Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(88)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/third_party/nss/ssl/ssl3con.c

Issue 14772023: Implement TLS 1.2. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Created 7 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « net/third_party/nss/ssl/SSLerrs.h ('k') | net/third_party/nss/ssl/ssl3ecc.c » ('j') | net/third_party/nss/ssl/sslimpl.h » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /* 2 /*
3 * SSL3 Protocol 3 * SSL3 Protocol
4 * 4 *
5 * This Source Code Form is subject to the terms of the Mozilla Public 5 * This Source Code Form is subject to the terms of the Mozilla Public
6 * License, v. 2.0. If a copy of the MPL was not distributed with this 6 * License, v. 2.0. If a copy of the MPL was not distributed with this
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
8 /* $Id$ */ 8 /* $Id$ */
9 9
10 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ 10 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
11 11
12 #include "cert.h" 12 #include "cert.h"
13 #include "ssl.h" 13 #include "ssl.h"
14 #include "cryptohi.h" /* for DSAU_ stuff */ 14 #include "cryptohi.h" /* for DSAU_ stuff */
15 #include "keyhi.h" 15 #include "keyhi.h"
16 #include "secder.h" 16 #include "secder.h"
17 #include "secitem.h" 17 #include "secitem.h"
18 #include "sechash.h"
18 19
19 #include "sslimpl.h" 20 #include "sslimpl.h"
20 #include "sslproto.h" 21 #include "sslproto.h"
21 #include "sslerr.h" 22 #include "sslerr.h"
22 #include "prtime.h" 23 #include "prtime.h"
23 #include "prinrval.h" 24 #include "prinrval.h"
24 #include "prerror.h" 25 #include "prerror.h"
25 #include "pratom.h" 26 #include "pratom.h"
26 #include "prthread.h" 27 #include "prthread.h"
27 28
(...skipping 765 matching lines...) Expand 10 before | Expand all | Expand 10 after
793 random->rand[3] = (unsigned char)(gmt); 794 random->rand[3] = (unsigned char)(gmt);
794 795
795 /* first 4 bytes are reserverd for time */ 796 /* first 4 bytes are reserverd for time */
796 rv = PK11_GenerateRandom(&random->rand[4], SSL3_RANDOM_LENGTH - 4); 797 rv = PK11_GenerateRandom(&random->rand[4], SSL3_RANDOM_LENGTH - 4);
797 if (rv != SECSuccess) { 798 if (rv != SECSuccess) {
798 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE); 799 ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
799 } 800 }
800 return rv; 801 return rv;
801 } 802 }
802 803
804 #define SSL_MAX_RSA_ASN1_PREFIX 20
805
806 /* ssl3_GetPKCS1v15ASN1Data sets |out| and |out_len| to point to a buffer that
807 * contains ASN.1 data that should be prepended to a hash of the given type in
808 * order to create a structure that is valid for use in a PKCS#1 v1.5 RSA
809 * signature. |out_len| will not be set to a value greater than
810 * SSL_MAX_RSA_ASN1_PREFIX. */
811 static SECStatus
812 ssl3_GetPKCS1v15ASN1Data(SECOidTag hashAlg,
813 const SSL3Opaque** out, unsigned int *out_len)
814 {
815 /* These are ASN1 DER structures:
816 * DigestInfo ::= SEQUENCE {
817 * digestAlgorithm AlgorithmIdentifier,
818 * digest OCTET STRING
819 * }
820 */
821 static const unsigned char kMD5[] = {
822 0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86,
823 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00,
824 0x04, 0x10
825 };
826 static const unsigned char kSHA1[] = {
827 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
828 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14
829 };
830 static const unsigned char kSHA224[] = {
831 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
832 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05,
833 0x00, 0x04, 0x1c
834 };
835 static const unsigned char kSHA256[] = {
836 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
837 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
838 0x00, 0x04, 0x20
839 };
840 static const unsigned char kSHA384[] = {
841 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
842 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05,
843 0x00, 0x04, 0x30
844 };
845 static const unsigned char kSHA512[] = {
846 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
847 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05,
848 0x00, 0x04, 0x40
849 };
850
851 switch (hashAlg) {
852 case SEC_OID_UNKNOWN:
853 *out_len = 0;
854 break;
855 case SEC_OID_MD5:
856 *out = kMD5;
857 *out_len = sizeof(kMD5);
858 break;
859 case SEC_OID_SHA1:
860 *out = kSHA1;
861 *out_len = sizeof(kSHA1);
862 break;
863 case SEC_OID_SHA224:
864 *out = kSHA224;
865 *out_len = sizeof(kSHA224);
866 break;
867 case SEC_OID_SHA256:
868 *out = kSHA256;
869 *out_len = sizeof(kSHA256);
870 break;
871 case SEC_OID_SHA384:
872 *out = kSHA384;
873 *out_len = sizeof(kSHA384);
874 break;
875 case SEC_OID_SHA512:
876 *out = kSHA512;
877 *out_len = sizeof(kSHA512);
878 break;
879 default:
880 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_FUNCTION);
881 return SECFailure;
882 }
883
884 return SECSuccess;
885 }
886
803 /* Called by ssl3_SendServerKeyExchange and ssl3_SendCertificateVerify */ 887 /* Called by ssl3_SendServerKeyExchange and ssl3_SendCertificateVerify */
804 SECStatus 888 SECStatus
805 ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key, SECItem *buf, 889 ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key, SECItem *buf,
806 PRBool isTLS) 890 PRBool isTLS)
807 { 891 {
808 SECStatus rv» » = SECFailure; 892 SECStatus rv» » = SECFailure;
809 PRBool doDerEncode = PR_FALSE; 893 PRBool doDerEncode = PR_FALSE;
810 int signatureLen; 894 int signatureLen;
811 SECItem hashItem; 895 SECItem hashItem;
896 unsigned int len;
897 const SSL3Opaque* asn1Prefix;
898 SSL3Opaque asn1AndHash[HASH_LENGTH_MAX + SSL_MAX_RSA_ASN1_PREFIX];
812 899
813 buf->data = NULL; 900 buf->data = NULL;
814 signatureLen = PK11_SignatureLen(key); 901 signatureLen = PK11_SignatureLen(key);
815 if (signatureLen <= 0) { 902 if (signatureLen <= 0) {
816 PORT_SetError(SEC_ERROR_INVALID_KEY); 903 PORT_SetError(SEC_ERROR_INVALID_KEY);
817 goto done; 904 goto done;
818 } 905 }
819 906
820 buf->len = (unsigned)signatureLen; 907 buf->len = (unsigned)signatureLen;
821 buf->data = (unsigned char *)PORT_Alloc(signatureLen); 908 buf->data = (unsigned char *)PORT_Alloc(signatureLen);
822 if (!buf->data) 909 if (!buf->data)
823 goto done; /* error code was set. */ 910 goto done; /* error code was set. */
824 911
825 switch (key->keyType) { 912 switch (key->keyType) {
826 case rsaKey: 913 case rsaKey:
827 » hashItem.data = hash->md5; 914 » rv = ssl3_GetPKCS1v15ASN1Data(hash->hashAlg, &asn1Prefix, &len);
828 » hashItem.len = sizeof(SSL3Hashes); 915 » if (rv != SECSuccess) {
916 » return rv;
917 » }
918 » if (len + hash->len > sizeof(asn1AndHash)) {
919 » PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
920 » return SECFailure;
921 » }
922 » memcpy(asn1AndHash, asn1Prefix, len);
923 » memcpy(asn1AndHash + len, hash->u.raw, hash->len);
924 » len += hash->len;
925 » hashItem.data = asn1AndHash;
926 » hashItem.len = len;
829 break; 927 break;
830 case dsaKey: 928 case dsaKey:
831 doDerEncode = isTLS; 929 doDerEncode = isTLS;
832 » hashItem.data = hash->sha; 930 » /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
833 » hashItem.len = sizeof(hash->sha); 931 » * In that case, we use just the SHA1 part. */
932 » if (hash->hashAlg == SEC_OID_UNKNOWN) {
933 » hashItem.data = hash->u.s.sha;
934 » hashItem.len = sizeof(hash->u.s.sha);
935 » } else {
936 » hashItem.data = hash->u.raw;
937 » hashItem.len = hash->len;
938 » }
834 break; 939 break;
835 #ifdef NSS_ENABLE_ECC 940 #ifdef NSS_ENABLE_ECC
836 case ecKey: 941 case ecKey:
837 doDerEncode = PR_TRUE; 942 doDerEncode = PR_TRUE;
838 » hashItem.data = hash->sha; 943 » /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
839 » hashItem.len = sizeof(hash->sha); 944 » * In that case, we use just the SHA1 part. */
945 » if (hash->hashAlg == SEC_OID_UNKNOWN) {
946 » hashItem.data = hash->u.s.sha;
947 » hashItem.len = sizeof(hash->u.s.sha);
948 » } else {
949 » hashItem.data = hash->u.raw;
950 » hashItem.len = hash->len;
951 » }
840 break; 952 break;
841 #endif /* NSS_ENABLE_ECC */ 953 #endif /* NSS_ENABLE_ECC */
842 default: 954 default:
843 PORT_SetError(SEC_ERROR_INVALID_KEY); 955 PORT_SetError(SEC_ERROR_INVALID_KEY);
844 goto done; 956 goto done;
845 } 957 }
846 PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len)); 958 PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len));
847 959
848 rv = PK11_Sign(key, buf, &hashItem); 960 rv = PK11_Sign(key, buf, &hashItem);
849 if (rv != SECSuccess) { 961 if (rv != SECSuccess) {
(...skipping 22 matching lines...) Expand all
872 984
873 /* Called from ssl3_HandleServerKeyExchange, ssl3_HandleCertificateVerify */ 985 /* Called from ssl3_HandleServerKeyExchange, ssl3_HandleCertificateVerify */
874 SECStatus 986 SECStatus
875 ssl3_VerifySignedHashes(SSL3Hashes *hash, CERTCertificate *cert, 987 ssl3_VerifySignedHashes(SSL3Hashes *hash, CERTCertificate *cert,
876 SECItem *buf, PRBool isTLS, void *pwArg) 988 SECItem *buf, PRBool isTLS, void *pwArg)
877 { 989 {
878 SECKEYPublicKey * key; 990 SECKEYPublicKey * key;
879 SECItem * signature = NULL; 991 SECItem * signature = NULL;
880 SECStatus rv; 992 SECStatus rv;
881 SECItem hashItem; 993 SECItem hashItem;
882 #ifdef NSS_ENABLE_ECC 994 const SSL3Opaque* asn1Prefix;
995 SSL3Opaque asn1AndHash[HASH_LENGTH_MAX + SSL_MAX_RSA_ASN1_PREFIX];
883 unsigned int len; 996 unsigned int len;
884 #endif /* NSS_ENABLE_ECC */
885 997
886 998
887 PRINT_BUF(60, (NULL, "check signed hashes", 999 PRINT_BUF(60, (NULL, "check signed hashes",
888 buf->data, buf->len)); 1000 buf->data, buf->len));
889 1001
890 key = CERT_ExtractPublicKey(cert); 1002 key = CERT_ExtractPublicKey(cert);
891 if (key == NULL) { 1003 if (key == NULL) {
892 ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); 1004 ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
893 return SECFailure; 1005 return SECFailure;
894 } 1006 }
895 1007
896 switch (key->keyType) { 1008 switch (key->keyType) {
897 case rsaKey: 1009 case rsaKey:
898 » hashItem.data = hash->md5; 1010 » rv = ssl3_GetPKCS1v15ASN1Data(hash->hashAlg, &asn1Prefix, &len);
899 » hashItem.len = sizeof(SSL3Hashes); 1011 » if (rv != SECSuccess) {
1012 » return rv;
1013 » }
1014 » if (len + hash->len > sizeof(asn1AndHash)) {
1015 » PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1016 » return SECFailure;
1017 » }
1018 » memcpy(asn1AndHash, asn1Prefix, len);
1019 » memcpy(asn1AndHash + len, hash->u.raw, hash->len);
1020 » len += hash->len;
1021 » hashItem.data = asn1AndHash;
1022 » hashItem.len = len;
900 break; 1023 break;
901 case dsaKey: 1024 case dsaKey:
902 » hashItem.data = hash->sha; 1025 » /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
903 » hashItem.len = sizeof(hash->sha); 1026 » * In that case, we use just the SHA1 part. */
1027 » if (hash->hashAlg == SEC_OID_UNKNOWN) {
1028 » hashItem.data = hash->u.s.sha;
1029 » hashItem.len = sizeof(hash->u.s.sha);
1030 » } else {
1031 » hashItem.data = hash->u.raw;
1032 » hashItem.len = hash->len;
1033 » }
904 /* Allow DER encoded DSA signatures in SSL 3.0 */ 1034 /* Allow DER encoded DSA signatures in SSL 3.0 */
905 if (isTLS || buf->len != SECKEY_SignatureLen(key)) { 1035 if (isTLS || buf->len != SECKEY_SignatureLen(key)) {
906 signature = DSAU_DecodeDerSig(buf); 1036 signature = DSAU_DecodeDerSig(buf);
907 if (!signature) { 1037 if (!signature) {
908 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); 1038 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
909 return SECFailure; 1039 return SECFailure;
910 } 1040 }
911 buf = signature; 1041 buf = signature;
912 } 1042 }
913 break; 1043 break;
914 1044
915 #ifdef NSS_ENABLE_ECC 1045 #ifdef NSS_ENABLE_ECC
916 case ecKey: 1046 case ecKey:
917 » hashItem.data = hash->sha; 1047 » /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
918 » hashItem.len = sizeof(hash->sha); 1048 » * In that case, we use just the SHA1 part. */
1049 » if (hash->hashAlg == SEC_OID_UNKNOWN) {
1050 » hashItem.data = hash->u.s.sha;
1051 » hashItem.len = sizeof(hash->u.s.sha);
1052 » } else {
1053 » hashItem.data = hash->u.raw;
1054 » hashItem.len = hash->len;
1055 » }
919 /* 1056 /*
920 * ECDSA signatures always encode the integers r and s 1057 * ECDSA signatures always encode the integers r and s
921 * using ASN (unlike DSA where ASN encoding is used 1058 * using ASN (unlike DSA where ASN encoding is used
922 * with TLS but not with SSL3) 1059 * with TLS but not with SSL3)
923 */ 1060 */
924 len = SECKEY_SignatureLen(key); 1061 len = SECKEY_SignatureLen(key);
925 if (len == 0) { 1062 if (len == 0) {
926 SECKEY_DestroyPublicKey(key); 1063 SECKEY_DestroyPublicKey(key);
927 PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); 1064 PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
928 return SECFailure; 1065 return SECFailure;
(...skipping 25 matching lines...) Expand all
954 ssl_MapLowLevelError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); 1091 ssl_MapLowLevelError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
955 } 1092 }
956 return rv; 1093 return rv;
957 } 1094 }
958 1095
959 1096
960 /* Caller must set hiLevel error code. */ 1097 /* Caller must set hiLevel error code. */
961 /* Called from ssl3_ComputeExportRSAKeyHash 1098 /* Called from ssl3_ComputeExportRSAKeyHash
962 * ssl3_ComputeDHKeyHash 1099 * ssl3_ComputeDHKeyHash
963 * which are called from ssl3_HandleServerKeyExchange. 1100 * which are called from ssl3_HandleServerKeyExchange.
