OLD | NEW |
(Empty) | |
| 1 commit 58913147a052b19246ac946077484d033d309287 |
| 2 Author: Adam Langley <agl@chromium.org> |
| 3 Date: Thu Jul 21 11:34:32 2011 -0400 |
| 4 |
| 5 secret_extractor.patch |
| 6 |
| 7 diff --git a/mozilla/security/nss/lib/ssl/ssl.def b/mozilla/security/nss/lib/ssl
/ssl.def |
| 8 index 7ef15db..1993d3e 100644 |
| 9 --- a/mozilla/security/nss/lib/ssl/ssl.def |
| 10 +++ b/mozilla/security/nss/lib/ssl/ssl.def |
| 11 @@ -154,6 +154,7 @@ SSL_SNISocketConfigHook; |
| 12 ;+}; |
| 13 ;+NSS_CHROMIUM { |
| 14 ;+ global: |
| 15 +SSL_ExportKeyingMaterial; |
| 16 SSL_GetNextProto; |
| 17 SSL_GetStapledOCSPResponse; |
| 18 SSL_HandshakeResumedSession; |
| 19 diff --git a/mozilla/security/nss/lib/ssl/ssl.h b/mozilla/security/nss/lib/ssl/s
sl.h |
| 20 index 53ca301..1537aae 100644 |
| 21 --- a/mozilla/security/nss/lib/ssl/ssl.h |
| 22 +++ b/mozilla/security/nss/lib/ssl/ssl.h |
| 23 @@ -686,6 +686,17 @@ SSL_IMPORT SECStatus SSL_GetCipherSuiteInfo(PRUint16 cipher
Suite, |
| 24 /* Returnes negotiated through SNI host info. */ |
| 25 SSL_IMPORT SECItem *SSL_GetNegotiatedHostInfo(PRFileDesc *fd); |
| 26 |
| 27 +/* Export keying material according to RFC 5705. |
| 28 +** fd must correspond to a TLS 1.0 or higher socket and out must |
| 29 +** already be allocated. |
| 30 +*/ |
| 31 +SSL_IMPORT SECStatus SSL_ExportKeyingMaterial(PRFileDesc *fd, |
| 32 + const char *label, |
| 33 + const unsigned char *context, |
| 34 + unsigned int contextlen, |
| 35 + unsigned char *out, |
| 36 + unsigned int outlen); |
| 37 + |
| 38 /* |
| 39 ** Return a new reference to the certificate that was most recently sent |
| 40 ** to the peer on this SSL/TLS connection, or NULL if none has been sent. |
| 41 diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/s
sl/ssl3con.c |
| 42 index c39b8f8..dee5555 100644 |
| 43 --- a/mozilla/security/nss/lib/ssl/ssl3con.c |
| 44 +++ b/mozilla/security/nss/lib/ssl/ssl3con.c |
| 45 @@ -8442,18 +8442,17 @@ ssl3_RestartHandshakeAfterServerCert(sslSocket *ss) |
| 46 return rv; |
| 47 } |
| 48 |
| 49 -static SECStatus |
| 50 -ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, |
| 51 - PRBool isServer, |
| 52 - const SSL3Finished * hashes, |
| 53 - TLSFinished * tlsFinished) |
| 54 +/* The calling function must acquire and release the appropriate lock (i.e., |
| 55 + * ssl_GetSpecReadLock / ssl_ReleaseSpecReadLock for ss->ssl3.crSpec). Any |
| 56 + * label must already be concatenated onto the beginning of val. |
| 57 + */ |
| 58 +SECStatus |
| 59 +ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label, |
| 60 + unsigned int labelLen, const unsigned char *val, unsigned int valLen, |
| 61 + unsigned char *out, unsigned int outLen) |
| 62 { |
| 63 - const char * label; |
| 64 - unsigned int len; |
| 65 - SECStatus rv; |
| 66 - |
| 67 - label = isServer ? "server finished" : "client finished"; |
| 68 - len = 15; |
| 69 + SECStatus rv = SECSuccess; |
| 70 + unsigned int retLen; |
| 71 |
| 72 if (spec->master_secret && !spec->bypassCiphers) { |
| 73 SECItem param = {siBuffer, NULL, 0}; |
| 74 @@ -8464,11 +8463,11 @@ ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, |
