Chromium Code Reviews| OLD | NEW |
|---|---|
| 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ | |
| 1 /* | 2 /* |
| 2 * SSL3 Protocol | 3 * SSL3 Protocol |
| 3 * | 4 * |
| 4 * ***** BEGIN LICENSE BLOCK ***** | 5 * ***** BEGIN LICENSE BLOCK ***** |
| 5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 6 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
| 6 * | 7 * |
| 7 * The contents of this file are subject to the Mozilla Public License Version | 8 * The contents of this file are subject to the Mozilla Public License Version |
| 8 * 1.1 (the "License"); you may not use this file except in compliance with | 9 * 1.1 (the "License"); you may not use this file except in compliance with |
| 9 * the License. You may obtain a copy of the License at | 10 * the License. You may obtain a copy of the License at |
| 10 * http://www.mozilla.org/MPL/ | 11 * http://www.mozilla.org/MPL/ |
| (...skipping 21 matching lines...) Expand all Loading... | |
| 32 * in which case the provisions of the GPL or the LGPL are applicable instead | 33 * in which case the provisions of the GPL or the LGPL are applicable instead |
| 33 * of those above. If you wish to allow use of your version of this file only | 34 * of those above. If you wish to allow use of your version of this file only |
| 34 * under the terms of either the GPL or the LGPL, and not to allow others to | 35 * under the terms of either the GPL or the LGPL, and not to allow others to |
| 35 * use your version of this file under the terms of the MPL, indicate your | 36 * use your version of this file under the terms of the MPL, indicate your |
| 36 * decision by deleting the provisions above and replace them with the notice | 37 * decision by deleting the provisions above and replace them with the notice |
| 37 * and other provisions required by the GPL or the LGPL. If you do not delete | 38 * and other provisions required by the GPL or the LGPL. If you do not delete |
| 38 * the provisions above, a recipient may use your version of this file under | 39 * the provisions above, a recipient may use your version of this file under |
| 39 * the terms of any one of the MPL, the GPL or the LGPL. | 40 * the terms of any one of the MPL, the GPL or the LGPL. |
| 40 * | 41 * |
| 41 * ***** END LICENSE BLOCK ***** */ | 42 * ***** END LICENSE BLOCK ***** */ |
| 42 /* $Id: ssl3con.c,v 1.164 2012/02/17 09:50:04 kaie%kuix.de Exp $ */ | 43 /* $Id: ssl3con.c,v 1.173 2012/03/18 00:31:19 wtc%google.com Exp $ */ |
| 43 | 44 |
| 44 #include "cert.h" | 45 #include "cert.h" |
| 45 #include "ssl.h" | 46 #include "ssl.h" |
| 46 #include "cryptohi.h" /* for DSAU_ stuff */ | 47 #include "cryptohi.h" /* for DSAU_ stuff */ |
| 47 #include "keyhi.h" | 48 #include "keyhi.h" |
| 48 #include "secder.h" | 49 #include "secder.h" |
| 49 #include "secitem.h" | 50 #include "secitem.h" |
| 50 | 51 |
| 51 #include "sslimpl.h" | 52 #include "sslimpl.h" |
| 52 #include "sslproto.h" | 53 #include "sslproto.h" |
| (...skipping 82 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 135 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 136 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 136 { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 137 { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 137 #ifdef NSS_ENABLE_ECC | 138 #ifdef NSS_ENABLE_ECC |
| 138 { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 139 { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 139 { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 140 { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 140 { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 141 { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 141 { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 142 { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 142 #endif /* NSS_ENABLE_ECC */ | 143 #endif /* NSS_ENABLE_ECC */ |
| 143 { TLS_RSA_WITH_SEED_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 144 { TLS_RSA_WITH_SEED_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 144 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 145 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 146 { SSL_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | |
| 145 { SSL_RSA_WITH_RC4_128_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, | 147 { SSL_RSA_WITH_RC4_128_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, |
| 146 { SSL_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | |
| 147 { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 148 { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 148 | 149 |
| 149 #ifdef NSS_ENABLE_ECC | 150 #ifdef NSS_ENABLE_ECC |
| 150 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 151 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 151 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 152 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 152 #endif /* NSS_ENABLE_ECC */ | 153 #endif /* NSS_ENABLE_ECC */ |
| 153 { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 154 { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 154 { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 155 { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 155 #ifdef NSS_ENABLE_ECC | 156 #ifdef NSS_ENABLE_ECC |
| 156 { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 157 { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| (...skipping 474 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 631 int numPresent = 0; | 632 int numPresent = 0; |
| 632 int numEnabled = 0; | 633 int numEnabled = 0; |
| 633 PRBool isServer; | 634 PRBool isServer; |
| 634 sslServerCerts *svrAuth; | 635 sslServerCerts *svrAuth; |
| 635 | 636 |
| 636 PORT_Assert(ss); | 637 PORT_Assert(ss); |
| 637 if (!ss) { | 638 if (!ss) { |
| 638 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 639 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 639 return 0; | 640 return 0; |
| 640 } | 641 } |
| 641 if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) { | 642 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) { |
| 642 return 0; | 643 return 0; |
| 643 } | 644 } |
| 644 isServer = (PRBool)(ss->sec.isServer != 0); | 645 isServer = (PRBool)(ss->sec.isServer != 0); |
| 645 | 646 |
| 646 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { | 647 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
| 647 suite = &ss->cipherSuites[i]; | 648 suite = &ss->cipherSuites[i]; |
| 648 if (suite->enabled) { | 649 if (suite->enabled) { |
| 649 ++numEnabled; | 650 ++numEnabled; |
| 650 /* We need the cipher defs to see if we have a token that can handle | 651 /* We need the cipher defs to see if we have a token that can handle |
| 651 * this cipher. It isn't part of the static definition. | 652 * this cipher. It isn't part of the static definition. |
| (...skipping 83 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 735 suite->policy <= policy); | 736 suite->policy <= policy); |
| 736 } | 737 } |
| 737 | 738 |
| 738 /* return number of cipher suites that match policy and enabled state */ | 739 /* return number of cipher suites that match policy and enabled state */ |
| 739 /* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */ | 740 /* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */ |
| 740 static int | 741 static int |
| 741 count_cipher_suites(sslSocket *ss, int policy, PRBool enabled) | 742 count_cipher_suites(sslSocket *ss, int policy, PRBool enabled) |
| 742 { | 743 { |
| 743 int i, count = 0; | 744 int i, count = 0; |
| 744 | 745 |
| 745 if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) { | 746 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) { |
