
853 } 879 }
854 880
855 static PRInt32 881 static PRInt32
856 ssl3_ClientSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes) 882 ssl3_ClientSendAppProtoXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes)
857 { 883 {
858 PRInt32 extension_length; 884 PRInt32 extension_length;
859 unsigned char *alpn_protos = NULL; 885 unsigned char *alpn_protos = NULL;
860 886
861 /* Renegotiations do not send this extension. */ 887 /* Renegotiations do not send this extension. */
862 if (!ss->opt.enableALPN || !ss->opt.nextProtoNego.data || ss->firstHsDone) { 888 if (!ss->opt.enableALPN || !ss->opt.nextProtoNego.data || ss->firstHsDone) {
863 return 0; 889 return 0;
864 } 890 }
865 891
866 extension_length = 2 /* extension type */ + 2 /* extension length */ + 892 extension_length = 2 /* extension type */ + 2 /* extension length */ +
(...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after
902 if (rv != SECSuccess) { 928 if (rv != SECSuccess) {
903 goto loser; 929 goto loser;
904 } 930 }
905 rv = ssl3_AppendHandshakeVariable(ss, alpn_protos, len, 2); 931 rv = ssl3_AppendHandshakeVariable(ss, alpn_protos, len, 2);
906 PORT_Free(alpn_protos); 932 PORT_Free(alpn_protos);
907 alpn_protos = NULL; 933 alpn_protos = NULL;
908 if (rv != SECSuccess) { 934 if (rv != SECSuccess) {
909 goto loser; 935 goto loser;
910 } 936 }
911 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = 937 ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
912 ssl_app_layer_protocol_xtn; 938 ssl_app_layer_protocol_xtn;
913 } 939 }
914 940
915 return extension_length; 941 return extension_length;
916 942
917 loser: 943 loser:
918 if (alpn_protos) { 944 if (alpn_protos) {
919 PORT_Free(alpn_protos); 945 PORT_Free(alpn_protos);
920 } 946 }
921 return -1; 947 return -1;
922 } 948 }
923 949
924 static PRInt32 950 static PRInt32
925 ssl3_ServerSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes) 951 ssl3_ServerSendAppProtoXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes)
926 { 952 {
927 PRInt32 extension_length; 953 PRInt32 extension_length;
928 954
929 /* we're in over our heads if any of these fail */ 955 /* we're in over our heads if any of these fail */
930 PORT_Assert(ss->opt.enableALPN); 956 PORT_Assert(ss->opt.enableALPN);
931 PORT_Assert(ss->ssl3.nextProto.data); 957 PORT_Assert(ss->ssl3.nextProto.data);
932 PORT_Assert(ss->ssl3.nextProto.len > 0); 958 PORT_Assert(ss->ssl3.nextProto.len > 0);
933 PORT_Assert(ss->ssl3.nextProtoState == SSL_NEXT_PROTO_NEGOTIATED); 959 PORT_Assert(ss->ssl3.nextProtoState == SSL_NEXT_PROTO_NEGOTIATED);
934 PORT_Assert(!ss->firstHsDone); 960 PORT_Assert(!ss->firstHsDone);
935 961
(...skipping 23 matching lines...) Expand all
959 if (rv != SECSuccess) { 985 if (rv != SECSuccess) {
960 return -1; 986 return -1;
961 } 987 }
962 } 988 }
963 989
964 return extension_length; 990 return extension_length;
965 } 991 }
966 992
967 static SECStatus 993 static SECStatus
968 ssl3_ClientHandleChannelIDXtn(sslSocket *ss, PRUint16 ex_type, 994 ssl3_ClientHandleChannelIDXtn(sslSocket *ss, PRUint16 ex_type,
969 » » » SECItem *data) 995 SECItem *data)
970 { 996 {
971 PORT_Assert(ss->getChannelID != NULL); 997 PORT_Assert(ss->getChannelID != NULL);
972 998
973 if (data->len) { 999 if (data->len) {
974 » PORT_SetError(SSL_ERROR_BAD_CHANNEL_ID_DATA); 1000 PORT_SetError(SSL_ERROR_BAD_CHANNEL_ID_DATA);
975 » return SECFailure; 1001 return SECFailure;
976 } 1002 }
977 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 1003 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
978 return SECSuccess; 1004 return SECSuccess;
979 } 1005 }
980 1006
981 static PRInt32 1007 static PRInt32
982 ssl3_ClientSendChannelIDXtn(sslSocket * ss, PRBool append, 1008 ssl3_ClientSendChannelIDXtn(sslSocket *ss, PRBool append,
983 » » » PRUint32 maxBytes) 1009 PRUint32 maxBytes)
984 { 1010 {
985 PRInt32 extension_length = 4; 1011 PRInt32 extension_length = 4;
986 1012
987 if (!ss->getChannelID) 1013 if (!ss->getChannelID)
988 » return 0; 1014 return 0;
989 1015
990 if (maxBytes < extension_length) { 1016 if (maxBytes < extension_length) {
991 » PORT_Assert(0); 1017 PORT_Assert(0);
992 » return 0; 1018 return 0;
993 } 1019 }
994 1020
995 if (ss->sec.ci.sid->cached != never_cached && 1021 if (ss->sec.ci.sid->cached != never_cached &&
996 ss->sec.ci.sid->u.ssl3.originalHandshakeHash.len == 0) { 1022 ss->sec.ci.sid->u.ssl3.originalHandshakeHash.len == 0) {
997 /* We can't do ChannelID on a connection if we're resuming and didn't 1023 /* We can't do ChannelID on a connection if we're resuming and didn't
998 * do ChannelID on the original connection: without ChannelID on the 1024 * do ChannelID on the original connection: without ChannelID on the
999 * original connection we didn't record the handshake hashes needed for 1025 * original connection we didn't record the handshake hashes needed for
1000 * the signature. */ 1026 * the signature. */
1001 » return 0; 1027 return 0;
1002 } 1028 }
1003 1029
1004 if (append) { 1030 if (append) {
1005 » SECStatus rv; 1031 SECStatus rv;
1006 » rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2); 1032 rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2);
1007 » if (rv != SECSuccess) 1033 if (rv != SECSuccess)
1008 » goto loser; 1034 goto loser;
1009 » rv = ssl3_AppendHandshakeNumber(ss, 0, 2); 1035 rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
1010 » if (rv != SECSuccess) 1036 if (rv != SECSuccess)
1011 » goto loser; 1037 goto loser;
1012 » ss->xtnData.advertised[ss->xtnData.numAdvertised++] = 1038 ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
1013 » » ssl_channel_id_xtn; 1039 ssl_channel_id_xtn;
1014 } 1040 }
1015 1041
1016 return extension_length; 1042 return extension_length;
1017 1043
1018 loser: 1044 loser:
1019 return -1; 1045 return -1;
1020 } 1046 }
1021 1047
1022 static SECStatus 1048 static SECStatus
1023 ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type, 1049 ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type,
1024 SECItem *data) 1050 SECItem *data)
1025 { 1051 {
1026 /* The echoed extension must be empty. */ 1052 /* The echoed extension must be empty. */
1027 if (data->len != 0) { 1053 if (data->len != 0) {
1028 return SECSuccess; /* Ignore the extension. */ 1054 return SECSuccess; /* Ignore the extension. */
1029 } 1055 }
1030 1056
1031 /* Keep track of negotiated extensions. */ 1057 /* Keep track of negotiated extensions. */
1032 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 1058 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
1033 1059
1034 return SECSuccess; 1060 return SECSuccess;
1035 } 1061 }
1036 1062
1037 static PRInt32 1063 static PRInt32
1038 ssl3_ServerSendStatusRequestXtn( 1064 ssl3_ServerSendStatusRequestXtn(
1039 sslSocket * ss, 1065 sslSocket *ss,
1040 PRBool append, 1066 PRBool append,
1041 PRUint32 maxBytes) 1067 PRUint32 maxBytes)
1042 { 1068 {
1043 PRInt32 extension_length; 1069 PRInt32 extension_length;
1070 SSLKEAType effectiveExchKeyType;
1044 SECStatus rv; 1071 SECStatus rv;
1045 int i;
1046 PRBool haveStatus = PR_FALSE;
1047 1072
1048 for (i = kt_null; i < kt_kea_size; i++) { 1073 /* ssl3_SendCertificateStatus (which sents the certificate status data)
1049 /* TODO: This is a temporary workaround. 1074 * uses the exact same logic to select the server certificate
1050 * The correct code needs to see if we have an OCSP response for 1075 * and determine if we have the status for that certificate. */
1051 * the server certificate being used, rather than if we have any 1076
1052 * OCSP response. See also ssl3_SendCertificateStatus. 1077 if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa ||
1053 */ 1078 ss->ssl3.hs.kea_def->kea == kea_dhe_rsa) {
1054 if (ss->certStatusArray[i] && ss->certStatusArray[i]->len) { 1079 effectiveExchKeyType = ssl_kea_rsa;
1055 haveStatus = PR_TRUE; 1080 } else {
1056 break; 1081 effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType;
1057 }
1058 } 1082 }
1059 if (!haveStatus) 1083
1084 if (!ss->certStatusArray[effectiveExchKeyType] ||
1085 !ss->certStatusArray[effectiveExchKeyType]->len) {
1060 return 0; 1086 return 0;
1087 }
1061 1088
1062 extension_length = 2 + 2; 1089 extension_length = 2 + 2;
1063 if (maxBytes < (PRUint32)extension_length) { 1090 if (maxBytes < (PRUint32)extension_length) {
1064 return 0; 1091 return 0;
1065 } 1092 }
1066 if (append) { 1093 if (append) {
1067 /* extension_type */ 1094 /* extension_type */
1068 rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2); 1095 rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2);
1069 if (rv != SECSuccess) 1096 if (rv != SECSuccess)
1070 return -1; 1097 return -1;
1071 /* length of extension_data */ 1098 /* length of extension_data */
1072 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); 1099 rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
1073 if (rv != SECSuccess) 1100 if (rv != SECSuccess)
1074 return -1; 1101 return -1;
1102 /* The certificate status data is sent in ssl3_SendCertificateStatus. */
1075 } 1103 }
1076 1104
1077 return extension_length; 1105 return extension_length;
1078 } 1106 }
1079 1107
1080 /* ssl3_ClientSendStatusRequestXtn builds the status_request extension on the 1108 /* ssl3_ClientSendStatusRequestXtn builds the status_request extension on the
1081 * client side. See RFC 4366 section 3.6. */ 1109 * client side. See RFC 4366 section 3.6. */
1082 static PRInt32 1110 static PRInt32
1083 ssl3_ClientSendStatusRequestXtn(sslSocket * ss, PRBool append, 1111 ssl3_ClientSendStatusRequestXtn(sslSocket *ss, PRBool append,
1084 PRUint32 maxBytes) 1112 PRUint32 maxBytes)
1085 { 1113 {
1086 PRInt32 extension_length; 1114 PRInt32 extension_length;
1087 1115
1088 if (!ss->opt.enableOCSPStapling) 1116 if (!ss->opt.enableOCSPStapling)
1089 return 0; 1117 return 0;
1090 1118
1091 /* extension_type (2-bytes) + 1119 /* extension_type (2-bytes) +
1092 * length(extension_data) (2-bytes) + 1120 * length(extension_data) (2-bytes) +
1093 * status_type (1) + 1121 * status_type (1) +
1094 * responder_id_list length (2) + 1122 * responder_id_list length (2) +
1095 * request_extensions length (2) 1123 * request_extensions length (2)
1096 */ 1124 */
1097 extension_length = 9; 1125 extension_length = 9;
1098 1126
1099 if (maxBytes < (PRUint32)extension_length) { 1127 if (maxBytes < (PRUint32)extension_length) {
1100 PORT_Assert(0); 1128 PORT_Assert(0);
1101 return 0; 1129 return 0;
1102 } 1130 }
1103 if (append) { 1131 if (append) {
1104 SECStatus rv; 1132 SECStatus rv;
1105 TLSExtensionData *xtnData; 1133 TLSExtensionData *xtnData;
1106 1134
1107 /* extension_type */ 1135 /* extension_type */
1108 rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2); 1136 rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2);
1109 if (rv != SECSuccess) 1137 if (rv != SECSuccess)
1110 return -1; 1138 return -1;
1111 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); 1139 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2);
1112 if (rv != SECSuccess) 1140 if (rv != SECSuccess)
1113 return -1; 1141 return -1;
1114 rv = ssl3_AppendHandshakeNumber(ss, 1 /* status_type ocsp */, 1); 1142 rv = ssl3_AppendHandshakeNumber(ss, 1 /* status_type ocsp */, 1);
1115 if (rv != SECSuccess) 1143 if (rv != SECSuccess)
1116 return -1; 1144 return -1;
1117 /* A zero length responder_id_list means that the responders are 1145 /* A zero length responder_id_list means that the responders are
1118 * implicitly known to the server. */ 1146 * implicitly known to the server. */
1119 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); 1147 rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
1120 if (rv != SECSuccess) 1148 if (rv != SECSuccess)
1121 return -1; 1149 return -1;
1122 /* A zero length request_extensions means that there are no extensions. 1150 /* A zero length request_extensions means that there are no extensions.
