Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(396)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/third_party/nss/ssl/ssl3con.c

Issue 394003: Linux: enable building with a local version of libssl. (Closed)
Patch Set: ... Created 11 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/third_party/nss/ssl/ssl.rc ('k') | net/third_party/nss/ssl/ssl3ecc.c » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 /*
2 * SSL3 Protocol
3 *
4 * ***** BEGIN LICENSE BLOCK *****
5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
6 *
7 * The contents of this file are subject to the Mozilla Public License Version
8 * 1.1 (the "License"); you may not use this file except in compliance with
9 * the License. You may obtain a copy of the License at
10 * http://www.mozilla.org/MPL/
11 *
12 * Software distributed under the License is distributed on an "AS IS" basis,
13 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
14 * for the specific language governing rights and limitations under the
15 * License.
16 *
17 * The Original Code is the Netscape security libraries.
18 *
19 * The Initial Developer of the Original Code is
20 * Netscape Communications Corporation.
21 * Portions created by the Initial Developer are Copyright (C) 1994-2000
22 * the Initial Developer. All Rights Reserved.
23 *
24 * Contributor(s):
25 * Dr Stephen Henson <stephen.henson@gemplus.com>
26 * Dr Vipul Gupta <vipul.gupta@sun.com> and
27 * Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
28 *
29 * Alternatively, the contents of this file may be used under the terms of
30 * either the GNU General Public License Version 2 or later (the "GPL"), or
31 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
32 * in which case the provisions of the GPL or the LGPL are applicable instead
33 * of those above. If you wish to allow use of your version of this file only
34 * under the terms of either the GPL or the LGPL, and not to allow others to
35 * use your version of this file under the terms of the MPL, indicate your
36 * decision by deleting the provisions above and replace them with the notice
37 * and other provisions required by the GPL or the LGPL. If you do not delete
38 * the provisions above, a recipient may use your version of this file under
39 * the terms of any one of the MPL, the GPL or the LGPL.
40 *
41 * ***** END LICENSE BLOCK ***** */
42 /* $Id: ssl3con.c,v 1.121 2009/11/12 05:08:27 wtc%google.com Exp $ */
43
44 #include "cert.h"
45 #include "ssl.h"
46 #include "cryptohi.h" /* for DSAU_ stuff */
47 #include "keyhi.h"
48 #include "secder.h"
49 #include "secitem.h"
50
51 #include "sslimpl.h"
52 #include "sslproto.h"
53 #include "sslerr.h"
54 #include "prtime.h"
55 #include "prinrval.h"
56 #include "prerror.h"
57 #include "pratom.h"
58 #include "prthread.h"
59
60 #include "pk11func.h"
61 #include "secmod.h"
62 #include "blapi.h"
63
64 #include <stdio.h>
65 #ifdef NSS_ENABLE_ZLIB
66 #include "zlib.h"
67 /* zconf.h may define compress as a macro, which interferes with our use
68 * of compress as a member of the ssl3CipherSpec structure. Undo that.
69 */
70 #undef compress
71 #endif
72
73 #ifndef PK11_SETATTRS
74 #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
75 (x)->pValue=(v); (x)->ulValueLen = (l);
76 #endif
77
78 static void ssl3_CleanupPeerCerts(sslSocket *ss);
79 static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
80 PK11SlotInfo * serverKeySlot);
81 static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms);
82 static SECStatus ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss);
83 static SECStatus ssl3_HandshakeFailure( sslSocket *ss);
84 static SECStatus ssl3_InitState( sslSocket *ss);
85 static SECStatus ssl3_SendCertificate( sslSocket *ss);
86 static SECStatus ssl3_SendEmptyCertificate( sslSocket *ss);
87 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss);
88 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags);
89 static SECStatus ssl3_SendServerHello( sslSocket *ss);
90 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss);
91 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss);
92 static SECStatus ssl3_NewHandshakeHashes( sslSocket *ss);
93 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, unsigned char *b,
94 unsigned int l);
95
96 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen,
97 int maxOutputLen, const unsigned char *input,
98 int inputLen);
99
100 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */
101 #define MIN_SEND_BUF_LENGTH 4000
102
103 #define MAX_CIPHER_SUITES 20
104
105 /* This list of SSL3 cipher suites is sorted in descending order of
106 * precedence (desirability). It only includes cipher suites we implement.
107 * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites
108 * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c)
109 */
110 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
111 /* cipher_suite policy enabled is_present*/
112 #ifdef NSS_ENABLE_ECC
113 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
114 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
115 #endif /* NSS_ENABLE_ECC */
116 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
117 { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
118 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
119 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
120 #ifdef NSS_ENABLE_ECC
121 { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
122 { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
123 #endif /* NSS_ENABLE_ECC */
124 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
125 { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
126
127 #ifdef NSS_ENABLE_ECC
128 { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
129 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
130 { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
131 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
132 #endif /* NSS_ENABLE_ECC */
133 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
134 { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
135 { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
136 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
137 { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
138 #ifdef NSS_ENABLE_ECC
139 { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
140 { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
141 { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
142 { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
143 #endif /* NSS_ENABLE_ECC */
144 { TLS_RSA_WITH_SEED_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
145 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
146 { SSL_RSA_WITH_RC4_128_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
147 { SSL_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
148 { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
149
150 #ifdef NSS_ENABLE_ECC
151 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
152 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
153 #endif /* NSS_ENABLE_ECC */
154 { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
155 { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
156 #ifdef NSS_ENABLE_ECC
157 { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
158 { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
159 #endif /* NSS_ENABLE_ECC */
160 { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
161 { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
162
163
164 { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
165 { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
166 { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
167 { SSL_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
168 { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
169 { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
170
171 { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
172 { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
173
174 #ifdef NSS_ENABLE_ECC
175 { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
176 { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
177 { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
178 { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
179 #endif /* NSS_ENABLE_ECC */
180 { SSL_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
181 { SSL_RSA_WITH_NULL_MD5, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
182
183 };
184
185 /* This list of SSL3 compression methods is sorted in descending order of
186 * precedence (desirability). It only includes compression methods we
187 * implement.
188 */
189 static const /*SSLCompressionMethod*/ uint8 compressions [] = {
190 #ifdef NSS_ENABLE_ZLIB
191 ssl_compression_deflate,
192 #endif
193 ssl_compression_null
194 };
195
196 static const int compressionMethodsCount =
197 sizeof(compressions) / sizeof(compressions[0]);
198
199 /* compressionEnabled returns true iff the compression algorithm is enabled
200 * for the given SSL socket. */
201 static PRBool
202 compressionEnabled(sslSocket *ss, SSLCompressionMethod compression)
203 {
204 switch (compression) {
205 case ssl_compression_null:
206 return PR_TRUE; /* Always enabled */
207 #ifdef NSS_ENABLE_ZLIB
208 case ssl_compression_deflate:
209 return ss->opt.enableDeflate;
210 #endif
211 default:
212 return PR_FALSE;
213 }
214 }
215
216 static const /*SSL3ClientCertificateType */ uint8 certificate_types [] = {
217 ct_RSA_sign,
218 ct_DSS_sign,
219 #ifdef NSS_ENABLE_ECC
220 ct_ECDSA_sign,
221 #endif /* NSS_ENABLE_ECC */
222 };
223
224 #ifdef NSS_ENABLE_ZLIB
225 /*
226 * The DEFLATE algorithm can result in an expansion of 0.1% + 12 bytes. For a
227 * maximum TLS record payload of 2**14 bytes, that's 29 bytes.
228 */
229 #define SSL3_COMPRESSION_MAX_EXPANSION 29
230 #else /* !NSS_ENABLE_ZLIB */
231 #define SSL3_COMPRESSION_MAX_EXPANSION 0
232 #endif
233
234 /*
235 * make sure there is room in the write buffer for padding and
236 * other compression and cryptographic expansions.
237 */
238 #define SSL3_BUFFER_FUDGE 100 + SSL3_COMPRESSION_MAX_EXPANSION
239
240 #define EXPORT_RSA_KEY_LENGTH 64 /* bytes */
241
242
243 /* This is a hack to make sure we don't do double handshakes for US policy */
244 PRBool ssl3_global_policy_some_restricted = PR_FALSE;
245
246 /* This global item is used only in servers. It is is initialized by
247 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest().
248 */
249 CERTDistNames *ssl3_server_ca_list = NULL;
250 static SSL3Statistics ssl3stats;
251
252 /* indexed by SSL3BulkCipher */
253 static const ssl3BulkCipherDef bulk_cipher_defs[] = {
254 /* cipher calg keySz secretSz type ivSz BlkSz keygen */
255 {cipher_null, calg_null, 0, 0, type_stream, 0, 0, kg_null},
256 {cipher_rc4, calg_rc4, 16, 16, type_stream, 0, 0, kg_strong},
257 {cipher_rc4_40, calg_rc4, 16, 5, type_stream, 0, 0, kg_export},
258 {cipher_rc4_56, calg_rc4, 16, 7, type_stream, 0, 0, kg_export},
259 {cipher_rc2, calg_rc2, 16, 16, type_block, 8, 8, kg_strong},
260 {cipher_rc2_40, calg_rc2, 16, 5, type_block, 8, 8, kg_export},
261 {cipher_des, calg_des, 8, 8, type_block, 8, 8, kg_strong},
262 {cipher_3des, calg_3des, 24, 24, type_block, 8, 8, kg_strong},
263 {cipher_des40, calg_des, 8, 5, type_block, 8, 8, kg_export},
264 {cipher_idea, calg_idea, 16, 16, type_block, 8, 8, kg_strong},
265 {cipher_aes_128, calg_aes, 16, 16, type_block, 16,16, kg_strong},
266 {cipher_aes_256, calg_aes, 32, 32, type_block, 16,16, kg_strong},
267 {cipher_camellia_128, calg_camellia,16, 16, type_block, 16,16, kg_strong},
268 {cipher_camellia_256, calg_camellia,32, 32, type_block, 16,16, kg_strong},
269 {cipher_seed, calg_seed, 16, 16, type_block, 16,16, kg_strong},
270 {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, kg_null},
271 };
272
273 static const ssl3KEADef kea_defs[] =
274 { /* indexed by SSL3KeyExchangeAlgorithm */
275 /* kea exchKeyType signKeyType is_limited limit tls_keygen */
276 {kea_null, kt_null, sign_null, PR_FALSE, 0, PR_FALSE},
277 {kea_rsa, kt_rsa, sign_rsa, PR_FALSE, 0, PR_FALSE},
278 {kea_rsa_export, kt_rsa, sign_rsa, PR_TRUE, 512, PR_FALSE},
279 {kea_rsa_export_1024,kt_rsa, sign_rsa, PR_TRUE, 1024, PR_FALSE},
280 {kea_dh_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE},
281 {kea_dh_dss_export, kt_dh, sign_dsa, PR_TRUE, 512, PR_FALSE},
282 {kea_dh_rsa, kt_dh, sign_rsa, PR_FALSE, 0, PR_FALSE},
283 {kea_dh_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE},
284 {kea_dhe_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE},
285 {kea_dhe_dss_export, kt_dh, sign_dsa, PR_TRUE, 512, PR_FALSE},
286 {kea_dhe_rsa, kt_dh, sign_rsa, PR_FALSE, 0, PR_FALSE},
287 {kea_dhe_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE},
288 {kea_dh_anon, kt_dh, sign_null, PR_FALSE, 0, PR_FALSE},
289 {kea_dh_anon_export, kt_dh, sign_null, PR_TRUE, 512, PR_FALSE},
290 {kea_rsa_fips, kt_rsa, sign_rsa, PR_FALSE, 0, PR_TRUE },
291 #ifdef NSS_ENABLE_ECC
292 {kea_ecdh_ecdsa, kt_ecdh, sign_ecdsa, PR_FALSE, 0, PR_FALSE},
293 {kea_ecdhe_ecdsa, kt_ecdh, sign_ecdsa, PR_FALSE, 0, PR_FALSE},
294 {kea_ecdh_rsa, kt_ecdh, sign_rsa, PR_FALSE, 0, PR_FALSE},
295 {kea_ecdhe_rsa, kt_ecdh, sign_rsa, PR_FALSE, 0, PR_FALSE},
296 {kea_ecdh_anon, kt_ecdh, sign_null, PR_FALSE, 0, PR_FALSE},
297 #endif /* NSS_ENABLE_ECC */
298 };
299
300 /* must use ssl_LookupCipherSuiteDef to access */
301 static const ssl3CipherSuiteDef cipher_suite_defs[] =
302 {
303 /* cipher_suite bulk_cipher_alg mac_alg key_exchange_alg */
304
305 {SSL_NULL_WITH_NULL_NULL, cipher_null, mac_null, kea_null},
306 {SSL_RSA_WITH_NULL_MD5, cipher_null, mac_md5, kea_rsa},
307 {SSL_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_rsa},
308 {SSL_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export},
309 {SSL_RSA_WITH_RC4_128_MD5, cipher_rc4, mac_md5, kea_rsa},
310 {SSL_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_rsa},
311 {SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
312 cipher_rc2_40, mac_md5, kea_rsa_export},
313 #if 0 /* not implemented */
314 {SSL_RSA_WITH_IDEA_CBC_SHA, cipher_idea, mac_sha, kea_rsa},
315 {SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
316 cipher_des40, mac_sha, kea_rsa_export},
317 #endif
318 {SSL_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa},
319 {SSL_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa},
320 {SSL_DHE_DSS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_dss},
321 {SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
322 cipher_3des, mac_sha, kea_dhe_dss},
323 {TLS_DHE_DSS_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_dhe_dss},
324 #if 0 /* not implemented */
325 {SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
326 cipher_des40, mac_sha, kea_dh_dss_export},
327 {SSL_DH_DSS_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_dss},
328 {SSL_DH_DSS_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_dss},
329 {SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
330 cipher_des40, mac_sha, kea_dh_rsa_export},
331 {SSL_DH_RSA_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_rsa},
332 {SSL_DH_RSA_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_rsa},
333 {SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
334 cipher_des40, mac_sha, kea_dh_dss_export},
335 {SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
336 cipher_des40, mac_sha, kea_dh_rsa_export},
337 #endif
338 {SSL_DHE_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_rsa},
339 {SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
340 cipher_3des, mac_sha, kea_dhe_rsa},
341 #if 0
342 {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4_40, mac_md5, kea_dh_anon_export},
343 {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4, mac_md5, kea_dh_anon_export},
344 {SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA,
345 cipher_des40, mac_sha, kea_dh_anon_export},
346 {SSL_DH_ANON_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_anon},
347 {SSL_DH_ANON_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_anon},
348 #endif
349
350
351 /* New TLS cipher suites */
352 {TLS_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_rsa},
353 {TLS_DHE_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_dss},
354 {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_rsa},
355 {TLS_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_rsa},
356 {TLS_DHE_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_dss},
357 {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_rsa},
358 #if 0
359 {TLS_DH_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_dss},
360 {TLS_DH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_rsa},
361 {TLS_DH_ANON_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_anon},
362 {TLS_DH_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_dss},
363 {TLS_DH_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_rsa},
364 {TLS_DH_ANON_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_anon},
365 #endif
366
367 {TLS_RSA_WITH_SEED_CBC_SHA, cipher_seed, mac_sha, kea_rsa},
368
369 {TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, cipher_camellia_128, mac_sha, kea_rsa},
370 {TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
371 cipher_camellia_128, mac_sha, kea_dhe_dss},
372 {TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
373 cipher_camellia_128, mac_sha, kea_dhe_rsa},
374 {TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, cipher_camellia_256, mac_sha, kea_rsa},
375 {TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
376 cipher_camellia_256, mac_sha, kea_dhe_dss},
377 {TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
378 cipher_camellia_256, mac_sha, kea_dhe_rsa},
379
380 {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
381 cipher_des, mac_sha,kea_rsa_export_1024},
382 {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
383 cipher_rc4_56, mac_sha,kea_rsa_export_1024},
384
385 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips},
386 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips},
387
388 #ifdef NSS_ENABLE_ECC
389 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa},
390 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa},
391 {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa} ,
392 {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecds a},
393 {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecds a},
394
395 {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa },
396 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa },
397 {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecds a},
398 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_ec dsa},
399 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_ec dsa},
400
401 {TLS_ECDH_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_rsa},
402 {TLS_ECDH_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_rsa},
403 {TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_rsa},
404 {TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_rsa},
405 {TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_rsa},
406
407 {TLS_ECDHE_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_rsa },
408 {TLS_ECDHE_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_rsa },
409 {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_rsa },
410 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_rsa },
411 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_rsa },
412
413 #if 0
414 {TLS_ECDH_anon_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_anon },
415 {TLS_ECDH_anon_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_anon },
416 {TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_anon },
417 {TLS_ECDH_anon_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_anon },
418 {TLS_ECDH_anon_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_anon },
419 #endif
420 #endif /* NSS_ENABLE_ECC */
421 };
422
423 static const CK_MECHANISM_TYPE kea_alg_defs[] = {
424 0x80000000L,
425 CKM_RSA_PKCS,
426 CKM_DH_PKCS_DERIVE,
427 CKM_KEA_KEY_DERIVE,
428 CKM_ECDH1_DERIVE
429 };
430
431 typedef struct SSLCipher2MechStr {
432 SSLCipherAlgorithm calg;
433 CK_MECHANISM_TYPE cmech;
434 } SSLCipher2Mech;
435
436 /* indexed by type SSLCipherAlgorithm */
437 static const SSLCipher2Mech alg2Mech[] = {
438 /* calg, cmech */
439 { calg_null , (CK_MECHANISM_TYPE)0x80000000L },
440 { calg_rc4 , CKM_RC4 },
441 { calg_rc2 , CKM_RC2_CBC },
442 { calg_des , CKM_DES_CBC },
443 { calg_3des , CKM_DES3_CBC },
444 { calg_idea , CKM_IDEA_CBC },
445 { calg_fortezza , CKM_SKIPJACK_CBC64 },
446 { calg_aes , CKM_AES_CBC },
447 { calg_camellia , CKM_CAMELLIA_CBC },
448 { calg_seed , CKM_SEED_CBC },
449 /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */
450 };
451
452 #define mmech_null (CK_MECHANISM_TYPE)0x80000000L
453 #define mmech_md5 CKM_SSL3_MD5_MAC
454 #define mmech_sha CKM_SSL3_SHA1_MAC
455 #define mmech_md5_hmac CKM_MD5_HMAC
456 #define mmech_sha_hmac CKM_SHA_1_HMAC
457
458 static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
459 /* mac mmech pad_size mac_size */
460 { mac_null, mmech_null, 0, 0 },
461 { mac_md5, mmech_md5, 48, MD5_LENGTH },
462 { mac_sha, mmech_sha, 40, SHA1_LENGTH},
463 {hmac_md5, mmech_md5_hmac, 48, MD5_LENGTH },
464 {hmac_sha, mmech_sha_hmac, 40, SHA1_LENGTH},
465 };
466
467 /* indexed by SSL3BulkCipher */
468 const char * const ssl3_cipherName[] = {
469 "NULL",
470 "RC4",
471 "RC4-40",
472 "RC4-56",
473 "RC2-CBC",
474 "RC2-CBC-40",
475 "DES-CBC",
476 "3DES-EDE-CBC",
477 "DES-CBC-40",
478 "IDEA-CBC",
479 "AES-128",
480 "AES-256",
481 "Camellia-128",
482 "Camellia-256",
483 "SEED-CBC",
484 "missing"
485 };
486
487 #ifdef NSS_ENABLE_ECC
488 /* The ECCWrappedKeyInfo structure defines how various pieces of
489 * information are laid out within wrappedSymmetricWrappingkey
490 * for ECDH key exchange. Since wrappedSymmetricWrappingkey is
491 * a 512-byte buffer (see sslimpl.h), the variable length field
492 * in ECCWrappedKeyInfo can be at most (512 - 8) = 504 bytes.
493 *
494 * XXX For now, NSS only supports named elliptic curves of size 571 bits
495 * or smaller. The public value will fit within 145 bytes and EC params
496 * will fit within 12 bytes. We'll need to revisit this when NSS
497 * supports arbitrary curves.
498 */
499 #define MAX_EC_WRAPPED_KEY_BUFLEN 504
500
501 typedef struct ECCWrappedKeyInfoStr {
502 PRUint16 size; /* EC public key size in bits */
503 PRUint16 encodedParamLen; /* length (in bytes) of DER encoded EC params */
504 PRUint16 pubValueLen; /* length (in bytes) of EC public value */
505 PRUint16 wrappedKeyLen; /* length (in bytes) of the wrapped key */
506 PRUint8 var[MAX_EC_WRAPPED_KEY_BUFLEN]; /* this buffer contains the */
507 /* EC public-key params, the EC public value and the wrapped key */
508 } ECCWrappedKeyInfo;
509 #endif /* NSS_ENABLE_ECC */
510
511 #if defined(TRACE)
512
513 static char *
514 ssl3_DecodeHandshakeType(int msgType)
515 {
516 char * rv;
517 static char line[40];
518
519 switch(msgType) {
520 case hello_request: rv = "hello_request (0)"; break;
521 case client_hello: rv = "client_hello (1)"; break;
522 case server_hello: rv = "server_hello (2)"; break;
523 case certificate: rv = "certificate (11)"; break;
524 case server_key_exchange: rv = "server_key_exchange (12)"; break;
525 case certificate_request: rv = "certificate_request (13)"; break;
526 case server_hello_done: rv = "server_hello_done (14)"; break;
527 case certificate_verify: rv = "certificate_verify (15)"; break;
528 case client_key_exchange: rv = "client_key_exchange (16)"; break;
529 case finished: rv = "finished (20)"; break;
530 default:
531 sprintf(line, "*UNKNOWN* handshake type! (%d)", msgType);
532 rv = line;
533 }
534 return rv;
535 }
536
537 static char *
538 ssl3_DecodeContentType(int msgType)
539 {
540 char * rv;
541 static char line[40];
542
543 switch(msgType) {
544 case content_change_cipher_spec:
545 rv = "change_cipher_spec (20)"; break;
546 case content_alert: rv = "alert (21)"; break;
547 case content_handshake: rv = "handshake (22)"; break;
548 case content_application_data:
549 rv = "application_data (23)"; break;
550 default:
551 sprintf(line, "*UNKNOWN* record type! (%d)", msgType);
552 rv = line;
553 }
554 return rv;
555 }
556
557 #endif
558
559 SSL3Statistics *
560 SSL_GetStatistics(void)
561 {
562 return &ssl3stats;
563 }
564
565 typedef struct tooLongStr {
566 #if defined(IS_LITTLE_ENDIAN)
567 PRInt32 low;
568 PRInt32 high;
569 #else
570 PRInt32 high;
571 PRInt32 low;
572 #endif
573 } tooLong;
574
575 void SSL_AtomicIncrementLong(long * x)
576 {
577 if ((sizeof *x) == sizeof(PRInt32)) {
578 PR_AtomicIncrement((PRInt32 *)x);
579 } else {
580 tooLong * tl = (tooLong *)x;
581 if (PR_AtomicIncrement(&tl->low) == 0)
582 PR_AtomicIncrement(&tl->high);
583 }
584 }
585
586 /* return pointer to ssl3CipherSuiteDef for suite, or NULL */
587 /* XXX This does a linear search. A binary search would be better. */
588 static const ssl3CipherSuiteDef *
589 ssl_LookupCipherSuiteDef(ssl3CipherSuite suite)
590 {
591 int cipher_suite_def_len =
592 sizeof(cipher_suite_defs) / sizeof(cipher_suite_defs[0]);
593 int i;
594
595 for (i = 0; i < cipher_suite_def_len; i++) {
596 if (cipher_suite_defs[i].cipher_suite == suite)
597 return &cipher_suite_defs[i];
598 }
599 PORT_Assert(PR_FALSE); /* We should never get here. */
600 PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
601 return NULL;
602 }
603
604 /* Find the cipher configuration struct associate with suite */
605 /* XXX This does a linear search. A binary search would be better. */
606 static ssl3CipherSuiteCfg *
607 ssl_LookupCipherSuiteCfg(ssl3CipherSuite suite, ssl3CipherSuiteCfg *suites)
608 {
609 int i;
610
611 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
612 if (suites[i].cipher_suite == suite)
613 return &suites[i];
614 }
615 /* return NULL and let the caller handle it. */
616 PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
617 return NULL;
618 }
619
620
621 /* Initialize the suite->isPresent value for config_match
622 * Returns count of enabled ciphers supported by extant tokens,
623 * regardless of policy or user preference.
624 * If this returns zero, the user cannot do SSL v3.
625 */
626 int
627 ssl3_config_match_init(sslSocket *ss)
628 {
629 ssl3CipherSuiteCfg * suite;
630 const ssl3CipherSuiteDef *cipher_def;
631 SSLCipherAlgorithm cipher_alg;
632 CK_MECHANISM_TYPE cipher_mech;
633 SSL3KEAType exchKeyType;
634 int i;
635 int numPresent = 0;
636 int numEnabled = 0;
637 PRBool isServer;
638 sslServerCerts *svrAuth;
639
640 PORT_Assert(ss);
641 if (!ss) {
642 PORT_SetError(SEC_ERROR_INVALID_ARGS);
643 return 0;
644 }
645 if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) {
646 return 0;
647 }
648 isServer = (PRBool)(ss->sec.isServer != 0);
649
650 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
651 suite = &ss->cipherSuites[i];
652 if (suite->enabled) {
653 ++numEnabled;
654 /* We need the cipher defs to see if we have a token that can handle
655 * this cipher. It isn't part of the static definition.
656 */
657 cipher_def = ssl_LookupCipherSuiteDef(suite->cipher_suite);
658 if (!cipher_def) {
659 suite->isPresent = PR_FALSE;
660 continue;
661 }
662 cipher_alg=bulk_cipher_defs[cipher_def->bulk_cipher_alg ].calg;
663 PORT_Assert( alg2Mech[cipher_alg].calg == cipher_alg);
664 cipher_mech = alg2Mech[cipher_alg].cmech;
665 exchKeyType =
666 kea_defs[cipher_def->key_exchange_alg].exchKeyType;
667 #ifndef NSS_ENABLE_ECC
668 svrAuth = ss->serverCerts + exchKeyType;
669 #else
670 /* XXX SSLKEAType isn't really a good choice for
671 * indexing certificates. It doesn't work for
672 * (EC)DHE-* ciphers. Here we use a hack to ensure
673 * that the server uses an RSA cert for (EC)DHE-RSA.
674 */
675 switch (cipher_def->key_exchange_alg) {
676 case kea_ecdhe_rsa:
677 #if NSS_SERVER_DHE_IMPLEMENTED
678 /* XXX NSS does not yet implement the server side of _DHE_
679 * cipher suites. Correcting the computation for svrAuth,
680 * as the case below does, causes NSS SSL servers to begin to
681 * negotiate cipher suites they do not implement. So, until
682 * server side _DHE_ is implemented, keep this disabled.
683 */
684 case kea_dhe_rsa:
685 #endif
686 svrAuth = ss->serverCerts + kt_rsa;
687 break;
688 case kea_ecdh_ecdsa:
689 case kea_ecdh_rsa:
690 /*
691 * XXX We ought to have different indices for
692 * ECDSA- and RSA-signed EC certificates so
693 * we could support both key exchange mechanisms
694 * simultaneously. For now, both of them use
695 * whatever is in the certificate slot for kt_ecdh
696 */
697 default:
698 svrAuth = ss->serverCerts + exchKeyType;
699 break;
700 }
701 #endif /* NSS_ENABLE_ECC */
702
703 /* Mark the suites that are backed by real tokens, certs and keys */
704 suite->isPresent = (PRBool)
705 (((exchKeyType == kt_null) ||
706 ((!isServer || (svrAuth->serverKeyPair &&
707 svrAuth->SERVERKEY &&
708 svrAuth->serverCertChain)) &&
709 PK11_TokenExists(kea_alg_defs[exchKeyType]))) &&
710 ((cipher_alg == calg_null) || PK11_TokenExists(cipher_mech)));
711 if (suite->isPresent)
712 ++numPresent;
713 }
714 }
715 PORT_Assert(numPresent > 0 || numEnabled == 0);
716 if (numPresent <= 0) {
717 PORT_SetError(SSL_ERROR_NO_CIPHERS_SUPPORTED);
718 }
719 return numPresent;
720 }
721
722
723 /* return PR_TRUE if suite matches policy and enabled state */
724 /* It would be a REALLY BAD THING (tm) if we ever permitted the use
725 ** of a cipher that was NOT_ALLOWED. So, if this is ever called with
726 ** policy == SSL_NOT_ALLOWED, report no match.
727 */
728 /* adjust suite enabled to the availability of a token that can do the
729 * cipher suite. */
730 static PRBool
731 config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled)
732 {
733 PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE);
734 if (policy == SSL_NOT_ALLOWED || !enabled)
735 return PR_FALSE;
736 return (PRBool)(suite->enabled &&
737 suite->isPresent &&
738 suite->policy != SSL_NOT_ALLOWED &&
739 suite->policy <= policy);
740 }
741
742 /* return number of cipher suites that match policy and enabled state */
743 /* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */
744 static int
745 count_cipher_suites(sslSocket *ss, int policy, PRBool enabled)
746 {
747 int i, count = 0;
748
749 if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) {
750 return 0;
751 }
752 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
753 if (config_match(&ss->cipherSuites[i], policy, enabled))
754 count++;
755 }
756 if (count <= 0) {
757 PORT_SetError(SSL_ERROR_SSL_DISABLED);
758 }
759 return count;
760 }
761
762 static PRBool
763 anyRestrictedEnabled(sslSocket *ss)
764 {
765 int i;
766
767 if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) {
768 return PR_FALSE;
769 }
770 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
771 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
772 if (suite->policy == SSL_RESTRICTED &&
773 suite->enabled &&
774 suite->isPresent)
775 return PR_TRUE;
776 }
777 return PR_FALSE;
778 }
779
780 /*
781 * Null compression, mac and encryption functions
782 */
783
784 static SECStatus
785 Null_Cipher(void *ctx, unsigned char *output, int *outputLen, int maxOutputLen,
786 const unsigned char *input, int inputLen)
787 {
788 *outputLen = inputLen;
789 if (input != output)
790 PORT_Memcpy(output, input, inputLen);
791 return SECSuccess;
792 }
793
794 /*
795 * SSL3 Utility functions
796 */
797
798 SECStatus
799 ssl3_NegotiateVersion(sslSocket *ss, SSL3ProtocolVersion peerVersion)
800 {
801 SSL3ProtocolVersion version;
802 SSL3ProtocolVersion maxVersion;
803
804 if (ss->opt.enableTLS) {
805 maxVersion = SSL_LIBRARY_VERSION_3_1_TLS;
806 } else if (ss->opt.enableSSL3) {
807 maxVersion = SSL_LIBRARY_VERSION_3_0;
808 } else {
809 /* what are we doing here? */
810 PORT_Assert(ss->opt.enableSSL3 || ss->opt.enableTLS);
811 PORT_SetError(SSL_ERROR_SSL_DISABLED);
812 return SECFailure;
813 }
814
815 ss->version = version = PR_MIN(maxVersion, peerVersion);
816
817 if ((version == SSL_LIBRARY_VERSION_3_1_TLS && ss->opt.enableTLS) ||
818 (version == SSL_LIBRARY_VERSION_3_0 && ss->opt.enableSSL3)) {
819 return SECSuccess;
820 }
821
822 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
823 return SECFailure;
824
825 }
826
827 static SECStatus
828 ssl3_GetNewRandom(SSL3Random *random)
829 {
830 PRUint32 gmt = ssl_Time();
831 SECStatus rv;
832
833 random->rand[0] = (unsigned char)(gmt >> 24);
834 random->rand[1] = (unsigned char)(gmt >> 16);
835 random->rand[2] = (unsigned char)(gmt >> 8);
836 random->rand[3] = (unsigned char)(gmt);
837
838 /* first 4 bytes are reserverd for time */
839 rv = PK11_GenerateRandom(&random->rand[4], SSL3_RANDOM_LENGTH - 4);
840 if (rv != SECSuccess) {
841 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
842 }
843 return rv;
844 }
845
846 /* Called by ssl3_SendServerKeyExchange and ssl3_SendCertificateVerify */
847 SECStatus
848 ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key, SECItem *buf,
849 PRBool isTLS)
850 {
851 SECStatus rv = SECFailure;
852 PRBool doDerEncode = PR_FALSE;
853 int signatureLen;
854 SECItem hashItem;
855
856 buf->data = NULL;
857 signatureLen = PK11_SignatureLen(key);
858 if (signatureLen <= 0) {
859 PORT_SetError(SEC_ERROR_INVALID_KEY);
860 goto done;
861 }
862
863 buf->len = (unsigned)signatureLen;
864 buf->data = (unsigned char *)PORT_Alloc(signatureLen);
865 if (!buf->data)
866 goto done; /* error code was set. */
867
868 switch (key->keyType) {
869 case rsaKey:
870 hashItem.data = hash->md5;
871 hashItem.len = sizeof(SSL3Hashes);
872 break;
873 case dsaKey:
874 doDerEncode = isTLS;
875 hashItem.data = hash->sha;
876 hashItem.len = sizeof(hash->sha);
877 break;
878 #ifdef NSS_ENABLE_ECC
879 case ecKey:
880 doDerEncode = PR_TRUE;
881 hashItem.data = hash->sha;
882 hashItem.len = sizeof(hash->sha);
883 break;
884 #endif /* NSS_ENABLE_ECC */
885 default:
886 PORT_SetError(SEC_ERROR_INVALID_KEY);
887 goto done;
888 }
889 PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len));
890
891 rv = PK11_Sign(key, buf, &hashItem);
892 if (rv != SECSuccess) {
893 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE);
894 } else if (doDerEncode) {
895 SECItem derSig = {siBuffer, NULL, 0};
896
897 /* This also works for an ECDSA signature */
898 rv = DSAU_EncodeDerSigWithLen(&derSig, buf, buf->len);
899 if (rv == SECSuccess) {
900 PORT_Free(buf->data); /* discard unencoded signature. */
901 *buf = derSig; /* give caller encoded signature. */
902 } else if (derSig.data) {
903 PORT_Free(derSig.data);
904 }
905 }
906
907 PRINT_BUF(60, (NULL, "signed hashes", (unsigned char*)buf->data, buf->len));
908 done:
909 if (rv != SECSuccess && buf->data) {
910 PORT_Free(buf->data);
911 buf->data = NULL;
912 }
913 return rv;
914 }
915
916 /* Called from ssl3_HandleServerKeyExchange, ssl3_HandleCertificateVerify */
917 SECStatus
918 ssl3_VerifySignedHashes(SSL3Hashes *hash, CERTCertificate *cert,
919 SECItem *buf, PRBool isTLS, void *pwArg)
920 {
921 SECKEYPublicKey * key;
922 SECItem * signature = NULL;
923 SECStatus rv;
924 SECItem hashItem;
925 #ifdef NSS_ENABLE_ECC
926 unsigned int len;
927 #endif /* NSS_ENABLE_ECC */
928
929
930 PRINT_BUF(60, (NULL, "check signed hashes",
931 buf->data, buf->len));
932
933 key = CERT_ExtractPublicKey(cert);
934 if (key == NULL) {
935 /* CERT_ExtractPublicKey doesn't set error code */
936 PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
937 return SECFailure;
938 }
939
940 switch (key->keyType) {
941 case rsaKey:
942 hashItem.data = hash->md5;
943 hashItem.len = sizeof(SSL3Hashes);
944 break;
945 case dsaKey:
946 hashItem.data = hash->sha;
947 hashItem.len = sizeof(hash->sha);
948 /* Allow DER encoded DSA signatures in SSL 3.0 */
949 if (isTLS || buf->len != DSA_SIGNATURE_LEN) {
950 signature = DSAU_DecodeDerSig(buf);
951 if (!signature) {
952 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
953 return SECFailure;
954 }
955 buf = signature;
956 }
957 break;
958
959 #ifdef NSS_ENABLE_ECC
960 case ecKey:
961 hashItem.data = hash->sha;
962 hashItem.len = sizeof(hash->sha);
963 /*
964 * ECDSA signatures always encode the integers r and s
965 * using ASN (unlike DSA where ASN encoding is used
966 * with TLS but not with SSL3)
967 */
968 len = SECKEY_SignatureLen(key);
969 if (len == 0) {
970 SECKEY_DestroyPublicKey(key);
971 PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
972 return SECFailure;
973 }
974 signature = DSAU_DecodeDerSigToLen(buf, len);
975 if (!signature) {
976 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
977 return SECFailure;
978 }
979 buf = signature;
980 break;
981 #endif /* NSS_ENABLE_ECC */
982
983 default:
984 SECKEY_DestroyPublicKey(key);
985 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
986 return SECFailure;
987 }
988
989 PRINT_BUF(60, (NULL, "hash(es) to be verified",
990 hashItem.data, hashItem.len));
991
992 rv = PK11_Verify(key, buf, &hashItem, pwArg);
993 SECKEY_DestroyPublicKey(key);
994 if (signature) {
995 SECITEM_FreeItem(signature, PR_TRUE);
996 }
997 if (rv != SECSuccess) {
998 ssl_MapLowLevelError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
999 }
1000 return rv;
1001 }
1002
1003
1004 /* Caller must set hiLevel error code. */
1005 /* Called from ssl3_ComputeExportRSAKeyHash
1006 * ssl3_ComputeDHKeyHash
1007 * which are called from ssl3_HandleServerKeyExchange.
1008 */
1009 SECStatus
1010 ssl3_ComputeCommonKeyHash(PRUint8 * hashBuf, unsigned int bufLen,
1011 SSL3Hashes *hashes, PRBool bypassPKCS11)
1012 {
1013 SECStatus rv = SECSuccess;
1014
1015 if (bypassPKCS11) {
1016 MD5_HashBuf (hashes->md5, hashBuf, bufLen);
1017 SHA1_HashBuf(hashes->sha, hashBuf, bufLen);
1018 } else {
1019 rv = PK11_HashBuf(SEC_OID_MD5, hashes->md5, hashBuf, bufLen);
1020 if (rv != SECSuccess) {
1021 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
1022 rv = SECFailure;
1023 goto done;
1024 }
1025
1026 rv = PK11_HashBuf(SEC_OID_SHA1, hashes->sha, hashBuf, bufLen);
1027 if (rv != SECSuccess) {
1028 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
1029 rv = SECFailure;
1030 }
1031 }
1032 done:
1033 return rv;
1034 }
1035
1036 /* Caller must set hiLevel error code.
1037 ** Called from ssl3_SendServerKeyExchange and
1038 ** ssl3_HandleServerKeyExchange.
1039 */
1040 static SECStatus
1041 ssl3_ComputeExportRSAKeyHash(SECItem modulus, SECItem publicExponent,
1042 SSL3Random *client_rand, SSL3Random *server_rand,
1043 SSL3Hashes *hashes, PRBool bypassPKCS11)
1044 {
1045 PRUint8 * hashBuf;
1046 PRUint8 * pBuf;
1047 SECStatus rv = SECSuccess;
1048 unsigned int bufLen;
1049 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8];
1050
1051 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + modulus.len + 2 + publicExponent.len;
1052 if (bufLen <= sizeof buf) {
1053 hashBuf = buf;
1054 } else {
1055 hashBuf = PORT_Alloc(bufLen);
1056 if (!hashBuf) {
1057 return SECFailure;
1058 }
1059 }
1060
1061 memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH);
1062 pBuf = hashBuf + SSL3_RANDOM_LENGTH;
1063 memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH);
1064 pBuf += SSL3_RANDOM_LENGTH;
1065 pBuf[0] = (PRUint8)(modulus.len >> 8);
1066 pBuf[1] = (PRUint8)(modulus.len);
1067 pBuf += 2;
1068 memcpy(pBuf, modulus.data, modulus.len);
1069 pBuf += modulus.len;
1070 pBuf[0] = (PRUint8)(publicExponent.len >> 8);
1071 pBuf[1] = (PRUint8)(publicExponent.len);
1072 pBuf += 2;
1073 memcpy(pBuf, publicExponent.data, publicExponent.len);
1074 pBuf += publicExponent.len;
1075 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen);
1076
1077 rv = ssl3_ComputeCommonKeyHash(hashBuf, bufLen, hashes, bypassPKCS11);
1078
1079 PRINT_BUF(95, (NULL, "RSAkey hash: ", hashBuf, bufLen));
1080 PRINT_BUF(95, (NULL, "RSAkey hash: MD5 result", hashes->md5, MD5_LENGTH));
1081 PRINT_BUF(95, (NULL, "RSAkey hash: SHA1 result", hashes->sha, SHA1_LENGTH));
1082
1083 if (hashBuf != buf && hashBuf != NULL)
1084 PORT_Free(hashBuf);
1085 return rv;
1086 }
1087
1088 /* Caller must set hiLevel error code. */
1089 /* Called from ssl3_HandleServerKeyExchange. */
1090 static SECStatus
1091 ssl3_ComputeDHKeyHash(SECItem dh_p, SECItem dh_g, SECItem dh_Ys,
1092 SSL3Random *client_rand, SSL3Random *server_rand,
1093 SSL3Hashes *hashes, PRBool bypassPKCS11)
1094 {
1095 PRUint8 * hashBuf;
1096 PRUint8 * pBuf;
1097 SECStatus rv = SECSuccess;
1098 unsigned int bufLen;
1099 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8];
1100
1101 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + dh_p.len + 2 + dh_g.len + 2 + dh_Ys.len;
1102 if (bufLen <= sizeof buf) {
1103 hashBuf = buf;
1104 } else {
1105 hashBuf = PORT_Alloc(bufLen);
1106 if (!hashBuf) {
1107 return SECFailure;
1108 }
1109 }
1110
1111 memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH);
1112 pBuf = hashBuf + SSL3_RANDOM_LENGTH;
1113 memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH);
1114 pBuf += SSL3_RANDOM_LENGTH;
1115 pBuf[0] = (PRUint8)(dh_p.len >> 8);
1116 pBuf[1] = (PRUint8)(dh_p.len);
1117 pBuf += 2;
1118 memcpy(pBuf, dh_p.data, dh_p.len);
1119 pBuf += dh_p.len;
1120 pBuf[0] = (PRUint8)(dh_g.len >> 8);
1121 pBuf[1] = (PRUint8)(dh_g.len);
1122 pBuf += 2;
1123 memcpy(pBuf, dh_g.data, dh_g.len);
1124 pBuf += dh_g.len;
1125 pBuf[0] = (PRUint8)(dh_Ys.len >> 8);
1126 pBuf[1] = (PRUint8)(dh_Ys.len);
1127 pBuf += 2;
1128 memcpy(pBuf, dh_Ys.data, dh_Ys.len);
1129 pBuf += dh_Ys.len;
1130 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen);
1131
1132 rv = ssl3_ComputeCommonKeyHash(hashBuf, bufLen, hashes, bypassPKCS11);
1133
1134 PRINT_BUF(95, (NULL, "DHkey hash: ", hashBuf, bufLen));
1135 PRINT_BUF(95, (NULL, "DHkey hash: MD5 result", hashes->md5, MD5_LENGTH));
1136 PRINT_BUF(95, (NULL, "DHkey hash: SHA1 result", hashes->sha, SHA1_LENGTH));
1137
1138 if (hashBuf != buf && hashBuf != NULL)
1139 PORT_Free(hashBuf);
1140 return rv;
1141 }
1142
1143 static void
1144 ssl3_BumpSequenceNumber(SSL3SequenceNumber *num)
1145 {
1146 num->low++;
1147 if (num->low == 0)
1148 num->high++;
1149 }
1150
1151 /* Called twice, only from ssl3_DestroyCipherSpec (immediately below). */
1152 static void
1153 ssl3_CleanupKeyMaterial(ssl3KeyMaterial *mat)
1154 {
1155 if (mat->write_key != NULL) {
1156 PK11_FreeSymKey(mat->write_key);
1157 mat->write_key = NULL;
1158 }
1159 if (mat->write_mac_key != NULL) {
1160 PK11_FreeSymKey(mat->write_mac_key);
1161 mat->write_mac_key = NULL;
1162 }
1163 if (mat->write_mac_context != NULL) {
1164 PK11_DestroyContext(mat->write_mac_context, PR_TRUE);
1165 mat->write_mac_context = NULL;
1166 }
1167 }
1168
1169 /* Called from ssl3_SendChangeCipherSpecs() and
1170 ** ssl3_HandleChangeCipherSpecs()
1171 ** ssl3_DestroySSL3Info
1172 ** Caller must hold SpecWriteLock.
