summaryrefslogtreecommitdiffstats
path: root/security/nss/lib/ssl/ssl3exthandle.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/lib/ssl/ssl3exthandle.c')
-rw-r--r--security/nss/lib/ssl/ssl3exthandle.c1217
1 files changed, 455 insertions, 762 deletions
diff --git a/security/nss/lib/ssl/ssl3exthandle.c b/security/nss/lib/ssl/ssl3exthandle.c
index 2a80e2690..370bd8b3e 100644
--- a/security/nss/lib/ssl/ssl3exthandle.c
+++ b/security/nss/lib/ssl/ssl3exthandle.c
@@ -12,147 +12,12 @@
#include "pk11pub.h"
#include "blapit.h"
#include "prinit.h"
+#include "selfencrypt.h"
+#include "ssl3encode.h"
#include "ssl3ext.h"
#include "ssl3exthandle.h"
#include "tls13exthandle.h" /* For tls13_ServerSendStatusRequestXtn. */
-static unsigned char key_name[SESS_TICKET_KEY_NAME_LEN];
-static PK11SymKey *session_ticket_enc_key = NULL;
-static PK11SymKey *session_ticket_mac_key = NULL;
-
-static PRCallOnceType generate_session_keys_once;
-
-static SECStatus ssl3_ParseEncryptedSessionTicket(sslSocket *ss,
- SECItem *data, EncryptedSessionTicket *enc_session_ticket);
-static SECStatus ssl3_AppendToItem(SECItem *item, const unsigned char *buf,
- PRUint32 bytes);
-static SECStatus ssl3_ConsumeFromItem(SECItem *item, unsigned char **buf, PRUint32 bytes);
-static SECStatus ssl3_AppendNumberToItem(SECItem *item, PRUint32 num,
- PRInt32 lenSize);
-static SECStatus ssl3_GetSessionTicketKeys(sslSocket *ss,
- PK11SymKey **aes_key, PK11SymKey **mac_key);
-static SECStatus ssl3_ConsumeFromItem(SECItem *item, unsigned char **buf, PRUint32 bytes);
-
-/*
- * Write bytes. Using this function means the SECItem structure
- * cannot be freed. The caller is expected to call this function
- * on a shallow copy of the structure.
- */
-static SECStatus
-ssl3_AppendToItem(SECItem *item, const unsigned char *buf, PRUint32 bytes)
-{
- if (bytes > item->len)
- return SECFailure;
-
- PORT_Memcpy(item->data, buf, bytes);
- item->data += bytes;
- item->len -= bytes;
- return SECSuccess;
-}
-
-/*
- * Write a number in network byte order. Using this function means the
- * SECItem structure cannot be freed. The caller is expected to call
- * this function on a shallow copy of the structure.
- */
-static SECStatus
-ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, PRInt32 lenSize)
-{
- SECStatus rv;
- PRUint8 b[4];
- PRUint8 *p = b;
-
- switch (lenSize) {
- case 4:
- *p++ = (PRUint8)(num >> 24);
- case 3:
- *p++ = (PRUint8)(num >> 16);
- case 2:
- *p++ = (PRUint8)(num >> 8);
- case 1:
- *p = (PRUint8)num;
- }
- rv = ssl3_AppendToItem(item, &b[0], lenSize);
- return rv;
-}
-
-SECStatus
-ssl3_SessionTicketShutdown(void *appData, void *nssData)
-{
- if (session_ticket_enc_key) {
- PK11_FreeSymKey(session_ticket_enc_key);
- session_ticket_enc_key = NULL;
- }
- if (session_ticket_mac_key) {
- PK11_FreeSymKey(session_ticket_mac_key);
- session_ticket_mac_key = NULL;
- }
- PORT_Memset(&generate_session_keys_once, 0,
- sizeof(generate_session_keys_once));
- return SECSuccess;
-}
-
-static PRStatus
-ssl3_GenerateSessionTicketKeys(void *data)
-{
- SECStatus rv;
- sslSocket *ss = (sslSocket *)data;
- sslServerCertType certType = { ssl_auth_rsa_decrypt, NULL };
- const sslServerCert *sc;
- SECKEYPrivateKey *svrPrivKey;
- SECKEYPublicKey *svrPubKey;
-
- sc = ssl_FindServerCert(ss, &certType);
- if (!sc || !sc->serverKeyPair) {
- SSL_DBG(("%d: SSL[%d]: No ssl_auth_rsa_decrypt cert and key pair",
- SSL_GETPID(), ss->fd));
- goto loser;
- }
- svrPrivKey = sc->serverKeyPair->privKey;
- svrPubKey = sc->serverKeyPair->pubKey;
- if (svrPrivKey == NULL || svrPubKey == NULL) {
- SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.",
- SSL_GETPID(), ss->fd));
- goto loser;
- }
-
- /* Get a copy of the session keys from shared memory. */
- PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX,
- sizeof(SESS_TICKET_KEY_NAME_PREFIX));
- if (!ssl_GetSessionTicketKeys(svrPrivKey, svrPubKey, ss->pkcs11PinArg,
- &key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN],
- &session_ticket_enc_key, &session_ticket_mac_key))
- return PR_FAILURE;
-
- rv = NSS_RegisterShutdown(ssl3_SessionTicketShutdown, NULL);
- if (rv != SECSuccess)
- goto loser;
-
- return PR_SUCCESS;
-
-loser:
- ssl3_SessionTicketShutdown(NULL, NULL);
- return PR_FAILURE;
-}
-
-static SECStatus
-ssl3_GetSessionTicketKeys(sslSocket *ss, PK11SymKey **aes_key,
- PK11SymKey **mac_key)
-{
- if (PR_CallOnceWithArg(&generate_session_keys_once,
- ssl3_GenerateSessionTicketKeys, ss) !=
- PR_SUCCESS)
- return SECFailure;
-
- if (session_ticket_enc_key == NULL ||
- session_ticket_mac_key == NULL)
- return SECFailure;
-
- *aes_key = session_ticket_enc_key;
- *mac_key = session_ticket_mac_key;
- return SECSuccess;
-}
-
/* Format an SNI extension, using the name from the socket's URL,
* unless that name is a dotted decimal string.
* Used by client and server.
