net/third_party/nss/ssl/ssl3con.c - Issue 9558017: Update net/third_party/nss to NSS 3.13.3.

Unified Diff: net/third_party/nss/ssl/ssl3con.c

Issue 9558017: Update net/third_party/nss to NSS 3.13.3. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/

Patch Set: Add new files in NSS 3.13.3 Created 8 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: net/third_party/nss/ssl/ssl3con.c

===================================================================

--- net/third_party/nss/ssl/ssl3con.c (revision 124359)

+++ net/third_party/nss/ssl/ssl3con.c (working copy)

@@ -39,7 +39,7 @@

* the terms of any one of the MPL, the GPL or the LGPL.

* ***** END LICENSE BLOCK ***** */

-/* $Id: ssl3con.c,v 1.142.2.4 2010/09/01 19:47:11 wtc%google.com Exp $ */

+/* $Id: ssl3con.c,v 1.164 2012/02/17 09:50:04 kaie%kuix.de Exp $ */

#include "cert.h"

#include "ssl.h"

@@ -88,7 +88,8 @@

static SECStatus ssl3_SendServerHelloDone( sslSocket *ss);

static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss);

static SECStatus ssl3_NewHandshakeHashes( sslSocket *ss);

-static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, unsigned char *b,

+static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss,

+ const unsigned char *b,

unsigned int l);

static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen,

@@ -238,9 +239,6 @@

#define EXPORT_RSA_KEY_LENGTH 64 /* bytes */

-/* This is a hack to make sure we don't do double handshakes for US policy */

-PRBool ssl3_global_policy_some_restricted = PR_FALSE;

/* This global item is used only in servers. It is is initialized by

** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest().

@@ -930,8 +928,7 @@

key = CERT_ExtractPublicKey(cert);

if (key == NULL) {

- /* CERT_ExtractPublicKey doesn't set error code */

- PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);

+ ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);

return SECFailure;

}

@@ -2042,9 +2039,7 @@

return isPresent;

}

-/* Caller must hold the spec read lock. wrBuf is sometimes, but not always,

- * ss->sec.writeBuf.

- */

+/* Caller must hold the spec read lock. */

static SECStatus

ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec,

PRBool isServer,

@@ -2229,8 +2224,7 @@

ssl_GetSpecReadLock(ss); /********************************/

- if (nIn > 1 &&

- ss->opt.enableFalseStart &&

+ if (nIn > 1 && ss->opt.cbcRandomIV &&

ss->ssl3.cwSpec->version <= SSL_LIBRARY_VERSION_3_1_TLS &&

type == content_application_data &&

ss->ssl3.cwSpec->cipher_def->type == type_block /* CBC mode */) {

@@ -2248,7 +2242,7 @@

if (rv != SECSuccess) {

SSL_DBG(("%d: SSL3[%d]: SendRecord, tried to get %d bytes",

SSL_GETPID(), ss->fd, spaceNeeded));

- goto spec_locked_loser; /* sslBuffer_Grow set a memory error code. */

+ goto spec_locked_loser; /* sslBuffer_Grow set error code. */

}

@@ -2281,7 +2275,7 @@

ss->sec.isServer, type, pIn,

contentLen, wrBuf);

if (rv == SECSuccess) {

- PRINT_BUF(50, (ss, "send (encrypted) record data [1/1]:",

+ PRINT_BUF(50, (ss, "send (encrypted) record data:",

wrBuf->buf, wrBuf->len));

}

@@ -2617,6 +2611,40 @@

return SECFailure;

}

+static void

+ssl3_SendAlertForCertError(sslSocket * ss, PRErrorCode errCode)

+ SSL3AlertDescription desc = bad_certificate;

+ PRBool isTLS = ss->version >= SSL_LIBRARY_VERSION_3_1_TLS;

+ switch (errCode) {

+ case SEC_ERROR_LIBRARY_FAILURE: desc = unsupported_certificate; break;

+ case SEC_ERROR_EXPIRED_CERTIFICATE: desc = certificate_expired; break;

+ case SEC_ERROR_REVOKED_CERTIFICATE: desc = certificate_revoked; break;