1173 */
1174 static void
1175 ssl3_DestroyCipherSpec(ssl3CipherSpec *spec)
1176 {
1177 PRBool freeit = (PRBool)(!spec->bypassCiphers);
1178 /* PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); Don't have ss! * /
1179 if (spec->destroy) {
1180 spec->destroy(spec->encodeContext, freeit);
1181 spec->destroy(spec->decodeContext, freeit);
1182 spec->encodeContext = NULL; /* paranoia */
1183 spec->decodeContext = NULL;
1184 }
1185 if (spec->destroyCompressContext && spec->compressContext) {
1186 spec->destroyCompressContext(spec->compressContext, 1);
1187 spec->compressContext = NULL;
1188 }
1189 if (spec->destroyDecompressContext && spec->decompressContext) {
1190 spec->destroyDecompressContext(spec->decompressContext, 1);
1191 spec->decompressContext = NULL;
1192 }
1193 if (spec->master_secret != NULL) {
1194 PK11_FreeSymKey(spec->master_secret);
1195 spec->master_secret = NULL;
1196 }
1197 spec->msItem.data = NULL;
1198 spec->msItem.len = 0;
1199 ssl3_CleanupKeyMaterial(&spec->client);
1200 ssl3_CleanupKeyMaterial(&spec->server);
1201 spec->bypassCiphers = PR_FALSE;
1202 spec->destroy=NULL;
1203 spec->destroyCompressContext = NULL;
1204 spec->destroyDecompressContext = NULL;
1205 }
1206
1207 /* Fill in the pending cipher spec with info from the selected ciphersuite.
1208 ** This is as much initialization as we can do without having key material.
1209 ** Called from ssl3_HandleServerHello(), ssl3_SendServerHello()
1210 ** Caller must hold the ssl3 handshake lock.
1211 ** Acquires & releases SpecWriteLock.
1212 */
1213 static SECStatus
1214 ssl3_SetupPendingCipherSpec(sslSocket *ss)
1215 {
1216 ssl3CipherSpec * pwSpec;
1217 ssl3CipherSpec * cwSpec;
1218 ssl3CipherSuite suite = ss->ssl3.hs.cipher_suite;
1219 SSL3MACAlgorithm mac;
1220 SSL3BulkCipher cipher;
1221 SSL3KeyExchangeAlgorithm kea;
1222 const ssl3CipherSuiteDef *suite_def;
1223 PRBool isTLS;
1224
1225 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
1226
1227 ssl_GetSpecWriteLock(ss); /*******************************/
1228
1229 pwSpec = ss->ssl3.pwSpec;
1230 PORT_Assert(pwSpec == ss->ssl3.prSpec);
1231
1232 /* This hack provides maximal interoperability with SSL 3 servers. */
1233 cwSpec = ss->ssl3.cwSpec;
1234 if (cwSpec->mac_def->mac == mac_null) {
1235 /* SSL records are not being MACed. */
1236 cwSpec->version = ss->version;
1237 }
1238
1239 pwSpec->version = ss->version;
1240 isTLS = (PRBool)(pwSpec->version > SSL_LIBRARY_VERSION_3_0);
1241
1242 SSL_TRC(3, ("%d: SSL3[%d]: Set XXX Pending Cipher Suite to 0x%04x",
1243 SSL_GETPID(), ss->fd, suite));
1244
1245 suite_def = ssl_LookupCipherSuiteDef(suite);
1246 if (suite_def == NULL) {
1247 ssl_ReleaseSpecWriteLock(ss);
1248 return SECFailure; /* error code set by ssl_LookupCipherSuiteDef */
1249 }
1250
1251
1252 cipher = suite_def->bulk_cipher_alg;
1253 kea = suite_def->key_exchange_alg;
1254 mac = suite_def->mac_alg;
1255 if (isTLS)
1256 mac += 2;
1257
1258 ss->ssl3.hs.suite_def = suite_def;
1259 ss->ssl3.hs.kea_def = &kea_defs[kea];
1260 PORT_Assert(ss->ssl3.hs.kea_def->kea == kea);
1261
1262 pwSpec->cipher_def = &bulk_cipher_defs[cipher];
1263 PORT_Assert(pwSpec->cipher_def->cipher == cipher);
1264
1265 pwSpec->mac_def = &mac_defs[mac];
1266 PORT_Assert(pwSpec->mac_def->mac == mac);
1267
1268 ss->sec.keyBits = pwSpec->cipher_def->key_size * BPB;
1269 ss->sec.secretKeyBits = pwSpec->cipher_def->secret_key_size * BPB;
1270 ss->sec.cipherType = cipher;
1271
1272 pwSpec->encodeContext = NULL;
1273 pwSpec->decodeContext = NULL;
1274
1275 pwSpec->mac_size = pwSpec->mac_def->mac_size;
1276
1277 pwSpec->compression_method = ss->ssl3.hs.compression;
1278 pwSpec->compressContext = NULL;
1279 pwSpec->decompressContext = NULL;
1280
1281 ssl_ReleaseSpecWriteLock(ss); /*******************************/
1282 return SECSuccess;
1283 }
1284
1285 #ifdef NSS_ENABLE_ZLIB
1286 #define SSL3_DEFLATE_CONTEXT_SIZE sizeof(z_stream)
1287
1288 static SECStatus
1289 ssl3_MapZlibError(int zlib_error)
1290 {
1291 switch (zlib_error) {
1292 case Z_OK:
1293 return SECSuccess;
1294 default:
1295 return SECFailure;
1296 }
1297 }
1298
1299 static SECStatus
1300 ssl3_DeflateInit(void *void_context)
1301 {
1302 z_stream* context = void_context;
1303 context->zalloc = NULL;
1304 context->zfree = NULL;
1305 context->opaque = NULL;
1306
1307 return ssl3_MapZlibError(deflateInit(context, Z_DEFAULT_COMPRESSION));
1308 }
1309
1310 static SECStatus
1311 ssl3_InflateInit(void *void_context)
1312 {
1313 z_stream* context = void_context;
1314 context->zalloc = NULL;
1315 context->zfree = NULL;
1316 context->opaque = NULL;
1317 context->next_in = NULL;
1318 context->avail_in = 0;
1319
1320 return ssl3_MapZlibError(inflateInit(context));
1321 }
1322
1323 static SECStatus
1324 ssl3_DeflateCompress(void *void_context, unsigned char *out, int *out_len,
1325 int maxout, const unsigned char *in, int inlen)
1326 {
1327 z_stream* context = void_context;
1328 context->next_in = (unsigned char*) in;
1329 context->avail_in = inlen;
1330 context->next_out = out;
1331 context->avail_out = maxout;
1332 if (deflate(context, Z_SYNC_FLUSH) != Z_OK) {
1333 return SECFailure;
1334 }
1335 if (context->avail_out == 0) {
1336 /* We ran out of space! */
1337 SSL_TRC(3, ("%d: SSL3[%d] Ran out of buffer while compressing",
1338 SSL_GETPID()));
1339 return SECFailure;
1340 }
1341
1342 *out_len = maxout - context->avail_out;
1343 return SECSuccess;
1344 }
1345
1346 static SECStatus
1347 ssl3_DeflateDecompress(void *void_context, unsigned char *out, int *out_len,
1348 int maxout, const unsigned char *in, int inlen)
1349 {
1350 z_stream* context = void_context;
1351 context->next_in = (unsigned char*) in;
1352 context->avail_in = inlen;
1353 context->next_out = out;
1354 context->avail_out = maxout;
1355 if (inflate(context, Z_SYNC_FLUSH) != Z_OK) {
1356 return SECFailure;
1357 }
1358
1359 *out_len = maxout - context->avail_out;
1360 return SECSuccess;
1361 }
1362
1363 static SECStatus
1364 ssl3_DestroyCompressContext(void *void_context, PRBool unused)
1365 {
1366 deflateEnd(void_context);
1367 PORT_Free(void_context);
1368 return SECSuccess;
1369 }
1370
1371 static SECStatus
1372 ssl3_DestroyDecompressContext(void *void_context, PRBool unused)
1373 {
1374 inflateEnd(void_context);
1375 PORT_Free(void_context);
1376 return SECSuccess;
1377 }
1378
1379 #endif /* NSS_ENABLE_ZLIB */
1380
1381 /* Initialize the compression functions and contexts for the given
1382 * CipherSpec. */
1383 static SECStatus
1384 ssl3_InitCompressionContext(ssl3CipherSpec *pwSpec)
1385 {
1386 /* Setup the compression functions */
1387 switch (pwSpec->compression_method) {
1388 case ssl_compression_null:
1389 pwSpec->compress = NULL;
1390 pwSpec->decompress = NULL;
1391 pwSpec->compressContext = NULL;
1392 pwSpec->decompressContext = NULL;
1393 pwSpec->destroyCompressContext = NULL;
1394 pwSpec->destroyDecompressContext = NULL;
1395 break;
1396 #ifdef NSS_ENABLE_ZLIB
1397 case ssl_compression_deflate:
1398 pwSpec->compress = ssl3_DeflateCompress;
1399 pwSpec->decompress = ssl3_DeflateDecompress;
1400 pwSpec->compressContext = PORT_Alloc(SSL3_DEFLATE_CONTEXT_SIZE);
1401 pwSpec->decompressContext = PORT_Alloc(SSL3_DEFLATE_CONTEXT_SIZE);
1402 pwSpec->destroyCompressContext = ssl3_DestroyCompressContext;
1403 pwSpec->destroyDecompressContext = ssl3_DestroyDecompressContext;
1404 ssl3_DeflateInit(pwSpec->compressContext);
1405 ssl3_InflateInit(pwSpec->decompressContext);
1406 break;
1407 #endif /* NSS_ENABLE_ZLIB */
1408 default:
1409 PORT_Assert(0);
1410 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1411 return SECFailure;
1412 }
1413
1414 return SECSuccess;
1415 }
1416
1417 /* Initialize encryption and MAC contexts for pending spec.
1418 * Master Secret already is derived in spec->msItem
1419 * Caller holds Spec write lock.
1420 */
1421 static SECStatus
1422 ssl3_InitPendingContextsBypass(sslSocket *ss)
1423 {
1424 ssl3CipherSpec * pwSpec;
1425 const ssl3BulkCipherDef *cipher_def;
1426 void * serverContext = NULL;
1427 void * clientContext = NULL;
1428 BLapiInitContextFunc initFn = (BLapiInitContextFunc)NULL;
1429 int mode = 0;
1430 unsigned int optArg1 = 0;
1431 unsigned int optArg2 = 0;
1432 PRBool server_encrypts = ss->sec.isServer;
1433 CK_ULONG macLength;
1434 SSLCipherAlgorithm calg;
1435 SSLCompressionMethod compression_method;
1436 SECStatus rv;
1437
1438 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
1439
1440 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
1441
1442 pwSpec = ss->ssl3.pwSpec;
1443 cipher_def = pwSpec->cipher_def;
1444 macLength = pwSpec->mac_size;
1445
1446 /* MAC setup is done when computing the mac, not here.
1447 * Now setup the crypto contexts.
1448 */
1449
1450 calg = cipher_def->calg;
1451 compression_method = pwSpec->compression_method;
1452
1453 serverContext = pwSpec->server.cipher_context;
1454 clientContext = pwSpec->client.cipher_context;
1455
1456 switch (calg) {
1457 case ssl_calg_null:
1458 pwSpec->encode = Null_Cipher;
1459 pwSpec->decode = Null_Cipher;
1460 pwSpec->destroy = NULL;
1461 goto success;
1462
1463 case ssl_calg_rc4:
1464 initFn = (BLapiInitContextFunc)RC4_InitContext;
1465 pwSpec->encode = (SSLCipher) RC4_Encrypt;
1466 pwSpec->decode = (SSLCipher) RC4_Decrypt;
1467 pwSpec->destroy = (SSLDestroy) RC4_DestroyContext;
1468 break;
1469 case ssl_calg_rc2:
1470 initFn = (BLapiInitContextFunc)RC2_InitContext;
1471 mode = NSS_RC2_CBC;
1472 optArg1 = cipher_def->key_size;
1473 pwSpec->encode = (SSLCipher) RC2_Encrypt;
1474 pwSpec->decode = (SSLCipher) RC2_Decrypt;
1475 pwSpec->destroy = (SSLDestroy) RC2_DestroyContext;
1476 break;
1477 case ssl_calg_des:
1478 initFn = (BLapiInitContextFunc)DES_InitContext;
1479 mode = NSS_DES_CBC;
1480 optArg1 = server_encrypts;
1481 pwSpec->encode = (SSLCipher) DES_Encrypt;
1482 pwSpec->decode = (SSLCipher) DES_Decrypt;
1483 pwSpec->destroy = (SSLDestroy) DES_DestroyContext;
1484 break;
1485 case ssl_calg_3des:
1486 initFn = (BLapiInitContextFunc)DES_InitContext;
1487 mode = NSS_DES_EDE3_CBC;
1488 optArg1 = server_encrypts;
1489 pwSpec->encode = (SSLCipher) DES_Encrypt;
1490 pwSpec->decode = (SSLCipher) DES_Decrypt;
1491 pwSpec->destroy = (SSLDestroy) DES_DestroyContext;
1492 break;
1493 case ssl_calg_aes:
1494 initFn = (BLapiInitContextFunc)AES_InitContext;
1495 mode = NSS_AES_CBC;
1496 optArg1 = server_encrypts;
1497 optArg2 = AES_BLOCK_SIZE;
1498 pwSpec->encode = (SSLCipher) AES_Encrypt;
1499 pwSpec->decode = (SSLCipher) AES_Decrypt;
1500 pwSpec->destroy = (SSLDestroy) AES_DestroyContext;
1501 break;
1502
1503 case ssl_calg_camellia:
1504 initFn = (BLapiInitContextFunc)Camellia_InitContext;
1505 mode = NSS_CAMELLIA_CBC;
1506 optArg1 = server_encrypts;
1507 optArg2 = CAMELLIA_BLOCK_SIZE;
1508 pwSpec->encode = (SSLCipher) Camellia_Encrypt;
1509 pwSpec->decode = (SSLCipher) Camellia_Decrypt;
1510 pwSpec->destroy = (SSLDestroy) Camellia_DestroyContext;
1511 break;
1512
1513 case ssl_calg_seed:
1514 initFn = (BLapiInitContextFunc)SEED_InitContext;
1515 mode = NSS_SEED_CBC;
1516 optArg1 = server_encrypts;
1517 optArg2 = SEED_BLOCK_SIZE;
1518 pwSpec->encode = (SSLCipher) SEED_Encrypt;
1519 pwSpec->decode = (SSLCipher) SEED_Decrypt;
1520 pwSpec->destroy = (SSLDestroy) SEED_DestroyContext;
1521 break;
1522
1523 case ssl_calg_idea:
1524 case ssl_calg_fortezza :
1525 default:
1526 PORT_Assert(0);
1527 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1528 goto bail_out;
1529 }
1530 rv = (*initFn)(serverContext,
1531 pwSpec->server.write_key_item.data,
1532 pwSpec->server.write_key_item.len,
1533 pwSpec->server.write_iv_item.data,
1534 mode, optArg1, optArg2);
1535 if (rv != SECSuccess) {
1536 PORT_Assert(0);
1537 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1538 goto bail_out;
1539 }
1540
1541 switch (calg) {
1542 case ssl_calg_des:
1543 case ssl_calg_3des:
1544 case ssl_calg_aes:
1545 case ssl_calg_camellia:
1546 case ssl_calg_seed:
1547 /* For block ciphers, if the server is encrypting, then the client
1548 * is decrypting, and vice versa.
1549 */
1550 optArg1 = !optArg1;
1551 }
1552
1553 rv = (*initFn)(clientContext,
1554 pwSpec->client.write_key_item.data,
1555 pwSpec->client.write_key_item.len,
1556 pwSpec->client.write_iv_item.data,
1557 mode, optArg1, optArg2);
1558 if (rv != SECSuccess) {
1559 PORT_Assert(0);
1560 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1561 goto bail_out;
1562 }
1563
1564 pwSpec->encodeContext = (ss->sec.isServer) ? serverContext : clientContext;
1565 pwSpec->decodeContext = (ss->sec.isServer) ? clientContext : serverContext;
1566
1567 ssl3_InitCompressionContext(pwSpec);
1568
1569 success:
1570 return SECSuccess;
1571
1572 bail_out:
1573 return SECFailure;
1574 }
1575
1576 /* This function should probably be moved to pk11wrap and be named
1577 * PK11_ParamFromIVAndEffectiveKeyBits
1578 */
1579 static SECItem *
1580 ssl3_ParamFromIV(CK_MECHANISM_TYPE mtype, SECItem *iv, CK_ULONG ulEffectiveBits)
1581 {
1582 SECItem * param = PK11_ParamFromIV(mtype, iv);
1583 if (param && param->data && param->len >= sizeof(CK_RC2_PARAMS)) {
1584 switch (mtype) {
1585 case CKM_RC2_KEY_GEN:
1586 case CKM_RC2_ECB:
1587 case CKM_RC2_CBC:
1588 case CKM_RC2_MAC:
1589 case CKM_RC2_MAC_GENERAL:
1590 case CKM_RC2_CBC_PAD:
1591 *(CK_RC2_PARAMS *)param->data = ulEffectiveBits;
1592 default: break;
1593 }
1594 }
1595 return param;
1596 }
1597
1598 /* Initialize encryption and MAC contexts for pending spec.
1599 * Master Secret already is derived.
1600 * Caller holds Spec write lock.
1601 */
1602 static SECStatus
1603 ssl3_InitPendingContextsPKCS11(sslSocket *ss)
1604 {
1605 ssl3CipherSpec * pwSpec;
1606 const ssl3BulkCipherDef *cipher_def;
1607 PK11Context * serverContext = NULL;
1608 PK11Context * clientContext = NULL;
1609 SECItem * param;
1610 CK_MECHANISM_TYPE mechanism;
1611 CK_MECHANISM_TYPE mac_mech;
1612 CK_ULONG macLength;
1613 CK_ULONG effKeyBits;
1614 SECItem iv;
1615 SECItem mac_param;
1616 SSLCipherAlgorithm calg;
1617
1618 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
1619
1620 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
1621
1622 pwSpec = ss->ssl3.pwSpec;
1623 cipher_def = pwSpec->cipher_def;
1624 macLength = pwSpec->mac_size;
1625
1626 /*
1627 ** Now setup the MAC contexts,
1628 ** crypto contexts are setup below.
1629 */
1630
1631 pwSpec->client.write_mac_context = NULL;
1632 pwSpec->server.write_mac_context = NULL;
1633 mac_mech = pwSpec->mac_def->mmech;
1634 mac_param.data = (unsigned char *)&macLength;
1635 mac_param.len = sizeof(macLength);
1636 mac_param.type = 0;
1637
1638 pwSpec->client.write_mac_context = PK11_CreateContextBySymKey(
1639 mac_mech, CKA_SIGN, pwSpec->client.write_mac_key, &mac_param);
1640 if (pwSpec->client.write_mac_context == NULL) {
1641 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
1642 goto fail;
1643 }
1644 pwSpec->server.write_mac_context = PK11_CreateContextBySymKey(
1645 mac_mech, CKA_SIGN, pwSpec->server.write_mac_key, &mac_param);
1646 if (pwSpec->server.write_mac_context == NULL) {
1647 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
1648 goto fail;
1649 }
1650
1651 /*
1652 ** Now setup the crypto contexts.
1653 */
1654
1655 calg = cipher_def->calg;
1656 PORT_Assert(alg2Mech[calg].calg == calg);
1657
1658 if (calg == calg_null) {
1659 pwSpec->encode = Null_Cipher;
1660 pwSpec->decode = Null_Cipher;
1661 pwSpec->destroy = NULL;
1662 return SECSuccess;
1663 }
1664 mechanism = alg2Mech[calg].cmech;
1665 effKeyBits = cipher_def->key_size * BPB;
1666
1667 /*
1668 * build the server context
1669 */
1670 iv.data = pwSpec->server.write_iv;
1671 iv.len = cipher_def->iv_size;
1672 param = ssl3_ParamFromIV(mechanism, &iv, effKeyBits);
1673 if (param == NULL) {
1674 ssl_MapLowLevelError(SSL_ERROR_IV_PARAM_FAILURE);
1675 goto fail;
1676 }
1677 serverContext = PK11_CreateContextBySymKey(mechanism,
1678 (ss->sec.isServer ? CKA_ENCRYPT : CKA_DECRYPT),
1679 pwSpec->server.write_key, param);
1680 iv.data = PK11_IVFromParam(mechanism, param, (int *)&iv.len);
1681 if (iv.data)
1682 PORT_Memcpy(pwSpec->server.write_iv, iv.data, iv.len);
1683 SECITEM_FreeItem(param, PR_TRUE);
1684 if (serverContext == NULL) {
1685 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
1686 goto fail;
1687 }
1688
1689 /*
1690 * build the client context
1691 */
1692 iv.data = pwSpec->client.write_iv;
1693 iv.len = cipher_def->iv_size;
1694
1695 param = ssl3_ParamFromIV(mechanism, &iv, effKeyBits);
1696 if (param == NULL) {
1697 ssl_MapLowLevelError(SSL_ERROR_IV_PARAM_FAILURE);
1698 goto fail;
1699 }
1700 clientContext = PK11_CreateContextBySymKey(mechanism,
1701 (ss->sec.isServer ? CKA_DECRYPT : CKA_ENCRYPT),
1702 pwSpec->client.write_key, param);
1703 iv.data = PK11_IVFromParam(mechanism, param, (int *)&iv.len);
1704 if (iv.data)
1705 PORT_Memcpy(pwSpec->client.write_iv, iv.data, iv.len);
1706 SECITEM_FreeItem(param,PR_TRUE);
1707 if (clientContext == NULL) {
1708 ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
1709 goto fail;
1710 }
1711 pwSpec->encode = (SSLCipher) PK11_CipherOp;
1712 pwSpec->decode = (SSLCipher) PK11_CipherOp;
1713 pwSpec->destroy = (SSLDestroy) PK11_DestroyContext;
1714
1715 pwSpec->encodeContext = (ss->sec.isServer) ? serverContext : clientContext;
1716 pwSpec->decodeContext = (ss->sec.isServer) ? clientContext : serverContext;
1717
1718 serverContext = NULL;
1719 clientContext = NULL;
1720
1721 ssl3_InitCompressionContext(pwSpec);
1722
1723 return SECSuccess;
1724
1725 fail:
1726 if (serverContext != NULL) PK11_DestroyContext(serverContext, PR_TRUE);
1727 if (clientContext != NULL) PK11_DestroyContext(clientContext, PR_TRUE);
1728 if (pwSpec->client.write_mac_context != NULL) {
1729 PK11_DestroyContext(pwSpec->client.write_mac_context,PR_TRUE);
1730 pwSpec->client.write_mac_context = NULL;
1731 }
1732 if (pwSpec->server.write_mac_context != NULL) {
1733 PK11_DestroyContext(pwSpec->server.write_mac_context,PR_TRUE);
1734 pwSpec->server.write_mac_context = NULL;
1735 }
1736
1737 return SECFailure;
1738 }
1739
1740 /* Complete the initialization of all keys, ciphers, MACs and their contexts
1741 * for the pending Cipher Spec.
1742 * Called from: ssl3_SendClientKeyExchange (for Full handshake)
1743 * ssl3_HandleRSAClientKeyExchange (for Full handshake)
1744 * ssl3_HandleServerHello (for session restart)
1745 * ssl3_HandleClientHello (for session restart)
1746 * Sets error code, but caller probably should override to disambiguate.
1747 * NULL pms means re-use old master_secret.
1748 *
1749 * This code is common to the bypass and PKCS11 execution paths.
1750 * For the bypass case, pms is NULL.
1751 */
1752 SECStatus
1753 ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms)
1754 {
1755 ssl3CipherSpec * pwSpec;
1756 SECStatus rv;
1757
1758 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
1759
1760 ssl_GetSpecWriteLock(ss); /**************************************/
1761
1762 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
1763
1764 pwSpec = ss->ssl3.pwSpec;
1765
1766 if (pms || (!pwSpec->msItem.len && !pwSpec->master_secret)) {
1767 rv = ssl3_DeriveMasterSecret(ss, pms);
1768 if (rv != SECSuccess) {
1769 goto done; /* err code set by ssl3_DeriveMasterSecret */
1770 }
1771 }
1772 if (ss->opt.bypassPKCS11 && pwSpec->msItem.len && pwSpec->msItem.data) {
1773 /* Double Bypass succeeded in extracting the master_secret */
1774 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def;
1775 PRBool isTLS = (PRBool)(kea_def->tls_keygen ||
1776 (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
1777 pwSpec->bypassCiphers = PR_TRUE;
1778 rv = ssl3_KeyAndMacDeriveBypass( pwSpec,
1779 (const unsigned char *)&ss->ssl3.hs.client_random,
1780 (const unsigned char *)&ss->ssl3.hs.server_random,
1781 isTLS,
1782 (PRBool)(kea_def->is_limited));
1783 if (rv == SECSuccess) {
1784 rv = ssl3_InitPendingContextsBypass(ss);
1785 }
1786 } else if (pwSpec->master_secret) {
1787 rv = ssl3_DeriveConnectionKeysPKCS11(ss);
1788 if (rv == SECSuccess) {
1789 rv = ssl3_InitPendingContextsPKCS11(ss);
1790 }
1791 } else {
1792 PORT_Assert(pwSpec->master_secret);
1793 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1794 rv = SECFailure;
1795 }
1796
1797 done:
1798 ssl_ReleaseSpecWriteLock(ss); /******************************/
1799 if (rv != SECSuccess)
1800 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
1801 return rv;
1802 }
1803
1804 /*
1805 * 60 bytes is 3 times the maximum length MAC size that is supported.
1806 */
1807 static const unsigned char mac_pad_1 [60] = {
1808 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
1809 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
1810 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
1811 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
1812 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
1813 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
1814 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
1815 0x36, 0x36, 0x36, 0x36
1816 };
1817 static const unsigned char mac_pad_2 [60] = {
1818 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
1819 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
1820 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
1821 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
1822 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
1823 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
1824 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
1825 0x5c, 0x5c, 0x5c, 0x5c
1826 };
1827
1828 /* Called from: ssl3_SendRecord()
1829 ** ssl3_HandleRecord()
1830 ** Caller must already hold the SpecReadLock. (wish we could assert that!)
1831 */
1832 static SECStatus
1833 ssl3_ComputeRecordMAC(
1834 ssl3CipherSpec * spec,
1835 PRBool useServerMacKey,
1836 SSL3ContentType type,
1837 SSL3ProtocolVersion version,
1838 SSL3SequenceNumber seq_num,
1839 const SSL3Opaque * input,
1840 int inputLength,
1841 unsigned char * outbuf,
1842 unsigned int * outLength)
1843 {
1844 const ssl3MACDef * mac_def;
1845 SECStatus rv;
1846 PRBool isTLS;
1847 unsigned int tempLen;
1848 unsigned char temp[MAX_MAC_LENGTH];
1849
1850 temp[0] = (unsigned char)(seq_num.high >> 24);
1851 temp[1] = (unsigned char)(seq_num.high >> 16);
1852 temp[2] = (unsigned char)(seq_num.high >> 8);
1853 temp[3] = (unsigned char)(seq_num.high >> 0);
1854 temp[4] = (unsigned char)(seq_num.low >> 24);
1855 temp[5] = (unsigned char)(seq_num.low >> 16);
1856 temp[6] = (unsigned char)(seq_num.low >> 8);
1857 temp[7] = (unsigned char)(seq_num.low >> 0);
1858 temp[8] = type;
1859
1860 /* TLS MAC includes the record's version field, SSL's doesn't.
1861 ** We decide which MAC defintiion to use based on the version of
1862 ** the protocol that was negotiated when the spec became current,
1863 ** NOT based on the version value in the record itself.
1864 ** But, we use the record'v version value in the computation.
1865 */
1866 if (spec->version <= SSL_LIBRARY_VERSION_3_0) {
1867 temp[9] = MSB(inputLength);
1868 temp[10] = LSB(inputLength);
1869 tempLen = 11;
1870 isTLS = PR_FALSE;
1871 } else {
1872 /* New TLS hash includes version. */
1873 temp[9] = MSB(version);
1874 temp[10] = LSB(version);
1875 temp[11] = MSB(inputLength);
1876 temp[12] = LSB(inputLength);
1877 tempLen = 13;
1878 isTLS = PR_TRUE;
1879 }
1880
1881 PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen));
1882 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength));
1883
1884 mac_def = spec->mac_def;
1885 if (mac_def->mac == mac_null) {
1886 *outLength = 0;
1887 return SECSuccess;
1888 }
1889 if (! spec->bypassCiphers) {
1890 PK11Context *mac_context =
1891 (useServerMacKey ? spec->server.write_mac_context
1892 : spec->client.write_mac_context);
1893 rv = PK11_DigestBegin(mac_context);
1894 rv |= PK11_DigestOp(mac_context, temp, tempLen);
1895 rv |= PK11_DigestOp(mac_context, input, inputLength);
1896 rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size);
1897 } else {
1898 /* bypass version */
1899 const SECHashObject *hashObj = NULL;
1900 unsigned int pad_bytes = 0;
1901 PRUint64 write_mac_context[MAX_MAC_CONTEXT_LLONGS];
1902
1903 switch (mac_def->mac) {
1904 case ssl_mac_null:
1905 *outLength = 0;
1906 return SECSuccess;
1907 case ssl_mac_md5:
1908 pad_bytes = 48;
1909 hashObj = HASH_GetRawHashObject(HASH_AlgMD5);
1910 break;
1911 case ssl_mac_sha:
1912 pad_bytes = 40;
1913 hashObj = HASH_GetRawHashObject(HASH_AlgSHA1);
1914 break;
1915 case ssl_hmac_md5: /* used with TLS */
1916 hashObj = HASH_GetRawHashObject(HASH_AlgMD5);
1917 break;
1918 case ssl_hmac_sha: /* used with TLS */
1919 hashObj = HASH_GetRawHashObject(HASH_AlgSHA1);
1920 break;
1921 default:
1922 break;
1923 }
1924 if (!hashObj) {
1925 PORT_Assert(0);
1926 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1927 return SECFailure;
1928 }
1929
1930 if (!isTLS) {
1931 /* compute "inner" part of SSL3 MAC */
1932 hashObj->begin(write_mac_context);
1933 if (useServerMacKey)
1934 hashObj->update(write_mac_context,
1935 spec->server.write_mac_key_item.data,
1936 spec->server.write_mac_key_item.len);
1937 else
1938 hashObj->update(write_mac_context,
1939 spec->client.write_mac_key_item.data,
1940 spec->client.write_mac_key_item.len);
1941 hashObj->update(write_mac_context, mac_pad_1, pad_bytes);
1942 hashObj->update(write_mac_context, temp, tempLen);
1943 hashObj->update(write_mac_context, input, inputLength);
1944 hashObj->end(write_mac_context, temp, &tempLen, sizeof temp);
1945
1946 /* compute "outer" part of SSL3 MAC */
1947 hashObj->begin(write_mac_context);
1948 if (useServerMacKey)
1949 hashObj->update(write_mac_context,
1950 spec->server.write_mac_key_item.data,
1951 spec->server.write_mac_key_item.len);
1952 else
1953 hashObj->update(write_mac_context,
1954 spec->client.write_mac_key_item.data,
1955 spec->client.write_mac_key_item.len);
1956 hashObj->update(write_mac_context, mac_pad_2, pad_bytes);
1957 hashObj->update(write_mac_context, temp, tempLen);
1958 hashObj->end(write_mac_context, outbuf, outLength, spec->mac_size);
1959 rv = SECSuccess;
1960 } else { /* is TLS */
1961 #define cx ((HMACContext *)write_mac_context)
1962 if (useServerMacKey) {
1963 rv = HMAC_Init(cx, hashObj,
1964 spec->server.write_mac_key_item.data,
1965 spec->server.write_mac_key_item.len, PR_FALSE);
1966 } else {
1967 rv = HMAC_Init(cx, hashObj,
1968 spec->client.write_mac_key_item.data,
1969 spec->client.write_mac_key_item.len, PR_FALSE);
1970 }
1971 if (rv == SECSuccess) {
1972 HMAC_Begin(cx);
1973 HMAC_Update(cx, temp, tempLen);
1974 HMAC_Update(cx, input, inputLength);
1975 rv = HMAC_Finish(cx, outbuf, outLength, spec->mac_size);
1976 HMAC_Destroy(cx, PR_FALSE);
1977 }
1978 #undef cx
1979 }
1980 }
1981
1982 PORT_Assert(rv != SECSuccess || *outLength == (unsigned)spec->mac_size);
1983
1984 PRINT_BUF(95, (NULL, "frag hash2: result", outbuf, *outLength));
1985
1986 if (rv != SECSuccess) {
1987 rv = SECFailure;
1988 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
1989 }
1990 return rv;
1991 }
1992
1993 static PRBool
1994 ssl3_ClientAuthTokenPresent(sslSessionID *sid) {
1995 PK11SlotInfo *slot = NULL;
1996 PRBool isPresent = PR_TRUE;
1997
1998 /* we only care if we are doing client auth */
1999 if (!sid || !sid->u.ssl3.clAuthValid) {
2000 return PR_TRUE;
2001 }
2002
2003 /* get the slot */
2004 slot = SECMOD_LookupSlot(sid->u.ssl3.clAuthModuleID,
2005 sid->u.ssl3.clAuthSlotID);
2006 if (slot == NULL ||
2007 !PK11_IsPresent(slot) ||
2008 sid->u.ssl3.clAuthSeries != PK11_GetSlotSeries(slot) ||
2009 sid->u.ssl3.clAuthSlotID != PK11_GetSlotID(slot) ||
2010 sid->u.ssl3.clAuthModuleID != PK11_GetModuleID(slot) ||
2011 (PK11_NeedLogin(slot) && !PK11_IsLoggedIn(slot, NULL))) {
2012 isPresent = PR_FALSE;
2013 }
2014 if (slot) {
2015 PK11_FreeSlot(slot);
2016 }
2017 return isPresent;
2018 }
2019
2020 static SECStatus
2021 ssl3_CompressMACEncryptRecord(sslSocket * ss,
2022 SSL3ContentType type,
2023 const SSL3Opaque * pIn,
2024 PRUint32 contentLen)
2025 {
2026 ssl3CipherSpec * cwSpec;
2027 const ssl3BulkCipherDef * cipher_def;
2028 sslBuffer * wrBuf = &ss->sec.writeBuf;
2029 SECStatus rv;
2030 PRUint32 macLen = 0;
2031 PRUint32 fragLen;
2032 PRUint32 p1Len, p2Len, oddLen = 0;
2033 PRInt32 cipherBytes = 0;
2034
2035 ssl_GetSpecReadLock(ss); /********************************/
2036
2037 cwSpec = ss->ssl3.cwSpec;
2038 cipher_def = cwSpec->cipher_def;
2039
2040 if (cwSpec->compress) {
2041 int outlen;
2042 rv = cwSpec->compress(
2043 cwSpec->compressContext, wrBuf->buf + SSL3_RECORD_HEADER_LENGTH,
2044 &outlen, wrBuf->space - SSL3_RECORD_HEADER_LENGTH, pIn, contentLen);
2045 if (rv != SECSuccess)
2046 return rv;
2047 pIn = wrBuf->buf + SSL3_RECORD_HEADER_LENGTH;
2048 contentLen = outlen;
2049 }
2050
2051 /*
2052 * Add the MAC
2053 */
2054 rv = ssl3_ComputeRecordMAC( cwSpec, (PRBool)(ss->sec.isServer),
2055 type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen,
2056 wrBuf->buf + contentLen + SSL3_RECORD_HEADER_LENGTH, &macLen);
2057 if (rv != SECSuccess) {
2058 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
2059 goto spec_locked_loser;
2060 }
2061 p1Len = contentLen;
2062 p2Len = macLen;
2063 fragLen = contentLen + macLen; /* needs to be encrypted */
2064 PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024);
2065
2066 /*
2067 * Pad the text (if we're doing a block cipher)
2068 * then Encrypt it
2069 */
2070 if (cipher_def->type == type_block) {
2071 unsigned char * pBuf;
2072 int padding_length;
2073 int i;
2074
2075 oddLen = contentLen % cipher_def->block_size;
2076 /* Assume blockSize is a power of two */
2077 padding_length = cipher_def->block_size - 1 -
2078 ((fragLen) & (cipher_def->block_size - 1));
2079 fragLen += padding_length + 1;
2080 PORT_Assert((fragLen % cipher_def->block_size) == 0);
2081
2082 /* Pad according to TLS rules (also acceptable to SSL3). */
2083 pBuf = &wrBuf->buf[fragLen + SSL3_RECORD_HEADER_LENGTH - 1];
2084 for (i = padding_length + 1; i > 0; --i) {
2085 *pBuf-- = padding_length;
2086 }
2087 /* now, if contentLen is not a multiple of block size, fix it */
2088 p2Len = fragLen - p1Len;
2089 }
2090 if (p1Len < 256) {
2091 oddLen = p1Len;
2092 p1Len = 0;
2093 } else {
2094 p1Len -= oddLen;
2095 }
2096 if (oddLen) {
2097 p2Len += oddLen;
2098 PORT_Assert( (cipher_def->block_size < 2) || \
2099 (p2Len % cipher_def->block_size) == 0);
2100 memmove(wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + p1Len,
2101 pIn + p1Len, oddLen);
2102 }
2103 if (p1Len > 0) {
2104 rv = cwSpec->encode( cwSpec->encodeContext,
2105 wrBuf->buf + SSL3_RECORD_HEADER_LENGTH, /* output */
2106 &cipherBytes, /* actual outlen */
2107 p1Len, /* max outlen */
2108 pIn, p1Len); /* input, and inputlen */
2109 PORT_Assert(rv == SECSuccess && cipherBytes == p1Len);
2110 if (rv != SECSuccess || cipherBytes != p1Len) {
2111 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
2112 goto spec_locked_loser;
2113 }
2114 }
2115 if (p2Len > 0) {
2116 PRInt32 cipherBytesPart2 = -1;
2117 rv = cwSpec->encode( cwSpec->encodeContext,
2118 wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + p1Len,
2119 &cipherBytesPart2, /* output and actual outLen */
2120 p2Len, /* max outlen */
2121 wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + p1Len,
2122 p2Len); /* input and inputLen*/
2123 PORT_Assert(rv == SECSuccess && cipherBytesPart2 == p2Len);
2124 if (rv != SECSuccess || cipherBytesPart2 != p2Len) {
2125 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
2126 goto spec_locked_loser;
2127 }
2128 cipherBytes += cipherBytesPart2;
2129 }
2130 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024);
2131
2132 ssl3_BumpSequenceNumber(&cwSpec->write_seq_num);
2133
2134 wrBuf->len = cipherBytes + SSL3_RECORD_HEADER_LENGTH;
2135 wrBuf->buf[0] = type;
2136 wrBuf->buf[1] = MSB(cwSpec->version);
2137 wrBuf->buf[2] = LSB(cwSpec->version);
2138 wrBuf->buf[3] = MSB(cipherBytes);
2139 wrBuf->buf[4] = LSB(cipherBytes);
2140
2141 ssl_ReleaseSpecReadLock(ss); /************************************/
2142
2143 return SECSuccess;
2144
2145 spec_locked_loser:
2146 ssl_ReleaseSpecReadLock(ss);
2147 return SECFailure;
2148 }
2149
2150 /* Process the plain text before sending it.
2151 * Returns the number of bytes of plaintext that were successfully sent
2152 * plus the number of bytes of plaintext that were copied into the
2153 * output (write) buffer.
2154 * Returns SECFailure on a hard IO error, memory error, or crypto error.
2155 * Does NOT return SECWouldBlock.
2156 *
2157 * Notes on the use of the private ssl flags:
2158 * (no private SSL flags)
2159 * Attempt to make and send SSL records for all plaintext
2160 * If non-blocking and a send gets WOULD_BLOCK,
2161 * or if the pending (ciphertext) buffer is not empty,
2162 * then buffer remaining bytes of ciphertext into pending buf,
2163 * and continue to do that for all succssive records until all
2164 * bytes are used.
2165 * ssl_SEND_FLAG_FORCE_INTO_BUFFER
2166 * As above, except this suppresses all write attempts, and forces
2167 * all ciphertext into the pending ciphertext buffer.
2168 *
2169 */
2170 static PRInt32
2171 ssl3_SendRecord( sslSocket * ss,
2172 SSL3ContentType type,
2173 const SSL3Opaque * pIn, /* input buffer */
2174 PRInt32 nIn, /* bytes of input */
2175 PRInt32 flags)
2176 {
2177 sslBuffer * wrBuf = &ss->sec.writeBuf;
2178 SECStatus rv;
2179 PRInt32 totalSent = 0;
2180
2181 SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d",
2182 SSL_GETPID(), ss->fd, ssl3_DecodeContentType(type),
2183 nIn));
2184 PRINT_BUF(3, (ss, "Send record (plain text)", pIn, nIn));
2185
2186 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
2187
2188 if (ss->ssl3.initialized == PR_FALSE) {
2189 /* This can happen on a server if the very first incoming record
2190 ** looks like a defective ssl3 record (e.g. too long), and we're
2191 ** trying to send an alert.
2192 */
2193 PR_ASSERT(type == content_alert);
2194 rv = ssl3_InitState(ss);
2195 if (rv != SECSuccess) {
2196 return SECFailure; /* ssl3_InitState has set the error code. */
2197 }
2198 }
2199
2200 /* check for Token Presence */
2201 if (!ssl3_ClientAuthTokenPresent(ss->sec.ci.sid)) {
2202 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
2203 return SECFailure;
2204 }
2205
2206 while (nIn > 0) {
2207 PRUint32 contentLen = PR_MIN(nIn, MAX_FRAGMENT_LENGTH);
2208
2209 if (wrBuf->space < contentLen + SSL3_BUFFER_FUDGE) {
2210 PRInt32 newSpace = PR_MAX(wrBuf->space * 2, contentLen);
2211 newSpace = PR_MIN(newSpace, MAX_FRAGMENT_LENGTH);
2212 newSpace += SSL3_BUFFER_FUDGE;
2213 rv = sslBuffer_Grow(wrBuf, newSpace);
2214 if (rv != SECSuccess) {
2215 SSL_DBG(("%d: SSL3[%d]: SendRecord, tried to get %d bytes",
2216 SSL_GETPID(), ss->fd, newSpace));
2217 return SECFailure; /* sslBuffer_Grow set a memory error code. */
2218 }
2219 }
2220
2221 rv = ssl3_CompressMACEncryptRecord( ss, type, pIn, contentLen);
2222 if (rv != SECSuccess)
2223 return SECFailure;
2224
2225 pIn += contentLen;
2226 nIn -= contentLen;
2227 PORT_Assert( nIn >= 0 );
2228
2229 PRINT_BUF(50, (ss, "send (encrypted) record data:", wrBuf->buf, wrBuf->l en));
2230
2231 /* If there's still some previously saved ciphertext,
2232 * or the caller doesn't want us to send the data yet,
2233 * then add all our new ciphertext to the amount previously saved.
