mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
gecko-dev/security/nss/lib/ssl/ssl3exthandle.c

2273 строки
74 KiB
C
Исходник Ответственный История

/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
/*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "nssrenam.h"
#include "nss.h"
#include "ssl.h"
#include "sslproto.h"
#include "sslimpl.h"
#include "pk11pub.h"
#include "blapit.h"
#include "prinit.h"
#include "selfencrypt.h"
#include "ssl3encode.h"
#include "ssl3ext.h"
#include "ssl3exthandle.h"
#include "tls13exthandle.h" /* For tls13_ServerSendStatusRequestXtn. */
/* Format an SNI extension, using the name from the socket's URL,
* unless that name is a dotted decimal string.
* Used by client and server.
*/
PRInt32
ssl3_SendServerNameXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRBool append,
PRUint32 maxBytes)
{
SECStatus rv;
if (!ss)
return 0;
if (!ss->sec.isServer) {
PRUint32 len;
PRNetAddr netAddr;
/* must have a hostname */
if (!ss->url || !ss->url[0])
return 0;
/* must not be an IPv4 or IPv6 address */
if (PR_SUCCESS == PR_StringToNetAddr(ss->url, &netAddr)) {
/* is an IP address (v4 or v6) */
return 0;
}
len = PORT_Strlen(ss->url);
if (append && maxBytes >= len + 9) {
/* extension_type */
rv = ssl3_ExtAppendHandshakeNumber(ss, ssl_server_name_xtn, 2);
if (rv != SECSuccess)
return -1;
/* length of extension_data */
rv = ssl3_ExtAppendHandshakeNumber(ss, len + 5, 2);
if (rv != SECSuccess)
return -1;
/* length of server_name_list */
rv = ssl3_ExtAppendHandshakeNumber(ss, len + 3, 2);
if (rv != SECSuccess)
return -1;
/* Name Type (sni_host_name) */
rv = ssl3_ExtAppendHandshake(ss, "\0", 1);
if (rv != SECSuccess)
return -1;
/* HostName (length and value) */
rv = ssl3_ExtAppendHandshakeVariable(ss, (PRUint8 *)ss->url, len, 2);
if (rv != SECSuccess)
return -1;
if (!ss->sec.isServer) {
xtnData->advertised[xtnData->numAdvertised++] =
ssl_server_name_xtn;
}
}
return len + 9;
}
/* Server side */
if (append && maxBytes >= 4) {
rv = ssl3_ExtAppendHandshakeNumber(ss, ssl_server_name_xtn, 2);
if (rv != SECSuccess)
return -1;
/* length of extension_data */
rv = ssl3_ExtAppendHandshakeNumber(ss, 0, 2);
if (rv != SECSuccess)
return -1;
}
return 4;
}
/* Handle an incoming SNI extension. */
SECStatus
ssl3_HandleServerNameXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type, SECItem *data)
{
SECItem *names = NULL;
PRUint32 listLenBytes = 0;
SECStatus rv;
if (!ss->sec.isServer) {
return SECSuccess; /* ignore extension */
}
/* Server side - consume client data and register server sender. */
/* do not parse the data if don't have user extension handling function. */
if (!ss->sniSocketConfig) {
return SECSuccess;
}
/* length of server_name_list */
rv = ssl3_ExtConsumeHandshakeNumber(ss, &listLenBytes, 2, &data->data, &data->len);
if (rv != SECSuccess) {
goto loser; /* alert already sent */
}
if (listLenBytes == 0 || listLenBytes != data->len) {
goto alert_loser;
}
/* Read ServerNameList. */
while (data->len > 0) {
SECItem tmp;
PRUint32 type;
/* Read Name Type. */
rv = ssl3_ExtConsumeHandshakeNumber(ss, &type, 1, &data->data, &data->len);
if (rv != SECSuccess) {
/* alert sent in ConsumeHandshakeNumber */
goto loser;
}
/* Read ServerName (length and value). */
rv = ssl3_ExtConsumeHandshakeVariable(ss, &tmp, 2, &data->data, &data->len);
if (rv != SECSuccess) {
goto loser;
}
/* Record the value for host_name(0). */
if (type == sni_nametype_hostname) {
/* Fail if we encounter a second host_name entry. */
if (names) {
goto alert_loser;
}
/* Create an array for the only supported NameType. */
names = PORT_ZNewArray(SECItem, 1);
if (!names) {
goto loser;
}
/* Copy ServerName into the array. */
if (SECITEM_CopyItem(NULL, &names[0], &tmp) != SECSuccess) {
goto loser;
}
}
/* Even if we don't support NameTypes other than host_name at the
* moment, we continue parsing the whole list to check its validity.
* We do not check for duplicate entries with NameType != host_name(0).
*/
}
if (names) {
/* Free old and set the new data. */
ssl3_FreeSniNameArray(xtnData);
xtnData->sniNameArr = names;
xtnData->sniNameArrSize = 1;
xtnData->negotiated[xtnData->numNegotiated++] = ssl_server_name_xtn;
}
return SECSuccess;
alert_loser:
ssl3_ExtDecodeError(ss);
loser:
if (names) {
PORT_Free(names);
}
return SECFailure;
}
/* Frees a given xtnData->sniNameArr and its elements. */
void
ssl3_FreeSniNameArray(TLSExtensionData *xtnData)
{
PRUint32 i;
if (!xtnData->sniNameArr) {
return;
}
for (i = 0; i < xtnData->sniNameArrSize; i++) {
SECITEM_FreeItem(&xtnData->sniNameArr[i], PR_FALSE);
}
PORT_Free(xtnData->sniNameArr);
xtnData->sniNameArr = NULL;
xtnData->sniNameArrSize = 0;
}
/* Called by both clients and servers.
* Clients sends a filled in session ticket if one is available, and otherwise
* sends an empty ticket. Servers always send empty tickets.
*/
PRInt32
ssl3_SendSessionTicketXtn(
const sslSocket *ss,
TLSExtensionData *xtnData,
PRBool append,
PRUint32 maxBytes)
{
PRInt32 extension_length;
NewSessionTicket *session_ticket = NULL;
sslSessionID *sid = ss->sec.ci.sid;
/* Never send an extension with a ticket for TLS 1.3, but
* OK to send the empty one in case the server does 1.2. */
if (sid->cached == in_client_cache &&
sid->version >= SSL_LIBRARY_VERSION_TLS_1_3) {
return 0;
}
/* Ignore the SessionTicket extension if processing is disabled. */
if (!ss->opt.enableSessionTickets)
return 0;
/* Empty extension length = extension_type (2-bytes) +
* length(extension_data) (2-bytes)
*/
extension_length = 4;
/* If we are a client then send a session ticket if one is availble.
* Servers that support the extension and are willing to negotiate the
* the extension always respond with an empty extension.
*/
if (!ss->sec.isServer) {
/* The caller must be holding sid->u.ssl3.lock for reading. We cannot
* just acquire and release the lock within this function because the
* caller will call this function twice, and we need the inputs to be
* consistent between the two calls. Note that currently the caller
* will only be holding the lock when we are the client and when we're
* attempting to resume an existing session.
