OLD | NEW |
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ | 1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ |
2 /* | 2 /* |
3 * SSL3 Protocol | 3 * SSL3 Protocol |
4 * | 4 * |
5 * This Source Code Form is subject to the terms of the Mozilla Public | 5 * This Source Code Form is subject to the terms of the Mozilla Public |
6 * License, v. 2.0. If a copy of the MPL was not distributed with this | 6 * License, v. 2.0. If a copy of the MPL was not distributed with this |
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
8 /* $Id$ */ | 8 /* $Id$ */ |
9 | 9 |
10 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ | 10 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ |
11 | 11 |
12 #include "cert.h" | 12 #include "cert.h" |
13 #include "ssl.h" | 13 #include "ssl.h" |
14 #include "cryptohi.h" /* for DSAU_ stuff */ | 14 #include "cryptohi.h" /* for DSAU_ stuff */ |
15 #include "keyhi.h" | 15 #include "keyhi.h" |
16 #include "secder.h" | 16 #include "secder.h" |
17 #include "secitem.h" | 17 #include "secitem.h" |
| 18 #include "sechash.h" |
18 | 19 |
19 #include "sslimpl.h" | 20 #include "sslimpl.h" |
20 #include "sslproto.h" | 21 #include "sslproto.h" |
21 #include "sslerr.h" | 22 #include "sslerr.h" |
22 #include "prtime.h" | 23 #include "prtime.h" |
23 #include "prinrval.h" | 24 #include "prinrval.h" |
24 #include "prerror.h" | 25 #include "prerror.h" |
25 #include "pratom.h" | 26 #include "pratom.h" |
26 #include "prthread.h" | 27 #include "prthread.h" |
27 | 28 |
28 #include "pk11func.h" | 29 #include "pk11func.h" |
29 #include "secmod.h" | 30 #include "secmod.h" |
30 #ifndef NO_PKCS11_BYPASS | 31 #ifndef NO_PKCS11_BYPASS |
31 #include "blapi.h" | 32 #include "blapi.h" |
32 #endif | 33 #endif |
33 | 34 |
| 35 /* This is a bodge to allow this code to be compiled against older NSS headers |
| 36 * that don't contain the TLS 1.2 changes. */ |
| 37 #ifndef CKM_NSS_TLS_PRF_GENERAL_SHA256 |
| 38 #define CKM_NSS_TLS_PRF_GENERAL_SHA256 (CKM_NSS + 21) |
| 39 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256 (CKM_NSS + 22) |
| 40 #define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256 (CKM_NSS + 23) |
| 41 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) |
| 42 #endif |
| 43 |
34 #include <stdio.h> | 44 #include <stdio.h> |
35 #ifdef NSS_ENABLE_ZLIB | 45 #ifdef NSS_ENABLE_ZLIB |
36 #include "zlib.h" | 46 #include "zlib.h" |
37 #endif | 47 #endif |
38 | 48 |
39 #ifndef PK11_SETATTRS | 49 #ifndef PK11_SETATTRS |
40 #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \ | 50 #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \ |
41 (x)->pValue=(v); (x)->ulValueLen = (l); | 51 (x)->pValue=(v); (x)->ulValueLen = (l); |
42 #endif | 52 #endif |
43 | 53 |
(...skipping 13 matching lines...) Expand all Loading... |
57 static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss); | 67 static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss); |
58 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); | 68 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); |
59 static SECStatus ssl3_SendServerHello( sslSocket *ss); | 69 static SECStatus ssl3_SendServerHello( sslSocket *ss); |
60 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); | 70 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); |
61 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss); | 71 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss); |
62 static SECStatus ssl3_NewHandshakeHashes( sslSocket *ss); | 72 static SECStatus ssl3_NewHandshakeHashes( sslSocket *ss); |
63 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, | 73 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, |
64 const unsigned char *b, | 74 const unsigned char *b, |
65 unsigned int l); | 75 unsigned int l); |
66 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); | 76 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); |
| 77 static int ssl3_OIDToTLSHashAlgorithm(SECOidTag oid); |
67 | 78 |
68 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, | 79 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, |
69 int maxOutputLen, const unsigned char *input, | 80 int maxOutputLen, const unsigned char *input, |
70 int inputLen); | 81 int inputLen); |
71 | 82 |
72 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ | 83 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ |
73 #define MIN_SEND_BUF_LENGTH 4000 | 84 #define MIN_SEND_BUF_LENGTH 4000 |
74 | 85 |
75 /* This list of SSL3 cipher suites is sorted in descending order of | 86 /* This list of SSL3 cipher suites is sorted in descending order of |
76 * precedence (desirability). It only includes cipher suites we implement. | 87 * precedence (desirability). It only includes cipher suites we implement. |
(...skipping 727 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
804 SECStatus | 815 SECStatus |
805 ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key, SECItem *buf, | 816 ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key, SECItem *buf, |
806 PRBool isTLS) | 817 PRBool isTLS) |
807 { | 818 { |
808 SECStatus rv = SECFailure; | 819 SECStatus rv = SECFailure; |
809 PRBool doDerEncode = PR_FALSE; | 820 PRBool doDerEncode = PR_FALSE; |
810 int signatureLen; | 821 int signatureLen; |
811 SECItem hashItem; | 822 SECItem hashItem; |
812 | 823 |
813 buf->data = NULL; | 824 buf->data = NULL; |
814 signatureLen = PK11_SignatureLen(key); | |
815 if (signatureLen <= 0) { | |
816 PORT_SetError(SEC_ERROR_INVALID_KEY); | |
817 goto done; | |
818 } | |
819 | |
820 buf->len = (unsigned)signatureLen; | |
821 buf->data = (unsigned char *)PORT_Alloc(signatureLen); | |
822 if (!buf->data) | |
823 goto done; /* error code was set. */ | |
824 | 825 |
825 switch (key->keyType) { | 826 switch (key->keyType) { |
826 case rsaKey: | 827 case rsaKey: |
827 » hashItem.data = hash->md5; | 828 » hashItem.data = hash->u.raw; |
828 » hashItem.len = sizeof(SSL3Hashes); | 829 » hashItem.len = hash->len; |
829 break; | 830 break; |
830 case dsaKey: | 831 case dsaKey: |
831 doDerEncode = isTLS; | 832 doDerEncode = isTLS; |
832 » hashItem.data = hash->sha; | 833 » /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash. |
833 » hashItem.len = sizeof(hash->sha); | 834 » * In that case, we use just the SHA1 part. */ |
| 835 » if (hash->hashAlg == SEC_OID_UNKNOWN) { |
| 836 » hashItem.data = hash->u.s.sha; |
| 837 » hashItem.len = sizeof(hash->u.s.sha); |
| 838 » } else { |
| 839 » hashItem.data = hash->u.raw; |
| 840 » hashItem.len = hash->len; |
| 841 » } |
834 break; | 842 break; |
835 #ifdef NSS_ENABLE_ECC | 843 #ifdef NSS_ENABLE_ECC |
836 case ecKey: | 844 case ecKey: |
837 doDerEncode = PR_TRUE; | 845 doDerEncode = PR_TRUE; |
838 » hashItem.data = hash->sha; | 846 » /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash. |
839 » hashItem.len = sizeof(hash->sha); | 847 » * In that case, we use just the SHA1 part. */ |
| 848 » if (hash->hashAlg == SEC_OID_UNKNOWN) { |
| 849 » hashItem.data = hash->u.s.sha; |
| 850 » hashItem.len = sizeof(hash->u.s.sha); |
| 851 » } else { |
| 852 » hashItem.data = hash->u.raw; |
| 853 » hashItem.len = hash->len; |
| 854 » } |
840 break; | 855 break; |
841 #endif /* NSS_ENABLE_ECC */ | 856 #endif /* NSS_ENABLE_ECC */ |
842 default: | 857 default: |
843 PORT_SetError(SEC_ERROR_INVALID_KEY); | 858 PORT_SetError(SEC_ERROR_INVALID_KEY); |
844 goto done; | 859 goto done; |
845 } | 860 } |
846 PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len)); | 861 PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len)); |
847 | 862 |
848 rv = PK11_Sign(key, buf, &hashItem); | 863 if (hash->hashAlg == SEC_OID_UNKNOWN) { |
| 864 » signatureLen = PK11_SignatureLen(key); |
| 865 » if (signatureLen <= 0) { |
| 866 » PORT_SetError(SEC_ERROR_INVALID_KEY); |
| 867 » goto done; |
| 868 » } |
| 869 |
| 870 » buf->len = (unsigned)signatureLen; |
| 871 » buf->data = (unsigned char *)PORT_Alloc(signatureLen); |
| 872 » if (!buf->data) |
| 873 » goto done; /* error code was set. */ |
| 874 |
| 875 » rv = PK11_Sign(key, buf, &hashItem); |
| 876 } else { |
| 877 » rv = SGN_Digest(key, hash->hashAlg, buf, &hashItem); |
| 878 } |
849 if (rv != SECSuccess) { | 879 if (rv != SECSuccess) { |
850 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); | 880 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); |
851 } else if (doDerEncode) { | 881 } else if (doDerEncode) { |
852 SECItem derSig = {siBuffer, NULL, 0}; | 882 SECItem derSig = {siBuffer, NULL, 0}; |
853 | 883 |
854 /* This also works for an ECDSA signature */ | 884 /* This also works for an ECDSA signature */ |
855 rv = DSAU_EncodeDerSigWithLen(&derSig, buf, buf->len); | 885 rv = DSAU_EncodeDerSigWithLen(&derSig, buf, buf->len); |
856 if (rv == SECSuccess) { | 886 if (rv == SECSuccess) { |
857 PORT_Free(buf->data); /* discard unencoded signature. */ | 887 PORT_Free(buf->data); /* discard unencoded signature. */ |
858 *buf = derSig; /* give caller encoded signature. */ | 888 *buf = derSig; /* give caller encoded signature. */ |
(...skipping 13 matching lines...) Expand all Loading... |
872 | 902 |
873 /* Called from ssl3_HandleServerKeyExchange, ssl3_HandleCertificateVerify */ | 903 /* Called from ssl3_HandleServerKeyExchange, ssl3_HandleCertificateVerify */ |
874 SECStatus | 904 SECStatus |
875 ssl3_VerifySignedHashes(SSL3Hashes *hash, CERTCertificate *cert, | 905 ssl3_VerifySignedHashes(SSL3Hashes *hash, CERTCertificate *cert, |
876 SECItem *buf, PRBool isTLS, void *pwArg) | 906 SECItem *buf, PRBool isTLS, void *pwArg) |
877 { | 907 { |
878 SECKEYPublicKey * key; | 908 SECKEYPublicKey * key; |
879 SECItem * signature = NULL; | 909 SECItem * signature = NULL; |
880 SECStatus rv; | 910 SECStatus rv; |
881 SECItem hashItem; | 911 SECItem hashItem; |
882 #ifdef NSS_ENABLE_ECC | 912 SECOidTag encAlg; |
883 unsigned int len; | 913 SECOidTag hashAlg; |
884 #endif /* NSS_ENABLE_ECC */ | |
885 | 914 |
886 | 915 |
887 PRINT_BUF(60, (NULL, "check signed hashes", | 916 PRINT_BUF(60, (NULL, "check signed hashes", |
888 buf->data, buf->len)); | 917 buf->data, buf->len)); |
889 | 918 |
890 key = CERT_ExtractPublicKey(cert); | 919 key = CERT_ExtractPublicKey(cert); |
891 if (key == NULL) { | 920 if (key == NULL) { |
892 ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); | 921 ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); |
893 return SECFailure; | 922 return SECFailure; |
894 } | 923 } |
895 | 924 |
| 925 hashAlg = hash->hashAlg; |
896 switch (key->keyType) { | 926 switch (key->keyType) { |
897 case rsaKey: | 927 case rsaKey: |
898 » hashItem.data = hash->md5; | 928 » encAlg = SEC_OID_PKCS1_RSA_ENCRYPTION; |
899 » hashItem.len = sizeof(SSL3Hashes); | 929 » hashItem.data = hash->u.raw; |
| 930 » hashItem.len = hash->len; |
900 break; | 931 break; |
901 case dsaKey: | 932 case dsaKey: |
902 » hashItem.data = hash->sha; | 933 » encAlg = SEC_OID_ANSIX9_DSA_SIGNATURE; |
903 » hashItem.len = sizeof(hash->sha); | 934 » /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash. |
| 935 » * In that case, we use just the SHA1 part. */ |
| 936 » if (hash->hashAlg == SEC_OID_UNKNOWN) { |
| 937 » hashItem.data = hash->u.s.sha; |
| 938 » hashItem.len = sizeof(hash->u.s.sha); |
| 939 » } else { |
| 940 » hashItem.data = hash->u.raw; |
| 941 » hashItem.len = hash->len; |
| 942 » } |
904 /* Allow DER encoded DSA signatures in SSL 3.0 */ | 943 /* Allow DER encoded DSA signatures in SSL 3.0 */ |
905 if (isTLS || buf->len != SECKEY_SignatureLen(key)) { | 944 if (isTLS || buf->len != SECKEY_SignatureLen(key)) { |
906 signature = DSAU_DecodeDerSig(buf); | 945 signature = DSAU_DecodeDerSig(buf); |
907 if (!signature) { | 946 if (!signature) { |
908 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); | 947 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); |
909 return SECFailure; | 948 return SECFailure; |
910 } | 949 } |
911 buf = signature; | 950 buf = signature; |
912 } | 951 } |
913 break; | 952 break; |
914 | 953 |
915 #ifdef NSS_ENABLE_ECC | 954 #ifdef NSS_ENABLE_ECC |
916 case ecKey: | 955 case ecKey: |
917 » hashItem.data = hash->sha; | 956 » encAlg = SEC_OID_ANSIX962_EC_PUBLIC_KEY; |
918 » hashItem.len = sizeof(hash->sha); | 957 » /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash. |
919 » /* | 958 » * In that case, we use just the SHA1 part. |
920 » * ECDSA signatures always encode the integers r and s | 959 » * ECDSA signatures always encode the integers r and s using ASN.1 |
921 » * using ASN (unlike DSA where ASN encoding is used | 960 » * (unlike DSA where ASN.1 encoding is used with TLS but not with |
922 » * with TLS but not with SSL3) | 961 » * SSL3). So we can use VFY_VerifyDigestDirect for ECDSA. |
923 */ | 962 */ |
924 » len = SECKEY_SignatureLen(key); | 963 » if (hash->hashAlg == SEC_OID_UNKNOWN) { |
925 » if (len == 0) { | 964 » hashAlg = SEC_OID_SHA1; |
926 » SECKEY_DestroyPublicKey(key); | 965 » hashItem.data = hash->u.s.sha; |
927 » PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); | 966 » hashItem.len = sizeof(hash->u.s.sha); |
928 » return SECFailure; | 967 » } else { |
| 968 » hashItem.data = hash->u.raw; |
| 969 » hashItem.len = hash->len; |
929 } | 970 } |
930 signature = DSAU_DecodeDerSigToLen(buf, len); | |
931 if (!signature) { | |
932 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); | |
933 return SECFailure; | |
934 } | |
935 buf = signature; | |
936 break; | 971 break; |
937 #endif /* NSS_ENABLE_ECC */ | 972 #endif /* NSS_ENABLE_ECC */ |
938 | 973 |
939 default: | 974 default: |
940 SECKEY_DestroyPublicKey(key); | 975 SECKEY_DestroyPublicKey(key); |
941 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); | 976 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); |
942 return SECFailure; | 977 return SECFailure; |
943 } | 978 } |
944 | 979 |
945 PRINT_BUF(60, (NULL, "hash(es) to be verified", | 980 PRINT_BUF(60, (NULL, "hash(es) to be verified", |
946 hashItem.data, hashItem.len)); | 981 hashItem.data, hashItem.len)); |
947 | 982 |
