OLD | NEW |
| (Empty) |
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ | |
2 /* | |
3 * SSL3 Protocol | |
4 * | |
5 * This Source Code Form is subject to the terms of the Mozilla Public | |
6 * License, v. 2.0. If a copy of the MPL was not distributed with this | |
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | |
8 | |
9 /* TLS extension code moved here from ssl3ecc.c */ | |
10 | |
11 #include "nssrenam.h" | |
12 #include "nss.h" | |
13 #include "ssl.h" | |
14 #include "sslproto.h" | |
15 #include "sslimpl.h" | |
16 #include "pk11pub.h" | |
17 #ifdef NO_PKCS11_BYPASS | |
18 #include "blapit.h" | |
19 #else | |
20 #include "blapi.h" | |
21 #endif | |
22 #include "prinit.h" | |
23 | |
24 static unsigned char key_name[SESS_TICKET_KEY_NAME_LEN]; | |
25 static PK11SymKey *session_ticket_enc_key_pkcs11 = NULL; | |
26 static PK11SymKey *session_ticket_mac_key_pkcs11 = NULL; | |
27 | |
28 #ifndef NO_PKCS11_BYPASS | |
29 static unsigned char session_ticket_enc_key[AES_256_KEY_LENGTH]; | |
30 static unsigned char session_ticket_mac_key[SHA256_LENGTH]; | |
31 | |
32 static PRBool session_ticket_keys_initialized = PR_FALSE; | |
33 #endif | |
34 static PRCallOnceType generate_session_keys_once; | |
35 | |
36 /* forward static function declarations */ | |
37 static SECStatus ssl3_ParseEncryptedSessionTicket(sslSocket *ss, | |
38 SECItem *data, EncryptedSessio
nTicket *enc_session_ticket); | |
39 static SECStatus ssl3_AppendToItem(SECItem *item, const unsigned char *buf, | |
40 PRUint32 bytes); | |
41 static SECStatus ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, | |
42 PRInt32 lenSize); | |
43 static SECStatus ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss, | |
44 PK11SymKey **aes_key, PK11SymKe
y **mac_key); | |
45 #ifndef NO_PKCS11_BYPASS | |
46 static SECStatus ssl3_GetSessionTicketKeys(const unsigned char **aes_key, | |
47 PRUint32 *aes_key_length, const unsig
ned char **mac_key, | |
48 PRUint32 *mac_key_length); | |
49 #endif | |
50 static PRInt32 ssl3_SendRenegotiationInfoXtn(sslSocket *ss, | |
51 PRBool append, PRUint32 maxBytes); | |
52 static SECStatus ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, | |
53 PRUint16 ex_type, SECItem *data
); | |
54 static SECStatus ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, | |
55 PRUint16 ex_type, SECItem *da
ta); | |
56 static SECStatus ssl3_ClientHandleAppProtoXtn(sslSocket *ss, | |
57 PRUint16 ex_type, SECItem *data); | |
58 static SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss, | |
59 PRUint16 ex_type, SECItem *da
ta); | |
60 static SECStatus ssl3_ServerHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type, | |
61 SECItem *data); | |
62 static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append, | |
63 PRUint32 maxBytes); | |
64 static PRInt32 ssl3_ClientSendAppProtoXtn(sslSocket *ss, PRBool append, | |
65 PRUint32 maxBytes); | |
66 static PRInt32 ssl3_ServerSendAppProtoXtn(sslSocket *ss, PRBool append, | |
67 PRUint32 maxBytes); | |
68 static PRInt32 ssl3_ClientSendUseSRTPXtn(sslSocket *ss, PRBool append, | |
69 PRUint32 maxBytes); | |
70 static PRInt32 ssl3_ServerSendUseSRTPXtn(sslSocket *ss, PRBool append, | |
71 PRUint32 maxBytes); | |
72 static SECStatus ssl3_ClientHandleUseSRTPXtn(sslSocket *ss, PRUint16 ex_type, | |
73 SECItem *data); | |
74 static SECStatus ssl3_ServerHandleUseSRTPXtn(sslSocket *ss, PRUint16 ex_type, | |
75 SECItem *data); | |
76 static SECStatus ssl3_ClientHandleChannelIDXtn(sslSocket *ss, | |
77 PRUint16 ex_type, SECItem *data); | |
78 static PRInt32 ssl3_ClientSendChannelIDXtn(sslSocket *ss, PRBool append, | |
79 PRUint32 maxBytes); | |
80 static PRInt32 ssl3_ServerSendStatusRequestXtn(sslSocket *ss, | |
81 PRBool append, PRUint32 maxBytes)
; | |
82 static SECStatus ssl3_ServerHandleStatusRequestXtn(sslSocket *ss, | |
83 PRUint16 ex_type, SECItem *da
ta); | |
84 static SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, | |
85 PRUint16 ex_type, | |
86 SECItem *data); | |
87 static PRInt32 ssl3_ClientSendStatusRequestXtn(sslSocket *ss, PRBool append, | |
88 PRUint32 maxBytes); | |
89 static PRInt32 ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append, | |
90 PRUint32 maxBytes); | |
91 static SECStatus ssl3_ServerHandleSigAlgsXtn(sslSocket *ss, PRUint16 ex_type, | |
92 SECItem *data); | |
93 | |
94 static PRInt32 ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, | |
95 PRBool append, | |
96 PRUint32 maxBytes); | |
97 static SECStatus ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, | |
98 PRUint16 ex_type, | |
99 SECItem *data); | |
100 static PRInt32 ssl3_ServerSendSignedCertTimestampXtn(sslSocket *ss, | |
101 PRBool append, | |
102 PRUint32 maxBytes); | |
103 static SECStatus ssl3_ServerHandleSignedCertTimestampXtn(sslSocket *ss, | |
104 PRUint16 ex_type, | |
105 SECItem *data); | |
106 static PRInt32 ssl3_ClientSendDraftVersionXtn(sslSocket *ss, PRBool append, | |
107 PRUint32 maxBytes); | |
108 static SECStatus ssl3_ServerHandleDraftVersionXtn(sslSocket *ss, PRUint16 ex_typ
e, | |
109 SECItem *data); | |
110 static PRInt32 ssl3_SendExtendedMasterSecretXtn(sslSocket *ss, PRBool append, | |
111 PRUint32 maxBytes); | |
112 static SECStatus ssl3_HandleExtendedMasterSecretXtn(sslSocket *ss, | |
113 PRUint16 ex_type, | |
114 SECItem *data); | |
115 static PRInt32 tls13_ClientSendKeyShareXtn(sslSocket *ss, PRBool append, | |
116 PRUint32 maxBytes); | |
117 static SECStatus tls13_ClientHandleKeyShareXtn(sslSocket *ss, | |
118 PRUint16 ex_type, | |
119 SECItem *data); | |
120 static SECStatus tls13_ServerHandleKeyShareXtn(sslSocket *ss, | |
121 PRUint16 ex_type, | |
122 SECItem *data); | |
123 | |
124 /* | |
125 * Write bytes. Using this function means the SECItem structure | |
126 * cannot be freed. The caller is expected to call this function | |
127 * on a shallow copy of the structure. | |
128 */ | |
129 static SECStatus | |
130 ssl3_AppendToItem(SECItem *item, const unsigned char *buf, PRUint32 bytes) | |
131 { | |
132 if (bytes > item->len) | |
133 return SECFailure; | |
134 | |
135 PORT_Memcpy(item->data, buf, bytes); | |
136 item->data += bytes; | |
137 item->len -= bytes; | |
138 return SECSuccess; | |
139 } | |
140 | |
141 /* | |
142 * Write a number in network byte order. Using this function means the | |
143 * SECItem structure cannot be freed. The caller is expected to call | |
144 * this function on a shallow copy of the structure. | |
145 */ | |
146 static SECStatus | |
147 ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, PRInt32 lenSize) | |
148 { | |
149 SECStatus rv; | |
150 PRUint8 b[4]; | |
151 PRUint8 *p = b; | |
152 | |
153 switch (lenSize) { | |
154 case 4: | |
155 *p++ = (PRUint8)(num >> 24); | |
156 case 3: | |
157 *p++ = (PRUint8)(num >> 16); | |
158 case 2: | |
159 *p++ = (PRUint8)(num >> 8); | |
160 case 1: | |
161 *p = (PRUint8)num; | |
162 } | |
163 rv = ssl3_AppendToItem(item, &b[0], lenSize); | |
164 return rv; | |
165 } | |
166 | |
167 static SECStatus | |
168 ssl3_SessionTicketShutdown(void *appData, void *nssData) | |
169 { | |
170 if (session_ticket_enc_key_pkcs11) { | |
171 PK11_FreeSymKey(session_ticket_enc_key_pkcs11); | |
172 session_ticket_enc_key_pkcs11 = NULL; | |
173 } | |
174 if (session_ticket_mac_key_pkcs11) { | |
175 PK11_FreeSymKey(session_ticket_mac_key_pkcs11); | |
176 session_ticket_mac_key_pkcs11 = NULL; | |
177 } | |
178 PORT_Memset(&generate_session_keys_once, 0, | |
179 sizeof(generate_session_keys_once)); | |
180 return SECSuccess; | |
181 } | |
182 | |
183 static PRStatus | |
184 ssl3_GenerateSessionTicketKeysPKCS11(void *data) | |
185 { | |
186 SECStatus rv; | |
187 sslSocket *ss = (sslSocket *)data; | |
188 SECKEYPrivateKey *svrPrivKey = ss->serverCerts[kt_rsa].SERVERKEY; | |
189 SECKEYPublicKey *svrPubKey = ss->serverCerts[kt_rsa].serverKeyPair->pubKey; | |
190 | |
191 if (svrPrivKey == NULL || svrPubKey == NULL) { | |
192 SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.", | |
193 SSL_GETPID(), ss->fd)); | |
194 goto loser; | |
195 } | |
196 | |
197 /* Get a copy of the session keys from shared memory. */ | |
198 PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX, | |
199 sizeof(SESS_TICKET_KEY_NAME_PREFIX)); | |
200 if (!ssl_GetSessionTicketKeysPKCS11(svrPrivKey, svrPubKey, | |
201 ss->pkcs11PinArg, &key_name[SESS_TICKET_
KEY_NAME_PREFIX_LEN], | |
202 &session_ticket_enc_key_pkcs11, &session
_ticket_mac_key_pkcs11)) | |
203 return PR_FAILURE; | |
204 | |
205 rv = NSS_RegisterShutdown(ssl3_SessionTicketShutdown, NULL); | |
206 if (rv != SECSuccess) | |
207 goto loser; | |
208 | |
209 return PR_SUCCESS; | |
210 | |
211 loser: | |
212 ssl3_SessionTicketShutdown(NULL, NULL); | |
213 return PR_FAILURE; | |
214 } | |
215 | |
216 static SECStatus | |
217 ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss, PK11SymKey **aes_key, | |
218 PK11SymKey **mac_key) | |
219 { | |
220 if (PR_CallOnceWithArg(&generate_session_keys_once, | |
221 ssl3_GenerateSessionTicketKeysPKCS11, ss) != | |
222 PR_SUCCESS) | |
223 return SECFailure; | |
224 | |
225 if (session_ticket_enc_key_pkcs11 == NULL || | |
226 session_ticket_mac_key_pkcs11 == NULL) | |
227 return SECFailure; | |
228 | |
229 *aes_key = session_ticket_enc_key_pkcs11; | |
230 *mac_key = session_ticket_mac_key_pkcs11; | |
231 return SECSuccess; | |
232 } | |
233 | |
234 #ifndef NO_PKCS11_BYPASS | |
235 static PRStatus | |
236 ssl3_GenerateSessionTicketKeys(void) | |
237 { | |
238 PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX, | |
239 sizeof(SESS_TICKET_KEY_NAME_PREFIX)); | |
240 | |
241 if (!ssl_GetSessionTicketKeys(&key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN], | |
242 session_ticket_enc_key, session_ticket_mac_key
)) | |
243 return PR_FAILURE; | |
244 | |
245 session_ticket_keys_initialized = PR_TRUE; | |
246 return PR_SUCCESS; | |
247 } | |
248 | |
249 static SECStatus | |
250 ssl3_GetSessionTicketKeys(const unsigned char **aes_key, | |
251 PRUint32 *aes_key_length, const unsigned char **mac_ke
y, | |
252 PRUint32 *mac_key_length) | |
253 { | |
254 if (PR_CallOnce(&generate_session_keys_once, | |
255 ssl3_GenerateSessionTicketKeys) != PR_SUCCESS) | |
256 return SECFailure; | |
257 | |
258 if (!session_ticket_keys_initialized) | |
259 return SECFailure; | |
260 | |
261 *aes_key = session_ticket_enc_key; | |
262 *aes_key_length = sizeof(session_ticket_enc_key); | |
263 *mac_key = session_ticket_mac_key; | |
264 *mac_key_length = sizeof(session_ticket_mac_key); | |
265 | |
266 return SECSuccess; | |
267 } | |
268 #endif | |
269 | |
270 /* Table of handlers for received TLS hello extensions, one per extension. | |
271 * In the second generation, this table will be dynamic, and functions | |
272 * will be registered here. | |
273 */ | |
274 /* This table is used by the server, to handle client hello extensions. */ | |
275 static const ssl3HelloExtensionHandler clientHelloHandlers[] = { | |
276 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, | |
277 #ifndef NSS_DISABLE_ECC | |
278 { ssl_elliptic_curves_xtn, &ssl3_HandleSupportedCurvesXtn }, | |
279 { ssl_ec_point_formats_xtn, &ssl3_HandleSupportedPointFormatsXtn }, | |
280 #endif | |
281 { ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn }, | |
282 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, | |
283 { ssl_next_proto_nego_xtn, &ssl3_ServerHandleNextProtoNegoXtn }, | |
284 { ssl_app_layer_protocol_xtn, &ssl3_ServerHandleAppProtoXtn }, | |
285 { ssl_use_srtp_xtn, &ssl3_ServerHandleUseSRTPXtn }, | |
286 { ssl_cert_status_xtn, &ssl3_ServerHandleStatusRequestXtn }, | |
287 { ssl_signature_algorithms_xtn, &ssl3_ServerHandleSigAlgsXtn }, | |
288 { ssl_tls13_draft_version_xtn, &ssl3_ServerHandleDraftVersionXtn }, | |
289 { ssl_extended_master_secret_xtn, &ssl3_HandleExtendedMasterSecretXtn }, | |
290 { ssl_signed_cert_timestamp_xtn, &ssl3_ServerHandleSignedCertTimestampXtn }, | |
291 { ssl_tls13_key_share_xtn, &tls13_ServerHandleKeyShareXtn }, | |
292 { -1, NULL } | |
293 }; | |
294 | |
295 /* These two tables are used by the client, to handle server hello | |
296 * extensions. */ | |
297 static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = { | |
298 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, | |
299 /* TODO: add a handler for ssl_ec_point_formats_xtn */ | |
300 { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn }, | |
301 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, | |
302 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, | |
303 { ssl_app_layer_protocol_xtn, &ssl3_ClientHandleAppProtoXtn }, | |
304 { ssl_use_srtp_xtn, &ssl3_ClientHandleUseSRTPXtn }, | |
305 { ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn }, | |
306 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, | |
307 { ssl_extended_master_secret_xtn, &ssl3_HandleExtendedMasterSecretXtn }, | |
308 { ssl_signed_cert_timestamp_xtn, &ssl3_ClientHandleSignedCertTimestampXtn }, | |
309 { ssl_tls13_key_share_xtn, &tls13_ClientHandleKeyShareXtn }, | |
310 { -1, NULL } | |
311 }; | |
312 | |
313 static const ssl3HelloExtensionHandler serverHelloHandlersSSL3[] = { | |
314 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, | |
315 { -1, NULL } | |
316 }; | |
317 | |
318 /* Tables of functions to format TLS hello extensions, one function per | |
319 * extension. | |
320 * These static tables are for the formatting of client hello extensions. | |
321 * The server's table of hello senders is dynamic, in the socket struct, | |
322 * and sender functions are registered there. | |
323 */ | |
324 static const ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS]
= | |
325 { | |
326 { ssl_server_name_xtn, &ssl3_SendServerNameXtn }, | |
327 { ssl_extended_master_secret_xtn, &ssl3_SendExtendedMasterSecretXtn }, | |
328 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn }, | |
329 #ifndef NSS_DISABLE_ECC | |
330 { ssl_elliptic_curves_xtn, &ssl3_SendSupportedCurvesXtn }, | |
331 { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn }, | |
332 #endif | |
333 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, | |
334 { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, | |
335 { ssl_app_layer_protocol_xtn, &ssl3_ClientSendAppProtoXtn }, | |
336 { ssl_use_srtp_xtn, &ssl3_ClientSendUseSRTPXtn }, | |
337 { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn }, | |
338 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, | |
339 { ssl_tls13_draft_version_xtn, &ssl3_ClientSendDraftVersionXtn }, | |
340 { ssl_signed_cert_timestamp_xtn, &ssl3_ClientSendSignedCertTimestampXtn }, | |
341 { ssl_tls13_key_share_xtn, &tls13_ClientSendKeyShareXtn }, | |
342 /* Some servers (e.g. WebSphere Application Server 7.0 and Tomcat) will | |
343 * time out or terminate the connection if the last extension in the | |
344 * client hello is empty. They are not intolerant of TLS 1.2, so list | |
345 * signature_algorithms at the end. See bug 1243641. */ | |