1101 *
1102 * hashAlg: either the OID for a hash function or SEC_OID_UNKNOWN to specify
1103 * the pre-1.2, MD5/SHA1 combination hash.
964 */ 1104 */
965 SECStatus 1105 SECStatus
966 ssl3_ComputeCommonKeyHash(PRUint8 * hashBuf, unsigned int bufLen, 1106 ssl3_ComputeCommonKeyHash(SECOidTag hashAlg,
967 » » » SSL3Hashes *hashes, PRBool bypassPKCS11) 1107 » » » PRUint8 * hashBuf, unsigned int bufLen,
1108 » » » SSL3Hashes *hashes, PRBool bypassPKCS11)
968 { 1109 {
969 SECStatus rv = SECSuccess; 1110 SECStatus rv = SECSuccess;
970 1111
971 #ifndef NO_PKCS11_BYPASS 1112 #ifndef NO_PKCS11_BYPASS
972 if (bypassPKCS11) { 1113 if (bypassPKCS11) {
973 » MD5_HashBuf (hashes->md5, hashBuf, bufLen); 1114 » if (hashAlg == SEC_OID_UNKNOWN) {
974 » SHA1_HashBuf(hashes->sha, hashBuf, bufLen); 1115 » MD5_HashBuf (hashes->u.s.md5, hashBuf, bufLen);
1116 » SHA1_HashBuf(hashes->u.s.sha, hashBuf, bufLen);
1117 » hashes->len = MD5_LENGTH + SHA1_LENGTH;
1118 » } else if (hashAlg == SEC_OID_SHA1) {
1119 » SHA1_HashBuf(hashes->u.raw, hashBuf, bufLen);
1120 » hashes->len = SHA1_LENGTH;
1121 » } else if (hashAlg == SEC_OID_SHA256) {
1122 » SHA256_HashBuf(hashes->u.raw, hashBuf, bufLen);
1123 » hashes->len = SHA256_LENGTH;
1124 » } else {
1125 » PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_FUNCTION);
1126 » return SECFailure;
1127 » }
975 } else 1128 } else
976 #endif 1129 #endif
977 { 1130 {
978 » rv = PK11_HashBuf(SEC_OID_MD5, hashes->md5, hashBuf, bufLen); 1131 » if (hashAlg == SEC_OID_UNKNOWN) {
979 » if (rv != SECSuccess) { 1132 » rv = PK11_HashBuf(SEC_OID_MD5, hashes->u.s.md5, hashBuf, bufLen);
980 » ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); 1133 » if (rv != SECSuccess) {
981 » rv = SECFailure; 1134 » » ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
982 » goto done; 1135 » » rv = SECFailure;
983 » } 1136 » » goto done;
1137 » }
984 1138
985 » rv = PK11_HashBuf(SEC_OID_SHA1, hashes->sha, hashBuf, bufLen); 1139 » rv = PK11_HashBuf(SEC_OID_SHA1, hashes->u.s.sha, hashBuf, bufLen);
986 » if (rv != SECSuccess) { 1140 » if (rv != SECSuccess) {
987 » ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); 1141 » » ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
988 » rv = SECFailure; 1142 » » rv = SECFailure;
1143 » }
1144 » hashes->len = MD5_LENGTH + SHA1_LENGTH;
1145 » } else {
1146 » hashes->len = HASH_ResultLenByOidTag(hashAlg);
1147 » if (hashes->len > sizeof(hashes->u.raw)) {
1148 » » ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE);
1149 » » rv = SECFailure;
1150 » } else {
1151 » » rv = PK11_HashBuf(hashAlg, hashes->u.raw, hashBuf, bufLen);
1152 » » if (rv != SECSuccess) {
1153 » » ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE);
1154 » » rv = SECFailure;
1155 » » }
1156 » }
989 } 1157 }
990 } 1158 }
1159 hashes->hashAlg = hashAlg;
1160
991 done: 1161 done:
992 return rv; 1162 return rv;
993 } 1163 }
994 1164
995 /* Caller must set hiLevel error code. 1165 /* Caller must set hiLevel error code.
996 ** Called from ssl3_SendServerKeyExchange and 1166 ** Called from ssl3_SendServerKeyExchange and
997 ** ssl3_HandleServerKeyExchange. 1167 ** ssl3_HandleServerKeyExchange.
998 */ 1168 */
999 static SECStatus 1169 static SECStatus
1000 ssl3_ComputeExportRSAKeyHash(SECItem modulus, SECItem publicExponent, 1170 ssl3_ComputeExportRSAKeyHash(SECOidTag hashAlg,
1171 » » » SECItem modulus, SECItem publicExponent,
1001 SSL3Random *client_rand, SSL3Random *server_rand, 1172 SSL3Random *client_rand, SSL3Random *server_rand,
1002 SSL3Hashes *hashes, PRBool bypassPKCS11) 1173 SSL3Hashes *hashes, PRBool bypassPKCS11)
1003 { 1174 {
1004 PRUint8 * hashBuf; 1175 PRUint8 * hashBuf;
1005 PRUint8 * pBuf; 1176 PRUint8 * pBuf;
1006 SECStatus rv = SECSuccess; 1177 SECStatus rv = SECSuccess;
1007 unsigned int bufLen; 1178 unsigned int bufLen;
1008 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8]; 1179 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8];
1009 1180
1010 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + modulus.len + 2 + publicExponent.len; 1181 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + modulus.len + 2 + publicExponent.len;
(...skipping 15 matching lines...) Expand all
1026 pBuf += 2; 1197 pBuf += 2;
1027 memcpy(pBuf, modulus.data, modulus.len); 1198 memcpy(pBuf, modulus.data, modulus.len);
1028 pBuf += modulus.len; 1199 pBuf += modulus.len;
1029 pBuf[0] = (PRUint8)(publicExponent.len >> 8); 1200 pBuf[0] = (PRUint8)(publicExponent.len >> 8);
1030 pBuf[1] = (PRUint8)(publicExponent.len); 1201 pBuf[1] = (PRUint8)(publicExponent.len);
1031 pBuf += 2; 1202 pBuf += 2;
1032 memcpy(pBuf, publicExponent.data, publicExponent.len); 1203 memcpy(pBuf, publicExponent.data, publicExponent.len);
1033 pBuf += publicExponent.len; 1204 pBuf += publicExponent.len;
1034 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen); 1205 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen);
1035 1206
1036 rv = ssl3_ComputeCommonKeyHash(hashBuf, bufLen, hashes, bypassPKCS11); 1207 rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes, bypassPKCS1 1);
1037 1208
1038 PRINT_BUF(95, (NULL, "RSAkey hash: ", hashBuf, bufLen)); 1209 PRINT_BUF(95, (NULL, "RSAkey hash: ", hashBuf, bufLen));
1039 PRINT_BUF(95, (NULL, "RSAkey hash: MD5 result", hashes->md5, MD5_LENGTH)); 1210 if (hashAlg == SEC_OID_UNKNOWN) {
1040 PRINT_BUF(95, (NULL, "RSAkey hash: SHA1 result", hashes->sha, SHA1_LENGTH)); 1211 » PRINT_BUF(95, (NULL, "RSAkey hash: MD5 result", hashes->u.s.md5, MD5_LEN GTH));
1212 » PRINT_BUF(95, (NULL, "RSAkey hash: SHA1 result", hashes->u.s.sha, SHA1_L ENGTH));
1213 } else {
1214 » PRINT_BUF(95, (NULL, "RSAkey hash: ", hashes->u.raw, hashes->len));
1215 }
1041 1216
1042 if (hashBuf != buf && hashBuf != NULL) 1217 if (hashBuf != buf && hashBuf != NULL)
1043 PORT_Free(hashBuf); 1218 PORT_Free(hashBuf);
1044 return rv; 1219 return rv;
1045 } 1220 }
1046 1221
1047 /* Caller must set hiLevel error code. */ 1222 /* Caller must set hiLevel error code. */
1048 /* Called from ssl3_HandleServerKeyExchange. */ 1223 /* Called from ssl3_HandleServerKeyExchange. */
1049 static SECStatus 1224 static SECStatus
1050 ssl3_ComputeDHKeyHash(SECItem dh_p, SECItem dh_g, SECItem dh_Ys, 1225 ssl3_ComputeDHKeyHash(SECOidTag hashAlg,
1051 » » » SSL3Random *client_rand, SSL3Random *server_rand, 1226 » » SECItem dh_p, SECItem dh_g, SECItem dh_Ys,
1052 » » » SSL3Hashes *hashes, PRBool bypassPKCS11) 1227 » » SSL3Random *client_rand, SSL3Random *server_rand,
1228 » » SSL3Hashes *hashes, PRBool bypassPKCS11)
1053 { 1229 {
1054 PRUint8 * hashBuf; 1230 PRUint8 * hashBuf;
1055 PRUint8 * pBuf; 1231 PRUint8 * pBuf;
1056 SECStatus rv = SECSuccess; 1232 SECStatus rv = SECSuccess;
1057 unsigned int bufLen; 1233 unsigned int bufLen;
1058 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8]; 1234 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8];
1059 1235
1060 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + dh_p.len + 2 + dh_g.len + 2 + dh_Ys.len; 1236 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + dh_p.len + 2 + dh_g.len + 2 + dh_Ys.len;
1061 if (bufLen <= sizeof buf) { 1237 if (bufLen <= sizeof buf) {
1062 hashBuf = buf; 1238 hashBuf = buf;
(...skipping 18 matching lines...) Expand all
1081 pBuf += 2; 1257 pBuf += 2;
1082 memcpy(pBuf, dh_g.data, dh_g.len); 1258 memcpy(pBuf, dh_g.data, dh_g.len);
1083 pBuf += dh_g.len; 1259 pBuf += dh_g.len;
1084 pBuf[0] = (PRUint8)(dh_Ys.len >> 8); 1260 pBuf[0] = (PRUint8)(dh_Ys.len >> 8);
1085 pBuf[1] = (PRUint8)(dh_Ys.len); 1261 pBuf[1] = (PRUint8)(dh_Ys.len);
1086 pBuf += 2; 1262 pBuf += 2;
1087 memcpy(pBuf, dh_Ys.data, dh_Ys.len); 1263 memcpy(pBuf, dh_Ys.data, dh_Ys.len);
1088 pBuf += dh_Ys.len; 1264 pBuf += dh_Ys.len;
1089 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen); 1265 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen);
1090 1266
1091 rv = ssl3_ComputeCommonKeyHash(hashBuf, bufLen, hashes, bypassPKCS11); 1267 rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes, bypassPKCS1 1);
1092 1268
1093 PRINT_BUF(95, (NULL, "DHkey hash: ", hashBuf, bufLen)); 1269 PRINT_BUF(95, (NULL, "DHkey hash: ", hashBuf, bufLen));
1094 PRINT_BUF(95, (NULL, "DHkey hash: MD5 result", hashes->md5, MD5_LENGTH)); 1270 if (hashAlg == SEC_OID_UNKNOWN) {
1095 PRINT_BUF(95, (NULL, "DHkey hash: SHA1 result", hashes->sha, SHA1_LENGTH)); 1271 » PRINT_BUF(95, (NULL, "DHkey hash: MD5 result", hashes->u.s.md5, MD5_LENG TH));
1272 » PRINT_BUF(95, (NULL, "DHkey hash: SHA1 result", hashes->u.s.sha, SHA1_LE NGTH));
1273 } else {
1274 » PRINT_BUF(95, (NULL, "DHkey hash: ", hashes->u.raw, hashes->len));
1275 }
1096 1276
1097 if (hashBuf != buf && hashBuf != NULL) 1277 if (hashBuf != buf && hashBuf != NULL)
1098 PORT_Free(hashBuf); 1278 PORT_Free(hashBuf);
1099 return rv; 1279 return rv;
1100 } 1280 }
1101 1281
1102 static void 1282 static void
1103 ssl3_BumpSequenceNumber(SSL3SequenceNumber *num) 1283 ssl3_BumpSequenceNumber(SSL3SequenceNumber *num)
1104 { 1284 {
1105 num->low++; 1285 num->low++;
(...skipping 2077 matching lines...) Expand 10 before | Expand all | Expand 10 after
3183 */ 3363 */
3184 static SECStatus 3364 static SECStatus
3185 ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms) 3365 ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms)
3186 { 3366 {
3187 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec; 3367 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec;
3188 const ssl3KEADef *kea_def= ss->ssl3.hs.kea_def; 3368 const ssl3KEADef *kea_def= ss->ssl3.hs.kea_def;
3189 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random; 3369 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random;
3190 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random; 3370 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random;
3191 PRBool isTLS = (PRBool)(kea_def->tls_keygen || 3371 PRBool isTLS = (PRBool)(kea_def->tls_keygen ||
3192 (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); 3372 (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
3373 PRBool isTLS12=
3374 (PRBool)(isTLS && pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
3193 /* 3375 /*
3194 * Whenever isDH is true, we need to use CKM_TLS_MASTER_KEY_DERIVE_DH 3376 * Whenever isDH is true, we need to use CKM_TLS_MASTER_KEY_DERIVE_DH
3195 * which, unlike CKM_TLS_MASTER_KEY_DERIVE, converts arbitrary size 3377 * which, unlike CKM_TLS_MASTER_KEY_DERIVE, converts arbitrary size
3196 * data into a 48-byte value. 3378 * data into a 48-byte value.