+ case SEC_ERROR_INADEQUATE_KEY_USAGE:

+ case SEC_ERROR_INADEQUATE_CERT_TYPE:

+ desc = certificate_unknown; break;

+ case SEC_ERROR_UNTRUSTED_CERT:

+ desc = isTLS ? access_denied : certificate_unknown; break;

+ case SEC_ERROR_UNKNOWN_ISSUER:

+ case SEC_ERROR_UNTRUSTED_ISSUER:

+ desc = isTLS ? unknown_ca : certificate_unknown; break;

+ case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:

+ desc = isTLS ? unknown_ca : certificate_expired; break;

+ case SEC_ERROR_CERT_NOT_IN_NAME_SPACE:

+ case SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID:

+ case SEC_ERROR_CA_CERT_INVALID:

+ case SEC_ERROR_BAD_SIGNATURE:

+ default: desc = bad_certificate; break;

+ }

+ SSL_DBG(("%d: SSL3[%d]: peer certificate is no good: error=%d",

+ SSL_GETPID(), ss->fd, errCode));

+ (void) SSL3_SendAlert(ss, alert_fatal, desc);

* Send handshake_Failure alert. Set generic error number.

@@ -3233,7 +3261,8 @@

** Caller must hold the ssl3Handshake lock.

static SECStatus

-ssl3_UpdateHandshakeHashes(sslSocket *ss, unsigned char *b, unsigned int l)

+ssl3_UpdateHandshakeHashes(sslSocket *ss, const unsigned char *b,

+ unsigned int l)

{

SECStatus rv = SECSuccess;

@@ -3773,7 +3802,6 @@

**************************************************************************/

/* Called from ssl3_HandleHelloRequest(),

- * ssl3_HandleFinished() (for step-up)

* ssl3_RedoHandshake()

* ssl2_BeginClientHandshake (when resuming ssl3 session)

@@ -4346,6 +4374,12 @@

SECStatus rv;

SECItem wrappedKey;

SSLWrappedSymWrappingKey wswk;

+#ifdef NSS_ENABLE_ECC

+ PK11SymKey * Ks = NULL;

+ SECKEYPublicKey *pubWrapKey = NULL;

+ SECKEYPrivateKey *privWrapKey = NULL;

+ ECCWrappedKeyInfo *ecWrapped;

+#endif /* NSS_ENABLE_ECC */

svrPrivKey = ss->serverCerts[exchKeyType].SERVERKEY;

PORT_Assert(svrPrivKey != NULL);

@@ -4422,13 +4456,6 @@

/* wrap symmetric wrapping key in server's public key. */

switch (exchKeyType) {

-#ifdef NSS_ENABLE_ECC

- PK11SymKey * Ks = NULL;

- SECKEYPublicKey *pubWrapKey = NULL;

- SECKEYPrivateKey *privWrapKey = NULL;

- ECCWrappedKeyInfo *ecWrapped;

-#endif /* NSS_ENABLE_ECC */

case kt_rsa:

asymWrapMechanism = CKM_RSA_PKCS;

rv = PK11_PubWrapSymKey(asymWrapMechanism, svrPubKey,

@@ -4796,7 +4823,7 @@

if (ss->sec.peerKey == NULL) {

serverKey = CERT_ExtractPublicKey(ss->sec.peerCert);

if (serverKey == NULL) {

- PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);

+ ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);

return SECFailure;

}

} else {

@@ -5226,6 +5253,7 @@

ssl3_CopyPeerCertsFromSID(ss, sid);

}

/* NULL value for PMS signifies re-use of the old MS */

rv = ssl3_InitPendingCipherSpec(ss, NULL);

if (rv != SECSuccess) {

@@ -5640,7 +5668,7 @@

#endif /* NSS_PLATFORM_CLIENT_AUTH */

switch (rv) {

case SECWouldBlock: /* getClientAuthData has put up a dialog box. */

- ssl_SetAlwaysBlock(ss);

+ ssl3_SetAlwaysBlock(ss);

break; /* not an error */

case SECSuccess:

@@ -5786,7 +5814,7 @@

SECKEYPrivateKey * key,

CERTCertificateList *certChain)