@@ -223,7 +88,8 @@ SECStatus
ssl3_HandleServerNameXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type, SECItem *data)
{
SECItem *names = NULL;
- PRInt32 listLenBytes = 0;
+ PRUint32 listLenBytes = 0;
+ SECStatus rv;
if (!ss->sec.isServer) {
return SECSuccess; /* ignore extension */
@@ -236,8 +102,8 @@ ssl3_HandleServerNameXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint1
}
/* length of server_name_list */
- listLenBytes = ssl3_ExtConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
- if (listLenBytes < 0) {
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &listLenBytes, 2, &data->data, &data->len);
+ if (rv != SECSuccess) {
goto loser; /* alert already sent */
}
if (listLenBytes == 0 || listLenBytes != data->len) {
@@ -247,12 +113,11 @@ ssl3_HandleServerNameXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint1
/* Read ServerNameList. */
while (data->len > 0) {
SECItem tmp;
- SECStatus rv;
- PRInt32 type;
+ PRUint32 type;
/* Read Name Type. */
- type = ssl3_ExtConsumeHandshakeNumber(ss, 1, &data->data, &data->len);
- if (type < 0) { /* i.e., SECFailure cast to PRint32 */
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &type, 1, &data->data, &data->len);
+ if (rv != SECSuccess) {
/* alert sent in ConsumeHandshakeNumber */
goto loser;
}
@@ -372,11 +237,7 @@ ssl3_SendSessionTicketXtn(
if (session_ticket->ticket.data) {
if (xtnData->ticketTimestampVerified) {
extension_length += session_ticket->ticket.len;
- } else if (!append &&
- (session_ticket->ticket_lifetime_hint == 0 ||
- (session_ticket->ticket_lifetime_hint +
- session_ticket->received_timestamp >
- ssl_Time()))) {
+ } else if (!append && ssl_TicketTimeValid(session_ticket)) {
extension_length += session_ticket->ticket.len;
xtnData->ticketTimestampVerified = PR_TRUE;
}
@@ -417,30 +278,25 @@ loser:
return -1;
}
-static SECStatus
-ssl3_ParseEncryptedSessionTicket(sslSocket *ss, SECItem *data,
- EncryptedSessionTicket *enc_session_ticket)
+PRBool
+ssl_AlpnTagAllowed(const sslSocket *ss, const SECItem *tag)
{
- if (ssl3_ConsumeFromItem(data, &enc_session_ticket->key_name,
- SESS_TICKET_KEY_NAME_LEN) !=
- SECSuccess)
- return SECFailure;
- if (ssl3_ConsumeFromItem(data, &enc_session_ticket->iv,
- AES_BLOCK_SIZE) !=
- SECSuccess)
- return SECFailure;
- if (ssl3_ConsumeHandshakeVariable(ss, &enc_session_ticket->encrypted_state,
- 2, &data->data, &data->len) !=
- SECSuccess)
- return SECFailure;
- if (ssl3_ConsumeFromItem(data, &enc_session_ticket->mac,
- TLS_EX_SESS_TICKET_MAC_LENGTH) !=
- SECSuccess)
- return SECFailure;
- if (data->len != 0) /* Make sure that we have consumed all bytes. */
- return SECFailure;
+ const unsigned char *data = ss->opt.nextProtoNego.data;
+ unsigned int length = ss->opt.nextProtoNego.len;
+ unsigned int offset = 0;
- return SECSuccess;
+ if (!tag->len)
+ return PR_TRUE;
+
+ while (offset < length) {
+ unsigned int taglen = (unsigned int)data[offset];
+ if ((taglen == tag->len) &&
+ !PORT_Memcmp(data + offset + 1, tag->data, tag->len))
+ return PR_TRUE;
+ offset += 1 + taglen;
+ }
+
+ return PR_FALSE;
}
/* handle an incoming Next Protocol Negotiation extension. */
@@ -542,7 +398,7 @@ ssl3_SelectAppProtocol(const sslSocket *ss, TLSExtensionData *xtnData,
SECStatus
ssl3_ServerHandleAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type, SECItem *data)
{
- int count;
+ PRUint32 count;
SECStatus rv;
/* We expressly don't want to allow ALPN on renegotiation,
@@ -556,8 +412,8 @@ ssl3_ServerHandleAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRU
/* Unlike NPN, ALPN has extra redundant length information so that
* the extension is the same in both ClientHello and ServerHello. */
- count = ssl3_ExtConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
- if (count != data->len) {
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &count, 2, &data->data, &data->len);
+ if (rv != SECSuccess || count != data->len) {
ssl3_ExtDecodeError(ss);
return SECFailure;
}
@@ -621,7 +477,7 @@ SECStatus
ssl3_ClientHandleAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type, SECItem *data)
{
SECStatus rv;
- PRInt32 list_len;
+ PRUint32 list_len;
SECItem protocol_name;
if (ssl3_ExtensionNegotiated(ss, ssl_next_proto_nego_xtn)) {
@@ -639,9 +495,10 @@ ssl3_ClientHandleAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRU
return SECFailure;
}
- list_len = ssl3_ExtConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &list_len, 2, &data->data,
+ &data->len);
/* The list has to be the entire extension. */
- if (list_len != data->len) {
+ if (rv != SECSuccess || list_len != data->len) {
ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
return SECFailure;
@@ -656,6 +513,12 @@ ssl3_ClientHandleAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRU
return SECFailure;
}
+ if (!ssl_AlpnTagAllowed(ss, &protocol_name)) {
+ ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
+ PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
+ return SECFailure;
+ }
+
SECITEM_FreeItem(&xtnData->nextProto, PR_FALSE);
xtnData->nextProtoState = SSL_NEXT_PROTO_SELECTED;
xtnData->negotiated[xtnData->numNegotiated++] = ex_type;
@@ -938,6 +801,9 @@ ssl3_ClientHandleStatusRequestXtn(const sslSocket *ss, TLSExtensionData *xtnData
return SECSuccess;
}
+PRUint32 ssl_ticket_lifetime = 2 * 24 * 60 * 60; /* 2 days in seconds */
+#define TLS_EX_SESS_TICKET_VERSION (0x0105)
+
/*
* Called from ssl3_SendNewSessionTicket, tls13_SendNewSessionTicket
*/
@@ -946,40 +812,21 @@ ssl3_EncodeSessionTicket(sslSocket *ss,
const NewSessionTicket *ticket,
SECItem *ticket_data)
{
- PRUint32 i;
SECStatus rv;
SECItem plaintext;
SECItem plaintext_item = { 0, NULL, 0 };
- SECItem ciphertext = { 0, NULL, 0 };
- PRUint32 ciphertext_length;
+ PRUint32 plaintext_length;
SECItem ticket_buf = { 0, NULL, 0 };
- SECItem ticket_tmp = { 0, NULL, 0 };
- SECItem macParam = { 0, NULL, 0 };
PRBool ms_is_wrapped;
unsigned char wrapped_ms[SSL3_MASTER_SECRET_LENGTH];
SECItem ms_item = { 0, NULL, 0 };
- PRUint32 padding_length;
- PRUint32 ticket_length;
PRUint32 cert_length = 0;
- PRUint8 length_buf[4];
PRUint32 now;
- PK11SymKey *aes_key = NULL;
- PK11SymKey *mac_key = NULL;
- CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC;
- PK11Context *aes_ctx;
- CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC;
- PK11Context *hmac_ctx = NULL;
- unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH];