3197 */ 3379 */
3198 PRBool isDH = (PRBool) ((ss->ssl3.hs.kea_def->exchKeyType == kt_dh) || 3380 PRBool isDH = (PRBool) ((ss->ssl3.hs.kea_def->exchKeyType == kt_dh) ||
3199 (ss->ssl3.hs.kea_def->exchKeyType == kt_ecdh)); 3381 (ss->ssl3.hs.kea_def->exchKeyType == kt_ecdh));
3200 SECStatus rv = SECFailure; 3382 SECStatus rv = SECFailure;
3201 CK_MECHANISM_TYPE master_derive; 3383 CK_MECHANISM_TYPE master_derive;
3202 CK_MECHANISM_TYPE key_derive; 3384 CK_MECHANISM_TYPE key_derive;
3203 SECItem params; 3385 SECItem params;
3204 CK_FLAGS keyFlags; 3386 CK_FLAGS keyFlags;
3205 CK_VERSION pms_version; 3387 CK_VERSION pms_version;
3206 CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params; 3388 CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params;
3207 3389
3208 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 3390 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
3209 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); 3391 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
3210 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); 3392 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
3211 if (isTLS) { 3393 if (isTLS12) {
3394 » if(isDH) master_derive = CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256;
3395 » else master_derive = CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256;
3396 » key_derive = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256;
3397 » keyFlags = CKF_SIGN | CKF_VERIFY;
3398 } else if (isTLS) {
3212 if(isDH) master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH; 3399 if(isDH) master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH;
3213 else master_derive = CKM_TLS_MASTER_KEY_DERIVE; 3400 else master_derive = CKM_TLS_MASTER_KEY_DERIVE;
3214 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; 3401 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE;
3215 keyFlags = CKF_SIGN | CKF_VERIFY; 3402 keyFlags = CKF_SIGN | CKF_VERIFY;
3216 } else { 3403 } else {
3217 if (isDH) master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH; 3404 if (isDH) master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH;
3218 else master_derive = CKM_SSL3_MASTER_KEY_DERIVE; 3405 else master_derive = CKM_SSL3_MASTER_KEY_DERIVE;
3219 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE; 3406 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE;
3220 keyFlags = 0; 3407 keyFlags = 0;
3221 } 3408 }
(...skipping 137 matching lines...) Expand 10 before | Expand all | Expand 10 after
3359 */ 3546 */
3360 static SECStatus 3547 static SECStatus
3361 ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss) 3548 ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss)
3362 { 3549 {
3363 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec; 3550 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec;
3364 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; 3551 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def;
3365 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random; 3552 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random;
3366 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random; 3553 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random;
3367 PRBool isTLS = (PRBool)(kea_def->tls_keygen || 3554 PRBool isTLS = (PRBool)(kea_def->tls_keygen ||
3368 (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); 3555 (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
3556 PRBool isTLS12=
3557 (PRBool)(isTLS && pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
3369 /* following variables used in PKCS11 path */ 3558 /* following variables used in PKCS11 path */
3370 const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def; 3559 const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def;
3371 PK11SlotInfo * slot = NULL; 3560 PK11SlotInfo * slot = NULL;
3372 PK11SymKey * symKey = NULL; 3561 PK11SymKey * symKey = NULL;
3373 void * pwArg = ss->pkcs11PinArg; 3562 void * pwArg = ss->pkcs11PinArg;
3374 int keySize; 3563 int keySize;
3375 CK_SSL3_KEY_MAT_PARAMS key_material_params; 3564 CK_SSL3_KEY_MAT_PARAMS key_material_params;
3376 CK_SSL3_KEY_MAT_OUT returnedKeys; 3565 CK_SSL3_KEY_MAT_OUT returnedKeys;
3377 CK_MECHANISM_TYPE key_derive; 3566 CK_MECHANISM_TYPE key_derive;
3378 CK_MECHANISM_TYPE bulk_mechanism; 3567 CK_MECHANISM_TYPE bulk_mechanism;
(...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after
3416 returnedKeys.pIVServer = NULL; 3605 returnedKeys.pIVServer = NULL;
3417 } 3606 }
3418 3607
3419 calg = cipher_def->calg; 3608 calg = cipher_def->calg;
3420 PORT_Assert( alg2Mech[calg].calg == calg); 3609 PORT_Assert( alg2Mech[calg].calg == calg);
3421 bulk_mechanism = alg2Mech[calg].cmech; 3610 bulk_mechanism = alg2Mech[calg].cmech;
3422 3611
3423 params.data = (unsigned char *)&key_material_params; 3612 params.data = (unsigned char *)&key_material_params;
3424 params.len = sizeof(key_material_params); 3613 params.len = sizeof(key_material_params);
3425 3614
3426 if (isTLS) { 3615 if (isTLS12) {
3616 » key_derive = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256;
3617 } else if (isTLS) {
3427 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; 3618 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE;
3428 } else { 3619 } else {
3429 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE; 3620 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE;
3430 } 3621 }
3431 3622
3432 /* CKM_SSL3_KEY_AND_MAC_DERIVE is defined to set ENCRYPT, DECRYPT, and 3623 /* CKM_SSL3_KEY_AND_MAC_DERIVE is defined to set ENCRYPT, DECRYPT, and
3433 * DERIVE by DEFAULT */ 3624 * DERIVE by DEFAULT */
3434 symKey = PK11_Derive(pwSpec->master_secret, key_derive, &params, 3625 symKey = PK11_Derive(pwSpec->master_secret, key_derive, &params,
3435 bulk_mechanism, CKA_ENCRYPT, keySize); 3626 bulk_mechanism, CKA_ENCRYPT, keySize);
3436 if (!symKey) { 3627 if (!symKey) {
(...skipping 36 matching lines...) Expand 10 before | Expand all | Expand 10 after
3473 PK11_FreeSymKey(symKey); 3664 PK11_FreeSymKey(symKey);
3474 return SECSuccess; 3665 return SECSuccess;
3475 3666
3476 3667
3477 loser: 3668 loser:
3478 if (symKey) PK11_FreeSymKey(symKey); 3669 if (symKey) PK11_FreeSymKey(symKey);
3479 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); 3670 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
3480 return SECFailure; 3671 return SECFailure;
3481 } 3672 }
3482 3673
3674 /* ssl3_InitTLS12HandshakeHash creates a handshake hash function for TLS 1.2,
3675 * if needed, and hashes in any buffered messages in ss->ssl3.hs.messages. */
3676 static SECStatus
3677 ssl3_InitTLS12HandshakeHash(sslSocket *ss)
3678 {
3679 if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2 &&
3680 ss->ssl3.hs.tls12_handshake_hash == NULL) {
3681 /* If we ever support ciphersuites where the PRF hash isn't SHA-256
3682 * then this will need to be updated. */
3683 ss->ssl3.hs.tls12_handshake_hash =
3684 PK11_CreateDigestContext(SEC_OID_SHA256);
3685 if (!ss->ssl3.hs.tls12_handshake_hash ||
3686 SECSuccess != PK11_DigestBegin(ss->ssl3.hs.tls12_handshake_hash)) {
3687 ssl_MapLowLevelError(SSL_ERROR_UNSUPPORTED_HASH_FUNCTION);
3688 return SECFailure;
3689 }
3690 }
3691
3692 if (ss->ssl3.hs.tls12_handshake_hash && ss->ssl3.hs.messages.len > 0) {
3693 if (SECSuccess != PK11_DigestOp(
3694 ss->ssl3.hs.tls12_handshake_hash,
3695 ss->ssl3.hs.messages.buf,
3696 ss->ssl3.hs.messages.len)) {
3697 ssl_MapLowLevelError(SSL_ERROR_UNSUPPORTED_HASH_FUNCTION);
3698 return SECFailure;
3699 }
3700 }
3701
3702 if (ss->ssl3.hs.messages.buf && !ss->opt.bypassPKCS11) {
3703 PORT_Free(ss->ssl3.hs.messages.buf);
3704 ss->ssl3.hs.messages.buf = NULL;
3705 ss->ssl3.hs.messages.len = 0;
3706 ss->ssl3.hs.messages.space = 0;
3707 }
3708
3709 return SECSuccess;
3710 }
3711
3483 static SECStatus 3712 static SECStatus
3484 ssl3_RestartHandshakeHashes(sslSocket *ss) 3713 ssl3_RestartHandshakeHashes(sslSocket *ss)
3485 { 3714 {
3486 SECStatus rv = SECSuccess; 3715 SECStatus rv = SECSuccess;
3487 3716
3717 ss->ssl3.hs.messages.len = 0;
3488 #ifndef NO_PKCS11_BYPASS 3718 #ifndef NO_PKCS11_BYPASS
3489 if (ss->opt.bypassPKCS11) { 3719 if (ss->opt.bypassPKCS11) {
3490 ss->ssl3.hs.messages.len = 0;
3491 MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx); 3720 MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx);
3492 SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx); 3721 SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx);
3493 } else 3722 } else
3494 #endif 3723 #endif
3495 { 3724 {
3725 if (ss->ssl3.hs.tls12_handshake_hash) {
3726 rv = PK11_DigestBegin(ss->ssl3.hs.tls12_handshake_hash);
3727 if (rv != SECSuccess) {
3728 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
3729 return rv;
3730 }
3731 }
3496 rv = PK11_DigestBegin(ss->ssl3.hs.md5); 3732 rv = PK11_DigestBegin(ss->ssl3.hs.md5);
3497 if (rv != SECSuccess) { 3733 if (rv != SECSuccess) {
3498 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); 3734 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
3499 return rv; 3735 return rv;
3500 } 3736 }
3501 rv = PK11_DigestBegin(ss->ssl3.hs.sha); 3737 rv = PK11_DigestBegin(ss->ssl3.hs.sha);
3502 if (rv != SECSuccess) { 3738 if (rv != SECSuccess) {
3503 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); 3739 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
3504 return rv; 3740 return rv;
3505 } 3741 }
3506 } 3742 }
3507 return rv; 3743 return rv;
3508 } 3744 }
3509 3745
3510 static SECStatus 3746 static SECStatus
3511 ssl3_NewHandshakeHashes(sslSocket *ss) 3747 ssl3_NewHandshakeHashes(sslSocket *ss)
3512 { 3748 {
3513 PK11Context *md5 = NULL; 3749 PK11Context *md5 = NULL;
3514 PK11Context *sha = NULL; 3750 PK11Context *sha = NULL;
3515 3751
3516 /* 3752 /*
3517 * note: We should probably lookup an SSL3 slot for these 3753 * note: We should probably lookup an SSL3 slot for these
3518 * handshake hashes in hopes that we wind up with the same slots 3754 * handshake hashes in hopes that we wind up with the same slots
3519 * that the master secret will wind up in ... 3755 * that the master secret will wind up in ...