346 { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }, | |
347 /* any extra entries will appear as { 0, NULL } */ | |
348 }; | |
349 | |
350 static const ssl3HelloExtensionSender clientHelloSendersSSL3[SSL_MAX_EXTENSIONS]
= | |
351 { | |
352 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn } | |
353 /* any extra entries will appear as { 0, NULL } */ | |
354 }; | |
355 | |
356 static PRBool | |
357 arrayContainsExtension(const PRUint16 *array, PRUint32 len, PRUint16 ex_type) | |
358 { | |
359 unsigned int i; | |
360 for (i = 0; i < len; i++) { | |
361 if (ex_type == array[i]) | |
362 return PR_TRUE; | |
363 } | |
364 return PR_FALSE; | |
365 } | |
366 | |
367 PRBool | |
368 ssl3_ExtensionNegotiated(sslSocket *ss, PRUint16 ex_type) | |
369 { | |
370 TLSExtensionData *xtnData = &ss->xtnData; | |
371 return arrayContainsExtension(xtnData->negotiated, | |
372 xtnData->numNegotiated, ex_type); | |
373 } | |
374 | |
375 static PRBool | |
376 ssl3_ClientExtensionAdvertised(sslSocket *ss, PRUint16 ex_type) | |
377 { | |
378 TLSExtensionData *xtnData = &ss->xtnData; | |
379 return arrayContainsExtension(xtnData->advertised, | |
380 xtnData->numAdvertised, ex_type); | |
381 } | |
382 | |
383 /* Format an SNI extension, using the name from the socket's URL, | |
384 * unless that name is a dotted decimal string. | |
385 * Used by client and server. | |
386 */ | |
387 PRInt32 | |
388 ssl3_SendServerNameXtn(sslSocket *ss, PRBool append, | |
389 PRUint32 maxBytes) | |
390 { | |
391 SECStatus rv; | |
392 if (!ss) | |
393 return 0; | |
394 if (!ss->sec.isServer) { | |
395 PRUint32 len; | |
396 PRNetAddr netAddr; | |
397 | |
398 /* must have a hostname */ | |
399 if (!ss->url || !ss->url[0]) | |
400 return 0; | |
401 /* must not be an IPv4 or IPv6 address */ | |
402 if (PR_SUCCESS == PR_StringToNetAddr(ss->url, &netAddr)) { | |
403 /* is an IP address (v4 or v6) */ | |
404 return 0; | |
405 } | |
406 len = PORT_Strlen(ss->url); | |
407 if (append && maxBytes >= len + 9) { | |
408 /* extension_type */ | |
409 rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2); | |
410 if (rv != SECSuccess) | |
411 return -1; | |
412 /* length of extension_data */ | |
413 rv = ssl3_AppendHandshakeNumber(ss, len + 5, 2); | |
414 if (rv != SECSuccess) | |
415 return -1; | |
416 /* length of server_name_list */ | |
417 rv = ssl3_AppendHandshakeNumber(ss, len + 3, 2); | |
418 if (rv != SECSuccess) | |
419 return -1; | |
420 /* Name Type (sni_host_name) */ | |
421 rv = ssl3_AppendHandshake(ss, "\0", 1); | |
422 if (rv != SECSuccess) | |
423 return -1; | |
424 /* HostName (length and value) */ | |
425 rv = ssl3_AppendHandshakeVariable(ss, (PRUint8 *)ss->url, len, 2); | |
426 if (rv != SECSuccess) | |
427 return -1; | |
428 if (!ss->sec.isServer) { | |
429 TLSExtensionData *xtnData = &ss->xtnData; | |
430 xtnData->advertised[xtnData->numAdvertised++] = | |
431 ssl_server_name_xtn; | |
432 } | |
433 } | |
434 return len + 9; | |
435 } | |
436 /* Server side */ | |
437 if (append && maxBytes >= 4) { | |
438 rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2); | |
439 if (rv != SECSuccess) | |
440 return -1; | |
441 /* length of extension_data */ | |
442 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); | |
443 if (rv != SECSuccess) | |
444 return -1; | |
445 } | |
446 return 4; | |
447 } | |
448 | |
449 /* handle an incoming SNI extension, by ignoring it. */ | |
450 SECStatus | |
451 ssl3_HandleServerNameXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) | |
452 { | |
453 SECItem *names = NULL; | |
454 PRUint32 listCount = 0, namesPos = 0, i; | |
455 TLSExtensionData *xtnData = &ss->xtnData; | |
456 SECItem ldata; | |
457 PRInt32 listLenBytes = 0; | |
458 | |
459 if (!ss->sec.isServer) { | |
460 return SECSuccess; /* ignore extension */ | |
461 } | |
462 | |
463 /* Server side - consume client data and register server sender. */ | |
464 /* do not parse the data if don't have user extension handling function. */ | |
465 if (!ss->sniSocketConfig) { | |
466 return SECSuccess; | |
467 } | |
468 /* length of server_name_list */ | |
469 listLenBytes = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len); | |
470 if (listLenBytes < 0) { | |
471 return SECFailure; | |
472 } | |
473 if (listLenBytes == 0 || listLenBytes != data->len) { | |
474 (void)ssl3_DecodeError(ss); | |
475 return SECFailure; | |
476 } | |
477 ldata = *data; | |
478 /* Calculate the size of the array.*/ | |
479 while (listLenBytes > 0) { | |
480 SECItem litem; | |
481 SECStatus rv; | |
482 PRInt32 type; | |
483 /* Skip Name Type (sni_host_name); checks are on the second pass */ | |
484 type = ssl3_ConsumeHandshakeNumber(ss, 1, &ldata.data, &ldata.len); | |
485 if (type < 0) { /* i.e., SECFailure cast to PRint32 */ | |
486 return SECFailure; | |
487 } | |
488 rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 2, &ldata.data, &ldata.le
n); | |
489 if (rv != SECSuccess) { | |
490 return rv; | |
491 } | |
492 /* Adjust total length for consumed item, item len and type.*/ | |
493 listLenBytes -= litem.len + 3; | |
494 if (listLenBytes > 0 && !ldata.len) { | |
495 (void)ssl3_DecodeError(ss); | |
496 return SECFailure; | |
497 } | |
498 listCount += 1; | |
499 } | |
500 names = PORT_ZNewArray(SECItem, listCount); | |
501 if (!names) { | |
502 return SECFailure; | |
503 } | |
504 for (i = 0; i < listCount; i++) { | |
505 unsigned int j; | |
506 PRInt32 type; | |
507 SECStatus rv; | |
508 PRBool nametypePresent = PR_FALSE; | |
509 /* Name Type (sni_host_name) */ | |
510 type = ssl3_ConsumeHandshakeNumber(ss, 1, &data->data, &data->len); | |
511 /* Check if we have such type in the list */ | |
512 for (j = 0; j < listCount && names[j].data; j++) { | |
513 /* TODO bug 998524: .type is not assigned a value */ | |
514 if (names[j].type == type) { | |
515 nametypePresent = PR_TRUE; | |
516 break; | |
517 } | |
518 } | |
519 /* HostName (length and value) */ | |
520 rv = ssl3_ConsumeHandshakeVariable(ss, &names[namesPos], 2, | |
521 &data->data, &data->len); | |
522 if (rv != SECSuccess) { | |
523 PORT_Assert(0); | |
524 PORT_Free(names); | |
525 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | |
526 return rv; | |
527 } | |
528 if (nametypePresent == PR_FALSE) { | |
529 namesPos += 1; | |
530 } | |
531 } | |
532 /* Free old and set the new data. */ | |
533 if (xtnData->sniNameArr) { | |
534 PORT_Free(ss->xtnData.sniNameArr); | |
535 } | |
536 xtnData->sniNameArr = names; | |
537 xtnData->sniNameArrSize = namesPos; | |
538 xtnData->negotiated[xtnData->numNegotiated++] = ssl_server_name_xtn; | |
539 | |
540 return SECSuccess; | |
541 } | |
542 | |
543 /* Called by both clients and servers. | |
544 * Clients sends a filled in session ticket if one is available, and otherwise | |
545 * sends an empty ticket. Servers always send empty tickets. | |
546 */ | |
547 PRInt32 | |
548 ssl3_SendSessionTicketXtn( | |
549 sslSocket *ss, | |
550 PRBool append, | |
551 PRUint32 maxBytes) | |
552 { | |
553 PRInt32 extension_length; | |
554 NewSessionTicket *session_ticket = NULL; | |
555 sslSessionID *sid = ss->sec.ci.sid; | |
556 | |
557 /* Ignore the SessionTicket extension if processing is disabled. */ | |
558 if (!ss->opt.enableSessionTickets) | |
559 return 0; | |
560 | |
561 /* Empty extension length = extension_type (2-bytes) + | |
562 * length(extension_data) (2-bytes) | |
563 */ | |
564 extension_length = 4; | |
565 | |
566 /* If we are a client then send a session ticket if one is availble. | |
567 * Servers that support the extension and are willing to negotiate the | |
568 * the extension always respond with an empty extension. | |
569 */ | |
570 if (!ss->sec.isServer) { | |
571 /* The caller must be holding sid->u.ssl3.lock for reading. We cannot | |
572 * just acquire and release the lock within this function because the | |
573 * caller will call this function twice, and we need the inputs to be | |
574 * consistent between the two calls. Note that currently the caller | |
575 * will only be holding the lock when we are the client and when we're | |
576 * attempting to resume an existing session. | |
577 */ | |
578 | |
579 session_ticket = &sid->u.ssl3.locked.sessionTicket; | |
580 if (session_ticket->ticket.data) { | |
581 if (ss->xtnData.ticketTimestampVerified) { | |
582 extension_length += session_ticket->ticket.len; | |
583 } else if (!append && | |
584 (session_ticket->ticket_lifetime_hint == 0 || | |
585 (session_ticket->ticket_lifetime_hint + | |
586 session_ticket->received_timestamp > | |
587 ssl_Time()))) { | |
588 extension_length += session_ticket->ticket.len; | |
589 ss->xtnData.ticketTimestampVerified = PR_TRUE; | |
590 } | |
591 } | |
592 } | |
593 | |
594 if (maxBytes < (PRUint32)extension_length) { | |
595 PORT_Assert(0); | |
596 return 0; | |
597 } | |
598 if (append) { | |
599 SECStatus rv; | |
600 /* extension_type */ | |
601 rv = ssl3_AppendHandshakeNumber(ss, ssl_session_ticket_xtn, 2); | |
602 if (rv != SECSuccess) | |
603 goto loser; | |
604 if (session_ticket && session_ticket->ticket.data && | |
605 ss->xtnData.ticketTimestampVerified) { | |
606 rv = ssl3_AppendHandshakeVariable(ss, session_ticket->ticket.data, | |
607 session_ticket->ticket.len, 2); | |
608 ss->xtnData.ticketTimestampVerified = PR_FALSE; | |
609 ss->xtnData.sentSessionTicketInClientHello = PR_TRUE; | |
610 } else { | |
611 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); | |
612 } | |
613 if (rv != SECSuccess) | |
614 goto loser; | |
615 | |
616 if (!ss->sec.isServer) { | |
617 TLSExtensionData *xtnData = &ss->xtnData; | |
618 xtnData->advertised[xtnData->numAdvertised++] = | |
619 ssl_session_ticket_xtn; | |
620 } | |
621 } | |
622 return extension_length; | |
623 | |
624 loser: | |
625 ss->xtnData.ticketTimestampVerified = PR_FALSE; | |
626 return -1; | |
627 } | |
628 | |
629 /* handle an incoming Next Protocol Negotiation extension. */ | |
630 static SECStatus | |
631 ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type, | |
632 SECItem *data) | |
633 { | |
634 if (ss->firstHsDone || data->len != 0) { | |
635 /* Clients MUST send an empty NPN extension, if any. */ | |
636 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); | |
637 return SECFailure; | |
638 } | |
639 | |
640 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | |
641 | |
642 /* TODO: server side NPN support would require calling | |
643 * ssl3_RegisterServerHelloExtensionSender here in order to echo the | |
644 * extension back to the client. */ | |
645 | |
646 return SECSuccess; | |
647 } | |
648 | |
649 /* ssl3_ValidateNextProtoNego checks that the given block of data is valid: none | |
650 * of the lengths may be 0 and the sum of the lengths must equal the length of | |
651 * the block. */ | |
652 SECStatus | |
653 ssl3_ValidateNextProtoNego(const unsigned char *data, unsigned int length) | |
654 { | |
655 unsigned int offset = 0; | |
656 | |
657 while (offset < length) { | |
658 unsigned int newOffset = offset + 1 + (unsigned int)data[offset]; | |
659 /* Reject embedded nulls to protect against buggy applications that | |
660 * store protocol identifiers in null-terminated strings. | |
661 */ | |
662 if (newOffset > length || data[offset] == 0) { | |
663 return SECFailure; | |
664 } | |
665 offset = newOffset; | |
666 } | |
667 | |
668 return SECSuccess; | |
669 } | |
670 | |
671 /* protocol selection handler for ALPN (server side) and NPN (client side) */ | |
672 static SECStatus | |
673 ssl3_SelectAppProtocol(sslSocket *ss, PRUint16 ex_type, SECItem *data) | |
674 { | |
675 SECStatus rv; | |
676 unsigned char resultBuffer[255]; | |
677 SECItem result = { siBuffer, resultBuffer, 0 }; | |
678 | |
679 rv = ssl3_ValidateNextProtoNego(data->data, data->len); | |
680 if (rv != SECSuccess) { | |
681 (void)SSL3_SendAlert(ss, alert_fatal, decode_error); | |
682 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); | |
683 return rv; | |
684 } | |
685 | |
686 PORT_Assert(ss->nextProtoCallback); | |
687 /* For ALPN, the cipher suite isn't selected yet. Note that extensions | |
688 * sometimes affect what cipher suite is selected, e.g., for ECC. */ | |
689 PORT_Assert((ss->ssl3.hs.preliminaryInfo & | |
690 ssl_preinfo_all & ~ssl_preinfo_cipher_suite) == | |
691 (ssl_preinfo_all & ~ssl_preinfo_cipher_suite)); | |
692 rv = ss->nextProtoCallback(ss->nextProtoArg, ss->fd, data->data, data->len, | |
693 result.data, &result.len, sizeof(resultBuffer)); | |
694 if (rv != SECSuccess) { | |
695 /* Expect callback to call PORT_SetError() */ | |
696 (void)SSL3_SendAlert(ss, alert_fatal, internal_error); | |
697 return SECFailure; | |
698 } | |
699 | |
700 /* If the callback wrote more than allowed to |result| it has corrupted our | |
701 * stack. */ | |
702 if (result.len > sizeof(resultBuffer)) { | |
703 PORT_SetError(SEC_ERROR_OUTPUT_LEN); | |
704 /* TODO: crash */ | |
705 return SECFailure; | |
706 } | |
707 | |
708 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); | |
709 | |
710 if (ex_type == ssl_app_layer_protocol_xtn && | |
711 ss->ssl3.nextProtoState != SSL_NEXT_PROTO_NEGOTIATED) { | |
712 /* The callback might say OK, but then it picks a default value - one | |
713 * that was not listed. That's OK for NPN, but not ALPN. */ | |
714 (void)SSL3_SendAlert(ss, alert_fatal, no_application_protocol); | |
715 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL); | |
716 return SECFailure; | |
717 } | |
718 | |
719 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | |
720 return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &result); | |
721 } | |
722 | |
723 /* handle an incoming ALPN extension at the server */ | |
724 static SECStatus | |
725 ssl3_ServerHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) | |
726 { | |
727 int count; | |
728 SECStatus rv; | |
729 | |
730 /* We expressly don't want to allow ALPN on renegotiation, | |
731 * despite it being permitted by the spec. */ | |
732 if (ss->firstHsDone || data->len == 0) { | |
733 /* Clients MUST send a non-empty ALPN extension. */ | |
734 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); | |
735 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); | |
736 return SECFailure; | |
737 } | |
738 | |
739 /* Unlike NPN, ALPN has extra redundant length information so that | |
740 * the extension is the same in both ClientHello and ServerHello. */ | |
741 count = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len); | |
742 if (count != data->len) { | |
743 (void)ssl3_DecodeError(ss); | |
744 return SECFailure; | |
745 } | |
746 | |
747 if (!ss->nextProtoCallback) { | |
748 /* we're not configured for it */ | |
749 return SECSuccess; | |
750 } | |
751 | |
752 rv = ssl3_SelectAppProtocol(ss, ex_type, data); | |
753 if (rv != SECSuccess) { | |
754 return rv; | |
755 } | |
756 | |
757 /* prepare to send back a response, if we negotiated */ | |
758 if (ss->ssl3.nextProtoState == SSL_NEXT_PROTO_NEGOTIATED) { | |