- unsigned int computed_mac_length;
- unsigned char iv[AES_BLOCK_SIZE];
- SECItem ivItem;
SECItem *srvName = NULL;
- PRUint32 srvNameLen = 0;
CK_MECHANISM_TYPE msWrapMech = 0; /* dummy default value,
* must be >= 0 */
ssl3CipherSpec *spec;
- const sslServerCertType *certType;
- SECItem alpnSelection = { siBuffer, NULL, 0 };
+ SECItem *alpnSelection = NULL;
SSL_TRC(3, ("%d: SSL3[%d]: send session_ticket handshake",
SSL_GETPID(), ss->fd));
@@ -988,20 +835,9 @@ ssl3_EncodeSessionTicket(sslSocket *ss,
PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
if (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) {
- cert_length = 3 + ss->sec.ci.sid->peerCert->derCert.len;
+ cert_length = 2 + ss->sec.ci.sid->peerCert->derCert.len;
}
- /* Get IV and encryption keys */
- ivItem.data = iv;
- ivItem.len = sizeof(iv);
- rv = PK11_GenerateRandom(iv, sizeof(iv));
- if (rv != SECSuccess)
- goto loser;
-
- rv = ssl3_GetSessionTicketKeys(ss, &aes_key, &mac_key);
- if (rv != SECSuccess)
- goto loser;
-
if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) {
spec = ss->ssl3.cwSpec;
} else {
@@ -1017,8 +853,7 @@ ssl3_EncodeSessionTicket(sslSocket *ss,
sslSessionID sid;
PORT_Memset(&sid, 0, sizeof(sslSessionID));
- rv = ssl3_CacheWrappedMasterSecret(ss, &sid, spec,
- ss->ssl3.hs.kea_def->authKeyType);
+ rv = ssl3_CacheWrappedMasterSecret(ss, &sid, spec);
if (rv == SECSuccess) {
if (sid.u.ssl3.keys.wrapped_master_secret_len > sizeof(wrapped_ms))
goto loser;
@@ -1035,17 +870,14 @@ ssl3_EncodeSessionTicket(sslSocket *ss,
}
/* Prep to send negotiated name */
srvName = &ss->sec.ci.sid->u.ssl3.srvName;
- if (srvName->data && srvName->len) {
- srvNameLen = 2 + srvName->len; /* len bytes + name len */
- }
- if (ss->xtnData.nextProtoState != SSL_NEXT_PROTO_NO_SUPPORT &&
- ss->xtnData.nextProto.data) {
- alpnSelection = ss->xtnData.nextProto;
- }
+ PORT_Assert(ss->xtnData.nextProtoState == SSL_NEXT_PROTO_SELECTED ||
+ ss->xtnData.nextProtoState == SSL_NEXT_PROTO_NEGOTIATED ||
+ ss->xtnData.nextProto.len == 0);
+ alpnSelection = &ss->xtnData.nextProto;
- ciphertext_length =
- sizeof(PRUint16) /* ticket_version */
+ plaintext_length =
+ sizeof(PRUint16) /* ticket version */
+ sizeof(SSL3ProtocolVersion) /* ssl_version */
+ sizeof(ssl3CipherSuite) /* ciphersuite */
+ 1 /* compression */
@@ -1057,23 +889,19 @@ ssl3_EncodeSessionTicket(sslSocket *ss,
+ ms_item.len /* master_secret */
+ 1 /* client_auth_type */
+ cert_length /* cert */
- + 1 /* server name type */
- + srvNameLen /* name len + length field */
+ + 2 + srvName->len /* name len + length field */
+ 1 /* extendedMasterSecretUsed */
+ sizeof(ticket->ticket_lifetime_hint) /* ticket lifetime hint */
+ sizeof(ticket->flags) /* ticket flags */
- + 1 + alpnSelection.len; /* npn value + length field. */
- padding_length = AES_BLOCK_SIZE -
- (ciphertext_length %
- AES_BLOCK_SIZE);
- ciphertext_length += padding_length;
+ + 1 + alpnSelection->len /* alpn value + length field */
+ + 4; /* maxEarlyData */
- if (SECITEM_AllocItem(NULL, &plaintext_item, ciphertext_length) == NULL)
+ if (SECITEM_AllocItem(NULL, &plaintext_item, plaintext_length) == NULL)
goto loser;
plaintext = plaintext_item;
- /* ticket_version */
+ /* ticket version */
rv = ssl3_AppendNumberToItem(&plaintext, TLS_EX_SESS_TICKET_VERSION,
sizeof(PRUint16));
if (rv != SECSuccess)
@@ -1111,22 +939,15 @@ ssl3_EncodeSessionTicket(sslSocket *ss,
goto loser;
/* certificate type */
- certType = &ss->sec.serverCert->certType;
- PORT_Assert(certType->authType == ss->sec.authType);
- switch (ss->sec.authType) {
- case ssl_auth_ecdsa:
- case ssl_auth_ecdh_rsa:
- case ssl_auth_ecdh_ecdsa:
- PORT_Assert(certType->namedCurve);
- PORT_Assert(certType->namedCurve->keaType == ssl_kea_ecdh);
- /* EC curves only use the second of the two bytes. */
- PORT_Assert(certType->namedCurve->name < 256);
- rv = ssl3_AppendNumberToItem(&plaintext,
- certType->namedCurve->name, 1);
- break;
- default:
- rv = ssl3_AppendNumberToItem(&plaintext, 0, 1);
- break;
+ PORT_Assert(SSL_CERT_IS(ss->sec.serverCert, ss->sec.authType));
+ if (SSL_CERT_IS_EC(ss->sec.serverCert)) {
+ const sslServerCert *cert = ss->sec.serverCert;
+ PORT_Assert(cert->namedCurve);
+ /* EC curves only use the second of the two bytes. */
+ PORT_Assert(cert->namedCurve->name < 256);
+ rv = ssl3_AppendNumberToItem(&plaintext, cert->namedCurve->name, 1);
+ } else {
+ rv = ssl3_AppendNumberToItem(&plaintext, 0, 1);
}
if (rv != SECSuccess)
goto loser;
@@ -1145,13 +966,13 @@ ssl3_EncodeSessionTicket(sslSocket *ss,
if (rv != SECSuccess)
goto loser;
- /* client_identity */
+ /* client identity */
if (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) {
rv = ssl3_AppendNumberToItem(&plaintext, CLIENT_AUTH_CERTIFICATE, 1);
if (rv != SECSuccess)
goto loser;
rv = ssl3_AppendNumberToItem(&plaintext,
- ss->sec.ci.sid->peerCert->derCert.len, 3);
+ ss->sec.ci.sid->peerCert->derCert.len, 2);
if (rv != SECSuccess)
goto loser;
rv = ssl3_AppendToItem(&plaintext,
@@ -1172,23 +993,14 @@ ssl3_EncodeSessionTicket(sslSocket *ss,
if (rv != SECSuccess)
goto loser;
- if (srvNameLen) {
- /* Name Type (sni_host_name) */
- rv = ssl3_AppendNumberToItem(&plaintext, srvName->type, 1);
- if (rv != SECSuccess)
- goto loser;
- /* HostName (length and value) */
- rv = ssl3_AppendNumberToItem(&plaintext, srvName->len, 2);
- if (rv != SECSuccess)
- goto loser;
+ /* HostName (length and value) */
+ rv = ssl3_AppendNumberToItem(&plaintext, srvName->len, 2);
+ if (rv != SECSuccess)
+ goto loser;
+ if (srvName->len) {
rv = ssl3_AppendToItem(&plaintext, srvName->data, srvName->len);
if (rv != SECSuccess)
goto loser;
- } else {
- /* No Name */
- rv = ssl3_AppendNumberToItem(&plaintext, (char)TLS_STE_NO_SERVER_NAME, 1);
- if (rv != SECSuccess)
- goto loser;
}
/* extendedMasterSecretUsed */
@@ -1203,123 +1015,52 @@ ssl3_EncodeSessionTicket(sslSocket *ss,
if (rv != SECSuccess)
goto loser;
- /* NPN value. */
- PORT_Assert(alpnSelection.len < 256);
- rv = ssl3_AppendNumberToItem(&plaintext, alpnSelection.len, 1);
+ /* ALPN value. */
+ PORT_Assert(alpnSelection->len < 256);
+ rv = ssl3_AppendNumberToItem(&plaintext, alpnSelection->len, 1);
if (rv != SECSuccess)
goto loser;
- if (alpnSelection.len) {
- rv = ssl3_AppendToItem(&plaintext, alpnSelection.data, alpnSelection.len);
+ if (alpnSelection->len) {
+ rv = ssl3_AppendToItem(&plaintext, alpnSelection->data,