| 75 return SECFailure; |
| 76 |
| 77 rv = PK11_DigestBegin(prf_context); |
| 78 - rv |= PK11_DigestOp(prf_context, (const unsigned char *) label, len); |
| 79 - rv |= PK11_DigestOp(prf_context, hashes->md5, sizeof *hashes); |
| 80 - rv |= PK11_DigestFinal(prf_context, tlsFinished->verify_data, |
| 81 - &len, sizeof tlsFinished->verify_data); |
| 82 - PORT_Assert(rv != SECSuccess || len == sizeof *tlsFinished); |
| 83 + rv |= PK11_DigestOp(prf_context, (unsigned char *) label, labelLen); |
| 84 + rv |= PK11_DigestOp(prf_context, val, valLen); |
| 85 + rv |= PK11_DigestFinal(prf_context, out, |
| 86 + &retLen, outLen); |
| 87 + PORT_Assert(rv != SECSuccess || retLen == outLen); |
| 88 |
| 89 PK11_DestroyContext(prf_context, PR_TRUE); |
| 90 } else { |
| 91 @@ -8477,17 +8476,34 @@ ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, |
| 92 SECItem outData = { siBuffer, }; |
| 93 PRBool isFIPS = PR_FALSE; |
| 94 |
| 95 - inData.data = (unsigned char *)hashes->md5; |
| 96 - inData.len = sizeof hashes[0]; |
| 97 - outData.data = tlsFinished->verify_data; |
| 98 - outData.len = sizeof tlsFinished->verify_data; |
| 99 + inData.data = (unsigned char *) val; |
| 100 + inData.len = valLen; |
| 101 + outData.data = out; |
| 102 + outData.len = outLen; |
| 103 rv = TLS_PRF(&spec->msItem, label, &inData, &outData, isFIPS); |
| 104 - PORT_Assert(rv != SECSuccess || \ |
| 105 - outData.len == sizeof tlsFinished->verify_data); |
| 106 + PORT_Assert(rv != SECSuccess || outData.len == outLen); |
| 107 } |
| 108 return rv; |
| 109 } |
| 110 |
| 111 +static SECStatus |
| 112 +ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, |
| 113 + PRBool isServer, |
| 114 + const SSL3Finished * hashes, |
| 115 + TLSFinished * tlsFinished) |
| 116 +{ |
| 117 + const char * label; |
| 118 + SECStatus rv; |
| 119 + |
| 120 + label = isServer ? "server finished" : "client finished"; |
| 121 + |
| 122 + rv = ssl3_TLSPRFWithMasterSecret(spec, label, 15, hashes->md5, |
| 123 + sizeof *hashes, tlsFinished->verify_data, |
| 124 + sizeof tlsFinished->verify_data); |
| 125 + |
| 126 + return rv; |
| 127 +} |
| 128 + |
| 129 /* called from ssl3_HandleServerHelloDone |
| 130 */ |
| 131 static SECStatus |
| 132 diff --git a/mozilla/security/nss/lib/ssl/sslimpl.h b/mozilla/security/nss/lib/s
sl/sslimpl.h |
| 133 index df30029..073616f 100644 |
| 134 --- a/mozilla/security/nss/lib/ssl/sslimpl.h |
| 135 +++ b/mozilla/security/nss/lib/ssl/sslimpl.h |
| 136 @@ -1726,6 +1726,12 @@ SECStatus SSL_DisableDefaultExportCipherSuites(void); |
| 137 SECStatus SSL_DisableExportCipherSuites(PRFileDesc * fd); |
| 138 PRBool SSL_IsExportCipherSuite(PRUint16 cipherSuite); |
| 139 |
| 140 +SECStatus ssl3_TLSPRFWithMasterSecret( |
| 141 + ssl3CipherSpec *spec, const char *label, |
| 142 + unsigned int labelLen, const unsigned char *val, |
| 143 + unsigned int valLen, unsigned char *out, |
| 144 + unsigned int outLen); |
| 145 + |
| 146 /********************** FNV hash *********************/ |
| 147 |
| 148 void FNV1A64_Init(PRUint64 *digest); |
| 149 diff --git a/mozilla/security/nss/lib/ssl/sslinfo.c b/mozilla/security/nss/lib/s