759 rv = ssl3_RegisterServerHelloExtensionSender( | |
760 ss, ex_type, ssl3_ServerSendAppProtoXtn); | |
761 if (rv != SECSuccess) { | |
762 (void)SSL3_SendAlert(ss, alert_fatal, internal_error); | |
763 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | |
764 return rv; | |
765 } | |
766 } | |
767 return SECSuccess; | |
768 } | |
769 | |
770 static SECStatus | |
771 ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type, | |
772 SECItem *data) | |
773 { | |
774 PORT_Assert(!ss->firstHsDone); | |
775 | |
776 if (ssl3_ExtensionNegotiated(ss, ssl_app_layer_protocol_xtn)) { | |
777 /* If the server negotiated ALPN then it has already told us what | |
778 * protocol to use, so it doesn't make sense for us to try to negotiate | |
779 * a different one by sending the NPN handshake message. However, if | |
780 * we've negotiated NPN then we're required to send the NPN handshake | |
781 * message. Thus, these two extensions cannot both be negotiated on the | |
782 * same connection. */ | |
783 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); | |
784 PORT_SetError(SSL_ERROR_BAD_SERVER); | |
785 return SECFailure; | |
786 } | |
787 | |
788 /* We should only get this call if we sent the extension, so | |
789 * ss->nextProtoCallback needs to be non-NULL. However, it is possible | |
790 * that an application erroneously cleared the callback between the time | |
791 * we sent the ClientHello and now. */ | |
792 if (!ss->nextProtoCallback) { | |
793 PORT_Assert(0); | |
794 (void)SSL3_SendAlert(ss, alert_fatal, internal_error); | |
795 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK); | |
796 return SECFailure; | |
797 } | |
798 | |
799 return ssl3_SelectAppProtocol(ss, ex_type, data); | |
800 } | |
801 | |
802 static SECStatus | |
803 ssl3_ClientHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) | |
804 { | |
805 SECStatus rv; | |
806 PRInt32 list_len; | |
807 SECItem protocol_name; | |
808 | |
809 if (ssl3_ExtensionNegotiated(ss, ssl_next_proto_nego_xtn)) { | |
810 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | |
811 return SECFailure; | |
812 } | |
813 | |
814 /* The extension data from the server has the following format: | |
815 * uint16 name_list_len; | |
816 * uint8 len; // where len >= 1 | |
817 * uint8 protocol_name[len]; */ | |
818 if (data->len < 4 || data->len > 2 + 1 + 255) { | |
819 (void)SSL3_SendAlert(ss, alert_fatal, decode_error); | |
820 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); | |
821 return SECFailure; | |
822 } | |
823 | |
824 list_len = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len); | |
825 /* The list has to be the entire extension. */ | |
826 if (list_len != data->len) { | |
827 (void)SSL3_SendAlert(ss, alert_fatal, decode_error); | |
828 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); | |
829 return SECFailure; | |
830 } | |
831 | |
832 rv = ssl3_ConsumeHandshakeVariable(ss, &protocol_name, 1, | |
833 &data->data, &data->len); | |
834 /* The list must have exactly one value. */ | |
835 if (rv != SECSuccess || data->len != 0) { | |
836 (void)SSL3_SendAlert(ss, alert_fatal, decode_error); | |
837 PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); | |
838 return SECFailure; | |
839 } | |
840 | |
841 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); | |
842 ss->ssl3.nextProtoState = SSL_NEXT_PROTO_SELECTED; | |
843 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | |
844 return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &protocol_name); | |
845 } | |
846 | |
847 static PRInt32 | |
848 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append, | |
849 PRUint32 maxBytes) | |
850 { | |
851 PRInt32 extension_length; | |
852 | |
853 /* Renegotiations do not send this extension. */ | |
854 if (!ss->opt.enableNPN || !ss->nextProtoCallback || ss->firstHsDone) { | |
855 return 0; | |
856 } | |
857 | |
858 extension_length = 4; | |
859 | |
860 if (maxBytes < (PRUint32)extension_length) { | |
861 return 0; | |
862 } | |
863 if (append) { | |
864 SECStatus rv; | |
865 rv = ssl3_AppendHandshakeNumber(ss, ssl_next_proto_nego_xtn, 2); | |
866 if (rv != SECSuccess) | |
867 goto loser; | |
868 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); | |
869 if (rv != SECSuccess) | |
870 goto loser; | |
871 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | |
872 ssl_next_proto_nego_xtn; | |
873 } | |
874 | |
875 return extension_length; | |
876 | |
877 loser: | |
878 return -1; | |
879 } | |
880 | |
881 static PRInt32 | |
882 ssl3_ClientSendAppProtoXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes) | |
883 { | |
884 PRInt32 extension_length; | |
885 unsigned char *alpn_protos = NULL; | |
886 | |
887 /* Renegotiations do not send this extension. */ | |
888 if (!ss->opt.enableALPN || !ss->opt.nextProtoNego.data || ss->firstHsDone) { | |
889 return 0; | |
890 } | |
891 | |
892 extension_length = 2 /* extension type */ + 2 /* extension length */ + | |
893 2 /* protocol name list length */ + | |
894 ss->opt.nextProtoNego.len; | |
895 | |
896 if (maxBytes < (PRUint32)extension_length) { | |
897 return 0; | |
898 } | |
899 if (append) { | |
900 /* NPN requires that the client's fallback protocol is first in the | |
901 * list. However, ALPN sends protocols in preference order. So we | |
902 * allocate a buffer and move the first protocol to the end of the | |
903 * list. */ | |
904 SECStatus rv; | |
905 const unsigned int len = ss->opt.nextProtoNego.len; | |
906 | |
907 alpn_protos = PORT_Alloc(len); | |
908 if (alpn_protos == NULL) { | |
909 return SECFailure; | |
910 } | |
911 if (len > 0) { | |
912 /* Each protocol string is prefixed with a single byte length. */ | |
913 unsigned int i = ss->opt.nextProtoNego.data[0] + 1; | |
914 if (i <= len) { | |
915 memcpy(alpn_protos, &ss->opt.nextProtoNego.data[i], len - i); | |
916 memcpy(alpn_protos + len - i, ss->opt.nextProtoNego.data, i); | |
917 } else { | |
918 /* This seems to be invalid data so we'll send as-is. */ | |
919 memcpy(alpn_protos, ss->opt.nextProtoNego.data, len); | |
920 } | |
921 } | |
922 | |
923 rv = ssl3_AppendHandshakeNumber(ss, ssl_app_layer_protocol_xtn, 2); | |
924 if (rv != SECSuccess) { | |
925 goto loser; | |
926 } | |
927 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); | |
928 if (rv != SECSuccess) { | |
929 goto loser; | |
930 } | |
931 rv = ssl3_AppendHandshakeVariable(ss, alpn_protos, len, 2); | |
932 PORT_Free(alpn_protos); | |
933 alpn_protos = NULL; | |
934 if (rv != SECSuccess) { | |
935 goto loser; | |
936 } | |
937 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | |
938 ssl_app_layer_protocol_xtn; | |
939 } | |
940 | |
941 return extension_length; | |
942 | |
943 loser: | |
944 if (alpn_protos) { | |
945 PORT_Free(alpn_protos); | |
946 } | |
947 return -1; | |
948 } | |
949 | |
950 static PRInt32 | |
951 ssl3_ServerSendAppProtoXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes) | |
952 { | |
953 PRInt32 extension_length; | |
954 | |
955 /* we're in over our heads if any of these fail */ | |
956 PORT_Assert(ss->opt.enableALPN); | |
957 PORT_Assert(ss->ssl3.nextProto.data); | |
958 PORT_Assert(ss->ssl3.nextProto.len > 0); | |
959 PORT_Assert(ss->ssl3.nextProtoState == SSL_NEXT_PROTO_NEGOTIATED); | |
960 PORT_Assert(!ss->firstHsDone); | |
961 | |
962 extension_length = 2 /* extension type */ + 2 /* extension length */ + | |
963 2 /* protocol name list */ + 1 /* name length */ + | |
964 ss->ssl3.nextProto.len; | |
965 | |
966 if (maxBytes < (PRUint32)extension_length) { | |
967 return 0; | |
968 } | |
969 if (append) { | |
970 SECStatus rv; | |
971 rv = ssl3_AppendHandshakeNumber(ss, ssl_app_layer_protocol_xtn, 2); | |
972 if (rv != SECSuccess) { | |
973 return -1; | |
974 } | |
975 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); | |
976 if (rv != SECSuccess) { | |
977 return -1; | |
978 } | |
979 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.nextProto.len + 1, 2); | |
980 if (rv != SECSuccess) { | |
981 return -1; | |
982 } | |
983 rv = ssl3_AppendHandshakeVariable(ss, ss->ssl3.nextProto.data, | |
984 ss->ssl3.nextProto.len, 1); | |
985 if (rv != SECSuccess) { | |
986 return -1; | |
987 } | |
988 } | |
989 | |
990 return extension_length; | |
991 } | |
992 | |
993 static SECStatus | |
994 ssl3_ClientHandleChannelIDXtn(sslSocket *ss, PRUint16 ex_type, | |
995 SECItem *data) | |
996 { | |
997 PORT_Assert(ss->getChannelID != NULL); | |
998 | |
999 if (data->len) { | |
1000 PORT_SetError(SSL_ERROR_BAD_CHANNEL_ID_DATA); | |
1001 return SECFailure; | |
1002 } | |
1003 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | |
1004 return SECSuccess; | |
1005 } | |
1006 | |
1007 static PRInt32 | |
1008 ssl3_ClientSendChannelIDXtn(sslSocket *ss, PRBool append, | |
1009 PRUint32 maxBytes) | |
1010 { | |
1011 PRInt32 extension_length = 4; | |
1012 | |
1013 if (!ss->getChannelID) | |
1014 return 0; | |
1015 | |
1016 if (maxBytes < extension_length) { | |
1017 PORT_Assert(0); | |
1018 return 0; | |
1019 } | |
1020 | |
1021 if (ss->sec.ci.sid->cached != never_cached && | |
1022 ss->sec.ci.sid->u.ssl3.originalHandshakeHash.len == 0) { | |
1023 /* We can't do ChannelID on a connection if we're resuming and didn't | |
1024 * do ChannelID on the original connection: without ChannelID on the | |
1025 * original connection we didn't record the handshake hashes needed for | |
1026 * the signature. */ | |
1027 return 0; | |
1028 } | |
1029 | |
1030 if (append) { | |
1031 SECStatus rv; | |
1032 rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2); | |
1033 if (rv != SECSuccess) | |
1034 goto loser; | |
1035 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); | |
1036 if (rv != SECSuccess) | |
1037 goto loser; | |
1038 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | |
1039 ssl_channel_id_xtn; | |
1040 } | |
1041 | |
1042 return extension_length; | |
1043 | |
1044 loser: | |
1045 return -1; | |
1046 } | |
1047 | |
1048 static SECStatus | |
1049 ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type, | |
1050 SECItem *data) | |
1051 { | |
1052 /* The echoed extension must be empty. */ | |
1053 if (data->len != 0) { | |
1054 return SECSuccess; /* Ignore the extension. */ | |
1055 } | |
1056 | |
1057 /* Keep track of negotiated extensions. */ | |
1058 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | |
1059 | |
1060 return SECSuccess; | |
1061 } | |
1062 | |
1063 static PRInt32 | |
1064 ssl3_ServerSendStatusRequestXtn( | |
1065 sslSocket *ss, | |
1066 PRBool append, | |
1067 PRUint32 maxBytes) | |
1068 { | |
1069 PRInt32 extension_length; | |
1070 SSLKEAType effectiveExchKeyType; | |
1071 SECStatus rv; | |
1072 | |
1073 /* ssl3_SendCertificateStatus (which sents the certificate status data) | |
1074 * uses the exact same logic to select the server certificate | |
1075 * and determine if we have the status for that certificate. */ | |
1076 | |
1077 if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa || | |
1078 ss->ssl3.hs.kea_def->kea == kea_dhe_rsa) { | |
1079 effectiveExchKeyType = ssl_kea_rsa; | |
1080 } else { | |
1081 effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType; | |
1082 } | |
1083 | |
1084 if (!ss->certStatusArray[effectiveExchKeyType] || | |
1085 !ss->certStatusArray[effectiveExchKeyType]->len) { | |
1086 return 0; | |
1087 } | |
1088 | |
1089 extension_length = 2 + 2; | |
1090 if (maxBytes < (PRUint32)extension_length) { | |
1091 return 0; | |
1092 } | |
1093 if (append) { | |
1094 /* extension_type */ | |
1095 rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2); | |
1096 if (rv != SECSuccess) | |
1097 return -1; | |
1098 /* length of extension_data */ | |
1099 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); | |
1100 if (rv != SECSuccess) | |
1101 return -1; | |
1102 /* The certificate status data is sent in ssl3_SendCertificateStatus. */ | |
1103 } | |
1104 | |
1105 return extension_length; | |
1106 } | |
1107 | |
1108 /* ssl3_ClientSendStatusRequestXtn builds the status_request extension on the | |
1109 * client side. See RFC 4366 section 3.6. */ | |
1110 static PRInt32 | |
1111 ssl3_ClientSendStatusRequestXtn(sslSocket *ss, PRBool append, | |
1112 PRUint32 maxBytes) | |
1113 { | |
1114 PRInt32 extension_length; | |
1115 | |
1116 if (!ss->opt.enableOCSPStapling) | |
1117 return 0; | |
1118 | |
1119 /* extension_type (2-bytes) + | |
1120 * length(extension_data) (2-bytes) + | |
1121 * status_type (1) + | |
1122 * responder_id_list length (2) + | |
1123 * request_extensions length (2) | |
1124 */ | |
1125 extension_length = 9; | |
1126 | |
1127 if (maxBytes < (PRUint32)extension_length) { | |
1128 PORT_Assert(0); | |
1129 return 0; | |
1130 } | |
1131 if (append) { | |
1132 SECStatus rv; | |
1133 TLSExtensionData *xtnData; | |
1134 | |
1135 /* extension_type */ | |
1136 rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2); | |
1137 if (rv != SECSuccess) | |
1138 return -1; | |
1139 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); | |
1140 if (rv != SECSuccess) | |
1141 return -1; | |
1142 rv = ssl3_AppendHandshakeNumber(ss, 1 /* status_type ocsp */, 1); | |
1143 if (rv != SECSuccess) | |
1144 return -1; | |
1145 /* A zero length responder_id_list means that the responders are | |
1146 * implicitly known to the server. */ | |
1147 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); | |
1148 if (rv != SECSuccess) | |
1149 return -1; | |
1150 /* A zero length request_extensions means that there are no extensions. | |
1151 * Specifically, we don't set the id-pkix-ocsp-nonce extension. This | |
1152 * means that the server can replay a cached OCSP response to us. */ | |
1153 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); | |
1154 if (rv != SECSuccess) | |
1155 return -1; | |
1156 | |
1157 xtnData = &ss->xtnData; | |
1158 xtnData->advertised[xtnData->numAdvertised++] = ssl_cert_status_xtn; | |
1159 } | |
1160 return extension_length; | |
1161 } | |
1162 | |
1163 /* | |
1164 * NewSessionTicket | |
1165 * Called from ssl3_HandleFinished | |
1166 */ | |
1167 SECStatus | |
1168 ssl3_SendNewSessionTicket(sslSocket *ss) | |
1169 { | |
1170 PRUint32 i; | |
1171 SECStatus rv; | |
1172 NewSessionTicket ticket; | |
1173 SECItem plaintext; | |
1174 SECItem plaintext_item = { 0, NULL, 0 }; | |
1175 SECItem ciphertext = { 0, NULL, 0 }; | |
1176 PRUint32 ciphertext_length; | |
1177 PRBool ms_is_wrapped; | |
1178 unsigned char wrapped_ms[SSL3_MASTER_SECRET_LENGTH]; | |
1179 SECItem ms_item = { 0, NULL, 0 }; | |
1180 SSL3KEAType effectiveExchKeyType = ssl_kea_null; | |
1181 PRUint32 padding_length; | |
1182 PRUint32 message_length; | |
1183 PRUint32 cert_length = 0; | |
1184 PRUint8 length_buf[4]; | |
1185 PRUint32 now; | |
1186 PK11SymKey *aes_key_pkcs11; | |
1187 PK11SymKey *mac_key_pkcs11; | |
1188 #ifndef NO_PKCS11_BYPASS | |
1189 const unsigned char *aes_key; | |
1190 const unsigned char *mac_key; | |
1191 PRUint32 aes_key_length; | |
