static DSSL_SessionKeyData* CreateSessionKeyData( DSSL_Session* sess )
{
DSSL_SessionKeyData* new_data;
_ASSERT( sess );
new_data = (DSSL_SessionKeyData*) malloc( sizeof(DSSL_SessionKeyData) );
if(!new_data) return NULL;
_ASSERT_STATIC( sizeof(new_data->id) == sizeof(sess->session_id ) );
memcpy( new_data->id, sess->session_id, sizeof(new_data->id) );
_ASSERT_STATIC( sizeof(new_data->master_secret) == sizeof(sess->master_secret ) );
memcpy( new_data->master_secret, sess->master_secret, sizeof(new_data->master_secret) );
new_data->refcount = 1;
new_data->next = NULL;
new_data->released_time = 0;
return new_data;
}
static int ssl3_decode_server_hello( DSSL_Session* sess, u_char* data, uint32_t len )
{
uint16_t server_version = 0;
u_char* org_data = data;
uint16_t session_id_len = 0;
int session_id_match = 0;
if( data[0] != 3 || data[1] > 3) return NM_ERROR( DSSL_E_SSL_UNKNOWN_VERSION );
if( len < SSL3_SERVER_HELLO_MIN_LEN ) return NM_ERROR( DSSL_E_SSL_INVALID_RECORD_LENGTH );
/* Server Version */
server_version = MAKE_UINT16( data[0], data[1] );
if( sess->version == 0 || server_version < sess->version )
{
ssls_set_session_version( sess, server_version );
}
data+= 2;
/* ServerRandom */
_ASSERT_STATIC( sizeof(sess->server_random) == 32 );
memcpy( sess->server_random, data, sizeof( sess->server_random ) );
data+= 32;
DEBUG_TRACE_BUF("server_random", sess->server_random, 32);
/* session ID */
_ASSERT_STATIC( sizeof(sess->session_id) == 32 );
session_id_len = data[0];
data++;
if( session_id_len > 0 )
{
if ( session_id_len > 32 ) return NM_ERROR( DSSL_E_SSL_PROTOCOL_ERROR );
if( !IS_ENOUGH_LENGTH( org_data, len, data, session_id_len ) )
{
return NM_ERROR( DSSL_E_SSL_INVALID_RECORD_LENGTH );
}
if( sess->flags & SSF_CLIENT_SESSION_ID_SET
&& memcmp( sess->session_id, data, session_id_len ) == 0 )
{
session_id_match = 1;
}
else
{
sess->flags &= ~SSF_CLIENT_SESSION_ID_SET;
memcpy( sess->session_id, data, session_id_len );
}
data += session_id_len;
}
/* Cipher Suite and Compression */
if( !IS_ENOUGH_LENGTH( org_data, len, data, 3 ) )
{
return NM_ERROR( DSSL_E_SSL_INVALID_RECORD_LENGTH );
}
sess->cipher_suite = MAKE_UINT16( data[0], data[1] );
sess->compression_method = data[2];
data += 3;
sess->flags &= ~SSF_TLS_SERVER_SESSION_TICKET; /* clear server side TLS Session Ticket flag */
/* Process SSL Extensions, if present */
if(IS_ENOUGH_LENGTH( org_data, len, data, 2 ))
{
int t_len = MAKE_UINT16(data[0], data[1]);
data += 2;
if(!IS_ENOUGH_LENGTH( org_data, len, data, t_len))
return NM_ERROR(DSSL_E_SSL_INVALID_RECORD_LENGTH);
/* cycle through extension records */
while(t_len >= 4)
{
int ext_type = MAKE_UINT16(data[0], data[1]); /* extension type */
int ext_len = MAKE_UINT16(data[2], data[3]);
#ifdef NM_TRACE_SSL_HANDSHAKE
DEBUG_TRACE2( "\nSSL extension: %s len: %d", SSL3_ExtensionTypeToString( ext_type ), ext_len );
#endif
/* TLS Session Ticket extension found, set the flag */
if( ext_type == 0x0023)
{
sess->flags |= SSF_TLS_SERVER_SESSION_TICKET;
}
data += ext_len + 4;
if(data > org_data + len) return NM_ERROR(DSSL_E_SSL_INVALID_RECORD_LENGTH);
t_len -= ext_len + 4;
}
}
if( session_id_match )
{
if( sess->flags & SSF_TLS_SESSION_TICKET_SET)
{
int rc = ssls_init_from_tls_ticket( sess );
if( NM_IS_FAILED( rc ) )
return rc;
}
else
{
/* lookup session from the cache for stateful SSL renegotiation */
int rc = ssls_lookup_session( sess );
if( NM_IS_FAILED( rc ) )
return rc;
}
}
if( sess->flags & SSF_CLIENT_SESSION_ID_SET )
{
int rc = ssls_generate_keys( sess );
if( NM_IS_FAILED( rc ) ) return rc;
}
return DSSL_RC_OK;
}