*/
session_ticket = &sid->u.ssl3.locked.sessionTicket;
if (session_ticket->ticket.data) {
if (xtnData->ticketTimestampVerified) {
extension_length += session_ticket->ticket.len;
} else if (!append && ssl_TicketTimeValid(session_ticket)) {
extension_length += session_ticket->ticket.len;
xtnData->ticketTimestampVerified = PR_TRUE;
}
}
}
if (maxBytes < (PRUint32)extension_length) {
PORT_Assert(0);
return 0;
}
if (append) {
SECStatus rv;
/* extension_type */
rv = ssl3_ExtAppendHandshakeNumber(ss, ssl_session_ticket_xtn, 2);
if (rv != SECSuccess)
goto loser;
if (session_ticket && session_ticket->ticket.data &&
xtnData->ticketTimestampVerified) {
rv = ssl3_ExtAppendHandshakeVariable(ss, session_ticket->ticket.data,
session_ticket->ticket.len, 2);
xtnData->ticketTimestampVerified = PR_FALSE;
xtnData->sentSessionTicketInClientHello = PR_TRUE;
} else {
rv = ssl3_ExtAppendHandshakeNumber(ss, 0, 2);
}
if (rv != SECSuccess)
goto loser;
if (!ss->sec.isServer) {
xtnData->advertised[xtnData->numAdvertised++] =
ssl_session_ticket_xtn;
}
}
return extension_length;
loser:
xtnData->ticketTimestampVerified = PR_FALSE;
return -1;
}
PRBool
ssl_AlpnTagAllowed(const sslSocket *ss, const SECItem *tag)
{
const unsigned char *data = ss->opt.nextProtoNego.data;
unsigned int length = ss->opt.nextProtoNego.len;
unsigned int offset = 0;
if (!tag->len)
return PR_TRUE;
while (offset < length) {
unsigned int taglen = (unsigned int)data[offset];
if ((taglen == tag->len) &&
!PORT_Memcmp(data + offset + 1, tag->data, tag->len))
return PR_TRUE;
offset += 1 + taglen;
}
return PR_FALSE;
}
/* handle an incoming Next Protocol Negotiation extension. */
SECStatus
ssl3_ServerHandleNextProtoNegoXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type,
SECItem *data)
{
if (ss->firstHsDone || data->len != 0) {
/* Clients MUST send an empty NPN extension, if any. */
PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
return SECFailure;
}
xtnData->negotiated[xtnData->numNegotiated++] = ex_type;
/* TODO: server side NPN support would require calling
* ssl3_RegisterServerHelloExtensionSender here in order to echo the
* extension back to the client. */
return SECSuccess;
}
/* ssl3_ValidateNextProtoNego checks that the given block of data is valid: none
* of the lengths may be 0 and the sum of the lengths must equal the length of
* the block. */
SECStatus
ssl3_ValidateNextProtoNego(const unsigned char *data, unsigned int length)
{
unsigned int offset = 0;
while (offset < length) {
unsigned int newOffset = offset + 1 + (unsigned int)data[offset];
/* Reject embedded nulls to protect against buggy applications that
* store protocol identifiers in null-terminated strings.
*/
if (newOffset > length || data[offset] == 0) {
return SECFailure;
}
offset = newOffset;
}
return SECSuccess;
}
/* protocol selection handler for ALPN (server side) and NPN (client side) */
static SECStatus
ssl3_SelectAppProtocol(const sslSocket *ss, TLSExtensionData *xtnData,
PRUint16 ex_type, SECItem *data)
{
SECStatus rv;
unsigned char resultBuffer[255];
SECItem result = { siBuffer, resultBuffer, 0 };
rv = ssl3_ValidateNextProtoNego(data->data, data->len);
if (rv != SECSuccess) {
ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
return rv;
}
PORT_Assert(ss->nextProtoCallback);
/* For ALPN, the cipher suite isn't selected yet. Note that extensions
* sometimes affect what cipher suite is selected, e.g., for ECC. */
PORT_Assert((ss->ssl3.hs.preliminaryInfo &
ssl_preinfo_all & ~ssl_preinfo_cipher_suite) ==
(ssl_preinfo_all & ~ssl_preinfo_cipher_suite));
rv = ss->nextProtoCallback(ss->nextProtoArg, ss->fd, data->data, data->len,
result.data, &result.len, sizeof(resultBuffer));
if (rv != SECSuccess) {
/* Expect callback to call PORT_SetError() */
ssl3_ExtSendAlert(ss, alert_fatal, internal_error);
return SECFailure;
}
/* If the callback wrote more than allowed to |result| it has corrupted our
* stack. */
if (result.len > sizeof(resultBuffer)) {
PORT_SetError(SEC_ERROR_OUTPUT_LEN);
/* TODO: crash */
return SECFailure;
}
SECITEM_FreeItem(&xtnData->nextProto, PR_FALSE);
if (ex_type == ssl_app_layer_protocol_xtn &&
xtnData->nextProtoState != SSL_NEXT_PROTO_NEGOTIATED) {
/* The callback might say OK, but then it picks a default value - one
* that was not listed. That's OK for NPN, but not ALPN. */
ssl3_ExtSendAlert(ss, alert_fatal, no_application_protocol);
PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL);
return SECFailure;
}
xtnData->negotiated[xtnData->numNegotiated++] = ex_type;
return SECITEM_CopyItem(NULL, &xtnData->nextProto, &result);
}
/* handle an incoming ALPN extension at the server */
SECStatus
ssl3_ServerHandleAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type, SECItem *data)
{
PRUint32 count;
SECStatus rv;
/* We expressly don't want to allow ALPN on renegotiation,
* despite it being permitted by the spec. */
if (ss->firstHsDone || data->len == 0) {
/* Clients MUST send a non-empty ALPN extension. */
ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
return SECFailure;
}
/* Unlike NPN, ALPN has extra redundant length information so that
* the extension is the same in both ClientHello and ServerHello. */
rv = ssl3_ExtConsumeHandshakeNumber(ss, &count, 2, &data->data, &data->len);
if (rv != SECSuccess || count != data->len) {
ssl3_ExtDecodeError(ss);
return SECFailure;
}
if (!ss->nextProtoCallback) {
/* we're not configured for it */
return SECSuccess;
}
rv = ssl3_SelectAppProtocol(ss, xtnData, ex_type, data);
if (rv != SECSuccess) {
return rv;
}
/* prepare to send back a response, if we negotiated */
if (xtnData->nextProtoState == SSL_NEXT_PROTO_NEGOTIATED) {
rv = ssl3_RegisterExtensionSender(
ss, xtnData, ex_type, ssl3_ServerSendAppProtoXtn);
if (rv != SECSuccess) {
ssl3_ExtSendAlert(ss, alert_fatal, internal_error);
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return rv;
}
}
return SECSuccess;
}
SECStatus
ssl3_ClientHandleNextProtoNegoXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type,
SECItem *data)
{
PORT_Assert(!ss->firstHsDone);
if (ssl3_ExtensionNegotiated(ss, ssl_app_layer_protocol_xtn)) {
/* If the server negotiated ALPN then it has already told us what
* protocol to use, so it doesn't make sense for us to try to negotiate
* a different one by sending the NPN handshake message. However, if
* we've negotiated NPN then we're required to send the NPN handshake
* message. Thus, these two extensions cannot both be negotiated on the
* same connection. */
ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
PORT_SetError(SSL_ERROR_BAD_SERVER);
return SECFailure;
}
/* We should only get this call if we sent the extension, so
* ss->nextProtoCallback needs to be non-NULL. However, it is possible
* that an application erroneously cleared the callback between the time
* we sent the ClientHello and now. */
if (!ss->nextProtoCallback) {
PORT_Assert(0);
ssl3_ExtSendAlert(ss, alert_fatal, internal_error);
PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK);
return SECFailure;
}
return ssl3_SelectAppProtocol(ss, xtnData, ex_type, data);
}
SECStatus
ssl3_ClientHandleAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type, SECItem *data)
{
SECStatus rv;
PRUint32 list_len;
SECItem protocol_name;
