/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "pk11pub.h" #include "ssl.h" #include "sslimpl.h" #include "sslproto.h" #include "tls13hkdf.h" #include "tls13psk.h" #include "tls13subcerts.h" SECStatus SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, PRUintn len) { sslSocket *ss; SSLChannelInfo inf; sslSessionID *sid; /* Check if we can properly return the length of data written and that * we're not asked to return more information than we know how to provide. */ if (!info || len < sizeof inf.length || len > sizeof inf) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } ss = ssl_FindSocket(fd); if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetChannelInfo", SSL_GETPID(), fd)); return SECFailure; } memset(&inf, 0, sizeof inf); inf.length = PR_MIN(sizeof inf, len); if (ss->opt.useSecurity && ss->enoughFirstHsDone) { SSLCipherSuiteInfo cinfo; SECStatus rv; sid = ss->sec.ci.sid; inf.protocolVersion = ss->version; inf.authKeyBits = ss->sec.authKeyBits; inf.keaKeyBits = ss->sec.keaKeyBits; ssl_GetSpecReadLock(ss); /* XXX The cipher suite should be in the specs and this * function should get it from cwSpec rather than from the "hs". * See bug 275744 comment 69 and bug 766137. */ inf.cipherSuite = ss->ssl3.hs.cipher_suite; ssl_ReleaseSpecReadLock(ss); inf.compressionMethod = ssl_compression_null; inf.compressionMethodName = "NULL"; /* Fill in the cipher details from the cipher suite. */ rv = SSL_GetCipherSuiteInfo(inf.cipherSuite, &cinfo, sizeof(cinfo)); if (rv != SECSuccess) { return SECFailure; /* Error code already set. */ } inf.symCipher = cinfo.symCipher; inf.macAlgorithm = cinfo.macAlgorithm; /* Get these fromm |ss->sec| because that is accurate * even with TLS 1.3 disaggregated cipher suites. */ inf.keaType = ss->sec.keaType; inf.originalKeaGroup = ss->sec.originalKeaGroup ? ss->sec.originalKeaGroup->name : ssl_grp_none; inf.keaGroup = ss->sec.keaGroup ? ss->sec.keaGroup->name : ssl_grp_none; inf.keaKeyBits = ss->sec.keaKeyBits; inf.authType = ss->sec.authType; inf.authKeyBits = ss->sec.authKeyBits; inf.signatureScheme = ss->sec.signatureScheme; /* If this is a resumed session, signatureScheme isn't set in ss->sec. * Use the signature scheme from the previous handshake. */ if (inf.signatureScheme == ssl_sig_none && sid->sigScheme) { inf.signatureScheme = sid->sigScheme; } inf.resumed = ss->statelessResume || ss->ssl3.hs.isResuming; if (inf.resumed) { inf.pskType = ssl_psk_resume; } else if (inf.authType == ssl_auth_psk) { inf.pskType = ssl_psk_external; } else { inf.pskType = ssl_psk_none; } inf.peerDelegCred = tls13_IsVerifyingWithDelegatedCredential(ss); inf.echAccepted = ss->ssl3.hs.echAccepted; if (sid) { unsigned int sidLen; inf.creationTime = sid->creationTime / PR_USEC_PER_SEC; inf.lastAccessTime = sid->lastAccessTime / PR_USEC_PER_SEC; inf.expirationTime = sid->expirationTime / PR_USEC_PER_SEC; inf.extendedMasterSecretUsed = (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3 || sid->u.ssl3.keys.extendedMasterSecretUsed) ? PR_TRUE : PR_FALSE; inf.earlyDataAccepted = (ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted || ss->ssl3.hs.zeroRttState == ssl_0rtt_done); sidLen = sid->u.ssl3.sessionIDLength; sidLen = PR_MIN(sidLen, sizeof inf.sessionID); inf.sessionIDLength = sidLen; memcpy(inf.sessionID, sid->u.ssl3.sessionID, sidLen); inf.isFIPS = ssl_isFIPS(ss); } } memcpy(info, &inf, inf.length); return SECSuccess; } SECStatus SSL_GetPreliminaryChannelInfo(PRFileDesc *fd, SSLPreliminaryChannelInfo *info, PRUintn len) { sslSocket *ss; SSLPreliminaryChannelInfo inf; /* Check if we can properly return the length of data written and that * we're not asked to return more information than we know how to provide. */ if (!info || len < sizeof inf.length || len > sizeof inf) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } ss = ssl_FindSocket(fd); if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetPreliminaryChannelInfo", SSL_GETPID(), fd)); return SECFailure; } memset(&inf, 0, sizeof(inf)); inf.length = PR_MIN(sizeof(inf), len); inf.valuesSet = ss->ssl3.hs.preliminaryInfo; inf.protocolVersion = ss->version; inf.cipherSuite = ss->ssl3.hs.cipher_suite; inf.canSendEarlyData = !ss->sec.isServer && (ss->ssl3.hs.zeroRttState == ssl_0rtt_sent || ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted); /* We shouldn't be able to send early data if the handshake is done. */ PORT_Assert(!ss->firstHsDone || !inf.canSendEarlyData); if (ss->sec.ci.sid && (ss->ssl3.hs.zeroRttState == ssl_0rtt_sent || ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted)) { if (ss->statelessResume) { inf.maxEarlyDataSize = ss->sec.ci.sid->u.ssl3.locked.sessionTicket.max_early_data_size; } else if (ss->psk) { /* We may have cleared the handshake list, so check the socket. * This is permissable since we only support one EPSK at a time. */ inf.maxEarlyDataSize = ss->psk->maxEarlyData; } } else { inf.maxEarlyDataSize = 0; } inf.zeroRttCipherSuite = ss->ssl3.hs.zeroRttSuite; inf.peerDelegCred = tls13_IsVerifyingWithDelegatedCredential(ss); inf.authKeyBits = ss->sec.authKeyBits; inf.signatureScheme = ss->sec.signatureScheme; inf.echAccepted = ss->ssl3.hs.echAccepted; /* Only expose this if the application should use it for verification. */ inf.echPublicName = (inf.echAccepted == PR_FALSE) ? ss->ssl3.hs.echPublicName : NULL; memcpy(info, &inf, inf.length); return SECSuccess; } /* name */ #define CS_(x) x, #x #define CS(x) CS_(TLS_##x) /* legacy values