948 rv = PK11_Verify(key, buf, &hashItem, pwArg); | 983 if (hashAlg == SEC_OID_UNKNOWN || key->keyType == dsaKey) { |
| 984 » /* VFY_VerifyDigestDirect requires DSA signatures to be DER-encoded. |
| 985 » * DSA signatures are DER-encoded in TLS but not in SSL3 and the code |
| 986 » * above always removes the DER encoding of DSA signatures when |
| 987 » * present. Thus DSA signatures are always verified with PK11_Verify. |
| 988 » */ |
| 989 » rv = PK11_Verify(key, buf, &hashItem, pwArg); |
| 990 } else { |
| 991 » rv = VFY_VerifyDigestDirect(&hashItem, key, buf, encAlg, hashAlg, |
| 992 » » » » pwArg); |
| 993 } |
949 SECKEY_DestroyPublicKey(key); | 994 SECKEY_DestroyPublicKey(key); |
950 if (signature) { | 995 if (signature) { |
951 SECITEM_FreeItem(signature, PR_TRUE); | 996 SECITEM_FreeItem(signature, PR_TRUE); |
952 } | 997 } |
953 if (rv != SECSuccess) { | 998 if (rv != SECSuccess) { |
954 ssl_MapLowLevelError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); | 999 ssl_MapLowLevelError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); |
955 } | 1000 } |
956 return rv; | 1001 return rv; |
957 } | 1002 } |
958 | 1003 |
959 | 1004 |
960 /* Caller must set hiLevel error code. */ | 1005 /* Caller must set hiLevel error code. */ |
961 /* Called from ssl3_ComputeExportRSAKeyHash | 1006 /* Called from ssl3_ComputeExportRSAKeyHash |
962 * ssl3_ComputeDHKeyHash | 1007 * ssl3_ComputeDHKeyHash |
963 * which are called from ssl3_HandleServerKeyExchange. | 1008 * which are called from ssl3_HandleServerKeyExchange. |
| 1009 * |
| 1010 * hashAlg: either the OID for a hash algorithm or SEC_OID_UNKNOWN to specify |
| 1011 * the pre-1.2, MD5/SHA1 combination hash. |
964 */ | 1012 */ |
965 SECStatus | 1013 SECStatus |
966 ssl3_ComputeCommonKeyHash(PRUint8 * hashBuf, unsigned int bufLen, | 1014 ssl3_ComputeCommonKeyHash(SECOidTag hashAlg, |
967 » » » SSL3Hashes *hashes, PRBool bypassPKCS11) | 1015 » » » PRUint8 * hashBuf, unsigned int bufLen, |
| 1016 » » » SSL3Hashes *hashes, PRBool bypassPKCS11) |
968 { | 1017 { |
969 SECStatus rv = SECSuccess; | 1018 SECStatus rv = SECSuccess; |
970 | 1019 |
971 #ifndef NO_PKCS11_BYPASS | 1020 #ifndef NO_PKCS11_BYPASS |
972 if (bypassPKCS11) { | 1021 if (bypassPKCS11) { |
973 » MD5_HashBuf (hashes->md5, hashBuf, bufLen); | 1022 » if (hashAlg == SEC_OID_UNKNOWN) { |
974 » SHA1_HashBuf(hashes->sha, hashBuf, bufLen); | 1023 » MD5_HashBuf (hashes->u.s.md5, hashBuf, bufLen); |
| 1024 » SHA1_HashBuf(hashes->u.s.sha, hashBuf, bufLen); |
| 1025 » hashes->len = MD5_LENGTH + SHA1_LENGTH; |
| 1026 » } else if (hashAlg == SEC_OID_SHA1) { |
| 1027 » SHA1_HashBuf(hashes->u.raw, hashBuf, bufLen); |
| 1028 » hashes->len = SHA1_LENGTH; |
| 1029 » } else if (hashAlg == SEC_OID_SHA256) { |
| 1030 » SHA256_HashBuf(hashes->u.raw, hashBuf, bufLen); |
| 1031 » hashes->len = SHA256_LENGTH; |
| 1032 » } else if (hashAlg == SEC_OID_SHA384) { |
| 1033 » SHA384_HashBuf(hashes->u.raw, hashBuf, bufLen); |
| 1034 » hashes->len = SHA384_LENGTH; |
| 1035 » } else { |
| 1036 » PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); |
| 1037 » return SECFailure; |
| 1038 » } |
975 } else | 1039 } else |
976 #endif | 1040 #endif |
977 { | 1041 { |
978 » rv = PK11_HashBuf(SEC_OID_MD5, hashes->md5, hashBuf, bufLen); | 1042 » if (hashAlg == SEC_OID_UNKNOWN) { |
979 » if (rv != SECSuccess) { | 1043 » rv = PK11_HashBuf(SEC_OID_MD5, hashes->u.s.md5, hashBuf, bufLen); |
980 » ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); | 1044 » if (rv != SECSuccess) { |
981 » rv = SECFailure; | 1045 » » ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); |
982 » goto done; | 1046 » » rv = SECFailure; |
983 » } | 1047 » » goto done; |
| 1048 » } |
984 | 1049 |
985 » rv = PK11_HashBuf(SEC_OID_SHA1, hashes->sha, hashBuf, bufLen); | 1050 » rv = PK11_HashBuf(SEC_OID_SHA1, hashes->u.s.sha, hashBuf, bufLen); |
986 » if (rv != SECSuccess) { | 1051 » if (rv != SECSuccess) { |
987 » ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | 1052 » » ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
988 » rv = SECFailure; | 1053 » » rv = SECFailure; |
| 1054 » } |
| 1055 » hashes->len = MD5_LENGTH + SHA1_LENGTH; |
| 1056 » } else { |
| 1057 » hashes->len = HASH_ResultLenByOidTag(hashAlg); |
| 1058 » if (hashes->len > sizeof(hashes->u.raw)) { |
| 1059 » » ssl_MapLowLevelError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); |
| 1060 » » rv = SECFailure; |
| 1061 » » goto done; |
| 1062 » } |
| 1063 » rv = PK11_HashBuf(hashAlg, hashes->u.raw, hashBuf, bufLen); |
| 1064 » if (rv != SECSuccess) { |
| 1065 » » ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
| 1066 » » rv = SECFailure; |
| 1067 » } |
989 } | 1068 } |
990 } | 1069 } |
| 1070 hashes->hashAlg = hashAlg; |
| 1071 |
991 done: | 1072 done: |
992 return rv; | 1073 return rv; |
993 } | 1074 } |
994 | 1075 |
995 /* Caller must set hiLevel error code. | 1076 /* Caller must set hiLevel error code. |
996 ** Called from ssl3_SendServerKeyExchange and | 1077 ** Called from ssl3_SendServerKeyExchange and |
997 ** ssl3_HandleServerKeyExchange. | 1078 ** ssl3_HandleServerKeyExchange. |
998 */ | 1079 */ |
999 static SECStatus | 1080 static SECStatus |
1000 ssl3_ComputeExportRSAKeyHash(SECItem modulus, SECItem publicExponent, | 1081 ssl3_ComputeExportRSAKeyHash(SECOidTag hashAlg, |
| 1082 » » » SECItem modulus, SECItem publicExponent, |
1001 SSL3Random *client_rand, SSL3Random *server_rand, | 1083 SSL3Random *client_rand, SSL3Random *server_rand, |
1002 SSL3Hashes *hashes, PRBool bypassPKCS11) | 1084 SSL3Hashes *hashes, PRBool bypassPKCS11) |
1003 { | 1085 { |
1004 PRUint8 * hashBuf; | 1086 PRUint8 * hashBuf; |
1005 PRUint8 * pBuf; | 1087 PRUint8 * pBuf; |
1006 SECStatus rv = SECSuccess; | 1088 SECStatus rv = SECSuccess; |
1007 unsigned int bufLen; | 1089 unsigned int bufLen; |
1008 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8]; | 1090 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8]; |
1009 | 1091 |
1010 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + modulus.len + 2 + publicExponent.len; | 1092 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + modulus.len + 2 + publicExponent.len; |
(...skipping 15 matching lines...) Expand all Loading... |
1026 pBuf += 2; | 1108 pBuf += 2; |
1027 memcpy(pBuf, modulus.data, modulus.len); | 1109 memcpy(pBuf, modulus.data, modulus.len); |
1028 pBuf += modulus.len; | 1110 pBuf += modulus.len; |
1029 pBuf[0] = (PRUint8)(publicExponent.len >> 8); | 1111 pBuf[0] = (PRUint8)(publicExponent.len >> 8); |
1030 pBuf[1] = (PRUint8)(publicExponent.len); | 1112 pBuf[1] = (PRUint8)(publicExponent.len); |
1031 pBuf += 2; | 1113 pBuf += 2; |
1032 memcpy(pBuf, publicExponent.data, publicExponent.len); | 1114 memcpy(pBuf, publicExponent.data, publicExponent.len); |
1033 pBuf += publicExponent.len; | 1115 pBuf += publicExponent.len; |
1034 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen); | 1116 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen); |
1035 | 1117 |
1036 rv = ssl3_ComputeCommonKeyHash(hashBuf, bufLen, hashes, bypassPKCS11); | 1118 rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes, |
| 1119 » » » » bypassPKCS11); |
1037 | 1120 |
1038 PRINT_BUF(95, (NULL, "RSAkey hash: ", hashBuf, bufLen)); | 1121 PRINT_BUF(95, (NULL, "RSAkey hash: ", hashBuf, bufLen)); |
1039 PRINT_BUF(95, (NULL, "RSAkey hash: MD5 result", hashes->md5, MD5_LENGTH)); | 1122 if (hashAlg == SEC_OID_UNKNOWN) { |
1040 PRINT_BUF(95, (NULL, "RSAkey hash: SHA1 result", hashes->sha, SHA1_LENGTH)); | 1123 » PRINT_BUF(95, (NULL, "RSAkey hash: MD5 result", |
| 1124 » » hashes->u.s.md5, MD5_LENGTH)); |
| 1125 » PRINT_BUF(95, (NULL, "RSAkey hash: SHA1 result", |
| 1126 » » hashes->u.s.sha, SHA1_LENGTH)); |
| 1127 } else { |
| 1128 » PRINT_BUF(95, (NULL, "RSAkey hash: result", |
| 1129 » » hashes->u.raw, hashes->len)); |
| 1130 } |
1041 | 1131 |
1042 if (hashBuf != buf && hashBuf != NULL) | 1132 if (hashBuf != buf && hashBuf != NULL) |
1043 PORT_Free(hashBuf); | 1133 PORT_Free(hashBuf); |
1044 return rv; | 1134 return rv; |
1045 } | 1135 } |
1046 | 1136 |
1047 /* Caller must set hiLevel error code. */ | 1137 /* Caller must set hiLevel error code. */ |
1048 /* Called from ssl3_HandleServerKeyExchange. */ | 1138 /* Called from ssl3_HandleServerKeyExchange. */ |
1049 static SECStatus | 1139 static SECStatus |
1050 ssl3_ComputeDHKeyHash(SECItem dh_p, SECItem dh_g, SECItem dh_Ys, | 1140 ssl3_ComputeDHKeyHash(SECOidTag hashAlg, |
1051 » » » SSL3Random *client_rand, SSL3Random *server_rand, | 1141 » » SECItem dh_p, SECItem dh_g, SECItem dh_Ys, |
1052 » » » SSL3Hashes *hashes, PRBool bypassPKCS11) | 1142 » » SSL3Random *client_rand, SSL3Random *server_rand, |
| 1143 » » SSL3Hashes *hashes, PRBool bypassPKCS11) |
1053 { | 1144 { |
1054 PRUint8 * hashBuf; | 1145 PRUint8 * hashBuf; |
1055 PRUint8 * pBuf; | 1146 PRUint8 * pBuf; |
1056 SECStatus rv = SECSuccess; | 1147 SECStatus rv = SECSuccess; |
1057 unsigned int bufLen; | 1148 unsigned int bufLen; |
1058 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8]; | 1149 PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8]; |
1059 | 1150 |
1060 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + dh_p.len + 2 + dh_g.len + 2 + dh_Ys.len; | 1151 bufLen = 2*SSL3_RANDOM_LENGTH + 2 + dh_p.len + 2 + dh_g.len + 2 + dh_Ys.len; |
1061 if (bufLen <= sizeof buf) { | 1152 if (bufLen <= sizeof buf) { |
1062 hashBuf = buf; | 1153 hashBuf = buf; |
(...skipping 18 matching lines...) Expand all Loading... |
1081 pBuf += 2; | 1172 pBuf += 2; |
1082 memcpy(pBuf, dh_g.data, dh_g.len); | 1173 memcpy(pBuf, dh_g.data, dh_g.len); |
1083 pBuf += dh_g.len; | 1174 pBuf += dh_g.len; |
1084 pBuf[0] = (PRUint8)(dh_Ys.len >> 8); | 1175 pBuf[0] = (PRUint8)(dh_Ys.len >> 8); |
1085 pBuf[1] = (PRUint8)(dh_Ys.len); | 1176 pBuf[1] = (PRUint8)(dh_Ys.len); |
1086 pBuf += 2; | 1177 pBuf += 2; |
1087 memcpy(pBuf, dh_Ys.data, dh_Ys.len); | 1178 memcpy(pBuf, dh_Ys.data, dh_Ys.len); |
1088 pBuf += dh_Ys.len; | 1179 pBuf += dh_Ys.len; |
1089 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen); | 1180 PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen); |
1090 | 1181 |
1091 rv = ssl3_ComputeCommonKeyHash(hashBuf, bufLen, hashes, bypassPKCS11); | 1182 rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes, |
| 1183 » » » » bypassPKCS11); |
1092 | 1184 |
1093 PRINT_BUF(95, (NULL, "DHkey hash: ", hashBuf, bufLen)); | 1185 PRINT_BUF(95, (NULL, "DHkey hash: ", hashBuf, bufLen)); |
1094 PRINT_BUF(95, (NULL, "DHkey hash: MD5 result", hashes->md5, MD5_LENGTH)); | 1186 if (hashAlg == SEC_OID_UNKNOWN) { |
1095 PRINT_BUF(95, (NULL, "DHkey hash: SHA1 result", hashes->sha, SHA1_LENGTH)); | 1187 » PRINT_BUF(95, (NULL, "DHkey hash: MD5 result", |
| 1188 » » hashes->u.s.md5, MD5_LENGTH)); |
| 1189 » PRINT_BUF(95, (NULL, "DHkey hash: SHA1 result", |
| 1190 » » hashes->u.s.sha, SHA1_LENGTH)); |
| 1191 } else { |
| 1192 » PRINT_BUF(95, (NULL, "DHkey hash: result", |
| 1193 » » hashes->u.raw, hashes->len)); |
| 1194 } |
1096 | 1195 |
1097 if (hashBuf != buf && hashBuf != NULL) | 1196 if (hashBuf != buf && hashBuf != NULL) |
1098 PORT_Free(hashBuf); | 1197 PORT_Free(hashBuf); |
1099 return rv; | 1198 return rv; |
1100 } | 1199 } |
1101 | 1200 |
1102 static void | 1201 static void |
1103 ssl3_BumpSequenceNumber(SSL3SequenceNumber *num) | 1202 ssl3_BumpSequenceNumber(SSL3SequenceNumber *num) |
1104 { | 1203 { |
1105 num->low++; | 1204 num->low++; |
(...skipping 2077 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3183 */ | 3282 */ |
3184 static SECStatus | 3283 static SECStatus |
3185 ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms) | 3284 ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms) |
3186 { | 3285 { |
3187 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec; | 3286 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec; |
3188 const ssl3KEADef *kea_def= ss->ssl3.hs.kea_def; | 3287 const ssl3KEADef *kea_def= ss->ssl3.hs.kea_def; |
3189 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random; | 3288 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random; |
3190 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random; | 3289 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random; |
3191 PRBool isTLS = (PRBool)(kea_def->tls_keygen || | 3290 PRBool isTLS = (PRBool)(kea_def->tls_keygen || |
3192 (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); | 3291 (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); |
| 3292 PRBool isTLS12= |
| 3293 (PRBool)(isTLS && pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); |
3193 /* | 3294 /* |
3194 * Whenever isDH is true, we need to use CKM_TLS_MASTER_KEY_DERIVE_DH | 3295 * Whenever isDH is true, we need to use CKM_TLS_MASTER_KEY_DERIVE_DH |
3195 * which, unlike CKM_TLS_MASTER_KEY_DERIVE, converts arbitrary size | 3296 * which, unlike CKM_TLS_MASTER_KEY_DERIVE, converts arbitrary size |
3196 * data into a 48-byte value. | 3297 * data into a 48-byte value. |
3197 */ | 3298 */ |
3198 PRBool isDH = (PRBool) ((ss->ssl3.hs.kea_def->exchKeyType == kt_dh) || | 3299 PRBool isDH = (PRBool) ((ss->ssl3.hs.kea_def->exchKeyType == kt_dh) || |
3199 (ss->ssl3.hs.kea_def->exchKeyType == kt_ecdh)); | 3300 (ss->ssl3.hs.kea_def->exchKeyType == kt_ecdh)); |
3200 SECStatus rv = SECFailure; | 3301 SECStatus rv = SECFailure; |
3201 CK_MECHANISM_TYPE master_derive; | 3302 CK_MECHANISM_TYPE master_derive; |
3202 CK_MECHANISM_TYPE key_derive; | 3303 CK_MECHANISM_TYPE key_derive; |
3203 SECItem params; | 3304 SECItem params; |
3204 CK_FLAGS keyFlags; | 3305 CK_FLAGS keyFlags; |
3205 CK_VERSION pms_version; | 3306 CK_VERSION pms_version; |
3206 CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params; | 3307 CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params; |
3207 | 3308 |
3208 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 3309 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
3209 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); | 3310 PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); |