if (ssl3_ExtensionNegotiated(ss, ssl_next_proto_nego_xtn)) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
/* The extension data from the server has the following format:
* uint16 name_list_len;
* uint8 len; // where len >= 1
* uint8 protocol_name[len]; */
if (data->len < 4 || data->len > 2 + 1 + 255) {
ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
return SECFailure;
}
rv = ssl3_ExtConsumeHandshakeNumber(ss, &list_len, 2, &data->data,
&data->len);
/* The list has to be the entire extension. */
if (rv != SECSuccess || list_len != data->len) {
ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
return SECFailure;
}
rv = ssl3_ExtConsumeHandshakeVariable(ss, &protocol_name, 1,
&data->data, &data->len);
/* The list must have exactly one value. */
if (rv != SECSuccess || data->len != 0) {
ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
return SECFailure;
}
if (!ssl_AlpnTagAllowed(ss, &protocol_name)) {
ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
return SECFailure;
}
SECITEM_FreeItem(&xtnData->nextProto, PR_FALSE);
xtnData->nextProtoState = SSL_NEXT_PROTO_SELECTED;
xtnData->negotiated[xtnData->numNegotiated++] = ex_type;
return SECITEM_CopyItem(NULL, &xtnData->nextProto, &protocol_name);
}
PRInt32
ssl3_ClientSendNextProtoNegoXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRBool append,
PRUint32 maxBytes)
{
PRInt32 extension_length;
/* Renegotiations do not send this extension. */
if (!ss->opt.enableNPN || !ss->nextProtoCallback || ss->firstHsDone) {
return 0;
}
extension_length = 4;
if (maxBytes < (PRUint32)extension_length) {
return 0;
}
if (append) {
SECStatus rv;
rv = ssl3_ExtAppendHandshakeNumber(ss, ssl_next_proto_nego_xtn, 2);
if (rv != SECSuccess)
goto loser;
rv = ssl3_ExtAppendHandshakeNumber(ss, 0, 2);
if (rv != SECSuccess)
goto loser;
xtnData->advertised[xtnData->numAdvertised++] =
ssl_next_proto_nego_xtn;
}
return extension_length;
loser:
return -1;
}
PRInt32
ssl3_ClientSendAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRBool append, PRUint32 maxBytes)
{
PRInt32 extension_length;
unsigned char *alpn_protos = NULL;
/* Renegotiations do not send this extension. */
if (!ss->opt.enableALPN || !ss->opt.nextProtoNego.data || ss->firstHsDone) {
return 0;
}
extension_length = 2 /* extension type */ + 2 /* extension length */ +
2 /* protocol name list length */ +
ss->opt.nextProtoNego.len;
if (maxBytes < (PRUint32)extension_length) {
return 0;
}
if (append) {
/* NPN requires that the client's fallback protocol is first in the
* list. However, ALPN sends protocols in preference order. So we
* allocate a buffer and move the first protocol to the end of the
* list. */
SECStatus rv;
const unsigned int len = ss->opt.nextProtoNego.len;
alpn_protos = PORT_Alloc(len);
if (alpn_protos == NULL) {
return SECFailure;
}
if (len > 0) {
/* Each protocol string is prefixed with a single byte length. */
unsigned int i = ss->opt.nextProtoNego.data[0] + 1;
if (i <= len) {
memcpy(alpn_protos, &ss->opt.nextProtoNego.data[i], len - i);
memcpy(alpn_protos + len - i, ss->opt.nextProtoNego.data, i);
} else {
/* This seems to be invalid data so we'll send as-is. */
memcpy(alpn_protos, ss->opt.nextProtoNego.data, len);
}
}
rv = ssl3_ExtAppendHandshakeNumber(ss, ssl_app_layer_protocol_xtn, 2);
if (rv != SECSuccess) {
goto loser;
}
rv = ssl3_ExtAppendHandshakeNumber(ss, extension_length - 4, 2);
if (rv != SECSuccess) {
goto loser;
}
rv = ssl3_ExtAppendHandshakeVariable(ss, alpn_protos, len, 2);
PORT_Free(alpn_protos);
alpn_protos = NULL;
if (rv != SECSuccess) {
goto loser;
}
xtnData->advertised[xtnData->numAdvertised++] =
ssl_app_layer_protocol_xtn;
}
return extension_length;
loser:
if (alpn_protos) {
PORT_Free(alpn_protos);
}
return -1;
}
PRInt32
ssl3_ServerSendAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRBool append, PRUint32 maxBytes)
{
PRInt32 extension_length;
/* we're in over our heads if any of these fail */
PORT_Assert(ss->opt.enableALPN);
PORT_Assert(xtnData->nextProto.data);
PORT_Assert(xtnData->nextProto.len > 0);
PORT_Assert(xtnData->nextProtoState == SSL_NEXT_PROTO_NEGOTIATED);
PORT_Assert(!ss->firstHsDone);
extension_length = 2 /* extension type */ + 2 /* extension length */ +
2 /* protocol name list */ + 1 /* name length */ +
xtnData->nextProto.len;
if (maxBytes < (PRUint32)extension_length) {
return 0;
}
if (append) {
SECStatus rv;
rv = ssl3_ExtAppendHandshakeNumber(ss, ssl_app_layer_protocol_xtn, 2);
if (rv != SECSuccess) {
return -1;
}
rv = ssl3_ExtAppendHandshakeNumber(ss, extension_length - 4, 2);
if (rv != SECSuccess) {
return -1;
}
rv = ssl3_ExtAppendHandshakeNumber(ss, xtnData->nextProto.len + 1, 2);
if (rv != SECSuccess) {
return -1;
}
rv = ssl3_ExtAppendHandshakeVariable(ss, xtnData->nextProto.data,
xtnData->nextProto.len, 1);
if (rv != SECSuccess) {
return -1;
}
}
return extension_length;
}
SECStatus
ssl3_ServerHandleStatusRequestXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type,
SECItem *data)
{
ssl3HelloExtensionSenderFunc sender;
PORT_Assert(ss->sec.isServer);
/* remember that we got this extension. */
xtnData->negotiated[xtnData->numNegotiated++] = ex_type;
if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) {
sender = tls13_ServerSendStatusRequestXtn;
} else {
sender = ssl3_ServerSendStatusRequestXtn;
}
return ssl3_RegisterExtensionSender(ss, xtnData, ex_type, sender);
}
PRInt32
ssl3_ServerSendStatusRequestXtn(
const sslSocket *ss,
TLSExtensionData *xtnData,
PRBool append,
PRUint32 maxBytes)
{
PRInt32 extension_length;
const sslServerCert *serverCert = ss->sec.serverCert;
SECStatus rv;
if (!serverCert->certStatusArray ||
!serverCert->certStatusArray->len) {
return 0;
}
extension_length = 2 + 2;
if (maxBytes < (PRUint32)extension_length) {
return 0;
}
if (append) {
/* extension_type */
rv = ssl3_ExtAppendHandshakeNumber(ss, ssl_cert_status_xtn, 2);
if (rv != SECSuccess)
return -1;
/* length of extension_data */
rv = ssl3_ExtAppendHandshakeNumber(ss, 0, 2);
if (rv != SECSuccess)
return -1;
/* The certificate status data is sent in ssl3_SendCertificateStatus. */
}
return extension_length;
}
/* ssl3_ClientSendStatusRequestXtn builds the status_request extension on the
* client side. See RFC 6066 section 8. */
PRInt32
ssl3_ClientSendStatusRequestXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRBool append,
PRUint32 maxBytes)
{
PRInt32 extension_length;
if (!ss->opt.enableOCSPStapling)
return 0;
/* extension_type (2-bytes) +
* length(extension_data) (2-bytes) +
* status_type (1) +
* responder_id_list length (2) +
* request_extensions length (2)
*/
extension_length = 9;
if (maxBytes < (PRUint32)extension_length) {
PORT_Assert(0);
return 0;
}
if (append) {
SECStatus rv;
/* extension_type */
rv = ssl3_ExtAppendHandshakeNumber(ss, ssl_cert_status_xtn, 2);
if (rv != SECSuccess)
return -1;
rv = ssl3_ExtAppendHandshakeNumber(ss, extension_length - 4, 2);
if (rv != SECSuccess)
return -1;
rv = ssl3_ExtAppendHandshakeNumber(ss, 1 /* status_type ocsp */, 1);
if (rv != SECSuccess)
return -1;
/* A zero length responder_id_list means that the responders are
* implicitly known to the server. */
rv = ssl3_ExtAppendHandshakeNumber(ss, 0, 2);
if (rv != SECSuccess)
return -1;
/* A zero length request_extensions means that there are no extensions.