3520 */ 3756 */
3521 SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd)); 3757 SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd));
3522 #ifndef NO_PKCS11_BYPASS 3758 PORT_Assert(!ss->ssl3.hs.messages.buf && !ss->ssl3.hs.messages.space);
3523 if (ss->opt.bypassPKCS11) { 3759 ss->ssl3.hs.messages.buf = NULL;
3524 » PORT_Assert(!ss->ssl3.hs.messages.buf && !ss->ssl3.hs.messages.space); 3760 ss->ssl3.hs.messages.space = 0;
3525 » ss->ssl3.hs.messages.buf = NULL; 3761
3526 » ss->ssl3.hs.messages.space = 0; 3762 ss->ssl3.hs.md5 = md5 = PK11_CreateDigestContext(SEC_OID_MD5);
3527 } else 3763 ss->ssl3.hs.sha = sha = PK11_CreateDigestContext(SEC_OID_SHA1);
3528 #endif 3764 ss->ssl3.hs.tls12_handshake_hash = NULL;
3529 { 3765 if (md5 == NULL) {
3530 » ss->ssl3.hs.md5 = md5 = PK11_CreateDigestContext(SEC_OID_MD5); 3766 » ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
3531 » ss->ssl3.hs.sha = sha = PK11_CreateDigestContext(SEC_OID_SHA1); 3767 » goto loser;
3532 » if (md5 == NULL) { 3768 }
3533 » ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); 3769 if (sha == NULL) {
3534 » goto loser; 3770 » ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
3535 » } 3771 » goto loser;
3536 » if (sha == NULL) {
3537 » ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
3538 » goto loser;
3539 » }
3540 } 3772 }
3541 if (SECSuccess == ssl3_RestartHandshakeHashes(ss)) { 3773 if (SECSuccess == ssl3_RestartHandshakeHashes(ss)) {
3542 return SECSuccess; 3774 return SECSuccess;
3543 } 3775 }
3544 3776
3545 loser: 3777 loser:
3546 if (md5 != NULL) { 3778 if (md5 != NULL) {
3547 PK11_DestroyContext(md5, PR_TRUE); 3779 PK11_DestroyContext(md5, PR_TRUE);
3548 ss->ssl3.hs.md5 = NULL; 3780 ss->ssl3.hs.md5 = NULL;
3549 } 3781 }
(...skipping 17 matching lines...) Expand all
3567 static SECStatus 3799 static SECStatus
3568 ssl3_UpdateHandshakeHashes(sslSocket *ss, const unsigned char *b, 3800 ssl3_UpdateHandshakeHashes(sslSocket *ss, const unsigned char *b,
3569 unsigned int l) 3801 unsigned int l)
3570 { 3802 {
3571 SECStatus rv = SECSuccess; 3803 SECStatus rv = SECSuccess;
3572 3804
3573 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 3805 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
3574 3806
3575 PRINT_BUF(90, (NULL, "MD5 & SHA handshake hash input:", b, l)); 3807 PRINT_BUF(90, (NULL, "MD5 & SHA handshake hash input:", b, l));
3576 3808
3809 if ((ss->version == 0 || ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) &&
3810 !ss->opt.bypassPKCS11 &&
3811 ss->ssl3.hs.tls12_handshake_hash == NULL) {
3812 /* For TLS 1.2 connections we need to buffer the handshake messages
3813 * until we have established which PRF hash function to use. */
3814 rv = sslBuffer_Append(&ss->ssl3.hs.messages, b, l);
3815 if (rv != SECSuccess) {
3816 return rv;
3817 }
3818 }
3819
3577 #ifndef NO_PKCS11_BYPASS 3820 #ifndef NO_PKCS11_BYPASS
3578 if (ss->opt.bypassPKCS11) { 3821 if (ss->opt.bypassPKCS11) {
3579 MD5_Update((MD5Context *)ss->ssl3.hs.md5_cx, b, l); 3822 MD5_Update((MD5Context *)ss->ssl3.hs.md5_cx, b, l);
3580 SHA1_Update((SHA1Context *)ss->ssl3.hs.sha_cx, b, l); 3823 SHA1_Update((SHA1Context *)ss->ssl3.hs.sha_cx, b, l);
3581 #if defined(NSS_SURVIVE_DOUBLE_BYPASS_FAILURE) 3824 #if defined(NSS_SURVIVE_DOUBLE_BYPASS_FAILURE)
3582 rv = sslBuffer_Append(&ss->ssl3.hs.messages, b, l); 3825 rv = sslBuffer_Append(&ss->ssl3.hs.messages, b, l);
3583 #endif 3826 #endif
3584 return rv; 3827 return rv;
3585 } 3828 }
3586 #endif 3829 #endif
3587 rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l); 3830 if (ss->ssl3.hs.tls12_handshake_hash) {
3588 if (rv != SECSuccess) { 3831 » rv = PK11_DigestOp(ss->ssl3.hs.tls12_handshake_hash, b, l);
3589 » ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); 3832 } else {
3590 » return rv; 3833 » rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l);
3591 } 3834 » if (rv != SECSuccess) {
3592 rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l); 3835 » ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
3593 if (rv != SECSuccess) { 3836 » return rv;
3594 » ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); 3837 » }
3595 » return rv; 3838 » rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l);
3839 » if (rv != SECSuccess) {
3840 » ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
3841 » return rv;
3842 » }
3596 } 3843 }
3597 return rv; 3844 return rv;
3598 } 3845 }
3599 3846
3600 /************************************************************************** 3847 /**************************************************************************
3601 * Append Handshake functions. 3848 * Append Handshake functions.
3602 * All these functions set appropriate error codes. 3849 * All these functions set appropriate error codes.
3603 * Most rely on ssl3_AppendHandshake to set the error code. 3850 * Most rely on ssl3_AppendHandshake to set the error code.
3604 **************************************************************************/ 3851 **************************************************************************/
3605 SECStatus 3852 SECStatus
(...skipping 131 matching lines...) Expand 10 before | Expand all | Expand 10 after
3737 /* Fragment length -- set to the packet length because not fragmented */ 3984 /* Fragment length -- set to the packet length because not fragmented */
3738 rv = ssl3_AppendHandshakeNumber(ss, length, 3); 3985 rv = ssl3_AppendHandshakeNumber(ss, length, 3);
3739 if (rv != SECSuccess) { 3986 if (rv != SECSuccess) {
3740 return rv; /* error code set by AppendHandshake, if applicable. */ 3987 return rv; /* error code set by AppendHandshake, if applicable. */
3741 } 3988 }
3742 } 3989 }
3743 3990
3744 return rv; /* error code set by AppendHandshake, if applicable. */ 3991 return rv; /* error code set by AppendHandshake, if applicable. */
3745 } 3992 }
3746 3993
3994 /* ssl3_AppendSignatureAndHashAlgorithm appends the serialisation of
3995 * |sigAndHash| to the current handshake message. */
3996 SECStatus
3997 ssl3_AppendSignatureAndHashAlgorithm(
3998 sslSocket *ss, const SSL3SignatureAndHashAlgorithm* sigAndHash)
3999 {
4000 unsigned char serialized[2];
4001
4002 serialized[0] = ssl3_OIDToTLSHashFunction(sigAndHash->hashAlg);
4003 if (serialized[0] == 0) {
4004 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_FUNCTION);
4005 return SECFailure;
4006 }
4007
4008 serialized[1] = sigAndHash->sigAlg;
4009
4010 return ssl3_AppendHandshake(ss, serialized, sizeof(serialized));
4011 }
4012
3747 /************************************************************************** 4013 /**************************************************************************
3748 * Consume Handshake functions. 4014 * Consume Handshake functions.
3749 * 4015 *
3750 * All data used in these functions is protected by two locks, 4016 * All data used in these functions is protected by two locks,
3751 * the RecvBufLock and the SSL3HandshakeLock 4017 * the RecvBufLock and the SSL3HandshakeLock
3752 **************************************************************************/ 4018 **************************************************************************/
3753 4019
3754 /* Read up the next "bytes" number of bytes from the (decrypted) input 4020 /* Read up the next "bytes" number of bytes from the (decrypted) input
3755 * stream "b" (which is *length bytes long). Copy them into buffer "v". 4021 * stream "b" (which is *length bytes long). Copy them into buffer "v".
3756 * Reduces *length by bytes. Advances *b by bytes. 4022 * Reduces *length by bytes. Advances *b by bytes.
(...skipping 86 matching lines...) Expand 10 before | Expand all | Expand 10 after
3843 return ssl3_DecodeError(ss); 4109 return ssl3_DecodeError(ss);
3844 } 4110 }
3845 i->data = *b; 4111 i->data = *b;
3846 i->len = count; 4112 i->len = count;
3847 *b += count; 4113 *b += count;
3848 *length -= count; 4114 *length -= count;
3849 } 4115 }
3850 return SECSuccess; 4116 return SECSuccess;
3851 } 4117 }
3852 4118
4119 /* tls12HashOIDMap contains the mapping between TLS hash identifiers and the
4120 * SECOidTag used internally by NSS. */
4121 static const struct {
4122 int tlsHash;
4123 SECOidTag oid;
4124 } tls12HashOIDMap[] = {
4125 { tls_hash_md5, SEC_OID_MD5 },
4126 { tls_hash_sha1, SEC_OID_SHA1 },
4127 { tls_hash_sha224, SEC_OID_SHA224 },
4128 { tls_hash_sha256, SEC_OID_SHA256 },
4129 { tls_hash_sha384, SEC_OID_SHA384 },
4130 { tls_hash_sha512, SEC_OID_SHA512 }
4131 };
4132
4133 /* ssl3_TLSHashFunctionToOID converts a TLS hash identifier into an OID value.
4134 * If the hash is not recognised, SEC_OID_UNKNOWN is returned.
4135 *
4136 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
4137 SECOidTag ssl3_TLSHashFunctionToOID(int hashFunc)
4138 {
4139 size_t i;
4140
4141 for (i = 0; i < sizeof(tls12HashOIDMap) / sizeof(tls12HashOIDMap[0]); i++) {
4142 if (hashFunc == tls12HashOIDMap[i].tlsHash) {
4143 return tls12HashOIDMap[i].oid;
4144 }
4145 }
4146 return SEC_OID_UNKNOWN;
4147 }
4148
4149 /* ssl3_OIDToTLSHashFunction converts an OID to a TLS hash function identifier.
4150 * If the hash is not recognised, zero is returned.
4151 *
4152 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
4153 int ssl3_OIDToTLSHashFunction(SECOidTag oid)
4154 {
4155 size_t i;
4156
4157 for (i = 0; i < sizeof(tls12HashOIDMap) / sizeof(tls12HashOIDMap[0]); i++) {
4158 if (oid == tls12HashOIDMap[i].oid) {
4159 return tls12HashOIDMap[i].tlsHash;
4160 }
4161 }
4162 return 0;
4163 }
4164
4165 /* ssl3_TLSSignatureAlgorithmForKeyType returns the TLS signature algorithm
4166 * identifier for a given KeyType. */
4167 static SECStatus ssl3_TLSSignatureAlgorithmForKeyType(
4168 KeyType keyType, TLS12SignatureAlgorithm *out)
4169 {
4170 switch (keyType) {
4171 case rsaKey:
4172 *out = tls_sig_rsa;
4173 return SECSuccess;
4174 case dsaKey:
4175 *out = tls_sig_dsa;
4176 return SECSuccess;
4177 case ecKey:
4178 *out = tls_sig_ecdsa;
4179 return SECSuccess;
4180 }
4181 PORT_SetError(SEC_ERROR_INVALID_KEY);
4182 return SECFailure;
4183 }
4184
4185 /* ssl3_TLSSignatureAlgorithmForKey returns the TLS 1.2 signature algorithm
4186 * identifier for the given private key. */
4187 static SECStatus ssl3_TLSSignatureAlgorithmForPrivateKey(
4188 SECKEYPrivateKey *key, TLS12SignatureAlgorithm *out)
4189 {
4190 return ssl3_TLSSignatureAlgorithmForKeyType(key->keyType, out);
4191 }
4192
4193 /* ssl3_TLSSignatureAlgorithmForCert returns the TLS 1.2 signature algorithm
4194 * identifier for the given certificate. */
4195 static SECStatus ssl3_TLSSignatureAlgorithmForCertificate(
4196 CERTCertificate *cert, TLS12SignatureAlgorithm *out)
4197 {
4198 SECKEYPublicKey *key;
4199
4200 key = CERT_ExtractPublicKey(cert);
4201 if (key == NULL) {
4202 ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
4203 return SECFailure;
4204 }
4205
4206 return ssl3_TLSSignatureAlgorithmForKeyType(key->keyType, out);
4207 }
4208
4209 /* ssl3_CheckSignatureAndHashAlgorithmConsistency checks that the signature
4210 * algorithm identifier in |sigAndHash| is consistent with the public key in
4211 * |cert|. If so, SECSuccess is returned. Otherwise, PORT_SetError is called
4212 * and SECFailure is returned. */
4213 SECStatus ssl3_CheckSignatureAndHashAlgorithmConsistency(
4214 const SSL3SignatureAndHashAlgorithm *sigAndHash, CERTCertificate* cert)
4215 {
4216 SECStatus rv;
4217 TLS12SignatureAlgorithm sigAlg;
4218
4219 rv = ssl3_TLSSignatureAlgorithmForCertificate(cert, &sigAlg);
4220 if (rv != SECSuccess) {
4221 return SECFailure;
4222 }
4223 if (sigAlg != sigAndHash->sigAlg) {
4224 PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
4225 return SECFailure;
4226 }
4227 return SECSuccess;
4228 }
4229
4230 /* ssl3_ConsumeSignatureAndHashAlgorithm reads a SignatureAndHashAlgorithm
4231 * structure from |b| and puts the resulting value into |out|. |b| and |length|
4232 * are updated accordingly.
4233 *
4234 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
4235 SECStatus
4236 ssl3_ConsumeSignatureAndHashAlgorithm(sslSocket *ss,
4237 SSL3Opaque **b,
4238 PRUint32 *length,
4239 SSL3SignatureAndHashAlgorithm *out) {
4240 unsigned char bytes[2];
4241 SECStatus rv;
4242
4243 rv = ssl3_ConsumeHandshake(ss, bytes, sizeof(bytes), b, length);
4244 if (rv != SECSuccess) {
4245 return rv;
4246 }
4247
4248 out->hashAlg = ssl3_TLSHashFunctionToOID(bytes[0]);
4249 if (out->hashAlg == SEC_OID_UNKNOWN) {
4250 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_FUNCTION);
4251 return SECFailure;
4252 }
4253
4254 out->sigAlg = bytes[1];
4255 return SECSuccess;
4256 }
4257
3853 /************************************************************************** 4258 /**************************************************************************
3854 * end of Consume Handshake functions. 4259 * end of Consume Handshake functions.
3855 **************************************************************************/ 4260 **************************************************************************/
3856 4261
3857 /* Extract the hashes of handshake messages to this point. 4262 /* Extract the hashes of handshake messages to this point.
3858 * Called from ssl3_SendCertificateVerify 4263 * Called from ssl3_SendCertificateVerify
3859 * ssl3_SendFinished 4264 * ssl3_SendFinished
3860 * ssl3_HandleHandshakeMessage 4265 * ssl3_HandleHandshakeMessage
3861 * 4266 *
3862 * Caller must hold the SSL3HandshakeLock. 4267 * Caller must hold the SSL3HandshakeLock.
3863 * Caller must hold a read or write lock on the Spec R/W lock. 4268 * Caller must hold a read or write lock on the Spec R/W lock.
3864 * (There is presently no way to assert on a Read lock.) 4269 * (There is presently no way to assert on a Read lock.)