2234 */
2235 if ((ss->pendingBuf.len > 0) ||
2236 (flags & ssl_SEND_FLAG_FORCE_INTO_BUFFER)) {
2237
2238 rv = ssl_SaveWriteData(ss, wrBuf->buf, wrBuf->len);
2239 if (rv != SECSuccess) {
2240 /* presumably a memory error, SEC_ERROR_NO_MEMORY */
2241 return SECFailure;
2242 }
2243 wrBuf->len = 0; /* All cipher text is saved away. */
2244
2245 if (!(flags & ssl_SEND_FLAG_FORCE_INTO_BUFFER)) {
2246 PRInt32 sent;
2247 ss->handshakeBegun = 1;
2248 sent = ssl_SendSavedWriteData(ss);
2249 if (sent < 0 && PR_GetError() != PR_WOULD_BLOCK_ERROR) {
2250 ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE);
2251 return SECFailure;
2252 }
2253 if (ss->pendingBuf.len) {
2254 flags |= ssl_SEND_FLAG_FORCE_INTO_BUFFER;
2255 }
2256 }
2257 } else if (wrBuf->len > 0) {
2258 PRInt32 sent;
2259 ss->handshakeBegun = 1;
2260 sent = ssl_DefSend(ss, wrBuf->buf, wrBuf->len,
2261 flags & ~ssl_SEND_FLAG_MASK);
2262 if (sent < 0) {
2263 if (PR_GetError() != PR_WOULD_BLOCK_ERROR) {
2264 ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE);
2265 return SECFailure;
2266 }
2267 /* we got PR_WOULD_BLOCK_ERROR, which means none was sent. */
2268 sent = 0;
2269 }
2270 wrBuf->len -= sent;
2271 if (wrBuf->len) {
2272 /* now take all the remaining unsent new ciphertext and
2273 * append it to the buffer of previously unsent ciphertext.
2274 */
2275 rv = ssl_SaveWriteData(ss, wrBuf->buf + sent, wrBuf->len);
2276 if (rv != SECSuccess) {
2277 /* presumably a memory error, SEC_ERROR_NO_MEMORY */
2278 return SECFailure;
2279 }
2280 }
2281 }
2282 totalSent += contentLen;
2283 }
2284 return totalSent;
2285 }
2286
2287 #define SSL3_PENDING_HIGH_WATER 1024
2288
2289 /* Attempt to send the content of "in" in an SSL application_data record.
2290 * Returns "len" or SECFailure, never SECWouldBlock, nor SECSuccess.
2291 */
2292 int
2293 ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in,
2294 PRInt32 len, PRInt32 flags)
2295 {
2296 PRInt32 totalSent = 0;
2297 PRInt32 discarded = 0;
2298
2299 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
2300 if (len < 0 || !in) {
2301 PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
2302 return SECFailure;
2303 }
2304
2305 if (ss->pendingBuf.len > SSL3_PENDING_HIGH_WATER &&
2306 !ssl_SocketIsBlocking(ss)) {
2307 PORT_Assert(!ssl_SocketIsBlocking(ss));
2308 PORT_SetError(PR_WOULD_BLOCK_ERROR);
2309 return SECFailure;
2310 }
2311
2312 if (ss->appDataBuffered && len) {
2313 PORT_Assert (in[0] == (unsigned char)(ss->appDataBuffered));
2314 if (in[0] != (unsigned char)(ss->appDataBuffered)) {
2315 PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
2316 return SECFailure;
2317 }
2318 in++;
2319 len--;
2320 discarded = 1;
2321 }
2322 while (len > totalSent) {
2323 PRInt32 sent, toSend;
2324
2325 if (totalSent > 0) {
2326 /*
2327 * The thread yield is intended to give the reader thread a
2328 * chance to get some cycles while the writer thread is in
2329 * the middle of a large application data write. (See
2330 * Bugzilla bug 127740, comment #1.)
2331 */
2332 ssl_ReleaseXmitBufLock(ss);
2333 PR_Sleep(PR_INTERVAL_NO_WAIT); /* PR_Yield(); */
2334 ssl_GetXmitBufLock(ss);
2335 }
2336 toSend = PR_MIN(len - totalSent, MAX_FRAGMENT_LENGTH);
2337 sent = ssl3_SendRecord(ss, content_application_data,
2338 in + totalSent, toSend, flags);
2339 if (sent < 0) {
2340 if (totalSent > 0 && PR_GetError() == PR_WOULD_BLOCK_ERROR) {
2341 PORT_Assert(ss->lastWriteBlocked);
2342 break;
2343 }
2344 return SECFailure; /* error code set by ssl3_SendRecord */
2345 }
2346 totalSent += sent;
2347 if (ss->pendingBuf.len) {
2348 /* must be a non-blocking socket */
2349 PORT_Assert(!ssl_SocketIsBlocking(ss));
2350 PORT_Assert(ss->lastWriteBlocked);
2351 break;
2352 }
2353 }
2354 if (ss->pendingBuf.len) {
2355 /* Must be non-blocking. */
2356 PORT_Assert(!ssl_SocketIsBlocking(ss));
2357 if (totalSent > 0) {
2358 ss->appDataBuffered = 0x100 | in[totalSent - 1];
2359 }
2360
2361 totalSent = totalSent + discarded - 1;
2362 if (totalSent <= 0) {
2363 PORT_SetError(PR_WOULD_BLOCK_ERROR);
2364 totalSent = SECFailure;
2365 }
2366 return totalSent;
2367 }
2368 ss->appDataBuffered = 0;
2369 return totalSent + discarded;
2370 }
2371
2372 /* Attempt to send the content of sendBuf buffer in an SSL handshake record.
2373 * This function returns SECSuccess or SECFailure, never SECWouldBlock.
2374 * Always set sendBuf.len to 0, even when returning SECFailure.
2375 *
2376 * Called from SSL3_SendAlert(), ssl3_SendChangeCipherSpecs(),
2377 * ssl3_AppendHandshake(), ssl3_SendClientHello(),
2378 * ssl3_SendHelloRequest(), ssl3_SendServerHelloDone(),
2379 * ssl3_SendFinished(),
2380 */
2381 static SECStatus
2382 ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags)
2383 {
2384 PRInt32 rv = SECSuccess;
2385
2386 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
2387 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
2388
2389 if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len)
2390 return rv;
2391
2392 /* only this flag is allowed */
2393 PORT_Assert(!(flags & ~ssl_SEND_FLAG_FORCE_INTO_BUFFER));
2394 if ((flags & ~ssl_SEND_FLAG_FORCE_INTO_BUFFER) != 0) {
2395 PORT_SetError(SEC_ERROR_INVALID_ARGS);
2396 rv = SECFailure;
2397 } else {
2398 rv = ssl3_SendRecord(ss, content_handshake, ss->sec.ci.sendBuf.buf,
2399 ss->sec.ci.sendBuf.len, flags);
2400 }
2401 if (rv < 0) {
2402 int err = PORT_GetError();
2403 PORT_Assert(err != PR_WOULD_BLOCK_ERROR);
2404 if (err == PR_WOULD_BLOCK_ERROR) {
2405 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2406 }
2407 } else if (rv < ss->sec.ci.sendBuf.len) {
2408 /* short write should never happen */
2409 PORT_Assert(rv >= ss->sec.ci.sendBuf.len);
2410 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2411 rv = SECFailure;
2412 } else {
2413 rv = SECSuccess;
2414 }
2415
2416 /* Whether we succeeded or failed, toss the old handshake data. */
2417 ss->sec.ci.sendBuf.len = 0;
2418 return rv;
2419 }
2420
2421 /*
2422 * Called from ssl3_HandleAlert and from ssl3_HandleCertificate when
2423 * the remote client sends a negative response to our certificate request.
2424 * Returns SECFailure if the application has required client auth.
2425 * SECSuccess otherwise.
2426 */
2427 static SECStatus
2428 ssl3_HandleNoCertificate(sslSocket *ss)
2429 {
2430 if (ss->sec.peerCert != NULL) {
2431 if (ss->sec.peerKey != NULL) {
2432 SECKEY_DestroyPublicKey(ss->sec.peerKey);
2433 ss->sec.peerKey = NULL;
2434 }
2435 CERT_DestroyCertificate(ss->sec.peerCert);
2436 ss->sec.peerCert = NULL;
2437 }
2438 ssl3_CleanupPeerCerts(ss);
2439
2440 /* If the server has required client-auth blindly but doesn't
2441 * actually look at the certificate it won't know that no
2442 * certificate was presented so we shutdown the socket to ensure
2443 * an error. We only do this if we haven't already completed the
2444 * first handshake because if we're redoing the handshake we
2445 * know the server is paying attention to the certificate.
2446 */
2447 if ((ss->opt.requireCertificate == SSL_REQUIRE_ALWAYS) ||
2448 (!ss->firstHsDone &&
2449 (ss->opt.requireCertificate == SSL_REQUIRE_FIRST_HANDSHAKE))) {
2450 PRFileDesc * lower;
2451
2452 ss->sec.uncache(ss->sec.ci.sid);
2453 SSL3_SendAlert(ss, alert_fatal, bad_certificate);
2454
2455 lower = ss->fd->lower;
2456 #ifdef _WIN32
2457 lower->methods->shutdown(lower, PR_SHUTDOWN_SEND);
2458 #else
2459 lower->methods->shutdown(lower, PR_SHUTDOWN_BOTH);
2460 #endif
2461 PORT_SetError(SSL_ERROR_NO_CERTIFICATE);
2462 return SECFailure;
2463 }
2464 return SECSuccess;
2465 }
2466
2467 /************************************************************************
2468 * Alerts
2469 */
2470
2471 /*
2472 ** Acquires both handshake and XmitBuf locks.
2473 ** Called from: ssl3_IllegalParameter <-
2474 ** ssl3_HandshakeFailure <-
2475 ** ssl3_HandleAlert <- ssl3_HandleRecord.
2476 ** ssl3_HandleChangeCipherSpecs <- ssl3_HandleRecord
2477 ** ssl3_ConsumeHandshakeVariable <-
2478 ** ssl3_HandleHelloRequest <-
2479 ** ssl3_HandleServerHello <-
2480 ** ssl3_HandleServerKeyExchange <-
2481 ** ssl3_HandleCertificateRequest <-
2482 ** ssl3_HandleServerHelloDone <-
2483 ** ssl3_HandleClientHello <-
2484 ** ssl3_HandleV2ClientHello <-
2485 ** ssl3_HandleCertificateVerify <-
2486 ** ssl3_HandleClientKeyExchange <-
2487 ** ssl3_HandleCertificate <-
2488 ** ssl3_HandleFinished <-
2489 ** ssl3_HandleHandshakeMessage <-
2490 ** ssl3_HandleRecord <-
2491 **
2492 */
2493 SECStatus
2494 SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level, SSL3AlertDescription desc)
2495 {
2496 uint8 bytes[2];
2497 SECStatus rv;
2498
2499 SSL_TRC(3, ("%d: SSL3[%d]: send alert record, level=%d desc=%d",
2500 SSL_GETPID(), ss->fd, level, desc));
2501
2502 bytes[0] = level;
2503 bytes[1] = desc;
2504
2505 ssl_GetSSL3HandshakeLock(ss);
2506 if (level == alert_fatal) {
2507 if (ss->sec.ci.sid) {
2508 ss->sec.uncache(ss->sec.ci.sid);
2509 }
2510 }
2511 ssl_GetXmitBufLock(ss);
2512 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
2513 if (rv == SECSuccess) {
2514 PRInt32 sent;
2515 sent = ssl3_SendRecord(ss, content_alert, bytes, 2,
2516 desc == no_certificate
2517 ? ssl_SEND_FLAG_FORCE_INTO_BUFFER : 0);
2518 rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
2519 }
2520 ssl_ReleaseXmitBufLock(ss);
2521 ssl_ReleaseSSL3HandshakeLock(ss);
2522 return rv; /* error set by ssl3_FlushHandshake or ssl3_SendRecord */
2523 }
2524
2525 /*
2526 * Send illegal_parameter alert. Set generic error number.
2527 */
2528 static SECStatus
2529 ssl3_IllegalParameter(sslSocket *ss)
2530 {
2531 PRBool isTLS;
2532
2533 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
2534 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
2535 PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
2536 : SSL_ERROR_BAD_SERVER );
2537 return SECFailure;
2538 }
2539
2540 /*
2541 * Send handshake_Failure alert. Set generic error number.
2542 */
2543 static SECStatus
2544 ssl3_HandshakeFailure(sslSocket *ss)
2545 {
2546 (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure);
2547 PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
2548 : SSL_ERROR_BAD_SERVER );
2549 return SECFailure;
2550 }
2551
2552 /*
2553 * Send handshake_Failure alert. Set generic error number.
2554 */
2555 static SECStatus
2556 ssl3_DecodeError(sslSocket *ss)
2557 {
2558 (void)SSL3_SendAlert(ss, alert_fatal,
2559 ss->version > SSL_LIBRARY_VERSION_3_0 ? decode_error
2560 : illegal_parameter);
2561 PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
2562 : SSL_ERROR_BAD_SERVER );
2563 return SECFailure;
2564 }
2565
2566 /* Called from ssl3_HandleRecord.
2567 ** Caller must hold both RecvBuf and Handshake locks.
2568 */
2569 static SECStatus
2570 ssl3_HandleAlert(sslSocket *ss, sslBuffer *buf)
2571 {
2572 SSL3AlertLevel level;
2573 SSL3AlertDescription desc;
2574 int error;
2575
2576 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
2577 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
2578
2579 SSL_TRC(3, ("%d: SSL3[%d]: handle alert record", SSL_GETPID(), ss->fd));
2580
2581 if (buf->len != 2) {
2582 (void)ssl3_DecodeError(ss);
2583 PORT_SetError(SSL_ERROR_RX_MALFORMED_ALERT);
2584 return SECFailure;
2585 }
2586 level = (SSL3AlertLevel)buf->buf[0];
2587 desc = (SSL3AlertDescription)buf->buf[1];
2588 buf->len = 0;
2589 SSL_TRC(5, ("%d: SSL3[%d] received alert, level = %d, description = %d",
2590 SSL_GETPID(), ss->fd, level, desc));
2591
2592 switch (desc) {
2593 case close_notify: ss->recvdCloseNotify = 1;
2594 error = SSL_ERROR_CLOSE_NOTIFY_ALERT; break;
2595 case unexpected_message: error = SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT;
2596 break;
2597 case bad_record_mac: error = SSL_ERROR_BAD_MAC_ALERT; break;
2598 case decryption_failed: error = SSL_ERROR_DECRYPTION_FAILED_ALERT;
2599 break;
2600 case record_overflow: error = SSL_ERROR_RECORD_OVERFLOW_ALERT; break;
2601 case decompression_failure: error = SSL_ERROR_DECOMPRESSION_FAILURE_ALERT;
2602 break;
2603 case handshake_failure: error = SSL_ERROR_HANDSHAKE_FAILURE_ALERT;
2604 break;
2605 case no_certificate: error = SSL_ERROR_NO_CERTIFICATE; break;
2606 case bad_certificate: error = SSL_ERROR_BAD_CERT_ALERT; break;
2607 case unsupported_certificate:error = SSL_ERROR_UNSUPPORTED_CERT_ALERT;break;
2608 case certificate_revoked: error = SSL_ERROR_REVOKED_CERT_ALERT; break;
2609 case certificate_expired: error = SSL_ERROR_EXPIRED_CERT_ALERT; break;
2610 case certificate_unknown: error = SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT;
2611 break;
2612 case illegal_parameter: error = SSL_ERROR_ILLEGAL_PARAMETER_ALERT;break;
2613
2614 /* All alerts below are TLS only. */
2615 case unknown_ca: error = SSL_ERROR_UNKNOWN_CA_ALERT; break;
2616 case access_denied: error = SSL_ERROR_ACCESS_DENIED_ALERT; break;
2617 case decode_error: error = SSL_ERROR_DECODE_ERROR_ALERT; break;
2618 case decrypt_error: error = SSL_ERROR_DECRYPT_ERROR_ALERT; break;
2619 case export_restriction: error = SSL_ERROR_EXPORT_RESTRICTION_ALERT;
2620 break;
2621 case protocol_version: error = SSL_ERROR_PROTOCOL_VERSION_ALERT; break;
2622 case insufficient_security: error = SSL_ERROR_INSUFFICIENT_SECURITY_ALERT;
2623 break;
2624 case internal_error: error = SSL_ERROR_INTERNAL_ERROR_ALERT; break;
2625 case user_canceled: error = SSL_ERROR_USER_CANCELED_ALERT; break;
2626 case no_renegotiation: error = SSL_ERROR_NO_RENEGOTIATION_ALERT; break;
2627
2628 /* Alerts for TLS client hello extensions */
2629 case unsupported_extension:
2630 error = SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT; break;
2631 case certificate_unobtainable:
2632 error = SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT; break;
2633 case unrecognized_name:
2634 error = SSL_ERROR_UNRECOGNIZED_NAME_ALERT; break;
2635 case bad_certificate_status_response:
2636 error = SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT; break;
2637 case bad_certificate_hash_value:
2638 error = SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT; break;
2639 default: error = SSL_ERROR_RX_UNKNOWN_ALERT; break;
2640 }
2641 if (level == alert_fatal) {
2642 ss->sec.uncache(ss->sec.ci.sid);
2643 if ((ss->ssl3.hs.ws == wait_server_hello) &&
2644 (desc == handshake_failure)) {
2645 /* XXX This is a hack. We're assuming that any handshake failure
2646 * XXX on the client hello is a failure to match ciphers.
2647 */
2648 error = SSL_ERROR_NO_CYPHER_OVERLAP;
2649 }
2650 PORT_SetError(error);
2651 return SECFailure;
2652 }
2653 if ((desc == no_certificate) && (ss->ssl3.hs.ws == wait_client_cert)) {
2654 /* I'm a server. I've requested a client cert. He hasn't got one. */
2655 SECStatus rv;
2656
2657 PORT_Assert(ss->sec.isServer);
2658 ss->ssl3.hs.ws = wait_client_key;
2659 rv = ssl3_HandleNoCertificate(ss);
2660 return rv;
2661 }
2662 return SECSuccess;
2663 }
2664
2665 /*
2666 * Change Cipher Specs
2667 * Called from ssl3_HandleServerHelloDone,
2668 * ssl3_HandleClientHello,
2669 * and ssl3_HandleFinished
2670 *
2671 * Acquires and releases spec write lock, to protect switching the current
2672 * and pending write spec pointers.
2673 */
2674
2675 static SECStatus
2676 ssl3_SendChangeCipherSpecs(sslSocket *ss)
2677 {
2678 uint8 change = change_cipher_spec_choice;
2679 ssl3CipherSpec * pwSpec;
2680 SECStatus rv;
2681 PRInt32 sent;
2682
2683 SSL_TRC(3, ("%d: SSL3[%d]: send change_cipher_spec record",
2684 SSL_GETPID(), ss->fd));
2685
2686 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
2687 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
2688
2689 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
2690 if (rv != SECSuccess) {
2691 return rv; /* error code set by ssl3_FlushHandshake */
2692 }
2693 sent = ssl3_SendRecord(ss, content_change_cipher_spec, &change, 1,
2694 ssl_SEND_FLAG_FORCE_INTO_BUFFER);
2695 if (sent < 0) {
2696 return (SECStatus)sent; /* error code set by ssl3_SendRecord */
2697 }
2698
2699 /* swap the pending and current write specs. */
2700 ssl_GetSpecWriteLock(ss); /**************************************/
2701 pwSpec = ss->ssl3.pwSpec;
2702 pwSpec->write_seq_num.high = 0;
2703 pwSpec->write_seq_num.low = 0;
2704
2705 ss->ssl3.pwSpec = ss->ssl3.cwSpec;
2706 ss->ssl3.cwSpec = pwSpec;
2707
2708 SSL_TRC(3, ("%d: SSL3[%d] Set Current Write Cipher Suite to Pending",
2709 SSL_GETPID(), ss->fd ));
2710
2711 /* We need to free up the contexts, keys and certs ! */
2712 /* If we are really through with the old cipher spec
2713 * (Both the read and write sides have changed) destroy it.
2714 */
2715 if (ss->ssl3.prSpec == ss->ssl3.pwSpec) {
2716 ssl3_DestroyCipherSpec(ss->ssl3.pwSpec);
2717 }
2718 ssl_ReleaseSpecWriteLock(ss); /**************************************/
2719
2720 return SECSuccess;
2721 }
2722
2723 /* Called from ssl3_HandleRecord.
2724 ** Caller must hold both RecvBuf and Handshake locks.
2725 *
2726 * Acquires and releases spec write lock, to protect switching the current
2727 * and pending write spec pointers.
2728 */
2729 static SECStatus
2730 ssl3_HandleChangeCipherSpecs(sslSocket *ss, sslBuffer *buf)
2731 {
2732 ssl3CipherSpec * prSpec;
2733 SSL3WaitState ws = ss->ssl3.hs.ws;
2734 SSL3ChangeCipherSpecChoice change;
2735
2736 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
2737 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
2738
2739 SSL_TRC(3, ("%d: SSL3[%d]: handle change_cipher_spec record",
2740 SSL_GETPID(), ss->fd));
2741
2742 if (ws != wait_change_cipher) {
2743 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
2744 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER);
2745 return SECFailure;
2746 }
2747
2748 if(buf->len != 1) {
2749 (void)ssl3_DecodeError(ss);
2750 PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
2751 return SECFailure;
2752 }
2753 change = (SSL3ChangeCipherSpecChoice)buf->buf[0];
2754 if (change != change_cipher_spec_choice) {
2755 /* illegal_parameter is correct here for both SSL3 and TLS. */
2756 (void)ssl3_IllegalParameter(ss);
2757 PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
2758 return SECFailure;
2759 }
2760 buf->len = 0;
2761
2762 /* Swap the pending and current read specs. */
2763 ssl_GetSpecWriteLock(ss); /*************************************/
2764 prSpec = ss->ssl3.prSpec;
2765 prSpec->read_seq_num.high = prSpec->read_seq_num.low = 0;
2766
2767 ss->ssl3.prSpec = ss->ssl3.crSpec;
2768 ss->ssl3.crSpec = prSpec;
2769 ss->ssl3.hs.ws = wait_finished;
2770
2771 SSL_TRC(3, ("%d: SSL3[%d] Set Current Read Cipher Suite to Pending",
2772 SSL_GETPID(), ss->fd ));
2773
2774 /* If we are really through with the old cipher prSpec
2775 * (Both the read and write sides have changed) destroy it.
2776 */
2777 if (ss->ssl3.prSpec == ss->ssl3.pwSpec) {
2778 ssl3_DestroyCipherSpec(ss->ssl3.prSpec);
2779 }
2780 ssl_ReleaseSpecWriteLock(ss); /*************************************/
2781 return SECSuccess;
2782 }
2783
2784 /* This method uses PKCS11 to derive the MS from the PMS, where PMS
2785 ** is a PKCS11 symkey. This is used in all cases except the
2786 ** "triple bypass" with RSA key exchange.
2787 ** Called from ssl3_InitPendingCipherSpec. prSpec is pwSpec.
2788 */
2789 static SECStatus
2790 ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms)
2791 {
2792 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec;
2793 const ssl3KEADef *kea_def= ss->ssl3.hs.kea_def;
2794 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random;
2795 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random;
2796 PRBool isTLS = (PRBool)(kea_def->tls_keygen ||
2797 (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
2798 /*
2799 * Whenever isDH is true, we need to use CKM_TLS_MASTER_KEY_DERIVE_DH
2800 * which, unlike CKM_TLS_MASTER_KEY_DERIVE, converts arbitrary size
2801 * data into a 48-byte value.
2802 */
2803 PRBool isDH = (PRBool) ((ss->ssl3.hs.kea_def->exchKeyType == kt_dh) ||
2804 (ss->ssl3.hs.kea_def->exchKeyType == kt_ecdh));
2805 SECStatus rv = SECFailure;
2806 CK_MECHANISM_TYPE master_derive;
2807 CK_MECHANISM_TYPE key_derive;
2808 SECItem params;
2809 CK_FLAGS keyFlags;
2810 CK_VERSION pms_version;
2811 CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params;
2812
2813 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
2814 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
2815 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
2816 if (isTLS) {
2817 if(isDH) master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH;
2818 else master_derive = CKM_TLS_MASTER_KEY_DERIVE;
2819 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE;
2820 keyFlags = CKF_SIGN | CKF_VERIFY;
2821 } else {
2822 if (isDH) master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH;
2823 else master_derive = CKM_SSL3_MASTER_KEY_DERIVE;
2824 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE;
2825 keyFlags = 0;
2826 }
2827
2828 if (pms || !pwSpec->master_secret) {
2829 master_params.pVersion = &pms_version;
2830 master_params.RandomInfo.pClientRandom = cr;
2831 master_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH;
2832 master_params.RandomInfo.pServerRandom = sr;
2833 master_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH;
2834
2835 params.data = (unsigned char *) &master_params;
2836 params.len = sizeof master_params;
2837 }
2838
2839 if (pms != NULL) {
2840 #if defined(TRACE)
2841 if (ssl_trace >= 100) {
2842 SECStatus extractRV = PK11_ExtractKeyValue(pms);
2843 if (extractRV == SECSuccess) {
2844 SECItem * keyData = PK11_GetKeyData(pms);
2845 if (keyData && keyData->data && keyData->len) {
2846 ssl_PrintBuf(ss, "Pre-Master Secret",
2847 keyData->data, keyData->len);
2848 }
2849 }
2850 }
2851 #endif
2852 pwSpec->master_secret = PK11_DeriveWithFlags(pms, master_derive,
2853 &params, key_derive, CKA_DERIVE, 0, keyFlags);
2854 if (!isDH && pwSpec->master_secret && ss->opt.detectRollBack) {
2855 SSL3ProtocolVersion client_version;
2856 client_version = pms_version.major << 8 | pms_version.minor;
2857 if (client_version != ss->clientHelloVersion) {
2858 /* Destroy it. Version roll-back detected. */
2859 PK11_FreeSymKey(pwSpec->master_secret);
2860 pwSpec->master_secret = NULL;
2861 }
2862 }
2863 if (pwSpec->master_secret == NULL) {
2864 /* Generate a faux master secret in the same slot as the old one. */
2865 PK11SlotInfo * slot = PK11_GetSlotFromKey((PK11SymKey *)pms);
2866 PK11SymKey * fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot);
2867
2868 PK11_FreeSlot(slot);
2869 if (fpms != NULL) {
2870 pwSpec->master_secret = PK11_DeriveWithFlags(fpms,
2871 master_derive, &params, key_derive,
2872 CKA_DERIVE, 0, keyFlags);
2873 PK11_FreeSymKey(fpms);
2874 }
2875 }
2876 }
2877 if (pwSpec->master_secret == NULL) {
2878 /* Generate a faux master secret from the internal slot. */
2879 PK11SlotInfo * slot = PK11_GetInternalSlot();
2880 PK11SymKey * fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot);
2881
2882 PK11_FreeSlot(slot);
2883 if (fpms != NULL) {
2884 pwSpec->master_secret = PK11_DeriveWithFlags(fpms,
2885 master_derive, &params, key_derive,
2886 CKA_DERIVE, 0, keyFlags);
2887 if (pwSpec->master_secret == NULL) {
2888 pwSpec->master_secret = fpms; /* use the fpms as the master. */
2889 fpms = NULL;
2890 }
2891 }
2892 if (fpms) {
2893 PK11_FreeSymKey(fpms);
2894 }
2895 }
2896 if (pwSpec->master_secret == NULL) {
2897 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
2898 return rv;
2899 }
2900 if (ss->opt.bypassPKCS11) {
2901 SECItem * keydata;
2902 /* In hope of doing a "double bypass",
2903 * need to extract the master secret's value from the key object
2904 * and store it raw in the sslSocket struct.
2905 */
2906 rv = PK11_ExtractKeyValue(pwSpec->master_secret);
2907 if (rv != SECSuccess) {
2908 #if defined(NSS_SURVIVE_DOUBLE_BYPASS_FAILURE)
2909 /* The double bypass failed.
2910 * Attempt to revert to an all PKCS#11, non-bypass method.
2911 * Do we need any unacquired locks here?
2912 */
2913 ss->opt.bypassPKCS11 = 0;
2914 rv = ssl3_NewHandshakeHashes(ss);
2915 if (rv == SECSuccess) {
2916 rv = ssl3_UpdateHandshakeHashes(ss, ss->ssl3.hs.messages.buf,
2917 ss->ssl3.hs.messages.len);
2918 }
2919 #endif
2920 return rv;
2921 }
2922 /* This returns the address of the secItem inside the key struct,
2923 * not a copy or a reference. So, there's no need to free it.
2924 */
2925 keydata = PK11_GetKeyData(pwSpec->master_secret);
2926 if (keydata && keydata->len <= sizeof pwSpec->raw_master_secret) {
2927 memcpy(pwSpec->raw_master_secret, keydata->data, keydata->len);
2928 pwSpec->msItem.data = pwSpec->raw_master_secret;
2929 pwSpec->msItem.len = keydata->len;
2930 } else {
2931 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2932 return SECFailure;
2933 }
2934 }
2935 return SECSuccess;
2936 }
2937
2938
2939 /*
2940 * Derive encryption and MAC Keys (and IVs) from master secret
2941 * Sets a useful error code when returning SECFailure.
2942 *
2943 * Called only from ssl3_InitPendingCipherSpec(),
2944 * which in turn is called from
2945 * sendRSAClientKeyExchange (for Full handshake)
2946 * sendDHClientKeyExchange (for Full handshake)
2947 * ssl3_HandleClientKeyExchange (for Full handshake)
2948 * ssl3_HandleServerHello (for session restart)
2949 * ssl3_HandleClientHello (for session restart)
2950 * Caller MUST hold the specWriteLock, and SSL3HandshakeLock.
2951 * ssl3_InitPendingCipherSpec does that.
2952 *
2953 */
2954 static SECStatus
2955 ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss)
2956 {
2957 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec;
2958 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def;
2959 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random;
2960 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random;
2961 PRBool isTLS = (PRBool)(kea_def->tls_keygen ||
2962 (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
2963 /* following variables used in PKCS11 path */
2964 const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def;
2965 PK11SlotInfo * slot = NULL;
2966 PK11SymKey * symKey = NULL;
2967 void * pwArg = ss->pkcs11PinArg;
2968 int keySize;
2969 CK_SSL3_KEY_MAT_PARAMS key_material_params;
2970 CK_SSL3_KEY_MAT_OUT returnedKeys;
2971 CK_MECHANISM_TYPE key_derive;
2972 CK_MECHANISM_TYPE bulk_mechanism;
2973 SSLCipherAlgorithm calg;
2974 SECItem params;
2975 PRBool skipKeysAndIVs = (PRBool)(cipher_def->calg == calg_null);
2976
2977 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
2978 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
2979 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
2980
2981 if (!pwSpec->master_secret) {
2982 PORT_SetError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
2983 return SECFailure;
2984 }
2985 /*
2986 * generate the key material
2987 */
2988 key_material_params.ulMacSizeInBits = pwSpec->mac_size * BPB;
2989 key_material_params.ulKeySizeInBits = cipher_def->secret_key_size* BPB;
2990 key_material_params.ulIVSizeInBits = cipher_def->iv_size * BPB;
2991
2992 key_material_params.bIsExport = (CK_BBOOL)(kea_def->is_limited);
2993 /* was: (CK_BBOOL)(cipher_def->keygen_mode != kg_strong); */
2994
2995 key_material_params.RandomInfo.pClientRandom = cr;
2996 key_material_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH;
2997 key_material_params.RandomInfo.pServerRandom = sr;
2998 key_material_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH;
2999 key_material_params.pReturnedKeyMaterial = &returnedKeys;
3000
3001 returnedKeys.pIVClient = pwSpec->client.write_iv;
3002 returnedKeys.pIVServer = pwSpec->server.write_iv;
3003 keySize = cipher_def->key_size;
3004
3005 if (skipKeysAndIVs) {
3006 keySize = 0;
3007 key_material_params.ulKeySizeInBits = 0;
3008 key_material_params.ulIVSizeInBits = 0;
3009 returnedKeys.pIVClient = NULL;
3010 returnedKeys.pIVServer = NULL;
3011 }
3012
3013 calg = cipher_def->calg;
3014 PORT_Assert( alg2Mech[calg].calg == calg);
3015 bulk_mechanism = alg2Mech[calg].cmech;
3016
3017 params.data = (unsigned char *)&key_material_params;
3018 params.len = sizeof(key_material_params);
3019
3020 if (isTLS) {
3021 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE;
3022 } else {
3023 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE;
3024 }
3025
3026 /* CKM_SSL3_KEY_AND_MAC_DERIVE is defined to set ENCRYPT, DECRYPT, and
3027 * DERIVE by DEFAULT */
3028 symKey = PK11_Derive(pwSpec->master_secret, key_derive, &params,
3029 bulk_mechanism, CKA_ENCRYPT, keySize);
3030 if (!symKey) {
3031 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
3032 return SECFailure;
3033 }
3034 /* we really should use the actual mac'ing mechanism here, but we
3035 * don't because these types are used to map keytype anyway and both
3036 * mac's map to the same keytype.
3037 */
3038 slot = PK11_GetSlotFromKey(symKey);
3039
3040 PK11_FreeSlot(slot); /* slot is held until the key is freed */
3041 pwSpec->client.write_mac_key =
3042 PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
3043 CKM_SSL3_SHA1_MAC, returnedKeys.hClientMacSecret, PR_TRUE, pwArg);
3044 if (pwSpec->client.write_mac_key == NULL ) {
3045 goto loser; /* loser sets err */
3046 }
3047 pwSpec->server.write_mac_key =
3048 PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
3049 CKM_SSL3_SHA1_MAC, returnedKeys.hServerMacSecret, PR_TRUE, pwArg);
3050 if (pwSpec->server.write_mac_key == NULL ) {
3051 goto loser; /* loser sets err */
3052 }
3053 if (!skipKeysAndIVs) {
3054 pwSpec->client.write_key =
3055 PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
3056 bulk_mechanism, returnedKeys.hClientKey, PR_TRUE, pwArg);
3057 if (pwSpec->client.write_key == NULL ) {
3058 goto loser; /* loser sets err */
3059 }
3060 pwSpec->server.write_key =
3061 PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
3062 bulk_mechanism, returnedKeys.hServerKey, PR_TRUE, pwArg);
3063 if (pwSpec->server.write_key == NULL ) {
3064 goto loser; /* loser sets err */
3065 }
3066 }
3067 PK11_FreeSymKey(symKey);
3068 return SECSuccess;
3069
3070
3071 loser:
3072 if (symKey) PK11_FreeSymKey(symKey);
3073 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
3074 return SECFailure;
3075 }
3076
3077 static SECStatus
3078 ssl3_RestartHandshakeHashes(sslSocket *ss)
3079 {
3080 SECStatus rv = SECSuccess;
3081
3082 if (ss->opt.bypassPKCS11) {
3083 ss->ssl3.hs.messages.len = 0;
3084 MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx);
3085 SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx);
3086 } else {
3087 rv = PK11_DigestBegin(ss->ssl3.hs.md5);
3088 if (rv != SECSuccess) {
3089 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
3090 return rv;
3091 }
3092 rv = PK11_DigestBegin(ss->ssl3.hs.sha);
3093 if (rv != SECSuccess) {
3094 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
3095 return rv;
3096 }
3097 }
3098 return rv;
3099 }
3100
3101 static SECStatus
3102 ssl3_NewHandshakeHashes(sslSocket *ss)
3103 {
3104 PK11Context *md5 = NULL;
3105 PK11Context *sha = NULL;
3106
3107 /*
3108 * note: We should probably lookup an SSL3 slot for these
3109 * handshake hashes in hopes that we wind up with the same slots
3110 * that the master secret will wind up in ...
3111 */
3112 SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd));
3113 if (ss->opt.bypassPKCS11) {
3114 PORT_Assert(!ss->ssl3.hs.messages.buf && !ss->ssl3.hs.messages.space);
3115 ss->ssl3.hs.messages.buf = NULL;
3116 ss->ssl3.hs.messages.space = 0;
3117 } else {
3118 ss->ssl3.hs.md5 = md5 = PK11_CreateDigestContext(SEC_OID_MD5);
3119 ss->ssl3.hs.sha = sha = PK11_CreateDigestContext(SEC_OID_SHA1);
3120 if (md5 == NULL) {
3121 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
3122 goto loser;
3123 }
3124 if (sha == NULL) {
3125 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
3126 goto loser;
3127 }
3128 }
3129 if (SECSuccess == ssl3_RestartHandshakeHashes(ss)) {
3130 return SECSuccess;
3131 }
3132
3133 loser:
3134 if (md5 != NULL) {
3135 PK11_DestroyContext(md5, PR_TRUE);
3136 ss->ssl3.hs.md5 = NULL;
3137 }
3138 if (sha != NULL) {
3139 PK11_DestroyContext(sha, PR_TRUE);
3140 ss->ssl3.hs.sha = NULL;
3141 }
3142 return SECFailure;
3143
3144 }
3145
3146 /*
3147 * Handshake messages
3148 */
3149 /* Called from ssl3_AppendHandshake()
3150 ** ssl3_StartHandshakeHash()
3151 ** ssl3_HandleV2ClientHello()
3152 ** ssl3_HandleHandshakeMessage()
3153 ** Caller must hold the ssl3Handshake lock.
3154 */
3155 static SECStatus
3156 ssl3_UpdateHandshakeHashes(sslSocket *ss, unsigned char *b, unsigned int l)
3157 {
3158 SECStatus rv = SECSuccess;
3159
3160 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
3161
3162 PRINT_BUF(90, (NULL, "MD5 & SHA handshake hash input:", b, l));
3163
3164 if (ss->opt.bypassPKCS11) {
3165 MD5_Update((MD5Context *)ss->ssl3.hs.md5_cx, b, l);
3166 SHA1_Update((SHA1Context *)ss->ssl3.hs.sha_cx, b, l);
3167 #if defined(NSS_SURVIVE_DOUBLE_BYPASS_FAILURE)
3168 rv = sslBuffer_Append(&ss->ssl3.hs.messages, b, l);
3169 #endif
3170 return rv;
3171 }
3172 rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l);
3173 if (rv != SECSuccess) {
3174 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
3175 return rv;
3176 }
3177 rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l);
3178 if (rv != SECSuccess) {
3179 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
3180 return rv;
3181 }
3182 return rv;
3183 }
3184
3185 /**************************************************************************
3186 * Append Handshake functions.
3187 * All these functions set appropriate error codes.
3188 * Most rely on ssl3_AppendHandshake to set the error code.
3189 **************************************************************************/
3190 SECStatus
3191 ssl3_AppendHandshake(sslSocket *ss, const void *void_src, PRInt32 bytes)
3192 {
3193 unsigned char * src = (unsigned char *)void_src;
3194 int room = ss->sec.ci.sendBuf.space - ss->sec.ci.sendBuf.len;
3195 SECStatus rv;
3196
3197 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); /* protects sendBuf. */
3198
3199 if (ss->sec.ci.sendBuf.space < MAX_SEND_BUF_LENGTH && room < bytes) {
3200 rv = sslBuffer_Grow(&ss->sec.ci.sendBuf, PR_MAX(MIN_SEND_BUF_LENGTH,
3201 PR_MIN(MAX_SEND_BUF_LENGTH, ss->sec.ci.sendBuf.len + bytes)));
3202 if (rv != SECSuccess)
3203 return rv; /* sslBuffer_Grow has set a memory error code. */
3204 room = ss->sec.ci.sendBuf.space - ss->sec.ci.sendBuf.len;
3205 }
3206
3207 PRINT_BUF(60, (ss, "Append to Handshake", (unsigned char*)void_src, bytes));
3208 rv = ssl3_UpdateHandshakeHashes(ss, src, bytes);
3209 if (rv != SECSuccess)
3210 return rv; /* error code set by ssl3_UpdateHandshakeHashes */
3211
3212 while (bytes > room) {
3213 if (room > 0)
3214 PORT_Memcpy(ss->sec.ci.sendBuf.buf + ss->sec.ci.sendBuf.len, src,
3215 room);
3216 ss->sec.ci.sendBuf.len += room;
3217 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
3218 if (rv != SECSuccess) {
3219 return rv; /* error code set by ssl3_FlushHandshake */
3220 }
3221 bytes -= room;
3222 src += room;
3223 room = ss->sec.ci.sendBuf.space;
3224 PORT_Assert(ss->sec.ci.sendBuf.len == 0);
3225 }
3226 PORT_Memcpy(ss->sec.ci.sendBuf.buf + ss->sec.ci.sendBuf.len, src, bytes);
3227 ss->sec.ci.sendBuf.len += bytes;
3228 return SECSuccess;
3229 }
3230
3231 SECStatus
3232 ssl3_AppendHandshakeNumber(sslSocket *ss, PRInt32 num, PRInt32 lenSize)
3233 {
3234 SECStatus rv;
3235 uint8 b[4];
3236 uint8 * p = b;
3237
3238 switch (lenSize) {
3239 case 4:
3240 *p++ = (num >> 24) & 0xff;
3241 case 3:
3242 *p++ = (num >> 16) & 0xff;
3243 case 2:
3244 *p++ = (num >> 8) & 0xff;
3245 case 1:
3246 *p = num & 0xff;
3247 }
3248 SSL_TRC(60, ("%d: number:", SSL_GETPID()));
3249 rv = ssl3_AppendHandshake(ss, &b[0], lenSize);
3250 return rv; /* error code set by AppendHandshake, if applicable. */
3251 }
3252
3253 SECStatus
3254 ssl3_AppendHandshakeVariable(
3255 sslSocket *ss, const SSL3Opaque *src, PRInt32 bytes, PRInt32 lenSize)
3256 {
3257 SECStatus rv;
3258
3259 PORT_Assert((bytes < (1<<8) && lenSize == 1) ||
3260 (bytes < (1L<<16) && lenSize == 2) ||
3261 (bytes < (1L<<24) && lenSize == 3));
3262
3263 SSL_TRC(60,("%d: append variable:", SSL_GETPID()));
3264 rv = ssl3_AppendHandshakeNumber(ss, bytes, lenSize);
3265 if (rv != SECSuccess) {
3266 return rv; /* error code set by AppendHandshake, if applicable. */
3267 }
3268 SSL_TRC(60, ("data:"));
3269 rv = ssl3_AppendHandshake(ss, src, bytes);
3270 return rv; /* error code set by AppendHandshake, if applicable. */
3271 }
3272
3273 SECStatus
3274 ssl3_AppendHandshakeHeader(sslSocket *ss, SSL3HandshakeType t, PRUint32 length)
3275 {
3276 SECStatus rv;
3277
3278 SSL_TRC(30,("%d: SSL3[%d]: append handshake header: type %s",
3279 SSL_GETPID(), ss->fd, ssl3_DecodeHandshakeType(t)));
3280 PRINT_BUF(60, (ss, "MD5 handshake hash:",
3281 (unsigned char*)ss->ssl3.hs.md5_cx, MD5_LENGTH));
3282 PRINT_BUF(95, (ss, "SHA handshake hash:",
3283 (unsigned char*)ss->ssl3.hs.sha_cx, SHA1_LENGTH));
3284
3285 rv = ssl3_AppendHandshakeNumber(ss, t, 1);
3286 if (rv != SECSuccess) {
3287 return rv; /* error code set by AppendHandshake, if applicable. */
3288 }
3289 rv = ssl3_AppendHandshakeNumber(ss, length, 3);
3290 return rv; /* error code set by AppendHandshake, if applicable. */
3291 }
3292
3293 /**************************************************************************
3294 * Consume Handshake functions.
3295 *
3296 * All data used in these functions is protected by two locks,
3297 * the RecvBufLock and the SSL3HandshakeLock
3298 **************************************************************************/
3299
3300 /* Read up the next "bytes" number of bytes from the (decrypted) input
3301 * stream "b" (which is *length bytes long). Copy them into buffer "v".
3302 * Reduces *length by bytes. Advances *b by bytes.
3303 *
3304 * If this function returns SECFailure, it has already sent an alert,
3305 * and has set a generic error code. The caller should probably
3306 * override the generic error code by setting another.
