OLD | NEW |
1 commit 58913147a052b19246ac946077484d033d309287 | 1 commit c92170f883e6cfdc2c2dc6dbb49d3e6b8e9928f1 |
2 Author: Adam Langley <agl@chromium.org> | 2 Author: Adam Langley <agl@chromium.org> |
3 Date: Thu Jul 21 11:34:32 2011 -0400 | 3 Date: Thu Jul 21 11:34:32 2011 -0400 |
4 | 4 |
5 secret_extractor.patch | 5 secret_extractor.patch |
6 | 6 |
7 diff --git a/mozilla/security/nss/lib/ssl/ssl.def b/mozilla/security/nss/lib/ssl
/ssl.def | 7 diff --git a/mozilla/security/nss/lib/ssl/ssl.def b/mozilla/security/nss/lib/ssl
/ssl.def |
8 index 7ef15db..1993d3e 100644 | 8 index 7ef15db..1993d3e 100644 |
9 --- a/mozilla/security/nss/lib/ssl/ssl.def | 9 --- a/mozilla/security/nss/lib/ssl/ssl.def |
10 +++ b/mozilla/security/nss/lib/ssl/ssl.def | 10 +++ b/mozilla/security/nss/lib/ssl/ssl.def |
11 @@ -154,6 +154,7 @@ SSL_SNISocketConfigHook; | 11 @@ -154,6 +154,7 @@ SSL_SNISocketConfigHook; |
12 ;+}; | 12 ;+}; |
13 ;+NSS_CHROMIUM { | 13 ;+NSS_CHROMIUM { |
14 ;+ global: | 14 ;+ global: |
15 +SSL_ExportKeyingMaterial; | 15 +SSL_ExportKeyingMaterial; |
16 SSL_GetNextProto; | 16 SSL_GetNextProto; |
17 SSL_GetStapledOCSPResponse; | 17 SSL_GetStapledOCSPResponse; |
18 SSL_HandshakeResumedSession; | 18 SSL_HandshakeResumedSession; |
19 diff --git a/mozilla/security/nss/lib/ssl/ssl.h b/mozilla/security/nss/lib/ssl/s
sl.h | 19 diff --git a/mozilla/security/nss/lib/ssl/ssl.h b/mozilla/security/nss/lib/ssl/s
sl.h |
20 index 53ca301..1537aae 100644 | 20 index 53ca301..6b364bb 100644 |
21 --- a/mozilla/security/nss/lib/ssl/ssl.h | 21 --- a/mozilla/security/nss/lib/ssl/ssl.h |
22 +++ b/mozilla/security/nss/lib/ssl/ssl.h | 22 +++ b/mozilla/security/nss/lib/ssl/ssl.h |
23 @@ -686,6 +686,17 @@ SSL_IMPORT SECStatus SSL_GetCipherSuiteInfo(PRUint16 cipher
Suite, | 23 @@ -686,6 +686,19 @@ SSL_IMPORT SECStatus SSL_GetCipherSuiteInfo(PRUint16 cipher
Suite, |
24 /* Returnes negotiated through SNI host info. */ | 24 /* Returnes negotiated through SNI host info. */ |
25 SSL_IMPORT SECItem *SSL_GetNegotiatedHostInfo(PRFileDesc *fd); | 25 SSL_IMPORT SECItem *SSL_GetNegotiatedHostInfo(PRFileDesc *fd); |
26 | 26 |
27 +/* Export keying material according to RFC 5705. | 27 +/* Export keying material according to RFC 5705. |
28 +** fd must correspond to a TLS 1.0 or higher socket and out must | 28 +** fd must correspond to a TLS 1.0 or higher socket and out must |
29 +** already be allocated. | 29 +** already be allocated. If contextLen is zero it uses the no-context |
| 30 +** construction from the RFC. |
30 +*/ | 31 +*/ |
31 +SSL_IMPORT SECStatus SSL_ExportKeyingMaterial(PRFileDesc *fd, | 32 +SSL_IMPORT SECStatus SSL_ExportKeyingMaterial(PRFileDesc *fd, |
32 + const char *label, | 33 + const char *label, |
| 34 + unsigned int labelLen, |
33 + const unsigned char *context, | 35 + const unsigned char *context, |
34 + unsigned int contextlen, | 36 + unsigned int contextLen, |
35 + unsigned char *out, | 37 + unsigned char *out, |
36 + unsigned int outlen); | 38 + unsigned int outLen); |
37 + | 39 + |
38 /* | 40 /* |
39 ** Return a new reference to the certificate that was most recently sent | 41 ** Return a new reference to the certificate that was most recently sent |
40 ** to the peer on this SSL/TLS connection, or NULL if none has been sent. | 42 ** to the peer on this SSL/TLS connection, or NULL if none has been sent. |
41 diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/s
sl/ssl3con.c | 43 diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/s
sl/ssl3con.c |
42 index c39b8f8..dee5555 100644 | 44 index 66071d2..3bda2f3 100644 |
43 --- a/mozilla/security/nss/lib/ssl/ssl3con.c | 45 --- a/mozilla/security/nss/lib/ssl/ssl3con.c |
44 +++ b/mozilla/security/nss/lib/ssl/ssl3con.c | 46 +++ b/mozilla/security/nss/lib/ssl/ssl3con.c |
45 @@ -8442,18 +8442,17 @@ ssl3_RestartHandshakeAfterServerCert(sslSocket *ss) | 47 @@ -8443,33 +8443,33 @@ ssl3_RestartHandshakeAfterServerCert(sslSocket *ss) |
46 return rv; | 48 return rv; |
47 } | 49 } |
48 | 50 |
49 -static SECStatus | 51 -static SECStatus |
50 -ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, | 52 -ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, |
51 - PRBool isServer, | 53 - PRBool isServer, |
52 - const SSL3Finished * hashes, | 54 - const SSL3Finished * hashes, |
53 - TLSFinished * tlsFinished) | 55 - TLSFinished * tlsFinished) |
54 +/* The calling function must acquire and release the appropriate lock (i.e., | 56 +/* The calling function must acquire and release the appropriate lock (i.e., |
55 + * ssl_GetSpecReadLock / ssl_ReleaseSpecReadLock for ss->ssl3.crSpec). Any | 57 + * ssl_GetSpecReadLock / ssl_ReleaseSpecReadLock for ss->ssl3.crSpec). Any |
56 + * label must already be concatenated onto the beginning of val. | 58 + * label must already be concatenated onto the beginning of val. |
57 + */ | 59 + */ |
58 +SECStatus | 60 +SECStatus |
59 +ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label, | 61 +ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label, |
60 + unsigned int labelLen, const unsigned char *val, unsigned int valLen, | 62 + unsigned int labelLen, const unsigned char *val, unsigned int valLen, |
61 + unsigned char *out, unsigned int outLen) | 63 + unsigned char *out, unsigned int outLen) |
62 { | 64 { |
63 - const char * label; | 65 - const char * label; |
64 - unsigned int len; | 66 - unsigned int len; |
65 - SECStatus rv; | 67 - SECStatus rv; |
66 - | 68 - |
67 - label = isServer ? "server finished" : "client finished"; | 69 - label = isServer ? "server finished" : "client finished"; |
68 - len = 15; | 70 - len = 15; |
69 + SECStatus rv = SECSuccess; | 71 + SECStatus rv = SECSuccess; |
70 + unsigned int retLen; | |
71 | 72 |
72 if (spec->master_secret && !spec->bypassCiphers) { | 73 if (spec->master_secret && !spec->bypassCiphers) { |
73 SECItem param = {siBuffer, NULL, 0}; | 74 SECItem param = {siBuffer, NULL, 0}; |
74 @@ -8464,11 +8463,11 @@ ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, | 75 » PK11Context *prf_context = |
| 76 » PK11_CreateContextBySymKey(CKM_TLS_PRF_GENERAL, CKA_SIGN, |
| 77 » » » » spec->master_secret, ¶m); |
| 78 +» unsigned int retLen; |
| 79 + |
| 80 » if (!prf_context) |
75 return SECFailure; | 81 return SECFailure; |
76 | 82 |
77 rv = PK11_DigestBegin(prf_context); | 83 rv = PK11_DigestBegin(prf_context); |
78 - rv |= PK11_DigestOp(prf_context, (const unsigned char *) label, len); | 84 - rv |= PK11_DigestOp(prf_context, (const unsigned char *) label, len); |
79 - rv |= PK11_DigestOp(prf_context, hashes->md5, sizeof *hashes); | 85 - rv |= PK11_DigestOp(prf_context, hashes->md5, sizeof *hashes); |
80 - rv |= PK11_DigestFinal(prf_context, tlsFinished->verify_data, | 86 - rv |= PK11_DigestFinal(prf_context, tlsFinished->verify_data, |
81 - &len, sizeof tlsFinished->verify_data); | 87 - &len, sizeof tlsFinished->verify_data); |
82 - PORT_Assert(rv != SECSuccess || len == sizeof *tlsFinished); | 88 - PORT_Assert(rv != SECSuccess || len == sizeof *tlsFinished); |
83 + rv |= PK11_DigestOp(prf_context, (unsigned char *) label, labelLen); | 89 + rv |= PK11_DigestOp(prf_context, (unsigned char *) label, labelLen); |
84 + rv |= PK11_DigestOp(prf_context, val, valLen); | 90 + rv |= PK11_DigestOp(prf_context, val, valLen); |
85 + rv |= PK11_DigestFinal(prf_context, out, | 91 + rv |= PK11_DigestFinal(prf_context, out, |
86 + &retLen, outLen); | 92 + &retLen, outLen); |
87 + PORT_Assert(rv != SECSuccess || retLen == outLen); | 93 + PORT_Assert(rv != SECSuccess || retLen == outLen); |
88 | 94 |
89 PK11_DestroyContext(prf_context, PR_TRUE); | 95 PK11_DestroyContext(prf_context, PR_TRUE); |
90 } else { | 96 } else { |
91 @@ -8477,17 +8476,34 @@ ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, | 97 @@ -8478,17 +8478,36 @@ ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, |
92 SECItem outData = { siBuffer, }; | 98 SECItem outData = { siBuffer, }; |
93 PRBool isFIPS = PR_FALSE; | 99 PRBool isFIPS = PR_FALSE; |
94 | 100 |
95 - inData.data = (unsigned char *)hashes->md5; | 101 - inData.data = (unsigned char *)hashes->md5; |
96 - inData.len = sizeof hashes[0]; | 102 - inData.len = sizeof hashes[0]; |
97 - outData.data = tlsFinished->verify_data; | 103 - outData.data = tlsFinished->verify_data; |
98 - outData.len = sizeof tlsFinished->verify_data; | 104 - outData.len = sizeof tlsFinished->verify_data; |
99 + inData.data = (unsigned char *) val; | 105 + inData.data = (unsigned char *) val; |
100 + inData.len = valLen; | 106 + inData.len = valLen; |
101 + outData.data = out; | 107 + outData.data = out; |
102 + outData.len = outLen; | 108 + outData.len = outLen; |
103 rv = TLS_PRF(&spec->msItem, label, &inData, &outData, isFIPS); | 109 rv = TLS_PRF(&spec->msItem, label, &inData, &outData, isFIPS); |
104 - PORT_Assert(rv != SECSuccess || \ | 110 - PORT_Assert(rv != SECSuccess || \ |
105 - outData.len == sizeof tlsFinished->verify_data); | 111 - outData.len == sizeof tlsFinished->verify_data); |
106 + PORT_Assert(rv != SECSuccess || outData.len == outLen); | 112 + PORT_Assert(rv != SECSuccess || outData.len == outLen); |
107 } | 113 } |
108 return rv; | 114 return rv; |
109 } | 115 } |
110 | 116 |
111 +static SECStatus | 117 +static SECStatus |
112 +ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, | 118 +ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, |
113 + PRBool isServer, | 119 + PRBool isServer, |
114 + const SSL3Finished * hashes, | 120 + const SSL3Finished * hashes, |
115 + TLSFinished * tlsFinished) | 121 + TLSFinished * tlsFinished) |
116 +{ | 122 +{ |
117 + const char * label; | 123 + const char * label; |
118 + SECStatus rv; | 124 + SECStatus rv; |
| 125 + unsigned int len; |
119 + | 126 + |
120 + label = isServer ? "server finished" : "client finished"; | 127 + label = isServer ? "server finished" : "client finished"; |
| 128 + len = 15; |
121 + | 129 + |
122 + rv = ssl3_TLSPRFWithMasterSecret(spec, label, 15, hashes->md5, | 130 + rv = ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->md5, |
123 + sizeof *hashes, tlsFinished->verify_data, | 131 + sizeof *hashes, tlsFinished->verify_data, |
124 + sizeof tlsFinished->verify_data); | 132 + sizeof tlsFinished->verify_data); |
125 + | 133 + |
126 + return rv; | 134 + return rv; |
127 +} | 135 +} |
128 + | 136 + |
129 /* called from ssl3_HandleServerHelloDone | 137 /* called from ssl3_HandleServerHelloDone |
130 */ | 138 */ |
131 static SECStatus | 139 static SECStatus |
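Review bot: In ssl3_TLSPRFWithMasterSecret the new labelLen is only honoured on the PKCS#11 branch (`PK11_DigestOp(prf_context, (unsigned char *) label, labelLen)`); the bypass branch still calls `TLS_PRF(&spec->msItem, label, &inData, &outData, isFIPS)` with no length, so it presumably relies on label being NUL-terminated. Since SSL_ExportKeyingMaterial now forwards a caller-supplied labelLen, the two branches can produce different keying material for the same arguments whenever labelLen differs from the string length of label. Either state in the function comment that label must be NUL-terminated with labelLen equal to its string length, or reject a mismatch before the PRF is run. The header comment "Any label must already be concatenated onto the beginning of val" also contradicts the separate label parameter; something like `/* label is fed to the PRF ahead of val; callers must not prepend it to val. */` would match the code.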
132 diff --git a/mozilla/security/nss/lib/ssl/sslimpl.h b/mozilla/security/nss/lib/s
sl/sslimpl.h | 140 diff --git a/mozilla/security/nss/lib/ssl/sslimpl.h b/mozilla/security/nss/lib/s
sl/sslimpl.h |
133 index df30029..073616f 100644 | 141 index df30029..073616f 100644 |
134 --- a/mozilla/security/nss/lib/ssl/sslimpl.h | 142 --- a/mozilla/security/nss/lib/ssl/sslimpl.h |
135 +++ b/mozilla/security/nss/lib/ssl/sslimpl.h | 143 +++ b/mozilla/security/nss/lib/ssl/sslimpl.h |
136 @@ -1726,6 +1726,12 @@ SECStatus SSL_DisableDefaultExportCipherSuites(void); | 144 @@ -1726,6 +1726,12 @@ SECStatus SSL_DisableDefaultExportCipherSuites(void); |
137 SECStatus SSL_DisableExportCipherSuites(PRFileDesc * fd); | 145 SECStatus SSL_DisableExportCipherSuites(PRFileDesc * fd); |
138 PRBool SSL_IsExportCipherSuite(PRUint16 cipherSuite); | 146 PRBool SSL_IsExportCipherSuite(PRUint16 cipherSuite); |
139 | 147 |
140 +SECStatus ssl3_TLSPRFWithMasterSecret( | 148 +SECStatus ssl3_TLSPRFWithMasterSecret( |
141 + ssl3CipherSpec *spec, const char *label, | 149 + ssl3CipherSpec *spec, const char *label, |
142 + unsigned int labelLen, const unsigned char *val, | 150 + unsigned int labelLen, const unsigned char *val, |
143 + unsigned int valLen, unsigned char *out, | 151 + unsigned int valLen, unsigned char *out, |
144 + unsigned int outLen); | 152 + unsigned int outLen); |
145 + | 153 + |
146 /********************** FNV hash *********************/ | 154 /********************** FNV hash *********************/ |
147 | 155 |
148 void FNV1A64_Init(PRUint64 *digest); | 156 void FNV1A64_Init(PRUint64 *digest); |
149 diff --git a/mozilla/security/nss/lib/ssl/sslinfo.c b/mozilla/security/nss/lib/s
sl/sslinfo.c | 157 diff --git a/mozilla/security/nss/lib/ssl/sslinfo.c b/mozilla/security/nss/lib/s
sl/sslinfo.c |
150 index 96377b0..9a58b4d 100644 | 158 index 96377b0..cf870c7 100644 |
151 --- a/mozilla/security/nss/lib/ssl/sslinfo.c | 159 --- a/mozilla/security/nss/lib/ssl/sslinfo.c |
152 +++ b/mozilla/security/nss/lib/ssl/sslinfo.c | 160 +++ b/mozilla/security/nss/lib/ssl/sslinfo.c |
153 @@ -20,6 +20,7 @@ | 161 @@ -20,6 +20,7 @@ |
154 * | 162 * |
155 * Contributor(s): | 163 * Contributor(s): |
156 * Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories | 164 * Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories |
157 + * Douglas Stebila <douglas@stebila.ca> | 165 + * Douglas Stebila <douglas@stebila.ca> |
158 * | 166 * |
159 * Alternatively, the contents of this file may be used under the terms of | 167 * Alternatively, the contents of this file may be used under the terms of |
160 * either the GNU General Public License Version 2 or later (the "GPL"), or | 168 * either the GNU General Public License Version 2 or later (the "GPL"), or |
161 @@ -38,6 +39,7 @@ | 169 @@ -316,6 +317,69 @@ SSL_IsExportCipherSuite(PRUint16 cipherSuite) |
162 #include "ssl.h" | |
163 #include "sslimpl.h" | |
164 #include "sslproto.h" | |
165 +#include "pk11func.h" | |
166 | |
167 static const char * | |
168 ssl_GetCompressionMethodName(SSLCompressionMethod compression) | |
169 @@ -316,6 +318,67 @@ SSL_IsExportCipherSuite(PRUint16 cipherSuite) | |
170 return PR_FALSE; | 170 return PR_FALSE; |
171 } | 171 } |
172 | 172 |
173 +/* Export keying material according to draft-ietf-tls-extractor-06. | 173 +/* Export keying material according to RFC 5705. |
174 +** fd must correspond to a TLS 1.0 or higher socket, out must | 174 +** fd must correspond to a TLS 1.0 or higher socket, out must |
175 +** be already allocated. | 175 +** be already allocated. |
176 +*/ | 176 +*/ |
177 +SECStatus | 177 +SECStatus |
178 +SSL_ExportKeyingMaterial(PRFileDesc *fd, const char *label, | 178 +SSL_ExportKeyingMaterial(PRFileDesc *fd, |
| 179 +» » » const char *label, |
| 180 +» » » unsigned int labelLen, |
179 + const unsigned char *context, | 181 + const unsigned char *context, |
180 + unsigned int contextLen, | 182 + unsigned int contextLen, |
181 + unsigned char *out, | 183 + unsigned char *out, |
182 + unsigned int outLen) | 184 + unsigned int outLen) |
183 +{ | 185 +{ |
184 + sslSocket *ss; | 186 + sslSocket *ss; |
185 + unsigned char *val = NULL; | 187 + unsigned char *val = NULL; |
186 + unsigned int valLen, i; | 188 + unsigned int valLen, i; |
187 + SECStatus rv = SECFailure; | 189 + SECStatus rv = SECFailure; |
188 + | 190 + |
189 + ss = ssl_FindSocket(fd); | 191 + ss = ssl_FindSocket(fd); |
190 + if (!ss) { | 192 + if (!ss) { |
191 + SSL_DBG(("%d: SSL[%d]: bad socket in ExportKeyingMaterial", | 193 + SSL_DBG(("%d: SSL[%d]: bad socket in ExportKeyingMaterial", |
192 + SSL_GETPID(), fd)); | 194 + SSL_GETPID(), fd)); |
193 + return SECFailure; | 195 + return SECFailure; |
194 + } | 196 + } |
195 + | 197 + |
196 + if (ss->version < SSL_LIBRARY_VERSION_3_1_TLS) { | 198 + if (ss->version < SSL_LIBRARY_VERSION_3_1_TLS) { |
197 + PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION); | 199 + PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION); |
198 + return SECFailure; | 200 + return SECFailure; |
199 + } | 201 + } |
200 + | 202 + |
201 + if (ss->ssl3.hs.ws != idle_handshake) { | |
202 + PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED); | |
203 + return SECFailure; | |
204 + } | |
205 + | |
206 + valLen = SSL3_RANDOM_LENGTH * 2; | 203 + valLen = SSL3_RANDOM_LENGTH * 2; |
207 + if (contextLen > 0) | 204 + if (contextLen > 0) |
208 + valLen += 2 /* uint16 length */ + contextLen; | 205 + valLen += 2 /* uint16 length */ + contextLen; |
209 + val = PORT_Alloc(valLen); | 206 + val = PORT_Alloc(valLen); |
210 + if (val == NULL) | 207 + if (val == NULL) |
211 + return SECFailure; | 208 + return SECFailure; |
212 + i = 0; | 209 + i = 0; |
213 + PORT_Memcpy(val + i, &ss->ssl3.hs.client_random.rand, SSL3_RANDOM_LENGTH); | 210 + PORT_Memcpy(val + i, &ss->ssl3.hs.client_random.rand, SSL3_RANDOM_LENGTH); |
214 + i += SSL3_RANDOM_LENGTH; | 211 + i += SSL3_RANDOM_LENGTH; |
215 + PORT_Memcpy(val + i, &ss->ssl3.hs.server_random.rand, SSL3_RANDOM_LENGTH); | 212 + PORT_Memcpy(val + i, &ss->ssl3.hs.server_random.rand, SSL3_RANDOM_LENGTH); |
216 + i += SSL3_RANDOM_LENGTH; | 213 + i += SSL3_RANDOM_LENGTH; |
217 + if (contextLen > 0) { | 214 + if (contextLen > 0) { |
218 + val[i++] = contextLen >> 8; | 215 + val[i++] = contextLen >> 8; |
219 + val[i++] = contextLen; | 216 + val[i++] = contextLen; |
220 + PORT_Memcpy(val + i, context, contextLen); | 217 + PORT_Memcpy(val + i, context, contextLen); |
221 + i += contextLen; | 218 + i += contextLen; |
222 + } | 219 + } |
223 + PORT_Assert(i == valLen); | 220 + PORT_Assert(i == valLen); |
224 + | 221 + |
225 + ssl_GetSpecReadLock(ss); | 222 + ssl_GetSpecReadLock(ss); |
226 + rv = ssl3_TLSPRFWithMasterSecret(ss->ssl3.crSpec, label, strlen(label), val
, valLen, out, outLen); | 223 + if (!ss->ssl3.cwSpec->master_secret && !ss->ssl3.cwSpec->msItem.len) { |
| 224 +» PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED); |
| 225 +» rv = SECFailure; |
| 226 + } else { |
| 227 +» rv = ssl3_TLSPRFWithMasterSecret(ss->ssl3.cwSpec, label, labelLen, val, |
| 228 +» » » » » valLen, out, outLen); |
| 229 + } |
227 + ssl_ReleaseSpecReadLock(ss); | 230 + ssl_ReleaseSpecReadLock(ss); |
228 + | 231 + |
229 + if (val != NULL) | 232 + PORT_ZFree(val, valLen); |
230 +» PORT_ZFree(val, valLen); | |
231 + return rv; | 233 + return rv; |
232 +} | 234 +} |
233 + | 235 + |
234 SECItem* | 236 SECItem* |
235 SSL_GetNegotiatedHostInfo(PRFileDesc *fd) | 237 SSL_GetNegotiatedHostInfo(PRFileDesc *fd) |
236 { | 238 { |
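Review bot: SSL_ExportKeyingMaterial never bounds contextLen, although it writes it as a two-byte length (`val[i++] = contextLen >> 8; val[i++] = contextLen;`) and adds it to valLen in unsigned int arithmetic. A value above 0xFFFF gets a truncated length prefix, so the PRF input no longer carries the uint16-prefixed context the RFC 5705 comment refers to, and a value near UINT_MAX wraps valLen so that the PORT_Alloc buffer is smaller than the PORT_Memcpy of contextLen bytes that follows. A guard ahead of the valLen computation would close both, e.g. `if (contextLen > 0xFFFF || (contextLen > 0 && !context)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; }`. Separately, the new side replaces the `idle_handshake` test with a check of cwSpec's master secret under the spec read lock, while the helper's comment still names crSpec; a short comment saying which spec is intended and whether export before handshake completion is meant to be allowed would make the contract clear.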