| 746 return 0; | 747 return 0; |
| 747 } | 748 } |
| 748 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { | 749 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
| 749 if (config_match(&ss->cipherSuites[i], policy, enabled)) | 750 if (config_match(&ss->cipherSuites[i], policy, enabled)) |
| 750 count++; | 751 count++; |
| 751 } | 752 } |
| 752 if (count <= 0) { | 753 if (count <= 0) { |
| 753 PORT_SetError(SSL_ERROR_SSL_DISABLED); | 754 PORT_SetError(SSL_ERROR_SSL_DISABLED); |
| 754 } | 755 } |
| 755 return count; | 756 return count; |
| 756 } | 757 } |
| 757 | 758 |
| 758 static PRBool | |
| 759 anyRestrictedEnabled(sslSocket *ss) | |
| 760 { | |
| 761 int i; | |
| 762 | |
| 763 if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) { | |
| 764 return PR_FALSE; | |
| 765 } | |
| 766 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { | |
| 767 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; | |
| 768 if (suite->policy == SSL_RESTRICTED && | |
| 769 suite->enabled && | |
| 770 suite->isPresent) | |
| 771 return PR_TRUE; | |
| 772 } | |
| 773 return PR_FALSE; | |
| 774 } | |
| 775 | |
| 776 /* | 759 /* |
| 777 * Null compression, mac and encryption functions | 760 * Null compression, mac and encryption functions |
| 778 */ | 761 */ |
| 779 | 762 |
| 780 static SECStatus | 763 static SECStatus |
| 781 Null_Cipher(void *ctx, unsigned char *output, int *outputLen, int maxOutputLen, | 764 Null_Cipher(void *ctx, unsigned char *output, int *outputLen, int maxOutputLen, |
| 782 const unsigned char *input, int inputLen) | 765 const unsigned char *input, int inputLen) |
| 783 { | 766 { |
| 784 *outputLen = inputLen; | 767 *outputLen = inputLen; |
| 785 if (input != output) | 768 if (input != output) |
| 786 PORT_Memcpy(output, input, inputLen); | 769 PORT_Memcpy(output, input, inputLen); |
| 787 return SECSuccess; | 770 return SECSuccess; |
| 788 } | 771 } |
| 789 | 772 |
| 790 /* | 773 /* |
| 791 * SSL3 Utility functions | 774 * SSL3 Utility functions |
| 792 */ | 775 */ |
| 793 | 776 |
| 777 /* allowLargerPeerVersion controls whether the function will select the | |
| 778 * highest enabled SSL version or fail when peerVersion is greater than the | |
| 779 * highest enabled version. | |
| 780 * | |
| 781 * If allowLargerPeerVersion is true, peerVersion is the peer's highest | |
| 782 * enabled version rather than the peer's selected version. | |
| 783 */ | |
| 794 SECStatus | 784 SECStatus |
| 795 ssl3_NegotiateVersion(sslSocket *ss, SSL3ProtocolVersion peerVersion) | 785 ssl3_NegotiateVersion(sslSocket *ss, SSL3ProtocolVersion peerVersion, |
| 786 » » PRBool allowLargerPeerVersion) | |
| 796 { | 787 { |
| 797 SSL3ProtocolVersion version; | 788 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) { |
| 798 SSL3ProtocolVersion maxVersion; | |
| 799 | |
| 800 if (ss->opt.enableTLS) { | |
| 801 » maxVersion = SSL_LIBRARY_VERSION_3_1_TLS; | |
| 802 } else if (ss->opt.enableSSL3) { | |
| 803 » maxVersion = SSL_LIBRARY_VERSION_3_0; | |
| 804 } else { | |
| 805 » /* what are we doing here? */ | |
| 806 » PORT_Assert(ss->opt.enableSSL3 || ss->opt.enableTLS); | |
| 807 PORT_SetError(SSL_ERROR_SSL_DISABLED); | 789 PORT_SetError(SSL_ERROR_SSL_DISABLED); |
| 808 return SECFailure; | 790 return SECFailure; |
| 809 } | 791 } |
| 810 | 792 |
| 811 ss->version = version = PR_MIN(maxVersion, peerVersion); | 793 if (peerVersion < ss->vrange.min || |
| 812 | 794 » (peerVersion > ss->vrange.max && !allowLargerPeerVersion)) { |
| 813 if ((version == SSL_LIBRARY_VERSION_3_1_TLS && ss->opt.enableTLS) || | 795 » PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP); |
| 814 » (version == SSL_LIBRARY_VERSION_3_0 && ss->opt.enableSSL3)) { | 796 » return SECFailure; |
| 815 » return SECSuccess; | |
| 816 } | 797 } |
| 817 | 798 |
| 818 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP); | 799 ss->version = PR_MIN(peerVersion, ss->vrange.max); |
| 819 return SECFailure; | 800 PORT_Assert(ssl3_VersionIsSupported(ssl_variant_stream, ss->version)); |
| 820 | 801 |
| 802 return SECSuccess; | |
| 821 } | 803 } |
| 822 | 804 |
| 823 static SECStatus | 805 static SECStatus |
| 824 ssl3_GetNewRandom(SSL3Random *random) | 806 ssl3_GetNewRandom(SSL3Random *random) |
| 825 { | 807 { |
| 826 PRUint32 gmt = ssl_Time(); | 808 PRUint32 gmt = ssl_Time(); |
| 827 SECStatus rv; | 809 SECStatus rv; |
| 828 | 810 |
| 829 random->rand[0] = (unsigned char)(gmt >> 24); | 811 random->rand[0] = (unsigned char)(gmt >> 24); |
| 830 random->rand[1] = (unsigned char)(gmt >> 16); | 812 random->rand[1] = (unsigned char)(gmt >> 16); |
| (...skipping 595 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1426 } | 1408 } |
| 1427 | 1409 |
| 1428 /* Initialize encryption and MAC contexts for pending spec. | 1410 /* Initialize encryption and MAC contexts for pending spec. |
| 1429 * Master Secret already is derived in spec->msItem | 1411 * Master Secret already is derived in spec->msItem |
| 1430 * Caller holds Spec write lock. | 1412 * Caller holds Spec write lock. |
| 1431 */ | 1413 */ |
| 1432 static SECStatus | 1414 static SECStatus |
| 1433 ssl3_InitPendingContextsBypass(sslSocket *ss) | 1415 ssl3_InitPendingContextsBypass(sslSocket *ss) |
| 1434 { | 1416 { |
| 1435 ssl3CipherSpec * pwSpec; | 1417 ssl3CipherSpec * pwSpec; |
| 1436 const ssl3BulkCipherDef *cipher_def; | 1418 const ssl3BulkCipherDef *cipher_def; |
| 1437 void * serverContext = NULL; | 1419 void * serverContext = NULL; |
| 1438 void * clientContext = NULL; | 1420 void * clientContext = NULL; |
| 1439 BLapiInitContextFunc initFn = (BLapiInitContextFunc)NULL; | 1421 BLapiInitContextFunc initFn = (BLapiInitContextFunc)NULL; |
| 1440 int mode = 0; | 1422 int mode = 0; |
| 1441 unsigned int optArg1 = 0; | 1423 unsigned int optArg1 = 0; |
| 1442 unsigned int optArg2 = 0; | 1424 unsigned int optArg2 = 0; |
| 1443 PRBool server_encrypts = ss->sec.isServer; | 1425 PRBool server_encrypts = ss->sec.isServer; |
| 1444 CK_ULONG macLength; | 1426 CK_ULONG macLength; |
| 1445 SSLCipherAlgorithm calg; | 1427 SSLCipherAlgorithm calg; |
| 1446 SSLCompressionMethod compression_method; | 1428 SSLCompressionMethod compression_method; |
| (...skipping 168 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1615 } | 1597 } |
| 1616 | 1598 |
| 1617 /* Initialize encryption and MAC contexts for pending spec. | 1599 /* Initialize encryption and MAC contexts for pending spec. |
| 1618 * Master Secret already is derived. | 1600 * Master Secret already is derived. |
| 1619 * Caller holds Spec write lock. | 1601 * Caller holds Spec write lock. |
| 1620 */ | 1602 */ |
| 1621 static SECStatus | 1603 static SECStatus |
| 1622 ssl3_InitPendingContextsPKCS11(sslSocket *ss) | 1604 ssl3_InitPendingContextsPKCS11(sslSocket *ss) |
| 1623 { | 1605 { |
| 1624 ssl3CipherSpec * pwSpec; | 1606 ssl3CipherSpec * pwSpec; |
| 1625 const ssl3BulkCipherDef *cipher_def; | 1607 const ssl3BulkCipherDef *cipher_def; |
| 1626 PK11Context * serverContext = NULL; | 1608 PK11Context * serverContext = NULL; |
| 1627 PK11Context * clientContext = NULL; | 1609 PK11Context * clientContext = NULL; |
| 1628 SECItem * param; | 1610 SECItem * param; |
| 1629 CK_MECHANISM_TYPE mechanism; | 1611 CK_MECHANISM_TYPE mechanism; |
| 1630 CK_MECHANISM_TYPE mac_mech; | 1612 CK_MECHANISM_TYPE mac_mech; |
| 1631 CK_ULONG macLength; | 1613 CK_ULONG macLength; |
| 1632 CK_ULONG effKeyBits; | 1614 CK_ULONG effKeyBits; |
| 1633 SECItem iv; | 1615 SECItem iv; |
| 1634 SECItem mac_param; | 1616 SECItem mac_param; |
| 1635 SSLCipherAlgorithm calg; | 1617 SSLCipherAlgorithm calg; |