3210 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); | 3311 PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec); |
3211 if (isTLS) { | 3312 if (isTLS12) { |
| 3313 » if(isDH) master_derive = CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256; |
| 3314 » else master_derive = CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256; |
| 3315 » key_derive = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256; |
| 3316 » keyFlags = CKF_SIGN | CKF_VERIFY; |
| 3317 } else if (isTLS) { |
3212 if(isDH) master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH; | 3318 if(isDH) master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH; |
3213 else master_derive = CKM_TLS_MASTER_KEY_DERIVE; | 3319 else master_derive = CKM_TLS_MASTER_KEY_DERIVE; |
3214 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; | 3320 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; |
3215 keyFlags = CKF_SIGN | CKF_VERIFY; | 3321 keyFlags = CKF_SIGN | CKF_VERIFY; |
3216 } else { | 3322 } else { |
3217 if (isDH) master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH; | 3323 if (isDH) master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH; |
3218 else master_derive = CKM_SSL3_MASTER_KEY_DERIVE; | 3324 else master_derive = CKM_SSL3_MASTER_KEY_DERIVE; |
3219 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE; | 3325 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE; |
3220 keyFlags = 0; | 3326 keyFlags = 0; |
3221 } | 3327 } |
(...skipping 137 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3359 */ | 3465 */ |
3360 static SECStatus | 3466 static SECStatus |
3361 ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss) | 3467 ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss) |
3362 { | 3468 { |
3363 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec; | 3469 ssl3CipherSpec * pwSpec = ss->ssl3.pwSpec; |
3364 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; | 3470 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; |
3365 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random; | 3471 unsigned char * cr = (unsigned char *)&ss->ssl3.hs.client_random; |
3366 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random; | 3472 unsigned char * sr = (unsigned char *)&ss->ssl3.hs.server_random; |
3367 PRBool isTLS = (PRBool)(kea_def->tls_keygen || | 3473 PRBool isTLS = (PRBool)(kea_def->tls_keygen || |
3368 (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); | 3474 (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); |
| 3475 PRBool isTLS12= |
| 3476 (PRBool)(isTLS && pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); |
3369 /* following variables used in PKCS11 path */ | 3477 /* following variables used in PKCS11 path */ |
3370 const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def; | 3478 const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def; |
3371 PK11SlotInfo * slot = NULL; | 3479 PK11SlotInfo * slot = NULL; |
3372 PK11SymKey * symKey = NULL; | 3480 PK11SymKey * symKey = NULL; |
3373 void * pwArg = ss->pkcs11PinArg; | 3481 void * pwArg = ss->pkcs11PinArg; |
3374 int keySize; | 3482 int keySize; |
3375 CK_SSL3_KEY_MAT_PARAMS key_material_params; | 3483 CK_SSL3_KEY_MAT_PARAMS key_material_params; |
3376 CK_SSL3_KEY_MAT_OUT returnedKeys; | 3484 CK_SSL3_KEY_MAT_OUT returnedKeys; |
3377 CK_MECHANISM_TYPE key_derive; | 3485 CK_MECHANISM_TYPE key_derive; |
3378 CK_MECHANISM_TYPE bulk_mechanism; | 3486 CK_MECHANISM_TYPE bulk_mechanism; |
(...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3416 returnedKeys.pIVServer = NULL; | 3524 returnedKeys.pIVServer = NULL; |
3417 } | 3525 } |
3418 | 3526 |
3419 calg = cipher_def->calg; | 3527 calg = cipher_def->calg; |
3420 PORT_Assert( alg2Mech[calg].calg == calg); | 3528 PORT_Assert( alg2Mech[calg].calg == calg); |
3421 bulk_mechanism = alg2Mech[calg].cmech; | 3529 bulk_mechanism = alg2Mech[calg].cmech; |
3422 | 3530 |
3423 params.data = (unsigned char *)&key_material_params; | 3531 params.data = (unsigned char *)&key_material_params; |
3424 params.len = sizeof(key_material_params); | 3532 params.len = sizeof(key_material_params); |
3425 | 3533 |
3426 if (isTLS) { | 3534 if (isTLS12) { |
| 3535 » key_derive = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256; |
| 3536 } else if (isTLS) { |
3427 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; | 3537 key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; |
3428 } else { | 3538 } else { |
3429 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE; | 3539 key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE; |
3430 } | 3540 } |
3431 | 3541 |
3432 /* CKM_SSL3_KEY_AND_MAC_DERIVE is defined to set ENCRYPT, DECRYPT, and | 3542 /* CKM_SSL3_KEY_AND_MAC_DERIVE is defined to set ENCRYPT, DECRYPT, and |
3433 * DERIVE by DEFAULT */ | 3543 * DERIVE by DEFAULT */ |
3434 symKey = PK11_Derive(pwSpec->master_secret, key_derive, ¶ms, | 3544 symKey = PK11_Derive(pwSpec->master_secret, key_derive, ¶ms, |
3435 bulk_mechanism, CKA_ENCRYPT, keySize); | 3545 bulk_mechanism, CKA_ENCRYPT, keySize); |
3436 if (!symKey) { | 3546 if (!symKey) { |
(...skipping 36 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3473 PK11_FreeSymKey(symKey); | 3583 PK11_FreeSymKey(symKey); |
3474 return SECSuccess; | 3584 return SECSuccess; |
3475 | 3585 |
3476 | 3586 |
3477 loser: | 3587 loser: |
3478 if (symKey) PK11_FreeSymKey(symKey); | 3588 if (symKey) PK11_FreeSymKey(symKey); |
3479 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); | 3589 ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); |
3480 return SECFailure; | 3590 return SECFailure; |
3481 } | 3591 } |
3482 | 3592 |
| 3593 /* ssl3_InitTLS12HandshakeHash creates a handshake hash context for TLS 1.2, |
| 3594 * if needed, and hashes in any buffered messages in ss->ssl3.hs.messages. */ |
| 3595 static SECStatus |
| 3596 ssl3_InitTLS12HandshakeHash(sslSocket *ss) |
| 3597 { |
| 3598 if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2 && |
| 3599 ss->ssl3.hs.tls12_handshake_hash == NULL) { |
| 3600 /* If we ever support ciphersuites where the PRF hash isn't SHA-256 |
| 3601 * then this will need to be updated. */ |
| 3602 ss->ssl3.hs.tls12_handshake_hash = |
| 3603 PK11_CreateDigestContext(SEC_OID_SHA256); |
| 3604 if (!ss->ssl3.hs.tls12_handshake_hash || |
| 3605 PK11_DigestBegin(ss->ssl3.hs.tls12_handshake_hash) != SECSuccess) { |
| 3606 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
| 3607 return SECFailure; |
| 3608 } |
| 3609 } |
| 3610 |
| 3611 if (ss->ssl3.hs.tls12_handshake_hash && ss->ssl3.hs.messages.len > 0) { |
| 3612 if (PK11_DigestOp(ss->ssl3.hs.tls12_handshake_hash, |
| 3613 ss->ssl3.hs.messages.buf, |
| 3614 ss->ssl3.hs.messages.len) != SECSuccess) { |
| 3615 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
| 3616 return SECFailure; |
| 3617 } |
| 3618 } |
| 3619 |
| 3620 if (ss->ssl3.hs.messages.buf && !ss->opt.bypassPKCS11) { |
| 3621 PORT_Free(ss->ssl3.hs.messages.buf); |
| 3622 ss->ssl3.hs.messages.buf = NULL; |
| 3623 ss->ssl3.hs.messages.len = 0; |
| 3624 ss->ssl3.hs.messages.space = 0; |
| 3625 } |
| 3626 |
| 3627 return SECSuccess; |
| 3628 } |
| 3629 |
3483 static SECStatus | 3630 static SECStatus |
3484 ssl3_RestartHandshakeHashes(sslSocket *ss) | 3631 ssl3_RestartHandshakeHashes(sslSocket *ss) |
3485 { | 3632 { |
3486 SECStatus rv = SECSuccess; | 3633 SECStatus rv = SECSuccess; |
3487 | 3634 |
| 3635 ss->ssl3.hs.messages.len = 0; |
3488 #ifndef NO_PKCS11_BYPASS | 3636 #ifndef NO_PKCS11_BYPASS |
3489 if (ss->opt.bypassPKCS11) { | 3637 if (ss->opt.bypassPKCS11) { |
3490 ss->ssl3.hs.messages.len = 0; | |
3491 MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx); | 3638 MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx); |
3492 SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx); | 3639 SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx); |
3493 } else | 3640 } else |
3494 #endif | 3641 #endif |
3495 { | 3642 { |
| 3643 if (ss->ssl3.hs.tls12_handshake_hash) { |
| 3644 rv = PK11_DigestBegin(ss->ssl3.hs.tls12_handshake_hash); |
| 3645 if (rv != SECSuccess) { |
| 3646 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
| 3647 return rv; |
| 3648 } |
| 3649 } |
3496 rv = PK11_DigestBegin(ss->ssl3.hs.md5); | 3650 rv = PK11_DigestBegin(ss->ssl3.hs.md5); |
3497 if (rv != SECSuccess) { | 3651 if (rv != SECSuccess) { |
3498 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); | 3652 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); |
3499 return rv; | 3653 return rv; |
3500 } | 3654 } |
3501 rv = PK11_DigestBegin(ss->ssl3.hs.sha); | 3655 rv = PK11_DigestBegin(ss->ssl3.hs.sha); |
3502 if (rv != SECSuccess) { | 3656 if (rv != SECSuccess) { |
3503 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | 3657 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
3504 return rv; | 3658 return rv; |
3505 } | 3659 } |
3506 } | 3660 } |
3507 return rv; | 3661 return rv; |
3508 } | 3662 } |
3509 | 3663 |
3510 static SECStatus | 3664 static SECStatus |
3511 ssl3_NewHandshakeHashes(sslSocket *ss) | 3665 ssl3_NewHandshakeHashes(sslSocket *ss) |
3512 { | 3666 { |
3513 PK11Context *md5 = NULL; | 3667 PK11Context *md5 = NULL; |
3514 PK11Context *sha = NULL; | 3668 PK11Context *sha = NULL; |
3515 | 3669 |
3516 /* | 3670 /* |
3517 * note: We should probably lookup an SSL3 slot for these | 3671 * note: We should probably lookup an SSL3 slot for these |
3518 * handshake hashes in hopes that we wind up with the same slots | 3672 * handshake hashes in hopes that we wind up with the same slots |
3519 * that the master secret will wind up in ... | 3673 * that the master secret will wind up in ... |
3520 */ | 3674 */ |
3521 SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd)); | 3675 SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd)); |
3522 #ifndef NO_PKCS11_BYPASS | 3676 PORT_Assert(!ss->ssl3.hs.messages.buf && !ss->ssl3.hs.messages.space); |
3523 if (ss->opt.bypassPKCS11) { | 3677 ss->ssl3.hs.messages.buf = NULL; |
3524 » PORT_Assert(!ss->ssl3.hs.messages.buf && !ss->ssl3.hs.messages.space); | 3678 ss->ssl3.hs.messages.space = 0; |
3525 » ss->ssl3.hs.messages.buf = NULL; | 3679 |
3526 » ss->ssl3.hs.messages.space = 0; | 3680 ss->ssl3.hs.md5 = md5 = PK11_CreateDigestContext(SEC_OID_MD5); |
3527 } else | 3681 ss->ssl3.hs.sha = sha = PK11_CreateDigestContext(SEC_OID_SHA1); |
3528 #endif | 3682 ss->ssl3.hs.tls12_handshake_hash = NULL; |
3529 { | 3683 if (md5 == NULL) { |
3530 » ss->ssl3.hs.md5 = md5 = PK11_CreateDigestContext(SEC_OID_MD5); | 3684 » ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); |
3531 » ss->ssl3.hs.sha = sha = PK11_CreateDigestContext(SEC_OID_SHA1); | 3685 » goto loser; |
3532 » if (md5 == NULL) { | 3686 } |
3533 » ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); | 3687 if (sha == NULL) { |
3534 » goto loser; | 3688 » ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
3535 » } | 3689 » goto loser; |
3536 » if (sha == NULL) { | |
3537 » ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | |
3538 » goto loser; | |
3539 » } | |
3540 } | 3690 } |
3541 if (SECSuccess == ssl3_RestartHandshakeHashes(ss)) { | 3691 if (SECSuccess == ssl3_RestartHandshakeHashes(ss)) { |
3542 return SECSuccess; | 3692 return SECSuccess; |
3543 } | 3693 } |
3544 | 3694 |
3545 loser: | 3695 loser: |
3546 if (md5 != NULL) { | 3696 if (md5 != NULL) { |
3547 PK11_DestroyContext(md5, PR_TRUE); | 3697 PK11_DestroyContext(md5, PR_TRUE); |
3548 ss->ssl3.hs.md5 = NULL; | 3698 ss->ssl3.hs.md5 = NULL; |
3549 } | 3699 } |
(...skipping 17 matching lines...) Expand all Loading... |
3567 static SECStatus | 3717 static SECStatus |
3568 ssl3_UpdateHandshakeHashes(sslSocket *ss, const unsigned char *b, | 3718 ssl3_UpdateHandshakeHashes(sslSocket *ss, const unsigned char *b, |
3569 unsigned int l) | 3719 unsigned int l) |
3570 { | 3720 { |
3571 SECStatus rv = SECSuccess; | 3721 SECStatus rv = SECSuccess; |
3572 | 3722 |
3573 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 3723 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
3574 | 3724 |
3575 PRINT_BUF(90, (NULL, "MD5 & SHA handshake hash input:", b, l)); | 3725 PRINT_BUF(90, (NULL, "MD5 & SHA handshake hash input:", b, l)); |
3576 | 3726 |
| 3727 if ((ss->version == 0 || ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) && |
| 3728 !ss->opt.bypassPKCS11 && |
| 3729 ss->ssl3.hs.tls12_handshake_hash == NULL) { |
| 3730 /* For TLS 1.2 connections we need to buffer the handshake messages |
| 3731 * until we have established which PRF hash function to use. */ |
| 3732 rv = sslBuffer_Append(&ss->ssl3.hs.messages, b, l); |
| 3733 if (rv != SECSuccess) { |
| 3734 return rv; |
| 3735 } |
| 3736 } |
| 3737 |
3577 #ifndef NO_PKCS11_BYPASS | 3738 #ifndef NO_PKCS11_BYPASS |
3578 if (ss->opt.bypassPKCS11) { | 3739 if (ss->opt.bypassPKCS11) { |
3579 MD5_Update((MD5Context *)ss->ssl3.hs.md5_cx, b, l); | 3740 MD5_Update((MD5Context *)ss->ssl3.hs.md5_cx, b, l); |
3580 SHA1_Update((SHA1Context *)ss->ssl3.hs.sha_cx, b, l); | 3741 SHA1_Update((SHA1Context *)ss->ssl3.hs.sha_cx, b, l); |
3581 #if defined(NSS_SURVIVE_DOUBLE_BYPASS_FAILURE) | 3742 #if defined(NSS_SURVIVE_DOUBLE_BYPASS_FAILURE) |
3582 rv = sslBuffer_Append(&ss->ssl3.hs.messages, b, l); | 3743 rv = sslBuffer_Append(&ss->ssl3.hs.messages, b, l); |
3583 #endif | 3744 #endif |
3584 return rv; | 3745 return rv; |
3585 } | 3746 } |
3586 #endif | 3747 #endif |
3587 rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l); | 3748 if (ss->ssl3.hs.tls12_handshake_hash) { |
3588 if (rv != SECSuccess) { | 3749 » rv = PK11_DigestOp(ss->ssl3.hs.tls12_handshake_hash, b, l); |
3589 » ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); | 3750 » if (rv != SECSuccess) { |
3590 » return rv; | 3751 » ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
3591 } | 3752 » return rv; |
3592 rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l); | 3753 » } |
3593 if (rv != SECSuccess) { | 3754 } else { |