+ alpnSelection->len);
if (rv != SECSuccess)
goto loser;
}
- PORT_Assert(plaintext.len == padding_length);
- for (i = 0; i < padding_length; i++)
- plaintext.data[i] = (unsigned char)padding_length;
-
- if (SECITEM_AllocItem(NULL, &ciphertext, ciphertext_length) == NULL) {
- rv = SECFailure;
- goto loser;
- }
-
- /* Generate encrypted portion of ticket. */
- PORT_Assert(aes_key);
- aes_ctx = PK11_CreateContextBySymKey(cipherMech, CKA_ENCRYPT, aes_key, &ivItem);
- if (!aes_ctx)
- goto loser;
-
- rv = PK11_CipherOp(aes_ctx, ciphertext.data,
- (int *)&ciphertext.len, ciphertext.len,
- plaintext_item.data, plaintext_item.len);
- PK11_Finalize(aes_ctx);
- PK11_DestroyContext(aes_ctx, PR_TRUE);
- if (rv != SECSuccess)
- goto loser;
-
- /* Convert ciphertext length to network order. */
- length_buf[0] = (ciphertext.len >> 8) & 0xff;
- length_buf[1] = (ciphertext.len) & 0xff;
-
- /* Compute MAC. */
- PORT_Assert(mac_key);
- hmac_ctx = PK11_CreateContextBySymKey(macMech, CKA_SIGN, mac_key, &macParam);
- if (!hmac_ctx)
- goto loser;
-
- rv = PK11_DigestBegin(hmac_ctx);
- if (rv != SECSuccess)
- goto loser;
- rv = PK11_DigestOp(hmac_ctx, key_name, SESS_TICKET_KEY_NAME_LEN);
- if (rv != SECSuccess)
- goto loser;
- rv = PK11_DigestOp(hmac_ctx, iv, sizeof(iv));
- if (rv != SECSuccess)
- goto loser;
- rv = PK11_DigestOp(hmac_ctx, (unsigned char *)length_buf, 2);
- if (rv != SECSuccess)
- goto loser;
- rv = PK11_DigestOp(hmac_ctx, ciphertext.data, ciphertext.len);
- if (rv != SECSuccess)
- goto loser;
- rv = PK11_DigestFinal(hmac_ctx, computed_mac,
- &computed_mac_length, sizeof(computed_mac));
+ rv = ssl3_AppendNumberToItem(&plaintext, ssl_max_early_data_size, 4);
if (rv != SECSuccess)
goto loser;
- ticket_length =
- +SESS_TICKET_KEY_NAME_LEN /* key_name */
- + AES_BLOCK_SIZE /* iv */
- + 2 /* length field for NewSessionTicket.ticket.encrypted_state */
- + ciphertext_length /* encrypted_state */
- + TLS_EX_SESS_TICKET_MAC_LENGTH; /* mac */
+ /* Check that we are totally full. */
+ PORT_Assert(plaintext.len == 0);
- if (SECITEM_AllocItem(NULL, &ticket_buf, ticket_length) == NULL) {
- rv = SECFailure;
+ /* 128 just gives us enough room for overhead. */
+ if (SECITEM_AllocItem(NULL, &ticket_buf, plaintext_length + 128) == NULL) {
goto loser;
}
- ticket_tmp = ticket_buf; /* Shallow copy because AppendToItem is
- * destructive. */
- rv = ssl3_AppendToItem(&ticket_tmp, key_name, SESS_TICKET_KEY_NAME_LEN);
- if (rv != SECSuccess)
- goto loser;
-
- rv = ssl3_AppendToItem(&ticket_tmp, iv, sizeof(iv));
- if (rv != SECSuccess)
- goto loser;
-
- rv = ssl3_AppendNumberToItem(&ticket_tmp, ciphertext.len, 2);
- if (rv != SECSuccess)
- goto loser;
-
- rv = ssl3_AppendToItem(&ticket_tmp, ciphertext.data, ciphertext.len);
- if (rv != SECSuccess)
- goto loser;
-
- rv = ssl3_AppendToItem(&ticket_tmp, computed_mac, computed_mac_length);
- if (rv != SECSuccess)
+ /* Finally, encrypt the ticket. */
+ rv = ssl_SelfEncryptProtect(ss, plaintext_item.data, plaintext_item.len,
+ ticket_buf.data, &ticket_buf.len, ticket_buf.len);
+ if (rv != SECSuccess) {
goto loser;
+ }
/* Give ownership of memory to caller. */
*ticket_data = ticket_buf;
- ticket_buf.data = NULL;
+
+ SECITEM_FreeItem(&plaintext_item, PR_FALSE);
+ return SECSuccess;
loser:
- if (hmac_ctx) {
- PK11_DestroyContext(hmac_ctx, PR_TRUE);
- }
if (plaintext_item.data) {
SECITEM_FreeItem(&plaintext_item, PR_FALSE);
}
- if (ciphertext.data) {
- SECITEM_FreeItem(&ciphertext, PR_FALSE);
- }
if (ticket_buf.data) {
SECITEM_FreeItem(&ticket_buf, PR_FALSE);
}
- return rv;
+ return SECFailure;
}
/* When a client receives a SessionTicket extension a NewSessionTicket
@@ -1338,434 +1079,375 @@ ssl3_ClientHandleSessionTicketXtn(const sslSocket *ss, TLSExtensionData *xtnData
return SECSuccess;
}
-/* Generic ticket processing code, common to TLS 1.0-1.2 and
- * TLS 1.3. */
-SECStatus
-ssl3_ProcessSessionTicketCommon(sslSocket *ss, SECItem *data)
+static SECStatus
+ssl_ParseSessionTicket(sslSocket *ss, const SECItem *decryptedTicket,
+ SessionTicket *parsedTicket)
{
+ PRUint32 temp;
SECStatus rv;
- SECItem *decrypted_state = NULL;
- SessionTicket *parsed_session_ticket = NULL;
- sslSessionID *sid = NULL;
- SSL3Statistics *ssl3stats;
- PRUint32 i;
- SECItem extension_data;
- EncryptedSessionTicket enc_session_ticket;
- unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH];
- unsigned int computed_mac_length;
- PK11SymKey *aes_key = NULL;
- PK11SymKey *mac_key = NULL;
- PK11Context *hmac_ctx;
- CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC;
- PK11Context *aes_ctx;
- CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC;
- unsigned char *padding;
- PRUint32 padding_length;
- unsigned char *buffer;
- unsigned int buffer_len;
- PRInt32 temp;
- SECItem cert_item;
- PRInt8 nameType = TLS_STE_NO_SERVER_NAME;
- SECItem macParam = { siBuffer, NULL, 0 };
- SECItem alpn_item;
- SECItem ivItem;
-
- /* Turn off stateless session resumption if the client sends a
- * SessionTicket extension, even if the extension turns out to be
- * malformed (ss->sec.ci.sid is non-NULL when doing session
- * renegotiation.)
- */
- if (ss->sec.ci.sid != NULL) {
- ss->sec.uncache(ss->sec.ci.sid);
- ssl_FreeSID(ss->sec.ci.sid);
- ss->sec.ci.sid = NULL;
- }
- extension_data.data = data->data; /* Keep a copy for future use. */
- extension_data.len = data->len;
+ PRUint8 *buffer = decryptedTicket->data;
+ unsigned int len = decryptedTicket->len;
+
+ PORT_Memset(parsedTicket, 0, sizeof(*parsedTicket));
+ parsedTicket->valid = PR_FALSE;
- if (ssl3_ParseEncryptedSessionTicket(ss, data, &enc_session_ticket) !=
- SECSuccess) {
- return SECSuccess; /* Pretend it isn't there */
+ /* If the decrypted ticket is empty, then report success, but leave the
+ * ticket marked as invalid. */
+ if (decryptedTicket->len == 0) {
+ return SECSuccess;
}
- /* Get session ticket keys. */
- rv = ssl3_GetSessionTicketKeys(ss, &aes_key, &mac_key);
+ /* Read ticket version. */
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 2, &buffer, &len);
if (rv != SECSuccess) {
- SSL_DBG(("%d: SSL[%d]: Unable to get/generate session ticket keys.",
- SSL_GETPID(), ss->fd));
- goto loser;
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
}
- /* If the ticket sent by the client was generated under a key different
- * from the one we have, bypass ticket processing.