3307 */
3308 SECStatus
3309 ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRInt32 bytes, SSL3Opaque **b,
3310 PRUint32 *length)
3311 {
3312 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
3313 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
3314
3315 if ((PRUint32)bytes > *length) {
3316 return ssl3_DecodeError(ss);
3317 }
3318 PORT_Memcpy(v, *b, bytes);
3319 PRINT_BUF(60, (ss, "consume bytes:", *b, bytes));
3320 *b += bytes;
3321 *length -= bytes;
3322 return SECSuccess;
3323 }
3324
3325 /* Read up the next "bytes" number of bytes from the (decrypted) input
3326 * stream "b" (which is *length bytes long), and interpret them as an
3327 * integer in network byte order. Returns the received value.
3328 * Reduces *length by bytes. Advances *b by bytes.
3329 *
3330 * Returns SECFailure (-1) on failure.
3331 * This value is indistinguishable from the equivalent received value.
3332 * Only positive numbers are to be received this way.
3333 * Thus, the largest value that may be sent this way is 0x7fffffff.
3334 * On error, an alert has been sent, and a generic error code has been set.
3335 */
3336 PRInt32
3337 ssl3_ConsumeHandshakeNumber(sslSocket *ss, PRInt32 bytes, SSL3Opaque **b,
3338 PRUint32 *length)
3339 {
3340 uint8 *buf = *b;
3341 int i;
3342 PRInt32 num = 0;
3343
3344 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
3345 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
3346 PORT_Assert( bytes <= sizeof num);
3347
3348 if ((PRUint32)bytes > *length) {
3349 return ssl3_DecodeError(ss);
3350 }
3351 PRINT_BUF(60, (ss, "consume bytes:", *b, bytes));
3352
3353 for (i = 0; i < bytes; i++)
3354 num = (num << 8) + buf[i];
3355 *b += bytes;
3356 *length -= bytes;
3357 return num;
3358 }
3359
3360 /* Read in two values from the incoming decrypted byte stream "b", which is
3361 * *length bytes long. The first value is a number whose size is "bytes"
3362 * bytes long. The second value is a byte-string whose size is the value
3363 * of the first number received. The latter byte-string, and its length,
3364 * is returned in the SECItem i.
3365 *
3366 * Returns SECFailure (-1) on failure.
3367 * On error, an alert has been sent, and a generic error code has been set.
3368 *
3369 * RADICAL CHANGE for NSS 3.11. All callers of this function make copies
3370 * of the data returned in the SECItem *i, so making a copy of it here
3371 * is simply wasteful. So, This function now just sets SECItem *i to
3372 * point to the values in the buffer **b.
3373 */
3374 SECStatus
3375 ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i, PRInt32 bytes,
3376 SSL3Opaque **b, PRUint32 *length)
3377 {
3378 PRInt32 count;
3379
3380 PORT_Assert(bytes <= 3);
3381 i->len = 0;
3382 i->data = NULL;
3383 count = ssl3_ConsumeHandshakeNumber(ss, bytes, b, length);
3384 if (count < 0) { /* Can't test for SECSuccess here. */
3385 return SECFailure;
3386 }
3387 if (count > 0) {
3388 if ((PRUint32)count > *length) {
3389 return ssl3_DecodeError(ss);
3390 }
3391 i->data = *b;
3392 i->len = count;
3393 *b += count;
3394 *length -= count;
3395 }
3396 return SECSuccess;
3397 }
3398
3399 /**************************************************************************
3400 * end of Consume Handshake functions.
3401 **************************************************************************/
3402
3403 /* Extract the hashes of handshake messages to this point.
3404 * Called from ssl3_SendCertificateVerify
3405 * ssl3_SendFinished
3406 * ssl3_HandleHandshakeMessage
3407 *
3408 * Caller must hold the SSL3HandshakeLock.
3409 * Caller must hold a read or write lock on the Spec R/W lock.
3410 * (There is presently no way to assert on a Read lock.)
3411 */
3412 static SECStatus
3413 ssl3_ComputeHandshakeHashes(sslSocket * ss,
3414 ssl3CipherSpec *spec, /* uses ->master_secret */
3415 SSL3Hashes * hashes, /* output goes here. */
3416 PRUint32 sender)
3417 {
3418 SECStatus rv = SECSuccess;
3419 PRBool isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0);
3420 unsigned int outLength;
3421 SSL3Opaque md5_inner[MAX_MAC_LENGTH];
3422 SSL3Opaque sha_inner[MAX_MAC_LENGTH];
3423
3424 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
3425
3426 if (ss->opt.bypassPKCS11) {
3427 /* compute them without PKCS11 */
3428 PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS];
3429 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS];
3430
3431 #define md5cx ((MD5Context *)md5_cx)
3432 #define shacx ((SHA1Context *)sha_cx)
3433
3434 if (!spec->msItem.data) {
3435 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
3436 return SECFailure;
3437 }
3438
3439 MD5_Clone (md5cx, (MD5Context *)ss->ssl3.hs.md5_cx);
3440 SHA1_Clone(shacx, (SHA1Context *)ss->ssl3.hs.sha_cx);
3441
3442 if (!isTLS) {
3443 /* compute hashes for SSL3. */
3444 unsigned char s[4];
3445
3446 s[0] = (unsigned char)(sender >> 24);
3447 s[1] = (unsigned char)(sender >> 16);
3448 s[2] = (unsigned char)(sender >> 8);
3449 s[3] = (unsigned char)sender;
3450
3451 if (sender != 0) {
3452 MD5_Update(md5cx, s, 4);
3453 PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4));
3454 }
3455
3456 PRINT_BUF(95, (NULL, "MD5 inner: MAC Pad 1", mac_pad_1,
3457 mac_defs[mac_md5].pad_size));
3458
3459 MD5_Update(md5cx, spec->msItem.data, spec->msItem.len);
3460 MD5_Update(md5cx, mac_pad_1, mac_defs[mac_md5].pad_size);
3461 MD5_End(md5cx, md5_inner, &outLength, MD5_LENGTH);
3462
3463 PRINT_BUF(95, (NULL, "MD5 inner: result", md5_inner, outLength));
3464
3465 if (sender != 0) {
3466 SHA1_Update(shacx, s, 4);
3467 PRINT_BUF(95, (NULL, "SHA inner: sender", s, 4));
3468 }
3469
3470 PRINT_BUF(95, (NULL, "SHA inner: MAC Pad 1", mac_pad_1,
3471 mac_defs[mac_sha].pad_size));
3472
3473 SHA1_Update(shacx, spec->msItem.data, spec->msItem.len);
3474 SHA1_Update(shacx, mac_pad_1, mac_defs[mac_sha].pad_size);
3475 SHA1_End(shacx, sha_inner, &outLength, SHA1_LENGTH);
3476
3477 PRINT_BUF(95, (NULL, "SHA inner: result", sha_inner, outLength));
3478 PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2,
3479 mac_defs[mac_md5].pad_size));
3480 PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH)) ;
3481
3482 MD5_Begin(md5cx);
3483 MD5_Update(md5cx, spec->msItem.data, spec->msItem.len);
3484 MD5_Update(md5cx, mac_pad_2, mac_defs[mac_md5].pad_size);
3485 MD5_Update(md5cx, md5_inner, MD5_LENGTH);
3486 }
3487 MD5_End(md5cx, hashes->md5, &outLength, MD5_LENGTH);
3488
3489 PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->md5, MD5_LENGTH));
3490
3491 if (!isTLS) {
3492 PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2,
3493 mac_defs[mac_sha].pad_size));
3494 PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH) );
3495
3496 SHA1_Begin(shacx);
3497 SHA1_Update(shacx, spec->msItem.data, spec->msItem.len);
3498 SHA1_Update(shacx, mac_pad_2, mac_defs[mac_sha].pad_size);
3499 SHA1_Update(shacx, sha_inner, SHA1_LENGTH);
3500 }
3501 SHA1_End(shacx, hashes->sha, &outLength, SHA1_LENGTH);
3502
3503 PRINT_BUF(60, (NULL, "SHA outer: result", hashes->sha, SHA1_LENGTH));
3504
3505 rv = SECSuccess;
3506 #undef md5cx
3507 #undef shacx
3508 } else {
3509 /* compute hases with PKCS11 */
3510 PK11Context * md5;
3511 PK11Context * sha = NULL;
3512 unsigned char *md5StateBuf = NULL;
3513 unsigned char *shaStateBuf = NULL;
3514 unsigned int md5StateLen, shaStateLen;
3515 unsigned char md5StackBuf[256];
3516 unsigned char shaStackBuf[512];
3517
3518 if (!spec->master_secret) {
3519 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
3520 return SECFailure;
3521 }
3522
3523 md5StateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.md5, md5StackBuf,
3524 sizeof md5StackBuf, &md5StateLen);
3525 if (md5StateBuf == NULL) {
3526 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
3527 goto loser;
3528 }
3529 md5 = ss->ssl3.hs.md5;
3530
3531 shaStateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.sha, shaStackBuf,
3532 sizeof shaStackBuf, &shaStateLen);
3533 if (shaStateBuf == NULL) {
3534 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
3535 goto loser;
3536 }
3537 sha = ss->ssl3.hs.sha;
3538
3539 if (!isTLS) {
3540 /* compute hashes for SSL3. */
3541 unsigned char s[4];
3542
3543 s[0] = (unsigned char)(sender >> 24);
3544 s[1] = (unsigned char)(sender >> 16);
3545 s[2] = (unsigned char)(sender >> 8);
3546 s[3] = (unsigned char)sender;
3547
3548 if (sender != 0) {
3549 rv |= PK11_DigestOp(md5, s, 4);
3550 PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4));
3551 }
3552
3553 PRINT_BUF(95, (NULL, "MD5 inner: MAC Pad 1", mac_pad_1,
3554 mac_defs[mac_md5].pad_size));
3555
3556 rv |= PK11_DigestKey(md5,spec->master_secret);
3557 rv |= PK11_DigestOp(md5, mac_pad_1, mac_defs[mac_md5].pad_size);
3558 rv |= PK11_DigestFinal(md5, md5_inner, &outLength, MD5_LENGTH);
3559 PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH);
3560 if (rv != SECSuccess) {
3561 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
3562 rv = SECFailure;
3563 goto loser;
3564 }
3565
3566 PRINT_BUF(95, (NULL, "MD5 inner: result", md5_inner, outLength));
3567
3568 if (sender != 0) {
3569 rv |= PK11_DigestOp(sha, s, 4);
3570 PRINT_BUF(95, (NULL, "SHA inner: sender", s, 4));
3571 }
3572
3573 PRINT_BUF(95, (NULL, "SHA inner: MAC Pad 1", mac_pad_1,
3574 mac_defs[mac_sha].pad_size));
3575
3576 rv |= PK11_DigestKey(sha, spec->master_secret);
3577 rv |= PK11_DigestOp(sha, mac_pad_1, mac_defs[mac_sha].pad_size);
3578 rv |= PK11_DigestFinal(sha, sha_inner, &outLength, SHA1_LENGTH);
3579 PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH);
3580 if (rv != SECSuccess) {
3581 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
3582 rv = SECFailure;
3583 goto loser;
3584 }
3585
3586 PRINT_BUF(95, (NULL, "SHA inner: result", sha_inner, outLength));
3587
3588 PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2,
3589 mac_defs[mac_md5].pad_size));
3590 PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH)) ;
3591
3592 rv |= PK11_DigestBegin(md5);
3593 rv |= PK11_DigestKey(md5, spec->master_secret);
3594 rv |= PK11_DigestOp(md5, mac_pad_2, mac_defs[mac_md5].pad_size);
3595 rv |= PK11_DigestOp(md5, md5_inner, MD5_LENGTH);
3596 }
3597 rv |= PK11_DigestFinal(md5, hashes->md5, &outLength, MD5_LENGTH);
3598 PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH);
3599 if (rv != SECSuccess) {
3600 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
3601 rv = SECFailure;
3602 goto loser;
3603 }
3604
3605 PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->md5, MD5_LENGTH));
3606
3607 if (!isTLS) {
3608 PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2,
3609 mac_defs[mac_sha].pad_size));
3610 PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH) );
3611
3612 rv |= PK11_DigestBegin(sha);
3613 rv |= PK11_DigestKey(sha,spec->master_secret);
3614 rv |= PK11_DigestOp(sha, mac_pad_2, mac_defs[mac_sha].pad_size);
3615 rv |= PK11_DigestOp(sha, sha_inner, SHA1_LENGTH);
3616 }
3617 rv |= PK11_DigestFinal(sha, hashes->sha, &outLength, SHA1_LENGTH);
3618 PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH);
3619 if (rv != SECSuccess) {
3620 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
3621 rv = SECFailure;
3622 goto loser;
3623 }
3624
3625 PRINT_BUF(60, (NULL, "SHA outer: result", hashes->sha, SHA1_LENGTH));
3626
3627 rv = SECSuccess;
3628
3629 loser:
3630 if (md5StateBuf) {
3631 if (PK11_RestoreContext(ss->ssl3.hs.md5, md5StateBuf, md5StateLen)
3632 != SECSuccess)
3633 {
3634 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
3635 rv = SECFailure;
3636 }
3637 if (md5StateBuf != md5StackBuf) {
3638 PORT_ZFree(md5StateBuf, md5StateLen);
3639 }
3640 }
3641 if (shaStateBuf) {
3642 if (PK11_RestoreContext(ss->ssl3.hs.sha, shaStateBuf, shaStateLen)
3643 != SECSuccess)
3644 {
3645 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
3646 rv = SECFailure;
3647 }
3648 if (shaStateBuf != shaStackBuf) {
3649 PORT_ZFree(shaStateBuf, shaStateLen);
3650 }
3651 }
3652 }
3653 return rv;
3654 }
3655
3656 /*
3657 * SSL 2 based implementations pass in the initial outbound buffer
3658 * so that the handshake hash can contain the included information.
3659 *
3660 * Called from ssl2_BeginClientHandshake() in sslcon.c
3661 */
3662 SECStatus
3663 ssl3_StartHandshakeHash(sslSocket *ss, unsigned char * buf, int length)
3664 {
3665 SECStatus rv;
3666
3667 ssl_GetSSL3HandshakeLock(ss); /**************************************/
3668
3669 rv = ssl3_InitState(ss);
3670 if (rv != SECSuccess) {
3671 goto done; /* ssl3_InitState has set the error code. */
3672 }
3673
3674 PORT_Memset(&ss->ssl3.hs.client_random, 0, SSL3_RANDOM_LENGTH);
3675 PORT_Memcpy(
3676 &ss->ssl3.hs.client_random.rand[SSL3_RANDOM_LENGTH - SSL_CHALLENGE_BYTES ],
3677 &ss->sec.ci.clientChallenge,
3678 SSL_CHALLENGE_BYTES);
3679
3680 rv = ssl3_UpdateHandshakeHashes(ss, buf, length);
3681 /* if it failed, ssl3_UpdateHandshakeHashes has set the error code. */
3682
3683 done:
3684 ssl_ReleaseSSL3HandshakeLock(ss); /**************************************/
3685 return rv;
3686 }
3687
3688 /**************************************************************************
3689 * end of Handshake Hash functions.
3690 * Begin Send and Handle functions for handshakes.
3691 **************************************************************************/
3692
3693 /* Called from ssl3_HandleHelloRequest(),
3694 * ssl3_HandleFinished() (for step-up)
3695 * ssl3_RedoHandshake()
3696 * ssl2_BeginClientHandshake (when resuming ssl3 session)
3697 */
3698 SECStatus
3699 ssl3_SendClientHello(sslSocket *ss)
3700 {
3701 sslSessionID * sid;
3702 ssl3CipherSpec * cwSpec;
3703 SECStatus rv;
3704 int i;
3705 int length;
3706 int num_suites;
3707 int actual_count = 0;
3708 PRInt32 total_exten_len = 0;
3709 unsigned numCompressionMethods;
3710
3711 SSL_TRC(3, ("%d: SSL3[%d]: send client_hello handshake", SSL_GETPID(),
3712 ss->fd));
3713
3714 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
3715 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
3716
3717 rv = ssl3_InitState(ss);
3718 if (rv != SECSuccess) {
3719 return rv; /* ssl3_InitState has set the error code. */
3720 }
3721
3722 /* We might be starting a session renegotiation in which case we should
3723 * clear previous state.
3724 */
3725 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
3726
3727 SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
3728 SSL_GETPID(), ss->fd ));
3729 rv = ssl3_RestartHandshakeHashes(ss);
3730 if (rv != SECSuccess) {
3731 return rv;
3732 }
3733
3734 /* We ignore ss->sec.ci.sid here, and use ssl_Lookup because Lookup
3735 * handles expired entries and other details.
3736 * XXX If we've been called from ssl2_BeginClientHandshake, then
3737 * this lookup is duplicative and wasteful.
3738 */
3739 sid = (ss->opt.noCache) ? NULL
3740 : ssl_LookupSID(&ss->sec.ci.peer, ss->sec.ci.port, ss->peerID, ss->u rl);
3741
3742 /* We can't resume based on a different token. If the sid exists,
3743 * make sure the token that holds the master secret still exists ...
3744 * If we previously did client-auth, make sure that the token that holds
3745 * the private key still exists, is logged in, hasn't been removed, etc.
3746 */
3747 if (sid) {
3748 PRBool sidOK = PR_TRUE;
3749 if (sid->u.ssl3.keys.msIsWrapped) {
3750 /* Session key was wrapped, which means it was using PKCS11, */
3751 PK11SlotInfo *slot = NULL;
3752 if (sid->u.ssl3.masterValid && !ss->opt.bypassPKCS11) {
3753 slot = SECMOD_LookupSlot(sid->u.ssl3.masterModuleID,
3754 sid->u.ssl3.masterSlotID);
3755 }
3756 if (slot == NULL) {
3757 sidOK = PR_FALSE;
3758 } else {
3759 PK11SymKey *wrapKey = NULL;
3760 if (!PK11_IsPresent(slot) ||
3761 ((wrapKey = PK11_GetWrapKey(slot,
3762 sid->u.ssl3.masterWrapIndex,
3763 sid->u.ssl3.masterWrapMech,
3764 sid->u.ssl3.masterWrapSeries,
3765 ss->pkcs11PinArg)) == NULL) ) {
3766 sidOK = PR_FALSE;
3767 }
3768 if (wrapKey) PK11_FreeSymKey(wrapKey);
3769 PK11_FreeSlot(slot);
3770 slot = NULL;
3771 }
3772 }
3773 /* If we previously did client-auth, make sure that the token that
3774 ** holds the private key still exists, is logged in, hasn't been
3775 ** removed, etc.
3776 */
3777 if (sidOK && !ssl3_ClientAuthTokenPresent(sid)) {
3778 sidOK = PR_FALSE;
3779 }
3780
3781 if (!sidOK) {
3782 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_not_ok );
3783 (*ss->sec.uncache)(sid);
3784 ssl_FreeSID(sid);
3785 sid = NULL;
3786 }
3787 }
3788
3789 if (sid) {
3790 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_hits );
3791
3792 /* Are we attempting a stateless session resume? */
3793 if (sid->version > SSL_LIBRARY_VERSION_3_0 &&
3794 sid->u.ssl3.sessionTicket.ticket.data)
3795 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_stateless_resumes );
3796
3797 rv = ssl3_NegotiateVersion(ss, sid->version);
3798 if (rv != SECSuccess)
3799 return rv; /* error code was set */
3800
3801 PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID,
3802 sid->u.ssl3.sessionIDLength));
3803
3804 ss->ssl3.policy = sid->u.ssl3.policy;
3805 } else {
3806 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_misses );
3807
3808 rv = ssl3_NegotiateVersion(ss, SSL_LIBRARY_VERSION_3_1_TLS);
3809 if (rv != SECSuccess)
3810 return rv; /* error code was set */
3811
3812 sid = ssl3_NewSessionID(ss, PR_FALSE);
3813 if (!sid) {
3814 return SECFailure; /* memory error is set */
3815 }
3816 }
3817
3818 ssl_GetSpecWriteLock(ss);
3819 cwSpec = ss->ssl3.cwSpec;
3820 if (cwSpec->mac_def->mac == mac_null) {
3821 /* SSL records are not being MACed. */
3822 cwSpec->version = ss->version;
3823 }
3824 ssl_ReleaseSpecWriteLock(ss);
3825
3826 if (ss->sec.ci.sid != NULL) {
3827 ssl_FreeSID(ss->sec.ci.sid); /* decrement ref count, free if zero */
3828 }
3829 ss->sec.ci.sid = sid;
3830
3831 ss->sec.send = ssl3_SendApplicationData;
3832
3833 /* shouldn't get here if SSL3 is disabled, but ... */
3834 PORT_Assert(ss->opt.enableSSL3 || ss->opt.enableTLS);
3835 if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) {
3836 PORT_SetError(SSL_ERROR_SSL_DISABLED);
3837 return SECFailure;
3838 }
3839
3840 /* how many suites does our PKCS11 support (regardless of policy)? */
3841 num_suites = ssl3_config_match_init(ss);
3842 if (!num_suites)
3843 return SECFailure; /* ssl3_config_match_init has set error code. */
3844
3845 if (ss->opt.enableTLS && ss->version > SSL_LIBRARY_VERSION_3_0) {
3846 PRUint32 maxBytes = 65535; /* 2^16 - 1 */
3847 PRInt32 extLen;
3848
3849 extLen = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes, NULL);
3850 if (extLen < 0) {
3851 return SECFailure;
3852 }
3853 maxBytes -= extLen;
3854 total_exten_len += extLen;
3855
3856 if (total_exten_len > 0)
3857 total_exten_len += 2;
3858 }
3859 #if defined(NSS_ENABLE_ECC) && !defined(NSS_ECC_MORE_THAN_SUITE_B)
3860 else { /* SSL3 only */
3861 ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */
3862 }
3863 #endif
3864
3865 /* how many suites are permitted by policy and user preference? */
3866 num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE);
3867 if (!num_suites)
3868 return SECFailure; /* count_cipher_suites has set error code. */
3869
3870 /* count compression methods */
3871 numCompressionMethods = 0;
3872 for (i = 0; i < compressionMethodsCount; i++) {
3873 if (compressionEnabled(ss, compressions[i]))
3874 numCompressionMethods++;
3875 }
3876
3877 length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH +
3878 1 + ((sid == NULL) ? 0 : sid->u.ssl3.sessionIDLength) +
3879 2 + num_suites*sizeof(ssl3CipherSuite) +
3880 1 + numCompressionMethods + total_exten_len;
3881
3882 rv = ssl3_AppendHandshakeHeader(ss, client_hello, length);
3883 if (rv != SECSuccess) {
3884 return rv; /* err set by ssl3_AppendHandshake* */
3885 }
3886
3887 ss->clientHelloVersion = ss->version;
3888 rv = ssl3_AppendHandshakeNumber(ss, ss->clientHelloVersion, 2);
3889 if (rv != SECSuccess) {
3890 return rv; /* err set by ssl3_AppendHandshake* */
3891 }
3892 rv = ssl3_GetNewRandom(&ss->ssl3.hs.client_random);
3893 if (rv != SECSuccess) {
3894 return rv; /* err set by GetNewRandom. */
3895 }
3896 rv = ssl3_AppendHandshake(ss, &ss->ssl3.hs.client_random,
3897 SSL3_RANDOM_LENGTH);
3898 if (rv != SECSuccess) {
3899 return rv; /* err set by ssl3_AppendHandshake* */
3900 }
3901
3902 if (sid)
3903 rv = ssl3_AppendHandshakeVariable(
3904 ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1);
3905 else
3906 rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
3907 if (rv != SECSuccess) {
3908 return rv; /* err set by ssl3_AppendHandshake* */
3909 }
3910
3911 rv = ssl3_AppendHandshakeNumber(ss, num_suites*sizeof(ssl3CipherSuite), 2);
3912 if (rv != SECSuccess) {
3913 return rv; /* err set by ssl3_AppendHandshake* */
3914 }
3915
3916
3917 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
3918 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
3919 if (config_match(suite, ss->ssl3.policy, PR_TRUE)) {
3920 actual_count++;
3921 if (actual_count > num_suites) {
3922 /* set error card removal/insertion error */
3923 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
3924 return SECFailure;
3925 }
3926 rv = ssl3_AppendHandshakeNumber(ss, suite->cipher_suite,
3927 sizeof(ssl3CipherSuite));
3928 if (rv != SECSuccess) {
3929 return rv; /* err set by ssl3_AppendHandshake* */
3930 }
3931 }
3932 }
3933
3934 /* if cards were removed or inserted between count_cipher_suites and
3935 * generating our list, detect the error here rather than send it off to
3936 * the server.. */
3937 if (actual_count != num_suites) {
3938 /* Card removal/insertion error */
3939 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
3940 return SECFailure;
3941 }
3942
3943 rv = ssl3_AppendHandshakeNumber(ss, numCompressionMethods, 1);
3944 if (rv != SECSuccess) {
3945 return rv; /* err set by ssl3_AppendHandshake* */
3946 }
3947 for (i = 0; i < compressionMethodsCount; i++) {
3948 if (!compressionEnabled(ss, compressions[i]))
3949 continue;
3950 rv = ssl3_AppendHandshakeNumber(ss, compressions[i], 1);
3951 if (rv != SECSuccess) {
3952 return rv; /* err set by ssl3_AppendHandshake* */
3953 }
3954 }
3955
3956 if (total_exten_len) {
3957 PRUint32 maxBytes = total_exten_len - 2;
3958 PRInt32 extLen;
3959
3960 rv = ssl3_AppendHandshakeNumber(ss, maxBytes, 2);
3961 if (rv != SECSuccess) {
3962 return rv; /* err set by AppendHandshake. */
3963 }
3964
3965 extLen = ssl3_CallHelloExtensionSenders(ss, PR_TRUE, maxBytes, NULL);
3966 if (extLen < 0) {
3967 return SECFailure;
3968 }
3969 maxBytes -= extLen;
3970 PORT_Assert(!maxBytes);
3971 }
3972
3973
3974 rv = ssl3_FlushHandshake(ss, 0);
3975 if (rv != SECSuccess) {
3976 return rv; /* error code set by ssl3_FlushHandshake */
3977 }
3978
3979 ss->ssl3.hs.ws = wait_server_hello;
3980 return rv;
3981 }
3982
3983
3984 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
3985 * ssl3 Hello Request.
3986 * Caller must hold Handshake and RecvBuf locks.
3987 */
3988 static SECStatus
3989 ssl3_HandleHelloRequest(sslSocket *ss)
3990 {
3991 sslSessionID *sid = ss->sec.ci.sid;
3992 SECStatus rv;
3993
3994 SSL_TRC(3, ("%d: SSL3[%d]: handle hello_request handshake",
3995 SSL_GETPID(), ss->fd));
3996
3997 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
3998 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
3999
4000 if (ss->ssl3.hs.ws == wait_server_hello)
4001 return SECSuccess;
4002 if (ss->ssl3.hs.ws != idle_handshake || ss->sec.isServer) {
4003 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
4004 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST);
4005 return SECFailure;
4006 }
4007 if (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) {
4008 ssl_GetXmitBufLock(ss);
4009 rv = SSL3_SendAlert(ss, alert_warning, no_renegotiation);
4010 ssl_ReleaseXmitBufLock(ss);
4011 PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
4012 return SECFailure;
4013 }
4014
4015 if (sid) {
4016 ss->sec.uncache(sid);
4017 ssl_FreeSID(sid);
4018 ss->sec.ci.sid = NULL;
4019 }
4020
4021 ssl_GetXmitBufLock(ss);
4022 rv = ssl3_SendClientHello(ss);
4023 ssl_ReleaseXmitBufLock(ss);
4024
4025 return rv;
4026 }
4027
4028 #define UNKNOWN_WRAP_MECHANISM 0x7fffffff
4029
4030 static const CK_MECHANISM_TYPE wrapMechanismList[SSL_NUM_WRAP_MECHS] = {
4031 CKM_DES3_ECB,
4032 CKM_CAST5_ECB,
4033 CKM_DES_ECB,
4034 CKM_KEY_WRAP_LYNKS,
4035 CKM_IDEA_ECB,
4036 CKM_CAST3_ECB,
4037 CKM_CAST_ECB,
4038 CKM_RC5_ECB,
4039 CKM_RC2_ECB,
4040 CKM_CDMF_ECB,
4041 CKM_SKIPJACK_WRAP,
4042 CKM_SKIPJACK_CBC64,
4043 CKM_AES_ECB,
4044 CKM_CAMELLIA_ECB,
4045 CKM_SEED_ECB,
4046 UNKNOWN_WRAP_MECHANISM
4047 };
4048
4049 static int
4050 ssl_FindIndexByWrapMechanism(CK_MECHANISM_TYPE mech)
4051 {
4052 const CK_MECHANISM_TYPE *pMech = wrapMechanismList;
4053
4054 while (mech != *pMech && *pMech != UNKNOWN_WRAP_MECHANISM) {
4055 ++pMech;
4056 }
4057 return (*pMech == UNKNOWN_WRAP_MECHANISM) ? -1
4058 : (pMech - wrapMechanismList);
4059 }
4060
4061 static PK11SymKey *
4062 ssl_UnwrapSymWrappingKey(
4063 SSLWrappedSymWrappingKey *pWswk,
4064 SECKEYPrivateKey * svrPrivKey,
4065 SSL3KEAType exchKeyType,
4066 CK_MECHANISM_TYPE masterWrapMech,
4067 void * pwArg)
4068 {
4069 PK11SymKey * unwrappedWrappingKey = NULL;
4070 SECItem wrappedKey;
4071 #ifdef NSS_ENABLE_ECC
4072 PK11SymKey * Ks;
4073 SECKEYPublicKey pubWrapKey;
4074 ECCWrappedKeyInfo *ecWrapped;
4075 #endif /* NSS_ENABLE_ECC */
4076
4077 /* found the wrapping key on disk. */
4078 PORT_Assert(pWswk->symWrapMechanism == masterWrapMech);
4079 PORT_Assert(pWswk->exchKeyType == exchKeyType);
4080 if (pWswk->symWrapMechanism != masterWrapMech ||
4081 pWswk->exchKeyType != exchKeyType) {
4082 goto loser;
4083 }
4084 wrappedKey.type = siBuffer;
4085 wrappedKey.data = pWswk->wrappedSymmetricWrappingkey;
4086 wrappedKey.len = pWswk->wrappedSymKeyLen;
4087 PORT_Assert(wrappedKey.len <= sizeof pWswk->wrappedSymmetricWrappingkey);
4088
4089 switch (exchKeyType) {
4090
4091 case kt_rsa:
4092 unwrappedWrappingKey =
4093 PK11_PubUnwrapSymKey(svrPrivKey, &wrappedKey,
4094 masterWrapMech, CKA_UNWRAP, 0);
4095 break;
4096
4097 #ifdef NSS_ENABLE_ECC
4098 case kt_ecdh:
4099 /*
4100 * For kt_ecdh, we first create an EC public key based on
4101 * data stored with the wrappedSymmetricWrappingkey. Next,
4102 * we do an ECDH computation involving this public key and
4103 * the SSL server's (long-term) EC private key. The resulting
4104 * shared secret is treated the same way as Fortezza's Ks, i.e.,
4105 * it is used to recover the symmetric wrapping key.
4106 *
4107 * The data in wrappedSymmetricWrappingkey is laid out as defined
4108 * in the ECCWrappedKeyInfo structure.
4109 */
4110 ecWrapped = (ECCWrappedKeyInfo *) pWswk->wrappedSymmetricWrappingkey;
4111
4112 PORT_Assert(ecWrapped->encodedParamLen + ecWrapped->pubValueLen +
4113 ecWrapped->wrappedKeyLen <= MAX_EC_WRAPPED_KEY_BUFLEN);
4114
4115 if (ecWrapped->encodedParamLen + ecWrapped->pubValueLen +
4116 ecWrapped->wrappedKeyLen > MAX_EC_WRAPPED_KEY_BUFLEN) {
4117 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
4118 goto loser;
4119 }
4120
4121 pubWrapKey.keyType = ecKey;
4122 pubWrapKey.u.ec.size = ecWrapped->size;
4123 pubWrapKey.u.ec.DEREncodedParams.len = ecWrapped->encodedParamLen;
4124 pubWrapKey.u.ec.DEREncodedParams.data = ecWrapped->var;
4125 pubWrapKey.u.ec.publicValue.len = ecWrapped->pubValueLen;
4126 pubWrapKey.u.ec.publicValue.data = ecWrapped->var +
4127 ecWrapped->encodedParamLen;
4128
4129 wrappedKey.len = ecWrapped->wrappedKeyLen;
4130 wrappedKey.data = ecWrapped->var + ecWrapped->encodedParamLen +
4131 ecWrapped->pubValueLen;
4132
4133 /* Derive Ks using ECDH */
4134 Ks = PK11_PubDeriveWithKDF(svrPrivKey, &pubWrapKey, PR_FALSE, NULL,
4135 NULL, CKM_ECDH1_DERIVE, masterWrapMech,
4136 CKA_DERIVE, 0, CKD_NULL, NULL, NULL);
4137 if (Ks == NULL) {
4138 goto loser;
4139 }
4140
4141 /* Use Ks to unwrap the wrapping key */
4142 unwrappedWrappingKey = PK11_UnwrapSymKey(Ks, masterWrapMech, NULL,
4143 &wrappedKey, masterWrapMech,
4144 CKA_UNWRAP, 0);
4145 PK11_FreeSymKey(Ks);
4146
4147 break;
4148 #endif
4149
4150 default:
4151 /* Assert? */
4152 SET_ERROR_CODE
4153 goto loser;
4154 }
4155 loser:
4156 return unwrappedWrappingKey;
4157 }
4158
4159 /* Each process sharing the server session ID cache has its own array of
4160 * SymKey pointers for the symmetric wrapping keys that are used to wrap
4161 * the master secrets. There is one key for each KEA type. These Symkeys
4162 * correspond to the wrapped SymKeys kept in the server session cache.
4163 */
4164
4165 typedef struct {
4166 PK11SymKey * symWrapKey[kt_kea_size];
4167 } ssl3SymWrapKey;
4168
4169 static PZLock * symWrapKeysLock = NULL;
4170 static ssl3SymWrapKey symWrapKeys[SSL_NUM_WRAP_MECHS];
4171
4172 SECStatus ssl_FreeSymWrapKeysLock(void)
4173 {
4174 if (symWrapKeysLock) {
4175 PZ_DestroyLock(symWrapKeysLock);
4176 symWrapKeysLock = NULL;
4177 return SECSuccess;
4178 }
4179 PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
4180 return SECFailure;
4181 }
4182
4183 SECStatus
4184 SSL3_ShutdownServerCache(void)
4185 {
4186 int i, j;
4187
4188 if (!symWrapKeysLock)
4189 return SECSuccess; /* lock was never initialized */
4190 PZ_Lock(symWrapKeysLock);
4191 /* get rid of all symWrapKeys */
4192 for (i = 0; i < SSL_NUM_WRAP_MECHS; ++i) {
4193 for (j = 0; j < kt_kea_size; ++j) {
4194 PK11SymKey ** pSymWrapKey;
4195 pSymWrapKey = &symWrapKeys[i].symWrapKey[j];
4196 if (*pSymWrapKey) {
4197 PK11_FreeSymKey(*pSymWrapKey);
4198 *pSymWrapKey = NULL;
4199 }
4200 }
4201 }
4202
4203 PZ_Unlock(symWrapKeysLock);
4204 ssl_FreeSessionCacheLocks();
4205 return SECSuccess;
4206 }
4207
4208 SECStatus ssl_InitSymWrapKeysLock(void)
4209 {
4210 symWrapKeysLock = PZ_NewLock(nssILockOther);
4211 return symWrapKeysLock ? SECSuccess : SECFailure;
4212 }
4213
4214 /* Try to get wrapping key for mechanism from in-memory array.
4215 * If that fails, look for one on disk.
4216 * If that fails, generate a new one, put the new one on disk,
4217 * Put the new key in the in-memory array.
4218 */
4219 static PK11SymKey *
4220 getWrappingKey( sslSocket * ss,
4221 PK11SlotInfo * masterSecretSlot,
4222 SSL3KEAType exchKeyType,
4223 CK_MECHANISM_TYPE masterWrapMech,
4224 void * pwArg)
4225 {
4226 SECKEYPrivateKey * svrPrivKey;
4227 SECKEYPublicKey * svrPubKey = NULL;
4228 PK11SymKey * unwrappedWrappingKey = NULL;
4229 PK11SymKey ** pSymWrapKey;
4230 CK_MECHANISM_TYPE asymWrapMechanism = CKM_INVALID_MECHANISM;
4231 int length;
4232 int symWrapMechIndex;
4233 SECStatus rv;
4234 SECItem wrappedKey;
4235 SSLWrappedSymWrappingKey wswk;
4236
4237 svrPrivKey = ss->serverCerts[exchKeyType].SERVERKEY;
4238 PORT_Assert(svrPrivKey != NULL);
4239 if (!svrPrivKey) {
4240 return NULL; /* why are we here?!? */
4241 }
4242
4243 symWrapMechIndex = ssl_FindIndexByWrapMechanism(masterWrapMech);
4244 PORT_Assert(symWrapMechIndex >= 0);
4245 if (symWrapMechIndex < 0)
4246 return NULL; /* invalid masterWrapMech. */
4247
4248 pSymWrapKey = &symWrapKeys[symWrapMechIndex].symWrapKey[exchKeyType];
4249
4250 ssl_InitSessionCacheLocks(PR_TRUE);
4251
4252 PZ_Lock(symWrapKeysLock);
4253
4254 unwrappedWrappingKey = *pSymWrapKey;
4255 if (unwrappedWrappingKey != NULL) {
4256 if (PK11_VerifyKeyOK(unwrappedWrappingKey)) {
4257 unwrappedWrappingKey = PK11_ReferenceSymKey(unwrappedWrappingKey);
4258 goto done;
4259 }
4260 /* slot series has changed, so this key is no good any more. */
4261 PK11_FreeSymKey(unwrappedWrappingKey);
4262 *pSymWrapKey = unwrappedWrappingKey = NULL;
4263 }
4264
4265 /* Try to get wrapped SymWrapping key out of the (disk) cache. */
4266 /* Following call fills in wswk on success. */
4267 if (ssl_GetWrappingKey(symWrapMechIndex, exchKeyType, &wswk)) {
4268 /* found the wrapped sym wrapping key on disk. */
4269 unwrappedWrappingKey =
4270 ssl_UnwrapSymWrappingKey(&wswk, svrPrivKey, exchKeyType,
4271 masterWrapMech, pwArg);
4272 if (unwrappedWrappingKey) {
4273 goto install;
4274 }
4275 }
4276
4277 if (!masterSecretSlot) /* caller doesn't want to create a new one. */
4278 goto loser;
4279
4280 length = PK11_GetBestKeyLength(masterSecretSlot, masterWrapMech);
4281 /* Zero length means fixed key length algorithm, or error.
4282 * It's ambiguous.
4283 */
4284 unwrappedWrappingKey = PK11_KeyGen(masterSecretSlot, masterWrapMech, NULL,
4285 length, pwArg);
4286 if (!unwrappedWrappingKey) {
4287 goto loser;
4288 }
4289
4290 /* Prepare the buffer to receive the wrappedWrappingKey,
4291 * the symmetric wrapping key wrapped using the server's pub key.
4292 */
4293 PORT_Memset(&wswk, 0, sizeof wswk); /* eliminate UMRs. */
4294
4295 if (ss->serverCerts[exchKeyType].serverKeyPair) {
4296 svrPubKey = ss->serverCerts[exchKeyType].serverKeyPair->pubKey;
4297 }
4298 if (svrPubKey == NULL) {
4299 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
4300 goto loser;
4301 }
4302 wrappedKey.type = siBuffer;
4303 wrappedKey.len = SECKEY_PublicKeyStrength(svrPubKey);
4304 wrappedKey.data = wswk.wrappedSymmetricWrappingkey;
4305
4306 PORT_Assert(wrappedKey.len <= sizeof wswk.wrappedSymmetricWrappingkey);
4307 if (wrappedKey.len > sizeof wswk.wrappedSymmetricWrappingkey)
4308 goto loser;
4309
4310 /* wrap symmetric wrapping key in server's public key. */
4311 switch (exchKeyType) {
4312 #ifdef NSS_ENABLE_ECC
4313 PK11SymKey * Ks = NULL;
4314 SECKEYPublicKey *pubWrapKey = NULL;
4315 SECKEYPrivateKey *privWrapKey = NULL;
4316 ECCWrappedKeyInfo *ecWrapped;
4317 #endif /* NSS_ENABLE_ECC */
4318
4319 case kt_rsa:
4320 asymWrapMechanism = CKM_RSA_PKCS;
4321 rv = PK11_PubWrapSymKey(asymWrapMechanism, svrPubKey,
4322 unwrappedWrappingKey, &wrappedKey);
4323 break;
4324
4325 #ifdef NSS_ENABLE_ECC
4326 case kt_ecdh:
4327 /*
4328 * We generate an ephemeral EC key pair. Perform an ECDH
4329 * computation involving this ephemeral EC public key and
4330 * the SSL server's (long-term) EC private key. The resulting
4331 * shared secret is treated in the same way as Fortezza's Ks,
4332 * i.e., it is used to wrap the wrapping key. To facilitate
4333 * unwrapping in ssl_UnwrapWrappingKey, we also store all
4334 * relevant info about the ephemeral EC public key in
4335 * wswk.wrappedSymmetricWrappingkey and lay it out as
4336 * described in the ECCWrappedKeyInfo structure.
4337 */
4338 PORT_Assert(svrPubKey->keyType == ecKey);
4339 if (svrPubKey->keyType != ecKey) {
4340 /* something is wrong in sslsecur.c if this isn't an ecKey */
4341 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
4342 rv = SECFailure;
4343 goto ec_cleanup;
4344 }
4345
4346 privWrapKey = SECKEY_CreateECPrivateKey(
4347 &svrPubKey->u.ec.DEREncodedParams, &pubWrapKey, NULL);
4348 if ((privWrapKey == NULL) || (pubWrapKey == NULL)) {
4349 rv = SECFailure;
4350 goto ec_cleanup;
4351 }
4352
4353 /* Set the key size in bits */
4354 if (pubWrapKey->u.ec.size == 0) {
4355 pubWrapKey->u.ec.size = SECKEY_PublicKeyStrengthInBits(svrPubKey);
4356 }
4357
4358 PORT_Assert(pubWrapKey->u.ec.DEREncodedParams.len +
4359 pubWrapKey->u.ec.publicValue.len < MAX_EC_WRAPPED_KEY_BUFLEN);
4360 if (pubWrapKey->u.ec.DEREncodedParams.len +
4361 pubWrapKey->u.ec.publicValue.len >= MAX_EC_WRAPPED_KEY_BUFLEN) {
4362 PORT_SetError(SEC_ERROR_INVALID_KEY);
4363 rv = SECFailure;
4364 goto ec_cleanup;
4365 }
4366
4367 /* Derive Ks using ECDH */
4368 Ks = PK11_PubDeriveWithKDF(svrPrivKey, pubWrapKey, PR_FALSE, NULL,
4369 NULL, CKM_ECDH1_DERIVE, masterWrapMech,
4370 CKA_DERIVE, 0, CKD_NULL, NULL, NULL);
4371 if (Ks == NULL) {
4372 rv = SECFailure;
4373 goto ec_cleanup;
4374 }
4375
4376 ecWrapped = (ECCWrappedKeyInfo *) (wswk.wrappedSymmetricWrappingkey);
4377 ecWrapped->size = pubWrapKey->u.ec.size;
4378 ecWrapped->encodedParamLen = pubWrapKey->u.ec.DEREncodedParams.len;
4379 PORT_Memcpy(ecWrapped->var, pubWrapKey->u.ec.DEREncodedParams.data,
4380 pubWrapKey->u.ec.DEREncodedParams.len);
4381
4382 ecWrapped->pubValueLen = pubWrapKey->u.ec.publicValue.len;
4383 PORT_Memcpy(ecWrapped->var + ecWrapped->encodedParamLen,
4384 pubWrapKey->u.ec.publicValue.data,
4385 pubWrapKey->u.ec.publicValue.len);
4386
4387 wrappedKey.len = MAX_EC_WRAPPED_KEY_BUFLEN -
4388 (ecWrapped->encodedParamLen + ecWrapped->pubValueLen);
4389 wrappedKey.data = ecWrapped->var + ecWrapped->encodedParamLen +
4390 ecWrapped->pubValueLen;
4391
4392 /* wrap symmetricWrapping key with the local Ks */
4393 rv = PK11_WrapSymKey(masterWrapMech, NULL, Ks,
4394 unwrappedWrappingKey, &wrappedKey);
4395
4396 if (rv != SECSuccess) {
4397 goto ec_cleanup;
4398 }
4399
4400 /* Write down the length of wrapped key in the buffer
4401 * wswk.wrappedSymmetricWrappingkey at the appropriate offset
4402 */
4403 ecWrapped->wrappedKeyLen = wrappedKey.len;
4404
4405 ec_cleanup:
4406 if (privWrapKey) SECKEY_DestroyPrivateKey(privWrapKey);
4407 if (pubWrapKey) SECKEY_DestroyPublicKey(pubWrapKey);
4408 if (Ks) PK11_FreeSymKey(Ks);
4409 asymWrapMechanism = masterWrapMech;
4410 break;
4411 #endif /* NSS_ENABLE_ECC */
4412
4413 default:
4414 rv = SECFailure;
4415 break;
4416 }
4417
4418 if (rv != SECSuccess) {
4419 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
4420 goto loser;
4421 }
4422
4423 PORT_Assert(asymWrapMechanism != CKM_INVALID_MECHANISM);
4424
4425 wswk.symWrapMechanism = masterWrapMech;
4426 wswk.symWrapMechIndex = symWrapMechIndex;
4427 wswk.asymWrapMechanism = asymWrapMechanism;
4428 wswk.exchKeyType = exchKeyType;
4429 wswk.wrappedSymKeyLen = wrappedKey.len;
4430
4431 /* put it on disk. */
4432 /* If the wrapping key for this KEA type has already been set,
4433 * then abandon the value we just computed and
4434 * use the one we got from the disk.