| (...skipping 407 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 2043 static SECStatus | 2025 static SECStatus |
| 2044 ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec, | 2026 ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec, |
| 2045 PRBool isServer, | 2027 PRBool isServer, |
| 2046 SSL3ContentType type, | 2028 SSL3ContentType type, |
| 2047 const SSL3Opaque * pIn, | 2029 const SSL3Opaque * pIn, |
| 2048 PRUint32 contentLen, | 2030 PRUint32 contentLen, |
| 2049 sslBuffer * wrBuf) | 2031 sslBuffer * wrBuf) |
| 2050 { | 2032 { |
| 2051 const ssl3BulkCipherDef * cipher_def; | 2033 const ssl3BulkCipherDef * cipher_def; |
| 2052 SECStatus rv; | 2034 SECStatus rv; |
| 2053 PRUint32 macLen = 0; | 2035 PRUint32 macLen = 0; |
| 2054 PRUint32 fragLen; | 2036 PRUint32 fragLen; |
| 2055 PRUint32 p1Len, p2Len, oddLen = 0; | 2037 PRUint32 p1Len, p2Len, oddLen = 0; |
| 2056 PRInt32 cipherBytes = 0; | 2038 int ivLen = 0; |
| 2039 int cipherBytes = 0; | |
| 2057 | 2040 |
| 2058 cipher_def = cwSpec->cipher_def; | 2041 cipher_def = cwSpec->cipher_def; |
| 2059 | 2042 |
| 2043 if (cipher_def->type == type_block && | |
| 2044 cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { | |
| 2045 /* Prepend the per-record explicit IV using technique 2b from | |
| 2046 * RFC 4346 section 6.2.3.2: The IV is a cryptographically | |
| 2047 * strong random number XORed with the CBC residue from the previous | |
| 2048 * record. | |
| 2049 */ | |
| 2050 ivLen = cipher_def->iv_size; | |
| 2051 if (ivLen > wrBuf->space - SSL3_RECORD_HEADER_LENGTH) { | |
| 2052 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | |
| 2053 return SECFailure; | |
| 2054 } | |
| 2055 rv = PK11_GenerateRandom(wrBuf->buf + SSL3_RECORD_HEADER_LENGTH, ivLen); | |
| 2056 if (rv != SECSuccess) { | |
| 2057 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE); | |
| 2058 return rv; | |
| 2059 } | |
| 2060 rv = cwSpec->encode( cwSpec->encodeContext, | |
| 2061 wrBuf->buf + SSL3_RECORD_HEADER_LENGTH, | |
| 2062 &cipherBytes, /* output and actual outLen */ | |
| 2063 ivLen, /* max outlen */ | |
| 2064 wrBuf->buf + SSL3_RECORD_HEADER_LENGTH, | |
| 2065 ivLen); /* input and inputLen*/ | |
| 2066 if (rv != SECSuccess || cipherBytes != ivLen) { | |
| 2067 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); | |
| 2068 return SECFailure; | |
| 2069 } | |
| 2070 } | |
| 2071 | |
| 2060 if (cwSpec->compressor) { | 2072 if (cwSpec->compressor) { |
| 2061 int outlen; | 2073 int outlen; |
| 2062 rv = cwSpec->compressor( | 2074 rv = cwSpec->compressor( |
| 2063 » cwSpec->compressContext, wrBuf->buf + SSL3_RECORD_HEADER_LENGTH, | 2075 » cwSpec->compressContext, |
| 2064 » &outlen, wrBuf->space - SSL3_RECORD_HEADER_LENGTH, pIn, contentLen); | 2076 » wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen, &outlen, |
| 2077 » wrBuf->space - SSL3_RECORD_HEADER_LENGTH - ivLen, pIn, contentLen); | |
| 2065 if (rv != SECSuccess) | 2078 if (rv != SECSuccess) |
| 2066 return rv; | 2079 return rv; |
| 2067 » pIn = wrBuf->buf + SSL3_RECORD_HEADER_LENGTH; | 2080 » pIn = wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen; |
| 2068 contentLen = outlen; | 2081 contentLen = outlen; |
| 2069 } | 2082 } |
| 2070 | 2083 |
| 2071 /* | 2084 /* |
| 2072 * Add the MAC | 2085 * Add the MAC |
| 2073 */ | 2086 */ |
| 2074 rv = ssl3_ComputeRecordMAC( cwSpec, isServer, | 2087 rv = ssl3_ComputeRecordMAC( cwSpec, isServer, |
| 2075 type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen, | 2088 type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen, |
| 2076 » wrBuf->buf + contentLen + SSL3_RECORD_HEADER_LENGTH, &macLen); | 2089 » wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen + contentLen, &macLen); |
| 2077 if (rv != SECSuccess) { | 2090 if (rv != SECSuccess) { |
| 2078 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); | 2091 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); |
| 2079 return SECFailure; | 2092 return SECFailure; |
| 2080 } | 2093 } |
| 2081 p1Len = contentLen; | 2094 p1Len = contentLen; |
| 2082 p2Len = macLen; | 2095 p2Len = macLen; |
| 2083 fragLen = contentLen + macLen; /* needs to be encrypted */ | 2096 fragLen = contentLen + macLen; /* needs to be encrypted */ |
| 2084 PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); | 2097 PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); |
| 2085 | 2098 |
| 2086 /* | 2099 /* |
| 2087 * Pad the text (if we're doing a block cipher) | 2100 * Pad the text (if we're doing a block cipher) |
| 2088 * then Encrypt it | 2101 * then Encrypt it |
| 2089 */ | 2102 */ |
| 2090 if (cipher_def->type == type_block) { | 2103 if (cipher_def->type == type_block) { |
| 2091 unsigned char * pBuf; | 2104 unsigned char * pBuf; |
| 2092 int padding_length; | 2105 int padding_length; |
| 2093 int i; | 2106 int i; |
| 2094 | 2107 |
| 2095 oddLen = contentLen % cipher_def->block_size; | 2108 oddLen = contentLen % cipher_def->block_size; |
| 2096 /* Assume blockSize is a power of two */ | 2109 /* Assume blockSize is a power of two */ |
| 2097 padding_length = cipher_def->block_size - 1 - | 2110 padding_length = cipher_def->block_size - 1 - |
| 2098 ((fragLen) & (cipher_def->block_size - 1)); | 2111 ((fragLen) & (cipher_def->block_size - 1)); |
| 2099 fragLen += padding_length + 1; | 2112 fragLen += padding_length + 1; |
| 2100 PORT_Assert((fragLen % cipher_def->block_size) == 0); | 2113 PORT_Assert((fragLen % cipher_def->block_size) == 0); |
| 2101 | 2114 |
| 2102 /* Pad according to TLS rules (also acceptable to SSL3). */ | 2115 /* Pad according to TLS rules (also acceptable to SSL3). */ |
| 2103 » pBuf = &wrBuf->buf[fragLen + SSL3_RECORD_HEADER_LENGTH - 1]; | 2116 » pBuf = &wrBuf->buf[SSL3_RECORD_HEADER_LENGTH + ivLen + fragLen - 1]; |
| 2104 for (i = padding_length + 1; i > 0; --i) { | 2117 for (i = padding_length + 1; i > 0; --i) { |
| 2105 *pBuf-- = padding_length; | 2118 *pBuf-- = padding_length; |
| 2106 } | 2119 } |
| 2107 /* now, if contentLen is not a multiple of block size, fix it */ | 2120 /* now, if contentLen is not a multiple of block size, fix it */ |
| 2108 p2Len = fragLen - p1Len; | 2121 p2Len = fragLen - p1Len; |
| 2109 } | 2122 } |
| 2110 if (p1Len < 256) { | 2123 if (p1Len < 256) { |
| 2111 oddLen = p1Len; | 2124 oddLen = p1Len; |
| 2112 p1Len = 0; | 2125 p1Len = 0; |
| 2113 } else { | 2126 } else { |
| 2114 p1Len -= oddLen; | 2127 p1Len -= oddLen; |
| 2115 } | 2128 } |
| 2116 if (oddLen) { | 2129 if (oddLen) { |
| 2117 p2Len += oddLen; | 2130 p2Len += oddLen; |
| 2118 PORT_Assert( (cipher_def->block_size < 2) || \ | 2131 PORT_Assert( (cipher_def->block_size < 2) || \ |
| 2119 (p2Len % cipher_def->block_size) == 0); | 2132 (p2Len % cipher_def->block_size) == 0); |
| 2120 » memmove(wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + p1Len, | 2133 » memmove(wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen + p1Len, |
| 2121 pIn + p1Len, oddLen); | 2134 pIn + p1Len, oddLen); |
| 2122 } | 2135 } |
| 2123 if (p1Len > 0) { | 2136 if (p1Len > 0) { |
| 2137 int cipherBytesPart1 = -1; | |
| 2124 rv = cwSpec->encode( cwSpec->encodeContext, | 2138 rv = cwSpec->encode( cwSpec->encodeContext, |
| 2125 » wrBuf->buf + SSL3_RECORD_HEADER_LENGTH, /* output */ | 2139 » wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen, /* output */ |
| 2126 » &cipherBytes, /* actual outlen */ | 2140 » &cipherBytesPart1, /* actual outlen */ |
| 2127 p1Len, /* max outlen */ | 2141 p1Len, /* max outlen */ |
| 2128 pIn, p1Len); /* input, and inputlen */ | 2142 pIn, p1Len); /* input, and inputlen */ |
| 2129 » PORT_Assert(rv == SECSuccess && cipherBytes == p1Len); | 2143 » PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len); |