- */
- if (PORT_Memcmp(enc_session_ticket.key_name, key_name,
- SESS_TICKET_KEY_NAME_LEN) != 0) {
- SSL_DBG(("%d: SSL[%d]: Session ticket key_name sent mismatch.",
- SSL_GETPID(), ss->fd));
- goto no_ticket;
+ /* Skip the ticket if the version is wrong. This won't result in a
+ * handshake failure, just a failure to resume. */
+ if (temp != TLS_EX_SESS_TICKET_VERSION) {
+ return SECSuccess;
}
- /* Verify the MAC on the ticket. MAC verification may also
- * fail if the MAC key has been recently refreshed.
- */
- PORT_Assert(mac_key);
- hmac_ctx = PK11_CreateContextBySymKey(macMech, CKA_SIGN, mac_key, &macParam);
- if (!hmac_ctx) {
- SSL_DBG(("%d: SSL[%d]: Unable to create HMAC context: %d.",
- SSL_GETPID(), ss->fd, PORT_GetError()));
- goto no_ticket;
- } else {
- SSL_DBG(("%d: SSL[%d]: Successfully created HMAC context.",
- SSL_GETPID(), ss->fd));
- }
- rv = PK11_DigestBegin(hmac_ctx);
+ /* Read SSLVersion. */
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 2, &buffer, &len);
if (rv != SECSuccess) {
- PK11_DestroyContext(hmac_ctx, PR_TRUE);
- goto no_ticket;
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
}
- rv = PK11_DigestOp(hmac_ctx, extension_data.data,
- extension_data.len -
- TLS_EX_SESS_TICKET_MAC_LENGTH);
- if (rv != SECSuccess) {
- PK11_DestroyContext(hmac_ctx, PR_TRUE);
- goto no_ticket;
+ parsedTicket->ssl_version = (SSL3ProtocolVersion)temp;
+ if (!ssl3_VersionIsSupported(ss->protocolVariant,
+ parsedTicket->ssl_version)) {
+ /* This socket doesn't support the version from the ticket. */
+ return SECSuccess;
}
- rv = PK11_DigestFinal(hmac_ctx, computed_mac,
- &computed_mac_length, sizeof(computed_mac));
- PK11_DestroyContext(hmac_ctx, PR_TRUE);
- if (rv != SECSuccess)
- goto no_ticket;
- if (NSS_SecureMemcmp(computed_mac, enc_session_ticket.mac,
- computed_mac_length) !=
- 0) {
- SSL_DBG(("%d: SSL[%d]: Session ticket MAC mismatch.",
- SSL_GETPID(), ss->fd));
- goto no_ticket;
+ /* Read cipher_suite. */
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 2, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
}
+ parsedTicket->cipher_suite = (ssl3CipherSuite)temp;
- /* We ignore key_name for now.
- * This is ok as MAC verification succeeded.
- */
-
- /* Decrypt the ticket. */
-
- /* Plaintext is shorter than the ciphertext due to padding. */
- decrypted_state = SECITEM_AllocItem(NULL, NULL,
- enc_session_ticket.encrypted_state.len);
-
- PORT_Assert(aes_key);
- ivItem.data = enc_session_ticket.iv;
- ivItem.len = AES_BLOCK_SIZE;
- aes_ctx = PK11_CreateContextBySymKey(cipherMech, CKA_DECRYPT,
- aes_key, &ivItem);
- if (!aes_ctx) {
- SSL_DBG(("%d: SSL[%d]: Unable to create AES context.",
- SSL_GETPID(), ss->fd));
- goto no_ticket;
+ /* Read compression_method. */
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
}
+ parsedTicket->compression_method = (SSLCompressionMethod)temp;
- rv = PK11_CipherOp(aes_ctx, decrypted_state->data,
- (int *)&decrypted_state->len, decrypted_state->len,
- enc_session_ticket.encrypted_state.data,
- enc_session_ticket.encrypted_state.len);
- PK11_Finalize(aes_ctx);
- PK11_DestroyContext(aes_ctx, PR_TRUE);
- if (rv != SECSuccess)
- goto no_ticket;
-
- /* Check padding. */
- padding_length =
- (PRUint32)decrypted_state->data[decrypted_state->len - 1];
- if (padding_length == 0 || padding_length > AES_BLOCK_SIZE)
- goto no_ticket;
-
- padding = &decrypted_state->data[decrypted_state->len - padding_length];
- for (i = 0; i < padding_length; i++, padding++) {
- if (padding_length != (PRUint32)*padding)
- goto no_ticket;
+ /* Read cipher spec parameters. */
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
}
-
- /* Deserialize session state. */
- buffer = decrypted_state->data;
- buffer_len = decrypted_state->len;
-
- parsed_session_ticket = PORT_ZAlloc(sizeof(SessionTicket));
- if (parsed_session_ticket == NULL) {
- rv = SECFailure;
- goto loser;
+ parsedTicket->authType = (SSLAuthType)temp;
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
}
+ parsedTicket->authKeyBits = temp;
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ parsedTicket->keaType = (SSLKEAType)temp;
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ parsedTicket->keaKeyBits = temp;
- /* Read ticket_version and reject if the version is wrong */
- temp = ssl3_ExtConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
- if (temp != TLS_EX_SESS_TICKET_VERSION)
- goto no_ticket;
-
- parsed_session_ticket->ticket_version = (SSL3ProtocolVersion)temp;
-
- /* Read SSLVersion. */
- temp = ssl3_ExtConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
- if (temp < 0)
- goto no_ticket;
- parsed_session_ticket->ssl_version = (SSL3ProtocolVersion)temp;
+ /* Read the optional named curve. */
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ if (parsedTicket->authType == ssl_auth_ecdsa ||
+ parsedTicket->authType == ssl_auth_ecdh_rsa ||
+ parsedTicket->authType == ssl_auth_ecdh_ecdsa) {
+ const sslNamedGroupDef *group =
+ ssl_LookupNamedGroup((SSLNamedGroup)temp);
+ if (!group || group->keaType != ssl_kea_ecdh) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ parsedTicket->namedCurve = group;
+ }
- /* Read cipher_suite. */
- temp = ssl3_ExtConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
- if (temp < 0)
- goto no_ticket;
- parsed_session_ticket->cipher_suite = (ssl3CipherSuite)temp;
+ /* Read the master secret (and how it is wrapped). */
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ PORT_Assert(temp == PR_TRUE || temp == PR_FALSE);
+ parsedTicket->ms_is_wrapped = (PRBool)temp;
- /* Read compression_method. */
- temp = ssl3_ExtConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
- if (temp < 0)
- goto no_ticket;
- parsed_session_ticket->compression_method = (SSLCompressionMethod)temp;
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ parsedTicket->msWrapMech = (CK_MECHANISM_TYPE)temp;
- /* Read cipher spec parameters. */
- temp = ssl3_ExtConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
- if (temp < 0)
- goto no_ticket;
- parsed_session_ticket->authType = (SSLAuthType)temp;