4435 */
4436 if (ssl_SetWrappingKey(&wswk)) {
4437 /* somebody beat us to it. The original contents of our wswk
4438 * has been replaced with the content on disk. Now, discard
4439 * the key we just created and unwrap this new one.
4440 */
4441 PK11_FreeSymKey(unwrappedWrappingKey);
4442
4443 unwrappedWrappingKey =
4444 ssl_UnwrapSymWrappingKey(&wswk, svrPrivKey, exchKeyType,
4445 masterWrapMech, pwArg);
4446 }
4447
4448 install:
4449 if (unwrappedWrappingKey) {
4450 *pSymWrapKey = PK11_ReferenceSymKey(unwrappedWrappingKey);
4451 }
4452
4453 loser:
4454 done:
4455 PZ_Unlock(symWrapKeysLock);
4456 return unwrappedWrappingKey;
4457 }
4458
4459
4460 /* Called from ssl3_SendClientKeyExchange(). */
4461 /* Presently, this always uses PKCS11. There is no bypass for this. */
4462 static SECStatus
4463 sendRSAClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
4464 {
4465 PK11SymKey * pms = NULL;
4466 SECStatus rv = SECFailure;
4467 SECItem enc_pms = {siBuffer, NULL, 0};
4468 PRBool isTLS;
4469
4470 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
4471 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
4472
4473 /* Generate the pre-master secret ... */
4474 ssl_GetSpecWriteLock(ss);
4475 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
4476
4477 pms = ssl3_GenerateRSAPMS(ss, ss->ssl3.pwSpec, NULL);
4478 ssl_ReleaseSpecWriteLock(ss);
4479 if (pms == NULL) {
4480 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
4481 goto loser;
4482 }
4483
4484 #if defined(TRACE)
4485 if (ssl_trace >= 100) {
4486 SECStatus extractRV = PK11_ExtractKeyValue(pms);
4487 if (extractRV == SECSuccess) {
4488 SECItem * keyData = PK11_GetKeyData(pms);
4489 if (keyData && keyData->data && keyData->len) {
4490 ssl_PrintBuf(ss, "Pre-Master Secret",
4491 keyData->data, keyData->len);
4492 }
4493 }
4494 }
4495 #endif
4496
4497 /* Get the wrapped (encrypted) pre-master secret, enc_pms */
4498 enc_pms.len = SECKEY_PublicKeyStrength(svrPubKey);
4499 enc_pms.data = (unsigned char*)PORT_Alloc(enc_pms.len);
4500 if (enc_pms.data == NULL) {
4501 goto loser; /* err set by PORT_Alloc */
4502 }
4503
4504 /* wrap pre-master secret in server's public key. */
4505 rv = PK11_PubWrapSymKey(CKM_RSA_PKCS, svrPubKey, pms, &enc_pms);
4506 if (rv != SECSuccess) {
4507 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
4508 goto loser;
4509 }
4510
4511 rv = ssl3_InitPendingCipherSpec(ss, pms);
4512 PK11_FreeSymKey(pms); pms = NULL;
4513
4514 if (rv != SECSuccess) {
4515 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
4516 goto loser;
4517 }
4518
4519 rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange,
4520 isTLS ? enc_pms.len + 2 : enc_pms.len);
4521 if (rv != SECSuccess) {
4522 goto loser; /* err set by ssl3_AppendHandshake* */
4523 }
4524 if (isTLS) {
4525 rv = ssl3_AppendHandshakeVariable(ss, enc_pms.data, enc_pms.len, 2);
4526 } else {
4527 rv = ssl3_AppendHandshake(ss, enc_pms.data, enc_pms.len);
4528 }
4529 if (rv != SECSuccess) {
4530 goto loser; /* err set by ssl3_AppendHandshake* */
4531 }
4532
4533 rv = SECSuccess;
4534
4535 loser:
4536 if (enc_pms.data != NULL) {
4537 PORT_Free(enc_pms.data);
4538 }
4539 if (pms != NULL) {
4540 PK11_FreeSymKey(pms);
4541 }
4542 return rv;
4543 }
4544
4545 /* Called from ssl3_SendClientKeyExchange(). */
4546 /* Presently, this always uses PKCS11. There is no bypass for this. */
4547 static SECStatus
4548 sendDHClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
4549 {
4550 PK11SymKey * pms = NULL;
4551 SECStatus rv = SECFailure;
4552 PRBool isTLS;
4553 CK_MECHANISM_TYPE target;
4554
4555 SECKEYDHParams dhParam; /* DH parameters */
4556 SECKEYPublicKey *pubKey = NULL; /* Ephemeral DH key */
4557 SECKEYPrivateKey *privKey = NULL; /* Ephemeral DH key */
4558
4559 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
4560 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
4561
4562 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
4563
4564 /* Copy DH parameters from server key */
4565
4566 if (svrPubKey->keyType != dhKey) {
4567 PORT_SetError(SEC_ERROR_BAD_KEY);
4568 goto loser;
4569 }
4570 dhParam.prime.data = svrPubKey->u.dh.prime.data;
4571 dhParam.prime.len = svrPubKey->u.dh.prime.len;
4572 dhParam.base.data = svrPubKey->u.dh.base.data;
4573 dhParam.base.len = svrPubKey->u.dh.base.len;
4574
4575 /* Generate ephemeral DH keypair */
4576 privKey = SECKEY_CreateDHPrivateKey(&dhParam, &pubKey, NULL);
4577 if (!privKey || !pubKey) {
4578 ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
4579 rv = SECFailure;
4580 goto loser;
4581 }
4582 PRINT_BUF(50, (ss, "DH public value:",
4583 pubKey->u.dh.publicValue.data,
4584 pubKey->u.dh.publicValue.len));
4585
4586 if (isTLS) target = CKM_TLS_MASTER_KEY_DERIVE_DH;
4587 else target = CKM_SSL3_MASTER_KEY_DERIVE_DH;
4588
4589 /* Determine the PMS */
4590
4591 pms = PK11_PubDerive(privKey, svrPubKey, PR_FALSE, NULL, NULL,
4592 CKM_DH_PKCS_DERIVE, target, CKA_DERIVE, 0, NULL);
4593
4594 if (pms == NULL) {
4595 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
4596 goto loser;
4597 }
4598
4599 SECKEY_DestroyPrivateKey(privKey);
4600 privKey = NULL;
4601
4602 rv = ssl3_InitPendingCipherSpec(ss, pms);
4603 PK11_FreeSymKey(pms); pms = NULL;
4604
4605 if (rv != SECSuccess) {
4606 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
4607 goto loser;
4608 }
4609
4610 rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange,
4611 pubKey->u.dh.publicValue.len + 2);
4612 if (rv != SECSuccess) {
4613 goto loser; /* err set by ssl3_AppendHandshake* */
4614 }
4615 rv = ssl3_AppendHandshakeVariable(ss,
4616 pubKey->u.dh.publicValue.data,
4617 pubKey->u.dh.publicValue.len, 2);
4618 SECKEY_DestroyPublicKey(pubKey);
4619 pubKey = NULL;
4620
4621 if (rv != SECSuccess) {
4622 goto loser; /* err set by ssl3_AppendHandshake* */
4623 }
4624
4625 rv = SECSuccess;
4626
4627
4628 loser:
4629
4630 if(pms) PK11_FreeSymKey(pms);
4631 if(privKey) SECKEY_DestroyPrivateKey(privKey);
4632 if(pubKey) SECKEY_DestroyPublicKey(pubKey);
4633 return rv;
4634 }
4635
4636
4637
4638
4639
4640 /* Called from ssl3_HandleServerHelloDone(). */
4641 static SECStatus
4642 ssl3_SendClientKeyExchange(sslSocket *ss)
4643 {
4644 SECKEYPublicKey * serverKey = NULL;
4645 SECStatus rv = SECFailure;
4646 PRBool isTLS;
4647
4648 SSL_TRC(3, ("%d: SSL3[%d]: send client_key_exchange handshake",
4649 SSL_GETPID(), ss->fd));
4650
4651 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
4652 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
4653
4654 if (ss->sec.peerKey == NULL) {
4655 serverKey = CERT_ExtractPublicKey(ss->sec.peerCert);
4656 if (serverKey == NULL) {
4657 PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
4658 return SECFailure;
4659 }
4660 } else {
4661 serverKey = ss->sec.peerKey;
4662 ss->sec.peerKey = NULL; /* we're done with it now */
4663 }
4664
4665 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
4666 /* enforce limits on kea key sizes. */
4667 if (ss->ssl3.hs.kea_def->is_limited) {
4668 int keyLen = SECKEY_PublicKeyStrength(serverKey); /* bytes */
4669
4670 if (keyLen * BPB > ss->ssl3.hs.kea_def->key_size_limit) {
4671 if (isTLS)
4672 (void)SSL3_SendAlert(ss, alert_fatal, export_restriction);
4673 else
4674 (void)ssl3_HandshakeFailure(ss);
4675 PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED);
4676 goto loser;
4677 }
4678 }
4679
4680 ss->sec.keaType = ss->ssl3.hs.kea_def->exchKeyType;
4681 ss->sec.keaKeyBits = SECKEY_PublicKeyStrengthInBits(serverKey);
4682
4683 switch (ss->ssl3.hs.kea_def->exchKeyType) {
4684 case kt_rsa:
4685 rv = sendRSAClientKeyExchange(ss, serverKey);
4686 break;
4687
4688 case kt_dh:
4689 rv = sendDHClientKeyExchange(ss, serverKey);
4690 break;
4691
4692 #ifdef NSS_ENABLE_ECC
4693 case kt_ecdh:
4694 rv = ssl3_SendECDHClientKeyExchange(ss, serverKey);
4695 break;
4696 #endif /* NSS_ENABLE_ECC */
4697
4698 default:
4699 /* got an unknown or unsupported Key Exchange Algorithm. */
4700 SEND_ALERT
4701 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
4702 break;
4703 }
4704
4705 SSL_TRC(3, ("%d: SSL3[%d]: DONE sending client_key_exchange",
4706 SSL_GETPID(), ss->fd));
4707
4708 loser:
4709 if (serverKey)
4710 SECKEY_DestroyPublicKey(serverKey);
4711 return rv; /* err code already set. */
4712 }
4713
4714 /* Called from ssl3_HandleServerHelloDone(). */
4715 static SECStatus
4716 ssl3_SendCertificateVerify(sslSocket *ss)
4717 {
4718 SECStatus rv = SECFailure;
4719 PRBool isTLS;
4720 SECItem buf = {siBuffer, NULL, 0};
4721 SSL3Hashes hashes;
4722
4723 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
4724 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
4725
4726 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake",
4727 SSL_GETPID(), ss->fd));
4728
4729 ssl_GetSpecReadLock(ss);
4730 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0);
4731 ssl_ReleaseSpecReadLock(ss);
4732 if (rv != SECSuccess) {
4733 goto done; /* err code was set by ssl3_ComputeHandshakeHashes */
4734 }
4735
4736 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
4737 rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS);
4738 if (rv == SECSuccess) {
4739 PK11SlotInfo * slot;
4740 sslSessionID * sid = ss->sec.ci.sid;
4741
4742 /* Remember the info about the slot that did the signing.
4743 ** Later, when doing an SSL restart handshake, verify this.
4744 ** These calls are mere accessors, and can't fail.
4745 */
4746 slot = PK11_GetSlotFromPrivateKey(ss->ssl3.clientPrivateKey);
4747 sid->u.ssl3.clAuthSeries = PK11_GetSlotSeries(slot);
4748 sid->u.ssl3.clAuthSlotID = PK11_GetSlotID(slot);
4749 sid->u.ssl3.clAuthModuleID = PK11_GetModuleID(slot);
4750 sid->u.ssl3.clAuthValid = PR_TRUE;
4751 PK11_FreeSlot(slot);
4752 }
4753 /* If we're doing RSA key exchange, we're all done with the private key
4754 * here. Diffie-Hellman key exchanges need the client's
4755 * private key for the key exchange.
4756 */
4757 if (ss->ssl3.hs.kea_def->exchKeyType == kt_rsa) {
4758 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
4759 ss->ssl3.clientPrivateKey = NULL;
4760 }
4761 if (rv != SECSuccess) {
4762 goto done; /* err code was set by ssl3_SignHashes */
4763 }
4764
4765 rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, buf.len + 2);
4766 if (rv != SECSuccess) {
4767 goto done; /* error code set by AppendHandshake */
4768 }
4769 rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2);
4770 if (rv != SECSuccess) {
4771 goto done; /* error code set by AppendHandshake */
4772 }
4773
4774 done:
4775 if (buf.data)
4776 PORT_Free(buf.data);
4777 return rv;
4778 }
4779
4780 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
4781 * ssl3 ServerHello message.
4782 * Caller must hold Handshake and RecvBuf locks.
4783 */
4784 static SECStatus
4785 ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
4786 {
4787 sslSessionID *sid = ss->sec.ci.sid;
4788 PRInt32 temp; /* allow for consume number failure */
4789 PRBool suite_found = PR_FALSE;
4790 int i;
4791 int errCode = SSL_ERROR_RX_MALFORMED_SERVER_HELLO;
4792 SECStatus rv;
4793 SECItem sidBytes = {siBuffer, NULL, 0};
4794 PRBool sid_match;
4795 PRBool isTLS = PR_FALSE;
4796 SSL3AlertDescription desc = illegal_parameter;
4797 SSL3ProtocolVersion version;
4798
4799 SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello handshake",
4800 SSL_GETPID(), ss->fd));
4801 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
4802 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
4803
4804 rv = ssl3_InitState(ss);
4805 if (rv != SECSuccess) {
4806 errCode = PORT_GetError(); /* ssl3_InitState has set the error code. */
4807 goto alert_loser;
4808 }
4809 if (ss->ssl3.hs.ws != wait_server_hello) {
4810 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO;
4811 desc = unexpected_message;
4812 goto alert_loser;
4813 }
4814
4815 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
4816 if (temp < 0) {
4817 goto loser; /* alert has been sent */
4818 }
4819 version = (SSL3ProtocolVersion)temp;
4820
4821 /* this is appropriate since the negotiation is complete, and we only
4822 ** know SSL 3.x.
4823 */
4824 if (MSB(version) != MSB(SSL_LIBRARY_VERSION_3_0)) {
4825 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version
4826 : handshake_failure;
4827 goto alert_loser;
4828 }
4829
4830 rv = ssl3_NegotiateVersion(ss, version);
4831 if (rv != SECSuccess) {
4832 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version
4833 : handshake_failure;
4834 errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
4835 goto alert_loser;
4836 }
4837 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0);
4838
4839 rv = ssl3_ConsumeHandshake(
4840 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH, &b, &length);
4841 if (rv != SECSuccess) {
4842 goto loser; /* alert has been sent */
4843 }
4844
4845 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length);
4846 if (rv != SECSuccess) {
4847 goto loser; /* alert has been sent */
4848 }
4849 if (sidBytes.len > SSL3_SESSIONID_BYTES) {
4850 if (isTLS)
4851 desc = decode_error;
4852 goto alert_loser; /* malformed. */
4853 }
4854
4855 /* find selected cipher suite in our list. */
4856 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
4857 if (temp < 0) {
4858 goto loser; /* alert has been sent */
4859 }
4860 ssl3_config_match_init(ss);
4861 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
4862 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
4863 if ((temp == suite->cipher_suite) &&
4864 (config_match(suite, ss->ssl3.policy, PR_TRUE))) {
4865 suite_found = PR_TRUE;
4866 break; /* success */
4867 }
4868 }
4869 if (!suite_found) {
4870 desc = handshake_failure;
4871 errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
4872 goto alert_loser;
4873 }
4874 ss->ssl3.hs.cipher_suite = (ssl3CipherSuite)temp;
4875 ss->ssl3.hs.suite_def = ssl_LookupCipherSuiteDef((ssl3CipherSuite)temp);
4876 PORT_Assert(ss->ssl3.hs.suite_def);
4877 if (!ss->ssl3.hs.suite_def) {
4878 PORT_SetError(errCode = SEC_ERROR_LIBRARY_FAILURE);
4879 goto loser; /* we don't send alerts for our screw-ups. */
4880 }
4881
4882 /* find selected compression method in our list. */
4883 temp = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length);
4884 if (temp < 0) {
4885 goto loser; /* alert has been sent */
4886 }
4887 suite_found = PR_FALSE;
4888 for (i = 0; i < compressionMethodsCount; i++) {
4889 if (temp == compressions[i] &&
4890 compressionEnabled(ss, compressions[i])) {
4891 suite_found = PR_TRUE;
4892 break; /* success */
4893 }
4894 }
4895 if (!suite_found) {
4896 desc = handshake_failure;
4897 errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP;
4898 goto alert_loser;
4899 }
4900 ss->ssl3.hs.compression = (SSLCompressionMethod)temp;
4901
4902 /* Note that if !isTLS && length != 0, we do NOT goto alert_loser.
4903 * There are some old SSL 3.0 implementations that do send stuff
4904 * after the end of the server hello, and we deliberately ignore
4905 * such stuff in the interest of maximal interoperability (being
4906 * "generous in what you accept").
4907 */
4908 if (isTLS && length != 0) {
4909 SECItem extensions;
4910 rv = ssl3_ConsumeHandshakeVariable(ss, &extensions, 2, &b, &length);
4911 if (rv != SECSuccess || length != 0)
4912 goto alert_loser;
4913 rv = ssl3_HandleHelloExtensions(ss, &extensions.data, &extensions.len);
4914 if (rv != SECSuccess)
4915 goto alert_loser;
4916 }
4917
4918 /* Any errors after this point are not "malformed" errors. */
4919 desc = handshake_failure;
4920
4921 /* we need to call ssl3_SetupPendingCipherSpec here so we can check the
4922 * key exchange algorithm. */
4923 rv = ssl3_SetupPendingCipherSpec(ss);
4924 if (rv != SECSuccess) {
4925 goto alert_loser; /* error code is set. */
4926 }
4927
4928 /* We may or may not have sent a session id, we may get one back or
4929 * not and if so it may match the one we sent.
4930 * Attempt to restore the master secret to see if this is so...
4931 * Don't consider failure to find a matching SID an error.
4932 */
4933 sid_match = (PRBool)(sidBytes.len > 0 &&
4934 sidBytes.len == sid->u.ssl3.sessionIDLength &&
4935 !PORT_Memcmp(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len));
4936
4937 if (sid_match &&
4938 sid->version == ss->version &&
4939 sid->u.ssl3.cipherSuite == ss->ssl3.hs.cipher_suite) do {
4940 ssl3CipherSpec *pwSpec = ss->ssl3.pwSpec;
4941
4942 SECItem wrappedMS; /* wrapped master secret. */
4943
4944 ss->sec.authAlgorithm = sid->authAlgorithm;
4945 ss->sec.authKeyBits = sid->authKeyBits;
4946 ss->sec.keaType = sid->keaType;
4947 ss->sec.keaKeyBits = sid->keaKeyBits;
4948
4949 /* 3 cases here:
4950 * a) key is wrapped (implies using PKCS11)
4951 * b) key is unwrapped, but we're still using PKCS11
4952 * c) key is unwrapped, and we're bypassing PKCS11.
4953 */
4954 if (sid->u.ssl3.keys.msIsWrapped) {
4955 PK11SlotInfo *slot;
4956 PK11SymKey * wrapKey; /* wrapping key */
4957 CK_FLAGS keyFlags = 0;
4958
4959 if (ss->opt.bypassPKCS11) {
4960 /* we cannot restart a non-bypass session in a
4961 ** bypass socket.
4962 */
4963 break;
4964 }
4965 /* unwrap master secret with PKCS11 */
4966 slot = SECMOD_LookupSlot(sid->u.ssl3.masterModuleID,
4967 sid->u.ssl3.masterSlotID);
4968 if (slot == NULL) {
4969 break; /* not considered an error. */
4970 }
4971 if (!PK11_IsPresent(slot)) {
4972 PK11_FreeSlot(slot);
4973 break; /* not considered an error. */
4974 }
4975 wrapKey = PK11_GetWrapKey(slot, sid->u.ssl3.masterWrapIndex,
4976 sid->u.ssl3.masterWrapMech,
4977 sid->u.ssl3.masterWrapSeries,
4978 ss->pkcs11PinArg);
4979 PK11_FreeSlot(slot);
4980 if (wrapKey == NULL) {
4981 break; /* not considered an error. */
4982 }
4983
4984 if (ss->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */
4985 keyFlags = CKF_SIGN | CKF_VERIFY;
4986 }
4987
4988 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
4989 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
4990 pwSpec->master_secret =
4991 PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech,
4992 NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE,
4993 CKA_DERIVE, sizeof(SSL3MasterSecret), keyFlags);
4994 errCode = PORT_GetError();
4995 PK11_FreeSymKey(wrapKey);
4996 if (pwSpec->master_secret == NULL) {
4997 break; /* errorCode set just after call to UnwrapSymKey. */
4998 }
4999 } else if (ss->opt.bypassPKCS11) {
5000 /* MS is not wrapped */
5001 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
5002 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
5003 memcpy(pwSpec->raw_master_secret, wrappedMS.data, wrappedMS.len);
5004 pwSpec->msItem.data = pwSpec->raw_master_secret;
5005 pwSpec->msItem.len = wrappedMS.len;
5006 } else {
5007 /* We CAN restart a bypass session in a non-bypass socket. */
5008 /* need to import the raw master secret to session object */
5009 PK11SlotInfo *slot = PK11_GetInternalSlot();
5010 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
5011 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
5012 pwSpec->master_secret =
5013 PK11_ImportSymKey(slot, CKM_SSL3_MASTER_KEY_DERIVE,
5014 PK11_OriginUnwrap, CKA_ENCRYPT,
5015 &wrappedMS, NULL);
5016 PK11_FreeSlot(slot);
5017 if (pwSpec->master_secret == NULL) {
5018 break;
5019 }
5020 }
5021
5022 /* Got a Match */
5023 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_hits );
5024
5025 /* If we sent a session ticket, then this is a stateless resume. */
5026 if (sid->version > SSL_LIBRARY_VERSION_3_0 &&
5027 sid->u.ssl3.sessionTicket.ticket.data != NULL)
5028 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_stateless_resumes );
5029
5030 if (ssl3_ExtensionNegotiated(ss, session_ticket_xtn))
5031 ss->ssl3.hs.ws = wait_new_session_ticket;
5032 else
5033 ss->ssl3.hs.ws = wait_change_cipher;
5034
5035 ss->ssl3.hs.isResuming = PR_TRUE;
5036
5037 /* copy the peer cert from the SID */
5038 if (sid->peerCert != NULL) {
5039 ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
5040 }
5041
5042
5043 /* NULL value for PMS signifies re-use of the old MS */
5044 rv = ssl3_InitPendingCipherSpec(ss, NULL);
5045 if (rv != SECSuccess) {
5046 goto alert_loser; /* err code was set */
5047 }
5048 return SECSuccess;
5049 } while (0);
5050
5051 if (sid_match)
5052 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_not_ok );
5053 else
5054 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_misses );
5055
5056 /* throw the old one away */
5057 sid->u.ssl3.keys.resumable = PR_FALSE;
5058 (*ss->sec.uncache)(sid);
5059 ssl_FreeSID(sid);
5060
5061 /* get a new sid */
5062 ss->sec.ci.sid = sid = ssl3_NewSessionID(ss, PR_FALSE);
5063 if (sid == NULL) {
5064 goto alert_loser; /* memory error is set. */
5065 }
5066
5067 sid->version = ss->version;
5068 sid->u.ssl3.sessionIDLength = sidBytes.len;
5069 PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len);
5070
5071 ss->ssl3.hs.isResuming = PR_FALSE;
5072 ss->ssl3.hs.ws = wait_server_cert;
5073 return SECSuccess;
5074
5075 alert_loser:
5076 (void)SSL3_SendAlert(ss, alert_fatal, desc);
5077
5078 loser:
5079 errCode = ssl_MapLowLevelError(errCode);
5080 return SECFailure;
5081 }
5082
5083 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
5084 * ssl3 ServerKeyExchange message.
5085 * Caller must hold Handshake and RecvBuf locks.
5086 */
5087 static SECStatus
5088 ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
5089 {
5090 PRArenaPool * arena = NULL;
5091 SECKEYPublicKey *peerKey = NULL;
5092 PRBool isTLS;
5093 SECStatus rv;
5094 int errCode = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH;
5095 SSL3AlertDescription desc = illegal_parameter;
5096 SSL3Hashes hashes;
5097 SECItem signature = {siBuffer, NULL, 0};
5098
5099 SSL_TRC(3, ("%d: SSL3[%d]: handle server_key_exchange handshake",
5100 SSL_GETPID(), ss->fd));
5101 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
5102 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
5103
5104 if (ss->ssl3.hs.ws != wait_server_key &&
5105 ss->ssl3.hs.ws != wait_server_cert) {
5106 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH;
5107 desc = unexpected_message;
5108 goto alert_loser;
5109 }
5110 if (ss->sec.peerCert == NULL) {
5111 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH;
5112 desc = unexpected_message;
5113 goto alert_loser;
5114 }
5115
5116 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
5117
5118 switch (ss->ssl3.hs.kea_def->exchKeyType) {
5119
5120 case kt_rsa: {
5121 SECItem modulus = {siBuffer, NULL, 0};
5122 SECItem exponent = {siBuffer, NULL, 0};
5123
5124 rv = ssl3_ConsumeHandshakeVariable(ss, &modulus, 2, &b, &length);
5125 if (rv != SECSuccess) {
5126 goto loser; /* malformed. */
5127 }
5128 rv = ssl3_ConsumeHandshakeVariable(ss, &exponent, 2, &b, &length);
5129 if (rv != SECSuccess) {
5130 goto loser; /* malformed. */
5131 }
5132 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
5133 if (rv != SECSuccess) {
5134 goto loser; /* malformed. */
5135 }
5136 if (length != 0) {
5137 if (isTLS)
5138 desc = decode_error;
5139 goto alert_loser; /* malformed. */
5140 }
5141
5142 /* failures after this point are not malformed handshakes. */
5143 /* TLS: send decrypt_error if signature failed. */
5144 desc = isTLS ? decrypt_error : handshake_failure;
5145
5146 /*
5147 * check to make sure the hash is signed by right guy
5148 */
5149 rv = ssl3_ComputeExportRSAKeyHash(modulus, exponent,
5150 &ss->ssl3.hs.client_random,
5151 &ss->ssl3.hs.server_random,
5152 &hashes, ss->opt.bypassPKCS11);
5153 if (rv != SECSuccess) {
5154 errCode =
5155 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
5156 goto alert_loser;
5157 }
5158 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
5159 isTLS, ss->pkcs11PinArg);
5160 if (rv != SECSuccess) {
5161 errCode =
5162 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
5163 goto alert_loser;
5164 }
5165
5166 /*
5167 * we really need to build a new key here because we can no longer
5168 * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate
5169 * pkcs11 slots and ID's.
5170 */
5171 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
5172 if (arena == NULL) {
5173 goto no_memory;
5174 }
5175
5176 peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
5177 if (peerKey == NULL) {
5178 PORT_FreeArena(arena, PR_FALSE);
5179 goto no_memory;
5180 }
5181
5182 peerKey->arena = arena;
5183 peerKey->keyType = rsaKey;
5184 peerKey->pkcs11Slot = NULL;
5185 peerKey->pkcs11ID = CK_INVALID_HANDLE;
5186 if (SECITEM_CopyItem(arena, &peerKey->u.rsa.modulus, &modulus) ||
5187 SECITEM_CopyItem(arena, &peerKey->u.rsa.publicExponent, &exponent))
5188 {
5189 PORT_FreeArena(arena, PR_FALSE);
5190 goto no_memory;
5191 }
5192 ss->sec.peerKey = peerKey;
5193 ss->ssl3.hs.ws = wait_cert_request;
5194 return SECSuccess;
5195 }
5196
5197 case kt_dh: {
5198 SECItem dh_p = {siBuffer, NULL, 0};
5199 SECItem dh_g = {siBuffer, NULL, 0};
5200 SECItem dh_Ys = {siBuffer, NULL, 0};
5201
5202 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_p, 2, &b, &length);
5203 if (rv != SECSuccess) {
5204 goto loser; /* malformed. */
5205 }
5206 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_g, 2, &b, &length);
5207 if (rv != SECSuccess) {
5208 goto loser; /* malformed. */
5209 }
5210 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_Ys, 2, &b, &length);
5211 if (rv != SECSuccess) {
5212 goto loser; /* malformed. */
5213 }
5214 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
5215 if (rv != SECSuccess) {
5216 goto loser; /* malformed. */
5217 }
5218 if (length != 0) {
5219 if (isTLS)
5220 desc = decode_error;
5221 goto alert_loser; /* malformed. */
5222 }
5223
5224 PRINT_BUF(60, (NULL, "Server DH p", dh_p.data, dh_p.len));
5225 PRINT_BUF(60, (NULL, "Server DH g", dh_g.data, dh_g.len));
5226 PRINT_BUF(60, (NULL, "Server DH Ys", dh_Ys.data, dh_Ys.len));
5227
5228 /* failures after this point are not malformed handshakes. */
5229 /* TLS: send decrypt_error if signature failed. */
5230 desc = isTLS ? decrypt_error : handshake_failure;
5231
5232 /*
5233 * check to make sure the hash is signed by right guy
5234 */
5235 rv = ssl3_ComputeDHKeyHash(dh_p, dh_g, dh_Ys,
5236 &ss->ssl3.hs.client_random,
5237 &ss->ssl3.hs.server_random,
5238 &hashes, ss->opt.bypassPKCS11);
5239 if (rv != SECSuccess) {
5240 errCode =
5241 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
5242 goto alert_loser;
5243 }
5244 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
5245 isTLS, ss->pkcs11PinArg);
5246 if (rv != SECSuccess) {
5247 errCode =
5248 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
5249 goto alert_loser;
5250 }
5251
5252 /*
5253 * we really need to build a new key here because we can no longer
5254 * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate
5255 * pkcs11 slots and ID's.
5256 */
5257 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
5258 if (arena == NULL) {
5259 goto no_memory;
5260 }
5261
5262 ss->sec.peerKey = peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
5263 if (peerKey == NULL) {
5264 goto no_memory;
5265 }
5266
5267 peerKey->arena = arena;
5268 peerKey->keyType = dhKey;
5269 peerKey->pkcs11Slot = NULL;
5270 peerKey->pkcs11ID = CK_INVALID_HANDLE;
5271
5272 if (SECITEM_CopyItem(arena, &peerKey->u.dh.prime, &dh_p) ||
5273 SECITEM_CopyItem(arena, &peerKey->u.dh.base, &dh_g) ||
5274 SECITEM_CopyItem(arena, &peerKey->u.dh.publicValue, &dh_Ys))
5275 {
5276 PORT_FreeArena(arena, PR_FALSE);
5277 goto no_memory;
5278 }
5279 ss->sec.peerKey = peerKey;
5280 ss->ssl3.hs.ws = wait_cert_request;
5281 return SECSuccess;
5282 }
5283
5284 #ifdef NSS_ENABLE_ECC
5285 case kt_ecdh:
5286 rv = ssl3_HandleECDHServerKeyExchange(ss, b, length);
5287 return rv;
5288 #endif /* NSS_ENABLE_ECC */
5289
5290 default:
5291 desc = handshake_failure;
5292 errCode = SEC_ERROR_UNSUPPORTED_KEYALG;
5293 break; /* goto alert_loser; */
5294 }
5295
5296 alert_loser:
5297 (void)SSL3_SendAlert(ss, alert_fatal, desc);
5298 loser:
5299 PORT_SetError( errCode );
5300 return SECFailure;
5301
5302 no_memory: /* no-memory error has already been set. */
5303 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
5304 return SECFailure;
5305 }
5306
5307
5308 typedef struct dnameNode {
5309 struct dnameNode *next;
5310 SECItem name;
5311 } dnameNode;
5312
5313 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
5314 * ssl3 Certificate Request message.
5315 * Caller must hold Handshake and RecvBuf locks.
5316 */
5317 static SECStatus
5318 ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
5319 {
5320 PRArenaPool * arena = NULL;
5321 dnameNode * node;
5322 PRInt32 remaining;
5323 PRBool isTLS = PR_FALSE;
5324 int i;
5325 int errCode = SSL_ERROR_RX_MALFORMED_CERT_REQUEST;
5326 int nnames = 0;
5327 SECStatus rv;
5328 SSL3AlertDescription desc = illegal_parameter;
5329 SECItem cert_types = {siBuffer, NULL, 0};
5330 CERTDistNames ca_list;
5331
5332 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake",
5333 SSL_GETPID(), ss->fd));
5334 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
5335 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
5336
5337 if (ss->ssl3.hs.ws != wait_cert_request &&
5338 ss->ssl3.hs.ws != wait_server_key) {
5339 desc = unexpected_message;
5340 errCode = SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST;
5341 goto alert_loser;
5342 }
5343
5344 /* clean up anything left from previous handshake. */
5345 if (ss->ssl3.clientCertChain != NULL) {
5346 CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
5347 ss->ssl3.clientCertChain = NULL;
5348 }
5349 if (ss->ssl3.clientCertificate != NULL) {
5350 CERT_DestroyCertificate(ss->ssl3.clientCertificate);
5351 ss->ssl3.clientCertificate = NULL;
5352 }
5353 if (ss->ssl3.clientPrivateKey != NULL) {
5354 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
5355 ss->ssl3.clientPrivateKey = NULL;
5356 }
5357
5358 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
5359 rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length);
5360 if (rv != SECSuccess)
5361 goto loser; /* malformed, alert has been sent */
5362
5363 arena = ca_list.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
5364 if (arena == NULL)
5365 goto no_mem;
5366
5367 remaining = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
5368 if (remaining < 0)
5369 goto loser; /* malformed, alert has been sent */
5370
5371 if ((PRUint32)remaining > length)
5372 goto alert_loser;
5373
5374 ca_list.head = node = PORT_ArenaZNew(arena, dnameNode);
5375 if (node == NULL)
5376 goto no_mem;
5377
5378 while (remaining > 0) {
5379 PRInt32 len;
5380
5381 if (remaining < 2)
5382 goto alert_loser; /* malformed */
5383
5384 node->name.len = len = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
5385 if (len <= 0)
5386 goto loser; /* malformed, alert has been sent */
5387
5388 remaining -= 2;
5389 if (remaining < len)
5390 goto alert_loser; /* malformed */
5391
5392 node->name.data = b;
5393 b += len;
5394 length -= len;
5395 remaining -= len;
5396 nnames++;
5397 if (remaining <= 0)
5398 break; /* success */
5399
5400 node->next = PORT_ArenaZNew(arena, dnameNode);
5401 node = node->next;
5402 if (node == NULL)
5403 goto no_mem;
5404 }
5405
5406 ca_list.nnames = nnames;
5407 ca_list.names = PORT_ArenaNewArray(arena, SECItem, nnames);
5408 if (nnames > 0 && ca_list.names == NULL)
5409 goto no_mem;
5410
5411 for(i = 0, node = (dnameNode*)ca_list.head;
5412 i < nnames;
5413 i++, node = node->next) {
5414 ca_list.names[i] = node->name;
5415 }
5416
5417 if (length != 0)
5418 goto alert_loser; /* malformed */
5419
5420 desc = no_certificate;
5421 ss->ssl3.hs.ws = wait_hello_done;
5422
5423 if (ss->getClientAuthData == NULL) {
5424 rv = SECFailure; /* force it to send a no_certificate alert */
5425 } else {
5426 /* XXX Should pass cert_types in this call!! */
5427 rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg,
5428 ss->fd, &ca_list,
5429 &ss->ssl3.clientCertificate,
5430 &ss->ssl3.clientPrivateKey);
5431 }
5432 switch (rv) {
5433 case SECWouldBlock: /* getClientAuthData has put up a dialog box. */
5434 ssl_SetAlwaysBlock(ss);
5435 break; /* not an error */
5436
5437 case SECSuccess:
5438 /* check what the callback function returned */
5439 if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) {
5440 /* we are missing either the key or cert */
5441 if (ss->ssl3.clientCertificate) {
5442 /* got a cert, but no key - free it */
5443 CERT_DestroyCertificate(ss->ssl3.clientCertificate);
5444 ss->ssl3.clientCertificate = NULL;
5445 }
5446 if (ss->ssl3.clientPrivateKey) {
5447 /* got a key, but no cert - free it */
5448 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
5449 ss->ssl3.clientPrivateKey = NULL;
5450 }
5451 goto send_no_certificate;
5452 }
5453 /* Setting ssl3.clientCertChain non-NULL will cause
5454 * ssl3_HandleServerHelloDone to call SendCertificate.
5455 */
5456 ss->ssl3.clientCertChain = CERT_CertChainFromCert(
5457 ss->ssl3.clientCertificate,
5458 certUsageSSLClient, PR_FALSE);
5459 if (ss->ssl3.clientCertChain == NULL) {
5460 if (ss->ssl3.clientCertificate != NULL) {
5461 CERT_DestroyCertificate(ss->ssl3.clientCertificate);
5462 ss->ssl3.clientCertificate = NULL;
5463 }
5464 if (ss->ssl3.clientPrivateKey != NULL) {
5465 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
5466 ss->ssl3.clientPrivateKey = NULL;
5467 }
5468 goto send_no_certificate;
5469 }
5470 break; /* not an error */
5471
5472 case SECFailure:
5473 default:
5474 send_no_certificate:
5475 if (isTLS) {
5476 ss->ssl3.sendEmptyCert = PR_TRUE;
5477 } else {
5478 (void)SSL3_SendAlert(ss, alert_warning, no_certificate);
5479 }
5480 rv = SECSuccess;
5481 break;
5482 }
5483 goto done;
5484
5485 no_mem:
5486 rv = SECFailure;
5487 PORT_SetError(SEC_ERROR_NO_MEMORY);
5488 goto done;
5489
5490 alert_loser:
5491 if (isTLS && desc == illegal_parameter)
5492 desc = decode_error;
5493 (void)SSL3_SendAlert(ss, alert_fatal, desc);
5494 loser:
5495 PORT_SetError(errCode);
5496 rv = SECFailure;
5497 done:
5498 if (arena != NULL)
5499 PORT_FreeArena(arena, PR_FALSE);
5500 return rv;
5501 }
5502
5503 /*
5504 * attempt to restart the handshake after asynchronously handling
5505 * a request for the client's certificate.
5506 *
5507 * inputs:
5508 * cert Client cert chosen by application.
5509 * Note: ssl takes this reference, and does not bump the
5510 * reference count. The caller should drop its reference
5511 * without calling CERT_DestroyCert after calling this function.
5512 *
5513 * key Private key associated with cert. This function makes a
5514 * copy of the private key, so the caller remains responsible
5515 * for destroying its copy after this function returns.
5516 *
5517 * certChain DER-encoded certs, client cert and its signers.
5518 * Note: ssl takes this reference, and does not copy the chain.
5519 * The caller should drop its reference without destroying the
5520 * chain. SSL will free the chain when it is done with it.
5521 *
5522 * Return value: XXX
5523 *
5524 * XXX This code only works on the initial handshake on a connection, XXX
5525 * It does not work on a subsequent handshake (redo).
5526 *
5527 * Caller holds 1stHandshakeLock.
5528 */
5529 SECStatus
5530 ssl3_RestartHandshakeAfterCertReq(sslSocket * ss,
5531 CERTCertificate * cert,
5532 SECKEYPrivateKey * key,
5533 CERTCertificateList *certChain)
5534 {
5535 SECStatus rv = SECSuccess;
5536
5537 if (MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0)) {
5538 /* XXX This code only works on the initial handshake on a connection,
5539 ** XXX It does not work on a subsequent handshake (redo).
5540 */
5541 if (ss->handshake != 0) {
5542 ss->handshake = ssl_GatherRecord1stHandshake;
5543 ss->ssl3.clientCertificate = cert;
5544 ss->ssl3.clientCertChain = certChain;
5545 if (key == NULL) {
5546 (void)SSL3_SendAlert(ss, alert_warning, no_certificate);
5547 ss->ssl3.clientPrivateKey = NULL;
5548 } else {
5549 ss->ssl3.clientPrivateKey = SECKEY_CopyPrivateKey(key);
5550 }
5551 ssl_GetRecvBufLock(ss);
5552 if (ss->ssl3.hs.msgState.buf != NULL) {
5553 rv = ssl3_HandleRecord(ss, NULL, &ss->gs.buf);
5554 }
5555 ssl_ReleaseRecvBufLock(ss);
5556 }
5557 }
5558 return rv;
5559 }
5560
5561
5562
5563 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
5564 * ssl3 Server Hello Done message.
5565 * Caller must hold Handshake and RecvBuf locks.
5566 */
5567 static SECStatus
5568 ssl3_HandleServerHelloDone(sslSocket *ss)
5569 {
5570 SECStatus rv;
5571 SSL3WaitState ws = ss->ssl3.hs.ws;
5572 PRBool send_verify = PR_FALSE;
5573
5574 SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello_done handshake",
5575 SSL_GETPID(), ss->fd));
5576 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
5577 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
5578
5579 if (ws != wait_hello_done &&
5580 ws != wait_server_cert &&
5581 ws != wait_server_key &&
5582 ws != wait_cert_request) {
5583 SSL3_SendAlert(ss, alert_fatal, unexpected_message);
5584 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
5585 return SECFailure;
5586 }
5587
5588 ssl_GetXmitBufLock(ss); /*******************************/
5589
5590 if (ss->ssl3.sendEmptyCert) {
5591 ss->ssl3.sendEmptyCert = PR_FALSE;
5592 rv = ssl3_SendEmptyCertificate(ss);
5593 /* Don't send verify */
5594 if (rv != SECSuccess) {
5595 goto loser; /* error code is set. */
5596 }
5597 } else
5598 if (ss->ssl3.clientCertChain != NULL &&
5599 ss->ssl3.clientPrivateKey != NULL) {
5600 send_verify = PR_TRUE;
5601 rv = ssl3_SendCertificate(ss);
5602 if (rv != SECSuccess) {
5603 goto loser; /* error code is set. */
5604 }
5605 }
5606
5607 rv = ssl3_SendClientKeyExchange(ss);
5608 if (rv != SECSuccess) {
5609 goto loser; /* err is set. */
5610 }
5611
5612 if (send_verify) {
5613 rv = ssl3_SendCertificateVerify(ss);
5614 if (rv != SECSuccess) {
5615 goto loser; /* err is set. */
5616 }
5617 }
5618 rv = ssl3_SendChangeCipherSpecs(ss);
5619 if (rv != SECSuccess) {
5620 goto loser; /* err code was set. */
5621 }
5622 rv = ssl3_SendFinished(ss, 0);
5623 if (rv != SECSuccess) {
5624 goto loser; /* err code was set. */
5625 }
5626
5627 ssl_ReleaseXmitBufLock(ss); /*******************************/
5628
5629 if (ssl3_ExtensionNegotiated(ss, session_ticket_xtn))
5630 ss->ssl3.hs.ws = wait_new_session_ticket;
5631 else
5632 ss->ssl3.hs.ws = wait_change_cipher;
5633 return SECSuccess;
5634
5635 loser:
5636 ssl_ReleaseXmitBufLock(ss);
5637 return rv;
5638 }
5639
5640 /*
5641 * Routines used by servers
5642 */
5643 static SECStatus
5644 ssl3_SendHelloRequest(sslSocket *ss)
5645 {
5646 SECStatus rv;
5647
5648 SSL_TRC(3, ("%d: SSL3[%d]: send hello_request handshake", SSL_GETPID(),
5649 ss->fd));
5650
5651 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
5652 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
5653
5654 rv = ssl3_AppendHandshakeHeader(ss, hello_request, 0);
5655 if (rv != SECSuccess) {
5656 return rv; /* err set by AppendHandshake */
5657 }
5658 rv = ssl3_FlushHandshake(ss, 0);
5659 if (rv != SECSuccess) {
5660 return rv; /* error code set by ssl3_FlushHandshake */
5661 }
5662 ss->ssl3.hs.ws = wait_client_hello;
5663 return SECSuccess;
5664 }
5665
5666 /* Sets memory error when returning NULL.
5667 * Called from:
5668 * ssl3_SendClientHello()
5669 * ssl3_HandleServerHello()
5670 * ssl3_HandleClientHello()
5671 * ssl3_HandleV2ClientHello()
5672 */
5673 sslSessionID *
5674 ssl3_NewSessionID(sslSocket *ss, PRBool is_server)
5675 {
5676 sslSessionID *sid;
5677
5678 sid = PORT_ZNew(sslSessionID);
5679 if (sid == NULL)
5680 return sid;
5681
5682 sid->peerID = (ss->peerID == NULL) ? NULL : PORT_Strdup(ss->peerID);
5683 sid->urlSvrName = (ss->url == NULL) ? NULL : PORT_Strdup(ss->url);
5684 sid->addr = ss->sec.ci.peer;
5685 sid->port = ss->sec.ci.port;
5686 sid->references = 1;
5687 sid->cached = never_cached;
5688 sid->version = ss->version;
5689
5690 sid->u.ssl3.keys.resumable = PR_TRUE;
5691 sid->u.ssl3.policy = SSL_ALLOWED;
5692 sid->u.ssl3.clientWriteKey = NULL;
5693 sid->u.ssl3.serverWriteKey = NULL;
5694
5695 if (is_server) {
5696 SECStatus rv;
5697 int pid = SSL_GETPID();
5698
5699 sid->u.ssl3.sessionIDLength = SSL3_SESSIONID_BYTES;
5700 sid->u.ssl3.sessionID[0] = (pid >> 8) & 0xff;
5701 sid->u.ssl3.sessionID[1] = pid & 0xff;
5702 rv = PK11_GenerateRandom(sid->u.ssl3.sessionID + 2,
5703 SSL3_SESSIONID_BYTES -2);
5704 if (rv != SECSuccess) {
5705 ssl_FreeSID(sid);
5706 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
5707 return NULL;
5708 }
5709 }
5710 return sid;
5711 }
5712
5713 /* Called from: ssl3_HandleClientHello, ssl3_HandleV2ClientHello */
5714 static SECStatus
5715 ssl3_SendServerHelloSequence(sslSocket *ss)
5716 {
5717 const ssl3KEADef *kea_def;
5718 SECStatus rv;
5719
5720 SSL_TRC(3, ("%d: SSL3[%d]: begin send server_hello sequence",
5721 SSL_GETPID(), ss->fd));
5722
5723 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
5724 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
5725
5726 rv = ssl3_SendServerHello(ss);
5727 if (rv != SECSuccess) {
5728 return rv; /* err code is set. */
5729 }
5730 rv = ssl3_SendCertificate(ss);
5731 if (rv != SECSuccess) {
5732 return rv; /* error code is set. */
5733 }
5734 /* We have to do this after the call to ssl3_SendServerHello,
5735 * because kea_def is set up by ssl3_SendServerHello().
5736 */
5737 kea_def = ss->ssl3.hs.kea_def;
5738 ss->ssl3.hs.usedStepDownKey = PR_FALSE;
5739
5740 if (kea_def->is_limited && kea_def->exchKeyType == kt_rsa) {
5741 /* see if we can legally use the key in the cert. */
5742 int keyLen; /* bytes */
5743
5744 keyLen = PK11_GetPrivateModulusLen(
5745 ss->serverCerts[kea_def->exchKeyType].SERVERKEY);
5746
5747 if (keyLen > 0 &&
5748 keyLen * BPB <= kea_def->key_size_limit ) {
5749 /* XXX AND cert is not signing only!! */
5750 /* just fall through and use it. */
5751 } else if (ss->stepDownKeyPair != NULL) {
5752 ss->ssl3.hs.usedStepDownKey = PR_TRUE;
5753 rv = ssl3_SendServerKeyExchange(ss);
5754 if (rv != SECSuccess) {
5755 return rv; /* err code was set. */
5756 }
5757 } else {
5758 #ifndef HACKED_EXPORT_SERVER
5759 PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED);
5760 return rv;
5761 #endif
5762 }
5763 #ifdef NSS_ENABLE_ECC
5764 } else if ((kea_def->kea == kea_ecdhe_rsa) ||
5765 (kea_def->kea == kea_ecdhe_ecdsa)) {
5766 rv = ssl3_SendServerKeyExchange(ss);
5767 if (rv != SECSuccess) {
5768 return rv; /* err code was set. */
5769 }
5770 #endif /* NSS_ENABLE_ECC */
5771 }
5772
5773 if (ss->opt.requestCertificate) {
5774 rv = ssl3_SendCertificateRequest(ss);
5775 if (rv != SECSuccess) {
5776 return rv; /* err code is set. */
5777 }
5778 }
5779 rv = ssl3_SendServerHelloDone(ss);
5780 if (rv != SECSuccess) {
5781 return rv; /* err code is set. */
5782 }
5783
5784 ss->ssl3.hs.ws = (ss->opt.requestCertificate) ? wait_client_cert
5785 : wait_client_key;
5786 return SECSuccess;
5787 }
5788
5789 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
5790 * ssl3 Client Hello message.
5791 * Caller must hold Handshake and RecvBuf locks.
5792 */
5793 static SECStatus
5794 ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
5795 {
5796 sslSessionID * sid = NULL;
5797 PRInt32 tmp;
5798 unsigned int i;
5799 int j;
5800 SECStatus rv;
5801 int errCode = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO;
5802 SSL3AlertDescription desc = illegal_parameter;
5803 SSL3AlertLevel level = alert_fatal;
5804 SSL3ProtocolVersion version;
5805 SECItem sidBytes = {siBuffer, NULL, 0};
5806 SECItem suites = {siBuffer, NULL, 0};
5807 SECItem comps = {siBuffer, NULL, 0};
5808 PRBool haveSpecWriteLock = PR_FALSE;
5809 PRBool haveXmitBufLock = PR_FALSE;
5810
5811 SSL_TRC(3, ("%d: SSL3[%d]: handle client_hello handshake",
5812 SSL_GETPID(), ss->fd));
5813
5814 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
5815 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
5816
5817 /* Get peer name of client */
5818 rv = ssl_GetPeerInfo(ss);
5819 if (rv != SECSuccess) {
5820 return rv; /* error code is set. */
5821 }
5822
5823 /* We might be starting session renegotiation in which case we should
5824 * clear previous state.
5825 */
5826 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
5827 ss->statelessResume = PR_FALSE;
5828
5829 rv = ssl3_InitState(ss);
5830 if (rv != SECSuccess) {
5831 return rv; /* ssl3_InitState has set the error code. */
5832 }
5833
5834 if ((ss->ssl3.hs.ws != wait_client_hello) &&
5835 (ss->ssl3.hs.ws != idle_handshake)) {
5836 desc = unexpected_message;
5837 errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO;
5838 goto alert_loser;
5839 }
5840 if (ss->ssl3.hs.ws == idle_handshake &&
5841 ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) {
5842 desc = no_renegotiation;
5843 level = alert_warning;
5844 errCode = SSL_ERROR_RENEGOTIATION_NOT_ALLOWED;
5845 goto alert_loser;
5846 }
5847
5848 tmp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
5849 if (tmp < 0)
5850 goto loser; /* malformed, alert already sent */
5851 ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp;
5852 rv = ssl3_NegotiateVersion(ss, version);
5853 if (rv != SECSuccess) {
5854 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version
5855 : handshake_failure;
5856 errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
5857 goto alert_loser;
5858 }
5859
5860 /* grab the client random data. */
5861 rv = ssl3_ConsumeHandshake(
5862 ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length);
5863 if (rv != SECSuccess) {
5864 goto loser; /* malformed */
5865 }
5866
5867 /* grab the client's SID, if present. */
5868 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length);
5869 if (rv != SECSuccess) {
5870 goto loser; /* malformed */
5871 }
5872
5873 /* grab the list of cipher suites. */
5874 rv = ssl3_ConsumeHandshakeVariable(ss, &suites, 2, &b, &length);
5875 if (rv != SECSuccess) {
5876 goto loser; /* malformed */
5877 }
5878
5879 /* grab the list of compression methods. */
5880 rv = ssl3_ConsumeHandshakeVariable(ss, &comps, 1, &b, &length);
5881 if (rv != SECSuccess) {
5882 goto loser; /* malformed */
5883 }
5884
5885 desc = handshake_failure;
5886
5887 /* Handle TLS hello extensions for SSL3 & TLS. We do not know if
5888 * we are restarting a previous session until extensions have been
5889 * parsed, since we might have received a SessionTicket extension.
5890 * Note: we allow extensions even when negotiating SSL3 for the sake
5891 * of interoperability (and backwards compatibility).
5892 */
5893
5894 if (length) {
5895 /* Get length of hello extensions */
5896 PRInt32 extension_length;
5897 extension_length = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
5898 if (extension_length < 0) {
5899 goto loser; /* alert already sent */
5900 }
5901 if (extension_length != length) {
5902 ssl3_DecodeError(ss); /* send alert */
5903 goto loser;
5904 }
5905 rv = ssl3_HandleHelloExtensions(ss, &b, &length);
5906 if (rv != SECSuccess) {
5907 goto loser; /* malformed */
5908 }
5909 }
5910
5911 /* We do stateful resumes only if either of the following
5912 * conditions are satisfied: (1) the client does not support the
5913 * session ticket extension, or (2) the client support the session
5914 * ticket extension, but sent an empty ticket.
5915 */
5916 if (!ssl3_ExtensionNegotiated(ss, session_ticket_xtn) ||
5917 ss->xtnData.emptySessionTicket) {
5918 if (sidBytes.len > 0 && !ss->opt.noCache) {
5919 SSL_TRC(7, ("%d: SSL3[%d]: server, lookup client session-id for 0x%0 8x%08x%08x%08x",
5920 SSL_GETPID(), ss->fd, ss->sec.ci.peer.pr_s6_addr32[0],
5921 ss->sec.ci.peer.pr_s6_addr32[1],
5922 ss->sec.ci.peer.pr_s6_addr32[2],
5923 ss->sec.ci.peer.pr_s6_addr32[3]));
5924 if (ssl_sid_lookup) {
5925 sid = (*ssl_sid_lookup)(&ss->sec.ci.peer, sidBytes.data,
5926 sidBytes.len, ss->dbHandle);
5927 } else {
5928 errCode = SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED;
5929 goto loser;
5930 }
5931 }
5932 } else if (ss->statelessResume) {
5933 /* Fill in the client's session ID if doing a stateless resume.
5934 * (When doing stateless resumes, server echos client's SessionID.)
5935 */
5936 sid = ss->sec.ci.sid;
5937 PORT_Assert(sid != NULL); /* Should have already been filled in.*/
5938
5939 if (sidBytes.len > 0 && sidBytes.len <= SSL3_SESSIONID_BYTES) {
5940 sid->u.ssl3.sessionIDLength = sidBytes.len;
5941 PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data,
5942 sidBytes.len);
5943 sid->u.ssl3.sessionIDLength = sidBytes.len;
5944 } else {
5945 sid->u.ssl3.sessionIDLength = 0;
5946 }
5947 ss->sec.ci.sid = NULL;
5948 }
5949
5950 /* We only send a session ticket extension if the client supports
5951 * the extension and we are unable to do either a stateful or
5952 * stateless resume.
5953 *
5954 * TODO: send a session ticket if performing a stateful
5955 * resumption. (As per RFC4507, a server may issue a session
5956 * ticket while doing a (stateless or stateful) session resume,
5957 * but OpenSSL-0.9.8g does not accept session tickets while
5958 * resuming.)
5959 */
5960 if (ssl3_ExtensionNegotiated(ss, session_ticket_xtn) && sid == NULL) {
5961 ssl3_RegisterServerHelloExtensionSender(ss,
5962 session_ticket_xtn, ssl3_SendSessionTicketXtn);
5963 }
5964
5965 if (sid != NULL) {
5966 /* We've found a session cache entry for this client.
5967 * Now, if we're going to require a client-auth cert,
5968 * and we don't already have this client's cert in the session cache,
5969 * and this is the first handshake on this connection (not a redo),
5970 * then drop this old cache entry and start a new session.
5971 */
5972 if ((sid->peerCert == NULL) && ss->opt.requestCertificate &&
5973 ((ss->opt.requireCertificate == SSL_REQUIRE_ALWAYS) ||
5974 (ss->opt.requireCertificate == SSL_REQUIRE_NO_ERROR) ||
5975 ((ss->opt.requireCertificate == SSL_REQUIRE_FIRST_HANDSHAKE)
5976 && !ss->firstHsDone))) {
5977
5978 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_not_ok );
5979 ss->sec.uncache(sid);
5980 ssl_FreeSID(sid);
5981 sid = NULL;
5982 }
5983 }
5984
5985 #ifdef NSS_ENABLE_ECC
5986 /* Disable any ECC cipher suites for which we have no cert. */
5987 ssl3_FilterECCipherSuitesByServerCerts(ss);
5988 #endif
5989
5990 #ifdef PARANOID
5991 /* Look for a matching cipher suite. */
5992 j = ssl3_config_match_init(ss);
5993 if (j <= 0) { /* no ciphers are working/supported by PK11 */
5994 errCode = PORT_GetError(); /* error code is already set. */
5995 goto alert_loser;
5996 }
5997 #endif
5998
5999 /* If we already have a session for this client, be sure to pick the
6000 ** same cipher suite we picked before.
6001 ** This is not a loop, despite appearances.
6002 */
6003 if (sid) do {
6004 /* First check that the compression method in the session was
6005 ** advertised by the client.
6006 */
6007
6008 for (i = 0; i < comps.len; i++) {
6009 if (comps.data[i] == sid->u.ssl3.compression)
6010 break;
6011 }
6012
6013 if (i == comps.len)
6014 break;
6015
6016 #ifdef PARANOID
6017 /* Check that the compression method is still enabled. */
6018 if (!compressionEnabled(ss, sid->u.ssl3.compression))
6019 break;
6020 #endif
6021
6022 ssl3CipherSuiteCfg *suite = ss->cipherSuites;
6023 /* Find the entry for the cipher suite used in the cached session. */
6024 for (j = ssl_V3_SUITES_IMPLEMENTED; j > 0; --j, ++suite) {
6025 if (suite->cipher_suite == sid->u.ssl3.cipherSuite)
6026 break;
6027 }
6028 PORT_Assert(j > 0);
6029 if (j <= 0)
6030 break;
6031 #ifdef PARANOID
6032 /* Double check that the cached cipher suite is still enabled,
6033 * implemented, and allowed by policy. Might have been disabled.
6034 * The product policy won't change during the process lifetime.
6035 * Implemented ("isPresent") shouldn't change for servers.
6036 */
6037 if (!config_match(suite, ss->ssl3.policy, PR_TRUE))
6038 break;
6039 #else
6040 if (!suite->enabled)
6041 break;
6042 #endif
6043 /* Double check that the cached cipher suite is in the client's list */
6044 for (i = 0; i < suites.len; i += 2) {
6045 if ((suites.data[i] == MSB(suite->cipher_suite)) &&
6046 (suites.data[i + 1] == LSB(suite->cipher_suite))) {
6047
6048 ss->ssl3.hs.cipher_suite = suite->cipher_suite;
6049 ss->ssl3.hs.suite_def =
6050 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
6051 goto suite_found;
6052 }
6053 }
6054 } while (0);
6055
6056 /* START A NEW SESSION */
6057
6058 #ifndef PARANOID
6059 /* Look for a matching cipher suite. */
6060 j = ssl3_config_match_init(ss);
6061 if (j <= 0) { /* no ciphers are working/supported by PK11 */
6062 errCode = PORT_GetError(); /* error code is already set. */
6063 goto alert_loser;
6064 }
6065 #endif
6066
6067 /* Select a cipher suite.
6068 ** NOTE: This suite selection algorithm should be the same as the one in
6069 ** ssl3_HandleV2ClientHello().
6070 */
6071 for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
6072 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
6073 if (!config_match(suite, ss->ssl3.policy, PR_TRUE))
6074 continue;
6075 for (i = 0; i < suites.len; i += 2) {
6076 if ((suites.data[i] == MSB(suite->cipher_suite)) &&
6077 (suites.data[i + 1] == LSB(suite->cipher_suite))) {
6078
6079 ss->ssl3.hs.cipher_suite = suite->cipher_suite;
6080 ss->ssl3.hs.suite_def =
6081 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
6082 goto suite_found;
6083 }
6084 }
6085 }
6086 errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
6087 goto alert_loser;
6088
6089 suite_found:
6090 /* If we are resuming, we use the previous compression algorithm */
6091 if (sid) {
6092 ss->ssl3.hs.compression = sid->u.ssl3.compression;
6093 goto compression_found;
6094 }
6095
6096 /* Look for a matching compression algorithm. */
6097 for (i = 0; i < comps.len; i++) {
6098 for (j = 0; j < compressionMethodsCount; j++) {
6099 if (comps.data[i] == compressions[j] &&
6100 compressionEnabled(ss, compressions[j])) {
6101 ss->ssl3.hs.compression =
6102 (SSLCompressionMethod)compressions[j];
6103 goto compression_found;
6104 }
6105 }
6106 }
6107 errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP;
6108 /* null compression must be supported */
6109 goto alert_loser;
6110
6111 compression_found:
6112 suites.data = NULL;
6113 comps.data = NULL;
6114
6115 ss->sec.send = ssl3_SendApplicationData;
6116
6117 /* If there are any failures while processing the old sid,
6118 * we don't consider them to be errors. Instead, We just behave
6119 * as if the client had sent us no sid to begin with, and make a new one.
6120 */
6121 if (sid != NULL) do {
6122 ssl3CipherSpec *pwSpec;
6123 SECItem wrappedMS; /* wrapped key */
6124
6125 if (sid->version != ss->version ||
6126 sid->u.ssl3.cipherSuite != ss->ssl3.hs.cipher_suite) {
6127 break; /* not an error */
6128 }
6129
6130 if (ss->sec.ci.sid) {
6131 ss->sec.uncache(ss->sec.ci.sid);
6132 PORT_Assert(ss->sec.ci.sid != sid); /* should be impossible, but .. . */
6133 if (ss->sec.ci.sid != sid) {
6134 ssl_FreeSID(ss->sec.ci.sid);
6135 }
6136 ss->sec.ci.sid = NULL;
6137 }
6138 /* we need to resurrect the master secret.... */
6139
6140 ssl_GetSpecWriteLock(ss); haveSpecWriteLock = PR_TRUE;
6141 pwSpec = ss->ssl3.pwSpec;
6142 if (sid->u.ssl3.keys.msIsWrapped) {
6143 PK11SymKey * wrapKey; /* wrapping key */
6144 CK_FLAGS keyFlags = 0;
6145 if (ss->opt.bypassPKCS11) {
6146 /* we cannot restart a non-bypass session in a
6147 ** bypass socket.
6148 */
6149 break;
6150 }
6151
6152 wrapKey = getWrappingKey(ss, NULL, sid->u.ssl3.exchKeyType,
6153 sid->u.ssl3.masterWrapMech,
6154 ss->pkcs11PinArg);
6155 if (!wrapKey) {
6156 /* we have a SID cache entry, but no wrapping key for it??? */
6157 break;
6158 }
6159
6160 if (ss->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */
6161 keyFlags = CKF_SIGN | CKF_VERIFY;
6162 }
6163
6164 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
6165 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
6166
6167 /* unwrap the master secret. */
6168 pwSpec->master_secret =
6169 PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech,
6170 NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE,
6171 CKA_DERIVE, sizeof(SSL3MasterSecret), keyFlags);
6172 PK11_FreeSymKey(wrapKey);
6173 if (pwSpec->master_secret == NULL) {
6174 break; /* not an error */
6175 }
6176 } else if (ss->opt.bypassPKCS11) {
6177 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
6178 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
6179 memcpy(pwSpec->raw_master_secret, wrappedMS.data, wrappedMS.len);
6180 pwSpec->msItem.data = pwSpec->raw_master_secret;
6181 pwSpec->msItem.len = wrappedMS.len;
6182 } else {
6183 /* We CAN restart a bypass session in a non-bypass socket. */
6184 /* need to import the raw master secret to session object */
6185 PK11SlotInfo * slot;
6186 wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
6187 wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
6188 slot = PK11_GetInternalSlot();
6189 pwSpec->master_secret =
6190 PK11_ImportSymKey(slot, CKM_SSL3_MASTER_KEY_DERIVE,
6191 PK11_OriginUnwrap, CKA_ENCRYPT, &wrappedMS,
6192 NULL);
6193 PK11_FreeSlot(slot);
6194 if (pwSpec->master_secret == NULL) {
6195 break; /* not an error */
6196 }
6197 }
6198 ss->sec.ci.sid = sid;
6199 if (sid->peerCert != NULL) {
6200 ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
6201 }
6202
6203 /*
6204 * Old SID passed all tests, so resume this old session.
6205 *
6206 * XXX make sure compression still matches
6207 */
6208 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_hits );
6209 if (ss->statelessResume)
6210 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_stateless_resumes );
6211 ss->ssl3.hs.isResuming = PR_TRUE;
6212
6213 ss->sec.authAlgorithm = sid->authAlgorithm;
6214 ss->sec.authKeyBits = sid->authKeyBits;
6215 ss->sec.keaType = sid->keaType;
6216 ss->sec.keaKeyBits = sid->keaKeyBits;
6217
6218 /* server sids don't remember the server cert we previously sent,
6219 ** but they do remember the kea type we originally used, so we
6220 ** can locate it again, provided that the current ssl socket
6221 ** has had its server certs configured the same as the previous one.
6222 */
6223 ss->sec.localCert =
6224 CERT_DupCertificate(ss->serverCerts[sid->keaType].serverCert);
6225
6226 ssl_GetXmitBufLock(ss); haveXmitBufLock = PR_TRUE;
6227
6228 rv = ssl3_SendServerHello(ss);
6229 if (rv != SECSuccess) {
6230 errCode = PORT_GetError();
6231 goto loser;
6232 }
6233
6234 if (haveSpecWriteLock) {
6235 ssl_ReleaseSpecWriteLock(ss);
6236 haveSpecWriteLock = PR_FALSE;
6237 }
6238
6239 /* NULL value for PMS signifies re-use of the old MS */
6240 rv = ssl3_InitPendingCipherSpec(ss, NULL);
6241 if (rv != SECSuccess) {
6242 errCode = PORT_GetError();
6243 goto loser;
6244 }
6245
6246 rv = ssl3_SendChangeCipherSpecs(ss);
6247 if (rv != SECSuccess) {
6248 errCode = PORT_GetError();
6249 goto loser;
6250 }
6251 rv = ssl3_SendFinished(ss, 0);
6252 ss->ssl3.hs.ws = wait_change_cipher;
6253 if (rv != SECSuccess) {
6254 errCode = PORT_GetError();
6255 goto loser;
6256 }
6257
6258 if (haveXmitBufLock) {
6259 ssl_ReleaseXmitBufLock(ss);
6260 haveXmitBufLock = PR_FALSE;
6261 }
6262
6263 return SECSuccess;
6264 } while (0);
6265
6266 if (haveSpecWriteLock) {
6267 ssl_ReleaseSpecWriteLock(ss);
6268 haveSpecWriteLock = PR_FALSE;
6269 }
6270
6271 if (sid) { /* we had a sid, but it's no longer valid, free it */
6272 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_not_ok );
6273 ss->sec.uncache(sid);
6274 ssl_FreeSID(sid);
6275 sid = NULL;
6276 }
6277 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_misses );
6278
6279 sid = ssl3_NewSessionID(ss, PR_TRUE);
6280 if (sid == NULL) {
6281 errCode = PORT_GetError();
6282 goto loser; /* memory error is set. */
6283 }
6284 ss->sec.ci.sid = sid;
6285
6286 ss->ssl3.hs.isResuming = PR_FALSE;
6287 ssl_GetXmitBufLock(ss);
6288 rv = ssl3_SendServerHelloSequence(ss);
6289 ssl_ReleaseXmitBufLock(ss);
6290 if (rv != SECSuccess) {
6291 errCode = PORT_GetError();
6292 goto loser;
6293 }
6294
6295 if (haveXmitBufLock) {
6296 ssl_ReleaseXmitBufLock(ss);
6297 haveXmitBufLock = PR_FALSE;
6298 }
6299
6300 return SECSuccess;
6301
6302 alert_loser:
6303 if (haveSpecWriteLock) {
6304 ssl_ReleaseSpecWriteLock(ss);
6305 haveSpecWriteLock = PR_FALSE;
6306 }
6307 (void)SSL3_SendAlert(ss, level, desc);
6308 /* FALLTHRU */
6309 loser:
6310 if (haveSpecWriteLock) {
6311 ssl_ReleaseSpecWriteLock(ss);
6312 haveSpecWriteLock = PR_FALSE;
6313 }
6314
6315 if (haveXmitBufLock) {
6316 ssl_ReleaseXmitBufLock(ss);
6317 haveXmitBufLock = PR_FALSE;
6318 }
6319
6320 PORT_SetError(errCode);
6321 return SECFailure;
6322 }
6323
6324 /*
6325 * ssl3_HandleV2ClientHello is used when a V2 formatted hello comes
6326 * in asking to use the V3 handshake.
6327 * Called from ssl2_HandleClientHelloMessage() in sslcon.c
6328 */
6329 SECStatus
6330 ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length)
6331 {
6332 sslSessionID * sid = NULL;
6333 unsigned char * suites;
6334 unsigned char * random;
6335 SSL3ProtocolVersion version;
6336 SECStatus rv;
6337 int i;
6338 int j;
6339 int sid_length;
6340 int suite_length;
6341 int rand_length;
6342 int errCode = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO;
6343 SSL3AlertDescription desc = handshake_failure;
6344
6345 SSL_TRC(3, ("%d: SSL3[%d]: handle v2 client_hello", SSL_GETPID(), ss->fd));
6346
6347 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
6348
6349 ssl_GetSSL3HandshakeLock(ss);
6350
6351 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
6352
6353 rv = ssl3_InitState(ss);
6354 if (rv != SECSuccess) {
6355 ssl_ReleaseSSL3HandshakeLock(ss);
6356 return rv; /* ssl3_InitState has set the error code. */
6357 }
6358
6359 if (ss->ssl3.hs.ws != wait_client_hello) {
6360 desc = unexpected_message;
6361 errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO;
6362 goto loser; /* alert_loser */
6363 }
6364
6365 version = (buffer[1] << 8) | buffer[2];
6366 suite_length = (buffer[3] << 8) | buffer[4];
6367 sid_length = (buffer[5] << 8) | buffer[6];
6368 rand_length = (buffer[7] << 8) | buffer[8];
6369 ss->clientHelloVersion = version;
6370
6371 rv = ssl3_NegotiateVersion(ss, version);
6372 if (rv != SECSuccess) {
6373 /* send back which ever alert client will understand. */
6374 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version : handshak e_failure;
6375 errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
6376 goto alert_loser;
6377 }
6378
6379 /* if we get a non-zero SID, just ignore it. */
6380 if (length !=
6381 SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length + rand_length) {
6382 SSL_DBG(("%d: SSL3[%d]: bad v2 client hello message, len=%d should=%d",
6383 SSL_GETPID(), ss->fd, length,
6384 SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length +
6385 rand_length));
6386 goto loser; /* malformed */ /* alert_loser */
6387 }
6388
6389 suites = buffer + SSL_HL_CLIENT_HELLO_HBYTES;
6390 random = suites + suite_length + sid_length;
6391
6392 if (rand_length < SSL_MIN_CHALLENGE_BYTES ||
6393 rand_length > SSL_MAX_CHALLENGE_BYTES) {
6394 goto loser; /* malformed */ /* alert_loser */
6395 }
6396
6397 PORT_Assert(SSL_MAX_CHALLENGE_BYTES == SSL3_RANDOM_LENGTH);
6398
6399 PORT_Memset(&ss->ssl3.hs.client_random, 0, SSL3_RANDOM_LENGTH);
6400 PORT_Memcpy(
6401 &ss->ssl3.hs.client_random.rand[SSL3_RANDOM_LENGTH - rand_length],
6402 random, rand_length);
6403
6404 PRINT_BUF(60, (ss, "client random:", &ss->ssl3.hs.client_random.rand[0],
6405 SSL3_RANDOM_LENGTH));
6406 #ifdef NSS_ENABLE_ECC
6407 /* Disable any ECC cipher suites for which we have no cert. */
6408 ssl3_FilterECCipherSuitesByServerCerts(ss);
6409 #endif
6410 i = ssl3_config_match_init(ss);
6411 if (i <= 0) {
6412 errCode = PORT_GetError(); /* error code is already set. */
6413 goto alert_loser;
6414 }
6415
6416 /* Select a cipher suite.
6417 ** NOTE: This suite selection algorithm should be the same as the one in
6418 ** ssl3_HandleClientHello().
6419 */
6420 for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
6421 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
6422 if (!config_match(suite, ss->ssl3.policy, PR_TRUE))
6423 continue;
6424 for (i = 0; i < suite_length; i += 3) {
6425 if ((suites[i] == 0) &&
6426 (suites[i+1] == MSB(suite->cipher_suite)) &&
6427 (suites[i+2] == LSB(suite->cipher_suite))) {
6428
6429 ss->ssl3.hs.cipher_suite = suite->cipher_suite;
6430 ss->ssl3.hs.suite_def =
6431 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
6432 goto suite_found;
6433 }
6434 }
6435 }
6436 errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
6437 goto alert_loser;
6438
6439 suite_found:
6440
6441 ss->ssl3.hs.compression = ssl_compression_null;
6442 ss->sec.send = ssl3_SendApplicationData;
6443
6444 /* we don't even search for a cache hit here. It's just a miss. */
6445 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_misses );
6446 sid = ssl3_NewSessionID(ss, PR_TRUE);
6447 if (sid == NULL) {
6448 errCode = PORT_GetError();
6449 goto loser; /* memory error is set. */
6450 }
6451 ss->sec.ci.sid = sid;
6452 /* do not worry about memory leak of sid since it now belongs to ci */
6453
6454 /* We have to update the handshake hashes before we can send stuff */
6455 rv = ssl3_UpdateHandshakeHashes(ss, buffer, length);
6456 if (rv != SECSuccess) {
6457 errCode = PORT_GetError();
6458 goto loser;
6459 }
6460
6461 ssl_GetXmitBufLock(ss);
6462 rv = ssl3_SendServerHelloSequence(ss);
6463 ssl_ReleaseXmitBufLock(ss);
6464 if (rv != SECSuccess) {
6465 errCode = PORT_GetError();
6466 goto loser;
6467 }
6468
6469 /* XXX_1 The call stack to here is:
6470 * ssl_Do1stHandshake -> ssl2_HandleClientHelloMessage -> here.
6471 * ssl2_HandleClientHelloMessage returns whatever we return here.
6472 * ssl_Do1stHandshake will continue looping if it gets back either
6473 * SECSuccess or SECWouldBlock.
6474 * SECSuccess is preferable here. See XXX_1 in sslgathr.c.
6475 */
6476 ssl_ReleaseSSL3HandshakeLock(ss);
6477 return SECSuccess;
6478
6479 alert_loser:
6480 SSL3_SendAlert(ss, alert_fatal, desc);
6481 loser:
6482 ssl_ReleaseSSL3HandshakeLock(ss);
6483 PORT_SetError(errCode);
6484 return SECFailure;
6485 }
6486
6487 /* The negotiated version number has been already placed in ss->version.
6488 **
6489 ** Called from: ssl3_HandleClientHello (resuming session),
6490 ** ssl3_SendServerHelloSequence <- ssl3_HandleClientHello (new session),
6491 ** ssl3_SendServerHelloSequence <- ssl3_HandleV2ClientHello (new session)
6492 */
6493 static SECStatus
6494 ssl3_SendServerHello(sslSocket *ss)
6495 {
6496 sslSessionID *sid;
6497 SECStatus rv;
6498 PRUint32 maxBytes = 65535;
6499 PRUint32 length;
6500 PRInt32 extensions_len = 0;
6501
6502 SSL_TRC(3, ("%d: SSL3[%d]: send server_hello handshake", SSL_GETPID(),
6503 ss->fd));
6504
6505 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
6506 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
6507 PORT_Assert( MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0));
6508
6509 if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) {
6510 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
6511 return SECFailure;
6512 }
6513
6514 sid = ss->sec.ci.sid;
6515
6516 extensions_len = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes,
6517 &ss->xtnData.serverSenders[0]);
6518 if (extensions_len > 0)
6519 extensions_len += 2; /* Add sizeof total extension length */
6520
6521 length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH + 1 +
6522 ((sid == NULL) ? 0: sid->u.ssl3.sessionIDLength) +
6523 sizeof(ssl3CipherSuite) + 1 + extensions_len;
6524 rv = ssl3_AppendHandshakeHeader(ss, server_hello, length);
6525 if (rv != SECSuccess) {
6526 return rv; /* err set by AppendHandshake. */
6527 }
6528
6529 rv = ssl3_AppendHandshakeNumber(ss, ss->version, 2);
6530 if (rv != SECSuccess) {
6531 return rv; /* err set by AppendHandshake. */
6532 }
6533 rv = ssl3_GetNewRandom(&ss->ssl3.hs.server_random);
6534 if (rv != SECSuccess) {
6535 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
6536 return rv;
6537 }
6538 rv = ssl3_AppendHandshake(
6539 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH);
6540 if (rv != SECSuccess) {
6541 return rv; /* err set by AppendHandshake. */
6542 }
6543
6544 if (sid)
6545 rv = ssl3_AppendHandshakeVariable(
6546 ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1);
6547 else
6548 rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
6549 if (rv != SECSuccess) {
6550 return rv; /* err set by AppendHandshake. */
6551 }
6552
6553 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.cipher_suite, 2);
6554 if (rv != SECSuccess) {
6555 return rv; /* err set by AppendHandshake. */
6556 }
6557 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.compression, 1);
6558 if (rv != SECSuccess) {
6559 return rv; /* err set by AppendHandshake. */
6560 }
6561 if (extensions_len) {
6562 PRInt32 sent_len;
6563
6564 extensions_len -= 2;
6565 rv = ssl3_AppendHandshakeNumber(ss, extensions_len, 2);
6566 if (rv != SECSuccess)
6567 return rv; /* err set by ssl3_SetupPendingCipherSpec */
6568 sent_len = ssl3_CallHelloExtensionSenders(ss, PR_TRUE, extensions_len,
6569 &ss->xtnData.serverSenders[0]);
6570 PORT_Assert(sent_len == extensions_len);
6571 if (sent_len != extensions_len) {
6572 if (sent_len >= 0)
6573 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
6574 return SECFailure;
6575 }
6576 }
6577 rv = ssl3_SetupPendingCipherSpec(ss);
6578 if (rv != SECSuccess) {
6579 return rv; /* err set by ssl3_SetupPendingCipherSpec */
6580 }
6581
6582 return SECSuccess;
6583 }
6584
6585
6586 static SECStatus
6587 ssl3_SendServerKeyExchange(sslSocket *ss)
6588 {
6589 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def;
6590 SECStatus rv = SECFailure;
6591 int length;
6592 PRBool isTLS;
6593 SECItem signed_hash = {siBuffer, NULL, 0};
6594 SSL3Hashes hashes;
6595 SECKEYPublicKey * sdPub; /* public key for step-down */
6596
6597 SSL_TRC(3, ("%d: SSL3[%d]: send server_key_exchange handshake",
6598 SSL_GETPID(), ss->fd));
6599
6600 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
6601 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
6602
6603 switch (kea_def->exchKeyType) {
6604 case kt_rsa:
6605 /* Perform SSL Step-Down here. */
6606 sdPub = ss->stepDownKeyPair->pubKey;
6607 PORT_Assert(sdPub != NULL);
6608 if (!sdPub) {
6609 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
6610 return SECFailure;
6611 }
6612 rv = ssl3_ComputeExportRSAKeyHash(sdPub->u.rsa.modulus,
6613 sdPub->u.rsa.publicExponent,
6614 &ss->ssl3.hs.client_random,
6615 &ss->ssl3.hs.server_random,
6616 &hashes, ss->opt.bypassPKCS11);
6617 if (rv != SECSuccess) {
6618 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
6619 return rv;
6620 }
6621
6622 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
6623 rv = ssl3_SignHashes(&hashes, ss->serverCerts[kt_rsa].SERVERKEY,
6624 &signed_hash, isTLS);
6625 if (rv != SECSuccess) {
6626 goto loser; /* ssl3_SignHashes has set err. */
6627 }
6628 if (signed_hash.data == NULL) {
6629 /* how can this happen and rv == SECSuccess ?? */
6630 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
6631 goto loser;
6632 }
6633 length = 2 + sdPub->u.rsa.modulus.len +
6634 2 + sdPub->u.rsa.publicExponent.len +
6635 2 + signed_hash.len;
6636
6637 rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length);
6638 if (rv != SECSuccess) {
6639 goto loser; /* err set by AppendHandshake. */
6640 }
6641
6642 rv = ssl3_AppendHandshakeVariable(ss, sdPub->u.rsa.modulus.data,
6643 sdPub->u.rsa.modulus.len, 2);
6644 if (rv != SECSuccess) {
6645 goto loser; /* err set by AppendHandshake. */
6646 }
6647
6648 rv = ssl3_AppendHandshakeVariable(
6649 ss, sdPub->u.rsa.publicExponent.data,
6650 sdPub->u.rsa.publicExponent.len, 2);
6651 if (rv != SECSuccess) {
6652 goto loser; /* err set by AppendHandshake. */
6653 }
6654
6655 rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data,
6656 signed_hash.len, 2);
6657 if (rv != SECSuccess) {
6658 goto loser; /* err set by AppendHandshake. */
6659 }
6660 PORT_Free(signed_hash.data);
6661 return SECSuccess;
6662
6663 #ifdef NSS_ENABLE_ECC
6664 case kt_ecdh: {
6665 rv = ssl3_SendECDHServerKeyExchange(ss);
6666 return rv;
6667 }
6668 #endif /* NSS_ENABLE_ECC */
6669
6670 case kt_dh:
6671 case kt_null:
6672 default:
6673 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
6674 break;
6675 }
6676 loser:
6677 if (signed_hash.data != NULL)
6678 PORT_Free(signed_hash.data);
6679 return SECFailure;
6680 }
6681
6682
6683 static SECStatus
6684 ssl3_SendCertificateRequest(sslSocket *ss)
6685 {
6686 SECItem * name;
6687 CERTDistNames *ca_list;
6688 const uint8 * certTypes;
6689 SECItem * names = NULL;
6690 SECStatus rv;
6691 int length;
6692 int i;
6693 int calen = 0;
6694 int nnames = 0;
6695 int certTypesLength;
6696
6697 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_request handshake",
6698 SSL_GETPID(), ss->fd));
6699
6700 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
6701 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
6702
6703 /* ssl3.ca_list is initialized to NULL, and never changed. */
6704 ca_list = ss->ssl3.ca_list;
6705 if (!ca_list) {
6706 ca_list = ssl3_server_ca_list;
6707 }
6708
6709 if (ca_list != NULL) {
6710 names = ca_list->names;
6711 nnames = ca_list->nnames;
6712 }
6713
6714 if (!nnames) {
6715 PORT_SetError(SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA);
6716 return SECFailure;
6717 }
6718
6719 for (i = 0, name = names; i < nnames; i++, name++) {
6720 calen += 2 + name->len;
6721 }
6722
6723 certTypes = certificate_types;
6724 certTypesLength = sizeof certificate_types;
6725
6726 length = 1 + certTypesLength + 2 + calen;
6727
6728 rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length);
6729 if (rv != SECSuccess) {
6730 return rv; /* err set by AppendHandshake. */
6731 }
6732 rv = ssl3_AppendHandshakeVariable(ss, certTypes, certTypesLength, 1);
6733 if (rv != SECSuccess) {
6734 return rv; /* err set by AppendHandshake. */
6735 }
6736 rv = ssl3_AppendHandshakeNumber(ss, calen, 2);
6737 if (rv != SECSuccess) {
6738 return rv; /* err set by AppendHandshake. */
6739 }
6740 for (i = 0, name = names; i < nnames; i++, name++) {
6741 rv = ssl3_AppendHandshakeVariable(ss, name->data, name->len, 2);
6742 if (rv != SECSuccess) {
6743 return rv; /* err set by AppendHandshake. */
6744 }
6745 }
6746
6747 return SECSuccess;
6748 }
6749
6750 static SECStatus
6751 ssl3_SendServerHelloDone(sslSocket *ss)
6752 {
6753 SECStatus rv;
6754
6755 SSL_TRC(3, ("%d: SSL3[%d]: send server_hello_done handshake",
6756 SSL_GETPID(), ss->fd));
6757
6758 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
6759 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
6760
6761 rv = ssl3_AppendHandshakeHeader(ss, server_hello_done, 0);
6762 if (rv != SECSuccess) {
6763 return rv; /* err set by AppendHandshake. */
6764 }
6765 rv = ssl3_FlushHandshake(ss, 0);
6766 if (rv != SECSuccess) {
6767 return rv; /* error code set by ssl3_FlushHandshake */
6768 }
6769 return SECSuccess;
6770 }
6771
6772 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
6773 * ssl3 Certificate Verify message
6774 * Caller must hold Handshake and RecvBuf locks.
6775 */
6776 static SECStatus
6777 ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
6778 SSL3Hashes *hashes)
6779 {
6780 SECItem signed_hash = {siBuffer, NULL, 0};
6781 SECStatus rv;
6782 int errCode = SSL_ERROR_RX_MALFORMED_CERT_VERIFY;
6783 SSL3AlertDescription desc = handshake_failure;
6784 PRBool isTLS;
6785
6786 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_verify handshake",
6787 SSL_GETPID(), ss->fd));
6788 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
6789 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
6790
6791 if (ss->ssl3.hs.ws != wait_cert_verify || ss->sec.peerCert == NULL) {
6792 desc = unexpected_message;
6793 errCode = SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY;
6794 goto alert_loser;
6795 }
6796
6797 rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length);
6798 if (rv != SECSuccess) {
6799 goto loser; /* malformed. */
6800 }
6801
6802 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
6803
6804 /* XXX verify that the key & kea match */
6805 rv = ssl3_VerifySignedHashes(hashes, ss->sec.peerCert, &signed_hash,
6806 isTLS, ss->pkcs11PinArg);
6807 if (rv != SECSuccess) {
6808 errCode = PORT_GetError();
6809 desc = isTLS ? decrypt_error : handshake_failure;
6810 goto alert_loser;
6811 }
6812
6813 signed_hash.data = NULL;
6814
6815 if (length != 0) {
6816 desc = isTLS ? decode_error : illegal_parameter;
6817 goto alert_loser; /* malformed */
6818 }
6819 ss->ssl3.hs.ws = wait_change_cipher;
6820 return SECSuccess;
6821
6822 alert_loser:
6823 SSL3_SendAlert(ss, alert_fatal, desc);
6824 loser:
6825 PORT_SetError(errCode);
6826 return SECFailure;
6827 }
6828
6829
6830 /* find a slot that is able to generate a PMS and wrap it with RSA.
6831 * Then generate and return the PMS.
6832 * If the serverKeySlot parameter is non-null, this function will use
6833 * that slot to do the job, otherwise it will find a slot.
6834 *
6835 * Called from ssl3_DeriveConnectionKeysPKCS11() (above)
6836 * sendRSAClientKeyExchange() (above)
6837 * ssl3_HandleRSAClientKeyExchange() (below)
6838 * Caller must hold the SpecWriteLock, the SSL3HandshakeLock
6839 */
6840 static PK11SymKey *
6841 ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
6842 PK11SlotInfo * serverKeySlot)
6843 {
6844 PK11SymKey * pms = NULL;
6845 PK11SlotInfo * slot = serverKeySlot;
6846 void * pwArg = ss->pkcs11PinArg;
6847 SECItem param;
6848 CK_VERSION version;
6849 CK_MECHANISM_TYPE mechanism_array[3];
6850
6851 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
6852
6853 if (slot == NULL) {
6854 SSLCipherAlgorithm calg;
6855 /* The specReadLock would suffice here, but we cannot assert on
6856 ** read locks. Also, all the callers who call with a non-null
6857 ** slot already hold the SpecWriteLock.
6858 */
6859 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
6860 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
6861
6862 calg = spec->cipher_def->calg;
6863 PORT_Assert(alg2Mech[calg].calg == calg);
6864
6865 /* First get an appropriate slot. */
6866 mechanism_array[0] = CKM_SSL3_PRE_MASTER_KEY_GEN;
6867 mechanism_array[1] = CKM_RSA_PKCS;
6868 mechanism_array[2] = alg2Mech[calg].cmech;
6869
6870 slot = PK11_GetBestSlotMultiple(mechanism_array, 3, pwArg);
6871 if (slot == NULL) {
6872 /* can't find a slot with all three, find a slot with the minimum */
6873 slot = PK11_GetBestSlotMultiple(mechanism_array, 2, pwArg);
6874 if (slot == NULL) {
6875 PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND);
6876 return pms; /* which is NULL */
6877 }
6878 }
6879 }
6880
6881 /* Generate the pre-master secret ... */
6882 version.major = MSB(ss->clientHelloVersion);
6883 version.minor = LSB(ss->clientHelloVersion);
6884
6885 param.data = (unsigned char *)&version;
6886 param.len = sizeof version;
6887
6888 pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN, &param, 0, pwArg);
6889 if (!serverKeySlot)
6890 PK11_FreeSlot(slot);
6891 if (pms == NULL) {
6892 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
6893 }
6894 return pms;
6895 }
6896
6897 /* Note: The Bleichenbacher attack on PKCS#1 necessitates that we NEVER
6898 * return any indication of failure of the Client Key Exchange message,
6899 * where that failure is caused by the content of the client's message.
6900 * This function must not return SECFailure for any reason that is directly
6901 * or indirectly caused by the content of the client's encrypted PMS.
6902 * We must not send an alert and also not drop the connection.
6903 * Instead, we generate a random PMS. This will cause a failure
6904 * in the processing the finished message, which is exactly where
6905 * the failure must occur.
6906 *
6907 * Called from ssl3_HandleClientKeyExchange
6908 */
6909 static SECStatus
6910 ssl3_HandleRSAClientKeyExchange(sslSocket *ss,
6911 SSL3Opaque *b,
6912 PRUint32 length,
6913 SECKEYPrivateKey *serverKey)
6914 {
6915 PK11SymKey * pms;
6916 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random;
6917 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random;
6918 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec;
6919 unsigned int outLen = 0;
6920 PRBool isTLS = PR_FALSE;
6921 SECStatus rv;
6922 SECItem enc_pms;
6923 unsigned char rsaPmsBuf[SSL3_RSA_PMS_LENGTH];
6924 SECItem pmsItem = {siBuffer, NULL, 0};
6925
6926 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
6927 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
6928
6929 enc_pms.data = b;
6930 enc_pms.len = length;
6931 pmsItem.data = rsaPmsBuf;
6932 pmsItem.len = sizeof rsaPmsBuf;
6933
6934 if (ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */
6935 PRInt32 kLen;
6936 kLen = ssl3_ConsumeHandshakeNumber(ss, 2, &enc_pms.data, &enc_pms.len);
6937 if (kLen < 0) {
6938 PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
6939 return SECFailure;
6940 }
6941 if ((unsigned)kLen < enc_pms.len) {
6942 enc_pms.len = kLen;
6943 }
6944 isTLS = PR_TRUE;
6945 } else {
6946 isTLS = (PRBool)(ss->ssl3.hs.kea_def->tls_keygen != 0);
6947 }
6948
6949 if (ss->opt.bypassPKCS11) {
6950 /* TRIPLE BYPASS, get PMS directly from RSA decryption.
6951 * Use PK11_PrivDecryptPKCS1 to decrypt the PMS to a buffer,
6952 * then, check for version rollback attack, then
6953 * do the equivalent of ssl3_DeriveMasterSecret, placing the MS in
6954 * pwSpec->msItem. Finally call ssl3_InitPendingCipherSpec with
6955 * ss and NULL, so that it will use the MS we've already derived here.
6956 */
6957
6958 rv = PK11_PrivDecryptPKCS1(serverKey, rsaPmsBuf, &outLen,
6959 sizeof rsaPmsBuf, enc_pms.data, enc_pms.len);
6960 if (rv != SECSuccess) {
6961 /* triple bypass failed. Let's try for a double bypass. */
6962 goto double_bypass;
6963 } else if (ss->opt.detectRollBack) {
6964 SSL3ProtocolVersion client_version =
6965 (rsaPmsBuf[0] << 8) | rsaPmsBuf[1];
6966 if (client_version != ss->clientHelloVersion) {
6967 /* Version roll-back detected. ensure failure. */
6968 rv = PK11_GenerateRandom(rsaPmsBuf, sizeof rsaPmsBuf);
6969 }
6970 }
6971 /* have PMS, build MS without PKCS11 */
6972 rv = ssl3_MasterKeyDeriveBypass(pwSpec, cr, sr, &pmsItem, isTLS,
6973 PR_TRUE);
6974 if (rv != SECSuccess) {
6975 pwSpec->msItem.data = pwSpec->raw_master_secret;
6976 pwSpec->msItem.len = SSL3_MASTER_SECRET_LENGTH;
6977 PK11_GenerateRandom(pwSpec->msItem.data, pwSpec->msItem.len);
6978 }
6979 rv = ssl3_InitPendingCipherSpec(ss, NULL);
6980 } else {
6981 double_bypass:
6982 /*
6983 * unwrap pms out of the incoming buffer
6984 * Note: CKM_SSL3_MASTER_KEY_DERIVE is NOT the mechanism used to do
6985 * the unwrap. Rather, it is the mechanism with which the
6986 * unwrapped pms will be used.
6987 */
6988 pms = PK11_PubUnwrapSymKey(serverKey, &enc_pms,
6989 CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE, 0);
6990 if (pms != NULL) {
6991 PRINT_BUF(60, (ss, "decrypted premaster secret:",
6992 PK11_GetKeyData(pms)->data,
6993 PK11_GetKeyData(pms)->len));
6994 } else {
6995 /* unwrap failed. Generate a bogus PMS and carry on. */
6996 PK11SlotInfo * slot = PK11_GetSlotFromPrivateKey(serverKey);
6997
6998 ssl_GetSpecWriteLock(ss);
6999 pms = ssl3_GenerateRSAPMS(ss, ss->ssl3.prSpec, slot);
7000 ssl_ReleaseSpecWriteLock(ss);
7001 PK11_FreeSlot(slot);
7002 }
7003
7004 if (pms == NULL) {
7005 /* last gasp. */
7006 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
7007 return SECFailure;
7008 }
7009
7010 /* This step will derive the MS from the PMS, among other things. */
7011 rv = ssl3_InitPendingCipherSpec(ss, pms);
7012 PK11_FreeSymKey(pms);
7013 }
7014
7015 if (rv != SECSuccess) {
7016 SEND_ALERT
7017 return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */
7018 }
7019 return SECSuccess;
7020 }
7021
7022
7023 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
7024 * ssl3 ClientKeyExchange message from the remote client
7025 * Caller must hold Handshake and RecvBuf locks.
7026 */
7027 static SECStatus
7028 ssl3_HandleClientKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
7029 {
7030 SECKEYPrivateKey *serverKey = NULL;
7031 SECStatus rv;
7032 const ssl3KEADef * kea_def;
7033 ssl3KeyPair *serverKeyPair = NULL;
7034 #ifdef NSS_ENABLE_ECC
7035 SECKEYPublicKey *serverPubKey = NULL;
7036 #endif /* NSS_ENABLE_ECC */
7037
7038 SSL_TRC(3, ("%d: SSL3[%d]: handle client_key_exchange handshake",
7039 SSL_GETPID(), ss->fd));
7040
7041 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
7042 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
7043
7044 if (ss->ssl3.hs.ws != wait_client_key) {
7045 SSL3_SendAlert(ss, alert_fatal, unexpected_message);
7046 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH);
7047 return SECFailure;
7048 }
7049
7050 kea_def = ss->ssl3.hs.kea_def;
7051
7052 if (ss->ssl3.hs.usedStepDownKey) {
7053 PORT_Assert(kea_def->is_limited /* XXX OR cert is signing only */
7054 && kea_def->exchKeyType == kt_rsa
7055 && ss->stepDownKeyPair != NULL);
7056 if (!kea_def->is_limited ||
7057 kea_def->exchKeyType != kt_rsa ||
7058 ss->stepDownKeyPair == NULL) {
7059 /* shouldn't happen, don't use step down if it does */
7060 goto skip;
7061 }
7062 serverKeyPair = ss->stepDownKeyPair;
7063 ss->sec.keaKeyBits = EXPORT_RSA_KEY_LENGTH * BPB;
7064 } else
7065 skip:
7066 #ifdef NSS_ENABLE_ECC
7067 /* XXX Using SSLKEAType to index server certifiates
7068 * does not work for (EC)DHE ciphers. Until we have
7069 * an indexing mechanism general enough for all key
7070 * exchange algorithms, we'll need to deal with each
7071 * one seprately.
7072 */
7073 if ((kea_def->kea == kea_ecdhe_rsa) ||
7074 (kea_def->kea == kea_ecdhe_ecdsa)) {
7075 if (ss->ephemeralECDHKeyPair != NULL) {
7076 serverKeyPair = ss->ephemeralECDHKeyPair;
7077 if (serverKeyPair->pubKey) {
7078 ss->sec.keaKeyBits =
7079 SECKEY_PublicKeyStrengthInBits(serverKeyPair->pubKey);
7080 }
7081 }
7082 } else
7083 #endif
7084 {
7085 sslServerCerts * sc = ss->serverCerts + kea_def->exchKeyType;
7086 serverKeyPair = sc->serverKeyPair;
7087 ss->sec.keaKeyBits = sc->serverKeyBits;
7088 }
7089
7090 if (serverKeyPair) {
7091 serverKey = serverKeyPair->privKey;
7092 }
7093
7094 if (serverKey == NULL) {
7095 SEND_ALERT
7096 PORT_SetError(SSL_ERROR_NO_SERVER_KEY_FOR_ALG);
7097 return SECFailure;
7098 }
7099
7100 ss->sec.keaType = kea_def->exchKeyType;
7101
7102 switch (kea_def->exchKeyType) {
7103 case kt_rsa:
7104 rv = ssl3_HandleRSAClientKeyExchange(ss, b, length, serverKey);
7105 if (rv != SECSuccess) {
7106 SEND_ALERT
7107 return SECFailure; /* error code set */
7108 }
7109 break;
7110
7111
7112 #ifdef NSS_ENABLE_ECC
7113 case kt_ecdh:
7114 /* XXX We really ought to be able to store multiple
7115 * EC certs (a requirement if we wish to support both
7116 * ECDH-RSA and ECDH-ECDSA key exchanges concurrently).
7117 * When we make that change, we'll need an index other
7118 * than kt_ecdh to pick the right EC certificate.
7119 */
7120 if (serverKeyPair) {
7121 serverPubKey = serverKeyPair->pubKey;
7122 }
7123 if (serverPubKey == NULL) {
7124 /* XXX Is this the right error code? */
7125 PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
7126 return SECFailure;
7127 }
7128 rv = ssl3_HandleECDHClientKeyExchange(ss, b, length,
7129 serverPubKey, serverKey);
7130 if (rv != SECSuccess) {
7131 return SECFailure; /* error code set */
7132 }
7133 break;
7134 #endif /* NSS_ENABLE_ECC */
7135
7136 default:
7137 (void) ssl3_HandshakeFailure(ss);
7138 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
7139 return SECFailure;
7140 }
7141 ss->ssl3.hs.ws = ss->sec.peerCert ? wait_cert_verify : wait_change_cipher;
7142 return SECSuccess;
7143
7144 }
7145
7146 /* This is TLS's equivalent of sending a no_certificate alert. */
7147 static SECStatus
7148 ssl3_SendEmptyCertificate(sslSocket *ss)
7149 {
7150 SECStatus rv;
7151
7152 rv = ssl3_AppendHandshakeHeader(ss, certificate, 3);
7153 if (rv == SECSuccess) {
7154 rv = ssl3_AppendHandshakeNumber(ss, 0, 3);
7155 }
7156 return rv; /* error, if any, set by functions called above. */
7157 }
7158
7159 SECStatus
7160 ssl3_HandleNewSessionTicket(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
7161 {
7162 SECStatus rv;
7163 NewSessionTicket session_ticket;
7164
7165 SSL_TRC(3, ("%d: SSL3[%d]: handle session_ticket handshake",
7166 SSL_GETPID(), ss->fd));
7167
7168 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
7169 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
7170
7171 if (ss->ssl3.hs.ws != wait_new_session_ticket) {
7172 SSL3_SendAlert(ss, alert_fatal, unexpected_message);
7173 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET);
7174 return SECFailure;
7175 }
7176
7177 session_ticket.received_timestamp = ssl_Time();
7178 if (length < 4) {
7179 (void)SSL3_SendAlert(ss, alert_fatal, decode_error);
7180 PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET);
7181 return SECFailure;
7182 }
7183 session_ticket.ticket_lifetime_hint =
7184 (PRUint32)ssl3_ConsumeHandshakeNumber(ss, 4, &b, &length);
7185
7186 rv = ssl3_ConsumeHandshakeVariable(ss, &session_ticket.ticket, 2,
7187 &b, &length);
7188 if (length != 0 || rv != SECSuccess) {
7189 (void)SSL3_SendAlert(ss, alert_fatal, decode_error);
7190 PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET);
7191 return SECFailure; /* malformed */
7192 }
7193
7194 rv = ssl3_SetSIDSessionTicket(ss->sec.ci.sid, &session_ticket);
7195 if (rv != SECSuccess) {
7196 (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure);
7197 PORT_SetError(SSL_ERROR_INTERNAL_ERROR_ALERT);
7198 return SECFailure;
7199 }
7200 ss->ssl3.hs.ws = wait_change_cipher;
7201 return SECSuccess;
7202 }
7203
7204 #ifdef NISCC_TEST
7205 static PRInt32 connNum = 0;
7206
7207 static SECStatus
7208 get_fake_cert(SECItem *pCertItem, int *pIndex)
7209 {
7210 PRFileDesc *cf;
7211 char * testdir;
7212 char * startat;
7213 char * stopat;
7214 const char *extension;
7215 int fileNum;
7216 PRInt32 numBytes = 0;
7217 PRStatus prStatus;
7218 PRFileInfo info;
7219 char cfn[100];
7220
7221 pCertItem->data = 0;
7222 if ((testdir = PR_GetEnv("NISCC_TEST")) == NULL) {
7223 return SECSuccess;
7224 }
7225 *pIndex = (NULL != strstr(testdir, "root"));
7226 extension = (strstr(testdir, "simple") ? "" : ".der");
7227 fileNum = PR_AtomicIncrement(&connNum) - 1;
7228 if ((startat = PR_GetEnv("START_AT")) != NULL) {
7229 fileNum += atoi(startat);
7230 }
7231 if ((stopat = PR_GetEnv("STOP_AT")) != NULL &&
7232 fileNum >= atoi(stopat)) {
7233 *pIndex = -1;
7234 return SECSuccess;
7235 }
7236 sprintf(cfn, "%s/%08d%s", testdir, fileNum, extension);
7237 cf = PR_Open(cfn, PR_RDONLY, 0);
7238 if (!cf) {
7239 goto loser;
7240 }
7241 prStatus = PR_GetOpenFileInfo(cf, &info);
7242 if (prStatus != PR_SUCCESS) {
7243 PR_Close(cf);
7244 goto loser;
7245 }
7246 pCertItem = SECITEM_AllocItem(NULL, pCertItem, info.size);
7247 if (pCertItem) {
7248 numBytes = PR_Read(cf, pCertItem->data, info.size);
7249 }
7250 PR_Close(cf);
7251 if (numBytes != info.size) {
7252 SECITEM_FreeItem(pCertItem, PR_FALSE);
7253 PORT_SetError(SEC_ERROR_IO);
7254 goto loser;
7255 }
7256 fprintf(stderr, "using %s\n", cfn);
7257 return SECSuccess;
7258
7259 loser:
7260 fprintf(stderr, "failed to use %s\n", cfn);
7261 *pIndex = -1;
7262 return SECFailure;
7263 }
7264 #endif
7265
7266 /*
7267 * Used by both client and server.
7268 * Called from HandleServerHelloDone and from SendServerHelloSequence.
7269 */
7270 static SECStatus
7271 ssl3_SendCertificate(sslSocket *ss)
7272 {
7273 SECStatus rv;
7274 CERTCertificateList *certChain;
7275 int len = 0;
7276 int i;
7277 SSL3KEAType certIndex;
7278 #ifdef NISCC_TEST
7279 SECItem fakeCert;
7280 int ndex = -1;
7281 #endif
7282
7283 SSL_TRC(3, ("%d: SSL3[%d]: send certificate handshake",
7284 SSL_GETPID(), ss->fd));
7285
7286 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
7287 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
7288
7289 if (ss->sec.localCert)
7290 CERT_DestroyCertificate(ss->sec.localCert);
7291 if (ss->sec.isServer) {
7292 sslServerCerts * sc = NULL;
7293
7294 /* XXX SSLKEAType isn't really a good choice for
7295 * indexing certificates (it breaks when we deal
7296 * with (EC)DHE-* cipher suites. This hack ensures
7297 * the RSA cert is picked for (EC)DHE-RSA.
7298 * Revisit this when we add server side support
7299 * for ECDHE-ECDSA or client-side authentication
7300 * using EC certificates.
7301 */
7302 if ((ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) ||
7303 (ss->ssl3.hs.kea_def->kea == kea_dhe_rsa)) {
7304 certIndex = kt_rsa;
7305 } else {
7306 certIndex = ss->ssl3.hs.kea_def->exchKeyType;
7307 }
7308 sc = ss->serverCerts + certIndex;
7309 certChain = sc->serverCertChain;
7310 ss->sec.authKeyBits = sc->serverKeyBits;
7311 ss->sec.authAlgorithm = ss->ssl3.hs.kea_def->signKeyType;
7312 ss->sec.localCert = CERT_DupCertificate(sc->serverCert);
7313 } else {
7314 certChain = ss->ssl3.clientCertChain;
7315 ss->sec.localCert = CERT_DupCertificate(ss->ssl3.clientCertificate);
7316 }
7317
7318 #ifdef NISCC_TEST
7319 rv = get_fake_cert(&fakeCert, &ndex);
7320 #endif
7321
7322 if (certChain) {
7323 for (i = 0; i < certChain->len; i++) {
7324 #ifdef NISCC_TEST
7325 if (fakeCert.len > 0 && i == ndex) {
7326 len += fakeCert.len + 3;
7327 } else {
7328 len += certChain->certs[i].len + 3;
7329 }
7330 #else
7331 len += certChain->certs[i].len + 3;
7332 #endif
7333 }
7334 }
7335
7336 rv = ssl3_AppendHandshakeHeader(ss, certificate, len + 3);
7337 if (rv != SECSuccess) {
7338 return rv; /* err set by AppendHandshake. */
7339 }
7340 rv = ssl3_AppendHandshakeNumber(ss, len, 3);
7341 if (rv != SECSuccess) {
7342 return rv; /* err set by AppendHandshake. */
7343 }
7344 if (certChain) {
7345 for (i = 0; i < certChain->len; i++) {
7346 #ifdef NISCC_TEST
7347 if (fakeCert.len > 0 && i == ndex) {
7348 rv = ssl3_AppendHandshakeVariable(ss, fakeCert.data,
7349 fakeCert.len, 3);
7350 SECITEM_FreeItem(&fakeCert, PR_FALSE);
7351 } else {
7352 rv = ssl3_AppendHandshakeVariable(ss, certChain->certs[i].data,
7353 certChain->certs[i].len, 3);
7354 }
7355 #else
7356 rv = ssl3_AppendHandshakeVariable(ss, certChain->certs[i].data,
7357 certChain->certs[i].len, 3);
7358 #endif
7359 if (rv != SECSuccess) {
7360 return rv; /* err set by AppendHandshake. */
7361 }
7362 }
7363 }
7364
7365 return SECSuccess;
7366 }
7367
7368 /* This is used to delete the CA certificates in the peer certificate chain
7369 * from the cert database after they've been validated.
7370 */
7371 static void
7372 ssl3_CleanupPeerCerts(sslSocket *ss)
7373 {
7374 PRArenaPool * arena = ss->ssl3.peerCertArena;
7375 ssl3CertNode *certs = (ssl3CertNode *)ss->ssl3.peerCertChain;
7376
7377 for (; certs; certs = certs->next) {
7378 CERT_DestroyCertificate(certs->cert);
7379 }
7380 if (arena) PORT_FreeArena(arena, PR_FALSE);
7381 ss->ssl3.peerCertArena = NULL;
7382 ss->ssl3.peerCertChain = NULL;
7383 }
7384
7385 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
7386 * ssl3 Certificate message.
7387 * Caller must hold Handshake and RecvBuf locks.
7388 */
7389 static SECStatus
7390 ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
7391 {
7392 ssl3CertNode * c;
7393 ssl3CertNode * certs = NULL;
7394 PRArenaPool * arena = NULL;
7395 CERTCertificate *cert;
7396 PRInt32 remaining = 0;
7397 PRInt32 size;
7398 SECStatus rv;
7399 PRBool isServer = (PRBool)(!!ss->sec.isServer);
7400 PRBool trusted = PR_FALSE;
7401 PRBool isTLS;
7402 SSL3AlertDescription desc = bad_certificate;
7403 int errCode = SSL_ERROR_RX_MALFORMED_CERTIFICATE;
7404 SECItem certItem;
7405
7406 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate handshake",
7407 SSL_GETPID(), ss->fd));
7408 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
7409 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
7410
7411 if ((ss->ssl3.hs.ws != wait_server_cert) &&
7412 (ss->ssl3.hs.ws != wait_client_cert)) {
7413 desc = unexpected_message;
7414 errCode = SSL_ERROR_RX_UNEXPECTED_CERTIFICATE;
7415 goto alert_loser;
7416 }
7417
7418 if (ss->sec.peerCert != NULL) {
7419 if (ss->sec.peerKey) {
7420 SECKEY_DestroyPublicKey(ss->sec.peerKey);
7421 ss->sec.peerKey = NULL;
7422 }
7423 CERT_DestroyCertificate(ss->sec.peerCert);
7424 ss->sec.peerCert = NULL;
7425 }
7426
7427 ssl3_CleanupPeerCerts(ss);
7428 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
7429
7430 /* It is reported that some TLS client sends a Certificate message
7431 ** with a zero-length message body. We'll treat that case like a
7432 ** normal no_certificates message to maximize interoperability.
7433 */
7434 if (length) {
7435 remaining = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
7436 if (remaining < 0)
7437 goto loser; /* fatal alert already sent by ConsumeHandshake. */
7438 if ((PRUint32)remaining > length)
7439 goto decode_loser;
7440 }
7441
7442 if (!remaining) {
7443 if (!(isTLS && isServer))
7444 goto alert_loser;
7445 /* This is TLS's version of a no_certificate alert. */
7446 /* I'm a server. I've requested a client cert. He hasn't got one. */
7447 rv = ssl3_HandleNoCertificate(ss);
7448 if (rv != SECSuccess) {
7449 errCode = PORT_GetError();
7450 goto loser;
7451 }
7452 goto cert_block;
7453 }
7454
7455 ss->ssl3.peerCertArena = arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
7456 if ( arena == NULL ) {
7457 goto loser; /* don't send alerts on memory errors */
7458 }
7459
7460 /* First get the peer cert. */
7461 remaining -= 3;
7462 if (remaining < 0)
7463 goto decode_loser;
7464
7465 size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
7466 if (size <= 0)
7467 goto loser; /* fatal alert already sent by ConsumeHandshake. */
7468
7469 if (remaining < size)
7470 goto decode_loser;
7471
7472 certItem.data = b;
7473 certItem.len = size;
7474 b += size;
7475 length -= size;
7476 remaining -= size;
7477
7478 ss->sec.peerCert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
7479 PR_FALSE, PR_TRUE);
7480 if (ss->sec.peerCert == NULL) {
7481 /* We should report an alert if the cert was bad, but not if the
7482 * problem was just some local problem, like memory error.
7483 */
7484 goto ambiguous_err;
7485 }
7486
7487 /* Now get all of the CA certs. */
7488 while (remaining > 0) {
7489 remaining -= 3;
7490 if (remaining < 0)
7491 goto decode_loser;
7492
7493 size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
7494 if (size <= 0)
7495 goto loser; /* fatal alert already sent by ConsumeHandshake. */
7496
7497 if (remaining < size)
7498 goto decode_loser;
7499
7500 certItem.data = b;
7501 certItem.len = size;
7502 b += size;
7503 length -= size;
7504 remaining -= size;
7505
7506 c = PORT_ArenaNew(arena, ssl3CertNode);
7507 if (c == NULL) {
7508 goto loser; /* don't send alerts on memory errors */
7509 }
7510
7511 c->cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
7512 PR_FALSE, PR_TRUE);
7513 if (c->cert == NULL) {
7514 goto ambiguous_err;
7515 }
7516
7517 if (c->cert->trust)
7518 trusted = PR_TRUE;
7519
7520 c->next = certs;
7521 certs = c;
7522 }
7523
7524 if (remaining != 0)
7525 goto decode_loser;
7526
7527 SECKEY_UpdateCertPQG(ss->sec.peerCert);
7528
7529 /*
7530 * Ask caller-supplied callback function to validate cert chain.
7531 */
7532 rv = (SECStatus)(*ss->authCertificate)(ss->authCertificateArg, ss->fd,
7533 PR_TRUE, isServer);
7534 if (rv) {
7535 errCode = PORT_GetError();
7536 if (!ss->handleBadCert) {
7537 goto bad_cert;
7538 }
7539 rv = (SECStatus)(*ss->handleBadCert)(ss->badCertArg, ss->fd);
7540 if ( rv ) {
7541 if ( rv == SECWouldBlock ) {
7542 /* someone will handle this connection asynchronously*/
7543 SSL_DBG(("%d: SSL3[%d]: go to async cert handler",
7544 SSL_GETPID(), ss->fd));
7545 ss->ssl3.peerCertChain = certs;
7546 certs = NULL;
7547 ssl_SetAlwaysBlock(ss);
7548 goto cert_block;
7549 }
7550 /* cert is bad */
7551 goto bad_cert;
7552 }
7553 /* cert is good */
7554 }
7555
7556 /* start SSL Step Up, if appropriate */
7557 cert = ss->sec.peerCert;
7558 if (!isServer &&
7559 ssl3_global_policy_some_restricted &&
7560 ss->ssl3.policy == SSL_ALLOWED &&
7561 anyRestrictedEnabled(ss) &&
7562 SECSuccess == CERT_VerifyCertNow(cert->dbhandle, cert,
7563 PR_FALSE, /* checkSig */
7564 certUsageSSLServerWithStepUp,
7565 /*XXX*/ ss->authCertificateArg) ) {
7566 ss->ssl3.policy = SSL_RESTRICTED;
7567 ss->ssl3.hs.rehandshake = PR_TRUE;
7568 }
7569
7570 ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
7571
7572 if (!ss->sec.isServer) {
7573 /* set the server authentication and key exchange types and sizes
7574 ** from the value in the cert. If the key exchange key is different,
7575 ** it will get fixed when we handle the server key exchange message.
7576 */
7577 SECKEYPublicKey * pubKey = CERT_ExtractPublicKey(cert);
7578 ss->sec.authAlgorithm = ss->ssl3.hs.kea_def->signKeyType;
7579 ss->sec.keaType = ss->ssl3.hs.kea_def->exchKeyType;
7580 if (pubKey) {
7581 ss->sec.keaKeyBits = ss->sec.authKeyBits =
7582 SECKEY_PublicKeyStrengthInBits(pubKey);
7583 #ifdef NSS_ENABLE_ECC
7584 if (ss->sec.keaType == kt_ecdh) {
7585 /* Get authKeyBits from signing key.
7586 * XXX The code below uses a quick approximation of
7587 * key size based on cert->signatureWrap.signature.data
7588 * (which contains the DER encoded signature). The field
7589 * cert->signatureWrap.signature.len contains the
7590 * length of the encoded signature in bits.
7591 */
7592 if (ss->ssl3.hs.kea_def->kea == kea_ecdh_ecdsa) {
7593 ss->sec.authKeyBits =
7594 cert->signatureWrap.signature.data[3]*8;
7595 if (cert->signatureWrap.signature.data[4] == 0x00)
7596 ss->sec.authKeyBits -= 8;
7597 /*
7598 * XXX: if cert is not signed by ecdsa we should
7599 * destroy pubKey and goto bad_cert
7600 */
7601 } else if (ss->ssl3.hs.kea_def->kea == kea_ecdh_rsa) {
7602 ss->sec.authKeyBits = cert->signatureWrap.signature.len;
7603 /*
7604 * XXX: if cert is not signed by rsa we should
7605 * destroy pubKey and goto bad_cert
7606 */
7607 }
7608 }
7609 #endif /* NSS_ENABLE_ECC */
7610 SECKEY_DestroyPublicKey(pubKey);
7611 pubKey = NULL;
7612 }
7613 }
7614
7615 ss->ssl3.peerCertChain = certs; certs = NULL; arena = NULL;
7616
7617 cert_block:
7618 if (ss->sec.isServer) {
7619 ss->ssl3.hs.ws = wait_client_key;
7620 } else {
7621 ss->ssl3.hs.ws = wait_cert_request; /* disallow server_key_exchange */
7622 if (ss->ssl3.hs.kea_def->is_limited ||
7623 /* XXX OR server cert is signing only. */
7624 #ifdef NSS_ENABLE_ECC
7625 ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
7626 ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa ||
7627 #endif /* NSS_ENABLE_ECC */
7628 ss->ssl3.hs.kea_def->exchKeyType == kt_dh) {
7629 ss->ssl3.hs.ws = wait_server_key; /* allow server_key_exchange */
7630 }
7631 }
7632
7633 /* rv must normally be equal to SECSuccess here. If we called
7634 * handleBadCert, it can also be SECWouldBlock.
7635 */
7636 return rv;
7637
7638 ambiguous_err:
7639 errCode = PORT_GetError();
7640 switch (errCode) {
7641 case PR_OUT_OF_MEMORY_ERROR:
7642 case SEC_ERROR_BAD_DATABASE:
7643 case SEC_ERROR_NO_MEMORY:
7644 if (isTLS) {
7645 desc = internal_error;
7646 goto alert_loser;
7647 }
7648 goto loser;
7649 }
7650 /* fall through to bad_cert. */
7651
7652 bad_cert: /* caller has set errCode. */
7653 switch (errCode) {
7654 case SEC_ERROR_LIBRARY_FAILURE: desc = unsupported_certificate; break;
7655 case SEC_ERROR_EXPIRED_CERTIFICATE: desc = certificate_expired; break;
7656 case SEC_ERROR_REVOKED_CERTIFICATE: desc = certificate_revoked; break;
7657 case SEC_ERROR_INADEQUATE_KEY_USAGE:
7658 case SEC_ERROR_INADEQUATE_CERT_TYPE:
7659 desc = certificate_unknown; break;
7660 case SEC_ERROR_UNTRUSTED_CERT:
7661 desc = isTLS ? access_denied : certificate_unknown; break;
7662 case SEC_ERROR_UNKNOWN_ISSUER:
7663 case SEC_ERROR_UNTRUSTED_ISSUER:
7664 desc = isTLS ? unknown_ca : certificate_unknown; break;
7665 case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
7666 desc = isTLS ? unknown_ca : certificate_expired; break;
7667
7668 case SEC_ERROR_CERT_NOT_IN_NAME_SPACE:
7669 case SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID:
7670 case SEC_ERROR_CA_CERT_INVALID:
7671 case SEC_ERROR_BAD_SIGNATURE:
7672 default: desc = bad_certificate; break;
7673 }
7674 SSL_DBG(("%d: SSL3[%d]: peer certificate is no good: error=%d",
7675 SSL_GETPID(), ss->fd, errCode));
7676
7677 goto alert_loser;
7678
7679 decode_loser:
7680 desc = isTLS ? decode_error : bad_certificate;
7681
7682 alert_loser:
7683 (void)SSL3_SendAlert(ss, alert_fatal, desc);
7684
7685 loser:
7686 ss->ssl3.peerCertChain = certs; certs = NULL; arena = NULL;
7687 ssl3_CleanupPeerCerts(ss);
7688
7689 if (ss->sec.peerCert != NULL) {
7690 CERT_DestroyCertificate(ss->sec.peerCert);
7691 ss->sec.peerCert = NULL;
7692 }
7693 (void)ssl_MapLowLevelError(errCode);
7694 return SECFailure;
7695 }
7696
7697
7698 /* restart an SSL connection that we stopped to run certificate dialogs
7699 ** XXX Need to document here how an application marks a cert to show that
7700 ** the application has accepted it (overridden CERT_VerifyCert).
7701 *
7702 * XXX This code only works on the initial handshake on a connection, XXX
7703 * It does not work on a subsequent handshake (redo).
7704 *
7705 * Return value: XXX
7706 *
7707 * Caller holds 1stHandshakeLock.
7708 */
7709 int
7710 ssl3_RestartHandshakeAfterServerCert(sslSocket *ss)
7711 {
7712 CERTCertificate * cert;
7713 int rv = SECSuccess;
7714
7715 if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) {
7716 SET_ERROR_CODE
7717 return SECFailure;
7718 }
7719 if (!ss->ssl3.initialized) {
7720 SET_ERROR_CODE
7721 return SECFailure;
7722 }
7723
7724 cert = ss->sec.peerCert;
7725
7726 /* Permit step up if user decided to accept the cert */
7727 if (!ss->sec.isServer &&
7728 ssl3_global_policy_some_restricted &&
7729 ss->ssl3.policy == SSL_ALLOWED &&
7730 anyRestrictedEnabled(ss) &&
7731 (SECSuccess == CERT_VerifyCertNow(cert->dbhandle, cert,
7732 PR_FALSE, /* checksig */
7733 certUsageSSLServerWithStepUp,
7734 /*XXX*/ ss->authCertificateArg) )) {
7735 ss->ssl3.policy = SSL_RESTRICTED;
7736 ss->ssl3.hs.rehandshake = PR_TRUE;
7737 }
7738
7739 if (ss->handshake != NULL) {
7740 ss->handshake = ssl_GatherRecord1stHandshake;
7741 ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
7742
7743 ssl_GetRecvBufLock(ss);
7744 if (ss->ssl3.hs.msgState.buf != NULL) {
7745 rv = ssl3_HandleRecord(ss, NULL, &ss->gs.buf);
7746 }
7747 ssl_ReleaseRecvBufLock(ss);
7748 }
7749
7750 return rv;
7751 }
7752
7753 static SECStatus
7754 ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
7755 PRBool isServer,
7756 const SSL3Finished * hashes,
7757 TLSFinished * tlsFinished)
7758 {
7759 const char * label;
7760 unsigned int len;
7761 SECStatus rv;
7762
7763 label = isServer ? "server finished" : "client finished";
7764 len = 15;
7765
7766 if (spec->master_secret && !spec->bypassCiphers) {
7767 SECItem param = {siBuffer, NULL, 0};
7768 PK11Context *prf_context =
7769 PK11_CreateContextBySymKey(CKM_TLS_PRF_GENERAL, CKA_SIGN,
7770 spec->master_secret, &param);
7771 if (!prf_context)
7772 return SECFailure;
7773
7774 rv = PK11_DigestBegin(prf_context);
7775 rv |= PK11_DigestOp(prf_context, (const unsigned char *) label, len);
7776 rv |= PK11_DigestOp(prf_context, hashes->md5, sizeof *hashes);
7777 rv |= PK11_DigestFinal(prf_context, tlsFinished->verify_data,
7778 &len, sizeof tlsFinished->verify_data);
7779 PORT_Assert(rv != SECSuccess || len == sizeof *tlsFinished);
7780
7781 PK11_DestroyContext(prf_context, PR_TRUE);
7782 } else {
7783 /* bypass PKCS11 */
7784 SECItem inData = { siBuffer, };
7785 SECItem outData = { siBuffer, };
7786 PRBool isFIPS = PR_FALSE;
7787
7788 inData.data = (unsigned char *)hashes->md5;
7789 inData.len = sizeof hashes[0];
7790 outData.data = tlsFinished->verify_data;
7791 outData.len = sizeof tlsFinished->verify_data;
7792 rv = TLS_PRF(&spec->msItem, label, &inData, &outData, isFIPS);
7793 PORT_Assert(rv != SECSuccess || \
7794 outData.len == sizeof tlsFinished->verify_data);
7795 }
7796 return rv;
7797 }
7798
7799 /* called from ssl3_HandleServerHelloDone
7800 * ssl3_HandleClientHello
7801 * ssl3_HandleFinished
7802 */
7803 static SECStatus
7804 ssl3_SendFinished(sslSocket *ss, PRInt32 flags)
7805 {
7806 ssl3CipherSpec *cwSpec;
7807 PRBool isTLS;
7808 PRBool isServer = ss->sec.isServer;
7809 SECStatus rv;
7810 SSL3Sender sender = isServer ? sender_server : sender_client;
7811 SSL3Finished hashes;
7812 TLSFinished tlsFinished;
7813
7814 SSL_TRC(3, ("%d: SSL3[%d]: send finished handshake", SSL_GETPID(), ss->fd));
7815
7816 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
7817 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
7818
7819 ssl_GetSpecReadLock(ss);
7820 cwSpec = ss->ssl3.cwSpec;
7821 isTLS = (PRBool)(cwSpec->version > SSL_LIBRARY_VERSION_3_0);
7822 rv = ssl3_ComputeHandshakeHashes(ss, cwSpec, &hashes, sender);
7823 if (isTLS && rv == SECSuccess) {
7824 rv = ssl3_ComputeTLSFinished(cwSpec, isServer, &hashes, &tlsFinished);
7825 }
7826 ssl_ReleaseSpecReadLock(ss);
7827 if (rv != SECSuccess) {
7828 goto fail; /* err code was set by ssl3_ComputeHandshakeHashes */
7829 }
7830
7831 if (isTLS) {
7832 rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof tlsFinished);
7833 if (rv != SECSuccess)
7834 goto fail; /* err set by AppendHandshake. */
7835 rv = ssl3_AppendHandshake(ss, &tlsFinished, sizeof tlsFinished);
7836 if (rv != SECSuccess)
7837 goto fail; /* err set by AppendHandshake. */
7838 } else {
7839 rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof hashes);
7840 if (rv != SECSuccess)
7841 goto fail; /* err set by AppendHandshake. */
7842 rv = ssl3_AppendHandshake(ss, &hashes, sizeof hashes);
7843 if (rv != SECSuccess)
7844 goto fail; /* err set by AppendHandshake. */
7845 }
7846 rv = ssl3_FlushHandshake(ss, flags);
7847 if (rv != SECSuccess) {
7848 goto fail; /* error code set by ssl3_FlushHandshake */
7849 }
7850 return SECSuccess;
7851
7852 fail:
7853 return rv;
7854 }
7855
7856 /* wrap the master secret, and put it into the SID.
7857 * Caller holds the Spec read lock.
7858 */
7859 SECStatus
7860 ssl3_CacheWrappedMasterSecret(sslSocket *ss, sslSessionID *sid,
7861 ssl3CipherSpec *spec, SSL3KEAType effectiveExchKeyType)
7862 {
7863 PK11SymKey * wrappingKey = NULL;
7864 PK11SlotInfo * symKeySlot;
7865 void * pwArg = ss->pkcs11PinArg;
7866 SECStatus rv = SECFailure;
7867 PRBool isServer = ss->sec.isServer;
7868 CK_MECHANISM_TYPE mechanism = CKM_INVALID_MECHANISM;
7869 symKeySlot = PK11_GetSlotFromKey(spec->master_secret);
7870 if (!isServer) {
7871 int wrapKeyIndex;
7872 int incarnation;
7873
7874 /* these next few functions are mere accessors and don't fail. */
7875 sid->u.ssl3.masterWrapIndex = wrapKeyIndex =
7876 PK11_GetCurrentWrapIndex(symKeySlot);
7877 PORT_Assert(wrapKeyIndex == 0); /* array has only one entry! */
7878
7879 sid->u.ssl3.masterWrapSeries = incarnation =
7880 PK11_GetSlotSeries(symKeySlot);
7881 sid->u.ssl3.masterSlotID = PK11_GetSlotID(symKeySlot);
7882 sid->u.ssl3.masterModuleID = PK11_GetModuleID(symKeySlot);
7883 sid->u.ssl3.masterValid = PR_TRUE;
7884 /* Get the default wrapping key, for wrapping the master secret before
7885 * placing it in the SID cache entry. */
7886 wrappingKey = PK11_GetWrapKey(symKeySlot, wrapKeyIndex,
7887 CKM_INVALID_MECHANISM, incarnation,
7888 pwArg);
7889 if (wrappingKey) {
7890 mechanism = PK11_GetMechanism(wrappingKey); /* can't fail. */
7891 } else {
7892 int keyLength;
7893 /* if the wrappingKey doesn't exist, attempt to create it.
7894 * Note: we intentionally ignore errors here. If we cannot
7895 * generate a wrapping key, it is not fatal to this SSL connection,
7896 * but we will not be able to restart this session.
7897 */
7898 mechanism = PK11_GetBestWrapMechanism(symKeySlot);
7899 keyLength = PK11_GetBestKeyLength(symKeySlot, mechanism);
7900 /* Zero length means fixed key length algorithm, or error.
7901 * It's ambiguous.
7902 */
7903 wrappingKey = PK11_KeyGen(symKeySlot, mechanism, NULL,
7904 keyLength, pwArg);
7905 if (wrappingKey) {
7906 PK11_SetWrapKey(symKeySlot, wrapKeyIndex, wrappingKey);
7907 }
7908 }
7909 } else {
7910 /* server socket using session cache. */
7911 mechanism = PK11_GetBestWrapMechanism(symKeySlot);
7912 if (mechanism != CKM_INVALID_MECHANISM) {
7913 wrappingKey =
7914 getWrappingKey(ss, symKeySlot, effectiveExchKeyType,
7915 mechanism, pwArg);
7916 if (wrappingKey) {
7917 mechanism = PK11_GetMechanism(wrappingKey); /* can't fail. */
7918 }
7919 }
7920 }
7921
7922 sid->u.ssl3.masterWrapMech = mechanism;
7923 PK11_FreeSlot(symKeySlot);
7924
7925 if (wrappingKey) {
7926 SECItem wmsItem;
7927
7928 wmsItem.data = sid->u.ssl3.keys.wrapped_master_secret;
7929 wmsItem.len = sizeof sid->u.ssl3.keys.wrapped_master_secret;
7930 rv = PK11_WrapSymKey(mechanism, NULL, wrappingKey,
7931 spec->master_secret, &wmsItem);
7932 /* rv is examined below. */
7933 sid->u.ssl3.keys.wrapped_master_secret_len = wmsItem.len;
7934 PK11_FreeSymKey(wrappingKey);
7935 }
7936 return rv;
7937 }
7938
7939 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
7940 * ssl3 Finished message from the peer.
7941 * Caller must hold Handshake and RecvBuf locks.
7942 */
7943 static SECStatus
7944 ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
7945 const SSL3Hashes *hashes)
7946 {
7947 sslSessionID * sid = ss->sec.ci.sid;
7948 SECStatus rv = SECSuccess;
7949 PRBool isServer = ss->sec.isServer;
7950 PRBool isTLS;
7951 PRBool doStepUp;
7952 SSL3KEAType effectiveExchKeyType;
7953
7954 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
7955 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
7956
7957 SSL_TRC(3, ("%d: SSL3[%d]: handle finished handshake",
7958 SSL_GETPID(), ss->fd));
7959
7960 if (ss->ssl3.hs.ws != wait_finished) {
7961 SSL3_SendAlert(ss, alert_fatal, unexpected_message);
7962 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_FINISHED);
7963 return SECFailure;
7964 }
7965
7966 isTLS = (PRBool)(ss->ssl3.crSpec->version > SSL_LIBRARY_VERSION_3_0);
7967 if (isTLS) {
7968 TLSFinished tlsFinished;
7969
7970 if (length != sizeof tlsFinished) {
7971 (void)SSL3_SendAlert(ss, alert_fatal, decode_error);
7972 PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED);
7973 return SECFailure;
7974 }
7975 rv = ssl3_ComputeTLSFinished(ss->ssl3.crSpec, !isServer,
7976 hashes, &tlsFinished);
7977 if (rv != SECSuccess ||
7978 0 != NSS_SecureMemcmp(&tlsFinished, b, length)) {
7979 (void)SSL3_SendAlert(ss, alert_fatal, decrypt_error);
7980 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
7981 return SECFailure;
7982 }
7983 } else {
7984 if (length != sizeof(SSL3Hashes)) {
7985 (void)ssl3_IllegalParameter(ss);
7986 PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED);
7987 return SECFailure;
7988 }
7989
7990 if (0 != NSS_SecureMemcmp(hashes, b, length)) {
7991 (void)ssl3_HandshakeFailure(ss);
7992 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
7993 return SECFailure;
7994 }
7995 }
7996
7997 doStepUp = (PRBool)(!isServer && ss->ssl3.hs.rehandshake);
7998
7999 ssl_GetXmitBufLock(ss); /*************************************/
8000
8001 if ((isServer && !ss->ssl3.hs.isResuming) ||
8002 (!isServer && ss->ssl3.hs.isResuming)) {
8003 PRInt32 flags = 0;
8004
8005 /* Send a NewSessionTicket message if the client sent us
8006 * either an empty session ticket, or one that did not verify.
8007 * (Note that if either of these conditions was met, then the
8008 * server has sent a SessionTicket extension in the
8009 * ServerHello message.)
8010 */
8011 if (isServer && !ss->ssl3.hs.isResuming &&
8012 ssl3_ExtensionNegotiated(ss, session_ticket_xtn)) {
8013 rv = ssl3_SendNewSessionTicket(ss);
8014 if (rv != SECSuccess) {
8015 goto xmit_loser;
8016 }
8017 }
8018
8019 rv = ssl3_SendChangeCipherSpecs(ss);
8020 if (rv != SECSuccess) {
8021 goto xmit_loser; /* err is set. */
8022 }
8023 /* If this thread is in SSL_SecureSend (trying to write some data)
8024 ** or if it is going to step up,
8025 ** then set the ssl_SEND_FLAG_FORCE_INTO_BUFFER flag, so that the
8026 ** last two handshake messages (change cipher spec and finished)
8027 ** will be sent in the same send/write call as the application data.
8028 */
8029 if (doStepUp || ss->writerThread == PR_GetCurrentThread()) {
8030 flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER;
8031 }
8032 rv = ssl3_SendFinished(ss, flags);
8033 if (rv != SECSuccess) {
8034 goto xmit_loser; /* err is set. */
8035 }
8036 }
8037
8038 /* Optimization: don't cache this connection if we're going to step up. */
8039 if (doStepUp) {
8040 ssl_FreeSID(sid);
8041 ss->sec.ci.sid = sid = NULL;
8042 ss->ssl3.hs.rehandshake = PR_FALSE;
8043 rv = ssl3_SendClientHello(ss);
8044 xmit_loser:
8045 ssl_ReleaseXmitBufLock(ss);
8046 return rv; /* err code is set if appropriate. */
8047 }
8048
8049 ssl_ReleaseXmitBufLock(ss); /*************************************/
8050
8051 /* The first handshake is now completed. */
8052 ss->handshake = NULL;
8053 ss->firstHsDone = PR_TRUE;
8054 ss->gs.writeOffset = 0;
8055 ss->gs.readOffset = 0;
8056
8057 if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) {
8058 effectiveExchKeyType = kt_rsa;
8059 } else {
8060 effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType;
8061 }
8062
8063 if (sid->cached == never_cached && !ss->opt.noCache && ss->sec.cache) {
8064 /* fill in the sid */
8065 sid->u.ssl3.cipherSuite = ss->ssl3.hs.cipher_suite;
8066 sid->u.ssl3.compression = ss->ssl3.hs.compression;
8067 sid->u.ssl3.policy = ss->ssl3.policy;
8068 #ifdef NSS_ENABLE_ECC
8069 sid->u.ssl3.negotiatedECCurves = ss->ssl3.hs.negotiatedECCurves;
8070 #endif
8071 sid->u.ssl3.exchKeyType = effectiveExchKeyType;
8072 sid->version = ss->version;
8073 sid->authAlgorithm = ss->sec.authAlgorithm;
8074 sid->authKeyBits = ss->sec.authKeyBits;
8075 sid->keaType = ss->sec.keaType;
8076 sid->keaKeyBits = ss->sec.keaKeyBits;
8077 sid->lastAccessTime = sid->creationTime = ssl_Time();
8078 sid->expirationTime = sid->creationTime + ssl3_sid_timeout;
8079 sid->localCert = CERT_DupCertificate(ss->sec.localCert);
8080
8081 ssl_GetSpecReadLock(ss); /*************************************/
8082
8083 /* Copy the master secret (wrapped or unwrapped) into the sid */
8084 if (ss->ssl3.crSpec->msItem.len && ss->ssl3.crSpec->msItem.data) {
8085 sid->u.ssl3.keys.wrapped_master_secret_len =
8086 ss->ssl3.crSpec->msItem.len;
8087 memcpy(sid->u.ssl3.keys.wrapped_master_secret,
8088 ss->ssl3.crSpec->msItem.data, ss->ssl3.crSpec->msItem.len);
8089 sid->u.ssl3.masterValid = PR_TRUE;
8090 sid->u.ssl3.keys.msIsWrapped = PR_FALSE;
8091 rv = SECSuccess;
8092 } else {
8093 rv = ssl3_CacheWrappedMasterSecret(ss, ss->sec.ci.sid,
8094 ss->ssl3.crSpec,
8095 effectiveExchKeyType);
8096 sid->u.ssl3.keys.msIsWrapped = PR_TRUE;
8097 }
8098 ssl_ReleaseSpecReadLock(ss); /*************************************/
8099
8100 /* If the wrap failed, we don't cache the sid.
8101 * The connection continues normally however.
8102 */
8103 if (rv == SECSuccess) {
8104 (*ss->sec.cache)(sid);
8105 }
8106 }
8107 ss->ssl3.hs.ws = idle_handshake;
8108
8109 /* Do the handshake callback for sslv3 here. */
8110 if (ss->handshakeCallback != NULL) {
8111 (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
8112 }
8113
8114 return SECSuccess;
8115 }
8116
8117 /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3
8118 * hanshake message.
8119 * Caller must hold Handshake and RecvBuf locks.
8120 */
8121 static SECStatus
8122 ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
8123 {
8124 SECStatus rv = SECSuccess;
8125 SSL3HandshakeType type = ss->ssl3.hs.msg_type;
8126 SSL3Hashes hashes; /* computed hashes are put here. */
8127 PRUint8 hdr[4];
8128
8129 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
8130 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
8131 /*
8132 * We have to compute the hashes before we update them with the
8133 * current message.
8134 */
8135 ssl_GetSpecReadLock(ss); /************************************/
8136 if((type == finished) || (type == certificate_verify)) {
8137 SSL3Sender sender = (SSL3Sender)0;
8138 ssl3CipherSpec *rSpec = ss->ssl3.prSpec;
8139
8140 if (type == finished) {
8141 sender = ss->sec.isServer ? sender_client : sender_server;
8142 rSpec = ss->ssl3.crSpec;
8143 }
8144 rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender);
8145 }
8146 ssl_ReleaseSpecReadLock(ss); /************************************/
8147 if (rv != SECSuccess) {
8148 return rv; /* error code was set by ssl3_ComputeHandshakeHashes*/
8149 }
8150 SSL_TRC(30,("%d: SSL3[%d]: handle handshake message: %s", SSL_GETPID(),
8151 ss->fd, ssl3_DecodeHandshakeType(ss->ssl3.hs.msg_type)));
8152 PRINT_BUF(60, (ss, "MD5 handshake hash:",
8153 (unsigned char*)ss->ssl3.hs.md5_cx, MD5_LENGTH));
8154 PRINT_BUF(95, (ss, "SHA handshake hash:",
8155 (unsigned char*)ss->ssl3.hs.sha_cx, SHA1_LENGTH));
8156
8157 hdr[0] = (PRUint8)ss->ssl3.hs.msg_type;
8158 hdr[1] = (PRUint8)(length >> 16);
8159 hdr[2] = (PRUint8)(length >> 8);
8160 hdr[3] = (PRUint8)(length );
8161
8162 /* Start new handshake hashes when we start a new handshake */
8163 if (ss->ssl3.hs.msg_type == client_hello) {
8164 SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
8165 SSL_GETPID(), ss->fd ));
8166 rv = ssl3_RestartHandshakeHashes(ss);
8167 if (rv != SECSuccess) {
8168 return rv;
8169 }
8170 }
8171 /* We should not include hello_request messages in the handshake hashes */
8172 if (ss->ssl3.hs.msg_type != hello_request) {
8173 rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) hdr, 4);
8174 if (rv != SECSuccess) return rv; /* err code already set. */
8175 rv = ssl3_UpdateHandshakeHashes(ss, b, length);
8176 if (rv != SECSuccess) return rv; /* err code already set. */
8177 }
8178
8179 PORT_SetError(0); /* each message starts with no error. */
8180 switch (ss->ssl3.hs.msg_type) {
8181 case hello_request:
8182 if (length != 0) {
8183 (void)ssl3_DecodeError(ss);
8184 PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST);
8185 return SECFailure;
8186 }
8187 if (ss->sec.isServer) {
8188 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
8189 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST);
8190 return SECFailure;
8191 }
8192 rv = ssl3_HandleHelloRequest(ss);
8193 break;
8194 case client_hello:
8195 if (!ss->sec.isServer) {
8196 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
8197 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO);
8198 return SECFailure;
8199 }
8200 rv = ssl3_HandleClientHello(ss, b, length);
8201 break;
8202 case server_hello:
8203 if (ss->sec.isServer) {
8204 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
8205 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO);
8206 return SECFailure;
8207 }
8208 rv = ssl3_HandleServerHello(ss, b, length);
8209 break;
8210 case certificate:
8211 rv = ssl3_HandleCertificate(ss, b, length);
8212 break;
8213 case server_key_exchange:
8214 if (ss->sec.isServer) {
8215 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
8216 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH);
8217 return SECFailure;
8218 }
8219 rv = ssl3_HandleServerKeyExchange(ss, b, length);
8220 break;
8221 case certificate_request:
8222 if (ss->sec.isServer) {
8223 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
8224 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST);
8225 return SECFailure;
8226 }
8227 rv = ssl3_HandleCertificateRequest(ss, b, length);
8228 break;
8229 case server_hello_done:
8230 if (length != 0) {
8231 (void)ssl3_DecodeError(ss);
8232 PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_DONE);
8233 return SECFailure;
8234 }
8235 if (ss->sec.isServer) {
8236 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
8237 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
8238 return SECFailure;
8239 }
8240 rv = ssl3_HandleServerHelloDone(ss);
8241 break;
8242 case certificate_verify:
8243 if (!ss->sec.isServer) {
8244 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
8245 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY);
8246 return SECFailure;
8247 }
8248 rv = ssl3_HandleCertificateVerify(ss, b, length, &hashes);
8249 break;
8250 case client_key_exchange:
8251 if (!ss->sec.isServer) {
8252 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
8253 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH);
8254 return SECFailure;
8255 }
8256 rv = ssl3_HandleClientKeyExchange(ss, b, length);
8257 break;
8258 case new_session_ticket:
8259 if (ss->sec.isServer) {
8260 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
8261 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET);
8262 return SECFailure;
8263 }
8264 rv = ssl3_HandleNewSessionTicket(ss, b, length);
8265 break;
8266 case finished:
8267 rv = ssl3_HandleFinished(ss, b, length, &hashes);
8268 break;
8269 default:
8270 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
8271 PORT_SetError(SSL_ERROR_RX_UNKNOWN_HANDSHAKE);
8272 rv = SECFailure;
8273 }
8274 return rv;
8275 }
8276
8277 /* Called only from ssl3_HandleRecord, for each (deciphered) ssl3 record.
8278 * origBuf is the decrypted ssl record content.
8279 * Caller must hold the handshake and RecvBuf locks.
8280 */
8281 static SECStatus
8282 ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
8283 {
8284 /*
8285 * There may be a partial handshake message already in the handshake
8286 * state. The incoming buffer may contain another portion, or a
8287 * complete message or several messages followed by another portion.
8288 *
8289 * Each message is made contiguous before being passed to the actual
8290 * message parser.
8291 */
8292 sslBuffer *buf = &ss->ssl3.hs.msgState; /* do not lose the original buffer p ointer */
8293 SECStatus rv;
8294
8295 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
8296 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
8297
8298 if (buf->buf == NULL) {
8299 *buf = *origBuf;
8300 }
8301 while (buf->len > 0) {
8302 if (ss->ssl3.hs.header_bytes < 4) {
8303 uint8 t;
8304 t = *(buf->buf++);
8305 buf->len--;
8306 if (ss->ssl3.hs.header_bytes++ == 0)
8307 ss->ssl3.hs.msg_type = (SSL3HandshakeType)t;
8308 else
8309 ss->ssl3.hs.msg_len = (ss->ssl3.hs.msg_len << 8) + t;
8310 if (ss->ssl3.hs.header_bytes < 4)
8311 continue;
8312
8313 #define MAX_HANDSHAKE_MSG_LEN 0x1ffff /* 128k - 1 */
8314 if (ss->ssl3.hs.msg_len > MAX_HANDSHAKE_MSG_LEN) {
8315 (void)ssl3_DecodeError(ss);
8316 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
8317 return SECFailure;
8318 }
8319 #undef MAX_HANDSHAKE_MSG_LEN
8320
8321 /* If msg_len is zero, be sure we fall through,
8322 ** even if buf->len is zero.
8323 */
8324 if (ss->ssl3.hs.msg_len > 0)
8325 continue;
8326 }
8327
8328 /*
8329 * Header has been gathered and there is at least one byte of new
8330 * data available for this message. If it can be done right out
8331 * of the original buffer, then use it from there.
8332 */
8333 if (ss->ssl3.hs.msg_body.len == 0 && buf->len >= ss->ssl3.hs.msg_len) {
8334 /* handle it from input buffer */
8335 rv = ssl3_HandleHandshakeMessage(ss, buf->buf, ss->ssl3.hs.msg_len);
8336 if (rv == SECFailure) {
8337 /* This test wants to fall through on either
8338 * SECSuccess or SECWouldBlock.
8339 * ssl3_HandleHandshakeMessage MUST set the error code.
8340 */
8341 return rv;
8342 }
8343 buf->buf += ss->ssl3.hs.msg_len;
8344 buf->len -= ss->ssl3.hs.msg_len;
8345 ss->ssl3.hs.msg_len = 0;
8346 ss->ssl3.hs.header_bytes = 0;
8347 if (rv != SECSuccess) { /* return if SECWouldBlock. */
8348 return rv;
8349 }
8350 } else {
8351 /* must be copied to msg_body and dealt with from there */
8352 unsigned int bytes;
8353
8354 PORT_Assert(ss->ssl3.hs.msg_body.len <= ss->ssl3.hs.msg_len);
8355 bytes = PR_MIN(buf->len, ss->ssl3.hs.msg_len - ss->ssl3.hs.msg_body. len);
8356
8357 /* Grow the buffer if needed */
8358 rv = sslBuffer_Grow(&ss->ssl3.hs.msg_body, ss->ssl3.hs.msg_len);
8359 if (rv != SECSuccess) {
8360 /* sslBuffer_Grow has set a memory error code. */
8361 return SECFailure;
8362 }
8363
8364 PORT_Memcpy(ss->ssl3.hs.msg_body.buf + ss->ssl3.hs.msg_body.len,
8365 buf->buf, bytes);
8366 ss->ssl3.hs.msg_body.len += bytes;
8367 buf->buf += bytes;
8368 buf->len -= bytes;
8369
8370 PORT_Assert(ss->ssl3.hs.msg_body.len <= ss->ssl3.hs.msg_len);
8371
8372 /* if we have a whole message, do it */
8373 if (ss->ssl3.hs.msg_body.len == ss->ssl3.hs.msg_len) {
8374 rv = ssl3_HandleHandshakeMessage(
8375 ss, ss->ssl3.hs.msg_body.buf, ss->ssl3.hs.msg_len);
8376 /*
8377 * XXX This appears to be wrong. This error handling
8378 * should clean up after a SECWouldBlock return, like the
8379 * error handling used 40 lines before/above this one,
8380 */
8381 if (rv != SECSuccess) {
8382 /* ssl3_HandleHandshakeMessage MUST set error code. */
8383 return rv;
8384 }
8385 ss->ssl3.hs.msg_body.len = 0;
8386 ss->ssl3.hs.msg_len = 0;
8387 ss->ssl3.hs.header_bytes = 0;
8388 } else {
8389 PORT_Assert(buf->len == 0);
8390 break;
8391 }
8392 }
8393 } /* end loop */
8394
8395 origBuf->len = 0; /* So ssl3_GatherAppDataRecord will keep looping. */
8396 buf->buf = NULL; /* not a leak. */
8397 return SECSuccess;
8398 }
8399
8400 /* if cText is non-null, then decipher, check MAC, and decompress the
8401 * SSL record from cText->buf (typically gs->inbuf)
8402 * into databuf (typically gs->buf), and any previous contents of databuf
8403 * is lost. Then handle databuf according to its SSL record type,
8404 * unless it's an application record.
8405 *
8406 * If cText is NULL, then the ciphertext has previously been deciphered and
8407 * checked, and is already sitting in databuf. It is processed as an SSL
8408 * Handshake message.
8409 *
8410 * DOES NOT process the decrypted/decompressed application data.
8411 * On return, databuf contains the decrypted/decompressed record.
8412 *
8413 * Called from ssl3_GatherCompleteHandshake
8414 * ssl3_RestartHandshakeAfterCertReq
8415 * ssl3_RestartHandshakeAfterServerCert
8416 *
8417 * Caller must hold the RecvBufLock.
8418 *
8419 * This function aquires and releases the SSL3Handshake Lock, holding the
8420 * lock around any calls to functions that handle records other than
8421 * Application Data records.
8422 */
8423 SECStatus
8424 ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf)
8425 {
8426 const ssl3BulkCipherDef *cipher_def;
8427 ssl3CipherSpec * crSpec;
8428 SECStatus rv;
8429 unsigned int hashBytes = MAX_MAC_LENGTH + 1;
8430 unsigned int padding_length;
8431 PRBool isTLS;
8432 PRBool padIsBad = PR_FALSE;
8433 SSL3ContentType rType;
8434 SSL3Opaque hash[MAX_MAC_LENGTH];
8435 sslBuffer *plaintext;
8436 sslBuffer temp_buf;
8437
8438 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
8439
8440 if (!ss->ssl3.initialized) {
8441 ssl_GetSSL3HandshakeLock(ss);
8442 rv = ssl3_InitState(ss);
8443 ssl_ReleaseSSL3HandshakeLock(ss);
8444 if (rv != SECSuccess) {
8445 return rv; /* ssl3_InitState has set the error code. */
8446 }
8447 }
8448
8449 /* check for Token Presence */
8450 if (!ssl3_ClientAuthTokenPresent(ss->sec.ci.sid)) {
8451 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
8452 return SECFailure;
8453 }
8454
8455 /* cText is NULL when we're called from ssl3_RestartHandshakeAfterXXX().
8456 * This implies that databuf holds a previously deciphered SSL Handshake
8457 * message.
8458 */
8459 if (cText == NULL) {
8460 SSL_DBG(("%d: SSL3[%d]: HandleRecord, resuming handshake",
8461 SSL_GETPID(), ss->fd));
8462 rType = content_handshake;
8463 goto process_it;
8464 }
8465
8466 ssl_GetSpecReadLock(ss); /******************************************/
8467
8468 crSpec = ss->ssl3.crSpec;
8469
8470 /* If we will be decompressing the buffer we need to decrypt somewhere
8471 * other than into databuf */
8472 if (crSpec->decompress) {
8473 temp_buf.buf = NULL;
8474 temp_buf.space = 0;
8475 plaintext = &temp_buf;
8476 } else {
8477 plaintext = databuf;
8478 }
8479
8480 plaintext->len = 0; /* filled in by decode call below. */
8481 if (plaintext->space < MAX_FRAGMENT_LENGTH) {
8482 rv = sslBuffer_Grow(plaintext, MAX_FRAGMENT_LENGTH + 2048);
8483 if (rv != SECSuccess) {
8484 ssl_ReleaseSpecReadLock(ss);
8485 SSL_DBG(("%d: SSL3[%d]: HandleRecord, tried to get %d bytes",
8486 SSL_GETPID(), ss->fd, MAX_FRAGMENT_LENGTH + 2048));
8487 /* sslBuffer_Grow has set a memory error code. */
8488 /* Perhaps we should send an alert. (but we have no memory!) */
8489 return SECFailure;
8490 }
8491 }
8492
8493 PRINT_BUF(80, (ss, "ciphertext:", cText->buf->buf, cText->buf->len));
8494
8495 cipher_def = crSpec->cipher_def;
8496 isTLS = (PRBool)(crSpec->version > SSL_LIBRARY_VERSION_3_0);
8497
8498 if (isTLS && cText->buf->len > (MAX_FRAGMENT_LENGTH + 2048)) {
8499 ssl_ReleaseSpecReadLock(ss);
8500 SSL3_SendAlert(ss, alert_fatal, record_overflow);
8501 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
8502 return SECFailure;
8503 }
8504
8505 /* decrypt from cText buf to plaintext. */
8506 rv = crSpec->decode(
8507 crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len,
8508 plaintext->space, cText->buf->buf, cText->buf->len);
8509
8510 PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len));
8511 if (rv != SECSuccess) {
8512 int err = ssl_MapLowLevelError(SSL_ERROR_DECRYPTION_FAILURE);
8513 ssl_ReleaseSpecReadLock(ss);
8514 SSL3_SendAlert(ss, alert_fatal,
8515 isTLS ? decryption_failed : bad_record_mac);
8516 PORT_SetError(err);
8517 return SECFailure;
8518 }
8519
8520 /* If it's a block cipher, check and strip the padding. */
8521 if (cipher_def->type == type_block) {
8522 padding_length = *(plaintext->buf + plaintext->len - 1);
8523 /* TLS permits padding to exceed the block size, up to 255 bytes. */
8524 if (padding_length + 1 + crSpec->mac_size > plaintext->len)
8525 padIsBad = PR_TRUE;
8526 /* if TLS, check value of first padding byte. */
8527 else if (padding_length && isTLS &&
8528 padding_length != *(plaintext->buf +
8529 plaintext->len - (padding_length + 1)))
8530 padIsBad = PR_TRUE;
8531 else
8532 plaintext->len -= padding_length + 1;
8533 }
8534
8535 /* Remove the MAC. */
8536 if (plaintext->len >= crSpec->mac_size)
8537 plaintext->len -= crSpec->mac_size;
8538 else
8539 padIsBad = PR_TRUE; /* really macIsBad */
8540
8541 /* compute the MAC */
8542 rType = cText->type;
8543 rv = ssl3_ComputeRecordMAC( crSpec, (PRBool)(!ss->sec.isServer),
8544 rType, cText->version, crSpec->read_seq_num,
8545 plaintext->buf, plaintext->len, hash, &hashBytes);
8546 if (rv != SECSuccess) {
8547 int err = ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
8548 ssl_ReleaseSpecReadLock(ss);
8549 SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
8550 PORT_SetError(err);
8551 return rv;
8552 }
8553
8554 /* Check the MAC */
8555 if (hashBytes != (unsigned)crSpec->mac_size || padIsBad ||
8556 NSS_SecureMemcmp(plaintext->buf + plaintext->len, hash,
8557 crSpec->mac_size) != 0) {
8558 /* must not hold spec lock when calling SSL3_SendAlert. */
8559 ssl_ReleaseSpecReadLock(ss);
8560 SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
8561 /* always log mac error, in case attacker can read server logs. */
8562 PORT_SetError(SSL_ERROR_BAD_MAC_READ);
8563
8564 SSL_DBG(("%d: SSL3[%d]: mac check failed", SSL_GETPID(), ss->fd));
8565
8566 return SECFailure;
8567 }
8568
8569
8570
8571 ssl3_BumpSequenceNumber(&crSpec->read_seq_num);
8572
8573 ssl_ReleaseSpecReadLock(ss); /*****************************************/
8574
8575 /*
8576 * The decrypted data is now in plaintext.
8577 */
8578
8579 /* possibly decompress the record. If we aren't using compression then
8580 * plaintext == databuf and so the uncompressed data is already in
8581 * databuf. */
8582 if (crSpec->decompress) {
8583 if (databuf->space < plaintext->len + SSL3_COMPRESSION_MAX_EXPANSION) {
8584 rv = sslBuffer_Grow(
8585 databuf, plaintext->len + SSL3_COMPRESSION_MAX_EXPANSION);
8586 if (rv != SECSuccess) {
8587 SSL_DBG(("%d: SSL3[%d]: HandleRecord, tried to get %d bytes",
8588 SSL_GETPID(), ss->fd,
8589 plaintext->len + SSL3_COMPRESSION_MAX_EXPANSION));
8590 /* sslBuffer_Grow has set a memory error code. */
8591 /* Perhaps we should send an alert. (but we have no memory!) */
8592 PORT_Free(plaintext->buf);
8593 return SECFailure;
8594 }
8595 }
8596
8597 rv = crSpec->decompress(crSpec->decompressContext,
8598 databuf->buf,
8599 (int*) &databuf->len,
8600 databuf->space,
8601 plaintext->buf,
8602 plaintext->len);
8603 if (rv != SECSuccess) {
8604 int err = ssl_MapLowLevelError(SSL_ERROR_DECOMPRESSION_FAILURE);
8605 PORT_Free(plaintext->buf);
8606 ssl_ReleaseSpecReadLock(ss);
8607 SSL3_SendAlert(ss, alert_fatal,
8608 isTLS ? decompression_failure : bad_record_mac);
8609 PORT_SetError(err);
8610 return SECFailure;
8611 }
8612
8613 PORT_Free(plaintext->buf);
8614 }
8615
8616 /*
8617 ** Having completed the decompression, check the length again.
8618 */
8619 if (isTLS && databuf->len > (MAX_FRAGMENT_LENGTH + 1024)) {
8620 SSL3_SendAlert(ss, alert_fatal, record_overflow);
8621 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
8622 return SECFailure;
8623 }
8624
8625 /* Application data records are processed by the caller of this
8626 ** function, not by this function.
8627 */
8628 if (rType == content_application_data) {
8629 return SECSuccess;
8630 }
8631
8632 /* It's a record that must be handled by ssl itself, not the application.
8633 */
8634 process_it:
8635 /* XXX Get the xmit lock here. Odds are very high that we'll be xmiting
8636 * data ang getting the xmit lock here prevents deadlocks.
8637 */
8638 ssl_GetSSL3HandshakeLock(ss);
8639
8640 /* All the functions called in this switch MUST set error code if
8641 ** they return SECFailure or SECWouldBlock.
8642 */
8643 switch (rType) {
8644 case content_change_cipher_spec:
8645 rv = ssl3_HandleChangeCipherSpecs(ss, databuf);
8646 break;
8647 case content_alert:
8648 rv = ssl3_HandleAlert(ss, databuf);
8649 break;
8650 case content_handshake:
8651 rv = ssl3_HandleHandshake(ss, databuf);
8652 break;
8653 /*
8654 case content_application_data is handled before this switch
8655 */
8656 default:
8657 SSL_DBG(("%d: SSL3[%d]: bogus content type=%d",
8658 SSL_GETPID(), ss->fd, cText->type));
8659 /* XXX Send an alert ??? */
8660 PORT_SetError(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE);
8661 rv = SECFailure;
8662 break;
8663 }
8664
8665 ssl_ReleaseSSL3HandshakeLock(ss);
8666 return rv;
8667
8668 }
8669
8670 /*
8671 * Initialization functions
8672 */
8673
8674 /* Called from ssl3_InitState, immediately below. */
8675 /* Caller must hold the SpecWriteLock. */
8676 static void
8677 ssl3_InitCipherSpec(sslSocket *ss, ssl3CipherSpec *spec)
8678 {
8679 spec->cipher_def = &bulk_cipher_defs[cipher_null];
8680 PORT_Assert(spec->cipher_def->cipher == cipher_null);
8681 spec->mac_def = &mac_defs[mac_null];
8682 PORT_Assert(spec->mac_def->mac == mac_null);
8683 spec->encode = Null_Cipher;
8684 spec->decode = Null_Cipher;
8685 spec->destroy = NULL;
8686 spec->compress = NULL;
8687 spec->decompress = NULL;
8688 spec->destroyCompressContext = NULL;
8689 spec->destroyDecompressContext = NULL;
8690 spec->mac_size = 0;
8691 spec->master_secret = NULL;
8692 spec->bypassCiphers = PR_FALSE;
8693
8694 spec->msItem.data = NULL;
8695 spec->msItem.len = 0;
8696
8697 spec->client.write_key = NULL;
8698 spec->client.write_mac_key = NULL;
8699 spec->client.write_mac_context = NULL;
8700
8701 spec->server.write_key = NULL;
8702 spec->server.write_mac_key = NULL;
8703 spec->server.write_mac_context = NULL;
8704
8705 spec->write_seq_num.high = 0;
8706 spec->write_seq_num.low = 0;
8707
8708 spec->read_seq_num.high = 0;
8709 spec->read_seq_num.low = 0;
8710
8711 spec->version = ss->opt.enableTLS
8712 ? SSL_LIBRARY_VERSION_3_1_TLS
8713 : SSL_LIBRARY_VERSION_3_0;
8714 }
8715
8716 /* Called from: ssl3_SendRecord
8717 ** ssl3_StartHandshakeHash() <- ssl2_BeginClientHandshake()
8718 ** ssl3_SendClientHello()
8719 ** ssl3_HandleServerHello()
8720 ** ssl3_HandleClientHello()
8721 ** ssl3_HandleV2ClientHello()
8722 ** ssl3_HandleRecord()
8723 **
8724 ** This function should perhaps acquire and release the SpecWriteLock.
8725 **
8726 **
8727 */
8728 static SECStatus
8729 ssl3_InitState(sslSocket *ss)
8730 {
8731 SECStatus rv;
8732 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
8733
8734 if (ss->ssl3.initialized)
8735 return SECSuccess; /* Function should be idempotent */
8736
8737 ss->ssl3.policy = SSL_ALLOWED;
8738
8739 ssl_GetSpecWriteLock(ss);
8740 ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0];
8741 ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1];
8742 ss->ssl3.hs.rehandshake = PR_FALSE;
8743 ssl3_InitCipherSpec(ss, ss->ssl3.crSpec);
8744 ssl3_InitCipherSpec(ss, ss->ssl3.prSpec);
8745
8746 ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello;
8747 #ifdef NSS_ENABLE_ECC
8748 ss->ssl3.hs.negotiatedECCurves = SSL3_SUPPORTED_CURVES_MASK;
8749 #endif
8750 ssl_ReleaseSpecWriteLock(ss);
8751
8752 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
8753
8754 rv = ssl3_NewHandshakeHashes(ss);
8755 if (rv == SECSuccess) {
8756 ss->ssl3.initialized = PR_TRUE;
8757 }
8758
8759 return rv;
8760 }
8761
8762 /* Returns a reference counted object that contains a key pair.
8763 * Or NULL on failure. Initial ref count is 1.
8764 * Uses the keys in the pair as input.
8765 */
8766 ssl3KeyPair *
8767 ssl3_NewKeyPair( SECKEYPrivateKey * privKey, SECKEYPublicKey * pubKey)
8768 {
8769 ssl3KeyPair * pair;
8770
8771 if (!privKey || !pubKey) {
8772 PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
8773 return NULL;
8774 }
8775 pair = PORT_ZNew(ssl3KeyPair);
8776 if (!pair)
8777 return NULL; /* error code is set. */
8778 pair->refCount = 1;
8779 pair->privKey = privKey;
8780 pair->pubKey = pubKey;
8781 return pair; /* success */
8782 }
8783
8784 ssl3KeyPair *
8785 ssl3_GetKeyPairRef(ssl3KeyPair * keyPair)
8786 {
8787 PR_AtomicIncrement(&keyPair->refCount);
8788 return keyPair;
8789 }
8790
8791 void
8792 ssl3_FreeKeyPair(ssl3KeyPair * keyPair)
8793 {
8794 PRInt32 newCount = PR_AtomicDecrement(&keyPair->refCount);
8795 if (!newCount) {
8796 if (keyPair->privKey)
8797 SECKEY_DestroyPrivateKey(keyPair->privKey);
8798 if (keyPair->pubKey)
8799 SECKEY_DestroyPublicKey( keyPair->pubKey);
8800 PORT_Free(keyPair);
8801 }
8802 }
8803
8804
8805
8806 /*
8807 * Creates the public and private RSA keys for SSL Step down.
8808 * Called from SSL_ConfigSecureServer in sslsecur.c
8809 */
8810 SECStatus
8811 ssl3_CreateRSAStepDownKeys(sslSocket *ss)
8812 {
8813 SECStatus rv = SECSuccess;
8814 SECKEYPrivateKey * privKey; /* RSA step down key */
8815 SECKEYPublicKey * pubKey; /* RSA step down key */
8816
8817 if (ss->stepDownKeyPair)
8818 ssl3_FreeKeyPair(ss->stepDownKeyPair);
8819 ss->stepDownKeyPair = NULL;
8820 #ifndef HACKED_EXPORT_SERVER
8821 /* Sigh, should have a get key strength call for private keys */
8822 if (PK11_GetPrivateModulusLen(ss->serverCerts[kt_rsa].SERVERKEY) >
8823 EXPORT_RSA_KEY_LENGTH) {
8824 /* need to ask for the key size in bits */
8825 privKey = SECKEY_CreateRSAPrivateKey(EXPORT_RSA_KEY_LENGTH * BPB,
8826 &pubKey, NULL);
8827 if (!privKey || !pubKey ||
8828 !(ss->stepDownKeyPair = ssl3_NewKeyPair(privKey, pubKey))) {
8829 ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
8830 rv = SECFailure;
8831 }
8832 }
8833 #endif
8834 return rv;
8835 }
8836
8837
8838 /* record the export policy for this cipher suite */
8839 SECStatus
8840 ssl3_SetPolicy(ssl3CipherSuite which, int policy)
8841 {
8842 ssl3CipherSuiteCfg *suite;
8843
8844 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
8845 if (suite == NULL) {
8846 return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
8847 }
8848 suite->policy = policy;
8849
8850 if (policy == SSL_RESTRICTED) {
8851 ssl3_global_policy_some_restricted = PR_TRUE;
8852 }
8853
8854 return SECSuccess;
8855 }
8856
8857 SECStatus
8858 ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *oPolicy)
8859 {
8860 ssl3CipherSuiteCfg *suite;
8861 PRInt32 policy;
8862 SECStatus rv;
8863
8864 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
8865 if (suite) {
8866 policy = suite->policy;
8867 rv = SECSuccess;
8868 } else {
8869 policy = SSL_NOT_ALLOWED;
8870 rv = SECFailure; /* err code was set by Lookup. */
8871 }
8872 *oPolicy = policy;
8873 return rv;
8874 }
8875
8876 /* record the user preference for this suite */
8877 SECStatus
8878 ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool enabled)
8879 {
8880 ssl3CipherSuiteCfg *suite;
8881
8882 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
8883 if (suite == NULL) {
8884 return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
8885 }
8886 suite->enabled = enabled;
8887 return SECSuccess;
8888 }
8889
8890 /* return the user preference for this suite */
8891 SECStatus
8892 ssl3_CipherPrefGetDefault(ssl3CipherSuite which, PRBool *enabled)
8893 {
8894 ssl3CipherSuiteCfg *suite;
8895 PRBool pref;
8896 SECStatus rv;
8897
8898 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
8899 if (suite) {
8900 pref = suite->enabled;
8901 rv = SECSuccess;
8902 } else {
8903 pref = SSL_NOT_ALLOWED;
8904 rv = SECFailure; /* err code was set by Lookup. */
8905 }
8906 *enabled = pref;
8907 return rv;
8908 }
8909
8910 SECStatus
8911 ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool enabled)
8912 {
8913 ssl3CipherSuiteCfg *suite;
8914
8915 suite = ssl_LookupCipherSuiteCfg(which, ss->cipherSuites);
8916 if (suite == NULL) {
8917 return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
8918 }
8919 suite->enabled = enabled;
8920 return SECSuccess;
8921 }
8922
8923 SECStatus
8924 ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *enabled)
8925 {
8926 ssl3CipherSuiteCfg *suite;
8927 PRBool pref;
8928 SECStatus rv;
8929
8930 suite = ssl_LookupCipherSuiteCfg(which, ss->cipherSuites);
8931 if (suite) {
8932 pref = suite->enabled;
8933 rv = SECSuccess;
8934 } else {
8935 pref = SSL_NOT_ALLOWED;
8936 rv = SECFailure; /* err code was set by Lookup. */
8937 }
8938 *enabled = pref;
8939 return rv;
8940 }
8941
8942 /* copy global default policy into socket. */
8943 void
8944 ssl3_InitSocketPolicy(sslSocket *ss)
8945 {
8946 PORT_Memcpy(ss->cipherSuites, cipherSuites, sizeof cipherSuites);
8947 }
8948
8949 /* ssl3_config_match_init must have already been called by
8950 * the caller of this function.
8951 */
8952 SECStatus
8953 ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size)
8954 {
8955 int i, count = 0;
8956
8957 PORT_Assert(ss != 0);
8958 if (!ss) {
8959 PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
8960 return SECFailure;
8961 }
8962 if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) {
8963 *size = 0;
8964 return SECSuccess;
8965 }
8966 if (cs == NULL) {
8967 *size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE);
8968 return SECSuccess;
8969 }
8970
8971 /* ssl3_config_match_init was called by the caller of this function. */
8972 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
8973 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
8974 if (config_match(suite, SSL_ALLOWED, PR_TRUE)) {
8975 if (cs != NULL) {
8976 *cs++ = 0x00;
8977 *cs++ = (suite->cipher_suite >> 8) & 0xFF;
8978 *cs++ = suite->cipher_suite & 0xFF;
8979 }
8980 count++;
8981 }
8982 }
8983 *size = count;
8984 return SECSuccess;
8985 }
8986
8987 /*
8988 ** If ssl3 socket has completed the first handshake, and is in idle state,
8989 ** then start a new handshake.
8990 ** If flushCache is true, the SID cache will be flushed first, forcing a
8991 ** "Full" handshake (not a session restart handshake), to be done.
8992 **
8993 ** called from SSL_RedoHandshake(), which already holds the handshake locks.
8994 */
8995 SECStatus
8996 ssl3_RedoHandshake(sslSocket *ss, PRBool flushCache)
8997 {
8998 sslSessionID * sid = ss->sec.ci.sid;
8999 SECStatus rv;
9000
9001 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
9002
9003 if (!ss->firstHsDone ||
9004 ((ss->version >= SSL_LIBRARY_VERSION_3_0) &&
9005 ss->ssl3.initialized &&
9006 (ss->ssl3.hs.ws != idle_handshake))) {
9007 PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED);
9008 return SECFailure;
9009 }
9010 if (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) {
9011 PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
9012 return SECFailure;
9013 }
9014 if (sid && flushCache) {
9015 ss->sec.uncache(sid); /* remove it from whichever cache it's in. */
9016 ssl_FreeSID(sid); /* dec ref count and free if zero. */
9017 ss->sec.ci.sid = NULL;
9018 }
9019
9020 ssl_GetXmitBufLock(ss); /**************************************/
9021
9022 /* start off a new handshake. */
9023 rv = (ss->sec.isServer) ? ssl3_SendHelloRequest(ss)
9024 : ssl3_SendClientHello(ss);
9025
9026 ssl_ReleaseXmitBufLock(ss); /**************************************/
9027 return rv;
9028 }
9029
9030 /* Called from ssl_DestroySocketContents() in sslsock.c */
9031 void
9032 ssl3_DestroySSL3Info(sslSocket *ss)
9033 {
9034
9035 if (ss->ssl3.clientCertificate != NULL)
9036 CERT_DestroyCertificate(ss->ssl3.clientCertificate);
9037
9038 if (ss->ssl3.clientPrivateKey != NULL)
9039 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
9040
9041 if (ss->ssl3.peerCertArena != NULL)
9042 ssl3_CleanupPeerCerts(ss);
9043
9044 if (ss->ssl3.clientCertChain != NULL) {
9045 CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
9046 ss->ssl3.clientCertChain = NULL;
9047 }
9048
9049 /* clean up handshake */
9050 if (ss->opt.bypassPKCS11) {
9051 SHA1_DestroyContext((SHA1Context *)ss->ssl3.hs.sha_cx, PR_FALSE);
9052 MD5_DestroyContext((MD5Context *)ss->ssl3.hs.md5_cx, PR_FALSE);
9053 }
9054 if (ss->ssl3.hs.md5) {
9055 PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE);
9056 }
9057 if (ss->ssl3.hs.sha) {
9058 PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE);
9059 }
9060 if (ss->ssl3.hs.messages.buf) {
9061 PORT_Free(ss->ssl3.hs.messages.buf);
9062 ss->ssl3.hs.messages.buf = NULL;
9063 ss->ssl3.hs.messages.len = 0;
9064 ss->ssl3.hs.messages.space = 0;
9065 }
9066
9067 /* free the SSL3Buffer (msg_body) */
9068 PORT_Free(ss->ssl3.hs.msg_body.buf);
9069
9070 /* free up the CipherSpecs */
9071 ssl3_DestroyCipherSpec(&ss->ssl3.specs[0]);
9072 ssl3_DestroyCipherSpec(&ss->ssl3.specs[1]);
9073
9074 ss->ssl3.initialized = PR_FALSE;
9075 }
9076
9077 /* End of ssl3con.c */
OLDNEW
« no previous file with comments | « net/third_party/nss/ssl/ssl.rc ('k') | net/third_party/nss/ssl/ssl3ecc.c » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698