1192 PRUint32 mac_key_length; | |
1193 PRUint64 aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS]; | |
1194 AESContext *aes_ctx; | |
1195 const SECHashObject *hashObj = NULL; | |
1196 PRUint64 hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS]; | |
1197 HMACContext *hmac_ctx; | |
1198 #endif | |
1199 CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC; | |
1200 PK11Context *aes_ctx_pkcs11; | |
1201 CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC; | |
1202 PK11Context *hmac_ctx_pkcs11 = NULL; | |
1203 unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH]; | |
1204 unsigned int computed_mac_length; | |
1205 unsigned char iv[AES_BLOCK_SIZE]; | |
1206 SECItem ivItem; | |
1207 SECItem *srvName = NULL; | |
1208 PRUint32 srvNameLen = 0; | |
1209 CK_MECHANISM_TYPE msWrapMech = 0; /* dummy default value, | |
1210 * must be >= 0 */ | |
1211 | |
1212 SSL_TRC(3, ("%d: SSL3[%d]: send session_ticket handshake", | |
1213 SSL_GETPID(), ss->fd)); | |
1214 | |
1215 PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); | |
1216 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | |
1217 | |
1218 ticket.ticket_lifetime_hint = TLS_EX_SESS_TICKET_LIFETIME_HINT; | |
1219 if (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) { | |
1220 cert_length = 3 + ss->sec.ci.sid->peerCert->derCert.len; | |
1221 } | |
1222 | |
1223 /* Get IV and encryption keys */ | |
1224 ivItem.data = iv; | |
1225 ivItem.len = sizeof(iv); | |
1226 rv = PK11_GenerateRandom(iv, sizeof(iv)); | |
1227 if (rv != SECSuccess) | |
1228 goto loser; | |
1229 | |
1230 #ifndef NO_PKCS11_BYPASS | |
1231 if (ss->opt.bypassPKCS11) { | |
1232 rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length, | |
1233 &mac_key, &mac_key_length); | |
1234 } else | |
1235 #endif | |
1236 { | |
1237 rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11, | |
1238 &mac_key_pkcs11); | |
1239 } | |
1240 if (rv != SECSuccess) | |
1241 goto loser; | |
1242 | |
1243 if (ss->ssl3.pwSpec->msItem.len && ss->ssl3.pwSpec->msItem.data) { | |
1244 /* The master secret is available unwrapped. */ | |
1245 ms_item.data = ss->ssl3.pwSpec->msItem.data; | |
1246 ms_item.len = ss->ssl3.pwSpec->msItem.len; | |
1247 ms_is_wrapped = PR_FALSE; | |
1248 } else { | |
1249 /* Extract the master secret wrapped. */ | |
1250 sslSessionID sid; | |
1251 PORT_Memset(&sid, 0, sizeof(sslSessionID)); | |
1252 | |
1253 if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa || | |
1254 ss->ssl3.hs.kea_def->kea == kea_dhe_rsa) { | |
1255 effectiveExchKeyType = kt_rsa; | |
1256 } else { | |
1257 effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType; | |
1258 } | |
1259 | |
1260 rv = ssl3_CacheWrappedMasterSecret(ss, &sid, ss->ssl3.pwSpec, | |
1261 effectiveExchKeyType); | |
1262 if (rv == SECSuccess) { | |
1263 if (sid.u.ssl3.keys.wrapped_master_secret_len > sizeof(wrapped_ms)) | |
1264 goto loser; | |
1265 memcpy(wrapped_ms, sid.u.ssl3.keys.wrapped_master_secret, | |
1266 sid.u.ssl3.keys.wrapped_master_secret_len); | |
1267 ms_item.data = wrapped_ms; | |
1268 ms_item.len = sid.u.ssl3.keys.wrapped_master_secret_len; | |
1269 msWrapMech = sid.u.ssl3.masterWrapMech; | |
1270 } else { | |
1271 /* TODO: else send an empty ticket. */ | |
1272 goto loser; | |
1273 } | |
1274 ms_is_wrapped = PR_TRUE; | |
1275 } | |
1276 /* Prep to send negotiated name */ | |
1277 srvName = &ss->ssl3.pwSpec->srvVirtName; | |
1278 if (srvName->data && srvName->len) { | |
1279 srvNameLen = 2 + srvName->len; /* len bytes + name len */ | |
1280 } | |
1281 | |
1282 ciphertext_length = | |
1283 sizeof(PRUint16) /* ticket_version */ | |
1284 + sizeof(SSL3ProtocolVersion) /* ssl_version */ | |
1285 + sizeof(ssl3CipherSuite) /* ciphersuite */ | |
1286 + 1 /* compression */ | |
1287 + 10 /* cipher spec parameters */ | |
1288 + 1 /* SessionTicket.ms_is_wrapped */ | |
1289 + 1 /* effectiveExchKeyType */ | |
1290 + 4 /* msWrapMech */ | |
1291 + 2 /* master_secret.length */ | |
1292 + ms_item.len /* master_secret */ | |
1293 + 1 /* client_auth_type */ | |
1294 + cert_length /* cert */ | |
1295 + 1 /* server name type */ | |
1296 + srvNameLen /* name len + length field */ | |
1297 + 1 /* extendedMasterSecretUsed */ | |
1298 + sizeof(ticket.ticket_lifetime_hint); | |
1299 padding_length = AES_BLOCK_SIZE - | |
1300 (ciphertext_length % | |
1301 AES_BLOCK_SIZE); | |
1302 ciphertext_length += padding_length; | |
1303 | |
1304 message_length = | |
1305 sizeof(ticket.ticket_lifetime_hint) /* ticket_lifetime_hint */ | |
1306 + 2 /* length field for NewSessionTicket
.ticket */ | |
1307 + SESS_TICKET_KEY_NAME_LEN /* key_name */ | |
1308 + AES_BLOCK_SIZE /* iv */ | |
1309 + 2 /* length field for NewSessionTicket
.ticket.encrypted_state */ | |
1310 + ciphertext_length /* encrypted_state */ | |
1311 + TLS_EX_SESS_TICKET_MAC_LENGTH; /* mac */ | |
1312 | |
1313 if (SECITEM_AllocItem(NULL, &plaintext_item, ciphertext_length) == NULL) | |
1314 goto loser; | |
1315 | |
1316 plaintext = plaintext_item; | |
1317 | |
1318 /* ticket_version */ | |
1319 rv = ssl3_AppendNumberToItem(&plaintext, TLS_EX_SESS_TICKET_VERSION, | |
1320 sizeof(PRUint16)); | |
1321 if (rv != SECSuccess) | |
1322 goto loser; | |
1323 | |
1324 /* ssl_version */ | |
1325 rv = ssl3_AppendNumberToItem(&plaintext, ss->version, | |
1326 sizeof(SSL3ProtocolVersion)); | |
1327 if (rv != SECSuccess) | |
1328 goto loser; | |
1329 | |
1330 /* ciphersuite */ | |
1331 rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.cipher_suite, | |
1332 sizeof(ssl3CipherSuite)); | |
1333 if (rv != SECSuccess) | |
1334 goto loser; | |
1335 | |
1336 /* compression */ | |
1337 rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.compression, 1); | |
1338 if (rv != SECSuccess) | |
1339 goto loser; | |
1340 | |
1341 /* cipher spec parameters */ | |
1342 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authAlgorithm, 1); | |
1343 if (rv != SECSuccess) | |
1344 goto loser; | |
1345 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authKeyBits, 4); | |
1346 if (rv != SECSuccess) | |
1347 goto loser; | |
1348 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaType, 1); | |
1349 if (rv != SECSuccess) | |
1350 goto loser; | |
1351 rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaKeyBits, 4); | |
1352 if (rv != SECSuccess) | |
1353 goto loser; | |
1354 | |
1355 /* master_secret */ | |
1356 rv = ssl3_AppendNumberToItem(&plaintext, ms_is_wrapped, 1); | |
1357 if (rv != SECSuccess) | |
1358 goto loser; | |
1359 rv = ssl3_AppendNumberToItem(&plaintext, effectiveExchKeyType, 1); | |
1360 if (rv != SECSuccess) | |
1361 goto loser; | |
1362 rv = ssl3_AppendNumberToItem(&plaintext, msWrapMech, 4); | |
1363 if (rv != SECSuccess) | |
1364 goto loser; | |
1365 rv = ssl3_AppendNumberToItem(&plaintext, ms_item.len, 2); | |
1366 if (rv != SECSuccess) | |
1367 goto loser; | |
1368 rv = ssl3_AppendToItem(&plaintext, ms_item.data, ms_item.len); | |
1369 if (rv != SECSuccess) | |
1370 goto loser; | |
1371 | |
1372 /* client_identity */ | |
1373 if (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) { | |
1374 rv = ssl3_AppendNumberToItem(&plaintext, CLIENT_AUTH_CERTIFICATE, 1); | |
1375 if (rv != SECSuccess) | |
1376 goto loser; | |
1377 rv = ssl3_AppendNumberToItem(&plaintext, | |
1378 ss->sec.ci.sid->peerCert->derCert.len, 3); | |
1379 if (rv != SECSuccess) | |
1380 goto loser; | |
1381 rv = ssl3_AppendToItem(&plaintext, | |
1382 ss->sec.ci.sid->peerCert->derCert.data, | |
1383 ss->sec.ci.sid->peerCert->derCert.len); | |
1384 if (rv != SECSuccess) | |
1385 goto loser; | |
1386 } else { | |
1387 rv = ssl3_AppendNumberToItem(&plaintext, 0, 1); | |
1388 if (rv != SECSuccess) | |
1389 goto loser; | |
1390 } | |
1391 | |
1392 /* timestamp */ | |
1393 now = ssl_Time(); | |
1394 rv = ssl3_AppendNumberToItem(&plaintext, now, | |
1395 sizeof(ticket.ticket_lifetime_hint)); | |
1396 if (rv != SECSuccess) | |
1397 goto loser; | |
1398 | |
1399 if (srvNameLen) { | |
1400 /* Name Type (sni_host_name) */ | |
1401 rv = ssl3_AppendNumberToItem(&plaintext, srvName->type, 1); | |
1402 if (rv != SECSuccess) | |
1403 goto loser; | |
1404 /* HostName (length and value) */ | |
1405 rv = ssl3_AppendNumberToItem(&plaintext, srvName->len, 2); | |
1406 if (rv != SECSuccess) | |
1407 goto loser; | |
1408 rv = ssl3_AppendToItem(&plaintext, srvName->data, srvName->len); | |
1409 if (rv != SECSuccess) | |
1410 goto loser; | |
1411 } else { | |
1412 /* No Name */ | |
1413 rv = ssl3_AppendNumberToItem(&plaintext, (char)TLS_STE_NO_SERVER_NAME, 1
); | |
1414 if (rv != SECSuccess) | |
1415 goto loser; | |
1416 } | |
1417 | |
1418 /* extendedMasterSecretUsed */ | |
1419 rv = ssl3_AppendNumberToItem( | |
1420 &plaintext, ss->sec.ci.sid->u.ssl3.keys.extendedMasterSecretUsed, 1); | |
1421 if (rv != SECSuccess) | |
1422 goto loser; | |
1423 | |
1424 PORT_Assert(plaintext.len == padding_length); | |
1425 for (i = 0; i < padding_length; i++) | |
1426 plaintext.data[i] = (unsigned char)padding_length; | |
1427 | |
1428 if (SECITEM_AllocItem(NULL, &ciphertext, ciphertext_length) == NULL) { | |
1429 rv = SECFailure; | |
1430 goto loser; | |
1431 } | |
1432 | |
1433 /* Generate encrypted portion of ticket. */ | |
1434 #ifndef NO_PKCS11_BYPASS | |
1435 if (ss->opt.bypassPKCS11) { | |
1436 aes_ctx = (AESContext *)aes_ctx_buf; | |
1437 rv = AES_InitContext(aes_ctx, aes_key, aes_key_length, iv, | |
1438 NSS_AES_CBC, 1, AES_BLOCK_SIZE); | |
1439 if (rv != SECSuccess) | |
1440 goto loser; | |
1441 | |
1442 rv = AES_Encrypt(aes_ctx, ciphertext.data, &ciphertext.len, | |
1443 ciphertext.len, plaintext_item.data, | |
1444 plaintext_item.len); | |
1445 if (rv != SECSuccess) | |
1446 goto loser; | |
1447 } else | |
1448 #endif | |
1449 { | |
1450 aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech, | |
1451 CKA_ENCRYPT, aes_key_pkcs11,
&ivItem); | |
1452 if (!aes_ctx_pkcs11) | |
1453 goto loser; | |
1454 | |
1455 rv = PK11_CipherOp(aes_ctx_pkcs11, ciphertext.data, | |
1456 (int *)&ciphertext.len, ciphertext.len, | |
1457 plaintext_item.data, plaintext_item.len); | |
1458 PK11_Finalize(aes_ctx_pkcs11); | |
1459 PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE); | |
1460 if (rv != SECSuccess) | |
1461 goto loser; | |
1462 } | |
1463 | |
1464 /* Convert ciphertext length to network order. */ | |
1465 length_buf[0] = (ciphertext.len >> 8) & 0xff; | |
1466 length_buf[1] = (ciphertext.len) & 0xff; | |
1467 | |
1468 /* Compute MAC. */ | |
1469 #ifndef NO_PKCS11_BYPASS | |
1470 if (ss->opt.bypassPKCS11) { | |
1471 hmac_ctx = (HMACContext *)hmac_ctx_buf; | |
1472 hashObj = HASH_GetRawHashObject(HASH_AlgSHA256); | |
1473 if (HMAC_Init(hmac_ctx, hashObj, mac_key, | |
1474 mac_key_length, PR_FALSE) != SECSuccess) | |
1475 goto loser; | |
1476 | |
1477 HMAC_Begin(hmac_ctx); | |
1478 HMAC_Update(hmac_ctx, key_name, SESS_TICKET_KEY_NAME_LEN); | |
1479 HMAC_Update(hmac_ctx, iv, sizeof(iv)); | |
1480 HMAC_Update(hmac_ctx, (unsigned char *)length_buf, 2); | |
1481 HMAC_Update(hmac_ctx, ciphertext.data, ciphertext.len); | |
1482 HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length, | |
1483 sizeof(computed_mac)); | |
1484 } else | |
1485 #endif | |
1486 { | |
1487 SECItem macParam; | |
1488 macParam.data = NULL; | |
1489 macParam.len = 0; | |
1490 hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech, | |
1491 CKA_SIGN, mac_key_pkcs11, &
macParam); | |
1492 if (!hmac_ctx_pkcs11) | |
1493 goto loser; | |
1494 | |
1495 rv = PK11_DigestBegin(hmac_ctx_pkcs11); | |
1496 if (rv != SECSuccess) | |
1497 goto loser; | |
1498 rv = PK11_DigestOp(hmac_ctx_pkcs11, key_name, | |
1499 SESS_TICKET_KEY_NAME_LEN); | |
1500 if (rv != SECSuccess) | |
1501 goto loser; | |
1502 rv = PK11_DigestOp(hmac_ctx_pkcs11, iv, sizeof(iv)); | |
1503 if (rv != SECSuccess) | |
1504 goto loser; | |
1505 rv = PK11_DigestOp(hmac_ctx_pkcs11, (unsigned char *)length_buf, 2); | |
1506 if (rv != SECSuccess) | |
1507 goto loser; | |
1508 rv = PK11_DigestOp(hmac_ctx_pkcs11, ciphertext.data, ciphertext.len); | |
1509 if (rv != SECSuccess) | |
1510 goto loser; | |
1511 rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac, | |
1512 &computed_mac_length, sizeof(computed_mac)); | |
1513 if (rv != SECSuccess) | |
1514 goto loser; | |
1515 } | |
1516 | |
1517 /* Serialize the handshake message. */ | |
1518 rv = ssl3_AppendHandshakeHeader(ss, new_session_ticket, message_length); | |
1519 if (rv != SECSuccess) | |
1520 goto loser; | |
1521 | |
1522 rv = ssl3_AppendHandshakeNumber(ss, ticket.ticket_lifetime_hint, | |
1523 sizeof(ticket.ticket_lifetime_hint)); | |
1524 if (rv != SECSuccess) | |
1525 goto loser; | |
1526 | |
1527 rv = ssl3_AppendHandshakeNumber(ss, | |
1528 message_length - sizeof(ticket.ticket_lifeti
me_hint) - 2, | |
1529 2); | |
1530 if (rv != SECSuccess) | |
1531 goto loser; | |
1532 | |
1533 rv = ssl3_AppendHandshake(ss, key_name, SESS_TICKET_KEY_NAME_LEN); | |
1534 if (rv != SECSuccess) | |
1535 goto loser; | |
1536 | |
1537 rv = ssl3_AppendHandshake(ss, iv, sizeof(iv)); | |
1538 if (rv != SECSuccess) | |
1539 goto loser; | |
1540 | |
1541 rv = ssl3_AppendHandshakeVariable(ss, ciphertext.data, ciphertext.len, 2); | |
1542 if (rv != SECSuccess) | |
1543 goto loser; | |
1544 | |
1545 rv = ssl3_AppendHandshake(ss, computed_mac, computed_mac_length); | |
1546 if (rv != SECSuccess) | |
1547 goto loser; | |
1548 | |
1549 loser: | |
1550 if (hmac_ctx_pkcs11) | |
1551 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); | |
1552 if (plaintext_item.data) | |
1553 SECITEM_FreeItem(&plaintext_item, PR_FALSE); | |
1554 if (ciphertext.data) | |
1555 SECITEM_FreeItem(&ciphertext, PR_FALSE); | |
1556 | |
1557 return rv; | |
1558 } | |
1559 | |
1560 /* When a client receives a SessionTicket extension a NewSessionTicket | |
1561 * message is expected during the handshake. | |
1562 */ | |
1563 SECStatus | |
1564 ssl3_ClientHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type, | |
1565 SECItem *data) | |
1566 { | |
1567 if (data->len != 0) { | |
1568 return SECSuccess; /* Ignore the extension. */ | |
1569 } | |
1570 | |
1571 /* Keep track of negotiated extensions. */ | |
1572 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | |
1573 return SECSuccess; | |
1574 } | |
1575 | |
1576 SECStatus | |
1577 ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type, | |
1578 SECItem *data) | |
1579 { | |
1580 SECStatus rv; | |
1581 SECItem *decrypted_state = NULL; | |
1582 SessionTicket *parsed_session_ticket = NULL; | |
1583 sslSessionID *sid = NULL; | |
1584 SSL3Statistics *ssl3stats; | |
1585 | |
1586 /* Ignore the SessionTicket extension if processing is disabled. */ | |
1587 if (!ss->opt.enableSessionTickets) { | |
1588 return SECSuccess; | |
1589 } | |
1590 | |
1591 /* Keep track of negotiated extensions. */ | |
1592 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | |
1593 | |
1594 /* Parse the received ticket sent in by the client. We are | |