* Specifically, we don't set the id-pkix-ocsp-nonce extension. This
* means that the server can replay a cached OCSP response to us. */
rv = ssl3_ExtAppendHandshakeNumber(ss, 0, 2);
if (rv != SECSuccess)
return -1;
xtnData->advertised[xtnData->numAdvertised++] = ssl_cert_status_xtn;
}
return extension_length;
}
SECStatus
ssl3_ClientHandleStatusRequestXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type,
SECItem *data)
{
/* In TLS 1.3, the extension carries the OCSP response. */
if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) {
SECStatus rv;
rv = ssl_ReadCertificateStatus(CONST_CAST(sslSocket, ss),
data->data, data->len);
if (rv != SECSuccess) {
return SECFailure; /* code already set */
}
} else if (data->len != 0) {
ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
PORT_SetError(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
return SECFailure;
}
/* Keep track of negotiated extensions. */
xtnData->negotiated[xtnData->numNegotiated++] = ex_type;
return SECSuccess;
}
PRUint32 ssl_ticket_lifetime = 2 * 24 * 60 * 60; /* 2 days in seconds */
#define TLS_EX_SESS_TICKET_VERSION (0x0105)
/*
* Called from ssl3_SendNewSessionTicket, tls13_SendNewSessionTicket
*/
SECStatus
ssl3_EncodeSessionTicket(sslSocket *ss,
const NewSessionTicket *ticket,
SECItem *ticket_data)
{
SECStatus rv;
SECItem plaintext;
SECItem plaintext_item = { 0, NULL, 0 };
PRUint32 plaintext_length;
SECItem ticket_buf = { 0, NULL, 0 };
PRBool ms_is_wrapped;
unsigned char wrapped_ms[SSL3_MASTER_SECRET_LENGTH];
SECItem ms_item = { 0, NULL, 0 };
PRUint32 cert_length = 0;
PRUint32 now;
SECItem *srvName = NULL;
CK_MECHANISM_TYPE msWrapMech = 0; /* dummy default value,
* must be >= 0 */
ssl3CipherSpec *spec;
SECItem *alpnSelection = NULL;
SSL_TRC(3, ("%d: SSL3[%d]: send session_ticket handshake",
SSL_GETPID(), ss->fd));
PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
if (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) {
cert_length = 2 + ss->sec.ci.sid->peerCert->derCert.len;
}
if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) {
spec = ss->ssl3.cwSpec;
} else {
spec = ss->ssl3.pwSpec;
}
if (spec->msItem.len && spec->msItem.data) {
/* The master secret is available unwrapped. */
ms_item.data = spec->msItem.data;
ms_item.len = spec->msItem.len;
ms_is_wrapped = PR_FALSE;
} else {
/* Extract the master secret wrapped. */
sslSessionID sid;
PORT_Memset(&sid, 0, sizeof(sslSessionID));
rv = ssl3_CacheWrappedMasterSecret(ss, &sid, spec);
if (rv == SECSuccess) {
if (sid.u.ssl3.keys.wrapped_master_secret_len > sizeof(wrapped_ms))
goto loser;
memcpy(wrapped_ms, sid.u.ssl3.keys.wrapped_master_secret,
sid.u.ssl3.keys.wrapped_master_secret_len);
ms_item.data = wrapped_ms;
ms_item.len = sid.u.ssl3.keys.wrapped_master_secret_len;
msWrapMech = sid.u.ssl3.masterWrapMech;
} else {
/* TODO: else send an empty ticket. */
goto loser;
}
ms_is_wrapped = PR_TRUE;
}
/* Prep to send negotiated name */
srvName = &ss->sec.ci.sid->u.ssl3.srvName;
PORT_Assert(ss->xtnData.nextProtoState == SSL_NEXT_PROTO_SELECTED ||
ss->xtnData.nextProtoState == SSL_NEXT_PROTO_NEGOTIATED ||
ss->xtnData.nextProto.len == 0);
alpnSelection = &ss->xtnData.nextProto;
plaintext_length =
sizeof(PRUint16) /* ticket version */
+ sizeof(SSL3ProtocolVersion) /* ssl_version */
+ sizeof(ssl3CipherSuite) /* ciphersuite */
+ 1 /* compression */
+ 10 /* cipher spec parameters */
+ 1 /* certType arguments */
+ 1 /* SessionTicket.ms_is_wrapped */
+ 4 /* msWrapMech */
+ 2 /* master_secret.length */
+ ms_item.len /* master_secret */
+ 1 /* client_auth_type */
+ cert_length /* cert */
+ 2 + srvName->len /* name len + length field */
+ 1 /* extendedMasterSecretUsed */
+ sizeof(ticket->ticket_lifetime_hint) /* ticket lifetime hint */
+ sizeof(ticket->flags) /* ticket flags */
+ 1 + alpnSelection->len /* alpn value + length field */
+ 4; /* maxEarlyData */
if (SECITEM_AllocItem(NULL, &plaintext_item, plaintext_length) == NULL)
goto loser;
plaintext = plaintext_item;
/* ticket version */
rv = ssl3_AppendNumberToItem(&plaintext, TLS_EX_SESS_TICKET_VERSION,
sizeof(PRUint16));
if (rv != SECSuccess)
goto loser;
/* ssl_version */
rv = ssl3_AppendNumberToItem(&plaintext, ss->version,
sizeof(SSL3ProtocolVersion));
if (rv != SECSuccess)
goto loser;
/* ciphersuite */
rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.cipher_suite,
sizeof(ssl3CipherSuite));
if (rv != SECSuccess)
goto loser;
/* compression */
rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.compression, 1);
if (rv != SECSuccess)
goto loser;
/* cipher spec parameters */
rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authType, 1);
if (rv != SECSuccess)
goto loser;
rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authKeyBits, 4);
if (rv != SECSuccess)
goto loser;
rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaType, 1);
if (rv != SECSuccess)
goto loser;
rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaKeyBits, 4);
if (rv != SECSuccess)
goto loser;
/* certificate type */
PORT_Assert(SSL_CERT_IS(ss->sec.serverCert, ss->sec.authType));
if (SSL_CERT_IS_EC(ss->sec.serverCert)) {
const sslServerCert *cert = ss->sec.serverCert;
PORT_Assert(cert->namedCurve);
/* EC curves only use the second of the two bytes. */
PORT_Assert(cert->namedCurve->name < 256);
rv = ssl3_AppendNumberToItem(&plaintext, cert->namedCurve->name, 1);
} else {
rv = ssl3_AppendNumberToItem(&plaintext, 0, 1);
}
if (rv != SECSuccess)
goto loser;
/* master_secret */
rv = ssl3_AppendNumberToItem(&plaintext, ms_is_wrapped, 1);
if (rv != SECSuccess)
goto loser;
rv = ssl3_AppendNumberToItem(&plaintext, msWrapMech, 4);
if (rv != SECSuccess)
goto loser;
rv = ssl3_AppendNumberToItem(&plaintext, ms_item.len, 2);
if (rv != SECSuccess)
goto loser;
rv = ssl3_AppendToItem(&plaintext, ms_item.data, ms_item.len);
if (rv != SECSuccess)
goto loser;
/* client identity */
if (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) {
rv = ssl3_AppendNumberToItem(&plaintext, CLIENT_AUTH_CERTIFICATE, 1);
if (rv != SECSuccess)
goto loser;
rv = ssl3_AppendNumberToItem(&plaintext,
ss->sec.ci.sid->peerCert->derCert.len, 2);
if (rv != SECSuccess)
goto loser;
rv = ssl3_AppendToItem(&plaintext,
ss->sec.ci.sid->peerCert->derCert.data,
ss->sec.ci.sid->peerCert->derCert.len);
if (rv != SECSuccess)
goto loser;
} else {
rv = ssl3_AppendNumberToItem(&plaintext, 0, 1);
if (rv != SECSuccess)
goto loser;
}
/* timestamp */
now = ssl_Time();
rv = ssl3_AppendNumberToItem(&plaintext, now,
sizeof(ticket->ticket_lifetime_hint));
if (rv != SECSuccess)
goto loser;
/* HostName (length and value) */
rv = ssl3_AppendNumberToItem(&plaintext, srvName->len, 2);
if (rv != SECSuccess)
goto loser;
if (srvName->len) {
rv = ssl3_AppendToItem(&plaintext, srvName->data, srvName->len);
if (rv != SECSuccess)
goto loser;
}
/* extendedMasterSecretUsed */
rv = ssl3_AppendNumberToItem(
&plaintext, ss->sec.ci.sid->u.ssl3.keys.extendedMasterSecretUsed, 1);
if (rv != SECSuccess)
goto loser;
/* Flags */
rv = ssl3_AppendNumberToItem(&plaintext, ticket->flags,
sizeof(ticket->flags));
if (rv != SECSuccess)
goto loser;
/* ALPN value. */
PORT_Assert(alpnSelection->len < 256);
rv = ssl3_AppendNumberToItem(&plaintext, alpnSelection->len, 1);
if (rv != SECSuccess)
goto loser;
if (alpnSelection->len) {
rv = ssl3_AppendToItem(&plaintext, alpnSelection->data,
alpnSelection->len);
if (rv != SECSuccess)
goto loser;
}
rv = ssl3_AppendNumberToItem(&plaintext, ssl_max_early_data_size, 4);
if (rv != SECSuccess)
goto loser;
/* Check that we are totally full. */
PORT_Assert(plaintext.len == 0);
/* 128 just gives us enough room for overhead. */
if (SECITEM_AllocItem(NULL, &ticket_buf, plaintext_length + 128) == NULL) {
goto loser;
}
/* Finally, encrypt the ticket. */
rv = ssl_SelfEncryptProtect(ss, plaintext_item.data, plaintext_item.len,
ticket_buf.data, &ticket_buf.len, ticket_buf.len);
if (rv != SECSuccess) {
goto loser;
}
/* Give ownership of memory to caller. */
*ticket_data = ticket_buf;
SECITEM_FreeItem(&plaintext_item, PR_FALSE);
return SECSuccess;
loser:
if (plaintext_item.data) {
SECITEM_FreeItem(&plaintext_item, PR_FALSE);
}
if (ticket_buf.data) {
SECITEM_FreeItem(&ticket_buf, PR_FALSE);
}
return SECFailure;
}
/* When a client receives a SessionTicket extension a NewSessionTicket
* message is expected during the handshake.