3594 » ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | 3755 » rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l); |
3595 » return rv; | 3756 » if (rv != SECSuccess) { |
| 3757 » ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); |
| 3758 » return rv; |
| 3759 » } |
| 3760 » rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l); |
| 3761 » if (rv != SECSuccess) { |
| 3762 » ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
| 3763 » return rv; |
| 3764 » } |
3596 } | 3765 } |
3597 return rv; | 3766 return rv; |
3598 } | 3767 } |
3599 | 3768 |
3600 /************************************************************************** | 3769 /************************************************************************** |
3601 * Append Handshake functions. | 3770 * Append Handshake functions. |
3602 * All these functions set appropriate error codes. | 3771 * All these functions set appropriate error codes. |
3603 * Most rely on ssl3_AppendHandshake to set the error code. | 3772 * Most rely on ssl3_AppendHandshake to set the error code. |
3604 **************************************************************************/ | 3773 **************************************************************************/ |
3605 SECStatus | 3774 SECStatus |
(...skipping 131 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3737 /* Fragment length -- set to the packet length because not fragmented */ | 3906 /* Fragment length -- set to the packet length because not fragmented */ |
3738 rv = ssl3_AppendHandshakeNumber(ss, length, 3); | 3907 rv = ssl3_AppendHandshakeNumber(ss, length, 3); |
3739 if (rv != SECSuccess) { | 3908 if (rv != SECSuccess) { |
3740 return rv; /* error code set by AppendHandshake, if applicable. */ | 3909 return rv; /* error code set by AppendHandshake, if applicable. */ |
3741 } | 3910 } |
3742 } | 3911 } |
3743 | 3912 |
3744 return rv; /* error code set by AppendHandshake, if applicable. */ | 3913 return rv; /* error code set by AppendHandshake, if applicable. */ |
3745 } | 3914 } |
3746 | 3915 |
| 3916 /* ssl3_AppendSignatureAndHashAlgorithm appends the serialisation of |
| 3917 * |sigAndHash| to the current handshake message. */ |
| 3918 SECStatus |
| 3919 ssl3_AppendSignatureAndHashAlgorithm( |
| 3920 sslSocket *ss, const SSL3SignatureAndHashAlgorithm* sigAndHash) |
| 3921 { |
| 3922 unsigned char serialized[2]; |
| 3923 |
| 3924 serialized[0] = ssl3_OIDToTLSHashAlgorithm(sigAndHash->hashAlg); |
| 3925 if (serialized[0] == 0) { |
| 3926 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); |
| 3927 return SECFailure; |
| 3928 } |
| 3929 |
| 3930 serialized[1] = sigAndHash->sigAlg; |
| 3931 |
| 3932 return ssl3_AppendHandshake(ss, serialized, sizeof(serialized)); |
| 3933 } |
| 3934 |
3747 /************************************************************************** | 3935 /************************************************************************** |
3748 * Consume Handshake functions. | 3936 * Consume Handshake functions. |
3749 * | 3937 * |
3750 * All data used in these functions is protected by two locks, | 3938 * All data used in these functions is protected by two locks, |
3751 * the RecvBufLock and the SSL3HandshakeLock | 3939 * the RecvBufLock and the SSL3HandshakeLock |
3752 **************************************************************************/ | 3940 **************************************************************************/ |
3753 | 3941 |
3754 /* Read up the next "bytes" number of bytes from the (decrypted) input | 3942 /* Read up the next "bytes" number of bytes from the (decrypted) input |
3755 * stream "b" (which is *length bytes long). Copy them into buffer "v". | 3943 * stream "b" (which is *length bytes long). Copy them into buffer "v". |
3756 * Reduces *length by bytes. Advances *b by bytes. | 3944 * Reduces *length by bytes. Advances *b by bytes. |
(...skipping 86 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3843 return ssl3_DecodeError(ss); | 4031 return ssl3_DecodeError(ss); |
3844 } | 4032 } |
3845 i->data = *b; | 4033 i->data = *b; |
3846 i->len = count; | 4034 i->len = count; |
3847 *b += count; | 4035 *b += count; |
3848 *length -= count; | 4036 *length -= count; |
3849 } | 4037 } |
3850 return SECSuccess; | 4038 return SECSuccess; |
3851 } | 4039 } |
3852 | 4040 |
| 4041 /* tlsHashOIDMap contains the mapping between TLS hash identifiers and the |
| 4042 * SECOidTag used internally by NSS. */ |
| 4043 static const struct { |
| 4044 int tlsHash; |
| 4045 SECOidTag oid; |
| 4046 } tlsHashOIDMap[] = { |
| 4047 { tls_hash_md5, SEC_OID_MD5 }, |
| 4048 { tls_hash_sha1, SEC_OID_SHA1 }, |
| 4049 { tls_hash_sha224, SEC_OID_SHA224 }, |
| 4050 { tls_hash_sha256, SEC_OID_SHA256 }, |
| 4051 { tls_hash_sha384, SEC_OID_SHA384 }, |
| 4052 { tls_hash_sha512, SEC_OID_SHA512 } |
| 4053 }; |
| 4054 |
| 4055 /* ssl3_TLSHashAlgorithmToOID converts a TLS hash identifier into an OID value. |
| 4056 * If the hash is not recognised, SEC_OID_UNKNOWN is returned. |
| 4057 * |
| 4058 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ |
| 4059 SECOidTag |
| 4060 ssl3_TLSHashAlgorithmToOID(int hashFunc) |
| 4061 { |
| 4062 unsigned int i; |
| 4063 |
| 4064 for (i = 0; i < PR_ARRAY_SIZE(tlsHashOIDMap); i++) { |
| 4065 if (hashFunc == tlsHashOIDMap[i].tlsHash) { |
| 4066 return tlsHashOIDMap[i].oid; |
| 4067 } |
| 4068 } |
| 4069 return SEC_OID_UNKNOWN; |
| 4070 } |
| 4071 |
| 4072 /* ssl3_OIDToTLSHashAlgorithm converts an OID to a TLS hash algorithm |
| 4073 * identifier. If the hash is not recognised, zero is returned. |
| 4074 * |
| 4075 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ |
| 4076 static int |
| 4077 ssl3_OIDToTLSHashAlgorithm(SECOidTag oid) |
| 4078 { |
| 4079 unsigned int i; |
| 4080 |
| 4081 for (i = 0; i < PR_ARRAY_SIZE(tlsHashOIDMap); i++) { |
| 4082 if (oid == tlsHashOIDMap[i].oid) { |
| 4083 return tlsHashOIDMap[i].tlsHash; |
| 4084 } |
| 4085 } |
| 4086 return 0; |
| 4087 } |
| 4088 |
| 4089 /* ssl3_TLSSignatureAlgorithmForKeyType returns the TLS 1.2 signature algorithm |
| 4090 * identifier for a given KeyType. */ |
| 4091 static SECStatus |
| 4092 ssl3_TLSSignatureAlgorithmForKeyType(KeyType keyType, |
| 4093 TLSSignatureAlgorithm *out) |
| 4094 { |
| 4095 switch (keyType) { |
| 4096 case rsaKey: |
| 4097 *out = tls_sig_rsa; |
| 4098 return SECSuccess; |
| 4099 case dsaKey: |
| 4100 *out = tls_sig_dsa; |
| 4101 return SECSuccess; |
| 4102 case ecKey: |
| 4103 *out = tls_sig_ecdsa; |
| 4104 return SECSuccess; |
| 4105 default: |
| 4106 PORT_SetError(SEC_ERROR_INVALID_KEY); |
| 4107 return SECFailure; |
| 4108 } |
| 4109 } |
| 4110 |
| 4111 /* ssl3_TLSSignatureAlgorithmForCertificate returns the TLS 1.2 signature |
| 4112 * algorithm identifier for the given certificate. */ |
| 4113 static SECStatus |
| 4114 ssl3_TLSSignatureAlgorithmForCertificate(CERTCertificate *cert, |
| 4115 TLSSignatureAlgorithm *out) |
| 4116 { |
| 4117 SECKEYPublicKey *key; |
| 4118 KeyType keyType; |
| 4119 |
| 4120 key = CERT_ExtractPublicKey(cert); |
| 4121 if (key == NULL) { |
| 4122 ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); |
| 4123 return SECFailure; |
| 4124 } |
| 4125 |
| 4126 keyType = key->keyType; |
| 4127 SECKEY_DestroyPublicKey(key); |
| 4128 return ssl3_TLSSignatureAlgorithmForKeyType(keyType, out); |
| 4129 } |
| 4130 |
| 4131 /* ssl3_CheckSignatureAndHashAlgorithmConsistency checks that the signature |
| 4132 * algorithm identifier in |sigAndHash| is consistent with the public key in |
| 4133 * |cert|. If so, SECSuccess is returned. Otherwise, PORT_SetError is called |
| 4134 * and SECFailure is returned. */ |
| 4135 SECStatus |
| 4136 ssl3_CheckSignatureAndHashAlgorithmConsistency( |
| 4137 const SSL3SignatureAndHashAlgorithm *sigAndHash, CERTCertificate* cert) |
| 4138 { |
| 4139 SECStatus rv; |
| 4140 TLSSignatureAlgorithm sigAlg; |
| 4141 |
| 4142 rv = ssl3_TLSSignatureAlgorithmForCertificate(cert, &sigAlg); |
| 4143 if (rv != SECSuccess) { |
| 4144 return rv; |
| 4145 } |
| 4146 if (sigAlg != sigAndHash->sigAlg) { |
| 4147 PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM); |
| 4148 return SECFailure; |
| 4149 } |
| 4150 return SECSuccess; |
| 4151 } |
| 4152 |
| 4153 /* ssl3_ConsumeSignatureAndHashAlgorithm reads a SignatureAndHashAlgorithm |
| 4154 * structure from |b| and puts the resulting value into |out|. |b| and |length| |
| 4155 * are updated accordingly. |
| 4156 * |
| 4157 * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ |
| 4158 SECStatus |
| 4159 ssl3_ConsumeSignatureAndHashAlgorithm(sslSocket *ss, |
| 4160 SSL3Opaque **b, |
| 4161 PRUint32 *length, |
| 4162 SSL3SignatureAndHashAlgorithm *out) |
| 4163 { |
| 4164 unsigned char bytes[2]; |
| 4165 SECStatus rv; |
| 4166 |
| 4167 rv = ssl3_ConsumeHandshake(ss, bytes, sizeof(bytes), b, length); |
| 4168 if (rv != SECSuccess) { |
| 4169 return rv; |
| 4170 } |
| 4171 |
| 4172 out->hashAlg = ssl3_TLSHashAlgorithmToOID(bytes[0]); |
| 4173 if (out->hashAlg == SEC_OID_UNKNOWN) { |
| 4174 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); |
| 4175 return SECFailure; |
| 4176 } |
| 4177 |
| 4178 out->sigAlg = bytes[1]; |
| 4179 return SECSuccess; |
| 4180 } |
| 4181 |
3853 /************************************************************************** | 4182 /************************************************************************** |
3854 * end of Consume Handshake functions. | 4183 * end of Consume Handshake functions. |
3855 **************************************************************************/ | 4184 **************************************************************************/ |
3856 | 4185 |
3857 /* Extract the hashes of handshake messages to this point. | 4186 /* Extract the hashes of handshake messages to this point. |
3858 * Called from ssl3_SendCertificateVerify | 4187 * Called from ssl3_SendCertificateVerify |
3859 * ssl3_SendFinished | 4188 * ssl3_SendFinished |
3860 * ssl3_HandleHandshakeMessage | 4189 * ssl3_HandleHandshakeMessage |
3861 * | 4190 * |
3862 * Caller must hold the SSL3HandshakeLock. | 4191 * Caller must hold the SSL3HandshakeLock. |
3863 * Caller must hold a read or write lock on the Spec R/W lock. | 4192 * Caller must hold a read or write lock on the Spec R/W lock. |
3864 * (There is presently no way to assert on a Read lock.) | 4193 * (There is presently no way to assert on a Read lock.) |
3865 */ | 4194 */ |
3866 static SECStatus | 4195 static SECStatus |
3867 ssl3_ComputeHandshakeHashes(sslSocket * ss, | 4196 ssl3_ComputeHandshakeHashes(sslSocket * ss, |
3868 ssl3CipherSpec *spec, /* uses ->master_secret */ | 4197 ssl3CipherSpec *spec, /* uses ->master_secret */ |
3869 SSL3Hashes * hashes, /* output goes here. */ | 4198 SSL3Hashes * hashes, /* output goes here. */ |
3870 PRUint32 sender) | 4199 PRUint32 sender) |
3871 { | 4200 { |
3872 SECStatus rv = SECSuccess; | 4201 SECStatus rv = SECSuccess; |
3873 PRBool isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0); | 4202 PRBool isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0); |
3874 unsigned int outLength; | 4203 unsigned int outLength; |
3875 SSL3Opaque md5_inner[MAX_MAC_LENGTH]; | 4204 SSL3Opaque md5_inner[MAX_MAC_LENGTH]; |
3876 SSL3Opaque sha_inner[MAX_MAC_LENGTH]; | 4205 SSL3Opaque sha_inner[MAX_MAC_LENGTH]; |
3877 | 4206 |
3878 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 4207 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
| 4208 hashes->hashAlg = SEC_OID_UNKNOWN; |
3879 | 4209 |
3880 #ifndef NO_PKCS11_BYPASS | 4210 #ifndef NO_PKCS11_BYPASS |
3881 if (ss->opt.bypassPKCS11) { | 4211 if (ss->opt.bypassPKCS11) { |
3882 /* compute them without PKCS11 */ | 4212 /* compute them without PKCS11 */ |
3883 PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS]; | 4213 PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS]; |
3884 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS]; | 4214 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS]; |
3885 | 4215 |
3886 #define md5cx ((MD5Context *)md5_cx) | 4216 #define md5cx ((MD5Context *)md5_cx) |
3887 #define shacx ((SHA1Context *)sha_cx) | 4217 #define shacx ((SHA1Context *)sha_cx) |
3888 | 4218 |
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3932 PRINT_BUF(95, (NULL, "SHA inner: result", sha_inner, outLength)); | 4262 PRINT_BUF(95, (NULL, "SHA inner: result", sha_inner, outLength)); |
3933 PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2, | 4263 PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2, |
3934 mac_defs[mac_md5].pad_size)); | 4264 mac_defs[mac_md5].pad_size)); |
3935 PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH))
; | 4265 PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH))
; |
3936 | 4266 |
3937 MD5_Begin(md5cx); | 4267 MD5_Begin(md5cx); |
3938 MD5_Update(md5cx, spec->msItem.data, spec->msItem.len); | 4268 MD5_Update(md5cx, spec->msItem.data, spec->msItem.len); |
3939 MD5_Update(md5cx, mac_pad_2, mac_defs[mac_md5].pad_size); | 4269 MD5_Update(md5cx, mac_pad_2, mac_defs[mac_md5].pad_size); |
3940 MD5_Update(md5cx, md5_inner, MD5_LENGTH); | 4270 MD5_Update(md5cx, md5_inner, MD5_LENGTH); |
3941 } | 4271 } |
3942 » MD5_End(md5cx, hashes->md5, &outLength, MD5_LENGTH); | 4272 » MD5_End(md5cx, hashes->u.s.md5, &outLength, MD5_LENGTH); |
3943 | 4273 |
3944 » PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->md5, MD5_LENGTH)); | 4274 » PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->u.s.md5, MD5_LENGTH)); |
3945 | 4275 |
3946 if (!isTLS) { | 4276 if (!isTLS) { |
3947 PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2, | 4277 PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2, |
3948 mac_defs[mac_sha].pad_size)); | 4278 mac_defs[mac_sha].pad_size)); |
3949 PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH)
); | 4279 PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH)
); |
3950 | 4280 |
3951 SHA1_Begin(shacx); | 4281 SHA1_Begin(shacx); |
3952 SHA1_Update(shacx, spec->msItem.data, spec->msItem.len); | 4282 SHA1_Update(shacx, spec->msItem.data, spec->msItem.len); |