1595 * lenient about some parse errors, falling back to a fullshake | |
1596 * instead of terminating the current connection. | |
1597 */ | |
1598 if (data->len == 0) { | |
1599 ss->xtnData.emptySessionTicket = PR_TRUE; | |
1600 } else { | |
1601 PRUint32 i; | |
1602 SECItem extension_data; | |
1603 EncryptedSessionTicket enc_session_ticket; | |
1604 unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH]; | |
1605 unsigned int computed_mac_length; | |
1606 #ifndef NO_PKCS11_BYPASS | |
1607 const SECHashObject *hashObj; | |
1608 const unsigned char *aes_key; | |
1609 const unsigned char *mac_key; | |
1610 PRUint32 aes_key_length; | |
1611 PRUint32 mac_key_length; | |
1612 PRUint64 hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS]; | |
1613 HMACContext *hmac_ctx; | |
1614 PRUint64 aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS]; | |
1615 AESContext *aes_ctx; | |
1616 #endif | |
1617 PK11SymKey *aes_key_pkcs11; | |
1618 PK11SymKey *mac_key_pkcs11; | |
1619 PK11Context *hmac_ctx_pkcs11; | |
1620 CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC; | |
1621 PK11Context *aes_ctx_pkcs11; | |
1622 CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC; | |
1623 unsigned char *padding; | |
1624 PRUint32 padding_length; | |
1625 unsigned char *buffer; | |
1626 unsigned int buffer_len; | |
1627 PRInt32 temp; | |
1628 SECItem cert_item; | |
1629 PRInt8 nameType = TLS_STE_NO_SERVER_NAME; | |
1630 | |
1631 /* Turn off stateless session resumption if the client sends a | |
1632 * SessionTicket extension, even if the extension turns out to be | |
1633 * malformed (ss->sec.ci.sid is non-NULL when doing session | |
1634 * renegotiation.) | |
1635 */ | |
1636 if (ss->sec.ci.sid != NULL) { | |
1637 if (ss->sec.uncache) | |
1638 ss->sec.uncache(ss->sec.ci.sid); | |
1639 ssl_FreeSID(ss->sec.ci.sid); | |
1640 ss->sec.ci.sid = NULL; | |
1641 } | |
1642 | |
1643 extension_data.data = data->data; /* Keep a copy for future use. */ | |
1644 extension_data.len = data->len; | |
1645 | |
1646 if (ssl3_ParseEncryptedSessionTicket(ss, data, &enc_session_ticket) != | |
1647 SECSuccess) { | |
1648 return SECSuccess; /* Pretend it isn't there */ | |
1649 } | |
1650 | |
1651 /* Get session ticket keys. */ | |
1652 #ifndef NO_PKCS11_BYPASS | |
1653 if (ss->opt.bypassPKCS11) { | |
1654 rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length, | |
1655 &mac_key, &mac_key_length); | |
1656 } else | |
1657 #endif | |
1658 { | |
1659 rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11, | |
1660 &mac_key_pkcs11); | |
1661 } | |
1662 if (rv != SECSuccess) { | |
1663 SSL_DBG(("%d: SSL[%d]: Unable to get/generate session ticket keys.", | |
1664 SSL_GETPID(), ss->fd)); | |
1665 goto loser; | |
1666 } | |
1667 | |
1668 /* If the ticket sent by the client was generated under a key different | |
1669 * from the one we have, bypass ticket processing. | |
1670 */ | |
1671 if (PORT_Memcmp(enc_session_ticket.key_name, key_name, | |
1672 SESS_TICKET_KEY_NAME_LEN) != 0) { | |
1673 SSL_DBG(("%d: SSL[%d]: Session ticket key_name sent mismatch.", | |
1674 SSL_GETPID(), ss->fd)); | |
1675 goto no_ticket; | |
1676 } | |
1677 | |
1678 /* Verify the MAC on the ticket. MAC verification may also | |
1679 * fail if the MAC key has been recently refreshed. | |
1680 */ | |
1681 #ifndef NO_PKCS11_BYPASS | |
1682 if (ss->opt.bypassPKCS11) { | |
1683 hmac_ctx = (HMACContext *)hmac_ctx_buf; | |
1684 hashObj = HASH_GetRawHashObject(HASH_AlgSHA256); | |
1685 if (HMAC_Init(hmac_ctx, hashObj, mac_key, | |
1686 sizeof(session_ticket_mac_key), PR_FALSE) != SECSucces
s) | |
1687 goto no_ticket; | |
1688 HMAC_Begin(hmac_ctx); | |
1689 HMAC_Update(hmac_ctx, extension_data.data, | |
1690 extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH); | |
1691 if (HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length, | |
1692 sizeof(computed_mac)) != SECSuccess) | |
1693 goto no_ticket; | |
1694 } else | |
1695 #endif | |
1696 { | |
1697 SECItem macParam; | |
1698 macParam.data = NULL; | |
1699 macParam.len = 0; | |
1700 hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech, | |
1701 CKA_SIGN, mac_key_pkcs1
1, &macParam); | |
1702 if (!hmac_ctx_pkcs11) { | |
1703 SSL_DBG(("%d: SSL[%d]: Unable to create HMAC context: %d.", | |
1704 SSL_GETPID(), ss->fd, PORT_GetError())); | |
1705 goto no_ticket; | |
1706 } else { | |
1707 SSL_DBG(("%d: SSL[%d]: Successfully created HMAC context.", | |
1708 SSL_GETPID(), ss->fd)); | |
1709 } | |
1710 rv = PK11_DigestBegin(hmac_ctx_pkcs11); | |
1711 rv = PK11_DigestOp(hmac_ctx_pkcs11, extension_data.data, | |
1712 extension_data.len - | |
1713 TLS_EX_SESS_TICKET_MAC_LENGTH); | |
1714 if (rv != SECSuccess) { | |
1715 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); | |
1716 goto no_ticket; | |
1717 } | |
1718 rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac, | |
1719 &computed_mac_length, sizeof(computed_mac)); | |
1720 PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE); | |
1721 if (rv != SECSuccess) | |
1722 goto no_ticket; | |
1723 } | |
1724 if (NSS_SecureMemcmp(computed_mac, enc_session_ticket.mac, | |
1725 computed_mac_length) != | |
1726 0) { | |
1727 SSL_DBG(("%d: SSL[%d]: Session ticket MAC mismatch.", | |
1728 SSL_GETPID(), ss->fd)); | |
1729 goto no_ticket; | |
1730 } | |
1731 | |
1732 /* We ignore key_name for now. | |
1733 * This is ok as MAC verification succeeded. | |
1734 */ | |
1735 | |
1736 /* Decrypt the ticket. */ | |
1737 | |
1738 /* Plaintext is shorter than the ciphertext due to padding. */ | |
1739 decrypted_state = SECITEM_AllocItem(NULL, NULL, | |
1740 enc_session_ticket.encrypted_state.l
en); | |
1741 | |
1742 #ifndef NO_PKCS11_BYPASS | |
1743 if (ss->opt.bypassPKCS11) { | |
1744 aes_ctx = (AESContext *)aes_ctx_buf; | |
1745 rv = AES_InitContext(aes_ctx, aes_key, | |
1746 sizeof(session_ticket_enc_key), enc_session_tic
ket.iv, | |
1747 NSS_AES_CBC, 0, AES_BLOCK_SIZE); | |
1748 if (rv != SECSuccess) { | |
1749 SSL_DBG(("%d: SSL[%d]: Unable to create AES context.", | |
1750 SSL_GETPID(), ss->fd)); | |
1751 goto no_ticket; | |
1752 } | |
1753 | |
1754 rv = AES_Decrypt(aes_ctx, decrypted_state->data, | |
1755 &decrypted_state->len, decrypted_state->len, | |
1756 enc_session_ticket.encrypted_state.data, | |
1757 enc_session_ticket.encrypted_state.len); | |
1758 if (rv != SECSuccess) | |
1759 goto no_ticket; | |
1760 } else | |
1761 #endif | |
1762 { | |
1763 SECItem ivItem; | |
1764 ivItem.data = enc_session_ticket.iv; | |
1765 ivItem.len = AES_BLOCK_SIZE; | |
1766 aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech, | |
1767 CKA_DECRYPT, aes_key_pkc
s11, &ivItem); | |
1768 if (!aes_ctx_pkcs11) { | |
1769 SSL_DBG(("%d: SSL[%d]: Unable to create AES context.", | |
1770 SSL_GETPID(), ss->fd)); | |
1771 goto no_ticket; | |
1772 } | |
1773 | |
1774 rv = PK11_CipherOp(aes_ctx_pkcs11, decrypted_state->data, | |
1775 (int *)&decrypted_state->len, decrypted_state->le
n, | |
1776 enc_session_ticket.encrypted_state.data, | |
1777 enc_session_ticket.encrypted_state.len); | |
1778 PK11_Finalize(aes_ctx_pkcs11); | |
1779 PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE); | |
1780 if (rv != SECSuccess) | |
1781 goto no_ticket; | |
1782 } | |
1783 | |
1784 /* Check padding. */ | |
1785 padding_length = | |
1786 (PRUint32)decrypted_state->data[decrypted_state->len - 1]; | |
1787 if (padding_length == 0 || padding_length > AES_BLOCK_SIZE) | |
1788 goto no_ticket; | |
1789 | |
1790 padding = &decrypted_state->data[decrypted_state->len - padding_length]; | |
1791 for (i = 0; i < padding_length; i++, padding++) { | |
1792 if (padding_length != (PRUint32)*padding) | |
1793 goto no_ticket; | |
1794 } | |
1795 | |
1796 /* Deserialize session state. */ | |
1797 buffer = decrypted_state->data; | |
1798 buffer_len = decrypted_state->len; | |
1799 | |
1800 parsed_session_ticket = PORT_ZAlloc(sizeof(SessionTicket)); | |
1801 if (parsed_session_ticket == NULL) { | |
1802 rv = SECFailure; | |
1803 goto loser; | |
1804 } | |
1805 | |
1806 /* Read ticket_version and reject if the version is wrong */ | |
1807 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); | |
1808 if (temp != TLS_EX_SESS_TICKET_VERSION) | |
1809 goto no_ticket; | |
1810 | |
1811 parsed_session_ticket->ticket_version = (SSL3ProtocolVersion)temp; | |
1812 | |
1813 /* Read SSLVersion. */ | |
1814 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); | |
1815 if (temp < 0) | |
1816 goto no_ticket; | |
1817 parsed_session_ticket->ssl_version = (SSL3ProtocolVersion)temp; | |
1818 | |
1819 /* Read cipher_suite. */ | |
1820 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); | |
1821 if (temp < 0) | |
1822 goto no_ticket; | |
1823 parsed_session_ticket->cipher_suite = (ssl3CipherSuite)temp; | |
1824 | |
1825 /* Read compression_method. */ | |
1826 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); | |
1827 if (temp < 0) | |
1828 goto no_ticket; | |
1829 parsed_session_ticket->compression_method = (SSLCompressionMethod)temp; | |
1830 | |
1831 /* Read cipher spec parameters. */ | |
1832 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); | |
1833 if (temp < 0) | |
1834 goto no_ticket; | |
1835 parsed_session_ticket->authAlgorithm = (SSLSignType)temp; | |
1836 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); | |
1837 if (temp < 0) | |
1838 goto no_ticket; | |
1839 parsed_session_ticket->authKeyBits = (PRUint32)temp; | |
1840 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); | |
1841 if (temp < 0) | |
1842 goto no_ticket; | |
1843 parsed_session_ticket->keaType = (SSLKEAType)temp; | |
1844 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); | |
1845 if (temp < 0) | |
1846 goto no_ticket; | |
1847 parsed_session_ticket->keaKeyBits = (PRUint32)temp; | |
1848 | |
1849 /* Read wrapped master_secret. */ | |
1850 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); | |
1851 if (temp < 0) | |
1852 goto no_ticket; | |
1853 parsed_session_ticket->ms_is_wrapped = (PRBool)temp; | |
1854 | |
1855 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); | |
1856 if (temp < 0) | |
1857 goto no_ticket; | |
1858 parsed_session_ticket->exchKeyType = (SSL3KEAType)temp; | |
1859 | |
1860 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); | |
1861 if (temp < 0) | |
1862 goto no_ticket; | |
1863 parsed_session_ticket->msWrapMech = (CK_MECHANISM_TYPE)temp; | |
1864 | |
1865 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); | |
1866 if (temp < 0) | |
1867 goto no_ticket; | |
1868 parsed_session_ticket->ms_length = (PRUint16)temp; | |
1869 if (parsed_session_ticket->ms_length == 0 || /* sanity check MS. */ | |
1870 parsed_session_ticket->ms_length > | |
1871 sizeof(parsed_session_ticket->master_secret)) | |
1872 goto no_ticket; | |
1873 | |
1874 /* Allow for the wrapped master secret to be longer. */ | |
1875 if (buffer_len < parsed_session_ticket->ms_length) | |
1876 goto no_ticket; | |
1877 PORT_Memcpy(parsed_session_ticket->master_secret, buffer, | |
1878 parsed_session_ticket->ms_length); | |
1879 buffer += parsed_session_ticket->ms_length; | |
1880 buffer_len -= parsed_session_ticket->ms_length; | |
1881 | |
1882 /* Read client_identity */ | |
1883 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); | |
1884 if (temp < 0) | |
1885 goto no_ticket; | |
1886 parsed_session_ticket->client_identity.client_auth_type = | |
1887 (ClientAuthenticationType)temp; | |
1888 switch (parsed_session_ticket->client_identity.client_auth_type) { | |
1889 case CLIENT_AUTH_ANONYMOUS: | |
1890 break; | |
1891 case CLIENT_AUTH_CERTIFICATE: | |
1892 rv = ssl3_ConsumeHandshakeVariable(ss, &cert_item, 3, | |
1893 &buffer, &buffer_len); | |
1894 if (rv != SECSuccess) | |
1895 goto no_ticket; | |
1896 rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->peer_cert, | |
1897 &cert_item); | |
1898 if (rv != SECSuccess) | |
1899 goto no_ticket; | |
1900 break; | |
1901 default: | |
1902 goto no_ticket; | |
1903 } | |
1904 /* Read timestamp. */ | |
1905 temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); | |
1906 if (temp < 0) | |
1907 goto no_ticket; | |
1908 parsed_session_ticket->timestamp = (PRUint32)temp; | |
1909 | |
1910 /* Read server name */ | |
1911 nameType = | |
1912 ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); | |
1913 if (nameType != TLS_STE_NO_SERVER_NAME) { | |
1914 SECItem name_item; | |
1915 rv = ssl3_ConsumeHandshakeVariable(ss, &name_item, 2, &buffer, | |
1916 &buffer_len); | |
1917 if (rv != SECSuccess) | |
1918 goto no_ticket; | |
1919 rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->srvName, | |
1920 &name_item); | |
1921 if (rv != SECSuccess) | |
1922 goto no_ticket; | |
1923 parsed_session_ticket->srvName.type = nameType; | |
1924 } | |
1925 | |
1926 /* Read extendedMasterSecretUsed */ | |
1927 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); | |
1928 if (temp < 0) | |
1929 goto no_ticket; | |
1930 PORT_Assert(temp == PR_TRUE || temp == PR_FALSE); | |
1931 parsed_session_ticket->extendedMasterSecretUsed = (PRBool)temp; | |
1932 | |
1933 /* Done parsing. Check that all bytes have been consumed. */ | |
1934 if (buffer_len != padding_length) | |
1935 goto no_ticket; | |
1936 | |
1937 /* Use the ticket if it has not expired, otherwise free the allocated | |
1938 * memory since the ticket is of no use. | |
1939 */ | |
1940 if (parsed_session_ticket->timestamp != 0 && | |
1941 parsed_session_ticket->timestamp + | |
1942 TLS_EX_SESS_TICKET_LIFETIME_HINT > | |
1943 ssl_Time()) { | |
1944 | |
1945 sid = ssl3_NewSessionID(ss, PR_TRUE); | |
1946 if (sid == NULL) { | |
1947 rv = SECFailure; | |
1948 goto loser; | |
1949 } | |
1950 | |
1951 /* Copy over parameters. */ | |
1952 sid->version = parsed_session_ticket->ssl_version; | |
1953 sid->u.ssl3.cipherSuite = parsed_session_ticket->cipher_suite; | |
1954 sid->u.ssl3.compression = parsed_session_ticket->compression_method; | |
1955 sid->authAlgorithm = parsed_session_ticket->authAlgorithm; | |
1956 sid->authKeyBits = parsed_session_ticket->authKeyBits; | |
1957 sid->keaType = parsed_session_ticket->keaType; | |
1958 sid->keaKeyBits = parsed_session_ticket->keaKeyBits; | |
1959 | |
1960 /* Copy master secret. */ | |
1961 #ifndef NO_PKCS11_BYPASS | |
1962 if (ss->opt.bypassPKCS11 && | |
1963 parsed_session_ticket->ms_is_wrapped) | |
1964 goto no_ticket; | |
1965 #endif | |
1966 if (parsed_session_ticket->ms_length > | |
1967 sizeof(sid->u.ssl3.keys.wrapped_master_secret)) | |
1968 goto no_ticket; | |
1969 PORT_Memcpy(sid->u.ssl3.keys.wrapped_master_secret, | |
1970 parsed_session_ticket->master_secret, | |
1971 parsed_session_ticket->ms_length); | |
1972 sid->u.ssl3.keys.wrapped_master_secret_len = | |
1973 parsed_session_ticket->ms_length; | |
1974 sid->u.ssl3.exchKeyType = parsed_session_ticket->exchKeyType; | |
1975 sid->u.ssl3.masterWrapMech = parsed_session_ticket->msWrapMech; | |
1976 sid->u.ssl3.keys.msIsWrapped = | |
1977 parsed_session_ticket->ms_is_wrapped; | |