| 2130 » if (rv != SECSuccess || cipherBytes != p1Len) { | 2144 » if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) { |
| 2131 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); | 2145 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
| 2132 return SECFailure; | 2146 return SECFailure; |
| 2133 } | 2147 } |
| 2148 cipherBytes += cipherBytesPart1; | |
| 2134 } | 2149 } |
| 2135 if (p2Len > 0) { | 2150 if (p2Len > 0) { |
| 2136 » PRInt32 cipherBytesPart2 = -1; | 2151 » int cipherBytesPart2 = -1; |
| 2137 rv = cwSpec->encode( cwSpec->encodeContext, | 2152 rv = cwSpec->encode( cwSpec->encodeContext, |
| 2138 » wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + p1Len, | 2153 » wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen + p1Len, |
| 2139 &cipherBytesPart2, /* output and actual outLen */ | 2154 &cipherBytesPart2, /* output and actual outLen */ |
| 2140 p2Len, /* max outlen */ | 2155 p2Len, /* max outlen */ |
| 2141 » wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + p1Len, | 2156 » wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen + p1Len, |
| 2142 p2Len); /* input and inputLen*/ | 2157 p2Len); /* input and inputLen*/ |
| 2143 » PORT_Assert(rv == SECSuccess && cipherBytesPart2 == p2Len); | 2158 » PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len); |
| 2144 » if (rv != SECSuccess || cipherBytesPart2 != p2Len) { | 2159 » if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) { |
| 2145 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); | 2160 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
| 2146 return SECFailure; | 2161 return SECFailure; |
| 2147 } | 2162 } |
| 2148 cipherBytes += cipherBytesPart2; | 2163 cipherBytes += cipherBytesPart2; |
| 2149 } | 2164 } |
| 2150 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024); | 2165 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024); |
| 2151 | 2166 |
| 2152 ssl3_BumpSequenceNumber(&cwSpec->write_seq_num); | 2167 ssl3_BumpSequenceNumber(&cwSpec->write_seq_num); |
| 2153 | 2168 |
| 2154 wrBuf->len = cipherBytes + SSL3_RECORD_HEADER_LENGTH; | 2169 wrBuf->len = cipherBytes + SSL3_RECORD_HEADER_LENGTH; |
| (...skipping 63 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 2218 } | 2233 } |
| 2219 | 2234 |
| 2220 while (nIn > 0) { | 2235 while (nIn > 0) { |
| 2221 PRUint32 contentLen = PR_MIN(nIn, MAX_FRAGMENT_LENGTH); | 2236 PRUint32 contentLen = PR_MIN(nIn, MAX_FRAGMENT_LENGTH); |
| 2222 unsigned int spaceNeeded; | 2237 unsigned int spaceNeeded; |
| 2223 unsigned int numRecords; | 2238 unsigned int numRecords; |
| 2224 | 2239 |
| 2225 ssl_GetSpecReadLock(ss); /********************************/ | 2240 ssl_GetSpecReadLock(ss); /********************************/ |
| 2226 | 2241 |
| 2227 if (nIn > 1 && ss->opt.cbcRandomIV && | 2242 if (nIn > 1 && ss->opt.cbcRandomIV && |
| 2228 » ss->ssl3.cwSpec->version <= SSL_LIBRARY_VERSION_3_1_TLS && | 2243 » ss->ssl3.cwSpec->version < SSL_LIBRARY_VERSION_TLS_1_1 && |
| 2229 type == content_application_data && | 2244 type == content_application_data && |
| 2230 ss->ssl3.cwSpec->cipher_def->type == type_block /* CBC mode */) { | 2245 ss->ssl3.cwSpec->cipher_def->type == type_block /* CBC mode */) { |
| 2231 /* We will split the first byte of the record into its own record, | 2246 /* We will split the first byte of the record into its own record, |
| 2232 * as explained in the documentation for SSL_CBC_RANDOM_IV in ssl.h | 2247 * as explained in the documentation for SSL_CBC_RANDOM_IV in ssl.h |
| 2233 */ | 2248 */ |
| 2234 numRecords = 2; | 2249 numRecords = 2; |
| 2235 } else { | 2250 } else { |
| 2236 numRecords = 1; | 2251 numRecords = 1; |
| 2237 } | 2252 } |
| 2238 | 2253 |
| 2239 spaceNeeded = contentLen + (numRecords * SSL3_BUFFER_FUDGE); | 2254 spaceNeeded = contentLen + (numRecords * SSL3_BUFFER_FUDGE); |
| 2255 if (ss->ssl3.cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1 && | |
| 2256 ss->ssl3.cwSpec->cipher_def->type == type_block) { | |
| 2257 spaceNeeded += ss->ssl3.cwSpec->cipher_def->iv_size; | |
| 2258 } | |
| 2240 if (spaceNeeded > wrBuf->space) { | 2259 if (spaceNeeded > wrBuf->space) { |
| 2241 rv = sslBuffer_Grow(wrBuf, spaceNeeded); | 2260 rv = sslBuffer_Grow(wrBuf, spaceNeeded); |
| 2242 if (rv != SECSuccess) { | 2261 if (rv != SECSuccess) { |
| 2243 SSL_DBG(("%d: SSL3[%d]: SendRecord, tried to get %d bytes", | 2262 SSL_DBG(("%d: SSL3[%d]: SendRecord, tried to get %d bytes", |
| 2244 SSL_GETPID(), ss->fd, spaceNeeded)); | 2263 SSL_GETPID(), ss->fd, spaceNeeded)); |
| 2245 goto spec_locked_loser; /* sslBuffer_Grow set error code. */ | 2264 goto spec_locked_loser; /* sslBuffer_Grow set error code. */ |
| 2246 } | 2265 } |
| 2247 } | 2266 } |
| 2248 | 2267 |
| 2249 if (numRecords == 2) { | 2268 if (numRecords == 2) { |
| (...skipping 1633 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 3883 } | 3902 } |
| 3884 } | 3903 } |
| 3885 /* If we previously did client-auth, make sure that the token that | 3904 /* If we previously did client-auth, make sure that the token that |
| 3886 ** holds the private key still exists, is logged in, hasn't been | 3905 ** holds the private key still exists, is logged in, hasn't been |
| 3887 ** removed, etc. | 3906 ** removed, etc. |
| 3888 */ | 3907 */ |
| 3889 if (sidOK && !ssl3_ClientAuthTokenPresent(sid)) { | 3908 if (sidOK && !ssl3_ClientAuthTokenPresent(sid)) { |
| 3890 sidOK = PR_FALSE; | 3909 sidOK = PR_FALSE; |
| 3891 } | 3910 } |
| 3892 | 3911 |
| 3912 if (sidOK && ssl3_NegotiateVersion(ss, sid->version, | |
| 3913 PR_FALSE) != SECSuccess) { | |
| 3914 sidOK = PR_FALSE; | |
| 3915 } | |
| 3916 | |
| 3893 if (!sidOK) { | 3917 if (!sidOK) { |
| 3894 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_not_ok ); | 3918 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_not_ok ); |
| 3895 (*ss->sec.uncache)(sid); | 3919 (*ss->sec.uncache)(sid); |
| 3896 ssl_FreeSID(sid); | 3920 ssl_FreeSID(sid); |
| 3897 sid = NULL; | 3921 sid = NULL; |
| 3898 } | 3922 } |
| 3899 } | 3923 } |
| 3900 | 3924 |
| 3901 if (sid) { | 3925 if (sid) { |
| 3902 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_hits ); | 3926 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_hits ); |
| 3903 | 3927 |
| 3904 /* Are we attempting a stateless session resume? */ | 3928 /* Are we attempting a stateless session resume? */ |
| 3905 if (sid->version > SSL_LIBRARY_VERSION_3_0 && | 3929 if (sid->version > SSL_LIBRARY_VERSION_3_0 && |
| 3906 sid->u.ssl3.sessionTicket.ticket.data) | 3930 sid->u.ssl3.sessionTicket.ticket.data) |
| 3907 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_stateless_resumes ); | 3931 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_stateless_resumes ); |
| 3908 | 3932 |
| 3909 rv = ssl3_NegotiateVersion(ss, sid->version); | |
| 3910 if (rv != SECSuccess) | |
| 3911 return rv; /* error code was set */ | |
| 3912 | |
| 3913 PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID, | 3933 PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID, |
| 3914 sid->u.ssl3.sessionIDLength)); | 3934 sid->u.ssl3.sessionIDLength)); |
| 3915 | 3935 |
| 3916 ss->ssl3.policy = sid->u.ssl3.policy; | 3936 ss->ssl3.policy = sid->u.ssl3.policy; |
| 3917 } else { | 3937 } else { |
| 3918 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_misses ); | 3938 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_misses ); |
| 3919 | 3939 |
| 3920 » rv = ssl3_NegotiateVersion(ss, SSL_LIBRARY_VERSION_3_1_TLS); | 3940 » rv = ssl3_NegotiateVersion(ss, SSL_LIBRARY_VERSION_MAX_SUPPORTED, |
| 3941 » » » » PR_TRUE); | |
| 3921 if (rv != SECSuccess) | 3942 if (rv != SECSuccess) |