1123 * Specifically, we don't set the id-pkix-ocsp-nonce extension. This 1151 * Specifically, we don't set the id-pkix-ocsp-nonce extension. This
1124 * means that the server can replay a cached OCSP response to us. */ 1152 * means that the server can replay a cached OCSP response to us. */
1125 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); 1153 rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
1126 if (rv != SECSuccess) 1154 if (rv != SECSuccess)
1127 return -1; 1155 return -1;
1128 1156
1129 xtnData = &ss->xtnData; 1157 xtnData = &ss->xtnData;
1130 xtnData->advertised[xtnData->numAdvertised++] = ssl_cert_status_xtn; 1158 xtnData->advertised[xtnData->numAdvertised++] = ssl_cert_status_xtn;
1131 } 1159 }
1132 return extension_length; 1160 return extension_length;
1133 } 1161 }
1134 1162
1135 /* 1163 /*
1136 * NewSessionTicket 1164 * NewSessionTicket
1137 * Called from ssl3_HandleFinished 1165 * Called from ssl3_HandleFinished
1138 */ 1166 */
1139 SECStatus 1167 SECStatus
1140 ssl3_SendNewSessionTicket(sslSocket *ss) 1168 ssl3_SendNewSessionTicket(sslSocket *ss)
1141 { 1169 {
1142 PRUint32 i; 1170 PRUint32 i;
1143 SECStatus rv; 1171 SECStatus rv;
1144 NewSessionTicket ticket; 1172 NewSessionTicket ticket;
1145 SECItem plaintext; 1173 SECItem plaintext;
1146 SECItem plaintext_item = {0, NULL, 0}; 1174 SECItem plaintext_item = { 0, NULL, 0 };
1147 SECItem ciphertext = {0, NULL, 0}; 1175 SECItem ciphertext = { 0, NULL, 0 };
1148 PRUint32 ciphertext_length; 1176 PRUint32 ciphertext_length;
1149 PRBool ms_is_wrapped; 1177 PRBool ms_is_wrapped;
1150 unsigned char wrapped_ms[SSL3_MASTER_SECRET_LENGTH]; 1178 unsigned char wrapped_ms[SSL3_MASTER_SECRET_LENGTH];
1151 SECItem ms_item = {0, NULL, 0}; 1179 SECItem ms_item = { 0, NULL, 0 };
1152 SSL3KEAType effectiveExchKeyType = ssl_kea_null; 1180 SSL3KEAType effectiveExchKeyType = ssl_kea_null;
1153 PRUint32 padding_length; 1181 PRUint32 padding_length;
1154 PRUint32 message_length; 1182 PRUint32 message_length;
1155 PRUint32 cert_length; 1183 PRUint32 cert_length = 0;
1156 PRUint8 length_buf[4]; 1184 PRUint8 length_buf[4];
1157 PRUint32 now; 1185 PRUint32 now;
1158 PK11SymKey *aes_key_pkcs11; 1186 PK11SymKey *aes_key_pkcs11;
1159 PK11SymKey *mac_key_pkcs11; 1187 PK11SymKey *mac_key_pkcs11;
1160 #ifndef NO_PKCS11_BYPASS 1188 #ifndef NO_PKCS11_BYPASS
1161 const unsigned char *aes_key; 1189 const unsigned char *aes_key;
1162 const unsigned char *mac_key; 1190 const unsigned char *mac_key;
1163 PRUint32 aes_key_length; 1191 PRUint32 aes_key_length;
1164 PRUint32 mac_key_length; 1192 PRUint32 mac_key_length;
1165 PRUint64 aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS]; 1193 PRUint64 aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS];
1166 AESContext *aes_ctx; 1194 AESContext *aes_ctx;
1167 const SECHashObject *hashObj = NULL; 1195 const SECHashObject *hashObj = NULL;
1168 PRUint64 hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS]; 1196 PRUint64 hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS];
1169 HMACContext *hmac_ctx; 1197 HMACContext *hmac_ctx;
1170 #endif 1198 #endif
1171 CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC; 1199 CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC;
1172 PK11Context *aes_ctx_pkcs11; 1200 PK11Context *aes_ctx_pkcs11;
1173 CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC; 1201 CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC;
1174 PK11Context *hmac_ctx_pkcs11 = NULL; 1202 PK11Context *hmac_ctx_pkcs11 = NULL;
1175 unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH]; 1203 unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH];
1176 unsigned int computed_mac_length; 1204 unsigned int computed_mac_length;
1177 unsigned char iv[AES_BLOCK_SIZE]; 1205 unsigned char iv[AES_BLOCK_SIZE];
1178 SECItem ivItem; 1206 SECItem ivItem;
1179 SECItem *srvName = NULL; 1207 SECItem *srvName = NULL;
1180 PRUint32 srvNameLen = 0; 1208 PRUint32 srvNameLen = 0;
1181 CK_MECHANISM_TYPE msWrapMech = 0; /* dummy default value, 1209 CK_MECHANISM_TYPE msWrapMech = 0; /* dummy default value,
1182 * must be >= 0 */ 1210 * must be >= 0 */
1183 1211
1184 SSL_TRC(3, ("%d: SSL3[%d]: send session_ticket handshake", 1212 SSL_TRC(3, ("%d: SSL3[%d]: send session_ticket handshake",
1185 SSL_GETPID(), ss->fd)); 1213 SSL_GETPID(), ss->fd));
1186 1214
1187 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 1215 PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
1188 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 1216 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
1189 1217
1190 ticket.ticket_lifetime_hint = TLS_EX_SESS_TICKET_LIFETIME_HINT; 1218 ticket.ticket_lifetime_hint = TLS_EX_SESS_TICKET_LIFETIME_HINT;
1191 cert_length = (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) ? 1219 if (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) {
1192 3 + ss->sec.ci.sid->peerCert->derCert.len : 0; 1220 cert_length = 3 + ss->sec.ci.sid->peerCert->derCert.len;
1221 }
1193 1222
1194 /* Get IV and encryption keys */ 1223 /* Get IV and encryption keys */
1195 ivItem.data = iv; 1224 ivItem.data = iv;
1196 ivItem.len = sizeof(iv); 1225 ivItem.len = sizeof(iv);
1197 rv = PK11_GenerateRandom(iv, sizeof(iv)); 1226 rv = PK11_GenerateRandom(iv, sizeof(iv));
1198 if (rv != SECSuccess) goto loser; 1227 if (rv != SECSuccess)
1228 goto loser;
1199 1229
1200 #ifndef NO_PKCS11_BYPASS 1230 #ifndef NO_PKCS11_BYPASS
1201 if (ss->opt.bypassPKCS11) { 1231 if (ss->opt.bypassPKCS11) {
1202 rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length, 1232 rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length,
1203 &mac_key, &mac_key_length); 1233 &mac_key, &mac_key_length);
1204 } else 1234 } else
1205 #endif 1235 #endif
1206 { 1236 {
1207 rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11, 1237 rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11,
1208 &mac_key_pkcs11); 1238 &mac_key_pkcs11);
1209 } 1239 }
1210 if (rv != SECSuccess) goto loser; 1240 if (rv != SECSuccess)
1241 goto loser;
1211 1242
1212 if (ss->ssl3.pwSpec->msItem.len && ss->ssl3.pwSpec->msItem.data) { 1243 if (ss->ssl3.pwSpec->msItem.len && ss->ssl3.pwSpec->msItem.data) {
1213 /* The master secret is available unwrapped. */ 1244 /* The master secret is available unwrapped. */
1214 ms_item.data = ss->ssl3.pwSpec->msItem.data; 1245 ms_item.data = ss->ssl3.pwSpec->msItem.data;
1215 ms_item.len = ss->ssl3.pwSpec->msItem.len; 1246 ms_item.len = ss->ssl3.pwSpec->msItem.len;
1216 ms_is_wrapped = PR_FALSE; 1247 ms_is_wrapped = PR_FALSE;
1217 } else { 1248 } else {
1218 /* Extract the master secret wrapped. */ 1249 /* Extract the master secret wrapped. */
1219 sslSessionID sid; 1250 sslSessionID sid;
1220 PORT_Memset(&sid, 0, sizeof(sslSessionID)); 1251 PORT_Memset(&sid, 0, sizeof(sslSessionID));
1221 1252
1222 if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa || 1253 if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa ||
1223 ss->ssl3.hs.kea_def->kea == kea_dhe_rsa) { 1254 ss->ssl3.hs.kea_def->kea == kea_dhe_rsa) {
1224 effectiveExchKeyType = kt_rsa; 1255 effectiveExchKeyType = kt_rsa;
1225 } else { 1256 } else {
1226 effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType; 1257 effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType;
1227 } 1258 }
1228 1259
1229 rv = ssl3_CacheWrappedMasterSecret(ss, &sid, ss->ssl3.pwSpec, 1260 rv = ssl3_CacheWrappedMasterSecret(ss, &sid, ss->ssl3.pwSpec,
1230 effectiveExchKeyType); 1261 effectiveExchKeyType);
1231 if (rv == SECSuccess) { 1262 if (rv == SECSuccess) {
1232 if (sid.u.ssl3.keys.wrapped_master_secret_len > sizeof(wrapped_ms)) 1263 if (sid.u.ssl3.keys.wrapped_master_secret_len > sizeof(wrapped_ms))
1233 goto loser; 1264 goto loser;
1234 memcpy(wrapped_ms, sid.u.ssl3.keys.wrapped_master_secret, 1265 memcpy(wrapped_ms, sid.u.ssl3.keys.wrapped_master_secret,
1235 sid.u.ssl3.keys.wrapped_master_secret_len); 1266 sid.u.ssl3.keys.wrapped_master_secret_len);
1236 ms_item.data = wrapped_ms; 1267 ms_item.data = wrapped_ms;
1237 ms_item.len = sid.u.ssl3.keys.wrapped_master_secret_len; 1268 ms_item.len = sid.u.ssl3.keys.wrapped_master_secret_len;
1238 msWrapMech = sid.u.ssl3.masterWrapMech; 1269 msWrapMech = sid.u.ssl3.masterWrapMech;
1239 } else { 1270 } else {
1240 /* TODO: else send an empty ticket. */ 1271 /* TODO: else send an empty ticket. */
1241 goto loser; 1272 goto loser;
1242 } 1273 }
1243 ms_is_wrapped = PR_TRUE; 1274 ms_is_wrapped = PR_TRUE;
1244 } 1275 }
1245 /* Prep to send negotiated name */ 1276 /* Prep to send negotiated name */
1246 srvName = &ss->ssl3.pwSpec->srvVirtName; 1277 srvName = &ss->ssl3.pwSpec->srvVirtName;
1247 if (srvName->data && srvName->len) { 1278 if (srvName->data && srvName->len) {
1248 srvNameLen = 2 + srvName->len; /* len bytes + name len */ 1279 srvNameLen = 2 + srvName->len; /* len bytes + name len */
1249 } 1280 }
1250 1281
1251 ciphertext_length = 1282 ciphertext_length =
1252 sizeof(PRUint16) /* ticket_version */ 1283 sizeof(PRUint16) /* ticket_version */
1253 + sizeof(SSL3ProtocolVersion) /* ssl_version */ 1284 + sizeof(SSL3ProtocolVersion) /* ssl_version */
1254 + sizeof(ssl3CipherSuite) /* ciphersuite */ 1285 + sizeof(ssl3CipherSuite) /* ciphersuite */
1255 + 1 /* compression */ 1286 + 1 /* compression */
1256 + 10 /* cipher spec parameters */ 1287 + 10 /* cipher spec parameters */
1257 + 1 /* SessionTicket.ms_is_wrapped */ 1288 + 1 /* SessionTicket.ms_is_wrapped */
1258 + 1 /* effectiveExchKeyType */ 1289 + 1 /* effectiveExchKeyType */
1259 + 4 /* msWrapMech */ 1290 + 4 /* msWrapMech */
1260 + 2 /* master_secret.length */ 1291 + 2 /* master_secret.length */
1261 + ms_item.len /* master_secret */ 1292 + ms_item.len /* master_secret */
1262 + 1 /* client_auth_type */ 1293 + 1 /* client_auth_type */
1263 + cert_length /* cert */ 1294 + cert_length /* cert */
1264 + 1 /* server name type */ 1295 + 1 /* server name type */
1265 + srvNameLen /* name len + length field */ 1296 + srvNameLen /* name len + length field */
1266 + 1 /* extendedMasterSecretUsed */ 1297 + 1 /* extendedMasterSecretUsed */
1267 + sizeof(ticket.ticket_lifetime_hint); 1298 + sizeof(ticket.ticket_lifetime_hint);
1268 padding_length = AES_BLOCK_SIZE - 1299 padding_length = AES_BLOCK_SIZE -
1269 (ciphertext_length % AES_BLOCK_SIZE); 1300 (ciphertext_length %
1301 AES_BLOCK_SIZE);
1270 ciphertext_length += padding_length; 1302 ciphertext_length += padding_length;
1271 1303
1272 message_length = 1304 message_length =
1273 sizeof(ticket.ticket_lifetime_hint) /* ticket_lifetime_hint */ 1305 sizeof(ticket.ticket_lifetime_hint) /* ticket_lifetime_hint */
1274 + 2 /* length field for NewSessionTicket.ticket */ 1306 + 2 /* length field for NewSessionTicket .ticket */
1275 + SESS_TICKET_KEY_NAME_LEN /* key_name */ 1307 + SESS_TICKET_KEY_NAME_LEN /* key_name */
1276 + AES_BLOCK_SIZE /* iv */ 1308 + AES_BLOCK_SIZE /* iv */
1277 + 2 /* length field for NewSessionTicket.ticket.encrypted_state */ 1309 + 2 /* length field for NewSessionTicket .ticket.encrypted_state */
1278 + ciphertext_length /* encrypted_state */ 1310 + ciphertext_length /* encrypted_state */
1279 + TLS_EX_SESS_TICKET_MAC_LENGTH; /* mac */ 1311 + TLS_EX_SESS_TICKET_MAC_LENGTH; /* mac */
1280 1312
1281 if (SECITEM_AllocItem(NULL, &plaintext_item, ciphertext_length) == NULL) 1313 if (SECITEM_AllocItem(NULL, &plaintext_item, ciphertext_length) == NULL)
1282 goto loser; 1314 goto loser;
1283 1315
1284 plaintext = plaintext_item; 1316 plaintext = plaintext_item;
1285 1317
1286 /* ticket_version */ 1318 /* ticket_version */
1287 rv = ssl3_AppendNumberToItem(&plaintext, TLS_EX_SESS_TICKET_VERSION, 1319 rv = ssl3_AppendNumberToItem(&plaintext, TLS_EX_SESS_TICKET_VERSION,
1288 sizeof(PRUint16)); 1320 sizeof(PRUint16));
1289 if (rv != SECSuccess) goto loser; 1321 if (rv != SECSuccess)
1322 goto loser;
1290 1323
1291 /* ssl_version */ 1324 /* ssl_version */
1292 rv = ssl3_AppendNumberToItem(&plaintext, ss->version, 1325 rv = ssl3_AppendNumberToItem(&plaintext, ss->version,
1293 sizeof(SSL3ProtocolVersion)); 1326 sizeof(SSL3ProtocolVersion));
1294 if (rv != SECSuccess) goto loser; 1327 if (rv != SECSuccess)
1328 goto loser;
1295 1329
1296 /* ciphersuite */ 1330 /* ciphersuite */
1297 rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.cipher_suite, 1331 rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.cipher_suite,
1298 sizeof(ssl3CipherSuite)); 1332 sizeof(ssl3CipherSuite));
1299 if (rv != SECSuccess) goto loser; 1333 if (rv != SECSuccess)
1334 goto loser;
1300 1335
1301 /* compression */ 1336 /* compression */
1302 rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.compression, 1); 1337 rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.compression, 1);
1303 if (rv != SECSuccess) goto loser; 1338 if (rv != SECSuccess)
1339 goto loser;
1304 1340
1305 /* cipher spec parameters */ 1341 /* cipher spec parameters */
1306 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authAlgorithm, 1); 1342 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authAlgorithm, 1);
1307 if (rv != SECSuccess) goto loser; 1343 if (rv != SECSuccess)
1344 goto loser;
1308 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authKeyBits, 4); 1345 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authKeyBits, 4);
1309 if (rv != SECSuccess) goto loser; 1346 if (rv != SECSuccess)
1347 goto loser;
1310 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaType, 1); 1348 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaType, 1);
1311 if (rv != SECSuccess) goto loser; 1349 if (rv != SECSuccess)
1350 goto loser;
1312 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaKeyBits, 4); 1351 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaKeyBits, 4);
1313 if (rv != SECSuccess) goto loser; 1352 if (rv != SECSuccess)
1353 goto loser;
1314 1354
1315 /* master_secret */ 1355 /* master_secret */
1316 rv = ssl3_AppendNumberToItem(&plaintext, ms_is_wrapped, 1); 1356 rv = ssl3_AppendNumberToItem(&plaintext, ms_is_wrapped, 1);
1317 if (rv != SECSuccess) goto loser; 1357 if (rv != SECSuccess)
1358 goto loser;
1318 rv = ssl3_AppendNumberToItem(&plaintext, effectiveExchKeyType, 1); 1359 rv = ssl3_AppendNumberToItem(&plaintext, effectiveExchKeyType, 1);
1319 if (rv != SECSuccess) goto loser; 1360 if (rv != SECSuccess)
1361 goto loser;
1320 rv = ssl3_AppendNumberToItem(&plaintext, msWrapMech, 4); 1362 rv = ssl3_AppendNumberToItem(&plaintext, msWrapMech, 4);
1321 if (rv != SECSuccess) goto loser; 1363 if (rv != SECSuccess)
1364 goto loser;
1322 rv = ssl3_AppendNumberToItem(&plaintext, ms_item.len, 2); 1365 rv = ssl3_AppendNumberToItem(&plaintext, ms_item.len, 2);
1323 if (rv != SECSuccess) goto loser; 1366 if (rv != SECSuccess)
1367 goto loser;
1324 rv = ssl3_AppendToItem(&plaintext, ms_item.data, ms_item.len); 1368 rv = ssl3_AppendToItem(&plaintext, ms_item.data, ms_item.len);
1325 if (rv != SECSuccess) goto loser; 1369 if (rv != SECSuccess)
1370 goto loser;
1326 1371
1327 /* client_identity */ 1372 /* client_identity */
1328 if (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) { 1373 if (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) {
1329 rv = ssl3_AppendNumberToItem(&plaintext, CLIENT_AUTH_CERTIFICATE, 1); 1374 rv = ssl3_AppendNumberToItem(&plaintext, CLIENT_AUTH_CERTIFICATE, 1);
1330 if (rv != SECSuccess) goto loser; 1375 if (rv != SECSuccess)
1376 goto loser;
1331 rv = ssl3_AppendNumberToItem(&plaintext, 1377 rv = ssl3_AppendNumberToItem(&plaintext,
1332 ss->sec.ci.sid->peerCert->derCert.len, 3); 1378 ss->sec.ci.sid->peerCert->derCert.len, 3);
1333 if (rv != SECSuccess) goto loser; 1379 if (rv != SECSuccess)
1380 goto loser;
1334 rv = ssl3_AppendToItem(&plaintext, 1381 rv = ssl3_AppendToItem(&plaintext,
1335 ss->sec.ci.sid->peerCert->derCert.data, 1382 ss->sec.ci.sid->peerCert->derCert.data,
1336 ss->sec.ci.sid->peerCert->derCert.len); 1383 ss->sec.ci.sid->peerCert->derCert.len);
1337 if (rv != SECSuccess) goto loser; 1384 if (rv != SECSuccess)
1385 goto loser;
1338 } else { 1386 } else {
1339 rv = ssl3_AppendNumberToItem(&plaintext, 0, 1); 1387 rv = ssl3_AppendNumberToItem(&plaintext, 0, 1);
1340 if (rv != SECSuccess) goto loser; 1388 if (rv != SECSuccess)
1389 goto loser;
1341 } 1390 }
1342 1391
1343 /* timestamp */ 1392 /* timestamp */
1344 now = ssl_Time(); 1393 now = ssl_Time();
1345 rv = ssl3_AppendNumberToItem(&plaintext, now, 1394 rv = ssl3_AppendNumberToItem(&plaintext, now,
1346 sizeof(ticket.ticket_lifetime_hint)); 1395 sizeof(ticket.ticket_lifetime_hint));
1347 if (rv != SECSuccess) goto loser; 1396 if (rv != SECSuccess)
1397 goto loser;
1348 1398
1349 if (srvNameLen) { 1399 if (srvNameLen) {