- temp = ssl3_ExtConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
- if (temp < 0)
- goto no_ticket;
- parsed_session_ticket->authKeyBits = (PRUint32)temp;
- temp = ssl3_ExtConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
- if (temp < 0)
- goto no_ticket;
- parsed_session_ticket->keaType = (SSLKEAType)temp;
- temp = ssl3_ExtConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
- if (temp < 0)
- goto no_ticket;
- parsed_session_ticket->keaKeyBits = (PRUint32)temp;
-
- /* Read certificate slot */
- parsed_session_ticket->certType.authType = parsed_session_ticket->authType;
- temp = ssl3_ExtConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
- if (temp < 0)
- goto no_ticket;
- switch (parsed_session_ticket->authType) {
- case ssl_auth_ecdsa:
- case ssl_auth_ecdh_rsa:
- case ssl_auth_ecdh_ecdsa: {
- const sslNamedGroupDef *group =
- ssl_LookupNamedGroup((SSLNamedGroup)temp);
- if (!group || group->keaType != ssl_kea_ecdh) {
- goto no_ticket;
- }
- parsed_session_ticket->certType.namedCurve = group;
- } break;
- default:
- break;
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 2, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
}
+ if (temp == 0 || temp > sizeof(parsedTicket->master_secret)) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ parsedTicket->ms_length = (PRUint16)temp;
- /* Read wrapped master_secret. */
- temp = ssl3_ExtConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
- if (temp < 0)
- goto no_ticket;
- parsed_session_ticket->ms_is_wrapped = (PRBool)temp;
-
- temp = ssl3_ExtConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
- if (temp < 0)
- goto no_ticket;
- parsed_session_ticket->msWrapMech = (CK_MECHANISM_TYPE)temp;
-
- temp = ssl3_ExtConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
- if (temp < 0)
- goto no_ticket;
- parsed_session_ticket->ms_length = (PRUint16)temp;
- if (parsed_session_ticket->ms_length == 0 || /* sanity check MS. */
- parsed_session_ticket->ms_length >
- sizeof(parsed_session_ticket->master_secret))
- goto no_ticket;
-
- /* Allow for the wrapped master secret to be longer. */
- if (buffer_len < parsed_session_ticket->ms_length)
- goto no_ticket;
- PORT_Memcpy(parsed_session_ticket->master_secret, buffer,
- parsed_session_ticket->ms_length);
- buffer += parsed_session_ticket->ms_length;
- buffer_len -= parsed_session_ticket->ms_length;
-
- /* Read client_identity */
- temp = ssl3_ExtConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
- if (temp < 0)
- goto no_ticket;
- parsed_session_ticket->client_identity.client_auth_type =
- (ClientAuthenticationType)temp;
- switch (parsed_session_ticket->client_identity.client_auth_type) {
+ /* Read the master secret. */
+ rv = ssl3_ExtConsumeHandshake(ss, parsedTicket->master_secret,
+ parsedTicket->ms_length, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ /* Read client identity */
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ parsedTicket->client_auth_type = (ClientAuthenticationType)temp;
+ switch (parsedTicket->client_auth_type) {
case CLIENT_AUTH_ANONYMOUS:
break;
case CLIENT_AUTH_CERTIFICATE:
- rv = ssl3_ExtConsumeHandshakeVariable(ss, &cert_item, 3,
- &buffer, &buffer_len);
- if (rv != SECSuccess)
- goto no_ticket;
- rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->peer_cert,
- &cert_item);
- if (rv != SECSuccess)
- goto no_ticket;
+ rv = ssl3_ExtConsumeHandshakeVariable(ss, &parsedTicket->peer_cert, 2,
+ &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
break;
default:
- goto no_ticket;
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
}
/* Read timestamp. */
- temp = ssl3_ExtConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
- if (temp < 0)
- goto no_ticket;
- parsed_session_ticket->timestamp = (PRUint32)temp;
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ parsedTicket->timestamp = temp;
/* Read server name */
- nameType =
- ssl3_ExtConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
- if (nameType != TLS_STE_NO_SERVER_NAME) {
- SECItem name_item;
- rv = ssl3_ExtConsumeHandshakeVariable(ss, &name_item, 2, &buffer,
- &buffer_len);
- if (rv != SECSuccess)
- goto no_ticket;
- rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->srvName,
- &name_item);
- if (rv != SECSuccess)
- goto no_ticket;
- parsed_session_ticket->srvName.type = nameType;
+ rv = ssl3_ExtConsumeHandshakeVariable(ss, &parsedTicket->srvName, 2,
+ &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
}
/* Read extendedMasterSecretUsed */
- temp = ssl3_ExtConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
- if (temp < 0)
- goto no_ticket;
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
PORT_Assert(temp == PR_TRUE || temp == PR_FALSE);
- parsed_session_ticket->extendedMasterSecretUsed = (PRBool)temp;
+ parsedTicket->extendedMasterSecretUsed = (PRBool)temp;
- rv = ssl3_ExtConsumeHandshake(ss, &parsed_session_ticket->flags, 4,
- &buffer, &buffer_len);
- if (rv != SECSuccess)
- goto no_ticket;
- parsed_session_ticket->flags = PR_ntohl(parsed_session_ticket->flags);
+ rv = ssl3_ExtConsumeHandshake(ss, &temp, 4, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ parsedTicket->flags = PR_ntohl(temp);
- rv = ssl3_ExtConsumeHandshakeVariable(ss, &alpn_item, 1, &buffer, &buffer_len);
- if (rv != SECSuccess)
- goto no_ticket;
- if (alpn_item.len != 0) {
- rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->alpnSelection,
- &alpn_item);
- if (rv != SECSuccess)
- goto no_ticket;
- if (alpn_item.len >= 256)
- goto no_ticket;
+ rv = ssl3_ExtConsumeHandshakeVariable(ss, &parsedTicket->alpnSelection, 1,
+ &buffer, &len);
+ PORT_Assert(parsedTicket->alpnSelection.len < 256);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
}
+ parsedTicket->maxEarlyData = temp;
+#ifndef UNSAFE_FUZZER_MODE
/* Done parsing. Check that all bytes have been consumed. */
- if (buffer_len != padding_length)
- goto no_ticket;
+ if (len != 0) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+#endif
- /* Use the ticket if it has not expired, otherwise free the allocated
- * memory since the ticket is of no use.