1978 sid->u.ssl3.masterValid = PR_TRUE; | |
1979 sid->u.ssl3.keys.resumable = PR_TRUE; | |
1980 sid->u.ssl3.keys.extendedMasterSecretUsed = parsed_session_ticket->e
xtendedMasterSecretUsed; | |
1981 | |
1982 /* Copy over client cert from session ticket if there is one. */ | |
1983 if (parsed_session_ticket->peer_cert.data != NULL) { | |
1984 if (sid->peerCert != NULL) | |
1985 CERT_DestroyCertificate(sid->peerCert); | |
1986 sid->peerCert = CERT_NewTempCertificate(ss->dbHandle, | |
1987 &parsed_session_ticket->
peer_cert, NULL, PR_FALSE, PR_TRUE); | |
1988 if (sid->peerCert == NULL) { | |
1989 rv = SECFailure; | |
1990 goto loser; | |
1991 } | |
1992 } | |
1993 if (parsed_session_ticket->srvName.data != NULL) { | |
1994 sid->u.ssl3.srvName = parsed_session_ticket->srvName; | |
1995 } | |
1996 ss->statelessResume = PR_TRUE; | |
1997 ss->sec.ci.sid = sid; | |
1998 } | |
1999 } | |
2000 | |
2001 if (0) { | |
2002 no_ticket: | |
2003 SSL_DBG(("%d: SSL[%d]: Session ticket parsing failed.", | |
2004 SSL_GETPID(), ss->fd)); | |
2005 ssl3stats = SSL_GetStatistics(); | |
2006 SSL_AtomicIncrementLong(&ssl3stats->hch_sid_ticket_parse_failures); | |
2007 } | |
2008 rv = SECSuccess; | |
2009 | |
2010 loser: | |
2011 /* ss->sec.ci.sid == sid if it did NOT come here via goto statement | |
2012 * in that case do not free sid | |
2013 */ | |
2014 if (sid && (ss->sec.ci.sid != sid)) { | |
2015 ssl_FreeSID(sid); | |
2016 sid = NULL; | |
2017 } | |
2018 if (decrypted_state != NULL) { | |
2019 SECITEM_FreeItem(decrypted_state, PR_TRUE); | |
2020 decrypted_state = NULL; | |
2021 } | |
2022 | |
2023 if (parsed_session_ticket != NULL) { | |
2024 if (parsed_session_ticket->peer_cert.data) { | |
2025 SECITEM_FreeItem(&parsed_session_ticket->peer_cert, PR_FALSE); | |
2026 } | |
2027 PORT_ZFree(parsed_session_ticket, sizeof(SessionTicket)); | |
2028 } | |
2029 | |
2030 return rv; | |
2031 } | |
2032 | |
2033 /* | |
2034 * Read bytes. Using this function means the SECItem structure | |
2035 * cannot be freed. The caller is expected to call this function | |
2036 * on a shallow copy of the structure. | |
2037 */ | |
2038 static SECStatus | |
2039 ssl3_ConsumeFromItem(SECItem *item, unsigned char **buf, PRUint32 bytes) | |
2040 { | |
2041 if (bytes > item->len) | |
2042 return SECFailure; | |
2043 | |
2044 *buf = item->data; | |
2045 item->data += bytes; | |
2046 item->len -= bytes; | |
2047 return SECSuccess; | |
2048 } | |
2049 | |
2050 static SECStatus | |
2051 ssl3_ParseEncryptedSessionTicket(sslSocket *ss, SECItem *data, | |
2052 EncryptedSessionTicket *enc_session_ticket) | |
2053 { | |
2054 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->key_name, | |
2055 SESS_TICKET_KEY_NAME_LEN) != | |
2056 SECSuccess) | |
2057 return SECFailure; | |
2058 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->iv, | |
2059 AES_BLOCK_SIZE) != | |
2060 SECSuccess) | |
2061 return SECFailure; | |
2062 if (ssl3_ConsumeHandshakeVariable(ss, &enc_session_ticket->encrypted_state, | |
2063 2, &data->data, &data->len) != | |
2064 SECSuccess) | |
2065 return SECFailure; | |
2066 if (ssl3_ConsumeFromItem(data, &enc_session_ticket->mac, | |
2067 TLS_EX_SESS_TICKET_MAC_LENGTH) != | |
2068 SECSuccess) | |
2069 return SECFailure; | |
2070 if (data->len != 0) /* Make sure that we have consumed all bytes. */ | |
2071 return SECFailure; | |
2072 | |
2073 return SECSuccess; | |
2074 } | |
2075 | |
2076 /* go through hello extensions in buffer "b". | |
2077 * For each one, find the extension handler in the table, and | |
2078 * if present, invoke that handler. | |
2079 * Servers ignore any extensions with unknown extension types. | |
2080 * Clients reject any extensions with unadvertised extension types. | |
2081 * In TLS >= 1.3, the client checks that extensions appear in the | |
2082 * right phase. | |
2083 */ | |
2084 SECStatus | |
2085 ssl3_HandleHelloExtensions(sslSocket *ss, SSL3Opaque **b, PRUint32 *length, | |
2086 SSL3HandshakeType handshakeMessage) | |
2087 { | |
2088 const ssl3HelloExtensionHandler *handlers; | |
2089 PRBool isTLS13 = ss->version >= SSL_LIBRARY_VERSION_TLS_1_3; | |
2090 | |
2091 switch (handshakeMessage) { | |
2092 case client_hello: | |
2093 handlers = clientHelloHandlers; | |
2094 break; | |
2095 case encrypted_extensions: | |
2096 PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); | |
2097 /* fall through */ | |
2098 case server_hello: | |
2099 if (ss->version > SSL_LIBRARY_VERSION_3_0) { | |
2100 handlers = serverHelloHandlersTLS; | |
2101 } else { | |
2102 handlers = serverHelloHandlersSSL3; | |
2103 } | |
2104 break; | |
2105 default: | |
2106 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | |
2107 PORT_Assert(0); | |
2108 return SECFailure; | |
2109 } | |
2110 | |
2111 while (*length) { | |
2112 const ssl3HelloExtensionHandler *handler; | |
2113 SECStatus rv; | |
2114 PRInt32 extension_type; | |
2115 SECItem extension_data; | |
2116 | |
2117 /* Get the extension's type field */ | |
2118 extension_type = ssl3_ConsumeHandshakeNumber(ss, 2, b, length); | |
2119 if (extension_type < 0) /* failure to decode extension_type */ | |
2120 return SECFailure; /* alert already sent */ | |
2121 | |
2122 /* get the data for this extension, so we can pass it or skip it. */ | |
2123 rv = ssl3_ConsumeHandshakeVariable(ss, &extension_data, 2, b, length); | |
2124 if (rv != SECSuccess) | |
2125 return rv; /* alert already sent */ | |
2126 | |
2127 /* Check whether the server sent an extension which was not advertised | |
2128 * in the ClientHello */ | |
2129 if (!ss->sec.isServer && | |
2130 !ssl3_ClientExtensionAdvertised(ss, extension_type)) { | |
2131 (void)SSL3_SendAlert(ss, alert_fatal, unsupported_extension); | |
2132 return SECFailure; | |
2133 } | |
2134 | |
2135 /* Check whether an extension has been sent multiple times. */ | |
2136 if (ssl3_ExtensionNegotiated(ss, extension_type)) { | |
2137 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); | |
2138 return SECFailure; | |
2139 } | |
2140 | |
2141 /* Check that this is a legal extension in TLS 1.3 */ | |
2142 if (isTLS13 && !tls13_ExtensionAllowed(extension_type, handshakeMessage)
) { | |
2143 if (handshakeMessage == client_hello) { | |
2144 /* Skip extensions not used in TLS 1.3 */ | |
2145 continue; | |
2146 } | |
2147 tls13_FatalError(ss, SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION, | |
2148 unsupported_extension); | |
2149 return SECFailure; | |
2150 } | |
2151 | |
2152 /* find extension_type in table of Hello Extension Handlers */ | |
2153 for (handler = handlers; handler->ex_type >= 0; handler++) { | |
2154 /* if found, call this handler */ | |
2155 if (handler->ex_type == extension_type) { | |
2156 rv = (*handler->ex_handler)(ss, (PRUint16)extension_type, | |
2157 &extension_data); | |
2158 if (rv != SECSuccess) { | |
2159 if (!ss->ssl3.fatalAlertSent) { | |
2160 /* send a generic alert if the handler didn't already */ | |
2161 (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure)
; | |
2162 } | |
2163 return SECFailure; | |
2164 } | |
2165 } | |
2166 } | |
2167 } | |
2168 return SECSuccess; | |
2169 } | |
2170 | |
2171 /* Add a callback function to the table of senders of server hello extensions. | |
2172 */ | |
2173 SECStatus | |
2174 ssl3_RegisterServerHelloExtensionSender(sslSocket *ss, PRUint16 ex_type, | |
2175 ssl3HelloExtensionSenderFunc cb) | |
2176 { | |
2177 int i; | |
2178 ssl3HelloExtensionSender *sender; | |
2179 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { | |
2180 sender = &ss->xtnData.serverHelloSenders[0]; | |
2181 } else { | |
2182 if (tls13_ExtensionAllowed(ex_type, server_hello)) { | |
2183 PORT_Assert(!tls13_ExtensionAllowed(ex_type, encrypted_extensions)); | |
2184 sender = &ss->xtnData.serverHelloSenders[0]; | |
2185 } else { | |
2186 PORT_Assert(tls13_ExtensionAllowed(ex_type, encrypted_extensions)); | |
2187 sender = &ss->xtnData.encryptedExtensionsSenders[0]; | |
2188 } | |
2189 } | |
2190 | |
2191 for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) { | |
2192 if (!sender->ex_sender) { | |
2193 sender->ex_type = ex_type; | |
2194 sender->ex_sender = cb; | |
2195 return SECSuccess; | |
2196 } | |
2197 /* detect duplicate senders */ | |
2198 PORT_Assert(sender->ex_type != ex_type); | |
2199 if (sender->ex_type == ex_type) { | |
2200 /* duplicate */ | |
2201 break; | |
2202 } | |
2203 } | |
2204 PORT_Assert(i < SSL_MAX_EXTENSIONS); /* table needs to grow */ | |
2205 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | |
2206 return SECFailure; | |
2207 } | |
2208 | |
2209 /* call each of the extension senders and return the accumulated length */ | |
2210 PRInt32 | |
2211 ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes, | |
2212 const ssl3HelloExtensionSender *sender) | |
2213 { | |
2214 PRInt32 total_exten_len = 0; | |
2215 int i; | |
2216 | |
2217 if (!sender) { | |
2218 if (ss->version > SSL_LIBRARY_VERSION_3_0) { | |
2219 sender = &clientHelloSendersTLS[0]; | |
2220 } else { | |
2221 sender = &clientHelloSendersSSL3[0]; | |
2222 } | |
2223 } | |
2224 | |
2225 for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) { | |
2226 if (sender->ex_sender) { | |
2227 PRInt32 extLen = (*sender->ex_sender)(ss, append, maxBytes); | |
2228 if (extLen < 0) | |
2229 return -1; | |
2230 maxBytes -= extLen; | |
2231 total_exten_len += extLen; | |
2232 } | |
2233 } | |
2234 return total_exten_len; | |
2235 } | |
2236 | |
2237 /* Extension format: | |
2238 * Extension number: 2 bytes | |
2239 * Extension length: 2 bytes | |
2240 * Verify Data Length: 1 byte | |
2241 * Verify Data (TLS): 12 bytes (client) or 24 bytes (server) | |
2242 * Verify Data (SSL): 36 bytes (client) or 72 bytes (server) | |
2243 */ | |
2244 static PRInt32 | |
2245 ssl3_SendRenegotiationInfoXtn( | |
2246 sslSocket *ss, | |
2247 PRBool append, | |
2248 PRUint32 maxBytes) | |
2249 { | |
2250 PRInt32 len = 0; | |
2251 PRInt32 needed; | |
2252 | |
2253 /* In draft-ietf-tls-renegotiation-03, it is NOT RECOMMENDED to send | |
2254 * both the SCSV and the empty RI, so when we send SCSV in | |
2255 * the initial handshake, we don't also send RI. | |
2256 */ | |
2257 if (!ss || ss->ssl3.hs.sendingSCSV) | |
2258 return 0; | |
2259 if (ss->firstHsDone) { | |
2260 len = ss->sec.isServer ? ss->ssl3.hs.finishedBytes * 2 | |
2261 : ss->ssl3.hs.finishedBytes; | |
2262 } | |
2263 needed = 5 + len; | |
2264 if (maxBytes < (PRUint32)needed) { | |
2265 return 0; | |
2266 } | |
2267 if (append) { | |
2268 SECStatus rv; | |
2269 /* extension_type */ | |
2270 rv = ssl3_AppendHandshakeNumber(ss, ssl_renegotiation_info_xtn, 2); | |
2271 if (rv != SECSuccess) | |
2272 return -1; | |
2273 /* length of extension_data */ | |
2274 rv = ssl3_AppendHandshakeNumber(ss, len + 1, 2); | |
2275 if (rv != SECSuccess) | |
2276 return -1; | |
2277 /* verify_Data from previous Finished message(s) */ | |
2278 rv = ssl3_AppendHandshakeVariable(ss, | |
2279 ss->ssl3.hs.finishedMsgs.data, len, 1)
; | |
2280 if (rv != SECSuccess) | |
2281 return -1; | |
2282 if (!ss->sec.isServer) { | |
2283 TLSExtensionData *xtnData = &ss->xtnData; | |
2284 xtnData->advertised[xtnData->numAdvertised++] = | |
2285 ssl_renegotiation_info_xtn; | |
2286 } | |
2287 } | |
2288 return needed; | |
2289 } | |
2290 | |
2291 static SECStatus | |
2292 ssl3_ServerHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type, | |
2293 SECItem *data) | |
2294 { | |
2295 SECStatus rv = SECSuccess; | |
2296 | |
2297 /* remember that we got this extension. */ | |
2298 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | |
2299 PORT_Assert(ss->sec.isServer); | |
2300 /* prepare to send back the appropriate response */ | |
2301 rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type, | |
2302 ssl3_ServerSendStatusRequestXtn
); | |
2303 return rv; | |
2304 } | |
2305 | |
2306 /* This function runs in both the client and server. */ | |
2307 static SECStatus | |
2308 ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) | |
2309 { | |
2310 SECStatus rv = SECSuccess; | |
2311 PRUint32 len = 0; | |
2312 | |
2313 if (ss->firstHsDone) { | |
2314 len = ss->sec.isServer ? ss->ssl3.hs.finishedBytes | |
2315 : ss->ssl3.hs.finishedBytes * 2; | |
2316 } | |
2317 if (data->len != 1 + len || data->data[0] != len) { | |
2318 (void)ssl3_DecodeError(ss); | |
2319 return SECFailure; | |
2320 } | |
2321 if (len && NSS_SecureMemcmp(ss->ssl3.hs.finishedMsgs.data, | |
2322 data->data + 1, len)) { | |
2323 (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure); | |
2324 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); | |
2325 return SECFailure; | |
2326 } | |
2327 /* remember that we got this extension and it was correct. */ | |
2328 ss->peerRequestedProtection = 1; | |
2329 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | |
2330 if (ss->sec.isServer) { | |
2331 /* prepare to send back the appropriate response */ | |
2332 rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type, | |
2333 ssl3_SendRenegotiationInfoX
tn); | |
2334 } | |
2335 return rv; | |
2336 } | |
2337 | |
2338 static PRInt32 | |
2339 ssl3_ClientSendUseSRTPXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes) | |
2340 { | |
2341 PRUint32 ext_data_len; | |
2342 PRInt16 i; | |
2343 SECStatus rv; | |
2344 | |
2345 if (!ss) | |
2346 return 0; | |
2347 | |
2348 if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) | |
2349 return 0; /* Not relevant */ | |
2350 | |
2351 ext_data_len = 2 + 2 * ss->ssl3.dtlsSRTPCipherCount + 1; | |
2352 | |
2353 if (append && maxBytes >= 4 + ext_data_len) { | |
2354 /* Extension type */ | |
2355 rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2); | |
2356 if (rv != SECSuccess) | |
2357 return -1; | |
2358 /* Length of extension data */ | |
2359 rv = ssl3_AppendHandshakeNumber(ss, ext_data_len, 2); | |
2360 if (rv != SECSuccess) | |
2361 return -1; | |
2362 /* Length of the SRTP cipher list */ | |
2363 rv = ssl3_AppendHandshakeNumber(ss, | |
2364 2 * ss->ssl3.dtlsSRTPCipherCount, | |
2365 2); | |
2366 if (rv != SECSuccess) | |
2367 return -1; | |
2368 /* The SRTP ciphers */ | |
2369 for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) { | |
2370 rv = ssl3_AppendHandshakeNumber(ss, | |
2371 ss->ssl3.dtlsSRTPCiphers[i], | |
2372 2); | |
2373 } | |
2374 /* Empty MKI value */ | |
2375 ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); | |
2376 | |
2377 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | |
2378 ssl_use_srtp_xtn; | |
2379 } | |
2380 | |
2381 return 4 + ext_data_len; | |
2382 } | |
2383 | |
2384 static PRInt32 | |
2385 ssl3_ServerSendUseSRTPXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes) | |
2386 { | |
2387 SECStatus rv; | |
2388 | |
2389 /* Server side */ | |
2390 if (!append || maxBytes < 9) { | |
2391 return 9; | |
2392 } | |
2393 | |
2394 /* Extension type */ | |
2395 rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2); | |
2396 if (rv != SECSuccess) | |