1350 /* Name Type (sni_host_name) */ 1400 /* Name Type (sni_host_name) */
1351 rv = ssl3_AppendNumberToItem(&plaintext, srvName->type, 1); 1401 rv = ssl3_AppendNumberToItem(&plaintext, srvName->type, 1);
1352 if (rv != SECSuccess) goto loser; 1402 if (rv != SECSuccess)
1403 goto loser;
1353 /* HostName (length and value) */ 1404 /* HostName (length and value) */
1354 rv = ssl3_AppendNumberToItem(&plaintext, srvName->len, 2); 1405 rv = ssl3_AppendNumberToItem(&plaintext, srvName->len, 2);
1355 if (rv != SECSuccess) goto loser; 1406 if (rv != SECSuccess)
1407 goto loser;
1356 rv = ssl3_AppendToItem(&plaintext, srvName->data, srvName->len); 1408 rv = ssl3_AppendToItem(&plaintext, srvName->data, srvName->len);
1357 if (rv != SECSuccess) goto loser; 1409 if (rv != SECSuccess)
1410 goto loser;
1358 } else { 1411 } else {
1359 /* No Name */ 1412 /* No Name */
1360 rv = ssl3_AppendNumberToItem(&plaintext, (char)TLS_STE_NO_SERVER_NAME, 1413 rv = ssl3_AppendNumberToItem(&plaintext, (char)TLS_STE_NO_SERVER_NAME, 1 );
1361 1); 1414 if (rv != SECSuccess)
1362 if (rv != SECSuccess) goto loser; 1415 goto loser;
1363 } 1416 }
1364 1417
1365 /* extendedMasterSecretUsed */ 1418 /* extendedMasterSecretUsed */
1366 rv = ssl3_AppendNumberToItem( 1419 rv = ssl3_AppendNumberToItem(
1367 &plaintext, ss->sec.ci.sid->u.ssl3.keys.extendedMasterSecretUsed, 1); 1420 &plaintext, ss->sec.ci.sid->u.ssl3.keys.extendedMasterSecretUsed, 1);
1368 if (rv != SECSuccess) goto loser; 1421 if (rv != SECSuccess)
1422 goto loser;
1369 1423
1370 PORT_Assert(plaintext.len == padding_length); 1424 PORT_Assert(plaintext.len == padding_length);
1371 for (i = 0; i < padding_length; i++) 1425 for (i = 0; i < padding_length; i++)
1372 plaintext.data[i] = (unsigned char)padding_length; 1426 plaintext.data[i] = (unsigned char)padding_length;
1373 1427
1374 if (SECITEM_AllocItem(NULL, &ciphertext, ciphertext_length) == NULL) { 1428 if (SECITEM_AllocItem(NULL, &ciphertext, ciphertext_length) == NULL) {
1375 rv = SECFailure; 1429 rv = SECFailure;
1376 goto loser; 1430 goto loser;
1377 } 1431 }
1378 1432
1379 /* Generate encrypted portion of ticket. */ 1433 /* Generate encrypted portion of ticket. */
1380 #ifndef NO_PKCS11_BYPASS 1434 #ifndef NO_PKCS11_BYPASS
1381 if (ss->opt.bypassPKCS11) { 1435 if (ss->opt.bypassPKCS11) {
1382 aes_ctx = (AESContext *)aes_ctx_buf; 1436 aes_ctx = (AESContext *)aes_ctx_buf;
1383 rv = AES_InitContext(aes_ctx, aes_key, aes_key_length, iv, 1437 rv = AES_InitContext(aes_ctx, aes_key, aes_key_length, iv,
1384 NSS_AES_CBC, 1, AES_BLOCK_SIZE); 1438 NSS_AES_CBC, 1, AES_BLOCK_SIZE);
1385 if (rv != SECSuccess) goto loser; 1439 if (rv != SECSuccess)
1440 goto loser;
1386 1441
1387 rv = AES_Encrypt(aes_ctx, ciphertext.data, &ciphertext.len, 1442 rv = AES_Encrypt(aes_ctx, ciphertext.data, &ciphertext.len,
1388 ciphertext.len, plaintext_item.data, 1443 ciphertext.len, plaintext_item.data,
1389 plaintext_item.len); 1444 plaintext_item.len);
1390 if (rv != SECSuccess) goto loser; 1445 if (rv != SECSuccess)
1446 goto loser;
1391 } else 1447 } else
1392 #endif 1448 #endif
1393 { 1449 {
1394 aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech, 1450 aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech,
1395 CKA_ENCRYPT, aes_key_pkcs11, &ivItem); 1451 CKA_ENCRYPT, aes_key_pkcs11, &ivItem);
1396 if (!aes_ctx_pkcs11) 1452 if (!aes_ctx_pkcs11)
1397 goto loser; 1453 goto loser;
1398 1454
1399 rv = PK11_CipherOp(aes_ctx_pkcs11, ciphertext.data, 1455 rv = PK11_CipherOp(aes_ctx_pkcs11, ciphertext.data,
1400 (int *)&ciphertext.len, ciphertext.len, 1456 (int *)&ciphertext.len, ciphertext.len,
1401 plaintext_item.data, plaintext_item.len); 1457 plaintext_item.data, plaintext_item.len);
1402 PK11_Finalize(aes_ctx_pkcs11); 1458 PK11_Finalize(aes_ctx_pkcs11);
1403 PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE); 1459 PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE);
1404 if (rv != SECSuccess) goto loser; 1460 if (rv != SECSuccess)
1461 goto loser;
1405 } 1462 }
1406 1463
1407 /* Convert ciphertext length to network order. */ 1464 /* Convert ciphertext length to network order. */
1408 length_buf[0] = (ciphertext.len >> 8) & 0xff; 1465 length_buf[0] = (ciphertext.len >> 8) & 0xff;
1409 length_buf[1] = (ciphertext.len ) & 0xff; 1466 length_buf[1] = (ciphertext.len) & 0xff;
1410 1467
1411 /* Compute MAC. */ 1468 /* Compute MAC. */
1412 #ifndef NO_PKCS11_BYPASS 1469 #ifndef NO_PKCS11_BYPASS
1413 if (ss->opt.bypassPKCS11) { 1470 if (ss->opt.bypassPKCS11) {
1414 hmac_ctx = (HMACContext *)hmac_ctx_buf; 1471 hmac_ctx = (HMACContext *)hmac_ctx_buf;
1415 hashObj = HASH_GetRawHashObject(HASH_AlgSHA256); 1472 hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
1416 if (HMAC_Init(hmac_ctx, hashObj, mac_key, 1473 if (HMAC_Init(hmac_ctx, hashObj, mac_key,
1417 mac_key_length, PR_FALSE) != SECSuccess) 1474 mac_key_length, PR_FALSE) != SECSuccess)
1418 goto loser; 1475 goto loser;
1419 1476
1420 HMAC_Begin(hmac_ctx); 1477 HMAC_Begin(hmac_ctx);
1421 HMAC_Update(hmac_ctx, key_name, SESS_TICKET_KEY_NAME_LEN); 1478 HMAC_Update(hmac_ctx, key_name, SESS_TICKET_KEY_NAME_LEN);
1422 HMAC_Update(hmac_ctx, iv, sizeof(iv)); 1479 HMAC_Update(hmac_ctx, iv, sizeof(iv));
1423 HMAC_Update(hmac_ctx, (unsigned char *)length_buf, 2); 1480 HMAC_Update(hmac_ctx, (unsigned char *)length_buf, 2);
1424 HMAC_Update(hmac_ctx, ciphertext.data, ciphertext.len); 1481 HMAC_Update(hmac_ctx, ciphertext.data, ciphertext.len);
1425 HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length, 1482 HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length,
1426 sizeof(computed_mac)); 1483 sizeof(computed_mac));
1427 } else 1484 } else
1428 #endif 1485 #endif
1429 { 1486 {
1430 SECItem macParam; 1487 SECItem macParam;
1431 macParam.data = NULL; 1488 macParam.data = NULL;
1432 macParam.len = 0; 1489 macParam.len = 0;
1433 hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech, 1490 hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech,
1434 CKA_SIGN, mac_key_pkcs11, &macParam); 1491 CKA_SIGN, mac_key_pkcs11, & macParam);
1435 if (!hmac_ctx_pkcs11) 1492 if (!hmac_ctx_pkcs11)
1436 goto loser; 1493 goto loser;
1437 1494
1438 rv = PK11_DigestBegin(hmac_ctx_pkcs11); 1495 rv = PK11_DigestBegin(hmac_ctx_pkcs11);
1439 if (rv != SECSuccess) goto loser; 1496 if (rv != SECSuccess)
1497 goto loser;
1440 rv = PK11_DigestOp(hmac_ctx_pkcs11, key_name, 1498 rv = PK11_DigestOp(hmac_ctx_pkcs11, key_name,
1441 SESS_TICKET_KEY_NAME_LEN); 1499 SESS_TICKET_KEY_NAME_LEN);
1442 if (rv != SECSuccess) goto loser; 1500 if (rv != SECSuccess)
1501 goto loser;
1443 rv = PK11_DigestOp(hmac_ctx_pkcs11, iv, sizeof(iv)); 1502 rv = PK11_DigestOp(hmac_ctx_pkcs11, iv, sizeof(iv));
1444 if (rv != SECSuccess) goto loser; 1503 if (rv != SECSuccess)
1504 goto loser;
1445 rv = PK11_DigestOp(hmac_ctx_pkcs11, (unsigned char *)length_buf, 2); 1505 rv = PK11_DigestOp(hmac_ctx_pkcs11, (unsigned char *)length_buf, 2);
1446 if (rv != SECSuccess) goto loser; 1506 if (rv != SECSuccess)
1507 goto loser;
1447 rv = PK11_DigestOp(hmac_ctx_pkcs11, ciphertext.data, ciphertext.len); 1508 rv = PK11_DigestOp(hmac_ctx_pkcs11, ciphertext.data, ciphertext.len);
1448 if (rv != SECSuccess) goto loser; 1509 if (rv != SECSuccess)
1510 goto loser;
1449 rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac, 1511 rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac,
1450 &computed_mac_length, sizeof(computed_mac)); 1512 &computed_mac_length, sizeof(computed_mac));
1451 if (rv != SECSuccess) goto loser; 1513 if (rv != SECSuccess)
1514 goto loser;
1452 } 1515 }
1453 1516
1454 /* Serialize the handshake message. */ 1517 /* Serialize the handshake message. */
1455 rv = ssl3_AppendHandshakeHeader(ss, new_session_ticket, message_length); 1518 rv = ssl3_AppendHandshakeHeader(ss, new_session_ticket, message_length);
1456 if (rv != SECSuccess) goto loser; 1519 if (rv != SECSuccess)
1520 goto loser;
1457 1521
1458 rv = ssl3_AppendHandshakeNumber(ss, ticket.ticket_lifetime_hint, 1522 rv = ssl3_AppendHandshakeNumber(ss, ticket.ticket_lifetime_hint,
1459 sizeof(ticket.ticket_lifetime_hint)); 1523 sizeof(ticket.ticket_lifetime_hint));
1460 if (rv != SECSuccess) goto loser; 1524 if (rv != SECSuccess)
1525 goto loser;
1461 1526
1462 rv = ssl3_AppendHandshakeNumber(ss, 1527 rv = ssl3_AppendHandshakeNumber(ss,
1463 message_length - sizeof(ticket.ticket_lifetime_hint) - 2, 2); 1528 message_length - sizeof(ticket.ticket_lifeti me_hint) - 2,
1464 if (rv != SECSuccess) goto loser; 1529 2);
1530 if (rv != SECSuccess)
1531 goto loser;
1465 1532
1466 rv = ssl3_AppendHandshake(ss, key_name, SESS_TICKET_KEY_NAME_LEN); 1533 rv = ssl3_AppendHandshake(ss, key_name, SESS_TICKET_KEY_NAME_LEN);
1467 if (rv != SECSuccess) goto loser; 1534 if (rv != SECSuccess)
1535 goto loser;
1468 1536
1469 rv = ssl3_AppendHandshake(ss, iv, sizeof(iv)); 1537 rv = ssl3_AppendHandshake(ss, iv, sizeof(iv));
1470 if (rv != SECSuccess) goto loser; 1538 if (rv != SECSuccess)
1539 goto loser;
1471 1540
1472 rv = ssl3_AppendHandshakeVariable(ss, ciphertext.data, ciphertext.len, 2); 1541 rv = ssl3_AppendHandshakeVariable(ss, ciphertext.data, ciphertext.len, 2);
1473 if (rv != SECSuccess) goto loser; 1542 if (rv != SECSuccess)
1543 goto loser;
1474 1544
1475 rv = ssl3_AppendHandshake(ss, computed_mac, computed_mac_length); 1545 rv = ssl3_AppendHandshake(ss, computed_mac, computed_mac_length);
1476 if (rv != SECSuccess) goto loser; 1546 if (rv != SECSuccess)
1547 goto loser;
1477 1548
1478 loser: 1549 loser:
1479 if (hmac_ctx_pkcs11) 1550 if (hmac_ctx_pkcs11)
1480 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); 1551 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE);
1481 if (plaintext_item.data) 1552 if (plaintext_item.data)
1482 SECITEM_FreeItem(&plaintext_item, PR_FALSE); 1553 SECITEM_FreeItem(&plaintext_item, PR_FALSE);
1483 if (ciphertext.data) 1554 if (ciphertext.data)
1484 SECITEM_FreeItem(&ciphertext, PR_FALSE); 1555 SECITEM_FreeItem(&ciphertext, PR_FALSE);
1485 1556
1486 return rv; 1557 return rv;
1487 } 1558 }
1488 1559
1489 /* When a client receives a SessionTicket extension a NewSessionTicket 1560 /* When a client receives a SessionTicket extension a NewSessionTicket
1490 * message is expected during the handshake. 1561 * message is expected during the handshake.
1491 */ 1562 */
1492 SECStatus 1563 SECStatus
1493 ssl3_ClientHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type, 1564 ssl3_ClientHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
1494 SECItem *data) 1565 SECItem *data)
1495 { 1566 {
1496 if (data->len != 0) { 1567 if (data->len != 0) {
1497 return SECSuccess; /* Ignore the extension. */ 1568 return SECSuccess; /* Ignore the extension. */
1498 } 1569 }
1499 1570
1500 /* Keep track of negotiated extensions. */ 1571 /* Keep track of negotiated extensions. */
1501 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 1572 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
1502 return SECSuccess; 1573 return SECSuccess;
1503 } 1574 }
1504 1575
1505 SECStatus 1576 SECStatus
1506 ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type, 1577 ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
1507 SECItem *data) 1578 SECItem *data)
(...skipping 13 matching lines...) Expand all
1521 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 1592 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
1522 1593
1523 /* Parse the received ticket sent in by the client. We are 1594 /* Parse the received ticket sent in by the client. We are
1524 * lenient about some parse errors, falling back to a fullshake 1595 * lenient about some parse errors, falling back to a fullshake
1525 * instead of terminating the current connection. 1596 * instead of terminating the current connection.
1526 */ 1597 */
1527 if (data->len == 0) { 1598 if (data->len == 0) {
1528 ss->xtnData.emptySessionTicket = PR_TRUE; 1599 ss->xtnData.emptySessionTicket = PR_TRUE;
1529 } else { 1600 } else {
1530 PRUint32 i; 1601 PRUint32 i;
1531 SECItem extension_data; 1602 SECItem extension_data;
1532 EncryptedSessionTicket enc_session_ticket; 1603 EncryptedSessionTicket enc_session_ticket;
1533 unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH]; 1604 unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH];
1534 unsigned int computed_mac_length; 1605 unsigned int computed_mac_length;
1535 #ifndef NO_PKCS11_BYPASS 1606 #ifndef NO_PKCS11_BYPASS
1536 const SECHashObject *hashObj; 1607 const SECHashObject *hashObj;
1537 const unsigned char *aes_key; 1608 const unsigned char *aes_key;
1538 const unsigned char *mac_key; 1609 const unsigned char *mac_key;
1539 PRUint32 aes_key_length; 1610 PRUint32 aes_key_length;
1540 PRUint32 mac_key_length; 1611 PRUint32 mac_key_length;
1541 PRUint64 hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS]; 1612 PRUint64 hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS];
1542 HMACContext *hmac_ctx; 1613 HMACContext *hmac_ctx;
1543 PRUint64 aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS]; 1614 PRUint64 aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS];
1544 AESContext *aes_ctx; 1615 AESContext *aes_ctx;
1545 #endif 1616 #endif
1546 PK11SymKey *aes_key_pkcs11; 1617 PK11SymKey *aes_key_pkcs11;
1547 PK11SymKey *mac_key_pkcs11; 1618 PK11SymKey *mac_key_pkcs11;
1548 PK11Context *hmac_ctx_pkcs11; 1619 PK11Context *hmac_ctx_pkcs11;
1549 CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC; 1620 CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC;
1550 PK11Context *aes_ctx_pkcs11; 1621 PK11Context *aes_ctx_pkcs11;
1551 CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC; 1622 CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC;
1552 unsigned char * padding; 1623 unsigned char *padding;
1553 PRUint32 padding_length; 1624 PRUint32 padding_length;
1554 unsigned char *buffer; 1625 unsigned char *buffer;
1555 unsigned int buffer_len; 1626 unsigned int buffer_len;
1556 PRInt32 temp; 1627 PRInt32 temp;
1557 SECItem cert_item; 1628 SECItem cert_item;
1558 PRInt8 nameType = TLS_STE_NO_SERVER_NAME; 1629 PRInt8 nameType = TLS_STE_NO_SERVER_NAME;
1559 1630
1560 /* Turn off stateless session resumption if the client sends a 1631 /* Turn off stateless session resumption if the client sends a
1561 * SessionTicket extension, even if the extension turns out to be 1632 * SessionTicket extension, even if the extension turns out to be
1562 * malformed (ss->sec.ci.sid is non-NULL when doing session 1633 * malformed (ss->sec.ci.sid is non-NULL when doing session
1563 * renegotiation.) 1634 * renegotiation.)
1564 */ 1635 */
1565 if (ss->sec.ci.sid != NULL) { 1636 if (ss->sec.ci.sid != NULL) {
1566 if (ss->sec.uncache) 1637 if (ss->sec.uncache)
1567 ss->sec.uncache(ss->sec.ci.sid); 1638 ss->sec.uncache(ss->sec.ci.sid);
1568 ssl_FreeSID(ss->sec.ci.sid); 1639 ssl_FreeSID(ss->sec.ci.sid);
1569 ss->sec.ci.sid = NULL; 1640 ss->sec.ci.sid = NULL;
1570 } 1641 }
1571 1642
1572 extension_data.data = data->data; /* Keep a copy for future use. */ 1643 extension_data.data = data->data; /* Keep a copy for future use. */
1573 extension_data.len = data->len; 1644 extension_data.len = data->len;
1574 1645
1575 if (ssl3_ParseEncryptedSessionTicket(ss, data, &enc_session_ticket) 1646 if (ssl3_ParseEncryptedSessionTicket(ss, data, &enc_session_ticket) !=
1576 != SECSuccess) { 1647 SECSuccess) {
1577 return SECSuccess; /* Pretend it isn't there */ 1648 return SECSuccess; /* Pretend it isn't there */
1578 } 1649 }
1579 1650
1580 /* Get session ticket keys. */ 1651 /* Get session ticket keys. */
1581 #ifndef NO_PKCS11_BYPASS 1652 #ifndef NO_PKCS11_BYPASS
1582 if (ss->opt.bypassPKCS11) { 1653 if (ss->opt.bypassPKCS11) {
1583 rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length, 1654 rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length,
1584 &mac_key, &mac_key_length); 1655 &mac_key, &mac_key_length);
1585 } else 1656 } else
1586 #endif 1657 #endif
1587 { 1658 {
1588 rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11, 1659 rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11,
1589 &mac_key_pkcs11); 1660 &mac_key_pkcs11);
1590 } 1661 }
1591 if (rv != SECSuccess) { 1662 if (rv != SECSuccess) {
1592 SSL_DBG(("%d: SSL[%d]: Unable to get/generate session ticket keys.", 1663 SSL_DBG(("%d: SSL[%d]: Unable to get/generate session ticket keys.",
1593 SSL_GETPID(), ss->fd)); 1664 SSL_GETPID(), ss->fd));
1594 goto loser; 1665 goto loser;
1595 } 1666 }
1596 1667
1597 /* If the ticket sent by the client was generated under a key different 1668 /* If the ticket sent by the client was generated under a key different
1598 * from the one we have, bypass ticket processing. 1669 * from the one we have, bypass ticket processing.