- */
- if (parsed_session_ticket->timestamp != 0 &&
- parsed_session_ticket->timestamp +
- TLS_EX_SESS_TICKET_LIFETIME_HINT >
- ssl_Time()) {
-
- sid = ssl3_NewSessionID(ss, PR_TRUE);
- if (sid == NULL) {
- rv = SECFailure;
+ parsedTicket->valid = PR_TRUE;
+ return SECSuccess;
+}
+
+static SECStatus
+ssl_CreateSIDFromTicket(sslSocket *ss, const SECItem *rawTicket,
+ SessionTicket *parsedTicket, sslSessionID **out)
+{
+ sslSessionID *sid;
+ SECStatus rv;
+
+ sid = ssl3_NewSessionID(ss, PR_TRUE);
+ if (sid == NULL) {
+ return SECFailure;
+ }
+
+ /* Copy over parameters. */
+ sid->version = parsedTicket->ssl_version;
+ sid->u.ssl3.cipherSuite = parsedTicket->cipher_suite;
+ sid->u.ssl3.compression = parsedTicket->compression_method;
+ sid->authType = parsedTicket->authType;
+ sid->authKeyBits = parsedTicket->authKeyBits;
+ sid->keaType = parsedTicket->keaType;
+ sid->keaKeyBits = parsedTicket->keaKeyBits;
+ sid->namedCurve = parsedTicket->namedCurve;
+
+ rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.locked.sessionTicket.ticket,
+ rawTicket);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ sid->u.ssl3.locked.sessionTicket.flags = parsedTicket->flags;
+ sid->u.ssl3.locked.sessionTicket.max_early_data_size =
+ parsedTicket->maxEarlyData;
+
+ if (parsedTicket->ms_length >
+ sizeof(sid->u.ssl3.keys.wrapped_master_secret)) {
+ goto loser;
+ }
+ PORT_Memcpy(sid->u.ssl3.keys.wrapped_master_secret,
+ parsedTicket->master_secret, parsedTicket->ms_length);
+ sid->u.ssl3.keys.wrapped_master_secret_len = parsedTicket->ms_length;
+ sid->u.ssl3.masterWrapMech = parsedTicket->msWrapMech;
+ sid->u.ssl3.keys.msIsWrapped = parsedTicket->ms_is_wrapped;
+ sid->u.ssl3.masterValid = PR_TRUE;
+ sid->u.ssl3.keys.resumable = PR_TRUE;
+ sid->u.ssl3.keys.extendedMasterSecretUsed = parsedTicket->extendedMasterSecretUsed;
+
+ /* Copy over client cert from session ticket if there is one. */
+ if (parsedTicket->peer_cert.data != NULL) {
+ PORT_Assert(!sid->peerCert);
+ sid->peerCert = CERT_NewTempCertificate(ss->dbHandle,
+ &parsedTicket->peer_cert,
+ NULL, PR_FALSE, PR_TRUE);
+ if (!sid->peerCert) {
goto loser;
}
+ }
- /* Copy over parameters. */
- sid->version = parsed_session_ticket->ssl_version;
- sid->u.ssl3.cipherSuite = parsed_session_ticket->cipher_suite;
- sid->u.ssl3.compression = parsed_session_ticket->compression_method;
- sid->authType = parsed_session_ticket->authType;
- sid->authKeyBits = parsed_session_ticket->authKeyBits;
- sid->keaType = parsed_session_ticket->keaType;
- sid->keaKeyBits = parsed_session_ticket->keaKeyBits;
- memcpy(&sid->certType, &parsed_session_ticket->certType,
- sizeof(sslServerCertType));
-
- if (SECITEM_CopyItem(NULL, &sid->u.ssl3.locked.sessionTicket.ticket,
- &extension_data) != SECSuccess)
- goto no_ticket;
- sid->u.ssl3.locked.sessionTicket.flags = parsed_session_ticket->flags;
-
- if (parsed_session_ticket->ms_length >
- sizeof(sid->u.ssl3.keys.wrapped_master_secret))
- goto no_ticket;
- PORT_Memcpy(sid->u.ssl3.keys.wrapped_master_secret,
- parsed_session_ticket->master_secret,
- parsed_session_ticket->ms_length);
- sid->u.ssl3.keys.wrapped_master_secret_len =
- parsed_session_ticket->ms_length;
- sid->u.ssl3.masterWrapMech = parsed_session_ticket->msWrapMech;
- sid->u.ssl3.keys.msIsWrapped =
- parsed_session_ticket->ms_is_wrapped;
- sid->u.ssl3.masterValid = PR_TRUE;
- sid->u.ssl3.keys.resumable = PR_TRUE;
- sid->u.ssl3.keys.extendedMasterSecretUsed = parsed_session_ticket->extendedMasterSecretUsed;
-
- /* Copy over client cert from session ticket if there is one. */
- if (parsed_session_ticket->peer_cert.data != NULL) {
- if (sid->peerCert != NULL)
- CERT_DestroyCertificate(sid->peerCert);
- sid->peerCert = CERT_NewTempCertificate(ss->dbHandle,
- &parsed_session_ticket->peer_cert, NULL, PR_FALSE, PR_TRUE);
- if (sid->peerCert == NULL) {
- rv = SECFailure;
- goto loser;
- }
+ /* Transfer ownership of the remaining items. */
+ if (parsedTicket->srvName.data != NULL) {
+ SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE);
+ rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.srvName,
+ &parsedTicket->srvName);
+ if (rv != SECSuccess) {
+ goto loser;
}
- if (parsed_session_ticket->srvName.data != NULL) {
- if (sid->u.ssl3.srvName.data) {
- SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE);
- }
- sid->u.ssl3.srvName = parsed_session_ticket->srvName;
+ }
+ if (parsedTicket->alpnSelection.data != NULL) {
+ rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.alpnSelection,
+ &parsedTicket->alpnSelection);
+ if (rv != SECSuccess) {
+ goto loser;
}
- if (parsed_session_ticket->alpnSelection.data != NULL) {
- sid->u.ssl3.alpnSelection = parsed_session_ticket->alpnSelection;
- /* So we don't free below. */
- parsed_session_ticket->alpnSelection.data = NULL;
+ }
+
+ *out = sid;
+ return SECSuccess;
+
+loser:
+ ssl_FreeSID(sid);
+ return SECFailure;
+}
+
+/* Generic ticket processing code, common to all TLS versions. */
+SECStatus
+ssl3_ProcessSessionTicketCommon(sslSocket *ss, SECItem *data)
+{
+ SECItem decryptedTicket = { siBuffer, NULL, 0 };
+ SessionTicket parsedTicket;
+ SECStatus rv;
+
+ if (ss->sec.ci.sid != NULL) {
+ ss->sec.uncache(ss->sec.ci.sid);
+ ssl_FreeSID(ss->sec.ci.sid);
+ ss->sec.ci.sid = NULL;
+ }
+
+ if (!SECITEM_AllocItem(NULL, &decryptedTicket, data->len)) {
+ return SECFailure;
+ }
+
+ /* Decrypt the ticket. */
+ rv = ssl_SelfEncryptUnprotect(ss, data->data, data->len,
+ decryptedTicket.data,
+ &decryptedTicket.len,
+ decryptedTicket.len);
+ if (rv != SECSuccess) {
+ SECITEM_ZfreeItem(&decryptedTicket, PR_FALSE);
+
+ /* Fail with no ticket if we're not a recipient. Otherwise
+ * it's a hard failure. */
+ if (PORT_GetError() != SEC_ERROR_NOT_A_RECIPIENT) {
+ SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
+ return SECFailure;
}
- ss->statelessResume = PR_TRUE;
- ss->sec.ci.sid = sid;
+
+ /* We didn't have the right key, so pretend we don't have a
+ * ticket. */
}
- if (0) {
- no_ticket:
+ rv = ssl_ParseSessionTicket(ss, &decryptedTicket, &parsedTicket);
+ if (rv != SECSuccess) {
+ SSL3Statistics *ssl3stats;
+
SSL_DBG(("%d: SSL[%d]: Session ticket parsing failed.",
SSL_GETPID(), ss->fd));
ssl3stats = SSL_GetStatistics();
SSL_AtomicIncrementLong(&ssl3stats->hch_sid_ticket_parse_failures);
+ goto loser; /* code already set */
}
- rv = SECSuccess;
-loser:
- /* ss->sec.ci.sid == sid if it did NOT come here via goto statement
- * in that case do not free sid
- */
- if (sid && (ss->sec.ci.sid != sid)) {
- ssl_FreeSID(sid);
- sid = NULL;
- }
- if (decrypted_state != NULL) {
- SECITEM_FreeItem(decrypted_state, PR_TRUE);
- decrypted_state = NULL;
- }
+ /* Use the ticket if it is valid and unexpired. */
+ if (parsedTicket.valid &&
+ parsedTicket.timestamp + ssl_ticket_lifetime > ssl_Time()) {
+ sslSessionID *sid;
- if (parsed_session_ticket != NULL) {
- if (parsed_session_ticket->peer_cert.data) {
- SECITEM_FreeItem(&parsed_session_ticket->peer_cert, PR_FALSE);
- }
- if (parsed_session_ticket->alpnSelection.data) {
- SECITEM_FreeItem(&parsed_session_ticket->alpnSelection, PR_FALSE);
+ rv = ssl_CreateSIDFromTicket(ss, data, &parsedTicket, &sid);
+ if (rv != SECSuccess) {
+ goto loser; /* code already set */
}
- PORT_ZFree(parsed_session_ticket, sizeof(SessionTicket));
+ ss->statelessResume = PR_TRUE;
+ ss->sec.ci.sid = sid;
}
- return rv;
+ SECITEM_ZfreeItem(&decryptedTicket, PR_FALSE);
+ PORT_Memset(&parsedTicket, 0, sizeof(parsedTicket));
+ return SECSuccess;
+
+loser:
+ SECITEM_ZfreeItem(&decryptedTicket, PR_FALSE);
+ PORT_Memset(&parsedTicket, 0, sizeof(parsedTicket));
+ return SECFailure;
}
SECStatus
@@ -1798,23 +1480,6 @@ ssl3_ServerHandleSessionTicketXtn(const sslSocket *ss, TLSExtensionData *xtnData
return ssl3_ProcessSessionTicketCommon(CONST_CAST(sslSocket, ss), data);
}
-/*
- * Read bytes. Using this function means the SECItem structure
- * cannot be freed. The caller is expected to call this function
- * on a shallow copy of the structure.