3953 SHA1_Update(shacx, mac_pad_2, mac_defs[mac_sha].pad_size); | 4283 SHA1_Update(shacx, mac_pad_2, mac_defs[mac_sha].pad_size); |
3954 SHA1_Update(shacx, sha_inner, SHA1_LENGTH); | 4284 SHA1_Update(shacx, sha_inner, SHA1_LENGTH); |
3955 } | 4285 } |
3956 » SHA1_End(shacx, hashes->sha, &outLength, SHA1_LENGTH); | 4286 » SHA1_End(shacx, hashes->u.s.sha, &outLength, SHA1_LENGTH); |
3957 | 4287 |
3958 » PRINT_BUF(60, (NULL, "SHA outer: result", hashes->sha, SHA1_LENGTH)); | 4288 » PRINT_BUF(60, (NULL, "SHA outer: result", hashes->u.s.sha, SHA1_LENGTH))
; |
3959 | 4289 |
| 4290 hashes->len = MD5_LENGTH + SHA1_LENGTH; |
3960 rv = SECSuccess; | 4291 rv = SECSuccess; |
3961 #undef md5cx | 4292 #undef md5cx |
3962 #undef shacx | 4293 #undef shacx |
3963 } else | 4294 } else |
3964 #endif | 4295 #endif |
3965 { | 4296 if (ss->ssl3.hs.tls12_handshake_hash) { |
| 4297 » PK11Context *h; |
| 4298 » unsigned int stateLen; |
| 4299 » unsigned char stackBuf[1024]; |
| 4300 » unsigned char *stateBuf = NULL; |
| 4301 |
| 4302 » if (!spec->master_secret) { |
| 4303 » PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE); |
| 4304 » return SECFailure; |
| 4305 » } |
| 4306 |
| 4307 » h = ss->ssl3.hs.tls12_handshake_hash; |
| 4308 » stateBuf = PK11_SaveContextAlloc(h, stackBuf, |
| 4309 » » » » » sizeof(stackBuf), &stateLen); |
| 4310 » if (stateBuf == NULL) { |
| 4311 » ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
| 4312 » goto tls12_loser; |
| 4313 » } |
| 4314 » rv |= PK11_DigestFinal(h, hashes->u.raw, &hashes->len, |
| 4315 » » » sizeof(hashes->u.raw)); |
| 4316 » if (rv != SECSuccess) { |
| 4317 » ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
| 4318 » rv = SECFailure; |
| 4319 » goto tls12_loser; |
| 4320 » } |
| 4321 » /* If we ever support ciphersuites where the PRF hash isn't SHA-256 |
| 4322 » * then this will need to be updated. */ |
| 4323 » hashes->hashAlg = SEC_OID_SHA256; |
| 4324 » rv = SECSuccess; |
| 4325 |
| 4326 tls12_loser: |
| 4327 » if (stateBuf) { |
| 4328 » if (PK11_RestoreContext(ss->ssl3.hs.tls12_handshake_hash, stateBuf, |
| 4329 » » » » stateLen) != SECSuccess) { |
| 4330 » » ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
| 4331 » » rv = SECFailure; |
| 4332 » } |
| 4333 » if (stateBuf != stackBuf) { |
| 4334 » » PORT_ZFree(stateBuf, stateLen); |
| 4335 » } |
| 4336 » } |
| 4337 } else { |
3966 /* compute hases with PKCS11 */ | 4338 /* compute hases with PKCS11 */ |
3967 PK11Context * md5; | 4339 PK11Context * md5; |
3968 PK11Context * sha = NULL; | 4340 PK11Context * sha = NULL; |
3969 unsigned char *md5StateBuf = NULL; | 4341 unsigned char *md5StateBuf = NULL; |
3970 unsigned char *shaStateBuf = NULL; | 4342 unsigned char *shaStateBuf = NULL; |
3971 unsigned int md5StateLen, shaStateLen; | 4343 unsigned int md5StateLen, shaStateLen; |
3972 unsigned char md5StackBuf[256]; | 4344 unsigned char md5StackBuf[256]; |
3973 unsigned char shaStackBuf[512]; | 4345 unsigned char shaStackBuf[512]; |
3974 | 4346 |
3975 if (!spec->master_secret) { | 4347 if (!spec->master_secret) { |
(...skipping 68 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
4044 | 4416 |
4045 PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2, | 4417 PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2, |
4046 mac_defs[mac_md5].pad_size)); | 4418 mac_defs[mac_md5].pad_size)); |
4047 PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH))
; | 4419 PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH))
; |
4048 | 4420 |
4049 rv |= PK11_DigestBegin(md5); | 4421 rv |= PK11_DigestBegin(md5); |
4050 rv |= PK11_DigestKey(md5, spec->master_secret); | 4422 rv |= PK11_DigestKey(md5, spec->master_secret); |
4051 rv |= PK11_DigestOp(md5, mac_pad_2, mac_defs[mac_md5].pad_size); | 4423 rv |= PK11_DigestOp(md5, mac_pad_2, mac_defs[mac_md5].pad_size); |
4052 rv |= PK11_DigestOp(md5, md5_inner, MD5_LENGTH); | 4424 rv |= PK11_DigestOp(md5, md5_inner, MD5_LENGTH); |
4053 } | 4425 } |
4054 » rv |= PK11_DigestFinal(md5, hashes->md5, &outLength, MD5_LENGTH); | 4426 » rv |= PK11_DigestFinal(md5, hashes->u.s.md5, &outLength, MD5_LENGTH); |
4055 PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH); | 4427 PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH); |
4056 if (rv != SECSuccess) { | 4428 if (rv != SECSuccess) { |
4057 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); | 4429 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); |
4058 rv = SECFailure; | 4430 rv = SECFailure; |
4059 goto loser; | 4431 goto loser; |
4060 } | 4432 } |
4061 | 4433 |
4062 » PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->md5, MD5_LENGTH)); | 4434 » PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->u.s.md5, MD5_LENGTH)); |
4063 | 4435 |
4064 if (!isTLS) { | 4436 if (!isTLS) { |
4065 PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2, | 4437 PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2, |
4066 mac_defs[mac_sha].pad_size)); | 4438 mac_defs[mac_sha].pad_size)); |
4067 PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH)
); | 4439 PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH)
); |
4068 | 4440 |
4069 rv |= PK11_DigestBegin(sha); | 4441 rv |= PK11_DigestBegin(sha); |
4070 rv |= PK11_DigestKey(sha,spec->master_secret); | 4442 rv |= PK11_DigestKey(sha,spec->master_secret); |
4071 rv |= PK11_DigestOp(sha, mac_pad_2, mac_defs[mac_sha].pad_size); | 4443 rv |= PK11_DigestOp(sha, mac_pad_2, mac_defs[mac_sha].pad_size); |
4072 rv |= PK11_DigestOp(sha, sha_inner, SHA1_LENGTH); | 4444 rv |= PK11_DigestOp(sha, sha_inner, SHA1_LENGTH); |
4073 } | 4445 } |
4074 » rv |= PK11_DigestFinal(sha, hashes->sha, &outLength, SHA1_LENGTH); | 4446 » rv |= PK11_DigestFinal(sha, hashes->u.s.sha, &outLength, SHA1_LENGTH); |
4075 PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH); | 4447 PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH); |
4076 if (rv != SECSuccess) { | 4448 if (rv != SECSuccess) { |
4077 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); | 4449 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); |
4078 rv = SECFailure; | 4450 rv = SECFailure; |
4079 goto loser; | 4451 goto loser; |
4080 } | 4452 } |
4081 | 4453 |
4082 » PRINT_BUF(60, (NULL, "SHA outer: result", hashes->sha, SHA1_LENGTH)); | 4454 » PRINT_BUF(60, (NULL, "SHA outer: result", hashes->u.s.sha, SHA1_LENGTH))
; |
4083 | 4455 |
| 4456 hashes->len = MD5_LENGTH + SHA1_LENGTH; |
4084 rv = SECSuccess; | 4457 rv = SECSuccess; |
4085 | 4458 |
4086 loser: | 4459 loser: |
4087 if (md5StateBuf) { | 4460 if (md5StateBuf) { |
4088 if (PK11_RestoreContext(ss->ssl3.hs.md5, md5StateBuf, md5StateLen) | 4461 if (PK11_RestoreContext(ss->ssl3.hs.md5, md5StateBuf, md5StateLen) |
4089 != SECSuccess) | 4462 != SECSuccess) |
4090 { | 4463 { |
4091 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); | 4464 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); |
4092 rv = SECFailure; | 4465 rv = SECFailure; |
4093 } | 4466 } |
(...skipping 1242 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
5336 SECKEY_DestroyPublicKey(serverKey); | 5709 SECKEY_DestroyPublicKey(serverKey); |
5337 return rv; /* err code already set. */ | 5710 return rv; /* err code already set. */ |
5338 } | 5711 } |
5339 | 5712 |
5340 /* Called from ssl3_HandleServerHelloDone(). */ | 5713 /* Called from ssl3_HandleServerHelloDone(). */ |
5341 static SECStatus | 5714 static SECStatus |
5342 ssl3_SendCertificateVerify(sslSocket *ss) | 5715 ssl3_SendCertificateVerify(sslSocket *ss) |
5343 { | 5716 { |
5344 SECStatus rv = SECFailure; | 5717 SECStatus rv = SECFailure; |
5345 PRBool isTLS; | 5718 PRBool isTLS; |
| 5719 PRBool isTLS12; |
5346 SECItem buf = {siBuffer, NULL, 0}; | 5720 SECItem buf = {siBuffer, NULL, 0}; |
5347 SSL3Hashes hashes; | 5721 SSL3Hashes hashes; |
| 5722 KeyType keyType; |
| 5723 unsigned int len; |
| 5724 SSL3SignatureAndHashAlgorithm sigAndHash; |
5348 | 5725 |
5349 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); | 5726 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
5350 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 5727 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
5351 | 5728 |
5352 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake", | 5729 SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake", |
5353 SSL_GETPID(), ss->fd)); | 5730 SSL_GETPID(), ss->fd)); |
5354 | 5731 |
5355 ssl_GetSpecReadLock(ss); | 5732 ssl_GetSpecReadLock(ss); |
5356 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0); | 5733 rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0); |
5357 ssl_ReleaseSpecReadLock(ss); | 5734 ssl_ReleaseSpecReadLock(ss); |
5358 if (rv != SECSuccess) { | 5735 if (rv != SECSuccess) { |
5359 goto done; /* err code was set by ssl3_ComputeHandshakeHashes */ | 5736 goto done; /* err code was set by ssl3_ComputeHandshakeHashes */ |
5360 } | 5737 } |
5361 | 5738 |
5362 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); | 5739 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); |
| 5740 isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); |
5363 if (ss->ssl3.platformClientKey) { | 5741 if (ss->ssl3.platformClientKey) { |
5364 #ifdef NSS_PLATFORM_CLIENT_AUTH | 5742 #ifdef NSS_PLATFORM_CLIENT_AUTH |
| 5743 keyType = CERT_GetCertKeyType( |
| 5744 &ss->ssl3.clientCertificate->subjectPublicKeyInfo); |
5365 rv = ssl3_PlatformSignHashes( | 5745 rv = ssl3_PlatformSignHashes( |
5366 » &hashes, ss->ssl3.platformClientKey, &buf, isTLS, | 5746 » &hashes, ss->ssl3.platformClientKey, &buf, isTLS, keyType); |
5367 » CERT_GetCertKeyType( | |
5368 » » &ss->ssl3.clientCertificate->subjectPublicKeyInfo)); | |
5369 ssl_FreePlatformKey(ss->ssl3.platformClientKey); | 5747 ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
5370 ss->ssl3.platformClientKey = (PlatformKey)NULL; | 5748 ss->ssl3.platformClientKey = (PlatformKey)NULL; |
5371 #endif /* NSS_PLATFORM_CLIENT_AUTH */ | 5749 #endif /* NSS_PLATFORM_CLIENT_AUTH */ |
5372 } else { | 5750 } else { |
| 5751 keyType = ss->ssl3.clientPrivateKey->keyType; |
5373 rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS); | 5752 rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS); |
5374 if (rv == SECSuccess) { | 5753 if (rv == SECSuccess) { |
5375 PK11SlotInfo * slot; | 5754 PK11SlotInfo * slot; |
5376 sslSessionID * sid = ss->sec.ci.sid; | 5755 sslSessionID * sid = ss->sec.ci.sid; |
5377 | 5756 |
5378 /* Remember the info about the slot that did the signing. | 5757 /* Remember the info about the slot that did the signing. |
5379 ** Later, when doing an SSL restart handshake, verify this. | 5758 ** Later, when doing an SSL restart handshake, verify this. |
5380 ** These calls are mere accessors, and can't fail. | 5759 ** These calls are mere accessors, and can't fail. |
5381 */ | 5760 */ |
5382 slot = PK11_GetSlotFromPrivateKey(ss->ssl3.clientPrivateKey); | 5761 slot = PK11_GetSlotFromPrivateKey(ss->ssl3.clientPrivateKey); |
5383 sid->u.ssl3.clAuthSeries = PK11_GetSlotSeries(slot); | 5762 sid->u.ssl3.clAuthSeries = PK11_GetSlotSeries(slot); |
5384 sid->u.ssl3.clAuthSlotID = PK11_GetSlotID(slot); | 5763 sid->u.ssl3.clAuthSlotID = PK11_GetSlotID(slot); |
5385 sid->u.ssl3.clAuthModuleID = PK11_GetModuleID(slot); | 5764 sid->u.ssl3.clAuthModuleID = PK11_GetModuleID(slot); |
5386 sid->u.ssl3.clAuthValid = PR_TRUE; | 5765 sid->u.ssl3.clAuthValid = PR_TRUE; |
5387 PK11_FreeSlot(slot); | 5766 PK11_FreeSlot(slot); |
5388 } | 5767 } |
5389 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); | 5768 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); |
5390 ss->ssl3.clientPrivateKey = NULL; | 5769 ss->ssl3.clientPrivateKey = NULL; |
5391 } | 5770 } |
5392 if (rv != SECSuccess) { | 5771 if (rv != SECSuccess) { |
5393 goto done; /* err code was set by ssl3_SignHashes */ | 5772 goto done; /* err code was set by ssl3_SignHashes */ |
5394 } | 5773 } |
5395 | 5774 |
5396 rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, buf.len + 2); | 5775 len = buf.len + 2 + (isTLS12 ? 2 : 0); |
| 5776 |
| 5777 rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, len); |
5397 if (rv != SECSuccess) { | 5778 if (rv != SECSuccess) { |
5398 goto done; /* error code set by AppendHandshake */ | 5779 goto done; /* error code set by AppendHandshake */ |
5399 } | 5780 } |
| 5781 if (isTLS12) { |
| 5782 rv = ssl3_TLSSignatureAlgorithmForKeyType(keyType, |
| 5783 &sigAndHash.sigAlg); |
| 5784 if (rv != SECSuccess) { |
| 5785 goto done; |
| 5786 } |
| 5787 /* We always sign using the handshake hash function. It's possible that |
| 5788 * a server could support SHA-256 as the handshake hash but not as a |
| 5789 * signature hash. In that case we wouldn't be able to do client |
| 5790 * certificates with it. The alternative is to buffer all handshake |
| 5791 * messages. */ |
| 5792 sigAndHash.hashAlg = hashes.hashAlg; |
| 5793 |
| 5794 rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash); |
| 5795 if (rv != SECSuccess) { |
| 5796 goto done; /* err set by AppendHandshake. */ |
| 5797 } |
| 5798 } |
5400 rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2); | 5799 rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2); |
5401 if (rv != SECSuccess) { | 5800 if (rv != SECSuccess) { |
5402 goto done; /* error code set by AppendHandshake */ | 5801 goto done; /* error code set by AppendHandshake */ |
5403 } | 5802 } |
5404 | 5803 |
5405 done: | 5804 done: |
5406 if (buf.data) | 5805 if (buf.data) |
5407 PORT_Free(buf.data); | 5806 PORT_Free(buf.data); |
5408 return rv; | 5807 return rv; |
5409 } | 5808 } |
(...skipping 87 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
5497 | 5896 |
5498 rv = ssl3_NegotiateVersion(ss, version, PR_FALSE); | 5897 rv = ssl3_NegotiateVersion(ss, version, PR_FALSE); |
5499 if (rv != SECSuccess) { | 5898 if (rv != SECSuccess) { |
5500 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version | 5899 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version |
5501 : handshake_failure; | 5900 : handshake_failure; |
5502 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; | 5901 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; |
5503 goto alert_loser; | 5902 goto alert_loser; |
5504 } | 5903 } |
5505 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0); | 5904 isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0); |
5506 | 5905 |
| 5906 rv = ssl3_InitTLS12HandshakeHash(ss); |
| 5907 if (rv != SECSuccess) { |
| 5908 desc = internal_error; |
| 5909 errCode = PORT_GetError(); |
| 5910 goto alert_loser; |
| 5911 } |
| 5912 |
5507 rv = ssl3_ConsumeHandshake( | 5913 rv = ssl3_ConsumeHandshake( |
5508 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH, &b, &length); | 5914 ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH, &b, &length); |
5509 if (rv != SECSuccess) { | 5915 if (rv != SECSuccess) { |
5510 goto loser; /* alert has been sent */ | 5916 goto loser; /* alert has been sent */ |
5511 } | 5917 } |
5512 | 5918 |
5513 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length); | 5919 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length); |
5514 if (rv != SECSuccess) { | 5920 if (rv != SECSuccess) { |
5515 goto loser; /* alert has been sent */ | 5921 goto loser; /* alert has been sent */ |
5516 } | 5922 } |
(...skipping 310 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
5827 | 6233 |
5828 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete | 6234 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete |
5829 * ssl3 ServerKeyExchange message. | 6235 * ssl3 ServerKeyExchange message. |
5830 * Caller must hold Handshake and RecvBuf locks. | 6236 * Caller must hold Handshake and RecvBuf locks. |
5831 */ | 6237 */ |
5832 static SECStatus | 6238 static SECStatus |
5833 ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) | 6239 ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
5834 { | 6240 { |
5835 PRArenaPool * arena = NULL; | 6241 PRArenaPool * arena = NULL; |
5836 SECKEYPublicKey *peerKey = NULL; | 6242 SECKEYPublicKey *peerKey = NULL; |
5837 PRBool isTLS; | 6243 PRBool isTLS, isTLS12; |
5838 SECStatus rv; | 6244 SECStatus rv; |
5839 int errCode = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH; | 6245 int errCode = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH; |
5840 SSL3AlertDescription desc = illegal_parameter; | 6246 SSL3AlertDescription desc = illegal_parameter; |
5841 SSL3Hashes hashes; | 6247 SSL3Hashes hashes; |
5842 SECItem signature = {siBuffer, NULL, 0}; | 6248 SECItem signature = {siBuffer, NULL, 0}; |
| 6249 SSL3SignatureAndHashAlgorithm sigAndHash; |
| 6250 |
| 6251 sigAndHash.hashAlg = SEC_OID_UNKNOWN; |
5843 | 6252 |
5844 SSL_TRC(3, ("%d: SSL3[%d]: handle server_key_exchange handshake", | 6253 SSL_TRC(3, ("%d: SSL3[%d]: handle server_key_exchange handshake", |
5845 SSL_GETPID(), ss->fd)); | 6254 SSL_GETPID(), ss->fd)); |
5846 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 6255 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
5847 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 6256 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
5848 | 6257 |
5849 if (ss->ssl3.hs.ws != wait_server_key && | 6258 if (ss->ssl3.hs.ws != wait_server_key && |
5850 ss->ssl3.hs.ws != wait_server_cert) { | 6259 ss->ssl3.hs.ws != wait_server_cert) { |
5851 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH; | 6260 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH; |
5852 desc = unexpected_message; | 6261 desc = unexpected_message; |
5853 goto alert_loser; | 6262 goto alert_loser; |
5854 } | 6263 } |
5855 if (ss->sec.peerCert == NULL) { | 6264 if (ss->sec.peerCert == NULL) { |
5856 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH; | 6265 errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH; |
5857 desc = unexpected_message; | 6266 desc = unexpected_message; |
5858 goto alert_loser; | 6267 goto alert_loser; |
5859 } | 6268 } |
5860 | 6269 |
5861 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); | 6270 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); |
| 6271 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); |
5862 | 6272 |
5863 switch (ss->ssl3.hs.kea_def->exchKeyType) { | 6273 switch (ss->ssl3.hs.kea_def->exchKeyType) { |
5864 | 6274 |
5865 case kt_rsa: { | 6275 case kt_rsa: { |
5866 SECItem modulus = {siBuffer, NULL, 0}; | 6276 SECItem modulus = {siBuffer, NULL, 0}; |
5867 SECItem exponent = {siBuffer, NULL, 0}; | 6277 SECItem exponent = {siBuffer, NULL, 0}; |
5868 | 6278 |
5869 rv = ssl3_ConsumeHandshakeVariable(ss, &modulus, 2, &b, &length); | 6279 rv = ssl3_ConsumeHandshakeVariable(ss, &modulus, 2, &b, &length); |
5870 if (rv != SECSuccess) { | 6280 if (rv != SECSuccess) { |
5871 goto loser; /* malformed. */ | 6281 goto loser; /* malformed. */ |
5872 } | 6282 } |
5873 rv = ssl3_ConsumeHandshakeVariable(ss, &exponent, 2, &b, &length); | 6283 rv = ssl3_ConsumeHandshakeVariable(ss, &exponent, 2, &b, &length); |
5874 if (rv != SECSuccess) { | 6284 if (rv != SECSuccess) { |
5875 goto loser; /* malformed. */ | 6285 goto loser; /* malformed. */ |
5876 } | 6286 } |
| 6287 if (isTLS12) { |
| 6288 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, |
| 6289 &sigAndHash); |
| 6290 if (rv != SECSuccess) { |
| 6291 goto loser; /* malformed or unsupported. */ |
| 6292 } |
| 6293 rv = ssl3_CheckSignatureAndHashAlgorithmConsistency( |
| 6294 &sigAndHash, ss->sec.peerCert); |
| 6295 if (rv != SECSuccess) { |
| 6296 goto loser; |
| 6297 } |
| 6298 } |
5877 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length); | 6299 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length); |
5878 if (rv != SECSuccess) { | 6300 if (rv != SECSuccess) { |
5879 goto loser; /* malformed. */ | 6301 goto loser; /* malformed. */ |
5880 } | 6302 } |
5881 if (length != 0) { | 6303 if (length != 0) { |
5882 if (isTLS) | 6304 if (isTLS) |
5883 desc = decode_error; | 6305 desc = decode_error; |
5884 goto alert_loser; /* malformed. */ | 6306 goto alert_loser; /* malformed. */ |
5885 } | 6307 } |
5886 | 6308 |
5887 /* failures after this point are not malformed handshakes. */ | 6309 /* failures after this point are not malformed handshakes. */ |
5888 /* TLS: send decrypt_error if signature failed. */ | 6310 /* TLS: send decrypt_error if signature failed. */ |
5889 desc = isTLS ? decrypt_error : handshake_failure; | 6311 desc = isTLS ? decrypt_error : handshake_failure; |
5890 | 6312 |
5891 /* | 6313 /* |
5892 * check to make sure the hash is signed by right guy | 6314 * check to make sure the hash is signed by right guy |
5893 */ | 6315 */ |
5894 » rv = ssl3_ComputeExportRSAKeyHash(modulus, exponent, | 6316 » rv = ssl3_ComputeExportRSAKeyHash(sigAndHash.hashAlg, modulus, exponent, |
5895 &ss->ssl3.hs.client_random, | 6317 &ss->ssl3.hs.client_random, |
5896 &ss->ssl3.hs.server_random, | 6318 &ss->ssl3.hs.server_random, |
5897 &hashes, ss->opt.bypassPKCS11); | 6319 &hashes, ss->opt.bypassPKCS11); |
5898 if (rv != SECSuccess) { | 6320 if (rv != SECSuccess) { |
5899 errCode = | 6321 errCode = |
5900 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); | 6322 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
5901 goto alert_loser; | 6323 goto alert_loser; |
5902 } | 6324 } |
5903 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature, | 6325 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature, |
5904 isTLS, ss->pkcs11PinArg); | 6326 isTLS, ss->pkcs11PinArg); |
(...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
5957 goto loser; /* malformed. */ | 6379 goto loser; /* malformed. */ |
5958 } | 6380 } |
5959 if (dh_g.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_g)) | 6381 if (dh_g.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_g)) |
5960 goto alert_loser; | 6382 goto alert_loser; |
5961 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_Ys, 2, &b, &length); | 6383 rv = ssl3_ConsumeHandshakeVariable(ss, &dh_Ys, 2, &b, &length); |
5962 if (rv != SECSuccess) { | 6384 if (rv != SECSuccess) { |
5963 goto loser; /* malformed. */ | 6385 goto loser; /* malformed. */ |
5964 } | 6386 } |
5965 if (dh_Ys.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_Ys)) | 6387 if (dh_Ys.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_Ys)) |
5966 goto alert_loser; | 6388 goto alert_loser; |
| 6389 if (isTLS12) { |
| 6390 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, |
| 6391 &sigAndHash); |
| 6392 if (rv != SECSuccess) { |
| 6393 goto loser; /* malformed or unsupported. */ |
| 6394 } |
| 6395 rv = ssl3_CheckSignatureAndHashAlgorithmConsistency( |
| 6396 &sigAndHash, ss->sec.peerCert); |
| 6397 if (rv != SECSuccess) { |
| 6398 goto loser; |
| 6399 } |
| 6400 } |
5967 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length); | 6401 rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length); |
5968 if (rv != SECSuccess) { | 6402 if (rv != SECSuccess) { |
5969 goto loser; /* malformed. */ | 6403 goto loser; /* malformed. */ |
5970 } | 6404 } |
5971 if (length != 0) { | 6405 if (length != 0) { |
5972 if (isTLS) | 6406 if (isTLS) |
5973 desc = decode_error; | 6407 desc = decode_error; |
5974 goto alert_loser; /* malformed. */ | 6408 goto alert_loser; /* malformed. */ |
5975 } | 6409 } |
5976 | 6410 |
5977 PRINT_BUF(60, (NULL, "Server DH p", dh_p.data, dh_p.len)); | 6411 PRINT_BUF(60, (NULL, "Server DH p", dh_p.data, dh_p.len)); |
5978 PRINT_BUF(60, (NULL, "Server DH g", dh_g.data, dh_g.len)); | 6412 PRINT_BUF(60, (NULL, "Server DH g", dh_g.data, dh_g.len)); |
5979 PRINT_BUF(60, (NULL, "Server DH Ys", dh_Ys.data, dh_Ys.len)); | 6413 PRINT_BUF(60, (NULL, "Server DH Ys", dh_Ys.data, dh_Ys.len)); |
5980 | 6414 |
5981 /* failures after this point are not malformed handshakes. */ | 6415 /* failures after this point are not malformed handshakes. */ |
5982 /* TLS: send decrypt_error if signature failed. */ | 6416 /* TLS: send decrypt_error if signature failed. */ |
5983 desc = isTLS ? decrypt_error : handshake_failure; | 6417 desc = isTLS ? decrypt_error : handshake_failure; |
5984 | 6418 |
5985 /* | 6419 /* |
5986 * check to make sure the hash is signed by right guy | 6420 * check to make sure the hash is signed by right guy |
5987 */ | 6421 */ |
5988 » rv = ssl3_ComputeDHKeyHash(dh_p, dh_g, dh_Ys, | 6422 » rv = ssl3_ComputeDHKeyHash(sigAndHash.hashAlg, dh_p, dh_g, dh_Ys, |
5989 &ss->ssl3.hs.client_random, | 6423 &ss->ssl3.hs.client_random, |
5990 &ss->ssl3.hs.server_random, | 6424 &ss->ssl3.hs.server_random, |
5991 &hashes, ss->opt.bypassPKCS11); | 6425 &hashes, ss->opt.bypassPKCS11); |
5992 if (rv != SECSuccess) { | 6426 if (rv != SECSuccess) { |
5993 errCode = | 6427 errCode = |
5994 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); | 6428 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
5995 goto alert_loser; | 6429 goto alert_loser; |
5996 } | 6430 } |
5997 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature, | 6431 rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature, |
5998 isTLS, ss->pkcs11PinArg); | 6432 isTLS, ss->pkcs11PinArg); |
(...skipping 856 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
6855 } | 7289 } |
6856 | 7290 |
6857 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE); | 7291 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE); |
6858 if (rv != SECSuccess) { | 7292 if (rv != SECSuccess) { |
6859 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version | 7293 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version |
6860 : handshake_failure; | 7294 : handshake_failure; |
6861 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; | 7295 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; |
6862 goto alert_loser; | 7296 goto alert_loser; |
6863 } | 7297 } |
6864 | 7298 |
| 7299 rv = ssl3_InitTLS12HandshakeHash(ss); |
| 7300 if (rv != SECSuccess) { |
| 7301 desc = internal_error; |
| 7302 errCode = PORT_GetError(); |
| 7303 goto alert_loser; |
| 7304 } |
| 7305 |
6865 /* grab the client random data. */ | 7306 /* grab the client random data. */ |
6866 rv = ssl3_ConsumeHandshake( | 7307 rv = ssl3_ConsumeHandshake( |
6867 ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length); | 7308 ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length); |
6868 if (rv != SECSuccess) { | 7309 if (rv != SECSuccess) { |
6869 goto loser; /* malformed */ | 7310 goto loser; /* malformed */ |
6870 } | 7311 } |
6871 | 7312 |
6872 /* grab the client's SID, if present. */ | 7313 /* grab the client's SID, if present. */ |
6873 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length); | 7314 rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length); |
6874 if (rv != SECSuccess) { | 7315 if (rv != SECSuccess) { |
(...skipping 722 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
7597 ss->clientHelloVersion = version; | 8038 ss->clientHelloVersion = version; |
7598 | 8039 |
7599 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE); | 8040 rv = ssl3_NegotiateVersion(ss, version, PR_TRUE); |
7600 if (rv != SECSuccess) { | 8041 if (rv != SECSuccess) { |
7601 /* send back which ever alert client will understand. */ | 8042 /* send back which ever alert client will understand. */ |
7602 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version : handshak
e_failure; | 8043 desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version : handshak
e_failure; |
7603 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; | 8044 errCode = SSL_ERROR_NO_CYPHER_OVERLAP; |
7604 goto alert_loser; | 8045 goto alert_loser; |
7605 } | 8046 } |
7606 | 8047 |
| 8048 rv = ssl3_InitTLS12HandshakeHash(ss); |
| 8049 if (rv != SECSuccess) { |
| 8050 desc = internal_error; |
| 8051 errCode = PORT_GetError(); |
| 8052 goto alert_loser; |
| 8053 } |
| 8054 |
7607 /* if we get a non-zero SID, just ignore it. */ | 8055 /* if we get a non-zero SID, just ignore it. */ |
7608 if (length != | 8056 if (length != |
7609 SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length + rand_length) { | 8057 SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length + rand_length) { |
7610 SSL_DBG(("%d: SSL3[%d]: bad v2 client hello message, len=%d should=%d", | 8058 SSL_DBG(("%d: SSL3[%d]: bad v2 client hello message, len=%d should=%d", |
7611 SSL_GETPID(), ss->fd, length, | 8059 SSL_GETPID(), ss->fd, length, |
7612 SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length + | 8060 SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length + |
7613 rand_length)); | 8061 rand_length)); |
7614 goto loser; /* malformed */ /* alert_loser */ | 8062 goto loser; /* malformed */ /* alert_loser */ |
7615 } | 8063 } |
7616 | 8064 |
(...skipping 227 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
7844 } | 8292 } |
7845 } | 8293 } |
7846 rv = ssl3_SetupPendingCipherSpec(ss); | 8294 rv = ssl3_SetupPendingCipherSpec(ss); |
7847 if (rv != SECSuccess) { | 8295 if (rv != SECSuccess) { |
7848 return rv; /* err set by ssl3_SetupPendingCipherSpec */ | 8296 return rv; /* err set by ssl3_SetupPendingCipherSpec */ |
7849 } | 8297 } |
7850 | 8298 |
7851 return SECSuccess; | 8299 return SECSuccess; |
7852 } | 8300 } |
7853 | 8301 |
| 8302 /* ssl3_PickSignatureHashAlgorithm selects a hash algorithm to use when signing |
| 8303 * elements of the handshake. (The negotiated cipher suite determines the |
| 8304 * signature algorithm.) Prior to TLS 1.2, the MD5/SHA1 combination is always |
| 8305 * used. With TLS 1.2, a client may advertise its support for signature and |
| 8306 * hash combinations. */ |
| 8307 static SECStatus |
| 8308 ssl3_PickSignatureHashAlgorithm(sslSocket *ss, |
| 8309 SSL3SignatureAndHashAlgorithm* out) |
| 8310 { |
| 8311 TLSSignatureAlgorithm sigAlg; |
| 8312 unsigned int i, j; |
| 8313 /* hashPreference expresses our preferences for hash algorithms, most |
| 8314 * preferable first. */ |
| 8315 static const PRUint8 hashPreference[] = { |
| 8316 tls_hash_sha256, |
| 8317 tls_hash_sha384, |
| 8318 tls_hash_sha512, |
| 8319 tls_hash_sha1, |
| 8320 }; |
| 8321 |
| 8322 switch (ss->ssl3.hs.kea_def->kea) { |
| 8323 case kea_rsa: |
| 8324 case kea_rsa_export: |
| 8325 case kea_rsa_export_1024: |
| 8326 case kea_dh_rsa: |
| 8327 case kea_dh_rsa_export: |
| 8328 case kea_dhe_rsa: |
| 8329 case kea_dhe_rsa_export: |
| 8330 case kea_rsa_fips: |
| 8331 case kea_ecdh_rsa: |
| 8332 case kea_ecdhe_rsa: |
| 8333 sigAlg = tls_sig_rsa; |
| 8334 break; |
| 8335 case kea_dh_dss: |
| 8336 case kea_dh_dss_export: |
| 8337 case kea_dhe_dss: |
| 8338 case kea_dhe_dss_export: |
| 8339 sigAlg = tls_sig_dsa; |
| 8340 break; |
| 8341 case kea_ecdh_ecdsa: |
| 8342 case kea_ecdhe_ecdsa: |
| 8343 sigAlg = tls_sig_ecdsa; |
| 8344 break; |
| 8345 default: |
| 8346 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); |
| 8347 return SECFailure; |
| 8348 } |
| 8349 out->sigAlg = sigAlg; |
| 8350 |
| 8351 if (ss->version <= SSL_LIBRARY_VERSION_TLS_1_1) { |
| 8352 /* SEC_OID_UNKNOWN means the MD5/SHA1 combo hash used in TLS 1.1 and |
| 8353 * prior. */ |
| 8354 out->hashAlg = SEC_OID_UNKNOWN; |
| 8355 return SECSuccess; |
| 8356 } |
| 8357 |
| 8358 if (ss->ssl3.hs.numClientSigAndHash == 0) { |
| 8359 /* If the client didn't provide any signature_algorithms extension then |
| 8360 * we can assume that they support SHA-1: |
| 8361 * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ |
| 8362 out->hashAlg = SEC_OID_SHA1; |
| 8363 return SECSuccess; |
| 8364 } |
| 8365 |
| 8366 for (i = 0; i < PR_ARRAY_SIZE(hashPreference); i++) { |
| 8367 for (j = 0; j < ss->ssl3.hs.numClientSigAndHash; j++) { |
| 8368 const SSL3SignatureAndHashAlgorithm* sh = |
| 8369 &ss->ssl3.hs.clientSigAndHash[j]; |
| 8370 if (sh->sigAlg == sigAlg && sh->hashAlg == hashPreference[i]) { |
| 8371 out->hashAlg = sh->hashAlg; |
| 8372 return SECSuccess; |
| 8373 } |
| 8374 } |
| 8375 } |
| 8376 |
| 8377 PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); |
| 8378 return SECFailure; |
| 8379 } |
| 8380 |
7854 | 8381 |
7855 static SECStatus | 8382 static SECStatus |
7856 ssl3_SendServerKeyExchange(sslSocket *ss) | 8383 ssl3_SendServerKeyExchange(sslSocket *ss) |
7857 { | 8384 { |
7858 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; | 8385 const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; |
7859 SECStatus rv = SECFailure; | 8386 SECStatus rv = SECFailure; |
7860 int length; | 8387 int length; |
7861 PRBool isTLS; | 8388 PRBool isTLS; |
7862 SECItem signed_hash = {siBuffer, NULL, 0}; | 8389 SECItem signed_hash = {siBuffer, NULL, 0}; |
7863 SSL3Hashes hashes; | 8390 SSL3Hashes hashes; |
7864 SECKEYPublicKey * sdPub; /* public key for step-down */ | 8391 SECKEYPublicKey * sdPub; /* public key for step-down */ |
| 8392 SSL3SignatureAndHashAlgorithm sigAndHash; |
7865 | 8393 |
7866 SSL_TRC(3, ("%d: SSL3[%d]: send server_key_exchange handshake", | 8394 SSL_TRC(3, ("%d: SSL3[%d]: send server_key_exchange handshake", |
7867 SSL_GETPID(), ss->fd)); | 8395 SSL_GETPID(), ss->fd)); |
7868 | 8396 |
7869 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); | 8397 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
7870 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 8398 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
7871 | 8399 |
| 8400 if (ssl3_PickSignatureHashAlgorithm(ss, &sigAndHash) != SECSuccess) { |
| 8401 return SECFailure; |
| 8402 } |
| 8403 |
7872 switch (kea_def->exchKeyType) { | 8404 switch (kea_def->exchKeyType) { |
7873 case kt_rsa: | 8405 case kt_rsa: |
7874 /* Perform SSL Step-Down here. */ | 8406 /* Perform SSL Step-Down here. */ |
7875 sdPub = ss->stepDownKeyPair->pubKey; | 8407 sdPub = ss->stepDownKeyPair->pubKey; |
7876 PORT_Assert(sdPub != NULL); | 8408 PORT_Assert(sdPub != NULL); |
7877 if (!sdPub) { | 8409 if (!sdPub) { |
7878 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); | 8410 PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
7879 return SECFailure; | 8411 return SECFailure; |
7880 } | 8412 } |
7881 » rv = ssl3_ComputeExportRSAKeyHash(sdPub->u.rsa.modulus, | 8413 » rv = ssl3_ComputeExportRSAKeyHash(sigAndHash.hashAlg, |
| 8414 » » » » » sdPub->u.rsa.modulus, |
7882 sdPub->u.rsa.publicExponent, | 8415 sdPub->u.rsa.publicExponent, |
7883 &ss->ssl3.hs.client_random, | 8416 &ss->ssl3.hs.client_random, |
7884 &ss->ssl3.hs.server_random, | 8417 &ss->ssl3.hs.server_random, |
7885 &hashes, ss->opt.bypassPKCS11); | 8418 &hashes, ss->opt.bypassPKCS11); |
7886 if (rv != SECSuccess) { | 8419 if (rv != SECSuccess) { |
7887 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); | 8420 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); |
7888 return rv; | 8421 return rv; |
7889 } | 8422 } |
7890 | 8423 |
7891 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); | 8424 isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); |
(...skipping 22 matching lines...) Expand all Loading... |
7914 goto loser; /* err set by AppendHandshake. */ | 8447 goto loser; /* err set by AppendHandshake. */ |
7915 } | 8448 } |
7916 | 8449 |
7917 rv = ssl3_AppendHandshakeVariable( | 8450 rv = ssl3_AppendHandshakeVariable( |
7918 ss, sdPub->u.rsa.publicExponent.data, | 8451 ss, sdPub->u.rsa.publicExponent.data, |
7919 sdPub->u.rsa.publicExponent.len, 2); | 8452 sdPub->u.rsa.publicExponent.len, 2); |
7920 if (rv != SECSuccess) { | 8453 if (rv != SECSuccess) { |
7921 goto loser; /* err set by AppendHandshake. */ | 8454 goto loser; /* err set by AppendHandshake. */ |
7922 } | 8455 } |
7923 | 8456 |
| 8457 if (ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 8458 rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash); |
| 8459 if (rv != SECSuccess) { |
| 8460 goto loser; /* err set by AppendHandshake. */ |
| 8461 } |
| 8462 } |
| 8463 |
7924 rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data, | 8464 rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data, |
7925 signed_hash.len, 2); | 8465 signed_hash.len, 2); |
7926 if (rv != SECSuccess) { | 8466 if (rv != SECSuccess) { |
7927 goto loser; /* err set by AppendHandshake. */ | 8467 goto loser; /* err set by AppendHandshake. */ |
7928 } | 8468 } |
7929 PORT_Free(signed_hash.data); | 8469 PORT_Free(signed_hash.data); |
7930 return SECSuccess; | 8470 return SECSuccess; |
7931 | 8471 |
7932 #ifdef NSS_ENABLE_ECC | 8472 #ifdef NSS_ENABLE_ECC |
7933 case kt_ecdh: { | 8473 case kt_ecdh: { |
7934 » rv = ssl3_SendECDHServerKeyExchange(ss); | 8474 » rv = ssl3_SendECDHServerKeyExchange(ss, &sigAndHash); |
7935 return rv; | 8475 return rv; |
7936 } | 8476 } |
7937 #endif /* NSS_ENABLE_ECC */ | 8477 #endif /* NSS_ENABLE_ECC */ |
7938 | 8478 |
7939 case kt_dh: | 8479 case kt_dh: |
7940 case kt_null: | 8480 case kt_null: |
7941 default: | 8481 default: |
7942 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); | 8482 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); |
7943 break; | 8483 break; |
7944 } | 8484 } |
(...skipping 93 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
8038 * Caller must hold Handshake and RecvBuf locks. | 8578 * Caller must hold Handshake and RecvBuf locks. |
8039 */ | 8579 */ |
8040 static SECStatus | 8580 static SECStatus |
8041 ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length, | 8581 ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length, |
8042 SSL3Hashes *hashes) | 8582 SSL3Hashes *hashes) |
8043 { | 8583 { |
8044 SECItem signed_hash = {siBuffer, NULL, 0}; | 8584 SECItem signed_hash = {siBuffer, NULL, 0}; |
8045 SECStatus rv; | 8585 SECStatus rv; |
8046 int errCode = SSL_ERROR_RX_MALFORMED_CERT_VERIFY; | 8586 int errCode = SSL_ERROR_RX_MALFORMED_CERT_VERIFY; |
8047 SSL3AlertDescription desc = handshake_failure; | 8587 SSL3AlertDescription desc = handshake_failure; |
8048 PRBool isTLS; | 8588 PRBool isTLS, isTLS12; |
| 8589 SSL3SignatureAndHashAlgorithm sigAndHash; |
8049 | 8590 |
8050 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_verify handshake", | 8591 SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_verify handshake", |
8051 SSL_GETPID(), ss->fd)); | 8592 SSL_GETPID(), ss->fd)); |
8052 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 8593 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
8053 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 8594 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
8054 | 8595 |
| 8596 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); |
| 8597 isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); |
| 8598 |
8055 if (ss->ssl3.hs.ws != wait_cert_verify || ss->sec.peerCert == NULL) { | 8599 if (ss->ssl3.hs.ws != wait_cert_verify || ss->sec.peerCert == NULL) { |
8056 desc = unexpected_message; | 8600 desc = unexpected_message; |
8057 errCode = SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY; | 8601 errCode = SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY; |
8058 goto alert_loser; | 8602 goto alert_loser; |
8059 } | 8603 } |
8060 | 8604 |
| 8605 if (isTLS12) { |
| 8606 rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, |
| 8607 &sigAndHash); |
| 8608 if (rv != SECSuccess) { |
| 8609 goto loser; /* malformed or unsupported. */ |
| 8610 } |
| 8611 rv = ssl3_CheckSignatureAndHashAlgorithmConsistency( |
| 8612 &sigAndHash, ss->sec.peerCert); |
| 8613 if (rv != SECSuccess) { |
| 8614 errCode = PORT_GetError(); |
| 8615 desc = decrypt_error; |
| 8616 goto alert_loser; |
| 8617 } |
| 8618 |
| 8619 /* We only support CertificateVerify messages that use the handshake |
| 8620 * hash. */ |
| 8621 if (sigAndHash.hashAlg != hashes->hashAlg) { |
| 8622 errCode = SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM; |
| 8623 desc = decrypt_error; |
| 8624 goto alert_loser; |
| 8625 } |
| 8626 } |
| 8627 |
8061 rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length); | 8628 rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length); |
8062 if (rv != SECSuccess) { | 8629 if (rv != SECSuccess) { |
8063 goto loser; /* malformed. */ | 8630 goto loser; /* malformed. */ |
8064 } | 8631 } |
8065 | 8632 |
8066 isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); | |
8067 | |
8068 /* XXX verify that the key & kea match */ | 8633 /* XXX verify that the key & kea match */ |
8069 rv = ssl3_VerifySignedHashes(hashes, ss->sec.peerCert, &signed_hash, | 8634 rv = ssl3_VerifySignedHashes(hashes, ss->sec.peerCert, &signed_hash, |
8070 isTLS, ss->pkcs11PinArg); | 8635 isTLS, ss->pkcs11PinArg); |
8071 if (rv != SECSuccess) { | 8636 if (rv != SECSuccess) { |
8072 errCode = PORT_GetError(); | 8637 errCode = PORT_GetError(); |
8073 desc = isTLS ? decrypt_error : handshake_failure; | 8638 desc = isTLS ? decrypt_error : handshake_failure; |
8074 goto alert_loser; | 8639 goto alert_loser; |
8075 } | 8640 } |
8076 | 8641 |
8077 signed_hash.data = NULL; | 8642 signed_hash.data = NULL; |
(...skipping 1078 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
9156 done: | 9721 done: |
9157 ssl_ReleaseSSL3HandshakeLock(ss); | 9722 ssl_ReleaseSSL3HandshakeLock(ss); |
9158 ssl_ReleaseRecvBufLock(ss); | 9723 ssl_ReleaseRecvBufLock(ss); |
9159 | 9724 |
9160 return rv; | 9725 return rv; |
9161 } | 9726 } |
9162 | 9727 |
9163 static SECStatus | 9728 static SECStatus |
9164 ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, | 9729 ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, |
9165 PRBool isServer, | 9730 PRBool isServer, |
9166 const SSL3Finished * hashes, | 9731 const SSL3Hashes * hashes, |
9167 TLSFinished * tlsFinished) | 9732 TLSFinished * tlsFinished) |
9168 { | 9733 { |
9169 const char * label; | 9734 const char * label; |
9170 unsigned int len; | 9735 unsigned int len; |
9171 SECStatus rv; | 9736 SECStatus rv; |
9172 | 9737 |
9173 label = isServer ? "server finished" : "client finished"; | 9738 label = isServer ? "server finished" : "client finished"; |
9174 len = 15; | 9739 len = 15; |
9175 | 9740 |
9176 rv = ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->md5, | 9741 rv = ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->u.raw, |
9177 » sizeof *hashes, tlsFinished->verify_data, | 9742 » hashes->len, tlsFinished->verify_data, |
9178 sizeof tlsFinished->verify_data); | 9743 sizeof tlsFinished->verify_data); |
9179 | 9744 |
9180 return rv; | 9745 return rv; |
9181 } | 9746 } |
9182 | 9747 |
9183 /* The calling function must acquire and release the appropriate | 9748 /* The calling function must acquire and release the appropriate |
9184 * lock (e.g., ssl_GetSpecReadLock / ssl_ReleaseSpecReadLock for | 9749 * lock (e.g., ssl_GetSpecReadLock / ssl_ReleaseSpecReadLock for |
9185 * ss->ssl3.crSpec). | 9750 * ss->ssl3.crSpec). |
9186 */ | 9751 */ |
9187 SECStatus | 9752 SECStatus |
9188 ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label, | 9753 ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label, |
9189 unsigned int labelLen, const unsigned char *val, unsigned int valLen, | 9754 unsigned int labelLen, const unsigned char *val, unsigned int valLen, |
9190 unsigned char *out, unsigned int outLen) | 9755 unsigned char *out, unsigned int outLen) |
9191 { | 9756 { |
9192 SECStatus rv = SECSuccess; | 9757 SECStatus rv = SECSuccess; |
9193 | 9758 |
9194 if (spec->master_secret && !spec->bypassCiphers) { | 9759 if (spec->master_secret && !spec->bypassCiphers) { |
9195 » SECItem param = {siBuffer, NULL, 0}; | 9760 » SECItem param = {siBuffer, NULL, 0}; |
9196 » PK11Context *prf_context = | 9761 » CK_MECHANISM_TYPE mech = CKM_TLS_PRF_GENERAL; |
9197 » PK11_CreateContextBySymKey(CKM_TLS_PRF_GENERAL, CKA_SIGN, | 9762 » PK11Context *prf_context; |
9198 » » » » spec->master_secret, ¶m); | |
9199 unsigned int retLen; | 9763 unsigned int retLen; |
9200 | 9764 |
| 9765 if (spec->version >= SSL_LIBRARY_VERSION_TLS_1_2) { |
| 9766 mech = CKM_NSS_TLS_PRF_GENERAL_SHA256; |
| 9767 } |
| 9768 prf_context = PK11_CreateContextBySymKey(mech, CKA_SIGN, |
| 9769 spec->master_secret, ¶m); |
9201 if (!prf_context) | 9770 if (!prf_context) |
9202 return SECFailure; | 9771 return SECFailure; |
9203 | 9772 |
9204 rv = PK11_DigestBegin(prf_context); | 9773 rv = PK11_DigestBegin(prf_context); |
9205 rv |= PK11_DigestOp(prf_context, (unsigned char *) label, labelLen); | 9774 rv |= PK11_DigestOp(prf_context, (unsigned char *) label, labelLen); |
9206 rv |= PK11_DigestOp(prf_context, val, valLen); | 9775 rv |= PK11_DigestOp(prf_context, val, valLen); |
9207 rv |= PK11_DigestFinal(prf_context, out, &retLen, outLen); | 9776 rv |= PK11_DigestFinal(prf_context, out, &retLen, outLen); |
9208 PORT_Assert(rv != SECSuccess || retLen == outLen); | 9777 PORT_Assert(rv != SECSuccess || retLen == outLen); |
9209 | 9778 |
9210 PK11_DestroyContext(prf_context, PR_TRUE); | 9779 PK11_DestroyContext(prf_context, PR_TRUE); |
(...skipping 191 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
9402 if (spki->len != sizeof(P256_SPKI_PREFIX) + CHANNEL_ID_PUBLIC_KEY_LENGTH || | 9971 if (spki->len != sizeof(P256_SPKI_PREFIX) + CHANNEL_ID_PUBLIC_KEY_LENGTH || |
9403 memcmp(spki->data, P256_SPKI_PREFIX, sizeof(P256_SPKI_PREFIX) != 0)) { | 9972 memcmp(spki->data, P256_SPKI_PREFIX, sizeof(P256_SPKI_PREFIX) != 0)) { |
9404 PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY); | 9973 PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY); |
9405 rv = SECFailure; | 9974 rv = SECFailure; |
9406 goto loser; | 9975 goto loser; |
9407 } | 9976 } |
9408 | 9977 |
9409 pub_bytes = spki->data + sizeof(P256_SPKI_PREFIX); | 9978 pub_bytes = spki->data + sizeof(P256_SPKI_PREFIX); |
9410 | 9979 |
9411 memcpy(signed_data, CHANNEL_ID_MAGIC, sizeof(CHANNEL_ID_MAGIC)); | 9980 memcpy(signed_data, CHANNEL_ID_MAGIC, sizeof(CHANNEL_ID_MAGIC)); |
9412 memcpy(signed_data + sizeof(CHANNEL_ID_MAGIC), &hashes, sizeof(hashes)); | 9981 memcpy(signed_data + sizeof(CHANNEL_ID_MAGIC), hashes.u.raw, hashes.len); |
9413 | 9982 |
9414 rv = PK11_HashBuf(SEC_OID_SHA256, digest, signed_data, sizeof(signed_data)); | 9983 rv = PK11_HashBuf(SEC_OID_SHA256, digest, signed_data, |
| 9984 » » sizeof(CHANNEL_ID_MAGIC) + hashes.len); |
9415 if (rv != SECSuccess) | 9985 if (rv != SECSuccess) |
9416 goto loser; | 9986 goto loser; |
9417 | 9987 |
9418 digest_item.data = digest; | 9988 digest_item.data = digest; |
9419 digest_item.len = sizeof(digest); | 9989 digest_item.len = sizeof(digest); |
9420 | 9990 |
9421 signature_item.data = signature; | 9991 signature_item.data = signature; |
9422 signature_item.len = sizeof(signature); | 9992 signature_item.len = sizeof(signature); |
9423 | 9993 |
9424 rv = PK11_Sign(ss->ssl3.channelID, &signature_item, &digest_item); | 9994 rv = PK11_Sign(ss->ssl3.channelID, &signature_item, &digest_item); |
(...skipping 64 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
9489 * ssl3_HandleFinished | 10059 * ssl3_HandleFinished |
9490 */ | 10060 */ |
9491 static SECStatus | 10061 static SECStatus |
9492 ssl3_SendFinished(sslSocket *ss, PRInt32 flags) | 10062 ssl3_SendFinished(sslSocket *ss, PRInt32 flags) |
9493 { | 10063 { |
9494 ssl3CipherSpec *cwSpec; | 10064 ssl3CipherSpec *cwSpec; |
9495 PRBool isTLS; | 10065 PRBool isTLS; |
9496 PRBool isServer = ss->sec.isServer; | 10066 PRBool isServer = ss->sec.isServer; |
9497 SECStatus rv; | 10067 SECStatus rv; |
9498 SSL3Sender sender = isServer ? sender_server : sender_client; | 10068 SSL3Sender sender = isServer ? sender_server : sender_client; |
9499 SSL3Finished hashes; | 10069 SSL3Hashes hashes; |
9500 TLSFinished tlsFinished; | 10070 TLSFinished tlsFinished; |
9501 | 10071 |
9502 SSL_TRC(3, ("%d: SSL3[%d]: send finished handshake", SSL_GETPID(), ss->fd)); | 10072 SSL_TRC(3, ("%d: SSL3[%d]: send finished handshake", SSL_GETPID(), ss->fd)); |
9503 | 10073 |
9504 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); | 10074 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
9505 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 10075 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
9506 | 10076 |
9507 ssl_GetSpecReadLock(ss); | 10077 ssl_GetSpecReadLock(ss); |
9508 cwSpec = ss->ssl3.cwSpec; | 10078 cwSpec = ss->ssl3.cwSpec; |
9509 isTLS = (PRBool)(cwSpec->version > SSL_LIBRARY_VERSION_3_0); | 10079 isTLS = (PRBool)(cwSpec->version > SSL_LIBRARY_VERSION_3_0); |
(...skipping 13 matching lines...) Expand all Loading... |
9523 ss->ssl3.hs.finishedMsgs.tFinished[0] = tlsFinished; | 10093 ss->ssl3.hs.finishedMsgs.tFinished[0] = tlsFinished; |
9524 ss->ssl3.hs.finishedBytes = sizeof tlsFinished; | 10094 ss->ssl3.hs.finishedBytes = sizeof tlsFinished; |
9525 rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof tlsFinished); | 10095 rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof tlsFinished); |
9526 if (rv != SECSuccess) | 10096 if (rv != SECSuccess) |
9527 goto fail; /* err set by AppendHandshake. */ | 10097 goto fail; /* err set by AppendHandshake. */ |
9528 rv = ssl3_AppendHandshake(ss, &tlsFinished, sizeof tlsFinished); | 10098 rv = ssl3_AppendHandshake(ss, &tlsFinished, sizeof tlsFinished); |
9529 if (rv != SECSuccess) | 10099 if (rv != SECSuccess) |
9530 goto fail; /* err set by AppendHandshake. */ | 10100 goto fail; /* err set by AppendHandshake. */ |
9531 } else { | 10101 } else { |
9532 if (isServer) | 10102 if (isServer) |
9533 » ss->ssl3.hs.finishedMsgs.sFinished[1] = hashes; | 10103 » ss->ssl3.hs.finishedMsgs.sFinished[1] = hashes.u.s; |
9534 else | 10104 else |
9535 » ss->ssl3.hs.finishedMsgs.sFinished[0] = hashes; | 10105 » ss->ssl3.hs.finishedMsgs.sFinished[0] = hashes.u.s; |
9536 » ss->ssl3.hs.finishedBytes = sizeof hashes; | 10106 » PORT_Assert(hashes.len == sizeof hashes.u.s); |
9537 » rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof hashes); | 10107 » ss->ssl3.hs.finishedBytes = sizeof hashes.u.s; |
| 10108 » rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof hashes.u.s); |
9538 if (rv != SECSuccess) | 10109 if (rv != SECSuccess) |
9539 goto fail; /* err set by AppendHandshake. */ | 10110 goto fail; /* err set by AppendHandshake. */ |
9540 » rv = ssl3_AppendHandshake(ss, &hashes, sizeof hashes); | 10111 » rv = ssl3_AppendHandshake(ss, &hashes.u.s, sizeof hashes.u.s); |
9541 if (rv != SECSuccess) | 10112 if (rv != SECSuccess) |
9542 goto fail; /* err set by AppendHandshake. */ | 10113 goto fail; /* err set by AppendHandshake. */ |
9543 } | 10114 } |
9544 rv = ssl3_FlushHandshake(ss, flags); | 10115 rv = ssl3_FlushHandshake(ss, flags); |
9545 if (rv != SECSuccess) { | 10116 if (rv != SECSuccess) { |
9546 goto fail; /* error code set by ssl3_FlushHandshake */ | 10117 goto fail; /* error code set by ssl3_FlushHandshake */ |
9547 } | 10118 } |
9548 | 10119 |
9549 ssl3_RecordKeyLog(ss); | 10120 ssl3_RecordKeyLog(ss); |
9550 | 10121 |
(...skipping 128 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
9679 else | 10250 else |
9680 ss->ssl3.hs.finishedMsgs.tFinished[0] = tlsFinished; | 10251 ss->ssl3.hs.finishedMsgs.tFinished[0] = tlsFinished; |
9681 ss->ssl3.hs.finishedBytes = sizeof tlsFinished; | 10252 ss->ssl3.hs.finishedBytes = sizeof tlsFinished; |
9682 if (rv != SECSuccess || | 10253 if (rv != SECSuccess || |
9683 0 != NSS_SecureMemcmp(&tlsFinished, b, length)) { | 10254 0 != NSS_SecureMemcmp(&tlsFinished, b, length)) { |
9684 (void)SSL3_SendAlert(ss, alert_fatal, decrypt_error); | 10255 (void)SSL3_SendAlert(ss, alert_fatal, decrypt_error); |
9685 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); | 10256 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); |
9686 return SECFailure; | 10257 return SECFailure; |
9687 } | 10258 } |
9688 } else { | 10259 } else { |
9689 » if (length != sizeof(SSL3Hashes)) { | 10260 » if (length != sizeof(SSL3Finished)) { |
9690 (void)ssl3_IllegalParameter(ss); | 10261 (void)ssl3_IllegalParameter(ss); |
9691 PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED); | 10262 PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED); |
9692 return SECFailure; | 10263 return SECFailure; |
9693 } | 10264 } |
9694 | 10265 |
9695 if (!isServer) | 10266 if (!isServer) |
9696 » ss->ssl3.hs.finishedMsgs.sFinished[1] = *hashes; | 10267 » ss->ssl3.hs.finishedMsgs.sFinished[1] = hashes->u.s; |
9697 else | 10268 else |
9698 » ss->ssl3.hs.finishedMsgs.sFinished[0] = *hashes; | 10269 » ss->ssl3.hs.finishedMsgs.sFinished[0] = hashes->u.s; |
9699 » ss->ssl3.hs.finishedBytes = sizeof *hashes; | 10270 » PORT_Assert(hashes->len == sizeof hashes->u.s); |
9700 » if (0 != NSS_SecureMemcmp(hashes, b, length)) { | 10271 » ss->ssl3.hs.finishedBytes = sizeof hashes->u.s; |
| 10272 » if (0 != NSS_SecureMemcmp(&hashes->u.s, b, length)) { |
9701 (void)ssl3_HandshakeFailure(ss); | 10273 (void)ssl3_HandshakeFailure(ss); |
9702 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); | 10274 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); |
9703 return SECFailure; | 10275 return SECFailure; |
9704 } | 10276 } |
9705 } | 10277 } |
9706 | 10278 |
9707 ssl_GetXmitBufLock(ss); /*************************************/ | 10279 ssl_GetXmitBufLock(ss); /*************************************/ |
9708 | 10280 |
9709 if ((isServer && !ss->ssl3.hs.isResuming) || | 10281 if ((isServer && !ss->ssl3.hs.isResuming) || |
9710 (!isServer && ss->ssl3.hs.isResuming)) { | 10282 (!isServer && ss->ssl3.hs.isResuming)) { |
(...skipping 1568 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
11279 SHA1_DestroyContext((SHA1Context *)ss->ssl3.hs.sha_cx, PR_FALSE); | 11851 SHA1_DestroyContext((SHA1Context *)ss->ssl3.hs.sha_cx, PR_FALSE); |
11280 MD5_DestroyContext((MD5Context *)ss->ssl3.hs.md5_cx, PR_FALSE); | 11852 MD5_DestroyContext((MD5Context *)ss->ssl3.hs.md5_cx, PR_FALSE); |
11281 } | 11853 } |
11282 #endif | 11854 #endif |
11283 if (ss->ssl3.hs.md5) { | 11855 if (ss->ssl3.hs.md5) { |
11284 PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE); | 11856 PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE); |
11285 } | 11857 } |
11286 if (ss->ssl3.hs.sha) { | 11858 if (ss->ssl3.hs.sha) { |
11287 PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE); | 11859 PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE); |
11288 } | 11860 } |
| 11861 if (ss->ssl3.hs.tls12_handshake_hash) { |
| 11862 PK11_DestroyContext(ss->ssl3.hs.tls12_handshake_hash,PR_TRUE); |
| 11863 } |
| 11864 if (ss->ssl3.hs.clientSigAndHash) { |
| 11865 PORT_Free(ss->ssl3.hs.clientSigAndHash); |
| 11866 } |
11289 if (ss->ssl3.hs.messages.buf) { | 11867 if (ss->ssl3.hs.messages.buf) { |
11290 PORT_Free(ss->ssl3.hs.messages.buf); | 11868 PORT_Free(ss->ssl3.hs.messages.buf); |
11291 ss->ssl3.hs.messages.buf = NULL; | 11869 ss->ssl3.hs.messages.buf = NULL; |
11292 ss->ssl3.hs.messages.len = 0; | 11870 ss->ssl3.hs.messages.len = 0; |
11293 ss->ssl3.hs.messages.space = 0; | 11871 ss->ssl3.hs.messages.space = 0; |
11294 } | 11872 } |
11295 | 11873 |
11296 /* free the SSL3Buffer (msg_body) */ | 11874 /* free the SSL3Buffer (msg_body) */ |
11297 PORT_Free(ss->ssl3.hs.msg_body.buf); | 11875 PORT_Free(ss->ssl3.hs.msg_body.buf); |
11298 | 11876 |
11299 /* free up the CipherSpecs */ | 11877 /* free up the CipherSpecs */ |
11300 ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE/*freeSrvName*/); | 11878 ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE/*freeSrvName*/); |
11301 ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/); | 11879 ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/); |
11302 | 11880 |
11303 /* Destroy the DTLS data */ | 11881 /* Destroy the DTLS data */ |
11304 if (IS_DTLS(ss)) { | 11882 if (IS_DTLS(ss)) { |
11305 dtls_FreeHandshakeMessages(&ss->ssl3.hs.lastMessageFlight); | 11883 dtls_FreeHandshakeMessages(&ss->ssl3.hs.lastMessageFlight); |
11306 if (ss->ssl3.hs.recvdFragments.buf) { | 11884 if (ss->ssl3.hs.recvdFragments.buf) { |
11307 PORT_Free(ss->ssl3.hs.recvdFragments.buf); | 11885 PORT_Free(ss->ssl3.hs.recvdFragments.buf); |
11308 } | 11886 } |
11309 } | 11887 } |
11310 | 11888 |
11311 ss->ssl3.initialized = PR_FALSE; | 11889 ss->ssl3.initialized = PR_FALSE; |
11312 | 11890 |
11313 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); | 11891 SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); |
11314 } | 11892 } |
11315 | 11893 |
11316 /* End of ssl3con.c */ | 11894 /* End of ssl3con.c */ |
OLD | NEW |