OLD | NEW |
---|---|
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ | 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ |
2 /* | 2 /* |
3 * SSL3 Protocol | 3 * SSL3 Protocol |
4 * | 4 * |
5 * ***** BEGIN LICENSE BLOCK ***** | 5 * ***** BEGIN LICENSE BLOCK ***** |
6 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 6 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
7 * | 7 * |
8 * The contents of this file are subject to the Mozilla Public License Version | 8 * The contents of this file are subject to the Mozilla Public License Version |
9 * 1.1 (the "License"); you may not use this file except in compliance with | 9 * 1.1 (the "License"); you may not use this file except in compliance with |
10 * the License. You may obtain a copy of the License at | 10 * the License. You may obtain a copy of the License at |
(...skipping 24 matching lines...) Expand all Loading... | |
35 * under the terms of either the GPL or the LGPL, and not to allow others to | 35 * under the terms of either the GPL or the LGPL, and not to allow others to |
36 * use your version of this file under the terms of the MPL, indicate your | 36 * use your version of this file under the terms of the MPL, indicate your |
37 * decision by deleting the provisions above and replace them with the notice | 37 * decision by deleting the provisions above and replace them with the notice |
38 * and other provisions required by the GPL or the LGPL. If you do not delete | 38 * and other provisions required by the GPL or the LGPL. If you do not delete |
39 * the provisions above, a recipient may use your version of this file under | 39 * the provisions above, a recipient may use your version of this file under |
40 * the terms of any one of the MPL, the GPL or the LGPL. | 40 * the terms of any one of the MPL, the GPL or the LGPL. |
41 * | 41 * |
42 * ***** END LICENSE BLOCK ***** */ | 42 * ***** END LICENSE BLOCK ***** */ |
43 /* $Id: ssl3con.c,v 1.173 2012/03/18 00:31:19 wtc%google.com Exp $ */ | 43 /* $Id: ssl3con.c,v 1.173 2012/03/18 00:31:19 wtc%google.com Exp $ */ |
44 | 44 |
45 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ | |
46 | |
45 #include "cert.h" | 47 #include "cert.h" |
46 #include "ssl.h" | 48 #include "ssl.h" |
47 #include "cryptohi.h" /* for DSAU_ stuff */ | 49 #include "cryptohi.h" /* for DSAU_ stuff */ |
48 #include "keyhi.h" | 50 #include "keyhi.h" |
49 #include "secder.h" | 51 #include "secder.h" |
50 #include "secitem.h" | 52 #include "secitem.h" |
51 | 53 |
52 #include "sslimpl.h" | 54 #include "sslimpl.h" |
53 #include "sslproto.h" | 55 #include "sslproto.h" |
54 #include "sslerr.h" | 56 #include "sslerr.h" |
(...skipping 30 matching lines...) Expand all Loading... | |
85 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss); | 87 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss); |
86 static SECStatus ssl3_SendNextProto( sslSocket *ss); | 88 static SECStatus ssl3_SendNextProto( sslSocket *ss); |
87 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); | 89 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); |
88 static SECStatus ssl3_SendServerHello( sslSocket *ss); | 90 static SECStatus ssl3_SendServerHello( sslSocket *ss); |
89 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); | 91 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); |
90 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss); | 92 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss); |
91 static SECStatus ssl3_NewHandshakeHashes( sslSocket *ss); | 93 static SECStatus ssl3_NewHandshakeHashes( sslSocket *ss); |
92 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, | 94 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, |
93 const unsigned char *b, | 95 const unsigned char *b, |
94 unsigned int l); | 96 unsigned int l); |
97 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); | |
95 | 98 |
96 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, | 99 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, |
97 int maxOutputLen, const unsigned char *input, | 100 int maxOutputLen, const unsigned char *input, |
98 int inputLen); | 101 int inputLen); |
99 | 102 |
100 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ | 103 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ |
101 #define MIN_SEND_BUF_LENGTH 4000 | 104 #define MIN_SEND_BUF_LENGTH 4000 |
102 | 105 |
103 #define MAX_CIPHER_SUITES 20 | 106 #define MAX_CIPHER_SUITES 20 |
104 | 107 |
(...skipping 109 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
214 } | 217 } |
215 | 218 |
216 static const /*SSL3ClientCertificateType */ uint8 certificate_types [] = { | 219 static const /*SSL3ClientCertificateType */ uint8 certificate_types [] = { |
217 ct_RSA_sign, | 220 ct_RSA_sign, |
218 ct_DSS_sign, | 221 ct_DSS_sign, |
219 #ifdef NSS_ENABLE_ECC | 222 #ifdef NSS_ENABLE_ECC |
220 ct_ECDSA_sign, | 223 ct_ECDSA_sign, |
221 #endif /* NSS_ENABLE_ECC */ | 224 #endif /* NSS_ENABLE_ECC */ |
222 }; | 225 }; |
223 | 226 |
224 #ifdef NSS_ENABLE_ZLIB | |
225 /* | |
226 * The DEFLATE algorithm can result in an expansion of 0.1% + 12 bytes. For a | |
227 * maximum TLS record payload of 2**14 bytes, that's 29 bytes. | |
228 */ | |
229 #define SSL3_COMPRESSION_MAX_EXPANSION 29 | |
230 #else /* !NSS_ENABLE_ZLIB */ | |
231 #define SSL3_COMPRESSION_MAX_EXPANSION 0 | |
232 #endif | |
233 | |
234 /* | |
235 * make sure there is room in the write buffer for padding and | |
236 * other compression and cryptographic expansions. | |
237 */ | |
238 #define SSL3_BUFFER_FUDGE 100 + SSL3_COMPRESSION_MAX_EXPANSION | |
239 | |
240 #define EXPORT_RSA_KEY_LENGTH 64 /* bytes */ | 227 #define EXPORT_RSA_KEY_LENGTH 64 /* bytes */ |
241 | 228 |
242 | 229 |
243 /* This global item is used only in servers. It is is initialized by | 230 /* This global item is used only in servers. It is is initialized by |
244 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest(). | 231 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest(). |
245 */ | 232 */ |
246 CERTDistNames *ssl3_server_ca_list = NULL; | 233 CERTDistNames *ssl3_server_ca_list = NULL; |
247 static SSL3Statistics ssl3stats; | 234 static SSL3Statistics ssl3stats; |
248 | 235 |
249 /* indexed by SSL3BulkCipher */ | 236 /* indexed by SSL3BulkCipher */ |
(...skipping 260 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
510 static char * | 497 static char * |
511 ssl3_DecodeHandshakeType(int msgType) | 498 ssl3_DecodeHandshakeType(int msgType) |
512 { | 499 { |
513 char * rv; | 500 char * rv; |
514 static char line[40]; | 501 static char line[40]; |
515 | 502 |
516 switch(msgType) { | 503 switch(msgType) { |
517 case hello_request: rv = "hello_request (0)"; break; | 504 case hello_request: rv = "hello_request (0)"; break; |
518 case client_hello: rv = "client_hello (1)"; break; | 505 case client_hello: rv = "client_hello (1)"; break; |
519 case server_hello: rv = "server_hello (2)"; break; | 506 case server_hello: rv = "server_hello (2)"; break; |
507 case hello_verify_request: rv = "hello_verify_request (3)"; break; | |
520 case certificate: rv = "certificate (11)"; break; | 508 case certificate: rv = "certificate (11)"; break; |
521 case server_key_exchange: rv = "server_key_exchange (12)"; break; | 509 case server_key_exchange: rv = "server_key_exchange (12)"; break; |
522 case certificate_request: rv = "certificate_request (13)"; break; | 510 case certificate_request: rv = "certificate_request (13)"; break; |
523 case server_hello_done: rv = "server_hello_done (14)"; break; | 511 case server_hello_done: rv = "server_hello_done (14)"; break; |
524 case certificate_verify: rv = "certificate_verify (15)"; break; | 512 case certificate_verify: rv = "certificate_verify (15)"; break; |
525 case client_key_exchange: rv = "client_key_exchange (16)"; break; | 513 case client_key_exchange: rv = "client_key_exchange (16)"; break; |
526 case finished: rv = "finished (20)"; break; | 514 case finished: rv = "finished (20)"; break; |
527 default: | 515 default: |
528 sprintf(line, "*UNKNOWN* handshake type! (%d)", msgType); | 516 sprintf(line, "*UNKNOWN* handshake type! (%d)", msgType); |
529 rv = line; | 517 rv = line; |
(...skipping 119 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
649 if (suite->enabled) { | 637 if (suite->enabled) { |
650 ++numEnabled; | 638 ++numEnabled; |
651 /* We need the cipher defs to see if we have a token that can handle | 639 /* We need the cipher defs to see if we have a token that can handle |
652 * this cipher. It isn't part of the static definition. | 640 * this cipher. It isn't part of the static definition. |
653 */ | 641 */ |
654 cipher_def = ssl_LookupCipherSuiteDef(suite->cipher_suite); | 642 cipher_def = ssl_LookupCipherSuiteDef(suite->cipher_suite); |
655 if (!cipher_def) { | 643 if (!cipher_def) { |
656 suite->isPresent = PR_FALSE; | 644 suite->isPresent = PR_FALSE; |
657 continue; | 645 continue; |
658 } | 646 } |
659 » cipher_alg=bulk_cipher_defs[cipher_def->bulk_cipher_alg ].calg; | 647 » cipher_alg = bulk_cipher_defs[cipher_def->bulk_cipher_alg].calg; |
660 PORT_Assert( alg2Mech[cipher_alg].calg == cipher_alg); | 648 PORT_Assert( alg2Mech[cipher_alg].calg == cipher_alg); |
661 cipher_mech = alg2Mech[cipher_alg].cmech; | 649 cipher_mech = alg2Mech[cipher_alg].cmech; |
662 exchKeyType = | 650 exchKeyType = |
663 kea_defs[cipher_def->key_exchange_alg].exchKeyType; | 651 kea_defs[cipher_def->key_exchange_alg].exchKeyType; |
664 #ifndef NSS_ENABLE_ECC | 652 #ifndef NSS_ENABLE_ECC |
665 svrAuth = ss->serverCerts + exchKeyType; | 653 svrAuth = ss->serverCerts + exchKeyType; |
666 #else | 654 #else |
667 /* XXX SSLKEAType isn't really a good choice for | 655 /* XXX SSLKEAType isn't really a good choice for |
668 * indexing certificates. It doesn't work for | 656 * indexing certificates. It doesn't work for |
669 * (EC)DHE-* ciphers. Here we use a hack to ensure | 657 * (EC)DHE-* ciphers. Here we use a hack to ensure |
(...skipping 471 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1141 PK11_DestroyContext(mat->write_mac_context, PR_TRUE); | 1129 PK11_DestroyContext(mat->write_mac_context, PR_TRUE); |
1142 mat->write_mac_context = NULL; | 1130 mat->write_mac_context = NULL; |
1143 } | 1131 } |
1144 } | 1132 } |
1145 | 1133 |
1146 /* Called from ssl3_SendChangeCipherSpecs() and | 1134 /* Called from ssl3_SendChangeCipherSpecs() and |
1147 ** ssl3_HandleChangeCipherSpecs() | 1135 ** ssl3_HandleChangeCipherSpecs() |
1148 ** ssl3_DestroySSL3Info | 1136 ** ssl3_DestroySSL3Info |
1149 ** Caller must hold SpecWriteLock. | 1137 ** Caller must hold SpecWriteLock. |
1150 */ | 1138 */ |
1151 static void | 1139 void |
1152 ssl3_DestroyCipherSpec(ssl3CipherSpec *spec, PRBool freeSrvName) | 1140 ssl3_DestroyCipherSpec(ssl3CipherSpec *spec, PRBool freeSrvName) |
1153 { | 1141 { |
1154 PRBool freeit = (PRBool)(!spec->bypassCiphers); | 1142 PRBool freeit = (PRBool)(!spec->bypassCiphers); |
1155 /* PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); Don't have ss! * / | 1143 /* PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); Don't have ss! * / |
1156 if (spec->destroy) { | 1144 if (spec->destroy) { |
1157 spec->destroy(spec->encodeContext, freeit); | 1145 spec->destroy(spec->encodeContext, freeit); |
1158 spec->destroy(spec->decodeContext, freeit); | 1146 spec->destroy(spec->decodeContext, freeit); |
1159 spec->encodeContext = NULL; /* paranoia */ | 1147 spec->encodeContext = NULL; /* paranoia */ |
1160 spec->decodeContext = NULL; | 1148 spec->decodeContext = NULL; |
1161 } | 1149 } |
(...skipping 59 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1221 | 1209 |
1222 SSL_TRC(3, ("%d: SSL3[%d]: Set XXX Pending Cipher Suite to 0x%04x", | 1210 SSL_TRC(3, ("%d: SSL3[%d]: Set XXX Pending Cipher Suite to 0x%04x", |
1223 SSL_GETPID(), ss->fd, suite)); | 1211 SSL_GETPID(), ss->fd, suite)); |
1224 | 1212 |
1225 suite_def = ssl_LookupCipherSuiteDef(suite); | 1213 suite_def = ssl_LookupCipherSuiteDef(suite); |
1226 if (suite_def == NULL) { | 1214 if (suite_def == NULL) { |
1227 ssl_ReleaseSpecWriteLock(ss); | 1215 ssl_ReleaseSpecWriteLock(ss); |
1228 return SECFailure; /* error code set by ssl_LookupCipherSuiteDef */ | 1216 return SECFailure; /* error code set by ssl_LookupCipherSuiteDef */ |
1229 } | 1217 } |
1230 | 1218 |
1219 if (IS_DTLS(ss)) { | |
1220 /* Double-check that we did not pick an RC4 suite */ | |
1221 PORT_Assert((suite_def->bulk_cipher_alg != cipher_rc4) && | |
1222 (suite_def->bulk_cipher_alg != cipher_rc4_40) && | |
1223 (suite_def->bulk_cipher_alg != cipher_rc4_56)); | |
1224 } | |
1231 | 1225 |
1232 cipher = suite_def->bulk_cipher_alg; | 1226 cipher = suite_def->bulk_cipher_alg; |
1233 kea = suite_def->key_exchange_alg; | 1227 kea = suite_def->key_exchange_alg; |
1234 mac = suite_def->mac_alg; | 1228 mac = suite_def->mac_alg; |
1235 if (isTLS) | 1229 if (isTLS) |
1236 mac += 2; | 1230 mac += 2; |
1237 | 1231 |
1238 ss->ssl3.hs.suite_def = suite_def; | 1232 ss->ssl3.hs.suite_def = suite_def; |
1239 ss->ssl3.hs.kea_def = &kea_defs[kea]; | 1233 ss->ssl3.hs.kea_def = &kea_defs[kea]; |
1240 PORT_Assert(ss->ssl3.hs.kea_def->kea == kea); | 1234 PORT_Assert(ss->ssl3.hs.kea_def->kea == kea); |
1241 | 1235 |
1242 pwSpec->cipher_def = &bulk_cipher_defs[cipher]; | 1236 pwSpec->cipher_def = &bulk_cipher_defs[cipher]; |
1243 PORT_Assert(pwSpec->cipher_def->cipher == cipher); | 1237 PORT_Assert(pwSpec->cipher_def->cipher == cipher); |
1244 | 1238 |
1245 pwSpec->mac_def = &mac_defs[mac]; | 1239 pwSpec->mac_def = &mac_defs[mac]; |
1246 PORT_Assert(pwSpec->mac_def->mac == mac); | 1240 PORT_Assert(pwSpec->mac_def->mac == mac); |
1247 | 1241 |
1248 ss->sec.keyBits = pwSpec->cipher_def->key_size * BPB; | 1242 ss->sec.keyBits = pwSpec->cipher_def->key_size * BPB; |
1249 ss->sec.secretKeyBits = pwSpec->cipher_def->secret_key_size * BPB; | 1243 ss->sec.secretKeyBits = pwSpec->cipher_def->secret_key_size * BPB; |
1250 ss->sec.cipherType = cipher; | 1244 ss->sec.cipherType = cipher; |
1251 | 1245 |
1252 pwSpec->encodeContext = NULL; | 1246 pwSpec->encodeContext = NULL; |
1253 pwSpec->decodeContext = NULL; | 1247 pwSpec->decodeContext = NULL; |
1254 | 1248 |
1255 pwSpec->mac_size = pwSpec->mac_def->mac_size; | 1249 pwSpec->mac_size = pwSpec->mac_def->mac_size; |
1256 | 1250 |
1257 pwSpec->compression_method = ss->ssl3.hs.compression; | 1251 pwSpec->compression_method = ss->ssl3.hs.compression; |
1258 pwSpec->compressContext = NULL; | 1252 pwSpec->compressContext = NULL; |
1259 pwSpec->decompressContext = NULL; | 1253 pwSpec->decompressContext = NULL; |
1254 | |
1255 /* Note: pwSpec == prSpec here so we're really doing the read side. | |
1256 * The epoch is set up in InitPendingCipherSpec */ | |
1257 dtls_InitRecvdRecords(&pwSpec->recvdRecords); | |
wtc
2012/03/22 21:59:54
ekr: can we also move this
dtls_InitRecvdRecor
ekr
2012/03/23 12:46:41
I have have the nagging feeling that I tried this
wtc
2012/03/23 13:48:49
Yes, please.
| |
1260 | 1258 |
1261 ssl_ReleaseSpecWriteLock(ss); /*******************************/ | 1259 ssl_ReleaseSpecWriteLock(ss); /*******************************/ |
1262 return SECSuccess; | 1260 return SECSuccess; |
1263 } | 1261 } |
1264 | 1262 |
1265 #ifdef NSS_ENABLE_ZLIB | 1263 #ifdef NSS_ENABLE_ZLIB |
1266 #define SSL3_DEFLATE_CONTEXT_SIZE sizeof(z_stream) | 1264 #define SSL3_DEFLATE_CONTEXT_SIZE sizeof(z_stream) |
1267 | 1265 |
1268 static SECStatus | 1266 static SECStatus |
1269 ssl3_MapZlibError(int zlib_error) | 1267 ssl3_MapZlibError(int zlib_error) |
(...skipping 477 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1747 * Sets error code, but caller probably should override to disambiguate. | 1745 * Sets error code, but caller probably should override to disambiguate. |
1748 * NULL pms means re-use old master_secret. | 1746 * NULL pms means re-use old master_secret. |
1749 * | 1747 * |
1750 * This code is common to the bypass and PKCS11 execution paths. | 1748 * This code is common to the bypass and PKCS11 execution paths. |
1751 * For the bypass case, pms is NULL. | 1749 * For the bypass case, pms is NULL. |
1752 */ | 1750 */ |
1753 SECStatus | 1751 SECStatus |
1754 ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms) | 1752 ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms) |
1755 { | 1753 { |
1756 ssl3CipherSpec * pwSpec; | 1754 ssl3CipherSpec * pwSpec; |
1755 ssl3CipherSpec * cwSpec; | |
1757 SECStatus rv; | 1756 SECStatus rv; |
1758 | 1757 |
1759 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 1758 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
1760 | 1759 |
1761 ssl_GetSpecWriteLock(ss); /**************************************/ | 1760 ssl_GetSpecWriteLock(ss); /**************************************/ |
1762 | 1761 |
1763 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); | 1762 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); |
1764 | 1763 |
1765 pwSpec = ss->ssl3.pwSpec; | 1764 pwSpec = ss->ssl3.pwSpec; |
1765 cwSpec = ss->ssl3.cwSpec; | |
1766 | 1766 |
1767 if (pms || (!pwSpec->msItem.len && !pwSpec->master_secret)) { | 1767 if (pms || (!pwSpec->msItem.len && !pwSpec->master_secret)) { |
1768 rv = ssl3_DeriveMasterSecret(ss, pms); | 1768 rv = ssl3_DeriveMasterSecret(ss, pms); |
1769 if (rv != SECSuccess) { | 1769 if (rv != SECSuccess) { |
1770 goto done; /* err code set by ssl3_DeriveMasterSecret */ | 1770 goto done; /* err code set by ssl3_DeriveMasterSecret */ |
1771 } | 1771 } |
1772 } | 1772 } |
1773 if (ss->opt.bypassPKCS11 && pwSpec->msItem.len && pwSpec->msItem.data) { | 1773 if (ss->opt.bypassPKCS11 && pwSpec->msItem.len && pwSpec->msItem.data) { |
1774 /* Double Bypass succeeded in extracting the master_secret */ | 1774 /* Double Bypass succeeded in extracting the master_secret */ |
1775 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; | 1775 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; |
(...skipping 11 matching lines...) Expand all Loading... | |
1787 } else if (pwSpec->master_secret) { | 1787 } else if (pwSpec->master_secret) { |
1788 rv = ssl3_DeriveConnectionKeysPKCS11(ss); | 1788 rv = ssl3_DeriveConnectionKeysPKCS11(ss); |
1789 if (rv == SECSuccess) { | 1789 if (rv == SECSuccess) { |
1790 rv = ssl3_InitPendingContextsPKCS11(ss); | 1790 rv = ssl3_InitPendingContextsPKCS11(ss); |
1791 } | 1791 } |
1792 } else { | 1792 } else { |
1793 PORT_Assert(pwSpec->master_secret); | 1793 PORT_Assert(pwSpec->master_secret); |
1794 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 1794 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
1795 rv = SECFailure; | 1795 rv = SECFailure; |
1796 } | 1796 } |
1797 if (rv != SECSuccess) { | |
1798 goto done; | |
1799 } | |
1800 | |
1801 /* Generic behaviors -- common to all crypto methods */ | |
1802 if (!IS_DTLS(ss)) { | |
1803 pwSpec->read_seq_num.high = pwSpec->write_seq_num.high = 0; | |
1804 } else { | |
1805 if (cwSpec->epoch == 65535) { | |
1806 /* The problem here is that we have rehandshaked too many | |
1807 * times (you are not allowed to wrap the epoch). The | |
1808 * spec says you should be discarding the connection | |
1809 * and start over, so not much we can do here. */ | |
1810 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | |
1811 rv = SECFailure; | |
1812 goto done; | |
1813 } | |
1814 /* The sequence number has the high 16 bits as the epoch. */ | |
1815 pwSpec->epoch = cwSpec->epoch + 1; | |
1816 pwSpec->read_seq_num.high = pwSpec->write_seq_num.high = | |
1817 pwSpec->epoch << 16; | |
1818 } | |
1819 pwSpec->read_seq_num.low = pwSpec->write_seq_num.low = 0; | |
1797 | 1820 |
1798 done: | 1821 done: |
1799 ssl_ReleaseSpecWriteLock(ss); /******************************/ | 1822 ssl_ReleaseSpecWriteLock(ss); /******************************/ |
1800 if (rv != SECSuccess) | 1823 if (rv != SECSuccess) |
1801 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); | 1824 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); |
1802 return rv; | 1825 return rv; |
1803 } | 1826 } |
1804 | 1827 |
1805 /* | 1828 /* |
1806 * 60 bytes is 3 times the maximum length MAC size that is supported. | 1829 * 60 bytes is 3 times the maximum length MAC size that is supported. |
(...skipping 20 matching lines...) Expand all Loading... | |
1827 }; | 1850 }; |
1828 | 1851 |
1829 /* Called from: ssl3_SendRecord() | 1852 /* Called from: ssl3_SendRecord() |
1830 ** ssl3_HandleRecord() | 1853 ** ssl3_HandleRecord() |
1831 ** Caller must already hold the SpecReadLock. (wish we could assert that!) | 1854 ** Caller must already hold the SpecReadLock. (wish we could assert that!) |
1832 */ | 1855 */ |
1833 static SECStatus | 1856 static SECStatus |
1834 ssl3_ComputeRecordMAC( | 1857 ssl3_ComputeRecordMAC( |
1835 ssl3CipherSpec * spec, | 1858 ssl3CipherSpec * spec, |
1836 PRBool useServerMacKey, | 1859 PRBool useServerMacKey, |
1860 PRBool isDTLS, | |
1837 SSL3ContentType type, | 1861 SSL3ContentType type, |
1838 SSL3ProtocolVersion version, | 1862 SSL3ProtocolVersion version, |
1839 SSL3SequenceNumber seq_num, | 1863 SSL3SequenceNumber seq_num, |
1840 const SSL3Opaque * input, | 1864 const SSL3Opaque * input, |
1841 int inputLength, | 1865 int inputLength, |
1842 unsigned char * outbuf, | 1866 unsigned char * outbuf, |
1843 unsigned int * outLength) | 1867 unsigned int * outLength) |
1844 { | 1868 { |
1845 const ssl3MACDef * mac_def; | 1869 const ssl3MACDef * mac_def; |
1846 SECStatus rv; | 1870 SECStatus rv; |
(...skipping 17 matching lines...) Expand all Loading... | |
1864 ** NOT based on the version value in the record itself. | 1888 ** NOT based on the version value in the record itself. |
1865 ** But, we use the record'v version value in the computation. | 1889 ** But, we use the record'v version value in the computation. |
1866 */ | 1890 */ |
1867 if (spec->version <= SSL_LIBRARY_VERSION_3_0) { | 1891 if (spec->version <= SSL_LIBRARY_VERSION_3_0) { |
1868 temp[9] = MSB(inputLength); | 1892 temp[9] = MSB(inputLength); |
1869 temp[10] = LSB(inputLength); | 1893 temp[10] = LSB(inputLength); |
1870 tempLen = 11; | 1894 tempLen = 11; |
1871 isTLS = PR_FALSE; | 1895 isTLS = PR_FALSE; |
1872 } else { | 1896 } else { |
1873 /* New TLS hash includes version. */ | 1897 /* New TLS hash includes version. */ |
1874 » temp[9] = MSB(version); | 1898 » if (isDTLS) { |
1875 » temp[10] = LSB(version); | 1899 » SSL3ProtocolVersion dtls_version; |
1900 | |
1901 » dtls_version = dtls_TLSVersionToDTLSVersion(version); | |
1902 » temp[9] = MSB(dtls_version); | |
1903 » temp[10] = LSB(dtls_version); | |
1904 } else { | |
1905 » temp[9] = MSB(version); | |
1906 » temp[10] = LSB(version); | |
1907 } | |
1876 temp[11] = MSB(inputLength); | 1908 temp[11] = MSB(inputLength); |
1877 temp[12] = LSB(inputLength); | 1909 temp[12] = LSB(inputLength); |
1878 tempLen = 13; | 1910 tempLen = 13; |
1879 isTLS = PR_TRUE; | 1911 isTLS = PR_TRUE; |
1880 } | 1912 } |
1881 | 1913 |
1882 PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen)); | 1914 PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen)); |
1883 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength)); | 1915 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength)); |
1884 | 1916 |
1885 mac_def = spec->mac_def; | 1917 mac_def = spec->mac_def; |
(...skipping 129 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2015 (PK11_NeedLogin(slot) && !PK11_IsLoggedIn(slot, NULL))) { | 2047 (PK11_NeedLogin(slot) && !PK11_IsLoggedIn(slot, NULL))) { |
2016 isPresent = PR_FALSE; | 2048 isPresent = PR_FALSE; |
2017 } | 2049 } |
2018 if (slot) { | 2050 if (slot) { |
2019 PK11_FreeSlot(slot); | 2051 PK11_FreeSlot(slot); |
2020 } | 2052 } |
2021 return isPresent; | 2053 return isPresent; |
2022 } | 2054 } |
2023 | 2055 |
2024 /* Caller must hold the spec read lock. */ | 2056 /* Caller must hold the spec read lock. */ |
2025 static SECStatus | 2057 SECStatus |
2026 ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec, | 2058 ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec, |
2027 PRBool isServer, | 2059 PRBool isServer, |
2060 PRBool isDTLS, | |
2028 SSL3ContentType type, | 2061 SSL3ContentType type, |
2029 const SSL3Opaque * pIn, | 2062 const SSL3Opaque * pIn, |
2030 PRUint32 contentLen, | 2063 PRUint32 contentLen, |
2031 sslBuffer * wrBuf) | 2064 sslBuffer * wrBuf) |
2032 { | 2065 { |
2033 const ssl3BulkCipherDef * cipher_def; | 2066 const ssl3BulkCipherDef * cipher_def; |
2034 SECStatus rv; | 2067 SECStatus rv; |
2035 PRUint32 macLen = 0; | 2068 PRUint32 macLen = 0; |
2036 PRUint32 fragLen; | 2069 PRUint32 fragLen; |
2037 PRUint32 p1Len, p2Len, oddLen = 0; | 2070 PRUint32 p1Len, p2Len, oddLen = 0; |
2071 PRUint16 headerLen; | |
2038 int ivLen = 0; | 2072 int ivLen = 0; |
2039 int cipherBytes = 0; | 2073 int cipherBytes = 0; |
2040 | 2074 |
2041 cipher_def = cwSpec->cipher_def; | 2075 cipher_def = cwSpec->cipher_def; |
2076 headerLen = isDTLS ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH; | |
2042 | 2077 |
2043 if (cipher_def->type == type_block && | 2078 if (cipher_def->type == type_block && |
2044 cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { | 2079 cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { |
2045 /* Prepend the per-record explicit IV using technique 2b from | 2080 /* Prepend the per-record explicit IV using technique 2b from |
2046 * RFC 4346 section 6.2.3.2: The IV is a cryptographically | 2081 * RFC 4346 section 6.2.3.2: The IV is a cryptographically |
2047 * strong random number XORed with the CBC residue from the previous | 2082 * strong random number XORed with the CBC residue from the previous |
2048 * record. | 2083 * record. |
2049 */ | 2084 */ |
2050 ivLen = cipher_def->iv_size; | 2085 ivLen = cipher_def->iv_size; |
2051 » if (ivLen > wrBuf->space - SSL3_RECORD_HEADER_LENGTH) { | 2086 » if (ivLen > wrBuf->space - headerLen) { |
2052 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 2087 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
2053 return SECFailure; | 2088 return SECFailure; |
2054 } | 2089 } |
2055 » rv = PK11_GenerateRandom(wrBuf->buf + SSL3_RECORD_HEADER_LENGTH, ivLen); | 2090 » rv = PK11_GenerateRandom(wrBuf->buf + headerLen, ivLen); |
2056 if (rv != SECSuccess) { | 2091 if (rv != SECSuccess) { |
2057 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE); | 2092 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE); |
2058 return rv; | 2093 return rv; |
2059 } | 2094 } |
2060 rv = cwSpec->encode( cwSpec->encodeContext, | 2095 rv = cwSpec->encode( cwSpec->encodeContext, |
2061 » wrBuf->buf + SSL3_RECORD_HEADER_LENGTH, | 2096 » wrBuf->buf + headerLen, |
2062 &cipherBytes, /* output and actual outLen */ | 2097 &cipherBytes, /* output and actual outLen */ |
2063 ivLen, /* max outlen */ | 2098 ivLen, /* max outlen */ |
2064 » wrBuf->buf + SSL3_RECORD_HEADER_LENGTH, | 2099 » wrBuf->buf + headerLen, |
2065 ivLen); /* input and inputLen*/ | 2100 ivLen); /* input and inputLen*/ |
2066 if (rv != SECSuccess || cipherBytes != ivLen) { | 2101 if (rv != SECSuccess || cipherBytes != ivLen) { |
2067 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); | 2102 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
2068 return SECFailure; | 2103 return SECFailure; |
2069 } | 2104 } |
2070 } | 2105 } |
2071 | 2106 |
2072 if (cwSpec->compressor) { | 2107 if (cwSpec->compressor) { |
2073 int outlen; | 2108 int outlen; |
2074 rv = cwSpec->compressor( | 2109 rv = cwSpec->compressor( |
2075 cwSpec->compressContext, | 2110 cwSpec->compressContext, |
2076 » wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen, &outlen, | 2111 » wrBuf->buf + headerLen + ivLen, &outlen, |
2077 » wrBuf->space - SSL3_RECORD_HEADER_LENGTH - ivLen, pIn, contentLen); | 2112 » wrBuf->space - headerLen - ivLen, pIn, contentLen); |
2078 if (rv != SECSuccess) | 2113 if (rv != SECSuccess) |
2079 return rv; | 2114 return rv; |
2080 » pIn = wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen; | 2115 » pIn = wrBuf->buf + headerLen + ivLen; |
2081 contentLen = outlen; | 2116 contentLen = outlen; |
2082 } | 2117 } |
2083 | 2118 |
2084 /* | 2119 /* |
2085 * Add the MAC | 2120 * Add the MAC |
2086 */ | 2121 */ |
2087 rv = ssl3_ComputeRecordMAC( cwSpec, isServer, | 2122 rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS, |
2088 type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen, | 2123 type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen, |
2089 » wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen + contentLen, &macLen); | 2124 » wrBuf->buf + headerLen + ivLen + contentLen, &macLen); |
2090 if (rv != SECSuccess) { | 2125 if (rv != SECSuccess) { |
2091 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); | 2126 ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); |
2092 return SECFailure; | 2127 return SECFailure; |
2093 } | 2128 } |
2094 p1Len = contentLen; | 2129 p1Len = contentLen; |
2095 p2Len = macLen; | 2130 p2Len = macLen; |
2096 fragLen = contentLen + macLen; /* needs to be encrypted */ | 2131 fragLen = contentLen + macLen; /* needs to be encrypted */ |
2097 PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); | 2132 PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); |
2098 | 2133 |
2099 /* | 2134 /* |
2100 * Pad the text (if we're doing a block cipher) | 2135 * Pad the text (if we're doing a block cipher) |
2101 * then Encrypt it | 2136 * then Encrypt it |
2102 */ | 2137 */ |
2103 if (cipher_def->type == type_block) { | 2138 if (cipher_def->type == type_block) { |
2104 unsigned char * pBuf; | 2139 unsigned char * pBuf; |
2105 int padding_length; | 2140 int padding_length; |
2106 int i; | 2141 int i; |
2107 | 2142 |
2108 oddLen = contentLen % cipher_def->block_size; | 2143 oddLen = contentLen % cipher_def->block_size; |
2109 /* Assume blockSize is a power of two */ | 2144 /* Assume blockSize is a power of two */ |
2110 padding_length = cipher_def->block_size - 1 - | 2145 padding_length = cipher_def->block_size - 1 - |
2111 ((fragLen) & (cipher_def->block_size - 1)); | 2146 ((fragLen) & (cipher_def->block_size - 1)); |
2112 fragLen += padding_length + 1; | 2147 fragLen += padding_length + 1; |
2113 PORT_Assert((fragLen % cipher_def->block_size) == 0); | 2148 PORT_Assert((fragLen % cipher_def->block_size) == 0); |
2114 | 2149 |
2115 /* Pad according to TLS rules (also acceptable to SSL3). */ | 2150 /* Pad according to TLS rules (also acceptable to SSL3). */ |
2116 » pBuf = &wrBuf->buf[SSL3_RECORD_HEADER_LENGTH + ivLen + fragLen - 1]; | 2151 » pBuf = &wrBuf->buf[headerLen + ivLen + fragLen - 1]; |
2117 for (i = padding_length + 1; i > 0; --i) { | 2152 for (i = padding_length + 1; i > 0; --i) { |
2118 *pBuf-- = padding_length; | 2153 *pBuf-- = padding_length; |
2119 } | 2154 } |
2120 /* now, if contentLen is not a multiple of block size, fix it */ | 2155 /* now, if contentLen is not a multiple of block size, fix it */ |
2121 p2Len = fragLen - p1Len; | 2156 p2Len = fragLen - p1Len; |
2122 } | 2157 } |
2123 if (p1Len < 256) { | 2158 if (p1Len < 256) { |
2124 oddLen = p1Len; | 2159 oddLen = p1Len; |
2125 p1Len = 0; | 2160 p1Len = 0; |
2126 } else { | 2161 } else { |
2127 p1Len -= oddLen; | 2162 p1Len -= oddLen; |
2128 } | 2163 } |
2129 if (oddLen) { | 2164 if (oddLen) { |
2130 p2Len += oddLen; | 2165 p2Len += oddLen; |
2131 PORT_Assert( (cipher_def->block_size < 2) || \ | 2166 PORT_Assert( (cipher_def->block_size < 2) || \ |
2132 (p2Len % cipher_def->block_size) == 0); | 2167 (p2Len % cipher_def->block_size) == 0); |
2133 » memmove(wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen + p1Len, | 2168 » memmove(wrBuf->buf + headerLen + ivLen + p1Len, pIn + p1Len, oddLen); |
2134 » pIn + p1Len, oddLen); | |
2135 } | 2169 } |
2136 if (p1Len > 0) { | 2170 if (p1Len > 0) { |
2137 int cipherBytesPart1 = -1; | 2171 int cipherBytesPart1 = -1; |
2138 rv = cwSpec->encode( cwSpec->encodeContext, | 2172 rv = cwSpec->encode( cwSpec->encodeContext, |
2139 » wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen, /* output */ | 2173 » wrBuf->buf + headerLen + ivLen, /* output */ |
2140 &cipherBytesPart1, /* actual outlen */ | 2174 &cipherBytesPart1, /* actual outlen */ |
2141 p1Len, /* max outlen */ | 2175 p1Len, /* max outlen */ |
2142 pIn, p1Len); /* input, and inputlen */ | 2176 pIn, p1Len); /* input, and inputlen */ |
2143 PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len); | 2177 PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len); |
2144 if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) { | 2178 if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) { |
2145 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); | 2179 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
2146 return SECFailure; | 2180 return SECFailure; |
2147 } | 2181 } |
2148 cipherBytes += cipherBytesPart1; | 2182 cipherBytes += cipherBytesPart1; |
2149 } | 2183 } |
2150 if (p2Len > 0) { | 2184 if (p2Len > 0) { |
2151 int cipherBytesPart2 = -1; | 2185 int cipherBytesPart2 = -1; |
2152 rv = cwSpec->encode( cwSpec->encodeContext, | 2186 rv = cwSpec->encode( cwSpec->encodeContext, |
2153 » wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen + p1Len, | 2187 » wrBuf->buf + headerLen + ivLen + p1Len, |
2154 &cipherBytesPart2, /* output and actual outLen */ | 2188 &cipherBytesPart2, /* output and actual outLen */ |
2155 p2Len, /* max outlen */ | 2189 p2Len, /* max outlen */ |
2156 » wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen + p1Len, | 2190 » wrBuf->buf + headerLen + ivLen + p1Len, |
2157 p2Len); /* input and inputLen*/ | 2191 p2Len); /* input and inputLen*/ |
2158 PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len); | 2192 PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len); |
2159 if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) { | 2193 if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) { |
2160 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); | 2194 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
2161 return SECFailure; | 2195 return SECFailure; |
2162 } | 2196 } |
2163 cipherBytes += cipherBytesPart2; | 2197 cipherBytes += cipherBytesPart2; |
2164 } | 2198 } |
2165 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024); | 2199 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024); |
2166 | 2200 |
2201 wrBuf->len = cipherBytes + headerLen; | |
2202 wrBuf->buf[0] = type; | |
2203 if (isDTLS) { | |
2204 SSL3ProtocolVersion version; | |
2205 | |
2206 version = dtls_TLSVersionToDTLSVersion(cwSpec->version); | |
2207 wrBuf->buf[1] = MSB(version); | |
2208 wrBuf->buf[2] = LSB(version); | |
2209 wrBuf->buf[3] = (unsigned char)(cwSpec->write_seq_num.high >> 24); | |
2210 wrBuf->buf[4] = (unsigned char)(cwSpec->write_seq_num.high >> 16); | |
2211 wrBuf->buf[5] = (unsigned char)(cwSpec->write_seq_num.high >> 8); | |
2212 wrBuf->buf[6] = (unsigned char)(cwSpec->write_seq_num.high >> 0); | |
2213 wrBuf->buf[7] = (unsigned char)(cwSpec->write_seq_num.low >> 24); | |
2214 wrBuf->buf[8] = (unsigned char)(cwSpec->write_seq_num.low >> 16); | |
2215 wrBuf->buf[9] = (unsigned char)(cwSpec->write_seq_num.low >> 8); | |
2216 wrBuf->buf[10] = (unsigned char)(cwSpec->write_seq_num.low >> 0); | |
2217 wrBuf->buf[11] = MSB(cipherBytes); | |
2218 wrBuf->buf[12] = LSB(cipherBytes); | |
2219 } else { | |
2220 wrBuf->buf[1] = MSB(cwSpec->version); | |
2221 wrBuf->buf[2] = LSB(cwSpec->version); | |
2222 wrBuf->buf[3] = MSB(cipherBytes); | |
2223 wrBuf->buf[4] = LSB(cipherBytes); | |
2224 } | |
2225 | |
2167 ssl3_BumpSequenceNumber(&cwSpec->write_seq_num); | 2226 ssl3_BumpSequenceNumber(&cwSpec->write_seq_num); |
2168 | 2227 |
2169 wrBuf->len = cipherBytes + SSL3_RECORD_HEADER_LENGTH; | |
2170 wrBuf->buf[0] = type; | |
2171 wrBuf->buf[1] = MSB(cwSpec->version); | |
2172 wrBuf->buf[2] = LSB(cwSpec->version); | |
2173 wrBuf->buf[3] = MSB(cipherBytes); | |
2174 wrBuf->buf[4] = LSB(cipherBytes); | |
2175 | |
2176 return SECSuccess; | 2228 return SECSuccess; |
2177 } | 2229 } |
2178 | 2230 |
2179 /* Process the plain text before sending it. | 2231 /* Process the plain text before sending it. |
2180 * Returns the number of bytes of plaintext that were successfully sent | 2232 * Returns the number of bytes of plaintext that were successfully sent |
2181 * plus the number of bytes of plaintext that were copied into the | 2233 * plus the number of bytes of plaintext that were copied into the |
2182 * output (write) buffer. | 2234 * output (write) buffer. |
2183 * Returns SECFailure on a hard IO error, memory error, or crypto error. | 2235 * Returns SECFailure on a hard IO error, memory error, or crypto error. |
2184 * Does NOT return SECWouldBlock. | 2236 * Does NOT return SECWouldBlock. |
2185 * | 2237 * |
2186 * Notes on the use of the private ssl flags: | 2238 * Notes on the use of the private ssl flags: |
2187 * (no private SSL flags) | 2239 * (no private SSL flags) |
2188 * Attempt to make and send SSL records for all plaintext | 2240 * Attempt to make and send SSL records for all plaintext |
2189 * If non-blocking and a send gets WOULD_BLOCK, | 2241 * If non-blocking and a send gets WOULD_BLOCK, |
2190 * or if the pending (ciphertext) buffer is not empty, | 2242 * or if the pending (ciphertext) buffer is not empty, |
2191 * then buffer remaining bytes of ciphertext into pending buf, | 2243 * then buffer remaining bytes of ciphertext into pending buf, |
2192 * and continue to do that for all succssive records until all | 2244 * and continue to do that for all succssive records until all |
2193 * bytes are used. | 2245 * bytes are used. |
2194 * ssl_SEND_FLAG_FORCE_INTO_BUFFER | 2246 * ssl_SEND_FLAG_FORCE_INTO_BUFFER |
2195 * As above, except this suppresses all write attempts, and forces | 2247 * As above, except this suppresses all write attempts, and forces |
2196 * all ciphertext into the pending ciphertext buffer. | 2248 * all ciphertext into the pending ciphertext buffer. |
2249 * ssl_SEND_FLAG_USE_EPOCH (for DTLS) | |
2250 * Forces the use of the provided epoch | |
2197 * | 2251 * |
2198 */ | 2252 */ |
2199 static PRInt32 | 2253 PRInt32 |
2200 ssl3_SendRecord( sslSocket * ss, | 2254 ssl3_SendRecord( sslSocket * ss, |
2255 DTLSEpoch epoch, /* DTLS only */ | |
2201 SSL3ContentType type, | 2256 SSL3ContentType type, |
2202 const SSL3Opaque * pIn, /* input buffer */ | 2257 const SSL3Opaque * pIn, /* input buffer */ |
2203 PRInt32 nIn, /* bytes of input */ | 2258 PRInt32 nIn, /* bytes of input */ |
2204 PRInt32 flags) | 2259 PRInt32 flags) |
2205 { | 2260 { |
2206 sslBuffer * wrBuf = &ss->sec.writeBuf; | 2261 sslBuffer * wrBuf = &ss->sec.writeBuf; |
2207 SECStatus rv; | 2262 SECStatus rv; |
2208 PRInt32 totalSent = 0; | 2263 PRInt32 totalSent = 0; |
2209 | 2264 |
2210 SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d", | 2265 SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d", |
(...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2262 SSL_DBG(("%d: SSL3[%d]: SendRecord, tried to get %d bytes", | 2317 SSL_DBG(("%d: SSL3[%d]: SendRecord, tried to get %d bytes", |
2263 SSL_GETPID(), ss->fd, spaceNeeded)); | 2318 SSL_GETPID(), ss->fd, spaceNeeded)); |
2264 goto spec_locked_loser; /* sslBuffer_Grow set error code. */ | 2319 goto spec_locked_loser; /* sslBuffer_Grow set error code. */ |
2265 } | 2320 } |
2266 } | 2321 } |
2267 | 2322 |
2268 if (numRecords == 2) { | 2323 if (numRecords == 2) { |
2269 sslBuffer secondRecord; | 2324 sslBuffer secondRecord; |
2270 | 2325 |
2271 rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec, | 2326 rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec, |
2272 » ss->sec.isServer, type, pIn, 1, | 2327 » ss->sec.isServer, IS_DTLS(ss), |
2273 » wrBuf); | 2328 » » » » » type, pIn, 1, wrBuf); |
2274 if (rv != SECSuccess) | 2329 if (rv != SECSuccess) |
2275 goto spec_locked_loser; | 2330 goto spec_locked_loser; |
2276 | 2331 |
2277 PRINT_BUF(50, (ss, "send (encrypted) record data [1/2]:", | 2332 PRINT_BUF(50, (ss, "send (encrypted) record data [1/2]:", |
2278 wrBuf->buf, wrBuf->len)); | 2333 wrBuf->buf, wrBuf->len)); |
2279 | 2334 |
2280 secondRecord.buf = wrBuf->buf + wrBuf->len; | 2335 secondRecord.buf = wrBuf->buf + wrBuf->len; |
2281 secondRecord.len = 0; | 2336 secondRecord.len = 0; |
2282 secondRecord.space = wrBuf->space - wrBuf->len; | 2337 secondRecord.space = wrBuf->space - wrBuf->len; |
2283 | 2338 |
2284 rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec, | 2339 rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec, |
2285 » ss->sec.isServer, type, pIn + 1, | 2340 » ss->sec.isServer, IS_DTLS(ss), |
2286 » contentLen - 1, &secondRecord); | 2341 » » » » » type, pIn + 1, contentLen - 1, |
2342 » &secondRecord); | |
2287 if (rv == SECSuccess) { | 2343 if (rv == SECSuccess) { |
2288 PRINT_BUF(50, (ss, "send (encrypted) record data [2/2]:", | 2344 PRINT_BUF(50, (ss, "send (encrypted) record data [2/2]:", |
2289 secondRecord.buf, secondRecord.len)); | 2345 secondRecord.buf, secondRecord.len)); |
2290 wrBuf->len += secondRecord.len; | 2346 wrBuf->len += secondRecord.len; |
2291 } | 2347 } |
2292 } else { | 2348 } else { |
2293 » rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec, | 2349 » if (!IS_DTLS(ss)) { |
2294 » ss->sec.isServer, type, pIn, | 2350 » » rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec, |
2295 » contentLen, wrBuf); | 2351 » » » » » » ss->sec.isServer, |
2352 » » » » » » IS_DTLS(ss), | |
2353 » » » » » » type, pIn, | |
2354 » » » » » » contentLen, wrBuf); | |
2355 » } else { | |
2356 » » rv = dtls_CompressMACEncryptRecord(ss, epoch, | |
2357 » » » » » » !!(flags & ssl_SEND_FLAG_USE_ EPOCH), | |
2358 » » » » » » type, pIn, | |
2359 » » » » » » contentLen, wrBuf); | |
2360 » } | |
2361 | |
2296 if (rv == SECSuccess) { | 2362 if (rv == SECSuccess) { |
2297 PRINT_BUF(50, (ss, "send (encrypted) record data:", | 2363 PRINT_BUF(50, (ss, "send (encrypted) record data:", |
2298 wrBuf->buf, wrBuf->len)); | 2364 wrBuf->buf, wrBuf->len)); |
2299 } | 2365 } |
2300 } | 2366 } |
2301 | 2367 |
2302 spec_locked_loser: | 2368 spec_locked_loser: |
2303 ssl_ReleaseSpecReadLock(ss); /************************************/ | 2369 ssl_ReleaseSpecReadLock(ss); /************************************/ |
2304 | 2370 |
2305 if (rv != SECSuccess) | 2371 if (rv != SECSuccess) |
(...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2343 if (sent < 0) { | 2409 if (sent < 0) { |
2344 if (PR_GetError() != PR_WOULD_BLOCK_ERROR) { | 2410 if (PR_GetError() != PR_WOULD_BLOCK_ERROR) { |
2345 ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE); | 2411 ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE); |
2346 return SECFailure; | 2412 return SECFailure; |
2347 } | 2413 } |
2348 /* we got PR_WOULD_BLOCK_ERROR, which means none was sent. */ | 2414 /* we got PR_WOULD_BLOCK_ERROR, which means none was sent. */ |
2349 sent = 0; | 2415 sent = 0; |
2350 } | 2416 } |
2351 wrBuf->len -= sent; | 2417 wrBuf->len -= sent; |
2352 if (wrBuf->len) { | 2418 if (wrBuf->len) { |
2419 if (IS_DTLS(ss)) { | |
2420 /* DTLS just says no in this case. No buffering */ | |
2421 PR_SetError(PR_WOULD_BLOCK_ERROR, 0); | |
2422 return SECFailure; | |
2423 } | |
2353 /* now take all the remaining unsent new ciphertext and | 2424 /* now take all the remaining unsent new ciphertext and |
2354 * append it to the buffer of previously unsent ciphertext. | 2425 * append it to the buffer of previously unsent ciphertext. |
2355 */ | 2426 */ |
2356 rv = ssl_SaveWriteData(ss, wrBuf->buf + sent, wrBuf->len); | 2427 rv = ssl_SaveWriteData(ss, wrBuf->buf + sent, wrBuf->len); |
2357 if (rv != SECSuccess) { | 2428 if (rv != SECSuccess) { |
2358 /* presumably a memory error, SEC_ERROR_NO_MEMORY */ | 2429 /* presumably a memory error, SEC_ERROR_NO_MEMORY */ |
2359 return SECFailure; | 2430 return SECFailure; |
2360 } | 2431 } |
2361 } | 2432 } |
2362 } | 2433 } |
2363 totalSent += contentLen; | 2434 totalSent += contentLen; |
2364 } | 2435 } |
2365 return totalSent; | 2436 return totalSent; |
2366 } | 2437 } |
2367 | 2438 |
2368 #define SSL3_PENDING_HIGH_WATER 1024 | 2439 #define SSL3_PENDING_HIGH_WATER 1024 |
2369 | 2440 |
2370 /* Attempt to send the content of "in" in an SSL application_data record. | 2441 /* Attempt to send the content of "in" in an SSL application_data record. |
2371 * Returns "len" or SECFailure, never SECWouldBlock, nor SECSuccess. | 2442 * Returns "len" or SECFailure, never SECWouldBlock, nor SECSuccess. |
2372 */ | 2443 */ |
2373 int | 2444 int |
2374 ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in, | 2445 ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in, |
2375 PRInt32 len, PRInt32 flags) | 2446 PRInt32 len, PRInt32 flags) |
2376 { | 2447 { |
2377 PRInt32 totalSent = 0; | 2448 PRInt32 totalSent = 0; |
2378 PRInt32 discarded = 0; | 2449 PRInt32 discarded = 0; |
2379 | 2450 |
2380 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); | 2451 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); |
2452 /* These flags for internal use only */ | |
2453 PORT_Assert(!(flags & (ssl_SEND_FLAG_USE_EPOCH | | |
2454 ssl_SEND_FLAG_NO_RETRANSMIT))); | |
2381 if (len < 0 || !in) { | 2455 if (len < 0 || !in) { |
2382 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); | 2456 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); |
2383 return SECFailure; | 2457 return SECFailure; |
2384 } | 2458 } |
2385 | 2459 |
2386 if (ss->pendingBuf.len > SSL3_PENDING_HIGH_WATER && | 2460 if (ss->pendingBuf.len > SSL3_PENDING_HIGH_WATER && |
2387 !ssl_SocketIsBlocking(ss)) { | 2461 !ssl_SocketIsBlocking(ss)) { |
2388 PORT_Assert(!ssl_SocketIsBlocking(ss)); | 2462 PORT_Assert(!ssl_SocketIsBlocking(ss)); |
2389 PORT_SetError(PR_WOULD_BLOCK_ERROR); | 2463 PORT_SetError(PR_WOULD_BLOCK_ERROR); |
2390 return SECFailure; | 2464 return SECFailure; |
(...skipping 17 matching lines...) Expand all Loading... | |
2408 * The thread yield is intended to give the reader thread a | 2482 * The thread yield is intended to give the reader thread a |
2409 * chance to get some cycles while the writer thread is in | 2483 * chance to get some cycles while the writer thread is in |
2410 * the middle of a large application data write. (See | 2484 * the middle of a large application data write. (See |
2411 * Bugzilla bug 127740, comment #1.) | 2485 * Bugzilla bug 127740, comment #1.) |
2412 */ | 2486 */ |
2413 ssl_ReleaseXmitBufLock(ss); | 2487 ssl_ReleaseXmitBufLock(ss); |
2414 PR_Sleep(PR_INTERVAL_NO_WAIT); /* PR_Yield(); */ | 2488 PR_Sleep(PR_INTERVAL_NO_WAIT); /* PR_Yield(); */ |
2415 ssl_GetXmitBufLock(ss); | 2489 ssl_GetXmitBufLock(ss); |
2416 } | 2490 } |
2417 toSend = PR_MIN(len - totalSent, MAX_FRAGMENT_LENGTH); | 2491 toSend = PR_MIN(len - totalSent, MAX_FRAGMENT_LENGTH); |
2418 » sent = ssl3_SendRecord(ss, content_application_data, | 2492 » /* |
2493 » * Note that the 0 epoch is OK because flags will never require | |
2494 » * its use, as guaranteed by the PORT_Assert above. | |
2495 » */ | |
2496 » sent = ssl3_SendRecord(ss, 0, content_application_data, | |
2419 in + totalSent, toSend, flags); | 2497 in + totalSent, toSend, flags); |
2420 if (sent < 0) { | 2498 if (sent < 0) { |
2421 if (totalSent > 0 && PR_GetError() == PR_WOULD_BLOCK_ERROR) { | 2499 if (totalSent > 0 && PR_GetError() == PR_WOULD_BLOCK_ERROR) { |
2422 PORT_Assert(ss->lastWriteBlocked); | 2500 PORT_Assert(ss->lastWriteBlocked); |
2423 break; | 2501 break; |
2424 } | 2502 } |
2425 return SECFailure; /* error code set by ssl3_SendRecord */ | 2503 return SECFailure; /* error code set by ssl3_SendRecord */ |
2426 } | 2504 } |
2427 totalSent += sent; | 2505 totalSent += sent; |
2428 if (ss->pendingBuf.len) { | 2506 if (ss->pendingBuf.len) { |
(...skipping 14 matching lines...) Expand all Loading... | |
2443 if (totalSent <= 0) { | 2521 if (totalSent <= 0) { |
2444 PORT_SetError(PR_WOULD_BLOCK_ERROR); | 2522 PORT_SetError(PR_WOULD_BLOCK_ERROR); |
2445 totalSent = SECFailure; | 2523 totalSent = SECFailure; |
2446 } | 2524 } |
2447 return totalSent; | 2525 return totalSent; |
2448 } | 2526 } |
2449 ss->appDataBuffered = 0; | 2527 ss->appDataBuffered = 0; |
2450 return totalSent + discarded; | 2528 return totalSent + discarded; |
2451 } | 2529 } |
2452 | 2530 |
2453 /* Attempt to send the content of sendBuf buffer in an SSL handshake record. | 2531 /* Attempt to send buffered handshake messages. |
2454 * This function returns SECSuccess or SECFailure, never SECWouldBlock. | 2532 * This function returns SECSuccess or SECFailure, never SECWouldBlock. |
2455 * Always set sendBuf.len to 0, even when returning SECFailure. | 2533 * Always set sendBuf.len to 0, even when returning SECFailure. |
2456 * | 2534 * |
2535 * Depending on whether we are doing DTLS or not, this either calls | |
2536 * | |
2537 * - ssl3_FlushHandshakeMessages if non-DTLS | |
2538 * - dtls_FlushHandshakeMessages if DTLS | |
2539 * | |
2457 * Called from SSL3_SendAlert(), ssl3_SendChangeCipherSpecs(), | 2540 * Called from SSL3_SendAlert(), ssl3_SendChangeCipherSpecs(), |
2458 * ssl3_AppendHandshake(), ssl3_SendClientHello(), | 2541 * ssl3_AppendHandshake(), ssl3_SendClientHello(), |
2459 * ssl3_SendHelloRequest(), ssl3_SendServerHelloDone(), | 2542 * ssl3_SendHelloRequest(), ssl3_SendServerHelloDone(), |
2460 * ssl3_SendFinished(), | 2543 * ssl3_SendFinished(), |
2461 */ | 2544 */ |
2462 static SECStatus | 2545 static SECStatus |
2463 ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags) | 2546 ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags) |
2464 { | 2547 { |
2548 if (IS_DTLS(ss)) { | |
2549 return dtls_FlushHandshakeMessages(ss, flags); | |
2550 } else { | |
2551 return ssl3_FlushHandshakeMessages(ss, flags); | |
2552 } | |
2553 } | |
2554 | |
2555 /* Attempt to send the content of sendBuf buffer in an SSL handshake record. | |
2556 * This function returns SECSuccess or SECFailure, never SECWouldBlock. | |
2557 * Always set sendBuf.len to 0, even when returning SECFailure. | |
2558 * | |
2559 * Called from ssl3_FlushHandshake | |
2560 */ | |
2561 static SECStatus | |
2562 ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags) | |
2563 { | |
2465 PRInt32 rv = SECSuccess; | 2564 PRInt32 rv = SECSuccess; |
2466 | 2565 |
2467 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 2566 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
2468 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); | 2567 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); |
2469 | 2568 |
2470 if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len) | 2569 if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len) |
2471 return rv; | 2570 return rv; |
2472 | 2571 |
2473 /* only this flag is allowed */ | 2572 /* only this flag is allowed */ |
2474 PORT_Assert(!(flags & ~ssl_SEND_FLAG_FORCE_INTO_BUFFER)); | 2573 PORT_Assert(!(flags & ~ssl_SEND_FLAG_FORCE_INTO_BUFFER)); |
2475 if ((flags & ~ssl_SEND_FLAG_FORCE_INTO_BUFFER) != 0) { | 2574 if ((flags & ~ssl_SEND_FLAG_FORCE_INTO_BUFFER) != 0) { |
2476 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 2575 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
2477 rv = SECFailure; | 2576 rv = SECFailure; |
2478 } else { | 2577 } else { |
2479 » rv = ssl3_SendRecord(ss, content_handshake, ss->sec.ci.sendBuf.buf, | 2578 » rv = ssl3_SendRecord(ss, 0, content_handshake, ss->sec.ci.sendBuf.buf, |
2480 ss->sec.ci.sendBuf.len, flags); | 2579 ss->sec.ci.sendBuf.len, flags); |
2481 } | 2580 } |
2482 if (rv < 0) { | 2581 if (rv < 0) { |
2483 int err = PORT_GetError(); | 2582 int err = PORT_GetError(); |
2484 PORT_Assert(err != PR_WOULD_BLOCK_ERROR); | 2583 PORT_Assert(err != PR_WOULD_BLOCK_ERROR); |
2485 if (err == PR_WOULD_BLOCK_ERROR) { | 2584 if (err == PR_WOULD_BLOCK_ERROR) { |
2486 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 2585 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
2487 } | 2586 } |
2488 } else if (rv < ss->sec.ci.sendBuf.len) { | 2587 } else if (rv < ss->sec.ci.sendBuf.len) { |
2489 /* short write should never happen */ | 2588 /* short write should never happen */ |
(...skipping 96 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2586 ssl_GetSSL3HandshakeLock(ss); | 2685 ssl_GetSSL3HandshakeLock(ss); |
2587 if (level == alert_fatal) { | 2686 if (level == alert_fatal) { |
2588 if (ss->sec.ci.sid) { | 2687 if (ss->sec.ci.sid) { |
2589 ss->sec.uncache(ss->sec.ci.sid); | 2688 ss->sec.uncache(ss->sec.ci.sid); |
2590 } | 2689 } |
2591 } | 2690 } |
2592 ssl_GetXmitBufLock(ss); | 2691 ssl_GetXmitBufLock(ss); |
2593 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER); | 2692 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER); |
2594 if (rv == SECSuccess) { | 2693 if (rv == SECSuccess) { |
2595 PRInt32 sent; | 2694 PRInt32 sent; |
2596 » sent = ssl3_SendRecord(ss, content_alert, bytes, 2, | 2695 » sent = ssl3_SendRecord(ss, 0, content_alert, bytes, 2, |
2597 desc == no_certificate | 2696 desc == no_certificate |
2598 ? ssl_SEND_FLAG_FORCE_INTO_BUFFER : 0); | 2697 ? ssl_SEND_FLAG_FORCE_INTO_BUFFER : 0); |
2599 rv = (sent >= 0) ? SECSuccess : (SECStatus)sent; | 2698 rv = (sent >= 0) ? SECSuccess : (SECStatus)sent; |
2600 } | 2699 } |
2601 ssl_ReleaseXmitBufLock(ss); | 2700 ssl_ReleaseXmitBufLock(ss); |
2602 ssl_ReleaseSSL3HandshakeLock(ss); | 2701 ssl_ReleaseSSL3HandshakeLock(ss); |
2603 return rv; /* error set by ssl3_FlushHandshake or ssl3_SendRecord */ | 2702 return rv; /* error set by ssl3_FlushHandshake or ssl3_SendRecord */ |
2604 } | 2703 } |
2605 | 2704 |
2606 /* | 2705 /* |
(...skipping 53 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2660 SSL_DBG(("%d: SSL3[%d]: peer certificate is no good: error=%d", | 2759 SSL_DBG(("%d: SSL3[%d]: peer certificate is no good: error=%d", |
2661 SSL_GETPID(), ss->fd, errCode)); | 2760 SSL_GETPID(), ss->fd, errCode)); |
2662 | 2761 |
2663 (void) SSL3_SendAlert(ss, alert_fatal, desc); | 2762 (void) SSL3_SendAlert(ss, alert_fatal, desc); |
2664 } | 2763 } |
2665 | 2764 |
2666 | 2765 |
2667 /* | 2766 /* |
2668 * Send handshake_Failure alert. Set generic error number. | 2767 * Send handshake_Failure alert. Set generic error number. |
2669 */ | 2768 */ |
2670 static SECStatus | 2769 SECStatus |
2671 ssl3_DecodeError(sslSocket *ss) | 2770 ssl3_DecodeError(sslSocket *ss) |
2672 { | 2771 { |
2673 (void)SSL3_SendAlert(ss, alert_fatal, | 2772 (void)SSL3_SendAlert(ss, alert_fatal, |
2674 ss->version > SSL_LIBRARY_VERSION_3_0 ? decode_error | 2773 ss->version > SSL_LIBRARY_VERSION_3_0 ? decode_error |
2675 : illegal_parameter); | 2774 : illegal_parameter); |
2676 PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT | 2775 PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT |
2677 : SSL_ERROR_BAD_SERVER ); | 2776 : SSL_ERROR_BAD_SERVER ); |
2678 return SECFailure; | 2777 return SECFailure; |
2679 } | 2778 } |
2680 | 2779 |
(...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2748 error = SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT; break; | 2847 error = SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT; break; |
2749 case unrecognized_name: | 2848 case unrecognized_name: |
2750 error = SSL_ERROR_UNRECOGNIZED_NAME_ALERT; break; | 2849 error = SSL_ERROR_UNRECOGNIZED_NAME_ALERT; break; |
2751 case bad_certificate_status_response: | 2850 case bad_certificate_status_response: |
2752 error = SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT; break; | 2851 error = SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT; break; |
2753 case bad_certificate_hash_value: | 2852 case bad_certificate_hash_value: |
2754 error = SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT; break; | 2853 error = SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT; break; |
2755 default: error = SSL_ERROR_RX_UNKNOWN_ALERT; break; | 2854 default: error = SSL_ERROR_RX_UNKNOWN_ALERT; break; |
2756 } | 2855 } |
2757 if (level == alert_fatal) { | 2856 if (level == alert_fatal) { |
2758 » ss->sec.uncache(ss->sec.ci.sid); | 2857 » if (!ss->opt.noCache) |
2858 » ss->sec.uncache(ss->sec.ci.sid); | |
2759 if ((ss->ssl3.hs.ws == wait_server_hello) && | 2859 if ((ss->ssl3.hs.ws == wait_server_hello) && |
2760 (desc == handshake_failure)) { | 2860 (desc == handshake_failure)) { |
2761 /* XXX This is a hack. We're assuming that any handshake failure | 2861 /* XXX This is a hack. We're assuming that any handshake failure |
2762 * XXX on the client hello is a failure to match ciphers. | 2862 * XXX on the client hello is a failure to match ciphers. |
2763 */ | 2863 */ |
2764 error = SSL_ERROR_NO_CYPHER_OVERLAP; | 2864 error = SSL_ERROR_NO_CYPHER_OVERLAP; |
2765 } | 2865 } |
2766 PORT_SetError(error); | 2866 PORT_SetError(error); |
2767 return SECFailure; | 2867 return SECFailure; |
2768 } | 2868 } |
(...skipping 30 matching lines...) Expand all Loading... | |
2799 SSL_TRC(3, ("%d: SSL3[%d]: send change_cipher_spec record", | 2899 SSL_TRC(3, ("%d: SSL3[%d]: send change_cipher_spec record", |
2800 SSL_GETPID(), ss->fd)); | 2900 SSL_GETPID(), ss->fd)); |
2801 | 2901 |
2802 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); | 2902 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); |
2803 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 2903 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
2804 | 2904 |
2805 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER); | 2905 rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER); |
2806 if (rv != SECSuccess) { | 2906 if (rv != SECSuccess) { |
2807 return rv; /* error code set by ssl3_FlushHandshake */ | 2907 return rv; /* error code set by ssl3_FlushHandshake */ |
2808 } | 2908 } |
2809 sent = ssl3_SendRecord(ss, content_change_cipher_spec, &change, 1, | 2909 if (!IS_DTLS(ss)) { |
2810 ssl_SEND_FLAG_FORCE_INTO_BUFFER); | 2910 » sent = ssl3_SendRecord(ss, 0, content_change_cipher_spec, &change, 1, |
2811 if (sent < 0) { | 2911 » » » ssl_SEND_FLAG_FORCE_INTO_BUFFER); |
2812 » return (SECStatus)sent;»/* error code set by ssl3_SendRecord */ | 2912 » if (sent < 0) { |
2913 » return (SECStatus)sent;» /* error code set by ssl3_SendRecord */ | |
2914 » } | |
2915 } else { | |
2916 » rv = dtls_QueueMessage(ss, content_change_cipher_spec, &change, 1); | |
2917 » if (rv != SECSuccess) { | |
2918 » return rv; | |
2919 » } | |
2813 } | 2920 } |
2814 | 2921 |
2815 /* swap the pending and current write specs. */ | 2922 /* swap the pending and current write specs. */ |
2816 ssl_GetSpecWriteLock(ss); /**************************************/ | 2923 ssl_GetSpecWriteLock(ss); /**************************************/ |
2817 pwSpec = ss->ssl3.pwSpec; | 2924 pwSpec = ss->ssl3.pwSpec; |
2818 pwSpec->write_seq_num.high = 0; | |
2819 pwSpec->write_seq_num.low = 0; | |
2820 | 2925 |
2821 ss->ssl3.pwSpec = ss->ssl3.cwSpec; | 2926 ss->ssl3.pwSpec = ss->ssl3.cwSpec; |
2822 ss->ssl3.cwSpec = pwSpec; | 2927 ss->ssl3.cwSpec = pwSpec; |
2823 | 2928 |
2824 SSL_TRC(3, ("%d: SSL3[%d] Set Current Write Cipher Suite to Pending", | 2929 SSL_TRC(3, ("%d: SSL3[%d] Set Current Write Cipher Suite to Pending", |
2825 SSL_GETPID(), ss->fd )); | 2930 SSL_GETPID(), ss->fd )); |
2826 | 2931 |
2827 /* We need to free up the contexts, keys and certs ! */ | 2932 /* We need to free up the contexts, keys and certs ! */ |
2828 /* If we are really through with the old cipher spec | 2933 /* If we are really through with the old cipher spec |
2829 * (Both the read and write sides have changed) destroy it. | 2934 * (Both the read and write sides have changed) destroy it. |
2830 */ | 2935 */ |
2831 if (ss->ssl3.prSpec == ss->ssl3.pwSpec) { | 2936 if (ss->ssl3.prSpec == ss->ssl3.pwSpec) { |
2832 » ssl3_DestroyCipherSpec(ss->ssl3.pwSpec, PR_FALSE/*freeSrvName*/); | 2937 » if (!IS_DTLS(ss)) { |
2938 » ssl3_DestroyCipherSpec(ss->ssl3.pwSpec, PR_FALSE/*freeSrvName*/); | |
2939 » } else { | |
2940 » /* With DTLS, we need to set a holddown timer in case the final | |
2941 » * message got lost */ | |
2942 » ss->ssl3.hs.rtTimeoutMs = DTLS_FINISHED_TIMER_MS; | |
2943 » dtls_StartTimer(ss, dtls_FinishedTimerCb); | |
2944 » } | |
2833 } | 2945 } |
2834 ssl_ReleaseSpecWriteLock(ss); /**************************************/ | 2946 ssl_ReleaseSpecWriteLock(ss); /**************************************/ |
2835 | 2947 |
2836 return SECSuccess; | 2948 return SECSuccess; |
2837 } | 2949 } |
2838 | 2950 |
2839 /* Called from ssl3_HandleRecord. | 2951 /* Called from ssl3_HandleRecord. |
2840 ** Caller must hold both RecvBuf and Handshake locks. | 2952 ** Caller must hold both RecvBuf and Handshake locks. |
2841 * | 2953 * |
2842 * Acquires and releases spec write lock, to protect switching the current | 2954 * Acquires and releases spec write lock, to protect switching the current |
(...skipping 28 matching lines...) Expand all Loading... | |
2871 /* illegal_parameter is correct here for both SSL3 and TLS. */ | 2983 /* illegal_parameter is correct here for both SSL3 and TLS. */ |
2872 (void)ssl3_IllegalParameter(ss); | 2984 (void)ssl3_IllegalParameter(ss); |
2873 PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); | 2985 PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); |
2874 return SECFailure; | 2986 return SECFailure; |
2875 } | 2987 } |
2876 buf->len = 0; | 2988 buf->len = 0; |
2877 | 2989 |
2878 /* Swap the pending and current read specs. */ | 2990 /* Swap the pending and current read specs. */ |
2879 ssl_GetSpecWriteLock(ss); /*************************************/ | 2991 ssl_GetSpecWriteLock(ss); /*************************************/ |
2880 prSpec = ss->ssl3.prSpec; | 2992 prSpec = ss->ssl3.prSpec; |
2881 prSpec->read_seq_num.high = prSpec->read_seq_num.low = 0; | |
2882 | 2993 |
2883 ss->ssl3.prSpec = ss->ssl3.crSpec; | 2994 ss->ssl3.prSpec = ss->ssl3.crSpec; |
2884 ss->ssl3.crSpec = prSpec; | 2995 ss->ssl3.crSpec = prSpec; |
2885 | 2996 |
2886 if (ss->sec.isServer && | 2997 if (ss->sec.isServer && |
2887 ss->opt.requestCertificate && | 2998 ss->opt.requestCertificate && |
2888 ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { | 2999 ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { |
2889 ss->ssl3.hs.ws = wait_client_cert; | 3000 ss->ssl3.hs.ws = wait_client_cert; |
2890 } else { | 3001 } else { |
2891 ss->ssl3.hs.ws = wait_finished; | 3002 ss->ssl3.hs.ws = wait_finished; |
(...skipping 82 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2974 keyData->data, keyData->len); | 3085 keyData->data, keyData->len); |
2975 } | 3086 } |
2976 } | 3087 } |
2977 } | 3088 } |
2978 #endif | 3089 #endif |
2979 pwSpec->master_secret = PK11_DeriveWithFlags(pms, master_derive, | 3090 pwSpec->master_secret = PK11_DeriveWithFlags(pms, master_derive, |
2980 ¶ms, key_derive, CKA_DERIVE, 0, keyFlags); | 3091 ¶ms, key_derive, CKA_DERIVE, 0, keyFlags); |
2981 if (!isDH && pwSpec->master_secret && ss->opt.detectRollBack) { | 3092 if (!isDH && pwSpec->master_secret && ss->opt.detectRollBack) { |
2982 SSL3ProtocolVersion client_version; | 3093 SSL3ProtocolVersion client_version; |
2983 client_version = pms_version.major << 8 | pms_version.minor; | 3094 client_version = pms_version.major << 8 | pms_version.minor; |
3095 | |
3096 if (IS_DTLS(ss)) { | |
3097 client_version = dtls_DTLSVersionToTLSVersion(client_version); | |
3098 } | |
3099 | |
2984 if (client_version != ss->clientHelloVersion) { | 3100 if (client_version != ss->clientHelloVersion) { |
2985 /* Destroy it. Version roll-back detected. */ | 3101 /* Destroy it. Version roll-back detected. */ |
2986 PK11_FreeSymKey(pwSpec->master_secret); | 3102 PK11_FreeSymKey(pwSpec->master_secret); |
2987 pwSpec->master_secret = NULL; | 3103 pwSpec->master_secret = NULL; |
2988 } | 3104 } |
2989 } | 3105 } |
2990 if (pwSpec->master_secret == NULL) { | 3106 if (pwSpec->master_secret == NULL) { |
2991 /* Generate a faux master secret in the same slot as the old one. */ | 3107 /* Generate a faux master secret in the same slot as the old one. */ |
2992 PK11SlotInfo * slot = PK11_GetSlotFromKey((PK11SymKey *)pms); | 3108 PK11SlotInfo * slot = PK11_GetSlotFromKey((PK11SymKey *)pms); |
2993 PK11SymKey * fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot); | 3109 PK11SymKey * fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot); |
(...skipping 404 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3398 SSL_TRC(60, ("data:")); | 3514 SSL_TRC(60, ("data:")); |
3399 rv = ssl3_AppendHandshake(ss, src, bytes); | 3515 rv = ssl3_AppendHandshake(ss, src, bytes); |
3400 return rv; /* error code set by AppendHandshake, if applicable. */ | 3516 return rv; /* error code set by AppendHandshake, if applicable. */ |
3401 } | 3517 } |
3402 | 3518 |
3403 SECStatus | 3519 SECStatus |
3404 ssl3_AppendHandshakeHeader(sslSocket *ss, SSL3HandshakeType t, PRUint32 length) | 3520 ssl3_AppendHandshakeHeader(sslSocket *ss, SSL3HandshakeType t, PRUint32 length) |
3405 { | 3521 { |
3406 SECStatus rv; | 3522 SECStatus rv; |
3407 | 3523 |
3524 /* If we already have a message in place, we need to enqueue it. | |
3525 * This empties the buffer. This is a convenient place to call | |
3526 * dtls_StageHandshakeMessage to mark the message boundary. | |
3527 */ | |
3528 if (IS_DTLS(ss)) { | |
3529 rv = dtls_StageHandshakeMessage(ss); | |
3530 if (rv != SECSuccess) { | |
3531 return rv; | |
3532 } | |
3533 } | |
3534 | |
3408 SSL_TRC(30,("%d: SSL3[%d]: append handshake header: type %s", | 3535 SSL_TRC(30,("%d: SSL3[%d]: append handshake header: type %s", |
3409 SSL_GETPID(), ss->fd, ssl3_DecodeHandshakeType(t))); | 3536 SSL_GETPID(), ss->fd, ssl3_DecodeHandshakeType(t))); |
3410 PRINT_BUF(60, (ss, "MD5 handshake hash:", | 3537 PRINT_BUF(60, (ss, "MD5 handshake hash:", |
3411 (unsigned char*)ss->ssl3.hs.md5_cx, MD5_LENGTH)); | 3538 (unsigned char*)ss->ssl3.hs.md5_cx, MD5_LENGTH)); |
3412 PRINT_BUF(95, (ss, "SHA handshake hash:", | 3539 PRINT_BUF(95, (ss, "SHA handshake hash:", |
3413 (unsigned char*)ss->ssl3.hs.sha_cx, SHA1_LENGTH)); | 3540 (unsigned char*)ss->ssl3.hs.sha_cx, SHA1_LENGTH)); |
3414 | 3541 |
3415 rv = ssl3_AppendHandshakeNumber(ss, t, 1); | 3542 rv = ssl3_AppendHandshakeNumber(ss, t, 1); |
3416 if (rv != SECSuccess) { | 3543 if (rv != SECSuccess) { |
3417 return rv; /* error code set by AppendHandshake, if applicable. */ | 3544 return rv; /* error code set by AppendHandshake, if applicable. */ |
3418 } | 3545 } |
3419 rv = ssl3_AppendHandshakeNumber(ss, length, 3); | 3546 rv = ssl3_AppendHandshakeNumber(ss, length, 3); |
3547 if (rv != SECSuccess) { | |
3548 return rv; /* error code set by AppendHandshake, if applicable. */ | |
3549 } | |
3550 | |
3551 if (IS_DTLS(ss)) { | |
3552 /* Note that we make an unfragmented message here. We fragment in the | |
3553 * transmission code, if necessary */ | |
3554 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.sendMessageSeq, 2); | |
3555 if (rv != SECSuccess) { | |
3556 return rv; /* error code set by AppendHandshake, if applicable. */ | |
3557 } | |
3558 ss->ssl3.hs.sendMessageSeq++; | |
3559 | |
3560 /* 0 is the fragment offset, because it's not fragmented yet */ | |
3561 rv = ssl3_AppendHandshakeNumber(ss, 0, 3); | |
3562 if (rv != SECSuccess) { | |
3563 return rv; /* error code set by AppendHandshake, if applicable. */ | |
3564 } | |
3565 | |
3566 /* Fragment length -- set to the packet length because not fragmented */ | |
3567 rv = ssl3_AppendHandshakeNumber(ss, length, 3); | |
3568 if (rv != SECSuccess) { | |
3569 return rv; /* error code set by AppendHandshake, if applicable. */ | |
3570 } | |
3571 } | |
3572 | |
3420 return rv; /* error code set by AppendHandshake, if applicable. */ | 3573 return rv; /* error code set by AppendHandshake, if applicable. */ |
3421 } | 3574 } |
3422 | 3575 |
3423 /************************************************************************** | 3576 /************************************************************************** |
3424 * Consume Handshake functions. | 3577 * Consume Handshake functions. |
3425 * | 3578 * |
3426 * All data used in these functions is protected by two locks, | 3579 * All data used in these functions is protected by two locks, |
3427 * the RecvBufLock and the SSL3HandshakeLock | 3580 * the RecvBufLock and the SSL3HandshakeLock |
3428 **************************************************************************/ | 3581 **************************************************************************/ |
3429 | 3582 |
(...skipping 386 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3816 } | 3969 } |
3817 | 3970 |
3818 /************************************************************************** | 3971 /************************************************************************** |
3819 * end of Handshake Hash functions. | 3972 * end of Handshake Hash functions. |
3820 * Begin Send and Handle functions for handshakes. | 3973 * Begin Send and Handle functions for handshakes. |
3821 **************************************************************************/ | 3974 **************************************************************************/ |
3822 | 3975 |
3823 /* Called from ssl3_HandleHelloRequest(), | 3976 /* Called from ssl3_HandleHelloRequest(), |
3824 * ssl3_RedoHandshake() | 3977 * ssl3_RedoHandshake() |
3825 * ssl2_BeginClientHandshake (when resuming ssl3 session) | 3978 * ssl2_BeginClientHandshake (when resuming ssl3 session) |
3979 * dtls_HandleHelloVerifyRequest(with resending=PR_TRUE) | |
3826 */ | 3980 */ |
3827 SECStatus | 3981 SECStatus |
3828 ssl3_SendClientHello(sslSocket *ss) | 3982 ssl3_SendClientHello(sslSocket *ss, PRBool resending) |
3829 { | 3983 { |
3830 sslSessionID * sid; | 3984 sslSessionID * sid; |
3831 ssl3CipherSpec * cwSpec; | 3985 ssl3CipherSpec * cwSpec; |
3832 SECStatus rv; | 3986 SECStatus rv; |
3833 int i; | 3987 int i; |
3834 int length; | 3988 int length; |
3835 int num_suites; | 3989 int num_suites; |
3836 int actual_count = 0; | 3990 int actual_count = 0; |
3837 PRBool isTLS = PR_FALSE; | 3991 PRBool isTLS = PR_FALSE; |
3838 PRInt32 total_exten_len = 0; | 3992 PRInt32 total_exten_len = 0; |
3839 unsigned numCompressionMethods; | 3993 unsigned numCompressionMethods; |
3840 | 3994 |
3841 SSL_TRC(3, ("%d: SSL3[%d]: send client_hello handshake", SSL_GETPID(), | 3995 SSL_TRC(3, ("%d: SSL3[%d]: send client_hello handshake", SSL_GETPID(), |
3842 ss->fd)); | 3996 ss->fd)); |
3843 | 3997 |
3844 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 3998 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
3845 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); | 3999 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); |
3846 | 4000 |
3847 rv = ssl3_InitState(ss); | 4001 rv = ssl3_InitState(ss); |
3848 if (rv != SECSuccess) { | 4002 if (rv != SECSuccess) { |
3849 return rv; /* ssl3_InitState has set the error code. */ | 4003 return rv; /* ssl3_InitState has set the error code. */ |
3850 } | 4004 } |
3851 ss->ssl3.hs.sendingSCSV = PR_FALSE; /* Must be reset every handshake */ | 4005 ss->ssl3.hs.sendingSCSV = PR_FALSE; /* Must be reset every handshake */ |
4006 PORT_Assert(IS_DTLS(ss) || !resending); | |
3852 | 4007 |
3853 /* We might be starting a session renegotiation in which case we should | 4008 /* We might be starting a session renegotiation in which case we should |
3854 * clear previous state. | 4009 * clear previous state. |
3855 */ | 4010 */ |
3856 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); | 4011 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); |
3857 | 4012 |
3858 SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes", | 4013 SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes", |
3859 SSL_GETPID(), ss->fd )); | 4014 SSL_GETPID(), ss->fd )); |
3860 rv = ssl3_RestartHandshakeHashes(ss); | 4015 rv = ssl3_RestartHandshakeHashes(ss); |
3861 if (rv != SECSuccess) { | 4016 if (rv != SECSuccess) { |
(...skipping 139 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
4001 total_exten_len += 2; | 4156 total_exten_len += 2; |
4002 } | 4157 } |
4003 | 4158 |
4004 #if defined(NSS_ENABLE_ECC) && !defined(NSS_ECC_MORE_THAN_SUITE_B) | 4159 #if defined(NSS_ENABLE_ECC) && !defined(NSS_ECC_MORE_THAN_SUITE_B) |
4005 if (!total_exten_len || !isTLS) { | 4160 if (!total_exten_len || !isTLS) { |
4006 /* not sending the elliptic_curves and ec_point_formats extensions */ | 4161 /* not sending the elliptic_curves and ec_point_formats extensions */ |
4007 ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */ | 4162 ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */ |
4008 } | 4163 } |
4009 #endif | 4164 #endif |
4010 | 4165 |
4166 if (IS_DTLS(ss)) { | |
4167 ssl3_DisableNonDTLSSuites(ss); | |
4168 } | |
4169 | |
4011 /* how many suites are permitted by policy and user preference? */ | 4170 /* how many suites are permitted by policy and user preference? */ |
4012 num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE); | 4171 num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE); |
4013 if (!num_suites) | 4172 if (!num_suites) |
4014 return SECFailure; /* count_cipher_suites has set error code. */ | 4173 return SECFailure; /* count_cipher_suites has set error code. */ |
4015 if (ss->ssl3.hs.sendingSCSV) { | 4174 if (ss->ssl3.hs.sendingSCSV) { |
4016 ++num_suites; /* make room for SCSV */ | 4175 ++num_suites; /* make room for SCSV */ |
4017 } | 4176 } |
4018 | 4177 |
4019 /* count compression methods */ | 4178 /* count compression methods */ |
4020 numCompressionMethods = 0; | 4179 numCompressionMethods = 0; |
4021 for (i = 0; i < compressionMethodsCount; i++) { | 4180 for (i = 0; i < compressionMethodsCount; i++) { |
4022 if (compressionEnabled(ss, compressions[i])) | 4181 if (compressionEnabled(ss, compressions[i])) |
4023 numCompressionMethods++; | 4182 numCompressionMethods++; |
4024 } | 4183 } |
4025 | 4184 |
4026 length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH + | 4185 length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH + |
4027 1 + ((sid == NULL) ? 0 : sid->u.ssl3.sessionIDLength) + | 4186 1 + ((sid == NULL) ? 0 : sid->u.ssl3.sessionIDLength) + |
4028 2 + num_suites*sizeof(ssl3CipherSuite) + | 4187 2 + num_suites*sizeof(ssl3CipherSuite) + |
4029 1 + numCompressionMethods + total_exten_len; | 4188 1 + numCompressionMethods + total_exten_len; |
4189 if (IS_DTLS(ss)) { | |
4190 length += 1 + ss->ssl3.hs.cookieLen; | |
4191 } | |
4030 | 4192 |
4031 rv = ssl3_AppendHandshakeHeader(ss, client_hello, length); | 4193 rv = ssl3_AppendHandshakeHeader(ss, client_hello, length); |
4032 if (rv != SECSuccess) { | 4194 if (rv != SECSuccess) { |
4033 return rv; /* err set by ssl3_AppendHandshake* */ | 4195 return rv; /* err set by ssl3_AppendHandshake* */ |
4034 } | 4196 } |
4035 | 4197 |
4036 ss->clientHelloVersion = ss->version; | 4198 ss->clientHelloVersion = ss->version; |
4037 rv = ssl3_AppendHandshakeNumber(ss, ss->clientHelloVersion, 2); | 4199 if (IS_DTLS(ss)) { |
4200 » PRUint16 version; | |
4201 | |
4202 » version = dtls_TLSVersionToDTLSVersion(ss->clientHelloVersion); | |
4203 » rv = ssl3_AppendHandshakeNumber(ss, version, 2); | |
4204 } else { | |
4205 » rv = ssl3_AppendHandshakeNumber(ss, ss->clientHelloVersion, 2); | |
4206 } | |
4038 if (rv != SECSuccess) { | 4207 if (rv != SECSuccess) { |
4039 return rv; /* err set by ssl3_AppendHandshake* */ | 4208 return rv; /* err set by ssl3_AppendHandshake* */ |
4040 } | 4209 } |
4041 rv = ssl3_GetNewRandom(&ss->ssl3.hs.client_random); | 4210 |
4042 if (rv != SECSuccess) { | 4211 if (!resending) { /* Don't re-generate if we are in DTLS re-sending mode */ |
4043 » return rv;» /* err set by GetNewRandom. */ | 4212 » rv = ssl3_GetNewRandom(&ss->ssl3.hs.client_random); |
4213 » if (rv != SECSuccess) { | |
4214 » return rv;» /* err set by GetNewRandom. */ | |
4215 » } | |
4044 } | 4216 } |
4045 rv = ssl3_AppendHandshake(ss, &ss->ssl3.hs.client_random, | 4217 rv = ssl3_AppendHandshake(ss, &ss->ssl3.hs.client_random, |
4046 SSL3_RANDOM_LENGTH); | 4218 SSL3_RANDOM_LENGTH); |
4047 if (rv != SECSuccess) { | 4219 if (rv != SECSuccess) { |
4048 return rv; /* err set by ssl3_AppendHandshake* */ | 4220 return rv; /* err set by ssl3_AppendHandshake* */ |
4049 } | 4221 } |
4050 | 4222 |
4051 if (sid) | 4223 if (sid) |
4052 rv = ssl3_AppendHandshakeVariable( | 4224 rv = ssl3_AppendHandshakeVariable( |
4053 ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1); | 4225 ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1); |
4054 else | 4226 else |
4055 rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); | 4227 rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); |
4056 if (rv != SECSuccess) { | 4228 if (rv != SECSuccess) { |
4057 return rv; /* err set by ssl3_AppendHandshake* */ | 4229 return rv; /* err set by ssl3_AppendHandshake* */ |
4058 } | 4230 } |
4059 | 4231 |
4232 if (IS_DTLS(ss)) { | |
4233 rv = ssl3_AppendHandshakeVariable( | |
4234 ss, ss->ssl3.hs.cookie, ss->ssl3.hs.cookieLen, 1); | |
4235 if (rv != SECSuccess) { | |
4236 return rv; /* err set by ssl3_AppendHandshake* */ | |
4237 } | |
4238 } | |
4239 | |
4060 rv = ssl3_AppendHandshakeNumber(ss, num_suites*sizeof(ssl3CipherSuite), 2); | 4240 rv = ssl3_AppendHandshakeNumber(ss, num_suites*sizeof(ssl3CipherSuite), 2); |
4061 if (rv != SECSuccess) { | 4241 if (rv != SECSuccess) { |
4062 return rv; /* err set by ssl3_AppendHandshake* */ | 4242 return rv; /* err set by ssl3_AppendHandshake* */ |
4063 } | 4243 } |
4064 | 4244 |
4065 if (ss->ssl3.hs.sendingSCSV) { | 4245 if (ss->ssl3.hs.sendingSCSV) { |
4066 /* Add the actual SCSV */ | 4246 /* Add the actual SCSV */ |
4067 rv = ssl3_AppendHandshakeNumber(ss, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, | 4247 rv = ssl3_AppendHandshakeNumber(ss, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, |
4068 sizeof(ssl3CipherSuite)); | 4248 sizeof(ssl3CipherSuite)); |
4069 if (rv != SECSuccess) { | 4249 if (rv != SECSuccess) { |
(...skipping 103 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
4173 PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED); | 4353 PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED); |
4174 return SECFailure; | 4354 return SECFailure; |
4175 } | 4355 } |
4176 | 4356 |
4177 if (sid) { | 4357 if (sid) { |
4178 ss->sec.uncache(sid); | 4358 ss->sec.uncache(sid); |
4179 ssl_FreeSID(sid); | 4359 ssl_FreeSID(sid); |
4180 ss->sec.ci.sid = NULL; | 4360 ss->sec.ci.sid = NULL; |
4181 } | 4361 } |
4182 | 4362 |
4363 if (IS_DTLS(ss)) { | |
4364 dtls_RehandshakeCleanup(ss); | |
4365 } | |
4366 | |
4183 ssl_GetXmitBufLock(ss); | 4367 ssl_GetXmitBufLock(ss); |
4184 rv = ssl3_SendClientHello(ss); | 4368 rv = ssl3_SendClientHello(ss, PR_FALSE); |
4185 ssl_ReleaseXmitBufLock(ss); | 4369 ssl_ReleaseXmitBufLock(ss); |
4186 | 4370 |
4187 return rv; | 4371 return rv; |
4188 } | 4372 } |
4189 | 4373 |
4190 #define UNKNOWN_WRAP_MECHANISM 0x7fffffff | 4374 #define UNKNOWN_WRAP_MECHANISM 0x7fffffff |
4191 | 4375 |
4192 static const CK_MECHANISM_TYPE wrapMechanismList[SSL_NUM_WRAP_MECHS] = { | 4376 static const CK_MECHANISM_TYPE wrapMechanismList[SSL_NUM_WRAP_MECHS] = { |
4193 CKM_DES3_ECB, | 4377 CKM_DES3_ECB, |
4194 CKM_CAST5_ECB, | 4378 CKM_CAST5_ECB, |
(...skipping 834 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
5029 ss->ssl3.platformClientKey = (PlatformKey)NULL; | 5213 ss->ssl3.platformClientKey = (PlatformKey)NULL; |
5030 } | 5214 } |
5031 #endif /* NSS_PLATFORM_CLIENT_AUTH */ | 5215 #endif /* NSS_PLATFORM_CLIENT_AUTH */ |
5032 | 5216 |
5033 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); | 5217 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); |
5034 if (temp < 0) { | 5218 if (temp < 0) { |
5035 goto loser; /* alert has been sent */ | 5219 goto loser; /* alert has been sent */ |
5036 } | 5220 } |
5037 version = (SSL3ProtocolVersion)temp; | 5221 version = (SSL3ProtocolVersion)temp; |
5038 | 5222 |
5223 if (IS_DTLS(ss)) { | |
5224 /* RFC 4347 required that you verify that the server versions | |
5225 * match (S 4.2.1) in the HelloVerifyRequest and the ServerHello | |
5226 * | |
5227 * RFC 6347 suggests (SHOULD) that servers always use 1.0 | |
5228 * in HelloVerifyRequest and allows the versions not to match, | |
5229 * esp. when 1.2 is being negotiated. | |
5230 * | |
5231 * Therefore we do not check for matching here. | |
5232 */ | |
5233 version = dtls_DTLSVersionToTLSVersion(version); | |
5234 if (version == 0) { /* Insane version number */ | |
5235 goto alert_loser; | |
5236 } | |
5237 } | |
5238 | |
5039 rv = ssl3_NegotiateVersion(ss, version, PR_FALSE); | 5239 rv = ssl3_NegotiateVersion(ss, version, PR_FALSE); |
5040 if (rv != SECSuccess) { | 5240 if (rv != SECSuccess) { |
5041 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version | 5241 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version |
5042 : handshake_failure; | 5242 : handshake_failure; |
5043 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; | 5243 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; |
5044 goto alert_loser; | 5244 goto alert_loser; |
5045 } | 5245 } |
5046 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0); | 5246 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0); |
5047 | 5247 |
5048 rv = ssl3_ConsumeHandshake( | 5248 rv = ssl3_ConsumeHandshake( |
(...skipping 1208 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
6257 sslSessionID * sid = NULL; | 6457 sslSessionID * sid = NULL; |
6258 PRInt32 tmp; | 6458 PRInt32 tmp; |
6259 unsigned int i; | 6459 unsigned int i; |
6260 int j; | 6460 int j; |
6261 SECStatus rv; | 6461 SECStatus rv; |
6262 int errCode = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO; | 6462 int errCode = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO; |
6263 SSL3AlertDescription desc = illegal_parameter; | 6463 SSL3AlertDescription desc = illegal_parameter; |
6264 SSL3AlertLevel level = alert_fatal; | 6464 SSL3AlertLevel level = alert_fatal; |
6265 SSL3ProtocolVersion version; | 6465 SSL3ProtocolVersion version; |
6266 SECItem sidBytes = {siBuffer, NULL, 0}; | 6466 SECItem sidBytes = {siBuffer, NULL, 0}; |
6467 SECItem cookieBytes = {siBuffer, NULL, 0}; | |
6267 SECItem suites = {siBuffer, NULL, 0}; | 6468 SECItem suites = {siBuffer, NULL, 0}; |
6268 SECItem comps = {siBuffer, NULL, 0}; | 6469 SECItem comps = {siBuffer, NULL, 0}; |
6269 PRBool haveSpecWriteLock = PR_FALSE; | 6470 PRBool haveSpecWriteLock = PR_FALSE; |
6270 PRBool haveXmitBufLock = PR_FALSE; | 6471 PRBool haveXmitBufLock = PR_FALSE; |
6271 | 6472 |
6272 SSL_TRC(3, ("%d: SSL3[%d]: handle client_hello handshake", | 6473 SSL_TRC(3, ("%d: SSL3[%d]: handle client_hello handshake", |
6273 SSL_GETPID(), ss->fd)); | 6474 SSL_GETPID(), ss->fd)); |
6274 | 6475 |
6275 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 6476 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
6276 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 6477 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
6277 | 6478 |
6278 /* Get peer name of client */ | 6479 /* Get peer name of client */ |
6279 rv = ssl_GetPeerInfo(ss); | 6480 rv = ssl_GetPeerInfo(ss); |
6280 if (rv != SECSuccess) { | 6481 if (rv != SECSuccess) { |
6281 return rv; /* error code is set. */ | 6482 return rv; /* error code is set. */ |
6282 } | 6483 } |
6283 | 6484 |
6485 /* Clearing the handshake pointers so that ssl_Do1stHandshake won't | |
6486 * call ssl2_HandleMessage. | |
6487 * | |
6488 * The issue here is that TLS ordinarily starts out in | |
6489 * ssl2_HandleV3HandshakeRecord() because of the backward-compatibility | |
6490 * code paths. That function zeroes these next pointers. But with DTLS, | |
6491 * we don't even try to do the v2 ClientHello so we skip that function | |
6492 * and need to reset these values here. | |
6493 */ | |
6494 if (IS_DTLS(ss)) { | |
6495 ss->nextHandshake = NULL; | |
6496 ss->securityHandshake = NULL; | |
6497 } | |
wtc
2012/03/22 21:59:54
ekr: I put this code inside IS_DTLS(ss) to reduce
Ryan Sleevi
2012/03/22 22:26:37
See my note about the whole firstHandshakeLock nee
| |
6498 | |
6284 /* We might be starting session renegotiation in which case we should | 6499 /* We might be starting session renegotiation in which case we should |
6285 * clear previous state. | 6500 * clear previous state. |
6286 */ | 6501 */ |
6287 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); | 6502 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); |
6288 ss->statelessResume = PR_FALSE; | 6503 ss->statelessResume = PR_FALSE; |
6289 | 6504 |
6290 rv = ssl3_InitState(ss); | 6505 rv = ssl3_InitState(ss); |
6291 if (rv != SECSuccess) { | 6506 if (rv != SECSuccess) { |
6292 return rv; /* ssl3_InitState has set the error code. */ | 6507 return rv; /* ssl3_InitState has set the error code. */ |
6293 } | 6508 } |
6294 | 6509 |
6295 if ((ss->ssl3.hs.ws != wait_client_hello) && | 6510 if ((ss->ssl3.hs.ws != wait_client_hello) && |
6296 (ss->ssl3.hs.ws != idle_handshake)) { | 6511 (ss->ssl3.hs.ws != idle_handshake)) { |
6297 desc = unexpected_message; | 6512 desc = unexpected_message; |
6298 errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO; | 6513 errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO; |
6299 goto alert_loser; | 6514 goto alert_loser; |
6300 } | 6515 } |
6301 if (ss->ssl3.hs.ws == idle_handshake && | 6516 if (ss->ssl3.hs.ws == idle_handshake && |
6302 ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) { | 6517 ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) { |
6303 desc = no_renegotiation; | 6518 desc = no_renegotiation; |
6304 level = alert_warning; | 6519 level = alert_warning; |
6305 errCode = SSL_ERROR_RENEGOTIATION_NOT_ALLOWED; | 6520 errCode = SSL_ERROR_RENEGOTIATION_NOT_ALLOWED; |
6306 goto alert_loser; | 6521 goto alert_loser; |
6307 } | 6522 } |
6308 | 6523 |
6524 if (IS_DTLS(ss)) { | |
6525 dtls_RehandshakeCleanup(ss); | |
6526 } | |
6527 | |
6309 tmp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); | 6528 tmp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); |
6310 if (tmp < 0) | 6529 if (tmp < 0) |
6311 goto loser; /* malformed, alert already sent */ | 6530 goto loser; /* malformed, alert already sent */ |
6312 ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp; | 6531 |
6532 /* Translate the version */ | |
6533 if (IS_DTLS(ss)) { | |
6534 » ss->clientHelloVersion = version = | |
6535 » dtls_DTLSVersionToTLSVersion((SSL3ProtocolVersion)tmp); | |
6536 } else { | |
6537 » ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp; | |
6538 } | |
6539 | |
6313 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE); | 6540 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE); |
6314 if (rv != SECSuccess) { | 6541 if (rv != SECSuccess) { |
6315 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version | 6542 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version |
6316 : handshake_failure; | 6543 : handshake_failure; |
6317 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; | 6544 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; |
6318 goto alert_loser; | 6545 goto alert_loser; |
6319 } | 6546 } |
6320 | 6547 |
6321 /* grab the client random data. */ | 6548 /* grab the client random data. */ |
6322 rv = ssl3_ConsumeHandshake( | 6549 rv = ssl3_ConsumeHandshake( |
6323 ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length); | 6550 ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length); |
6324 if (rv != SECSuccess) { | 6551 if (rv != SECSuccess) { |
6325 goto loser; /* malformed */ | 6552 goto loser; /* malformed */ |
6326 } | 6553 } |
6327 | 6554 |
6328 /* grab the client's SID, if present. */ | 6555 /* grab the client's SID, if present. */ |
6329 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length); | 6556 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length); |
6330 if (rv != SECSuccess) { | 6557 if (rv != SECSuccess) { |
6331 goto loser; /* malformed */ | 6558 goto loser; /* malformed */ |
6332 } | 6559 } |
6333 | 6560 |
6561 /* grab the client's cookie, if present. */ | |
6562 if (IS_DTLS(ss)) { | |
6563 rv = ssl3_ConsumeHandshakeVariable(ss, &cookieBytes, 1, &b, &length); | |
6564 if (rv != SECSuccess) { | |
6565 goto loser; /* malformed */ | |
6566 } | |
6567 } | |
6568 | |
6334 /* grab the list of cipher suites. */ | 6569 /* grab the list of cipher suites. */ |
6335 rv = ssl3_ConsumeHandshakeVariable(ss, &suites, 2, &b, &length); | 6570 rv = ssl3_ConsumeHandshakeVariable(ss, &suites, 2, &b, &length); |
6336 if (rv != SECSuccess) { | 6571 if (rv != SECSuccess) { |
6337 goto loser; /* malformed */ | 6572 goto loser; /* malformed */ |
6338 } | 6573 } |
6339 | 6574 |
6340 /* grab the list of compression methods. */ | 6575 /* grab the list of compression methods. */ |
6341 rv = ssl3_ConsumeHandshakeVariable(ss, &comps, 1, &b, &length); | 6576 rv = ssl3_ConsumeHandshakeVariable(ss, &comps, 1, &b, &length); |
6342 if (rv != SECSuccess) { | 6577 if (rv != SECSuccess) { |
6343 goto loser; /* malformed */ | 6578 goto loser; /* malformed */ |
(...skipping 128 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
6472 ssl_FreeSID(sid); | 6707 ssl_FreeSID(sid); |
6473 sid = NULL; | 6708 sid = NULL; |
6474 } | 6709 } |
6475 } | 6710 } |
6476 | 6711 |
6477 #ifdef NSS_ENABLE_ECC | 6712 #ifdef NSS_ENABLE_ECC |
6478 /* Disable any ECC cipher suites for which we have no cert. */ | 6713 /* Disable any ECC cipher suites for which we have no cert. */ |
6479 ssl3_FilterECCipherSuitesByServerCerts(ss); | 6714 ssl3_FilterECCipherSuitesByServerCerts(ss); |
6480 #endif | 6715 #endif |
6481 | 6716 |
6717 if (IS_DTLS(ss)) { | |
6718 ssl3_DisableNonDTLSSuites(ss); | |
6719 } | |
6720 | |
6482 #ifdef PARANOID | 6721 #ifdef PARANOID |
6483 /* Look for a matching cipher suite. */ | 6722 /* Look for a matching cipher suite. */ |
6484 j = ssl3_config_match_init(ss); | 6723 j = ssl3_config_match_init(ss); |
6485 if (j <= 0) { /* no ciphers are working/supported by PK11 */ | 6724 if (j <= 0) { /* no ciphers are working/supported by PK11 */ |
6486 errCode = PORT_GetError(); /* error code is already set. */ | 6725 errCode = PORT_GetError(); /* error code is already set. */ |
6487 goto alert_loser; | 6726 goto alert_loser; |
6488 } | 6727 } |
6489 #endif | 6728 #endif |
6490 | 6729 |
6491 /* If we already have a session for this client, be sure to pick the | 6730 /* If we already have a session for this client, be sure to pick the |
(...skipping 667 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
7159 ** ssl3_SendServerHelloSequence <- ssl3_HandleV2ClientHello (new session) | 7398 ** ssl3_SendServerHelloSequence <- ssl3_HandleV2ClientHello (new session) |
7160 */ | 7399 */ |
7161 static SECStatus | 7400 static SECStatus |
7162 ssl3_SendServerHello(sslSocket *ss) | 7401 ssl3_SendServerHello(sslSocket *ss) |
7163 { | 7402 { |
7164 sslSessionID *sid; | 7403 sslSessionID *sid; |
7165 SECStatus rv; | 7404 SECStatus rv; |
7166 PRUint32 maxBytes = 65535; | 7405 PRUint32 maxBytes = 65535; |
7167 PRUint32 length; | 7406 PRUint32 length; |
7168 PRInt32 extensions_len = 0; | 7407 PRInt32 extensions_len = 0; |
7408 SSL3ProtocolVersion version; | |
7169 | 7409 |
7170 SSL_TRC(3, ("%d: SSL3[%d]: send server_hello handshake", SSL_GETPID(), | 7410 SSL_TRC(3, ("%d: SSL3[%d]: send server_hello handshake", SSL_GETPID(), |
7171 ss->fd)); | 7411 ss->fd)); |
7172 | 7412 |
7173 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); | 7413 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
7174 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 7414 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
7175 PORT_Assert( MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0)); | |
7176 | 7415 |
7177 if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) { | 7416 if (!IS_DTLS(ss)) { |
7178 » PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP); | 7417 » PORT_Assert(MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0)); |
7179 » return SECFailure; | 7418 |
7419 » if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) { | |
7420 » PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP); | |
7421 » return SECFailure; | |
7422 » } | |
7423 } else { | |
7424 » PORT_Assert(MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_DTLS_1_0)); | |
7425 | |
7426 » if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_DTLS_1_0)) { | |
7427 » PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP); | |
7428 » return SECFailure; | |
7429 » } | |
7180 } | 7430 } |
7181 | 7431 |
7182 sid = ss->sec.ci.sid; | 7432 sid = ss->sec.ci.sid; |
7183 | 7433 |
7184 extensions_len = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes, | 7434 extensions_len = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes, |
7185 &ss->xtnData.serverSenders[0]); | 7435 &ss->xtnData.serverSenders[0]); |
7186 if (extensions_len > 0) | 7436 if (extensions_len > 0) |
7187 extensions_len += 2; /* Add sizeof total extension length */ | 7437 extensions_len += 2; /* Add sizeof total extension length */ |
7188 | 7438 |
7189 length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH + 1 + | 7439 length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH + 1 + |
7190 ((sid == NULL) ? 0: sid->u.ssl3.sessionIDLength) + | 7440 ((sid == NULL) ? 0: sid->u.ssl3.sessionIDLength) + |
7191 sizeof(ssl3CipherSuite) + 1 + extensions_len; | 7441 sizeof(ssl3CipherSuite) + 1 + extensions_len; |
7192 rv = ssl3_AppendHandshakeHeader(ss, server_hello, length); | 7442 rv = ssl3_AppendHandshakeHeader(ss, server_hello, length); |
7193 if (rv != SECSuccess) { | 7443 if (rv != SECSuccess) { |
7194 return rv; /* err set by AppendHandshake. */ | 7444 return rv; /* err set by AppendHandshake. */ |
7195 } | 7445 } |
7196 | 7446 |
7197 rv = ssl3_AppendHandshakeNumber(ss, ss->version, 2); | 7447 if (IS_DTLS(ss)) { |
7448 » version = dtls_TLSVersionToDTLSVersion(ss->version); | |
7449 } else { | |
7450 » version = ss->version; | |
7451 } | |
7452 | |
7453 rv = ssl3_AppendHandshakeNumber(ss, version, 2); | |
7198 if (rv != SECSuccess) { | 7454 if (rv != SECSuccess) { |
7199 return rv; /* err set by AppendHandshake. */ | 7455 return rv; /* err set by AppendHandshake. */ |
7200 } | 7456 } |
7201 rv = ssl3_GetNewRandom(&ss->ssl3.hs.server_random); | 7457 rv = ssl3_GetNewRandom(&ss->ssl3.hs.server_random); |
7202 if (rv != SECSuccess) { | 7458 if (rv != SECSuccess) { |
7203 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE); | 7459 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE); |
7204 return rv; | 7460 return rv; |
7205 } | 7461 } |
7206 rv = ssl3_AppendHandshake( | 7462 rv = ssl3_AppendHandshake( |
7207 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH); | 7463 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH); |
(...skipping 164 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
7372 ca_list = ss->ssl3.ca_list; | 7628 ca_list = ss->ssl3.ca_list; |
7373 if (!ca_list) { | 7629 if (!ca_list) { |
7374 ca_list = ssl3_server_ca_list; | 7630 ca_list = ssl3_server_ca_list; |
7375 } | 7631 } |
7376 | 7632 |
7377 if (ca_list != NULL) { | 7633 if (ca_list != NULL) { |
7378 names = ca_list->names; | 7634 names = ca_list->names; |
7379 nnames = ca_list->nnames; | 7635 nnames = ca_list->nnames; |
7380 } | 7636 } |
7381 | 7637 |
7382 if (!nnames) { | 7638 /* There used to be a test here to require a CA, but there |
7383 » PORT_SetError(SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA); | 7639 * are cases where you want to have no CAs offered. */ |
7384 » return SECFailure; | |
7385 } | |
7386 | |
7387 for (i = 0, name = names; i < nnames; i++, name++) { | 7640 for (i = 0, name = names; i < nnames; i++, name++) { |
7388 calen += 2 + name->len; | 7641 calen += 2 + name->len; |
7389 } | 7642 } |
7390 | 7643 |
7391 certTypes = certificate_types; | 7644 certTypes = certificate_types; |
7392 certTypesLength = sizeof certificate_types; | 7645 certTypesLength = sizeof certificate_types; |
7393 | 7646 |
7394 length = 1 + certTypesLength + 2 + calen; | 7647 length = 1 + certTypesLength + 2 + calen; |
7395 | 7648 |
7396 rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length); | 7649 rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length); |
(...skipping 147 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
7544 /* can't find a slot with all three, find a slot with the minimum */ | 7797 /* can't find a slot with all three, find a slot with the minimum */ |
7545 slot = PK11_GetBestSlotMultiple(mechanism_array, 2, pwArg); | 7798 slot = PK11_GetBestSlotMultiple(mechanism_array, 2, pwArg); |
7546 if (slot == NULL) { | 7799 if (slot == NULL) { |
7547 PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND); | 7800 PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND); |
7548 return pms; /* which is NULL */ | 7801 return pms; /* which is NULL */ |
7549 } | 7802 } |
7550 } | 7803 } |
7551 } | 7804 } |
7552 | 7805 |
7553 /* Generate the pre-master secret ... */ | 7806 /* Generate the pre-master secret ... */ |
7554 version.major = MSB(ss->clientHelloVersion); | 7807 if (IS_DTLS(ss)) { |
7555 version.minor = LSB(ss->clientHelloVersion); | 7808 » SSL3ProtocolVersion temp; |
7809 | |
7810 » temp = dtls_TLSVersionToDTLSVersion(ss->clientHelloVersion); | |
7811 » version.major = MSB(temp); | |
7812 » version.minor = LSB(temp); | |
7813 } else { | |
7814 » version.major = MSB(ss->clientHelloVersion); | |
7815 » version.minor = LSB(ss->clientHelloVersion); | |
7816 } | |
7556 | 7817 |
7557 param.data = (unsigned char *)&version; | 7818 param.data = (unsigned char *)&version; |
7558 param.len = sizeof version; | 7819 param.len = sizeof version; |
7559 | 7820 |
7560 pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN, ¶m, 0, pwArg); | 7821 pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN, ¶m, 0, pwArg); |
7561 if (!serverKeySlot) | 7822 if (!serverKeySlot) |
7562 PK11_FreeSlot(slot); | 7823 PK11_FreeSlot(slot); |
7563 if (pms == NULL) { | 7824 if (pms == NULL) { |
7564 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); | 7825 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); |
7565 } | 7826 } |
(...skipping 62 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
7628 */ | 7889 */ |
7629 | 7890 |
7630 rv = PK11_PrivDecryptPKCS1(serverKey, rsaPmsBuf, &outLen, | 7891 rv = PK11_PrivDecryptPKCS1(serverKey, rsaPmsBuf, &outLen, |
7631 sizeof rsaPmsBuf, enc_pms.data, enc_pms.len); | 7892 sizeof rsaPmsBuf, enc_pms.data, enc_pms.len); |
7632 if (rv != SECSuccess) { | 7893 if (rv != SECSuccess) { |
7633 /* triple bypass failed. Let's try for a double bypass. */ | 7894 /* triple bypass failed. Let's try for a double bypass. */ |
7634 goto double_bypass; | 7895 goto double_bypass; |
7635 } else if (ss->opt.detectRollBack) { | 7896 } else if (ss->opt.detectRollBack) { |
7636 SSL3ProtocolVersion client_version = | 7897 SSL3ProtocolVersion client_version = |
7637 (rsaPmsBuf[0] << 8) | rsaPmsBuf[1]; | 7898 (rsaPmsBuf[0] << 8) | rsaPmsBuf[1]; |
7899 | |
7900 if (IS_DTLS(ss)) { | |
7901 client_version = dtls_DTLSVersionToTLSVersion(client_version); | |
7902 } | |
7903 | |
7638 if (client_version != ss->clientHelloVersion) { | 7904 if (client_version != ss->clientHelloVersion) { |
7639 /* Version roll-back detected. ensure failure. */ | 7905 /* Version roll-back detected. ensure failure. */ |
7640 rv = PK11_GenerateRandom(rsaPmsBuf, sizeof rsaPmsBuf); | 7906 rv = PK11_GenerateRandom(rsaPmsBuf, sizeof rsaPmsBuf); |
7641 } | 7907 } |
7642 } | 7908 } |
7643 /* have PMS, build MS without PKCS11 */ | 7909 /* have PMS, build MS without PKCS11 */ |
7644 rv = ssl3_MasterKeyDeriveBypass(pwSpec, cr, sr, &pmsItem, isTLS, | 7910 rv = ssl3_MasterKeyDeriveBypass(pwSpec, cr, sr, &pmsItem, isTLS, |
7645 PR_TRUE); | 7911 PR_TRUE); |
7646 if (rv != SECSuccess) { | 7912 if (rv != SECSuccess) { |
7647 pwSpec->msItem.data = pwSpec->raw_master_secret; | 7913 pwSpec->msItem.data = pwSpec->raw_master_secret; |
(...skipping 1196 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
8844 flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER; | 9110 flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER; |
8845 } | 9111 } |
8846 | 9112 |
8847 if (!isServer && !ss->firstHsDone) { | 9113 if (!isServer && !ss->firstHsDone) { |
8848 rv = ssl3_SendNextProto(ss); | 9114 rv = ssl3_SendNextProto(ss); |
8849 if (rv != SECSuccess) { | 9115 if (rv != SECSuccess) { |
8850 goto xmit_loser; /* err code was set. */ | 9116 goto xmit_loser; /* err code was set. */ |
8851 } | 9117 } |
8852 } | 9118 } |
8853 | 9119 |
9120 if (IS_DTLS(ss)) { | |
9121 flags |= ssl_SEND_FLAG_NO_RETRANSMIT; | |
9122 } | |
9123 | |
8854 rv = ssl3_SendFinished(ss, flags); | 9124 rv = ssl3_SendFinished(ss, flags); |
8855 if (rv != SECSuccess) { | 9125 if (rv != SECSuccess) { |
8856 goto xmit_loser; /* err is set. */ | 9126 goto xmit_loser; /* err is set. */ |
8857 } | 9127 } |
8858 } | 9128 } |
8859 | 9129 |
8860 xmit_loser: | 9130 xmit_loser: |
8861 ssl_ReleaseXmitBufLock(ss); /*************************************/ | 9131 ssl_ReleaseXmitBufLock(ss); /*************************************/ |
8862 if (rv != SECSuccess) { | 9132 if (rv != SECSuccess) { |
8863 return rv; | 9133 return rv; |
(...skipping 109 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
8973 ss->ssl3.hs.pending_cert_msg.len); | 9243 ss->ssl3.hs.pending_cert_msg.len); |
8974 SECITEM_FreeItem(&ss->ssl3.hs.pending_cert_msg, PR_FALSE); | 9244 SECITEM_FreeItem(&ss->ssl3.hs.pending_cert_msg, PR_FALSE); |
8975 } | 9245 } |
8976 return rv; | 9246 return rv; |
8977 } | 9247 } |
8978 | 9248 |
8979 /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3 | 9249 /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3 |
8980 * hanshake message. | 9250 * hanshake message. |
8981 * Caller must hold Handshake and RecvBuf locks. | 9251 * Caller must hold Handshake and RecvBuf locks. |
8982 */ | 9252 */ |
8983 static SECStatus | 9253 SECStatus |
8984 ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length) | 9254 ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
8985 { | 9255 { |
8986 SECStatus rv = SECSuccess; | 9256 SECStatus rv = SECSuccess; |
8987 SSL3HandshakeType type = ss->ssl3.hs.msg_type; | 9257 SSL3HandshakeType type = ss->ssl3.hs.msg_type; |
8988 SSL3Hashes hashes; /* computed hashes are put here. */ | 9258 SSL3Hashes hashes; /* computed hashes are put here. */ |
8989 PRUint8 hdr[4]; | 9259 PRUint8 hdr[4]; |
9260 PRUint8 dtlsData[8]; | |
8990 | 9261 |
8991 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 9262 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
8992 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 9263 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
8993 /* | 9264 /* |
8994 * We have to compute the hashes before we update them with the | 9265 * We have to compute the hashes before we update them with the |
8995 * current message. | 9266 * current message. |
8996 */ | 9267 */ |
8997 ssl_GetSpecReadLock(ss); /************************************/ | 9268 ssl_GetSpecReadLock(ss); /************************************/ |
8998 if((type == finished) || (type == certificate_verify)) { | 9269 if((type == finished) || (type == certificate_verify)) { |
8999 SSL3Sender sender = (SSL3Sender)0; | 9270 SSL3Sender sender = (SSL3Sender)0; |
(...skipping 25 matching lines...) Expand all Loading... | |
9025 | 9296 |
9026 /* Start new handshake hashes when we start a new handshake */ | 9297 /* Start new handshake hashes when we start a new handshake */ |
9027 if (ss->ssl3.hs.msg_type == client_hello) { | 9298 if (ss->ssl3.hs.msg_type == client_hello) { |
9028 SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes", | 9299 SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes", |
9029 SSL_GETPID(), ss->fd )); | 9300 SSL_GETPID(), ss->fd )); |
9030 rv = ssl3_RestartHandshakeHashes(ss); | 9301 rv = ssl3_RestartHandshakeHashes(ss); |
9031 if (rv != SECSuccess) { | 9302 if (rv != SECSuccess) { |
9032 return rv; | 9303 return rv; |
9033 } | 9304 } |
9034 } | 9305 } |
9035 /* We should not include hello_request messages in the handshake hashes */ | 9306 /* We should not include hello_request and hello_verify_request messages |
9036 if (ss->ssl3.hs.msg_type != hello_request) { | 9307 * in the handshake hashes */ |
9308 if ((ss->ssl3.hs.msg_type != hello_request) && | |
9309 » (ss->ssl3.hs.msg_type != hello_verify_request)) { | |
9037 rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) hdr, 4); | 9310 rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) hdr, 4); |
9038 if (rv != SECSuccess) return rv; /* err code already set. */ | 9311 if (rv != SECSuccess) return rv; /* err code already set. */ |
9312 | |
9313 /* Extra data to simulate a complete DTLS handshake fragment */ | |
9314 if (IS_DTLS(ss)) { | |
9315 /* Sequence number */ | |
9316 dtlsData[0] = MSB(ss->ssl3.hs.recvMessageSeq); | |
9317 dtlsData[1] = LSB(ss->ssl3.hs.recvMessageSeq); | |
9318 | |
9319 /* Fragment offset */ | |
9320 dtlsData[2] = 0; | |
9321 dtlsData[3] = 0; | |
9322 dtlsData[4] = 0; | |
9323 | |
9324 /* Fragment length */ | |
9325 dtlsData[5] = (PRUint8)(length >> 16); | |
9326 dtlsData[6] = (PRUint8)(length >> 8); | |
9327 dtlsData[7] = (PRUint8)(length ); | |
9328 | |
9329 rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) dtlsData, | |
9330 sizeof(dtlsData)); | |
9331 if (rv != SECSuccess) return rv; /* err code already set. */ | |
9332 } | |
9333 | |
9334 /* The message body */ | |
9039 rv = ssl3_UpdateHandshakeHashes(ss, b, length); | 9335 rv = ssl3_UpdateHandshakeHashes(ss, b, length); |
9040 if (rv != SECSuccess) return rv; /* err code already set. */ | 9336 if (rv != SECSuccess) return rv; /* err code already set. */ |
9041 } | 9337 } |
9042 | 9338 |
9043 PORT_SetError(0); /* each message starts with no error. */ | 9339 PORT_SetError(0); /* each message starts with no error. */ |
9044 switch (ss->ssl3.hs.msg_type) { | 9340 switch (ss->ssl3.hs.msg_type) { |
9045 case hello_request: | 9341 case hello_request: |
9046 if (length != 0) { | 9342 if (length != 0) { |
9047 (void)ssl3_DecodeError(ss); | 9343 (void)ssl3_DecodeError(ss); |
9048 PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST); | 9344 PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST); |
(...skipping 15 matching lines...) Expand all Loading... | |
9064 rv = ssl3_HandleClientHello(ss, b, length); | 9360 rv = ssl3_HandleClientHello(ss, b, length); |
9065 break; | 9361 break; |
9066 case server_hello: | 9362 case server_hello: |
9067 if (ss->sec.isServer) { | 9363 if (ss->sec.isServer) { |
9068 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); | 9364 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); |
9069 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO); | 9365 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO); |
9070 return SECFailure; | 9366 return SECFailure; |
9071 } | 9367 } |
9072 rv = ssl3_HandleServerHello(ss, b, length); | 9368 rv = ssl3_HandleServerHello(ss, b, length); |
9073 break; | 9369 break; |
9370 case hello_verify_request: | |
9371 if (!IS_DTLS(ss) || ss->sec.isServer) { | |
9372 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); | |
9373 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST); | |
9374 return SECFailure; | |
9375 } | |
9376 rv = dtls_HandleHelloVerifyRequest(ss, b, length); | |
9377 break; | |
9074 case certificate: | 9378 case certificate: |
9075 if (ss->ssl3.hs.may_get_cert_status) { | 9379 if (ss->ssl3.hs.may_get_cert_status) { |
9076 /* If we might get a CertificateStatus then we want to postpone the | 9380 /* If we might get a CertificateStatus then we want to postpone the |
9077 * processing of the Certificate message until after we have | 9381 * processing of the Certificate message until after we have |
9078 * processed the CertificateStatus */ | 9382 * processed the CertificateStatus */ |
9079 if (ss->ssl3.hs.pending_cert_msg.data || | 9383 if (ss->ssl3.hs.pending_cert_msg.data || |
9080 ss->ssl3.hs.ws != wait_server_cert) { | 9384 ss->ssl3.hs.ws != wait_server_cert) { |
9081 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); | 9385 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); |
9082 (void)ssl_MapLowLevelError(SSL_ERROR_RX_UNEXPECTED_CERTIFICATE); | 9386 (void)ssl_MapLowLevelError(SSL_ERROR_RX_UNEXPECTED_CERTIFICATE); |
9083 return SECFailure; | 9387 return SECFailure; |
(...skipping 78 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
9162 rv = ssl3_HandleNewSessionTicket(ss, b, length); | 9466 rv = ssl3_HandleNewSessionTicket(ss, b, length); |
9163 break; | 9467 break; |
9164 case finished: | 9468 case finished: |
9165 rv = ssl3_HandleFinished(ss, b, length, &hashes); | 9469 rv = ssl3_HandleFinished(ss, b, length, &hashes); |
9166 break; | 9470 break; |
9167 default: | 9471 default: |
9168 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); | 9472 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); |
9169 PORT_SetError(SSL_ERROR_RX_UNKNOWN_HANDSHAKE); | 9473 PORT_SetError(SSL_ERROR_RX_UNKNOWN_HANDSHAKE); |
9170 rv = SECFailure; | 9474 rv = SECFailure; |
9171 } | 9475 } |
9476 | |
9477 if (IS_DTLS(ss) && (rv == SECSuccess)) { | |
9478 /* Increment the expected sequence number */ | |
9479 ss->ssl3.hs.recvMessageSeq++; | |
9480 } | |
9481 | |
9172 return rv; | 9482 return rv; |
9173 } | 9483 } |
9174 | 9484 |
9175 /* Called only from ssl3_HandleRecord, for each (deciphered) ssl3 record. | 9485 /* Called only from ssl3_HandleRecord, for each (deciphered) ssl3 record. |
9176 * origBuf is the decrypted ssl record content. | 9486 * origBuf is the decrypted ssl record content. |
9177 * Caller must hold the handshake and RecvBuf locks. | 9487 * Caller must hold the handshake and RecvBuf locks. |
9178 */ | 9488 */ |
9179 static SECStatus | 9489 static SECStatus |
9180 ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf) | 9490 ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf) |
9181 { | 9491 { |
(...skipping 142 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
9324 ssl3CipherSpec * crSpec; | 9634 ssl3CipherSpec * crSpec; |
9325 SECStatus rv; | 9635 SECStatus rv; |
9326 unsigned int hashBytes = MAX_MAC_LENGTH + 1; | 9636 unsigned int hashBytes = MAX_MAC_LENGTH + 1; |
9327 unsigned int padding_length; | 9637 unsigned int padding_length; |
9328 PRBool isTLS; | 9638 PRBool isTLS; |
9329 PRBool padIsBad = PR_FALSE; | 9639 PRBool padIsBad = PR_FALSE; |
9330 SSL3ContentType rType; | 9640 SSL3ContentType rType; |
9331 SSL3Opaque hash[MAX_MAC_LENGTH]; | 9641 SSL3Opaque hash[MAX_MAC_LENGTH]; |
9332 sslBuffer *plaintext; | 9642 sslBuffer *plaintext; |
9333 sslBuffer temp_buf; | 9643 sslBuffer temp_buf; |
9644 PRUint64 dtls_seq_num; | |
9334 unsigned int ivLen = 0; | 9645 unsigned int ivLen = 0; |
9335 | 9646 |
9336 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 9647 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
9337 | 9648 |
9338 if (!ss->ssl3.initialized) { | 9649 if (!ss->ssl3.initialized) { |
9339 ssl_GetSSL3HandshakeLock(ss); | 9650 ssl_GetSSL3HandshakeLock(ss); |
9340 rv = ssl3_InitState(ss); | 9651 rv = ssl3_InitState(ss); |
9341 ssl_ReleaseSSL3HandshakeLock(ss); | 9652 ssl_ReleaseSSL3HandshakeLock(ss); |
9342 if (rv != SECSuccess) { | 9653 if (rv != SECSuccess) { |
9343 return rv; /* ssl3_InitState has set the error code. */ | 9654 return rv; /* ssl3_InitState has set the error code. */ |
(...skipping 15 matching lines...) Expand all Loading... | |
9359 SSL_GETPID(), ss->fd)); | 9670 SSL_GETPID(), ss->fd)); |
9360 rType = content_handshake; | 9671 rType = content_handshake; |
9361 goto process_it; | 9672 goto process_it; |
9362 } | 9673 } |
9363 | 9674 |
9364 ssl_GetSpecReadLock(ss); /******************************************/ | 9675 ssl_GetSpecReadLock(ss); /******************************************/ |
9365 | 9676 |
9366 crSpec = ss->ssl3.crSpec; | 9677 crSpec = ss->ssl3.crSpec; |
9367 cipher_def = crSpec->cipher_def; | 9678 cipher_def = crSpec->cipher_def; |
9368 | 9679 |
9680 /* | |
9681 * DTLS relevance checks: | |
9682 * Note that this code currently ignores all out-of-epoch packets, | |
9683 * which means we lose some in the case of rehandshake + | |
9684 * loss/reordering. Since DTLS is explicitly unreliable, this | |
9685 * seems like a good tradeoff for implementation effort and is | |
9686 * consistent with the guidance of RFC 6347 S 4.1 and S 4.2.4.1 | |
9687 */ | |
9688 if (IS_DTLS(ss)) { | |
9689 DTLSEpoch epoch = (cText->seq_num.high >> 16) & 0xffff; | |
9690 | |
9691 if (crSpec->epoch != epoch) { | |
9692 ssl_ReleaseSpecReadLock(ss); | |
9693 SSL_DBG(("%d: SSL3[%d]: HandleRecord, received packet " | |
9694 "from irrelevant epoch %d", SSL_GETPID(), ss->fd, epoch)); | |
9695 /* Silently drop the packet */ | |
9696 databuf->len = 0; /* Needed to ensure data not left around */ | |
9697 return SECSuccess; | |
9698 } | |
9699 | |
9700 dtls_seq_num = (((PRUint64)(cText->seq_num.high & 0xffff)) << 32) | | |
9701 ((PRUint64)cText->seq_num.low); | |
9702 | |
9703 if (dtls_RecordGetRecvd(&crSpec->recvdRecords, dtls_seq_num)) { | |
9704 ssl_ReleaseSpecReadLock(ss); | |
9705 SSL_DBG(("%d: SSL3[%d]: HandleRecord, rejecting " | |
9706 "potentially replayed packet", SSL_GETPID(), ss->fd)); | |
9707 /* Silently drop the packet */ | |
9708 databuf->len = 0; /* Needed to ensure data not left around */ | |
9709 return SECSuccess; | |
9710 } | |
9711 } | |
9712 | |
9369 if (cipher_def->type == type_block && | 9713 if (cipher_def->type == type_block && |
9370 crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { | 9714 crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) { |
9371 /* Consume the per-record explicit IV. RFC 4346 Section 6.2.3.2 states | 9715 /* Consume the per-record explicit IV. RFC 4346 Section 6.2.3.2 states |
9372 * "The receiver decrypts the entire GenericBlockCipher structure and | 9716 * "The receiver decrypts the entire GenericBlockCipher structure and |
9373 * then discards the first cipher block corresponding to the IV | 9717 * then discards the first cipher block corresponding to the IV |
9374 * component." Instead, we decrypt the first cipher block and then | 9718 * component." Instead, we decrypt the first cipher block and then |
9375 * discard it before decrypting the rest. | 9719 * discard it before decrypting the rest. |
9376 */ | 9720 */ |
9377 SSL3Opaque iv[MAX_IV_LENGTH]; | 9721 SSL3Opaque iv[MAX_IV_LENGTH]; |
9378 int decoded; | 9722 int decoded; |
(...skipping 101 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
9480 | 9824 |
9481 /* Remove the MAC. */ | 9825 /* Remove the MAC. */ |
9482 if (plaintext->len >= crSpec->mac_size) | 9826 if (plaintext->len >= crSpec->mac_size) |
9483 plaintext->len -= crSpec->mac_size; | 9827 plaintext->len -= crSpec->mac_size; |
9484 else | 9828 else |
9485 padIsBad = PR_TRUE; /* really macIsBad */ | 9829 padIsBad = PR_TRUE; /* really macIsBad */ |
9486 | 9830 |
9487 /* compute the MAC */ | 9831 /* compute the MAC */ |
9488 rType = cText->type; | 9832 rType = cText->type; |
9489 rv = ssl3_ComputeRecordMAC( crSpec, (PRBool)(!ss->sec.isServer), | 9833 rv = ssl3_ComputeRecordMAC( crSpec, (PRBool)(!ss->sec.isServer), |
9490 » rType, cText->version, crSpec->read_seq_num, | 9834 IS_DTLS(ss), rType, cText->version, |
9835 IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, | |
9491 plaintext->buf, plaintext->len, hash, &hashBytes); | 9836 plaintext->buf, plaintext->len, hash, &hashBytes); |
9492 if (rv != SECSuccess) { | 9837 if (rv != SECSuccess) { |
9493 padIsBad = PR_TRUE; /* really macIsBad */ | 9838 padIsBad = PR_TRUE; /* really macIsBad */ |
9494 } | 9839 } |
9495 | 9840 |
9496 /* Check the MAC */ | 9841 /* Check the MAC */ |
9497 if (hashBytes != (unsigned)crSpec->mac_size || padIsBad || | 9842 if (hashBytes != (unsigned)crSpec->mac_size || padIsBad || |
9498 NSS_SecureMemcmp(plaintext->buf + plaintext->len, hash, | 9843 NSS_SecureMemcmp(plaintext->buf + plaintext->len, hash, |
9499 crSpec->mac_size) != 0) { | 9844 crSpec->mac_size) != 0) { |
9500 /* must not hold spec lock when calling SSL3_SendAlert. */ | 9845 /* must not hold spec lock when calling SSL3_SendAlert. */ |
9501 ssl_ReleaseSpecReadLock(ss); | 9846 ssl_ReleaseSpecReadLock(ss); |
9502 SSL3_SendAlert(ss, alert_fatal, bad_record_mac); | |
9503 /* always log mac error, in case attacker can read server logs. */ | |
9504 PORT_SetError(SSL_ERROR_BAD_MAC_READ); | |
9505 | 9847 |
9506 SSL_DBG(("%d: SSL3[%d]: mac check failed", SSL_GETPID(), ss->fd)); | 9848 SSL_DBG(("%d: SSL3[%d]: mac check failed", SSL_GETPID(), ss->fd)); |
9507 | 9849 |
9508 » return SECFailure; | 9850 » if (!IS_DTLS(ss)) { |
9851 » SSL3_SendAlert(ss, alert_fatal, bad_record_mac); | |
9852 » /* always log mac error, in case attacker can read server logs. */ | |
9853 » PORT_SetError(SSL_ERROR_BAD_MAC_READ); | |
9854 » return SECFailure; | |
9855 » } else { | |
9856 » /* Silently drop the packet */ | |
9857 databuf->len = 0; /* Needed to ensure data not left around */ | |
9858 » return SECSuccess; | |
9859 » } | |
9509 } | 9860 } |
9510 | 9861 |
9511 | 9862 if (!IS_DTLS(ss)) { |
9512 | 9863 » ssl3_BumpSequenceNumber(&crSpec->read_seq_num); |
9513 ssl3_BumpSequenceNumber(&crSpec->read_seq_num); | 9864 } else { |
9865 » dtls_RecordSetRecvd(&crSpec->recvdRecords, dtls_seq_num); | |
9866 } | |
9514 | 9867 |
9515 ssl_ReleaseSpecReadLock(ss); /*****************************************/ | 9868 ssl_ReleaseSpecReadLock(ss); /*****************************************/ |
9516 | 9869 |
9517 /* | 9870 /* |
9518 * The decrypted data is now in plaintext. | 9871 * The decrypted data is now in plaintext. |
9519 */ | 9872 */ |
9520 | 9873 |
9521 /* possibly decompress the record. If we aren't using compression then | 9874 /* possibly decompress the record. If we aren't using compression then |
9522 * plaintext == databuf and so the uncompressed data is already in | 9875 * plaintext == databuf and so the uncompressed data is already in |
9523 * databuf. */ | 9876 * databuf. */ |
(...skipping 84 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
9608 ** they return SECFailure or SECWouldBlock. | 9961 ** they return SECFailure or SECWouldBlock. |
9609 */ | 9962 */ |
9610 switch (rType) { | 9963 switch (rType) { |
9611 case content_change_cipher_spec: | 9964 case content_change_cipher_spec: |
9612 rv = ssl3_HandleChangeCipherSpecs(ss, databuf); | 9965 rv = ssl3_HandleChangeCipherSpecs(ss, databuf); |
9613 break; | 9966 break; |
9614 case content_alert: | 9967 case content_alert: |
9615 rv = ssl3_HandleAlert(ss, databuf); | 9968 rv = ssl3_HandleAlert(ss, databuf); |
9616 break; | 9969 break; |
9617 case content_handshake: | 9970 case content_handshake: |
9618 » rv = ssl3_HandleHandshake(ss, databuf); | 9971 » if (!IS_DTLS(ss)) { |
9972 » rv = ssl3_HandleHandshake(ss, databuf); | |
9973 » } else { | |
9974 » rv = dtls_HandleHandshake(ss, databuf); | |
9975 » } | |
9619 break; | 9976 break; |
9620 /* | 9977 /* |
9621 case content_application_data is handled before this switch | 9978 case content_application_data is handled before this switch |
9622 */ | 9979 */ |
9623 default: | 9980 default: |
9624 SSL_DBG(("%d: SSL3[%d]: bogus content type=%d", | 9981 SSL_DBG(("%d: SSL3[%d]: bogus content type=%d", |
9625 SSL_GETPID(), ss->fd, cText->type)); | 9982 SSL_GETPID(), ss->fd, cText->type)); |
9626 /* XXX Send an alert ??? */ | 9983 /* XXX Send an alert ??? */ |
9627 PORT_SetError(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE); | 9984 PORT_SetError(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE); |
9628 rv = SECFailure; | 9985 rv = SECFailure; |
(...skipping 39 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
9668 spec->server.write_key = NULL; | 10025 spec->server.write_key = NULL; |
9669 spec->server.write_mac_key = NULL; | 10026 spec->server.write_mac_key = NULL; |
9670 spec->server.write_mac_context = NULL; | 10027 spec->server.write_mac_context = NULL; |
9671 | 10028 |
9672 spec->write_seq_num.high = 0; | 10029 spec->write_seq_num.high = 0; |
9673 spec->write_seq_num.low = 0; | 10030 spec->write_seq_num.low = 0; |
9674 | 10031 |
9675 spec->read_seq_num.high = 0; | 10032 spec->read_seq_num.high = 0; |
9676 spec->read_seq_num.low = 0; | 10033 spec->read_seq_num.low = 0; |
9677 | 10034 |
10035 spec->epoch = 0; | |
10036 dtls_InitRecvdRecords(&spec->recvdRecords); | |
10037 | |
9678 spec->version = ss->vrange.max; | 10038 spec->version = ss->vrange.max; |
9679 } | 10039 } |
9680 | 10040 |
9681 /* Called from: ssl3_SendRecord | 10041 /* Called from: ssl3_SendRecord |
9682 ** ssl3_StartHandshakeHash() <- ssl2_BeginClientHandshake() | 10042 ** ssl3_StartHandshakeHash() <- ssl2_BeginClientHandshake() |
9683 ** ssl3_SendClientHello() | 10043 ** ssl3_SendClientHello() |
9684 ** ssl3_HandleServerHello() | 10044 ** ssl3_HandleServerHello() |
9685 ** ssl3_HandleClientHello() | 10045 ** ssl3_HandleClientHello() |
9686 ** ssl3_HandleV2ClientHello() | 10046 ** ssl3_HandleV2ClientHello() |
9687 ** ssl3_HandleRecord() | 10047 ** ssl3_HandleRecord() |
(...skipping 21 matching lines...) Expand all Loading... | |
9709 ssl3_InitCipherSpec(ss, ss->ssl3.prSpec); | 10069 ssl3_InitCipherSpec(ss, ss->ssl3.prSpec); |
9710 | 10070 |
9711 ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello; | 10071 ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello; |
9712 #ifdef NSS_ENABLE_ECC | 10072 #ifdef NSS_ENABLE_ECC |
9713 ss->ssl3.hs.negotiatedECCurves = SSL3_SUPPORTED_CURVES_MASK; | 10073 ss->ssl3.hs.negotiatedECCurves = SSL3_SUPPORTED_CURVES_MASK; |
9714 #endif | 10074 #endif |
9715 ssl_ReleaseSpecWriteLock(ss); | 10075 ssl_ReleaseSpecWriteLock(ss); |
9716 | 10076 |
9717 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); | 10077 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); |
9718 | 10078 |
10079 if (IS_DTLS(ss)) { | |
10080 ss->ssl3.hs.sendMessageSeq = 0; | |
10081 ss->ssl3.hs.recvMessageSeq = 0; | |
10082 ss->ssl3.hs.rtTimeoutMs = INITIAL_DTLS_TIMEOUT_MS; | |
10083 ss->ssl3.hs.rtRetries = 0; | |
10084 | |
10085 /* Have to allocate this because ssl_FreeSocket relocates | |
10086 * this structure in DEBUG mode */ | |
10087 if (!(ss->ssl3.hs.lastMessageFlight = PORT_New(PRCList))) | |
10088 return SECFailure; | |
10089 ss->ssl3.hs.recvdHighWater = -1; | |
10090 PR_INIT_CLIST(ss->ssl3.hs.lastMessageFlight); | |
10091 dtls_SetMTU(ss, 0); /* Set the MTU to the highest plateau */ | |
10092 } | |
10093 | |
9719 rv = ssl3_NewHandshakeHashes(ss); | 10094 rv = ssl3_NewHandshakeHashes(ss); |
9720 if (rv == SECSuccess) { | 10095 if (rv == SECSuccess) { |
9721 ss->ssl3.initialized = PR_TRUE; | 10096 ss->ssl3.initialized = PR_TRUE; |
9722 } | 10097 } |
9723 | 10098 |
9724 return rv; | 10099 return rv; |
9725 } | 10100 } |
9726 | 10101 |
9727 /* Returns a reference counted object that contains a key pair. | 10102 /* Returns a reference counted object that contains a key pair. |
9728 * Or NULL on failure. Initial ref count is 1. | 10103 * Or NULL on failure. Initial ref count is 1. |
(...skipping 232 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
9961 | 10336 |
9962 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 10337 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
9963 | 10338 |
9964 if (!ss->firstHsDone || | 10339 if (!ss->firstHsDone || |
9965 ((ss->version >= SSL_LIBRARY_VERSION_3_0) && | 10340 ((ss->version >= SSL_LIBRARY_VERSION_3_0) && |
9966 ss->ssl3.initialized && | 10341 ss->ssl3.initialized && |
9967 (ss->ssl3.hs.ws != idle_handshake))) { | 10342 (ss->ssl3.hs.ws != idle_handshake))) { |
9968 PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED); | 10343 PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED); |
9969 return SECFailure; | 10344 return SECFailure; |
9970 } | 10345 } |
10346 | |
10347 if (IS_DTLS(ss)) { | |
10348 dtls_RehandshakeCleanup(ss); | |
10349 } | |
10350 | |
9971 if (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) { | 10351 if (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) { |
9972 PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED); | 10352 PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED); |
9973 return SECFailure; | 10353 return SECFailure; |
9974 } | 10354 } |
9975 if (sid && flushCache) { | 10355 if (sid && flushCache) { |
9976 ss->sec.uncache(sid); /* remove it from whichever cache it's in. */ | 10356 ss->sec.uncache(sid); /* remove it from whichever cache it's in. */ |
9977 ssl_FreeSID(sid); /* dec ref count and free if zero. */ | 10357 ssl_FreeSID(sid); /* dec ref count and free if zero. */ |
9978 ss->sec.ci.sid = NULL; | 10358 ss->sec.ci.sid = NULL; |
9979 } | 10359 } |
9980 | 10360 |
9981 ssl_GetXmitBufLock(ss); /**************************************/ | 10361 ssl_GetXmitBufLock(ss); /**************************************/ |
9982 | 10362 |
9983 /* start off a new handshake. */ | 10363 /* start off a new handshake. */ |
9984 rv = (ss->sec.isServer) ? ssl3_SendHelloRequest(ss) | 10364 rv = (ss->sec.isServer) ? ssl3_SendHelloRequest(ss) |
9985 : ssl3_SendClientHello(ss); | 10365 : ssl3_SendClientHello(ss, PR_FALSE); |
9986 | 10366 |
9987 ssl_ReleaseXmitBufLock(ss); /**************************************/ | 10367 ssl_ReleaseXmitBufLock(ss); /**************************************/ |
9988 return rv; | 10368 return rv; |
9989 } | 10369 } |
9990 | 10370 |
9991 /* Called from ssl_DestroySocketContents() in sslsock.c */ | 10371 /* Called from ssl_DestroySocketContents() in sslsock.c */ |
9992 void | 10372 void |
9993 ssl3_DestroySSL3Info(sslSocket *ss) | 10373 ssl3_DestroySSL3Info(sslSocket *ss) |
9994 { | 10374 { |
9995 | 10375 |
(...skipping 39 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
10035 SECITEM_FreeItem(&ss->ssl3.hs.cert_status, PR_FALSE); | 10415 SECITEM_FreeItem(&ss->ssl3.hs.cert_status, PR_FALSE); |
10036 } | 10416 } |
10037 | 10417 |
10038 /* free the SSL3Buffer (msg_body) */ | 10418 /* free the SSL3Buffer (msg_body) */ |
10039 PORT_Free(ss->ssl3.hs.msg_body.buf); | 10419 PORT_Free(ss->ssl3.hs.msg_body.buf); |
10040 | 10420 |
10041 /* free up the CipherSpecs */ | 10421 /* free up the CipherSpecs */ |
10042 ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE/*freeSrvName*/); | 10422 ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE/*freeSrvName*/); |
10043 ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/); | 10423 ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/); |
10044 | 10424 |
10425 /* Destroy the DTLS data */ | |
10426 if (IS_DTLS(ss)) { | |
10427 if (ss->ssl3.hs.lastMessageFlight) { | |
10428 dtls_FreeHandshakeMessages(ss->ssl3.hs.lastMessageFlight); | |
10429 PORT_Free(ss->ssl3.hs.lastMessageFlight); | |
10430 } | |
10431 if (ss->ssl3.hs.recvdFragments.buf) { | |
10432 PORT_Free(ss->ssl3.hs.recvdFragments.buf); | |
10433 } | |
10434 } | |
10435 | |
10045 ss->ssl3.initialized = PR_FALSE; | 10436 ss->ssl3.initialized = PR_FALSE; |
10046 | 10437 |
10047 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); | 10438 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); |
10048 } | 10439 } |
10049 | 10440 |
10050 /* End of ssl3con.c */ | 10441 /* End of ssl3con.c */ |
OLD | NEW |