3865 */ 4270 */
3866 static SECStatus 4271 static SECStatus
3867 ssl3_ComputeHandshakeHashes(sslSocket * ss, 4272 ssl3_ComputeHandshakeHashes(sslSocket * ss,
3868 ssl3CipherSpec *spec, /* uses ->master_secret */ 4273 ssl3CipherSpec *spec, /* uses ->master_secret */
3869 SSL3Hashes * hashes, /* output goes here. */ 4274 SSL3Hashes * hashes, /* output goes here. */
3870 PRUint32 sender) 4275 PRUint32 sender)
3871 { 4276 {
3872 SECStatus rv = SECSuccess; 4277 SECStatus rv = SECSuccess;
3873 PRBool isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0); 4278 PRBool isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0);
3874 unsigned int outLength; 4279 unsigned int outLength;
3875 SSL3Opaque md5_inner[MAX_MAC_LENGTH]; 4280 SSL3Opaque md5_inner[MAX_MAC_LENGTH];
3876 SSL3Opaque sha_inner[MAX_MAC_LENGTH]; 4281 SSL3Opaque sha_inner[MAX_MAC_LENGTH];
3877 4282
3878 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 4283 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
4284 hashes->hashAlg = SEC_OID_UNKNOWN;
3879 4285
3880 #ifndef NO_PKCS11_BYPASS 4286 #ifndef NO_PKCS11_BYPASS
3881 if (ss->opt.bypassPKCS11) { 4287 if (ss->opt.bypassPKCS11) {
3882 /* compute them without PKCS11 */ 4288 /* compute them without PKCS11 */
3883 PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS]; 4289 PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS];
3884 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS]; 4290 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS];
3885 4291
3886 #define md5cx ((MD5Context *)md5_cx) 4292 #define md5cx ((MD5Context *)md5_cx)
3887 #define shacx ((SHA1Context *)sha_cx) 4293 #define shacx ((SHA1Context *)sha_cx)
3888 4294
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after
3932 PRINT_BUF(95, (NULL, "SHA inner: result", sha_inner, outLength)); 4338 PRINT_BUF(95, (NULL, "SHA inner: result", sha_inner, outLength));
3933 PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2, 4339 PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2,
3934 mac_defs[mac_md5].pad_size)); 4340 mac_defs[mac_md5].pad_size));
3935 PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH)) ; 4341 PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH)) ;
3936 4342
3937 MD5_Begin(md5cx); 4343 MD5_Begin(md5cx);
3938 MD5_Update(md5cx, spec->msItem.data, spec->msItem.len); 4344 MD5_Update(md5cx, spec->msItem.data, spec->msItem.len);
3939 MD5_Update(md5cx, mac_pad_2, mac_defs[mac_md5].pad_size); 4345 MD5_Update(md5cx, mac_pad_2, mac_defs[mac_md5].pad_size);
3940 MD5_Update(md5cx, md5_inner, MD5_LENGTH); 4346 MD5_Update(md5cx, md5_inner, MD5_LENGTH);
3941 } 4347 }
3942 » MD5_End(md5cx, hashes->md5, &outLength, MD5_LENGTH); 4348 » MD5_End(md5cx, hashes->u.s.md5, &outLength, MD5_LENGTH);
3943 4349
3944 » PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->md5, MD5_LENGTH)); 4350 » PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->u.s.md5, MD5_LENGTH));
3945 4351
3946 if (!isTLS) { 4352 if (!isTLS) {
3947 PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2, 4353 PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2,
3948 mac_defs[mac_sha].pad_size)); 4354 mac_defs[mac_sha].pad_size));
3949 PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH) ); 4355 PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH) );
3950 4356
3951 SHA1_Begin(shacx); 4357 SHA1_Begin(shacx);
3952 SHA1_Update(shacx, spec->msItem.data, spec->msItem.len); 4358 SHA1_Update(shacx, spec->msItem.data, spec->msItem.len);
3953 SHA1_Update(shacx, mac_pad_2, mac_defs[mac_sha].pad_size); 4359 SHA1_Update(shacx, mac_pad_2, mac_defs[mac_sha].pad_size);
3954 SHA1_Update(shacx, sha_inner, SHA1_LENGTH); 4360 SHA1_Update(shacx, sha_inner, SHA1_LENGTH);
3955 } 4361 }
3956 » SHA1_End(shacx, hashes->sha, &outLength, SHA1_LENGTH); 4362 » SHA1_End(shacx, hashes->u.s.sha, &outLength, SHA1_LENGTH);
3957 4363
3958 » PRINT_BUF(60, (NULL, "SHA outer: result", hashes->sha, SHA1_LENGTH)); 4364 » PRINT_BUF(60, (NULL, "SHA outer: result", hashes->u.s.sha, SHA1_LENGTH)) ;
3959 4365
4366 hashes->len = MD5_LENGTH + SHA1_LENGTH;
3960 rv = SECSuccess; 4367 rv = SECSuccess;
3961 #undef md5cx 4368 #undef md5cx
3962 #undef shacx 4369 #undef shacx
3963 } else 4370 } else
3964 #endif 4371 #endif
3965 { 4372 if (ss->ssl3.hs.tls12_handshake_hash) {
4373 » PK11Context *h;
4374 » unsigned int stateLen;
4375 » unsigned char stackBuf[1024];
4376 » unsigned char *stateBuf = NULL;
4377
4378 » if (!spec->master_secret) {
4379 » PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
4380 » return SECFailure;
4381 » }
4382
4383 » h = ss->ssl3.hs.tls12_handshake_hash;
4384 » stateBuf = PK11_SaveContextAlloc(h, stackBuf,
4385 » » » » » sizeof(stackBuf), &stateLen);
4386 » if (stateBuf == NULL) {
4387 » ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
4388 » goto tls12Loser;
4389 » }
4390 » rv |= PK11_DigestFinal(h, hashes->u.raw, &hashes->len,
4391 » » » sizeof(hashes->u.raw));
4392 » if (rv != SECSuccess) {
4393 » ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
4394 » rv = SECFailure;
4395 » goto tls12Loser;
4396 » }
4397 » /* If we ever support ciphersuites where the PRF hash isn't SHA-256
4398 » * then this will need to be updated. */
4399 » hashes->hashAlg = SEC_OID_SHA256;
4400 » rv = SECSuccess;
4401
4402 tls12Loser:
4403 » if (stateBuf) {
4404 » if (PK11_RestoreContext(ss->ssl3.hs.tls12_handshake_hash, stateBuf,
4405 » » » » stateLen) != SECSuccess) {
4406 » » ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
4407 » » rv = SECFailure;
4408 » }
4409 » if (stateBuf != stackBuf) {
4410 » » PORT_ZFree(stateBuf, stateLen);
4411 » }
4412 » }
4413 } else {
3966 /* compute hases with PKCS11 */ 4414 /* compute hases with PKCS11 */
3967 PK11Context * md5; 4415 PK11Context * md5;
3968 PK11Context * sha = NULL; 4416 PK11Context * sha = NULL;
3969 unsigned char *md5StateBuf = NULL; 4417 unsigned char *md5StateBuf = NULL;
3970 unsigned char *shaStateBuf = NULL; 4418 unsigned char *shaStateBuf = NULL;
3971 unsigned int md5StateLen, shaStateLen; 4419 unsigned int md5StateLen, shaStateLen;
3972 unsigned char md5StackBuf[256]; 4420 unsigned char md5StackBuf[256];
3973 unsigned char shaStackBuf[512]; 4421 unsigned char shaStackBuf[512];
3974 4422
3975 if (!spec->master_secret) { 4423 if (!spec->master_secret) {
(...skipping 68 matching lines...) Expand 10 before | Expand all | Expand 10 after
4044 4492
4045 PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2, 4493 PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2,
4046 mac_defs[mac_md5].pad_size)); 4494 mac_defs[mac_md5].pad_size));
4047 PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH)) ; 4495 PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH)) ;
4048 4496
4049 rv |= PK11_DigestBegin(md5); 4497 rv |= PK11_DigestBegin(md5);
4050 rv |= PK11_DigestKey(md5, spec->master_secret); 4498 rv |= PK11_DigestKey(md5, spec->master_secret);
4051 rv |= PK11_DigestOp(md5, mac_pad_2, mac_defs[mac_md5].pad_size); 4499 rv |= PK11_DigestOp(md5, mac_pad_2, mac_defs[mac_md5].pad_size);
4052 rv |= PK11_DigestOp(md5, md5_inner, MD5_LENGTH); 4500 rv |= PK11_DigestOp(md5, md5_inner, MD5_LENGTH);
4053 } 4501 }
4054 » rv |= PK11_DigestFinal(md5, hashes->md5, &outLength, MD5_LENGTH); 4502 » rv |= PK11_DigestFinal(md5, hashes->u.s.md5, &outLength, MD5_LENGTH);
4055 PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH); 4503 PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH);
4056 if (rv != SECSuccess) { 4504 if (rv != SECSuccess) {
4057 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); 4505 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
4058 rv = SECFailure; 4506 rv = SECFailure;
4059 goto loser; 4507 goto loser;
4060 } 4508 }
4061 4509
4062 » PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->md5, MD5_LENGTH)); 4510 » PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->u.s.md5, MD5_LENGTH));
4063 4511
4064 if (!isTLS) { 4512 if (!isTLS) {
4065 PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2, 4513 PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2,
4066 mac_defs[mac_sha].pad_size)); 4514 mac_defs[mac_sha].pad_size));
4067 PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH) ); 4515 PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH) );
4068 4516
4069 rv |= PK11_DigestBegin(sha); 4517 rv |= PK11_DigestBegin(sha);
4070 rv |= PK11_DigestKey(sha,spec->master_secret); 4518 rv |= PK11_DigestKey(sha,spec->master_secret);
4071 rv |= PK11_DigestOp(sha, mac_pad_2, mac_defs[mac_sha].pad_size); 4519 rv |= PK11_DigestOp(sha, mac_pad_2, mac_defs[mac_sha].pad_size);
4072 rv |= PK11_DigestOp(sha, sha_inner, SHA1_LENGTH); 4520 rv |= PK11_DigestOp(sha, sha_inner, SHA1_LENGTH);
4073 } 4521 }
4074 » rv |= PK11_DigestFinal(sha, hashes->sha, &outLength, SHA1_LENGTH); 4522 » rv |= PK11_DigestFinal(sha, hashes->u.s.sha, &outLength, SHA1_LENGTH);
4075 PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH); 4523 PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH);
4076 if (rv != SECSuccess) { 4524 if (rv != SECSuccess) {
4077 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); 4525 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
4078 rv = SECFailure; 4526 rv = SECFailure;
4079 goto loser; 4527 goto loser;
4080 } 4528 }
4081 4529
4082 » PRINT_BUF(60, (NULL, "SHA outer: result", hashes->sha, SHA1_LENGTH)); 4530 » PRINT_BUF(60, (NULL, "SHA outer: result", hashes->u.s.sha, SHA1_LENGTH)) ;
4083 4531
4532 hashes->len = MD5_LENGTH + SHA1_LENGTH;
4084 rv = SECSuccess; 4533 rv = SECSuccess;
4085 4534
4086 loser: 4535 loser:
4087 if (md5StateBuf) { 4536 if (md5StateBuf) {
4088 if (PK11_RestoreContext(ss->ssl3.hs.md5, md5StateBuf, md5StateLen) 4537 if (PK11_RestoreContext(ss->ssl3.hs.md5, md5StateBuf, md5StateLen)
4089 != SECSuccess) 4538 != SECSuccess)
4090 { 4539 {
4091 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); 4540 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
4092 rv = SECFailure; 4541 rv = SECFailure;
4093 } 4542 }
(...skipping 1242 matching lines...) Expand 10 before | Expand all | Expand 10 after
5336 SECKEY_DestroyPublicKey(serverKey); 5785 SECKEY_DestroyPublicKey(serverKey);
5337 return rv; /* err code already set. */ 5786 return rv; /* err code already set. */
5338 } 5787 }
5339 5788
5340 /* Called from ssl3_HandleServerHelloDone(). */ 5789 /* Called from ssl3_HandleServerHelloDone(). */
5341 static SECStatus 5790 static SECStatus
5342 ssl3_SendCertificateVerify(sslSocket *ss) 5791 ssl3_SendCertificateVerify(sslSocket *ss)
5343 { 5792 {
5344 SECStatus rv = SECFailure; 5793 SECStatus rv = SECFailure;
5345 PRBool isTLS; 5794 PRBool isTLS;
5795 PRBool isTLS12;
5346 SECItem buf = {siBuffer, NULL, 0}; 5796 SECItem buf = {siBuffer, NULL, 0};
5347 SSL3Hashes hashes; 5797 SSL3Hashes hashes;
5798 unsigned int len;
5799 SSL3SignatureAndHashAlgorithm sigAndHash;
5348 5800
5349 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 5801 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
5350 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 5802 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
5351 5803
5352 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake", 5804 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake",
5353 SSL_GETPID(), ss->fd)); 5805 SSL_GETPID(), ss->fd));
5354 5806
5355 ssl_GetSpecReadLock(ss); 5807 ssl_GetSpecReadLock(ss);
5356 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0); 5808 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0);
5357 ssl_ReleaseSpecReadLock(ss); 5809 ssl_ReleaseSpecReadLock(ss);
5358 if (rv != SECSuccess) { 5810 if (rv != SECSuccess) {
5359 goto done; /* err code was set by ssl3_ComputeHandshakeHashes */ 5811 goto done; /* err code was set by ssl3_ComputeHandshakeHashes */
5360 } 5812 }
5361 5813
5362 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); 5814 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
5815 isTLS12 = (PRBool)(ss->version >= SSL_LIBRARY_VERSION_TLS_1_2);
5363 if (ss->ssl3.platformClientKey) { 5816 if (ss->ssl3.platformClientKey) {
5364 #ifdef NSS_PLATFORM_CLIENT_AUTH 5817 #ifdef NSS_PLATFORM_CLIENT_AUTH
5365 rv = ssl3_PlatformSignHashes( 5818 rv = ssl3_PlatformSignHashes(
5366 &hashes, ss->ssl3.platformClientKey, &buf, isTLS, 5819 &hashes, ss->ssl3.platformClientKey, &buf, isTLS,
5367 CERT_GetCertKeyType( 5820 CERT_GetCertKeyType(
5368 &ss->ssl3.clientCertificate->subjectPublicKeyInfo)); 5821 &ss->ssl3.clientCertificate->subjectPublicKeyInfo));
5369 ssl_FreePlatformKey(ss->ssl3.platformClientKey); 5822 ssl_FreePlatformKey(ss->ssl3.platformClientKey);
5370 ss->ssl3.platformClientKey = (PlatformKey)NULL; 5823 ss->ssl3.platformClientKey = (PlatformKey)NULL;
5371 #endif /* NSS_PLATFORM_CLIENT_AUTH */ 5824 #endif /* NSS_PLATFORM_CLIENT_AUTH */
5372 } else { 5825 } else {
5373 rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS); 5826 rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS);
5374 if (rv == SECSuccess) { 5827 if (rv == SECSuccess) {
5375 PK11SlotInfo * slot; 5828 PK11SlotInfo * slot;
5376 sslSessionID * sid = ss->sec.ci.sid; 5829 sslSessionID * sid = ss->sec.ci.sid;
5377 5830
5378 /* Remember the info about the slot that did the signing. 5831 /* Remember the info about the slot that did the signing.