2397 return -1; | |
2398 /* Length of extension data */ | |
2399 rv = ssl3_AppendHandshakeNumber(ss, 5, 2); | |
2400 if (rv != SECSuccess) | |
2401 return -1; | |
2402 /* Length of the SRTP cipher list */ | |
2403 rv = ssl3_AppendHandshakeNumber(ss, 2, 2); | |
2404 if (rv != SECSuccess) | |
2405 return -1; | |
2406 /* The selected cipher */ | |
2407 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.dtlsSRTPCipherSuite, 2); | |
2408 if (rv != SECSuccess) | |
2409 return -1; | |
2410 /* Empty MKI value */ | |
2411 ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); | |
2412 | |
2413 return 9; | |
2414 } | |
2415 | |
2416 static SECStatus | |
2417 ssl3_ClientHandleUseSRTPXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) | |
2418 { | |
2419 SECStatus rv; | |
2420 SECItem ciphers = { siBuffer, NULL, 0 }; | |
2421 PRUint16 i; | |
2422 PRUint16 cipher = 0; | |
2423 PRBool found = PR_FALSE; | |
2424 SECItem litem; | |
2425 | |
2426 if (!data->data || !data->len) { | |
2427 (void)ssl3_DecodeError(ss); | |
2428 return SECFailure; | |
2429 } | |
2430 | |
2431 /* Get the cipher list */ | |
2432 rv = ssl3_ConsumeHandshakeVariable(ss, &ciphers, 2, | |
2433 &data->data, &data->len); | |
2434 if (rv != SECSuccess) { | |
2435 return SECFailure; /* fatal alert already sent */ | |
2436 } | |
2437 /* Now check that the server has picked just 1 (i.e., len = 2) */ | |
2438 if (ciphers.len != 2) { | |
2439 (void)ssl3_DecodeError(ss); | |
2440 return SECFailure; | |
2441 } | |
2442 | |
2443 /* Get the selected cipher */ | |
2444 cipher = (ciphers.data[0] << 8) | ciphers.data[1]; | |
2445 | |
2446 /* Now check that this is one of the ciphers we offered */ | |
2447 for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) { | |
2448 if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) { | |
2449 found = PR_TRUE; | |
2450 break; | |
2451 } | |
2452 } | |
2453 | |
2454 if (!found) { | |
2455 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); | |
2456 PORT_SetError(SSL_ERROR_RX_MALFORMED_SERVER_HELLO); | |
2457 return SECFailure; | |
2458 } | |
2459 | |
2460 /* Get the srtp_mki value */ | |
2461 rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 1, | |
2462 &data->data, &data->len); | |
2463 if (rv != SECSuccess) { | |
2464 return SECFailure; /* alert already sent */ | |
2465 } | |
2466 | |
2467 /* We didn't offer an MKI, so this must be 0 length */ | |
2468 if (litem.len != 0) { | |
2469 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); | |
2470 PORT_SetError(SSL_ERROR_RX_MALFORMED_SERVER_HELLO); | |
2471 return SECFailure; | |
2472 } | |
2473 | |
2474 /* extra trailing bytes */ | |
2475 if (data->len != 0) { | |
2476 (void)ssl3_DecodeError(ss); | |
2477 return SECFailure; | |
2478 } | |
2479 | |
2480 /* OK, this looks fine. */ | |
2481 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn; | |
2482 ss->ssl3.dtlsSRTPCipherSuite = cipher; | |
2483 return SECSuccess; | |
2484 } | |
2485 | |
2486 static SECStatus | |
2487 ssl3_ServerHandleUseSRTPXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) | |
2488 { | |
2489 SECStatus rv; | |
2490 SECItem ciphers = { siBuffer, NULL, 0 }; | |
2491 PRUint16 i; | |
2492 unsigned int j; | |
2493 PRUint16 cipher = 0; | |
2494 PRBool found = PR_FALSE; | |
2495 SECItem litem; | |
2496 | |
2497 if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) { | |
2498 /* Ignore the extension if we aren't doing DTLS or no DTLS-SRTP | |
2499 * preferences have been set. */ | |
2500 return SECSuccess; | |
2501 } | |
2502 | |
2503 if (!data->data || data->len < 5) { | |
2504 (void)ssl3_DecodeError(ss); | |
2505 return SECFailure; | |
2506 } | |
2507 | |
2508 /* Get the cipher list */ | |
2509 rv = ssl3_ConsumeHandshakeVariable(ss, &ciphers, 2, | |
2510 &data->data, &data->len); | |
2511 if (rv != SECSuccess) { | |
2512 return SECFailure; /* alert already sent */ | |
2513 } | |
2514 /* Check that the list is even length */ | |
2515 if (ciphers.len % 2) { | |
2516 (void)ssl3_DecodeError(ss); | |
2517 return SECFailure; | |
2518 } | |
2519 | |
2520 /* Walk through the offered list and pick the most preferred of our | |
2521 * ciphers, if any */ | |
2522 for (i = 0; !found && i < ss->ssl3.dtlsSRTPCipherCount; i++) { | |
2523 for (j = 0; j + 1 < ciphers.len; j += 2) { | |
2524 cipher = (ciphers.data[j] << 8) | ciphers.data[j + 1]; | |
2525 if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) { | |
2526 found = PR_TRUE; | |
2527 break; | |
2528 } | |
2529 } | |
2530 } | |
2531 | |
2532 /* Get the srtp_mki value */ | |
2533 rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 1, &data->data, &data->len); | |
2534 if (rv != SECSuccess) { | |
2535 return SECFailure; | |
2536 } | |
2537 | |
2538 if (data->len != 0) { | |
2539 (void)ssl3_DecodeError(ss); /* trailing bytes */ | |
2540 return SECFailure; | |
2541 } | |
2542 | |
2543 /* Now figure out what to do */ | |
2544 if (!found) { | |
2545 /* No matching ciphers, pretend we don't support use_srtp */ | |
2546 return SECSuccess; | |
2547 } | |
2548 | |
2549 /* OK, we have a valid cipher and we've selected it */ | |
2550 ss->ssl3.dtlsSRTPCipherSuite = cipher; | |
2551 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn; | |
2552 | |
2553 return ssl3_RegisterServerHelloExtensionSender(ss, ssl_use_srtp_xtn, | |
2554 ssl3_ServerSendUseSRTPXtn); | |
2555 } | |
2556 | |
2557 /* ssl3_ServerHandleSigAlgsXtn handles the signature_algorithms extension | |
2558 * from a client. | |
2559 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ | |
2560 static SECStatus | |
2561 ssl3_ServerHandleSigAlgsXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) | |
2562 { | |
2563 SECStatus rv; | |
2564 SECItem algorithms; | |
2565 const unsigned char *b; | |
2566 unsigned int numAlgorithms, i; | |
2567 | |
2568 /* Ignore this extension if we aren't doing TLS 1.2 or greater. */ | |
2569 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) { | |
2570 return SECSuccess; | |
2571 } | |
2572 | |
2573 rv = ssl3_ConsumeHandshakeVariable(ss, &algorithms, 2, &data->data, | |
2574 &data->len); | |
2575 if (rv != SECSuccess) { | |
2576 return SECFailure; | |
2577 } | |
2578 /* Trailing data, empty value, or odd-length value is invalid. */ | |
2579 if (data->len != 0 || algorithms.len == 0 || (algorithms.len & 1) != 0) { | |
2580 (void)SSL3_SendAlert(ss, alert_fatal, decode_error); | |
2581 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); | |
2582 return SECFailure; | |
2583 } | |
2584 | |
2585 numAlgorithms = algorithms.len / 2; | |
2586 | |
2587 /* We don't care to process excessive numbers of algorithms. */ | |
2588 if (numAlgorithms > 512) { | |
2589 numAlgorithms = 512; | |
2590 } | |
2591 | |
2592 ss->ssl3.hs.clientSigAndHash = | |
2593 PORT_NewArray(SSLSignatureAndHashAlg, numAlgorithms); | |
2594 if (!ss->ssl3.hs.clientSigAndHash) { | |
2595 (void)SSL3_SendAlert(ss, alert_fatal, internal_error); | |
2596 PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); | |
2597 return SECFailure; | |
2598 } | |
2599 ss->ssl3.hs.numClientSigAndHash = 0; | |
2600 | |
2601 b = algorithms.data; | |
2602 ss->ssl3.hs.numClientSigAndHash = 0; | |
2603 for (i = 0; i < numAlgorithms; i++) { | |
2604 SSLSignatureAndHashAlg *sigAndHash = | |
2605 &ss->ssl3.hs.clientSigAndHash[ss->ssl3.hs.numClientSigAndHash]; | |
2606 sigAndHash->hashAlg = (SSLHashType) * (b++); | |
2607 sigAndHash->sigAlg = (SSLSignType) * (b++); | |
2608 if (ssl3_IsSupportedSignatureAlgorithm(sigAndHash)) { | |
2609 ++ss->ssl3.hs.numClientSigAndHash; | |
2610 } | |
2611 } | |
2612 | |
2613 if (!ss->ssl3.hs.numClientSigAndHash) { | |
2614 /* We didn't understand any of the client's requested signature | |
2615 * formats. We'll use the defaults. */ | |
2616 PORT_Free(ss->ssl3.hs.clientSigAndHash); | |
2617 ss->ssl3.hs.clientSigAndHash = NULL; | |
2618 } | |
2619 | |
2620 /* Keep track of negotiated extensions. */ | |
2621 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | |
2622 return SECSuccess; | |
2623 } | |
2624 | |
2625 /* ssl3_ClientSendSigAlgsXtn sends the signature_algorithm extension for TLS | |
2626 * 1.2 ClientHellos. */ | |
2627 static PRInt32 | |
2628 ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes) | |
2629 { | |
2630 PRInt32 extension_length; | |
2631 unsigned int i; | |
2632 PRInt32 pos = 0; | |
2633 PRUint32 policy; | |
2634 PRUint8 buf[MAX_SIGNATURE_ALGORITHMS * 2]; | |
2635 | |
2636 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) { | |
2637 return 0; | |
2638 } | |
2639 | |
2640 for (i = 0; i < ss->ssl3.signatureAlgorithmCount; i++) { | |
2641 SECOidTag hashOID = ssl3_TLSHashAlgorithmToOID( | |
2642 ss->ssl3.signatureAlgorithms[i].hashAlg); | |
2643 if ((NSS_GetAlgorithmPolicy(hashOID, &policy) != SECSuccess) || | |
2644 (policy & NSS_USE_ALG_IN_SSL_KX)) { | |
2645 buf[pos++] = ss->ssl3.signatureAlgorithms[i].hashAlg; | |
2646 buf[pos++] = ss->ssl3.signatureAlgorithms[i].sigAlg; | |
2647 } | |
2648 } | |
2649 | |
2650 extension_length = | |
2651 2 /* extension type */ + | |
2652 2 /* extension length */ + | |
2653 2 /* supported_signature_algorithms length */ + | |
2654 pos; | |
2655 | |
2656 if (maxBytes < extension_length) { | |
2657 PORT_Assert(0); | |
2658 return 0; | |
2659 } | |
2660 | |
2661 if (append) { | |
2662 SECStatus rv; | |
2663 rv = ssl3_AppendHandshakeNumber(ss, ssl_signature_algorithms_xtn, 2); | |
2664 if (rv != SECSuccess) { | |
2665 return -1; | |
2666 } | |
2667 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); | |
2668 if (rv != SECSuccess) { | |
2669 return -1; | |
2670 } | |
2671 | |
2672 rv = ssl3_AppendHandshakeVariable(ss, buf, extension_length - 6, 2); | |
2673 if (rv != SECSuccess) { | |
2674 return -1; | |
2675 } | |
2676 | |
2677 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | |
2678 ssl_signature_algorithms_xtn; | |
2679 } | |
2680 | |
2681 return extension_length; | |
2682 } | |
2683 | |
2684 unsigned int | |
2685 ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength) | |
2686 { | |
2687 unsigned int recordLength = 1 /* handshake message type */ + | |
2688 3 /* handshake message length */ + | |
2689 clientHelloLength; | |
2690 unsigned int extensionLength; | |
2691 | |
2692 if (recordLength < 256 || recordLength >= 512) { | |
2693 return 0; | |
2694 } | |
2695 | |
2696 extensionLength = 512 - recordLength; | |
2697 /* Extensions take at least four bytes to encode. Always include at least | |
2698 * one byte of data if including the extension. WebSphere Application | |
2699 * Server 7.0 is intolerant to the last extension being zero-length. */ | |
2700 if (extensionLength < 4 + 1) { | |
2701 extensionLength = 4 + 1; | |
2702 } | |
2703 | |
2704 return extensionLength; | |
2705 } | |
2706 | |
2707 /* ssl3_AppendPaddingExtension possibly adds an extension which ensures that a | |
2708 * ClientHello record is either < 256 bytes or is >= 512 bytes. This ensures | |
2709 * that we don't trigger bugs in F5 products. */ | |
2710 PRInt32 | |
2711 ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen, | |
2712 PRUint32 maxBytes) | |
2713 { | |
2714 unsigned int paddingLen = extensionLen - 4; | |
2715 static unsigned char padding[256]; | |
2716 | |
2717 if (extensionLen == 0) { | |
2718 return 0; | |
2719 } | |
2720 | |
2721 if (extensionLen < 4 || | |
2722 extensionLen > maxBytes || | |
2723 paddingLen > sizeof(padding)) { | |
2724 PORT_Assert(0); | |
2725 return -1; | |
2726 } | |
2727 | |
2728 if (SECSuccess != ssl3_AppendHandshakeNumber(ss, ssl_padding_xtn, 2)) | |
2729 return -1; | |
2730 if (SECSuccess != ssl3_AppendHandshakeNumber(ss, paddingLen, 2)) | |
2731 return -1; | |
2732 if (SECSuccess != ssl3_AppendHandshake(ss, padding, paddingLen)) | |
2733 return -1; | |
2734 | |
2735 return extensionLen; | |
2736 } | |
2737 | |
2738 /* ssl3_ClientSendDraftVersionXtn sends the TLS 1.3 temporary draft | |
2739 * version extension. | |
2740 * TODO(ekr@rtfm.com): Remove when TLS 1.3 is published. */ | |
2741 static PRInt32 | |
2742 ssl3_ClientSendDraftVersionXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes) | |
2743 { | |
2744 PRInt32 extension_length; | |
2745 | |
2746 if (ss->version != SSL_LIBRARY_VERSION_TLS_1_3) { | |
2747 return 0; | |
2748 } | |
2749 | |
2750 extension_length = 6; /* Type + length + number */ | |
2751 if (maxBytes < (PRUint32)extension_length) { | |
2752 PORT_Assert(0); | |
2753 return 0; | |
2754 } | |
2755 if (append) { | |
2756 SECStatus rv; | |
2757 rv = ssl3_AppendHandshakeNumber(ss, ssl_tls13_draft_version_xtn, 2); | |
2758 if (rv != SECSuccess) | |
2759 goto loser; | |
2760 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); | |
2761 if (rv != SECSuccess) | |
2762 goto loser; | |
2763 rv = ssl3_AppendHandshakeNumber(ss, TLS_1_3_DRAFT_VERSION, 2); | |
2764 if (rv != SECSuccess) | |
2765 goto loser; | |
2766 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | |
2767 ssl_tls13_draft_version_xtn; | |
2768 } | |
2769 | |
2770 return extension_length; | |
2771 | |
2772 loser: | |
2773 return -1; | |
2774 } | |
2775 | |
2776 /* ssl3_ServerHandleDraftVersionXtn handles the TLS 1.3 temporary draft | |
2777 * version extension. | |
2778 * TODO(ekr@rtfm.com): Remove when TLS 1.3 is published. */ | |
2779 static SECStatus | |
2780 ssl3_ServerHandleDraftVersionXtn(sslSocket *ss, PRUint16 ex_type, | |
2781 SECItem *data) | |
2782 { | |
2783 PRInt32 draft_version; | |
2784 | |
2785 /* Ignore this extension if we aren't doing TLS 1.3 */ | |
2786 if (ss->version != SSL_LIBRARY_VERSION_TLS_1_3) { | |
2787 return SECSuccess; | |
2788 } | |
2789 | |
2790 if (data->len != 2) { | |
2791 (void)ssl3_DecodeError(ss); | |
2792 return SECFailure; | |
2793 } | |
2794 | |
2795 /* Get the draft version out of the handshake */ | |
2796 draft_version = ssl3_ConsumeHandshakeNumber(ss, 2, | |
2797 &data->data, &data->len); | |
2798 if (draft_version < 0) { | |
2799 return SECFailure; | |
2800 } | |
2801 | |
2802 /* Keep track of negotiated extensions. */ | |
2803 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | |
2804 | |
2805 if (draft_version != TLS_1_3_DRAFT_VERSION) { | |
2806 /* | |
2807 * Incompatible/broken TLS 1.3 implementation. Fall back to TLS 1.2. | |
2808 * TODO(ekr@rtfm.com): It's not entirely clear it's safe to roll back | |
2809 * here. Need to double-check. | |
2810 */ | |
2811 SSL_TRC(30, ("%d: SSL3[%d]: Incompatible version of TLS 1.3 (%d), " | |
2812 "expected %d", | |
2813 SSL_GETPID(), ss->fd, draft_version, TLS_1_3_DRAFT_VERSION)
); | |
2814 ss->version = SSL_LIBRARY_VERSION_TLS_1_2; | |
2815 } | |
2816 | |
2817 return SECSuccess; | |
2818 } | |
2819 | |
2820 static PRInt32 | |
2821 ssl3_SendExtendedMasterSecretXtn(sslSocket *ss, PRBool append, | |
2822 PRUint32 maxBytes) | |
2823 { | |
2824 PRInt32 extension_length; | |
2825 | |
2826 if (!ss->opt.enableExtendedMS) { | |
2827 return 0; | |
2828 } | |
2829 | |
2830 #ifndef NO_PKCS11_BYPASS | |