1599 */ 1670 */
1600 if (PORT_Memcmp(enc_session_ticket.key_name, key_name, 1671 if (PORT_Memcmp(enc_session_ticket.key_name, key_name,
1601 SESS_TICKET_KEY_NAME_LEN) != 0) { 1672 SESS_TICKET_KEY_NAME_LEN) != 0) {
1602 SSL_DBG(("%d: SSL[%d]: Session ticket key_name sent mismatch.", 1673 SSL_DBG(("%d: SSL[%d]: Session ticket key_name sent mismatch.",
1603 SSL_GETPID(), ss->fd)); 1674 SSL_GETPID(), ss->fd));
1604 goto no_ticket; 1675 goto no_ticket;
1605 } 1676 }
1606 1677
1607 /* Verify the MAC on the ticket. MAC verification may also 1678 /* Verify the MAC on the ticket. MAC verification may also
1608 * fail if the MAC key has been recently refreshed. 1679 * fail if the MAC key has been recently refreshed.
1609 */ 1680 */
1610 #ifndef NO_PKCS11_BYPASS 1681 #ifndef NO_PKCS11_BYPASS
1611 if (ss->opt.bypassPKCS11) { 1682 if (ss->opt.bypassPKCS11) {
1612 hmac_ctx = (HMACContext *)hmac_ctx_buf; 1683 hmac_ctx = (HMACContext *)hmac_ctx_buf;
1613 hashObj = HASH_GetRawHashObject(HASH_AlgSHA256); 1684 hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
1614 if (HMAC_Init(hmac_ctx, hashObj, mac_key, 1685 if (HMAC_Init(hmac_ctx, hashObj, mac_key,
1615 sizeof(session_ticket_mac_key), PR_FALSE) != SECSuccess) 1686 sizeof(session_ticket_mac_key), PR_FALSE) != SECSucces s)
1616 goto no_ticket; 1687 goto no_ticket;
1617 HMAC_Begin(hmac_ctx); 1688 HMAC_Begin(hmac_ctx);
1618 HMAC_Update(hmac_ctx, extension_data.data, 1689 HMAC_Update(hmac_ctx, extension_data.data,
1619 extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH); 1690 extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH);
1620 if (HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length, 1691 if (HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length,
1621 sizeof(computed_mac)) != SECSuccess) 1692 sizeof(computed_mac)) != SECSuccess)
1622 goto no_ticket; 1693 goto no_ticket;
1623 } else 1694 } else
1624 #endif 1695 #endif
1625 { 1696 {
1626 SECItem macParam; 1697 SECItem macParam;
1627 macParam.data = NULL; 1698 macParam.data = NULL;
1628 macParam.len = 0; 1699 macParam.len = 0;
1629 hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech, 1700 hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech,
1630 CKA_SIGN, mac_key_pkcs11, &macParam); 1701 CKA_SIGN, mac_key_pkcs1 1, &macParam);
1631 if (!hmac_ctx_pkcs11) { 1702 if (!hmac_ctx_pkcs11) {
1632 SSL_DBG(("%d: SSL[%d]: Unable to create HMAC context: %d.", 1703 SSL_DBG(("%d: SSL[%d]: Unable to create HMAC context: %d.",
1633 SSL_GETPID(), ss->fd, PORT_GetError())); 1704 SSL_GETPID(), ss->fd, PORT_GetError()));
1634 goto no_ticket; 1705 goto no_ticket;
1635 } else { 1706 } else {
1636 SSL_DBG(("%d: SSL[%d]: Successfully created HMAC context.", 1707 SSL_DBG(("%d: SSL[%d]: Successfully created HMAC context.",
1637 SSL_GETPID(), ss->fd)); 1708 SSL_GETPID(), ss->fd));
1638 } 1709 }
1639 rv = PK11_DigestBegin(hmac_ctx_pkcs11); 1710 rv = PK11_DigestBegin(hmac_ctx_pkcs11);
1640 rv = PK11_DigestOp(hmac_ctx_pkcs11, extension_data.data, 1711 rv = PK11_DigestOp(hmac_ctx_pkcs11, extension_data.data,
1641 extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH); 1712 extension_data.len -
1713 TLS_EX_SESS_TICKET_MAC_LENGTH);
1642 if (rv != SECSuccess) { 1714 if (rv != SECSuccess) {
1643 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); 1715 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE);
1644 goto no_ticket; 1716 goto no_ticket;
1645 } 1717 }
1646 rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac, 1718 rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac,
1647 &computed_mac_length, sizeof(computed_mac)); 1719 &computed_mac_length, sizeof(computed_mac));
1648 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); 1720 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE);
1649 if (rv != SECSuccess) 1721 if (rv != SECSuccess)
1650 goto no_ticket; 1722 goto no_ticket;
1651 } 1723 }
1652 if (NSS_SecureMemcmp(computed_mac, enc_session_ticket.mac, 1724 if (NSS_SecureMemcmp(computed_mac, enc_session_ticket.mac,
1653 computed_mac_length) != 0) { 1725 computed_mac_length) !=
1726 0) {
1654 SSL_DBG(("%d: SSL[%d]: Session ticket MAC mismatch.", 1727 SSL_DBG(("%d: SSL[%d]: Session ticket MAC mismatch.",
1655 SSL_GETPID(), ss->fd)); 1728 SSL_GETPID(), ss->fd));
1656 goto no_ticket; 1729 goto no_ticket;
1657 } 1730 }
1658 1731
1659 /* We ignore key_name for now. 1732 /* We ignore key_name for now.
1660 * This is ok as MAC verification succeeded. 1733 * This is ok as MAC verification succeeded.
1661 */ 1734 */
1662 1735
1663 /* Decrypt the ticket. */ 1736 /* Decrypt the ticket. */
1664 1737
1665 /* Plaintext is shorter than the ciphertext due to padding. */ 1738 /* Plaintext is shorter than the ciphertext due to padding. */
1666 decrypted_state = SECITEM_AllocItem(NULL, NULL, 1739 decrypted_state = SECITEM_AllocItem(NULL, NULL,
1667 enc_session_ticket.encrypted_state.len); 1740 enc_session_ticket.encrypted_state.l en);
1668 1741
1669 #ifndef NO_PKCS11_BYPASS 1742 #ifndef NO_PKCS11_BYPASS
1670 if (ss->opt.bypassPKCS11) { 1743 if (ss->opt.bypassPKCS11) {
1671 aes_ctx = (AESContext *)aes_ctx_buf; 1744 aes_ctx = (AESContext *)aes_ctx_buf;
1672 rv = AES_InitContext(aes_ctx, aes_key, 1745 rv = AES_InitContext(aes_ctx, aes_key,
1673 sizeof(session_ticket_enc_key), enc_session_ticket.iv, 1746 sizeof(session_ticket_enc_key), enc_session_tic ket.iv,
1674 NSS_AES_CBC, 0,AES_BLOCK_SIZE); 1747 NSS_AES_CBC, 0, AES_BLOCK_SIZE);
1675 if (rv != SECSuccess) { 1748 if (rv != SECSuccess) {
1676 SSL_DBG(("%d: SSL[%d]: Unable to create AES context.", 1749 SSL_DBG(("%d: SSL[%d]: Unable to create AES context.",
1677 SSL_GETPID(), ss->fd)); 1750 SSL_GETPID(), ss->fd));
1678 goto no_ticket; 1751 goto no_ticket;
1679 } 1752 }
1680 1753
1681 rv = AES_Decrypt(aes_ctx, decrypted_state->data, 1754 rv = AES_Decrypt(aes_ctx, decrypted_state->data,
1682 &decrypted_state->len, decrypted_state->len, 1755 &decrypted_state->len, decrypted_state->len,
1683 enc_session_ticket.encrypted_state.data, 1756 enc_session_ticket.encrypted_state.data,
1684 enc_session_ticket.encrypted_state.len); 1757 enc_session_ticket.encrypted_state.len);
1685 if (rv != SECSuccess) 1758 if (rv != SECSuccess)
1686 goto no_ticket; 1759 goto no_ticket;
1687 } else 1760 } else
1688 #endif 1761 #endif
1689 { 1762 {
1690 SECItem ivItem; 1763 SECItem ivItem;
1691 ivItem.data = enc_session_ticket.iv; 1764 ivItem.data = enc_session_ticket.iv;
1692 ivItem.len = AES_BLOCK_SIZE; 1765 ivItem.len = AES_BLOCK_SIZE;
1693 aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech, 1766 aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech,
1694 CKA_DECRYPT, aes_key_pkcs11, &ivItem); 1767 CKA_DECRYPT, aes_key_pkc s11, &ivItem);
1695 if (!aes_ctx_pkcs11) { 1768 if (!aes_ctx_pkcs11) {
1696 SSL_DBG(("%d: SSL[%d]: Unable to create AES context.", 1769 SSL_DBG(("%d: SSL[%d]: Unable to create AES context.",
1697 SSL_GETPID(), ss->fd)); 1770 SSL_GETPID(), ss->fd));
1698 goto no_ticket; 1771 goto no_ticket;
1699 } 1772 }
1700 1773
1701 rv = PK11_CipherOp(aes_ctx_pkcs11, decrypted_state->data, 1774 rv = PK11_CipherOp(aes_ctx_pkcs11, decrypted_state->data,
1702 (int *)&decrypted_state->len, decrypted_state->len, 1775 (int *)&decrypted_state->len, decrypted_state->le n,
1703 enc_session_ticket.encrypted_state.data, 1776 enc_session_ticket.encrypted_state.data,
1704 enc_session_ticket.encrypted_state.len); 1777 enc_session_ticket.encrypted_state.len);
1705 PK11_Finalize(aes_ctx_pkcs11); 1778 PK11_Finalize(aes_ctx_pkcs11);
1706 PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE); 1779 PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE);
1707 if (rv != SECSuccess) 1780 if (rv != SECSuccess)
1708 goto no_ticket; 1781 goto no_ticket;
1709 } 1782 }
1710 1783
1711 /* Check padding. */ 1784 /* Check padding. */
1712 padding_length = 1785 padding_length =
1713 (PRUint32)decrypted_state->data[decrypted_state->len - 1]; 1786 (PRUint32)decrypted_state->data[decrypted_state->len - 1];
1714 if (padding_length == 0 || padding_length > AES_BLOCK_SIZE) 1787 if (padding_length == 0 || padding_length > AES_BLOCK_SIZE)
(...skipping 10 matching lines...) Expand all
1725 buffer_len = decrypted_state->len; 1798 buffer_len = decrypted_state->len;
1726 1799
1727 parsed_session_ticket = PORT_ZAlloc(sizeof(SessionTicket)); 1800 parsed_session_ticket = PORT_ZAlloc(sizeof(SessionTicket));
1728 if (parsed_session_ticket == NULL) { 1801 if (parsed_session_ticket == NULL) {
1729 rv = SECFailure; 1802 rv = SECFailure;
1730 goto loser; 1803 goto loser;
1731 } 1804 }
1732 1805
1733 /* Read ticket_version and reject if the version is wrong */ 1806 /* Read ticket_version and reject if the version is wrong */
1734 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); 1807 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
1735 if (temp != TLS_EX_SESS_TICKET_VERSION) goto no_ticket; 1808 if (temp != TLS_EX_SESS_TICKET_VERSION)
1809 goto no_ticket;
1736 1810
1737 parsed_session_ticket->ticket_version = (SSL3ProtocolVersion)temp; 1811 parsed_session_ticket->ticket_version = (SSL3ProtocolVersion)temp;
1738 1812
1739 /* Read SSLVersion. */ 1813 /* Read SSLVersion. */
1740 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); 1814 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
1741 if (temp < 0) goto no_ticket; 1815 if (temp < 0)
1816 goto no_ticket;
1742 parsed_session_ticket->ssl_version = (SSL3ProtocolVersion)temp; 1817 parsed_session_ticket->ssl_version = (SSL3ProtocolVersion)temp;
1743 1818
1744 /* Read cipher_suite. */ 1819 /* Read cipher_suite. */
1745 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); 1820 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
1746 if (temp < 0) goto no_ticket; 1821 if (temp < 0)
1822 goto no_ticket;
1747 parsed_session_ticket->cipher_suite = (ssl3CipherSuite)temp; 1823 parsed_session_ticket->cipher_suite = (ssl3CipherSuite)temp;
1748 1824
1749 /* Read compression_method. */ 1825 /* Read compression_method. */
1750 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); 1826 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
1751 if (temp < 0) goto no_ticket; 1827 if (temp < 0)
1828 goto no_ticket;
1752 parsed_session_ticket->compression_method = (SSLCompressionMethod)temp; 1829 parsed_session_ticket->compression_method = (SSLCompressionMethod)temp;
1753 1830
1754 /* Read cipher spec parameters. */ 1831 /* Read cipher spec parameters. */
1755 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); 1832 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
1756 if (temp < 0) goto no_ticket; 1833 if (temp < 0)
1834 goto no_ticket;
1757 parsed_session_ticket->authAlgorithm = (SSLSignType)temp; 1835 parsed_session_ticket->authAlgorithm = (SSLSignType)temp;
1758 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); 1836 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
1759 if (temp < 0) goto no_ticket; 1837 if (temp < 0)
1838 goto no_ticket;
1760 parsed_session_ticket->authKeyBits = (PRUint32)temp; 1839 parsed_session_ticket->authKeyBits = (PRUint32)temp;
1761 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); 1840 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
1762 if (temp < 0) goto no_ticket; 1841 if (temp < 0)
1842 goto no_ticket;
1763 parsed_session_ticket->keaType = (SSLKEAType)temp; 1843 parsed_session_ticket->keaType = (SSLKEAType)temp;
1764 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); 1844 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
1765 if (temp < 0) goto no_ticket; 1845 if (temp < 0)
1846 goto no_ticket;
1766 parsed_session_ticket->keaKeyBits = (PRUint32)temp; 1847 parsed_session_ticket->keaKeyBits = (PRUint32)temp;
1767 1848
1768 /* Read wrapped master_secret. */ 1849 /* Read wrapped master_secret. */
1769 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); 1850 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
1770 if (temp < 0) goto no_ticket; 1851 if (temp < 0)
1852 goto no_ticket;
1771 parsed_session_ticket->ms_is_wrapped = (PRBool)temp; 1853 parsed_session_ticket->ms_is_wrapped = (PRBool)temp;
1772 1854
1773 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); 1855 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
1774 if (temp < 0) goto no_ticket; 1856 if (temp < 0)
1857 goto no_ticket;
1775 parsed_session_ticket->exchKeyType = (SSL3KEAType)temp; 1858 parsed_session_ticket->exchKeyType = (SSL3KEAType)temp;
1776 1859
1777 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); 1860 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
1778 if (temp < 0) goto no_ticket; 1861 if (temp < 0)
1862 goto no_ticket;
1779 parsed_session_ticket->msWrapMech = (CK_MECHANISM_TYPE)temp; 1863 parsed_session_ticket->msWrapMech = (CK_MECHANISM_TYPE)temp;
1780 1864
1781 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); 1865 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
1782 if (temp < 0) goto no_ticket; 1866 if (temp < 0)
1867 goto no_ticket;
1783 parsed_session_ticket->ms_length = (PRUint16)temp; 1868 parsed_session_ticket->ms_length = (PRUint16)temp;
1784 if (parsed_session_ticket->ms_length == 0 || /* sanity check MS. */ 1869 if (parsed_session_ticket->ms_length == 0 || /* sanity check MS. */
1785 parsed_session_ticket->ms_length > 1870 parsed_session_ticket->ms_length >
1786 sizeof(parsed_session_ticket->master_secret)) 1871 sizeof(parsed_session_ticket->master_secret))
1787 goto no_ticket; 1872 goto no_ticket;
1788 1873
1789 /* Allow for the wrapped master secret to be longer. */ 1874 /* Allow for the wrapped master secret to be longer. */
1790 if (buffer_len < parsed_session_ticket->ms_length) 1875 if (buffer_len < parsed_session_ticket->ms_length)
1791 goto no_ticket; 1876 goto no_ticket;
1792 PORT_Memcpy(parsed_session_ticket->master_secret, buffer, 1877 PORT_Memcpy(parsed_session_ticket->master_secret, buffer,
1793 parsed_session_ticket->ms_length); 1878 parsed_session_ticket->ms_length);
1794 buffer += parsed_session_ticket->ms_length; 1879 buffer += parsed_session_ticket->ms_length;
1795 buffer_len -= parsed_session_ticket->ms_length; 1880 buffer_len -= parsed_session_ticket->ms_length;
1796 1881
1797 /* Read client_identity */ 1882 /* Read client_identity */
1798 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); 1883 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
1799 if (temp < 0) 1884 if (temp < 0)
1800 goto no_ticket; 1885 goto no_ticket;
1801 parsed_session_ticket->client_identity.client_auth_type = 1886 parsed_session_ticket->client_identity.client_auth_type =
1802 (ClientAuthenticationType)temp; 1887 (ClientAuthenticationType)temp;
1803 switch(parsed_session_ticket->client_identity.client_auth_type) { 1888 switch (parsed_session_ticket->client_identity.client_auth_type) {
1804 case CLIENT_AUTH_ANONYMOUS: 1889 case CLIENT_AUTH_ANONYMOUS:
1805 break; 1890 break;
1806 case CLIENT_AUTH_CERTIFICATE: 1891 case CLIENT_AUTH_CERTIFICATE:
1807 rv = ssl3_ConsumeHandshakeVariable(ss, &cert_item, 3, 1892 rv = ssl3_ConsumeHandshakeVariable(ss, &cert_item, 3,
1808 &buffer, &buffer_len); 1893 &buffer, &buffer_len);
1809 if (rv != SECSuccess) goto no_ticket; 1894 if (rv != SECSuccess)
1895 goto no_ticket;
1810 rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->peer_cert, 1896 rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->peer_cert,
1811 &cert_item); 1897 &cert_item);
1812 if (rv != SECSuccess) goto no_ticket; 1898 if (rv != SECSuccess)
1899 goto no_ticket;
1813 break; 1900 break;
1814 default: 1901 default:
1815 goto no_ticket; 1902 goto no_ticket;
1816 } 1903 }
1817 /* Read timestamp. */ 1904 /* Read timestamp. */
1818 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); 1905 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
1819 if (temp < 0) 1906 if (temp < 0)
1820 goto no_ticket; 1907 goto no_ticket;
1821 parsed_session_ticket->timestamp = (PRUint32)temp; 1908 parsed_session_ticket->timestamp = (PRUint32)temp;
1822 1909
1823 /* Read server name */ 1910 /* Read server name */
1824 nameType = 1911 nameType =
1825 ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); 1912 ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
1826 if (nameType != TLS_STE_NO_SERVER_NAME) { 1913 if (nameType != TLS_STE_NO_SERVER_NAME) {
1827 SECItem name_item; 1914 SECItem name_item;
1828 rv = ssl3_ConsumeHandshakeVariable(ss, &name_item, 2, &buffer, 1915 rv = ssl3_ConsumeHandshakeVariable(ss, &name_item, 2, &buffer,
1829 &buffer_len); 1916 &buffer_len);
1830 if (rv != SECSuccess) goto no_ticket; 1917 if (rv != SECSuccess)
1918 goto no_ticket;
1831 rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->srvName, 1919 rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->srvName,
1832 &name_item); 1920 &name_item);
1833 if (rv != SECSuccess) goto no_ticket; 1921 if (rv != SECSuccess)
1922 goto no_ticket;
1834 parsed_session_ticket->srvName.type = nameType; 1923 parsed_session_ticket->srvName.type = nameType;
1835 } 1924 }
1836 1925
1837 /* Read extendedMasterSecretUsed */ 1926 /* Read extendedMasterSecretUsed */
1838 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); 1927 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
1839 if (temp < 0) 1928 if (temp < 0)
1840 goto no_ticket; 1929 goto no_ticket;
1841 PORT_Assert(temp == PR_TRUE || temp == PR_FALSE); 1930 PORT_Assert(temp == PR_TRUE || temp == PR_FALSE);
1842 parsed_session_ticket->extendedMasterSecretUsed = (PRBool)temp; 1931 parsed_session_ticket->extendedMasterSecretUsed = (PRBool)temp;
1843 1932
1844 /* Done parsing. Check that all bytes have been consumed. */ 1933 /* Done parsing. Check that all bytes have been consumed. */
1845 if (buffer_len != padding_length) 1934 if (buffer_len != padding_length)
1846 goto no_ticket; 1935 goto no_ticket;
1847 1936
1848 /* Use the ticket if it has not expired, otherwise free the allocated 1937 /* Use the ticket if it has not expired, otherwise free the allocated
1849 * memory since the ticket is of no use. 1938 * memory since the ticket is of no use.
