OLD | NEW |
---|---|
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ | 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ |
2 /* TODO(ekr@rtfm.com): Implement HelloVerifyRequest on server side. OK for now. */ | |
2 /* | 3 /* |
3 * SSL3 Protocol | 4 * SSL3 Protocol |
4 * | 5 * |
5 * ***** BEGIN LICENSE BLOCK ***** | 6 * ***** BEGIN LICENSE BLOCK ***** |
6 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 7 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
7 * | 8 * |
8 * The contents of this file are subject to the Mozilla Public License Version | 9 * The contents of this file are subject to the Mozilla Public License Version |
9 * 1.1 (the "License"); you may not use this file except in compliance with | 10 * 1.1 (the "License"); you may not use this file except in compliance with |
10 * the License. You may obtain a copy of the License at | 11 * the License. You may obtain a copy of the License at |
11 * http://www.mozilla.org/MPL/ | 12 * http://www.mozilla.org/MPL/ |
(...skipping 73 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
85 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss); | 86 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss); |
86 static SECStatus ssl3_SendNextProto( sslSocket *ss); | 87 static SECStatus ssl3_SendNextProto( sslSocket *ss); |
87 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); | 88 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); |
88 static SECStatus ssl3_SendServerHello( sslSocket *ss); | 89 static SECStatus ssl3_SendServerHello( sslSocket *ss); |
89 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); | 90 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); |
90 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss); | 91 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss); |
91 static SECStatus ssl3_NewHandshakeHashes( sslSocket *ss); | 92 static SECStatus ssl3_NewHandshakeHashes( sslSocket *ss); |
92 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, | 93 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, |
93 const unsigned char *b, | 94 const unsigned char *b, |
94 unsigned int l); | 95 unsigned int l); |
96 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); | |
97 | |
95 | 98 |
96 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, | 99 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, |
97 int maxOutputLen, const unsigned char *input, | 100 int maxOutputLen, const unsigned char *input, |
98 int inputLen); | 101 int inputLen); |
99 | 102 |
100 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ | 103 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ |
101 #define MIN_SEND_BUF_LENGTH 4000 | 104 #define MIN_SEND_BUF_LENGTH 4000 |
102 | 105 |
103 #define MAX_CIPHER_SUITES 20 | 106 #define MAX_CIPHER_SUITES 20 |
104 | 107 |
(...skipping 109 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
214 } | 217 } |
215 | 218 |
216 static const /*SSL3ClientCertificateType */ uint8 certificate_types [] = { | 219 static const /*SSL3ClientCertificateType */ uint8 certificate_types [] = { |
217 ct_RSA_sign, | 220 ct_RSA_sign, |
218 ct_DSS_sign, | 221 ct_DSS_sign, |
219 #ifdef NSS_ENABLE_ECC | 222 #ifdef NSS_ENABLE_ECC |
220 ct_ECDSA_sign, | 223 ct_ECDSA_sign, |
221 #endif /* NSS_ENABLE_ECC */ | 224 #endif /* NSS_ENABLE_ECC */ |
222 }; | 225 }; |
223 | 226 |
224 #ifdef NSS_ENABLE_ZLIB | |
225 /* | |
226 * The DEFLATE algorithm can result in an expansion of 0.1% + 12 bytes. For a | |
227 * maximum TLS record payload of 2**14 bytes, that's 29 bytes. | |
228 */ | |
229 #define SSL3_COMPRESSION_MAX_EXPANSION 29 | |
230 #else /* !NSS_ENABLE_ZLIB */ | |
231 #define SSL3_COMPRESSION_MAX_EXPANSION 0 | |
232 #endif | |
233 | |
234 /* | |
235 * make sure there is room in the write buffer for padding and | |
236 * other compression and cryptographic expansions. | |
237 */ | |
238 #define SSL3_BUFFER_FUDGE 100 + SSL3_COMPRESSION_MAX_EXPANSION | |
239 | 227 |
240 #define EXPORT_RSA_KEY_LENGTH 64 /* bytes */ | 228 #define EXPORT_RSA_KEY_LENGTH 64 /* bytes */ |
241 | 229 |
230 #define RECORD_HEADER_LENGTH(ss_) ((!ss_->ssl3.isDtls) ? \ | |
ekr
2012/03/26 21:49:18
Looks to me like this is no longer used, which is
wtc
2012/03/27 00:28:25
Yes, I noticed (and verified) RECORD_HEADER_LENGTH
| |
231 SSL3_RECORD_HEADER_LENGTH : DTLS_RECORD_HEADER_LENGTH) | |
232 | |
242 | 233 |
243 /* This global item is used only in servers. It is is initialized by | 234 /* This global item is used only in servers. It is is initialized by |
244 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest(). | 235 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest(). |
245 */ | 236 */ |
246 CERTDistNames *ssl3_server_ca_list = NULL; | 237 CERTDistNames *ssl3_server_ca_list = NULL; |
247 static SSL3Statistics ssl3stats; | 238 static SSL3Statistics ssl3stats; |
248 | 239 |
249 /* indexed by SSL3BulkCipher */ | 240 /* indexed by SSL3BulkCipher */ |
250 static const ssl3BulkCipherDef bulk_cipher_defs[] = { | 241 static const ssl3BulkCipherDef bulk_cipher_defs[] = { |
251 /* cipher calg keySz secretSz type ivSz BlkSz keygen */ | 242 /* cipher calg keySz secretSz type ivSz BlkSz keygen */ |
(...skipping 258 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
510 static char * | 501 static char * |
511 ssl3_DecodeHandshakeType(int msgType) | 502 ssl3_DecodeHandshakeType(int msgType) |
512 { | 503 { |
513 char * rv; | 504 char * rv; |
514 static char line[40]; | 505 static char line[40]; |
515 | 506 |
516 switch(msgType) { | 507 switch(msgType) { |
517 case hello_request: rv = "hello_request (0)"; break; | 508 case hello_request: rv = "hello_request (0)"; break; |
518 case client_hello: rv = "client_hello (1)"; break; | 509 case client_hello: rv = "client_hello (1)"; break; |
519 case server_hello: rv = "server_hello (2)"; break; | 510 case server_hello: rv = "server_hello (2)"; break; |
511 case hello_verify_request: rv = "hello_verify_request (3)"; break; | |
520 case certificate: rv = "certificate (11)"; break; | 512 case certificate: rv = "certificate (11)"; break; |
521 case server_key_exchange: rv = "server_key_exchange (12)"; break; | 513 case server_key_exchange: rv = "server_key_exchange (12)"; break; |
522 case certificate_request: rv = "certificate_request (13)"; break; | 514 case certificate_request: rv = "certificate_request (13)"; break; |
523 case server_hello_done: rv = "server_hello_done (14)"; break; | 515 case server_hello_done: rv = "server_hello_done (14)"; break; |
524 case certificate_verify: rv = "certificate_verify (15)"; break; | 516 case certificate_verify: rv = "certificate_verify (15)"; break; |
525 case client_key_exchange: rv = "client_key_exchange (16)"; break; | 517 case client_key_exchange: rv = "client_key_exchange (16)"; break; |
526 case finished: rv = "finished (20)"; break; | 518 case finished: rv = "finished (20)"; break; |
527 default: | 519 default: |
528 sprintf(line, "*UNKNOWN* handshake type! (%d)", msgType); | 520 sprintf(line, "*UNKNOWN* handshake type! (%d)", msgType); |
529 rv = line; | 521 rv = line; |
(...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
575 PR_ATOMIC_INCREMENT((PRInt32 *)x); | 567 PR_ATOMIC_INCREMENT((PRInt32 *)x); |
576 } else { | 568 } else { |
577 tooLong * tl = (tooLong *)x; | 569 tooLong * tl = (tooLong *)x; |
578 if (PR_ATOMIC_INCREMENT(&tl->low) == 0) | 570 if (PR_ATOMIC_INCREMENT(&tl->low) == 0) |
579 PR_ATOMIC_INCREMENT(&tl->high); | 571 PR_ATOMIC_INCREMENT(&tl->high); |
580 } | 572 } |
581 } | 573 } |
582 | 574 |
583 /* return pointer to ssl3CipherSuiteDef for suite, or NULL */ | 575 /* return pointer to ssl3CipherSuiteDef for suite, or NULL */ |
584 /* XXX This does a linear search. A binary search would be better. */ | 576 /* XXX This does a linear search. A binary search would be better. */ |
585 static const ssl3CipherSuiteDef * | 577 const ssl3CipherSuiteDef * |
586 ssl_LookupCipherSuiteDef(ssl3CipherSuite suite) | 578 ssl_LookupCipherSuiteDef(ssl3CipherSuite suite) |
587 { | 579 { |
588 int cipher_suite_def_len = | 580 int cipher_suite_def_len = |
589 sizeof(cipher_suite_defs) / sizeof(cipher_suite_defs[0]); | 581 sizeof(cipher_suite_defs) / sizeof(cipher_suite_defs[0]); |
590 int i; | 582 int i; |
591 | 583 |
592 for (i = 0; i < cipher_suite_def_len; i++) { | 584 for (i = 0; i < cipher_suite_def_len; i++) { |
593 if (cipher_suite_defs[i].cipher_suite == suite) | 585 if (cipher_suite_defs[i].cipher_suite == suite) |
594 return &cipher_suite_defs[i]; | 586 return &cipher_suite_defs[i]; |
595 } | 587 } |
(...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
641 } | 633 } |
642 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) { | 634 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) { |
643 return 0; | 635 return 0; |
644 } | 636 } |
645 isServer = (PRBool)(ss->sec.isServer != 0); | 637 isServer = (PRBool)(ss->sec.isServer != 0); |
646 | 638 |
647 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { | 639 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
648 suite = &ss->cipherSuites[i]; | 640 suite = &ss->cipherSuites[i]; |
649 if (suite->enabled) { | 641 if (suite->enabled) { |
650 ++numEnabled; | 642 ++numEnabled; |
643 | |
651 /* We need the cipher defs to see if we have a token that can handle | 644 /* We need the cipher defs to see if we have a token that can handle |
652 * this cipher. It isn't part of the static definition. | 645 * this cipher. It isn't part of the static definition. |
653 */ | 646 */ |
654 cipher_def = ssl_LookupCipherSuiteDef(suite->cipher_suite); | 647 cipher_def = ssl_LookupCipherSuiteDef(suite->cipher_suite); |
655 if (!cipher_def) { | 648 if (!cipher_def) { |
656 suite->isPresent = PR_FALSE; | 649 suite->isPresent = PR_FALSE; |
657 continue; | 650 continue; |
658 } | 651 } |
659 » cipher_alg=bulk_cipher_defs[cipher_def->bulk_cipher_alg ].calg; | 652 |
653 » cipher_alg = bulk_cipher_defs[cipher_def->bulk_cipher_alg ].calg; | |
660 PORT_Assert( alg2Mech[cipher_alg].calg == cipher_alg); | 654 PORT_Assert( alg2Mech[cipher_alg].calg == cipher_alg); |
661 cipher_mech = alg2Mech[cipher_alg].cmech; | 655 cipher_mech = alg2Mech[cipher_alg].cmech; |
662 exchKeyType = | 656 exchKeyType = |
663 kea_defs[cipher_def->key_exchange_alg].exchKeyType; | 657 kea_defs[cipher_def->key_exchange_alg].exchKeyType; |
664 #ifndef NSS_ENABLE_ECC | 658 #ifndef NSS_ENABLE_ECC |
665 svrAuth = ss->serverCerts + exchKeyType; | 659 svrAuth = ss->serverCerts + exchKeyType; |
666 #else | 660 #else |
667 /* XXX SSLKEAType isn't really a good choice for | 661 /* XXX SSLKEAType isn't really a good choice for |
668 * indexing certificates. It doesn't work for | 662 * indexing certificates. It doesn't work for |
669 * (EC)DHE-* ciphers. Here we use a hack to ensure | 663 * (EC)DHE-* ciphers. Here we use a hack to ensure |
(...skipping 53 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
723 ** policy == SSL_NOT_ALLOWED, report no match. | 717 ** policy == SSL_NOT_ALLOWED, report no match. |
724 */ | 718 */ |
725 /* adjust suite enabled to the availability of a token that can do the | 719 /* adjust suite enabled to the availability of a token that can do the |
726 * cipher suite. */ | 720 * cipher suite. */ |
727 static PRBool | 721 static PRBool |
728 config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled) | 722 config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled) |
729 { | 723 { |
730 PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE); | 724 PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE); |
731 if (policy == SSL_NOT_ALLOWED || !enabled) | 725 if (policy == SSL_NOT_ALLOWED || !enabled) |
732 return PR_FALSE; | 726 return PR_FALSE; |
727 | |
733 return (PRBool)(suite->enabled && | 728 return (PRBool)(suite->enabled && |
734 suite->isPresent && | 729 suite->isPresent && |
735 suite->policy != SSL_NOT_ALLOWED && | 730 suite->policy != SSL_NOT_ALLOWED && |
736 suite->policy <= policy); | 731 suite->policy <= policy); |
737 } | 732 } |
738 | 733 |
739 /* return number of cipher suites that match policy and enabled state */ | 734 /* return number of cipher suites that match policy and enabled state */ |
740 /* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */ | 735 /* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */ |
741 static int | 736 static int |
742 count_cipher_suites(sslSocket *ss, int policy, PRBool enabled) | 737 count_cipher_suites(sslSocket *ss, int policy, PRBool enabled) |
743 { | 738 { |
744 int i, count = 0; | 739 int i, count = 0; |
745 | |
746 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) { | 740 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) { |
747 return 0; | 741 return 0; |
748 } | 742 } |
749 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { | 743 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
750 » if (config_match(&ss->cipherSuites[i], policy, enabled)) | 744 » if (config_match(&ss->cipherSuites[i], policy, enabled)) { |
751 count++; | 745 count++; |
746 } | |
752 } | 747 } |
753 if (count <= 0) { | 748 if (count <= 0) { |
754 PORT_SetError(SSL_ERROR_SSL_DISABLED); | 749 PORT_SetError(SSL_ERROR_SSL_DISABLED); |
755 } | 750 } |
756 return count; | 751 return count; |
757 } | 752 } |
758 | 753 |
759 /* | 754 /* |
760 * Null compression, mac and encryption functions | 755 * Null compression, mac and encryption functions |
761 */ | 756 */ |
(...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
795 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP); | 790 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP); |
796 return SECFailure; | 791 return SECFailure; |
797 } | 792 } |
798 | 793 |
799 ss->version = PR_MIN(peerVersion, ss->vrange.max); | 794 ss->version = PR_MIN(peerVersion, ss->vrange.max); |
800 PORT_Assert(ssl3_VersionIsSupported(ssl_variant_stream, ss->version)); | 795 PORT_Assert(ssl3_VersionIsSupported(ssl_variant_stream, ss->version)); |
801 | 796 |
802 return SECSuccess; | 797 return SECSuccess; |
803 } | 798 } |
804 | 799 |
800 | |
805 static SECStatus | 801 static SECStatus |
806 ssl3_GetNewRandom(SSL3Random *random) | 802 ssl3_GetNewRandom(SSL3Random *random) |
807 { | 803 { |
808 PRUint32 gmt = ssl_Time(); | 804 PRUint32 gmt = ssl_Time(); |
809 SECStatus rv; | 805 SECStatus rv; |
810 | 806 |
811 random->rand[0] = (unsigned char)(gmt >> 24); | 807 random->rand[0] = (unsigned char)(gmt >> 24); |
812 random->rand[1] = (unsigned char)(gmt >> 16); | 808 random->rand[1] = (unsigned char)(gmt >> 16); |
813 random->rand[2] = (unsigned char)(gmt >> 8); | 809 random->rand[2] = (unsigned char)(gmt >> 8); |
814 random->rand[3] = (unsigned char)(gmt); | 810 random->rand[3] = (unsigned char)(gmt); |
(...skipping 326 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1141 PK11_DestroyContext(mat->write_mac_context, PR_TRUE); | 1137 PK11_DestroyContext(mat->write_mac_context, PR_TRUE); |
1142 mat->write_mac_context = NULL; | 1138 mat->write_mac_context = NULL; |
1143 } | 1139 } |
1144 } | 1140 } |
1145 | 1141 |
1146 /* Called from ssl3_SendChangeCipherSpecs() and | 1142 /* Called from ssl3_SendChangeCipherSpecs() and |
1147 ** ssl3_HandleChangeCipherSpecs() | 1143 ** ssl3_HandleChangeCipherSpecs() |
1148 ** ssl3_DestroySSL3Info | 1144 ** ssl3_DestroySSL3Info |
1149 ** Caller must hold SpecWriteLock. | 1145 ** Caller must hold SpecWriteLock. |
1150 */ | 1146 */ |
1151 static void | 1147 void |
1152 ssl3_DestroyCipherSpec(ssl3CipherSpec *spec, PRBool freeSrvName) | 1148 ssl3_DestroyCipherSpec(ssl3CipherSpec *spec, PRBool freeSrvName) |
1153 { | 1149 { |
1154 PRBool freeit = (PRBool)(!spec->bypassCiphers); | 1150 PRBool freeit = (PRBool)(!spec->bypassCiphers); |
1155 /* PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); Don't have ss! * / | 1151 /* PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); Don't have ss! * / |
1156 if (spec->destroy) { | 1152 if (spec->destroy) { |
1157 spec->destroy(spec->encodeContext, freeit); | 1153 spec->destroy(spec->encodeContext, freeit); |
1158 spec->destroy(spec->decodeContext, freeit); | 1154 spec->destroy(spec->decodeContext, freeit); |
1159 spec->encodeContext = NULL; /* paranoia */ | 1155 spec->encodeContext = NULL; /* paranoia */ |
1160 spec->decodeContext = NULL; | 1156 spec->decodeContext = NULL; |
1161 } | 1157 } |
(...skipping 40 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1202 const ssl3CipherSuiteDef *suite_def; | 1198 const ssl3CipherSuiteDef *suite_def; |
1203 PRBool isTLS; | 1199 PRBool isTLS; |
1204 | 1200 |
1205 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 1201 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
1206 | 1202 |
1207 ssl_GetSpecWriteLock(ss); /*******************************/ | 1203 ssl_GetSpecWriteLock(ss); /*******************************/ |
1208 | 1204 |
1209 pwSpec = ss->ssl3.pwSpec; | 1205 pwSpec = ss->ssl3.pwSpec; |
1210 PORT_Assert(pwSpec == ss->ssl3.prSpec); | 1206 PORT_Assert(pwSpec == ss->ssl3.prSpec); |
1211 | 1207 |
1208 | |
1212 /* This hack provides maximal interoperability with SSL 3 servers. */ | 1209 /* This hack provides maximal interoperability with SSL 3 servers. */ |
1213 cwSpec = ss->ssl3.cwSpec; | 1210 cwSpec = ss->ssl3.cwSpec; |
1214 if (cwSpec->mac_def->mac == mac_null) { | 1211 if (cwSpec->mac_def->mac == mac_null) { |
1215 /* SSL records are not being MACed. */ | 1212 /* SSL records are not being MACed. */ |
1216 cwSpec->version = ss->version; | 1213 cwSpec->version = ss->version; |
1217 } | 1214 } |
1218 | 1215 |
1219 pwSpec->version = ss->version; | 1216 pwSpec->version = ss->version; |
1220 isTLS = (PRBool)(pwSpec->version > SSL_LIBRARY_VERSION_3_0); | 1217 isTLS = (PRBool)((pwSpec->version > SSL_LIBRARY_VERSION_3_0)); |
1221 | 1218 |
1222 SSL_TRC(3, ("%d: SSL3[%d]: Set XXX Pending Cipher Suite to 0x%04x", | 1219 SSL_TRC(3, ("%d: SSL3[%d]: Set XXX Pending Cipher Suite to 0x%04x", |
1223 SSL_GETPID(), ss->fd, suite)); | 1220 SSL_GETPID(), ss->fd, suite)); |
1224 | 1221 |
1225 suite_def = ssl_LookupCipherSuiteDef(suite); | 1222 suite_def = ssl_LookupCipherSuiteDef(suite); |
1226 if (suite_def == NULL) { | 1223 if (suite_def == NULL) { |
1227 ssl_ReleaseSpecWriteLock(ss); | 1224 ssl_ReleaseSpecWriteLock(ss); |
1228 return SECFailure; /* error code set by ssl_LookupCipherSuiteDef */ | 1225 return SECFailure; /* error code set by ssl_LookupCipherSuiteDef */ |
1229 } | 1226 } |
1230 | 1227 |
1228 if (IS_DTLS(ss)) { | |
1229 /* Double-check that we did not pick an RC4 suite */ | |
1230 PORT_Assert( (suite_def->bulk_cipher_alg != cipher_rc4) && | |
1231 (suite_def->bulk_cipher_alg != cipher_rc4_40) && | |
1232 (suite_def->bulk_cipher_alg != cipher_rc4_56)); | |
1233 } | |
1231 | 1234 |
1232 cipher = suite_def->bulk_cipher_alg; | 1235 cipher = suite_def->bulk_cipher_alg; |
1233 kea = suite_def->key_exchange_alg; | 1236 kea = suite_def->key_exchange_alg; |
1234 mac = suite_def->mac_alg; | 1237 mac = suite_def->mac_alg; |
1235 if (isTLS) | 1238 if (isTLS) |
1236 mac += 2; | 1239 mac += 2; |
1237 | 1240 |
1238 ss->ssl3.hs.suite_def = suite_def; | 1241 ss->ssl3.hs.suite_def = suite_def; |
1239 ss->ssl3.hs.kea_def = &kea_defs[kea]; | 1242 ss->ssl3.hs.kea_def = &kea_defs[kea]; |
1240 PORT_Assert(ss->ssl3.hs.kea_def->kea == kea); | 1243 PORT_Assert(ss->ssl3.hs.kea_def->kea == kea); |
1241 | 1244 |
1242 pwSpec->cipher_def = &bulk_cipher_defs[cipher]; | 1245 pwSpec->cipher_def = &bulk_cipher_defs[cipher]; |
1243 PORT_Assert(pwSpec->cipher_def->cipher == cipher); | 1246 PORT_Assert(pwSpec->cipher_def->cipher == cipher); |
1244 | 1247 |
1245 pwSpec->mac_def = &mac_defs[mac]; | 1248 pwSpec->mac_def = &mac_defs[mac]; |
1246 PORT_Assert(pwSpec->mac_def->mac == mac); | 1249 PORT_Assert(pwSpec->mac_def->mac == mac); |
1247 | 1250 |
1248 ss->sec.keyBits = pwSpec->cipher_def->key_size * BPB; | 1251 ss->sec.keyBits = pwSpec->cipher_def->key_size * BPB; |
1249 ss->sec.secretKeyBits = pwSpec->cipher_def->secret_key_size * BPB; | 1252 ss->sec.secretKeyBits = pwSpec->cipher_def->secret_key_size * BPB; |
1250 ss->sec.cipherType = cipher; | 1253 ss->sec.cipherType = cipher; |
1251 | 1254 |
1252 pwSpec->encodeContext = NULL; | 1255 pwSpec->encodeContext = NULL; |
1253 pwSpec->decodeContext = NULL; | 1256 pwSpec->decodeContext = NULL; |
1254 | 1257 |
1255 pwSpec->mac_size = pwSpec->mac_def->mac_size; | 1258 pwSpec->mac_size = pwSpec->mac_def->mac_size; |
1256 | 1259 |
1257 pwSpec->compression_method = ss->ssl3.hs.compression; | 1260 pwSpec->compression_method = ss->ssl3.hs.compression; |
1258 pwSpec->compressContext = NULL; | 1261 pwSpec->compressContext = NULL; |