2831 /* Extended MS can only be used w/o bypass mode */ | |
2832 if (ss->opt.bypassPKCS11) { | |
2833 PORT_Assert(0); | |
2834 PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); | |
2835 return -1; | |
2836 } | |
2837 #endif | |
2838 | |
2839 /* Always send the extension in this function, since the | |
2840 * client always sends it and this function is only called on | |
2841 * the server if we negotiated the extension. */ | |
2842 extension_length = 4; /* Type + length (0) */ | |
2843 if (maxBytes < extension_length) { | |
2844 PORT_Assert(0); | |
2845 return 0; | |
2846 } | |
2847 | |
2848 if (append) { | |
2849 SECStatus rv; | |
2850 rv = ssl3_AppendHandshakeNumber(ss, ssl_extended_master_secret_xtn, 2); | |
2851 if (rv != SECSuccess) | |
2852 goto loser; | |
2853 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); | |
2854 if (rv != SECSuccess) | |
2855 goto loser; | |
2856 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | |
2857 ssl_extended_master_secret_xtn; | |
2858 } | |
2859 | |
2860 return extension_length; | |
2861 | |
2862 loser: | |
2863 return -1; | |
2864 } | |
2865 | |
2866 static SECStatus | |
2867 ssl3_HandleExtendedMasterSecretXtn(sslSocket *ss, PRUint16 ex_type, | |
2868 SECItem *data) | |
2869 { | |
2870 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_0) { | |
2871 return SECSuccess; | |
2872 } | |
2873 | |
2874 if (!ss->opt.enableExtendedMS) { | |
2875 return SECSuccess; | |
2876 } | |
2877 | |
2878 #ifndef NO_PKCS11_BYPASS | |
2879 /* Extended MS can only be used w/o bypass mode */ | |
2880 if (ss->opt.bypassPKCS11) { | |
2881 PORT_Assert(0); | |
2882 PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); | |
2883 return SECFailure; | |
2884 } | |
2885 #endif | |
2886 | |
2887 if (data->len != 0) { | |
2888 SSL_TRC(30, ("%d: SSL3[%d]: Bogus extended master secret extension", | |
2889 SSL_GETPID(), ss->fd)); | |
2890 return SECFailure; | |
2891 } | |
2892 | |
2893 SSL_DBG(("%d: SSL[%d]: Negotiated extended master secret extension.", | |
2894 SSL_GETPID(), ss->fd)); | |
2895 | |
2896 /* Keep track of negotiated extensions. */ | |
2897 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | |
2898 | |
2899 if (ss->sec.isServer) { | |
2900 return ssl3_RegisterServerHelloExtensionSender( | |
2901 ss, ex_type, ssl3_SendExtendedMasterSecretXtn); | |
2902 } | |
2903 return SECSuccess; | |
2904 } | |
2905 | |
2906 /* ssl3_ClientSendSignedCertTimestampXtn sends the signed_certificate_timestamp | |
2907 * extension for TLS ClientHellos. */ | |
2908 static PRInt32 | |
2909 ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, PRBool append, | |
2910 PRUint32 maxBytes) | |
2911 { | |
2912 PRInt32 extension_length = 2 /* extension_type */ + | |
2913 2 /* length(extension_data) */; | |
2914 | |
2915 /* Only send the extension if processing is enabled. */ | |
2916 if (!ss->opt.enableSignedCertTimestamps) | |
2917 return 0; | |
2918 | |
2919 if (append && maxBytes >= extension_length) { | |
2920 SECStatus rv; | |
2921 /* extension_type */ | |
2922 rv = ssl3_AppendHandshakeNumber(ss, | |
2923 ssl_signed_cert_timestamp_xtn, | |
2924 2); | |
2925 if (rv != SECSuccess) | |
2926 goto loser; | |
2927 /* zero length */ | |
2928 rv = ssl3_AppendHandshakeNumber(ss, 0, 2); | |
2929 if (rv != SECSuccess) | |
2930 goto loser; | |
2931 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | |
2932 ssl_signed_cert_timestamp_xtn; | |
2933 } else if (maxBytes < extension_length) { | |
2934 PORT_Assert(0); | |
2935 return 0; | |
2936 } | |
2937 | |
2938 return extension_length; | |
2939 loser: | |
2940 return -1; | |
2941 } | |
2942 | |
2943 static SECStatus | |
2944 ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, PRUint16 ex_type, | |
2945 SECItem *data) | |
2946 { | |
2947 /* We do not yet know whether we'll be resuming a session or creating | |
2948 * a new one, so we keep a pointer to the data in the TLSExtensionData | |
2949 * structure. This pointer is only valid in the scope of | |
2950 * ssl3_HandleServerHello, and, if not resuming a session, the data is | |
2951 * copied once a new session structure has been set up. | |
2952 * All parsing is currently left to the application and we accept | |
2953 * everything, including empty data. | |
2954 */ | |
2955 SECItem *scts = &ss->xtnData.signedCertTimestamps; | |
2956 PORT_Assert(!scts->data && !scts->len); | |
2957 | |
2958 if (!data->len) { | |
2959 /* Empty extension data: RFC 6962 mandates non-empty contents. */ | |
2960 return SECFailure; | |
2961 } | |
2962 *scts = *data; | |
2963 /* Keep track of negotiated extensions. */ | |
2964 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | |
2965 return SECSuccess; | |
2966 } | |
2967 | |
2968 static PRInt32 | |
2969 ssl3_ServerSendSignedCertTimestampXtn(sslSocket *ss, | |
2970 PRBool append, | |
2971 PRUint32 maxBytes) | |
2972 { | |
2973 PRInt32 extension_length; | |
2974 SSLKEAType effectiveExchKeyType; | |
2975 const SECItem *scts; | |
2976 | |
2977 if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa || | |
2978 ss->ssl3.hs.kea_def->kea == kea_dhe_rsa) { | |
2979 effectiveExchKeyType = ssl_kea_rsa; | |
2980 } else { | |
2981 effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType; | |
2982 } | |
2983 | |
2984 scts = &ss->signedCertTimestamps[effectiveExchKeyType]; | |
2985 | |
2986 if (!scts->len) { | |
2987 /* No timestamps to send */ | |
2988 return 0; | |
2989 } | |
2990 | |
2991 extension_length = 2 /* extension_type */ + | |
2992 2 /* length(extension_data) */ + | |
2993 scts->len; | |
2994 | |
2995 if (maxBytes < extension_length) { | |
2996 PORT_Assert(0); | |
2997 return 0; | |
2998 } | |
2999 if (append) { | |
3000 SECStatus rv; | |
3001 /* extension_type */ | |
3002 rv = ssl3_AppendHandshakeNumber(ss, | |
3003 ssl_signed_cert_timestamp_xtn, | |
3004 2); | |
3005 if (rv != SECSuccess) | |
3006 goto loser; | |
3007 /* extension_data */ | |
3008 rv = ssl3_AppendHandshakeVariable(ss, scts->data, scts->len, 2); | |
3009 if (rv != SECSuccess) | |
3010 goto loser; | |
3011 } | |
3012 | |
3013 return extension_length; | |
3014 | |
3015 loser: | |
3016 return -1; | |
3017 } | |
3018 | |
3019 static SECStatus | |
3020 ssl3_ServerHandleSignedCertTimestampXtn(sslSocket *ss, PRUint16 ex_type, | |
3021 SECItem *data) | |
3022 { | |
3023 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | |
3024 PORT_Assert(ss->sec.isServer); | |
3025 return ssl3_RegisterServerHelloExtensionSender(ss, ex_type, | |
3026 ssl3_ServerSendSignedCertTime
stampXtn); | |
3027 } | |
3028 | |
3029 /* | |
3030 * [draft-ietf-tls-tls13-11] Section 6.3.2.3. | |
3031 * | |
3032 * struct { | |
3033 * NamedGroup group; | |
3034 * opaque key_exchange<1..2^16-1>; | |
3035 * } KeyShareEntry; | |
3036 * | |
3037 * struct { | |
3038 * select (role) { | |
3039 * case client: | |
3040 * KeyShareEntry client_shares<4..2^16-1>; | |
3041 * | |
3042 * case server: | |
3043 * KeyShareEntry server_share; | |
3044 * } | |
3045 * } KeyShare; | |
3046 */ | |
3047 static SECStatus | |
3048 tls13_SizeOfKeyShareEntry(ssl3KeyPair *pair) | |
3049 { | |
3050 return 2 + 2 + tls13_SizeOfECDHEKeyShareKEX(pair); | |
3051 } | |
3052 | |
3053 static SECStatus | |
3054 tls13_EncodeKeyShareEntry(sslSocket *ss, ssl3KeyPair *pair) | |
3055 { | |
3056 SECStatus rv; | |
3057 | |
3058 /* This currently only works for ECC keys */ | |
3059 PORT_Assert(pair->pubKey->keyType == ecKey); | |
3060 if (pair->pubKey->keyType != ecKey) { | |
3061 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | |
3062 return SECFailure; | |
3063 } | |
3064 | |
3065 rv = ssl3_AppendHandshakeNumber(ss, tls13_GroupForECDHEKeyShare(pair), 2); | |
3066 if (rv != SECSuccess) | |
3067 return rv; | |
3068 | |
3069 rv = ssl3_AppendHandshakeNumber(ss, tls13_SizeOfECDHEKeyShareKEX(pair), 2); | |
3070 if (rv != SECSuccess) | |
3071 return rv; | |
3072 | |
3073 rv = tls13_EncodeECDHEKeyShareKEX(ss, pair); | |
3074 if (rv != SECSuccess) | |
3075 return rv; | |
3076 | |
3077 return SECSuccess; | |
3078 } | |
3079 | |
3080 static PRInt32 | |
3081 tls13_ClientSendKeyShareXtn(sslSocket *ss, PRBool append, | |
3082 PRUint32 maxBytes) | |
3083 { | |
3084 SECStatus rv; | |
3085 PRUint32 entry_length; | |
3086 PRUint32 extension_length; | |
3087 | |
3088 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { | |
3089 return 0; | |
3090 } | |
3091 | |
3092 /* Optimistically try to send an ECDHE key using the | |
3093 * preexisting key (in future will be keys) */ | |
3094 SSL_TRC(3, ("%d: TLS13[%d]: send client key share xtn", | |
3095 SSL_GETPID(), ss->fd)); | |
3096 | |
3097 entry_length = tls13_SizeOfKeyShareEntry(ss->ephemeralECDHKeyPair); | |
3098 /* Type + length + vector_length + entry */ | |
3099 extension_length = 2 + 2 + 2 + entry_length; | |
3100 | |
3101 if (maxBytes < extension_length) { | |
3102 PORT_Assert(0); | |
3103 return 0; | |
3104 } | |
3105 | |
3106 if (append) { | |
3107 rv = ssl3_AppendHandshakeNumber(ss, ssl_tls13_key_share_xtn, 2); | |
3108 if (rv != SECSuccess) | |
3109 goto loser; | |
3110 rv = ssl3_AppendHandshakeNumber(ss, entry_length + 2, 2); /* Extension l
ength */ | |
3111 if (rv != SECSuccess) | |
3112 goto loser; | |
3113 rv = ssl3_AppendHandshakeNumber(ss, entry_length, 2); /* Vector length *
/ | |
3114 if (rv != SECSuccess) | |
3115 goto loser; | |
3116 rv = tls13_EncodeKeyShareEntry(ss, ss->ephemeralECDHKeyPair); | |
3117 if (rv != SECSuccess) | |
3118 goto loser; | |
3119 | |
3120 ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | |
3121 ssl_tls13_key_share_xtn; | |
3122 } | |
3123 | |
3124 return extension_length; | |
3125 | |
3126 loser: | |
3127 return -1; | |
3128 } | |
3129 | |
3130 static SECStatus | |
3131 tls13_HandleKeyShareEntry(sslSocket *ss, SECItem *data) | |
3132 { | |
3133 SECStatus rv; | |
3134 PRInt32 group; | |
3135 TLS13KeyShareEntry *ks = NULL; | |
3136 SECItem share = { siBuffer, NULL, 0 }; | |
3137 | |
3138 group = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len); | |
3139 if (group < 0) { | |
3140 PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE); | |
3141 goto loser; | |
3142 } | |
3143 | |
3144 rv = ssl3_ConsumeHandshakeVariable(ss, &share, 2, &data->data, | |
3145 &data->len); | |
3146 if (rv != SECSuccess) | |
3147 goto loser; | |
3148 | |
3149 ks = PORT_ZNew(TLS13KeyShareEntry); | |
3150 if (!ks) | |
3151 goto loser; | |
3152 ks->group = group; | |
3153 | |
3154 rv = SECITEM_CopyItem(NULL, &ks->key_exchange, &share); | |
3155 if (rv != SECSuccess) | |
3156 goto loser; | |
3157 | |
3158 PR_APPEND_LINK(&ks->link, &ss->ssl3.hs.remoteKeyShares); | |
3159 return SECSuccess; | |
3160 | |
3161 loser: | |
3162 if (ks) | |
3163 tls13_DestroyKeyShareEntry(ks); | |
3164 return SECFailure; | |
3165 } | |
3166 | |
3167 /* Handle an incoming KeyShare extension at the client and copy to | |
3168 * |ss->ssl3.hs.remoteKeyShares| for future use. The key | |
3169 * share is processed in tls13_HandleServerKeyShare(). */ | |
3170 static SECStatus | |
3171 tls13_ClientHandleKeyShareXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) | |
3172 { | |
3173 SECStatus rv; | |
3174 | |
3175 PORT_Assert(!ss->sec.isServer); | |
3176 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { | |
3177 /* This can't happen because the extension processing | |
3178 * code filters out TLS 1.3 extensions when not in | |
3179 * TLS 1.3 mode. */ | |
3180 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | |
3181 return SECFailure; | |
3182 } | |
3183 | |
3184 SSL_TRC(3, ("%d: SSL3[%d]: handle key_share extension", | |
3185 SSL_GETPID(), ss->fd)); | |
3186 | |
3187 rv = tls13_HandleKeyShareEntry(ss, data); | |
3188 if (rv != SECSuccess) { | |
3189 PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE); | |
3190 return SECFailure; | |
3191 } | |
3192 | |
3193 if (data->len) { | |
3194 PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE); | |
3195 return SECFailure; | |
3196 } | |
3197 | |
3198 return SECSuccess; | |
3199 } | |
3200 | |
3201 /* Handle an incoming KeyShare extension at the server and copy to | |
3202 * |ss->ssl3.hs.remoteKeyShares| for future use. The key | |
3203 * share is processed in tls13_HandleClientKeyShare(). */ | |
3204 static SECStatus | |
3205 tls13_ServerHandleKeyShareXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) | |
3206 { | |
3207 SECStatus rv; | |
3208 PRInt32 length; | |
3209 | |
3210 PORT_Assert(ss->sec.isServer); | |
3211 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { | |
3212 return SECSuccess; | |
3213 } | |
3214 | |
3215 SSL_TRC(3, ("%d: SSL3[%d]: handle key_share extension", | |
3216 SSL_GETPID(), ss->fd)); | |
3217 | |
3218 /* Redundant length because of TLS encoding (this vector consumes | |
3219 * the entire extension.) */ | |
3220 length = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, | |
3221 &data->len); | |
3222 if (length < 0) | |
3223 goto loser; | |
3224 if (length != data->len) { | |
3225 /* Check for consistency */ | |
3226 PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE); | |
3227 goto loser; | |
3228 } | |
3229 | |
3230 while (data->len) { | |
3231 rv = tls13_HandleKeyShareEntry(ss, data); | |
3232 if (rv != SECSuccess) | |
3233 goto loser; | |
3234 } | |
3235 return SECSuccess; | |
3236 | |
3237 loser: | |
3238 tls13_DestroyKeyShares(&ss->ssl3.hs.remoteKeyShares); | |
3239 return SECFailure; | |
3240 } | |
3241 | |
3242 PRInt32 | |
3243 tls13_ServerSendKeyShareXtn(sslSocket *ss, PRBool append, | |
3244 PRUint32 maxBytes) | |
3245 { | |
3246 PRUint32 extension_length; | |
3247 PRUint32 entry_length; | |
3248 SECStatus rv; | |
3249 | |
3250 switch (ss->ssl3.hs.kea_def->exchKeyType) { | |
3251 #ifndef NSS_DISABLE_ECC | |
3252 case ssl_kea_ecdh: | |
3253 PORT_Assert(ss->ephemeralECDHKeyPair); | |
3254 break; | |
3255 #endif | |
3256 default: | |
3257 /* got an unknown or unsupported Key Exchange Algorithm. | |
3258 * Can't happen because tls13_HandleClientKeyShare | |
3259 * enforces that we are ssl_kea_ecdh. */ | |
3260 PORT_Assert(0); | |
3261 tls13_FatalError(ss, SEC_ERROR_UNSUPPORTED_KEYALG, internal_error); | |
3262 return SECFailure; | |
3263 } | |
3264 | |
3265 entry_length = tls13_SizeOfKeyShareEntry(ss->ephemeralECDHKeyPair); | |
3266 extension_length = 2 + 2 + entry_length; /* Type + length + entry_length */ | |
3267 if (maxBytes < extension_length) { | |
3268 PORT_Assert(0); | |
3269 return 0; | |
3270 } | |
3271 | |
3272 if (append) { | |
3273 rv = ssl3_AppendHandshakeNumber(ss, ssl_tls13_key_share_xtn, 2); | |
3274 if (rv != SECSuccess) | |
3275 goto loser; | |
3276 | |
3277 rv = ssl3_AppendHandshakeNumber(ss, entry_length, 2); | |
3278 if (rv != SECSuccess) | |
3279 goto loser; | |
3280 | |
3281 rv = tls13_EncodeKeyShareEntry(ss, ss->ephemeralECDHKeyPair); | |
3282 if (rv != SECSuccess) | |
3283 goto loser; | |
3284 } | |
3285 | |
3286 return extension_length; | |
3287 | |
3288 loser: | |
3289 return -1; | |
3290 } | |
OLD | NEW |