for authAlgorithm */ #define S_DSA "DSA", ssl_auth_dsa /* S_RSA is incorrect for signature-based suites */ /* ECDH suites incorrectly report S_RSA or S_ECDSA */ #define S_RSA "RSA", ssl_auth_rsa_decrypt #define S_ECDSA "ECDSA", ssl_auth_ecdsa #define S_PSK "PSK", ssl_auth_psk #define S_ANY "TLS 1.3", ssl_auth_tls13_any /* real authentication algorithm */ #define A_DSA ssl_auth_dsa #define A_RSAD ssl_auth_rsa_decrypt #define A_RSAS ssl_auth_rsa_sign #define A_ECDSA ssl_auth_ecdsa #define A_ECDH_R ssl_auth_ecdh_rsa #define A_ECDH_E ssl_auth_ecdh_ecdsa #define A_PSK ssl_auth_psk /* Report ssl_auth_null for export suites that can't decide between * ssl_auth_rsa_sign and ssl_auth_rsa_decrypt. */ #define A_EXP ssl_auth_null #define A_ANY ssl_auth_tls13_any /* key exchange */ #define K_DHE "DHE", ssl_kea_dh #define K_RSA "RSA", ssl_kea_rsa #define K_KEA "KEA", ssl_kea_kea #define K_ECDH "ECDH", ssl_kea_ecdh #define K_ECDHE "ECDHE", ssl_kea_ecdh #define K_ECDHE_PSK "ECDHE-PSK", ssl_kea_ecdh_psk #define K_DHE_PSK "DHE-PSK", ssl_kea_dh_psk #define K_ANY "TLS 1.3", ssl_kea_tls13_any /* record protection cipher */ #define C_SEED "SEED", ssl_calg_seed #define C_CAMELLIA "CAMELLIA", ssl_calg_camellia #define C_AES "AES", ssl_calg_aes #define C_RC4 "RC4", ssl_calg_rc4 #define C_RC2 "RC2", ssl_calg_rc2 #define C_DES "DES", ssl_calg_des #define C_3DES "3DES", ssl_calg_3des #define C_NULL "NULL", ssl_calg_null #define C_SJ "SKIPJACK", ssl_calg_sj #define C_AESGCM "AES-GCM", ssl_calg_aes_gcm #define C_CHACHA20 "CHACHA20POLY1305", ssl_calg_chacha20 /* "block cipher" sizes */ #define B_256 256, 256, 256 #define B_128 128, 128, 128 #define B_3DES 192, 156, 112 #define B_SJ 96, 80, 80 #define B_DES 64, 56, 56 #define B_56 128, 56, 56 #define B_40 128, 40, 40 #define B_0 0, 0, 0 /* "mac algorithm" and size */ #define M_AEAD_128 "AEAD", ssl_mac_aead, 128 #define M_SHA384 "SHA384", ssl_hmac_sha384, 384 #define M_SHA256 "SHA256", ssl_hmac_sha256, 256 #define M_SHA "SHA1", ssl_mac_sha, 160 #define M_MD5 "MD5", ssl_mac_md5, 128 #define M_NULL "NULL", ssl_mac_null, 0 /* flags: FIPS, exportable, nonstandard, reserved */ #define F_FIPS_STD 1, 0, 0, 0 #define F_FIPS_NSTD 1, 0, 1, 0 #define F_NFIPS_STD 0, 0, 0, 0 #define F_NFIPS_NSTD 0, 0, 1, 0 /* i.e., trash */ #define F_EXPORT 0, 1, 0, 0 /* i.e., trash */ // RFC 5705 #define MAX_CONTEXT_LEN PR_UINT16_MAX - 1 static const SSLCipherSuiteInfo suiteInfo[] = { /* <------ Cipher suite --------------------> */ { 0, CS_(TLS_AES_128_GCM_SHA256), S_ANY, K_ANY, C_AESGCM, B_128, M_AEAD_128, F_FIPS_STD, A_ANY, ssl_hash_sha256 }, { 0, CS_(TLS_CHACHA20_POLY1305_SHA256), S_ANY, K_ANY, C_CHACHA20, B_256, M_AEAD_128, F_NFIPS_STD, A_ANY, ssl_hash_sha256 }, { 