{

- SECStatus rv = SECFailure;

+ SECStatus rv = SECSuccess;

/* XXX This code only works on the initial handshake on a connection,

** XXX It does not work on a subsequent handshake (redo).

@@ -5816,11 +5844,6 @@

(void)SSL3_SendAlert(ss, alert_warning, no_certificate);

}

- ssl_GetRecvBufLock(ss);

- if (ss->ssl3.hs.msgState.buf != NULL) {

- rv = ssl3_HandleRecord(ss, NULL, &ss->gs.buf);

- }

- ssl_ReleaseRecvBufLock(ss);

} else {

if (cert) {

CERT_DestroyCertificate(cert);

@@ -5831,22 +5854,38 @@

if (certChain) {

CERT_DestroyCertificateList(certChain);

}

+ rv = SECFailure;

}

return rv;

}

PRBool

ssl3_CanFalseStart(sslSocket *ss) {

- return ss->opt.enableFalseStart &&

- !ss->sec.isServer &&

- !ss->ssl3.hs.isResuming &&

- ss->ssl3.cwSpec &&

- ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 &&

- (ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_rsa ||

- ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_dh ||

- ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_ecdh);

+ PRBool rv;

+ PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );

+ /* XXX: does not take into account whether we are waiting for

+ * SSL_AuthCertificateComplete or SSL_RestartHandshakeAfterCertReq. If/when

+ * that is done, this function could return different results each time it

+ * would be called.

+ */

+ ssl_GetSpecReadLock(ss);

+ rv = ss->opt.enableFalseStart &&

+ !ss->sec.isServer &&

+ !ss->ssl3.hs.isResuming &&

+ ss->ssl3.cwSpec &&

+ ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 &&

+ (ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_rsa ||

+ ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_dh ||

+ ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_ecdh);

+ ssl_ReleaseSpecReadLock(ss);

+ return rv;

}

+static SECStatus ssl3_SendClientSecondRound(sslSocket *ss);

/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete

* ssl3 Server Hello Done message.

* Caller must hold Handshake and RecvBuf locks.

@@ -5856,10 +5895,6 @@

{

SECStatus rv;

SSL3WaitState ws = ss->ssl3.hs.ws;

- PRBool sendEmptyCert, sendCert;

- int n = 0, i;

- typedef SECStatus (*SendFunction)(sslSocket*);

- SendFunction send_funcs[5];

SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello_done handshake",

SSL_GETPID(), ss->fd));

@@ -5875,14 +5910,72 @@

return SECFailure;

}

+ rv = ssl3_SendClientSecondRound(ss);

+ return rv;

+/* Called from ssl3_HandleServerHelloDone and ssl3_AuthCertificateComplete.

+ *

+ * Caller must hold Handshake and RecvBuf locks.

+ */

+static SECStatus

+ssl3_SendClientSecondRound(sslSocket *ss)

+ SECStatus rv;

+ PRBool sendClientCert;

+ PRBool sendEmptyCert;

+ int n = 0, i;

+ typedef SECStatus (*SendFunction)(sslSocket*);

+ SendFunction send_funcs[5];

+ PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );

+ PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );

+ sendClientCert = !ss->ssl3.sendEmptyCert &&

+ ss->ssl3.clientCertChain != NULL &&

+ (ss->ssl3.platformClientKey ||

+ ss->ssl3.clientPrivateKey != NULL);

+ /* We must wait for the server's certificate to be authenticated before

+ * sending the client certificate in order to disclosing the client

+ * certificate to an attacker that does not have a valid cert for the

+ * domain we are connecting to.

+ *

+ * XXX: We should do the same for the NPN extension, but for that we

+ * need an option to give the application the ability to leak the NPN

+ * information to get better performance.