*/
SECStatus
ssl3_ClientHandleSessionTicketXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type,
SECItem *data)
{
if (data->len != 0) {
return SECSuccess; /* Ignore the extension. */
}
/* Keep track of negotiated extensions. */
xtnData->negotiated[xtnData->numNegotiated++] = ex_type;
return SECSuccess;
}
static SECStatus
ssl_ParseSessionTicket(sslSocket *ss, const SECItem *decryptedTicket,
SessionTicket *parsedTicket)
{
PRUint32 temp;
SECStatus rv;
PRUint8 *buffer = decryptedTicket->data;
unsigned int len = decryptedTicket->len;
PORT_Memset(parsedTicket, 0, sizeof(*parsedTicket));
parsedTicket->valid = PR_FALSE;
/* If the decrypted ticket is empty, then report success, but leave the
* ticket marked as invalid. */
if (decryptedTicket->len == 0) {
return SECSuccess;
}
/* Read ticket version. */
rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 2, &buffer, &len);
if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
/* Skip the ticket if the version is wrong. This won't result in a
* handshake failure, just a failure to resume. */
if (temp != TLS_EX_SESS_TICKET_VERSION) {
return SECSuccess;
}
/* Read SSLVersion. */
rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 2, &buffer, &len);
if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
parsedTicket->ssl_version = (SSL3ProtocolVersion)temp;
if (!ssl3_VersionIsSupported(ss->protocolVariant,
parsedTicket->ssl_version)) {
/* This socket doesn't support the version from the ticket. */
return SECSuccess;
}
/* Read cipher_suite. */
rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 2, &buffer, &len);
if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
parsedTicket->cipher_suite = (ssl3CipherSuite)temp;
/* Read compression_method. */
rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len);
if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
parsedTicket->compression_method = (SSLCompressionMethod)temp;
/* Read cipher spec parameters. */
rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len);
if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
parsedTicket->authType = (SSLAuthType)temp;
rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
parsedTicket->authKeyBits = temp;
rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len);
if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
parsedTicket->keaType = (SSLKEAType)temp;
rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
parsedTicket->keaKeyBits = temp;
/* Read the optional named curve. */
rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len);
if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
if (parsedTicket->authType == ssl_auth_ecdsa ||
parsedTicket->authType == ssl_auth_ecdh_rsa ||
parsedTicket->authType == ssl_auth_ecdh_ecdsa) {
const sslNamedGroupDef *group =
ssl_LookupNamedGroup((SSLNamedGroup)temp);
if (!group || group->keaType != ssl_kea_ecdh) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
parsedTicket->namedCurve = group;
}
/* Read the master secret (and how it is wrapped). */
rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len);
if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
PORT_Assert(temp == PR_TRUE || temp == PR_FALSE);
parsedTicket->ms_is_wrapped = (PRBool)temp;
rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
parsedTicket->msWrapMech = (CK_MECHANISM_TYPE)temp;
rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 2, &buffer, &len);
if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
if (temp == 0 || temp > sizeof(parsedTicket->master_secret)) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
parsedTicket->ms_length = (PRUint16)temp;
/* Read the master secret. */
rv = ssl3_ExtConsumeHandshake(ss, parsedTicket->master_secret,
parsedTicket->ms_length, &buffer, &len);
if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
/* Read client identity */
rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len);
if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
parsedTicket->client_auth_type = (ClientAuthenticationType)temp;
switch (parsedTicket->client_auth_type) {
case CLIENT_AUTH_ANONYMOUS:
break;
case CLIENT_AUTH_CERTIFICATE:
rv = ssl3_ExtConsumeHandshakeVariable(ss, &parsedTicket->peer_cert, 2,
&buffer, &len);
if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
break;
default:
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
/* Read timestamp. */
rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
parsedTicket->timestamp = temp;
/* Read server name */
rv = ssl3_ExtConsumeHandshakeVariable(ss, &parsedTicket->srvName, 2,
&buffer, &len);
if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
/* Read extendedMasterSecretUsed */
rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len);
if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
PORT_Assert(temp == PR_TRUE || temp == PR_FALSE);
parsedTicket->extendedMasterSecretUsed = (PRBool)temp;
rv = ssl3_ExtConsumeHandshake(ss, &temp, 4, &buffer, &len);
if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
parsedTicket->flags = PR_ntohl(temp);
rv = ssl3_ExtConsumeHandshakeVariable(ss, &parsedTicket->alpnSelection, 1,
&buffer, &len);
PORT_Assert(parsedTicket->alpnSelection.len < 256);
if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
parsedTicket->maxEarlyData = temp;
#ifndef UNSAFE_FUZZER_MODE
/* Done parsing. Check that all bytes have been consumed. */
if (len != 0) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
#endif
parsedTicket->valid = PR_TRUE;
return SECSuccess;
}
static SECStatus
ssl_CreateSIDFromTicket(sslSocket *ss, const SECItem *rawTicket,
SessionTicket *parsedTicket, sslSessionID **out)
{
sslSessionID *sid;
SECStatus rv;
sid = ssl3_NewSessionID(ss, PR_TRUE);
if (sid == NULL) {
return SECFailure;
}
/* Copy over parameters. */
sid->version = parsedTicket->ssl_version;
sid->u.ssl3.cipherSuite = parsedTicket->cipher_suite;
sid->u.ssl3.compression = parsedTicket->compression_method;
sid->authType = parsedTicket->authType;
sid->authKeyBits = parsedTicket->authKeyBits;
sid->keaType = parsedTicket->keaType;
sid->keaKeyBits = parsedTicket->keaKeyBits;
sid->namedCurve = parsedTicket->namedCurve;
rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.locked.sessionTicket.ticket,
rawTicket);
if (rv != SECSuccess) {
goto loser;
}
sid->u.ssl3.locked.sessionTicket.flags = parsedTicket->flags;
sid->u.ssl3.locked.sessionTicket.max_early_data_size =
parsedTicket->maxEarlyData;
if (parsedTicket->ms_length >
sizeof(sid->u.ssl3.keys.wrapped_master_secret)) {
goto loser;
}
PORT_Memcpy(sid->u.ssl3.keys.wrapped_master_secret,
parsedTicket->master_secret, parsedTicket->ms_length);
sid->u.ssl3.keys.wrapped_master_secret_len = parsedTicket->ms_length;
sid->u.ssl3.masterWrapMech = parsedTicket->msWrapMech;
sid->u.ssl3.keys.msIsWrapped = parsedTicket->ms_is_wrapped;
sid->u.ssl3.masterValid = PR_TRUE;
sid->u.ssl3.keys.resumable = PR_TRUE;
sid->u.ssl3.keys.extendedMasterSecretUsed = parsedTicket->extendedMasterSecretUsed;
/* Copy over client cert from session ticket if there is one. */
if (parsedTicket->peer_cert.data != NULL) {
PORT_Assert(!sid->peerCert);
sid->peerCert = CERT_NewTempCertificate(ss->dbHandle,
&parsedTicket->peer_cert,
NULL, PR_FALSE, PR_TRUE);
if (!sid->peerCert) {
goto loser;
}
}
/* Transfer ownership of the remaining items. */
if (parsedTicket->srvName.data != NULL) {
SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE);
rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.srvName,
&parsedTicket->srvName);
if (rv != SECSuccess) {
goto loser;
}
}
if (parsedTicket->alpnSelection.data != NULL) {
rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.alpnSelection,
&parsedTicket->alpnSelection);
if (rv != SECSuccess) {
goto loser;
}
}
*out = sid;
return SECSuccess;
loser:
ssl_FreeSID(sid);
return SECFailure;
}
/* Generic ticket processing code, common to all TLS versions. */
SECStatus
ssl3_ProcessSessionTicketCommon(sslSocket *ss, SECItem *data)
{
SECItem decryptedTicket = { siBuffer, NULL, 0 };
SessionTicket parsedTicket;
SECStatus rv;
if (ss->sec.ci.sid != NULL) {
ss->sec.uncache(ss->sec.ci.sid);
ssl_FreeSID(ss->sec.ci.sid);
ss->sec.ci.sid = NULL;
}
if (!SECITEM_AllocItem(NULL, &decryptedTicket, data->len)) {
return SECFailure;
}
/* Decrypt the ticket. */
rv = ssl_SelfEncryptUnprotect(ss, data->data, data->len,
decryptedTicket.data,
&decryptedTicket.len,
decryptedTicket.len);
if (rv != SECSuccess) {
SECITEM_ZfreeItem(&decryptedTicket, PR_FALSE);
/* Fail with no ticket if we're not a recipient. Otherwise
* it's a hard failure. */
if (PORT_GetError() != SEC_ERROR_NOT_A_RECIPIENT) {
SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
return SECFailure;
}
/* We didn't have the right key, so pretend we don't have a
* ticket. */
}
rv = ssl_ParseSessionTicket(ss, &decryptedTicket, &parsedTicket);
if (rv != SECSuccess) {
SSL3Statistics *ssl3stats;
SSL_DBG(("%d: SSL[%d]: Session ticket parsing failed.",
SSL_GETPID(), ss->fd));
ssl3stats = SSL_GetStatistics();
SSL_AtomicIncrementLong(&ssl3stats->hch_sid_ticket_parse_failures);
goto loser; /* code already set */
}
/* Use the ticket if it is valid and unexpired. */
if (parsedTicket.valid &&
parsedTicket.timestamp + ssl_ticket_lifetime > ssl_Time()) {
sslSessionID *sid;
rv = ssl_CreateSIDFromTicket(ss, data, &parsedTicket, &sid);
if (rv != SECSuccess) {
goto loser; /* code already set */
}
ss->statelessResume = PR_TRUE;
ss->sec.ci.sid = sid;
}
SECITEM_ZfreeItem(&decryptedTicket, PR_FALSE);
PORT_Memset(&parsedTicket, 0, sizeof(parsedTicket));
return SECSuccess;
loser:
SECITEM_ZfreeItem(&decryptedTicket, PR_FALSE);
PORT_Memset(&parsedTicket, 0, sizeof(parsedTicket));
return SECFailure;
}
SECStatus
ssl3_ServerHandleSessionTicketXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type,
SECItem *data)
{
/* Ignore the SessionTicket extension if processing is disabled. */
if (!ss->opt.enableSessionTickets) {
return SECSuccess;
}
/* If we are doing TLS 1.3, then ignore this. */
if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) {
return SECSuccess;
}
/* Keep track of negotiated extensions. */
xtnData->negotiated[xtnData->numNegotiated++] = ex_type;
/* Parse the received ticket sent in by the client. We are
* lenient about some parse errors, falling back to a fullshake
* instead of terminating the current connection.