0, CS_(TLS_AES_256_GCM_SHA384), S_ANY, K_ANY, C_AESGCM, B_256, M_AEAD_128, F_FIPS_STD, A_ANY, ssl_hash_sha384 }, { 0, CS(RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_RSA, C_AESGCM, B_128, M_AEAD_128, F_FIPS_STD, A_RSAD, ssl_hash_sha256 }, { 0, CS(DHE_RSA_WITH_CHACHA20_POLY1305_SHA256), S_RSA, K_DHE, C_CHACHA20, B_256, M_AEAD_128, F_NFIPS_STD, A_RSAS, ssl_hash_sha256 }, { 0, CS(DHE_RSA_WITH_CAMELLIA_256_CBC_SHA), S_RSA, K_DHE, C_CAMELLIA, B_256, M_SHA, F_NFIPS_STD, A_RSAS, ssl_hash_none }, { 0, CS(DHE_DSS_WITH_CAMELLIA_256_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_256, M_SHA, F_NFIPS_STD, A_DSA, ssl_hash_none }, { 0, CS(DHE_RSA_WITH_AES_256_CBC_SHA256), S_RSA, K_DHE, C_AES, B_256, M_SHA256, F_FIPS_STD, A_RSAS, ssl_hash_sha256 }, { 0, CS(DHE_RSA_WITH_AES_256_CBC_SHA), S_RSA, K_DHE, C_AES, B_256, M_SHA, F_FIPS_STD, A_RSAS, ssl_hash_none }, { 0, CS(DHE_DSS_WITH_AES_256_CBC_SHA), S_DSA, K_DHE, C_AES, B_256, M_SHA, F_FIPS_STD, A_DSA, ssl_hash_none }, { 0, CS(DHE_DSS_WITH_AES_256_CBC_SHA256), S_DSA, K_DHE, C_AES, B_256, M_SHA256, F_FIPS_STD, A_DSA, ssl_hash_sha256 }, { 0, CS(RSA_WITH_CAMELLIA_256_CBC_SHA), S_RSA, K_RSA, C_CAMELLIA, B_256, M_SHA, F_NFIPS_STD, A_RSAD, ssl_hash_none }, { 0, CS(RSA_WITH_AES_256_CBC_SHA256), S_RSA, K_RSA, C_AES, B_256, M_SHA256, F_FIPS_STD, A_RSAD, ssl_hash_sha256 }, { 0, CS(RSA_WITH_AES_256_CBC_SHA), S_RSA, K_RSA, C_AES, B_256, M_SHA, F_FIPS_STD, A_RSAD, ssl_hash_none }, { 0, CS(DHE_RSA_WITH_CAMELLIA_128_CBC_SHA), S_RSA, K_DHE, C_CAMELLIA, B_128, M_SHA, F_NFIPS_STD, A_RSAS, ssl_hash_none }, { 0, CS(DHE_DSS_WITH_CAMELLIA_128_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_128, M_SHA, F_NFIPS_STD, A_DSA, ssl_hash_none }, { 0, CS(DHE_DSS_WITH_RC4_128_SHA), S_DSA, K_DHE, C_RC4, B_128, M_SHA, F_NFIPS_STD, A_DSA, ssl_hash_none }, { 0, CS(DHE_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_DHE, C_AES, B_128, M_SHA256, F_FIPS_STD, A_RSAS, ssl_hash_sha256 }, { 0, CS(DHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_DHE, C_AESGCM, B_128, M_AEAD_128, F_FIPS_STD, A_RSAS, ssl_hash_sha256 }, { 0, CS(DHE_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_DHE, C_AES, B_128, M_SHA, F_FIPS_STD, A_RSAS, ssl_hash_none }, { 0, CS(DHE_DSS_WITH_AES_128_GCM_SHA256), S_DSA, K_DHE, C_AESGCM, B_128, M_AEAD_128, F_FIPS_STD, A_DSA, ssl_hash_sha256 }, { 0, CS(DHE_DSS_WITH_AES_128_CBC_SHA), S_DSA, K_DHE, C_AES, B_128, M_SHA, F_FIPS_STD, A_DSA, ssl_hash_none }, { 0, CS(DHE_DSS_WITH_AES_128_CBC_SHA256), S_DSA, K_DHE, C_AES, B_128, M_SHA256, F_FIPS_STD, A_DSA, ssl_hash_sha256 }, { 0, CS(RSA_WITH_SEED_CBC_SHA), S_RSA, K_RSA, C_SEED, B_128, M_SHA, F_FIPS_STD, A_RSAD, ssl_hash_none }, { 0, CS(RSA_WITH_CAMELLIA_128_CBC_SHA), S_RSA, K_RSA, C_CAMELLIA, B_128, M_SHA, F_NFIPS_STD, A_RSAD, ssl_hash_none }, { 0, CS(RSA_WITH_RC4_128_SHA), S_RSA, K_RSA, C_RC4, B_128, M_SHA, F_NFIPS_STD, A_RSAD, ssl_hash_none }, { 0, CS(RSA_WITH_RC4_128_MD5), S_RSA, K_RSA, C_RC4, B_128, M_MD5, F_NFIPS_STD, A_RSAD, ssl_hash_none }, { 0, CS(RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_RSA, C_AES, B_128, M_SHA256, F_FIPS_STD, A_RSAD, ssl_hash_sha256 }, { 0, CS(RSA_WITH_AES_128_CBC_SHA), S_RSA, K_RSA, C_AES, B_128, M_SHA, F_FIPS_STD, A_RSAD, ssl_hash_none }, { 0, CS(DHE_RSA_WITH_3DES_EDE_CBC_SHA), S_RSA, K_DHE, C_3DES, B_3DES, M_SHA, F_FIPS_STD, A_RSAS, ssl_hash_none }, { 0, CS(DHE_DSS_WITH_3DES_EDE_CBC_SHA), S_DSA, K_DHE, C_3DES, B_3DES, M_SHA, F_FIPS_STD, A_DSA, ssl_hash_none }, { 0, CS(RSA_WITH_3DES_EDE_CBC_SHA), S_RSA, K_RSA, C_3DES, B_3DES, M_SHA, F_FIPS_STD, A_RSAD, ssl_hash_none }, { 0, CS(DHE_RSA_WITH_DES_CBC_SHA), S_RSA, K_DHE, C_DES, B_DES, M_SHA, F_NFIPS_STD, A_RSAS, ssl_hash_none }, { 0, CS(DHE_DSS_WITH_DES_CBC_SHA), S_DSA, K_DHE, C_DES, B_DES, M_SHA, F_NFIPS_STD, A_DSA, ssl_hash_none }, { 0, CS(RSA_WITH_DES_CBC_SHA), S_RSA, K_RSA, C_DES, B_DES, M_SHA, F_NFIPS_STD, A_RSAD, ssl_hash_none }, { 0, CS(RSA_WITH_NULL_SHA256), S_RSA, K_RSA, C_NULL, B_0, M_SHA256, F_EXPORT, A_RSAD, ssl_hash_sha256 }, { 0, CS(RSA_WITH_NULL_SHA), S_RSA, K_RSA, C_NULL, B_0, M_SHA, F_EXPORT, A_RSAD, ssl_hash_none }, { 0, CS(RSA_WITH_NULL_MD5), S_RSA, K_RSA, C_NULL, B_0, M_MD5, F_EXPORT, A_RSAD, ssl_hash_none }, /* ECC cipher suites */ { 0, CS(ECDHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_ECDHE, C_AESGCM, B_128, M_AEAD_128, F_FIPS_STD, A_RSAS, ssl_hash_sha256 }, { 0, CS(ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), S_ECDSA, K_ECDHE, C_AESGCM, B_128, M_AEAD_128, F_FIPS_STD, A_ECDSA, ssl_hash_sha256 }, { 0, CS(ECDH_ECDSA_WITH_NULL_SHA), S_ECDSA, K_ECDH, C_NULL, B_0, M_SHA, F_NFIPS_STD, A_ECDH_E, ssl_hash_none }, { 0, CS(ECDH_ECDSA_WITH_RC4_128_SHA), S_ECDSA, K_ECDH, C_RC4, B_128, M_SHA, F_NFIPS_STD, A_ECDH_E, ssl_hash_none }, { 0, CS(ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA), S_ECDSA, K_ECDH, C_3DES, B_3DES, M_SHA, F_FIPS_STD, A_ECDH_E, ssl_hash_none }, { 0, CS(ECDH_ECDSA_WITH_AES_128_CBC_SHA), S_ECDSA, K_ECDH, C_AES, B_128, M_SHA, F_FIPS_STD, A_ECDH_E, ssl_hash_none }, { 0, CS(ECDH_ECDSA_WITH_AES_256_CBC_SHA), S_ECDSA, K_ECDH, C_AES, B_256, M_SHA, F_FIPS_STD, A_ECDH_E, ssl_hash_none }, { 0, CS(ECDHE_ECDSA_WITH_NULL_SHA), S_ECDSA, K_ECDHE, C_NULL, B_0, M_SHA, F_NFIPS_STD, A_ECDSA, ssl_hash_none }, { 0, CS(ECDHE_ECDSA_WITH_RC4_128_SHA), S_ECDSA, K_ECDHE, C_RC4, B_128, M_SHA, F_NFIPS_STD, A_ECDSA, ssl_hash_none }, { 0, CS(ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA), S_ECDSA, K_ECDHE, C_3DES, B_3DES, M_SHA, F_FIPS_STD, A_ECDSA, ssl_hash_none }, { 0, CS(ECDHE_ECDSA_WITH_AES_128_CBC_SHA), S_ECDSA, K_ECDHE, C_AES, B_128, M_SHA, F_FIPS_STD, A_ECDSA, ssl_hash_none }, { 0, CS(ECDHE_ECDSA_WITH_AES_128_CBC_SHA256), S_ECDSA, K_ECDHE, C_AES, B_128, M_SHA256, F_FIPS_STD, A_ECDSA, ssl_hash_sha256 }, { 0, CS(ECDHE_ECDSA_WITH_AES_256_CBC_SHA), S_ECDSA, K_ECDHE, C_AES, B_256, M_SHA, F_FIPS_STD, A_ECDSA, ssl_hash_none }, { 0, CS(ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256), S_ECDSA, K_ECDHE, C_CHACHA20, B_256, M_AEAD_128, F_NFIPS_STD, A_ECDSA, ssl_hash_sha256 }, { 0, CS(ECDH_RSA_WITH_NULL_SHA), S_RSA, K_ECDH, C_NULL, B_0, M_SHA, F_NFIPS_STD, A_ECDH_R, ssl_hash_none }, { 0, CS(ECDH_RSA_WITH_RC4_128_SHA), S_RSA, K_ECDH, C_RC4, B_128, M_SHA, F_NFIPS_STD, A_ECDH_R, ssl_hash_none }, { 0, CS(ECDH_RSA_WITH_3DES_EDE_CBC_SHA), S_RSA, K_ECDH, C_3DES, B_3DES, M_SHA, F_FIPS_STD, A_ECDH_R, ssl_hash_none }, { 0, CS(ECDH_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_ECDH, C_AES, B_128, M_SHA, F_FIPS_STD, A_ECDH_R, ssl_hash_none }, { 0, CS(ECDH_RSA_WITH_AES_256_CBC_SHA), S_RSA, K_ECDH, C_AES, B_256, M_SHA, F_FIPS_STD, A_ECDH_R, ssl_hash_none }, { 0, CS(ECDHE_RSA_WITH_NULL_SHA), S_RSA, K_ECDHE, C_NULL, B_0, M_SHA, F_NFIPS_STD, A_RSAS, ssl_hash_none }, { 0, CS(ECDHE_RSA_WITH_RC4_128_SHA), S_RSA, K_ECDHE, C_RC4, B_128, M_SHA, F_NFIPS_STD, A_RSAS, ssl_hash_none }, { 0, CS(ECDHE_RSA_WITH_3DES_EDE_CBC_SHA), S_RSA, K_ECDHE, C_3DES, B_3DES, M_SHA, F_FIPS_STD, A_RSAS, ssl_hash_none }, { 0, CS(ECDHE_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_ECDHE, C_AES, B_128, M_SHA, F_FIPS_STD, A_RSAS, ssl_hash_none }, { 0, CS(ECDHE_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_ECDHE, C_AES, B_128, M_SHA256, F_FIPS_STD, A_RSAS, ssl_hash_sha256 }, { 0, CS(ECDHE_RSA_WITH_AES_256_CBC_SHA), S_RSA, K_ECDHE, C_AES, B_256, M_SHA, F_FIPS_STD, A_RSAS, ssl_hash_none }, { 0, CS(ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256), S_RSA, K_ECDHE, C_CHACHA20, B_256, M_AEAD_128, F_NFIPS_STD, A_RSAS, ssl_hash_sha256 }, { 0, CS(ECDHE_RSA_WITH_AES_256_CBC_SHA384), S_RSA, K_ECDHE, C_AES, B_256, M_SHA384, F_FIPS_STD, A_RSAS, ssl_hash_sha384 }, { 0, CS(ECDHE_ECDSA_WITH_AES_256_CBC_SHA384), S_ECDSA, K_ECDHE, C_AES, B_256, M_SHA384, F_FIPS_STD, A_ECDSA, ssl_hash_sha384 }, { 0, CS(ECDHE_ECDSA_WITH_AES_256_GCM_SHA384), S_ECDSA, K_ECDHE, C_AESGCM, B_256, M_AEAD_128, F_FIPS_STD, A_ECDSA, ssl_hash_sha384 }, { 0, CS(ECDHE_RSA_WITH_AES_256_GCM_SHA384), S_RSA, K_ECDHE, C_AESGCM, B_256, M_AEAD_128, F_FIPS_STD, A_RSAS, ssl_hash_sha384 }, { 0, CS(DHE_DSS_WITH_AES_256_GCM_SHA384), S_DSA, K_DHE, C_AESGCM, B_256, M_AEAD_128, F_FIPS_STD, A_DSA, ssl_hash_sha384 }, { 0, CS(DHE_RSA_WITH_AES_256_GCM_SHA384), S_RSA, K_DHE, C_AESGCM, B_256, M_AEAD_128, F_FIPS_STD, A_RSAS, ssl_hash_sha384 }, { 0, CS(RSA_WITH_AES_256_GCM_SHA384), S_RSA, K_RSA, C_AESGCM, B_256, M_AEAD_128, F_FIPS_STD, A_RSAD, ssl_hash_sha384 }, }; #define NUM_SUITEINFOS ((sizeof suiteInfo) / (sizeof suiteInfo[0])) SECStatus SSL_GetCipherSuiteInfo(PRUint16 cipherSuite, SSLCipherSuiteInfo *info, PRUintn len) { unsigned int i; /* Check if we can properly return the length of data written and that * we're not asked to return more information than we know how to provide. */ if (!info || len < sizeof suiteInfo[0].length || len > sizeof suiteInfo[0]) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } len = PR_MIN(len, sizeof suiteInfo[0]); for (i = 0; i < NUM_SUITEINFOS; i++) { if (suiteInfo[i].cipherSuite == cipherSuite) { memcpy(info, &suiteInfo[i], len); info->length = len; return SECSuccess; } } PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } SECItem * SSL_GetNegotiatedHostInfo(PRFileDesc *fd) { SECItem *sniName = NULL; sslSocket *ss; char *name = NULL; ss = ssl_FindSocket(fd); if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetNegotiatedHostInfo", SSL_GETPID(), fd)); return NULL; } if (ss->sec.isServer) { if (ss->version > SSL_LIBRARY_VERSION_3_0) { /* TLS */ SECItem *crsName; ssl_GetSpecReadLock(ss); /*********************************/ crsName = &ss->ssl3.hs.srvVirtName; if (crsName->data) { sniName = SECITEM_DupItem(crsName); } ssl_ReleaseSpecReadLock(ss); /*----------------------------*/ } return sniName; } name = SSL_RevealURL(fd); if (name) { sniName = PORT_ZNew(SECItem); if (!sniName) { PORT_Free(name); return NULL; } sniName->data = (void *)name; sniName->len = PORT_Strlen(name); } return sniName; } /* * HKDF-Expand-Label(Derive-Secret(Secret, label, ""), * "exporter", Hash(context_value), key_length) */ static SECStatus tls13_Exporter(sslSocket *ss, PK11SymKey *secret, const char *label, unsigned int labelLen, const unsigned char *context, unsigned int contextLen, unsigned char *out, unsigned int outLen) { SSL3Hashes contextHash; PK11SymKey *innerSecret = NULL; SECStatus rv; static const char *kExporterInnerLabel = "exporter"; if (!secret) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } SSLHashType hashAlg; /* Early export requires a PSK. As in 0-RTT, default * to the first PSK if no suite is negotiated yet. */ if (secret == ss->ssl3.hs.earlyExporterSecret && !ss->ssl3.hs.suite_def) { if (PR_CLIST_IS_EMPTY(&ss->ssl3.hs.psks)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } hashAlg = ((sslPsk *)PR_LIST_HEAD(&ss->ssl3.hs.psks))->hash; } else { hashAlg = tls13_GetHash(ss); } /* Pre-hash the context. */ rv = tls13_ComputeHash(ss, &contextHash, context, contextLen, hashAlg); if (rv != SECSuccess) { return rv; } rv = tls13_DeriveSecretNullHash(ss, secret, label, labelLen, &innerSecret, hashAlg); if (rv != SECSuccess) { return rv; } rv = tls13_HkdfExpandLabelRaw(innerSecret, hashAlg, contextHash.u.raw, contextHash.len, kExporterInnerLabel, strlen(kExporterInnerLabel), ss->protocolVariant, out, outLen); PK11_FreeSymKey(innerSecret); return rv; } SECStatus SSL_ExportKeyingMaterial(PRFileDesc *fd, const char *label, unsigned int labelLen, PRBool hasContext, const unsigned char *context, unsigned int contextLen, unsigned char *out, unsigned int outLen) { sslSocket *ss; unsigned char *val = NULL; unsigned int valLen, i; SECStatus rv = SECFailure; ss = ssl_FindSocket(fd); if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in ExportKeyingMaterial", SSL_GETPID(), fd)); return SECFailure; } if (!label || !labelLen || !out || !outLen || (hasContext && (!context || !contextLen))) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) { return tls13_Exporter(ss, ss->ssl3.hs.exporterSecret, label, labelLen, context, hasContext ? contextLen : 0, out, outLen); } if (hasContext && contextLen > MAX_CONTEXT_LEN) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } /* construct PRF arguments */ valLen = SSL3_RANDOM_LENGTH * 2; if (hasContext) { valLen += 2 /* PRUint16 length */ + contextLen; } val = PORT_Alloc(valLen); if (!val) { return SECFailure; } i = 0; PORT_Memcpy(val + i, ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH); i += SSL3_RANDOM_LENGTH; PORT_Memcpy(val + i, ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH); i += SSL3_RANDOM_LENGTH; if (hasContext) { val[i++] = contextLen >> 8; val[i++] = contextLen; PORT_Memcpy(val + i, context, contextLen); i += contextLen; } PORT_Assert(i == valLen); /* Allow TLS keying material to be exported sooner, when the master * secret is available and we have sent ChangeCipherSpec. */ ssl_GetSpecReadLock(ss); if (!ss->ssl3.cwSpec->masterSecret) { PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED); rv = SECFailure; } else { rv = ssl3_TLSPRFWithMasterSecret(ss, ss->ssl3.cwSpec, label, labelLen, val, valLen, out, outLen); } ssl_ReleaseSpecReadLock(ss); PORT_ZFree(val, valLen); return rv; } SECStatus SSL_ExportEarlyKeyingMaterial(PRFileDesc *fd, const char *label, unsigned int labelLen, const unsigned char *context, unsigned int contextLen, unsigned char *out, unsigned int outLen) { sslSocket *ss; ss = ssl_FindSocket(fd); if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in SSL_ExportEarlyKeyingMaterial", SSL_GETPID(), fd)); return SECFailure; } if (!label || !labelLen || !out || !outLen || (!context && contextLen)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } return tls13_Exporter(ss, ss->ssl3.hs.earlyExporterSecret, label, labelLen, context, contextLen, out, outLen); }