| 3922 return rv; /* error code was set */ | 3943 return rv; /* error code was set */ |
| 3923 | 3944 |
| 3924 sid = ssl3_NewSessionID(ss, PR_FALSE); | 3945 sid = ssl3_NewSessionID(ss, PR_FALSE); |
| 3925 if (!sid) { | 3946 if (!sid) { |
| 3926 return SECFailure; /* memory error is set */ | 3947 return SECFailure; /* memory error is set */ |
| 3927 } | 3948 } |
| 3928 } | 3949 } |
| 3929 | 3950 |
| 3930 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0); | 3951 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0); |
| 3931 ssl_GetSpecWriteLock(ss); | 3952 ssl_GetSpecWriteLock(ss); |
| 3932 cwSpec = ss->ssl3.cwSpec; | 3953 cwSpec = ss->ssl3.cwSpec; |
| 3933 if (cwSpec->mac_def->mac == mac_null) { | 3954 if (cwSpec->mac_def->mac == mac_null) { |
| 3934 /* SSL records are not being MACed. */ | 3955 /* SSL records are not being MACed. */ |
| 3935 cwSpec->version = ss->version; | 3956 cwSpec->version = ss->version; |
| 3936 } | 3957 } |
| 3937 ssl_ReleaseSpecWriteLock(ss); | 3958 ssl_ReleaseSpecWriteLock(ss); |
| 3938 | 3959 |
| 3939 if (ss->sec.ci.sid != NULL) { | 3960 if (ss->sec.ci.sid != NULL) { |
| 3940 ssl_FreeSID(ss->sec.ci.sid); /* decrement ref count, free if zero */ | 3961 ssl_FreeSID(ss->sec.ci.sid); /* decrement ref count, free if zero */ |
| 3941 } | 3962 } |
| 3942 ss->sec.ci.sid = sid; | 3963 ss->sec.ci.sid = sid; |
| 3943 | 3964 |
| 3944 ss->sec.send = ssl3_SendApplicationData; | 3965 ss->sec.send = ssl3_SendApplicationData; |
| 3945 | 3966 |
| 3946 /* shouldn't get here if SSL3 is disabled, but ... */ | 3967 /* shouldn't get here if SSL3 is disabled, but ... */ |
| 3947 PORT_Assert(ss->opt.enableSSL3 || ss->opt.enableTLS); | 3968 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) { |
| 3948 if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) { | 3969 » PR_NOT_REACHED("No versions of SSL 3.0 or later are enabled"); |
| 3949 PORT_SetError(SSL_ERROR_SSL_DISABLED); | 3970 PORT_SetError(SSL_ERROR_SSL_DISABLED); |
| 3950 return SECFailure; | 3971 return SECFailure; |
| 3951 } | 3972 } |
| 3952 | 3973 |
| 3953 /* how many suites does our PKCS11 support (regardless of policy)? */ | 3974 /* how many suites does our PKCS11 support (regardless of policy)? */ |
| 3954 num_suites = ssl3_config_match_init(ss); | 3975 num_suites = ssl3_config_match_init(ss); |
| 3955 if (!num_suites) | 3976 if (!num_suites) |
| 3956 return SECFailure; /* ssl3_config_match_init has set error code. */ | 3977 return SECFailure; /* ssl3_config_match_init has set error code. */ |
| 3957 | 3978 |
| 3958 /* HACK for SCSV in SSL 3.0. On initial handshake, prepend SCSV, | 3979 /* HACK for SCSV in SSL 3.0. On initial handshake, prepend SCSV, |
| (...skipping 1049 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 5008 ss->ssl3.platformClientKey = (PlatformKey)NULL; | 5029 ss->ssl3.platformClientKey = (PlatformKey)NULL; |
| 5009 } | 5030 } |
| 5010 #endif /* NSS_PLATFORM_CLIENT_AUTH */ | 5031 #endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| 5011 | 5032 |
| 5012 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); | 5033 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); |
| 5013 if (temp < 0) { | 5034 if (temp < 0) { |
| 5014 goto loser; /* alert has been sent */ | 5035 goto loser; /* alert has been sent */ |
| 5015 } | 5036 } |
| 5016 version = (SSL3ProtocolVersion)temp; | 5037 version = (SSL3ProtocolVersion)temp; |
| 5017 | 5038 |
| 5018 /* this is appropriate since the negotiation is complete, and we only | 5039 rv = ssl3_NegotiateVersion(ss, version, PR_FALSE); |
| 5019 ** know SSL 3.x. | |
| 5020 */ | |
| 5021 if (MSB(version) != MSB(SSL_LIBRARY_VERSION_3_0)) { | |
| 5022 » desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version | |
| 5023 » » » » » » : handshake_failure; | |
| 5024 » goto alert_loser; | |
| 5025 } | |
| 5026 | |
| 5027 rv = ssl3_NegotiateVersion(ss, version); | |
| 5028 if (rv != SECSuccess) { | 5040 if (rv != SECSuccess) { |
| 5029 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version | 5041 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version |
| 5030 : handshake_failure; | 5042 : handshake_failure; |
| 5031 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; | 5043 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; |
| 5032 goto alert_loser; | 5044 goto alert_loser; |
| 5033 } | 5045 } |
| 5034 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0); | 5046 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0); |
| 5035 | 5047 |
| 5036 rv = ssl3_ConsumeHandshake( | 5048 rv = ssl3_ConsumeHandshake( |
| 5037 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH, &b, &length); | 5049 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH, &b, &length); |
| (...skipping 1253 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 6291 desc = no_renegotiation; | 6303 desc = no_renegotiation; |
| 6292 level = alert_warning; | 6304 level = alert_warning; |
| 6293 errCode = SSL_ERROR_RENEGOTIATION_NOT_ALLOWED; | 6305 errCode = SSL_ERROR_RENEGOTIATION_NOT_ALLOWED; |
| 6294 goto alert_loser; | 6306 goto alert_loser; |
| 6295 } | 6307 } |
| 6296 | 6308 |
| 6297 tmp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); | 6309 tmp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); |
| 6298 if (tmp < 0) | 6310 if (tmp < 0) |
| 6299 goto loser; /* malformed, alert already sent */ | 6311 goto loser; /* malformed, alert already sent */ |
| 6300 ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp; | 6312 ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp; |
| 6301 rv = ssl3_NegotiateVersion(ss, version); | 6313 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE); |
| 6302 if (rv != SECSuccess) { | 6314 if (rv != SECSuccess) { |
| 6303 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version | 6315 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version |
| 6304 : handshake_failure; | 6316 : handshake_failure; |
| 6305 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; | 6317 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; |
| 6306 goto alert_loser; | 6318 goto alert_loser; |
| 6307 } | 6319 } |
| 6308 | 6320 |
| 6309 /* grab the client random data. */ | 6321 /* grab the client random data. */ |
| 6310 rv = ssl3_ConsumeHandshake( | 6322 rv = ssl3_ConsumeHandshake( |
| 6311 ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length); | 6323 ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length); |
| (...skipping 687 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 6999 errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO; | 7011 errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO; |
| 7000 goto loser; /* alert_loser */ | 7012 goto loser; /* alert_loser */ |
| 7001 } | 7013 } |
| 7002 | 7014 |
| 7003 version = (buffer[1] << 8) | buffer[2]; | 7015 version = (buffer[1] << 8) | buffer[2]; |
| 7004 suite_length = (buffer[3] << 8) | buffer[4]; | 7016 suite_length = (buffer[3] << 8) | buffer[4]; |
| 7005 sid_length = (buffer[5] << 8) | buffer[6]; | 7017 sid_length = (buffer[5] << 8) | buffer[6]; |
| 7006 rand_length = (buffer[7] << 8) | buffer[8]; | 7018 rand_length = (buffer[7] << 8) | buffer[8]; |
| 7007 ss->clientHelloVersion = version; | 7019 ss->clientHelloVersion = version; |
| 7008 | 7020 |
| 7009 rv = ssl3_NegotiateVersion(ss, version); | 7021 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE); |
| 7010 if (rv != SECSuccess) { | 7022 if (rv != SECSuccess) { |
| 7011 /* send back which ever alert client will understand. */ | 7023 /* send back which ever alert client will understand. */ |
| 7012 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version : handshak e_failure; | 7024 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version : handshak e_failure; |