*/
if (data->len == 0) {
xtnData->emptySessionTicket = PR_TRUE;
return SECSuccess;
}
return ssl3_ProcessSessionTicketCommon(CONST_CAST(sslSocket, ss), data);
}
/* Extension format:
* Extension number: 2 bytes
* Extension length: 2 bytes
* Verify Data Length: 1 byte
* Verify Data (TLS): 12 bytes (client) or 24 bytes (server)
* Verify Data (SSL): 36 bytes (client) or 72 bytes (server)
*/
PRInt32
ssl3_SendRenegotiationInfoXtn(
const sslSocket *ss,
TLSExtensionData *xtnData,
PRBool append,
PRUint32 maxBytes)
{
PRInt32 len = 0;
PRInt32 needed;
/* In draft-ietf-tls-renegotiation-03, it is NOT RECOMMENDED to send
* both the SCSV and the empty RI, so when we send SCSV in
* the initial handshake, we don't also send RI.
*/
if (!ss || ss->ssl3.hs.sendingSCSV)
return 0;
if (ss->firstHsDone) {
len = ss->sec.isServer ? ss->ssl3.hs.finishedBytes * 2
: ss->ssl3.hs.finishedBytes;
}
needed = 5 + len;
if (maxBytes < (PRUint32)needed) {
return 0;
}
if (append) {
SECStatus rv;
/* extension_type */
rv = ssl3_ExtAppendHandshakeNumber(ss, ssl_renegotiation_info_xtn, 2);
if (rv != SECSuccess)
return -1;
/* length of extension_data */
rv = ssl3_ExtAppendHandshakeNumber(ss, len + 1, 2);
if (rv != SECSuccess)
return -1;
/* verify_Data from previous Finished message(s) */
rv = ssl3_ExtAppendHandshakeVariable(ss,
ss->ssl3.hs.finishedMsgs.data, len, 1);
if (rv != SECSuccess)
return -1;
if (!ss->sec.isServer) {
xtnData->advertised[xtnData->numAdvertised++] =
ssl_renegotiation_info_xtn;
}
}
return needed;
}
/* This function runs in both the client and server. */
SECStatus
ssl3_HandleRenegotiationInfoXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type, SECItem *data)
{
SECStatus rv = SECSuccess;
PRUint32 len = 0;
if (ss->firstHsDone) {
len = ss->sec.isServer ? ss->ssl3.hs.finishedBytes
: ss->ssl3.hs.finishedBytes * 2;
}
if (data->len != 1 + len || data->data[0] != len) {
ssl3_ExtDecodeError(ss);
return SECFailure;
}
if (len && NSS_SecureMemcmp(ss->ssl3.hs.finishedMsgs.data,
data->data + 1, len)) {
ssl3_ExtSendAlert(ss, alert_fatal, handshake_failure);
PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
return SECFailure;
}
/* remember that we got this extension and it was correct. */
CONST_CAST(sslSocket, ss)
->peerRequestedProtection = 1;
xtnData->negotiated[xtnData->numNegotiated++] = ex_type;
if (ss->sec.isServer) {
/* prepare to send back the appropriate response */
rv = ssl3_RegisterExtensionSender(ss, xtnData, ex_type,
ssl3_SendRenegotiationInfoXtn);
}
return rv;
}
PRInt32
ssl3_ClientSendUseSRTPXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRBool append, PRUint32 maxBytes)
{
PRUint32 ext_data_len;
PRInt16 i;
SECStatus rv;
if (!ss)
return 0;
if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount)
return 0; /* Not relevant */
ext_data_len = 2 + 2 * ss->ssl3.dtlsSRTPCipherCount + 1;
if (append && maxBytes >= 4 + ext_data_len) {
/* Extension type */
rv = ssl3_ExtAppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2);
if (rv != SECSuccess)
return -1;
/* Length of extension data */
rv = ssl3_ExtAppendHandshakeNumber(ss, ext_data_len, 2);
if (rv != SECSuccess)
return -1;
/* Length of the SRTP cipher list */
rv = ssl3_ExtAppendHandshakeNumber(ss,
2 * ss->ssl3.dtlsSRTPCipherCount,
2);
if (rv != SECSuccess)
return -1;
/* The SRTP ciphers */
for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) {
rv = ssl3_ExtAppendHandshakeNumber(ss,
ss->ssl3.dtlsSRTPCiphers[i],
2);
if (rv != SECSuccess)
return -1;
}
/* Empty MKI value */
ssl3_ExtAppendHandshakeVariable(ss, NULL, 0, 1);
xtnData->advertised[xtnData->numAdvertised++] =
ssl_use_srtp_xtn;
}
return 4 + ext_data_len;
}
PRInt32
ssl3_ServerSendUseSRTPXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRBool append, PRUint32 maxBytes)
{
SECStatus rv;
/* Server side */
if (!append || maxBytes < 9) {
return 9;
}
/* Extension type */
rv = ssl3_ExtAppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2);
if (rv != SECSuccess)
return -1;
/* Length of extension data */
rv = ssl3_ExtAppendHandshakeNumber(ss, 5, 2);
if (rv != SECSuccess)
return -1;
/* Length of the SRTP cipher list */
rv = ssl3_ExtAppendHandshakeNumber(ss, 2, 2);
if (rv != SECSuccess)
return -1;
/* The selected cipher */
rv = ssl3_ExtAppendHandshakeNumber(ss, xtnData->dtlsSRTPCipherSuite, 2);
if (rv != SECSuccess)
return -1;
/* Empty MKI value */
ssl3_ExtAppendHandshakeVariable(ss, NULL, 0, 1);
return 9;
}
SECStatus
ssl3_ClientHandleUseSRTPXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type, SECItem *data)
{
SECStatus rv;
SECItem ciphers = { siBuffer, NULL, 0 };
PRUint16 i;
PRUint16 cipher = 0;
PRBool found = PR_FALSE;
SECItem litem;
if (!data->data || !data->len) {
ssl3_ExtDecodeError(ss);
return SECFailure;
}
/* Get the cipher list */
rv = ssl3_ExtConsumeHandshakeVariable(ss, &ciphers, 2,
&data->data, &data->len);
if (rv != SECSuccess) {
return SECFailure; /* fatal alert already sent */
}
/* Now check that the server has picked just 1 (i.e., len = 2) */
if (ciphers.len != 2) {
ssl3_ExtDecodeError(ss);
return SECFailure;
}
/* Get the selected cipher */
cipher = (ciphers.data[0] << 8) | ciphers.data[1];
/* Now check that this is one of the ciphers we offered */
for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) {
if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) {
found = PR_TRUE;
break;
}
}
if (!found) {
ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
PORT_SetError(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
return SECFailure;
}
/* Get the srtp_mki value */
rv = ssl3_ExtConsumeHandshakeVariable(ss, &litem, 1,
&data->data, &data->len);
if (rv != SECSuccess) {
return SECFailure; /* alert already sent */
}
/* We didn't offer an MKI, so this must be 0 length */
if (litem.len != 0) {
ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
PORT_SetError(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
return SECFailure;
}
/* extra trailing bytes */
if (data->len != 0) {
ssl3_ExtDecodeError(ss);
return SECFailure;
}
/* OK, this looks fine. */
xtnData->negotiated[xtnData->numNegotiated++] = ssl_use_srtp_xtn;
xtnData->dtlsSRTPCipherSuite = cipher;
return SECSuccess;
}
SECStatus
ssl3_ServerHandleUseSRTPXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type, SECItem *data)
{
SECStatus rv;
SECItem ciphers = { siBuffer, NULL, 0 };
PRUint16 i;
unsigned int j;
PRUint16 cipher = 0;
PRBool found = PR_FALSE;
SECItem litem;
if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) {
/* Ignore the extension if we aren't doing DTLS or no DTLS-SRTP
* preferences have been set. */
return SECSuccess;
}
if (!data->data || data->len < 5) {
ssl3_ExtDecodeError(ss);
return SECFailure;
}
/* Get the cipher list */
rv = ssl3_ExtConsumeHandshakeVariable(ss, &ciphers, 2,
&data->data, &data->len);
if (rv != SECSuccess) {
return SECFailure; /* alert already sent */
}
/* Check that the list is even length */
if (ciphers.len % 2) {
ssl3_ExtDecodeError(ss);
return SECFailure;
}
/* Walk through the offered list and pick the most preferred of our
* ciphers, if any */
for (i = 0; !found && i < ss->ssl3.dtlsSRTPCipherCount; i++) {
for (j = 0; j + 1 < ciphers.len; j += 2) {
cipher = (ciphers.data[j] << 8) | ciphers.data[j + 1];
if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) {
found = PR_TRUE;
break;
}
}
}
/* Get the srtp_mki value */
rv = ssl3_ExtConsumeHandshakeVariable(ss, &litem, 1, &data->data, &data->len);
if (rv != SECSuccess) {
return SECFailure;
}
if (data->len != 0) {
ssl3_ExtDecodeError(ss); /* trailing bytes */
return SECFailure;
}
/* Now figure out what to do */