sl/sslinfo.c |
| 150 index 96377b0..9a58b4d 100644 |
| 151 --- a/mozilla/security/nss/lib/ssl/sslinfo.c |
| 152 +++ b/mozilla/security/nss/lib/ssl/sslinfo.c |
| 153 @@ -20,6 +20,7 @@ |
| 154 * |
| 155 * Contributor(s): |
| 156 * Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories |
| 157 + * Douglas Stebila <douglas@stebila.ca> |
| 158 * |
| 159 * Alternatively, the contents of this file may be used under the terms of |
| 160 * either the GNU General Public License Version 2 or later (the "GPL"), or |
| 161 @@ -38,6 +39,7 @@ |
| 162 #include "ssl.h" |
| 163 #include "sslimpl.h" |
| 164 #include "sslproto.h" |
| 165 +#include "pk11func.h" |
| 166 |
| 167 static const char * |
| 168 ssl_GetCompressionMethodName(SSLCompressionMethod compression) |
| 169 @@ -316,6 +318,67 @@ SSL_IsExportCipherSuite(PRUint16 cipherSuite) |
| 170 return PR_FALSE; |
| 171 } |
| 172 |
| 173 +/* Export keying material according to draft-ietf-tls-extractor-06. |
| 174 +** fd must correspond to a TLS 1.0 or higher socket, out must |
| 175 +** be already allocated. |
| 176 +*/ |
| 177 +SECStatus |
| 178 +SSL_ExportKeyingMaterial(PRFileDesc *fd, const char *label, |
| 179 + const unsigned char *context, |
| 180 + unsigned int contextLen, |
| 181 + unsigned char *out, |
| 182 + unsigned int outLen) |
| 183 +{ |
| 184 + sslSocket *ss; |
| 185 + unsigned char *val = NULL; |
| 186 + unsigned int valLen, i; |
| 187 + SECStatus rv = SECFailure; |
| 188 + |
| 189 + ss = ssl_FindSocket(fd); |
| 190 + if (!ss) { |
| 191 + SSL_DBG(("%d: SSL[%d]: bad socket in ExportKeyingMaterial", |
| 192 + SSL_GETPID(), fd)); |
| 193 + return SECFailure; |
| 194 + } |
| 195 + |
| 196 + if (ss->version < SSL_LIBRARY_VERSION_3_1_TLS) { |
| 197 + PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION); |
| 198 + return SECFailure; |
| 199 + } |
| 200 + |
| 201 + if (ss->ssl3.hs.ws != idle_handshake) { |
| 202 + PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED); |
| 203 + return SECFailure; |
| 204 + } |
| 205 + |
| 206 + valLen = SSL3_RANDOM_LENGTH * 2; |
| 207 + if (contextLen > 0) |
| 208 + valLen += 2 /* uint16 length */ + contextLen; |
| 209 + val = PORT_Alloc(valLen); |
| 210 + if (val == NULL) |
| 211 + return SECFailure; |
| 212 + i = 0; |
| 213 + PORT_Memcpy(val + i, &ss->ssl3.hs.client_random.rand, SSL3_RANDOM_LENGTH); |
| 214 + i += SSL3_RANDOM_LENGTH; |
| 215 + PORT_Memcpy(val + i, &ss->ssl3.hs.server_random.rand, SSL3_RANDOM_LENGTH); |
| 216 + i += SSL3_RANDOM_LENGTH; |
| 217 + if (contextLen > 0) { |
| 218 + val[i++] = contextLen >> 8; |
| 219 + val[i++] = contextLen; |
| 220 + PORT_Memcpy(val + i, context, contextLen); |
| 221 + i += contextLen; |
| 222 + } |
| 223 + PORT_Assert(i == valLen); |
| 224 + |
| 225 + ssl_GetSpecReadLock(ss); |
| 226 + rv = ssl3_TLSPRFWithMasterSecret(ss->ssl3.crSpec, label, strlen(label), val
, valLen, out, outLen); |
| 227 + ssl_ReleaseSpecReadLock(ss); |
| 228 + |
| 229 + if (val != NULL) |
| 230 + PORT_ZFree(val, valLen); |
| 231 + return rv; |
| 232 +} |
| 233 + |
| 234 SECItem* |
| 235 SSL_GetNegotiatedHostInfo(PRFileDesc *fd) |
| 236 { |
OLD | NEW |