| 7013 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; | 7025 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; |
| 7014 goto alert_loser; | 7026 goto alert_loser; |
| 7015 } | 7027 } |
| 7016 | 7028 |
| 7017 /* if we get a non-zero SID, just ignore it. */ | 7029 /* if we get a non-zero SID, just ignore it. */ |
| 7018 if (length != | 7030 if (length != |
| 7019 SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length + rand_length) { | 7031 SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length + rand_length) { |
| (...skipping 215 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 7235 return rv; /* err set by ssl3_SetupPendingCipherSpec */ | 7247 return rv; /* err set by ssl3_SetupPendingCipherSpec */ |
| 7236 } | 7248 } |
| 7237 | 7249 |
| 7238 return SECSuccess; | 7250 return SECSuccess; |
| 7239 } | 7251 } |
| 7240 | 7252 |
| 7241 | 7253 |
| 7242 static SECStatus | 7254 static SECStatus |
| 7243 ssl3_SendServerKeyExchange(sslSocket *ss) | 7255 ssl3_SendServerKeyExchange(sslSocket *ss) |
| 7244 { | 7256 { |
| 7245 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; | 7257 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; |
| 7246 SECStatus rv = SECFailure; | 7258 SECStatus rv = SECFailure; |
| 7247 int length; | 7259 int length; |
| 7248 PRBool isTLS; | 7260 PRBool isTLS; |
| 7249 SECItem signed_hash = {siBuffer, NULL, 0}; | 7261 SECItem signed_hash = {siBuffer, NULL, 0}; |
| 7250 SSL3Hashes hashes; | 7262 SSL3Hashes hashes; |
| 7251 SECKEYPublicKey * sdPub; /* public key for step-down */ | 7263 SECKEYPublicKey * sdPub; /* public key for step-down */ |
| 7252 | 7264 |
| 7253 SSL_TRC(3, ("%d: SSL3[%d]: send server_key_exchange handshake", | 7265 SSL_TRC(3, ("%d: SSL3[%d]: send server_key_exchange handshake", |
| 7254 SSL_GETPID(), ss->fd)); | 7266 SSL_GETPID(), ss->fd)); |
| 7255 | 7267 |
| (...skipping 78 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 7334 PORT_Free(signed_hash.data); | 7346 PORT_Free(signed_hash.data); |
| 7335 return SECFailure; | 7347 return SECFailure; |
| 7336 } | 7348 } |
| 7337 | 7349 |
| 7338 | 7350 |
| 7339 static SECStatus | 7351 static SECStatus |
| 7340 ssl3_SendCertificateRequest(sslSocket *ss) | 7352 ssl3_SendCertificateRequest(sslSocket *ss) |
| 7341 { | 7353 { |
| 7342 SECItem * name; | 7354 SECItem * name; |
| 7343 CERTDistNames *ca_list; | 7355 CERTDistNames *ca_list; |
| 7344 const uint8 * certTypes; | 7356 const uint8 * certTypes; |
| 7345 SECItem * names = NULL; | 7357 SECItem * names = NULL; |
| 7346 SECStatus rv; | 7358 SECStatus rv; |
| 7347 int length; | 7359 int length; |
| 7348 int i; | 7360 int i; |
| 7349 int calen = 0; | 7361 int calen = 0; |
| 7350 int nnames = 0; | 7362 int nnames = 0; |
| 7351 int certTypesLength; | 7363 int certTypesLength; |
| 7352 | 7364 |
| 7353 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_request handshake", | 7365 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_request handshake", |
| 7354 SSL_GETPID(), ss->fd)); | 7366 SSL_GETPID(), ss->fd)); |
| (...skipping 327 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 7682 | 7694 |
| 7683 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete | 7695 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete |
| 7684 * ssl3 ClientKeyExchange message from the remote client | 7696 * ssl3 ClientKeyExchange message from the remote client |
| 7685 * Caller must hold Handshake and RecvBuf locks. | 7697 * Caller must hold Handshake and RecvBuf locks. |
| 7686 */ | 7698 */ |
| 7687 static SECStatus | 7699 static SECStatus |
| 7688 ssl3_HandleClientKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) | 7700 ssl3_HandleClientKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
| 7689 { | 7701 { |
| 7690 SECKEYPrivateKey *serverKey = NULL; | 7702 SECKEYPrivateKey *serverKey = NULL; |
| 7691 SECStatus rv; | 7703 SECStatus rv; |
| 7692 const ssl3KEADef * kea_def; | 7704 const ssl3KEADef *kea_def; |
| 7693 ssl3KeyPair *serverKeyPair = NULL; | 7705 ssl3KeyPair *serverKeyPair = NULL; |
| 7694 #ifdef NSS_ENABLE_ECC | 7706 #ifdef NSS_ENABLE_ECC |
| 7695 SECKEYPublicKey *serverPubKey = NULL; | 7707 SECKEYPublicKey *serverPubKey = NULL; |
| 7696 #endif /* NSS_ENABLE_ECC */ | 7708 #endif /* NSS_ENABLE_ECC */ |
| 7697 | 7709 |
| 7698 SSL_TRC(3, ("%d: SSL3[%d]: handle client_key_exchange handshake", | 7710 SSL_TRC(3, ("%d: SSL3[%d]: handle client_key_exchange handshake", |
| 7699 SSL_GETPID(), ss->fd)); | 7711 SSL_GETPID(), ss->fd)); |
| 7700 | 7712 |
| 7701 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 7713 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
| 7702 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 7714 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
| (...skipping 774 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 8477 rv = SECSuccess; | 8489 rv = SECSuccess; |
| 8478 } | 8490 } |
| 8479 | 8491 |
| 8480 done: | 8492 done: |
| 8481 ssl_ReleaseSSL3HandshakeLock(ss); | 8493 ssl_ReleaseSSL3HandshakeLock(ss); |
| 8482 ssl_ReleaseRecvBufLock(ss); | 8494 ssl_ReleaseRecvBufLock(ss); |
| 8483 | 8495 |
| 8484 return rv; | 8496 return rv; |
| 8485 } | 8497 } |
| 8486 | 8498 |
| 8499 static SECStatus | |
| 8500 ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, | |
| 8501 PRBool isServer, | |
| 8502 const SSL3Finished * hashes, | |
| 8503 TLSFinished * tlsFinished) | |
| 8504 { | |
| 8505 const char * label; | |
| 8506 unsigned int len; | |
| 8507 SECStatus rv; | |
| 8508 | |
| 8509 label = isServer ? "server finished" : "client finished"; | |
| 8510 len = 15; | |
| 8511 | |
| 8512 rv = ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->md5, | |
| 8513 sizeof *hashes, tlsFinished->verify_data, | |
| 8514 sizeof tlsFinished->verify_data); | |
| 8515 | |
| 8516 return rv; | |
| 8517 } | |
| 8518 | |
| 8487 /* The calling function must acquire and release the appropriate | 8519 /* The calling function must acquire and release the appropriate |
| 8488 * lock (e.g., ssl_GetSpecReadLock / ssl_ReleaseSpecReadLock for | 8520 * lock (e.g., ssl_GetSpecReadLock / ssl_ReleaseSpecReadLock for |
| 8489 * ss->ssl3.crSpec). | 8521 * ss->ssl3.crSpec). |
| 8490 */ | 8522 */ |
| 8491 SECStatus | 8523 SECStatus |
| 8492 ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label, | 8524 ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label, |
| 8493 unsigned int labelLen, const unsigned char *val, unsigned int valLen, | 8525 unsigned int labelLen, const unsigned char *val, unsigned int valLen, |
| 8494 unsigned char *out, unsigned int outLen) | 8526 unsigned char *out, unsigned int outLen) |
| 8495 { | 8527 { |
| 8496 SECStatus rv = SECSuccess; | 8528 SECStatus rv = SECSuccess; |
| (...skipping 24 matching lines...) Expand all Loading... | |
| 8521 inData.data = (unsigned char *) val; | 8553 inData.data = (unsigned char *) val; |
| 8522 inData.len = valLen; | 8554 inData.len = valLen; |
| 8523 outData.data = out; | 8555 outData.data = out; |
| 8524 outData.len = outLen; | 8556 outData.len = outLen; |
| 8525 rv = TLS_PRF(&spec->msItem, label, &inData, &outData, isFIPS); | 8557 rv = TLS_PRF(&spec->msItem, label, &inData, &outData, isFIPS); |
| 8526 PORT_Assert(rv != SECSuccess || outData.len == outLen); | 8558 PORT_Assert(rv != SECSuccess || outData.len == outLen); |
| 8527 } | 8559 } |
| 8528 return rv; | 8560 return rv; |
| 8529 } | 8561 } |
| 8530 | 8562 |
| 8531 static SECStatus | |
| 8532 ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, | |
| 8533 PRBool isServer, | |
| 8534 const SSL3Finished * hashes, | |