if (!found) {
/* No matching ciphers, pretend we don't support use_srtp */
return SECSuccess;
}
/* OK, we have a valid cipher and we've selected it */
xtnData->dtlsSRTPCipherSuite = cipher;
xtnData->negotiated[xtnData->numNegotiated++] = ssl_use_srtp_xtn;
return ssl3_RegisterExtensionSender(ss, xtnData,
ssl_use_srtp_xtn,
ssl3_ServerSendUseSRTPXtn);
}
/* ssl3_ServerHandleSigAlgsXtn handles the signature_algorithms extension
* from a client.
* See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
SECStatus
ssl3_ServerHandleSigAlgsXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type, SECItem *data)
{
SECStatus rv;
/* Ignore this extension if we aren't doing TLS 1.2 or greater. */
if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) {
return SECSuccess;
}
if (xtnData->clientSigSchemes) {
PORT_Free(xtnData->clientSigSchemes);
xtnData->clientSigSchemes = NULL;
}
rv = ssl_ParseSignatureSchemes(ss, NULL,
&xtnData->clientSigSchemes,
&xtnData->numClientSigScheme,
&data->data, &data->len);
if (rv != SECSuccess || xtnData->numClientSigScheme == 0) {
ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
return SECFailure;
}
/* Check for trailing data. */
if (data->len != 0) {
ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
return SECFailure;
}
/* Keep track of negotiated extensions. */
xtnData->negotiated[xtnData->numNegotiated++] = ex_type;
return SECSuccess;
}
/* ssl3_ClientSendSigAlgsXtn sends the signature_algorithm extension for TLS
* 1.2 ClientHellos. */
PRInt32
ssl3_ClientSendSigAlgsXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRBool append, PRUint32 maxBytes)
{
PRInt32 extension_length;
PRUint8 buf[MAX_SIGNATURE_SCHEMES * 2];
PRUint32 len;
SECStatus rv;
if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_2) {
return 0;
}
rv = ssl3_EncodeSigAlgs(ss, buf, sizeof(buf), &len);
if (rv != SECSuccess) {
return -1;
}
extension_length =
2 /* extension type */ +
2 /* extension length */ +
2 /* supported_signature_algorithms length */ +
len;
if (maxBytes < extension_length) {
PORT_Assert(0);
return 0;
}
if (append) {
SECStatus rv;
rv = ssl3_ExtAppendHandshakeNumber(ss, ssl_signature_algorithms_xtn, 2);
if (rv != SECSuccess) {
return -1;
}
rv = ssl3_ExtAppendHandshakeNumber(ss, len + 2, 2);
if (rv != SECSuccess) {
return -1;
}
rv = ssl3_ExtAppendHandshakeVariable(ss, buf, len, 2);
if (rv != SECSuccess) {
return -1;
}
xtnData->advertised[xtnData->numAdvertised++] =
ssl_signature_algorithms_xtn;
}
return extension_length;
}
/* Takes the size of the ClientHello, less the record header, and determines how
* much padding is required. */
void
ssl3_CalculatePaddingExtLen(sslSocket *ss,
unsigned int clientHelloLength)
{
unsigned int recordLength = 1 /* handshake message type */ +
3 /* handshake message length */ +
clientHelloLength;
unsigned int extensionLen;
/* Don't pad for DTLS, for SSLv3, or for renegotiation. */
if (IS_DTLS(ss) ||
ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_0 ||
ss->firstHsDone) {
return;
}
/* A padding extension may be included to ensure that the record containing
* the ClientHello doesn't have a length between 256 and 511 bytes
* (inclusive). Initial ClientHello records with such lengths trigger bugs
* in F5 devices. */
if (recordLength < 256 || recordLength >= 512) {
return;
}
extensionLen = 512 - recordLength;
/* Extensions take at least four bytes to encode. Always include at least
* one byte of data if we are padding. Some servers will time out or
* terminate the connection if the last ClientHello extension is empty. */
if (extensionLen < 4 + 1) {
extensionLen = 4 + 1;
}
ss->xtnData.paddingLen = extensionLen - 4;
}
/* ssl3_SendPaddingExtension possibly adds an extension which ensures that a
* ClientHello record is either < 256 bytes or is >= 512 bytes. This ensures
* that we don't trigger bugs in F5 products. */
PRInt32
ssl3_ClientSendPaddingExtension(const sslSocket *ss, TLSExtensionData *xtnData,
PRBool append, PRUint32 maxBytes)
{
static unsigned char padding[252] = { 0 };
unsigned int extensionLen;
SECStatus rv;
/* On the length-calculation pass, report zero total length. The record
* will be larger on the second pass if needed. */
if (!append || !xtnData->paddingLen) {
return 0;
}
extensionLen = xtnData->paddingLen + 4;
if (extensionLen > maxBytes ||
xtnData->paddingLen > sizeof(padding)) {
PORT_Assert(0);
return -1;
}
rv = ssl3_ExtAppendHandshakeNumber(ss, ssl_padding_xtn, 2);
if (rv != SECSuccess) {
return -1;
}
rv = ssl3_ExtAppendHandshakeVariable(ss, padding, xtnData->paddingLen, 2);
if (rv != SECSuccess) {
return -1;
}
return extensionLen;
}
PRInt32
ssl3_SendExtendedMasterSecretXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRBool append,
PRUint32 maxBytes)
{
PRInt32 extension_length;
if (!ss->opt.enableExtendedMS) {
return 0;
}
/* Always send the extension in this function, since the
* client always sends it and this function is only called on
* the server if we negotiated the extension. */
extension_length = 4; /* Type + length (0) */
if (maxBytes < extension_length) {
PORT_Assert(0);
return 0;
}
if (append) {
SECStatus rv;
rv = ssl3_ExtAppendHandshakeNumber(ss, ssl_extended_master_secret_xtn, 2);
if (rv != SECSuccess)
goto loser;
rv = ssl3_ExtAppendHandshakeNumber(ss, 0, 2);
if (rv != SECSuccess)
goto loser;
xtnData->advertised[xtnData->numAdvertised++] =
ssl_extended_master_secret_xtn;
}
return extension_length;
loser:
return -1;
}
SECStatus
ssl3_HandleExtendedMasterSecretXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type,
SECItem *data)
{
if (ss->version < SSL_LIBRARY_VERSION_TLS_1_0) {
return SECSuccess;
}
if (!ss->opt.enableExtendedMS) {
return SECSuccess;
}
if (data->len != 0) {
SSL_TRC(30, ("%d: SSL3[%d]: Bogus extended master secret extension",
SSL_GETPID(), ss->fd));
ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
return SECFailure;
}
SSL_DBG(("%d: SSL[%d]: Negotiated extended master secret extension.",
SSL_GETPID(), ss->fd));
/* Keep track of negotiated extensions. */
xtnData->negotiated[xtnData->numNegotiated++] = ex_type;
if (ss->sec.isServer) {
return ssl3_RegisterExtensionSender(
ss, xtnData, ex_type, ssl3_SendExtendedMasterSecretXtn);
}
return SECSuccess;
}
/* ssl3_ClientSendSignedCertTimestampXtn sends the signed_certificate_timestamp
* extension for TLS ClientHellos. */
PRInt32
ssl3_ClientSendSignedCertTimestampXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRBool append,
PRUint32 maxBytes)
{
PRInt32 extension_length = 2 /* extension_type */ +
2 /* length(extension_data) */;
/* Only send the extension if processing is enabled. */
if (!ss->opt.enableSignedCertTimestamps)
return 0;
if (append && maxBytes >= extension_length) {
SECStatus rv;
/* extension_type */
rv = ssl3_ExtAppendHandshakeNumber(ss,
ssl_signed_cert_timestamp_xtn,
2);
if (rv != SECSuccess)
goto loser;
/* zero length */
rv = ssl3_ExtAppendHandshakeNumber(ss, 0, 2);
if (rv != SECSuccess)
goto loser;
xtnData->advertised[xtnData->numAdvertised++] =
ssl_signed_cert_timestamp_xtn;
} else if (maxBytes < extension_length) {
PORT_Assert(0);
return 0;
}
return extension_length;
loser:
return -1;
}
SECStatus
ssl3_ClientHandleSignedCertTimestampXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type,
SECItem *data)
{
/* We do not yet know whether we'll be resuming a session or creating
* a new one, so we keep a pointer to the data in the TLSExtensionData
* structure. This pointer is only valid in the scope of
* ssl3_HandleServerHello, and, if not resuming a session, the data is
* copied once a new session structure has been set up.