1259 pwSpec->decompressContext = NULL; | 1262 pwSpec->decompressContext = NULL; |
1263 | |
1264 /* Note: pwSpec == prSpec here so we're really doing the read side. | |
1265 The epoch is set up in InitPendingCipherSpec */ | |
1266 dtls_InitRecvdRecords(&pwSpec->recvdRecords); | |
1260 | 1267 |
1261 ssl_ReleaseSpecWriteLock(ss); /*******************************/ | 1268 ssl_ReleaseSpecWriteLock(ss); /*******************************/ |
1262 return SECSuccess; | 1269 return SECSuccess; |
1263 } | 1270 } |
1264 | 1271 |
1265 #ifdef NSS_ENABLE_ZLIB | 1272 #ifdef NSS_ENABLE_ZLIB |
1266 #define SSL3_DEFLATE_CONTEXT_SIZE sizeof(z_stream) | 1273 #define SSL3_DEFLATE_CONTEXT_SIZE sizeof(z_stream) |
1267 | 1274 |
1268 static SECStatus | 1275 static SECStatus |
1269 ssl3_MapZlibError(int zlib_error) | 1276 ssl3_MapZlibError(int zlib_error) |
(...skipping 477 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1747 * Sets error code, but caller probably should override to disambiguate. | 1754 * Sets error code, but caller probably should override to disambiguate. |
1748 * NULL pms means re-use old master_secret. | 1755 * NULL pms means re-use old master_secret. |
1749 * | 1756 * |
1750 * This code is common to the bypass and PKCS11 execution paths. | 1757 * This code is common to the bypass and PKCS11 execution paths. |
1751 * For the bypass case, pms is NULL. | 1758 * For the bypass case, pms is NULL. |
1752 */ | 1759 */ |
1753 SECStatus | 1760 SECStatus |
1754 ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms) | 1761 ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms) |
1755 { | 1762 { |
1756 ssl3CipherSpec * pwSpec; | 1763 ssl3CipherSpec * pwSpec; |
1764 ssl3CipherSpec * cwSpec; | |
1757 SECStatus rv; | 1765 SECStatus rv; |
1758 | 1766 |
1759 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 1767 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
1760 | 1768 |
1761 ssl_GetSpecWriteLock(ss); /**************************************/ | 1769 ssl_GetSpecWriteLock(ss); /**************************************/ |
1762 | 1770 |
1763 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); | 1771 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); |
1764 | 1772 |
1773 cwSpec = ss->ssl3.cwSpec; | |
1765 pwSpec = ss->ssl3.pwSpec; | 1774 pwSpec = ss->ssl3.pwSpec; |
1766 | 1775 |
1767 if (pms || (!pwSpec->msItem.len && !pwSpec->master_secret)) { | 1776 if (pms || (!pwSpec->msItem.len && !pwSpec->master_secret)) { |
1768 rv = ssl3_DeriveMasterSecret(ss, pms); | 1777 rv = ssl3_DeriveMasterSecret(ss, pms); |
1769 if (rv != SECSuccess) { | 1778 if (rv != SECSuccess) { |
1770 goto done; /* err code set by ssl3_DeriveMasterSecret */ | 1779 goto done; /* err code set by ssl3_DeriveMasterSecret */ |
1771 } | 1780 } |
1772 } | 1781 } |
1773 if (ss->opt.bypassPKCS11 && pwSpec->msItem.len && pwSpec->msItem.data) { | 1782 if (ss->opt.bypassPKCS11 && pwSpec->msItem.len && pwSpec->msItem.data) { |
1774 /* Double Bypass succeeded in extracting the master_secret */ | 1783 /* Double Bypass succeeded in extracting the master_secret */ |
1775 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; | 1784 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; |
1776 PRBool isTLS = (PRBool)(kea_def->tls_keygen || | 1785 PRBool isTLS = (PRBool)(kea_def->tls_keygen || |
1777 (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); | 1786 (pwSpec->version > |
1787 SSL_LIBRARY_VERSION_3_0)); | |
1778 pwSpec->bypassCiphers = PR_TRUE; | 1788 pwSpec->bypassCiphers = PR_TRUE; |
1779 » rv = ssl3_KeyAndMacDeriveBypass( pwSpec, | 1789 » rv = ssl3_KeyAndMacDeriveBypass(pwSpec, |
1780 (const unsigned char *)&ss->ssl3.hs.client_random, | 1790 (const unsigned char *)&ss->ssl3.hs.client_random, |
1781 (const unsigned char *)&ss->ssl3.hs.server_random, | 1791 (const unsigned char *)&ss->ssl3.hs.server_random, |
1782 isTLS, | 1792 isTLS, |
1783 (PRBool)(kea_def->is_limited)); | 1793 (PRBool)(kea_def->is_limited)); |
1784 if (rv == SECSuccess) { | 1794 if (rv == SECSuccess) { |
1785 rv = ssl3_InitPendingContextsBypass(ss); | 1795 rv = ssl3_InitPendingContextsBypass(ss); |
1786 } | 1796 } |
1787 } else if (pwSpec->master_secret) { | 1797 } else if (pwSpec->master_secret) { |
1788 rv = ssl3_DeriveConnectionKeysPKCS11(ss); | 1798 rv = ssl3_DeriveConnectionKeysPKCS11(ss); |
1789 if (rv == SECSuccess) { | 1799 if (rv == SECSuccess) { |
1790 rv = ssl3_InitPendingContextsPKCS11(ss); | 1800 rv = ssl3_InitPendingContextsPKCS11(ss); |
1791 } | 1801 } |
1792 } else { | 1802 } else { |
1793 PORT_Assert(pwSpec->master_secret); | 1803 PORT_Assert(pwSpec->master_secret); |
1794 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 1804 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
1795 rv = SECFailure; | 1805 rv = SECFailure; |
1796 } | 1806 } |
1797 | 1807 |
1808 /* Generic behaviors -- common to all crypto methods*/ | |
1809 if (!IS_DTLS(ss)) { | |
1810 pwSpec->read_seq_num.high = pwSpec->write_seq_num.high = 0; | |
1811 } else { | |
1812 if (cwSpec->epoch == 65535) { | |
1813 /* The problem here is that we have rehandshaked too many | |
1814 times (you are not allowed to wrap the epoch). The | |
1815 spec says you should be discarding the connection | |
1816 and start over, so not much we can do here. */ | |
1817 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | |
1818 rv = SECFailure; | |
1819 } | |
1820 /* We only need to modify pwSpec since there is only one | |
1821 "pending" spec object being pointed to by pwSpec and | |
1822 cwSpec at different times. | |
1823 | |
1824 The sequence number has the high 16 bits as the epoch. | |
1825 */ | |
1826 pwSpec->epoch = cwSpec->epoch + 1; | |
1827 | |
1828 pwSpec->read_seq_num.high = pwSpec->write_seq_num.high = | |
1829 pwSpec->epoch << 16; | |
1830 } | |
1831 pwSpec->read_seq_num.low = pwSpec->write_seq_num.low = 0; | |
1832 | |
1833 | |
1798 done: | 1834 done: |
1799 ssl_ReleaseSpecWriteLock(ss); /******************************/ | 1835 ssl_ReleaseSpecWriteLock(ss); /******************************/ |
1800 if (rv != SECSuccess) | 1836 if (rv != SECSuccess) |
1801 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); | 1837 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); |
1802 return rv; | 1838 return rv; |
1803 } | 1839 } |
1804 | 1840 |
1805 /* | 1841 /* |
1806 * 60 bytes is 3 times the maximum length MAC size that is supported. | 1842 * 60 bytes is 3 times the maximum length MAC size that is supported. |
1807 */ | 1843 */ |
(...skipping 19 matching lines...) Expand all Loading... | |
1827 }; | 1863 }; |
1828 | 1864 |
1829 /* Called from: ssl3_SendRecord() | 1865 /* Called from: ssl3_SendRecord() |
1830 ** ssl3_HandleRecord() | 1866 ** ssl3_HandleRecord() |
1831 ** Caller must already hold the SpecReadLock. (wish we could assert that!) | 1867 ** Caller must already hold the SpecReadLock. (wish we could assert that!) |
1832 */ | 1868 */ |
1833 static SECStatus | 1869 static SECStatus |
1834 ssl3_ComputeRecordMAC( | 1870 ssl3_ComputeRecordMAC( |
1835 ssl3CipherSpec * spec, | 1871 ssl3CipherSpec * spec, |
1836 PRBool useServerMacKey, | 1872 PRBool useServerMacKey, |
1873 PRBool isDtls, | |
1837 SSL3ContentType type, | 1874 SSL3ContentType type, |
1838 SSL3ProtocolVersion version, | 1875 SSL3ProtocolVersion version, |
1839 SSL3SequenceNumber seq_num, | 1876 SSL3SequenceNumber seq_num, |
1840 const SSL3Opaque * input, | 1877 const SSL3Opaque * input, |
1841 int inputLength, | 1878 int inputLength, |
1842 unsigned char * outbuf, | 1879 unsigned char * outbuf, |
1843 unsigned int * outLength) | 1880 unsigned int * outLength) |
1844 { | 1881 { |
1845 const ssl3MACDef * mac_def; | 1882 const ssl3MACDef * mac_def; |
1846 SECStatus rv; | 1883 SECStatus rv; |
(...skipping 17 matching lines...) Expand all Loading... | |
1864 ** NOT based on the version value in the record itself. | 1901 ** NOT based on the version value in the record itself. |
1865 ** But, we use the record'v version value in the computation. | 1902 ** But, we use the record'v version value in the computation. |
1866 */ | 1903 */ |
1867 if (spec->version <= SSL_LIBRARY_VERSION_3_0) { | 1904 if (spec->version <= SSL_LIBRARY_VERSION_3_0) { |
1868 temp[9] = MSB(inputLength); | 1905 temp[9] = MSB(inputLength); |
1869 temp[10] = LSB(inputLength); | 1906 temp[10] = LSB(inputLength); |
1870 tempLen = 11; | 1907 tempLen = 11; |
1871 isTLS = PR_FALSE; | 1908 isTLS = PR_FALSE; |
1872 } else { | 1909 } else { |
1873 /* New TLS hash includes version. */ | 1910 /* New TLS hash includes version. */ |
1874 » temp[9] = MSB(version); | 1911 if (isDtls) { |
1875 » temp[10] = LSB(version); | 1912 SSL3ProtocolVersion dtls_version; |
1913 | |
1914 dtls_version = dtls_TLSVersionToDTLSVersion(version); | |
1915 | |
1916 temp[9] = MSB(dtls_version); | |
1917 temp[10] = LSB(dtls_version); | |
1918 } else { | |
1919 temp[9] = MSB(version); | |
1920 temp[10] = LSB(version); | |
1921 } | |
1876 temp[11] = MSB(inputLength); | 1922 temp[11] = MSB(inputLength); |
1877 temp[12] = LSB(inputLength); | 1923 temp[12] = LSB(inputLength); |
1878 tempLen = 13; | 1924 tempLen = 13; |
1879 isTLS = PR_TRUE; | 1925 isTLS = PR_TRUE; |
1880 } | 1926 } |
1881 | 1927 |
1882 PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen)); | 1928 PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen)); |
1883 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength)); | 1929 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength)); |
1884 | 1930 |
1885 mac_def = spec->mac_def; | 1931 mac_def = spec->mac_def; |
(...skipping 129 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2015 (PK11_NeedLogin(slot) && !PK11_IsLoggedIn(slot, NULL))) { | 2061 (PK11_NeedLogin(slot) && !PK11_IsLoggedIn(slot, NULL))) { |
2016 isPresent = PR_FALSE; | 2062 isPresent = PR_FALSE; |
2017 } | 2063 } |
2018 if (slot) { | 2064 if (slot) { |
2019 PK11_FreeSlot(slot); | 2065 PK11_FreeSlot(slot); |
2020 } | 2066 } |
2021 return isPresent; | 2067 return isPresent; |
2022 } | 2068 } |
2023 | 2069 |
2024 /* Caller must hold the spec read lock. */ | 2070 /* Caller must hold the spec read lock. */ |
2025 static SECStatus | 2071 SECStatus |
2026 ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec, | 2072 ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec, |
2027 PRBool isServer, | 2073 PRBool isServer, |
2074 PRBool isDtls, | |
2028 SSL3ContentType type, | 2075 SSL3ContentType type, |
2029 const SSL3Opaque * pIn, | 2076 const SSL3Opaque * pIn, |
2030 PRUint32 contentLen, | 2077 PRUint32 contentLen, |
2031 sslBuffer * wrBuf) | 2078 sslBuffer * wrBuf) |
2032 { | 2079 { |
2033 const ssl3BulkCipherDef * cipher_def; | 2080 const ssl3BulkCipherDef * cipher_def; |
2034 SECStatus rv; | 2081 SECStatus rv; |
2035 PRUint32 macLen = 0; | 2082 PRUint32 macLen = 0; |
2036 PRUint32 fragLen; | 2083 PRUint32 fragLen; |
2037 PRUint32 p1Len, p2Len, oddLen = 0; | 2084 PRUint32 p1Len, p2Len, oddLen = 0; |
2085 PRUint16 headerLength = isDtls ? DTLS_RECORD_HEADER_LENGTH : | |
2086 SSL3_RECORD_HEADER_LENGTH; | |
2087 | |
2038 int ivLen = 0; | 2088 int ivLen = 0; |
2089 int ivBytes = 0; | |
2039 int cipherBytes = 0; | 2090 int cipherBytes = 0; |
2040 | 2091 |
2041 cipher_def = cwSpec->cipher_def; | 2092 cipher_def = cwSpec->cipher_def; |
2042 | 2093 |
2043 if (cipher_def->type == type_block && | 2094 if (cipher_def->type == type_block && |
2044 cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { | 2095 cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { |
2045 /* Prepend the per-record explicit IV using technique 2b from | 2096 /* Prepend the per-record explicit IV using technique 2b from |
2046 * RFC 4346 section 6.2.3.2: The IV is a cryptographically | 2097 * RFC 4346 section 6.2.3.2: The IV is a cryptographically |
2047 * strong random number XORed with the CBC residue from the previous | 2098 * strong random number XORed with the CBC residue from the previous |
2048 * record. | 2099 * record. |
2049 */ | 2100 */ |
2050 ivLen = cipher_def->iv_size; | 2101 ivLen = cipher_def->iv_size; |
2051 » if (ivLen > wrBuf->space - SSL3_RECORD_HEADER_LENGTH) { | 2102 » if (ivLen > wrBuf->space - headerLength) { |
2052 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 2103 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
2053 return SECFailure; | 2104 return SECFailure; |
2054 } | 2105 } |
2055 » rv = PK11_GenerateRandom(wrBuf->buf + SSL3_RECORD_HEADER_LENGTH, ivLen); | 2106 » rv = PK11_GenerateRandom(wrBuf->buf + headerLength, ivLen); |
2056 if (rv != SECSuccess) { | 2107 if (rv != SECSuccess) { |
2057 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE); | 2108 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE); |
2058 return rv; | 2109 return rv; |
2059 } | 2110 } |
2060 rv = cwSpec->encode( cwSpec->encodeContext, | 2111 rv = cwSpec->encode( cwSpec->encodeContext, |
2061 » wrBuf->buf + SSL3_RECORD_HEADER_LENGTH, | 2112 » wrBuf->buf + headerLength, |
2062 &cipherBytes, /* output and actual outLen */ | 2113 &cipherBytes, /* output and actual outLen */ |
2063 ivLen, /* max outlen */ | 2114 ivLen, /* max outlen */ |
2064 » wrBuf->buf + SSL3_RECORD_HEADER_LENGTH, | 2115 » wrBuf->buf + headerLength, |
2065 ivLen); /* input and inputLen*/ | 2116 ivLen); /* input and inputLen*/ |
2066 if (rv != SECSuccess || cipherBytes != ivLen) { | 2117 if (rv != SECSuccess || cipherBytes != ivLen) { |
2067 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); | 2118 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
2068 return SECFailure; | 2119 return SECFailure; |
2069 } | 2120 } |
2070 } | 2121 } |
2071 | 2122 |
2072 if (cwSpec->compressor) { | 2123 if (cwSpec->compressor) { |
2073 int outlen; | 2124 int outlen; |
2074 rv = cwSpec->compressor( | 2125 rv = cwSpec->compressor( |
2075 cwSpec->compressContext, | 2126 cwSpec->compressContext, |
2076 » wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen, &outlen, | 2127 » wrBuf->buf + headerLength + ivLen, &outlen, |
2077 » wrBuf->space - SSL3_RECORD_HEADER_LENGTH - ivLen, pIn, contentLen); | 2128 » wrBuf->space - headerLength - ivLen, pIn, contentLen); |
2078 if (rv != SECSuccess) | 2129 if (rv != SECSuccess) |
2079 return rv; | 2130 return rv; |
2080 » pIn = wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen; | 2131 » pIn = wrBuf->buf + headerLength + ivLen; |
2081 contentLen = outlen; | 2132 contentLen = outlen; |
2082 } | 2133 } |
2083 | 2134 |
2084 /* | 2135 /* |
2085 * Add the MAC | 2136 * Add the MAC |
2086 */ | 2137 */ |
2087 rv = ssl3_ComputeRecordMAC( cwSpec, isServer, | 2138 rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDtls, |
2088 type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen, | 2139 type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen, |
2089 » wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen + contentLen, &macLen); | 2140 » wrBuf->buf + headerLength + ivLen + contentLen, &macLen); |
2090 if (rv != SECSuccess) { | 2141 if (rv != SECSuccess) { |
2091 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); | 2142 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); |
2092 return SECFailure; | 2143 return SECFailure; |
2093 } | 2144 } |
2094 p1Len = contentLen; | 2145 p1Len = contentLen; |
2095 p2Len = macLen; | 2146 p2Len = macLen; |
2096 fragLen = contentLen + macLen; /* needs to be encrypted */ | 2147 fragLen = contentLen + macLen; /* needs to be encrypted */ |
2097 PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); | 2148 PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); |
2098 | 2149 |
2099 /* | 2150 /* |
2100 * Pad the text (if we're doing a block cipher) | 2151 * Pad the text (if we're doing a block cipher) |
2101 * then Encrypt it | 2152 * then Encrypt it |
2102 */ | 2153 */ |
2103 if (cipher_def->type == type_block) { | 2154 if (cipher_def->type == type_block) { |
2104 unsigned char * pBuf; | 2155 unsigned char * pBuf; |
2105 int padding_length; | 2156 int padding_length; |
2106 int i; | 2157 int i; |
2107 | 2158 |
2108 oddLen = contentLen % cipher_def->block_size; | 2159 oddLen = contentLen % cipher_def->block_size; |
2109 /* Assume blockSize is a power of two */ | 2160 /* Assume blockSize is a power of two */ |
2110 padding_length = cipher_def->block_size - 1 - | 2161 padding_length = cipher_def->block_size - 1 - |
2111 ((fragLen) & (cipher_def->block_size - 1)); | 2162 ((fragLen) & (cipher_def->block_size - 1)); |
2112 fragLen += padding_length + 1; | 2163 fragLen += padding_length + 1; |
2113 PORT_Assert((fragLen % cipher_def->block_size) == 0); | 2164 PORT_Assert((fragLen % cipher_def->block_size) == 0); |
2114 | 2165 |
2115 /* Pad according to TLS rules (also acceptable to SSL3). */ | 2166 /* Pad according to TLS rules (also acceptable to SSL3). */ |
2116 » pBuf = &wrBuf->buf[SSL3_RECORD_HEADER_LENGTH + ivLen + fragLen - 1]; | 2167 » pBuf = &wrBuf->buf[headerLength + ivLen + fragLen - 1]; |
2117 for (i = padding_length + 1; i > 0; --i) { | 2168 for (i = padding_length + 1; i > 0; --i) { |
2118 *pBuf-- = padding_length; | 2169 *pBuf-- = padding_length; |
2119 } | 2170 } |
2120 /* now, if contentLen is not a multiple of block size, fix it */ | 2171 /* now, if contentLen is not a multiple of block size, fix it */ |
2121 p2Len = fragLen - p1Len; | 2172 p2Len = fragLen - p1Len; |
2122 } | 2173 } |
2123 if (p1Len < 256) { | 2174 if (p1Len < 256) { |
2124 oddLen = p1Len; | 2175 oddLen = p1Len; |
2125 p1Len = 0; | 2176 p1Len = 0; |
2126 } else { | 2177 } else { |
2127 p1Len -= oddLen; | 2178 p1Len -= oddLen; |
2128 } | 2179 } |
2129 if (oddLen) { | 2180 if (oddLen) { |
2130 p2Len += oddLen; | 2181 p2Len += oddLen; |
2131 PORT_Assert( (cipher_def->block_size < 2) || \ | 2182 PORT_Assert( (cipher_def->block_size < 2) || \ |
2132 (p2Len % cipher_def->block_size) == 0); | 2183 (p2Len % cipher_def->block_size) == 0); |
2133 » memmove(wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen + p1Len, | 2184 » memmove(wrBuf->buf + headerLength + ivLen + p1Len, |
2134 pIn + p1Len, oddLen); | 2185 pIn + p1Len, oddLen); |
2135 } | 2186 } |
2187 | |
2136 if (p1Len > 0) { | 2188 if (p1Len > 0) { |
2137 int cipherBytesPart1 = -1; | 2189 int cipherBytesPart1 = -1; |
2138 rv = cwSpec->encode( cwSpec->encodeContext, | 2190 rv = cwSpec->encode( cwSpec->encodeContext, |
2139 » wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen, /* output */ | 2191 » wrBuf->buf + headerLength + ivLen, /* output */ |
2140 &cipherBytesPart1, /* actual outlen */ | 2192 &cipherBytesPart1, /* actual outlen */ |
2141 p1Len, /* max outlen */ | 2193 p1Len, /* max outlen */ |
2142 pIn, p1Len); /* input, and inputlen */ | 2194 pIn, p1Len); /* input, and inputlen */ |
2143 PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len); | 2195 PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len); |
2144 if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) { | 2196 if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) { |
2145 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); | 2197 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
2146 return SECFailure; | 2198 return SECFailure; |
2147 } | 2199 } |
2148 cipherBytes += cipherBytesPart1; | 2200 cipherBytes += cipherBytesPart1; |
2149 } | 2201 } |
2150 if (p2Len > 0) { | 2202 if (p2Len > 0) { |
2151 int cipherBytesPart2 = -1; | 2203 int cipherBytesPart2 = -1; |
2152 rv = cwSpec->encode( cwSpec->encodeContext, | 2204 rv = cwSpec->encode( cwSpec->encodeContext, |
2153 » wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen + p1Len, | 2205 » wrBuf->buf + headerLength + ivLen + p1Len, |
2154 &cipherBytesPart2, /* output and actual outLen */ | 2206 &cipherBytesPart2, /* output and actual outLen */ |
2155 p2Len, /* max outlen */ | 2207 p2Len, /* max outlen */ |
2156 » wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen + p1Len, | 2208 » wrBuf->buf + headerLength + ivLen + p1Len, |
2157 p2Len); /* input and inputLen*/ | 2209 p2Len); /* input and inputLen*/ |
2158 PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len); | 2210 PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len); |
2159 if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) { | 2211 if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) { |
2160 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); | 2212 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
2161 return SECFailure; | 2213 return SECFailure; |
2162 } | 2214 } |
2163 cipherBytes += cipherBytesPart2; | 2215 cipherBytes += cipherBytesPart2; |
2164 } | 2216 } |
2217 | |
2218 /* Add in the IV */ | |
2219 cipherBytes += ivBytes; | |
wtc
2012/03/21 01:22:07
This is a merging error.
cipherBytes already incl
ekr
2012/03/21 01:36:40
Oops. This merge got ugly and I thought I caught a
ekr
2012/03/26 21:49:18
I double-checked this and I agree.
| |
2220 | |
2165 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024); | 2221 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024); |
2166 | 2222 |
2223 wrBuf->len = cipherBytes + headerLength; | |
2224 wrBuf->buf[0] = type; | |
2225 if (isDtls) { | |
2226 SSL3ProtocolVersion version; | |
2227 | |
2228 version = dtls_TLSVersionToDTLSVersion(cwSpec->version); | |
2229 | |
2230 wrBuf->buf[1] = MSB(version); | |
2231 wrBuf->buf[2] = LSB(version); | |
2232 wrBuf->buf[3] = (unsigned char)(cwSpec->write_seq_num.high >> 24); | |
2233 wrBuf->buf[4] = (unsigned char)(cwSpec->write_seq_num.high >> 16); | |
2234 wrBuf->buf[5] = (unsigned char)(cwSpec->write_seq_num.high >> 8); | |
2235 wrBuf->buf[6] = (unsigned char)(cwSpec->write_seq_num.high >> 0); | |
2236 wrBuf->buf[7] = (unsigned char)(cwSpec->write_seq_num.low >> 24); | |
2237 wrBuf->buf[8] = (unsigned char)(cwSpec->write_seq_num.low >> 16); | |
2238 wrBuf->buf[9] = (unsigned char)(cwSpec->write_seq_num.low >> 8); | |
2239 wrBuf->buf[10] = (unsigned char)(cwSpec->write_seq_num.low >> 0); | |
2240 wrBuf->buf[11] = MSB(cipherBytes); | |
2241 wrBuf->buf[12] = LSB(cipherBytes); | |
2242 } else { | |
2243 wrBuf->buf[1] = MSB(cwSpec->version); | |
2244 wrBuf->buf[2] = LSB(cwSpec->version); | |
2245 wrBuf->buf[3] = MSB(cipherBytes); | |
2246 wrBuf->buf[4] = LSB(cipherBytes); | |
2247 } | |
2248 | |
2167 ssl3_BumpSequenceNumber(&cwSpec->write_seq_num); | 2249 ssl3_BumpSequenceNumber(&cwSpec->write_seq_num); |
2168 | 2250 |
2169 wrBuf->len = cipherBytes + SSL3_RECORD_HEADER_LENGTH; | |
2170 wrBuf->buf[0] = type; | |
2171 wrBuf->buf[1] = MSB(cwSpec->version); | |
2172 wrBuf->buf[2] = LSB(cwSpec->version); | |
2173 wrBuf->buf[3] = MSB(cipherBytes); | |
2174 wrBuf->buf[4] = LSB(cipherBytes); | |
2175 | |
2176 return SECSuccess; | 2251 return SECSuccess; |
2177 } | 2252 } |
2178 | 2253 |
2179 /* Process the plain text before sending it. | 2254 /* Process the plain text before sending it. |
2180 * Returns the number of bytes of plaintext that were successfully sent | 2255 * Returns the number of bytes of plaintext that were successfully sent |
2181 * plus the number of bytes of plaintext that were copied into the | 2256 * plus the number of bytes of plaintext that were copied into the |
2182 * output (write) buffer. | 2257 * output (write) buffer. |
2183 * Returns SECFailure on a hard IO error, memory error, or crypto error. | 2258 * Returns SECFailure on a hard IO error, memory error, or crypto error. |
2184 * Does NOT return SECWouldBlock. | 2259 * Does NOT return SECWouldBlock. |
2185 * | 2260 * |
2186 * Notes on the use of the private ssl flags: | 2261 * Notes on the use of the private ssl flags: |
2187 * (no private SSL flags) | 2262 * (no private SSL flags) |
2188 * Attempt to make and send SSL records for all plaintext | 2263 * Attempt to make and send SSL records for all plaintext |
2189 * If non-blocking and a send gets WOULD_BLOCK, | 2264 * If non-blocking and a send gets WOULD_BLOCK, |
2190 * or if the pending (ciphertext) buffer is not empty, | 2265 * or if the pending (ciphertext) buffer is not empty, |
2191 * then buffer remaining bytes of ciphertext into pending buf, | 2266 * then buffer remaining bytes of ciphertext into pending buf, |
2192 * and continue to do that for all succssive records until all | 2267 * and continue to do that for all succssive records until all |
2193 * bytes are used. | 2268 * bytes are used. |
2194 * ssl_SEND_FLAG_FORCE_INTO_BUFFER | 2269 * ssl_SEND_FLAG_FORCE_INTO_BUFFER |
2195 * As above, except this suppresses all write attempts, and forces | 2270 * As above, except this suppresses all write attempts, and forces |
2196 * all ciphertext into the pending ciphertext buffer. | 2271 * all ciphertext into the pending ciphertext buffer. |
2272 * ssl_SEND_FLAG_USE_EPOCH (for DTLS) | |
2273 * Forces the use of the provided epoch | |
2197 * | 2274 * |
2198 */ | 2275 */ |
2199 static PRInt32 | 2276 PRInt32 |
2200 ssl3_SendRecord( sslSocket * ss, | 2277 ssl3_SendRecord( sslSocket * ss, |
2278 DTLSEpoch epoch, /* DTLS only */ | |
2201 SSL3ContentType type, | 2279 SSL3ContentType type, |
2202 const SSL3Opaque * pIn, /* input buffer */ | 2280 const SSL3Opaque * pIn, /* input buffer */ |
2203 PRInt32 nIn, /* bytes of input */ | 2281 PRInt32 nIn, /* bytes of input */ |
2204 PRInt32 flags) | 2282 PRInt32 flags) |
2205 { | 2283 { |
2206 sslBuffer * wrBuf = &ss->sec.writeBuf; | 2284 sslBuffer * wrBuf = &ss->sec.writeBuf; |
2207 SECStatus rv; | 2285 SECStatus rv; |
2208 PRInt32 totalSent = 0; | 2286 PRInt32 totalSent = 0; |
2209 | 2287 |
2210 SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d", | 2288 SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d", |
(...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2262 SSL_DBG(("%d: SSL3[%d]: SendRecord, tried to get %d bytes", | 2340 SSL_DBG(("%d: SSL3[%d]: SendRecord, tried to get %d bytes", |
2263 SSL_GETPID(), ss->fd, spaceNeeded)); | 2341 SSL_GETPID(), ss->fd, spaceNeeded)); |
2264 goto spec_locked_loser; /* sslBuffer_Grow set error code. */ | 2342 goto spec_locked_loser; /* sslBuffer_Grow set error code. */ |
2265 } | 2343 } |
2266 } | 2344 } |
2267 | 2345 |
2268 if (numRecords == 2) { | 2346 if (numRecords == 2) { |
2269 sslBuffer secondRecord; | 2347 sslBuffer secondRecord; |
2270 | 2348 |
2271 rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec, | 2349 rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec, |
2272 » ss->sec.isServer, type, pIn, 1, | 2350 » ss->sec.isServer, |
2351 » » » » » IS_DTLS(ss), | |
2352 » » » » » type, pIn, 1, | |
2273 wrBuf); | 2353 wrBuf); |
2274 if (rv != SECSuccess) | 2354 if (rv != SECSuccess) |
2275 goto spec_locked_loser; | 2355 goto spec_locked_loser; |
2276 | 2356 |
2277 PRINT_BUF(50, (ss, "send (encrypted) record data [1/2]:", | 2357 PRINT_BUF(50, (ss, "send (encrypted) record data [1/2]:", |
2278 wrBuf->buf, wrBuf->len)); | 2358 wrBuf->buf, wrBuf->len)); |
2279 | 2359 |
2280 secondRecord.buf = wrBuf->buf + wrBuf->len; | 2360 secondRecord.buf = wrBuf->buf + wrBuf->len; |
2281 secondRecord.len = 0; | 2361 secondRecord.len = 0; |
2282 secondRecord.space = wrBuf->space - wrBuf->len; | 2362 secondRecord.space = wrBuf->space - wrBuf->len; |
2283 | 2363 |
2284 rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec, | 2364 rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec, |
2285 » ss->sec.isServer, type, pIn + 1, | 2365 » ss->sec.isServer, |
2366 » » » » » IS_DTLS(ss), | |
2367 » » » » » type, pIn + 1, | |
2286 contentLen - 1, &secondRecord); | 2368 contentLen - 1, &secondRecord); |
2287 if (rv == SECSuccess) { | 2369 if (rv == SECSuccess) { |
2288 PRINT_BUF(50, (ss, "send (encrypted) record data [2/2]:", | 2370 PRINT_BUF(50, (ss, "send (encrypted) record data [2/2]:", |
2289 secondRecord.buf, secondRecord.len)); | 2371 secondRecord.buf, secondRecord.len)); |
2290 wrBuf->len += secondRecord.len; | 2372 wrBuf->len += secondRecord.len; |
2291 } | 2373 } |
2292 } else { | 2374 } else { |
2293 » rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec, | 2375 » if (!IS_DTLS(ss)) { |
2294 » ss->sec.isServer, type, pIn, | 2376 » » rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec, |
2295 » contentLen, wrBuf); | 2377 » » » » » » ss->sec.isServer, |
2378 » » » » » » IS_DTLS(ss),»» » » » » | |
2379 » » » » » » type, pIn, | |
2380 » » » » » » contentLen, wrBuf); | |
2381 » } | |
2382 » else { | |
2383 » » rv = dtls_CompressMACEncryptRecord( ss, epoch, | |
2384 » » » » » » !!(flags & ssl_SEND_FLAG_USE _EPOCH), | |
2385 » » » » » » type, pIn, contentLen, wrBuf ); | |
2386 » } | |
2387 » | |
2296 if (rv == SECSuccess) { | 2388 if (rv == SECSuccess) { |
2297 PRINT_BUF(50, (ss, "send (encrypted) record data:", | 2389 PRINT_BUF(50, (ss, "send (encrypted) record data:", |
2298 wrBuf->buf, wrBuf->len)); | 2390 wrBuf->buf, wrBuf->len)); |
2299 } | 2391 } |
2300 } | 2392 } |
2301 | 2393 |
2302 spec_locked_loser: | 2394 spec_locked_loser: |
2303 ssl_ReleaseSpecReadLock(ss); /************************************/ | 2395 ssl_ReleaseSpecReadLock(ss); /************************************/ |
2304 | 2396 |
2305 if (rv != SECSuccess) | 2397 if (rv != SECSuccess) |
(...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2341 sent = ssl_DefSend(ss, wrBuf->buf, wrBuf->len, | 2433 sent = ssl_DefSend(ss, wrBuf->buf, wrBuf->len, |
2342 flags & ~ssl_SEND_FLAG_MASK); | 2434 flags & ~ssl_SEND_FLAG_MASK); |
2343 if (sent < 0) { | 2435 if (sent < 0) { |
2344 if (PR_GetError() != PR_WOULD_BLOCK_ERROR) { | 2436 if (PR_GetError() != PR_WOULD_BLOCK_ERROR) { |
2345 ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE); | 2437 ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE); |
2346 return SECFailure; | 2438 return SECFailure; |
2347 } | 2439 } |
2348 /* we got PR_WOULD_BLOCK_ERROR, which means none was sent. */ | 2440 /* we got PR_WOULD_BLOCK_ERROR, which means none was sent. */ |
2349 sent = 0; | 2441 sent = 0; |
2350 } | 2442 } |
2443 | |
2351 wrBuf->len -= sent; | 2444 wrBuf->len -= sent; |
2352 if (wrBuf->len) { | 2445 if (wrBuf->len) { |
2353 » » /* now take all the remaining unsent new ciphertext and | 2446 » » if (IS_DTLS(ss)) { |
2354 » » * append it to the buffer of previously unsent ciphertext. | 2447 » » /* DTLS just says no in this case. No buffering */ |
2355 » » */ | 2448 » » PR_SetError(PR_WOULD_BLOCK_ERROR, 0); |
2356 » » rv = ssl_SaveWriteData(ss, wrBuf->buf + sent, wrBuf->len); | |
2357 » » if (rv != SECSuccess) { | |
2358 » » /* presumably a memory error, SEC_ERROR_NO_MEMORY */ | |
2359 return SECFailure; | 2449 return SECFailure; |
2450 } else { | |
2451 /* now take all the remaining unsent new ciphertext and | |
2452 * append it to the buffer of previously unsent ciphertext. | |
2453 */ | |
2454 | |
2455 rv = ssl_SaveWriteData(ss, wrBuf->buf + sent, wrBuf->len); | |
2456 if (rv != SECSuccess) { | |
2457 /* presumably a memory error, SEC_ERROR_NO_MEMORY */ | |
2458 return SECFailure; | |
2459 } | |
2360 } | 2460 } |
2361 } | 2461 } |
2362 } | 2462 } |
2363 totalSent += contentLen; | 2463 totalSent += contentLen; |
2364 } | 2464 } |
2365 return totalSent; | 2465 return totalSent; |
2366 } | 2466 } |
2367 | 2467 |
2368 #define SSL3_PENDING_HIGH_WATER 1024 | 2468 #define SSL3_PENDING_HIGH_WATER 1024 |
2369 | 2469 |
2370 /* Attempt to send the content of "in" in an SSL application_data record. | 2470 /* Attempt to send the content of "in" in an SSL application_data record. |
2371 * Returns "len" or SECFailure, never SECWouldBlock, nor SECSuccess. | 2471 * Returns "len" or SECFailure, never SECWouldBlock, nor SECSuccess. |
2372 */ | 2472 */ |
2373 int | 2473 int |
2374 ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in, | 2474 ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in, |
2375 PRInt32 len, PRInt32 flags) | 2475 PRInt32 len, PRInt32 flags) |
2376 { | 2476 { |
2377 PRInt32 totalSent = 0; | 2477 PRInt32 totalSent = 0; |
2378 PRInt32 discarded = 0; | 2478 PRInt32 discarded = 0; |
2379 | 2479 |
2380 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); | 2480 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); |
2481 /* These flags for internal use only */ | |
2482 PORT_Assert( !(flags & (ssl_SEND_FLAG_USE_EPOCH | | |
2483 ssl_SEND_FLAG_NO_RETRANSMIT))); | |
2381 if (len < 0 || !in) { | 2484 if (len < 0 || !in) { |
2382 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); | 2485 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); |
2383 return SECFailure; | 2486 return SECFailure; |
2384 } | 2487 } |
2385 | 2488 |
2386 if (ss->pendingBuf.len > SSL3_PENDING_HIGH_WATER && | 2489 if (ss->pendingBuf.len > SSL3_PENDING_HIGH_WATER && |
2387 !ssl_SocketIsBlocking(ss)) { | 2490 !ssl_SocketIsBlocking(ss)) { |
2388 PORT_Assert(!ssl_SocketIsBlocking(ss)); | 2491 PORT_Assert(!ssl_SocketIsBlocking(ss)); |
2389 PORT_SetError(PR_WOULD_BLOCK_ERROR); | 2492 PORT_SetError(PR_WOULD_BLOCK_ERROR); |
2390 return SECFailure; | 2493 return SECFailure; |
(...skipping 17 matching lines...) Expand all Loading... | |
2408 * The thread yield is intended to give the reader thread a | 2511 * The thread yield is intended to give the reader thread a |
2409 * chance to get some cycles while the writer thread is in | 2512 * chance to get some cycles while the writer thread is in |
2410 * the middle of a large application data write. (See | 2513 * the middle of a large application data write. (See |
2411 * Bugzilla bug 127740, comment #1.) | 2514 * Bugzilla bug 127740, comment #1.) |
2412 */ | 2515 */ |
2413 ssl_ReleaseXmitBufLock(ss); | 2516 ssl_ReleaseXmitBufLock(ss); |
2414 PR_Sleep(PR_INTERVAL_NO_WAIT); /* PR_Yield(); */ | 2517 PR_Sleep(PR_INTERVAL_NO_WAIT); /* PR_Yield(); */ |
2415 ssl_GetXmitBufLock(ss); | 2518 ssl_GetXmitBufLock(ss); |
2416 } | 2519 } |
2417 toSend = PR_MIN(len - totalSent, MAX_FRAGMENT_LENGTH); | 2520 toSend = PR_MIN(len - totalSent, MAX_FRAGMENT_LENGTH); |
2418 » sent = ssl3_SendRecord(ss, content_application_data, | 2521 » /* |
2522 » * Note that the 0 epoch is OK because flags will never | |
2523 » * require its use, as guaranteed by the PORT_Assert | |
2524 » * above | |
2525 » */ | |
2526 » sent = ssl3_SendRecord(ss, 0, content_application_data, | |
2419 in + totalSent, toSend, flags); | 2527 in + totalSent, toSend, flags); |
2420 if (sent < 0) { | 2528 if (sent < 0) { |
2421 if (totalSent > 0 && PR_GetError() == PR_WOULD_BLOCK_ERROR) { | 2529 if (totalSent > 0 && PR_GetError() == PR_WOULD_BLOCK_ERROR) { |
2422 PORT_Assert(ss->lastWriteBlocked); | 2530 PORT_Assert(ss->lastWriteBlocked); |
2423 break; | 2531 break; |
2424 } | 2532 } |
2425 return SECFailure; /* error code set by ssl3_SendRecord */ | 2533 return SECFailure; /* error code set by ssl3_SendRecord */ |
2426 } | 2534 } |
2427 totalSent += sent; | 2535 totalSent += sent; |
2428 if (ss->pendingBuf.len) { | 2536 if (ss->pendingBuf.len) { |
(...skipping 14 matching lines...) Expand all Loading... | |
2443 if (totalSent <= 0) { | 2551 if (totalSent <= 0) { |
2444 PORT_SetError(PR_WOULD_BLOCK_ERROR); | 2552 PORT_SetError(PR_WOULD_BLOCK_ERROR); |
2445 totalSent = SECFailure; | 2553 totalSent = SECFailure; |
2446 } | 2554 } |
2447 return totalSent; | 2555 return totalSent; |
2448 } | 2556 } |
2449 ss->appDataBuffered = 0; | 2557 ss->appDataBuffered = 0; |
2450 return totalSent + discarded; | 2558 return totalSent + discarded; |
2451 } | 2559 } |
2452 | 2560 |
2453 /* Attempt to send the content of sendBuf buffer in an SSL handshake record. | 2561 |
2562 /* Attempt to send buffered handshake messages. | |
2454 * This function returns SECSuccess or SECFailure, never SECWouldBlock. | 2563 * This function returns SECSuccess or SECFailure, never SECWouldBlock. |
2455 * Always set sendBuf.len to 0, even when returning SECFailure. | 2564 * Always set sendBuf.len to 0, even when returning SECFailure. |
2456 * | 2565 * |
2566 * Depending on whether we are doing DTLS or not, this either calls | |
2567 * | |
2568 * - ssl3_FlushHandshake if non-DTLS | |
2569 * - dtls_FlushHandshake if DTLS | |
2570 * | |
2457 * Called from SSL3_SendAlert(), ssl3_SendChangeCipherSpecs(), | 2571 * Called from SSL3_SendAlert(), ssl3_SendChangeCipherSpecs(), |
2458 * ssl3_AppendHandshake(), ssl3_SendClientHello(), | 2572 * ssl3_AppendHandshake(), ssl3_SendClientHello(), |
2459 * ssl3_SendHelloRequest(), ssl3_SendServerHelloDone(), | 2573 * ssl3_SendHelloRequest(), ssl3_SendServerHelloDone(), |
2460 * ssl3_SendFinished(), | 2574 * ssl3_SendFinished(), |
2461 */ | 2575 */ |
2462 static SECStatus | 2576 static SECStatus |
2463 ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags) | 2577 ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags) |
2464 { | 2578 { |
2579 if (IS_DTLS(ss)) { | |
2580 return dtls_FlushHandshakeMessages(ss, flags); | |
2581 } else { | |
2582 return ssl3_FlushHandshakeMessages(ss, flags); | |
2583 } | |
2584 } | |
2585 | |
2586 /* Attempt to send the content of sendBuf buffer in an SSL handshake record. | |
2587 * This function returns SECSuccess or SECFailure, never SECWouldBlock. | |
2588 * Always set sendBuf.len to 0, even when returning SECFailure. | |
2589 * | |
2590 * Called from ssl3_FlushHandshake | |
2591 */ | |
2592 static SECStatus | |
2593 ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags) | |
2594 { | |
2465 PRInt32 rv = SECSuccess; | 2595 PRInt32 rv = SECSuccess; |
2466 | 2596 |
2467 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 2597 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
2468 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); | 2598 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); |
2469 | 2599 |
2470 if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len) | 2600 if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len) |
2471 return rv; | 2601 return rv; |
2472 | 2602 |
2473 /* only this flag is allowed */ | 2603 /* only this flag is allowed */ |
2474 PORT_Assert(!(flags & ~ssl_SEND_FLAG_FORCE_INTO_BUFFER)); | 2604 PORT_Assert(!(flags & ~ssl_SEND_FLAG_FORCE_INTO_BUFFER)); |
2475 if ((flags & ~ssl_SEND_FLAG_FORCE_INTO_BUFFER) != 0) { | 2605 if ((flags & ~ssl_SEND_FLAG_FORCE_INTO_BUFFER) != 0) { |
2476 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 2606 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
2477 rv = SECFailure; | 2607 rv = SECFailure; |
2478 } else { | 2608 } else { |
2479 » rv = ssl3_SendRecord(ss, content_handshake, ss->sec.ci.sendBuf.buf, | 2609 » rv = ssl3_SendRecord(ss, 0, content_handshake, ss->sec.ci.sendBuf.buf, |
2480 ss->sec.ci.sendBuf.len, flags); | 2610 ss->sec.ci.sendBuf.len, flags); |
2481 } | 2611 } |
2482 if (rv < 0) { | 2612 if (rv < 0) { |
2483 int err = PORT_GetError(); | 2613 int err = PORT_GetError(); |
2484 PORT_Assert(err != PR_WOULD_BLOCK_ERROR); | 2614 PORT_Assert(err != PR_WOULD_BLOCK_ERROR); |
2485 if (err == PR_WOULD_BLOCK_ERROR) { | 2615 if (err == PR_WOULD_BLOCK_ERROR) { |
2486 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 2616 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
2487 } | 2617 } |
2488 } else if (rv < ss->sec.ci.sendBuf.len) { | 2618 } else if (rv < ss->sec.ci.sendBuf.len) { |
2489 /* short write should never happen */ | 2619 /* short write should never happen */ |
(...skipping 96 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2586 ssl_GetSSL3HandshakeLock(ss); | 2716 ssl_GetSSL3HandshakeLock(ss); |
2587 if (level == alert_fatal) { | 2717 if (level == alert_fatal) { |
2588 if (ss->sec.ci.sid) { | 2718 if (ss->sec.ci.sid) { |
2589 ss->sec.uncache(ss->sec.ci.sid); | 2719 ss->sec.uncache(ss->sec.ci.sid); |
2590 } | 2720 } |
2591 } | 2721 } |
2592 ssl_GetXmitBufLock(ss); | 2722 ssl_GetXmitBufLock(ss); |
2593 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER); | 2723 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER); |
2594 if (rv == SECSuccess) { | 2724 if (rv == SECSuccess) { |
2595 PRInt32 sent; | 2725 PRInt32 sent; |
2596 » sent = ssl3_SendRecord(ss, content_alert, bytes, 2, | 2726 » sent = ssl3_SendRecord(ss, 0, content_alert, bytes, 2, |
2597 desc == no_certificate | 2727 desc == no_certificate |
2598 ? ssl_SEND_FLAG_FORCE_INTO_BUFFER : 0); | 2728 ? ssl_SEND_FLAG_FORCE_INTO_BUFFER : 0); |
2599 rv = (sent >= 0) ? SECSuccess : (SECStatus)sent; | 2729 rv = (sent >= 0) ? SECSuccess : (SECStatus)sent; |
2600 } | 2730 } |
2601 ssl_ReleaseXmitBufLock(ss); | 2731 ssl_ReleaseXmitBufLock(ss); |
2602 ssl_ReleaseSSL3HandshakeLock(ss); | 2732 ssl_ReleaseSSL3HandshakeLock(ss); |
2603 return rv; /* error set by ssl3_FlushHandshake or ssl3_SendRecord */ | 2733 return rv; /* error set by ssl3_FlushHandshake or ssl3_SendRecord */ |
2604 } | 2734 } |
2605 | 2735 |
2606 /* | 2736 /* |
(...skipping 53 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2660 SSL_DBG(("%d: SSL3[%d]: peer certificate is no good: error=%d", | 2790 SSL_DBG(("%d: SSL3[%d]: peer certificate is no good: error=%d", |
2661 SSL_GETPID(), ss->fd, errCode)); | 2791 SSL_GETPID(), ss->fd, errCode)); |
2662 | 2792 |
2663 (void) SSL3_SendAlert(ss, alert_fatal, desc); | 2793 (void) SSL3_SendAlert(ss, alert_fatal, desc); |
2664 } | 2794 } |
2665 | 2795 |
2666 | 2796 |
2667 /* | 2797 /* |
2668 * Send handshake_Failure alert. Set generic error number. | 2798 * Send handshake_Failure alert. Set generic error number. |
2669 */ | 2799 */ |
2670 static SECStatus | 2800 SECStatus |
2671 ssl3_DecodeError(sslSocket *ss) | 2801 ssl3_DecodeError(sslSocket *ss) |
2672 { | 2802 { |
2673 (void)SSL3_SendAlert(ss, alert_fatal, | 2803 (void)SSL3_SendAlert(ss, alert_fatal, |
2674 ss->version > SSL_LIBRARY_VERSION_3_0 ? decode_error | 2804 ss->version > SSL_LIBRARY_VERSION_3_0 ? decode_error |
2675 : illegal_parameter); | 2805 : illegal_parameter); |
2676 PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT | 2806 PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT |
2677 : SSL_ERROR_BAD_SERVER ); | 2807 : SSL_ERROR_BAD_SERVER ); |
2678 return SECFailure; | 2808 return SECFailure; |
2679 } | 2809 } |
2680 | 2810 |
(...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2748 error = SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT; break; | 2878 error = SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT; break; |
2749 case unrecognized_name: | 2879 case unrecognized_name: |
2750 error = SSL_ERROR_UNRECOGNIZED_NAME_ALERT; break; | 2880 error = SSL_ERROR_UNRECOGNIZED_NAME_ALERT; break; |
2751 case bad_certificate_status_response: | 2881 case bad_certificate_status_response: |
2752 error = SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT; break; | 2882 error = SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT; break; |
2753 case bad_certificate_hash_value: | 2883 case bad_certificate_hash_value: |
2754 error = SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT; break; | 2884 error = SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT; break; |
2755 default: error = SSL_ERROR_RX_UNKNOWN_ALERT; break; | 2885 default: error = SSL_ERROR_RX_UNKNOWN_ALERT; break; |
2756 } | 2886 } |
2757 if (level == alert_fatal) { | 2887 if (level == alert_fatal) { |
2758 » ss->sec.uncache(ss->sec.ci.sid); | 2888 » if (!ss->opt.noCache) |
2889 » ss->sec.uncache(ss->sec.ci.sid); | |
wtc
2012/03/21 01:22:07
What is this change for? Did you run into a crash
ekr
2012/03/21 01:36:40
IIRC I was seeing crashes when noCache was set. I
wtc
2012/03/21 02:12:01
Thank you for the confirmation. We have fixed cra
wtc
2012/03/21 02:15:23
I found that this crash was reported in the NSS ne
| |
2759 if ((ss->ssl3.hs.ws == wait_server_hello) && | 2890 if ((ss->ssl3.hs.ws == wait_server_hello) && |
2760 (desc == handshake_failure)) { | 2891 (desc == handshake_failure)) { |
2761 /* XXX This is a hack. We're assuming that any handshake failure | 2892 /* XXX This is a hack. We're assuming that any handshake failure |
2762 * XXX on the client hello is a failure to match ciphers. | 2893 * XXX on the client hello is a failure to match ciphers. |
2763 */ | 2894 */ |
2764 error = SSL_ERROR_NO_CYPHER_OVERLAP; | 2895 error = SSL_ERROR_NO_CYPHER_OVERLAP; |
2765 } | 2896 } |
2766 PORT_SetError(error); | 2897 PORT_SetError(error); |
2767 return SECFailure; | 2898 return SECFailure; |
2768 } | 2899 } |
(...skipping 30 matching lines...) Expand all Loading... | |
2799 SSL_TRC(3, ("%d: SSL3[%d]: send change_cipher_spec record", | 2930 SSL_TRC(3, ("%d: SSL3[%d]: send change_cipher_spec record", |
2800 SSL_GETPID(), ss->fd)); | 2931 SSL_GETPID(), ss->fd)); |
2801 | 2932 |
2802 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); | 2933 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); |
2803 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 2934 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
2804 | 2935 |
2805 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER); | 2936 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER); |
2806 if (rv != SECSuccess) { | 2937 if (rv != SECSuccess) { |
2807 return rv; /* error code set by ssl3_FlushHandshake */ | 2938 return rv; /* error code set by ssl3_FlushHandshake */ |
2808 } | 2939 } |
2809 sent = ssl3_SendRecord(ss, content_change_cipher_spec, &change, 1, | 2940 if (!IS_DTLS(ss)) { |
2810 ssl_SEND_FLAG_FORCE_INTO_BUFFER); | 2941 sent = ssl3_SendRecord(ss, 0, content_change_cipher_spec, &change, 1, |
2811 if (sent < 0) { | 2942 ssl_SEND_FLAG_FORCE_INTO_BUFFER); |
2812 » return (SECStatus)sent;»/* error code set by ssl3_SendRecord */ | 2943 if (sent < 0) { |
2944 return (SECStatus)sent;» /* error code set by ssl3_SendRecord */ | |
2945 } | |
2946 } else { | |
2947 rv = dtls_QueueMessage(ss, content_change_cipher_spec, &change, 1); | |
2948 if (rv != SECSuccess) | |
2949 return rv; | |
2813 } | 2950 } |
2814 | 2951 |
2815 /* swap the pending and current write specs. */ | 2952 /* swap the pending and current write specs. */ |
2816 ssl_GetSpecWriteLock(ss); /**************************************/ | 2953 ssl_GetSpecWriteLock(ss); /**************************************/ |
2817 pwSpec = ss->ssl3.pwSpec; | 2954 pwSpec = ss->ssl3.pwSpec; |
2818 pwSpec->write_seq_num.high = 0; | |
2819 pwSpec->write_seq_num.low = 0; | |
2820 | 2955 |
2821 ss->ssl3.pwSpec = ss->ssl3.cwSpec; | 2956 ss->ssl3.pwSpec = ss->ssl3.cwSpec; |
2822 ss->ssl3.cwSpec = pwSpec; | 2957 ss->ssl3.cwSpec = pwSpec; |
2823 | 2958 |
2824 SSL_TRC(3, ("%d: SSL3[%d] Set Current Write Cipher Suite to Pending", | 2959 SSL_TRC(3, ("%d: SSL3[%d] Set Current Write Cipher Suite to Pending", |
2825 SSL_GETPID(), ss->fd )); | 2960 SSL_GETPID(), ss->fd )); |
2826 | 2961 |
2827 /* We need to free up the contexts, keys and certs ! */ | 2962 /* We need to free up the contexts, keys and certs ! */ |
2828 /* If we are really through with the old cipher spec | 2963 /* If we are really through with the old cipher spec |
2829 * (Both the read and write sides have changed) destroy it. | 2964 * (Both the read and write sides have changed) destroy it. |
2830 */ | 2965 */ |
2831 if (ss->ssl3.prSpec == ss->ssl3.pwSpec) { | 2966 if ( ss->ssl3.prSpec == ss->ssl3.pwSpec ) { |
2832 » ssl3_DestroyCipherSpec(ss->ssl3.pwSpec, PR_FALSE/*freeSrvName*/); | 2967 » if (!IS_DTLS(ss)) { |
2968 » ssl3_DestroyCipherSpec(ss->ssl3.pwSpec, PR_FALSE/*freeSrvName*/); | |
2969 » } else { | |
2970 » /* With DTLS, we need to set a holddown timer in case the final | |
2971 » message got lost */ | |
2972 » ss->ssl3.hs.rtTimeoutMs = DTLS_FINISHED_TIMER; | |
2973 » dtls_StartTimer(ss, dtls_FinishedTimerCb); | |
2974 » } | |
2833 } | 2975 } |
2834 ssl_ReleaseSpecWriteLock(ss); /**************************************/ | 2976 ssl_ReleaseSpecWriteLock(ss); /**************************************/ |
2835 | 2977 |
2836 return SECSuccess; | 2978 return SECSuccess; |
2837 } | 2979 } |
2838 | 2980 |
2839 /* Called from ssl3_HandleRecord. | 2981 /* Called from ssl3_HandleRecord. |
2840 ** Caller must hold both RecvBuf and Handshake locks. | 2982 ** Caller must hold both RecvBuf and Handshake locks. |
2841 * | 2983 * |
2842 * Acquires and releases spec write lock, to protect switching the current | 2984 * Acquires and releases spec write lock, to protect switching the current |
(...skipping 28 matching lines...) Expand all Loading... | |
2871 /* illegal_parameter is correct here for both SSL3 and TLS. */ | 3013 /* illegal_parameter is correct here for both SSL3 and TLS. */ |
2872 (void)ssl3_IllegalParameter(ss); | 3014 (void)ssl3_IllegalParameter(ss); |
2873 PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); | 3015 PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); |
2874 return SECFailure; | 3016 return SECFailure; |
2875 } | 3017 } |
2876 buf->len = 0; | 3018 buf->len = 0; |
2877 | 3019 |
2878 /* Swap the pending and current read specs. */ | 3020 /* Swap the pending and current read specs. */ |
2879 ssl_GetSpecWriteLock(ss); /*************************************/ | 3021 ssl_GetSpecWriteLock(ss); /*************************************/ |
2880 prSpec = ss->ssl3.prSpec; | 3022 prSpec = ss->ssl3.prSpec; |
2881 prSpec->read_seq_num.high = prSpec->read_seq_num.low = 0; | |
2882 | 3023 |
2883 ss->ssl3.prSpec = ss->ssl3.crSpec; | 3024 ss->ssl3.prSpec = ss->ssl3.crSpec; |
2884 ss->ssl3.crSpec = prSpec; | 3025 ss->ssl3.crSpec = prSpec; |
2885 | 3026 |
2886 if (ss->sec.isServer && | 3027 if (ss->sec.isServer && |
2887 ss->opt.requestCertificate && | 3028 ss->opt.requestCertificate && |
2888 ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { | 3029 ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { |
2889 ss->ssl3.hs.ws = wait_client_cert; | 3030 ss->ssl3.hs.ws = wait_client_cert; |
2890 } else { | 3031 } else { |
2891 ss->ssl3.hs.ws = wait_finished; | 3032 ss->ssl3.hs.ws = wait_finished; |
(...skipping 19 matching lines...) Expand all Loading... | |
2911 */ | 3052 */ |
2912 static SECStatus | 3053 static SECStatus |
2913 ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms) | 3054 ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms) |
2914 { | 3055 { |
2915 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec; | 3056 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec; |
2916 const ssl3KEADef *kea_def= ss->ssl3.hs.kea_def; | 3057 const ssl3KEADef *kea_def= ss->ssl3.hs.kea_def; |
2917 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random; | 3058 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random; |
2918 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random; | 3059 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random; |
2919 PRBool isTLS = (PRBool)(kea_def->tls_keygen || | 3060 PRBool isTLS = (PRBool)(kea_def->tls_keygen || |
2920 (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); | 3061 (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); |
3062 | |
2921 /* | 3063 /* |
2922 * Whenever isDH is true, we need to use CKM_TLS_MASTER_KEY_DERIVE_DH | 3064 * Whenever isDH is true, we need to use CKM_TLS_MASTER_KEY_DERIVE_DH |
2923 * which, unlike CKM_TLS_MASTER_KEY_DERIVE, converts arbitrary size | 3065 * which, unlike CKM_TLS_MASTER_KEY_DERIVE, converts arbitrary size |
2924 * data into a 48-byte value. | 3066 * data into a 48-byte value. |
2925 */ | 3067 */ |
2926 PRBool isDH = (PRBool) ((ss->ssl3.hs.kea_def->exchKeyType == kt_dh) || | 3068 PRBool isDH = (PRBool) ((ss->ssl3.hs.kea_def->exchKeyType == kt_dh) || |
2927 (ss->ssl3.hs.kea_def->exchKeyType == kt_ecdh)); | 3069 (ss->ssl3.hs.kea_def->exchKeyType == kt_ecdh)); |
2928 SECStatus rv = SECFailure; | 3070 SECStatus rv = SECFailure; |
2929 CK_MECHANISM_TYPE master_derive; | 3071 CK_MECHANISM_TYPE master_derive; |
2930 CK_MECHANISM_TYPE key_derive; | 3072 CK_MECHANISM_TYPE key_derive; |
(...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2973 ssl_PrintBuf(ss, "Pre-Master Secret", | 3115 ssl_PrintBuf(ss, "Pre-Master Secret", |
2974 keyData->data, keyData->len); | 3116 keyData->data, keyData->len); |
2975 } | 3117 } |
2976 } | 3118 } |
2977 } | 3119 } |
2978 #endif | 3120 #endif |
2979 pwSpec->master_secret = PK11_DeriveWithFlags(pms, master_derive, | 3121 pwSpec->master_secret = PK11_DeriveWithFlags(pms, master_derive, |
2980 ¶ms, key_derive, CKA_DERIVE, 0, keyFlags); | 3122 ¶ms, key_derive, CKA_DERIVE, 0, keyFlags); |
2981 if (!isDH && pwSpec->master_secret && ss->opt.detectRollBack) { | 3123 if (!isDH && pwSpec->master_secret && ss->opt.detectRollBack) { |
2982 SSL3ProtocolVersion client_version; | 3124 SSL3ProtocolVersion client_version; |
3125 | |
2983 client_version = pms_version.major << 8 | pms_version.minor; | 3126 client_version = pms_version.major << 8 | pms_version.minor; |
3127 | |
3128 if (IS_DTLS(ss)) { | |
3129 client_version = dtls_DTLSVersionToTLSVersion(client_version); | |
3130 } | |
3131 | |
2984 if (client_version != ss->clientHelloVersion) { | 3132 if (client_version != ss->clientHelloVersion) { |
2985 /* Destroy it. Version roll-back detected. */ | 3133 /* Destroy it. Version roll-back detected. */ |
2986 PK11_FreeSymKey(pwSpec->master_secret); | 3134 PK11_FreeSymKey(pwSpec->master_secret); |
2987 pwSpec->master_secret = NULL; | 3135 pwSpec->master_secret = NULL; |
2988 } | 3136 } |
2989 } | 3137 } |
2990 if (pwSpec->master_secret == NULL) { | 3138 if (pwSpec->master_secret == NULL) { |
2991 /* Generate a faux master secret in the same slot as the old one. */ | 3139 /* Generate a faux master secret in the same slot as the old one. */ |
2992 PK11SlotInfo * slot = PK11_GetSlotFromKey((PK11SymKey *)pms); | 3140 PK11SlotInfo * slot = PK11_GetSlotFromKey((PK11SymKey *)pms); |
2993 PK11SymKey * fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot); | 3141 PK11SymKey * fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot); |
(...skipping 404 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3398 SSL_TRC(60, ("data:")); | 3546 SSL_TRC(60, ("data:")); |
3399 rv = ssl3_AppendHandshake(ss, src, bytes); | 3547 rv = ssl3_AppendHandshake(ss, src, bytes); |
3400 return rv; /* error code set by AppendHandshake, if applicable. */ | 3548 return rv; /* error code set by AppendHandshake, if applicable. */ |
3401 } | 3549 } |
3402 | 3550 |
3403 SECStatus | 3551 SECStatus |
3404 ssl3_AppendHandshakeHeader(sslSocket *ss, SSL3HandshakeType t, PRUint32 length) | 3552 ssl3_AppendHandshakeHeader(sslSocket *ss, SSL3HandshakeType t, PRUint32 length) |
3405 { | 3553 { |
3406 SECStatus rv; | 3554 SECStatus rv; |
3407 | 3555 |
3556 /* If we already have a message in place, we need to enqueue it. | |
3557 This empties the buffer | |
3558 */ | |
3559 if (IS_DTLS(ss)) { | |
3560 rv = dtls_StageHandshakeMessage(ss); | |
3561 if (rv != SECSuccess) | |
3562 return rv; | |
3563 } | |
3564 | |
3408 SSL_TRC(30,("%d: SSL3[%d]: append handshake header: type %s", | 3565 SSL_TRC(30,("%d: SSL3[%d]: append handshake header: type %s", |
3409 SSL_GETPID(), ss->fd, ssl3_DecodeHandshakeType(t))); | 3566 SSL_GETPID(), ss->fd, ssl3_DecodeHandshakeType(t))); |
3410 PRINT_BUF(60, (ss, "MD5 handshake hash:", | 3567 PRINT_BUF(60, (ss, "MD5 handshake hash:", |
3411 (unsigned char*)ss->ssl3.hs.md5_cx, MD5_LENGTH)); | 3568 (unsigned char*)ss->ssl3.hs.md5_cx, MD5_LENGTH)); |
3412 PRINT_BUF(95, (ss, "SHA handshake hash:", | 3569 PRINT_BUF(95, (ss, "SHA handshake hash:", |
3413 (unsigned char*)ss->ssl3.hs.sha_cx, SHA1_LENGTH)); | 3570 (unsigned char*)ss->ssl3.hs.sha_cx, SHA1_LENGTH)); |
3414 | 3571 |
3415 rv = ssl3_AppendHandshakeNumber(ss, t, 1); | 3572 rv = ssl3_AppendHandshakeNumber(ss, t, 1); |
3416 if (rv != SECSuccess) { | 3573 if (rv != SECSuccess) { |
3417 return rv; /* error code set by AppendHandshake, if applicable. */ | 3574 return rv; /* error code set by AppendHandshake, if applicable. */ |
3418 } | 3575 } |
3419 rv = ssl3_AppendHandshakeNumber(ss, length, 3); | 3576 rv = ssl3_AppendHandshakeNumber(ss, length, 3); |
3577 if (rv != SECSuccess) { | |
3578 return rv; /* error code set by AppendHandshake, if applicable. */ | |
3579 } | |
3580 | |
3581 if (IS_DTLS(ss)) { | |
3582 /* Note that we make an unfragmented message here. We fragment in the | |
3583 transmission code, if necessary */ | |
3584 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.sendMessageSeq, 2); | |
3585 if (rv != SECSuccess) { | |
3586 return rv; /* error code set by AppendHandshake, if applicable. */ | |
3587 } | |
3588 ss->ssl3.hs.sendMessageSeq++; | |
3589 | |
3590 /* 0 is the fragment offset, because it's not fragmented yet */ | |
3591 rv = ssl3_AppendHandshakeNumber(ss, 0, 3); | |
3592 if (rv != SECSuccess) { | |
3593 return rv; /* error code set by AppendHandshake, if applicable. */ | |
3594 } | |
3595 | |
3596 /* Fragment length -- set to the packet length because not fragmented */ | |
3597 rv = ssl3_AppendHandshakeNumber(ss, length, 3); | |
3598 if (rv != SECSuccess) { | |
3599 return rv; /* error code set by AppendHandshake, if applicable. */ | |
3600 } | |
3601 } | |
3602 | |
3420 return rv; /* error code set by AppendHandshake, if applicable. */ | 3603 return rv; /* error code set by AppendHandshake, if applicable. */ |
3421 } | 3604 } |
3422 | 3605 |
3423 /************************************************************************** | 3606 /************************************************************************** |
3424 * Consume Handshake functions. | 3607 * Consume Handshake functions. |
3425 * | 3608 * |
3426 * All data used in these functions is protected by two locks, | 3609 * All data used in these functions is protected by two locks, |
3427 * the RecvBufLock and the SSL3HandshakeLock | 3610 * the RecvBufLock and the SSL3HandshakeLock |
3428 **************************************************************************/ | 3611 **************************************************************************/ |
3429 | 3612 |
(...skipping 386 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3816 } | 3999 } |
3817 | 4000 |
3818 /************************************************************************** | 4001 /************************************************************************** |
3819 * end of Handshake Hash functions. | 4002 * end of Handshake Hash functions. |
3820 * Begin Send and Handle functions for handshakes. | 4003 * Begin Send and Handle functions for handshakes. |
3821 **************************************************************************/ | 4004 **************************************************************************/ |
3822 | 4005 |
3823 /* Called from ssl3_HandleHelloRequest(), | 4006 /* Called from ssl3_HandleHelloRequest(), |
3824 * ssl3_RedoHandshake() | 4007 * ssl3_RedoHandshake() |
3825 * ssl2_BeginClientHandshake (when resuming ssl3 session) | 4008 * ssl2_BeginClientHandshake (when resuming ssl3 session) |
4009 * dtls_HandleHelloVerifyRequest(with resending=PR_TRUE) | |
4010 * | |
3826 */ | 4011 */ |
3827 SECStatus | 4012 SECStatus |
3828 ssl3_SendClientHello(sslSocket *ss) | 4013 ssl3_SendClientHello(sslSocket *ss, PRBool resending) |
3829 { | 4014 { |
3830 sslSessionID * sid; | 4015 sslSessionID * sid; |
3831 ssl3CipherSpec * cwSpec; | 4016 ssl3CipherSpec * cwSpec; |
3832 SECStatus rv; | 4017 SECStatus rv; |
3833 int i; | 4018 int i; |
3834 int length; | 4019 int length; |
3835 int num_suites; | 4020 int num_suites; |
3836 int actual_count = 0; | 4021 int actual_count = 0; |
3837 PRBool isTLS = PR_FALSE; | 4022 PRBool isTLS = PR_FALSE; |
3838 PRInt32 total_exten_len = 0; | 4023 PRInt32 total_exten_len = 0; |
3839 unsigned numCompressionMethods; | 4024 unsigned numCompressionMethods; |
3840 | 4025 |
3841 SSL_TRC(3, ("%d: SSL3[%d]: send client_hello handshake", SSL_GETPID(), | 4026 SSL_TRC(3, ("%d: SSL3[%d]: send client_hello handshake", SSL_GETPID(), |
3842 ss->fd)); | 4027 ss->fd)); |
3843 | 4028 |
3844 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 4029 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
3845 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); | 4030 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); |
3846 | 4031 |
3847 rv = ssl3_InitState(ss); | 4032 rv = ssl3_InitState(ss); |
3848 if (rv != SECSuccess) { | 4033 if (rv != SECSuccess) { |
3849 return rv; /* ssl3_InitState has set the error code. */ | 4034 return rv; /* ssl3_InitState has set the error code. */ |
3850 } | 4035 } |
3851 ss->ssl3.hs.sendingSCSV = PR_FALSE; /* Must be reset every handshake */ | 4036 ss->ssl3.hs.sendingSCSV = PR_FALSE; /* Must be reset every handshake */ |
3852 | 4037 PORT_Assert( IS_DTLS(ss) || !resending); |
4038 | |
3853 /* We might be starting a session renegotiation in which case we should | 4039 /* We might be starting a session renegotiation in which case we should |
3854 * clear previous state. | 4040 * clear previous state. |
3855 */ | 4041 */ |
3856 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); | 4042 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); |
3857 | 4043 |
3858 SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes", | 4044 SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes", |
3859 SSL_GETPID(), ss->fd )); | 4045 SSL_GETPID(), ss->fd )); |
3860 rv = ssl3_RestartHandshakeHashes(ss); | 4046 rv = ssl3_RestartHandshakeHashes(ss); |
3861 if (rv != SECSuccess) { | 4047 if (rv != SECSuccess) { |
3862 return rv; | 4048 return rv; |
(...skipping 54 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3917 if (!sidOK) { | 4103 if (!sidOK) { |
3918 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_not_ok ); | 4104 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_not_ok ); |
3919 (*ss->sec.uncache)(sid); | 4105 (*ss->sec.uncache)(sid); |
3920 ssl_FreeSID(sid); | 4106 ssl_FreeSID(sid); |
3921 sid = NULL; | 4107 sid = NULL; |
3922 } | 4108 } |
3923 } | 4109 } |
3924 | 4110 |
3925 if (sid) { | 4111 if (sid) { |
3926 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_hits ); | 4112 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_hits ); |
3927 | 4113 » /* Are we attempting a stateless session resume? */ |
3928 » /* Are we attempting a stateless session resume? */ | |
3929 if (sid->version > SSL_LIBRARY_VERSION_3_0 && | 4114 if (sid->version > SSL_LIBRARY_VERSION_3_0 && |
3930 sid->u.ssl3.sessionTicket.ticket.data) | 4115 sid->u.ssl3.sessionTicket.ticket.data) |
3931 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_stateless_resumes ); | 4116 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_stateless_resumes ); |
3932 | 4117 |
3933 PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID, | 4118 PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID, |
3934 sid->u.ssl3.sessionIDLength)); | 4119 sid->u.ssl3.sessionIDLength)); |
3935 | 4120 |
3936 ss->ssl3.policy = sid->u.ssl3.policy; | 4121 ss->ssl3.policy = sid->u.ssl3.policy; |
3937 } else { | 4122 } else { |
3938 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_misses ); | 4123 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_misses ); |
(...skipping 62 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
4001 total_exten_len += 2; | 4186 total_exten_len += 2; |
4002 } | 4187 } |
4003 | 4188 |
4004 #if defined(NSS_ENABLE_ECC) && !defined(NSS_ECC_MORE_THAN_SUITE_B) | 4189 #if defined(NSS_ENABLE_ECC) && !defined(NSS_ECC_MORE_THAN_SUITE_B) |
4005 if (!total_exten_len || !isTLS) { | 4190 if (!total_exten_len || !isTLS) { |
4006 /* not sending the elliptic_curves and ec_point_formats extensions */ | 4191 /* not sending the elliptic_curves and ec_point_formats extensions */ |
4007 ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */ | 4192 ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */ |
4008 } | 4193 } |
4009 #endif | 4194 #endif |
4010 | 4195 |
4196 if (IS_DTLS(ss)) { | |
4197 ssl3_DisableNonDTLSSuites(ss); | |
4198 } | |
4199 | |
4011 /* how many suites are permitted by policy and user preference? */ | 4200 /* how many suites are permitted by policy and user preference? */ |
4012 num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE); | 4201 num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE); |
4013 if (!num_suites) | 4202 if (!num_suites) |
4014 return SECFailure; /* count_cipher_suites has set error code. */ | 4203 return SECFailure; /* count_cipher_suites has set error code. */ |
4015 if (ss->ssl3.hs.sendingSCSV) { | 4204 if (ss->ssl3.hs.sendingSCSV) { |
4016 ++num_suites; /* make room for SCSV */ | 4205 ++num_suites; /* make room for SCSV */ |
4017 } | 4206 } |
4018 | 4207 |
4019 /* count compression methods */ | 4208 /* count compression methods */ |
4020 numCompressionMethods = 0; | 4209 numCompressionMethods = 0; |
4021 for (i = 0; i < compressionMethodsCount; i++) { | 4210 for (i = 0; i < compressionMethodsCount; i++) { |
4022 if (compressionEnabled(ss, compressions[i])) | 4211 if (compressionEnabled(ss, compressions[i])) |
4023 numCompressionMethods++; | 4212 numCompressionMethods++; |
4024 } | 4213 } |
4025 | 4214 |
4026 length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH + | 4215 length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH + |
4027 1 + ((sid == NULL) ? 0 : sid->u.ssl3.sessionIDLength) + | 4216 1 + ((sid == NULL) ? 0 : sid->u.ssl3.sessionIDLength) + |
4028 2 + num_suites*sizeof(ssl3CipherSuite) + | 4217 2 + num_suites*sizeof(ssl3CipherSuite) + |
4029 1 + numCompressionMethods + total_exten_len; | 4218 1 + numCompressionMethods + total_exten_len; |
4219 if (IS_DTLS(ss)) { | |
4220 length += 1 + ss->ssl3.hs.cookieLen; | |
4221 } | |
4030 | 4222 |
4031 rv = ssl3_AppendHandshakeHeader(ss, client_hello, length); | 4223 rv = ssl3_AppendHandshakeHeader(ss, client_hello, length); |
4032 if (rv != SECSuccess) { | 4224 if (rv != SECSuccess) { |
4033 return rv; /* err set by ssl3_AppendHandshake* */ | 4225 return rv; /* err set by ssl3_AppendHandshake* */ |
4034 } | 4226 } |
4035 | 4227 |
4036 ss->clientHelloVersion = ss->version; | 4228 ss->clientHelloVersion = ss->version; |
4037 rv = ssl3_AppendHandshakeNumber(ss, ss->clientHelloVersion, 2); | 4229 if (IS_DTLS(ss)) { |
4230 /* One's complement */ | |
4231 PRUint16 version; | |
4232 | |
4233 version = dtls_TLSVersionToDTLSVersion(ss->clientHelloVersion); | |
4234 » rv = ssl3_AppendHandshakeNumber(ss,(unsigned short) | |
4235 » » » » » version, 2); | |
4236 } else { | |
4237 » rv = ssl3_AppendHandshakeNumber(ss, ss->clientHelloVersion, 2); | |
4238 } | |
4038 if (rv != SECSuccess) { | 4239 if (rv != SECSuccess) { |
4039 return rv; /* err set by ssl3_AppendHandshake* */ | 4240 return rv; /* err set by ssl3_AppendHandshake* */ |
4040 } | 4241 } |
4041 rv = ssl3_GetNewRandom(&ss->ssl3.hs.client_random); | 4242 |
4042 if (rv != SECSuccess) { | 4243 if (!resending) { /* Don't re-generate if we are in DTLS re-sending mode */ |
4043 » return rv;» /* err set by GetNewRandom. */ | 4244 » rv = ssl3_GetNewRandom(&ss->ssl3.hs.client_random); |
4245 » if (rv != SECSuccess) { | |
4246 » return rv;» /* err set by GetNewRandom. */ | |
4247 » } | |
4044 } | 4248 } |
4045 rv = ssl3_AppendHandshake(ss, &ss->ssl3.hs.client_random, | 4249 rv = ssl3_AppendHandshake(ss, &ss->ssl3.hs.client_random, |
4046 SSL3_RANDOM_LENGTH); | 4250 SSL3_RANDOM_LENGTH); |
4047 if (rv != SECSuccess) { | 4251 if (rv != SECSuccess) { |
4048 return rv; /* err set by ssl3_AppendHandshake* */ | 4252 return rv; /* err set by ssl3_AppendHandshake* */ |
4049 } | 4253 } |
4050 | 4254 |
4051 if (sid) | 4255 if (sid) |
4052 rv = ssl3_AppendHandshakeVariable( | 4256 rv = ssl3_AppendHandshakeVariable( |
4053 ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1); | 4257 ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1); |
4054 else | 4258 else |
4055 rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); | 4259 rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); |
4056 if (rv != SECSuccess) { | 4260 if (rv != SECSuccess) { |
4057 return rv; /* err set by ssl3_AppendHandshake* */ | 4261 return rv; /* err set by ssl3_AppendHandshake* */ |
4058 } | 4262 } |
4059 | 4263 |
4264 if (IS_DTLS(ss)) { | |
4265 rv = ssl3_AppendHandshakeVariable( | |
4266 ss, ss->ssl3.hs.cookie, ss->ssl3.hs.cookieLen, 1); | |
4267 } | |
4268 if (rv != SECSuccess) { | |
4269 return rv; /* err set by ssl3_AppendHandshake* */ | |
4270 } | |
4271 | |
4060 rv = ssl3_AppendHandshakeNumber(ss, num_suites*sizeof(ssl3CipherSuite), 2); | 4272 rv = ssl3_AppendHandshakeNumber(ss, num_suites*sizeof(ssl3CipherSuite), 2); |
4061 if (rv != SECSuccess) { | 4273 if (rv != SECSuccess) { |
4062 return rv; /* err set by ssl3_AppendHandshake* */ | 4274 return rv; /* err set by ssl3_AppendHandshake* */ |
4063 } | 4275 } |
4064 | 4276 |
4065 if (ss->ssl3.hs.sendingSCSV) { | 4277 if (ss->ssl3.hs.sendingSCSV) { |
4066 /* Add the actual SCSV */ | 4278 /* Add the actual SCSV */ |
4067 rv = ssl3_AppendHandshakeNumber(ss, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, | 4279 rv = ssl3_AppendHandshakeNumber(ss, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, |
4068 sizeof(ssl3CipherSuite)); | 4280 sizeof(ssl3CipherSuite)); |
4069 if (rv != SECSuccess) { | 4281 if (rv != SECSuccess) { |
(...skipping 103 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
4173 PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED); | 4385 PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED); |
4174 return SECFailure; | 4386 return SECFailure; |
4175 } | 4387 } |
4176 | 4388 |
4177 if (sid) { | 4389 if (sid) { |
4178 ss->sec.uncache(sid); | 4390 ss->sec.uncache(sid); |
4179 ssl_FreeSID(sid); | 4391 ssl_FreeSID(sid); |
4180 ss->sec.ci.sid = NULL; | 4392 ss->sec.ci.sid = NULL; |
4181 } | 4393 } |
4182 | 4394 |
4395 if (IS_DTLS(ss)) { | |
4396 dtls_RehandshakeCleanup(ss); | |
4397 } | |
4398 | |
4183 ssl_GetXmitBufLock(ss); | 4399 ssl_GetXmitBufLock(ss); |
4184 rv = ssl3_SendClientHello(ss); | 4400 rv = ssl3_SendClientHello(ss, PR_FALSE); |
4185 ssl_ReleaseXmitBufLock(ss); | 4401 ssl_ReleaseXmitBufLock(ss); |
4186 | 4402 |
4187 return rv; | 4403 return rv; |
4188 } | 4404 } |
4189 | 4405 |
4190 #define UNKNOWN_WRAP_MECHANISM 0x7fffffff | 4406 #define UNKNOWN_WRAP_MECHANISM 0x7fffffff |
4191 | 4407 |
4192 static const CK_MECHANISM_TYPE wrapMechanismList[SSL_NUM_WRAP_MECHS] = { | 4408 static const CK_MECHANISM_TYPE wrapMechanismList[SSL_NUM_WRAP_MECHS] = { |
4193 CKM_DES3_ECB, | 4409 CKM_DES3_ECB, |
4194 CKM_CAST5_ECB, | 4410 CKM_CAST5_ECB, |
(...skipping 832 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
5027 if (ss->ssl3.platformClientKey) { | 5243 if (ss->ssl3.platformClientKey) { |
5028 ssl_FreePlatformKey(ss->ssl3.platformClientKey); | 5244 ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
5029 ss->ssl3.platformClientKey = (PlatformKey)NULL; | 5245 ss->ssl3.platformClientKey = (PlatformKey)NULL; |
5030 } | 5246 } |
5031 #endif /* NSS_PLATFORM_CLIENT_AUTH */ | 5247 #endif /* NSS_PLATFORM_CLIENT_AUTH */ |
5032 | 5248 |
5033 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); | 5249 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); |
5034 if (temp < 0) { | 5250 if (temp < 0) { |
5035 goto loser; /* alert has been sent */ | 5251 goto loser; /* alert has been sent */ |
5036 } | 5252 } |
5037 version = (SSL3ProtocolVersion)temp; | 5253 |
5254 if (!IS_DTLS(ss)) { | |
5255 » /* this is appropriate since the negotiation is complete, and we only | |
5256 » ** know SSL 3.x. | |
5257 » */ | |
5258 version = (SSL3ProtocolVersion)temp; | |
5259 if (MSB(version) != MSB(SSL_LIBRARY_VERSION_3_0)) { | |
5260 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version | |
5261 : handshake_failure; | |
5262 goto alert_loser; | |
5263 } | |
5264 } else { | |
5265 » /* RFC 4347 required that you verify that the server versions | |
5266 » match (S 4.2.1) in the HelloVerifyRequest and the ServerHello | |
5038 | 5267 |
5268 RFC 6347 suggests (SHOULD) that servers always use 1.0 | |
5269 in HelloVerifyRequest and allows the versions not to match, | |
5270 esp. when 1.2 is being negotiated. | |
5271 | |
5272 Therefore we do not check for matching here. | |
5273 */ | |
5274 version = dtls_DTLSVersionToTLSVersion(temp); | |
5275 if (version == 0) /* Insane version number */ | |
5276 goto alert_loser; | |
5277 } | |
5039 rv = ssl3_NegotiateVersion(ss, version, PR_FALSE); | 5278 rv = ssl3_NegotiateVersion(ss, version, PR_FALSE); |
5040 if (rv != SECSuccess) { | 5279 if (rv != SECSuccess) { |
5041 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version | 5280 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version |
5042 : handshake_failure; | 5281 : handshake_failure; |
5043 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; | 5282 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; |
5044 goto alert_loser; | 5283 goto alert_loser; |
5045 } | 5284 } |
5046 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0); | 5285 isTLS = ss->version > SSL_LIBRARY_VERSION_3_0; |
5047 | 5286 |
5048 rv = ssl3_ConsumeHandshake( | 5287 rv = ssl3_ConsumeHandshake( |
5049 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH, &b, &length); | 5288 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH, &b, &length); |
5050 if (rv != SECSuccess) { | 5289 if (rv != SECSuccess) { |
5051 goto loser; /* alert has been sent */ | 5290 goto loser; /* alert has been sent */ |
5052 } | 5291 } |
5053 | 5292 |
5054 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length); | 5293 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length); |
5055 if (rv != SECSuccess) { | 5294 if (rv != SECSuccess) { |
5056 goto loser; /* alert has been sent */ | 5295 goto loser; /* alert has been sent */ |
(...skipping 201 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
5258 ss->ssl3.hs.ws = wait_change_cipher; | 5497 ss->ssl3.hs.ws = wait_change_cipher; |
5259 | 5498 |
5260 ss->ssl3.hs.isResuming = PR_TRUE; | 5499 ss->ssl3.hs.isResuming = PR_TRUE; |
5261 | 5500 |
5262 /* copy the peer cert from the SID */ | 5501 /* copy the peer cert from the SID */ |
5263 if (sid->peerCert != NULL) { | 5502 if (sid->peerCert != NULL) { |
5264 ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); | 5503 ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); |
5265 ssl3_CopyPeerCertsFromSID(ss, sid); | 5504 ssl3_CopyPeerCertsFromSID(ss, sid); |
5266 } | 5505 } |
5267 | 5506 |
5268 | |
5269 /* NULL value for PMS signifies re-use of the old MS */ | 5507 /* NULL value for PMS signifies re-use of the old MS */ |
5270 rv = ssl3_InitPendingCipherSpec(ss, NULL); | 5508 rv = ssl3_InitPendingCipherSpec(ss, NULL); |
5271 if (rv != SECSuccess) { | 5509 if (rv != SECSuccess) { |
5272 goto alert_loser; /* err code was set */ | 5510 goto alert_loser; /* err code was set */ |
5273 } | 5511 } |
5274 return SECSuccess; | 5512 return SECSuccess; |
5275 } while (0); | 5513 } while (0); |
5276 | 5514 |
5277 if (sid_match) | 5515 if (sid_match) |
5278 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_not_ok ); | 5516 SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_not_ok ); |
(...skipping 624 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
5903 * Caller must hold Handshake and RecvBuf locks. | 6141 * Caller must hold Handshake and RecvBuf locks. |
5904 */ | 6142 */ |
5905 static SECStatus | 6143 static SECStatus |
5906 ssl3_HandleServerHelloDone(sslSocket *ss) | 6144 ssl3_HandleServerHelloDone(sslSocket *ss) |
5907 { | 6145 { |
5908 SECStatus rv; | 6146 SECStatus rv; |
5909 SSL3WaitState ws = ss->ssl3.hs.ws; | 6147 SSL3WaitState ws = ss->ssl3.hs.ws; |
5910 | 6148 |
5911 SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello_done handshake", | 6149 SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello_done handshake", |
5912 SSL_GETPID(), ss->fd)); | 6150 SSL_GETPID(), ss->fd)); |
6151 | |
5913 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 6152 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
5914 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 6153 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
5915 | 6154 |
5916 if (ws != wait_hello_done && | 6155 if (ws != wait_hello_done && |
5917 ws != wait_server_cert && | 6156 ws != wait_server_cert && |
5918 ws != wait_server_key && | 6157 ws != wait_server_key && |
5919 ws != wait_cert_request) { | 6158 ws != wait_cert_request) { |
5920 SSL3_SendAlert(ss, alert_fatal, unexpected_message); | 6159 SSL3_SendAlert(ss, alert_fatal, unexpected_message); |
5921 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE); | 6160 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE); |
5922 return SECFailure; | 6161 return SECFailure; |
(...skipping 334 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
6257 sslSessionID * sid = NULL; | 6496 sslSessionID * sid = NULL; |
6258 PRInt32 tmp; | 6497 PRInt32 tmp; |
6259 unsigned int i; | 6498 unsigned int i; |
6260 int j; | 6499 int j; |
6261 SECStatus rv; | 6500 SECStatus rv; |
6262 int errCode = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO; | 6501 int errCode = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO; |
6263 SSL3AlertDescription desc = illegal_parameter; | 6502 SSL3AlertDescription desc = illegal_parameter; |
6264 SSL3AlertLevel level = alert_fatal; | 6503 SSL3AlertLevel level = alert_fatal; |
6265 SSL3ProtocolVersion version; | 6504 SSL3ProtocolVersion version; |
6266 SECItem sidBytes = {siBuffer, NULL, 0}; | 6505 SECItem sidBytes = {siBuffer, NULL, 0}; |
6506 SECItem cookieBytes = {siBuffer, NULL, 0}; | |
6267 SECItem suites = {siBuffer, NULL, 0}; | 6507 SECItem suites = {siBuffer, NULL, 0}; |
6268 SECItem comps = {siBuffer, NULL, 0}; | 6508 SECItem comps = {siBuffer, NULL, 0}; |
6269 PRBool haveSpecWriteLock = PR_FALSE; | 6509 PRBool haveSpecWriteLock = PR_FALSE; |
6270 PRBool haveXmitBufLock = PR_FALSE; | 6510 PRBool haveXmitBufLock = PR_FALSE; |
6271 | 6511 |
6272 SSL_TRC(3, ("%d: SSL3[%d]: handle client_hello handshake", | 6512 SSL_TRC(3, ("%d: SSL3[%d]: handle client_hello handshake", |
6273 SSL_GETPID(), ss->fd)); | 6513 SSL_GETPID(), ss->fd)); |
6274 | 6514 |
6275 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 6515 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
6276 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 6516 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
6277 | 6517 |
6278 /* Get peer name of client */ | 6518 /* Get peer name of client */ |
6279 rv = ssl_GetPeerInfo(ss); | 6519 rv = ssl_GetPeerInfo(ss); |
6280 if (rv != SECSuccess) { | 6520 if (rv != SECSuccess) { |
6281 return rv; /* error code is set. */ | 6521 return rv; /* error code is set. */ |
6282 } | 6522 } |
6283 | 6523 |
6524 /* Clearing the handshake pointers so that | |
6525 * ssl_Do1stHandshake won't call ssl2_HandleMessage. | |
6526 * | |
6527 * The issue here is that TLS ordinarily starts out | |
6528 * in ssl2_HandleV3HandshakeRecord() because of the | |
6529 * backward-compatibility code paths. That function | |
6530 * zeroes these next pointers. But with DTLS, we | |
6531 * don't even try to do the v2 ClientHello so we | |
6532 * skip that function and need to reset these | |
6533 * values here. | |
6534 */ | |
6535 ss->nextHandshake = NULL; | |
6536 ss->securityHandshake = NULL; | |
6537 | |
6284 /* We might be starting session renegotiation in which case we should | 6538 /* We might be starting session renegotiation in which case we should |
6285 * clear previous state. | 6539 * clear previous state. |
6286 */ | 6540 */ |
6287 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); | 6541 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); |
6288 ss->statelessResume = PR_FALSE; | 6542 ss->statelessResume = PR_FALSE; |
6289 | 6543 |
6290 rv = ssl3_InitState(ss); | 6544 rv = ssl3_InitState(ss); |
6291 if (rv != SECSuccess) { | 6545 if (rv != SECSuccess) { |
6292 return rv; /* ssl3_InitState has set the error code. */ | 6546 return rv; /* ssl3_InitState has set the error code. */ |
6293 } | 6547 } |
6294 | 6548 |
6295 if ((ss->ssl3.hs.ws != wait_client_hello) && | 6549 if ((ss->ssl3.hs.ws != wait_client_hello) && |
6296 (ss->ssl3.hs.ws != idle_handshake)) { | 6550 (ss->ssl3.hs.ws != idle_handshake)) { |
6297 desc = unexpected_message; | 6551 desc = unexpected_message; |
6298 errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO; | 6552 errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO; |
6299 goto alert_loser; | 6553 goto alert_loser; |
6300 } | 6554 } |
6301 if (ss->ssl3.hs.ws == idle_handshake && | 6555 if (ss->ssl3.hs.ws == idle_handshake && |
6302 ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) { | 6556 ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) { |
6303 desc = no_renegotiation; | 6557 desc = no_renegotiation; |
6304 level = alert_warning; | 6558 level = alert_warning; |
6305 errCode = SSL_ERROR_RENEGOTIATION_NOT_ALLOWED; | 6559 errCode = SSL_ERROR_RENEGOTIATION_NOT_ALLOWED; |
6306 goto alert_loser; | 6560 goto alert_loser; |
6307 } | 6561 } |
6308 | 6562 |
6563 if (IS_DTLS(ss)) { | |
6564 dtls_RehandshakeCleanup(ss); | |
6565 } | |
6566 | |
6309 tmp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); | 6567 tmp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); |
6310 if (tmp < 0) | 6568 if (tmp < 0) |
6311 goto loser; /* malformed, alert already sent */ | 6569 goto loser; /* malformed, alert already sent */ |
6312 ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp; | 6570 |
6571 /* Translate the version */ | |
6572 if (IS_DTLS(ss)) { | |
6573 ss->clientHelloVersion = version = | |
6574 dtls_DTLSVersionToTLSVersion((SSL3ProtocolVersion)tmp); | |
6575 } | |
6576 else { | |
6577 ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp; | |
6578 } | |
6579 | |
6313 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE); | 6580 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE); |
6581 | |
6314 if (rv != SECSuccess) { | 6582 if (rv != SECSuccess) { |
6315 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version | 6583 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version |
6316 : handshake_failure; | 6584 : handshake_failure; |
6317 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; | 6585 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; |
6318 goto alert_loser; | 6586 goto alert_loser; |
6319 } | 6587 } |
6320 | 6588 |
6321 /* grab the client random data. */ | 6589 /* grab the client random data. */ |
6322 rv = ssl3_ConsumeHandshake( | 6590 rv = ssl3_ConsumeHandshake( |
6323 ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length); | 6591 ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length); |
6324 if (rv != SECSuccess) { | 6592 if (rv != SECSuccess) { |
6325 goto loser; /* malformed */ | 6593 goto loser; /* malformed */ |
6326 } | 6594 } |
6327 | 6595 |
6328 /* grab the client's SID, if present. */ | 6596 /* grab the client's SID, if present. */ |
6329 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length); | 6597 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length); |
6330 if (rv != SECSuccess) { | 6598 if (rv != SECSuccess) { |
6331 goto loser; /* malformed */ | 6599 goto loser; /* malformed */ |
6332 } | 6600 } |
6333 | 6601 |
6602 /* grab the client's cookie, if present. */ | |
6603 if (IS_DTLS(ss)) { | |
6604 rv = ssl3_ConsumeHandshakeVariable(ss, &cookieBytes, 1, &b, &length); | |
6605 if (rv != SECSuccess) { | |
6606 goto loser; /* malformed */ | |
6607 } | |
6608 } | |
6609 | |
6334 /* grab the list of cipher suites. */ | 6610 /* grab the list of cipher suites. */ |
6335 rv = ssl3_ConsumeHandshakeVariable(ss, &suites, 2, &b, &length); | 6611 rv = ssl3_ConsumeHandshakeVariable(ss, &suites, 2, &b, &length); |
6336 if (rv != SECSuccess) { | 6612 if (rv != SECSuccess) { |
6337 goto loser; /* malformed */ | 6613 goto loser; /* malformed */ |
6338 } | 6614 } |
6339 | 6615 |
6340 /* grab the list of compression methods. */ | 6616 /* grab the list of compression methods. */ |
6341 rv = ssl3_ConsumeHandshakeVariable(ss, &comps, 1, &b, &length); | 6617 rv = ssl3_ConsumeHandshakeVariable(ss, &comps, 1, &b, &length); |
6342 if (rv != SECSuccess) { | 6618 if (rv != SECSuccess) { |
6343 goto loser; /* malformed */ | 6619 goto loser; /* malformed */ |
(...skipping 128 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
6472 ssl_FreeSID(sid); | 6748 ssl_FreeSID(sid); |
6473 sid = NULL; | 6749 sid = NULL; |
6474 } | 6750 } |
6475 } | 6751 } |
6476 | 6752 |
6477 #ifdef NSS_ENABLE_ECC | 6753 #ifdef NSS_ENABLE_ECC |
6478 /* Disable any ECC cipher suites for which we have no cert. */ | 6754 /* Disable any ECC cipher suites for which we have no cert. */ |
6479 ssl3_FilterECCipherSuitesByServerCerts(ss); | 6755 ssl3_FilterECCipherSuitesByServerCerts(ss); |
6480 #endif | 6756 #endif |
6481 | 6757 |
6758 if (IS_DTLS(ss)) { | |
6759 ssl3_DisableNonDTLSSuites(ss); | |
6760 } | |
6761 | |
6482 #ifdef PARANOID | 6762 #ifdef PARANOID |
6483 /* Look for a matching cipher suite. */ | 6763 /* Look for a matching cipher suite. */ |
6484 j = ssl3_config_match_init(ss); | 6764 j = ssl3_config_match_init(ss); |
6485 if (j <= 0) { /* no ciphers are working/supported by PK11 */ | 6765 if (j <= 0) { /* no ciphers are working/supported by PK11 */ |
6486 errCode = PORT_GetError(); /* error code is already set. */ | 6766 errCode = PORT_GetError(); /* error code is already set. */ |
6487 goto alert_loser; | 6767 goto alert_loser; |
6488 } | 6768 } |
6489 #endif | 6769 #endif |
6490 | 6770 |
6491 /* If we already have a session for this client, be sure to pick the | 6771 /* If we already have a session for this client, be sure to pick the |
(...skipping 63 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
6555 #endif | 6835 #endif |
6556 | 6836 |
6557 /* Select a cipher suite. | 6837 /* Select a cipher suite. |
6558 ** NOTE: This suite selection algorithm should be the same as the one in | 6838 ** NOTE: This suite selection algorithm should be the same as the one in |
6559 ** ssl3_HandleV2ClientHello(). | 6839 ** ssl3_HandleV2ClientHello(). |
6560 */ | 6840 */ |
6561 for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) { | 6841 for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) { |
6562 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j]; | 6842 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j]; |
6563 if (!config_match(suite, ss->ssl3.policy, PR_TRUE)) | 6843 if (!config_match(suite, ss->ssl3.policy, PR_TRUE)) |
6564 continue; | 6844 continue; |
6845 | |
6565 for (i = 0; i + 1 < suites.len; i += 2) { | 6846 for (i = 0; i + 1 < suites.len; i += 2) { |
6566 PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1]; | 6847 PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1]; |
6567 if (suite_i == suite->cipher_suite) { | 6848 if (suite_i == suite->cipher_suite) { |
6568 ss->ssl3.hs.cipher_suite = suite->cipher_suite; | 6849 ss->ssl3.hs.cipher_suite = suite->cipher_suite; |
6569 ss->ssl3.hs.suite_def = | 6850 ss->ssl3.hs.suite_def = |
6570 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite); | 6851 ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite); |
6571 goto suite_found; | 6852 goto suite_found; |
6572 } | 6853 } |
6573 } | 6854 } |
6574 } | 6855 } |
(...skipping 584 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
7159 ** ssl3_SendServerHelloSequence <- ssl3_HandleV2ClientHello (new session) | 7440 ** ssl3_SendServerHelloSequence <- ssl3_HandleV2ClientHello (new session) |
7160 */ | 7441 */ |
7161 static SECStatus | 7442 static SECStatus |
7162 ssl3_SendServerHello(sslSocket *ss) | 7443 ssl3_SendServerHello(sslSocket *ss) |
7163 { | 7444 { |
7164 sslSessionID *sid; | 7445 sslSessionID *sid; |
7165 SECStatus rv; | 7446 SECStatus rv; |
7166 PRUint32 maxBytes = 65535; | 7447 PRUint32 maxBytes = 65535; |
7167 PRUint32 length; | 7448 PRUint32 length; |
7168 PRInt32 extensions_len = 0; | 7449 PRInt32 extensions_len = 0; |
7450 SSL3ProtocolVersion version; | |
7169 | 7451 |
7170 SSL_TRC(3, ("%d: SSL3[%d]: send server_hello handshake", SSL_GETPID(), | 7452 SSL_TRC(3, ("%d: SSL3[%d]: send server_hello handshake", SSL_GETPID(), |
7171 ss->fd)); | 7453 ss->fd)); |
7172 | 7454 |
7173 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); | 7455 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
7174 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 7456 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
7175 PORT_Assert( MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0)); | |
7176 | 7457 |
7177 if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) { | 7458 |
7178 » PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP); | 7459 if (!IS_DTLS(ss)) { |
7179 » return SECFailure; | 7460 » PORT_Assert( MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0)); |
7461 | |
7462 » if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) { | |
7463 » PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP); | |
7464 » return SECFailure; | |
7465 » } | |
7466 } else { | |
7467 » PORT_Assert(MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_DTLS_1_0)); | |
7468 | |
7469 » if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_DTLS_1_0)) { | |
7470 » PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP); | |
7471 » return SECFailure; | |
7472 » } | |
7180 } | 7473 } |
7181 | 7474 |
7182 sid = ss->sec.ci.sid; | 7475 sid = ss->sec.ci.sid; |
7183 | 7476 |
7184 extensions_len = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes, | 7477 extensions_len = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes, |
7185 &ss->xtnData.serverSenders[0]); | 7478 &ss->xtnData.serverSenders[0]); |
7186 if (extensions_len > 0) | 7479 if (extensions_len > 0) |
7187 extensions_len += 2; /* Add sizeof total extension length */ | 7480 extensions_len += 2; /* Add sizeof total extension length */ |
7188 | 7481 |
7189 length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH + 1 + | 7482 length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH + 1 + |
7190 ((sid == NULL) ? 0: sid->u.ssl3.sessionIDLength) + | 7483 ((sid == NULL) ? 0: sid->u.ssl3.sessionIDLength) + |
7191 sizeof(ssl3CipherSuite) + 1 + extensions_len; | 7484 sizeof(ssl3CipherSuite) + 1 + extensions_len; |
7192 rv = ssl3_AppendHandshakeHeader(ss, server_hello, length); | 7485 rv = ssl3_AppendHandshakeHeader(ss, server_hello, length); |
7193 if (rv != SECSuccess) { | 7486 if (rv != SECSuccess) { |
7194 return rv; /* err set by AppendHandshake. */ | 7487 return rv; /* err set by AppendHandshake. */ |
7195 } | 7488 } |
7196 | 7489 |
7197 rv = ssl3_AppendHandshakeNumber(ss, ss->version, 2); | 7490 if (IS_DTLS(ss)) { |
7491 version = dtls_TLSVersionToDTLSVersion(ss->version); | |
7492 } | |
7493 else { | |
7494 version = ss->version; | |
7495 } | |
7496 | |
7497 rv = ssl3_AppendHandshakeNumber(ss, version, 2); | |
7198 if (rv != SECSuccess) { | 7498 if (rv != SECSuccess) { |
7199 return rv; /* err set by AppendHandshake. */ | 7499 return rv; /* err set by AppendHandshake. */ |
7200 } | 7500 } |
7201 rv = ssl3_GetNewRandom(&ss->ssl3.hs.server_random); | 7501 rv = ssl3_GetNewRandom(&ss->ssl3.hs.server_random); |
7202 if (rv != SECSuccess) { | 7502 if (rv != SECSuccess) { |
7203 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE); | 7503 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE); |
7204 return rv; | 7504 return rv; |
7205 } | 7505 } |
7206 rv = ssl3_AppendHandshake( | 7506 rv = ssl3_AppendHandshake( |
7207 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH); | 7507 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH); |
(...skipping 164 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
7372 ca_list = ss->ssl3.ca_list; | 7672 ca_list = ss->ssl3.ca_list; |
7373 if (!ca_list) { | 7673 if (!ca_list) { |
7374 ca_list = ssl3_server_ca_list; | 7674 ca_list = ssl3_server_ca_list; |
7375 } | 7675 } |
7376 | 7676 |
7377 if (ca_list != NULL) { | 7677 if (ca_list != NULL) { |
7378 names = ca_list->names; | 7678 names = ca_list->names; |
7379 nnames = ca_list->nnames; | 7679 nnames = ca_list->nnames; |
7380 } | 7680 } |
7381 | 7681 |
7382 if (!nnames) { | 7682 /* There used to be a test here to require a CA, but there |
7383 » PORT_SetError(SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA); | 7683 are cases where you want to have no CAs offered. */ |
wtc
2012/03/21 01:22:07
Are you sure this is good practice?
ekr
2012/03/21 01:36:40
So, it's explicitly permitted by RFC 5246, and it'
| |
7384 » return SECFailure; | |
7385 } | |
7386 | |
7387 for (i = 0, name = names; i < nnames; i++, name++) { | 7684 for (i = 0, name = names; i < nnames; i++, name++) { |
7388 calen += 2 + name->len; | 7685 calen += 2 + name->len; |
7389 } | 7686 } |
7390 | 7687 |
7391 certTypes = certificate_types; | 7688 certTypes = certificate_types; |
7392 certTypesLength = sizeof certificate_types; | 7689 certTypesLength = sizeof certificate_types; |
7393 | 7690 |
7394 length = 1 + certTypesLength + 2 + calen; | 7691 length = 1 + certTypesLength + 2 + calen; |
7395 | 7692 |
7396 rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length); | 7693 rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length); |
(...skipping 147 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
7544 /* can't find a slot with all three, find a slot with the minimum */ | 7841 /* can't find a slot with all three, find a slot with the minimum */ |
7545 slot = PK11_GetBestSlotMultiple(mechanism_array, 2, pwArg); | 7842 slot = PK11_GetBestSlotMultiple(mechanism_array, 2, pwArg); |
7546 if (slot == NULL) { | 7843 if (slot == NULL) { |
7547 PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND); | 7844 PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND); |
7548 return pms; /* which is NULL */ | 7845 return pms; /* which is NULL */ |
7549 } | 7846 } |
7550 } | 7847 } |
7551 } | 7848 } |
7552 | 7849 |
7553 /* Generate the pre-master secret ... */ | 7850 /* Generate the pre-master secret ... */ |
7554 version.major = MSB(ss->clientHelloVersion); | 7851 if (IS_DTLS(ss)) { |
7555 version.minor = LSB(ss->clientHelloVersion); | 7852 SSL3ProtocolVersion temp; |
7853 | |
7854 temp = dtls_TLSVersionToDTLSVersion(ss->clientHelloVersion); | |
7855 | |
7856 » version.major = MSB(temp); | |
7857 » version.minor = LSB(temp); | |
7858 } else { | |
7859 » version.major = MSB(ss->clientHelloVersion); | |
7860 » version.minor = LSB(ss->clientHelloVersion); | |
7861 } | |
7556 | 7862 |
7557 param.data = (unsigned char *)&version; | 7863 param.data = (unsigned char *)&version; |
7558 param.len = sizeof version; | 7864 param.len = sizeof version; |
7559 | 7865 |
7560 pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN, ¶m, 0, pwArg); | 7866 pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN, ¶m, 0, pwArg); |
7561 if (!serverKeySlot) | 7867 if (!serverKeySlot) |
7562 PK11_FreeSlot(slot); | 7868 PK11_FreeSlot(slot); |
7563 if (pms == NULL) { | 7869 if (pms == NULL) { |
7564 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); | 7870 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); |
7565 } | 7871 } |
(...skipping 60 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
7626 * pwSpec->msItem. Finally call ssl3_InitPendingCipherSpec with | 7932 * pwSpec->msItem. Finally call ssl3_InitPendingCipherSpec with |
7627 * ss and NULL, so that it will use the MS we've already derived here. | 7933 * ss and NULL, so that it will use the MS we've already derived here. |
7628 */ | 7934 */ |
7629 | 7935 |
7630 rv = PK11_PrivDecryptPKCS1(serverKey, rsaPmsBuf, &outLen, | 7936 rv = PK11_PrivDecryptPKCS1(serverKey, rsaPmsBuf, &outLen, |
7631 sizeof rsaPmsBuf, enc_pms.data, enc_pms.len); | 7937 sizeof rsaPmsBuf, enc_pms.data, enc_pms.len); |
7632 if (rv != SECSuccess) { | 7938 if (rv != SECSuccess) { |
7633 /* triple bypass failed. Let's try for a double bypass. */ | 7939 /* triple bypass failed. Let's try for a double bypass. */ |
7634 goto double_bypass; | 7940 goto double_bypass; |
7635 } else if (ss->opt.detectRollBack) { | 7941 } else if (ss->opt.detectRollBack) { |
7636 » SSL3ProtocolVersion client_version = | 7942 » SSL3ProtocolVersion client_version = (rsaPmsBuf[0] << 8) | rsaPmsBuf [1]; |
7637 » » » » » (rsaPmsBuf[0] << 8) | rsaPmsBuf[1]; | 7943 » |
7638 » if (client_version != ss->clientHelloVersion) { | 7944 » if (IS_DTLS(ss)) { |
7945 client_version = dtls_DTLSVersionToTLSVersion(client_version); | |
7946 » } | |
7947 | |
7948 » if (rv != SECSuccess || (client_version != ss->clientHelloVersion)) { | |
wtc
2012/03/21 01:22:07
I think this
rv != SECSuccess ||
was added i
ekr
2012/03/21 01:36:40
You're right. This was an error introduced when I
ekr
2012/03/26 21:49:18
Done.
ekr
2012/03/26 21:49:18
Done.
| |
7639 /* Version roll-back detected. ensure failure. */ | 7949 /* Version roll-back detected. ensure failure. */ |
7640 rv = PK11_GenerateRandom(rsaPmsBuf, sizeof rsaPmsBuf); | 7950 rv = PK11_GenerateRandom(rsaPmsBuf, sizeof rsaPmsBuf); |
7641 } | 7951 } |
7642 } | 7952 } |
7643 /* have PMS, build MS without PKCS11 */ | 7953 /* have PMS, build MS without PKCS11 */ |
7644 rv = ssl3_MasterKeyDeriveBypass(pwSpec, cr, sr, &pmsItem, isTLS, | 7954 rv = ssl3_MasterKeyDeriveBypass(pwSpec, cr, sr, &pmsItem, isTLS, |
7645 PR_TRUE); | 7955 PR_TRUE); |
7646 if (rv != SECSuccess) { | 7956 if (rv != SECSuccess) { |
7647 pwSpec->msItem.data = pwSpec->raw_master_secret; | 7957 pwSpec->msItem.data = pwSpec->raw_master_secret; |
7648 pwSpec->msItem.len = SSL3_MASTER_SECRET_LENGTH; | 7958 pwSpec->msItem.len = SSL3_MASTER_SECRET_LENGTH; |
(...skipping 1195 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
8844 flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER; | 9154 flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER; |
8845 } | 9155 } |
8846 | 9156 |
8847 if (!isServer && !ss->firstHsDone) { | 9157 if (!isServer && !ss->firstHsDone) { |
8848 rv = ssl3_SendNextProto(ss); | 9158 rv = ssl3_SendNextProto(ss); |
8849 if (rv != SECSuccess) { | 9159 if (rv != SECSuccess) { |
8850 goto xmit_loser; /* err code was set. */ | 9160 goto xmit_loser; /* err code was set. */ |
8851 } | 9161 } |
8852 } | 9162 } |
8853 | 9163 |
9164 if (IS_DTLS(ss)) { | |
9165 flags |= ssl_SEND_FLAG_NO_RETRANSMIT; | |
9166 } | |
9167 | |
8854 rv = ssl3_SendFinished(ss, flags); | 9168 rv = ssl3_SendFinished(ss, flags); |
8855 if (rv != SECSuccess) { | 9169 if (rv != SECSuccess) { |
8856 goto xmit_loser; /* err is set. */ | 9170 goto xmit_loser; /* err is set. */ |
8857 } | 9171 } |
8858 } | 9172 } |
8859 | 9173 |
8860 xmit_loser: | 9174 xmit_loser: |
8861 ssl_ReleaseXmitBufLock(ss); /*************************************/ | 9175 ssl_ReleaseXmitBufLock(ss); /*************************************/ |
8862 if (rv != SECSuccess) { | 9176 if (rv != SECSuccess) { |
8863 return rv; | 9177 return rv; |
(...skipping 109 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
8973 ss->ssl3.hs.pending_cert_msg.len); | 9287 ss->ssl3.hs.pending_cert_msg.len); |
8974 SECITEM_FreeItem(&ss->ssl3.hs.pending_cert_msg, PR_FALSE); | 9288 SECITEM_FreeItem(&ss->ssl3.hs.pending_cert_msg, PR_FALSE); |
8975 } | 9289 } |
8976 return rv; | 9290 return rv; |
8977 } | 9291 } |
8978 | 9292 |
8979 /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3 | 9293 /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3 |
8980 * hanshake message. | 9294 * hanshake message. |
8981 * Caller must hold Handshake and RecvBuf locks. | 9295 * Caller must hold Handshake and RecvBuf locks. |
8982 */ | 9296 */ |
8983 static SECStatus | 9297 SECStatus |
8984 ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length) | 9298 ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
8985 { | 9299 { |
8986 SECStatus rv = SECSuccess; | 9300 SECStatus rv = SECSuccess; |
8987 SSL3HandshakeType type = ss->ssl3.hs.msg_type; | 9301 SSL3HandshakeType type = ss->ssl3.hs.msg_type; |
8988 SSL3Hashes hashes; /* computed hashes are put here. */ | 9302 SSL3Hashes hashes; /* computed hashes are put here. */ |
8989 PRUint8 hdr[4]; | 9303 PRUint8 hdr[4]; |
9304 PRUint8 dtlsData[8]; | |
8990 | 9305 |
8991 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 9306 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
8992 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 9307 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
8993 /* | 9308 /* |
8994 * We have to compute the hashes before we update them with the | 9309 * We have to compute the hashes before we update them with the |
8995 * current message. | 9310 * current message. |
8996 */ | 9311 */ |
8997 ssl_GetSpecReadLock(ss); /************************************/ | 9312 ssl_GetSpecReadLock(ss); /************************************/ |
8998 if((type == finished) || (type == certificate_verify)) { | 9313 if((type == finished) || (type == certificate_verify)) { |
8999 SSL3Sender sender = (SSL3Sender)0; | 9314 SSL3Sender sender = (SSL3Sender)0; |
(...skipping 16 matching lines...) Expand all Loading... | |
9016 PRINT_BUF(60, (ss, "MD5 handshake hash:", | 9331 PRINT_BUF(60, (ss, "MD5 handshake hash:", |
9017 (unsigned char*)ss->ssl3.hs.md5_cx, MD5_LENGTH)); | 9332 (unsigned char*)ss->ssl3.hs.md5_cx, MD5_LENGTH)); |
9018 PRINT_BUF(95, (ss, "SHA handshake hash:", | 9333 PRINT_BUF(95, (ss, "SHA handshake hash:", |
9019 (unsigned char*)ss->ssl3.hs.sha_cx, SHA1_LENGTH)); | 9334 (unsigned char*)ss->ssl3.hs.sha_cx, SHA1_LENGTH)); |
9020 | 9335 |
9021 hdr[0] = (PRUint8)ss->ssl3.hs.msg_type; | 9336 hdr[0] = (PRUint8)ss->ssl3.hs.msg_type; |
9022 hdr[1] = (PRUint8)(length >> 16); | 9337 hdr[1] = (PRUint8)(length >> 16); |
9023 hdr[2] = (PRUint8)(length >> 8); | 9338 hdr[2] = (PRUint8)(length >> 8); |
9024 hdr[3] = (PRUint8)(length ); | 9339 hdr[3] = (PRUint8)(length ); |
9025 | 9340 |
9341 | |
9026 /* Start new handshake hashes when we start a new handshake */ | 9342 /* Start new handshake hashes when we start a new handshake */ |
9027 if (ss->ssl3.hs.msg_type == client_hello) { | 9343 if (ss->ssl3.hs.msg_type == client_hello) { |
9028 SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes", | 9344 SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes", |
9029 SSL_GETPID(), ss->fd )); | 9345 SSL_GETPID(), ss->fd )); |
9030 rv = ssl3_RestartHandshakeHashes(ss); | 9346 rv = ssl3_RestartHandshakeHashes(ss); |
9031 if (rv != SECSuccess) { | 9347 if (rv != SECSuccess) { |
9032 return rv; | 9348 return rv; |
9033 } | 9349 } |
9034 } | 9350 } |
9035 /* We should not include hello_request messages in the handshake hashes */ | 9351 /* We should not include hello_request messages in the handshake hashes */ |
9036 if (ss->ssl3.hs.msg_type != hello_request) { | 9352 if ((ss->ssl3.hs.msg_type != hello_request) && |
9353 » (ss->ssl3.hs.msg_type != hello_verify_request)) { | |
9037 rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) hdr, 4); | 9354 rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) hdr, 4); |
9038 if (rv != SECSuccess) return rv; /* err code already set. */ | 9355 if (rv != SECSuccess) return rv; /* err code already set. */ |
9356 | |
9357 /* Extra data to simulate a complete DTLS handshake fragment */ | |
9358 if (IS_DTLS(ss)) { | |
9359 /* Sequence number */ | |
9360 dtlsData[0] = MSB(ss->ssl3.hs.recvMessageSeq); | |
9361 dtlsData[1] = LSB(ss->ssl3.hs.recvMessageSeq); | |
9362 | |
9363 /* Fragment offset */ | |
9364 dtlsData[2] = 0; | |
9365 dtlsData[3] = 0; | |
9366 dtlsData[4] = 0; | |
9367 | |
9368 /* Fragment length */ | |
9369 dtlsData[5] = (PRUint8)(length >> 16); | |
9370 dtlsData[6] = (PRUint8)(length >> 8); | |
9371 dtlsData[7] = (PRUint8)(length ); | |
9372 | |
9373 rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) dtlsData, | |
9374 sizeof(dtlsData)); | |
9375 if (rv != SECSuccess) return rv; /* err code already set. */ | |
9376 | |
9377 } | |
9378 | |
9379 /* The message body */ | |
9039 rv = ssl3_UpdateHandshakeHashes(ss, b, length); | 9380 rv = ssl3_UpdateHandshakeHashes(ss, b, length); |
9040 if (rv != SECSuccess) return rv; /* err code already set. */ | 9381 if (rv != SECSuccess) return rv; /* err code already set. */ |
9041 } | 9382 } |
9042 | 9383 |
9043 PORT_SetError(0); /* each message starts with no error. */ | 9384 PORT_SetError(0); /* each message starts with no error. */ |
9385 | |
9044 switch (ss->ssl3.hs.msg_type) { | 9386 switch (ss->ssl3.hs.msg_type) { |
9045 case hello_request: | 9387 case hello_request: |
9046 if (length != 0) { | 9388 if (length != 0) { |
9047 (void)ssl3_DecodeError(ss); | 9389 (void)ssl3_DecodeError(ss); |
9048 PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST); | 9390 PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST); |
9049 return SECFailure; | 9391 return SECFailure; |
9050 } | 9392 } |
9051 if (ss->sec.isServer) { | 9393 if (ss->sec.isServer) { |
9052 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); | 9394 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); |
9053 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST); | 9395 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST); |
(...skipping 10 matching lines...) Expand all Loading... | |
9064 rv = ssl3_HandleClientHello(ss, b, length); | 9406 rv = ssl3_HandleClientHello(ss, b, length); |
9065 break; | 9407 break; |
9066 case server_hello: | 9408 case server_hello: |
9067 if (ss->sec.isServer) { | 9409 if (ss->sec.isServer) { |
9068 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); | 9410 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); |
9069 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO); | 9411 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO); |
9070 return SECFailure; | 9412 return SECFailure; |
9071 } | 9413 } |
9072 rv = ssl3_HandleServerHello(ss, b, length); | 9414 rv = ssl3_HandleServerHello(ss, b, length); |
9073 break; | 9415 break; |
9416 case hello_verify_request: | |
9417 if (!IS_DTLS(ss) || ss->sec.isServer) { | |
9418 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); | |
9419 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST); | |
9420 return SECFailure; | |
9421 } | |
9422 rv = dtls_HandleHelloVerifyRequest(ss, b, length); | |
9423 break; | |
9074 case certificate: | 9424 case certificate: |
9075 if (ss->ssl3.hs.may_get_cert_status) { | 9425 if (ss->ssl3.hs.may_get_cert_status) { |
9076 /* If we might get a CertificateStatus then we want to postpone the | 9426 /* If we might get a CertificateStatus then we want to postpone the |
9077 * processing of the Certificate message until after we have | 9427 * processing of the Certificate message until after we have |
9078 * processed the CertificateStatus */ | 9428 * processed the CertificateStatus */ |
9079 if (ss->ssl3.hs.pending_cert_msg.data || | 9429 if (ss->ssl3.hs.pending_cert_msg.data || |
9080 ss->ssl3.hs.ws != wait_server_cert) { | 9430 ss->ssl3.hs.ws != wait_server_cert) { |
9081 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); | 9431 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); |
9082 (void)ssl_MapLowLevelError(SSL_ERROR_RX_UNEXPECTED_CERTIFICATE); | 9432 (void)ssl_MapLowLevelError(SSL_ERROR_RX_UNEXPECTED_CERTIFICATE); |
9083 return SECFailure; | 9433 return SECFailure; |
(...skipping 78 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
9162 rv = ssl3_HandleNewSessionTicket(ss, b, length); | 9512 rv = ssl3_HandleNewSessionTicket(ss, b, length); |
9163 break; | 9513 break; |
9164 case finished: | 9514 case finished: |
9165 rv = ssl3_HandleFinished(ss, b, length, &hashes); | 9515 rv = ssl3_HandleFinished(ss, b, length, &hashes); |
9166 break; | 9516 break; |
9167 default: | 9517 default: |
9168 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); | 9518 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); |
9169 PORT_SetError(SSL_ERROR_RX_UNKNOWN_HANDSHAKE); | 9519 PORT_SetError(SSL_ERROR_RX_UNKNOWN_HANDSHAKE); |
9170 rv = SECFailure; | 9520 rv = SECFailure; |
9171 } | 9521 } |
9522 | |
9523 if (IS_DTLS(ss) && (rv == SECSuccess)) { | |
9524 /* Increment the expected sequence number */ | |
9525 ss->ssl3.hs.recvMessageSeq++; | |
9526 } | |
9527 | |
9172 return rv; | 9528 return rv; |
9173 } | 9529 } |
9174 | 9530 |
9531 | |
9175 /* Called only from ssl3_HandleRecord, for each (deciphered) ssl3 record. | 9532 /* Called only from ssl3_HandleRecord, for each (deciphered) ssl3 record. |
9176 * origBuf is the decrypted ssl record content. | 9533 * origBuf is the decrypted ssl record content. |
9177 * Caller must hold the handshake and RecvBuf locks. | 9534 * Caller must hold the handshake and RecvBuf locks. |
9178 */ | 9535 */ |
9179 static SECStatus | 9536 static SECStatus |
9180 ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf) | 9537 ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf) |
9181 { | 9538 { |
9182 /* | 9539 /* |
9183 * There may be a partial handshake message already in the handshake | 9540 * There may be a partial handshake message already in the handshake |
9184 * state. The incoming buffer may contain another portion, or a | 9541 * state. The incoming buffer may contain another portion, or a |
(...skipping 139 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
9324 ssl3CipherSpec * crSpec; | 9681 ssl3CipherSpec * crSpec; |
9325 SECStatus rv; | 9682 SECStatus rv; |
9326 unsigned int hashBytes = MAX_MAC_LENGTH + 1; | 9683 unsigned int hashBytes = MAX_MAC_LENGTH + 1; |
9327 unsigned int padding_length; | 9684 unsigned int padding_length; |
9328 PRBool isTLS; | 9685 PRBool isTLS; |
9329 PRBool padIsBad = PR_FALSE; | 9686 PRBool padIsBad = PR_FALSE; |
9330 SSL3ContentType rType; | 9687 SSL3ContentType rType; |
9331 SSL3Opaque hash[MAX_MAC_LENGTH]; | 9688 SSL3Opaque hash[MAX_MAC_LENGTH]; |
9332 sslBuffer *plaintext; | 9689 sslBuffer *plaintext; |
9333 sslBuffer temp_buf; | 9690 sslBuffer temp_buf; |
9691 PRUint64 dtls_seq_num; | |
9334 unsigned int ivLen = 0; | 9692 unsigned int ivLen = 0; |
9335 | 9693 |
9336 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 9694 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
9337 | 9695 |
9338 if (!ss->ssl3.initialized) { | 9696 if (!ss->ssl3.initialized) { |
9339 ssl_GetSSL3HandshakeLock(ss); | 9697 ssl_GetSSL3HandshakeLock(ss); |
9340 rv = ssl3_InitState(ss); | 9698 rv = ssl3_InitState(ss); |
9341 ssl_ReleaseSSL3HandshakeLock(ss); | 9699 ssl_ReleaseSSL3HandshakeLock(ss); |
9342 if (rv != SECSuccess) { | 9700 if (rv != SECSuccess) { |
9343 return rv; /* ssl3_InitState has set the error code. */ | 9701 return rv; /* ssl3_InitState has set the error code. */ |
(...skipping 15 matching lines...) Expand all Loading... | |
9359 SSL_GETPID(), ss->fd)); | 9717 SSL_GETPID(), ss->fd)); |
9360 rType = content_handshake; | 9718 rType = content_handshake; |
9361 goto process_it; | 9719 goto process_it; |
9362 } | 9720 } |
9363 | 9721 |
9364 ssl_GetSpecReadLock(ss); /******************************************/ | 9722 ssl_GetSpecReadLock(ss); /******************************************/ |
9365 | 9723 |
9366 crSpec = ss->ssl3.crSpec; | 9724 crSpec = ss->ssl3.crSpec; |
9367 cipher_def = crSpec->cipher_def; | 9725 cipher_def = crSpec->cipher_def; |
9368 | 9726 |
9727 /* If we will be decompressing the buffer we need to decrypt somewhere | |
9728 * other than into databuf */ | |
9729 if (crSpec->decompressor) { | |
9730 temp_buf.buf = NULL; | |
9731 temp_buf.space = 0; | |
9732 plaintext = &temp_buf; | |
9733 } else { | |
9734 plaintext = databuf; | |
9735 } | |
9736 | |
9737 plaintext->len = 0; /* filled in by decode call below. */ | |
9738 | |
9739 /* | |
9740 * DTLS relevance checks: | |
9741 * Note that this code currently ignores all out-of-epoch packets, | |
9742 * which means we lose some in the case of rehandshake + | |
9743 * loss/reordering. Since DTLS is explicitly unreliable, this | |
9744 * seems like a good tradeoff for implementation effort and is | |
9745 * consistent with the guidance of RFC 6347 S 4.1 and S 4.2.4.1 | |
9746 */ | |
9747 if (IS_DTLS(ss)) { | |
9748 DTLSEpoch epoch = (cText->seq_num.high >> 16) & 0xffff; | |
9749 | |
9750 if (crSpec->epoch != epoch) { | |
9751 ssl_ReleaseSpecReadLock(ss); | |
9752 SSL_DBG(("%d: SSL3[%d]: HandleRecord, received packet " | |
9753 "from irrelevant epoch %d", SSL_GETPID(), ss->fd, epoch)); | |
9754 return SECSuccess; | |
9755 } | |
9756 | |
9757 dtls_seq_num = (((PRUint64)(cText->seq_num.high & 0xffff)) << 32) | | |
9758 ((PRUint64)cText->seq_num.low); | |
9759 | |
9760 if (dtls_RecordGetRecvd(&crSpec->recvdRecords, dtls_seq_num)) { | |
9761 ssl_ReleaseSpecReadLock(ss); | |
9762 SSL_DBG(("%d: SSL3[%d]: HandleRecord, rejecting " | |
9763 "potentially replayed packet", SSL_GETPID(), ss->fd)); | |
9764 return SECSuccess; | |
9765 } | |
9766 } | |
9767 | |
9369 if (cipher_def->type == type_block && | 9768 if (cipher_def->type == type_block && |
9370 crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { | 9769 crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { |
9371 /* Consume the per-record explicit IV. RFC 4346 Section 6.2.3.2 states | 9770 /* Consume the per-record explicit IV. RFC 4346 Section 6.2.3.2 states |
9372 * "The receiver decrypts the entire GenericBlockCipher structure and | 9771 * "The receiver decrypts the entire GenericBlockCipher structure and |
9373 * then discards the first cipher block corresponding to the IV | 9772 * then discards the first cipher block corresponding to the IV |
9374 * component." Instead, we decrypt the first cipher block and then | 9773 * component." Instead, we decrypt the first cipher block and then |
9375 * discard it before decrypting the rest. | 9774 * discard it before decrypting the rest. |
9376 */ | 9775 */ |
9377 SSL3Opaque iv[MAX_IV_LENGTH]; | 9776 SSL3Opaque iv[MAX_IV_LENGTH]; |
9378 int decoded; | 9777 int decoded; |
(...skipping 25 matching lines...) Expand all Loading... | |
9404 sizeof(iv), cText->buf->buf, ivLen); | 9803 sizeof(iv), cText->buf->buf, ivLen); |
9405 | 9804 |
9406 if (rv != SECSuccess) { | 9805 if (rv != SECSuccess) { |
9407 /* All decryption failures must be treated like a bad record | 9806 /* All decryption failures must be treated like a bad record |
9408 * MAC; see RFC 5246 (TLS 1.2). | 9807 * MAC; see RFC 5246 (TLS 1.2). |
9409 */ | 9808 */ |
9410 padIsBad = PR_TRUE; | 9809 padIsBad = PR_TRUE; |
9411 } | 9810 } |
9412 } | 9811 } |
9413 | 9812 |
9414 /* If we will be decompressing the buffer we need to decrypt somewhere | |
9415 * other than into databuf */ | |
9416 if (crSpec->decompressor) { | |
9417 temp_buf.buf = NULL; | |
9418 temp_buf.space = 0; | |
9419 plaintext = &temp_buf; | |
9420 } else { | |
9421 plaintext = databuf; | |
9422 } | |
9423 | |
9424 plaintext->len = 0; /* filled in by decode call below. */ | |
9425 if (plaintext->space < MAX_FRAGMENT_LENGTH) { | 9813 if (plaintext->space < MAX_FRAGMENT_LENGTH) { |
9426 rv = sslBuffer_Grow(plaintext, MAX_FRAGMENT_LENGTH + 2048); | 9814 rv = sslBuffer_Grow(plaintext, MAX_FRAGMENT_LENGTH + 2048); |
9427 if (rv != SECSuccess) { | 9815 if (rv != SECSuccess) { |
9428 ssl_ReleaseSpecReadLock(ss); | 9816 ssl_ReleaseSpecReadLock(ss); |
9429 SSL_DBG(("%d: SSL3[%d]: HandleRecord, tried to get %d bytes", | 9817 SSL_DBG(("%d: SSL3[%d]: HandleRecord, tried to get %d bytes", |
9430 SSL_GETPID(), ss->fd, MAX_FRAGMENT_LENGTH + 2048)); | 9818 SSL_GETPID(), ss->fd, MAX_FRAGMENT_LENGTH + 2048)); |
9431 /* sslBuffer_Grow has set a memory error code. */ | 9819 /* sslBuffer_Grow has set a memory error code. */ |
9432 /* Perhaps we should send an alert. (but we have no memory!) */ | 9820 /* Perhaps we should send an alert. (but we have no memory!) */ |
9433 return SECFailure; | 9821 return SECFailure; |
9434 } | 9822 } |
9435 } | 9823 } |
9436 | 9824 |
9437 PRINT_BUF(80, (ss, "ciphertext:", cText->buf->buf + ivLen, | 9825 PRINT_BUF(80, (ss, "ciphertext:", cText->buf->buf + ivLen, |
9438 cText->buf->len - ivLen)); | 9826 cText->buf->len - ivLen)); |
9439 | 9827 |
9828 cipher_def = crSpec->cipher_def; | |
ekr
2012/03/26 21:49:18
This looks like it was just redundant?
wtc
2012/03/27 00:28:25
Yes, I bet this is also a merging error. Brian Sm
| |
9440 isTLS = (PRBool)(crSpec->version > SSL_LIBRARY_VERSION_3_0); | 9829 isTLS = (PRBool)(crSpec->version > SSL_LIBRARY_VERSION_3_0); |
9441 | 9830 |
9442 if (isTLS && cText->buf->len - ivLen > (MAX_FRAGMENT_LENGTH + 2048)) { | 9831 if (isTLS && cText->buf->len - ivLen > (MAX_FRAGMENT_LENGTH + 2048)) { |
9443 ssl_ReleaseSpecReadLock(ss); | 9832 ssl_ReleaseSpecReadLock(ss); |
9444 SSL3_SendAlert(ss, alert_fatal, record_overflow); | 9833 SSL3_SendAlert(ss, alert_fatal, record_overflow); |
9445 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); | 9834 PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); |
9446 return SECFailure; | 9835 return SECFailure; |
9447 } | 9836 } |
9448 | 9837 |
9449 /* decrypt from cText buf to plaintext. */ | 9838 /* decrypt from cText buf to plaintext. */ |
(...skipping 21 matching lines...) Expand all Loading... | |
9471 /* In TLS all padding bytes must be equal to the padding length. */ | 9860 /* In TLS all padding bytes must be equal to the padding length. */ |
9472 if (isTLS) { | 9861 if (isTLS) { |
9473 PRUint8 *p; | 9862 PRUint8 *p; |
9474 for (p = pPaddingLen - padding_length; p < pPaddingLen; ++p) { | 9863 for (p = pPaddingLen - padding_length; p < pPaddingLen; ++p) { |
9475 padIsBad |= *p ^ padding_length; | 9864 padIsBad |= *p ^ padding_length; |
9476 } | 9865 } |
9477 } | 9866 } |
9478 } | 9867 } |
9479 } | 9868 } |
9480 | 9869 |
9870 | |
9481 /* Remove the MAC. */ | 9871 /* Remove the MAC. */ |
9482 if (plaintext->len >= crSpec->mac_size) | 9872 if (plaintext->len >= crSpec->mac_size) |
9483 plaintext->len -= crSpec->mac_size; | 9873 plaintext->len -= crSpec->mac_size; |
9484 else | 9874 else |
9485 padIsBad = PR_TRUE; /* really macIsBad */ | 9875 padIsBad = PR_TRUE; /* really macIsBad */ |
9486 | 9876 |
9487 /* compute the MAC */ | 9877 /* compute the MAC */ |
9488 rType = cText->type; | 9878 rType = cText->type; |
9489 rv = ssl3_ComputeRecordMAC( crSpec, (PRBool)(!ss->sec.isServer), | 9879 rv = ssl3_ComputeRecordMAC( crSpec, (PRBool)(!ss->sec.isServer), |
9490 » rType, cText->version, crSpec->read_seq_num, | 9880 IS_DTLS(ss), rType, cText->version, |
9881 IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, | |
9491 plaintext->buf, plaintext->len, hash, &hashBytes); | 9882 plaintext->buf, plaintext->len, hash, &hashBytes); |
9492 if (rv != SECSuccess) { | 9883 if (rv != SECSuccess) { |
9493 padIsBad = PR_TRUE; /* really macIsBad */ | 9884 padIsBad = PR_TRUE; /* really macIsBad */ |
9494 } | 9885 } |
9495 | 9886 |
9496 /* Check the MAC */ | 9887 /* Check the MAC */ |
9497 if (hashBytes != (unsigned)crSpec->mac_size || padIsBad || | 9888 if (hashBytes != (unsigned)crSpec->mac_size || padIsBad || |
9498 NSS_SecureMemcmp(plaintext->buf + plaintext->len, hash, | 9889 NSS_SecureMemcmp(plaintext->buf + plaintext->len, hash, |
9499 crSpec->mac_size) != 0) { | 9890 crSpec->mac_size) != 0) { |
9500 /* must not hold spec lock when calling SSL3_SendAlert. */ | 9891 /* must not hold spec lock when calling SSL3_SendAlert. */ |
9501 ssl_ReleaseSpecReadLock(ss); | 9892 ssl_ReleaseSpecReadLock(ss); |
9502 » SSL3_SendAlert(ss, alert_fatal, bad_record_mac); | 9893 » |
9503 /* always log mac error, in case attacker can read server logs. */ | 9894 /* always log mac error, in case attacker can read server logs. */ |
9504 PORT_SetError(SSL_ERROR_BAD_MAC_READ); | 9895 PORT_SetError(SSL_ERROR_BAD_MAC_READ); |
9505 | |
9506 SSL_DBG(("%d: SSL3[%d]: mac check failed", SSL_GETPID(), ss->fd)); | 9896 SSL_DBG(("%d: SSL3[%d]: mac check failed", SSL_GETPID(), ss->fd)); |
9507 | 9897 |
9508 » return SECFailure; | 9898 » if (!IS_DTLS(ss)) { |
9899 » SSL3_SendAlert(ss, alert_fatal, bad_record_mac); | |
9900 » return SECFailure; | |
9901 » } else { | |
9902 » /* Silently drop the packet */ | |
9903 plaintext->len = 0; /* Needed to ensure data not left around */ | |
9904 » return SECSuccess; | |
9905 » } | |
9509 } | 9906 } |
9510 | 9907 |
9511 | 9908 |
9512 | 9909 if (!IS_DTLS(ss)) { |
9513 ssl3_BumpSequenceNumber(&crSpec->read_seq_num); | 9910 » ssl3_BumpSequenceNumber(&crSpec->read_seq_num); |
9911 } else { | |
9912 » dtls_RecordSetRecvd(&crSpec->recvdRecords, dtls_seq_num); | |
9913 } | |
9514 | 9914 |
9515 ssl_ReleaseSpecReadLock(ss); /*****************************************/ | 9915 ssl_ReleaseSpecReadLock(ss); /*****************************************/ |
9516 | 9916 |
9517 /* | 9917 /* |
9518 * The decrypted data is now in plaintext. | 9918 * The decrypted data is now in plaintext. |
9519 */ | 9919 */ |
9520 | 9920 |
9521 /* possibly decompress the record. If we aren't using compression then | 9921 /* possibly decompress the record. If we aren't using compression then |
9522 * plaintext == databuf and so the uncompressed data is already in | 9922 * plaintext == databuf and so the uncompressed data is already in |
9523 * databuf. */ | 9923 * databuf. */ |
(...skipping 84 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
9608 ** they return SECFailure or SECWouldBlock. | 10008 ** they return SECFailure or SECWouldBlock. |
9609 */ | 10009 */ |
9610 switch (rType) { | 10010 switch (rType) { |
9611 case content_change_cipher_spec: | 10011 case content_change_cipher_spec: |
9612 rv = ssl3_HandleChangeCipherSpecs(ss, databuf); | 10012 rv = ssl3_HandleChangeCipherSpecs(ss, databuf); |
9613 break; | 10013 break; |
9614 case content_alert: | 10014 case content_alert: |
9615 rv = ssl3_HandleAlert(ss, databuf); | 10015 rv = ssl3_HandleAlert(ss, databuf); |
9616 break; | 10016 break; |
9617 case content_handshake: | 10017 case content_handshake: |
9618 » rv = ssl3_HandleHandshake(ss, databuf); | 10018 if (!IS_DTLS(ss)) { |
10019 rv = ssl3_HandleHandshake(ss, databuf); | |
10020 } else { | |
10021 rv = dtls_HandleHandshake(ss, databuf); | |
10022 } | |
9619 break; | 10023 break; |
9620 /* | 10024 /* |
9621 case content_application_data is handled before this switch | 10025 case content_application_data is handled before this switch |
9622 */ | 10026 */ |
9623 default: | 10027 default: |
9624 SSL_DBG(("%d: SSL3[%d]: bogus content type=%d", | 10028 SSL_DBG(("%d: SSL3[%d]: bogus content type=%d", |
9625 SSL_GETPID(), ss->fd, cText->type)); | 10029 SSL_GETPID(), ss->fd, cText->type)); |
9626 /* XXX Send an alert ??? */ | 10030 /* XXX Send an alert ??? */ |
9627 PORT_SetError(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE); | 10031 PORT_SetError(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE); |
9628 rv = SECFailure; | 10032 rv = SECFailure; |
(...skipping 39 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
9668 spec->server.write_key = NULL; | 10072 spec->server.write_key = NULL; |
9669 spec->server.write_mac_key = NULL; | 10073 spec->server.write_mac_key = NULL; |
9670 spec->server.write_mac_context = NULL; | 10074 spec->server.write_mac_context = NULL; |
9671 | 10075 |
9672 spec->write_seq_num.high = 0; | 10076 spec->write_seq_num.high = 0; |
9673 spec->write_seq_num.low = 0; | 10077 spec->write_seq_num.low = 0; |
9674 | 10078 |
9675 spec->read_seq_num.high = 0; | 10079 spec->read_seq_num.high = 0; |
9676 spec->read_seq_num.low = 0; | 10080 spec->read_seq_num.low = 0; |
9677 | 10081 |
10082 spec->epoch = 0; | |
10083 dtls_InitRecvdRecords(&spec->recvdRecords); | |
10084 | |
9678 spec->version = ss->vrange.max; | 10085 spec->version = ss->vrange.max; |
9679 } | 10086 } |
9680 | 10087 |
9681 /* Called from: ssl3_SendRecord | 10088 /* Called from: ssl3_SendRecord |
9682 ** ssl3_StartHandshakeHash() <- ssl2_BeginClientHandshake() | 10089 ** ssl3_StartHandshakeHash() <- ssl2_BeginClientHandshake() |
9683 ** ssl3_SendClientHello() | 10090 ** ssl3_SendClientHello() |
9684 ** ssl3_HandleServerHello() | 10091 ** ssl3_HandleServerHello() |
9685 ** ssl3_HandleClientHello() | 10092 ** ssl3_HandleClientHello() |
9686 ** ssl3_HandleV2ClientHello() | 10093 ** ssl3_HandleV2ClientHello() |
9687 ** ssl3_HandleRecord() | 10094 ** ssl3_HandleRecord() |
(...skipping 21 matching lines...) Expand all Loading... | |
9709 ssl3_InitCipherSpec(ss, ss->ssl3.prSpec); | 10116 ssl3_InitCipherSpec(ss, ss->ssl3.prSpec); |
9710 | 10117 |
9711 ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello; | 10118 ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello; |
9712 #ifdef NSS_ENABLE_ECC | 10119 #ifdef NSS_ENABLE_ECC |
9713 ss->ssl3.hs.negotiatedECCurves = SSL3_SUPPORTED_CURVES_MASK; | 10120 ss->ssl3.hs.negotiatedECCurves = SSL3_SUPPORTED_CURVES_MASK; |
9714 #endif | 10121 #endif |
9715 ssl_ReleaseSpecWriteLock(ss); | 10122 ssl_ReleaseSpecWriteLock(ss); |
9716 | 10123 |
9717 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); | 10124 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); |
9718 | 10125 |
10126 if (IS_DTLS(ss)) { | |
10127 ss->ssl3.hs.sendMessageSeq = 0; | |
10128 ss->ssl3.hs.recvMessageSeq = 0; | |
10129 ss->ssl3.hs.rtTimeoutMs = INITIAL_DTLS_TIMEOUT_MS; | |
10130 ss->ssl3.hs.rtRetries = 0; | |
10131 | |
10132 /* Have to allocate this because ssl_FreeSocket relocates | |
10133 this structure in DEBUG mode */ | |
10134 if (!(ss->ssl3.hs.lastMessageFlight = PORT_Alloc(sizeof(PRCList)))) | |
10135 return SECFailure; | |
10136 ss->ssl3.hs.recvdHighWater = -1; | |
10137 PR_INIT_CLIST(ss->ssl3.hs.lastMessageFlight); | |
10138 dtls_SetMTU(ss, 0); /* Set the MTU to the highest plateau */ | |
10139 } | |
10140 | |
9719 rv = ssl3_NewHandshakeHashes(ss); | 10141 rv = ssl3_NewHandshakeHashes(ss); |
9720 if (rv == SECSuccess) { | 10142 if (rv == SECSuccess) { |
9721 ss->ssl3.initialized = PR_TRUE; | 10143 ss->ssl3.initialized = PR_TRUE; |
9722 } | 10144 } |
9723 | 10145 |
9724 return rv; | 10146 return rv; |
9725 } | 10147 } |
9726 | 10148 |
9727 /* Returns a reference counted object that contains a key pair. | 10149 /* Returns a reference counted object that contains a key pair. |
9728 * Or NULL on failure. Initial ref count is 1. | 10150 * Or NULL on failure. Initial ref count is 1. |
(...skipping 95 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
9824 | 10246 |
9825 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites); | 10247 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites); |
9826 if (suite) { | 10248 if (suite) { |
9827 policy = suite->policy; | 10249 policy = suite->policy; |
9828 rv = SECSuccess; | 10250 rv = SECSuccess; |
9829 } else { | 10251 } else { |
9830 policy = SSL_NOT_ALLOWED; | 10252 policy = SSL_NOT_ALLOWED; |
9831 rv = SECFailure; /* err code was set by Lookup. */ | 10253 rv = SECFailure; /* err code was set by Lookup. */ |
9832 } | 10254 } |
9833 *oPolicy = policy; | 10255 *oPolicy = policy; |
9834 return rv; | 10256 return rv; |
9835 } | 10257 } |
9836 | 10258 |
9837 /* record the user preference for this suite */ | 10259 /* record the user preference for this suite */ |
9838 SECStatus | 10260 SECStatus |
9839 ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool enabled) | 10261 ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool enabled) |
9840 { | 10262 { |
9841 ssl3CipherSuiteCfg *suite; | 10263 ssl3CipherSuiteCfg *suite; |
9842 | 10264 |
9843 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites); | 10265 suite = ssl_LookupCipherSuiteCfg(which, cipherSuites); |
9844 if (suite == NULL) { | 10266 if (suite == NULL) { |
(...skipping 116 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
9961 | 10383 |
9962 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 10384 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
9963 | 10385 |
9964 if (!ss->firstHsDone || | 10386 if (!ss->firstHsDone || |
9965 ((ss->version >= SSL_LIBRARY_VERSION_3_0) && | 10387 ((ss->version >= SSL_LIBRARY_VERSION_3_0) && |
9966 ss->ssl3.initialized && | 10388 ss->ssl3.initialized && |
9967 (ss->ssl3.hs.ws != idle_handshake))) { | 10389 (ss->ssl3.hs.ws != idle_handshake))) { |
9968 PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED); | 10390 PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED); |
9969 return SECFailure; | 10391 return SECFailure; |
9970 } | 10392 } |
10393 | |
10394 if (IS_DTLS(ss)) { | |
10395 dtls_RehandshakeCleanup(ss); | |
10396 } | |
10397 | |
9971 if (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) { | 10398 if (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) { |
9972 PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED); | 10399 PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED); |
9973 return SECFailure; | 10400 return SECFailure; |
9974 } | 10401 } |
9975 if (sid && flushCache) { | 10402 if (sid && flushCache) { |
9976 ss->sec.uncache(sid); /* remove it from whichever cache it's in. */ | 10403 ss->sec.uncache(sid); /* remove it from whichever cache it's in. */ |
9977 ssl_FreeSID(sid); /* dec ref count and free if zero. */ | 10404 ssl_FreeSID(sid); /* dec ref count and free if zero. */ |
9978 ss->sec.ci.sid = NULL; | 10405 ss->sec.ci.sid = NULL; |
9979 } | 10406 } |
9980 | 10407 |
9981 ssl_GetXmitBufLock(ss); /**************************************/ | 10408 ssl_GetXmitBufLock(ss); /**************************************/ |
9982 | 10409 |
9983 /* start off a new handshake. */ | 10410 /* start off a new handshake. */ |
9984 rv = (ss->sec.isServer) ? ssl3_SendHelloRequest(ss) | 10411 rv = (ss->sec.isServer) ? ssl3_SendHelloRequest(ss) |
9985 : ssl3_SendClientHello(ss); | 10412 » » » : ssl3_SendClientHello(ss, PR_FALSE); |
9986 | 10413 |
9987 ssl_ReleaseXmitBufLock(ss); /**************************************/ | 10414 ssl_ReleaseXmitBufLock(ss); /**************************************/ |
9988 return rv; | 10415 return rv; |
9989 } | 10416 } |
9990 | 10417 |
9991 /* Called from ssl_DestroySocketContents() in sslsock.c */ | 10418 /* Called from ssl_DestroySocketContents() in sslsock.c */ |
9992 void | 10419 void |
9993 ssl3_DestroySSL3Info(sslSocket *ss) | 10420 ssl3_DestroySSL3Info(sslSocket *ss) |
9994 { | 10421 { |
9995 | 10422 |
(...skipping 39 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
10035 SECITEM_FreeItem(&ss->ssl3.hs.cert_status, PR_FALSE); | 10462 SECITEM_FreeItem(&ss->ssl3.hs.cert_status, PR_FALSE); |
10036 } | 10463 } |
10037 | 10464 |
10038 /* free the SSL3Buffer (msg_body) */ | 10465 /* free the SSL3Buffer (msg_body) */ |
10039 PORT_Free(ss->ssl3.hs.msg_body.buf); | 10466 PORT_Free(ss->ssl3.hs.msg_body.buf); |
10040 | 10467 |
10041 /* free up the CipherSpecs */ | 10468 /* free up the CipherSpecs */ |
10042 ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE/*freeSrvName*/); | 10469 ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE/*freeSrvName*/); |
10043 ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/); | 10470 ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/); |
10044 | 10471 |
10472 /* Destroy the DTLS data */ | |
10473 if (IS_DTLS(ss)) { | |
10474 if (ss->ssl3.hs.lastMessageFlight) { | |
10475 dtls_FreeHandshakeMessages(ss->ssl3.hs.lastMessageFlight); | |
10476 PORT_Free(ss->ssl3.hs.lastMessageFlight); | |
10477 } | |
10478 if (ss->ssl3.hs.recvdFragments.buf) { | |
10479 PORT_Free(ss->ssl3.hs.recvdFragments.buf); | |
10480 } | |
10481 } | |
10482 | |
10045 ss->ssl3.initialized = PR_FALSE; | 10483 ss->ssl3.initialized = PR_FALSE; |
10046 | 10484 |
10047 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); | 10485 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); |
10048 } | 10486 } |
10049 | 10487 |
10050 /* End of ssl3con.c */ | 10488 /* End of ssl3con.c */ |
OLD | NEW |