1850 */ 1939 */
1851 if (parsed_session_ticket->timestamp != 0 && 1940 if (parsed_session_ticket->timestamp != 0 &&
1852 parsed_session_ticket->timestamp + 1941 parsed_session_ticket->timestamp +
1853 TLS_EX_SESS_TICKET_LIFETIME_HINT > ssl_Time()) { 1942 TLS_EX_SESS_TICKET_LIFETIME_HINT >
1943 ssl_Time()) {
1854 1944
1855 sid = ssl3_NewSessionID(ss, PR_TRUE); 1945 sid = ssl3_NewSessionID(ss, PR_TRUE);
1856 if (sid == NULL) { 1946 if (sid == NULL) {
1857 rv = SECFailure; 1947 rv = SECFailure;
1858 goto loser; 1948 goto loser;
1859 } 1949 }
1860 1950
1861 /* Copy over parameters. */ 1951 /* Copy over parameters. */
1862 sid->version = parsed_session_ticket->ssl_version; 1952 sid->version = parsed_session_ticket->ssl_version;
1863 sid->u.ssl3.cipherSuite = parsed_session_ticket->cipher_suite; 1953 sid->u.ssl3.cipherSuite = parsed_session_ticket->cipher_suite;
1864 sid->u.ssl3.compression = parsed_session_ticket->compression_method; 1954 sid->u.ssl3.compression = parsed_session_ticket->compression_method;
1865 sid->authAlgorithm = parsed_session_ticket->authAlgorithm; 1955 sid->authAlgorithm = parsed_session_ticket->authAlgorithm;
1866 sid->authKeyBits = parsed_session_ticket->authKeyBits; 1956 sid->authKeyBits = parsed_session_ticket->authKeyBits;
1867 sid->keaType = parsed_session_ticket->keaType; 1957 sid->keaType = parsed_session_ticket->keaType;
1868 sid->keaKeyBits = parsed_session_ticket->keaKeyBits; 1958 sid->keaKeyBits = parsed_session_ticket->keaKeyBits;
1869 1959
1870 /* Copy master secret. */ 1960 /* Copy master secret. */
1871 #ifndef NO_PKCS11_BYPASS 1961 #ifndef NO_PKCS11_BYPASS
1872 if (ss->opt.bypassPKCS11 && 1962 if (ss->opt.bypassPKCS11 &&
1873 parsed_session_ticket->ms_is_wrapped) 1963 parsed_session_ticket->ms_is_wrapped)
1874 goto no_ticket; 1964 goto no_ticket;
1875 #endif 1965 #endif
1876 if (parsed_session_ticket->ms_length > 1966 if (parsed_session_ticket->ms_length >
1877 sizeof(sid->u.ssl3.keys.wrapped_master_secret)) 1967 sizeof(sid->u.ssl3.keys.wrapped_master_secret))
1878 goto no_ticket; 1968 goto no_ticket;
1879 PORT_Memcpy(sid->u.ssl3.keys.wrapped_master_secret, 1969 PORT_Memcpy(sid->u.ssl3.keys.wrapped_master_secret,
1880 parsed_session_ticket->master_secret, 1970 parsed_session_ticket->master_secret,
1881 parsed_session_ticket->ms_length); 1971 parsed_session_ticket->ms_length);
1882 sid->u.ssl3.keys.wrapped_master_secret_len = 1972 sid->u.ssl3.keys.wrapped_master_secret_len =
1883 parsed_session_ticket->ms_length; 1973 parsed_session_ticket->ms_length;
1884 sid->u.ssl3.exchKeyType = parsed_session_ticket->exchKeyType; 1974 sid->u.ssl3.exchKeyType = parsed_session_ticket->exchKeyType;
1885 sid->u.ssl3.masterWrapMech = parsed_session_ticket->msWrapMech; 1975 sid->u.ssl3.masterWrapMech = parsed_session_ticket->msWrapMech;
1886 sid->u.ssl3.keys.msIsWrapped = 1976 sid->u.ssl3.keys.msIsWrapped =
1887 parsed_session_ticket->ms_is_wrapped; 1977 parsed_session_ticket->ms_is_wrapped;
1888 sid->u.ssl3.masterValid = PR_TRUE; 1978 sid->u.ssl3.masterValid = PR_TRUE;
1889 sid->u.ssl3.keys.resumable = PR_TRUE; 1979 sid->u.ssl3.keys.resumable = PR_TRUE;
1890 sid->u.ssl3.keys.extendedMasterSecretUsed = parsed_session_ticket-> 1980 sid->u.ssl3.keys.extendedMasterSecretUsed = parsed_session_ticket->e xtendedMasterSecretUsed;
1891 extendedMasterSecretUsed;
1892 1981
1893 /* Copy over client cert from session ticket if there is one. */ 1982 /* Copy over client cert from session ticket if there is one. */
1894 if (parsed_session_ticket->peer_cert.data != NULL) { 1983 if (parsed_session_ticket->peer_cert.data != NULL) {
1895 if (sid->peerCert != NULL) 1984 if (sid->peerCert != NULL)
1896 CERT_DestroyCertificate(sid->peerCert); 1985 CERT_DestroyCertificate(sid->peerCert);
1897 sid->peerCert = CERT_NewTempCertificate(ss->dbHandle, 1986 sid->peerCert = CERT_NewTempCertificate(ss->dbHandle,
1898 &parsed_session_ticket->peer_cert, NULL, PR_FALSE, PR_TRUE); 1987 &parsed_session_ticket-> peer_cert, NULL, PR_FALSE, PR_TRUE);
1899 if (sid->peerCert == NULL) { 1988 if (sid->peerCert == NULL) {
1900 rv = SECFailure; 1989 rv = SECFailure;
1901 goto loser; 1990 goto loser;
1902 } 1991 }
1903 } 1992 }
1904 if (parsed_session_ticket->srvName.data != NULL) { 1993 if (parsed_session_ticket->srvName.data != NULL) {
1905 sid->u.ssl3.srvName = parsed_session_ticket->srvName; 1994 sid->u.ssl3.srvName = parsed_session_ticket->srvName;
1906 } 1995 }
1907 ss->statelessResume = PR_TRUE; 1996 ss->statelessResume = PR_TRUE;
1908 ss->sec.ci.sid = sid; 1997 ss->sec.ci.sid = sid;
1909 } 1998 }
1910 } 1999 }
1911 2000
1912 if (0) { 2001 if (0) {
1913 no_ticket: 2002 no_ticket:
1914 SSL_DBG(("%d: SSL[%d]: Session ticket parsing failed.", 2003 SSL_DBG(("%d: SSL[%d]: Session ticket parsing failed.",
1915 SSL_GETPID(), ss->fd)); 2004 SSL_GETPID(), ss->fd));
1916 ssl3stats = SSL_GetStatistics(); 2005 ssl3stats = SSL_GetStatistics();
1917 SSL_AtomicIncrementLong(& ssl3stats->hch_sid_ticket_parse_failures ); 2006 SSL_AtomicIncrementLong(&ssl3stats->hch_sid_ticket_parse_failures);
1918 } 2007 }
1919 rv = SECSuccess; 2008 rv = SECSuccess;
1920 2009
1921 loser: 2010 loser:
1922 /* ss->sec.ci.sid == sid if it did NOT come here via goto statement 2011 /* ss->sec.ci.sid == sid if it did NOT come here via goto statement
1923 * in that case do not free sid 2012 * in that case do not free sid
1924 */ 2013 */
1925 if (sid && (ss->sec.ci.sid != sid)) { 2014 if (sid && (ss->sec.ci.sid != sid)) {
1926 ssl_FreeSID(sid); 2015 ssl_FreeSID(sid);
1927 sid = NULL; 2016 sid = NULL;
1928 } 2017 }
1929 if (decrypted_state != NULL) { 2018 if (decrypted_state != NULL) {
1930 SECITEM_FreeItem(decrypted_state, PR_TRUE); 2019 SECITEM_FreeItem(decrypted_state, PR_TRUE);
1931 decrypted_state = NULL; 2020 decrypted_state = NULL;
1932 } 2021 }
1933 2022
1934 if (parsed_session_ticket != NULL) { 2023 if (parsed_session_ticket != NULL) {
1935 if (parsed_session_ticket->peer_cert.data) { 2024 if (parsed_session_ticket->peer_cert.data) {
1936 SECITEM_FreeItem(&parsed_session_ticket->peer_cert, PR_FALSE); 2025 SECITEM_FreeItem(&parsed_session_ticket->peer_cert, PR_FALSE);
1937 } 2026 }
1938 PORT_ZFree(parsed_session_ticket, sizeof(SessionTicket)); 2027 PORT_ZFree(parsed_session_ticket, sizeof(SessionTicket));
(...skipping 17 matching lines...) Expand all
1956 item->data += bytes; 2045 item->data += bytes;
1957 item->len -= bytes; 2046 item->len -= bytes;
1958 return SECSuccess; 2047 return SECSuccess;
1959 } 2048 }
1960 2049
1961 static SECStatus 2050 static SECStatus
1962 ssl3_ParseEncryptedSessionTicket(sslSocket *ss, SECItem *data, 2051 ssl3_ParseEncryptedSessionTicket(sslSocket *ss, SECItem *data,
1963 EncryptedSessionTicket *enc_session_ticket) 2052 EncryptedSessionTicket *enc_session_ticket)
1964 { 2053 {
1965 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->key_name, 2054 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->key_name,
1966 SESS_TICKET_KEY_NAME_LEN) != SECSuccess) 2055 SESS_TICKET_KEY_NAME_LEN) !=
2056 SECSuccess)
1967 return SECFailure; 2057 return SECFailure;
1968 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->iv, 2058 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->iv,
1969 AES_BLOCK_SIZE) != SECSuccess) 2059 AES_BLOCK_SIZE) !=
2060 SECSuccess)
1970 return SECFailure; 2061 return SECFailure;
1971 if (ssl3_ConsumeHandshakeVariable(ss, &enc_session_ticket->encrypted_state, 2062 if (ssl3_ConsumeHandshakeVariable(ss, &enc_session_ticket->encrypted_state,
1972 2, &data->data, &data->len) != SECSuccess) 2063 2, &data->data, &data->len) !=
2064 SECSuccess)
1973 return SECFailure; 2065 return SECFailure;
1974 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->mac, 2066 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->mac,
1975 TLS_EX_SESS_TICKET_MAC_LENGTH) != SECSuccess) 2067 TLS_EX_SESS_TICKET_MAC_LENGTH) !=
2068 SECSuccess)
1976 return SECFailure; 2069 return SECFailure;
1977 if (data->len != 0) /* Make sure that we have consumed all bytes. */ 2070 if (data->len != 0) /* Make sure that we have consumed all bytes. */
1978 return SECFailure; 2071 return SECFailure;
1979 2072
1980 return SECSuccess; 2073 return SECSuccess;
1981 } 2074 }
1982 2075
1983 /* go through hello extensions in buffer "b". 2076 /* go through hello extensions in buffer "b".
1984 * For each one, find the extension handler in the table, and 2077 * For each one, find the extension handler in the table, and
1985 * if present, invoke that handler. 2078 * if present, invoke that handler.
1986 * Servers ignore any extensions with unknown extension types. 2079 * Servers ignore any extensions with unknown extension types.
1987 * Clients reject any extensions with unadvertised extension types. 2080 * Clients reject any extensions with unadvertised extension types.
2081 * In TLS >= 1.3, the client checks that extensions appear in the
2082 * right phase.
1988 */ 2083 */
1989 SECStatus 2084 SECStatus
1990 ssl3_HandleHelloExtensions(sslSocket *ss, SSL3Opaque **b, PRUint32 *length) 2085 ssl3_HandleHelloExtensions(sslSocket *ss, SSL3Opaque **b, PRUint32 *length,
2086 SSL3HandshakeType handshakeMessage)
1991 { 2087 {
1992 const ssl3HelloExtensionHandler * handlers; 2088 const ssl3HelloExtensionHandler *handlers;
2089 PRBool isTLS13 = ss->version >= SSL_LIBRARY_VERSION_TLS_1_3;
1993 2090
1994 if (ss->sec.isServer) { 2091 switch (handshakeMessage) {
1995 handlers = clientHelloHandlers; 2092 case client_hello:
1996 } else if (ss->version > SSL_LIBRARY_VERSION_3_0) { 2093 handlers = clientHelloHandlers;
1997 handlers = serverHelloHandlersTLS; 2094 break;
1998 } else { 2095 case encrypted_extensions:
1999 handlers = serverHelloHandlersSSL3; 2096 PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3);
2097 /* fall through */
2098 case server_hello:
2099 if (ss->version > SSL_LIBRARY_VERSION_3_0) {
2100 handlers = serverHelloHandlersTLS;
2101 } else {
2102 handlers = serverHelloHandlersSSL3;
2103 }
2104 break;
2105 default:
2106 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2107 PORT_Assert(0);
2108 return SECFailure;
2000 } 2109 }
2001 2110
2002 while (*length) { 2111 while (*length) {
2003 const ssl3HelloExtensionHandler * handler; 2112 const ssl3HelloExtensionHandler *handler;
2004 SECStatus rv; 2113 SECStatus rv;
2005 PRInt32 extension_type; 2114 PRInt32 extension_type;
2006 SECItem extension_data; 2115 SECItem extension_data;
2007 2116
2008 /* Get the extension's type field */ 2117 /* Get the extension's type field */
2009 extension_type = ssl3_ConsumeHandshakeNumber(ss, 2, b, length); 2118 extension_type = ssl3_ConsumeHandshakeNumber(ss, 2, b, length);
2010 if (extension_type < 0) /* failure to decode extension_type */ 2119 if (extension_type < 0) /* failure to decode extension_type */
2011 return SECFailure; /* alert already sent */ 2120 return SECFailure; /* alert already sent */
2012 2121
2013 /* get the data for this extension, so we can pass it or skip it. */ 2122 /* get the data for this extension, so we can pass it or skip it. */
2014 rv = ssl3_ConsumeHandshakeVariable(ss, &extension_data, 2, b, length); 2123 rv = ssl3_ConsumeHandshakeVariable(ss, &extension_data, 2, b, length);
2015 if (rv != SECSuccess) 2124 if (rv != SECSuccess)
2016 return rv; /* alert already sent */ 2125 return rv; /* alert already sent */
2017 2126
2018 /* Check whether the server sent an extension which was not advertised 2127 /* Check whether the server sent an extension which was not advertised
2019 * in the ClientHello. 2128 * in the ClientHello */
2020 */
2021 if (!ss->sec.isServer && 2129 if (!ss->sec.isServer &&
2022 !ssl3_ClientExtensionAdvertised(ss, extension_type)) { 2130 !ssl3_ClientExtensionAdvertised(ss, extension_type)) {
2023 (void)SSL3_SendAlert(ss, alert_fatal, unsupported_extension); 2131 (void)SSL3_SendAlert(ss, alert_fatal, unsupported_extension);
2024 return SECFailure; 2132 return SECFailure;
2025 } 2133 }
2026 2134
2027 /* Check whether an extension has been sent multiple times. */ 2135 /* Check whether an extension has been sent multiple times. */
2028 if (ssl3_ExtensionNegotiated(ss, extension_type)) { 2136 if (ssl3_ExtensionNegotiated(ss, extension_type)) {
2029 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); 2137 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
2030 return SECFailure; 2138 return SECFailure;
2031 } 2139 }
2032 2140
2141 /* Check that this is a legal extension in TLS 1.3 */
2142 if (isTLS13 && !tls13_ExtensionAllowed(extension_type, handshakeMessage) ) {
2143 if (handshakeMessage == client_hello) {
2144 /* Skip extensions not used in TLS 1.3 */
2145 continue;
2146 }
2147 tls13_FatalError(ss, SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION,
2148 unsupported_extension);
2149 return SECFailure;
2150 }
2151
2033 /* find extension_type in table of Hello Extension Handlers */ 2152 /* find extension_type in table of Hello Extension Handlers */
2034 for (handler = handlers; handler->ex_type >= 0; handler++) { 2153 for (handler = handlers; handler->ex_type >= 0; handler++) {
2035 /* if found, call this handler */ 2154 /* if found, call this handler */
2036 if (handler->ex_type == extension_type) { 2155 if (handler->ex_type == extension_type) {
2037 rv = (*handler->ex_handler)(ss, (PRUint16)extension_type, 2156 rv = (*handler->ex_handler)(ss, (PRUint16)extension_type,
2038 &extension_data); 2157 &extension_data);
2039 if (rv != SECSuccess) { 2158 if (rv != SECSuccess) {
2040 if (!ss->ssl3.fatalAlertSent) { 2159 if (!ss->ssl3.fatalAlertSent) {
2041 /* send a generic alert if the handler didn't already */ 2160 /* send a generic alert if the handler didn't already */
2042 (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure) ; 2161 (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure) ;
2043 } 2162 }
2044 return SECFailure; 2163 return SECFailure;
2045 } 2164 }
2046 } 2165 }
2047 } 2166 }
2048 } 2167 }
2049 return SECSuccess; 2168 return SECSuccess;
2050 } 2169 }
2051 2170
2052 /* Add a callback function to the table of senders of server hello extensions. 2171 /* Add a callback function to the table of senders of server hello extensions.
2053 */ 2172 */
2054 SECStatus 2173 SECStatus
2055 ssl3_RegisterServerHelloExtensionSender(sslSocket *ss, PRUint16 ex_type, 2174 ssl3_RegisterServerHelloExtensionSender(sslSocket *ss, PRUint16 ex_type,
2056 ssl3HelloExtensionSenderFunc cb) 2175 ssl3HelloExtensionSenderFunc cb)
2057 { 2176 {
2058 int i; 2177 int i;
2059 ssl3HelloExtensionSender *sender = &ss->xtnData.serverSenders[0]; 2178 ssl3HelloExtensionSender *sender;
2179 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
2180 sender = &ss->xtnData.serverHelloSenders[0];
2181 } else {
2182 if (tls13_ExtensionAllowed(ex_type, server_hello)) {
2183 PORT_Assert(!tls13_ExtensionAllowed(ex_type, encrypted_extensions));
2184 sender = &ss->xtnData.serverHelloSenders[0];
2185 } else {
2186 PORT_Assert(tls13_ExtensionAllowed(ex_type, encrypted_extensions));
2187 sender = &ss->xtnData.encryptedExtensionsSenders[0];
2188 }
2189 }
2060 2190
2061 for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) { 2191 for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) {
2062 if (!sender->ex_sender) { 2192 if (!sender->ex_sender) {
2063 sender->ex_type = ex_type; 2193 sender->ex_type = ex_type;
2064 sender->ex_sender = cb; 2194 sender->ex_sender = cb;
2065 return SECSuccess; 2195 return SECSuccess;
2066 } 2196 }
2067 /* detect duplicate senders */ 2197 /* detect duplicate senders */
2068 PORT_Assert(sender->ex_type != ex_type); 2198 PORT_Assert(sender->ex_type != ex_type);
2069 if (sender->ex_type == ex_type) { 2199 if (sender->ex_type == ex_type) {
2070 /* duplicate */ 2200 /* duplicate */
2071 break; 2201 break;
2072 } 2202 }
2073 } 2203 }
2074 PORT_Assert(i < SSL_MAX_EXTENSIONS); /* table needs to grow */ 2204 PORT_Assert(i < SSL_MAX_EXTENSIONS); /* table needs to grow */
2075 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 2205 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2076 return SECFailure; 2206 return SECFailure;
2077 } 2207 }
2078 2208
2079 /* call each of the extension senders and return the accumulated length */ 2209 /* call each of the extension senders and return the accumulated length */
2080 PRInt32 2210 PRInt32
2081 ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes, 2211 ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes,
2082 const ssl3HelloExtensionSender *sender) 2212 const ssl3HelloExtensionSender *sender)
2083 { 2213 {
2084 PRInt32 total_exten_len = 0; 2214 PRInt32 total_exten_len = 0;
2085 int i; 2215 int i;
2086 2216
2087 if (!sender) { 2217 if (!sender) {
2088 sender = ss->version > SSL_LIBRARY_VERSION_3_0 ? 2218 if (ss->version > SSL_LIBRARY_VERSION_3_0) {
2089 &clientHelloSendersTLS[0] : &clientHelloSendersSSL3[0]; 2219 sender = &clientHelloSendersTLS[0];
2220 } else {
2221 sender = &clientHelloSendersSSL3[0];
2222 }
2090 } 2223 }
2091 2224
2092 for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) { 2225 for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) {
2093 if (sender->ex_sender) { 2226 if (sender->ex_sender) {
2094 PRInt32 extLen = (*sender->ex_sender)(ss, append, maxBytes); 2227 PRInt32 extLen = (*sender->ex_sender)(ss, append, maxBytes);
2095 if (extLen < 0) 2228 if (extLen < 0)
2096 return -1; 2229 return -1;
2097 maxBytes -= extLen; 2230 maxBytes -= extLen;
2098 total_exten_len += extLen; 2231 total_exten_len += extLen;
2099 } 2232 }
2100 } 2233 }
2101 return total_exten_len; 2234 return total_exten_len;
2102 } 2235 }
2103 2236
2104
2105 /* Extension format: 2237 /* Extension format:
2106 * Extension number: 2 bytes 2238 * Extension number: 2 bytes
2107 * Extension length: 2 bytes 2239 * Extension length: 2 bytes
2108 * Verify Data Length: 1 byte 2240 * Verify Data Length: 1 byte
2109 * Verify Data (TLS): 12 bytes (client) or 24 bytes (server) 2241 * Verify Data (TLS): 12 bytes (client) or 24 bytes (server)
2110 * Verify Data (SSL): 36 bytes (client) or 72 bytes (server) 2242 * Verify Data (SSL): 36 bytes (client) or 72 bytes (server)
2111 */ 2243 */
2112 static PRInt32 2244 static PRInt32
2113 ssl3_SendRenegotiationInfoXtn( 2245 ssl3_SendRenegotiationInfoXtn(
2114 sslSocket * ss, 2246 sslSocket *ss,
2115 PRBool append, 2247 PRBool append,
2116 PRUint32 maxBytes) 2248 PRUint32 maxBytes)
2117 { 2249 {
2118 PRInt32 len, needed; 2250 PRInt32 len = 0;
2251 PRInt32 needed;
2119 2252
2120 /* In draft-ietf-tls-renegotiation-03, it is NOT RECOMMENDED to send 2253 /* In draft-ietf-tls-renegotiation-03, it is NOT RECOMMENDED to send
2121 * both the SCSV and the empty RI, so when we send SCSV in 2254 * both the SCSV and the empty RI, so when we send SCSV in
2122 * the initial handshake, we don't also send RI. 2255 * the initial handshake, we don't also send RI.
2123 */ 2256 */
2124 if (!ss || ss->ssl3.hs.sendingSCSV) 2257 if (!ss || ss->ssl3.hs.sendingSCSV)
2125 return 0; 2258 return 0;
2126 len = !ss->firstHsDone ? 0 : 2259 if (ss->firstHsDone) {
2127 (ss->sec.isServer ? ss->ssl3.hs.finishedBytes * 2 2260 len = ss->sec.isServer ? ss->ssl3.hs.finishedBytes * 2
2128 : ss->ssl3.hs.finishedBytes); 2261 : ss->ssl3.hs.finishedBytes;
2262 }
2129 needed = 5 + len; 2263 needed = 5 + len;
2130 if (maxBytes < (PRUint32)needed) { 2264 if (maxBytes < (PRUint32)needed) {
2131 return 0; 2265 return 0;
2132 } 2266 }
2133 if (append) { 2267 if (append) {
2134 SECStatus rv; 2268 SECStatus rv;
2135 /* extension_type */ 2269 /* extension_type */
2136 rv = ssl3_AppendHandshakeNumber(ss, ssl_renegotiation_info_xtn, 2); 2270 rv = ssl3_AppendHandshakeNumber(ss, ssl_renegotiation_info_xtn, 2);
2137 if (rv != SECSuccess) return -1; 2271 if (rv != SECSuccess)
2272 return -1;
2138 /* length of extension_data */ 2273 /* length of extension_data */
2139 rv = ssl3_AppendHandshakeNumber(ss, len + 1, 2); 2274 rv = ssl3_AppendHandshakeNumber(ss, len + 1, 2);
2140 if (rv != SECSuccess) return -1; 2275 if (rv != SECSuccess)
2276 return -1;
2141 /* verify_Data from previous Finished message(s) */ 2277 /* verify_Data from previous Finished message(s) */
2142 rv = ssl3_AppendHandshakeVariable(ss, 2278 rv = ssl3_AppendHandshakeVariable(ss,
2143 ss->ssl3.hs.finishedMsgs.data, len, 1); 2279 ss->ssl3.hs.finishedMsgs.data, len, 1) ;
2144 if (rv != SECSuccess) return -1; 2280 if (rv != SECSuccess)
2281 return -1;
2145 if (!ss->sec.isServer) { 2282 if (!ss->sec.isServer) {
2146 TLSExtensionData *xtnData = &ss->xtnData; 2283 TLSExtensionData *xtnData = &ss->xtnData;
2147 xtnData->advertised[xtnData->numAdvertised++] = 2284 xtnData->advertised[xtnData->numAdvertised++] =
2148 ssl_renegotiation_info_xtn; 2285 ssl_renegotiation_info_xtn;
2149 } 2286 }
2150 } 2287 }
2151 return needed; 2288 return needed;
2152 } 2289 }
2153 2290
2154 static SECStatus 2291 static SECStatus
2155 ssl3_ServerHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type, 2292 ssl3_ServerHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type,
2156 SECItem *data) 2293 SECItem *data)
2157 { 2294 {
2158 SECStatus rv = SECSuccess; 2295 SECStatus rv = SECSuccess;
2159 2296
2160 /* remember that we got this extension. */ 2297 /* remember that we got this extension. */
2161 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 2298 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
2162 PORT_Assert(ss->sec.isServer); 2299 PORT_Assert(ss->sec.isServer);
2163 /* prepare to send back the appropriate response */ 2300 /* prepare to send back the appropriate response */
2164 rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type, 2301 rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type,
2165 ssl3_ServerSendStatusRequestXtn); 2302 ssl3_ServerSendStatusRequestXtn );
2166 return rv; 2303 return rv;
2167 } 2304 }
2168 2305
2169 /* This function runs in both the client and server. */ 2306 /* This function runs in both the client and server. */
2170 static SECStatus 2307 static SECStatus
2171 ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) 2308 ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
2172 { 2309 {
2173 SECStatus rv = SECSuccess; 2310 SECStatus rv = SECSuccess;
2174 PRUint32 len = 0; 2311 PRUint32 len = 0;
2175 2312
2176 if (ss->firstHsDone) { 2313 if (ss->firstHsDone) {
2177 len = ss->sec.isServer ? ss->ssl3.hs.finishedBytes 2314 len = ss->sec.isServer ? ss->ssl3.hs.finishedBytes
2178 : ss->ssl3.hs.finishedBytes * 2; 2315 : ss->ssl3.hs.finishedBytes * 2;
2179 } 2316 }
2180 if (data->len != 1 + len || data->data[0] != len ) { 2317 if (data->len != 1 + len || data->data[0] != len) {
2181 (void)ssl3_DecodeError(ss); 2318 (void)ssl3_DecodeError(ss);
2182 return SECFailure; 2319 return SECFailure;
2183 } 2320 }
2184 if (len && NSS_SecureMemcmp(ss->ssl3.hs.finishedMsgs.data, 2321 if (len && NSS_SecureMemcmp(ss->ssl3.hs.finishedMsgs.data,
2185 data->data + 1, len)) { 2322 data->data + 1, len)) {
2186 (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure); 2323 (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure);
2187 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); 2324 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
2188 return SECFailure; 2325 return SECFailure;
2189 } 2326 }
2190 /* remember that we got this extension and it was correct. */ 2327 /* remember that we got this extension and it was correct. */
(...skipping 11 matching lines...) Expand all
2202 ssl3_ClientSendUseSRTPXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes) 2339 ssl3_ClientSendUseSRTPXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes)
2203 { 2340 {
2204 PRUint32 ext_data_len; 2341 PRUint32 ext_data_len;
2205 PRInt16 i; 2342 PRInt16 i;
2206 SECStatus rv; 2343 SECStatus rv;
2207 2344
2208 if (!ss) 2345 if (!ss)
2209 return 0; 2346 return 0;
2210 2347
2211 if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) 2348 if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount)
2212 return 0; /* Not relevant */ 2349 return 0; /* Not relevant */
2213 2350
2214 ext_data_len = 2 + 2 * ss->ssl3.dtlsSRTPCipherCount + 1; 2351 ext_data_len = 2 + 2 * ss->ssl3.dtlsSRTPCipherCount + 1;
2215 2352
2216 if (append && maxBytes >= 4 + ext_data_len) { 2353 if (append && maxBytes >= 4 + ext_data_len) {
2217 /* Extension type */ 2354 /* Extension type */
2218 rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2); 2355 rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2);
2219 if (rv != SECSuccess) return -1; 2356 if (rv != SECSuccess)
2357 return -1;
2220 /* Length of extension data */ 2358 /* Length of extension data */
2221 rv = ssl3_AppendHandshakeNumber(ss, ext_data_len, 2); 2359 rv = ssl3_AppendHandshakeNumber(ss, ext_data_len, 2);
2222 if (rv != SECSuccess) return -1; 2360 if (rv != SECSuccess)
2361 return -1;
2223 /* Length of the SRTP cipher list */ 2362 /* Length of the SRTP cipher list */
2224 rv = ssl3_AppendHandshakeNumber(ss, 2363 rv = ssl3_AppendHandshakeNumber(ss,
2225 2 * ss->ssl3.dtlsSRTPCipherCount, 2364 2 * ss->ssl3.dtlsSRTPCipherCount,
2226 2); 2365 2);
2227 if (rv != SECSuccess) return -1; 2366 if (rv != SECSuccess)
2367 return -1;
2228 /* The SRTP ciphers */ 2368 /* The SRTP ciphers */
2229 for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) { 2369 for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) {
2230 rv = ssl3_AppendHandshakeNumber(ss, 2370 rv = ssl3_AppendHandshakeNumber(ss,
2231 ss->ssl3.dtlsSRTPCiphers[i], 2371 ss->ssl3.dtlsSRTPCiphers[i],
2232 2); 2372 2);
2233 } 2373 }
2234 /* Empty MKI value */ 2374 /* Empty MKI value */
2235 ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); 2375 ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
2236 2376
2237 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = 2377 ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
2238 ssl_use_srtp_xtn; 2378 ssl_use_srtp_xtn;
2239 } 2379 }
2240 2380
2241 return 4 + ext_data_len; 2381 return 4 + ext_data_len;
2242 } 2382 }
2243 2383
2244 static PRInt32 2384 static PRInt32
2245 ssl3_ServerSendUseSRTPXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes) 2385 ssl3_ServerSendUseSRTPXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes)
2246 { 2386 {
2247 SECStatus rv; 2387 SECStatus rv;
2248 2388
2249 /* Server side */ 2389 /* Server side */
2250 if (!append || maxBytes < 9) { 2390 if (!append || maxBytes < 9) {
2251 return 9; 2391 return 9;
2252 } 2392 }
2253 2393
2254 /* Extension type */ 2394 /* Extension type */
2255 rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2); 2395 rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2);
2256 if (rv != SECSuccess) return -1; 2396 if (rv != SECSuccess)
2397 return -1;
2257 /* Length of extension data */ 2398 /* Length of extension data */
2258 rv = ssl3_AppendHandshakeNumber(ss, 5, 2); 2399 rv = ssl3_AppendHandshakeNumber(ss, 5, 2);
2259 if (rv != SECSuccess) return -1; 2400 if (rv != SECSuccess)
2401 return -1;
2260 /* Length of the SRTP cipher list */ 2402 /* Length of the SRTP cipher list */
2261 rv = ssl3_AppendHandshakeNumber(ss, 2, 2); 2403 rv = ssl3_AppendHandshakeNumber(ss, 2, 2);
2262 if (rv != SECSuccess) return -1; 2404 if (rv != SECSuccess)
2405 return -1;
2263 /* The selected cipher */ 2406 /* The selected cipher */
2264 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.dtlsSRTPCipherSuite, 2); 2407 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.dtlsSRTPCipherSuite, 2);
2265 if (rv != SECSuccess) return -1; 2408 if (rv != SECSuccess)
2409 return -1;
2266 /* Empty MKI value */ 2410 /* Empty MKI value */
2267 ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); 2411 ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
2268 2412
2269 return 9; 2413 return 9;
2270 } 2414 }
2271 2415
2272 static SECStatus 2416 static SECStatus
2273 ssl3_ClientHandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data) 2417 ssl3_ClientHandleUseSRTPXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
2274 { 2418 {
2275 SECStatus rv; 2419 SECStatus rv;
2276 SECItem ciphers = {siBuffer, NULL, 0}; 2420 SECItem ciphers = { siBuffer, NULL, 0 };
2277 PRUint16 i; 2421 PRUint16 i;
2278 PRUint16 cipher = 0; 2422 PRUint16 cipher = 0;
2279 PRBool found = PR_FALSE; 2423 PRBool found = PR_FALSE;
2280 SECItem litem; 2424 SECItem litem;
2281 2425
2282 if (!data->data || !data->len) { 2426 if (!data->data || !data->len) {
2283 (void)ssl3_DecodeError(ss); 2427 (void)ssl3_DecodeError(ss);
2284 return SECFailure; 2428 return SECFailure;
2285 } 2429 }
2286 2430
2287 /* Get the cipher list */ 2431 /* Get the cipher list */
2288 rv = ssl3_ConsumeHandshakeVariable(ss, &ciphers, 2, 2432 rv = ssl3_ConsumeHandshakeVariable(ss, &ciphers, 2,
2289 &data->data, &data->len); 2433 &data->data, &data->len);
2290 if (rv != SECSuccess) { 2434 if (rv != SECSuccess) {
2291 return SECFailure; /* fatal alert already sent */ 2435 return SECFailure; /* fatal alert already sent */
2292 } 2436 }
2293 /* Now check that the server has picked just 1 (i.e., len = 2) */ 2437 /* Now check that the server has picked just 1 (i.e., len = 2) */
2294 if (ciphers.len != 2) { 2438 if (ciphers.len != 2) {
2295 (void)ssl3_DecodeError(ss); 2439 (void)ssl3_DecodeError(ss);
2296 return SECFailure; 2440 return SECFailure;
2297 } 2441 }
2298 2442
2299 /* Get the selected cipher */ 2443 /* Get the selected cipher */
2300 cipher = (ciphers.data[0] << 8) | ciphers.data[1]; 2444 cipher = (ciphers.data[0] << 8) | ciphers.data[1];
2301 2445
(...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after
2333 return SECFailure; 2477 return SECFailure;
2334 } 2478 }
2335 2479
2336 /* OK, this looks fine. */ 2480 /* OK, this looks fine. */
2337 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn; 2481 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn;
2338 ss->ssl3.dtlsSRTPCipherSuite = cipher; 2482 ss->ssl3.dtlsSRTPCipherSuite = cipher;
2339 return SECSuccess; 2483 return SECSuccess;
2340 } 2484 }
2341 2485
2342 static SECStatus 2486 static SECStatus
2343 ssl3_ServerHandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data) 2487 ssl3_ServerHandleUseSRTPXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
2344 { 2488 {
2345 SECStatus rv; 2489 SECStatus rv;
2346 SECItem ciphers = {siBuffer, NULL, 0}; 2490 SECItem ciphers = { siBuffer, NULL, 0 };
2347 PRUint16 i; 2491 PRUint16 i;
2348 unsigned int j; 2492 unsigned int j;
2349 PRUint16 cipher = 0; 2493 PRUint16 cipher = 0;
2350 PRBool found = PR_FALSE; 2494 PRBool found = PR_FALSE;
2351 SECItem litem; 2495 SECItem litem;
2352 2496
2353 if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) { 2497 if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) {
2354 /* Ignore the extension if we aren't doing DTLS or no DTLS-SRTP 2498 /* Ignore the extension if we aren't doing DTLS or no DTLS-SRTP
2355 * preferences have been set. */ 2499 * preferences have been set. */
2356 return SECSuccess; 2500 return SECSuccess;
(...skipping 50 matching lines...) Expand 10 before | Expand all | Expand 10 after
2407 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn; 2551 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn;
2408 2552
2409 return ssl3_RegisterServerHelloExtensionSender(ss, ssl_use_srtp_xtn, 2553 return ssl3_RegisterServerHelloExtensionSender(ss, ssl_use_srtp_xtn,
2410 ssl3_ServerSendUseSRTPXtn); 2554 ssl3_ServerSendUseSRTPXtn);
2411 } 2555 }
2412 2556
2413 /* ssl3_ServerHandleSigAlgsXtn handles the signature_algorithms extension 2557 /* ssl3_ServerHandleSigAlgsXtn handles the signature_algorithms extension
2414 * from a client. 2558 * from a client.