5379 ** Later, when doing an SSL restart handshake, verify this. 5832 ** Later, when doing an SSL restart handshake, verify this.
5380 ** These calls are mere accessors, and can't fail. 5833 ** These calls are mere accessors, and can't fail.
5381 */ 5834 */
5382 slot = PK11_GetSlotFromPrivateKey(ss->ssl3.clientPrivateKey); 5835 slot = PK11_GetSlotFromPrivateKey(ss->ssl3.clientPrivateKey);
5383 sid->u.ssl3.clAuthSeries = PK11_GetSlotSeries(slot); 5836 sid->u.ssl3.clAuthSeries = PK11_GetSlotSeries(slot);
5384 sid->u.ssl3.clAuthSlotID = PK11_GetSlotID(slot); 5837 sid->u.ssl3.clAuthSlotID = PK11_GetSlotID(slot);
5385 sid->u.ssl3.clAuthModuleID = PK11_GetModuleID(slot); 5838 sid->u.ssl3.clAuthModuleID = PK11_GetModuleID(slot);
5386 sid->u.ssl3.clAuthValid = PR_TRUE; 5839 sid->u.ssl3.clAuthValid = PR_TRUE;
5387 PK11_FreeSlot(slot); 5840 PK11_FreeSlot(slot);
5841
5842 if (isTLS12) {
5843 rv = ssl3_TLSSignatureAlgorithmForPrivateKey(
5844 ss->ssl3.clientPrivateKey, &sigAndHash.sigAlg);
5845 }
5388 } 5846 }
5389 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); 5847 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
5390 ss->ssl3.clientPrivateKey = NULL; 5848 ss->ssl3.clientPrivateKey = NULL;
5391 } 5849 }
5392 if (rv != SECSuccess) { 5850 if (rv != SECSuccess) {
5393 goto done; /* err code was set by ssl3_SignHashes */ 5851 goto done; /* err code was set by ssl3_SignHashes */
5394 } 5852 }
5395 5853
5396 rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, buf.len + 2); 5854 len = buf.len + 2 + (isTLS12 ? 2 : 0);
5855
5856 rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, len);
5397 if (rv != SECSuccess) { 5857 if (rv != SECSuccess) {
5398 goto done; /* error code set by AppendHandshake */ 5858 goto done; /* error code set by AppendHandshake */
5399 } 5859 }
5860 if (isTLS12) {
5861 /* We always sign using the handshake hash function. It's possible that
5862 * a server could support SHA-256 as the handshake hash but not as a
5863 * signature hash. In that case we wouldn't be able to do client
5864 * certificates with it. The alternative is to buffer all handshake
5865 * messages. */
5866 sigAndHash.hashAlg = hashes.hashAlg;
5867
5868 rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash);
5869 if (rv != SECSuccess) {
5870 goto done; /* err set by AppendHandshake. */
5871 }
5872 }
5400 rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2); 5873 rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2);
5401 if (rv != SECSuccess) { 5874 if (rv != SECSuccess) {
5402 goto done; /* error code set by AppendHandshake */ 5875 goto done; /* error code set by AppendHandshake */
5403 } 5876 }
5404 5877
5405 done: 5878 done:
5406 if (buf.data) 5879 if (buf.data)
5407 PORT_Free(buf.data); 5880 PORT_Free(buf.data);
5408 return rv; 5881 return rv;
5409 } 5882 }
(...skipping 87 matching lines...) Expand 10 before | Expand all | Expand 10 after
5497 5970
5498 rv = ssl3_NegotiateVersion(ss, version, PR_FALSE); 5971 rv = ssl3_NegotiateVersion(ss, version, PR_FALSE);
5499 if (rv != SECSuccess) { 5972 if (rv != SECSuccess) {
5500 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version 5973 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version
5501 : handshake_failure; 5974 : handshake_failure;
5502 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; 5975 errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
5503 goto alert_loser; 5976 goto alert_loser;
5504 } 5977 }
5505 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0); 5978 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0);
5506 5979
5980 rv = ssl3_InitTLS12HandshakeHash(ss);
5981 if (rv != SECSuccess) {
5982 desc = internal_error;
5983 goto alert_loser;
5984 }
5985
5507 rv = ssl3_ConsumeHandshake( 5986 rv = ssl3_ConsumeHandshake(
5508 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH, &b, &length); 5987 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH, &b, &length);
5509 if (rv != SECSuccess) { 5988 if (rv != SECSuccess) {
5510 goto loser; /* alert has been sent */ 5989 goto loser; /* alert has been sent */
5511 } 5990 }
5512 5991
5513 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length); 5992 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length);
5514 if (rv != SECSuccess) { 5993 if (rv != SECSuccess) {
5515 goto loser; /* alert has been sent */ 5994 goto loser; /* alert has been sent */
5516 } 5995 }
(...skipping 316 matching lines...) Expand 10 before | Expand all | Expand 10 after
5833 ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) 6312 ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
5834 { 6313 {
5835 PRArenaPool * arena = NULL; 6314 PRArenaPool * arena = NULL;
5836 SECKEYPublicKey *peerKey = NULL; 6315 SECKEYPublicKey *peerKey = NULL;
5837 PRBool isTLS; 6316 PRBool isTLS;
5838 SECStatus rv; 6317 SECStatus rv;
5839 int errCode = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH; 6318 int errCode = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH;
5840 SSL3AlertDescription desc = illegal_parameter; 6319 SSL3AlertDescription desc = illegal_parameter;
5841 SSL3Hashes hashes; 6320 SSL3Hashes hashes;
5842 SECItem signature = {siBuffer, NULL, 0}; 6321 SECItem signature = {siBuffer, NULL, 0};
6322 SSL3SignatureAndHashAlgorithm sigAndHash;
6323
6324 sigAndHash.hashAlg = SEC_OID_UNKNOWN;
5843 6325
5844 SSL_TRC(3, ("%d: SSL3[%d]: handle server_key_exchange handshake", 6326 SSL_TRC(3, ("%d: SSL3[%d]: handle server_key_exchange handshake",
5845 SSL_GETPID(), ss->fd)); 6327 SSL_GETPID(), ss->fd));
5846 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 6328 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
5847 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 6329 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
5848 6330
5849 if (ss->ssl3.hs.ws != wait_server_key && 6331 if (ss->ssl3.hs.ws != wait_server_key &&
5850 ss->ssl3.hs.ws != wait_server_cert) { 6332 ss->ssl3.hs.ws != wait_server_cert) {
5851 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH; 6333 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH;
5852 desc = unexpected_message; 6334 desc = unexpected_message;
(...skipping 14 matching lines...) Expand all
5867 SECItem exponent = {siBuffer, NULL, 0}; 6349 SECItem exponent = {siBuffer, NULL, 0};
5868 6350
5869 rv = ssl3_ConsumeHandshakeVariable(ss, &modulus, 2, &b, &length); 6351 rv = ssl3_ConsumeHandshakeVariable(ss, &modulus, 2, &b, &length);
5870 if (rv != SECSuccess) { 6352 if (rv != SECSuccess) {
5871 goto loser; /* malformed. */ 6353 goto loser; /* malformed. */
5872 } 6354 }
5873 rv = ssl3_ConsumeHandshakeVariable(ss, &exponent, 2, &b, &length); 6355 rv = ssl3_ConsumeHandshakeVariable(ss, &exponent, 2, &b, &length);
5874 if (rv != SECSuccess) { 6356 if (rv != SECSuccess) {
5875 goto loser; /* malformed. */ 6357 goto loser; /* malformed. */
5876 } 6358 }
6359 if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
6360 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, &sigAndH ash);
6361 if (rv != SECSuccess) {
6362 goto loser; /* malformed or unsupported. */
6363 }
6364 rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(
6365 &sigAndHash, ss->sec.peerCert);
6366 if (rv != SECSuccess) {
6367 goto loser;
6368 }
6369 }
5877 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length); 6370 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
5878 if (rv != SECSuccess) { 6371 if (rv != SECSuccess) {
5879 goto loser; /* malformed. */ 6372 goto loser; /* malformed. */
5880 } 6373 }
5881 if (length != 0) { 6374 if (length != 0) {
5882 if (isTLS) 6375 if (isTLS)
5883 desc = decode_error; 6376 desc = decode_error;
5884 goto alert_loser; /* malformed. */ 6377 goto alert_loser; /* malformed. */
5885 } 6378 }
5886 6379
5887 /* failures after this point are not malformed handshakes. */ 6380 /* failures after this point are not malformed handshakes. */
5888 /* TLS: send decrypt_error if signature failed. */ 6381 /* TLS: send decrypt_error if signature failed. */
5889 desc = isTLS ? decrypt_error : handshake_failure; 6382 desc = isTLS ? decrypt_error : handshake_failure;
5890 6383
5891 /* 6384 /*
5892 * check to make sure the hash is signed by right guy 6385 * check to make sure the hash is signed by right guy
5893 */ 6386 */
5894 » rv = ssl3_ComputeExportRSAKeyHash(modulus, exponent, 6387 » rv = ssl3_ComputeExportRSAKeyHash(sigAndHash.hashAlg, modulus, exponent,
5895 &ss->ssl3.hs.client_random, 6388 &ss->ssl3.hs.client_random,
5896 &ss->ssl3.hs.server_random, 6389 &ss->ssl3.hs.server_random,
5897 &hashes, ss->opt.bypassPKCS11); 6390 &hashes, ss->opt.bypassPKCS11);
5898 if (rv != SECSuccess) { 6391 if (rv != SECSuccess) {
5899 errCode = 6392 errCode =
5900 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); 6393 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
5901 goto alert_loser; 6394 goto alert_loser;
5902 } 6395 }
5903 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature, 6396 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
5904 isTLS, ss->pkcs11PinArg); 6397 isTLS, ss->pkcs11PinArg);
(...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after
5957 goto loser; /* malformed. */ 6450 goto loser; /* malformed. */
5958 } 6451 }
5959 if (dh_g.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_g)) 6452 if (dh_g.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_g))
5960 goto alert_loser; 6453 goto alert_loser;
5961 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_Ys, 2, &b, &length); 6454 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_Ys, 2, &b, &length);
5962 if (rv != SECSuccess) { 6455 if (rv != SECSuccess) {
5963 goto loser; /* malformed. */ 6456 goto loser; /* malformed. */
5964 } 6457 }
5965 if (dh_Ys.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_Ys)) 6458 if (dh_Ys.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_Ys))
5966 goto alert_loser; 6459 goto alert_loser;
6460 if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
6461 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, &sigAndH ash);
6462 if (rv != SECSuccess) {
6463 goto loser; /* malformed or unsupported. */
6464 }
6465 rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(
6466 &sigAndHash, ss->sec.peerCert);
6467 if (rv != SECSuccess) {
6468 goto loser;
6469 }
6470 }
5967 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length); 6471 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
5968 if (rv != SECSuccess) { 6472 if (rv != SECSuccess) {
5969 goto loser; /* malformed. */ 6473 goto loser; /* malformed. */
5970 } 6474 }
5971 if (length != 0) { 6475 if (length != 0) {
5972 if (isTLS) 6476 if (isTLS)
5973 desc = decode_error; 6477 desc = decode_error;
5974 goto alert_loser; /* malformed. */ 6478 goto alert_loser; /* malformed. */
5975 } 6479 }
5976 6480
5977 PRINT_BUF(60, (NULL, "Server DH p", dh_p.data, dh_p.len)); 6481 PRINT_BUF(60, (NULL, "Server DH p", dh_p.data, dh_p.len));
5978 PRINT_BUF(60, (NULL, "Server DH g", dh_g.data, dh_g.len)); 6482 PRINT_BUF(60, (NULL, "Server DH g", dh_g.data, dh_g.len));
5979 PRINT_BUF(60, (NULL, "Server DH Ys", dh_Ys.data, dh_Ys.len)); 6483 PRINT_BUF(60, (NULL, "Server DH Ys", dh_Ys.data, dh_Ys.len));
5980 6484
5981 /* failures after this point are not malformed handshakes. */ 6485 /* failures after this point are not malformed handshakes. */
5982 /* TLS: send decrypt_error if signature failed. */ 6486 /* TLS: send decrypt_error if signature failed. */
5983 desc = isTLS ? decrypt_error : handshake_failure; 6487 desc = isTLS ? decrypt_error : handshake_failure;
5984 6488
5985 /* 6489 /*
5986 * check to make sure the hash is signed by right guy 6490 * check to make sure the hash is signed by right guy
5987 */ 6491 */
5988 » rv = ssl3_ComputeDHKeyHash(dh_p, dh_g, dh_Ys, 6492 » rv = ssl3_ComputeDHKeyHash(sigAndHash.hashAlg, dh_p, dh_g, dh_Ys,
5989 &ss->ssl3.hs.client_random, 6493 &ss->ssl3.hs.client_random,
5990 &ss->ssl3.hs.server_random, 6494 &ss->ssl3.hs.server_random,
5991 &hashes, ss->opt.bypassPKCS11); 6495 &hashes, ss->opt.bypassPKCS11);
5992 if (rv != SECSuccess) { 6496 if (rv != SECSuccess) {
5993 errCode = 6497 errCode =
5994 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); 6498 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
5995 goto alert_loser; 6499 goto alert_loser;
5996 } 6500 }
5997 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature, 6501 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
5998 isTLS, ss->pkcs11PinArg); 6502 isTLS, ss->pkcs11PinArg);
(...skipping 856 matching lines...) Expand 10 before | Expand all | Expand 10 after
6855 } 7359 }
6856 7360
6857 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE); 7361 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE);
6858 if (rv != SECSuccess) { 7362 if (rv != SECSuccess) {
6859 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version 7363 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version
6860 : handshake_failure; 7364 : handshake_failure;
6861 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; 7365 errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
6862 goto alert_loser; 7366 goto alert_loser;
6863 } 7367 }
6864 7368
7369 rv = ssl3_InitTLS12HandshakeHash(ss);
7370 if (rv != SECSuccess) {
7371 desc = internal_error;
7372 goto alert_loser;
7373 }
7374
6865 /* grab the client random data. */ 7375 /* grab the client random data. */
6866 rv = ssl3_ConsumeHandshake( 7376 rv = ssl3_ConsumeHandshake(
6867 ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length); 7377 ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length);
6868 if (rv != SECSuccess) { 7378 if (rv != SECSuccess) {
6869 goto loser; /* malformed */ 7379 goto loser; /* malformed */
6870 } 7380 }
6871 7381
6872 /* grab the client's SID, if present. */ 7382 /* grab the client's SID, if present. */
6873 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length); 7383 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length);
6874 if (rv != SECSuccess) { 7384 if (rv != SECSuccess) {
(...skipping 821 matching lines...) Expand 10 before | Expand all | Expand 10 after
7696 /* we don't even search for a cache hit here. It's just a miss. */ 8206 /* we don't even search for a cache hit here. It's just a miss. */
7697 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_misses ); 8207 SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_misses );
7698 sid = ssl3_NewSessionID(ss, PR_TRUE); 8208 sid = ssl3_NewSessionID(ss, PR_TRUE);
7699 if (sid == NULL) { 8209 if (sid == NULL) {
7700 errCode = PORT_GetError(); 8210 errCode = PORT_GetError();
7701 goto loser; /* memory error is set. */ 8211 goto loser; /* memory error is set. */
7702 } 8212 }
7703 ss->sec.ci.sid = sid; 8213 ss->sec.ci.sid = sid;
7704 /* do not worry about memory leak of sid since it now belongs to ci */ 8214 /* do not worry about memory leak of sid since it now belongs to ci */
7705 8215
8216 rv = ssl3_InitTLS12HandshakeHash(ss);
8217 if (rv != SECSuccess) {
8218 desc = internal_error;
8219 goto alert_loser;
8220 }
8221
7706 /* We have to update the handshake hashes before we can send stuff */ 8222 /* We have to update the handshake hashes before we can send stuff */
7707 rv = ssl3_UpdateHandshakeHashes(ss, buffer, length); 8223 rv = ssl3_UpdateHandshakeHashes(ss, buffer, length);
7708 if (rv != SECSuccess) { 8224 if (rv != SECSuccess) {
7709 errCode = PORT_GetError(); 8225 errCode = PORT_GetError();
7710 goto loser; 8226 goto loser;
7711 } 8227 }
7712 8228
7713 ssl_GetXmitBufLock(ss); 8229 ssl_GetXmitBufLock(ss);
7714 rv = ssl3_SendServerHelloSequence(ss); 8230 rv = ssl3_SendServerHelloSequence(ss);
7715 ssl_ReleaseXmitBufLock(ss); 8231 ssl_ReleaseXmitBufLock(ss);
(...skipping 128 matching lines...) Expand 10 before | Expand all | Expand 10 after
7844 } 8360 }
7845 } 8361 }
7846 rv = ssl3_SetupPendingCipherSpec(ss); 8362 rv = ssl3_SetupPendingCipherSpec(ss);
7847 if (rv != SECSuccess) { 8363 if (rv != SECSuccess) {
7848 return rv; /* err set by ssl3_SetupPendingCipherSpec */ 8364 return rv; /* err set by ssl3_SetupPendingCipherSpec */
7849 } 8365 }
7850 8366
7851 return SECSuccess; 8367 return SECSuccess;
7852 } 8368 }
7853 8369
8370 /* ssl3_PickSignatureHashFunction selects a hash function to use when signing
8371 * elements of the handshake. Prior to TLS 1.2, the MD5/SHA1 combination is
8372 * always used. With TLS 1.2, a client may advertise its support for signature
8373 * and hash combinations. */
8374 SECStatus
8375 ssl3_PickSignatureHashFunction(sslSocket *ss,
8376 SSL3SignatureAndHashAlgorithm* out)
8377 {
8378 TLS12SignatureAlgorithm sigAlg;
8379 unsigned int i, j;
8380 /* hashPreference expresses our preferences for hash functions, most
8381 * preferable first. */
8382 static const PRUint8 hashPreference[] = {
8383 tls_hash_sha256,
8384 tls_hash_sha384,
8385 tls_hash_sha512,
8386 tls_hash_sha1,
8387 };
8388
8389 switch (ss->ssl3.hs.kea_def->kea) {
8390 case kea_rsa:
8391 case kea_rsa_export:
8392 case kea_rsa_export_1024:
8393 case kea_dhe_rsa:
8394 case kea_dhe_rsa_export:
8395 case kea_rsa_fips:
8396 case kea_ecdh_rsa:
8397 case kea_ecdhe_rsa:
8398 sigAlg = tls_sig_rsa;
8399 break;
8400 case kea_dh_dss:
8401 case kea_dh_dss_export:
8402 case kea_dhe_dss:
8403 case kea_dhe_dss_export:
8404 sigAlg = tls_sig_dsa;
8405 break;
8406 case kea_ecdh_ecdsa:
8407 case kea_ecdhe_ecdsa:
8408 sigAlg = tls_sig_ecdsa;
8409 break;
8410 default:
8411 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
8412 return SECFailure;
8413 }
8414 out->sigAlg = sigAlg;
8415
8416 if (ss->version <= SSL_LIBRARY_VERSION_TLS_1_1) {
8417 /* SEC_OID_UNKNOWN means the MD5/SHA1 combo hash used in TLS 1.1 and
8418 * prior. */
8419 out->hashAlg = SEC_OID_UNKNOWN;
8420 return SECSuccess;
8421 }
8422
8423 if (ss->ssl3.hs.numClientSigAndHash == 0) {
8424 /* If the client didn't provide any signature_algorithms extension then
8425 * we can assume that they support SHA-1:
8426 * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
8427 out->hashAlg = SEC_OID_SHA1;
8428 return SECSuccess;
8429 }
8430
8431
8432 for (i = 0; i < sizeof(hashPreference); i++) {
8433 for (j = 0; j < ss->ssl3.hs.numClientSigAndHash; j++) {
8434 const SSL3SignatureAndHashAlgorithm* sh =
8435 &ss->ssl3.hs.clientSigAndHash[j];
8436 if (sh->sigAlg == sigAlg && sh->hashAlg == hashPreference[i]) {
8437 *out = *sh;
8438 return SECSuccess;
8439 }
8440 }
8441 }
8442
8443 return SECFailure;
8444 }
8445
7854 8446
7855 static SECStatus 8447 static SECStatus
7856 ssl3_SendServerKeyExchange(sslSocket *ss) 8448 ssl3_SendServerKeyExchange(sslSocket *ss)
7857 { 8449 {
7858 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; 8450 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def;
7859 SECStatus rv = SECFailure; 8451 SECStatus rv = SECFailure;
7860 int length; 8452 int length;
7861 PRBool isTLS; 8453 PRBool isTLS;
7862 SECItem signed_hash = {siBuffer, NULL, 0}; 8454 SECItem signed_hash = {siBuffer, NULL, 0};
7863 SSL3Hashes hashes; 8455 SSL3Hashes hashes;
7864 SECKEYPublicKey * sdPub; /* public key for step-down */ 8456 SECKEYPublicKey * sdPub; /* public key for step-down */
8457 SSL3SignatureAndHashAlgorithm sigAndHash;
7865 8458
7866 SSL_TRC(3, ("%d: SSL3[%d]: send server_key_exchange handshake", 8459 SSL_TRC(3, ("%d: SSL3[%d]: send server_key_exchange handshake",
7867 SSL_GETPID(), ss->fd)); 8460 SSL_GETPID(), ss->fd));
7868 8461
7869 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 8462 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
7870 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 8463 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
7871 8464
8465 if (SECSuccess != ssl3_PickSignatureHashFunction(ss, &sigAndHash)) {
8466 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_FUNCTION);
8467 return SECFailure;
8468 }
8469
7872 switch (kea_def->exchKeyType) { 8470 switch (kea_def->exchKeyType) {
7873 case kt_rsa: 8471 case kt_rsa:
7874 /* Perform SSL Step-Down here. */ 8472 /* Perform SSL Step-Down here. */
7875 sdPub = ss->stepDownKeyPair->pubKey; 8473 sdPub = ss->stepDownKeyPair->pubKey;
7876 PORT_Assert(sdPub != NULL); 8474 PORT_Assert(sdPub != NULL);
7877 if (!sdPub) { 8475 if (!sdPub) {
7878 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); 8476 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
7879 return SECFailure; 8477 return SECFailure;
7880 } 8478 }
7881 » rv = ssl3_ComputeExportRSAKeyHash(sdPub->u.rsa.modulus, 8479 » rv = ssl3_ComputeExportRSAKeyHash(sigAndHash.hashAlg,
8480 » » » » » sdPub->u.rsa.modulus,
7882 sdPub->u.rsa.publicExponent, 8481 sdPub->u.rsa.publicExponent,
7883 &ss->ssl3.hs.client_random, 8482 &ss->ssl3.hs.client_random,
7884 &ss->ssl3.hs.server_random, 8483 &ss->ssl3.hs.server_random,
7885 &hashes, ss->opt.bypassPKCS11); 8484 &hashes, ss->opt.bypassPKCS11);
7886 if (rv != SECSuccess) { 8485 if (rv != SECSuccess) {
7887 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); 8486 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
7888 return rv; 8487 return rv;
7889 } 8488 }
7890 8489
7891 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); 8490 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
(...skipping 22 matching lines...) Expand all
7914 goto loser; /* err set by AppendHandshake. */ 8513 goto loser; /* err set by AppendHandshake. */
7915 } 8514 }
7916 8515
7917 rv = ssl3_AppendHandshakeVariable( 8516 rv = ssl3_AppendHandshakeVariable(
7918 ss, sdPub->u.rsa.publicExponent.data, 8517 ss, sdPub->u.rsa.publicExponent.data,
7919 sdPub->u.rsa.publicExponent.len, 2); 8518 sdPub->u.rsa.publicExponent.len, 2);
7920 if (rv != SECSuccess) { 8519 if (rv != SECSuccess) {
7921 goto loser; /* err set by AppendHandshake. */ 8520 goto loser; /* err set by AppendHandshake. */
7922 } 8521 }
7923 8522
8523 if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
8524 rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash);
8525 if (rv != SECSuccess) {
8526 goto loser; /* err set by AppendHandshake. */
8527 }
8528 }
8529
7924 rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data, 8530 rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data,
7925 signed_hash.len, 2); 8531 signed_hash.len, 2);
7926 if (rv != SECSuccess) { 8532 if (rv != SECSuccess) {
7927 goto loser; /* err set by AppendHandshake. */ 8533 goto loser; /* err set by AppendHandshake. */
7928 } 8534 }
7929 PORT_Free(signed_hash.data); 8535 PORT_Free(signed_hash.data);
7930 return SECSuccess; 8536 return SECSuccess;
7931 8537
7932 #ifdef NSS_ENABLE_ECC 8538 #ifdef NSS_ENABLE_ECC
7933 case kt_ecdh: { 8539 case kt_ecdh: {
(...skipping 105 matching lines...) Expand 10 before | Expand all | Expand 10 after
8039 */ 8645 */
8040 static SECStatus 8646 static SECStatus
8041 ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length, 8647 ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
8042 SSL3Hashes *hashes) 8648 SSL3Hashes *hashes)
8043 { 8649 {
8044 SECItem signed_hash = {siBuffer, NULL, 0}; 8650 SECItem signed_hash = {siBuffer, NULL, 0};
8045 SECStatus rv; 8651 SECStatus rv;
8046 int errCode = SSL_ERROR_RX_MALFORMED_CERT_VERIFY; 8652 int errCode = SSL_ERROR_RX_MALFORMED_CERT_VERIFY;
8047 SSL3AlertDescription desc = handshake_failure; 8653 SSL3AlertDescription desc = handshake_failure;
8048 PRBool isTLS; 8654 PRBool isTLS;
8655 SSL3SignatureAndHashAlgorithm sigAndHash;
8049 8656
8050 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_verify handshake", 8657 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_verify handshake",
8051 SSL_GETPID(), ss->fd)); 8658 SSL_GETPID(), ss->fd));
8052 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 8659 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
8053 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 8660 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
8054 8661
8055 if (ss->ssl3.hs.ws != wait_cert_verify || ss->sec.peerCert == NULL) { 8662 if (ss->ssl3.hs.ws != wait_cert_verify || ss->sec.peerCert == NULL) {
8056 desc = unexpected_message; 8663 desc = unexpected_message;
8057 errCode = SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY; 8664 errCode = SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY;
8058 goto alert_loser; 8665 goto alert_loser;
8059 } 8666 }
8060 8667
8668 if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
8669 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length,
8670 &sigAndHash);
8671 if (rv != SECSuccess) {
8672 goto loser; /* malformed or unsupported. */
8673 }
8674 rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(
8675 &sigAndHash, ss->sec.peerCert);
8676 if (rv != SECSuccess) {
8677 goto loser;
8678 }
8679
8680 /* We only support CertificateVerify messages that use the handshake
8681 * hash. */
8682 if (sigAndHash.hashAlg != hashes->hashAlg) {
8683 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_FUNCTION);
8684 return SECFailure;
8685 }
8686 }
8687
8061 rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length); 8688 rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length);
8062 if (rv != SECSuccess) { 8689 if (rv != SECSuccess) {
8063 goto loser; /* malformed. */ 8690 goto loser; /* malformed. */
8064 } 8691 }
8065 8692
8066 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); 8693 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
8067 8694
8068 /* XXX verify that the key & kea match */ 8695 /* XXX verify that the key & kea match */
8069 rv = ssl3_VerifySignedHashes(hashes, ss->sec.peerCert, &signed_hash, 8696 rv = ssl3_VerifySignedHashes(hashes, ss->sec.peerCert, &signed_hash,
8070 isTLS, ss->pkcs11PinArg); 8697 isTLS, ss->pkcs11PinArg);
(...skipping 1095 matching lines...) Expand 10 before | Expand all | Expand 10 after
9166 const SSL3Finished * hashes, 9793 const SSL3Finished * hashes,
9167 TLSFinished * tlsFinished) 9794 TLSFinished * tlsFinished)
9168 { 9795 {
9169 const char * label; 9796 const char * label;
9170 unsigned int len; 9797 unsigned int len;
9171 SECStatus rv; 9798 SECStatus rv;
9172 9799
9173 label = isServer ? "server finished" : "client finished"; 9800 label = isServer ? "server finished" : "client finished";
9174 len = 15; 9801 len = 15;
9175 9802
9176 rv = ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->md5, 9803 rv = ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->u.raw,
9177 » sizeof *hashes, tlsFinished->verify_data, 9804 » hashes->len, tlsFinished->verify_data,
9178 sizeof tlsFinished->verify_data); 9805 sizeof tlsFinished->verify_data);
9179 9806
9180 return rv; 9807 return rv;
9181 } 9808 }
9182 9809
9183 /* The calling function must acquire and release the appropriate 9810 /* The calling function must acquire and release the appropriate
9184 * lock (e.g., ssl_GetSpecReadLock / ssl_ReleaseSpecReadLock for 9811 * lock (e.g., ssl_GetSpecReadLock / ssl_ReleaseSpecReadLock for
9185 * ss->ssl3.crSpec). 9812 * ss->ssl3.crSpec).
9186 */ 9813 */
9187 SECStatus 9814 SECStatus
9188 ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label, 9815 ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label,
9189 unsigned int labelLen, const unsigned char *val, unsigned int valLen, 9816 unsigned int labelLen, const unsigned char *val, unsigned int valLen,
9190 unsigned char *out, unsigned int outLen) 9817 unsigned char *out, unsigned int outLen)
9191 { 9818 {
9192 SECStatus rv = SECSuccess; 9819 SECStatus rv = SECSuccess;
9193 9820
9194 if (spec->master_secret && !spec->bypassCiphers) { 9821 if (spec->master_secret && !spec->bypassCiphers) {
9195 SECItem param = {siBuffer, NULL, 0}; 9822 SECItem param = {siBuffer, NULL, 0};
9823 CK_MECHANISM_TYPE mech = CKM_TLS_PRF_GENERAL;
9824 if (spec->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
9825 mech = CKM_NSS_TLS_PRF_GENERAL_SHA256;
9826 }
9196 PK11Context *prf_context = 9827 PK11Context *prf_context =
9197 » PK11_CreateContextBySymKey(CKM_TLS_PRF_GENERAL, CKA_SIGN, 9828 » PK11_CreateContextBySymKey(mech, CKA_SIGN, spec->master_secret,
9198 » » » » spec->master_secret, &param); 9829 » » » » &param);
9199 unsigned int retLen; 9830 unsigned int retLen;
9200 9831
9201 if (!prf_context) 9832 if (!prf_context)
9202 return SECFailure; 9833 return SECFailure;
9203 9834
9204 rv = PK11_DigestBegin(prf_context); 9835 rv = PK11_DigestBegin(prf_context);
9205 rv |= PK11_DigestOp(prf_context, (unsigned char *) label, labelLen); 9836 rv |= PK11_DigestOp(prf_context, (unsigned char *) label, labelLen);
9206 rv |= PK11_DigestOp(prf_context, val, valLen); 9837 rv |= PK11_DigestOp(prf_context, val, valLen);
9207 rv |= PK11_DigestFinal(prf_context, out, &retLen, outLen); 9838 rv |= PK11_DigestFinal(prf_context, out, &retLen, outLen);
9208 PORT_Assert(rv != SECSuccess || retLen == outLen); 9839 PORT_Assert(rv != SECSuccess || retLen == outLen);
(...skipping 313 matching lines...) Expand 10 before | Expand all | Expand 10 after
9522 else 10153 else
9523 ss->ssl3.hs.finishedMsgs.tFinished[0] = tlsFinished; 10154 ss->ssl3.hs.finishedMsgs.tFinished[0] = tlsFinished;
9524 ss->ssl3.hs.finishedBytes = sizeof tlsFinished; 10155 ss->ssl3.hs.finishedBytes = sizeof tlsFinished;
9525 rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof tlsFinished); 10156 rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof tlsFinished);
9526 if (rv != SECSuccess) 10157 if (rv != SECSuccess)
9527 goto fail; /* err set by AppendHandshake. */ 10158 goto fail; /* err set by AppendHandshake. */
9528 rv = ssl3_AppendHandshake(ss, &tlsFinished, sizeof tlsFinished); 10159 rv = ssl3_AppendHandshake(ss, &tlsFinished, sizeof tlsFinished);
9529 if (rv != SECSuccess) 10160 if (rv != SECSuccess)
9530 goto fail; /* err set by AppendHandshake. */ 10161 goto fail; /* err set by AppendHandshake. */
9531 } else { 10162 } else {
9532 » if (isServer) 10163 » unsigned char *ssl3FinishedStorage;
9533 » ss->ssl3.hs.finishedMsgs.sFinished[1] = hashes; 10164
9534 » else 10165 » if (isServer) {
9535 » ss->ssl3.hs.finishedMsgs.sFinished[0] = hashes; 10166 » ssl3FinishedStorage = &ss->ssl3.hs.finishedMsgs.sFinished[1][0];
9536 » ss->ssl3.hs.finishedBytes = sizeof hashes; 10167 » } else {
9537 » rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof hashes); 10168 » ssl3FinishedStorage = &ss->ssl3.hs.finishedMsgs.sFinished[0][0];
10169 » }
10170 » memcpy(ssl3FinishedStorage, hashes.u.raw, hashes.len);
10171 » ss->ssl3.hs.finishedBytes = hashes.len;
10172 » rv = ssl3_AppendHandshakeHeader(ss, finished, hashes.len);
9538 if (rv != SECSuccess) 10173 if (rv != SECSuccess)
9539 goto fail; /* err set by AppendHandshake. */ 10174 goto fail; /* err set by AppendHandshake. */
9540 » rv = ssl3_AppendHandshake(ss, &hashes, sizeof hashes); 10175 » rv = ssl3_AppendHandshake(ss, hashes.u.raw, hashes.len);
9541 if (rv != SECSuccess) 10176 if (rv != SECSuccess)
9542 goto fail; /* err set by AppendHandshake. */ 10177 goto fail; /* err set by AppendHandshake. */
9543 } 10178 }
9544 rv = ssl3_FlushHandshake(ss, flags); 10179 rv = ssl3_FlushHandshake(ss, flags);
9545 if (rv != SECSuccess) { 10180 if (rv != SECSuccess) {
9546 goto fail; /* error code set by ssl3_FlushHandshake */ 10181 goto fail; /* error code set by ssl3_FlushHandshake */
9547 } 10182 }
9548 10183
9549 ssl3_RecordKeyLog(ss); 10184 ssl3_RecordKeyLog(ss);
9550 10185
(...skipping 128 matching lines...) Expand 10 before | Expand all | Expand 10 after
9679 else 10314 else
9680 ss->ssl3.hs.finishedMsgs.tFinished[0] = tlsFinished; 10315 ss->ssl3.hs.finishedMsgs.tFinished[0] = tlsFinished;
9681 ss->ssl3.hs.finishedBytes = sizeof tlsFinished; 10316 ss->ssl3.hs.finishedBytes = sizeof tlsFinished;
9682 if (rv != SECSuccess || 10317 if (rv != SECSuccess ||
9683 0 != NSS_SecureMemcmp(&tlsFinished, b, length)) { 10318 0 != NSS_SecureMemcmp(&tlsFinished, b, length)) {
9684 (void)SSL3_SendAlert(ss, alert_fatal, decrypt_error); 10319 (void)SSL3_SendAlert(ss, alert_fatal, decrypt_error);
9685 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); 10320 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
9686 return SECFailure; 10321 return SECFailure;
9687 } 10322 }
9688 } else { 10323 } else {
9689 » if (length != sizeof(SSL3Hashes)) { 10324 » unsigned char *ssl3FinishedStorage;
10325
10326 » if (length != hashes->len) {
9690 (void)ssl3_IllegalParameter(ss); 10327 (void)ssl3_IllegalParameter(ss);
9691 PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED); 10328 PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED);
9692 return SECFailure; 10329 return SECFailure;
9693 } 10330 }
9694 10331
9695 » if (!isServer) 10332 » if (!isServer) {
9696 » ss->ssl3.hs.finishedMsgs.sFinished[1] = *hashes; 10333 » ssl3FinishedStorage = &ss->ssl3.hs.finishedMsgs.sFinished[1][0];
9697 » else 10334 » } else {
9698 » ss->ssl3.hs.finishedMsgs.sFinished[0] = *hashes; 10335 » ssl3FinishedStorage = &ss->ssl3.hs.finishedMsgs.sFinished[0][0];
9699 » ss->ssl3.hs.finishedBytes = sizeof *hashes; 10336 » }
9700 » if (0 != NSS_SecureMemcmp(hashes, b, length)) { 10337 » memcpy(ssl3FinishedStorage, hashes->u.raw, hashes->len);
10338 » ss->ssl3.hs.finishedBytes = hashes->len;
10339 » if (0 != NSS_SecureMemcmp(hashes->u.raw, b, length)) {
9701 (void)ssl3_HandshakeFailure(ss); 10340 (void)ssl3_HandshakeFailure(ss);
9702 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); 10341 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
9703 return SECFailure; 10342 return SECFailure;
9704 } 10343 }
9705 } 10344 }
9706 10345
9707 ssl_GetXmitBufLock(ss); /*************************************/ 10346 ssl_GetXmitBufLock(ss); /*************************************/
9708 10347
9709 if ((isServer && !ss->ssl3.hs.isResuming) || 10348 if ((isServer && !ss->ssl3.hs.isResuming) ||
9710 (!isServer && ss->ssl3.hs.isResuming)) { 10349 (!isServer && ss->ssl3.hs.isResuming)) {
(...skipping 1568 matching lines...) Expand 10 before | Expand all | Expand 10 after
11279 SHA1_DestroyContext((SHA1Context *)ss->ssl3.hs.sha_cx, PR_FALSE); 11918 SHA1_DestroyContext((SHA1Context *)ss->ssl3.hs.sha_cx, PR_FALSE);
11280 MD5_DestroyContext((MD5Context *)ss->ssl3.hs.md5_cx, PR_FALSE); 11919 MD5_DestroyContext((MD5Context *)ss->ssl3.hs.md5_cx, PR_FALSE);
11281 } 11920 }
11282 #endif 11921 #endif
11283 if (ss->ssl3.hs.md5) { 11922 if (ss->ssl3.hs.md5) {
11284 PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE); 11923 PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE);
11285 } 11924 }
11286 if (ss->ssl3.hs.sha) { 11925 if (ss->ssl3.hs.sha) {
11287 PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE); 11926 PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE);
11288 } 11927 }
11928 if (ss->ssl3.hs.tls12_handshake_hash) {
11929 PK11_DestroyContext(ss->ssl3.hs.tls12_handshake_hash,PR_TRUE);
11930 }
11931 if (ss->ssl3.hs.clientSigAndHash) {
11932 PORT_Free(ss->ssl3.hs.clientSigAndHash);
11933 }
11289 if (ss->ssl3.hs.messages.buf) { 11934 if (ss->ssl3.hs.messages.buf) {
11290 PORT_Free(ss->ssl3.hs.messages.buf); 11935 PORT_Free(ss->ssl3.hs.messages.buf);
11291 ss->ssl3.hs.messages.buf = NULL; 11936 ss->ssl3.hs.messages.buf = NULL;
11292 ss->ssl3.hs.messages.len = 0; 11937 ss->ssl3.hs.messages.len = 0;
11293 ss->ssl3.hs.messages.space = 0; 11938 ss->ssl3.hs.messages.space = 0;
11294 } 11939 }
11295 11940
11296 /* free the SSL3Buffer (msg_body) */ 11941 /* free the SSL3Buffer (msg_body) */
11297 PORT_Free(ss->ssl3.hs.msg_body.buf); 11942 PORT_Free(ss->ssl3.hs.msg_body.buf);
11298 11943
11299 /* free up the CipherSpecs */ 11944 /* free up the CipherSpecs */
11300 ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE/*freeSrvName*/); 11945 ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE/*freeSrvName*/);
11301 ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/); 11946 ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/);
11302 11947
11303 /* Destroy the DTLS data */ 11948 /* Destroy the DTLS data */
11304 if (IS_DTLS(ss)) { 11949 if (IS_DTLS(ss)) {
11305 dtls_FreeHandshakeMessages(&ss->ssl3.hs.lastMessageFlight); 11950 dtls_FreeHandshakeMessages(&ss->ssl3.hs.lastMessageFlight);
11306 if (ss->ssl3.hs.recvdFragments.buf) { 11951 if (ss->ssl3.hs.recvdFragments.buf) {
11307 PORT_Free(ss->ssl3.hs.recvdFragments.buf); 11952 PORT_Free(ss->ssl3.hs.recvdFragments.buf);
11308 } 11953 }
11309 } 11954 }
11310 11955
11311 ss->ssl3.initialized = PR_FALSE; 11956 ss->ssl3.initialized = PR_FALSE;
11312 11957
11313 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); 11958 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
11314 } 11959 }
11315 11960
11316 /* End of ssl3con.c */ 11961 /* End of ssl3con.c */
OLDNEW
« no previous file with comments | « net/third_party/nss/ssl/SSLerrs.h ('k') | net/third_party/nss/ssl/ssl3ecc.c » ('j') | net/third_party/nss/ssl/sslimpl.h » ('J')

Powered by Google App Engine
This is Rietveld 408576698