| 8535 TLSFinished * tlsFinished) | |
| 8536 { | |
| 8537 const char * label; | |
| 8538 unsigned int len; | |
| 8539 SECStatus rv; | |
| 8540 | |
| 8541 label = isServer ? "server finished" : "client finished"; | |
| 8542 len = 15; | |
| 8543 | |
| 8544 rv = ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->md5, | |
| 8545 sizeof *hashes, tlsFinished->verify_data, | |
| 8546 sizeof tlsFinished->verify_data); | |
| 8547 | |
| 8548 return rv; | |
| 8549 } | |
| 8550 | |
| 8551 /* called from ssl3_HandleServerHelloDone | 8563 /* called from ssl3_HandleServerHelloDone |
| 8552 */ | 8564 */ |
| 8553 static SECStatus | 8565 static SECStatus |
| 8554 ssl3_SendNextProto(sslSocket *ss) | 8566 ssl3_SendNextProto(sslSocket *ss) |
| 8555 { | 8567 { |
| 8556 SECStatus rv; | 8568 SECStatus rv; |
| 8557 int padding_len; | 8569 int padding_len; |
| 8558 static const unsigned char padding[32] = {0}; | 8570 static const unsigned char padding[32] = {0}; |
| 8559 | 8571 |
| 8560 if (ss->ssl3.nextProto.len == 0) | 8572 if (ss->ssl3.nextProto.len == 0) |
| (...skipping 353 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 8914 return SECWouldBlock; | 8926 return SECWouldBlock; |
| 8915 } | 8927 } |
| 8916 | 8928 |
| 8917 rv = ssl3_FinishHandshake(ss); | 8929 rv = ssl3_FinishHandshake(ss); |
| 8918 return rv; | 8930 return rv; |
| 8919 } | 8931 } |
| 8920 | 8932 |
| 8921 SECStatus | 8933 SECStatus |
| 8922 ssl3_FinishHandshake(sslSocket * ss) | 8934 ssl3_FinishHandshake(sslSocket * ss) |
| 8923 { | 8935 { |
| 8924 SECStatus rv; | |
| 8925 | |
| 8926 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 8936 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
| 8927 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 8937 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
| 8928 PORT_Assert( ss->ssl3.hs.restartTarget == NULL ); | 8938 PORT_Assert( ss->ssl3.hs.restartTarget == NULL ); |
| 8929 | 8939 |
| 8930 /* The first handshake is now completed. */ | 8940 /* The first handshake is now completed. */ |
| 8931 ss->handshake = NULL; | 8941 ss->handshake = NULL; |
| 8932 ss->firstHsDone = PR_TRUE; | 8942 ss->firstHsDone = PR_TRUE; |
| 8933 | 8943 |
| 8934 if (ss->sec.ci.sid->cached == never_cached && | 8944 if (ss->ssl3.hs.cacheSID) { |
| 8935 » !ss->opt.noCache && ss->sec.cache && ss->ssl3.hs.cacheSID) { | |
| 8936 (*ss->sec.cache)(ss->sec.ci.sid); | 8945 (*ss->sec.cache)(ss->sec.ci.sid); |
| 8946 ss->ssl3.hs.cacheSID = PR_FALSE; | |
| 8937 } | 8947 } |
| 8938 | 8948 |
| 8939 ss->ssl3.hs.ws = idle_handshake; | 8949 ss->ssl3.hs.ws = idle_handshake; |
| 8940 | 8950 |
| 8941 /* Do the handshake callback for sslv3 here, if we cannot false start. */ | 8951 /* Do the handshake callback for sslv3 here, if we cannot false start. */ |
| 8942 if (ss->handshakeCallback != NULL && !ssl3_CanFalseStart(ss)) { | 8952 if (ss->handshakeCallback != NULL && !ssl3_CanFalseStart(ss)) { |
| 8943 (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData); | 8953 (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData); |
| 8944 } | 8954 } |
| 8945 | 8955 |
| 8946 return SECSuccess; | 8956 return SECSuccess; |
| (...skipping 356 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 9303 * | 9313 * |
| 9304 * Caller must hold the RecvBufLock. | 9314 * Caller must hold the RecvBufLock. |
| 9305 * | 9315 * |
| 9306 * This function aquires and releases the SSL3Handshake Lock, holding the | 9316 * This function aquires and releases the SSL3Handshake Lock, holding the |
| 9307 * lock around any calls to functions that handle records other than | 9317 * lock around any calls to functions that handle records other than |
| 9308 * Application Data records. | 9318 * Application Data records. |
| 9309 */ | 9319 */ |
| 9310 SECStatus | 9320 SECStatus |
| 9311 ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf) | 9321 ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf) |
| 9312 { | 9322 { |
| 9313 const ssl3BulkCipherDef *cipher_def; | 9323 const ssl3BulkCipherDef *cipher_def; |
| 9314 ssl3CipherSpec * crSpec; | 9324 ssl3CipherSpec * crSpec; |
| 9315 SECStatus rv; | 9325 SECStatus rv; |
| 9316 unsigned int hashBytes» » = MAX_MAC_LENGTH + 1; | 9326 unsigned int hashBytes = MAX_MAC_LENGTH + 1; |
| 9317 unsigned int padding_length; | 9327 unsigned int padding_length; |
| 9318 PRBool isTLS; | 9328 PRBool isTLS; |
| 9319 PRBool padIsBad = PR_FALSE; | 9329 PRBool padIsBad = PR_FALSE; |
| 9320 SSL3ContentType rType; | 9330 SSL3ContentType rType; |
| 9321 SSL3Opaque hash[MAX_MAC_LENGTH]; | 9331 SSL3Opaque hash[MAX_MAC_LENGTH]; |
| 9322 sslBuffer *plaintext; | 9332 sslBuffer *plaintext; |
| 9323 sslBuffer temp_buf; | 9333 sslBuffer temp_buf; |
| 9334 unsigned int ivLen = 0; | |
| 9324 | 9335 |
| 9325 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 9336 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
| 9326 | 9337 |
| 9327 if (!ss->ssl3.initialized) { | 9338 if (!ss->ssl3.initialized) { |
| 9328 ssl_GetSSL3HandshakeLock(ss); | 9339 ssl_GetSSL3HandshakeLock(ss); |
| 9329 rv = ssl3_InitState(ss); | 9340 rv = ssl3_InitState(ss); |
| 9330 ssl_ReleaseSSL3HandshakeLock(ss); | 9341 ssl_ReleaseSSL3HandshakeLock(ss); |
| 9331 if (rv != SECSuccess) { | 9342 if (rv != SECSuccess) { |
| 9332 return rv; /* ssl3_InitState has set the error code. */ | 9343 return rv; /* ssl3_InitState has set the error code. */ |
| 9333 } | 9344 } |
| (...skipping 12 matching lines...) Expand all Loading... | |
| 9346 if (cText == NULL) { | 9357 if (cText == NULL) { |
| 9347 SSL_DBG(("%d: SSL3[%d]: HandleRecord, resuming handshake", | 9358 SSL_DBG(("%d: SSL3[%d]: HandleRecord, resuming handshake", |
| 9348 SSL_GETPID(), ss->fd)); | 9359 SSL_GETPID(), ss->fd)); |
| 9349 rType = content_handshake; | 9360 rType = content_handshake; |
| 9350 goto process_it; | 9361 goto process_it; |
| 9351 } | 9362 } |
| 9352 | 9363 |
| 9353 ssl_GetSpecReadLock(ss); /******************************************/ | 9364 ssl_GetSpecReadLock(ss); /******************************************/ |
| 9354 | 9365 |
| 9355 crSpec = ss->ssl3.crSpec; | 9366 crSpec = ss->ssl3.crSpec; |
| 9367 cipher_def = crSpec->cipher_def; | |
| 9368 | |
| 9369 if (cipher_def->type == type_block && | |
| 9370 crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { | |
| 9371 /* Consume the per-record explicit IV. RFC 4346 Section 6.2.3.2 states | |
| 9372 * "The receiver decrypts the entire GenericBlockCipher structure and | |
| 9373 * then discards the first cipher block corresponding to the IV | |
| 9374 * component." Instead, we decrypt the first cipher block and then | |
| 9375 * discard it before decrypting the rest. | |
|
Ryan Sleevi
2012/03/19 22:15:50
Really?
Does this have any timing side-effects?
wtc
2012/03/20 21:15:09
I think the use of "Instead" in this comment is a
| |
| 9376 */ | |
| 9377 SSL3Opaque iv[MAX_IV_LENGTH]; | |
| 9378 int decoded; | |
| 9379 | |
| 9380 ivLen = cipher_def->iv_size; | |
| 9381 if (ivLen < 8 || ivLen > sizeof(iv)) { | |
| 9382 ssl_ReleaseSpecReadLock(ss); | |
| 9383 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | |
| 9384 return SECFailure; | |
| 9385 } | |
| 9386 if (ivLen > cText->buf->len) { | |
| 9387 SSL_DBG(("%d: SSL3[%d]: HandleRecord, IV length check failed", | |
| 9388 SSL_GETPID(), ss->fd)); | |
| 9389 /* must not hold spec lock when calling SSL3_SendAlert. */ | |
| 9390 ssl_ReleaseSpecReadLock(ss); | |
| 9391 SSL3_SendAlert(ss, alert_fatal, bad_record_mac); | |
| 9392 /* always log mac error, in case attacker can read server logs. */ | |
| 9393 PORT_SetError(SSL_ERROR_BAD_MAC_READ); | |
|
Ryan Sleevi
2012/03/19 22:15:50
Can't they also measure timing?
wtc
2012/03/20 21:15:09
Should I remove this comment? I copied this comme
wtc
2012/03/20 21:36:55
If you could suggest better wording for that comme
| |
| 9394 return SECFailure; | |
| 9395 } | |
| 9396 | |
| 9397 PRINT_BUF(80, (ss, "IV (ciphertext):", cText->buf->buf, ivLen)); | |
| 9398 | |
| 9399 /* The decryption result is garbage, but since we just throw away | |
| 9400 * the block it doesn't matter. The decryption of the next block | |
| 9401 * depends only on the ciphertext of the IV block. | |
| 9402 */ | |
| 9403 rv = crSpec->decode(crSpec->decodeContext, iv, &decoded, | |
| 9404 sizeof(iv), cText->buf->buf, ivLen); | |
| 9405 | |
| 9406 if (rv != SECSuccess) { | |
| 9407 /* All decryption failures must be treated like a bad record | |
| 9408 * MAC; see RFC 5246 (TLS 1.2). | |
| 9409 */ | |
| 9410 padIsBad = PR_TRUE; | |
| 9411 } | |
| 9412 } | |
| 9356 | 9413 |
| 9357 /* If we will be decompressing the buffer we need to decrypt somewhere | 9414 /* If we will be decompressing the buffer we need to decrypt somewhere |
| 9358 * other than into databuf */ | 9415 * other than into databuf */ |
| 9359 if (crSpec->decompressor) { | 9416 if (crSpec->decompressor) { |
| 9360 temp_buf.buf = NULL; | 9417 temp_buf.buf = NULL; |
| 9361 temp_buf.space = 0; | 9418 temp_buf.space = 0; |
| 9362 plaintext = &temp_buf; | 9419 plaintext = &temp_buf; |
| 9363 } else { | 9420 } else { |
| 9364 plaintext = databuf; | 9421 plaintext = databuf; |
| 9365 } | 9422 } |
| 9366 | 9423 |
| 9367 plaintext->len = 0; /* filled in by decode call below. */ | 9424 plaintext->len = 0; /* filled in by decode call below. */ |
| 9368 if (plaintext->space < MAX_FRAGMENT_LENGTH) { | 9425 if (plaintext->space < MAX_FRAGMENT_LENGTH) { |
| 9369 rv = sslBuffer_Grow(plaintext, MAX_FRAGMENT_LENGTH + 2048); | 9426 rv = sslBuffer_Grow(plaintext, MAX_FRAGMENT_LENGTH + 2048); |
| 9370 if (rv != SECSuccess) { | 9427 if (rv != SECSuccess) { |
| 9371 ssl_ReleaseSpecReadLock(ss); | 9428 ssl_ReleaseSpecReadLock(ss); |
| 9372 SSL_DBG(("%d: SSL3[%d]: HandleRecord, tried to get %d bytes", | 9429 SSL_DBG(("%d: SSL3[%d]: HandleRecord, tried to get %d bytes", |
| 9373 SSL_GETPID(), ss->fd, MAX_FRAGMENT_LENGTH + 2048)); | 9430 SSL_GETPID(), ss->fd, MAX_FRAGMENT_LENGTH + 2048)); |
| 9374 /* sslBuffer_Grow has set a memory error code. */ | 9431 /* sslBuffer_Grow has set a memory error code. */ |
| 9375 /* Perhaps we should send an alert. (but we have no memory!) */ | 9432 /* Perhaps we should send an alert. (but we have no memory!) */ |
| 9376 return SECFailure; | 9433 return SECFailure; |
| 9377 } | 9434 } |
| 9378 } | 9435 } |
| 9379 | 9436 |
| 9380 PRINT_BUF(80, (ss, "ciphertext:", cText->buf->buf, cText->buf->len)); | 9437 PRINT_BUF(80, (ss, "ciphertext:", cText->buf->buf + ivLen, |
| 9438 » » » » cText->buf->len - ivLen)); | |
| 9381 | 9439 |
| 9382 cipher_def = crSpec->cipher_def; | |
| 9383 isTLS = (PRBool)(crSpec->version > SSL_LIBRARY_VERSION_3_0); | 9440 isTLS = (PRBool)(crSpec->version > SSL_LIBRARY_VERSION_3_0); |
| 9384 | 9441 |
| 9385 if (isTLS && cText->buf->len > (MAX_FRAGMENT_LENGTH + 2048)) { | 9442 if (isTLS && cText->buf->len - ivLen > (MAX_FRAGMENT_LENGTH + 2048)) { |
| 9386 ssl_ReleaseSpecReadLock(ss); | 9443 ssl_ReleaseSpecReadLock(ss); |
| 9387 SSL3_SendAlert(ss, alert_fatal, record_overflow); | 9444 SSL3_SendAlert(ss, alert_fatal, record_overflow); |
| 9388 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); | 9445 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); |
| 9389 return SECFailure; | 9446 return SECFailure; |
| 9390 } | 9447 } |
| 9391 | 9448 |
| 9392 /* decrypt from cText buf to plaintext. */ | 9449 /* decrypt from cText buf to plaintext. */ |
| 9393 rv = crSpec->decode( | 9450 rv = crSpec->decode( |
| 9394 crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len, | 9451 crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len, |
| 9395 » plaintext->space, cText->buf->buf, cText->buf->len); | 9452 » plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen); |
| 9396 | 9453 |
| 9397 PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len)); | 9454 PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len)); |
| 9398 if (rv != SECSuccess) { | 9455 if (rv != SECSuccess) { |
| 9399 /* All decryption failures must be treated like a bad record | 9456 /* All decryption failures must be treated like a bad record |
| 9400 * MAC; see RFC 5246 (TLS 1.2). | 9457 * MAC; see RFC 5246 (TLS 1.2). |
| 9401 */ | 9458 */ |
| 9402 padIsBad = PR_TRUE; | 9459 padIsBad = PR_TRUE; |
| 9403 } | 9460 } |
| 9404 | 9461 |
| 9405 /* If it's a block cipher, check and strip the padding. */ | 9462 /* If it's a block cipher, check and strip the padding. */ |
| (...skipping 205 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 9611 spec->server.write_key = NULL; | 9668 spec->server.write_key = NULL; |
| 9612 spec->server.write_mac_key = NULL; | 9669 spec->server.write_mac_key = NULL; |
| 9613 spec->server.write_mac_context = NULL; | 9670 spec->server.write_mac_context = NULL; |
| 9614 | 9671 |
| 9615 spec->write_seq_num.high = 0; | 9672 spec->write_seq_num.high = 0; |
| 9616 spec->write_seq_num.low = 0; | 9673 spec->write_seq_num.low = 0; |
| 9617 | 9674 |
| 9618 spec->read_seq_num.high = 0; | 9675 spec->read_seq_num.high = 0; |
| 9619 spec->read_seq_num.low = 0; | 9676 spec->read_seq_num.low = 0; |
| 9620 | 9677 |
| 9621 spec->version = ss->opt.enableTLS | 9678 spec->version = ss->vrange.max; |
| 9622 ? SSL_LIBRARY_VERSION_3_1_TLS | |
| 9623 : SSL_LIBRARY_VERSION_3_0; | |
| 9624 } | 9679 } |
| 9625 | 9680 |
| 9626 /* Called from: ssl3_SendRecord | 9681 /* Called from: ssl3_SendRecord |
| 9627 ** ssl3_StartHandshakeHash() <- ssl2_BeginClientHandshake() | 9682 ** ssl3_StartHandshakeHash() <- ssl2_BeginClientHandshake() |
| 9628 ** ssl3_SendClientHello() | 9683 ** ssl3_SendClientHello() |
| 9629 ** ssl3_HandleServerHello() | 9684 ** ssl3_HandleServerHello() |
| 9630 ** ssl3_HandleClientHello() | 9685 ** ssl3_HandleClientHello() |
| 9631 ** ssl3_HandleV2ClientHello() | 9686 ** ssl3_HandleV2ClientHello() |
| 9632 ** ssl3_HandleRecord() | 9687 ** ssl3_HandleRecord() |
| 9633 ** | 9688 ** |
| (...skipping 224 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 9858 SECStatus | 9913 SECStatus |
| 9859 ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size) | 9914 ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size) |
| 9860 { | 9915 { |
| 9861 int i, count = 0; | 9916 int i, count = 0; |
| 9862 | 9917 |
| 9863 PORT_Assert(ss != 0); | 9918 PORT_Assert(ss != 0); |
| 9864 if (!ss) { | 9919 if (!ss) { |
| 9865 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); | 9920 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); |
| 9866 return SECFailure; | 9921 return SECFailure; |
| 9867 } | 9922 } |
| 9868 if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) { | 9923 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) { |
| 9869 *size = 0; | 9924 *size = 0; |
| 9870 return SECSuccess; | 9925 return SECSuccess; |
| 9871 } | 9926 } |
| 9872 if (cs == NULL) { | 9927 if (cs == NULL) { |
| 9873 *size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE); | 9928 *size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE); |
| 9874 return SECSuccess; | 9929 return SECSuccess; |
| 9875 } | 9930 } |
| 9876 | 9931 |
| 9877 /* ssl3_config_match_init was called by the caller of this function. */ | 9932 /* ssl3_config_match_init was called by the caller of this function. */ |
| 9878 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { | 9933 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
| (...skipping 107 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 9986 /* free up the CipherSpecs */ | 10041 /* free up the CipherSpecs */ |
| 9987 ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE/*freeSrvName*/); | 10042 ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE/*freeSrvName*/); |
| 9988 ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/); | 10043 ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/); |
| 9989 | 10044 |
| 9990 ss->ssl3.initialized = PR_FALSE; | 10045 ss->ssl3.initialized = PR_FALSE; |
| 9991 | 10046 |
| 9992 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); | 10047 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); |
| 9993 } | 10048 } |
| 9994 | 10049 |
| 9995 /* End of ssl3con.c */ | 10050 /* End of ssl3con.c */ |
| OLD | NEW |