* All parsing is currently left to the application and we accept
* everything, including empty data.
*/
SECItem *scts = &xtnData->signedCertTimestamps;
PORT_Assert(!scts->data && !scts->len);
if (!data->len) {
/* Empty extension data: RFC 6962 mandates non-empty contents. */
return SECFailure;
}
*scts = *data;
/* Keep track of negotiated extensions. */
xtnData->negotiated[xtnData->numNegotiated++] = ex_type;
return SECSuccess;
}
PRInt32
ssl3_ServerSendSignedCertTimestampXtn(const sslSocket *ss, TLSExtensionData *xtnData,
PRBool append,
PRUint32 maxBytes)
{
PRInt32 extension_length;
const SECItem *scts = &ss->sec.serverCert->signedCertTimestamps;
if (!scts->len) {
/* No timestamps to send */
return 0;
}
extension_length = 2 /* extension_type */ +
2 /* length(extension_data) */ +
scts->len;
if (maxBytes < extension_length) {
PORT_Assert(0);
return 0;
}
if (append) {
SECStatus rv;
/* extension_type */
rv = ssl3_ExtAppendHandshakeNumber(ss,
ssl_signed_cert_timestamp_xtn,
2);
if (rv != SECSuccess) {
return -1;
}
/* extension_data */
rv = ssl3_ExtAppendHandshakeVariable(ss, scts->data, scts->len, 2);
if (rv != SECSuccess) {
return -1;
}
}
return extension_length;
}
SECStatus
ssl3_ServerHandleSignedCertTimestampXtn(const sslSocket *ss,
TLSExtensionData *xtnData,
PRUint16 ex_type,
SECItem *data)
{
if (data->len != 0) {
ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
return SECFailure;
}
xtnData->negotiated[xtnData->numNegotiated++] = ex_type;
PORT_Assert(ss->sec.isServer);
return ssl3_RegisterExtensionSender(
ss, xtnData, ex_type, ssl3_ServerSendSignedCertTimestampXtn);
}
/* Just make sure that the remote client supports uncompressed points,
* Since that is all we support. Disable ECC cipher suites if it doesn't.
*/
SECStatus
ssl3_HandleSupportedPointFormatsXtn(const sslSocket *ss, TLSExtensionData *xtnData,
PRUint16 ex_type,
SECItem *data)
{
int i;
if (data->len < 2 || data->len > 255 || !data->data ||
data->len != (unsigned int)data->data[0] + 1) {
ssl3_ExtDecodeError(ss);
return SECFailure;
}
for (i = data->len; --i > 0;) {
if (data->data[i] == 0) {
/* indicate that we should send a reply */
SECStatus rv;
rv = ssl3_RegisterExtensionSender(ss, xtnData, ex_type,
&ssl3_SendSupportedPointFormatsXtn);
return rv;
}
}
/* Poor client doesn't support uncompressed points. */
PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE);
return SECFailure;
}
static SECStatus
ssl_UpdateSupportedGroups(sslSocket *ss, SECItem *data)
{
SECStatus rv;
PRUint32 list_len;
unsigned int i;
const sslNamedGroupDef *enabled[SSL_NAMED_GROUP_COUNT] = { 0 };
PORT_Assert(SSL_NAMED_GROUP_COUNT == PR_ARRAY_SIZE(enabled));
if (!data->data || data->len < 4) {
(void)ssl3_DecodeError(ss);
return SECFailure;
}
/* get the length of elliptic_curve_list */
rv = ssl3_ConsumeHandshakeNumber(ss, &list_len, 2, &data->data, &data->len);
if (rv != SECSuccess || data->len != list_len || (data->len % 2) != 0) {
(void)ssl3_DecodeError(ss);
return SECFailure;
}
/* disable all groups and remember the enabled groups */
for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) {
enabled[i] = ss->namedGroupPreferences[i];
ss->namedGroupPreferences[i] = NULL;
}
/* Read groups from data and enable if in |enabled| */
while (data->len) {
const sslNamedGroupDef *group;
PRUint32 curve_name;
rv = ssl3_ConsumeHandshakeNumber(ss, &curve_name, 2, &data->data,
&data->len);
if (rv != SECSuccess) {
return SECFailure; /* fatal alert already sent */
}
group = ssl_LookupNamedGroup(curve_name);
if (group) {
for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) {
if (enabled[i] && group == enabled[i]) {
ss->namedGroupPreferences[i] = enabled[i];
break;
}
}
}
/* "Codepoints in the NamedCurve registry with a high byte of 0x01 (that
* is, between 256 and 511 inclusive) are set aside for FFDHE groups,"
* -- https://tools.ietf.org/html/draft-ietf-tls-negotiated-ff-dhe-10
*/
if ((curve_name & 0xff00) == 0x0100) {
ss->xtnData.peerSupportsFfdheGroups = PR_TRUE;
}
}
/* Note: if ss->opt.requireDHENamedGroups is set, we disable DHE cipher
* suites, but we do that in ssl3_config_match(). */
if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3 &&
!ss->opt.requireDHENamedGroups && !ss->xtnData.peerSupportsFfdheGroups) {
/* If we don't require that DHE use named groups, and no FFDHE was
* included, we pretend that they support all the FFDHE groups we do. */
for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) {
if (enabled[i] && enabled[i]->keaType == ssl_kea_dh) {
ss->namedGroupPreferences[i] = enabled[i];
}
}
}
return SECSuccess;
}
/* Ensure that the curve in our server cert is one of the ones supported
* by the remote client, and disable all ECC cipher suites if not.
*/
SECStatus
ssl_HandleSupportedGroupsXtn(const sslSocket *ss, TLSExtensionData *xtnData,
PRUint16 ex_type, SECItem *data)
{
SECStatus rv;
rv = ssl_UpdateSupportedGroups(CONST_CAST(sslSocket, ss), data);
if (rv != SECSuccess)
return SECFailure;
/* TLS 1.3 permits the server to send this extension so make it so. */
if (ss->sec.isServer && ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) {
rv = ssl3_RegisterExtensionSender(ss, xtnData, ex_type,
&ssl_SendSupportedGroupsXtn);
if (rv != SECSuccess) {
return SECFailure; /* error already set. */
}
}
/* Remember that we negotiated this extension. */
xtnData->negotiated[xtnData->numNegotiated++] = ex_type;
return SECSuccess;
}
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку