Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(266)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/third_party/nss/ssl/ssl3con.c

Issue 1053903002: Update libssl to NSS 3.18 RTM (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 5 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/third_party/nss/ssl/ssl.h ('k') | net/third_party/nss/ssl/ssl3ecc.c » ('j') | net/third_party/nss/ssl/ssl3ext.c » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /* 2 /*
3 * SSL3 Protocol 3 * SSL3 Protocol
4 * 4 *
5 * This Source Code Form is subject to the terms of the Mozilla Public 5 * This Source Code Form is subject to the terms of the Mozilla Public
6 * License, v. 2.0. If a copy of the MPL was not distributed with this 6 * License, v. 2.0. If a copy of the MPL was not distributed with this
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
8 8
9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ 9 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
10 10
(...skipping 101 matching lines...) Expand 10 before | Expand all | Expand 10 after
112 * precedence (desirability). It only includes cipher suites we implement. 112 * precedence (desirability). It only includes cipher suites we implement.
113 * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites 113 * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites
114 * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c) 114 * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c)
115 * 115 *
116 * Important: See bug 946147 before enabling, reordering, or adding any cipher 116 * Important: See bug 946147 before enabling, reordering, or adding any cipher
117 * suites to this list. 117 * suites to this list.
118 */ 118 */
119 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { 119 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
120 /* cipher_suite policy enabled isPresent */ 120 /* cipher_suite policy enabled isPresent */
121 121
122 #ifdef NSS_ENABLE_ECC 122 #ifndef NSS_DISABLE_ECC
123 { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 123 { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, SSL_ALLOWED, PR_FALSE, PR_FALSE},
124 { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 124 { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, SSL_ALLOWED, PR_FALSE, PR_FALSE},
125 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 125 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
126 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 126 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
127 /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around 127 /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
128 * bug 946147. 128 * bug 946147.
129 */ 129 */
130 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 130 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
131 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 131 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
132 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 132 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
133 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 133 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
134 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 134 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
135 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 135 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
136 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 136 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
137 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 137 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
138 { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 138 { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
139 { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 139 { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
140 #endif /* NSS_ENABLE_ECC */ 140 #endif /* NSS_DISABLE_ECC */
141 141
142 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, 142 { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
143 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, 143 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
144 { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, 144 { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
145 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, 145 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
146 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 146 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
147 { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 147 { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
148 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, 148 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
149 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, 149 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
150 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, 150 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
151 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 151 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
152 { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 152 { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
153 { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, 153 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
154 { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, 154 { TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
155 { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 155 { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
156 156
157 #ifdef NSS_ENABLE_ECC 157 #ifndef NSS_DISABLE_ECC
158 { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 158 { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
159 { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 159 { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
160 { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 160 { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
161 { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 161 { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
162 { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 162 { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
163 { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 163 { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
164 { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 164 { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
165 { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 165 { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
166 #endif /* NSS_ENABLE_ECC */ 166 #endif /* NSS_DISABLE_ECC */
167 167
168 /* RSA */ 168 /* RSA */
169 { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, 169 { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
170 { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, 170 { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
171 { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, 171 { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
172 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 172 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
173 { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, 173 { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
174 { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, 174 { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
175 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 175 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
176 { TLS_RSA_WITH_SEED_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 176 { TLS_RSA_WITH_SEED_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
177 { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 177 { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
178 { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, 178 { TLS_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
179 { SSL_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, 179 { TLS_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
180 { SSL_RSA_WITH_RC4_128_MD5, SSL_ALLOWED, PR_TRUE, PR_FALSE}, 180 { TLS_RSA_WITH_RC4_128_MD5, SSL_ALLOWED, PR_TRUE, PR_FALSE},
181 181
182 /* 56-bit DES "domestic" cipher suites */ 182 /* 56-bit DES "domestic" cipher suites */
183 { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 183 { TLS_DHE_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
184 { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 184 { TLS_DHE_DSS_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
185 { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 185 { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
186 { SSL_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 186 { TLS_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
187 187
188 /* export ciphersuites with 1024-bit public key exchange keys */ 188 /* export ciphersuites with 1024-bit public key exchange keys */
189 { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 189 { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
190 { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 190 { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
191 191
192 /* export ciphersuites with 512-bit public key exchange keys */ 192 /* export ciphersuites with 512-bit public key exchange keys */
193 { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 193 { TLS_RSA_EXPORT_WITH_RC4_40_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE},
194 { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 194 { TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE},
195 195
196 /* ciphersuites with no encryption */ 196 /* ciphersuites with no encryption */
197 #ifdef NSS_ENABLE_ECC 197 #ifndef NSS_DISABLE_ECC
198 { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 198 { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
199 { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 199 { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
200 { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 200 { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
201 { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 201 { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
202 #endif /* NSS_ENABLE_ECC */ 202 #endif /* NSS_DISABLE_ECC */
203 { SSL_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 203 { TLS_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
204 { TLS_RSA_WITH_NULL_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 204 { TLS_RSA_WITH_NULL_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
205 { SSL_RSA_WITH_NULL_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE}, 205 { TLS_RSA_WITH_NULL_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE},
206 }; 206 };
207 207
208 /* Verify that SSL_ImplementedCiphers and cipherSuites are in consistent order. 208 /* Verify that SSL_ImplementedCiphers and cipherSuites are in consistent order.
209 */ 209 */
210 #ifdef DEBUG 210 #ifdef DEBUG
211 void ssl3_CheckCipherSuiteOrderConsistency() 211 void ssl3_CheckCipherSuiteOrderConsistency()
212 { 212 {
213 unsigned int i; 213 unsigned int i;
214 214
215 /* Note that SSL_ImplementedCiphers has more elements than cipherSuites 215 /* Note that SSL_ImplementedCiphers has more elements than cipherSuites
(...skipping 24 matching lines...) Expand all
240 /* compressionEnabled returns true iff the compression algorithm is enabled 240 /* compressionEnabled returns true iff the compression algorithm is enabled
241 * for the given SSL socket. */ 241 * for the given SSL socket. */
242 static PRBool 242 static PRBool
243 compressionEnabled(sslSocket *ss, SSLCompressionMethod compression) 243 compressionEnabled(sslSocket *ss, SSLCompressionMethod compression)
244 { 244 {
245 switch (compression) { 245 switch (compression) {
246 case ssl_compression_null: 246 case ssl_compression_null:
247 return PR_TRUE; /* Always enabled */ 247 return PR_TRUE; /* Always enabled */
248 #ifdef NSS_ENABLE_ZLIB 248 #ifdef NSS_ENABLE_ZLIB
249 case ssl_compression_deflate: 249 case ssl_compression_deflate:
250 » return ss->opt.enableDeflate; 250 if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
251 return ss->opt.enableDeflate;
252 }
253 return PR_FALSE;
251 #endif 254 #endif
252 default: 255 default:
253 return PR_FALSE; 256 return PR_FALSE;
254 } 257 }
255 } 258 }
256 259
257 static const /*SSL3ClientCertificateType */ PRUint8 certificate_types [] = { 260 static const /*SSL3ClientCertificateType */ PRUint8 certificate_types [] = {
258 ct_RSA_sign, 261 ct_RSA_sign,
259 #ifdef NSS_ENABLE_ECC 262 #ifndef NSS_DISABLE_ECC
260 ct_ECDSA_sign, 263 ct_ECDSA_sign,
261 #endif /* NSS_ENABLE_ECC */ 264 #endif /* NSS_DISABLE_ECC */
262 ct_DSS_sign, 265 ct_DSS_sign,
263 }; 266 };
264 267
265 /* This block is the contents of the supported_signature_algorithms field of 268 /* This block is the contents of the supported_signature_algorithms field of
266 * our TLS 1.2 CertificateRequest message, in wire format. See 269 * our TLS 1.2 CertificateRequest message, in wire format. See
267 * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 270 * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
268 * 271 *
269 * This block contains only sha256 entries because we only support TLS 1.2 272 * This block contains only sha256 entries because we only support TLS 1.2
270 * CertificateVerify messages that use the handshake hash. */ 273 * CertificateVerify messages that use the handshake hash. */
271 static const PRUint8 supported_signature_algorithms[] = { 274 static const PRUint8 supported_signature_algorithms[] = {
272 tls_hash_sha256, tls_sig_rsa, 275 tls_hash_sha256, tls_sig_rsa,
273 #ifdef NSS_ENABLE_ECC 276 #ifndef NSS_DISABLE_ECC
274 tls_hash_sha256, tls_sig_ecdsa, 277 tls_hash_sha256, tls_sig_ecdsa,
275 #endif 278 #endif
276 tls_hash_sha256, tls_sig_dsa, 279 tls_hash_sha256, tls_sig_dsa,
277 }; 280 };
278 281
279 #define EXPORT_RSA_KEY_LENGTH 64 /* bytes */ 282 #define EXPORT_RSA_KEY_LENGTH 64 /* bytes */
280 283
281 284
282 /* This global item is used only in servers. It is is initialized by 285 /* This global item is used only in servers. It is is initialized by
283 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest(). 286 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest().
(...skipping 41 matching lines...) Expand 10 before | Expand all | Expand 10 after
325 {kea_dh_dss_export, kt_dh, sign_dsa, PR_TRUE, 512, PR_FALSE}, 328 {kea_dh_dss_export, kt_dh, sign_dsa, PR_TRUE, 512, PR_FALSE},
326 {kea_dh_rsa, kt_dh, sign_rsa, PR_FALSE, 0, PR_FALSE}, 329 {kea_dh_rsa, kt_dh, sign_rsa, PR_FALSE, 0, PR_FALSE},
327 {kea_dh_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE}, 330 {kea_dh_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE},
328 {kea_dhe_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE}, 331 {kea_dhe_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE},
329 {kea_dhe_dss_export, kt_dh, sign_dsa, PR_TRUE, 512, PR_FALSE}, 332 {kea_dhe_dss_export, kt_dh, sign_dsa, PR_TRUE, 512, PR_FALSE},
330 {kea_dhe_rsa, kt_dh, sign_rsa, PR_FALSE, 0, PR_FALSE}, 333 {kea_dhe_rsa, kt_dh, sign_rsa, PR_FALSE, 0, PR_FALSE},
331 {kea_dhe_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE}, 334 {kea_dhe_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE},
332 {kea_dh_anon, kt_dh, sign_null, PR_FALSE, 0, PR_FALSE}, 335 {kea_dh_anon, kt_dh, sign_null, PR_FALSE, 0, PR_FALSE},
333 {kea_dh_anon_export, kt_dh, sign_null, PR_TRUE, 512, PR_FALSE}, 336 {kea_dh_anon_export, kt_dh, sign_null, PR_TRUE, 512, PR_FALSE},
334 {kea_rsa_fips, kt_rsa, sign_rsa, PR_FALSE, 0, PR_TRUE }, 337 {kea_rsa_fips, kt_rsa, sign_rsa, PR_FALSE, 0, PR_TRUE },
335 #ifdef NSS_ENABLE_ECC 338 #ifndef NSS_DISABLE_ECC
336 {kea_ecdh_ecdsa, kt_ecdh, sign_ecdsa, PR_FALSE, 0, PR_FALSE}, 339 {kea_ecdh_ecdsa, kt_ecdh, sign_ecdsa, PR_FALSE, 0, PR_FALSE},
337 {kea_ecdhe_ecdsa, kt_ecdh, sign_ecdsa, PR_FALSE, 0, PR_FALSE}, 340 {kea_ecdhe_ecdsa, kt_ecdh, sign_ecdsa, PR_FALSE, 0, PR_FALSE},
338 {kea_ecdh_rsa, kt_ecdh, sign_rsa, PR_FALSE, 0, PR_FALSE}, 341 {kea_ecdh_rsa, kt_ecdh, sign_rsa, PR_FALSE, 0, PR_FALSE},
339 {kea_ecdhe_rsa, kt_ecdh, sign_rsa, PR_FALSE, 0, PR_FALSE}, 342 {kea_ecdhe_rsa, kt_ecdh, sign_rsa, PR_FALSE, 0, PR_FALSE},
340 {kea_ecdh_anon, kt_ecdh, sign_null, PR_FALSE, 0, PR_FALSE}, 343 {kea_ecdh_anon, kt_ecdh, sign_null, PR_FALSE, 0, PR_FALSE},
341 #endif /* NSS_ENABLE_ECC */ 344 #endif /* NSS_DISABLE_ECC */
342 }; 345 };
343 346
344 /* must use ssl_LookupCipherSuiteDef to access */ 347 /* must use ssl_LookupCipherSuiteDef to access */
345 static const ssl3CipherSuiteDef cipher_suite_defs[] = 348 static const ssl3CipherSuiteDef cipher_suite_defs[] =
346 { 349 {
347 /* cipher_suite bulk_cipher_alg mac_alg key_exchange_alg */ 350 /* cipher_suite bulk_cipher_alg mac_alg key_exchange_alg */
348 351
349 {SSL_NULL_WITH_NULL_NULL, cipher_null, mac_null, kea_null}, 352 {TLS_NULL_WITH_NULL_NULL, cipher_null, mac_null, kea_null},
350 {SSL_RSA_WITH_NULL_MD5, cipher_null, mac_md5, kea_rsa}, 353 {TLS_RSA_WITH_NULL_MD5, cipher_null, mac_md5, kea_rsa},
351 {SSL_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_rsa}, 354 {TLS_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_rsa},
352 {TLS_RSA_WITH_NULL_SHA256, cipher_null, hmac_sha256, kea_rsa}, 355 {TLS_RSA_WITH_NULL_SHA256, cipher_null, hmac_sha256, kea_rsa},
353 {SSL_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export}, 356 {TLS_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export},
354 {SSL_RSA_WITH_RC4_128_MD5, cipher_rc4, mac_md5, kea_rsa}, 357 {TLS_RSA_WITH_RC4_128_MD5, cipher_rc4, mac_md5, kea_rsa},
355 {SSL_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_rsa}, 358 {TLS_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_rsa},
356 {SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, 359 {TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
357 cipher_rc2_40, mac_md5, kea_rsa_export}, 360 cipher_rc2_40, mac_md5, kea_rsa_export},
358 #if 0 /* not implemented */ 361 #if 0 /* not implemented */
359 {SSL_RSA_WITH_IDEA_CBC_SHA, cipher_idea, mac_sha, kea_rsa}, 362 {TLS_RSA_WITH_IDEA_CBC_SHA, cipher_idea, mac_sha, kea_rsa},
360 {SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, 363 {TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
361 cipher_des40, mac_sha, kea_rsa_export}, 364 cipher_des40, mac_sha, kea_rsa_export},
362 #endif 365 #endif
363 {SSL_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa}, 366 {TLS_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa},
364 {SSL_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa}, 367 {TLS_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa},
365 {SSL_DHE_DSS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_dss}, 368 {TLS_DHE_DSS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_dss},
366 {SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, 369 {TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
367 cipher_3des, mac_sha, kea_dhe_dss}, 370 cipher_3des, mac_sha, kea_dhe_dss},
368 {TLS_DHE_DSS_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_dhe_dss}, 371 {TLS_DHE_DSS_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_dhe_dss},
369 #if 0 /* not implemented */ 372 #if 0 /* not implemented */
370 {SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, 373 {TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
371 cipher_des40, mac_sha, kea_dh_dss_export}, 374 cipher_des40, mac_sha, kea_dh_dss_export},
372 {SSL_DH_DSS_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_dss}, 375 {TLS_DH_DSS_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_dss},
373 {SSL_DH_DSS_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_dss}, 376 {TLS_DH_DSS_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_dss},
374 {SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, 377 {TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
375 cipher_des40, mac_sha, kea_dh_rsa_export}, 378 cipher_des40, mac_sha, kea_dh_rsa_export},
376 {SSL_DH_RSA_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_rsa}, 379 {TLS_DH_RSA_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_rsa},
377 {SSL_DH_RSA_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_rsa}, 380 {TLS_DH_RSA_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_rsa},
378 {SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, 381 {TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
379 cipher_des40, mac_sha, kea_dh_dss_export}, 382 cipher_des40, mac_sha, kea_dh_dss_export},
380 {SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, 383 {TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
381 cipher_des40, mac_sha, kea_dh_rsa_export}, 384 cipher_des40, mac_sha, kea_dh_rsa_export},
382 #endif 385 #endif
383 {SSL_DHE_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_rsa}, 386 {TLS_DHE_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_rsa},
384 {SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 387 {TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
385 cipher_3des, mac_sha, kea_dhe_rsa}, 388 cipher_3des, mac_sha, kea_dhe_rsa},
386 #if 0 389 #if 0
387 {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4_40, mac_md5, kea_dh_anon_export}, 390 {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4_40, mac_md5, kea_dh_anon_export},
388 {SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA, 391 {TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
389 cipher_des40, mac_sha, kea_dh_anon_export}, 392 cipher_des40, mac_sha, kea_dh_anon_export},
390 {SSL_DH_ANON_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_anon}, 393 {TLS_DH_anon_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_anon},
391 {SSL_DH_ANON_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_anon}, 394 {TLS_DH_anon_WITH_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_anon},
392 #endif 395 #endif
393 396
394 397
395 /* New TLS cipher suites */ 398 /* New TLS cipher suites */
396 {TLS_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_rsa}, 399 {TLS_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_rsa},
397 {TLS_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_rsa}, 400 {TLS_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_rsa},
398 {TLS_DHE_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_dss}, 401 {TLS_DHE_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_dss},
399 {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_rsa}, 402 {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_rsa},
400 {TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_r sa}, 403 {TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_r sa},
401 {TLS_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_rsa}, 404 {TLS_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_rsa},
402 {TLS_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_rsa}, 405 {TLS_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_rsa},
403 {TLS_DHE_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_dss}, 406 {TLS_DHE_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_dss},
404 {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_rsa}, 407 {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_rsa},
405 {TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_r sa}, 408 {TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_r sa},
406 #if 0 409 #if 0
407 {TLS_DH_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_dss}, 410 {TLS_DH_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_dss},
408 {TLS_DH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_rsa}, 411 {TLS_DH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_rsa},
409 {TLS_DH_ANON_WITH_AES_128_CBC_SHA, »cipher_aes_128, mac_sha, kea_dh_anon}, 412 {TLS_DH_anon_WITH_AES_128_CBC_SHA, »cipher_aes_128, mac_sha, kea_dh_anon},
410 {TLS_DH_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_dss}, 413 {TLS_DH_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_dss},
411 {TLS_DH_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_rsa}, 414 {TLS_DH_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_rsa},
412 {TLS_DH_ANON_WITH_AES_256_CBC_SHA, »cipher_aes_256, mac_sha, kea_dh_anon}, 415 {TLS_DH_anon_WITH_AES_256_CBC_SHA, »cipher_aes_256, mac_sha, kea_dh_anon},
413 #endif 416 #endif
414 417
415 {TLS_RSA_WITH_SEED_CBC_SHA, cipher_seed, mac_sha, kea_rsa}, 418 {TLS_RSA_WITH_SEED_CBC_SHA, cipher_seed, mac_sha, kea_rsa},
416 419
417 {TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, cipher_camellia_128, mac_sha, kea_rsa}, 420 {TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, cipher_camellia_128, mac_sha, kea_rsa},
418 {TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, 421 {TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
419 cipher_camellia_128, mac_sha, kea_dhe_dss}, 422 cipher_camellia_128, mac_sha, kea_dhe_dss},
420 {TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, 423 {TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
421 cipher_camellia_128, mac_sha, kea_dhe_rsa}, 424 cipher_camellia_128, mac_sha, kea_dhe_rsa},
422 {TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, cipher_camellia_256, mac_sha, kea_rsa}, 425 {TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, cipher_camellia_256, mac_sha, kea_rsa},
(...skipping 10 matching lines...) Expand all
433 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips}, 436 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips},
434 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips}, 437 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips},
435 438
436 {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_ rsa}, 439 {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_ rsa},
437 {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa}, 440 {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa},
438 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ec dhe_rsa}, 441 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ec dhe_rsa},
439 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ ecdhe_ecdsa}, 442 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ ecdhe_ecdsa},
440 {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdhe_ rsa}, 443 {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdhe_ rsa},
441 {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdh e_ecdsa}, 444 {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdh e_ecdsa},
442 445
443 #ifdef NSS_ENABLE_ECC 446 #ifndef NSS_DISABLE_ECC
444 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}, 447 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa},
445 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa}, 448 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa},
446 {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa} , 449 {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa} ,
447 {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecds a}, 450 {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecds a},
448 {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecds a}, 451 {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecds a},
449 452
450 {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa }, 453 {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa },
451 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa }, 454 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdhe_ecdsa },
452 {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecds a}, 455 {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecds a},
453 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_ec dsa}, 456 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_ec dsa},
(...skipping 13 matching lines...) Expand all
467 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecd he_rsa}, 470 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_ecd he_rsa},
468 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_rsa }, 471 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_rsa },
469 472
470 #if 0 473 #if 0
471 {TLS_ECDH_anon_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_anon }, 474 {TLS_ECDH_anon_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_anon },
472 {TLS_ECDH_anon_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_anon }, 475 {TLS_ECDH_anon_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_anon },
473 {TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_anon }, 476 {TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_anon },
474 {TLS_ECDH_anon_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_anon }, 477 {TLS_ECDH_anon_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_anon },
475 {TLS_ECDH_anon_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_anon }, 478 {TLS_ECDH_anon_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_anon },
476 #endif 479 #endif
477 #endif /* NSS_ENABLE_ECC */ 480 #endif /* NSS_DISABLE_ECC */
478 }; 481 };
479 482
480 static const CK_MECHANISM_TYPE kea_alg_defs[] = { 483 static const CK_MECHANISM_TYPE kea_alg_defs[] = {
481 0x80000000L, 484 0x80000000L,
482 CKM_RSA_PKCS, 485 CKM_RSA_PKCS,
483 CKM_DH_PKCS_DERIVE, 486 CKM_DH_PKCS_DERIVE,
484 CKM_KEA_KEY_DERIVE, 487 CKM_KEA_KEY_DERIVE,
485 CKM_ECDH1_DERIVE 488 CKM_ECDH1_DERIVE
486 }; 489 };
487 490
(...skipping 53 matching lines...) Expand 10 before | Expand all | Expand 10 after
541 "IDEA-CBC", 544 "IDEA-CBC",
542 "AES-128", 545 "AES-128",
543 "AES-256", 546 "AES-256",
544 "Camellia-128", 547 "Camellia-128",
545 "Camellia-256", 548 "Camellia-256",
546 "SEED-CBC", 549 "SEED-CBC",
547 "AES-128-GCM", 550 "AES-128-GCM",
548 "missing" 551 "missing"
549 }; 552 };
550 553
551 #ifdef NSS_ENABLE_ECC 554 #ifndef NSS_DISABLE_ECC
552 /* The ECCWrappedKeyInfo structure defines how various pieces of 555 /* The ECCWrappedKeyInfo structure defines how various pieces of
553 * information are laid out within wrappedSymmetricWrappingkey 556 * information are laid out within wrappedSymmetricWrappingkey
554 * for ECDH key exchange. Since wrappedSymmetricWrappingkey is 557 * for ECDH key exchange. Since wrappedSymmetricWrappingkey is
555 * a 512-byte buffer (see sslimpl.h), the variable length field 558 * a 512-byte buffer (see sslimpl.h), the variable length field
556 * in ECCWrappedKeyInfo can be at most (512 - 8) = 504 bytes. 559 * in ECCWrappedKeyInfo can be at most (512 - 8) = 504 bytes.
557 * 560 *
558 * XXX For now, NSS only supports named elliptic curves of size 571 bits 561 * XXX For now, NSS only supports named elliptic curves of size 571 bits
559 * or smaller. The public value will fit within 145 bytes and EC params 562 * or smaller. The public value will fit within 145 bytes and EC params
560 * will fit within 12 bytes. We'll need to revisit this when NSS 563 * will fit within 12 bytes. We'll need to revisit this when NSS
561 * supports arbitrary curves. 564 * supports arbitrary curves.
562 */ 565 */
563 #define MAX_EC_WRAPPED_KEY_BUFLEN 504 566 #define MAX_EC_WRAPPED_KEY_BUFLEN 504
564 567
565 typedef struct ECCWrappedKeyInfoStr { 568 typedef struct ECCWrappedKeyInfoStr {
566 PRUint16 size; /* EC public key size in bits */ 569 PRUint16 size; /* EC public key size in bits */
567 PRUint16 encodedParamLen; /* length (in bytes) of DER encoded EC params */ 570 PRUint16 encodedParamLen; /* length (in bytes) of DER encoded EC params */
568 PRUint16 pubValueLen; /* length (in bytes) of EC public value */ 571 PRUint16 pubValueLen; /* length (in bytes) of EC public value */
569 PRUint16 wrappedKeyLen; /* length (in bytes) of the wrapped key */ 572 PRUint16 wrappedKeyLen; /* length (in bytes) of the wrapped key */
570 PRUint8 var[MAX_EC_WRAPPED_KEY_BUFLEN]; /* this buffer contains the */ 573 PRUint8 var[MAX_EC_WRAPPED_KEY_BUFLEN]; /* this buffer contains the */
571 /* EC public-key params, the EC public value and the wrapped key */ 574 /* EC public-key params, the EC public value and the wrapped key */
572 } ECCWrappedKeyInfo; 575 } ECCWrappedKeyInfo;
573 #endif /* NSS_ENABLE_ECC */ 576 #endif /* NSS_DISABLE_ECC */
574 577
575 #if defined(TRACE) 578 #if defined(TRACE)
576 579
577 static char * 580 static char *
578 ssl3_DecodeHandshakeType(int msgType) 581 ssl3_DecodeHandshakeType(int msgType)
579 { 582 {
580 char * rv; 583 char * rv;
581 static char line[40]; 584 static char line[40];
582 585
583 switch(msgType) { 586 switch(msgType) {
(...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after
651 static PRBool 654 static PRBool
652 ssl3_CipherSuiteAllowedForVersionRange( 655 ssl3_CipherSuiteAllowedForVersionRange(
653 ssl3CipherSuite cipherSuite, 656 ssl3CipherSuite cipherSuite,
654 const SSLVersionRange *vrange) 657 const SSLVersionRange *vrange)
655 { 658 {
656 switch (cipherSuite) { 659 switch (cipherSuite) {
657 /* See RFC 4346 A.5. Export cipher suites must not be used in TLS 1.1 or 660 /* See RFC 4346 A.5. Export cipher suites must not be used in TLS 1.1 or
658 * later. This set of cipher suites is similar to, but different from, the 661 * later. This set of cipher suites is similar to, but different from, the
659 * set of cipher suites considered exportable by SSL_IsExportCipherSuite. 662 * set of cipher suites considered exportable by SSL_IsExportCipherSuite.
660 */ 663 */
661 case SSL_RSA_EXPORT_WITH_RC4_40_MD5: 664 case TLS_RSA_EXPORT_WITH_RC4_40_MD5:
662 case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5: 665 case TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5:
663 /* SSL_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented 666 /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented
664 * SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA: never implemented 667 * TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA: never implemented
665 * SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented 668 * TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented
666 * SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: never implemented 669 * TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: never implemented
667 * SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented 670 * TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented
668 * SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5: never implemented 671 * TLS_DH_anon_EXPORT_WITH_RC4_40_MD5: never implemented
669 * SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA: never implemented 672 * TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA: never implemented
670 */ 673 */
671 return vrange->min <= SSL_LIBRARY_VERSION_TLS_1_0; 674 return vrange->min <= SSL_LIBRARY_VERSION_TLS_1_0;
675
672 case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305: 676 case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305:
673 case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305: 677 case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:
674 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: 678 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
675 case TLS_RSA_WITH_AES_256_CBC_SHA256: 679 case TLS_RSA_WITH_AES_256_CBC_SHA256:
676 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: 680 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
677 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
678 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: 681 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
679 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
680 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: 682 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
681 case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
682 case TLS_RSA_WITH_AES_128_CBC_SHA256: 683 case TLS_RSA_WITH_AES_128_CBC_SHA256:
683 case TLS_RSA_WITH_AES_128_GCM_SHA256: 684 case TLS_RSA_WITH_AES_128_GCM_SHA256:
684 case TLS_RSA_WITH_NULL_SHA256: 685 case TLS_RSA_WITH_NULL_SHA256:
686 return vrange->max == SSL_LIBRARY_VERSION_TLS_1_2;
687
688 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
689 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
690 case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
685 return vrange->max >= SSL_LIBRARY_VERSION_TLS_1_2; 691 return vrange->max >= SSL_LIBRARY_VERSION_TLS_1_2;
692
693 /* RFC 4492: ECC cipher suites need TLS extensions to negotiate curves and
694 * point formats.*/
695 case TLS_ECDH_ECDSA_WITH_NULL_SHA:
696 case TLS_ECDH_ECDSA_WITH_RC4_128_SHA:
697 case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA:
698 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA:
699 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA:
700 case TLS_ECDHE_ECDSA_WITH_NULL_SHA:
701 case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA:
702 case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA:
703 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
704 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
705 case TLS_ECDH_RSA_WITH_NULL_SHA:
706 case TLS_ECDH_RSA_WITH_RC4_128_SHA:
707 case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA:
708 case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA:
709 case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA:
710 case TLS_ECDHE_RSA_WITH_NULL_SHA:
711 case TLS_ECDHE_RSA_WITH_RC4_128_SHA:
712 case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:
713 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
714 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
715 return vrange->max >= SSL_LIBRARY_VERSION_TLS_1_0 &&
716 vrange->min < SSL_LIBRARY_VERSION_TLS_1_3;
717
686 default: 718 default:
687 » return PR_TRUE; 719 return vrange->min < SSL_LIBRARY_VERSION_TLS_1_3;
688 } 720 }
689 } 721 }
690 722
691 /* return pointer to ssl3CipherSuiteDef for suite, or NULL */ 723 /* return pointer to ssl3CipherSuiteDef for suite, or NULL */
692 /* XXX This does a linear search. A binary search would be better. */ 724 /* XXX This does a linear search. A binary search would be better. */
693 static const ssl3CipherSuiteDef * 725 static const ssl3CipherSuiteDef *
694 ssl_LookupCipherSuiteDef(ssl3CipherSuite suite) 726 ssl_LookupCipherSuiteDef(ssl3CipherSuite suite)
695 { 727 {
696 int cipher_suite_def_len = 728 int cipher_suite_def_len =
697 sizeof(cipher_suite_defs) / sizeof(cipher_suite_defs[0]); 729 sizeof(cipher_suite_defs) / sizeof(cipher_suite_defs[0]);
(...skipping 64 matching lines...) Expand 10 before | Expand all | Expand 10 after
762 cipher_def = ssl_LookupCipherSuiteDef(suite->cipher_suite); 794 cipher_def = ssl_LookupCipherSuiteDef(suite->cipher_suite);
763 if (!cipher_def) { 795 if (!cipher_def) {
764 suite->isPresent = PR_FALSE; 796 suite->isPresent = PR_FALSE;
765 continue; 797 continue;
766 } 798 }
767 cipher_alg = bulk_cipher_defs[cipher_def->bulk_cipher_alg].calg; 799 cipher_alg = bulk_cipher_defs[cipher_def->bulk_cipher_alg].calg;
768 PORT_Assert( alg2Mech[cipher_alg].calg == cipher_alg); 800 PORT_Assert( alg2Mech[cipher_alg].calg == cipher_alg);
769 cipher_mech = alg2Mech[cipher_alg].cmech; 801 cipher_mech = alg2Mech[cipher_alg].cmech;
770 exchKeyType = 802 exchKeyType =
771 kea_defs[cipher_def->key_exchange_alg].exchKeyType; 803 kea_defs[cipher_def->key_exchange_alg].exchKeyType;
772 #ifndef NSS_ENABLE_ECC 804 #ifdef NSS_DISABLE_ECC
773 svrAuth = ss->serverCerts + exchKeyType; 805 svrAuth = ss->serverCerts + exchKeyType;
774 #else 806 #else
775 /* XXX SSLKEAType isn't really a good choice for 807 /* XXX SSLKEAType isn't really a good choice for
776 * indexing certificates. It doesn't work for 808 * indexing certificates. It doesn't work for
777 * (EC)DHE-* ciphers. Here we use a hack to ensure 809 * (EC)DHE-* ciphers. Here we use a hack to ensure
778 * that the server uses an RSA cert for (EC)DHE-RSA. 810 * that the server uses an RSA cert for (EC)DHE-RSA.
779 */ 811 */
780 switch (cipher_def->key_exchange_alg) { 812 switch (cipher_def->key_exchange_alg) {
781 case kea_ecdhe_rsa: 813 case kea_ecdhe_rsa:
782 #if NSS_SERVER_DHE_IMPLEMENTED 814 #if NSS_SERVER_DHE_IMPLEMENTED
(...skipping 13 matching lines...) Expand all
796 * XXX We ought to have different indices for 828 * XXX We ought to have different indices for
797 * ECDSA- and RSA-signed EC certificates so 829 * ECDSA- and RSA-signed EC certificates so
798 * we could support both key exchange mechanisms 830 * we could support both key exchange mechanisms
799 * simultaneously. For now, both of them use 831 * simultaneously. For now, both of them use
800 * whatever is in the certificate slot for kt_ecdh 832 * whatever is in the certificate slot for kt_ecdh
801 */ 833 */
802 default: 834 default:
803 svrAuth = ss->serverCerts + exchKeyType; 835 svrAuth = ss->serverCerts + exchKeyType;
804 break; 836 break;
805 } 837 }
806 #endif /* NSS_ENABLE_ECC */ 838 #endif /* NSS_DISABLE_ECC */
807 839
808 /* Mark the suites that are backed by real tokens, certs and keys */ 840 /* Mark the suites that are backed by real tokens, certs and keys */
809 suite->isPresent = (PRBool) 841 suite->isPresent = (PRBool)
810 (((exchKeyType == kt_null) || 842 (((exchKeyType == kt_null) ||
811 ((!isServer || (svrAuth->serverKeyPair && 843 ((!isServer || (svrAuth->serverKeyPair &&
812 svrAuth->SERVERKEY && 844 svrAuth->SERVERKEY &&
813 svrAuth->serverCertChain)) && 845 svrAuth->serverCertChain)) &&
814 PK11_TokenExists(kea_alg_defs[exchKeyType]))) && 846 PK11_TokenExists(kea_alg_defs[exchKeyType]))) &&
815 ((cipher_alg == calg_null) || PK11_TokenExists(cipher_mech))); 847 ((cipher_alg == calg_null) || PK11_TokenExists(cipher_mech)));
816 if (suite->isPresent) 848 if (suite->isPresent)
(...skipping 86 matching lines...) Expand 10 before | Expand all | Expand 10 after
903 ssl3_NegotiateVersion(sslSocket *ss, SSL3ProtocolVersion peerVersion, 935 ssl3_NegotiateVersion(sslSocket *ss, SSL3ProtocolVersion peerVersion,
904 PRBool allowLargerPeerVersion) 936 PRBool allowLargerPeerVersion)
905 { 937 {
906 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) { 938 if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
907 PORT_SetError(SSL_ERROR_SSL_DISABLED); 939 PORT_SetError(SSL_ERROR_SSL_DISABLED);
908 return SECFailure; 940 return SECFailure;
909 } 941 }
910 942
911 if (peerVersion < ss->vrange.min || 943 if (peerVersion < ss->vrange.min ||
912 (peerVersion > ss->vrange.max && !allowLargerPeerVersion)) { 944 (peerVersion > ss->vrange.max && !allowLargerPeerVersion)) {
913 » PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP); 945 » PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION);
914 return SECFailure; 946 return SECFailure;
915 } 947 }
916 948
917 ss->version = PR_MIN(peerVersion, ss->vrange.max); 949 ss->version = PR_MIN(peerVersion, ss->vrange.max);
918 PORT_Assert(ssl3_VersionIsSupported(ss->protocolVariant, ss->version)); 950 PORT_Assert(ssl3_VersionIsSupported(ss->protocolVariant, ss->version));
919 951
920 return SECSuccess; 952 return SECSuccess;
921 } 953 }
922 954
923 static SECStatus 955 static SECStatus
(...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after
955 /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash. 987 /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
956 * In that case, we use just the SHA1 part. */ 988 * In that case, we use just the SHA1 part. */
957 if (hash->hashAlg == SEC_OID_UNKNOWN) { 989 if (hash->hashAlg == SEC_OID_UNKNOWN) {
958 hashItem.data = hash->u.s.sha; 990 hashItem.data = hash->u.s.sha;
959 hashItem.len = sizeof(hash->u.s.sha); 991 hashItem.len = sizeof(hash->u.s.sha);
960 } else { 992 } else {
961 hashItem.data = hash->u.raw; 993 hashItem.data = hash->u.raw;
962 hashItem.len = hash->len; 994 hashItem.len = hash->len;
963 } 995 }
964 break; 996 break;
965 #ifdef NSS_ENABLE_ECC 997 #ifndef NSS_DISABLE_ECC
966 case ecKey: 998 case ecKey:
967 doDerEncode = PR_TRUE; 999 doDerEncode = PR_TRUE;
968 /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash. 1000 /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
969 * In that case, we use just the SHA1 part. */ 1001 * In that case, we use just the SHA1 part. */
970 if (hash->hashAlg == SEC_OID_UNKNOWN) { 1002 if (hash->hashAlg == SEC_OID_UNKNOWN) {
971 hashItem.data = hash->u.s.sha; 1003 hashItem.data = hash->u.s.sha;
972 hashItem.len = sizeof(hash->u.s.sha); 1004 hashItem.len = sizeof(hash->u.s.sha);
973 } else { 1005 } else {
974 hashItem.data = hash->u.raw; 1006 hashItem.data = hash->u.raw;
975 hashItem.len = hash->len; 1007 hashItem.len = hash->len;
976 } 1008 }
977 break; 1009 break;
978 #endif /* NSS_ENABLE_ECC */ 1010 #endif /* NSS_DISABLE_ECC */
979 default: 1011 default:
980 PORT_SetError(SEC_ERROR_INVALID_KEY); 1012 PORT_SetError(SEC_ERROR_INVALID_KEY);
981 goto done; 1013 goto done;
982 } 1014 }
983 PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len)); 1015 PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len));
984 1016
985 if (hash->hashAlg == SEC_OID_UNKNOWN) { 1017 if (hash->hashAlg == SEC_OID_UNKNOWN) {
986 signatureLen = PK11_SignatureLen(key); 1018 signatureLen = PK11_SignatureLen(key);
987 if (signatureLen <= 0) { 1019 if (signatureLen <= 0) {
988 PORT_SetError(SEC_ERROR_INVALID_KEY); 1020 PORT_SetError(SEC_ERROR_INVALID_KEY);
(...skipping 77 matching lines...) Expand 10 before | Expand all | Expand 10 after
1066 if (isTLS || buf->len != SECKEY_SignatureLen(key)) { 1098 if (isTLS || buf->len != SECKEY_SignatureLen(key)) {
1067 signature = DSAU_DecodeDerSigToLen(buf, SECKEY_SignatureLen(key)); 1099 signature = DSAU_DecodeDerSigToLen(buf, SECKEY_SignatureLen(key));
1068 if (!signature) { 1100 if (!signature) {
1069 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); 1101 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
1070 return SECFailure; 1102 return SECFailure;
1071 } 1103 }
1072 buf = signature; 1104 buf = signature;
1073 } 1105 }
1074 break; 1106 break;
1075 1107
1076 #ifdef NSS_ENABLE_ECC 1108 #ifndef NSS_DISABLE_ECC
1077 case ecKey: 1109 case ecKey:
1078 encAlg = SEC_OID_ANSIX962_EC_PUBLIC_KEY; 1110 encAlg = SEC_OID_ANSIX962_EC_PUBLIC_KEY;
1079 /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash. 1111 /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
1080 * In that case, we use just the SHA1 part. 1112 * In that case, we use just the SHA1 part.
1081 * ECDSA signatures always encode the integers r and s using ASN.1 1113 * ECDSA signatures always encode the integers r and s using ASN.1
1082 * (unlike DSA where ASN.1 encoding is used with TLS but not with 1114 * (unlike DSA where ASN.1 encoding is used with TLS but not with
1083 * SSL3). So we can use VFY_VerifyDigestDirect for ECDSA. 1115 * SSL3). So we can use VFY_VerifyDigestDirect for ECDSA.
1084 */ 1116 */
1085 if (hash->hashAlg == SEC_OID_UNKNOWN) { 1117 if (hash->hashAlg == SEC_OID_UNKNOWN) {
1086 hashAlg = SEC_OID_SHA1; 1118 hashAlg = SEC_OID_SHA1;
1087 hashItem.data = hash->u.s.sha; 1119 hashItem.data = hash->u.s.sha;
1088 hashItem.len = sizeof(hash->u.s.sha); 1120 hashItem.len = sizeof(hash->u.s.sha);
1089 } else { 1121 } else {
1090 hashItem.data = hash->u.raw; 1122 hashItem.data = hash->u.raw;
1091 hashItem.len = hash->len; 1123 hashItem.len = hash->len;
1092 } 1124 }
1093 break; 1125 break;
1094 #endif /* NSS_ENABLE_ECC */ 1126 #endif /* NSS_DISABLE_ECC */
1095 1127
1096 default: 1128 default:
1097 SECKEY_DestroyPublicKey(key); 1129 SECKEY_DestroyPublicKey(key);
1098 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); 1130 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
1099 return SECFailure; 1131 return SECFailure;
1100 } 1132 }
1101 1133
1102 PRINT_BUF(60, (NULL, "hash(es) to be verified", 1134 PRINT_BUF(60, (NULL, "hash(es) to be verified",
1103 hashItem.data, hashItem.len)); 1135 hashItem.data, hashItem.len));
1104 1136
(...skipping 4114 matching lines...) Expand 10 before | Expand all | Expand 10 after
5219 5251
5220 if (isTLS || (ss->firstHsDone && ss->peerRequestedProtection)) { 5252 if (isTLS || (ss->firstHsDone && ss->peerRequestedProtection)) {
5221 PRUint32 maxBytes = 65535; /* 2^16 - 1 */ 5253 PRUint32 maxBytes = 65535; /* 2^16 - 1 */
5222 PRInt32 extLen; 5254 PRInt32 extLen;
5223 5255
5224 extLen = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes, NULL); 5256 extLen = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes, NULL);
5225 if (extLen < 0) { 5257 if (extLen < 0) {
5226 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); } 5258 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5227 return SECFailure; 5259 return SECFailure;
5228 } 5260 }
5229 maxBytes -= extLen;
5230 total_exten_len += extLen; 5261 total_exten_len += extLen;
5231 5262
5232 if (total_exten_len > 0) 5263 if (total_exten_len > 0)
5233 total_exten_len += 2; 5264 total_exten_len += 2;
5234 } 5265 }
5235 5266
5236 #if defined(NSS_ENABLE_ECC) 5267 #ifndef NSS_DISABLE_ECC
5237 if (!total_exten_len || !isTLS) { 5268 if (!total_exten_len || !isTLS) {
5238 /* not sending the elliptic_curves and ec_point_formats extensions */ 5269 /* not sending the elliptic_curves and ec_point_formats extensions */
5239 ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */ 5270 ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */
5240 } 5271 }
5241 #endif 5272 #endif /* NSS_DISABLE_ECC */
5242 5273
5243 if (IS_DTLS(ss)) { 5274 if (IS_DTLS(ss)) {
5244 ssl3_DisableNonDTLSSuites(ss); 5275 ssl3_DisableNonDTLSSuites(ss);
5245 } 5276 }
5246 5277
5247 if (!ssl3_HasGCMSupport()) { 5278 if (!ssl3_HasGCMSupport()) {
5248 ssl3_DisableGCMSuites(ss); 5279 ssl3_DisableGCMSuites(ss);
5249 } 5280 }
5250 5281
5251 /* how many suites are permitted by policy and user preference? */ 5282 /* how many suites are permitted by policy and user preference? */
(...skipping 78 matching lines...) Expand 10 before | Expand all | Expand 10 after
5330 SSL3_RANDOM_LENGTH); 5361 SSL3_RANDOM_LENGTH);
5331 if (rv != SECSuccess) { 5362 if (rv != SECSuccess) {
5332 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); } 5363 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5333 return rv; /* err set by ssl3_AppendHandshake* */ 5364 return rv; /* err set by ssl3_AppendHandshake* */
5334 } 5365 }
5335 5366
5336 if (sid) 5367 if (sid)
5337 rv = ssl3_AppendHandshakeVariable( 5368 rv = ssl3_AppendHandshakeVariable(
5338 ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1); 5369 ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1);
5339 else 5370 else
5340 » rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); 5371 » rv = ssl3_AppendHandshakeNumber(ss, 0, 1);
5341 if (rv != SECSuccess) { 5372 if (rv != SECSuccess) {
5342 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); } 5373 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5343 return rv; /* err set by ssl3_AppendHandshake* */ 5374 return rv; /* err set by ssl3_AppendHandshake* */
5344 } 5375 }
5345 5376
5346 if (IS_DTLS(ss)) { 5377 if (IS_DTLS(ss)) {
5347 rv = ssl3_AppendHandshakeVariable( 5378 rv = ssl3_AppendHandshakeVariable(
5348 ss, ss->ssl3.hs.cookie, ss->ssl3.hs.cookieLen, 1); 5379 ss, ss->ssl3.hs.cookie, ss->ssl3.hs.cookieLen, 1);
5349 if (rv != SECSuccess) { 5380 if (rv != SECSuccess) {
5350 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); } 5381 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
(...skipping 10 matching lines...) Expand all
5361 if (ss->ssl3.hs.sendingSCSV) { 5392 if (ss->ssl3.hs.sendingSCSV) {
5362 /* Add the actual SCSV */ 5393 /* Add the actual SCSV */
5363 rv = ssl3_AppendHandshakeNumber(ss, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, 5394 rv = ssl3_AppendHandshakeNumber(ss, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
5364 sizeof(ssl3CipherSuite)); 5395 sizeof(ssl3CipherSuite));
5365 if (rv != SECSuccess) { 5396 if (rv != SECSuccess) {
5366 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); } 5397 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5367 return rv; /* err set by ssl3_AppendHandshake* */ 5398 return rv; /* err set by ssl3_AppendHandshake* */
5368 } 5399 }
5369 actual_count++; 5400 actual_count++;
5370 } 5401 }
5371 5402 if (fallbackSCSV) {
5403 » rv = ssl3_AppendHandshakeNumber(ss, TLS_FALLBACK_SCSV,
5404 » » » » » sizeof(ssl3CipherSuite));
5405 » if (rv != SECSuccess) {
5406 » if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5407 » return rv;» /* err set by ssl3_AppendHandshake* */
5408 » }
5409 » actual_count++;
5410 }
5372 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { 5411 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
5373 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; 5412 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
5374 if (config_match(suite, ss->ssl3.policy, PR_TRUE, &ss->vrange)) { 5413 if (config_match(suite, ss->ssl3.policy, PR_TRUE, &ss->vrange)) {
5375 actual_count++; 5414 actual_count++;
5376 if (actual_count > num_suites) { 5415 if (actual_count > num_suites) {
5377 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); } 5416 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5378 /* set error card removal/insertion error */ 5417 /* set error card removal/insertion error */
5379 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL); 5418 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
5380 return SECFailure; 5419 return SECFailure;
5381 } 5420 }
5382 rv = ssl3_AppendHandshakeNumber(ss, suite->cipher_suite, 5421 rv = ssl3_AppendHandshakeNumber(ss, suite->cipher_suite,
5383 sizeof(ssl3CipherSuite)); 5422 sizeof(ssl3CipherSuite));
5384 if (rv != SECSuccess) { 5423 if (rv != SECSuccess) {
5385 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); } 5424 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5386 return rv; /* err set by ssl3_AppendHandshake* */ 5425 return rv; /* err set by ssl3_AppendHandshake* */
5387 } 5426 }
5388 } 5427 }
5389 } 5428 }
5390 5429
5391 if (fallbackSCSV) {
5392 rv = ssl3_AppendHandshakeNumber(ss, TLS_FALLBACK_SCSV,
5393 sizeof(ssl3CipherSuite));
5394 if (rv != SECSuccess) {
5395 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5396 return rv; /* err set by ssl3_AppendHandshake* */
5397 }
5398 actual_count++;
5399 }
Ryan Sleevi 2015/04/02 23:35:40 David: Do you recall if there were ordering issues
davidben 2015/04/03 19:06:18 Not that I'm aware of. I've heard rumors that ther
5400
5401 /* if cards were removed or inserted between count_cipher_suites and 5430 /* if cards were removed or inserted between count_cipher_suites and
5402 * generating our list, detect the error here rather than send it off to 5431 * generating our list, detect the error here rather than send it off to
5403 * the server.. */ 5432 * the server.. */
5404 if (actual_count != num_suites) { 5433 if (actual_count != num_suites) {
5405 /* Card removal/insertion error */ 5434 /* Card removal/insertion error */
5406 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); } 5435 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
5407 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL); 5436 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
5408 return SECFailure; 5437 return SECFailure;
5409 } 5438 }
5410 5439
(...skipping 153 matching lines...) Expand 10 before | Expand all | Expand 10 after
5564 static PK11SymKey * 5593 static PK11SymKey *
5565 ssl_UnwrapSymWrappingKey( 5594 ssl_UnwrapSymWrappingKey(
5566 SSLWrappedSymWrappingKey *pWswk, 5595 SSLWrappedSymWrappingKey *pWswk,
5567 SECKEYPrivateKey * svrPrivKey, 5596 SECKEYPrivateKey * svrPrivKey,
5568 SSL3KEAType exchKeyType, 5597 SSL3KEAType exchKeyType,
5569 CK_MECHANISM_TYPE masterWrapMech, 5598 CK_MECHANISM_TYPE masterWrapMech,
5570 void * pwArg) 5599 void * pwArg)
5571 { 5600 {
5572 PK11SymKey * unwrappedWrappingKey = NULL; 5601 PK11SymKey * unwrappedWrappingKey = NULL;
5573 SECItem wrappedKey; 5602 SECItem wrappedKey;
5574 #ifdef NSS_ENABLE_ECC 5603 #ifndef NSS_DISABLE_ECC
5575 PK11SymKey * Ks; 5604 PK11SymKey * Ks;
5576 SECKEYPublicKey pubWrapKey; 5605 SECKEYPublicKey pubWrapKey;
5577 ECCWrappedKeyInfo *ecWrapped; 5606 ECCWrappedKeyInfo *ecWrapped;
5578 #endif /* NSS_ENABLE_ECC */ 5607 #endif /* NSS_DISABLE_ECC */
5579 5608
5580 /* found the wrapping key on disk. */ 5609 /* found the wrapping key on disk. */
5581 PORT_Assert(pWswk->symWrapMechanism == masterWrapMech); 5610 PORT_Assert(pWswk->symWrapMechanism == masterWrapMech);
5582 PORT_Assert(pWswk->exchKeyType == exchKeyType); 5611 PORT_Assert(pWswk->exchKeyType == exchKeyType);
5583 if (pWswk->symWrapMechanism != masterWrapMech || 5612 if (pWswk->symWrapMechanism != masterWrapMech ||
5584 pWswk->exchKeyType != exchKeyType) { 5613 pWswk->exchKeyType != exchKeyType) {
5585 goto loser; 5614 goto loser;
5586 } 5615 }
5587 wrappedKey.type = siBuffer; 5616 wrappedKey.type = siBuffer;
5588 wrappedKey.data = pWswk->wrappedSymmetricWrappingkey; 5617 wrappedKey.data = pWswk->wrappedSymmetricWrappingkey;
5589 wrappedKey.len = pWswk->wrappedSymKeyLen; 5618 wrappedKey.len = pWswk->wrappedSymKeyLen;
5590 PORT_Assert(wrappedKey.len <= sizeof pWswk->wrappedSymmetricWrappingkey); 5619 PORT_Assert(wrappedKey.len <= sizeof pWswk->wrappedSymmetricWrappingkey);
5591 5620
5592 switch (exchKeyType) { 5621 switch (exchKeyType) {
5593 5622
5594 case kt_rsa: 5623 case kt_rsa:
5595 unwrappedWrappingKey = 5624 unwrappedWrappingKey =
5596 PK11_PubUnwrapSymKey(svrPrivKey, &wrappedKey, 5625 PK11_PubUnwrapSymKey(svrPrivKey, &wrappedKey,
5597 masterWrapMech, CKA_UNWRAP, 0); 5626 masterWrapMech, CKA_UNWRAP, 0);
5598 break; 5627 break;
5599 5628
5600 #ifdef NSS_ENABLE_ECC 5629 #ifndef NSS_DISABLE_ECC
5601 case kt_ecdh: 5630 case kt_ecdh:
5602 /* 5631 /*
5603 * For kt_ecdh, we first create an EC public key based on 5632 * For kt_ecdh, we first create an EC public key based on
5604 * data stored with the wrappedSymmetricWrappingkey. Next, 5633 * data stored with the wrappedSymmetricWrappingkey. Next,
5605 * we do an ECDH computation involving this public key and 5634 * we do an ECDH computation involving this public key and
5606 * the SSL server's (long-term) EC private key. The resulting 5635 * the SSL server's (long-term) EC private key. The resulting
5607 * shared secret is treated the same way as Fortezza's Ks, i.e., 5636 * shared secret is treated the same way as Fortezza's Ks, i.e.,
5608 * it is used to recover the symmetric wrapping key. 5637 * it is used to recover the symmetric wrapping key.
5609 * 5638 *
5610 * The data in wrappedSymmetricWrappingkey is laid out as defined 5639 * The data in wrappedSymmetricWrappingkey is laid out as defined
(...skipping 117 matching lines...) Expand 10 before | Expand all | Expand 10 after
5728 SECKEYPrivateKey * svrPrivKey; 5757 SECKEYPrivateKey * svrPrivKey;
5729 SECKEYPublicKey * svrPubKey = NULL; 5758 SECKEYPublicKey * svrPubKey = NULL;
5730 PK11SymKey * unwrappedWrappingKey = NULL; 5759 PK11SymKey * unwrappedWrappingKey = NULL;
5731 PK11SymKey ** pSymWrapKey; 5760 PK11SymKey ** pSymWrapKey;
5732 CK_MECHANISM_TYPE asymWrapMechanism = CKM_INVALID_MECHANISM; 5761 CK_MECHANISM_TYPE asymWrapMechanism = CKM_INVALID_MECHANISM;
5733 int length; 5762 int length;
5734 int symWrapMechIndex; 5763 int symWrapMechIndex;
5735 SECStatus rv; 5764 SECStatus rv;
5736 SECItem wrappedKey; 5765 SECItem wrappedKey;
5737 SSLWrappedSymWrappingKey wswk; 5766 SSLWrappedSymWrappingKey wswk;
5738 #ifdef NSS_ENABLE_ECC 5767 #ifndef NSS_DISABLE_ECC
5739 PK11SymKey * Ks = NULL; 5768 PK11SymKey * Ks = NULL;
5740 SECKEYPublicKey *pubWrapKey = NULL; 5769 SECKEYPublicKey *pubWrapKey = NULL;
5741 SECKEYPrivateKey *privWrapKey = NULL; 5770 SECKEYPrivateKey *privWrapKey = NULL;
5742 ECCWrappedKeyInfo *ecWrapped; 5771 ECCWrappedKeyInfo *ecWrapped;
5743 #endif /* NSS_ENABLE_ECC */ 5772 #endif /* NSS_DISABLE_ECC */
5744 5773
5745 svrPrivKey = ss->serverCerts[exchKeyType].SERVERKEY; 5774 svrPrivKey = ss->serverCerts[exchKeyType].SERVERKEY;
5746 PORT_Assert(svrPrivKey != NULL); 5775 PORT_Assert(svrPrivKey != NULL);
5747 if (!svrPrivKey) { 5776 if (!svrPrivKey) {
5748 return NULL; /* why are we here?!? */ 5777 return NULL; /* why are we here?!? */
5749 } 5778 }
5750 5779
5751 symWrapMechIndex = ssl_FindIndexByWrapMechanism(masterWrapMech); 5780 symWrapMechIndex = ssl_FindIndexByWrapMechanism(masterWrapMech);
5752 PORT_Assert(symWrapMechIndex >= 0); 5781 PORT_Assert(symWrapMechIndex >= 0);
5753 if (symWrapMechIndex < 0) 5782 if (symWrapMechIndex < 0)
(...skipping 62 matching lines...) Expand 10 before | Expand all | Expand 10 after
5816 goto loser; 5845 goto loser;
5817 5846
5818 /* wrap symmetric wrapping key in server's public key. */ 5847 /* wrap symmetric wrapping key in server's public key. */
5819 switch (exchKeyType) { 5848 switch (exchKeyType) {
5820 case kt_rsa: 5849 case kt_rsa:
5821 asymWrapMechanism = CKM_RSA_PKCS; 5850 asymWrapMechanism = CKM_RSA_PKCS;
5822 rv = PK11_PubWrapSymKey(asymWrapMechanism, svrPubKey, 5851 rv = PK11_PubWrapSymKey(asymWrapMechanism, svrPubKey,
5823 unwrappedWrappingKey, &wrappedKey); 5852 unwrappedWrappingKey, &wrappedKey);
5824 break; 5853 break;
5825 5854
5826 #ifdef NSS_ENABLE_ECC 5855 #ifndef NSS_DISABLE_ECC
5827 case kt_ecdh: 5856 case kt_ecdh:
5828 /* 5857 /*
5829 * We generate an ephemeral EC key pair. Perform an ECDH 5858 * We generate an ephemeral EC key pair. Perform an ECDH
5830 * computation involving this ephemeral EC public key and 5859 * computation involving this ephemeral EC public key and
5831 * the SSL server's (long-term) EC private key. The resulting 5860 * the SSL server's (long-term) EC private key. The resulting
5832 * shared secret is treated in the same way as Fortezza's Ks, 5861 * shared secret is treated in the same way as Fortezza's Ks,
5833 * i.e., it is used to wrap the wrapping key. To facilitate 5862 * i.e., it is used to wrap the wrapping key. To facilitate
5834 * unwrapping in ssl_UnwrapWrappingKey, we also store all 5863 * unwrapping in ssl_UnwrapWrappingKey, we also store all
5835 * relevant info about the ephemeral EC public key in 5864 * relevant info about the ephemeral EC public key in
5836 * wswk.wrappedSymmetricWrappingkey and lay it out as 5865 * wswk.wrappedSymmetricWrappingkey and lay it out as
(...skipping 65 matching lines...) Expand 10 before | Expand all | Expand 10 after
5902 * wswk.wrappedSymmetricWrappingkey at the appropriate offset 5931 * wswk.wrappedSymmetricWrappingkey at the appropriate offset
5903 */ 5932 */
5904 ecWrapped->wrappedKeyLen = wrappedKey.len; 5933 ecWrapped->wrappedKeyLen = wrappedKey.len;
5905 5934
5906 ec_cleanup: 5935 ec_cleanup:
5907 if (privWrapKey) SECKEY_DestroyPrivateKey(privWrapKey); 5936 if (privWrapKey) SECKEY_DestroyPrivateKey(privWrapKey);
5908 if (pubWrapKey) SECKEY_DestroyPublicKey(pubWrapKey); 5937 if (pubWrapKey) SECKEY_DestroyPublicKey(pubWrapKey);
5909 if (Ks) PK11_FreeSymKey(Ks); 5938 if (Ks) PK11_FreeSymKey(Ks);
5910 asymWrapMechanism = masterWrapMech; 5939 asymWrapMechanism = masterWrapMech;
5911 break; 5940 break;
5912 #endif /* NSS_ENABLE_ECC */ 5941 #endif /* NSS_DISABLE_ECC */
5913 5942
5914 default: 5943 default:
5915 rv = SECFailure; 5944 rv = SECFailure;
5916 break; 5945 break;
5917 } 5946 }
5918 5947
5919 if (rv != SECSuccess) { 5948 if (rv != SECSuccess) {
5920 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); 5949 ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
5921 goto loser; 5950 goto loser;
5922 } 5951 }
(...skipping 292 matching lines...) Expand 10 before | Expand all | Expand 10 after
6215 6244
6216 switch (ss->ssl3.hs.kea_def->exchKeyType) { 6245 switch (ss->ssl3.hs.kea_def->exchKeyType) {
6217 case kt_rsa: 6246 case kt_rsa:
6218 rv = sendRSAClientKeyExchange(ss, serverKey); 6247 rv = sendRSAClientKeyExchange(ss, serverKey);
6219 break; 6248 break;
6220 6249
6221 case kt_dh: 6250 case kt_dh:
6222 rv = sendDHClientKeyExchange(ss, serverKey); 6251 rv = sendDHClientKeyExchange(ss, serverKey);
6223 break; 6252 break;
6224 6253
6225 #ifdef NSS_ENABLE_ECC 6254 #ifndef NSS_DISABLE_ECC
6226 case kt_ecdh: 6255 case kt_ecdh:
6227 rv = ssl3_SendECDHClientKeyExchange(ss, serverKey); 6256 rv = ssl3_SendECDHClientKeyExchange(ss, serverKey);
6228 break; 6257 break;
6229 #endif /* NSS_ENABLE_ECC */ 6258 #endif /* NSS_DISABLE_ECC */
6230 6259
6231 default: 6260 default:
6232 /* got an unknown or unsupported Key Exchange Algorithm. */ 6261 /* got an unknown or unsupported Key Exchange Algorithm. */
6233 SEND_ALERT 6262 SEND_ALERT
6234 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); 6263 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
6235 break; 6264 break;
6236 } 6265 }
6237 6266
6238 SSL_TRC(3, ("%d: SSL3[%d]: DONE sending client_key_exchange", 6267 SSL_TRC(3, ("%d: SSL3[%d]: DONE sending client_key_exchange",
6239 SSL_GETPID(), ss->fd)); 6268 SSL_GETPID(), ss->fd));
(...skipping 182 matching lines...) Expand 10 before | Expand all | Expand 10 after
6422 version = dtls_DTLSVersionToTLSVersion(version); 6451 version = dtls_DTLSVersionToTLSVersion(version);
6423 if (version == 0) { /* Insane version number */ 6452 if (version == 0) { /* Insane version number */
6424 goto alert_loser; 6453 goto alert_loser;
6425 } 6454 }
6426 } 6455 }
6427 6456
6428 rv = ssl3_NegotiateVersion(ss, version, PR_FALSE); 6457 rv = ssl3_NegotiateVersion(ss, version, PR_FALSE);
6429 if (rv != SECSuccess) { 6458 if (rv != SECSuccess) {
6430 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version 6459 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version
6431 : handshake_failure; 6460 : handshake_failure;
6432 » errCode = SSL_ERROR_NO_CYPHER_OVERLAP; 6461 » errCode = SSL_ERROR_UNSUPPORTED_VERSION;
6433 goto alert_loser; 6462 goto alert_loser;
6434 } 6463 }
6435 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0); 6464 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0);
6436 6465
6437 rv = ssl3_InitHandshakeHashes(ss); 6466 rv = ssl3_InitHandshakeHashes(ss);
6438 if (rv != SECSuccess) { 6467 if (rv != SECSuccess) {
6439 desc = internal_error; 6468 desc = internal_error;
6440 errCode = PORT_GetError(); 6469 errCode = PORT_GetError();
6441 goto alert_loser; 6470 goto alert_loser;
6442 } 6471 }
(...skipping 567 matching lines...) Expand 10 before | Expand all | Expand 10 after
7010 SECITEM_CopyItem(arena, &peerKey->u.dh.publicValue, &dh_Ys)) 7039 SECITEM_CopyItem(arena, &peerKey->u.dh.publicValue, &dh_Ys))
7011 { 7040 {
7012 PORT_FreeArena(arena, PR_FALSE); 7041 PORT_FreeArena(arena, PR_FALSE);
7013 goto no_memory; 7042 goto no_memory;
7014 } 7043 }
7015 ss->sec.peerKey = peerKey; 7044 ss->sec.peerKey = peerKey;
7016 ss->ssl3.hs.ws = wait_cert_request; 7045 ss->ssl3.hs.ws = wait_cert_request;
7017 return SECSuccess; 7046 return SECSuccess;
7018 } 7047 }
7019 7048
7020 #ifdef NSS_ENABLE_ECC 7049 #ifndef NSS_DISABLE_ECC
7021 case kt_ecdh: 7050 case kt_ecdh:
7022 rv = ssl3_HandleECDHServerKeyExchange(ss, b, length); 7051 rv = ssl3_HandleECDHServerKeyExchange(ss, b, length);
7023 return rv; 7052 return rv;
7024 #endif /* NSS_ENABLE_ECC */ 7053 #endif /* NSS_DISABLE_ECC */
7025 7054
7026 default: 7055 default:
7027 desc = handshake_failure; 7056 desc = handshake_failure;
7028 errCode = SEC_ERROR_UNSUPPORTED_KEYALG; 7057 errCode = SEC_ERROR_UNSUPPORTED_KEYALG;
7029 break; /* goto alert_loser; */ 7058 break; /* goto alert_loser; */
7030 } 7059 }
7031 7060
7032 alert_loser: 7061 alert_loser:
7033 (void)SSL3_SendAlert(ss, alert_fatal, desc); 7062 (void)SSL3_SendAlert(ss, alert_fatal, desc);
7034 loser: 7063 loser:
(...skipping 911 matching lines...) Expand 10 before | Expand all | Expand 10 after
7946 rv = ssl3_SendServerKeyExchange(ss); 7975 rv = ssl3_SendServerKeyExchange(ss);
7947 if (rv != SECSuccess) { 7976 if (rv != SECSuccess) {
7948 return rv; /* err code was set. */ 7977 return rv; /* err code was set. */
7949 } 7978 }
7950 } else { 7979 } else {
7951 #ifndef HACKED_EXPORT_SERVER 7980 #ifndef HACKED_EXPORT_SERVER
7952 PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED); 7981 PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED);
7953 return rv; 7982 return rv;
7954 #endif 7983 #endif
7955 } 7984 }
7956 #ifdef NSS_ENABLE_ECC 7985 #ifndef NSS_DISABLE_ECC
7957 } else if ((kea_def->kea == kea_ecdhe_rsa) || 7986 } else if ((kea_def->kea == kea_ecdhe_rsa) ||
7958 (kea_def->kea == kea_ecdhe_ecdsa)) { 7987 (kea_def->kea == kea_ecdhe_ecdsa)) {
7959 rv = ssl3_SendServerKeyExchange(ss); 7988 rv = ssl3_SendServerKeyExchange(ss);
7960 if (rv != SECSuccess) { 7989 if (rv != SECSuccess) {
7961 return rv; /* err code was set. */ 7990 return rv; /* err code was set. */
7962 } 7991 }
7963 #endif /* NSS_ENABLE_ECC */ 7992 #endif /* NSS_DISABLE_ECC */
7964 } 7993 }
7965 7994
7966 if (ss->opt.requestCertificate) { 7995 if (ss->opt.requestCertificate) {
7967 rv = ssl3_SendCertificateRequest(ss); 7996 rv = ssl3_SendCertificateRequest(ss);
7968 if (rv != SECSuccess) { 7997 if (rv != SECSuccess) {
7969 return rv; /* err code is set. */ 7998 return rv; /* err code is set. */
7970 } 7999 }
7971 } 8000 }
7972 rv = ssl3_SendServerHelloDone(ss); 8001 rv = ssl3_SendServerHelloDone(ss);
7973 if (rv != SECSuccess) { 8002 if (rv != SECSuccess) {
(...skipping 91 matching lines...) Expand 10 before | Expand all | Expand 10 after
8065 ss->clientHelloVersion = version = 8094 ss->clientHelloVersion = version =
8066 dtls_DTLSVersionToTLSVersion((SSL3ProtocolVersion)tmp); 8095 dtls_DTLSVersionToTLSVersion((SSL3ProtocolVersion)tmp);
8067 } else { 8096 } else {
8068 ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp; 8097 ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp;
8069 } 8098 }
8070 8099
8071 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE); 8100 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE);
8072 if (rv != SECSuccess) { 8101 if (rv != SECSuccess) {
8073 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version 8102 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version
8074 : handshake_failure; 8103 : handshake_failure;
8075 » errCode = SSL_ERROR_NO_CYPHER_OVERLAP; 8104 » errCode = SSL_ERROR_UNSUPPORTED_VERSION;
8076 goto alert_loser; 8105 goto alert_loser;
8077 } 8106 }
8078 8107
8079 rv = ssl3_InitHandshakeHashes(ss); 8108 rv = ssl3_InitHandshakeHashes(ss);
8080 if (rv != SECSuccess) { 8109 if (rv != SECSuccess) {
8081 desc = internal_error; 8110 desc = internal_error;
8082 errCode = PORT_GetError(); 8111 errCode = PORT_GetError();
8083 goto alert_loser; 8112 goto alert_loser;
8084 } 8113 }
8085 8114
(...skipping 36 matching lines...) Expand 10 before | Expand all | Expand 10 after
8122 goto alert_loser; 8151 goto alert_loser;
8123 } 8152 }
8124 } 8153 }
8125 8154
8126 /* grab the list of compression methods. */ 8155 /* grab the list of compression methods. */
8127 rv = ssl3_ConsumeHandshakeVariable(ss, &comps, 1, &b, &length); 8156 rv = ssl3_ConsumeHandshakeVariable(ss, &comps, 1, &b, &length);
8128 if (rv != SECSuccess) { 8157 if (rv != SECSuccess) {
8129 goto loser; /* malformed */ 8158 goto loser; /* malformed */
8130 } 8159 }
8131 8160
8161 /* TLS 1.3 requires that compression be empty */
8162 if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) {
8163 if (comps.len != 1 || comps.data[0] != ssl_compression_null) {
8164 goto loser;
8165 }
8166 }
8132 desc = handshake_failure; 8167 desc = handshake_failure;
8133 8168
8134 /* Handle TLS hello extensions for SSL3 & TLS. We do not know if 8169 /* Handle TLS hello extensions for SSL3 & TLS. We do not know if
8135 * we are restarting a previous session until extensions have been 8170 * we are restarting a previous session until extensions have been
8136 * parsed, since we might have received a SessionTicket extension. 8171 * parsed, since we might have received a SessionTicket extension.
8137 * Note: we allow extensions even when negotiating SSL3 for the sake 8172 * Note: we allow extensions even when negotiating SSL3 for the sake
8138 * of interoperability (and backwards compatibility). 8173 * of interoperability (and backwards compatibility).
8139 */ 8174 */
8140 8175
8141 if (length) { 8176 if (length) {
(...skipping 112 matching lines...) Expand 10 before | Expand all | Expand 10 after
8254 && !ss->firstHsDone))) { 8289 && !ss->firstHsDone))) {
8255 8290
8256 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_not_ok ); 8291 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_not_ok );
8257 if (ss->sec.uncache) 8292 if (ss->sec.uncache)
8258 ss->sec.uncache(sid); 8293 ss->sec.uncache(sid);
8259 ssl_FreeSID(sid); 8294 ssl_FreeSID(sid);
8260 sid = NULL; 8295 sid = NULL;
8261 } 8296 }
8262 } 8297 }
8263 8298
8264 #ifdef NSS_ENABLE_ECC 8299 #ifndef NSS_DISABLE_ECC
8265 /* Disable any ECC cipher suites for which we have no cert. */ 8300 /* Disable any ECC cipher suites for which we have no cert. */
8266 ssl3_FilterECCipherSuitesByServerCerts(ss); 8301 ssl3_FilterECCipherSuitesByServerCerts(ss);
8267 #endif 8302 #endif
8268 8303
8269 if (IS_DTLS(ss)) { 8304 if (IS_DTLS(ss)) {
8270 ssl3_DisableNonDTLSSuites(ss); 8305 ssl3_DisableNonDTLSSuites(ss);
8271 } 8306 }
8272 8307
8273 if (!ssl3_HasGCMSupport()) { 8308 if (!ssl3_HasGCMSupport()) {
8274 ssl3_DisableGCMSuites(ss); 8309 ssl3_DisableGCMSuites(ss);
(...skipping 562 matching lines...) Expand 10 before | Expand all | Expand 10 after
8837 8872
8838 version = (buffer[1] << 8) | buffer[2]; 8873 version = (buffer[1] << 8) | buffer[2];
8839 suite_length = (buffer[3] << 8) | buffer[4]; 8874 suite_length = (buffer[3] << 8) | buffer[4];
8840 sid_length = (buffer[5] << 8) | buffer[6]; 8875 sid_length = (buffer[5] << 8) | buffer[6];
8841 rand_length = (buffer[7] << 8) | buffer[8]; 8876 rand_length = (buffer[7] << 8) | buffer[8];
8842 ss->clientHelloVersion = version; 8877 ss->clientHelloVersion = version;
8843 8878
8844 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE); 8879 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE);
8845 if (rv != SECSuccess) { 8880 if (rv != SECSuccess) {
8846 /* send back which ever alert client will understand. */ 8881 /* send back which ever alert client will understand. */
8847 » desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version : handshak e_failure; 8882 » desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version
8848 » errCode = SSL_ERROR_NO_CYPHER_OVERLAP; 8883 » : handshake_failure;
8884 » errCode = SSL_ERROR_UNSUPPORTED_VERSION;
8849 goto alert_loser; 8885 goto alert_loser;
8850 } 8886 }
8851 8887
8852 rv = ssl3_InitHandshakeHashes(ss); 8888 rv = ssl3_InitHandshakeHashes(ss);
8853 if (rv != SECSuccess) { 8889 if (rv != SECSuccess) {
8854 desc = internal_error; 8890 desc = internal_error;
8855 errCode = PORT_GetError(); 8891 errCode = PORT_GetError();
8856 goto alert_loser; 8892 goto alert_loser;
8857 } 8893 }
8858 8894
(...skipping 17 matching lines...) Expand all
8876 8912
8877 PORT_Assert(SSL_MAX_CHALLENGE_BYTES == SSL3_RANDOM_LENGTH); 8913 PORT_Assert(SSL_MAX_CHALLENGE_BYTES == SSL3_RANDOM_LENGTH);
8878 8914
8879 PORT_Memset(&ss->ssl3.hs.client_random, 0, SSL3_RANDOM_LENGTH); 8915 PORT_Memset(&ss->ssl3.hs.client_random, 0, SSL3_RANDOM_LENGTH);
8880 PORT_Memcpy( 8916 PORT_Memcpy(
8881 &ss->ssl3.hs.client_random.rand[SSL3_RANDOM_LENGTH - rand_length], 8917 &ss->ssl3.hs.client_random.rand[SSL3_RANDOM_LENGTH - rand_length],
8882 random, rand_length); 8918 random, rand_length);
8883 8919
8884 PRINT_BUF(60, (ss, "client random:", &ss->ssl3.hs.client_random.rand[0], 8920 PRINT_BUF(60, (ss, "client random:", &ss->ssl3.hs.client_random.rand[0],
8885 SSL3_RANDOM_LENGTH)); 8921 SSL3_RANDOM_LENGTH));
8886 #ifdef NSS_ENABLE_ECC 8922 #ifndef NSS_DISABLE_ECC
8887 /* Disable any ECC cipher suites for which we have no cert. */ 8923 /* Disable any ECC cipher suites for which we have no cert. */
8888 ssl3_FilterECCipherSuitesByServerCerts(ss); 8924 ssl3_FilterECCipherSuitesByServerCerts(ss);
8889 #endif 8925 #endif
8890 i = ssl3_config_match_init(ss); 8926 i = ssl3_config_match_init(ss);
8891 if (i <= 0) { 8927 if (i <= 0) {
8892 errCode = PORT_GetError(); /* error code is already set. */ 8928 errCode = PORT_GetError(); /* error code is already set. */
8893 goto alert_loser; 8929 goto alert_loser;
8894 } 8930 }
8895 8931
8896 /* Select a cipher suite. 8932 /* Select a cipher suite.
(...skipping 161 matching lines...) Expand 10 before | Expand all | Expand 10 after
9058 rv = ssl3_AppendHandshake( 9094 rv = ssl3_AppendHandshake(
9059 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH); 9095 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH);
9060 if (rv != SECSuccess) { 9096 if (rv != SECSuccess) {
9061 return rv; /* err set by AppendHandshake. */ 9097 return rv; /* err set by AppendHandshake. */
9062 } 9098 }
9063 9099
9064 if (sid) 9100 if (sid)
9065 rv = ssl3_AppendHandshakeVariable( 9101 rv = ssl3_AppendHandshakeVariable(
9066 ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1); 9102 ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1);
9067 else 9103 else
9068 » rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); 9104 » rv = ssl3_AppendHandshakeNumber(ss, 0, 1);
9069 if (rv != SECSuccess) { 9105 if (rv != SECSuccess) {
9070 return rv; /* err set by AppendHandshake. */ 9106 return rv; /* err set by AppendHandshake. */
9071 } 9107 }
9072 9108
9073 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.cipher_suite, 2); 9109 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.cipher_suite, 2);
9074 if (rv != SECSuccess) { 9110 if (rv != SECSuccess) {
9075 return rv; /* err set by AppendHandshake. */ 9111 return rv; /* err set by AppendHandshake. */
9076 } 9112 }
9077 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.compression, 1); 9113 rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.compression, 1);
9078 if (rv != SECSuccess) { 9114 if (rv != SECSuccess) {
(...skipping 29 matching lines...) Expand all
9108 * used. With TLS 1.2, a client may advertise its support for signature and 9144 * used. With TLS 1.2, a client may advertise its support for signature and
9109 * hash combinations. */ 9145 * hash combinations. */
9110 static SECStatus 9146 static SECStatus
9111 ssl3_PickSignatureHashAlgorithm(sslSocket *ss, 9147 ssl3_PickSignatureHashAlgorithm(sslSocket *ss,
9112 SSL3SignatureAndHashAlgorithm* out) 9148 SSL3SignatureAndHashAlgorithm* out)
9113 { 9149 {
9114 TLSSignatureAlgorithm sigAlg; 9150 TLSSignatureAlgorithm sigAlg;
9115 unsigned int i, j; 9151 unsigned int i, j;
9116 /* hashPreference expresses our preferences for hash algorithms, most 9152 /* hashPreference expresses our preferences for hash algorithms, most
9117 * preferable first. */ 9153 * preferable first. */
9118 static const PRUint8 hashPreference[] = { 9154 static const SECOidTag hashPreference[] = {
9119 » tls_hash_sha256, 9155 SEC_OID_SHA256,
9120 » tls_hash_sha384, 9156 SEC_OID_SHA384,
9121 » tls_hash_sha512, 9157 SEC_OID_SHA512,
9122 » tls_hash_sha1, 9158 SEC_OID_SHA1,
9123 }; 9159 };
9124 9160
9125 switch (ss->ssl3.hs.kea_def->kea) { 9161 switch (ss->ssl3.hs.kea_def->kea) {
9126 case kea_rsa: 9162 case kea_rsa:
9127 case kea_rsa_export: 9163 case kea_rsa_export:
9128 case kea_rsa_export_1024: 9164 case kea_rsa_export_1024:
9129 case kea_dh_rsa: 9165 case kea_dh_rsa:
9130 case kea_dh_rsa_export: 9166 case kea_dh_rsa_export:
9131 case kea_dhe_rsa: 9167 case kea_dhe_rsa:
9132 case kea_dhe_rsa_export: 9168 case kea_dhe_rsa_export:
(...skipping 132 matching lines...) Expand 10 before | Expand all | Expand 10 after
9265 } 9301 }
9266 9302
9267 rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data, 9303 rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data,
9268 signed_hash.len, 2); 9304 signed_hash.len, 2);
9269 if (rv != SECSuccess) { 9305 if (rv != SECSuccess) {
9270 goto loser; /* err set by AppendHandshake. */ 9306 goto loser; /* err set by AppendHandshake. */
9271 } 9307 }
9272 PORT_Free(signed_hash.data); 9308 PORT_Free(signed_hash.data);
9273 return SECSuccess; 9309 return SECSuccess;
9274 9310
9275 #ifdef NSS_ENABLE_ECC 9311 #ifndef NSS_DISABLE_ECC
9276 case kt_ecdh: { 9312 case kt_ecdh: {
9277 rv = ssl3_SendECDHServerKeyExchange(ss, &sigAndHash); 9313 rv = ssl3_SendECDHServerKeyExchange(ss, &sigAndHash);
9278 return rv; 9314 return rv;
9279 } 9315 }
9280 #endif /* NSS_ENABLE_ECC */ 9316 #endif /* NSS_DISABLE_ECC */
9281 9317
9282 case kt_dh: 9318 case kt_dh:
9283 case kt_null: 9319 case kt_null:
9284 default: 9320 default:
9285 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); 9321 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
9286 break; 9322 break;
9287 } 9323 }
9288 loser: 9324 loser:
9289 if (signed_hash.data != NULL) 9325 if (signed_hash.data != NULL)
9290 PORT_Free(signed_hash.data); 9326 PORT_Free(signed_hash.data);
(...skipping 402 matching lines...) Expand 10 before | Expand all | Expand 10 after
9693 * ssl3 ClientKeyExchange message from the remote client 9729 * ssl3 ClientKeyExchange message from the remote client
9694 * Caller must hold Handshake and RecvBuf locks. 9730 * Caller must hold Handshake and RecvBuf locks.
9695 */ 9731 */
9696 static SECStatus 9732 static SECStatus
9697 ssl3_HandleClientKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) 9733 ssl3_HandleClientKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
9698 { 9734 {
9699 SECKEYPrivateKey *serverKey = NULL; 9735 SECKEYPrivateKey *serverKey = NULL;
9700 SECStatus rv; 9736 SECStatus rv;
9701 const ssl3KEADef *kea_def; 9737 const ssl3KEADef *kea_def;
9702 ssl3KeyPair *serverKeyPair = NULL; 9738 ssl3KeyPair *serverKeyPair = NULL;
9703 #ifdef NSS_ENABLE_ECC 9739 #ifndef NSS_DISABLE_ECC
9704 SECKEYPublicKey *serverPubKey = NULL; 9740 SECKEYPublicKey *serverPubKey = NULL;
9705 #endif /* NSS_ENABLE_ECC */ 9741 #endif /* NSS_DISABLE_ECC */
9706 9742
9707 SSL_TRC(3, ("%d: SSL3[%d]: handle client_key_exchange handshake", 9743 SSL_TRC(3, ("%d: SSL3[%d]: handle client_key_exchange handshake",
9708 SSL_GETPID(), ss->fd)); 9744 SSL_GETPID(), ss->fd));
9709 9745
9710 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 9746 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
9711 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 9747 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
9712 9748
9713 if (ss->ssl3.hs.ws != wait_client_key) { 9749 if (ss->ssl3.hs.ws != wait_client_key) {
9714 SSL3_SendAlert(ss, alert_fatal, unexpected_message); 9750 SSL3_SendAlert(ss, alert_fatal, unexpected_message);
9715 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH); 9751 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH);
9716 return SECFailure; 9752 return SECFailure;
9717 } 9753 }
9718 9754
9719 kea_def = ss->ssl3.hs.kea_def; 9755 kea_def = ss->ssl3.hs.kea_def;
9720 9756
9721 if (ss->ssl3.hs.usedStepDownKey) { 9757 if (ss->ssl3.hs.usedStepDownKey) {
9722 PORT_Assert(kea_def->is_limited /* XXX OR cert is signing only */ 9758 PORT_Assert(kea_def->is_limited /* XXX OR cert is signing only */
9723 && kea_def->exchKeyType == kt_rsa 9759 && kea_def->exchKeyType == kt_rsa
9724 && ss->stepDownKeyPair != NULL); 9760 && ss->stepDownKeyPair != NULL);
9725 if (!kea_def->is_limited || 9761 if (!kea_def->is_limited ||
9726 kea_def->exchKeyType != kt_rsa || 9762 kea_def->exchKeyType != kt_rsa ||
9727 ss->stepDownKeyPair == NULL) { 9763 ss->stepDownKeyPair == NULL) {
9728 /* shouldn't happen, don't use step down if it does */ 9764 /* shouldn't happen, don't use step down if it does */
9729 goto skip; 9765 goto skip;
9730 } 9766 }
9731 serverKeyPair = ss->stepDownKeyPair; 9767 serverKeyPair = ss->stepDownKeyPair;
9732 ss->sec.keaKeyBits = EXPORT_RSA_KEY_LENGTH * BPB; 9768 ss->sec.keaKeyBits = EXPORT_RSA_KEY_LENGTH * BPB;
9733 } else 9769 } else
9734 skip: 9770 skip:
9735 #ifdef NSS_ENABLE_ECC 9771 #ifndef NSS_DISABLE_ECC
9736 /* XXX Using SSLKEAType to index server certifiates 9772 /* XXX Using SSLKEAType to index server certifiates
9737 * does not work for (EC)DHE ciphers. Until we have 9773 * does not work for (EC)DHE ciphers. Until we have
9738 * an indexing mechanism general enough for all key 9774 * an indexing mechanism general enough for all key
9739 * exchange algorithms, we'll need to deal with each 9775 * exchange algorithms, we'll need to deal with each
9740 * one seprately. 9776 * one seprately.
9741 */ 9777 */
9742 if ((kea_def->kea == kea_ecdhe_rsa) || 9778 if ((kea_def->kea == kea_ecdhe_rsa) ||
9743 (kea_def->kea == kea_ecdhe_ecdsa)) { 9779 (kea_def->kea == kea_ecdhe_ecdsa)) {
9744 if (ss->ephemeralECDHKeyPair != NULL) { 9780 if (ss->ephemeralECDHKeyPair != NULL) {
9745 serverKeyPair = ss->ephemeralECDHKeyPair; 9781 serverKeyPair = ss->ephemeralECDHKeyPair;
(...skipping 25 matching lines...) Expand all
9771 switch (kea_def->exchKeyType) { 9807 switch (kea_def->exchKeyType) {
9772 case kt_rsa: 9808 case kt_rsa:
9773 rv = ssl3_HandleRSAClientKeyExchange(ss, b, length, serverKey); 9809 rv = ssl3_HandleRSAClientKeyExchange(ss, b, length, serverKey);
9774 if (rv != SECSuccess) { 9810 if (rv != SECSuccess) {
9775 SEND_ALERT 9811 SEND_ALERT
9776 return SECFailure; /* error code set */ 9812 return SECFailure; /* error code set */
9777 } 9813 }
9778 break; 9814 break;
9779 9815
9780 9816
9781 #ifdef NSS_ENABLE_ECC 9817 #ifndef NSS_DISABLE_ECC
9782 case kt_ecdh: 9818 case kt_ecdh:
9783 /* XXX We really ought to be able to store multiple 9819 /* XXX We really ought to be able to store multiple
9784 * EC certs (a requirement if we wish to support both 9820 * EC certs (a requirement if we wish to support both
9785 * ECDH-RSA and ECDH-ECDSA key exchanges concurrently). 9821 * ECDH-RSA and ECDH-ECDSA key exchanges concurrently).
9786 * When we make that change, we'll need an index other 9822 * When we make that change, we'll need an index other
9787 * than kt_ecdh to pick the right EC certificate. 9823 * than kt_ecdh to pick the right EC certificate.
9788 */ 9824 */
9789 if (serverKeyPair) { 9825 if (serverKeyPair) {
9790 serverPubKey = serverKeyPair->pubKey; 9826 serverPubKey = serverKeyPair->pubKey;
9791 } 9827 }
9792 if (serverPubKey == NULL) { 9828 if (serverPubKey == NULL) {
9793 /* XXX Is this the right error code? */ 9829 /* XXX Is this the right error code? */
9794 PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); 9830 PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
9795 return SECFailure; 9831 return SECFailure;
9796 } 9832 }
9797 rv = ssl3_HandleECDHClientKeyExchange(ss, b, length, 9833 rv = ssl3_HandleECDHClientKeyExchange(ss, b, length,
9798 serverPubKey, serverKey); 9834 serverPubKey, serverKey);
9835 if (ss->ephemeralECDHKeyPair) {
9836 ssl3_FreeKeyPair(ss->ephemeralECDHKeyPair);
9837 ss->ephemeralECDHKeyPair = NULL;
9838 }
9799 if (rv != SECSuccess) { 9839 if (rv != SECSuccess) {
9800 return SECFailure; /* error code set */ 9840 return SECFailure; /* error code set */
9801 } 9841 }
9802 break; 9842 break;
9803 #endif /* NSS_ENABLE_ECC */ 9843 #endif /* NSS_DISABLE_ECC */
9804 9844
9805 default: 9845 default:
9806 (void) ssl3_HandshakeFailure(ss); 9846 (void) ssl3_HandshakeFailure(ss);
9807 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); 9847 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
9808 return SECFailure; 9848 return SECFailure;
9809 } 9849 }
9810 ss->ssl3.hs.ws = ss->sec.peerCert ? wait_cert_verify : wait_change_cipher; 9850 ss->ssl3.hs.ws = ss->sec.peerCert ? wait_cert_verify : wait_change_cipher;
9811 return SECSuccess; 9851 return SECSuccess;
9812 9852
9813 } 9853 }
(...skipping 39 matching lines...) Expand 10 before | Expand all | Expand 10 after
9853 ss->ssl3.hs.newSessionTicket.received_timestamp = ssl_Time(); 9893 ss->ssl3.hs.newSessionTicket.received_timestamp = ssl_Time();
9854 if (length < 4) { 9894 if (length < 4) {
9855 (void)SSL3_SendAlert(ss, alert_fatal, decode_error); 9895 (void)SSL3_SendAlert(ss, alert_fatal, decode_error);
9856 PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET); 9896 PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET);
9857 return SECFailure; 9897 return SECFailure;
9858 } 9898 }
9859 ss->ssl3.hs.newSessionTicket.ticket_lifetime_hint = 9899 ss->ssl3.hs.newSessionTicket.ticket_lifetime_hint =
9860 (PRUint32)ssl3_ConsumeHandshakeNumber(ss, 4, &b, &length); 9900 (PRUint32)ssl3_ConsumeHandshakeNumber(ss, 4, &b, &length);
9861 9901
9862 rv = ssl3_ConsumeHandshakeVariable(ss, &ticketData, 2, &b, &length); 9902 rv = ssl3_ConsumeHandshakeVariable(ss, &ticketData, 2, &b, &length);
9863 if (length != 0 || rv != SECSuccess) { 9903 if (rv != SECSuccess || length != 0) {
9864 (void)SSL3_SendAlert(ss, alert_fatal, decode_error); 9904 (void)SSL3_SendAlert(ss, alert_fatal, decode_error);
9865 PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET); 9905 PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET);
9866 return SECFailure; /* malformed */ 9906 return SECFailure; /* malformed */
9867 } 9907 }
9868 rv = SECITEM_CopyItem(NULL, &ss->ssl3.hs.newSessionTicket.ticket, 9908 /* If the server sent a zero-length ticket, ignore it and keep the
9869 » » » &ticketData); 9909 * existing ticket. */
9870 if (rv != SECSuccess) { 9910 if (ticketData.len != 0) {
9871 » return rv; 9911 » rv = SECITEM_CopyItem(NULL, &ss->ssl3.hs.newSessionTicket.ticket,
9912 » » » &ticketData);
9913 » if (rv != SECSuccess) {
9914 » return rv;
9915 » }
9916 » ss->ssl3.hs.receivedNewSessionTicket = PR_TRUE;
9872 } 9917 }
9873 ss->ssl3.hs.receivedNewSessionTicket = PR_TRUE;
9874 9918
9875 ss->ssl3.hs.ws = wait_change_cipher; 9919 ss->ssl3.hs.ws = wait_change_cipher;
9876 return SECSuccess; 9920 return SECSuccess;
9877 } 9921 }
9878 9922
9879 #ifdef NISCC_TEST 9923 #ifdef NISCC_TEST
9880 static PRInt32 connNum = 0; 9924 static PRInt32 connNum = 0;
9881 9925
9882 static SECStatus 9926 static SECStatus
9883 get_fake_cert(SECItem *pCertItem, int *pIndex) 9927 get_fake_cert(SECItem *pCertItem, int *pIndex)
(...skipping 553 matching lines...) Expand 10 before | Expand all | Expand 10 after
10437 /* set the server authentication and key exchange types and sizes 10481 /* set the server authentication and key exchange types and sizes
10438 ** from the value in the cert. If the key exchange key is different, 10482 ** from the value in the cert. If the key exchange key is different,
10439 ** it will get fixed when we handle the server key exchange message. 10483 ** it will get fixed when we handle the server key exchange message.
10440 */ 10484 */
10441 SECKEYPublicKey * pubKey = CERT_ExtractPublicKey(cert); 10485 SECKEYPublicKey * pubKey = CERT_ExtractPublicKey(cert);
10442 ss->sec.authAlgorithm = ss->ssl3.hs.kea_def->signKeyType; 10486 ss->sec.authAlgorithm = ss->ssl3.hs.kea_def->signKeyType;
10443 ss->sec.keaType = ss->ssl3.hs.kea_def->exchKeyType; 10487 ss->sec.keaType = ss->ssl3.hs.kea_def->exchKeyType;
10444 if (pubKey) { 10488 if (pubKey) {
10445 ss->sec.keaKeyBits = ss->sec.authKeyBits = 10489 ss->sec.keaKeyBits = ss->sec.authKeyBits =
10446 SECKEY_PublicKeyStrengthInBits(pubKey); 10490 SECKEY_PublicKeyStrengthInBits(pubKey);
10447 #ifdef NSS_ENABLE_ECC 10491 #ifndef NSS_DISABLE_ECC
10448 if (ss->sec.keaType == kt_ecdh) { 10492 if (ss->sec.keaType == kt_ecdh) {
10449 /* Get authKeyBits from signing key. 10493 /* Get authKeyBits from signing key.
10450 * XXX The code below uses a quick approximation of 10494 * XXX The code below uses a quick approximation of
10451 * key size based on cert->signatureWrap.signature.data 10495 * key size based on cert->signatureWrap.signature.data
10452 * (which contains the DER encoded signature). The field 10496 * (which contains the DER encoded signature). The field
10453 * cert->signatureWrap.signature.len contains the 10497 * cert->signatureWrap.signature.len contains the
10454 * length of the encoded signature in bits. 10498 * length of the encoded signature in bits.
10455 */ 10499 */
10456 if (ss->ssl3.hs.kea_def->kea == kea_ecdh_ecdsa) { 10500 if (ss->ssl3.hs.kea_def->kea == kea_ecdh_ecdsa) {
10457 ss->sec.authKeyBits = 10501 ss->sec.authKeyBits =
10458 cert->signatureWrap.signature.data[3]*8; 10502 cert->signatureWrap.signature.data[3]*8;
10459 if (cert->signatureWrap.signature.data[4] == 0x00) 10503 if (cert->signatureWrap.signature.data[4] == 0x00)
10460 ss->sec.authKeyBits -= 8; 10504 ss->sec.authKeyBits -= 8;
10461 /* 10505 /*
10462 * XXX: if cert is not signed by ecdsa we should 10506 * XXX: if cert is not signed by ecdsa we should
10463 * destroy pubKey and goto bad_cert 10507 * destroy pubKey and goto bad_cert
10464 */ 10508 */
10465 } else if (ss->ssl3.hs.kea_def->kea == kea_ecdh_rsa) { 10509 } else if (ss->ssl3.hs.kea_def->kea == kea_ecdh_rsa) {
10466 ss->sec.authKeyBits = cert->signatureWrap.signature.len; 10510 ss->sec.authKeyBits = cert->signatureWrap.signature.len;
10467 /* 10511 /*
10468 * XXX: if cert is not signed by rsa we should 10512 * XXX: if cert is not signed by rsa we should
10469 * destroy pubKey and goto bad_cert 10513 * destroy pubKey and goto bad_cert
10470 */ 10514 */
10471 } 10515 }
10472 } 10516 }
10473 #endif /* NSS_ENABLE_ECC */ 10517 #endif /* NSS_DISABLE_ECC */
10474 SECKEY_DestroyPublicKey(pubKey); 10518 SECKEY_DestroyPublicKey(pubKey);
10475 pubKey = NULL; 10519 pubKey = NULL;
10476 } 10520 }
10477 10521
10478 ss->ssl3.hs.ws = wait_cert_request; /* disallow server_key_exchange */ 10522 ss->ssl3.hs.ws = wait_cert_request; /* disallow server_key_exchange */
10479 if (ss->ssl3.hs.kea_def->is_limited || 10523 if (ss->ssl3.hs.kea_def->is_limited ||
10480 /* XXX OR server cert is signing only. */ 10524 /* XXX OR server cert is signing only. */
10481 #ifdef NSS_ENABLE_ECC 10525 #ifndef NSS_DISABLE_ECC
10482 ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa || 10526 ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
10483 ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa || 10527 ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa ||
10484 #endif /* NSS_ENABLE_ECC */ 10528 #endif /* NSS_DISABLE_ECC */
10485 ss->ssl3.hs.kea_def->exchKeyType == kt_dh) { 10529 ss->ssl3.hs.kea_def->exchKeyType == kt_dh) {
10486 ss->ssl3.hs.ws = wait_server_key; /* allow server_key_exchange */ 10530 ss->ssl3.hs.ws = wait_server_key; /* allow server_key_exchange */
10487 } 10531 }
10488 } else { 10532 } else {
10489 ss->ssl3.hs.ws = wait_client_key; 10533 ss->ssl3.hs.ws = wait_client_key;
10490 } 10534 }
10491 10535
10492 PORT_Assert(rv == SECSuccess); 10536 PORT_Assert(rv == SECSuccess);
10493 if (rv != SECSuccess) { 10537 if (rv != SECSuccess) {
10494 errCode = SEC_ERROR_LIBRARY_FAILURE; 10538 errCode = SEC_ERROR_LIBRARY_FAILURE;
(...skipping 736 matching lines...) Expand 10 before | Expand all | Expand 10 after
11231 effectiveExchKeyType = kt_rsa; 11275 effectiveExchKeyType = kt_rsa;
11232 } else { 11276 } else {
11233 effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType; 11277 effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType;
11234 } 11278 }
11235 11279
11236 if (sid->cached == never_cached && !ss->opt.noCache && ss->sec.cache) { 11280 if (sid->cached == never_cached && !ss->opt.noCache && ss->sec.cache) {
11237 /* fill in the sid */ 11281 /* fill in the sid */
11238 sid->u.ssl3.cipherSuite = ss->ssl3.hs.cipher_suite; 11282 sid->u.ssl3.cipherSuite = ss->ssl3.hs.cipher_suite;
11239 sid->u.ssl3.compression = ss->ssl3.hs.compression; 11283 sid->u.ssl3.compression = ss->ssl3.hs.compression;
11240 sid->u.ssl3.policy = ss->ssl3.policy; 11284 sid->u.ssl3.policy = ss->ssl3.policy;
11241 #ifdef NSS_ENABLE_ECC 11285 #ifndef NSS_DISABLE_ECC
11242 sid->u.ssl3.negotiatedECCurves = ss->ssl3.hs.negotiatedECCurves; 11286 sid->u.ssl3.negotiatedECCurves = ss->ssl3.hs.negotiatedECCurves;
11243 #endif 11287 #endif
11244 sid->u.ssl3.exchKeyType = effectiveExchKeyType; 11288 sid->u.ssl3.exchKeyType = effectiveExchKeyType;
11245 sid->version = ss->version; 11289 sid->version = ss->version;
11246 sid->authAlgorithm = ss->sec.authAlgorithm; 11290 sid->authAlgorithm = ss->sec.authAlgorithm;
11247 sid->authKeyBits = ss->sec.authKeyBits; 11291 sid->authKeyBits = ss->sec.authKeyBits;
11248 sid->keaType = ss->sec.keaType; 11292 sid->keaType = ss->sec.keaType;
11249 sid->keaKeyBits = ss->sec.keaKeyBits; 11293 sid->keaKeyBits = ss->sec.keaKeyBits;
11250 sid->lastAccessTime = sid->creationTime = ssl_Time(); 11294 sid->lastAccessTime = sid->creationTime = ssl_Time();
11251 sid->expirationTime = sid->creationTime + ssl3_sid_timeout; 11295 sid->expirationTime = sid->creationTime + ssl3_sid_timeout;
(...skipping 1115 matching lines...) Expand 10 before | Expand all | Expand 10 after
12367 ss->ssl3.policy = SSL_ALLOWED; 12411 ss->ssl3.policy = SSL_ALLOWED;
12368 12412
12369 ssl_GetSpecWriteLock(ss); 12413 ssl_GetSpecWriteLock(ss);
12370 ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0]; 12414 ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0];
12371 ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1]; 12415 ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1];
12372 ss->ssl3.hs.sendingSCSV = PR_FALSE; 12416 ss->ssl3.hs.sendingSCSV = PR_FALSE;
12373 ssl3_InitCipherSpec(ss, ss->ssl3.crSpec); 12417 ssl3_InitCipherSpec(ss, ss->ssl3.crSpec);
12374 ssl3_InitCipherSpec(ss, ss->ssl3.prSpec); 12418 ssl3_InitCipherSpec(ss, ss->ssl3.prSpec);
12375 12419
12376 ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello; 12420 ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello;
12377 #ifdef NSS_ENABLE_ECC 12421 #ifndef NSS_DISABLE_ECC
12378 ss->ssl3.hs.negotiatedECCurves = ssl3_GetSupportedECCurveMask(ss); 12422 ss->ssl3.hs.negotiatedECCurves = ssl3_GetSupportedECCurveMask(ss);
12379 #endif 12423 #endif
12380 ssl_ReleaseSpecWriteLock(ss); 12424 ssl_ReleaseSpecWriteLock(ss);
12381 12425
12382 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData)); 12426 PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
12383 12427
12384 if (IS_DTLS(ss)) { 12428 if (IS_DTLS(ss)) {
12385 ss->ssl3.hs.sendMessageSeq = 0; 12429 ss->ssl3.hs.sendMessageSeq = 0;
12386 ss->ssl3.hs.recvMessageSeq = 0; 12430 ss->ssl3.hs.recvMessageSeq = 0;
12387 ss->ssl3.hs.rtTimeoutMs = INITIAL_DTLS_TIMEOUT_MS; 12431 ss->ssl3.hs.rtTimeoutMs = INITIAL_DTLS_TIMEOUT_MS;
(...skipping 458 matching lines...) Expand 10 before | Expand all | Expand 10 after
12846 PORT_Free(ss->ssl3.hs.recvdFragments.buf); 12890 PORT_Free(ss->ssl3.hs.recvdFragments.buf);
12847 } 12891 }
12848 } 12892 }
12849 12893
12850 ss->ssl3.initialized = PR_FALSE; 12894 ss->ssl3.initialized = PR_FALSE;
12851 12895
12852 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); 12896 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
12853 } 12897 }
12854 12898
12855 /* End of ssl3con.c */ 12899 /* End of ssl3con.c */
OLDNEW
« no previous file with comments | « net/third_party/nss/ssl/ssl.h ('k') | net/third_party/nss/ssl/ssl3ecc.c » ('j') | net/third_party/nss/ssl/ssl3ext.c » ('J')

Powered by Google App Engine
This is Rietveld 408576698