+ *

+ * During the initial handshake on a connection, we never send/receive

+ * application data until we have authenticated the server's certificate;

Ryan Sleevi 2012/03/02 01:30:18 Is this true, especially in the context of false s

wtc 2012/03/02 23:06:17 Yes. False start is disabled on line 8306 as a pr

+ * i.e. we have fully authenticated the handshake before using the cipher

+ * specs agreed upon for that handshake. During a renegotiation, we may

+ * continue sending and receiving application data during the handshake

+ * interleaved with the handshake records. If we were to send the client's

+ * second round for a renegotiation before the server's certificate was

+ * authenticated, then the application data sent/received after this point

+ * would be using cipher spec that hadn't been authenticated. By waiting

+ * until the server's certificate has been authenticated during

+ * renegotiations, we ensure that renegotiations have the same property

+ * as initial handshakes; i.e. we have fully authenticated the handshake

+ * before using the cipher specs agreed upon for that handshake for

+ * application data.

+ */

+ if (ss->ssl3.hs.restartTarget) {

+ PR_NOT_REACHED("unexpected ss->ssl3.hs.restartTarget");

+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);

+ return SECFailure;

+ }

+ if (ss->ssl3.hs.authCertificatePending &&

+ (sendClientCert || ss->ssl3.sendEmptyCert || ss->firstHsDone)) {

+ ss->ssl3.hs.restartTarget = ssl3_SendClientSecondRound;

+ return SECWouldBlock;

+ }

ssl_GetXmitBufLock(ss); /*******************************/

sendEmptyCert = ss->ssl3.sendEmptyCert;

ss->ssl3.sendEmptyCert = PR_FALSE;

- sendCert = !sendEmptyCert &&

- ss->ssl3.clientCertChain != NULL &&

- (ss->ssl3.platformClientKey ||

- ss->ssl3.clientPrivateKey != NULL);

if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {

send_funcs[n++] = ssl3_SendClientKeyExchange;

@@ -5890,7 +5983,7 @@

if (sendEmptyCert) {

send_funcs[n++] = ssl3_SendEmptyCertificate;

}

- if (sendCert) {

+ if (sendClientCert) {

send_funcs[n++] = ssl3_SendCertificate;

send_funcs[n++] = ssl3_SendCertificateVerify;

}

@@ -5898,11 +5991,11 @@

if (sendEmptyCert) {

send_funcs[n++] = ssl3_SendEmptyCertificate;

}

- if (sendCert) {

+ if (sendClientCert) {

send_funcs[n++] = ssl3_SendCertificate;

}

send_funcs[n++] = ssl3_SendClientKeyExchange;

- if (sendCert) {

+ if (sendClientCert) {

send_funcs[n++] = ssl3_SendCertificateVerify;

}

send_funcs[n++] = ssl3_SendChangeCipherSpecs;

@@ -5917,8 +6010,9 @@

}

- /* We don't send NPN in a renegotiation as it's explicitly disallowed by

- * the spec. */

+ /* XXX: If the server's certificate hasn't been authenticated by this

+ * point, then we may be leaking this NPN message to an attacker.

+ */

if (!ss->firstHsDone) {

rv = ssl3_SendNextProto(ss);

if (rv != SECSuccess) {

@@ -7899,69 +7993,6 @@

}

- if (ss->ssl3.cachedInfoCertChainDigestReceived) {

- /* Compute hash. */

- PRUint64 certChainHash;

- int i;

- FNV1A64_Init(&certChainHash);

- for (i = 0; i < certChain->len; i++) {

- unsigned int certLen = certChain->certs[i].len;

- unsigned char certLenArray[3] = {

- certLen >> 16,

- certLen >> 8,

- certLen

- };

- FNV1A64_Update(&certChainHash, certLenArray, sizeof(certLenArray));

- FNV1A64_Update(&certChainHash, certChain->certs[i].data, certLen);

- }

- FNV1A64_Final(&certChainHash);

- /* Both |&certChainHash| and |ss->ssl3.certChainDigest| should be in

- * network byte order since both are computed with the FNV1A64 hash,

- * which calls the function htonll.

- */

- if (memcmp(&certChainHash, ss->ssl3.certChainDigest,

- sizeof(certChainHash)) == 0) {

- /* The client correctly predicted the certificate chain. */

- /* Handshake type: certificate. */

- rv = ssl3_AppendHandshakeNumber(ss, certificate, 1);

- if (rv != SECSuccess) {