- */
-static SECStatus
-ssl3_ConsumeFromItem(SECItem *item, unsigned char **buf, PRUint32 bytes)
-{
- if (bytes > item->len)
- return SECFailure;
-
- *buf = item->data;
- item->data += bytes;
- item->len -= bytes;
- return SECSuccess;
-}
-
/* Extension format:
* Extension number: 2 bytes
* Extension length: 2 bytes
@@ -2145,7 +1810,8 @@ ssl3_ServerHandleSigAlgsXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUi
&xtnData->clientSigSchemes,
&xtnData->numClientSigScheme,
&data->data, &data->len);
- if (rv != SECSuccess) {
+ if (rv != SECSuccess || xtnData->numClientSigScheme == 0) {
+ ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
return SECFailure;
}
@@ -2216,55 +1882,73 @@ ssl3_ClientSendSigAlgsXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRBool
/* Takes the size of the ClientHello, less the record header, and determines how
* much padding is required. */
-unsigned int
-ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength)
+void
+ssl3_CalculatePaddingExtLen(sslSocket *ss,
+ unsigned int clientHelloLength)
{
unsigned int recordLength = 1 /* handshake message type */ +
3 /* handshake message length */ +
clientHelloLength;
- unsigned int extensionLength;
+ unsigned int extensionLen;
+
+ /* Don't pad for DTLS, for SSLv3, or for renegotiation. */
+ if (IS_DTLS(ss) ||
+ ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_0 ||
+ ss->firstHsDone) {
+ return;
+ }
+ /* A padding extension may be included to ensure that the record containing
+ * the ClientHello doesn't have a length between 256 and 511 bytes
+ * (inclusive). Initial ClientHello records with such lengths trigger bugs
+ * in F5 devices. */
if (recordLength < 256 || recordLength >= 512) {
- return 0;
+ return;
}
- extensionLength = 512 - recordLength;
+ extensionLen = 512 - recordLength;
/* Extensions take at least four bytes to encode. Always include at least
- * one byte of data if including the extension. Some servers (e.g.
- * WebSphere Application Server 7.0 and Tomcat) will time out or terminate
- * the connection if the last extension in the client hello is empty. */
- if (extensionLength < 4 + 1) {
- extensionLength = 4 + 1;
+ * one byte of data if we are padding. Some servers will time out or
+ * terminate the connection if the last ClientHello extension is empty. */
+ if (extensionLen < 4 + 1) {
+ extensionLen = 4 + 1;
}
- return extensionLength;
+ ss->xtnData.paddingLen = extensionLen - 4;
}
-/* ssl3_AppendPaddingExtension possibly adds an extension which ensures that a
+/* ssl3_SendPaddingExtension possibly adds an extension which ensures that a
* ClientHello record is either < 256 bytes or is >= 512 bytes. This ensures
* that we don't trigger bugs in F5 products. */
PRInt32
-ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen,
- PRUint32 maxBytes)
+ssl3_ClientSendPaddingExtension(const sslSocket *ss, TLSExtensionData *xtnData,
+ PRBool append, PRUint32 maxBytes)
{
- unsigned int paddingLen = extensionLen - 4;
- static unsigned char padding[252];
+ static unsigned char padding[252] = { 0 };
+ unsigned int extensionLen;
+ SECStatus rv;
- if (extensionLen == 0) {
+ /* On the length-calculation pass, report zero total length. The record
+ * will be larger on the second pass if needed. */
+ if (!append || !xtnData->paddingLen) {
return 0;
}
+ extensionLen = xtnData->paddingLen + 4;
if (extensionLen > maxBytes ||
- !paddingLen ||
- paddingLen > sizeof(padding)) {
+ xtnData->paddingLen > sizeof(padding)) {
PORT_Assert(0);
return -1;
}
- if (SECSuccess != ssl3_ExtAppendHandshakeNumber(ss, ssl_padding_xtn, 2))
+ rv = ssl3_ExtAppendHandshakeNumber(ss, ssl_padding_xtn, 2);
+ if (rv != SECSuccess) {
return -1;
- if (SECSuccess != ssl3_ExtAppendHandshakeVariable(ss, padding, paddingLen, 2))
+ }
+ rv = ssl3_ExtAppendHandshakeVariable(ss, padding, xtnData->paddingLen, 2);
+ if (rv != SECSuccess) {
return -1;
+ }
return extensionLen;
}
@@ -2321,6 +2005,7 @@ ssl3_HandleExtendedMasterSecretXtn(const sslSocket *ss, TLSExtensionData *xtnDat
if (data->len != 0) {
SSL_TRC(30, ("%d: SSL3[%d]: Bogus extended master secret extension",
SSL_GETPID(), ss->fd));
+ ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
return SECFailure;
}
@@ -2445,6 +2130,12 @@ ssl3_ServerHandleSignedCertTimestampXtn(const sslSocket *ss,
PRUint16 ex_type,
SECItem *data)
{
+ if (data->len != 0) {
+ ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
+ PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
+ return SECFailure;
+ }
+
xtnData->negotiated[xtnData->numNegotiated++] = ex_type;
PORT_Assert(ss->sec.isServer);
return ssl3_RegisterExtensionSender(
@@ -2484,7 +2175,8 @@ ssl3_HandleSupportedPointFormatsXtn(const sslSocket *ss, TLSExtensionData *xtnDa
static SECStatus
ssl_UpdateSupportedGroups(sslSocket *ss, SECItem *data)
{
- PRInt32 list_len;
+ SECStatus rv;
+ PRUint32 list_len;
unsigned int i;
const sslNamedGroupDef *enabled[SSL_NAMED_GROUP_COUNT] = { 0 };
PORT_Assert(SSL_NAMED_GROUP_COUNT == PR_ARRAY_SIZE(enabled));
@@ -2495,8 +2187,8 @@ ssl_UpdateSupportedGroups(sslSocket *ss, SECItem *data)
}
/* get the length of elliptic_curve_list */
- list_len = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
- if (list_len < 0 || data->len != list_len || (data->len % 2) != 0) {
+ rv = ssl3_ConsumeHandshakeNumber(ss, &list_len, 2, &data->data, &data->len);
+ if (rv != SECSuccess || data->len != list_len || (data->len % 2) != 0) {
(void)ssl3_DecodeError(ss);
return SECFailure;
}
@@ -2510,9 +2202,10 @@ ssl_UpdateSupportedGroups(sslSocket *ss, SECItem *data)
/* Read groups from data and enable if in |enabled| */
while (data->len) {
const sslNamedGroupDef *group;
- PRInt32 curve_name =
- ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
- if (curve_name < 0) {
+ PRUint32 curve_name;
+ rv = ssl3_ConsumeHandshakeNumber(ss, &curve_name, 2, &data->data,
+ &data->len);
+ if (rv != SECSuccess) {
return SECFailure; /* fatal alert already sent */
}
group = ssl_LookupNamedGroup(curve_name);