2415 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ 2559 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
2416 static SECStatus 2560 static SECStatus
2417 ssl3_ServerHandleSigAlgsXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data) 2561 ssl3_ServerHandleSigAlgsXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
2418 { 2562 {
2419 SECStatus rv; 2563 SECStatus rv;
2420 SECItem algorithms; 2564 SECItem algorithms;
2421 const unsigned char *b; 2565 const unsigned char *b;
2422 unsigned int numAlgorithms, i; 2566 unsigned int numAlgorithms, i;
2423 2567
2424 /* Ignore this extension if we aren't doing TLS 1.2 or greater. */ 2568 /* Ignore this extension if we aren't doing TLS 1.2 or greater. */
2425 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) { 2569 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) {
2426 return SECSuccess; 2570 return SECSuccess;
2427 } 2571 }
2428 2572
2429 rv = ssl3_ConsumeHandshakeVariable(ss, &algorithms, 2, &data->data, 2573 rv = ssl3_ConsumeHandshakeVariable(ss, &algorithms, 2, &data->data,
2430 &data->len); 2574 &data->len);
2431 if (rv != SECSuccess) { 2575 if (rv != SECSuccess) {
2432 return SECFailure; 2576 return SECFailure;
2433 } 2577 }
2434 /* Trailing data, empty value, or odd-length value is invalid. */ 2578 /* Trailing data, empty value, or odd-length value is invalid. */
2435 if (data->len != 0 || algorithms.len == 0 || (algorithms.len & 1) != 0) { 2579 if (data->len != 0 || algorithms.len == 0 || (algorithms.len & 1) != 0) {
2436 (void)SSL3_SendAlert(ss, alert_fatal, decode_error); 2580 (void)SSL3_SendAlert(ss, alert_fatal, decode_error);
2437 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); 2581 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
2438 return SECFailure; 2582 return SECFailure;
2439 } 2583 }
2440 2584
2441 numAlgorithms = algorithms.len/2; 2585 numAlgorithms = algorithms.len / 2;
2442 2586
2443 /* We don't care to process excessive numbers of algorithms. */ 2587 /* We don't care to process excessive numbers of algorithms. */
2444 if (numAlgorithms > 512) { 2588 if (numAlgorithms > 512) {
2445 numAlgorithms = 512; 2589 numAlgorithms = 512;
2446 } 2590 }
2447 2591
2448 ss->ssl3.hs.clientSigAndHash = 2592 ss->ssl3.hs.clientSigAndHash =
2449 PORT_NewArray(SSLSignatureAndHashAlg, numAlgorithms); 2593 PORT_NewArray(SSLSignatureAndHashAlg, numAlgorithms);
2450 if (!ss->ssl3.hs.clientSigAndHash) { 2594 if (!ss->ssl3.hs.clientSigAndHash) {
2451 (void)SSL3_SendAlert(ss, alert_fatal, internal_error); 2595 (void)SSL3_SendAlert(ss, alert_fatal, internal_error);
2452 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); 2596 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
2453 return SECFailure; 2597 return SECFailure;
2454 } 2598 }
2455 ss->ssl3.hs.numClientSigAndHash = 0; 2599 ss->ssl3.hs.numClientSigAndHash = 0;
2456 2600
2457 b = algorithms.data; 2601 b = algorithms.data;
2458 ss->ssl3.hs.numClientSigAndHash = 0; 2602 ss->ssl3.hs.numClientSigAndHash = 0;
2459 for (i = 0; i < numAlgorithms; i++) { 2603 for (i = 0; i < numAlgorithms; i++) {
2460 SSLSignatureAndHashAlg *sigAndHash = 2604 SSLSignatureAndHashAlg *sigAndHash =
2461 &ss->ssl3.hs.clientSigAndHash[ss->ssl3.hs.numClientSigAndHash]; 2605 &ss->ssl3.hs.clientSigAndHash[ss->ssl3.hs.numClientSigAndHash];
2462 sigAndHash->hashAlg = (SSLHashType)*(b++); 2606 sigAndHash->hashAlg = (SSLHashType) * (b++);
2463 sigAndHash->sigAlg = (SSLSignType)*(b++); 2607 sigAndHash->sigAlg = (SSLSignType) * (b++);
2464 if (ssl3_IsSupportedSignatureAlgorithm(sigAndHash)) { 2608 if (ssl3_IsSupportedSignatureAlgorithm(sigAndHash)) {
2465 ++ss->ssl3.hs.numClientSigAndHash; 2609 ++ss->ssl3.hs.numClientSigAndHash;
2466 } 2610 }
2467 } 2611 }
2468 2612
2469 if (!ss->ssl3.hs.numClientSigAndHash) { 2613 if (!ss->ssl3.hs.numClientSigAndHash) {
2470 /* We didn't understand any of the client's requested signature 2614 /* We didn't understand any of the client's requested signature
2471 * formats. We'll use the defaults. */ 2615 * formats. We'll use the defaults. */
2472 PORT_Free(ss->ssl3.hs.clientSigAndHash); 2616 PORT_Free(ss->ssl3.hs.clientSigAndHash);
2473 ss->ssl3.hs.clientSigAndHash = NULL; 2617 ss->ssl3.hs.clientSigAndHash = NULL;
2474 } 2618 }
2475 2619
2476 /* Keep track of negotiated extensions. */ 2620 /* Keep track of negotiated extensions. */
2477 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 2621 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
2478 return SECSuccess; 2622 return SECSuccess;
2479 } 2623 }
2480 2624
2481 /* ssl3_ClientSendSigAlgsXtn sends the signature_algorithm extension for TLS 2625 /* ssl3_ClientSendSigAlgsXtn sends the signature_algorithm extension for TLS
2482 * 1.2 ClientHellos. */ 2626 * 1.2 ClientHellos. */
2483 static PRInt32 2627 static PRInt32
2484 ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes) 2628 ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes)
2485 { 2629 {
2486 PRInt32 extension_length; 2630 PRInt32 extension_length;
2487 unsigned int i; 2631 unsigned int i;
2488 PRInt32 pos=0; 2632 PRInt32 pos = 0;
2489 PRUint32 policy; 2633 PRUint32 policy;
2490 PRUint8 buf[MAX_SIGNATURE_ALGORITHMS * 2]; 2634 PRUint8 buf[MAX_SIGNATURE_ALGORITHMS * 2];
2491 2635
2492 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) { 2636 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) {
2493 return 0; 2637 return 0;
2494 } 2638 }
2495 2639
2496 for (i=0; i < ss->ssl3.signatureAlgorithmCount; i++) { 2640 for (i = 0; i < ss->ssl3.signatureAlgorithmCount; i++) {
2497 » SECOidTag hashOID = ssl3_TLSHashAlgorithmToOID( 2641 SECOidTag hashOID = ssl3_TLSHashAlgorithmToOID(
2498 » » » » ss->ssl3.signatureAlgorithms[i].hashAlg); 2642 ss->ssl3.signatureAlgorithms[i].hashAlg);
2499 » if ((NSS_GetAlgorithmPolicy(hashOID, & policy) != SECSuccess) || 2643 if ((NSS_GetAlgorithmPolicy(hashOID, &policy) != SECSuccess) ||
2500 » » (policy & NSS_USE_ALG_IN_SSL_KX)) { 2644 (policy & NSS_USE_ALG_IN_SSL_KX)) {
2501 » buf[pos++] = ss->ssl3.signatureAlgorithms[i].hashAlg; 2645 buf[pos++] = ss->ssl3.signatureAlgorithms[i].hashAlg;
2502 » buf[pos++] = ss->ssl3.signatureAlgorithms[i].sigAlg; 2646 buf[pos++] = ss->ssl3.signatureAlgorithms[i].sigAlg;
2503 » } 2647 }
2504 } 2648 }
2505 2649
2506 extension_length = 2650 extension_length =
2507 2 /* extension type */ + 2651 2 /* extension type */ +
2508 2 /* extension length */ + 2652 2 /* extension length */ +
2509 2 /* supported_signature_algorithms length */ + 2653 2 /* supported_signature_algorithms length */ +
2510 pos; 2654 pos;
2511 2655
2512 if (maxBytes < extension_length) { 2656 if (maxBytes < extension_length) {
2513 PORT_Assert(0); 2657 PORT_Assert(0);
(...skipping 10 matching lines...) Expand all
2524 if (rv != SECSuccess) { 2668 if (rv != SECSuccess) {
2525 return -1; 2669 return -1;
2526 } 2670 }
2527 2671
2528 rv = ssl3_AppendHandshakeVariable(ss, buf, extension_length - 6, 2); 2672 rv = ssl3_AppendHandshakeVariable(ss, buf, extension_length - 6, 2);
2529 if (rv != SECSuccess) { 2673 if (rv != SECSuccess) {
2530 return -1; 2674 return -1;
2531 } 2675 }
2532 2676
2533 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = 2677 ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
2534 ssl_signature_algorithms_xtn; 2678 ssl_signature_algorithms_xtn;
2535 } 2679 }
2536 2680
2537 return extension_length; 2681 return extension_length;
2538 } 2682 }
2539 2683
2540 unsigned int 2684 unsigned int
2541 ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength) 2685 ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength)
2542 { 2686 {
2543 unsigned int recordLength = 1 /* handshake message type */ + 2687 unsigned int recordLength = 1 /* handshake message type */ +
2544 3 /* handshake message length */ + 2688 3 /* handshake message length */ +
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after
2588 if (SECSuccess != ssl3_AppendHandshake(ss, padding, paddingLen)) 2732 if (SECSuccess != ssl3_AppendHandshake(ss, padding, paddingLen))
2589 return -1; 2733 return -1;
2590 2734
2591 return extensionLen; 2735 return extensionLen;
2592 } 2736 }
2593 2737
2594 /* ssl3_ClientSendDraftVersionXtn sends the TLS 1.3 temporary draft 2738 /* ssl3_ClientSendDraftVersionXtn sends the TLS 1.3 temporary draft
2595 * version extension. 2739 * version extension.
2596 * TODO(ekr@rtfm.com): Remove when TLS 1.3 is published. */ 2740 * TODO(ekr@rtfm.com): Remove when TLS 1.3 is published. */
2597 static PRInt32 2741 static PRInt32
2598 ssl3_ClientSendDraftVersionXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes) 2742 ssl3_ClientSendDraftVersionXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes)
2599 { 2743 {
2600 PRInt32 extension_length; 2744 PRInt32 extension_length;
2601 2745
2602 if (ss->version != SSL_LIBRARY_VERSION_TLS_1_3) { 2746 if (ss->version != SSL_LIBRARY_VERSION_TLS_1_3) {
2603 return 0; 2747 return 0;
2604 } 2748 }
2605 2749
2606 extension_length = 6; /* Type + length + number */ 2750 extension_length = 6; /* Type + length + number */
2607 if (maxBytes < (PRUint32)extension_length) { 2751 if (maxBytes < (PRUint32)extension_length) {
2608 PORT_Assert(0); 2752 PORT_Assert(0);
2609 return 0; 2753 return 0;
2610 } 2754 }
2611 if (append) { 2755 if (append) {
2612 SECStatus rv; 2756 SECStatus rv;
2613 rv = ssl3_AppendHandshakeNumber(ss, ssl_tls13_draft_version_xtn, 2); 2757 rv = ssl3_AppendHandshakeNumber(ss, ssl_tls13_draft_version_xtn, 2);
2614 if (rv != SECSuccess) 2758 if (rv != SECSuccess)
2615 goto loser; 2759 goto loser;
2616 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); 2760 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2);
2617 if (rv != SECSuccess) 2761 if (rv != SECSuccess)
2618 goto loser; 2762 goto loser;
2619 rv = ssl3_AppendHandshakeNumber(ss, TLS_1_3_DRAFT_VERSION, 2); 2763 rv = ssl3_AppendHandshakeNumber(ss, TLS_1_3_DRAFT_VERSION, 2);
2620 if (rv != SECSuccess) 2764 if (rv != SECSuccess)
2621 goto loser; 2765 goto loser;
2622 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = 2766 ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
2623 ssl_tls13_draft_version_xtn; 2767 ssl_tls13_draft_version_xtn;
2624 } 2768 }
2625 2769
2626 return extension_length; 2770 return extension_length;
2627 2771
2628 loser: 2772 loser:
2629 return -1; 2773 return -1;
2630 } 2774 }
2631 2775
2632 /* ssl3_ServerHandleDraftVersionXtn handles the TLS 1.3 temporary draft 2776 /* ssl3_ServerHandleDraftVersionXtn handles the TLS 1.3 temporary draft
2633 * version extension. 2777 * version extension.
2634 * TODO(ekr@rtfm.com): Remove when TLS 1.3 is published. */ 2778 * TODO(ekr@rtfm.com): Remove when TLS 1.3 is published. */
2635 static SECStatus 2779 static SECStatus
2636 ssl3_ServerHandleDraftVersionXtn(sslSocket * ss, PRUint16 ex_type, 2780 ssl3_ServerHandleDraftVersionXtn(sslSocket *ss, PRUint16 ex_type,
2637 SECItem *data) 2781 SECItem *data)
2638 { 2782 {
2639 PRInt32 draft_version; 2783 PRInt32 draft_version;
2640 2784
2641 /* Ignore this extension if we aren't doing TLS 1.3 */ 2785 /* Ignore this extension if we aren't doing TLS 1.3 */
2642 if (ss->version != SSL_LIBRARY_VERSION_TLS_1_3) { 2786 if (ss->version != SSL_LIBRARY_VERSION_TLS_1_3) {
2643 return SECSuccess; 2787 return SECSuccess;
2644 } 2788 }
2645 2789
2646 if (data->len != 2) { 2790 if (data->len != 2) {
(...skipping 20 matching lines...) Expand all
2667 SSL_TRC(30, ("%d: SSL3[%d]: Incompatible version of TLS 1.3 (%d), " 2811 SSL_TRC(30, ("%d: SSL3[%d]: Incompatible version of TLS 1.3 (%d), "
2668 "expected %d", 2812 "expected %d",
2669 SSL_GETPID(), ss->fd, draft_version, TLS_1_3_DRAFT_VERSION) ); 2813 SSL_GETPID(), ss->fd, draft_version, TLS_1_3_DRAFT_VERSION) );
2670 ss->version = SSL_LIBRARY_VERSION_TLS_1_2; 2814 ss->version = SSL_LIBRARY_VERSION_TLS_1_2;
2671 } 2815 }
2672 2816
2673 return SECSuccess; 2817 return SECSuccess;
2674 } 2818 }
2675 2819
2676 static PRInt32 2820 static PRInt32
2677 ssl3_SendExtendedMasterSecretXtn(sslSocket * ss, PRBool append, 2821 ssl3_SendExtendedMasterSecretXtn(sslSocket *ss, PRBool append,
2678 PRUint32 maxBytes) 2822 PRUint32 maxBytes)
2679 { 2823 {
2680 PRInt32 extension_length; 2824 PRInt32 extension_length;
2681 2825
2682 if (!ss->opt.enableExtendedMS) { 2826 if (!ss->opt.enableExtendedMS) {
2683 return 0; 2827 return 0;
2684 } 2828 }
2685 2829
2686 #ifndef NO_PKCS11_BYPASS 2830 #ifndef NO_PKCS11_BYPASS
2687 /* Extended MS can only be used w/o bypass mode */ 2831 /* Extended MS can only be used w/o bypass mode */
2688 if (ss->opt.bypassPKCS11) { 2832 if (ss->opt.bypassPKCS11) {
2689 PORT_Assert(0); 2833 PORT_Assert(0);
2690 PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); 2834 PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
2691 return -1; 2835 return -1;
2692 } 2836 }
2693 #endif 2837 #endif
2694 2838
2695 /* Always send the extension in this function, since the 2839 /* Always send the extension in this function, since the
2696 * client always sends it and this function is only called on 2840 * client always sends it and this function is only called on
2697 * the server if we negotiated the extension. */ 2841 * the server if we negotiated the extension. */
2698 extension_length = 4; /* Type + length (0) */ 2842 extension_length = 4; /* Type + length (0) */
2699 if (maxBytes < extension_length) { 2843 if (maxBytes < extension_length) {
2700 PORT_Assert(0); 2844 PORT_Assert(0);
2701 return 0; 2845 return 0;
2702 } 2846 }
2703 2847
2704 if (append) { 2848 if (append) {
2705 SECStatus rv; 2849 SECStatus rv;
2706 rv = ssl3_AppendHandshakeNumber(ss, ssl_extended_master_secret_xtn, 2); 2850 rv = ssl3_AppendHandshakeNumber(ss, ssl_extended_master_secret_xtn, 2);
2707 if (rv != SECSuccess) 2851 if (rv != SECSuccess)
2708 goto loser; 2852 goto loser;
2709 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); 2853 rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
2710 if (rv != SECSuccess) 2854 if (rv != SECSuccess)
2711 goto loser; 2855 goto loser;
2712 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = 2856 ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
2713 ssl_extended_master_secret_xtn; 2857 ssl_extended_master_secret_xtn;
2714 } 2858 }
2715 2859
2716 return extension_length; 2860 return extension_length;
2717 loser:
2718 return -1;
2719 }
2720 2861
2721 /* ssl3_ClientSendSignedCertTimestampXtn sends the signed_certificate_timestamp
2722 * extension for TLS ClientHellos. */
2723 static PRInt32
2724 ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, PRBool append,
2725 PRUint32 maxBytes)
2726 {
2727 PRInt32 extension_length = 2 /* extension_type */ +
2728 2 /* length(extension_data) */;
2729
2730 /* Only send the extension if processing is enabled. */
2731 if (!ss->opt.enableSignedCertTimestamps)
2732 return 0;
2733
2734 if (maxBytes < extension_length) {
2735 PORT_Assert(0);
2736 return 0;
2737 }
2738
2739 if (append) {
2740 SECStatus rv;
2741 /* extension_type */
2742 rv = ssl3_AppendHandshakeNumber(ss,
2743 ssl_signed_certificate_timestamp_xtn,
2744 2);
2745 if (rv != SECSuccess)
2746 goto loser;
2747 /* zero length */
2748 rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
2749 if (rv != SECSuccess)
2750 goto loser;
2751 ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
2752 ssl_signed_certificate_timestamp_xtn;
2753 }
2754
2755 return extension_length;
2756 loser: 2862 loser:
2757 return -1; 2863 return -1;
2758 } 2864 }
2759 2865
2760 static SECStatus 2866 static SECStatus
2761 ssl3_HandleExtendedMasterSecretXtn(sslSocket * ss, PRUint16 ex_type, 2867 ssl3_HandleExtendedMasterSecretXtn(sslSocket *ss, PRUint16 ex_type,
2762 SECItem *data) 2868 SECItem *data)
2763 { 2869 {
2764 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_0) { 2870 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_0) {
2765 return SECSuccess; 2871 return SECSuccess;
2766 } 2872 }
2767 2873
2768 if (!ss->opt.enableExtendedMS) { 2874 if (!ss->opt.enableExtendedMS) {
2769 return SECSuccess; 2875 return SECSuccess;
2770 } 2876 }
2771 2877
(...skipping 18 matching lines...) Expand all
2790 /* Keep track of negotiated extensions. */ 2896 /* Keep track of negotiated extensions. */
2791 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 2897 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
2792 2898
2793 if (ss->sec.isServer) { 2899 if (ss->sec.isServer) {
2794 return ssl3_RegisterServerHelloExtensionSender( 2900 return ssl3_RegisterServerHelloExtensionSender(
2795 ss, ex_type, ssl3_SendExtendedMasterSecretXtn); 2901 ss, ex_type, ssl3_SendExtendedMasterSecretXtn);
2796 } 2902 }
2797 return SECSuccess; 2903 return SECSuccess;
2798 } 2904 }
2799 2905
2906 /* ssl3_ClientSendSignedCertTimestampXtn sends the signed_certificate_timestamp
2907 * extension for TLS ClientHellos. */
2908 static PRInt32
2909 ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, PRBool append,
2910 PRUint32 maxBytes)
2911 {
2912 PRInt32 extension_length = 2 /* extension_type */ +
2913 2 /* length(extension_data) */;
2914
2915 /* Only send the extension if processing is enabled. */
2916 if (!ss->opt.enableSignedCertTimestamps)
2917 return 0;
2918
2919 if (append && maxBytes >= extension_length) {
2920 SECStatus rv;
2921 /* extension_type */
2922 rv = ssl3_AppendHandshakeNumber(ss,
2923 ssl_signed_cert_timestamp_xtn,
2924 2);
2925 if (rv != SECSuccess)
2926 goto loser;
2927 /* zero length */
2928 rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
2929 if (rv != SECSuccess)
2930 goto loser;
2931 ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
2932 ssl_signed_cert_timestamp_xtn;
2933 } else if (maxBytes < extension_length) {
2934 PORT_Assert(0);
2935 return 0;
2936 }
2937
2938 return extension_length;
2939 loser:
2940 return -1;
2941 }
2942
2800 static SECStatus 2943 static SECStatus
2801 ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, PRUint16 ex_type, 2944 ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, PRUint16 ex_type,
2802 SECItem *data) 2945 SECItem *data)
2803 { 2946 {
2804 /* We do not yet know whether we'll be resuming a session or creating 2947 /* We do not yet know whether we'll be resuming a session or creating
2805 * a new one, so we keep a pointer to the data in the TLSExtensionData 2948 * a new one, so we keep a pointer to the data in the TLSExtensionData
2806 * structure. This pointer is only valid in the scope of 2949 * structure. This pointer is only valid in the scope of
2807 * ssl3_HandleServerHello, and, if not resuming a session, the data is 2950 * ssl3_HandleServerHello, and, if not resuming a session, the data is
2808 * copied once a new session structure has been set up. 2951 * copied once a new session structure has been set up.
2809 * All parsing is currently left to the application and we accept 2952 * All parsing is currently left to the application and we accept
2810 * everything, including empty data. 2953 * everything, including empty data.
2811 */ 2954 */
2812 SECItem *scts = &ss->xtnData.signedCertTimestamps; 2955 SECItem *scts = &ss->xtnData.signedCertTimestamps;
2813 PORT_Assert(!scts->data && !scts->len); 2956 PORT_Assert(!scts->data && !scts->len);
2814 2957
2815 if (!data->len) { 2958 if (!data->len) {
2816 /* Empty extension data: RFC 6962 mandates non-empty contents. */ 2959 /* Empty extension data: RFC 6962 mandates non-empty contents. */
2817 return SECFailure; 2960 return SECFailure;
2818 } 2961 }
2819 *scts = *data; 2962 *scts = *data;
2820 /* Keep track of negotiated extensions. */ 2963 /* Keep track of negotiated extensions. */
2821 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 2964 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
2822 return SECSuccess; 2965 return SECSuccess;
2823 } 2966 }
2967
2968 static PRInt32
2969 ssl3_ServerSendSignedCertTimestampXtn(sslSocket *ss,
2970 PRBool append,
2971 PRUint32 maxBytes)
2972 {
2973 PRInt32 extension_length;
2974 SSLKEAType effectiveExchKeyType;
2975 const SECItem *scts;
2976
2977 if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa ||
2978 ss->ssl3.hs.kea_def->kea == kea_dhe_rsa) {
2979 effectiveExchKeyType = ssl_kea_rsa;
2980 } else {
2981 effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType;
2982 }
2983
2984 scts = &ss->signedCertTimestamps[effectiveExchKeyType];
2985
2986 if (!scts->len) {
2987 /* No timestamps to send */
2988 return 0;
2989 }
2990
2991 extension_length = 2 /* extension_type */ +
2992 2 /* length(extension_data) */ +
2993 scts->len;
2994
2995 if (maxBytes < extension_length) {
2996 PORT_Assert(0);
2997 return 0;
2998 }
2999 if (append) {
3000 SECStatus rv;
3001 /* extension_type */
3002 rv = ssl3_AppendHandshakeNumber(ss,
3003 ssl_signed_cert_timestamp_xtn,
3004 2);
3005 if (rv != SECSuccess)
3006 goto loser;
3007 /* extension_data */
3008 rv = ssl3_AppendHandshakeVariable(ss, scts->data, scts->len, 2);
3009 if (rv != SECSuccess)
3010 goto loser;
3011 }
3012
3013 return extension_length;
3014
3015 loser:
3016 return -1;
3017 }
3018
3019 static SECStatus
3020 ssl3_ServerHandleSignedCertTimestampXtn(sslSocket *ss, PRUint16 ex_type,
3021 SECItem *data)
3022 {
3023 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
3024 PORT_Assert(ss->sec.isServer);
3025 return ssl3_RegisterServerHelloExtensionSender(ss, ex_type,
3026 ssl3_ServerSendSignedCertTime stampXtn);
3027 }
3028
3029 /*
3030 * [draft-ietf-tls-tls13-11] Section 6.3.2.3.
3031 *
3032 * struct {
3033 * NamedGroup group;
3034 * opaque key_exchange<1..2^16-1>;
3035 * } KeyShareEntry;
3036 *
3037 * struct {
3038 * select (role) {
3039 * case client:
3040 * KeyShareEntry client_shares<4..2^16-1>;
3041 *
3042 * case server:
3043 * KeyShareEntry server_share;
3044 * }
3045 * } KeyShare;
3046 */
3047 static SECStatus
3048 tls13_SizeOfKeyShareEntry(ssl3KeyPair *pair)
3049 {
3050 return 2 + 2 + tls13_SizeOfECDHEKeyShareKEX(pair);
3051 }
3052
3053 static SECStatus
3054 tls13_EncodeKeyShareEntry(sslSocket *ss, ssl3KeyPair *pair)
3055 {
3056 SECStatus rv;
3057
3058 /* This currently only works for ECC keys */
3059 PORT_Assert(pair->pubKey->keyType == ecKey);
3060 if (pair->pubKey->keyType != ecKey) {
3061 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
3062 return SECFailure;
3063 }
3064
3065 rv = ssl3_AppendHandshakeNumber(ss, tls13_GroupForECDHEKeyShare(pair), 2);
3066 if (rv != SECSuccess)
3067 return rv;
3068
3069 rv = ssl3_AppendHandshakeNumber(ss, tls13_SizeOfECDHEKeyShareKEX(pair), 2);
3070 if (rv != SECSuccess)
3071 return rv;
3072
3073 rv = tls13_EncodeECDHEKeyShareKEX(ss, pair);
3074 if (rv != SECSuccess)
3075 return rv;
3076
3077 return SECSuccess;
3078 }
3079
3080 static PRInt32
3081 tls13_ClientSendKeyShareXtn(sslSocket *ss, PRBool append,
3082 PRUint32 maxBytes)
3083 {
3084 SECStatus rv;
3085 PRUint32 entry_length;
3086 PRUint32 extension_length;
3087
3088 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
3089 return 0;
3090 }
3091
3092 /* Optimistically try to send an ECDHE key using the
3093 * preexisting key (in future will be keys) */
3094 SSL_TRC(3, ("%d: TLS13[%d]: send client key share xtn",
3095 SSL_GETPID(), ss->fd));
3096
3097 entry_length = tls13_SizeOfKeyShareEntry(ss->ephemeralECDHKeyPair);
3098 /* Type + length + vector_length + entry */
3099 extension_length = 2 + 2 + 2 + entry_length;
3100
3101 if (maxBytes < extension_length) {
3102 PORT_Assert(0);
3103 return 0;
3104 }
3105
3106 if (append) {
3107 rv = ssl3_AppendHandshakeNumber(ss, ssl_tls13_key_share_xtn, 2);
3108 if (rv != SECSuccess)
3109 goto loser;
3110 rv = ssl3_AppendHandshakeNumber(ss, entry_length + 2, 2); /* Extension l ength */
3111 if (rv != SECSuccess)
3112 goto loser;
3113 rv = ssl3_AppendHandshakeNumber(ss, entry_length, 2); /* Vector length * /
3114 if (rv != SECSuccess)
3115 goto loser;
3116 rv = tls13_EncodeKeyShareEntry(ss, ss->ephemeralECDHKeyPair);
3117 if (rv != SECSuccess)
3118 goto loser;
3119
3120 ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
3121 ssl_tls13_key_share_xtn;
3122 }
3123
3124 return extension_length;
3125
3126 loser:
3127 return -1;
3128 }
3129
3130 static SECStatus
3131 tls13_HandleKeyShareEntry(sslSocket *ss, SECItem *data)
3132 {
3133 SECStatus rv;
3134 PRInt32 group;
3135 TLS13KeyShareEntry *ks = NULL;
3136 SECItem share = { siBuffer, NULL, 0 };
3137
3138 group = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
3139 if (group < 0) {
3140 PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE);
3141 goto loser;
3142 }
3143
3144 rv = ssl3_ConsumeHandshakeVariable(ss, &share, 2, &data->data,
3145 &data->len);
3146 if (rv != SECSuccess)
3147 goto loser;
3148
3149 ks = PORT_ZNew(TLS13KeyShareEntry);
3150 if (!ks)
3151 goto loser;
3152 ks->group = group;
3153
3154 rv = SECITEM_CopyItem(NULL, &ks->key_exchange, &share);
3155 if (rv != SECSuccess)
3156 goto loser;
3157
3158 PR_APPEND_LINK(&ks->link, &ss->ssl3.hs.remoteKeyShares);
3159 return SECSuccess;
3160
3161 loser:
3162 if (ks)
3163 tls13_DestroyKeyShareEntry(ks);
3164 return SECFailure;
3165 }
3166
3167 /* Handle an incoming KeyShare extension at the client and copy to
3168 * |ss->ssl3.hs.remoteKeyShares| for future use. The key
3169 * share is processed in tls13_HandleServerKeyShare(). */
3170 static SECStatus
3171 tls13_ClientHandleKeyShareXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
3172 {
3173 SECStatus rv;
3174
3175 PORT_Assert(!ss->sec.isServer);
3176 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
3177 /* This can't happen because the extension processing
3178 * code filters out TLS 1.3 extensions when not in
3179 * TLS 1.3 mode. */
3180 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
3181 return SECFailure;
3182 }
3183
3184 SSL_TRC(3, ("%d: SSL3[%d]: handle key_share extension",
3185 SSL_GETPID(), ss->fd));
3186
3187 rv = tls13_HandleKeyShareEntry(ss, data);
3188 if (rv != SECSuccess) {
3189 PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE);
3190 return SECFailure;
3191 }
3192
3193 if (data->len) {
3194 PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE);
3195 return SECFailure;
3196 }
3197
3198 return SECSuccess;
3199 }
3200
3201 /* Handle an incoming KeyShare extension at the server and copy to
3202 * |ss->ssl3.hs.remoteKeyShares| for future use. The key
3203 * share is processed in tls13_HandleClientKeyShare(). */
3204 static SECStatus
3205 tls13_ServerHandleKeyShareXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
3206 {
3207 SECStatus rv;
3208 PRInt32 length;
3209
3210 PORT_Assert(ss->sec.isServer);
3211 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
3212 return SECSuccess;
3213 }
3214
3215 SSL_TRC(3, ("%d: SSL3[%d]: handle key_share extension",
3216 SSL_GETPID(), ss->fd));
3217
3218 /* Redundant length because of TLS encoding (this vector consumes
3219 * the entire extension.) */
3220 length = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data,
3221 &data->len);
3222 if (length < 0)
3223 goto loser;
3224 if (length != data->len) {
3225 /* Check for consistency */
3226 PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE);
3227 goto loser;
3228 }
3229
3230 while (data->len) {
3231 rv = tls13_HandleKeyShareEntry(ss, data);
3232 if (rv != SECSuccess)
3233 goto loser;
3234 }
3235 return SECSuccess;
3236
3237 loser:
3238 tls13_DestroyKeyShares(&ss->ssl3.hs.remoteKeyShares);
3239 return SECFailure;
3240 }
3241
3242 PRInt32
3243 tls13_ServerSendKeyShareXtn(sslSocket *ss, PRBool append,
3244 PRUint32 maxBytes)
3245 {
3246 PRUint32 extension_length;
3247 PRUint32 entry_length;
3248 SECStatus rv;
3249
3250 switch (ss->ssl3.hs.kea_def->exchKeyType) {
3251 #ifndef NSS_DISABLE_ECC
3252 case ssl_kea_ecdh:
3253 PORT_Assert(ss->ephemeralECDHKeyPair);
3254 break;
3255 #endif
3256 default:
3257 /* got an unknown or unsupported Key Exchange Algorithm.
3258 * Can't happen because tls13_HandleClientKeyShare
3259 * enforces that we are ssl_kea_ecdh. */
3260 PORT_Assert(0);
3261 tls13_FatalError(ss, SEC_ERROR_UNSUPPORTED_KEYALG, internal_error);
3262 return SECFailure;
3263 }
3264
3265 entry_length = tls13_SizeOfKeyShareEntry(ss->ephemeralECDHKeyPair);
3266 extension_length = 2 + 2 + entry_length; /* Type + length + entry_length */
3267 if (maxBytes < extension_length) {
3268 PORT_Assert(0);
3269 return 0;
3270 }
3271
3272 if (append) {
3273 rv = ssl3_AppendHandshakeNumber(ss, ssl_tls13_key_share_xtn, 2);
3274 if (rv != SECSuccess)
3275 goto loser;
3276
3277 rv = ssl3_AppendHandshakeNumber(ss, entry_length, 2);
3278 if (rv != SECSuccess)
3279 goto loser;
3280
3281 rv = tls13_EncodeKeyShareEntry(ss, ss->ephemeralECDHKeyPair);
3282 if (rv != SECSuccess)
3283 goto loser;
3284 }
3285
3286 return extension_length;
3287
3288 loser:
3289 return -1;
3290 }
OLDNEW
« no previous file with comments | « net/third_party/nss/ssl/ssl3ecc.c ('k') | net/third_party/nss/ssl/ssl3gthr.c » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698